.NET doesn't support non-standard XMLDSIG signature element names

走远了吗. 提交于 2019-12-10 12:13:53

问题


I'm trying to implement an industry spec that requires enveloped XML digital signatures (XMLDSIG). Instead of conforming to the examples (<Signature>) my spec uses its own name for the signature element:

<xs:element name="ensembleSignature" type="dsig:SignatureType" />
<!-- wish this was:  <xs:element ref="dsig:Signature" />  -->

So the element isn't named 'Signature' and is in the domain's XML namespace instead of the dsig XML namespace.

With a lot of extra work I can create this custom signature in .NET.

  1. Using the .NET SignedXml class I create <dsig:Signature> element
  2. I manipulate the DOM to remove <dsig:Signature> and recreate the element as <myns:ensembleSignature>.

But it seems .NET can't verify the incoming <myns:ensembleSignature>, even if I rename the incoming element back to <dsig:Signature>.

I've been over the XMLDSIG spec many times, and although all their examples use <Signature> it doesn't seem to specifically require this element name, even for enveloped transforms. So is this a bug in SignedXml that it only supports this single element name when there is no such requirement in XMLDSIG spec?


回答1:


Using a non-standard element name isn't possible in .NET. But the signature element name isn't part of the digest, so you can remove the 'custom' signature element and add a 'standard' signature element name (<Signature>) but be careful not to change any whitespace or namespaces in the SignedInfo element, because SignedInfo IS part of the digest. In the canonicalization method I am using whitespace is significant, and so is the namespace of the elements.

  1. load XML into XmlDocument
  2. find <customSignature xmlns="http://b-to-b.com/Namespace">
  3. create new element <Signature>
  4. move all children of <customSignature> to
    • Be careful not to disturb whitespace or namespace context of <SignedInfo>.
  5. replace <customSignature> with <Signature>
  6. verify signature using .NET SignedXml class


来源:https://stackoverflow.com/questions/9371356/net-doesnt-support-non-standard-xmldsig-signature-element-names

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!