{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 贪生不怕死 的问题《How to sign xml element using RSA-SHA1 algorithm?》','https://www.manongdao.com/q-707441.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I need to sign (and verify eventually) one of the nodes of an XML document using RSA-SHA1 algorithm. w3.org link
RSA-SHA1 URI:
http://www.w3.org/2000/09/xmldsig#rsa-sha1
Specified in:
section 6.4.2 of [XMLDSIG-CORE2002]
I am following this example, however cannot figure how to change the algorithm to required.
The signature generation happens here:
signedXml.ComputeSignature();
The only override with a parameter expects KeyedHashAlgorithm:
public void ComputeSignature(KeyedHashAlgorithm macAlg); (link)
KeyedHashAlgorithm (link) in turn only allows creating HMAC* and MAC* algorithms and has no RSA-SHA1.
What is the most painless way of signing an XML with RSA-SHA1 in .Net?
Edit:
I'm trying to use a X509 certificate to extract the key. Certificate's signature algorithm property is sha1RSA.
This is how I'm assigning it:
var signedXml = new SignedXml(xmlDoc);
...
signedXml.SigningKey = (RSACryptoServiceProvider)cert.PrivateKey;
...
signedXml.ComputeSignature();
The resulting signature xml format matches expected one, however digest and signature values are invalid.
In .NET Framework 1.1 through .NET Framework 4.7 you get RSA-SHA-1 by simply setting
signedXml.SigningKeyto an RSA key object.If .NET 4.7.1 (currently in preview) is installed the default for RSA will change to RSA-SHA-2-256, per https://github.com/Microsoft/dotnet/blob/master/releases/net471/dotnet471-changes.md.
So, if you really want a RSA-SHA-1 signature you need to
a) set
signedXml.SigningKeyto an RSA keyb) set
signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA1Url(both before calling
signedXml.ComputeSignature())Conversely, if you want to do something better than RSA-SHA-1 on current versions, set signedXml.SignedInfo.SignatureMethod to
SignedXml.XmlDsigSHA256Urlor better.Word of warning: SHA-1 is considered broken for cryptographic purposes now that a collision has been found. While it's not generalized enough (at this point) to attack arbitrary XML, it may well grow up to that point. You really shouldn't be using SHA-1 in anything new, and should consider validating that your signature method is something better than SHA-1 based when deciding whether to accept a signed document.