
ECDSA XML Signatures in .NET

Aleksandar Gyonov edited this page Feb 16, 2024 · 3 revisions

The main issue with ECDSA signatures of XML using the System.Security.Cryptography.Xml package is that these algorithms are not implemented in the package at all, although they are part of the XML Signature Syntax and Processing Version 1.1 specification. Namely, algorithms like:

  • ECDSAwithSHA256
  • ECDSAwithSHA384
  • ECDSAwithSHA512

The other issue is that, from the library's documentation, it is not obvious at first glance how System.Security.Cryptography.Xml can be extended to implement those missing algorithms. You have to spend some time going through the library's code and some googling around (thanks to Scott Brady's ECDSA and Custom XML Signatures in .NET) to figure it out.

Implementation

The key thing the CryptoEx library does to extend the standard System.Security.Cryptography.Xml so that it can sign and verify with ECDSA is to implement several classes that derive from these base classes:

  • System.Security.Cryptography.AsymmetricSignatureFormatter
  • System.Security.Cryptography.AsymmetricSignatureDeformatter
  • System.Security.Cryptography.SignatureDescription

These derived classes can be found in the CryptoEx.XML namespace.

They describe to the .NET standard library which algorithms to use when signing or verifying XML with ECDSA keys.

The actual binding is done in this way:

// register the ECDSA signature descriptions under their XML DSig algorithm URIs,
// so SignedXml can resolve the SignatureMethod URI to the matching description
CryptoConfig.AddAlgorithm(
    typeof(EcdsaSha256SignatureDescription), XmlDsigECDSASHA256Url);
CryptoConfig.AddAlgorithm(
    typeof(EcdsaSha384SignatureDescription), XmlDsigECDSASHA384Url);
CryptoConfig.AddAlgorithm(
    typeof(EcdsaSha512SignatureDescription), XmlDsigECDSASHA512Url);

You can see it in the static constructor of the CryptoEx.XML.SignedXmlExt class.

Client usage of the CryptoEx.XML.SignedXmlExt class

The current project has a class CryptoEx.XML.SignedXmlExt that is a direct descendant of the standard library's System.Security.Cryptography.Xml.SignedXml class.

This class extends the standard library and has two basic purposes:

  • To enable usage of ECDSA keys
  • To be used when signing Reference entries that are external to the original XML

If you are only interested in the first purpose, just use SignedXmlExt instead of the standard SignedXml class in your code, and that is all you need to do. All the standard examples on the .NET documentation site for signing and verifying XML will work just fine, and additionally with support for ECDSA keys and algorithms.
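To make the two pieces above concrete (the description/formatter/deformatter classes from the Implementation section, and their registration plus use through SignedXml), here is an added, self-contained example that does with the plain SignedXml class what the page says SignedXmlExt does for you. It is not the CryptoEx project's code: the class bodies are my own implementation following the pattern described above (and Scott Brady's approach), the SHA-256 variant is shown only, and the invoice document and its tampering step are constructed sample data. The names EcdsaSha256SignatureDescription and XmlDsigECDSASHA256Url are taken from the page; EcdsaSignatureFormatter, EcdsaSignatureDeformatter and EcdsaXmlDsig are my own names.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class EcdsaXmlDsig
{
    // Algorithm URI for ECDSA with SHA-256 from XML Signature 1.1 / RFC 6931.
    public const string XmlDsigECDSASHA256Url = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";

    // Register once (the page does this in SignedXmlExt's static constructor);
    // afterwards SignedXml can resolve the SignatureMethod URI to our description.
    public static void Register() =>
        CryptoConfig.AddAlgorithm(typeof(EcdsaSha256SignatureDescription), XmlDsigECDSASHA256Url);
}

// Signing side: SignedXml hands us the C14N digest, we return the raw ECDSA signature.
public sealed class EcdsaSignatureFormatter : AsymmetricSignatureFormatter
{
    private ECDsa _key;
    public override void SetKey(AsymmetricAlgorithm key) =>
        _key = key as ECDsa ?? throw new ArgumentException("An ECDsa key is required", nameof(key));
    // SignedXml calls this with the digest's type name; the hash is already fixed by the description.
    public override void SetHashAlgorithm(string strName) { }
    // ECDsa.SignHash emits r||s (IEEE P1363), which is exactly the ds:SignatureValue encoding for ECDSA.
    public override byte[] CreateSignature(byte[] rgbHash) =>
        (_key ?? throw new InvalidOperationException("Key not set")).SignHash(rgbHash);
}

// Verifying side: same contract in reverse.
public sealed class EcdsaSignatureDeformatter : AsymmetricSignatureDeformatter
{
    private ECDsa _key;
    public override void SetKey(AsymmetricAlgorithm key) =>
        _key = key as ECDsa ?? throw new ArgumentException("An ECDsa key is required", nameof(key));
    public override void SetHashAlgorithm(string strName) { }
    public override bool VerifySignature(byte[] rgbHash, byte[] rgbSignature) =>
        (_key ?? throw new InvalidOperationException("Key not set")).VerifyHash(rgbHash, rgbSignature);
}

// Ties key type, digest, formatter and deformatter together under one algorithm URI.
public sealed class EcdsaSha256SignatureDescription : SignatureDescription
{
    public EcdsaSha256SignatureDescription()
    {
        KeyAlgorithm = typeof(ECDsa).AssemblyQualifiedName;
        DigestAlgorithm = "SHA256";
        FormatterAlgorithm = typeof(EcdsaSignatureFormatter).AssemblyQualifiedName;
        DeformatterAlgorithm = typeof(EcdsaSignatureDeformatter).AssemblyQualifiedName;
    }
    // Overriding the factory methods avoids relying on CryptoConfig reflection for our own types.
    public override HashAlgorithm CreateDigest() => SHA256.Create();
    public override AsymmetricSignatureFormatter CreateFormatter(AsymmetricAlgorithm key)
    { var f = new EcdsaSignatureFormatter(); f.SetKey(key); return f; }
    public override AsymmetricSignatureDeformatter CreateDeformatter(AsymmetricAlgorithm key)
    { var d = new EcdsaSignatureDeformatter(); d.SetKey(key); return d; }
}

public static class Demo
{
    public static void Main()
    {
        EcdsaXmlDsig.Register();

        // Constructed sample document (not from the project).
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<invoice><amount>100.00</amount></invoice>");

        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var signedXml = new SignedXml(doc) { SigningKey = key };
        // Without this, SignedXml only guesses RSA/DSA methods and fails for ECDsa keys.
        signedXml.SignedInfo!.SignatureMethod = EcdsaXmlDsig.XmlDsigECDSASHA256Url;
        var reference = new Reference { Uri = "" };                     // enveloped: sign the whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement!.AppendChild(doc.ImportNode(signedXml.GetXml(), true));

        // Verify with a public key obtained out of band; KeyInfo is empty and is not trusted here.
        using var pub = ECDsa.Create();
        pub.ImportSubjectPublicKeyInfo(key.ExportSubjectPublicKeyInfo(), out _);
        Console.WriteLine("valid:    " + Verify(doc, pub));   // expected: True

        // Tamper with signed content and re-check: the reference digest no longer matches.
        doc.DocumentElement.SelectSingleNode("amount")!.InnerText = "999.00";
        Console.WriteLine("tampered: " + Verify(doc, pub));   // expected: False
    }

    private static bool Verify(XmlDocument doc, ECDsa publicKey)
    {
        var verifier = new SignedXml(doc);
        var sigNode = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0];
        verifier.LoadXml((XmlElement)sigNode!);
        return verifier.CheckSignature(publicKey);
    }
}
```

Two points matter in practice. First, SignedInfo.SignatureMethod has to be set to the ECDSA URI explicitly; SignedXml only infers a method for RSA and DSA keys and throws for anything else. Second, the verifying key is passed to CheckSignature directly rather than taken from the document's KeyInfo, which keeps the trust decision with the caller instead of with whoever produced the XML.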

For the additional, external Reference XML entries there is another Wiki page here; see it for details.

NB: Both features (ECDSA and References) are heavily used by the current project when implementing the European Union's XAdES specification.