author | Krzysztof Wicher <mordotymoja@gmail.com> | 2017-04-21 02:53:47 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-04-21 02:53:47 +0300 |
commit | 378b1e398a40e78f3c40363f91a2359e14c9940c (patch) | |
tree | a6074a3c4adab235b1133e95b074afa1252334da /src | |
parent | 6f9717eaa8f09ff1dd445e2407edc29ac3226845 (diff) | |
parent | cd630bc2c0375c0b34d9aa14328ed96df303cfbb (diff) |
Merge pull request #18685 from krwq/signedxml-def-sha256
Update defaults of SignedXml to use SHA256
Diffstat (limited to 'src')
4 files changed, 65 insertions, 9 deletions
diff --git a/src/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/Reference.cs b/src/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/Reference.cs
index 1b4146202d..a34d3d492c 100644
--- a/src/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/Reference.cs
+++ b/src/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/Reference.cs
@@ -15,6 +15,8 @@ namespace System.Security.Cryptography.Xml
 {
 public class Reference
 {
+ internal const string DefaultDigestMethod = SignedXml.XmlDsigSHA256Url;
+
 private string _id;
 private string _uri;
 private string _type;
@@ -38,7 +40,7 @@ namespace System.Security.Cryptography.Xml
 _refTarget = null;
 _refTargetType = ReferenceTargetType.UriReference;
 _cachedXml = null;
- _digestMethod = SignedXml.XmlDsigSHA1Url;
+ _digestMethod = DefaultDigestMethod;
 }

 public Reference(Stream stream)
@@ -47,7 +49,7 @@ namespace System.Security.Cryptography.Xml
 _refTarget = stream;
 _refTargetType = ReferenceTargetType.Stream;
 _cachedXml = null;
- _digestMethod = SignedXml.XmlDsigSHA1Url;
+ _digestMethod = DefaultDigestMethod;
 }

 public Reference(string uri)
@@ -57,7 +59,7 @@ namespace System.Security.Cryptography.Xml
 _uri = uri;
 _refTargetType = ReferenceTargetType.UriReference;
 _cachedXml = null;
- _digestMethod = SignedXml.XmlDsigSHA1Url;
+ _digestMethod = DefaultDigestMethod;
 }

 internal Reference(XmlElement element)
@@ -66,7 +68,7 @@ namespace System.Security.Cryptography.Xml
 _refTarget = element;
 _refTargetType = ReferenceTargetType.XmlElement;
 _cachedXml = null;
- _digestMethod = SignedXml.XmlDsigSHA1Url;
+ _digestMethod = DefaultDigestMethod;
 }

 //
diff --git a/src/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/SignedXml.cs b/src/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/SignedXml.cs
index 9c743bb092..f07fae4bce 100644
--- a/src/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/SignedXml.cs
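Review bot: `DefaultDigestMethod` is introduced without a doc comment even though, as an `internal` constant, it is now the single place that decides which hash every freshly constructed `Reference` will be signed with. Suggested: `/// <summary>Digest algorithm assigned to a new <see cref="Reference"/> until <see cref="DigestMethod"/> is set explicitly (SHA-256).</summary>`. It would also help to state that this is a signing-side default only: a `Reference` can still be pointed at SHA-1 by setting `DigestMethod` (the updated tests do exactly that), and a parsed document presumably keeps whatever algorithm it declares, so verification of SHA-1 digests is not affected by this constant. The `Reference` class continues beyond this hunk.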
+++ b/src/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/SignedXml.cs
@@ -401,7 +401,7 @@ namespace System.Security.Cryptography.Xml
 {
 // Default to RSA-SHA1
 if (SignedInfo.SignatureMethod == null)
- SignedInfo.SignatureMethod = XmlDsigRSASHA1Url;
+ SignedInfo.SignatureMethod = XmlDsigRSASHA256Url;
 }
 else
 {
@@ -911,7 +911,7 @@ namespace System.Security.Cryptography.Xml
 {
 // If no DigestMethod has yet been set, default it to sha1
 if (reference.DigestMethod == null)
- reference.DigestMethod = XmlDsigSHA1Url;
+ reference.DigestMethod = Reference.DefaultDigestMethod;

 SignedXmlDebugLog.LogSigningReference(this, reference);
diff --git a/src/System.Security.Cryptography.Xml/tests/ReferenceTest.cs b/src/System.Security.Cryptography.Xml/tests/ReferenceTest.cs
index e1fafbc5b9..006e4bd3bd 100644
--- a/src/System.Security.Cryptography.Xml/tests/ReferenceTest.cs
+++ b/src/System.Security.Cryptography.Xml/tests/ReferenceTest.cs
@@ -43,7 +43,7 @@ namespace System.Security.Cryptography.Xml.Tests
 public void Ctor_Uri(string uri)
 {
 Reference reference = new Reference(uri);
- Assert.Equal("http://www.w3.org/2000/09/xmldsig#sha1", reference.DigestMethod);
+ Assert.Equal("http://www.w3.org/2001/04/xmlenc#sha256", reference.DigestMethod);
 Assert.Null(reference.DigestValue);
 Assert.Null(reference.Id);
 Assert.Null(reference.Type);
@@ -61,7 +61,7 @@ namespace System.Security.Cryptography.Xml.Tests
 using (MemoryStream memoryStream = data != null ? new MemoryStream(Encoding.UTF8.GetBytes(data)) : null)
 {
 Reference reference = new Reference(memoryStream);
- Assert.Equal("http://www.w3.org/2000/09/xmldsig#sha1", reference.DigestMethod);
+ Assert.Equal("http://www.w3.org/2001/04/xmlenc#sha256", reference.DigestMethod);
 Assert.Null(reference.DigestValue);
 Assert.Null(reference.Id);
 Assert.Null(reference.Type);
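Review bot: The comment `// Default to RSA-SHA1` two lines above the changed assignment now contradicts the code, which assigns `XmlDsigRSASHA256Url`; change it to `// Default to RSA-SHA256 when the caller has not set a SignatureMethod`. Because the default is a hard-coded RSA URI rather than derived from the key, it is worth confirming that the enclosing branch is only reached with an RSA signing key; a DSA or ECDSA key reaching it would be paired with an algorithm identifier that cannot match. Callers that never set `SignatureMethod` will now emit rsa-sha256 signatures, which a verifier without rsa-sha256 support may reject, so the wire-format change deserves a sentence in the PR description. The enclosing method starts and ends outside this hunk.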
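Review bot: The comment `// If no DigestMethod has yet been set, default it to sha1` is now wrong for the line it describes; change it to `// If no DigestMethod has yet been set, fall back to Reference.DefaultDigestMethod (SHA-256)`. Since the `Reference` constructors in this same change already assign that constant, this branch presumably only fires when a caller has explicitly set `DigestMethod` to null, and a short note saying so would spare the next reader from wondering why the default appears in two places. The enclosing method starts and ends outside this hunk.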
@@ -187,6 +187,7 @@ namespace System.Security.Cryptography.Xml.Tests
 Reference reference = new Reference();
 // adding an empty hash value
 byte[] hash = new byte[20];
+ reference.DigestMethod = SignedXml.XmlDsigSHA1Url;
 reference.DigestValue = hash;
 XmlElement xel = reference.GetXml();
 // this is the minimal Reference (DigestValue)!
diff --git a/src/System.Security.Cryptography.Xml/tests/SignedXmlTest.cs b/src/System.Security.Cryptography.Xml/tests/SignedXmlTest.cs
index d04ad9cdf5..a156b8cbd5 100644
--- a/src/System.Security.Cryptography.Xml/tests/SignedXmlTest.cs
+++ b/src/System.Security.Cryptography.Xml/tests/SignedXmlTest.cs
@@ -15,6 +15,7 @@ using System.IO;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Xml;
+using System.Xml.XPath;
 using Xunit;

 namespace System.Security.Cryptography.Xml.Tests
@@ -187,7 +188,7 @@ namespace System.Security.Cryptography.Xml.Tests
 signedXml.ComputeSignature();

 Assert.Null(signedXml.SigningKeyName);
- Assert.Equal(SignedXml.XmlDsigRSASHA1Url, signedXml.SignatureMethod);
+ Assert.Equal(SignedXml.XmlDsigRSASHA256Url, signedXml.SignatureMethod);
 Assert.Equal(key.KeySize / 8, signedXml.SignatureValue.Length);
 Assert.Null(signedXml.SigningKeyName);
@@ -658,8 +659,10 @@ namespace System.Security.Cryptography.Xml.Tests
 SignedXml signedXml = new SignedXml(doc);
 signedXml.SigningKey = cert.PrivateKey;
 signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
+ signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA1Url;

 Reference reference = new Reference();
+ reference.DigestMethod = SignedXml.XmlDsigSHA1Url;
 reference.Uri = "";

 XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
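Review bot: The added `reference.DigestMethod = SignedXml.XmlDsigSHA1Url;` carries no explanation, and its reason is only implied by `new byte[20]` on the line above; add `// 20-byte DigestValue is SHA-1 sized; pin SHA-1 so the SHA-256 default does not apply` above it. Whether `GetXml()` checks the value length against the algorithm, or whether the expected XML compared later in this test names the sha1 URI, is not visible in the hunk, so the comment should state the intent rather than assert either. The enclosing test method starts and ends outside this hunk.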
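Review bot: The two added lines pin RSA-SHA1 and SHA-1 without a comment, so a later reader will see a test deliberately selecting SHA-1 and may "modernize" it and break the fixture; add `// Expected output was produced with SHA-1; pin both algorithms so the new SHA-256 defaults leave it unchanged` above `signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA1Url;`. That the expected output depends on SHA-1 is inferred from the need to pin it here, since the comparison itself lies outside the hunk. The enclosing test method starts and ends outside this hunk.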
@@ -714,9 +717,11 @@ namespace System.Security.Cryptography.Xml.Tests
 X509Certificate2 cert = new X509Certificate2(_pkcs12, "mono");
 SignedXml signedXml = new SignedXml(doc);
 signedXml.SigningKey = cert.PrivateKey;
+ signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA1Url;
 signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;

 Reference reference = new Reference();
+ reference.DigestMethod = SignedXml.XmlDsigSHA1Url;
 reference.Uri = "";

 XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
@@ -954,8 +959,10 @@ namespace System.Security.Cryptography.Xml.Tests
 SignedXml signedXml = new SignedXml(doc);
 signedXml.SigningKey = cert.PrivateKey;
 signedXml.SignedInfo.CanonicalizationMethod = canonicalizationMethod;
+ signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA1Url;

 Reference reference = new Reference();
+ reference.DigestMethod = SignedXml.XmlDsigSHA1Url;
 reference.Uri = "";

 XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
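Review bot: This is the third test that now pins `SignatureMethod` and `DigestMethod` to SHA-1 with the same two lines, and the placement drifts between them: here `SignatureMethod` is set after `CanonicalizationMethod`, while in the hunk at 714 it is set before it. Keep the order the same in all three, and consider a small private helper in the test class, e.g. `static void PinSha1(SignedXml signedXml, Reference reference)`, so the SHA-1 pinning and its justifying comment live in one place. A one-line comment such as `// fixture predates the SHA-256 defaults; keep SHA-1 so its expected output still matches` above the first added line would document why SHA-1 is chosen on purpose; that the fixture depends on SHA-1 is inferred, since the comparison is outside the hunk. The enclosing test method starts and ends outside this hunk.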
@@ -1543,5 +1550,51 @@ namespace System.Security.Cryptography.Xml.Tests
 SignedXml sign = GetSignedXml(xml);
 Assert.Throws<FormatException>(() => sign.CheckSignature(new HMACSHA1(Encoding.ASCII.GetBytes("no clue"))));
 }
+
+ [Fact]
+ public void SignedXmlUsesSha256ByDefault()
+ {
+ const string expectedSignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+ const string expectedDigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
+
+ const string xml = @"<?xml version=""1.0""?>
+<example>
+<test>some text node</test>
+</example>";
+
+ var doc = new XmlDocument();
+ doc.PreserveWhitespace = true;
+ doc.LoadXml(xml);
+
+ using (RSA key = RSA.Create())
+ {
+ var sxml = new SignedXml(doc)
+ {
+ SigningKey = key
+ };
+
+ Assert.Null(sxml.SignedInfo.SignatureMethod);
+
+ var reference = new Reference();
+ Assert.Equal(expectedDigestMethod, reference.DigestMethod);
+
+ reference.Uri = "";
+ reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
+ sxml.AddReference(reference);
+ sxml.ComputeSignature();
+
+ XmlElement dsig = sxml.GetXml();
+ XPathNavigator xp = dsig.CreateNavigator();
+
+ XmlNamespaceManager nsMgr = new XmlNamespaceManager(xp.NameTable);
+ nsMgr.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#");
+
+ Assert.Equal(expectedSignatureMethod,
+ xp.SelectSingleNode("/ds:SignedInfo/ds:SignatureMethod/@Algorithm", nsMgr)?.Value);
+
+ Assert.Equal(expectedDigestMethod,
+ xp.SelectSingleNode("/ds:SignedInfo/ds:Reference/ds:DigestMethod/@Algorithm", nsMgr)?.Value);
+ }
+ }
 }
 }
|
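Review bot: The new test proves the SHA-256 URIs are written into `SignedInfo` but never checks that the signature produced with the new default actually verifies, which is the part of a default-algorithm change most likely to regress; add `Assert.True(sxml.CheckSignature(key));` after the second `Assert.Equal`. The XPath expressions `/ds:SignedInfo/...` are absolute, so they only match if the element returned by `GetXml()` is detached and its navigator's root is therefore the Signature element itself; a relative `ds:SignedInfo/ds:SignatureMethod/@Algorithm` (and likewise for `DigestMethod`) evaluated from `xp`, which is positioned on that element, does not depend on that detail. With `?.Value`, a missing node shows up as `Assert.Equal` failing against null rather than as "node not found"; selecting into a local and asserting `Assert.NotNull` on it first gives a clearer failure. The two closing braces at the end of the hunk belong to the test class and namespace, which start outside it.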