How to sign/validate with X509 certificate using RSA SHA2 algorithm with the System.Security.Cryptography.Xml.SignedXml class without exporting/importing the key?

  • Question

  • I need to support RSA SHA2 algorithm for signing and validating messages and SAML tokens through X509 certificate.

    When the certificate was issued it was destined for RSA SHA1.

    Now anytime I try to use the RSA SHA2 algorithm it assumes RSA SHA1 and throws an exception.

    I have found a workaround for this, but it requires the private key to be exportable, which is a big security hole waiting for disaster.

    Currently what I have is the following registering of the algorithm and its handler:

    //registers RSA SHA256 provider
    CryptoConfig.AddAlgorithm(typeof(RSAPKCS1SHA256SignatureDescription), SecurityAlgorithms.RsaSha256Signature);

    And the code for signing:


    using (RSACryptoServiceProvider rsa = cert.PrivateKey as RSACryptoServiceProvider)
    {
        byte[] privateKeyBlob = rsa.ExportCspBlob(true);
        using (RSACryptoServiceProvider rsa2 = new RSACryptoServiceProvider())
        {
            rsa2.ImportCspBlob(privateKeyBlob);
            //this is the piece of code which activates the above mapping
            //but it requires for us to make the private keys exportable which is unacceptable
            xmldsig.SigningKey = rsa2;
            xmldsig.ComputeSignature();
        }
    }

    Can someone help by giving an alternative which doesn't require certificate private key export? We're using .NET 4.0.

    Thank You



    Saturday, October 5, 2013 10:22 AM

All replies