dotnet / runtime

Desktop: System.Security.Cryptography.Xml.Tests.SigningVerifyingX509Cert.SignedXmlHasCertificateVerifiableSignature failed with "System.NotSupportedException" #21482

Closed KristinXie1 closed 4 years ago

KristinXie1 commented 7 years ago

Failed test: System.Security.Cryptography.Xml.Tests.SigningVerifyingX509Cert.SignedXmlHasCertificateVerifiableSignature

Detail: https://ci.dot.net/job/dotnet_corefx/job/master/job/outerloop_netfx_windows_nt_debug/39/testReport/System.Security.Cryptography.Xml.Tests/SigningVerifyingX509Cert/SignedXmlHasCertificateVerifiableSignature/

MESSAGE:

System.NotSupportedException : Method is not supported.

STACK TRACE:

    at System.Security.Cryptography.RSA.DecryptValue(Byte[] rgb)
    at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
    at System.Security.Cryptography.Xml.Tests.SigningVerifyingX509Cert.SignXml(XmlDocument doc, AsymmetricAlgorithm key) in D:\j\workspace\outerloop_net---903ddde6\src\System.Security.Cryptography.Xml\tests\Samples\SigningVerifyingX509Cert.cs:line 38
    at System.Security.Cryptography.Xml.Tests.SigningVerifyingX509Cert.SignedXmlHasCertificateVerifiableSignature() in D:\j\workspace\outerloop_net---903ddde6\src\System.Security.Cryptography.Xml\tests\Samples\SigningVerifyingX509Cert.cs:line 73

karelz commented 7 years ago

Fixed in dotnet/corefx#19376

KristinXie1 commented 7 years ago

This issue still reproduces: https://ci.dot.net/job/dotnet_corefx/job/master/job/outerloop_netfx_windows_nt_debug/45/testReport/System.Security.Cryptography.Xml.Tests/SigningVerifyingX509Cert/SignedXmlHasCertificateVerifiableSignature/

bartonjs commented 7 years ago

This is probably an if (key is RSACryptoServiceProvider)-ism which was fixed in net462.

krwq commented 7 years ago

@bartonjs I was trying to run this test on a new desktop 4.5.2 project and getting compile errors:

Is this expected?

I'm also not sure I understand if (key is RSACryptoServiceProvider) - what's the proper way to write this test then? (or what's the limitation on desktop?) Here is the skeleton of the test:

    using (X509Certificate2 x509cert = TestHelpers.GetSampleX509Certificate())
    {
        var xmlDoc = new XmlDocument();
        xmlDoc.PreserveWhitespace = true;
        xmlDoc.LoadXml(ExampleXml);

        using (RSA key = x509cert.GetRSAPrivateKey())
        {
            SignXml(xmlDoc, key); // calls key.DecryptValue
        }

        Assert.True(VerifyXml(xmlDoc.OuterXml, x509cert));
    }

All that SignedXml is trying to do is call key.DecryptValue.

bartonjs commented 7 years ago

@krwq Why net452? netstandard20 is net461, we don't support any lower than that.

The problem is https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/rsapkcs1signatureformatter.cs,65. In net461 we didn't have the (middle) else-if. So it went from RSACryptoServiceProvider straight to RSA.DecryptValue (which has never been implemented by a .NET type).

So the whole RSA signing scenario here is busted for 4.6.1; it needs all of the SignedXml-related fixes we did in 4.6.2. While there is workable code that could be written, it's definitely not best-of-breed; it's worst-of-compat; so let's just disable the tests which fail in DecryptValue for net461.
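
An added illustration of the branch layout described in the comment above (not code from this thread or from the .NET reference source): a simplified model of the two formatter layouts, run against an RSACng key, which is an RSA but not an RSACryptoServiceProvider. The method names and the sample input are hypothetical, the body of the net462 middle branch is an assumption, and the program assumes Windows with .NET Framework 4.6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class FormatterDispatchDemo
{
    // Hypothetical model of the net461 layout: RSACryptoServiceProvider is
    // special-cased and every other RSA type falls through to DecryptValue.
    // (The real formatter builds PKCS#1 padding first; omitted here.)
    static byte[] SignNet461Style(RSA key, byte[] hash)
    {
        if (key is RSACryptoServiceProvider csp)
            return csp.SignHash(hash, CryptoConfig.MapNameToOID("SHA256"));
        return key.DecryptValue(hash); // base RSA throws NotSupportedException
    }

    // Hypothetical model of the net462 layout: a middle branch uses the
    // type-agnostic RSA.SignHash, so DecryptValue is never reached here.
    static byte[] SignNet462Style(RSA key, byte[] hash)
    {
        if (key is RSACryptoServiceProvider csp)
            return csp.SignHash(hash, CryptoConfig.MapNameToOID("SHA256"));
        return key.SignHash(hash, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    static void Main()
    {
        // Constructed sample input, not the test's ExampleXml.
        byte[] data = Encoding.UTF8.GetBytes("<root>constructed sample</root>");
        using (SHA256 sha = SHA256.Create())
        using (RSA key = new RSACng(2048)) // an RSA that is not RSACryptoServiceProvider
        {
            byte[] hash = sha.ComputeHash(data);

            try { SignNet461Style(key, hash); }
            catch (NotSupportedException e) { Console.WriteLine("net461 layout: " + e.Message); }

            byte[] sig = SignNet462Style(key, hash);
            bool ok = key.VerifyHash(hash, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            Console.WriteLine("net462 layout verifies: " + ok);
        }
    }
}
```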

krwq commented 7 years ago

@bartonjs - my bad with 4.5.2 🤦‍♂️ I've sent a PR disabling that test

karelz commented 7 years ago

@krwq which PR fixed it?

krwq commented 7 years ago

@karelz the one which says merged two posts above (#19500)