Open Nukepayload2 opened 4 years ago
Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq Notify danmosemsft if you want to be subscribed.
I believe it is possible to get this working today if you are able to implementing the formatters and are able to ensure its correctness.
If you set the signature method URI before signing, it will attempt to resolve a SignatureDescription
from the CryptoConfig
. So you could do something like this:
CryptoConfig.AddAlgorithm(typeof(ECDsaP256SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256");
XmlDocument doc = GetDocument();
SignedXml sxml = new SignedXml(doc);
sxml.SignedInfo.SignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
sxml.SigningKey = ecdsa;
The trick then is to create and implement the ECDsaP256SHA256SignatureDescription
, which is really just used for getting an AsymmetricSignatureDeformatter
and AsymmetricSignatureFormatter
, which are also abstract classes that need to be implemented for ECDSA. Looking at the XmlDSig spec, it expects signatures to be in {R,S} IEEE format, which I believe ECDsa produces by default.
I threw together a gist that implements a bare-bones example here: https://gist.github.com/vcsjones/07460cd1a0adf03ade27151efdf266e2. It bears repeating that this code is a quickly thrown together example to explore the feasibility of it.
@vcsjones thanks for sharing. Example code in you gist looks to be working correctly.
On https://gist.github.com/olljanat/848c51c141634c7306712fe1bbb20727 I combined it with HLKX package signing code and hardware submission portal looks to be detecting it as correctly signed file.
However as far I see, there is not way to define SignatureMethod
method when signing is done thorough PackageDigitalSignatureManager
which why at least https://github.com/olljanat/dotnet-runtime/commit/0de728bec47b76de495de322e1f919c8733fb371 should be included to here.
This feature request is related to the following problem:
When I'm using
System.Security.Cryptography.Xml.SignedXml
, if the type ofSigningKey
isECDsa
,ComputeSignature
will throwCryptographicException
. The exception was thrown at this line: https://github.com/dotnet/runtime/blob/30119554b2be144ceff06a41326345975dd178f9/src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/SignedXml.cs#L401 If I setSignedInfo.SignatureMethod
to"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"
by setting protected fields through a subclass, another exception will be thrown at: https://github.com/dotnet/runtime/blob/30119554b2be144ceff06a41326345975dd178f9/src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/SignedXml.cs#L408Description of what API need to be added or changed
System.Security.Cryptography.Xml.SignedXml
should be able to create and verifyECDsa
xml signatures.