runtime: CmsSigner.ComputeSignature() creates a signature with incorrect SignerInfo
I’m currently porting over some code to .Net Core and using the recently added CmsSigner from System.Security.Cryptography.Pkcs (I’m using the 4.5.0-rc1) The certificate I’m using has a serial number of FD319CB1514B06AF49E00522277E43C8, it also happens to be self signed cert.
Here is what I’m doing to create the signature.
X509Certificate2 cert = new X509Certificate2(certificate, password);
ContentInfo contentInfo = new ContentInfo(message);
SignedCms signedCms = new SignedCms(contentInfo, true);
CmsSigner cmsSigner = new CmsSigner(cert);
cmsSigner.SignerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber;
signedCms.ComputeSignature(cmsSigner);
signature = signedCms.Encode();
After calling ComputeSignature the signedCms object created has the wrong serial number in the SignerInfos list, with “00” prefix being added.
Calling
signedCms.SignerInfos[0].SignerIdentifier.Value
Produces the result below, where you can see the extra “00” being added {System.Security.Cryptography.Xml.X509IssuerSerial} IssuerName: “CN=myorg” SerialNumber: “00FD319CB1514B06AF49E00522277E43C8”
In addition, if I check the signedCms.Certificates[0].SerialNumber object I can see the correct serial number with no “00” prefix.
Can you tell me what is causing this “00” to be added and if its a bug or something I can correct with config.
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Comments: 19 (13 by maintainers)
Correction, it is an encoding problem. Apparently I was looking at the encoded serial number of the certificate (unsurprisingly: had the value of the encoded serial number of the certificate) instead of the IssuerAndSerialNumber value, which does have the leading 0x00.
That serial number is invalid according to IETF RFC 3280 sec 4.1.2.2:
Since the most significant byte (0xFD) has the high bit set, this is a negative number.
That said, it looks like the file is encoding properly (didn’t write down the 0x00) and it’s matching properly (
signedCms.SignerInfos[0].Certificate != null
). So there’s some sort of stringification bug, which I’m looking for.