.NET 4.6.2 Break Changing - SignedXml.CheckSignature(X509Certificate2, bool) #341
Comments
|
After updating .NET FW to 4.6.2 we experienced the same issue. We ended up with "CryptographicException: Object was not found" exception. However, in our case it was a WCF service hosted inside IIS web application and changing the option "Load User Profile" to True instead of False solved the problem for us (in Advanced Settings of Application Pool). |
|
We are currently getting this: |
|
@hhotham did you solve the issue at your end |
|
Looking into this ... /cc @terrajobst |
|
@Petermarcu, are you aware of any rough spots in that area? |
|
@krwq @danmosemsft |
|
A fix is already being prepared for future .NET Framework releases and servicing updates to .NET 4.6.2. Two workarounds are known at this time: 1) Upgrading the OS to Windows Server 2012R2 or newer, 2) loading the user profile. |
|
@bartonjs the fix is only for CryptographicException: Object was not found? Or also fixes the different behavior when validating signature? |
|
@fujiy It will avoid the path where CngLightup ends up calling CngKey.Create. If you're having a problem that isn't caused by that, we'd need a new bug report. |
|
We had to change the code. In regard to workarounds, we couldn't upgrade to 2012R2, and load user profile was already set. We extracted the certificate from the signedXml and then called signedXml.CheckSignature(cert.PublicKey.Key) with the cert we had extracted from signedXml |
|
After upgrade to .net 4.6.2 I have problem with signedXml.CheckSignature(); with CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"); It works on my machine but don't work on test serwer. Error: System.Security.Cryptography.CryptographicException SignatureDescription could not be created for the signature algorithm supplied. P.S. In my comuper I work as administator and run as Console App., in test serwer there is custom profile created and run as a Windows Service |
|
@zchpit That exception means that the signature algorithm in the document didn't map to a known SignatureDescription. Check that the signature method is what you expect. Note that you shouldn't need the AddAlgorithm call anymore, but also that it shouldn't break things. |
|
@bartonjs what dll name I should add to solution that this method recognise SignatureDescription? Or how to do it manualy? P.S. |
|
Same issue, can't upgrade to 2012 and load user profile is not working.. Any other work arounds? |
|
@christru What is the error that you're getting? A couple of different exceptions have been discussed on this issue. |
|
@zchpit Sorry, I missed... a lot... of notifications from this issue in November. Apparently. On systems with 4.6.2 installed the RSA+SHA256 signature method is available and works fine. If you don't have 4.6.2 installed you need to make a handler for it and register it with CryptoConfig. https://social.msdn.microsoft.com/Forums/vstudio/en-US/6438011b-92fb-4123-a22f-ad071efddf85/xml-digital-signature-with-sha256-algorithm?forum=netfxbcl#7bf8d91a-6bf9-4ee7-90c6-b9e0f3a48706 looks like a good example of this. |
|
@bartonjs the limited trace I have - Happens when calling: SignedXml.CheckSignature(myCert, true) thanks |
|
@christru Are you on a 4.6.2 preview build? The callstack there doesn't look right for either 4.6.1 or 4.6.2+. If so, the answer is probably to upgrade to full 4.6.2 (and then accept the updates which fixed this problem) |
|
@bartonjs registry states Excuse the \r\n enabled additional debugging error is being returned via json result. Yes - it looks slightly different in this production environment then we have recreated in ours. |
No, the difference is in the Windows CNG library underneath .NET, I don't fully understand the difference. Our main fix for the problem was to detect when CNG wasn't working and fall back to the older crypto library (CAPI). If you were calling |
|
@bartonjs Awesome, thank you for all your insight and quick response Jeremy! |
|
The issue I first mentioned didn't throw Exceptions, and I didn't try enabling User Load Profile. The problem was that the same SignedXml returns true in 4.6.1 and returns false in 4.6.2 when calling: SignedXml.CheckSignature(myCert, true) |
|
@fujiy The page you liked to for "as described here" is talking about an exception caused by not loading the user profile. I don't know of situations where it would switch from true to false (and back to true by using cert.PublicKey.Key). I'd be curious to see a repro for that, too. If you don't have one you can share, you can try seeing where it went wrong via the SignedXml logging (https://stackoverflow.com/a/41430472/6535399 being the first example I saw of that) |
|
I don't have any repro anymore :/ |
|
This issue has not got any input for long time and we have changed were issues are tracked. If this is still an issue kindly raise a new issue in the appropriate repo as mentioned in dotnet/1275 |
As described here: http://www.wiktorzychla.com/2016/08/signedxmlchecksignature-and-dreadful.html
SignedXml.CheckSignature in 4.6.2 doesn't work as before.
Looking the source code: https://referencesource.microsoft.com/#System.Security/system/security/cryptography/xml/signedxml.cs,b9518cc2212419a2
You can see that it ends up calling :
CheckSignature(certificate.GetAnyPublicKey())- https://referencesource.microsoft.com/#System.Security/system/security/cryptography/xml/signedxml.cs,342GetAnyPublicKeycallsX509Certificate2.GetRSAPublicKey(), which return a System.Security.Cryptography.RSACng.Whereas that .NET 4.6.1 calls
CheckSignature(certificate.PublicKey.Key)working as expected.As a workaround I am changing my calls from:
SignedXml.CheckSignature(myCert, true)to:
SignedXml.CheckSignature(myCert.PublicKey.Key)Simulating what SignedXml.CheckSignature(X509Certificate2, bool) does in 4.6.1
The text was updated successfully, but these errors were encountered: