ernestxp

Hi everyone!

I have code to sign an XML document using msxml5 and it works perfectly, BUT msxml5 is only included with Office, so I am trying to convert my code to the Framework classes to do the signing. I get the same value in the <DigestValue> but a different value in the <SignatureValue>, and of course I am using the same certificate. So when I check the signature of the XML document with another application, it says the signature is wrong.

Here is the code to sign using the Framework classes (Visual Basic 2005 .NET); I am using a detached signature:

' File-level Imports the snippet needs (System.Security.Cryptography.Xml is System.Security.dll)
Imports System.Security.Cryptography
Imports System.Security.Cryptography.Xml
Imports System.Xml

Dim id_container As String = "{10CA2CE8-A17E-436A-BB62-22B98F36CDA6}"
Dim FileName As String = "c:\demo.xml"
Dim SignedFileName As String = "c:\demo_signed.xml"   ' output path; assumed, not declared in the original

' Open the RSA key pair stored in the CSP container
Dim cspParams As New CspParameters
cspParams.KeyContainerName = id_container
cspParams.ProviderType = 1    ' PROV_RSA_FULL
cspParams.KeyNumber = 2       ' AT_SIGNATURE key of the container
Dim key As New RSACryptoServiceProvider(cspParams)

' Load the document keeping whitespace, so the digest is over the document as it is on disk
Dim doc As New XmlDocument()
doc.PreserveWhitespace = True
doc.Load(FileName)

Dim signer As New SignedXml(doc)
signer.KeyInfo = New KeyInfo
signer.KeyInfo.AddClause(New RSAKeyValue(key))
signer.SigningKey = key

' One Reference to the element with ID="SetDoc", canonicalized (C14N) before digesting
Dim referencia As New Reference()
referencia.Uri = "#SetDoc"
referencia.AddTransform(New XmlDsigC14NTransform())
signer.AddReference(referencia)

signer.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA1Url
signer.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigCanonicalizationUrl
signer.ComputeSignature()

'------------------------------------------------------------------------------------
' Append the generated <Signature> to the document, then write only that element out
Dim xmlDigitalSignature As XmlElement = signer.GetXml()
doc.DocumentElement.AppendChild(doc.ImportNode(xmlDigitalSignature, True))

If TypeOf doc.FirstChild Is XmlDeclaration Then
    doc.RemoveChild(doc.FirstChild)
End If

Dim vencode As System.Text.Encoding = System.Text.Encoding.GetEncoding("ISO-8859-1")
Dim xmltw As New XmlTextWriter(SignedFileName, vencode)
xmltw.Formatting = Formatting.Indented
xmlDigitalSignature.WriteTo(xmltw)
xmltw.Close()

ANY HELP!!!!!

Ernesto



Re: XML and the .NET Framework XML Digital Signature Problems

Derek Smyth

Hi,

Just like to say I have sat here for the last 10 minutes and I have no idea why this is happening. Do you think you could post your private key (only kidding!)? Post your MSXML code so I can reproduce the error. If you're getting the correct DigestValue, which is the hash of the file's contents, then it implies that a) either you're using a different certificate (and I'm sure you've checked that), or b) there is a difference in the algorithm that encrypted the hash to make the digital signature, and that suggests a bug or at least a breaking change.

I don't have time to write out the MSXML code, but if you post the code perhaps I can reproduce the error and from there I can have a look and see if I spot anything.

Re: XML and the .NET Framework XML Digital Signature Problems

ernestxp

OK, here is the other code (the good one):

Code Block

Imports msxml = MSXML2

----------------------------------------

Dim id_container As String = "{10CA2CE8-A17E-436A-BB62-22B98F36CDA6}"
Dim vfilesetdte As String = "c:\demo.xml"
Dim vcomillas As Char = Chr(34)   ' double-quote character for the XPath predicate

' Namespaces for the XPath queries below. The original relies on a SIINS constant declared
' elsewhere; this value is assumed from the prefixes used here and the namespaces in demo.xml.
Dim SIINS As String = "xmlns:sii='http://www.sii.cl/SiiDte' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'"

Dim xmldoc As New msxml.DOMDocument50
Dim xmldsig As New msxml.MXDigitalSignature50
Dim dsigKey As msxml.IXMLDSigKey
Dim dataObj As msxml.IXMLDOMNode
Dim xpath As String

xmldoc.load(vfilesetdte)
xmldoc.setProperty("SelectionNamespaces", SIINS)

' The empty <Signature> already present in the file is the template MSXML fills in
xmldsig.signature = xmldoc.selectSingleNode("//sii:EnvioDTE/ds:Signature")

' The data that Reference URI="#SetDoc" points at: the SetDTE element with that ID
xpath = "/sii:EnvioDTE/sii:SetDTE[@ID=" & vcomillas & "SetDoc" & vcomillas & "]"
dataObj = xmldoc.selectSingleNode(xpath)
xmldsig.setReferenceData("#SetDoc", dataObj)

' Key from the CSP container (provider type 1 = PROV_RSA_FULL); sign without writing KeyInfo
dsigKey = xmldsig.createKeyFromCSP(1, "", id_container, 0)
dsigKey = xmldsig.sign(dsigKey, MSXML2.XMLDSIG_WRITEKEYINFO.NOKEYINFO)

Dim vsetdtexml As String = System.IO.Path.GetTempFileName()
xmldoc.save(vsetdtexml)
xmldoc = Nothing

And here is the XML to sign (demo.xml):

Code Block

<?xml version="1.0" encoding="iso-8859-1"?>
<EnvioDTE xmlns="http://www.sii.cl/SiiDte" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.sii.cl/SiiDte EnvioDTE_v10.xsd" version="1.0">
<SetDTE ID="SetDoc">
<Caratula version="1.0">
<RutEmisor>96873490-3</RutEmisor>
<RutEnvia>7980545-9</RutEnvia>
<RutReceptor>60803000-K</RutReceptor>
<FchResol>2004-02-19</FchResol>
<NroResol>0</NroResol>
<TmstFirmaEnv>2007-10-24T16:47:35</TmstFirmaEnv>
<SubTotDTE>
<TpoDTE>33</TpoDTE>
<NroDTE>1</NroDTE>
</SubTotDTE>
</Caratula>
<DTE version="1.0" xmlns="http://www.sii.cl/SiiDte">
<Documento ID="T33F592">
<Encabezado>
<IdDoc>
<TipoDTE>33</TipoDTE>
<Folio>592</Folio>
<FchEmis>2006-02-28</FchEmis>
<TipoDespacho>2</TipoDespacho>
<FmaPago>1</FmaPago>
<FchVenc>2006-03-30</FchVenc>
</IdDoc>
<Emisor>
<RUTEmisor>96873490-3</RUTEmisor>
<RznSoc>EMPRESA DEMO</RznSoc>
<GiroEmis>Asesoria y ventas en area informatica y desarrollo organizacional.</GiroEmis>
<Telefono>(56)-(32) 961798</Telefono>
<Acteco>83231</Acteco>
<DirOrigen>La Paz 1358</DirOrigen>
<CmnaOrigen>Vina del Mar</CmnaOrigen>
<CiudadOrigen>Vina del Mar</CiudadOrigen>
<CdgVendedor> 1</CdgVendedor>
</Emisor>
<Receptor>
<RUTRecep>21225704-4</RUTRecep>
<CdgIntRecep>21225704-4</CdgIntRecep>
<RznSocRecep>chicho</RznSocRecep>
<GiroRecep>Laboratorio</GiroRecep>
<DirRecep>El Conquistador del Monte 4775</DirRecep>
<CmnaRecep>Huechuraba</CmnaRecep>
<CiudadRecep>Santiago</CiudadRecep>
</Receptor>
<Totales>
<MntNeto>1072582</MntNeto>
<TasaIVA>19</TasaIVA>
<IVA>203791</IVA>
<MntTotal>1276373</MntTotal>
</Totales>
</Encabezado>
<Detalle>
<NroLinDet>1</NroLinDet>
<CdgItem>
<TpoCodigo>INT1</TpoCodigo>
<VlrCodigo>SFPR-005</VlrCodigo>
</CdgItem>
<NmbItem>Profactura Base lic. 1 servid</NmbItem>
<DscItem>Licencia 1000 doc/mes UF 120</DscItem>
<QtyItem>0.5</QtyItem>
<UnmdItem>un</UnmdItem>
<PrcItem>2145163</PrcItem>
<MontoItem>1072582</MontoItem>
</Detalle>
<TED version="1.0">
<DD>
<RE>96873490-3</RE>
<TD>33</TD>
<F>592</F>
<FE>2006-02-28</FE>
<RR>21225704-4</RR>
<RSR>chicho</RSR>
<MNT>1276373</MNT>
<IT1>Profactura Base lic. 1 servid</IT1>
<CAF version="1.0">
<DA>
<RE>96873490-3</RE>
<RS>GESTION Y SISTEMAS SOCIEDAD ANONIMA</RS>
<TD>33</TD>
<RNG>
<D>1</D>
<H>10000</H>
</RNG>
<FA>2004-02-25</FA>
<RSAPK>
<M>n3fgV5GVbZ5EaHRZtTTXWmUW0XDwirKc1jTxETAKFKzThLEKw1qIvnnooUDH1iSEGRLXg/1PGRtF0VA/sb89yQ==</M>
<E>Aw==</E>
</RSAPK>
<IDK>100</IDK>
</DA>
<FRMA algoritmo="SHA1withRSA">hRJSQRxb9QTAuQ9UowjDX+VW5xr80OJI+9+Y+gALrvD6KMwLbATb7H5f4M1ES1g8KJWpOD4Hdj7oMeXuCxmgOA==</FRMA>
</CAF>
<TSTED>2007-10-24T16:47:35</TSTED>
</DD>
<FRMT algoritmo="SHA1withRSA">SLSWsQELAVY66UTWwGXQsdKyYQvlFd5q9zPiAeVfiMXyOxdrDr/jAOpmA0/RLwVUIRqoSZ/eTZZjwnsNiX1w/Q==</FRMT>
</TED>
<TmstFirma>2007-10-24T16:47:35</TmstFirma>
</Documento>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#T33F592">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>38AbWR197NB8PewjnHgNM+pTFUI=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
zivbTgM1vrB26UOZT7fWRL48hwYslkC0o75WrjkvtaGT63UDtl2IbdgeYsTbIowekhfOMkLs
mWkf+Oaihyz31gqdugCC9ZSr04bdrZgkqNsQffYQ426AgW66Bd1Em1FeagOIbSbMzIGqxCqM
DI8mXBNbezLYW0oBUsTA1eNm7k8=
</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>4f1KiPwaxLz+N6AQ/IG7SHf0J5v2JjxRSYS4uMaKw3xd4VufyEP2wyZIBBmfK8um1XqscpUNRb775iGSY+yk/1SvQPkSWjXrNuQte6iW7cC9+vbfYPZcUa4X+AXuOdlMKFcqn7tWYv/Ld7lpr+6CMjCzkttABWn5++osPFXdDXE=</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509Certificate>MIIGITCCBQmgAwIBAgIDARQMMA0GCSqGSIb3DQEBBQUAMIHGMQswCQYDVQQGEwJDTDEYMBYGA1UE
ChMPQWNlcHRhLmNvbSBTLkEuMTgwNgYDVQQLEy9BdXRvcmlkYWQgY2VydGlmaWNhZG9yYSBDbGFz
ZSAzIHBlcnNvbmEgbmF0dXJhbDFDMEEGA1UEAxM6QWNlcHRhLmNvbSBBdXRvcmlkYWQgY2VydGlm
aWNhZG9yYSBDbGFzZSAzIHBlcnNvbmEgbmF0dXJhbDEeMBwGCSqGSIb3DQEJARYPaW5mb0BhY2Vw
dGEuY29tMB4XDTA1MDIyMTIyMTUwM1oXDTA4MDIyMTIyMTUwM1owgc8xCzAJBgNVBAYTAkNMMRgw
FgYDVQQKEw9BY2VwdGEuY29tIFMuQS4xLDAqBgNVBAsTI0NlcnRpZmljYWRvIENsYXNlIDMgUGVy
c29uYSBOYXR1cmFsMS0wKwYJKoZIhvcNAQkBFh5wYW1lbGEuZXNjb2JlZG9AcHJvc2lzdGVtLmlu
Zm8xGDAWBgNVBAwTD1BFUlNPTkEgTkFUVVJBTDEvMC0GA1UEAxMmUEFNRUxBIFJBUVVFTCBBTkRS
RUEgRVNDT0JFRE8gRklHVUVST0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOH9Soj8GsS8
/jegEPyBu0h39Ceb9iY8UUmEuLjGisN8XeFbn8hD9sMmSAQZnyvLptV6rHKVDUW+++YhkmPspP9U
r0D5Elo16zbkLXuolu3Avfr232D2XFGuF/gF7jnZTChXKp+7VmL/y3e5aa/ugjIws5LbQAVp+fvq
LDxV3Q1xAgMBAAGjggKPMIICizAdBggrBgEEAbVrDwQRFg9BY2VwdGEuY29tIFMuQS4wQgYDVR0R
BDswOaAXBggrBgEEAcEBAaALFgk3OTgwNTQ1LTmBHnBhbWVsYS5lc2NvYmVkb0Bwcm9zaXN0ZW0u
aW5mbzAPBggrBgEEAbVrCQQDFgEgMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgWgMAsGA1Ud
DwQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwHQYDVR0OBBYEFCOpzGYrgfMj
K46zQuwtQgsyWrbIMB8GA1UdIwQYMBaAFFxcx5oqKT0CMAeIQ9j6hV1SbFEVMCUGA1UdEgQeMByg
GgYIKwYBBAHBAQKgDhYMOTYuOTE5LjA1MC04MIH0BgNVHSAEgewwgekwgeYGCCsGAQQBtWsCMIHZ
MCsGCCsGAQUFBwIBFh9odHRwOi8vd3d3LmFjZXB0YS5jb20vQ1BTL3YxLjAvMIGpBggrBgEFBQcC
AjCBnDAWFg9BY2VwdGEuY29tIFMuQS4wAwIBARqBgUVsIHRpdHVsYXIgaGEgc2lkbyB2YWxpZGFk
byBlbiBmb3JtYSBwcmVzZW5jaWFsLCBxdWVkYW5kbyBoYWJpbGl0YWRvIGVsIENlcnRpZmljYWRv
IHBhcmEgdXNvIHRyaWJ1dGFyaW8sIHBhZ29zLCBjb21lcmNpbyB5IG90cm9zLjAzBggrBgEFBQcB
AQQnMCUwIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmFjZXB0YS5jb20vMDgGA1UdHwQxMC8wLaAr
oCmGJ2h0dHA6Ly9jcmwuYWNlcHRhLmNvbS9DbGFzZTNQZXJzb25hLmNybDANBgkqhkiG9w0BAQUF
AAOCAQEAakIFXTXdsTmLsfkPfDYaIZLXSPHBjdh9G8CBrCU3Ug2HOkc+1btYDJY1c7UGxaLi/uBU
nlPrH9di2SY2Cr3KSJAMOC/2sIxETboBm0mrbob3kzAo27gT5J8POJIuYX5QJ0pRnX9n3yVHb4Pa
K6tmnUASYLvnyF8bKx18DrLcQtaI/arZ33/nDcO5jpX25tnO9jLoz6hYQm5Gq7bHm2GNRyk3lYI8
MlUddt55wqNUTtBiwAKT3J09clyfpomGm5zB2b3Uhrq/ZCPVQqyXMfQBi2I9wi3H19NHJuxbMv+x
L0EjtSALeAuL63bUV8pwhU7CBs1FBfoJUXGysovft2kiiA==</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</DTE>
</SetDTE>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#SetDoc">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>
</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
</SignatureValue>
<KeyInfo>
<KeyValue>
<RSAKeyValue>
<Modulus>4f1KiPwaxLz+N6AQ/IG7SHf0J5v2JjxRSYS4uMaKw3xd4VufyEP2wyZIBBmfK8um1XqscpUNRb775iGSY+yk/1SvQPkSWjXrNuQte6iW7cC9+vbfYPZcUa4X+AXuOdlMKFcqn7tWYv/Ld7lpr+6CMjCzkttABWn5++osPFXdDXE=</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509Certificate>MIIGITCCBQmgAwIBAgIDARQMMA0GCSqGSIb3DQEBBQUAMIHGMQswCQYDVQQGEwJDTDEYMBYGA1UE...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</EnvioDTE>

Re: XML and the .NET Framework XML Digital Signature Problems

Derek Smyth

Hi,

I've had a reasonable look, although I haven't recreated your problem yet. What kind of signature are you generating? It looks like you're creating enveloping signatures with MSXML, but your .NET code doesn't look to be generating those. I'm having a bit of a problem seeing what signatures you generated through MSXML, but some other similar code I've seen suggests that the MSXML code is producing enveloping signatures; is that correct? Which type of signature are you looking to create?

Re: XML and the .NET Framework XML Digital Signature Problems

ernestxp

The enveloping signature is like this:

<Signature>
  <Content></Content>
</Signature>

The enveloped is:

<Content>
  <Signature></Signature>
</Content>

and the detached is:

<Signature>
</Signature>
<Content>
</Content>

So the signature in this case is detached and the content is above it (as you can see in the XML).

The .NET code is just a test to see if I get the same digest value and the same signature value, and I know that the XML with the Signature subtree is created separately from the content.

The content in this case starts at the SetDTE node with the ID SetDoc, something like this:

<EnvioDTE>
  <SetDTE ID="SetDoc">
    .......content to sign
  </SetDTE>
  <Signature>
    ... reference to SetDoc
  </Signature>
</EnvioDTE>

Re: XML and the .NET Framework XML Digital Signature Problems

Derek Smyth

Hi,

I've had a look at this and the results are interesting; here is what I did.

First of all I stored an RSA key in the CSP for both SignedXml and MSXML to use. I then changed your sample XML file so that it only contained the SetDTE element; I removed all the signatures and the parent EnvioDTE, and just worked with that XML document.

I created a detached signature for this document in .NET using the RSA key, not storing the KeyInfo, and this signature verified OK when checked in .NET.

I then created a detached signature in MSXML using the same RSA key, not storing the KeyInfo, and this signature verified OK when checked in MSXML.

However, neither the DigestValue nor the SignatureValue matched. I am getting completely different signatures, and the MSXML signature is not being verified in .NET.

Here is why I think this is happening. There is a difference in the way that the detached signature is being generated in the two technologies. In .NET the XML file is being signed using a stream (because any file can be signed with an XML detached signature, so the XML is treated as binary); however, in MSXML the XML file is being signed from a DOM.

I'm using VBA inside Access to write the MSXML, and the Sign method accepts a type of IStream, but I cannot for the life of me find any way in VBA to create an object of type IStream.

I need to say that the .NET code you posted is not creating a detached XML signature. Here is how you create a detached signature in .NET for an XML document.

' File-level Imports the snippet needs
Imports System.IO
Imports System.Security.Cryptography
Imports System.Security.Cryptography.Xml

' key: the RSA key stored in the CSP for both SignedXml and MSXML (container name assumed here)
Dim cspParams As New CspParameters
cspParams.KeyContainerName = "MyKeyContainer"
Dim key As New RSACryptoServiceProvider(cspParams)

'sign the document into a detached signature
Dim dsig As New SignedXml()
dsig.SigningKey = key

' Reference the file as a stream: the digest is over the raw bytes of the file, not a DOM
Dim strm As New FileStream("XmlFile.xml", FileMode.OpenOrCreate)
Dim fileToSign As New Reference(strm)
fileToSign.Uri = Path.GetFileName(strm.Name)
fileToSign.Type = System.Net.Mime.MediaTypeNames.Text.Xml
dsig.AddReference(fileToSign)

dsig.ComputeSignature()
strm.Close()

From your code it looks like you are creating an enveloping signature without setting any object data.

I am going to try the same experiment with an enveloping signature and see what the results are. That should remove the difference between using the Stream in .NET and the DOM in MSXML, and hopefully the two should verify. If I had known about the IStream in VBA I wouldn't have bothered doing this test, but it's still good practice.

I will post my findings.
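Added example (Python, not either poster's code; it uses a throwaway key, a constructed SetDTE fragment and a hand-built SignedInfo): it computes DigestValue as SHA-1 over the canonicalized content and SignatureValue as RSA-SHA1 over the canonicalized SignedInfo, then shows two ways the signature stops verifying while the digest is unchanged: re-serializing SignedInfo with Formatting.Indented, as the first .NET snippet in this thread does, adds whitespace text nodes that C14N keeps; and a detached Reference over a file stream hashes raw bytes rather than the DOM's canonical form, which is the stream-versus-DOM point made above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Demo-only RSA key from two Mersenne primes: trivially factorable, so it only shows the mechanics.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus size in bytes
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 3447, 9.2

def emsa_pkcs1_v15(digest):
    """EMSA-PKCS1-v1_5 encoding of a SHA-1 digest; this is what rsa-sha1 signs."""
    t = SHA1_DIGESTINFO + digest
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def rsa_sha1_sign(data):
    return pow(emsa_pkcs1_v15(hashlib.sha1(data).digest()), D, N).to_bytes(K, "big")
def rsa_sha1_verify(data, sig):
    return pow(int.from_bytes(sig, "big"), E, N) == emsa_pkcs1_v15(hashlib.sha1(data).digest())

def c14n(xml):
    # Stand-in: Python's built-in is C14N 2.0, not the 2001 C14N 1.0 named in the thread's
    # CanonicalizationMethod, but like it it keeps whitespace text nodes between elements.
    return ET.canonicalize(xml_data=xml).encode()
def digest_value(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def signed_info(digest_b64):
    """Compact SignedInfo with one Reference to #SetDoc, the form SignedXml computes over."""
    return ('<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
            '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
            '<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>'
            '<Reference URI="#SetDoc"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>'
            f'<DigestValue>{digest_b64}</DigestValue></Reference></SignedInfo>')

# Constructed content modelled on the thread's SetDTE element (not the real demo.xml)
CONTENT = ('<SetDTE ID="SetDoc" xmlns="http://www.sii.cl/SiiDte"><Caratula version="1.0">'
           '<RutEmisor>96873490-3</RutEmisor></Caratula></SetDTE>')

def demo(content_xml=CONTENT):
    dv = digest_value(c14n(content_xml))   # <DigestValue>: depends on the content only
    si = signed_info(dv)
    sv = rsa_sha1_sign(c14n(si))           # <SignatureValue>: over the canonical SignedInfo
    indented = si.replace("><", ">\n  <")  # what Formatting.Indented writes back out
    raw_file = ('<?xml version="1.0" encoding="iso-8859-1"?>' + content_xml).encode("latin-1")
    return {"compact_verifies": rsa_sha1_verify(c14n(si), sv),
            "indented_verifies": rsa_sha1_verify(c14n(indented), sv),  # whitespace changed SignedInfo
            "stream_digest_matches_dom": digest_value(raw_file) == dv}  # raw bytes, not DOM C14N
```

A real verifier must apply exactly the canonicalization algorithm named in the signature; the built-in C14N 2.0 is used here only because it needs no extra library and shares the whitespace-preserving behaviour the example relies on.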

Re: XML and the .NET Framework XML Digital Signature Problems

Derek Smyth

Hi again,

I created an enveloped signature in .NET and then in MSXML using the same data (again the document only contains the SetDTE element) and the two signatures match. The .NET generated signature verifies in MSXML and vice versa.

So it looks like the detached signatures didn't match because .NET used streams and MSXML used the DOM.

This doesn't explain why you're getting the same digest but different signatures. What I found, though, is that MSXML uses a template signature, which is a blank digital signature containing no digest and signature value but which has all the other transforms and options specified for generating the signature. The template is loaded into MSXML and filled in whenever you create a signature. It would be worthwhile making sure this template signature has been set up correctly according to the signature you want to generate. Looking at your MSXML code, it appears you're using an existing signature already stored in the file, and that could be throwing your new signature off; it could be using the existing KeyInfo element, for example, which would explain the same digest / different signatures problem.

I also think it would be worthwhile for you to do a similar experiment just with the plain data and try to generate matching enveloped signatures. I think this will give you a better understanding of what is going on with digital signatures and why you're not getting the same results.