
Cms signature created with .Net Framework cannot be verified with .Net Core for an elliptic curve certificate #77377

@jgustavs-tibco

Description

Link to a project to reproduce: https://github.com/jgustavs-tibco/cmssigner-incompatibility

If you use CmsSigner to create a signature in .Net Framework 4.8 with an ECC certificate then the signature cannot be verified using CmsSigner in .Net Core 6.0.

The signature is created as follows:

    using System.IO;
    using System.Security.Cryptography;
    using System.Security.Cryptography.Pkcs;
    using System.Security.Cryptography.X509Certificates;

    // Load the signing certificate (with private key) from a PFX file.
    using (var certificate = new X509Certificate2(CertificatePath, Password))
    {
        var cmsSigner = new CmsSigner(certificate);
        cmsSigner.IncludeOption = X509IncludeOption.EndCertOnly;
        var contentInfo = new ContentInfo(new Oid(PkcsObjectIdentifiersData), InputBytes);
        // Detached signature: the content is not embedded in the CMS structure.
        var signedCms = new SignedCms(SubjectIdentifierType.Unknown, contentInfo, true);
        signedCms.ComputeSignature(cmsSigner);
        File.WriteAllBytes(SignaturePath, signedCms.Encode());
    }

The signature is verified as follows.

    // Detached verification: supply the original content, then decode the signature.
    var signatureBytes = File.ReadAllBytes(SignaturePath);
    var contentInfo = new ContentInfo(InputBytes);
    var signedData = new SignedCms(contentInfo, true);
    signedData.Decode(signatureBytes);
    var signerInfos = signedData.SignerInfos; // algorithm OIDs are visible here
    // true = verify the signature only, without building the certificate chain.
    signedData.CheckSignature(true);

Note that it is possible to verify the signature in .Net Framework.

We have tried to generate the ECC certificate using .Net and using Java, and the verification fails in both cases. We have tried to reproduce the issue using RSA certificates; then it works fine.

We noticed that the signature algorithm in SignedCms.SignerInfos is not the same if we generate the signature using .Net Framework and .Net Core, which is not what we expected.

Reproduction Steps

Build the project in https://github.com/jgustavs-tibco/cmssigner-incompatibility and run test.bat.

This runs different combinations of .Net Framework and .Net Core and certificate key algorithms.

It gives the following output:

Test create signature in .Net Framework. Verify in .Net Framework using elliptic curve.
 Verification ok
Test create signature in .Net Core. Verify in .Net Core using elliptic curve.
 Verification ok
Test create signature in .Net Framework. Verify in .Net Core using RSA.
 Verification ok
Test create signature in .Net Framework. Verify in .Net Core using elliptic curve.
 Verification failed
 Exception: SignerInfo digest algorithm '2.16.840.1.101.3.4.2.1' is not valid for signature algorithm ''.

Expected behavior

All combinations of .Net Framework and .Net Core and certificate key algorithms should work.

Actual behavior

The case where the signature is created in .Net Framework but verified in .Net Core does not work for ECC certificates.

Regression?

No response

Known Workarounds

No response

Configuration

We have tried .Net Framework 4.8 and .Net Core 6.0 on Windows.

Other information

No response
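To narrow a failure like the one above to the algorithm identifiers actually carried in the signature, the following diagnostic decodes a detached CMS signature, reports each SignerInfo's key, digest and signature OIDs, and then runs CheckSignature. It is an added example, not code from the linked project, and assumes the content file and signature file paths are passed as the two command-line arguments.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;

// Constructed diagnostic: inspect the OIDs each SignerInfo carries before verifying.
static class CmsDiagnostics
{
    // Fixed OID table so the report reads the same on .Net Framework and .Net Core.
    static readonly (string Oid, string Name)[] KnownOids =
    {
        ("2.16.840.1.101.3.4.2.1", "sha256"),
        ("1.2.840.10045.2.1",      "id-ecPublicKey (EC key algorithm)"),
        ("1.2.840.10045.4.3.2",    "ecdsa-with-SHA256"),
        ("1.2.840.113549.1.1.1",   "rsaEncryption"),
        ("1.2.840.113549.1.1.11",  "sha256WithRSAEncryption"),
    };

    static string Describe(Oid oid)
    {
        string value = oid?.Value ?? "";
        foreach (var (known, name) in KnownOids)
            if (known == value) return $"{value} ({name})";
        return value.Length == 0 ? "<empty>" : value;
    }

    // Returns true if CheckSignature succeeds; prints per-signer details either way.
    public static bool Inspect(byte[] content, byte[] signature)
    {
        var signedData = new SignedCms(new ContentInfo(content), detached: true);
        signedData.Decode(signature);

        foreach (SignerInfo si in signedData.SignerInfos)
        {
            Console.WriteLine($"Signer:              {si.Certificate?.Subject ?? "<no certificate>"}");
            Console.WriteLine($"Key algorithm:       {Describe(si.Certificate?.PublicKey.Oid)}");
            Console.WriteLine($"Digest algorithm:    {Describe(si.DigestAlgorithm)}");
            Console.WriteLine($"Signature algorithm: {Describe(si.SignatureAlgorithm)}");
        }

        try
        {
            signedData.CheckSignature(verifySignatureOnly: true);
            return true;
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine($"CheckSignature failed: {ex.Message}");
            return false;
        }
    }

    static void Main(string[] args) =>
        Environment.ExitCode = Inspect(File.ReadAllBytes(args[0]), File.ReadAllBytes(args[1])) ? 0 : 1;
}
```

Running it once against a signature produced on .Net Framework and once against one produced on .Net Core shows directly which SignerInfo field differs between the two runtimes; SignerInfo.SignatureAlgorithm requires .Net Framework 4.7.2 or later.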
