SignedXml.CheckSignature fails in .NET 4 but it works in .NET 3.5, 3 or 2

无人共我 2020-12-07 00:14

I have a response from a 3rd-party web service. I load an XmlDocument with that response.

  string txt = readStream.ReadToEnd();
  response = new XmlDocumen         


        
8 Answers
  • 2020-12-07 01:09

    I had the same problem but none of those answers helped me. In this case whether it works depends on the operating system I used, not on the .NET version.

    I enabled the SignedXml log by adding this code to the app.config to see what was happening behind the scenes:

    <system.diagnostics>
        <sources>
            <source name="System.Security.Cryptography.Xml.SignedXml" switchName="XmlDsigLogSwitch">
                <listeners>
                    <add name="logFile" />
                </listeners>
            </source>
        </sources>
        <switches>
            <add name="XmlDsigLogSwitch" value="Verbose" />
        </switches>
        <sharedListeners>
            <add name="logFile" type="System.Diagnostics.TextWriterTraceListener" initializeData="XmlDsigLog.txt" />
        </sharedListeners>
        <trace autoflush="true">
            <listeners>
                <add name="logFile" />
            </listeners>
        </trace>
    </system.diagnostics>
    

    It wrote this particular line:

    System.Security.Cryptography.Xml.SignedXml Information: 17 : [SignedXml#033ec00f, UnsafeTransformMethod] Canonicalization method "http://www.w3.org/TR/1999/REC-xpath-19991116" is not on the safe list. Safe canonicalization methods are: "http://www.w3.org/TR/2001/REC-xml-c14n-20010315", "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments", "http://www.w3.org/2001/10/xml-exc-c14n#", "http://www.w3.org/2001/10/xml-exc-c14n#WithComments", "http://www.w3.org/2000/09/xmldsig#enveloped-signature", "http://www.w3.org/2000/09/xmldsig#base64", "urn:mpeg:mpeg21:2003:01-REL-R-NS:licenseTransform", "http://www.w3.org/2002/07/decrypt#XML".
    

    I found this Microsoft Support article which tries to fix an error introduced by the security update 3141780: https://support.microsoft.com/en-us/kb/3148821

    In that article, in the Scenario 2 section, there are 2 solutions. I fixed the problem by applying the registry key related to the XPath Transform Method: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods@XmlDsigXPathTransform=http://www.w3.org/TR/1999/REC-xpath-19991116

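A pre-flight check for the situation this answer describes, as an added example that is not part of the original answer: it lists the Algorithm URIs a signed document declares and reports those missing from the safe list printed in the log line above, so the offending transform is known before CheckSignature runs. The class name, method name and sample XML are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

static class TransformAudit
{
    // Safe list copied verbatim from the trace line quoted in the answer.
    static readonly HashSet<string> Safe = new HashSet<string>(StringComparer.Ordinal)
    {
        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
        "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
        "http://www.w3.org/2001/10/xml-exc-c14n#",
        "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
        "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
        "http://www.w3.org/2000/09/xmldsig#base64",
        "urn:mpeg:mpeg21:2003:01-REL-R-NS:licenseTransform",
        "http://www.w3.org/2002/07/decrypt#XML"
    };

    // Returns "ElementName: algorithm" for every declared algorithm not on the list.
    // A missing Algorithm attribute yields an empty string and is reported too.
    public static List<string> FindUnsafeAlgorithms(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
        var flagged = new List<string>();
        foreach (XmlElement e in doc.SelectNodes("//ds:CanonicalizationMethod | //ds:Transform", ns))
        {
            string alg = e.GetAttribute("Algorithm");
            if (!Safe.Contains(alg)) flagged.Add(e.LocalName + ": " + alg);
        }
        return flagged;
    }

    static void Main()
    {
        // Constructed sample: a Signature skeleton with digest and signature values left out.
        const string sample = @"<Signature xmlns=""http://www.w3.org/2000/09/xmldsig#""><SignedInfo>
  <CanonicalizationMethod Algorithm=""http://www.w3.org/2001/10/xml-exc-c14n#""/>
  <Reference URI=""""><Transforms>
    <Transform Algorithm=""http://www.w3.org/2000/09/xmldsig#enveloped-signature""/>
    <Transform Algorithm=""http://www.w3.org/TR/1999/REC-xpath-19991116""/>
  </Transforms></Reference></SignedInfo></Signature>";
        var doc = new XmlDocument();
        doc.LoadXml(sample);
        foreach (string hit in FindUnsafeAlgorithms(doc))
            Console.WriteLine("not on safe list -> " + hit);
    }
}
```

On the constructed sample only the XPath transform is reported, which matches the algorithm named in the log line.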
  • 2020-12-07 01:09

    I solved this problem by adding the same namespace from the Signature tag to SignedInfo, like this:

    Before: [image]

    After: [image]
