
Issues with SignedXml Class

The SignedXml class is used to produce/verify a signature over an XML document. One of its methods, GetIdElement, is used to select XML elements for signing and verification and consists of the following line:

xmlElement = document.SelectSingleNode(String.Concat("//*[@Id=\"", idValue, "\"]")) as XmlElement;

I can see two issues with this line

1. URI injection - there is no validation of idValue whatsoever; therefore I can successfully validate the document below (see what the URI is). I have control over the XPATH query you are performing. Although I cannot find any "dangerous" functions in the XPATH specification, I think it is a bug that should be fixed, especially before XPATH 2.0

<test><el1 Id="abc" /><el2 noid="qwerty" /><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#abc1&quot;] | //*[@noid=&quot;qwerty"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>Lb1b1rf+AbI+zRYHnL3AQXLfWoQ=</DigestValue></Reference></SignedInfo><SignatureValue>sUfpZr66IpdqxsfEafIh+lUbRJCifQWGjSckVMNlOqoa2RA/UPFRPcajTbbSe+URVU+MrU9cV1bhP8nH4DNNuWy3Kdmy2mhXxObqsPLqfwf5bOSwFEpGckQq52+YrIx+Wi127VfdQMqC33J7Afm/trY5c0O6I2cFswm0EWgeFW8=</SignatureValue></Signature></test>

2. Why is SelectSingleNode used instead of SelectNodes? Because of it, only the first element is returned and no exception is raised if there are two XML elements with the same Id. I can use it and, having one valid signature, create a new document (with the same Id) and the signature will still be valid. Example below:

I have
<test><el1 Id="abc" /><el2 Id="qwerty">value1</el2><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#qwerty"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>vTwJDnUsVD3k4J+SadUZRK5tp6k=</DigestValue></Reference></SignedInfo><SignatureValue>ju9QkFABobpzShI1cHImx+oeo3Bttzge+So407KZ47ViSpxpcjfCDMbPoeDyFkGCC99O/vKhkwcCq9iqPgdajgtBQ+ZjUTODRwVMNxz42Z3Vq0Yu+UJHA2gGIaCyQpLBYGSAwqo8rdTw5Fv1Bi5Br441wGkAQS/lblTK2ubZRcA=</SignatureValue></Signature></test>

I can create
<test><el1 Id="abc"><el2 Id="qwerty">value1</el2></el1><el2 Id="qwerty">value2</el2><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><Reference URI="#qwerty"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /><DigestValue>vTwJDnUsVD3k4J+SadUZRK5tp6k=</DigestValue></Reference></SignedInfo><SignatureValue>ju9QkFABobpzShI1cHImx+oeo3Bttzge+So407KZ47ViSpxpcjfCDMbPoeDyFkGCC99O/vKhkwcCq9iqPgdajgtBQ+ZjUTODRwVMNxz42Z3Vq0Yu+UJHA2gGIaCyQpLBYGSAwqo8rdTw5Fv1Bi5Br441wGkAQS/lblTK2ubZRcA=</SignatureValue></Signature></test>

The signature will be successfully validated, but instead of value1 my code responsible for deserializing el2 will use value2.

Of course multiple Ids are not permitted; therefore I would expect that it should raise an exception instead of happily validating the signature.

My suggestion for everyone who uses this class is to create a new class, inherit from SignedXml and overload the GetIdElement method.

Cheers,

Pak76
Nov 12 '05 #1
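An added example of the subclass the post suggests (not the poster's code and not Microsoft's): it overrides GetIdElement, which SignedXml exposes as a virtual method, rejects any Id value outside a strict character set before the value is spliced into the XPath query, and uses SelectNodes so that a second element carrying the same Id fails verification instead of being silently ignored. The class name StrictSignedXml, the Verify helper and the Id whitelist are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Text.RegularExpressions;
using System.Xml;

// Hypothetical subclass (not part of the .NET Framework) addressing both points
// in the post. SignedXml strips the leading '#' from the Reference URI before
// calling GetIdElement, so idValue here is the bare Id.
public class StrictSignedXml : SignedXml
{
    // Assumed whitelist: letters, digits, '_', '-', '.', starting with a letter or '_'.
    // Quotes, brackets, '|' and whitespace can therefore never reach the XPath text.
    private static readonly Regex SafeId =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_.\-]*$", RegexOptions.Compiled);

    public StrictSignedXml(XmlDocument document) : base(document) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        if (document == null || string.IsNullOrEmpty(idValue))
            return null;
        // Issue 1: validate before concatenating instead of trusting the URI.
        if (!SafeId.IsMatch(idValue))
            throw new CryptographicException(
                "Reference URI '#" + idValue + "' is not a valid Id and was rejected.");
        // Issue 2: collect every element with this Id, not only the first one.
        XmlNodeList matches = document.SelectNodes("//*[@Id=\"" + idValue + "\"]");
        if (matches == null || matches.Count == 0)
            return null; // SignedXml itself then fails the reference as missing
        if (matches.Count > 1)
            throw new CryptographicException(
                "Id '" + idValue + "' occurs " + matches.Count + " times; refusing to verify.");
        return matches[0] as XmlElement;
    }

    // Convenience wrapper: verifies the single enveloped signature in 'document' with 'key'.
    public static bool Verify(XmlDocument document, AsymmetricAlgorithm key)
    {
        XmlNodeList sigs = document.GetElementsByTagName("Signature", XmlDsigNamespaceUrl);
        if (sigs.Count != 1)
            throw new CryptographicException("Expected exactly one Signature element.");
        StrictSignedXml signedXml = new StrictSignedXml(document);
        signedXml.LoadXml((XmlElement)sigs[0]);
        return signedXml.CheckSignature(key);
    }
}
```

With this subclass the first document in the post is rejected at the URI check and the third is rejected because "qwerty" matches two elements; only the second, where the Id is unique, reaches CheckSignature.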
