One option is to use the application's properties to define the default algorithms if that machine.config file does not contain them. One possible scenario, and the one I will use here, is that all of your base crypto files/utils can extend from a base class that uses a static constructor to ensure that either the machine.config values exist OR that they are added to the CryptoConfig configuration from a property file. There are other ways to initialize the CryptoConfig, of course, but this one is easy and works well. However, it is important to note, that if an exception is thrown within the static constructor, that the application will NOT terminate and the class file will be left in an unusable state, so please make sure you code for this. Some might consider this a bad decision (to use this static constructor), but I think it depends on your situation - in my case, if this fails that application can't be used, thus I check for this and fail out gracefully.
Now on to the example. First create a base class from which your others can extend:
public abstract class Cryptography
{
static Cryptography()
{
}
}
private static void SetAlgorithm(
string name, string cryptoType)
{
CryptoConfig config = new CryptoConfig();
Type type = Type.GetType(cryptoType);
CryptoConfig.AddAlgorithm(type, name);
}
private static void SetConfiguration(
string name, string type)
{
object algorithm = CryptoConfig.CreateFromName(type);
if (algorithm == null)
{
SetAlgorithm(name, type);
}
}
static Cryptography()
{
Action action = SetConfiguration;
if(Properties.Settings.Default.UseLocalSettings)
{
action = SetAlgorithm;
}
action("Hash256", Properties.Settings.Default.Hash256);
action("Hash512", Properties.Settings.Default.Hash512);
action("Symmetric", Properties.Settings.Default.Symmetric);
action("Asymmetric", Properties.Settings.Default.Asymmetric);
}
Action<string, string> action =
Properties.Settings.Default.UseLocalSettings ?
SetAlgorithm : SetConfiguration;
Hash256=System.Security.Cryptography.SHA256CryptoServiceProvider,
System.Core, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089
Hash512=System.Security.Cryptography.SHA512CryptoServiceProvider,
System.Core, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089
Symmetric=System.Security.Cryptography.AesCryptoServiceProvider,
System.Core, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089
Asymmetric=System.Security.Cryptography.RSACryptoServiceProvider,
mscorlib, Version=4.0.0.0, Culture=neutral,
PublicKeyToken=b77a5c561934e089
Hellp Paul,
ReplyDeleteI have been working on registering the SHA256 algorithm in my Sharepoint Webpart, while I am able to do this in my windows forms application on .Net 4.0,I am unable to get this working in my Sharepoint which is built onin .Net 3.5 . Can you tell me if there is any workaround for this. Iam actually following this http://social.msdn.microsoft.com/Forums/en-SG/netfxbcl/thread/6438011b-92fb-4123-a22f-ad071efddf85 which is alomost similar to what yoiu have suggested in your article. Let me know if this can made working in .Net 3.5?? Appreciate ur early response.
muneeb - I need a little more detail about what you are doing. Are you trying to use the machine.config or are you registering algorithms at run time the way I am showing in this post? As far as I know, this is all supported in .Net 3.5
ReplyDeletehttp://msdn.microsoft.com/en-us/library/693aff9y%28v=vs.90%29.aspx --> set the version to 3.5 - from this, I would say what you are trying to do is supported. Please feel free to post back with more details and I will try to help.
Also, what specific SHA256 algorithm are you trying to use? It appears both (CNG and CryptoServiceProvider) are supported in .Net 3.5
http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256.aspx
This comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteThanks Paul, I am trying to register it at runtime . As I said I am actually following this
ReplyDeletehttp://social.msdn.microsoft.com/Forums/en-SG/netfxbcl/thread/6438011b-92fb-4123-a22f-ad071efddf85 which is almost similar to what you have suggested(my guessing??). I have class with the RSA SHA256 signature description in the properties instead of the appconfig and I call this method 'AddAlgorithm' of CryptoConfig.AddAlgorithm(typeof(Security.Cryptography.RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"); to register it in config at runtime . This method is available in .Net 4.0 but not int 3.5. The intellisense does not list it and I am unable to add the 'mscorelib' from 4.0 to the solution of 3.5 so that I have this method available. Let me know how can acheive this in 3.5 , Is there any other way I need to adapt. And you metnion .Net 4.0 at the end , I need the values for 3.5 if possible. Thanks and appreciate your earliest response
Ok, I see your problem... you want to call "AddAlgorithm", but that was not added until .Net 4.0 - I believe the solution you are looking for is provided by CLR Security. I have not utilized this, but a quick look at the source code suggests it is exactly what you need.
ReplyDeletehttp://clrsecurity.codeplex.com/
I hope this helped... good luck!
Thanks Paul, that is where I am at now. I hope just adding the Security.Cryptography.dll through the gacutil should do it for me??
ReplyDeleteMy pleasure. Please, post back and let me know if this worked out for you. These comments might help someone else out!
ReplyDeletePaul, I am unable to get past this . I have the AddAlgorithm method available now but I am not able to add in the algorithm as it says " Alias 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' already exists in the CryptoConfig2 map ". It seems it already exists. I tried Createfromname metthod and not sure what exactly to pass as parameter?
ReplyDeleteAnother crtical point is I am signing an xmldocument with SignedXml class of System.Security.Cryptography.Xml by calling its ComputerSignature() method. Is is compatible with this CryptoConfig2 or do I have to use any other class from the installed dll. Request you to throw some light. Also please refer to the signature definiton class to get a better idea whats in ther.. Appreciate your help Thanks
It sounds like you don't need to register that algorithm... remove your call to AddAlgorithm and when you call CreateFromName pass in RSA-SHA256 - so 'CreateFromName("RSA-SHA256") as SignatureDescription;'
ReplyDeleteBased on what I saw online, RSAPKCS1SHA256SignatureDescription became available in .Net 4.5 - I am not sure if maybe CryptoConfig2 is providing this library or what is going on. Please see this post too: http://clrsecurity.codeplex.com/wikipage?title=Security.Cryptography.RSAPKCS1SHA256SignatureDescription
I am not sure about your second question. I have never used CryptoConfig2 - I changed from .Net 3.5 to 4.0 in order to take advantage of the code I wrote about in the blog post.
Paul, I have this working in .Net 4.0. Its with 3.5 I have the problem with as Sharepoint is bound to 3.5 only.
ReplyDeleteMy Second question was as it seems that I aready have the algorithm available now, how do i use it to sign an xml document. I am signing it using the SignedXml class available in System.Secuirty.Cryptography.Xml namespace. Is this the correct way or do I have to use a class from Security.Cryptography namesapce??
And One more thing is that is it necessary for me to make any changes to the machine config as discussed here while using Cryptoconfig2 as it mentions here
http://clrsecurity.codeplex.com/discussions/243156 ?? I guess I am registering the algorithm in config from the code itself by following Addalgoirth method. or it is already available with the new dlls added. ?? Really appreciate your help and analysis into this..
Thanks
No, I do not believe that you need to register it with machine.config if you call CryptoConfig2.AddAlgorithm().
DeleteFrom your first link, it looks like you want something like this: CryptoConfig2.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
I know earlier you mentioned that you got an error that it was already present. I think the reason for that is that CryptoConfig2 has their own impl of this and it might match what you want (I am not sure what you defined in your RSAPKCS1SHA256SignatureDescription object. Take a look at this http://clrsecurity.codeplex.com/SourceControl/changeset/view/47833#269110 to see if that is what you are trying to define.
As far as signing the xml document, I would think the code in the first link you posted should work. I think that the SignedXml method ComputeSignature should work.
I am sorry that I am probably not being very helpful at this point, but it is too difficult to troubleshoot without the code.
This comment has been removed by the author.
ReplyDeleteYes I have exactly the same description for RSAPKCS1SHA256SignatureDescription object as mentioned in your link
ReplyDeletehttp://clrsecurity.codeplex.com/SourceControl/changeset/view/47833#269110 except for Createformatter method.
One more is that I had just added the reference to the Security.Cryptography in my project and using "gactutil -I" it said it got added GAC but i was not able to locate in the list of dlls in under .Net. tab while adding the refernce. Am I OK with this or the dll was not correctly added to GAC..hence it did not get listed ??
Also wanted to know if the certificate I use need to have the exactly same signature algorithm as the one with which Im trying to sign as the certificate has sha1 and I am trying to sign the XML with SHA256??
Let me know if I can provide the code here? Really apprciate your help..Thanks
I am not sure of the answer to your first question, I am not familiar with gactutil.
DeleteYes, your certificate needs to be updated to be a Sha2 cert if you want to use SHA256 (recommended).
You can provide code here, though I think the comments here will make it ugly and hard to read.
ReplyDeletepublic static XmlDocument SignXml(XmlDocument xmlDoc, RSA Key, X509Certificate2 cert)
{
// CryptoConfig2.AddAlgorithm(typeof(Security.Cryptography.RSAPKCS1SHA256SignatureDescription1), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
// Create a SignedXml object.
SignedXml signedXml = new SignedXml(xmlDoc);
signedXml.SignedInfo.CanonicalizationMethod = "http://www.w3.org/2001/10/xml-exc-c14n#";
KeyInfo keyInfo = new KeyInfo();
// *** The actual key for signing - MAKE SURE THIS ISN'T NULL!
signedXml.SigningKey = cert.PrivateKey;
// *** Specifically use the issuer and serial number for the data rather than the default
KeyInfoX509Data keyInfoData = new KeyInfoX509Data();
// keyInfoData.AddIssuerSerial(cert.Issuer, cert.GetSerialNumberString());
keyInfoData.AddCertificate(cert);
keyInfo.AddClause(keyInfoData);
// *** provide the certficate info that gets embedded - note this is only // *** for specific formatting of the message to provide the cert info
signedXml.KeyInfo = keyInfo;
// Add the key to the SignedXml document.
signedXml.SigningKey = Key;
// Create a reference to be signed.
Reference reference = new Reference();
reference.Uri = "";
// Add an enveloped transformation to the reference.
XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
// env.Algorithm = "http://www.w3.org/2001/10/xml-exc-c14n#";
reference.AddTransform(env);
XmlDsigEnvelopedSignatureTransform env1 = new XmlDsigEnvelopedSignatureTransform();
env1.Algorithm = "http://www.w3.org/2001/10/xml-exc-c14n#";
reference.AddTransform(env1);
// Add the reference to the SignedXml object.
signedXml.AddReference(reference);
signedXml.SignedInfo.SignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
// signedXml.SignedInfo.SignatureMethod = "SHA256";
// Compute the signature.
signedXml.ComputeSignature();
// Get the XML representation of the signature and save
// it to an XmlElement object.
XmlElement xmlDigitalSignature = signedXml.GetXml();
XmlNamespaceManager nmgr = new XmlNamespaceManager(xmlDoc.NameTable);
XmlElement node = xmlDoc.DocumentElement.SelectSingleNode("//s:Envelope/s:Header/wsse:Security", nmgr) as XmlElement;
XmlElement oldnode = xmlDoc.DocumentElement.SelectSingleNode("//s:Envelope/s:Header", nmgr) as XmlElement; ;
node.AppendChild(xmlDigitalSignature);
xmlDoc.SelectSingleNode("//s:Envelope/s:Header/wsse:Security", nmgr).AppendChild(xmlDigitalSignature);
// XmlElement soapHeader = xmlDoc.DocumentElement.SelectSingleNode("//SOAP:Header", ns) as XmlElement;
// Append the element to the XML document.
xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));
return xmlDoc;
}
}
Paul ,can you tell me what are the other algorithms supported for generating XMl signature other than SHA 1 and SHA256. I have tried using SHA 128,SHA 256, SHA 512 with the same code but they don;t work.Please let me know
ReplyDeletemuneeb - sorry for the lack of reply, been busy with work all day. You have, if i recall correctly, a SHA1 cert... the algorithms you listed are all SHA2. The one you are looking for is SHA1 (http://msdn.microsoft.com/en-us/library/system.security.cryptography.sha1.aspx).
ReplyDeleteI will try to look over your code tomorrow night... been a long day.
Thanks Paul and not at a problem . reaaly appreciate your effort.
ReplyDeleteYes I have SHA cert and I am able to sign the xml with sha1 even if i dont give the signature method as SHA1. it generates it by default. The SHa2 algorithms don;t work.. Thanks once again let me know.
Paul , I have an update that our team has realized that we won;t be going forward with ShA-256 for now due to few other constraints and I will be using SHA-1 for now. I am pretty comfortable with it ..
ReplyDeleteThanks a lot for your effort and time !!!!Appreciate it.
No problem, glad I could help a little and I am happy to hear that you have it all working now. You should, for security reasons, move on to SHA2 as soon as you can... once you have a SHA2 cert, you will be able to use the other algorithms.
ReplyDeleteYes we do have that on our agenda for the future. Hope I can reach out to you incase if i need anything else related to Cryptography? Thanks a lot Paul
ReplyDeleteYes muneeb... please do. If interested, I do some consulting on the side as well. I am CSSLP (Certified Secure Software Lifecycle Professional) certified (Cert #: 392260) and always looking for ways to utilize those skills.
ReplyDeletenice
ReplyDeleteHi - long shot but I hope you can help me.
ReplyDeleteI'm trying to use RSA-SHA256 with .net 3.5. Because
CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
is not supported in .net 3.5 I used
CryptoConfig2.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"); from (http://clrsecurity.codeplex.com/) but I keep getting "Additional information: Alias 'http://www.w3.org/2001/04/xmldsig-more#... already exists in the CryptoConfig2 map."
Do you have any idea?