473,785 Members | 2,829 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Issues with SignedXml Class

Class SignedXml is used to produce/verify signature over XML document. One of its methods, function GetIdElement, is used to select Xml elements for signature and verification and consist following line:

xmlElement = document.Select SingleNode(Stri ng.Concat("//*[@Id=\"", idValue, "\"]")) is XmlElement;

I can see two issues with this line

1. URI injection - there is no validation of idValue whatsoever; therefore I can successfully validate document below (see what is the URI). I have control over XPATH query you are performing. Although I cannot find any "dangerous" functions in XPATH specification, I think it is bug that should be fixed, especially before XPATH 2.0

<test><el1 Id="abc" /><el2 noid="qwerty" /><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><Sign edInfo><Canonic alizationMethod Algorithm="http ://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMeth od Algorithm="http ://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#abc1"] | //*[@noid="qwerty"> <Transforms><Tr ansform Algorithm="http ://www.w3.org/2000/09/xmldsig#envelop ed-signature" /><Transform Algorithm="http ://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><Dig estMethod Algorithm="http ://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>L b1b1rf+AbI+zRYH nL3AQXLfWoQ=</DigestValue></Reference></SignedInfo><Sig natureValue>sUf pZr66IpdqxsfEaf Ih+lUbRJCifQWGj SckVMNlOqoa2RA/UPFRPcajTbbSe+U RVU+MrU9cV1bhP8 nH4DNNuWy3Kdmy2 mhXxObqsPLqfwf5 bOSwFEpGckQq52+ YrIx+Wi127VfdQM qC33J7Afm/trY5c0O6I2cFswm 0EWgeFW8=</SignatureValue> </Signature></test>

2. Why SelectSingleNod e is used instead of SelectNodes? Because of it only the first element is returned and no exception is raised if there are two XML elements with the same Id. I can use it and having one valid signature create new docment (with the same Id) and signature will be still valid. Example below:

I have
<test><el1 Id="abc" /><el2 Id="qwerty">val ue1</el2><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><Sign edInfo><Canonic alizationMethod Algorithm="http ://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMeth od Algorithm="http ://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#qwerty">< Transforms><Tra nsform Algorithm="http ://www.w3.org/2000/09/xmldsig#envelop ed-signature" /><Transform Algorithm="http ://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><Dig estMethod Algorithm="http ://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>v TwJDnUsVD3k4J+S adUZRK5tp6k=</DigestValue></Reference></SignedInfo><Sig natureValue>ju9 QkFABobpzShI1cH Imx+oeo3Bttzge+ So407KZ47ViSpxp cjfCDMbPoeDyFkG CC99O/vKhkwcCq9iqPgda jgtBQ+ZjUTODRwV MNxz42Z3Vq0Yu+U JHA2gGIaCyQpLBY GSAwqo8rdTw5Fv1 Bi5Br441wGkAQS/lblTK2ubZRcA=</SignatureValue> </Signature></test>

I can create
<test><el1 Id="abc"><el2 Id="qwerty">val ue1</el2></el1><el2 Id="qwerty">val ue2</el2><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><Sign edInfo><Canonic alizationMethod Algorithm="http ://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMeth od Algorithm="http ://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#qwerty">< Transforms><Tra nsform Algorithm="http ://www.w3.org/2000/09/xmldsig#envelop ed-signature" /><Transform Algorithm="http ://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><Dig estMethod Algorithm="http ://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>v TwJDnUsVD3k4J+S adUZRK5tp6k=</DigestValue></Reference></SignedInfo><Sig natureValue>ju9 QkFABobpzShI1cH Imx+oeo3Bttzge+ So407KZ47ViSpxp cjfCDMbPoeDyFkG CC99O/vKhkwcCq9iqPgda jgtBQ+ZjUTODRwV MNxz42Z3Vq0Yu+U JHA2gGIaCyQpLBY GSAwqo8rdTw5Fv1 Bi5Br441wGkAQS/lblTK2ubZRcA=</SignatureValue> </Signature></test>

Signature will be successfully validated, but instead of value1 my code responsible for deserialization el2 will use value2.

Of course multiple Id are not permitted; therefore I would expect that it should raise an exception, instead of happily validating signature.

My suggestion for everyone who uses this class is two create a new class, inherit from SignedXml and overload GetIdElement class.

Cheers,

Pak76
Nov 12 '05 #1
0 1771

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
5
2902
Help - Soap Message - SignedXml - Apache Xml Security Suite - Interoperability
by: Raghu | last post by:
I am using SignedXml class to sign and verify soap xml documents. We are not using WSE at this point. When I sign a soap document and send it to my trading partner, they can verify the document without any problem. However when they send me the signed soap document, I am not able to verify it. But they can take their signed document and can verify it without any problem. They are using Apache Xml Security Suite (v 1.0.4). One thing we...
.NET Framework
0
491
Issues with SignedXml Class
by: pak76 | last post by:
Class SignedXml is used to produce/verify signature over XML document. One of its methods, function GetIdElement, is used to select Xml elements for signature and verification and consist following line: xmlElement = document.SelectSingleNode(String.Concat("//*")) is XmlElement; I can see two issues with this line 1. URI injection - there is no validation of idValue whatsoever; therefore I can successfully validate document below (see...
.NET Framework
0
3764
SignedXML.CheckSignature() not working
by: ChrisA | last post by:
I'm using Michael Gallants DecodeCertKey example to get the public key from an X509 certificate. I then create an RSAServiceProvider and try to use it to CheckSignature() on the signed XML file. Other sources such as http://www.infomosaic.net/XMLSign/SecureXMLVerifyWS.htm can verify the signature, but .Net won't. Any ideas? Here is the code I'm using: ' Verify the signature of an XML file and return the result. Public Shared Function...
.NET Framework
2
4999
SignedXML throws error
by: Nikhil | last post by:
When I try to used the CheckSignature Method of SignedXML I get the following error. "Unknown transform has been encountered. at System.Security.Cryptography.Xml.Reference.LoadXml(XmlElement value)\r\n at System.Security.Cryptography.Xml.SignedInfo.LoadXml(XmlElement value)\r\n at System.Security.Cryptography.Xml.Signature.LoadXml(XmlElement value)\r\n at System.Security.Cryptography.Xml.SignedXml.LoadXml(XmlElement value)\r\n at...
.NET Framework
4
5001
SignedXML
by: Karol | last post by:
Hello, I'm trying to create signed XML document with SignedXml class. As a SigningKey I'd like to use key pair obtained from user certificate stored in current user certificate store. I'm using WSE 2 SP 2 to get certificate, but when I'm invoking ComputeSignature() method of SignedXML instance I recive the following exception: "An unhandled exception of type 'System.NotSupportedException' occurred in microsoft.web.services2.dll
.NET Framework
2
2631
SignedXml question
by: William Stacey [MVP] | last post by:
Given the following, how do I get the plain xml without the security elements (i.e. the original xml before the security was added) in the VerifyXML() method. TIA. using System; using System.Security.Cryptography; using System.Security.Cryptography.Xml; using System.Xml; using System.IO;
C# / C Sharp
0
1568
SignedXML from a SmartCard
by: Senshodan | last post by:
Hi all, I'm trying to use the SignedXML class in order to create a XMLDSIG signature using a certificate stored in a smartcard. For that purpose I find out the data of the certificate context ( key contai ner name, provider type & name) and I create a cspParameters with that info. The problem arises when I try to create a new RSACryptoServicesProvider usin g the cspParameters. Then I got the error "More info is available" that is n ot a...
C# / C Sharp
2
5787
SignedXml, X509Certificate2 and certificates with *Strong* protection
by: Rune Nergard | last post by:
I have tried to use the System.Security.Cryptography.Xml.SignedXml class to sign an Xml message with Xml-DSIG and using an Enveloped signature type and the sha1RSA algorithm. Everything works fine with soft certificates and some smartcard based certificates. I'm using X509Certificate2 to hold the certificates. My problem is that our customers is forced (by law!) to use a smart-card based personal certificate with strong protection. That is...
.NET Framework
1
4373
SignedXml gives false negatives when using namespaces in signed xm
by: Peter Ravnholt | last post by:
Hello all, It seems that digitally signing XML documents using the SignedXml class has a bug - or at least a behavior I cannot explain. The problem occurs when I sign XML documents containing namespace prefixes and namespace references and then validate it. The validation always fails (returns false) in this case. When I remove the namespace prefixes and namespace references from the XML, signing and validating works fine.
.NET Framework
0
9645
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
General
0
9480
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
Windows Server
0
10327
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
C / C++
1
10092
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
8973
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
0
5381
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration
0
5511
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
1
4053
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
C# / C Sharp
2
3647
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us