runtime: CmsSigner.ComputeSignature() creates a signature with incorrect SignerInfo

I’m currently porting over some code to .NET Core and using the recently added CmsSigner from System.Security.Cryptography.Pkcs (I’m using the 4.5.0-rc1). The certificate I’m using has a serial number of FD319CB1514B06AF49E00522277E43C8; it also happens to be a self-signed cert.

Here is what I’m doing to create the signature.

using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// certificate (PFX bytes), password and message come from the surrounding code
X509Certificate2 cert = new X509Certificate2(certificate, password);
ContentInfo contentInfo = new ContentInfo(message);
SignedCms signedCms = new SignedCms(contentInfo, true); // detached: content is not embedded
CmsSigner cmsSigner = new CmsSigner(cert);
// identify the signer by issuer DN + serial number rather than by subject key identifier
cmsSigner.SignerIdentifierType = SubjectIdentifierType.IssuerAndSerialNumber;

signedCms.ComputeSignature(cmsSigner);
byte[] signature = signedCms.Encode(); // DER-encoded CMS SignedData

After calling ComputeSignature, the signedCms object created has the wrong serial number in the SignerInfos list, with a “00” prefix being added. Calling signedCms.SignerInfos[0].SignerIdentifier.Value produces the result below, where you can see the extra “00” being added:

{System.Security.Cryptography.Xml.X509IssuerSerial}
IssuerName: “CN=myorg”
SerialNumber: “00FD319CB1514B06AF49E00522277E43C8”

In addition, if I check the signedCms.Certificates[0].SerialNumber object, I can see the correct serial number with no “00” prefix.

Can you tell me what is causing this “00” to be added, and whether it’s a bug or something I can correct with config?

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 19 (13 by maintainers)

Most upvoted comments

Correction, it is an encoding problem. Apparently I was looking at the encoded serial number of the certificate (unsurprisingly: had the value of the encoded serial number of the certificate) instead of the IssuerAndSerialNumber value, which does have the leading 0x00.

That serial number is invalid according to IETF RFC 3280 sec 4.1.2.2:

… CAs MUST force the serialNumber to be a non-negative integer.

Since the most significant byte (0xFD) has the high bit set, this is a negative number.

That said, it looks like the file is encoding properly (didn’t write down the 0x00) and it’s matching properly (signedCms.SignerInfos[0].Certificate != null). So there’s some sort of stringification bug, which I’m looking for.
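The leading 0x00 that both the original post and the maintainer's comments turn on is the DER two's-complement pad: CertificateSerialNumber is an ASN.1 INTEGER, so a value whose first magnitude byte has its high bit set (0xFD here) needs a 0x00 content octet in front of it to stay non-negative, and IssuerAndSerialNumber carries exactly those content octets while the certificate's SerialNumber display shows only the magnitude bytes. The following script is an added example, not code from the issue or from .NET; it is written in Python because the encoding rule is independent of the library, the helper names are mine, and the only value it uses from the page is the serial number in the report.

```python
"""
Why a SignerInfo's IssuerAndSerialNumber shows "00FD31..." while the certificate's
SerialNumber shows "FD31...": a DER INTEGER is two's-complement, so a magnitude whose
first byte has the high bit set needs a 0x00 pad to stay non-negative. The pad is part
of the DER content octets, not part of the number. Added example; the serial number is
the one quoted in the issue, the helper names are assumptions of this example.
"""
from __future__ import annotations

ISSUE_SERIAL_HEX = "FD319CB1514B06AF49E00522277E43C8"


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_encode_integer(value: int) -> bytes:
    """Encode a non-negative int as a DER INTEGER (tag 0x02) in minimal two's-complement."""
    if value < 0:
        raise ValueError("serial numbers must be non-negative (RFC 3280 4.1.2.2)")
    # bit_length // 8 + 1 reserves one bit for the sign: a 128-bit magnitude whose
    # top bit is set becomes 17 content bytes, the first of which is the 0x00 pad.
    content = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_length(len(content)) + content


def der_decode_integer(data: bytes) -> tuple[int, bytes]:
    """Decode a DER INTEGER into (value, content octets); rejects non-minimal encodings."""
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    if data[1] < 0x80:
        length, pos = data[1], 2
    else:
        nbytes = data[1] & 0x7F
        length = int.from_bytes(data[2:2 + nbytes], "big")
        pos = 2 + nbytes
    content = data[pos:pos + length]
    if length == 0 or len(content) != length:
        raise ValueError("truncated DER INTEGER")
    # DER forbids a pad byte that is not needed for the sign
    if length > 1 and (
        (content[0] == 0x00 and not content[1] & 0x80)
        or (content[0] == 0xFF and content[1] & 0x80)
    ):
        raise ValueError("non-minimal DER INTEGER")
    return int.from_bytes(content, "big", signed=True), content


def signer_identifier_serial_hex(cert_serial_hex: str) -> str:
    """What IssuerAndSerialNumber carries: the DER content octets of the serial.
    For the issue's serial this is "00" followed by the magnitude."""
    value = int(cert_serial_hex, 16)
    _, content = der_decode_integer(der_encode_integer(value))
    return content.hex().upper()


def certificate_serial_hex(content: bytes) -> str:
    """What a SerialNumber display shows: the magnitude bytes with the sign pad removed."""
    if int.from_bytes(content, "big", signed=True) < 0:
        raise ValueError("negative serial number: violates RFC 3280 4.1.2.2")
    magnitude = content[1:] if len(content) > 1 and content[0] == 0x00 else content
    return magnitude.hex().upper()


def raw_bytes_read_as_negative(serial_hex: str) -> bool:
    """True when the bare magnitude bytes, read as a DER INTEGER, would be negative,
    i.e. the high bit of the first byte is set and the 0x00 pad is mandatory."""
    return int.from_bytes(bytes.fromhex(serial_hex), "big", signed=True) < 0


if __name__ == "__main__":
    padded = signer_identifier_serial_hex(ISSUE_SERIAL_HEX)
    print("certificate SerialNumber :", ISSUE_SERIAL_HEX)
    print("IssuerAndSerialNumber    :", padded)
    print("same integer             :", int(padded, 16) == int(ISSUE_SERIAL_HEX, 16))
    print("bare bytes negative      :", raw_bytes_read_as_negative(ISSUE_SERIAL_HEX))
```

Running it shows the two strings from the report side by side and confirms they decode to the same integer; the pad appears only when the first magnitude byte has its high bit set, which is exactly the case RFC 3280 tells CAs to avoid by keeping serials non-negative. A serial starting with 0x7D, for instance, round-trips with no "00" at all.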