SignedXml.CheckSignature failing for valid Enveloped signature with #xpointer(/) reference #95390
Comments
ghost
added
the
|
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones Issue DetailsDescription
This should work, given that Reproduction Stepsvar xmlDoc = new XmlDocument();
xmlDoc.LoadXml("""<?xml version="1.0" encoding="UTF-8"?><hello><world>Hi</world><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#xpointer(/)"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>SVaCE5w9iLXTVYTKP1t/yjjmPXvWovMYpgljGgpgz2Y=</DigestValue></Reference></SignedInfo><SignatureValue>dqcBmS1ZvDJNhmCEgobpAb+A2XaiuB69dfGIhisZvqoxaWqAqv/0w49jp38+usJ5t3wcq3aMC631QE8iln+lHWrarojDMDWLa00isv3oE3q9UgOIV9e6MUSoRTTvQkmlK/LSYV9T/SKx6h03vLLcIkUMXaTkC/n2kthlJTGkLbU=</SignatureValue><KeyInfo><KeyValue><RSAKeyValue><Modulus>t6qV1iTlkCPoaIeOTvnDczQv5pytUxMoyNXws5vaMQYxfJMKos47dvmiLtfWUDLYXFX3Yf/JMC14plJw2JA5jLrlHLnZj/vCjRtXckmWW/wGYewXUqrgR1CytStUeQKj9mNsi76erukua10UhzIrWG+H6YQ/qS4AMMJZU6jBvO0=</Modulus><Exponent>AQAB</Exponent></RSAKeyValue></KeyValue></KeyInfo></Signature></hello>""");
var signedXml = new SignedXml(xmlDoc);
var signature = xmlDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl).OfType<XmlElement>().Single();
signedXml.LoadXml(signature);
var result = signedXml.CheckSignature();Expected behavior
Actual behavior
Regression?This issue started happening between v7.0.0-preview.3.22175.4 and v7.0.0-preview.4.22229.4 Known WorkaroundsNo response ConfigurationNo response Other informationI wrote a small app for reproducing and narrowing down the regression here: https://github.com/m0sa/EnvelopedXMLDSIG I get the following output: I did some debugging and it seems to boil down to the
|
|
@vcsjones yup. I think I have a fix in the PR. |
|
We also just stumbled on this bug. Would be nice to get a fix for .net 8 soon. |
|
The PR with the fix is ready. It would be great if we could backport the fix to the 7.0.x version, too, since it's a regression from 6. |
I lack any "official" word here, but from the support policy:
Since .NET 7 is EOL in < 6 months, I would not expect any fixes to go in to .NET 7. |
|
Maybe any fix for .NET 8? |
|
The PR got merged into main yesterday I don't know what the procedure is to get the fix into .NET 8 |
|
Does anybody else here know how get this fix shipped with a .net 8 patch version? |
I will bring this up for discussion next week. |
|
I've started the process of a backport to 8. It hasn't been approved by servicing yet, so it's not guaranteed to happen. |
|
Servicing was approved and the change is now queued up for the next servicing release. I think that means we'll have an 8.0.1 package on NuGet.org on April 9th; but I could be mistaken about the date. |
Description
SignedXml.CheckSignatureis returningfalsefor valid a enveloped signature document that is using a<ds:References URI="#xpointer(/)">.This should work, given that
xpointer(/)is explicitly mentioned in the documentation, andSignedXmlcodeReproduction Steps
Expected behavior
SignedXml.CheckSignaturereturnstrueActual behavior
SignedXml.CheckSignaturereturnsfalseRegression?
This issue started happening between v7.0.0-preview.3.22175.4 and v7.0.0-preview.4.22229.4
Known Workarounds
No response
Configuration
No response
Other information
I wrote a small app for reproducing and narrowing down the regression here: https://github.com/m0sa/EnvelopedXMLDSIG
I get the following output:
I did some debugging and it seems to boil down to the
XmlDsigEnvelopedSignatureTransform.SignaturePositionnot getting set hereThe text was updated successfully, but these errors were encountered: