[release/8.0] Fixing SignedXml.CheckSignature for enveloped signature with #xpointer(/) Reference #99651

Merged
merged 1 commit into from
Mar 14, 2024

bartonjs
Member

@bartonjs bartonjs commented Mar 12, 2024

Fixes #95390. Backport of #95404 plus nuget package servicing authoring.

Description

  • Customer reported
  • Found internally

SignedXml documents using an enveloped signature targeting the whole document with <Reference URI="#xpointer(/)" /> compute an invalid data hash during verification in the 7.0 and 8.0 versions of the SignedXml package.

Customer Impact

Customers validating such a document produced by a different platform/library will be told the document's signature is not valid, when it is. Such documents produced with the 7.0 or 8.0 versions of the package will produce the correct signature, then fail signature verification.

Regression

Yes. It worked in .NET Framework, and in the nuget package up until 7.0-preview.3. It's broken in 7.0.x and 8.0.0.

Testing

A new test has been added.

Risk

Low. The existing tests cover alternative forms of referencing the root element, as well as referencing a non-root element.

@bartonjs bartonjs added Servicing-consider Issue for next servicing release review area-System.Security labels Mar 12, 2024
@bartonjs bartonjs added this to the 8.0.x milestone Mar 12, 2024
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@bartonjs bartonjs changed the title Fixing SignedXml.CheckSignature for enveloped signature with #xpointer(/) Reference [release/8.0] Fixing SignedXml.CheckSignature for enveloped signature with #xpointer(/) Reference Mar 12, 2024
…er(/)` Reference

This additionally improves support for URI-less Reference elements.

Co-authored-by: Kevin Jones <[email protected]>
@bartonjs
Member Author

Build Analysis says all failures are known.

Servicing approval was granted over email.

@bartonjs bartonjs added Servicing-approved Approved for servicing release and removed Servicing-consider Issue for next servicing release review labels Mar 14, 2024
@bartonjs bartonjs merged commit e373424 into dotnet:release/8.0-staging Mar 14, 2024
106 of 112 checks passed
@bartonjs bartonjs deleted the xmldsig_backport branch March 14, 2024 16:58
@github-actions github-actions bot locked and limited conversation to collaborators Apr 14, 2024
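
Added example (not code from this pull request or from dotnet/runtime): a round-trip check for the case in the PR description, an enveloped signature whose Reference is `#xpointer(/)`, signed and then verified with `SignedXml.CheckSignature`. The sample document and the class and method names are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class XPointerRootCheck
{
    // Constructed sample document; not taken from the PR.
    const string SampleXml = "<order><item>widget</item></order>";

    // Sign with an enveloped signature whose Reference covers the whole document.
    static string Sign(string xml, RSA key)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var signer = new SignedXml(doc) { SigningKey = key };
        var reference = new Reference("#xpointer(/)");
        // Excludes the <Signature> element itself from the hashed data.
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signer.AddReference(reference);
        signer.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signer.GetXml(), true));
        return doc.OuterXml;
    }

    // Verify from serialized text, as a receiving party would.
    static bool Verify(string signedXml, RSA key)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(signedXml);
        var signature = (XmlElement)doc.GetElementsByTagName(
            "Signature", SignedXml.XmlDsigNamespaceUrl)[0];
        var verifier = new SignedXml(doc);
        verifier.LoadXml(signature);
        return verifier.CheckSignature(key);
    }

    static void Main()
    {
        using RSA key = RSA.Create(2048);
        string signed = Sign(SampleXml, key);
        Console.WriteLine($"untouched document verifies: {Verify(signed, key)}");
        // A changed payload must still be rejected once the fix is in place.
        string tampered = signed.Replace("widget", "gadget");
        Console.WriteLine($"tampered document verifies:  {Verify(tampered, key)}");
    }
}
```

Per the description above, the affected 7.0.x and 8.0.0 package versions report the untouched document as invalid; the tampered copy should be rejected on every version.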