The task is to avoid an error in the signature verification of the SignedXml object. The problem is that after the latest Windows updates, support for the algorithm

http://www.w3.org/2000/09/xmldsig#rsa-sha1

was turned off. But the problem is that it is the default for X509Certificate2.PrivateKey

And this one

  public AsymmetricAlgorithm PrivateKey { get; set; }
  //
  // Summary:
  //     Gets the System.Security.Cryptography.X509Certificates.X509Certificate2.PublicKey
  //     object associated with the certificate.
  //
  // Returns:
  //     The System.Security.Cryptography.X509Certificates.X509Certificate2.PublicKey object.
  //
  // Exceptions:
  //     System.Security.Cryptography.CryptographicException:
  //         The key value is not an RSA or DSA value, or the key cannot be read.

By default it is the rsa-sha1 algorithm, and I don't know how to change it (inheriting all the classes from the task, including SignedXml, seems like a bad solution). I would be glad of any information on the issue! On the MSDN site I was told that I needed certificates with a different algorithm (question on MSDN). But on the CryptoPro forum they say a different algorithm can be used (question on the CryptoPro forum).

  • @andreycha Yes, it is. Please post your comment as an answer. In view of the recent Windows updates, this will be a relevant question! - Yury Bakharev
  • Done. If there are comments on the translation, tell me and I will correct it. - andreycha
  • And what's stopping you from just getting a certificate with a supported algorithm? - Pavel Mayorov
  • @PavelMayorov A huge number of clients whose certificates I can't change, and a large amount of code that uses X509 certificates. - Yury Bakharev

1 answer

Judging by the MSDN documentation, you can. For this you need:

  1. Create a new class and inherit it from X509AsymmetricSecurityKey.
  2. Override the KeySize property. This property returns the key size of the certificate (public/private key pair).
  3. Override the DecryptKey method. This method is called by WCF to decrypt the symmetric key using the certificate's private key.
  4. Override the GetAsymmetricAlgorithm method. This method is called by WCF and returns an instance of the AsymmetricAlgorithm class, which is a cryptographic provider for the private or public key of the certificate, depending on the passed parameter.
  5. Optional: override the GetHashAlgorithmForSignature method. Override this method if you need to use another implementation of HashAlgorithm.
  6. Override the GetSignatureFormatter method. This method returns an instance of the AsymmetricSignatureFormatter class associated with the private key of the instance.
  7. Override the IsSupportedAlgorithm method. This method is used to verify that this key implementation supports a cryptographic algorithm.

You will also need:

  1. Create a successor to X509SecurityToken that uses the custom key.
  2. Create a successor to SecurityTokenProvider that returns the custom token from step 1.
  3. Create a successor to ClientCredentialsSecurityTokenManager if the key is needed on the client side.
  4. Create a successor to ServiceCredentialsSecurityTokenManager if the key is needed on the server side.

For details, see the article Change the encryption service provider for the X.509 certificate's private key on MSDN.
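As an added illustration of the steps above (example code written for this page, not code from the question, the answer or the MSDN article), a key class that adds RSA/SHA-256 signing and verification on top of the X509AsymmetricSecurityKey defaults. It assumes .NET Framework 4.6 or later (for the GetRSAPrivateKey/GetRSAPublicKey extensions) and an RSA certificate; the class, field and constant names are my own, and DecryptKey is left to the base class because only the signature algorithm is changed here.

```csharp
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Custom key adding RSA/SHA-256 signing and verification on top of the defaults,
// which resolve to the certificate's SHA-1 provider. Names are assumptions for this example.
public class Sha256X509AsymmetricSecurityKey : X509AsymmetricSecurityKey
{
    // XML-DSig URI that WCF's *Sha256 algorithm suites pass to the key.
    private const string RsaSha256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
    private readonly X509Certificate2 _cert;
    public Sha256X509AsymmetricSecurityKey(X509Certificate2 cert) : base(cert) { _cert = cert; }

    // Step 2: key size of the certificate's key pair (GetRSA* extensions need .NET 4.6+).
    public override int KeySize => _cert.GetRSAPublicKey().KeySize;

    // Step 4: RSA provider for the private or public half of the key pair.
    public override AsymmetricAlgorithm GetAsymmetricAlgorithm(string algorithm, bool privateKey)
    {
        if (!IsSupportedAlgorithm(algorithm))
            throw new CryptographicException("Unsupported algorithm: " + algorithm);
        return privateKey ? _cert.GetRSAPrivateKey() : _cert.GetRSAPublicKey();
    }

    // Step 5: SHA-256 digest for the SHA-256 URI, base behaviour for everything else.
    public override HashAlgorithm GetHashAlgorithmForSignature(string algorithm) =>
        algorithm == RsaSha256 ? SHA256.Create() : base.GetHashAlgorithmForSignature(algorithm);

    // Step 6: signing formatter bound to the private key and configured for SHA-256.
    public override AsymmetricSignatureFormatter GetSignatureFormatter(string algorithm)
    {
        if (algorithm != RsaSha256) return base.GetSignatureFormatter(algorithm);
        var f = new RSAPKCS1SignatureFormatter(_cert.GetRSAPrivateKey());
        f.SetHashAlgorithm("SHA256");
        return f;
    }

    // Verification counterpart, so incoming RSA/SHA-256 signatures can be checked too.
    public override AsymmetricSignatureDeformatter GetSignatureDeformatter(string algorithm)
    {
        if (algorithm != RsaSha256) return base.GetSignatureDeformatter(algorithm);
        var d = new RSAPKCS1SignatureDeformatter(_cert.GetRSAPublicKey());
        d.SetHashAlgorithm("SHA256");
        return d;
    }

    // Step 7: accept the SHA-256 URI in addition to whatever the base key supports.
    public override bool IsSupportedAlgorithm(string algorithm) =>
        algorithm == RsaSha256 || base.IsSupportedAlgorithm(algorithm);
}
```

Requests for other URIs (for example the key-wrap algorithms WCF uses for encryption) fall through to the base class, so only the signature path changes; the custom token, token provider and token manager from the second list are still needed to get WCF to hand out this key.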