
I need to verify a signed XML.

When running in C#, the following error appears: "Unknown transform has been encountered." However, running in Java, it correctly validates the XML.

It looks like xmldsig-filter2 is not recognized by the .NET Framework. Could anything be done on this matter in C#/.NET?

<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:SignedInfo>
    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <dsig:Reference Id="reference-data-0" URI="">
      <dsig:Transforms>
        <dsig:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
          <xf2:XPath Filter="intersect" xmlns:xf2="http://www.w3.org/2002/06/xmldsig-filter2">here()/ancestor::SomeNS:SomeElement[1]</xf2:XPath>
        </dsig:Transform>
        <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue>...</dsig:DigestValue>
    </dsig:Reference>
  </dsig:SignedInfo>
  <dsig:SignatureValue>
    ...
  </dsig:SignatureValue>
</dsig:Signature>
csg
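Added example (not from this thread; the class and method names are my own) of the verification side in C#: the custom transform type has to be registered with CryptoConfig before SignedXml.LoadXml parses the <dsig:Transform> element (that lookup is what raises "Unknown transform has been encountered"), its URI has to be allow-listed, and the key should come from the verifier rather than from the document's own KeyInfo. It assumes SignedXml.SafeCanonicalizationMethods, which is public on .NET Framework 4.6.2 and later and in .NET Core's System.Security.Cryptography.Xml; on an older framework the registry or reflection route described in the answer below replaces that line. T stands for any Transform subclass registered for the filter2 URI, such as the one the answer derives.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical helper: verification flow for a signature that uses a transform .NET does not ship.
public static class CustomTransformVerification
{
    // Register the transform type under its Algorithm URI before SignedXml.LoadXml runs. LoadXml asks
    // CryptoConfig.CreateFromName(uri) for every <ds:Transform> and throws "Unknown transform has been
    // encountered" when that returns null. T must carry algorithmUri in its Algorithm property.
    public static void Register<T>(string algorithmUri) where T : Transform, new()
    {
        if (!(CryptoConfig.CreateFromName(algorithmUri) is T))
            CryptoConfig.AddAlgorithm(typeof(T), algorithmUri);
    }

    // Verify against a key the caller already trusts (for example the public key of a pinned certificate).
    // The KeyInfo inside the document is attacker-controlled input: CheckSignature() with no key argument
    // would accept whatever key the document itself carries.
    public static bool Verify(XmlDocument signedDoc, AsymmetricAlgorithm trustedKey, bool rejectSha1,
                              params string[] extraSafeTransformUris)
    {
        var signedXml = new SignedXml(signedDoc);
        // Allow-list the custom transform so CheckSignature does not reject it as unsafe (assumption: the
        // SafeCanonicalizationMethods collection exists, i.e. .NET Framework 4.6.2+ or .NET Core).
        foreach (string uri in extraSafeTransformUris) signedXml.SafeCanonicalizationMethods.Add(uri);

        XmlNodeList sigs = signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;                  // exactly one Signature; reject ambiguous documents
        signedXml.LoadXml((XmlElement)sigs[0]);

        // Algorithm policy: the question's signature uses rsa-sha1 and #sha1. CheckSignature accepts them,
        // so rejecting SHA-1 has to be an explicit decision of the verifier.
        if (rejectSha1 && signedXml.SignatureMethod == SignedXml.XmlDsigRSASHA1Url) return false;
        if (rejectSha1)
            foreach (Reference r in signedXml.SignedInfo.References)
                if (r.DigestMethod == SignedXml.XmlDsigSHA1Url) return false;

        return signedXml.CheckSignature(trustedKey);
    }
}
```

Call Register<YourTransform>(uri) once at startup, then Verify(doc, trustedKey, rejectSha1: false, uri). Keeping the trusted key and the allow-list as explicit parameters makes both trust decisions visible at the call site instead of being inherited from whatever the signed document declares.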

1 Answer


You can derive from the Transform class and implement the algorithm yourself and register the transform using CryptoConfig.AddAlgorithm. But .NET does not allow a transform to be safe for canonicalization, so you must allow it in the registry under HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods or use reflection to modify the private field holding the list.

using System.Collections.Generic;
using System.Reflection;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;

public class XmlDigSigFilter2Transform : Transform {
  // Algorithm identifier of the transform, as used in the question's <dsig:Transform Algorithm="..."> element.
  public const string Url = "http://www.w3.org/2002/06/xmldsig-filter2";

  public static void Register() {
    // Make CryptoConfig.CreateFromName(Url) return this type; that lookup is what throws "Unknown transform".
    var self = CryptoConfig.CreateFromName(Url);
    if (self == null) {
      CryptoConfig.AddAlgorithm(typeof(XmlDigSigFilter2Transform), Url);
    }

    // Reach into SignedXml's private static list of allowed methods and add this transform to it.
    var signedXmlType = typeof(SignedXml);
    var knownCanonicalizationMethodsField =
      signedXmlType.GetField(
        "s_knownCanonicalizationMethods",
        BindingFlags.NonPublic | BindingFlags.Static);

    if (knownCanonicalizationMethodsField == null) {
      return; // field not present on this runtime version
    }

    // Static field: the instance argument is ignored, so null is enough.
    var knownCanonicalizationMethodsValue =
      knownCanonicalizationMethodsField.GetValue(null);

    if (!(knownCanonicalizationMethodsValue is IList<string> list)) {
      return; // list not created yet or of an unexpected type
    }

    if (!list.Contains(Url)) {
      list.Add(Url);
    }
  }

  // ... Transform overrides (InputTypes, OutputTypes, LoadInnerXml, GetInnerXml, LoadInput, GetOutput) elided in the original answer
}
Daniel Fisher lennybacon
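As an added example (not the answer's code and not part of .NET), here is a complete Transform subclass for the xmldsig-filter2 URI from the question's signature, written for C# 7 or later. The class and member names (XPathFilter2Transform, HereContext, ListNodeList, ElementPath, Collect) are my own. It implements the XPath Filter 2.0 semantics the signature needs: here() resolving to the <xf2:XPath> element, the selected node-set expanded to its whole subtree and intersected with the input node-set, and, going a step beyond the single intersect filter on the page, subtract and union composed the same way. Two points are assumptions about SignedXml's behaviour rather than documented API: that SignedXml hands the first transform an XmlDocument that is a reparsed copy of the signed document (so the here() element is re-located by element position), and that the enveloped-signature and exc-c14n transforms that follow accept the XmlNodeList output as their input.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

// Hypothetical XPath Filter 2.0 transform for SignedXml (not part of .NET): here() plus intersect/subtract/union,
// emitting an XmlNodeList that the enveloped-signature and exc-c14n transforms after it accept as input.
public sealed class XPathFilter2Transform : Transform
{
    public const string AlgorithmUri = "http://www.w3.org/2002/06/xmldsig-filter2";
    private readonly List<XmlElement> _xpaths = new List<XmlElement>();   // the <xf2:XPath> elements, in order
    private XmlNodeList _inner;
    private XmlDocument _doc;
    public XPathFilter2Transform() { Algorithm = AlgorithmUri; }
    public override Type[] InputTypes => new[] { typeof(XmlDocument) };   // SignedXml hands the first transform an XmlDocument
    public override Type[] OutputTypes => new[] { typeof(XmlNodeList) };
    protected override XmlNodeList GetInnerXml() => _inner;
    public override void LoadInput(object obj) => _doc = obj as XmlDocument ?? throw new ArgumentException(nameof(obj));
    public override object GetOutput(Type type) => typeof(XmlNodeList).IsAssignableFrom(type) ? GetOutput() : throw new ArgumentException(nameof(type));
    // Keeps the <xf2:XPath Filter="..."> children of <ds:Transform>; these are live nodes of the signed document.
    public override void LoadInnerXml(XmlNodeList nodeList)
    {
        _inner = nodeList;
        foreach (XmlNode n in nodeList)
            if (n is XmlElement e && e.LocalName == "XPath" && e.NamespaceURI == AlgorithmUri) _xpaths.Add(e);
        if (_xpaths.Count == 0) throw new CryptographicException("xmldsig-filter2: no XPath element in Transform");
    }
    public override object GetOutput()
    {
        var all = new List<XmlNode>();
        Collect(_doc, all);                          // the input node-set, in document order
        var result = new HashSet<XmlNode>(all);      // the filter node-set starts as the input node-set
        XPathNavigator nav = _doc.CreateNavigator();
        foreach (XmlElement x in _xpaths)
        {
            // SignedXml hashes a reparsed copy of the document, so here() cannot return the live <XPath> element:
            // it is re-located in the copy by element position (assumption: the copy keeps the element structure).
            var ctx = new HereContext(_doc.SelectSingleNode(ElementPath(x)),
                                      x.CreateNavigator().GetNamespacesInScope(XmlNamespaceScope.ExcludeXml));
            XPathExpression expr = nav.Compile(x.InnerText.Trim());   // expression text comes from the signature: untrusted
            expr.SetContext(ctx);                                     // only here() and in-scope prefixes are available to it
            if (!(nav.Evaluate(expr) is XPathNodeIterator it)) throw new CryptographicException("xmldsig-filter2: XPath is not a node-set");
            var subtree = new List<XmlNode>();       // each selected node expanded to its whole subtree
            while (it.MoveNext()) Collect(((IHasXmlNode)it.Current).GetNode(), subtree);
            string op = x.GetAttribute("Filter");
            if (op == "intersect") result.IntersectWith(subtree);
            else if (op == "subtract") result.ExceptWith(subtree);
            else if (op == "union") result.UnionWith(subtree);
            else throw new CryptographicException("xmldsig-filter2: unknown Filter value '" + op + "'");
        }
        return new ListNodeList(all.FindAll(result.Contains));   // output = input ∩ filter set, in document order
    }
    // A node, its attributes (xmlns declarations included) and all descendants, in document order.
    private static void Collect(XmlNode n, List<XmlNode> into)
    {
        into.Add(n);
        if (n.Attributes != null) foreach (XmlNode a in n.Attributes) into.Add(a);
        foreach (XmlNode c in n.ChildNodes) Collect(c, into);
    }
    // "/*[i]/*[j]/..." by element-sibling position, so removed comments or whitespace text do not shift it.
    private static string ElementPath(XmlNode n) => n is XmlElement
        ? ElementPath(n.ParentNode) + "/*[" + (1 + n.SelectNodes("preceding-sibling::*").Count) + "]" : "";
    // Resolves the prefixes in scope at the <XPath> element and implements here() as the node-set { that element }.
    private sealed class HereContext : XsltContext, IXsltContextFunction
    {
        private readonly XmlNode _here;
        public HereContext(XmlNode here, IDictionary<string, string> ns)
        {
            _here = here;
            foreach (var kv in ns) if (kv.Key.Length > 0) AddNamespace(kv.Key, kv.Value);
        }
        public override int CompareDocument(string baseUri, string nextbaseUri) => 0;
        public override bool PreserveWhitespace(XPathNavigator node) => true;
        public override bool Whitespace => true;
        public override IXsltContextVariable ResolveVariable(string prefix, string name) => null;   // no variables
        public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes) =>
            prefix.Length == 0 && name == "here" ? this : null;                                      // no other functions
        public XPathResultType[] ArgTypes => new XPathResultType[0];
        public XPathResultType ReturnType => XPathResultType.NodeSet;
        public int Minargs => 0;
        public int Maxargs => 0;
        public object Invoke(XsltContext ctx, object[] args, XPathNavigator docContext) =>
            _here != null ? _here.CreateNavigator().Select(".") : throw new CryptographicException("here() element not found");
    }

    private sealed class ListNodeList : XmlNodeList
    {
        private readonly List<XmlNode> _nodes;
        public ListNodeList(List<XmlNode> nodes) { _nodes = nodes; }
        public override int Count => _nodes.Count;
        public override XmlNode Item(int index) => _nodes[index];
        public override IEnumerator GetEnumerator() => _nodes.GetEnumerator();
    }
}
```

Register it with CryptoConfig.AddAlgorithm(typeof(XPathFilter2Transform), XPathFilter2Transform.AlgorithmUri) before calling SignedXml.LoadXml, and add the URI to the allow-list the answer describes (SignedXml.SafeCanonicalizationMethods on .NET Framework 4.6.2 and later). The XPath expression is taken from the signature, that is from untrusted input, so the context deliberately exposes no variables and no function other than here(), and a result that is not a node-set is rejected rather than coerced.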