SignedXml, X509Certificate 2 and certificates with *Strong* protection

I have tried to use the System.Security.Cryptography.Xml.SignedXml class
to sign an Xml message with Xml-DSIG and using an Enveloped signature type
and the sha1RSA algorithm. Everything works fine with soft certificates
and some smartcard based certificates. I'm using X509Certificate2 to hold
the certificates. My problem is that our customers are forced (by law!) to
use a smart-card based personal certificate with strong protection. That
is a certificate that can't be accessed without the user being informed.
If a message is to be signed, the user will have to punch his pin code for
every message he's signing. When I try to get the
X509Certificate2.PrivateKey property to set the SigningKey property in the
SignedXml class, it fails. I found a link to a message indicating the
reason why: http://www.ureader.com/message/200413.aspx. It says there:
"noticed that the CryptAcquireCertificatePrivateKey() call was using a
"silent" flag". It looks like the X509Certificate2 class is using
CryptoApi, and the PrivateKey property's get method is using
CryptAcquireCertificatePrivateKey() with the second parameter including
the CRYPT_ACQUIRE_SILENT_FLAG. That will not work with these certificates.

Now to my question: Is there any way to circumvent this? If the SignedXml
class could compute and expose the Hash-value, I could use InterOp and
write a small c++ routine that signs the hash, and returns the signature,
but it looks like the ComputeSignature is an atomic operation preventing
any customization. I already have working c++ code for signing a hash
using certificates with strong protection, using CryptoApi, but I hoped I
didn't have to write all the Xml-handling myself, but could use the
SignedXml class for that. Or most preferable: Force X509Certificate2 to
allow the CSP to show the PIN-dialog before returning the algorithm.
Regards

Rune Nergard
Jun 15 '06 #1
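An added example (not code from this thread) of the "most preferable" route in C#: instead of X509Certificate2.PrivateKey, read the certificate's key-container info through CryptoAPI and open that container with CspParameters, which does not request silent acquisition, then hand the resulting key to SignedXml. It assumes .NET 2.0 on Windows with a CAPI-based smart-card CSP; the class and method names are my own.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

static class StrongKeySigner {
    const uint CERT_KEY_PROV_INFO_PROP_ID = 2;   // CRYPT_KEY_PROV_INFO property of a cert context
    const uint CRYPT_MACHINE_KEYSET = 0x20;      // key container lives in the machine key store
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct CRYPT_KEY_PROV_INFO {
        public string pwszContainerName, pwszProvName;
        public uint dwProvType, dwFlags, cProvParam;
        public IntPtr rgProvParam;
        public uint dwKeySpec;
    }
    [DllImport("crypt32.dll", SetLastError = true)]
    static extern bool CertGetCertificateContextProperty(
        IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);

    // Open the certificate's own CSP key container without requesting silent acquisition,
    // so a smart-card CSP is free to show its PIN dialog when the key is actually used.
    public static RSACryptoServiceProvider OpenPrivateKey(X509Certificate2 cert) {
        uint cb = 0;
        CertGetCertificateContextProperty(cert.Handle, CERT_KEY_PROV_INFO_PROP_ID, IntPtr.Zero, ref cb);
        IntPtr buf = Marshal.AllocHGlobal((int)cb);
        try {
            if (!CertGetCertificateContextProperty(cert.Handle, CERT_KEY_PROV_INFO_PROP_ID, buf, ref cb))
                throw new CryptographicException(Marshal.GetLastWin32Error());
            CRYPT_KEY_PROV_INFO info = (CRYPT_KEY_PROV_INFO)Marshal.PtrToStructure(buf, typeof(CRYPT_KEY_PROV_INFO));
            CspParameters csp = new CspParameters((int)info.dwProvType, info.pwszProvName, info.pwszContainerName);
            csp.KeyNumber = (int)info.dwKeySpec;            // AT_KEYEXCHANGE = 1, AT_SIGNATURE = 2
            csp.Flags = CspProviderFlags.UseExistingKey;    // deliberately no CspProviderFlags.NoPrompt
            if ((info.dwFlags & CRYPT_MACHINE_KEYSET) != 0)
                csp.Flags |= CspProviderFlags.UseMachineKeyStore;
            return new RSACryptoServiceProvider(csp);
        } finally { Marshal.FreeHGlobal(buf); }
    }

    // Enveloped XML-DSIG over the whole document; with an RSA key SignedXml defaults to RSA-SHA1.
    public static void SignEnveloped(XmlDocument doc, X509Certificate2 cert) {
        SignedXml signedXml = new SignedXml(doc);
        signedXml.SigningKey = OpenPrivateKey(cert);
        Reference reference = new Reference("");            // "" = the entire document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();                        // the CSP prompts for the PIN here
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }
}
```

Because the container is opened without CspProviderFlags.NoPrompt, every ComputeSignature call lets the CSP raise its PIN dialog, which is exactly the per-message user consent that strong protection is meant to enforce.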
Hi Rune,

The dotnet.xml newsgroup is mainly for Xml discussions. Since your question
is about signing and security, besides posting in dotnet.security group,
you can also post in the following one. There might be more professionals
who can help you there. HTH.

microsoft.public.security.crypto

Kevin Yu
Microsoft Online Community Support

===============================================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
===============================================================================

(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Jun 16 '06 #2
Hello!
You wrote on Thu, 15 Jun 2006 11:13:09 +0200:

RN> using CryptoApi, but I hoped I didn't have to write all the
RN> Xml-handling myself, but could use the SignedXml class for that. Or
RN> most preferable: Force X509Certificate2 to allow the CSP to show the
RN> PIN-dialog before returning the algorithm.

If you don't find an easier-to-use solution, check our XMLBlackbox (
http://www.eldos.com/sbb/net-xml.php )

With best regards,
Eugene Mayevski
http://www.SecureBlackbox.com - the comprehensive component suite for
network security

Jun 17 '06 #3
