IsSignatureValid always returning false on Azure environment

    Question

  • We are using a Comodo certificate to now sign some of the data we store in HealthVault. We use the code below to verify the certificate and the signature.

            public bool CertCheckValid(HealthRecordItem data)
            {
                try
                {
                    // Checks the signing certificate (chain/validity), then the signature over the item
                    data.ValidateCertificate();
                    return data.IsSignatureValid();
                }
                catch (Exception)
                {
                    // Swallowing every exception hides which of the two calls failed and why;
                    // log the exception when diagnosing a "false" result
                    return false;
                }
            }


    data.IsSignatureValid() is always returning true if we run this in our dev environment on signed data items. However, in our deployed staging environment (on an Azure Website) it always returns false.

    It is worth noting that data items signed on the Azure environment return true on the dev environment. But data items signed on both environments always return false on the Azure environment.

    Interestingly enough to sign data on the Azure environment we had to add the flags highlighted (they were not necessary locally):

            public void CertSign(HealthRecordItem p_model)
            {
                p_model.HealthRecordItemSignatures.Clear();
                if (!EditorIsHealthPro(p_model.CommonData.Source)) return;
                var path = ConfigurationManager.AppSettings["CodeSigningCertificateFileName"];
                var cert = new X509Certificate2();
                // MachineKeySet: put the private key in the machine key store instead of the
                //   user profile store (the profile may not be loaded under a web host)
                // PersistKeySet: keep the imported private key on disk instead of deleting it
                //   when the certificate object is disposed
                // Exportable: allow the private key to be exported again later
                cert.Import(path, PASS, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);
                p_model.Sign(cert);
            }

    Can someone please help?

    Friday, September 06, 2013 2:12 PM

All replies

  • Seems the Azure team and the HealthVault team can't solve it. So anyone else needing a solution we have a workaround:
    Since it is only failing on the verification of the signature and not on signing, we sign the data again after retrieval and compare the signatures.

            // Requires "using System.Linq;" (ToList / SequenceEqual) in addition to the usings the
            // code above already needs (System.Configuration, System.Security.Cryptography.X509Certificates, Microsoft.Health)
            public bool CheckSignatureIsValid(HealthRecordItem data)
            {
                var path = ConfigurationManager.AppSettings["CodeSigningCertificateFileName"];
                var cert = new X509Certificate2();
                cert.Import(path, PASS, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.Exportable);

                // Copy the stored signatures before anything is cleared: keeping only a reference to
                // the live collection would empty the "original" as well, and the comparison below
                // would then compare the collection with itself and always succeed. Enumerating the
                // copy also avoids modifying the collection while it is being iterated.
                var originalSignatures = data.HealthRecordItemSignatures.ToList();

                foreach (HealthRecordItemSignature signature in originalSignatures)
                {
                    X509Certificate2 x = signature.X509Certificate2;
                    // X509Certificate.Equals compares issuer and serial number
                    if (!x.Equals(cert)) continue;   // not our certificate

                    // It's our certificate: sign the item again and compare with what was stored
                    data.HealthRecordItemSignatures.Clear();
                    data.Sign(cert);

                    // Element-wise comparison; relies on HealthRecordItemSignature having value-based equality
                    if (originalSignatures.SequenceEqual(data.HealthRecordItemSignatures))
                    {
                        // data matches
                        return true;
                    }
                }
                return false;
            }


    Wednesday, September 25, 2013 12:52 PM
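An added example, not code from this thread or from the HealthVault SDK, that makes two things about the workaround above explicit using plain .NET RSA calls instead of HealthVault item signatures: verifying a signature needs only the public half of the certificate, so a tier that only checks signatures never needs the Exportable private key; and "sign again and compare" is only sound when the signature scheme is deterministic, which RSA PKCS#1 v1.5 is and RSA-PSS is not. It assumes .NET Framework 4.6 or later (or .NET Core) and takes the PFX path and password (the thread's AppSettings path and PASS) as command-line arguments.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class SignatureChecks
{
    // Verification needs only the public key: export the certificate without its private
    // key and verify with that. A tier that only checks signatures therefore needs neither
    // PersistKeySet/Exportable nor the PFX password.
    public static X509Certificate2 PublicHalf(X509Certificate2 pfx)
    {
        return new X509Certificate2(pfx.Export(X509ContentType.Cert));
    }
    public static byte[] Sign(X509Certificate2 pfx, byte[] payload)
    {
        using (RSA rsa = pfx.GetRSAPrivateKey())
            return rsa.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }
    public static bool Verify(X509Certificate2 publicOnly, byte[] payload, byte[] signature)
    {
        using (RSA rsa = publicOnly.GetRSAPublicKey())
            return rsa.VerifyData(payload, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // "Sign again and compare" presumes that signing identical bytes twice yields identical
    // signatures. RSA PKCS#1 v1.5 is deterministic, so this returns true; RSA-PSS mixes in a
    // random salt, so with RSASignaturePadding.Pss it returns false (on providers that
    // support PSS at all; RSACryptoServiceProvider on .NET Framework rejects it).
    public static bool ResignGivesSameBytes(X509Certificate2 pfx, byte[] payload, RSASignaturePadding padding)
    {
        using (RSA rsa = pfx.GetRSAPrivateKey())
        {
            byte[] first = rsa.SignData(payload, HashAlgorithmName.SHA256, padding);
            byte[] second = rsa.SignData(payload, HashAlgorithmName.SHA256, padding);
            return first.SequenceEqual(second);
        }
    }
    // args: path to the PFX and its password (placeholders for the thread's AppSettings path and PASS)
    public static void Main(string[] args)
    {
        var pfx = new X509Certificate2(args[0], args[1], X509KeyStorageFlags.MachineKeySet);
        byte[] payload = Encoding.UTF8.GetBytes("<record>constructed sample item</record>"); // constructed input
        byte[] sig = Sign(pfx, payload);
        Console.WriteLine("verified with public key only: " + Verify(PublicHalf(pfx), payload, sig));
        Console.WriteLine("PKCS#1 v1.5 re-sign identical: " + ResignGivesSameBytes(pfx, payload, RSASignaturePadding.Pkcs1));
    }
}
```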
  • Had a call from Azure support. Seems there will be no change and movement in Azure or HealthVault so this stays unsupported and they confirmed the solution above is the only solution.
    Thursday, October 03, 2013 7:43 AM