File: system\security\cryptography\xml\signedxml.cs
Project: ndp\clr\src\managedlibraries\security\System.Security.csproj (System.Security)
// ==++==
// 
//   Copyright (c) Microsoft Corporation.  All rights reserved.
// 
// ==--==
// <OWNER>Microsoft</OWNER>
// 
 
//
// SignedXml.cs
//
// 21 Microsoft 2000
// 
 
namespace System.Security.Cryptography.Xml
{
    using System;
    using System.Collections;
    using System.Collections.Generic;
    using System.Collections.ObjectModel;
    using System.Globalization;
    using System.IO;
    using System.Runtime.CompilerServices;
    using System.Runtime.InteropServices;
    using System.Security.Cryptography;
    using System.Security.Cryptography.X509Certificates;
    using System.Security.Permissions;
    using System.Xml;
    using Microsoft.Win32;
 
    [System.Security.Permissions.HostProtection(MayLeakOnAbort = true)]
    public class SignedXml {
        /// <internalonly/>
        protected Signature m_signature;
        /// <internalonly/>
        protected string m_strSigningKeyName;
 
        private AsymmetricAlgorithm m_signingKey;
        private XmlDocument m_containingDocument = null;
        private IEnumerator m_keyInfoEnum = null;
        private X509Certificate2Collection m_x509Collection = null;
        private IEnumerator m_x509Enum = null;
 
        private bool[] m_refProcessed = null;
        private int[] m_refLevelCache = null;
 
        internal XmlResolver m_xmlResolver = null;
        internal XmlElement m_context = null;
        private bool m_bResolverSet = false;
 
        private Func<SignedXml, bool> m_signatureFormatValidator = DefaultSignatureFormatValidator;
        private Collection<string> m_safeCanonicalizationMethods;
 
        // Built in canonicalization algorithm URIs
        private static IList<string> s_knownCanonicalizationMethods = null;
        // Built in transform algorithm URIs (excluding canonicalization URIs)
        private static IList<string> s_defaultSafeTransformMethods = null;
 
        // additional HMAC Url identifiers
        private const string XmlDsigMoreHMACMD5Url = "http://www.w3.org/2001/04/xmldsig-more#hmac-md5";
        private const string XmlDsigMoreHMACSHA256Url = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256";
        private const string XmlDsigMoreHMACSHA384Url = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha384";
        private const string XmlDsigMoreHMACSHA512Url = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha512";
        private const string XmlDsigMoreHMACRIPEMD160Url = "http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160";
 
        // defines the XML encryption processing rules
        private EncryptedXml m_exml = null;
 
        //
        // public constant Url identifiers most frequently used within the XML Signature classes
        //
 
        public const string XmlDsigNamespaceUrl = "http://www.w3.org/2000/09/xmldsig#";
        public const string XmlDsigMinimalCanonicalizationUrl = "http://www.w3.org/2000/09/xmldsig#minimal";
        public const string XmlDsigCanonicalizationUrl = XmlDsigC14NTransformUrl;
        public const string XmlDsigCanonicalizationWithCommentsUrl = XmlDsigC14NWithCommentsTransformUrl;
 
        public const string XmlDsigSHA1Url = "http://www.w3.org/2000/09/xmldsig#sha1";
        public const string XmlDsigDSAUrl = "http://www.w3.org/2000/09/xmldsig#dsa-sha1";
        public const string XmlDsigRSASHA1Url = "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
        public const string XmlDsigHMACSHA1Url = "http://www.w3.org/2000/09/xmldsig#hmac-sha1";
 
        public const string XmlDsigSHA256Url = "http://www.w3.org/2001/04/xmlenc#sha256";
        public const string XmlDsigRSASHA256Url = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
 
        // Yes, SHA384 is in the xmldsig-more namespace even though all the other SHA variants are in xmlenc. That's the standard.
        public const string XmlDsigSHA384Url = "http://www.w3.org/2001/04/xmldsig-more#sha384";
        public const string XmlDsigRSASHA384Url = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384";
 
        public const string XmlDsigSHA512Url = "http://www.w3.org/2001/04/xmlenc#sha512";
        public const string XmlDsigRSASHA512Url = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
 
        internal static readonly string XmlDsigDigestDefault = LocalAppContextSwitches.XmlUseInsecureHashAlgorithms ? XmlDsigSHA1Url : XmlDsigSHA256Url;
        internal static readonly string XmlDsigRSADefault = LocalAppContextSwitches.XmlUseInsecureHashAlgorithms ? XmlDsigRSASHA1Url : XmlDsigRSASHA256Url;
 
        public const string XmlDsigC14NTransformUrl = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"; 
        public const string XmlDsigC14NWithCommentsTransformUrl = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"; 
        public const string XmlDsigExcC14NTransformUrl = "http://www.w3.org/2001/10/xml-exc-c14n#";
        public const string XmlDsigExcC14NWithCommentsTransformUrl = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"; 
        public const string XmlDsigBase64TransformUrl = "http://www.w3.org/2000/09/xmldsig#base64";
        public const string XmlDsigXPathTransformUrl = "http://www.w3.org/TR/1999/REC-xpath-19991116";
        public const string XmlDsigXsltTransformUrl = "http://www.w3.org/TR/1999/REC-xslt-19991116";
        public const string XmlDsigEnvelopedSignatureTransformUrl = "http://www.w3.org/2000/09/xmldsig#enveloped-signature";
        public const string XmlDecryptionTransformUrl = "http://www.w3.org/2002/07/decrypt#XML";
        public const string XmlLicenseTransformUrl = "urn:mpeg:mpeg21:2003:01-REL-R-NS:licenseTransform";
 
        //
        // public constructors
        //
 
        public SignedXml() {
            Initialize(null);
        }
 
        public SignedXml(XmlDocument document) {
            if (document == null)
                throw new ArgumentNullException("document");
            Initialize(document.DocumentElement);
        }
 
        public SignedXml(XmlElement elem) {
            if (elem == null)
                throw new ArgumentNullException("elem");
            Initialize(elem);
        }
 
        private void Initialize (XmlElement element) {
            m_containingDocument = (element == null ? null : element.OwnerDocument);
            m_context = element;
            m_signature = new Signature();
            m_signature.SignedXml = this;
            m_signature.SignedInfo = new SignedInfo();
            m_signingKey = null;
 
            m_safeCanonicalizationMethods = new Collection<string>(KnownCanonicalizationMethods);
        }
 
        //
        // public properties
        //
 
        /// <internalonly/>
        public string SigningKeyName {
            get { return m_strSigningKeyName; }
            set { m_strSigningKeyName = value; }
        }
 
        [ComVisible(false)]
        public XmlResolver Resolver {
            // This property only has a setter. The rationale for this is that we don't have a good value
            // to return when it has not been explicitely set, as we are using XmlSecureResolver by default
            set { 
                m_xmlResolver = value;
                m_bResolverSet = true;
            }
        }
 
        internal bool ResolverSet {
            get { return m_bResolverSet; }
        }
 
        public Func<SignedXml, bool> SignatureFormatValidator {
            get { return m_signatureFormatValidator; }
            set { m_signatureFormatValidator = value; }
        }
 
        public Collection<string> SafeCanonicalizationMethods {
            get { return m_safeCanonicalizationMethods; }
        }
 
        public AsymmetricAlgorithm SigningKey {
            get { return m_signingKey; }
            set { m_signingKey = value; }
        }
 
        [ComVisible(false)]
        public EncryptedXml EncryptedXml {
            get {
                if (m_exml == null)
                    m_exml = new EncryptedXml(m_containingDocument); // default processing rules
                return m_exml; 
            }
            set { m_exml = value; }
        }
 
        public Signature Signature {
            get { return m_signature; }
        }
 
        public SignedInfo SignedInfo {
            get { return m_signature.SignedInfo; }
        }
 
        public string SignatureMethod  {
            get { return m_signature.SignedInfo.SignatureMethod; }
        }
 
        public string SignatureLength {
            get { return m_signature.SignedInfo.SignatureLength; }
        }
 
        public byte[] SignatureValue {
            get { return m_signature.SignatureValue; }
        }
 
        public KeyInfo KeyInfo {
            get { return m_signature.KeyInfo; }
            set { m_signature.KeyInfo = value; }
        }
 
        public XmlElement GetXml() {
            // If we have a document context, then return a signature element in this context
            if (m_containingDocument != null)
                return m_signature.GetXml(m_containingDocument);
            else
                return m_signature.GetXml();
        }
 
        public void LoadXml(XmlElement value) {
            if (value == null)
                throw new ArgumentNullException("value");
 
            m_signature.LoadXml(value);
 
            if (m_context == null) {
                m_context = value;
            }
 
            bCacheValid = false;
        }
 
        //
        // public methods
        //
 
        public void AddReference(Reference reference) {
            m_signature.SignedInfo.AddReference(reference);
        }
 
        public void AddObject(DataObject dataObject) {
            m_signature.AddObject(dataObject);
        }
 
        public bool CheckSignature() {
            AsymmetricAlgorithm signingKey;
            return CheckSignatureReturningKey(out signingKey);
        }
 
        public bool CheckSignatureReturningKey(out AsymmetricAlgorithm signingKey) {
            SignedXmlDebugLog.LogBeginSignatureVerification(this, m_context);
 
            signingKey = null;
            bool bRet = false;
            AsymmetricAlgorithm key = null;
 
            if (!CheckSignatureFormat()) {
                return false;
            }
 
            do {
                key = GetPublicKey();
                if (key != null) {
                    bRet = CheckSignature(key);
                    SignedXmlDebugLog.LogVerificationResult(this, key, bRet);
                }
            } while (key != null && bRet == false);
 
            signingKey = key;
            return bRet;
        }
 
        public bool CheckSignature(AsymmetricAlgorithm key) {
            if (!CheckSignatureFormat()) {
                return false;
            }
 
            if (!CheckSignedInfo(key)) {
                SignedXmlDebugLog.LogVerificationFailure(this, SecurityResources.GetResourceString("Log_VerificationFailed_SignedInfo"));
                return false;
            }
 
            // Now is the time to go through all the references and see if their DigestValues are good
            if (!CheckDigestedReferences()) {
                SignedXmlDebugLog.LogVerificationFailure(this, SecurityResources.GetResourceString("Log_VerificationFailed_References"));
                return false;
            }
 
            SignedXmlDebugLog.LogVerificationResult(this, key, true);
            return true;
        }
 
        public bool CheckSignature(KeyedHashAlgorithm macAlg) {
            if (!CheckSignatureFormat()) {
                return false;
            }
 
            if (!CheckSignedInfo(macAlg)) {
                SignedXmlDebugLog.LogVerificationFailure(this, SecurityResources.GetResourceString("Log_VerificationFailed_SignedInfo"));
                return false;
            }
 
            if (!CheckDigestedReferences()) {
                SignedXmlDebugLog.LogVerificationFailure(this, SecurityResources.GetResourceString("Log_VerificationFailed_References"));
                return false;
            }
 
            SignedXmlDebugLog.LogVerificationResult(this, macAlg, true);
            return true;
        }
 
        [ComVisible(false)]
        [SecuritySafeCritical]
        public bool CheckSignature(X509Certificate2 certificate, bool verifySignatureOnly) {
            if (!verifySignatureOnly) {
                // Check key usages to make sure it is good for signing.
                foreach (X509Extension extension in certificate.Extensions) {
                    if (String.Compare(extension.Oid.Value, CAPI.szOID_KEY_USAGE, StringComparison.OrdinalIgnoreCase) == 0) {
                        X509KeyUsageExtension keyUsage = new X509KeyUsageExtension();
                        keyUsage.CopyFrom(extension);
                        SignedXmlDebugLog.LogVerifyKeyUsage(this, certificate, keyUsage);
 
                        bool validKeyUsage = (keyUsage.KeyUsages & X509KeyUsageFlags.DigitalSignature) != 0 ||
                                             (keyUsage.KeyUsages & X509KeyUsageFlags.NonRepudiation) != 0;
 
                        if (!validKeyUsage) {
                            SignedXmlDebugLog.LogVerificationFailure(this, SecurityResources.GetResourceString("Log_VerificationFailed_X509KeyUsage"));
                            return false;
                        }
                        break;
                    }
                }
 
                // Do the chain verification to make sure the certificate is valid.
                X509Chain chain = new X509Chain();
                chain.ChainPolicy.ExtraStore.AddRange(BuildBagOfCerts());
                bool chainVerified = chain.Build(certificate);
                SignedXmlDebugLog.LogVerifyX509Chain(this, chain, certificate);
 
                if (!chainVerified) {
                    SignedXmlDebugLog.LogVerificationFailure(this, SecurityResources.GetResourceString("Log_VerificationFailed_X509Chain"));
                    return false;
                }
            }
 
            if (!CheckSignature(certificate.GetAnyPublicKey())) {
                return false;
            }
 
            SignedXmlDebugLog.LogVerificationResult(this, certificate, true);
            return true;
        }
 
        public void ComputeSignature() {
            SignedXmlDebugLog.LogBeginSignatureComputation(this, m_context);
 
            BuildDigestedReferences();
 
            // Load the key
            AsymmetricAlgorithm key = SigningKey;
 
            if (key == null)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_LoadKeyFailed"));
 
            // Check the signature algorithm associated with the key so that we can accordingly set the signature method
            if (SignedInfo.SignatureMethod == null) {
                if (key is DSA) {
                    SignedInfo.SignatureMethod = XmlDsigDSAUrl;
                } else if (key is RSA) {
                    // Default to RSA-SHA256 or RSA-SHA1 depending on context switch
                    if (SignedInfo.SignatureMethod == null) 
                        SignedInfo.SignatureMethod = XmlDsigRSADefault;
                } else {
                    throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_CreatedKeyFailed"));
                }
            }
 
            // See if there is a signature description class defined in the Config file
            SignatureDescription signatureDescription = Utils.CreateFromName<SignatureDescription>(SignedInfo.SignatureMethod);
            if (signatureDescription == null)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_SignatureDescriptionNotCreated"));
            HashAlgorithm hashAlg = signatureDescription.CreateDigest();
            if (hashAlg == null)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_CreateHashAlgorithmFailed"));
            byte[] hashvalue = GetC14NDigest(hashAlg);
            AsymmetricSignatureFormatter asymmetricSignatureFormatter = signatureDescription.CreateFormatter(key);
 
            SignedXmlDebugLog.LogSigning(this, key, signatureDescription, hashAlg, asymmetricSignatureFormatter);
            m_signature.SignatureValue = asymmetricSignatureFormatter.CreateSignature(hashAlg);
        }
 
        public void ComputeSignature(KeyedHashAlgorithm macAlg) {
            if (macAlg == null)
                throw new ArgumentNullException("macAlg");
 
            HMAC hash = macAlg as HMAC;
            if(hash == null)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_SignatureMethodKeyMismatch"));
 
            int signatureLength;
            if (m_signature.SignedInfo.SignatureLength == null)
                signatureLength = hash.HashSize;
            else
                signatureLength = Convert.ToInt32(m_signature.SignedInfo.SignatureLength, null);
            // signatureLength should be less than hash size
            if (signatureLength < 0 || signatureLength > hash.HashSize)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_InvalidSignatureLength"));
            if (signatureLength % 8 != 0)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_InvalidSignatureLength2"));
 
            BuildDigestedReferences();
            switch (hash.HashName) {
            case "SHA1":
                SignedInfo.SignatureMethod = SignedXml.XmlDsigHMACSHA1Url;
                break;
            case "SHA256":
                SignedInfo.SignatureMethod = SignedXml.XmlDsigMoreHMACSHA256Url;
                break;
            case "SHA384":
                SignedInfo.SignatureMethod = SignedXml.XmlDsigMoreHMACSHA384Url;
                break;
            case "SHA512":
                SignedInfo.SignatureMethod = SignedXml.XmlDsigMoreHMACSHA512Url;
                break;
            case "MD5":
                SignedInfo.SignatureMethod = SignedXml.XmlDsigMoreHMACMD5Url;
                break;
            case "RIPEMD160":
                SignedInfo.SignatureMethod = SignedXml.XmlDsigMoreHMACRIPEMD160Url;
                break;
            default:
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_SignatureMethodKeyMismatch"));
            }
 
            byte[] hashValue = GetC14NDigest(hash);
 
            SignedXmlDebugLog.LogSigning(this, hash);
            m_signature.SignatureValue = new byte[signatureLength / 8];
            Buffer.BlockCopy(hashValue, 0, m_signature.SignatureValue, 0, signatureLength / 8);
        }
 
        //
        // virtual methods
        //
 
        protected virtual AsymmetricAlgorithm GetPublicKey() {
            if (KeyInfo == null)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_KeyInfoRequired"));
 
            if (m_x509Enum != null) {
                AsymmetricAlgorithm key = GetNextCertificatePublicKey();
                if (key != null)
                    return key;
            }
 
            if (m_keyInfoEnum == null)
                m_keyInfoEnum = KeyInfo.GetEnumerator();
 
            // In our implementation, we move to the next KeyInfo clause which is an RSAKeyValue, DSAKeyValue or KeyInfoX509Data
            while (m_keyInfoEnum.MoveNext()) {
                RSAKeyValue rsaKeyValue = m_keyInfoEnum.Current as RSAKeyValue;
                if (rsaKeyValue != null) 
                    return rsaKeyValue.Key;
 
                DSAKeyValue dsaKeyValue = m_keyInfoEnum.Current as DSAKeyValue;
                if (dsaKeyValue != null) 
                    return dsaKeyValue.Key;
 
                KeyInfoX509Data x509Data = m_keyInfoEnum.Current as KeyInfoX509Data;
                if (x509Data != null) {
                    m_x509Collection = Utils.BuildBagOfCerts (x509Data, CertUsageType.Verification);
                    if (m_x509Collection.Count > 0) {
                        m_x509Enum = m_x509Collection.GetEnumerator();
                        AsymmetricAlgorithm key = GetNextCertificatePublicKey();
                        if (key != null)
                            return key;
                    }
                }
            }
 
            return null;
        }
 
        private X509Certificate2Collection BuildBagOfCerts () {
            X509Certificate2Collection collection = new X509Certificate2Collection();
            if (this.KeyInfo != null) {
                foreach (KeyInfoClause clause in this.KeyInfo) {
                    KeyInfoX509Data x509Data = clause as KeyInfoX509Data;
                    if (x509Data != null) 
                        collection.AddRange(Utils.BuildBagOfCerts(x509Data, CertUsageType.Verification));
                }
            }
 
            return collection;
        }
 
        private AsymmetricAlgorithm GetNextCertificatePublicKey () {
            while (m_x509Enum.MoveNext()) {
                X509Certificate2 certificate = (X509Certificate2) m_x509Enum.Current;
                if (certificate != null)
                    return LocalAppContextSwitches.SignedXmlUseLegacyCertificatePrivateKey ? certificate.PublicKey.Key : certificate.GetAnyPublicKey();
            }
 
            return null;
        }
 
        public virtual XmlElement GetIdElement (XmlDocument document, string idValue) {
            return DefaultGetIdElement(document, idValue);
        }
 
        internal static XmlElement DefaultGetIdElement(XmlDocument document, string idValue) {
            if (document == null)
                return null;
 
            if (Utils.RequireNCNameIdentifier()) {
                try {
                    XmlConvert.VerifyNCName(idValue);
                } catch (XmlException) {
                    // Identifiers are required to be an NCName
                    //   (xml:id version 1.0, part 4, paragraph 2, bullet 1)
                    //
                    // If it isn't an NCName, it isn't allowed to match.
                    return null;
                }
            }
 
            // Get the element with idValue
            XmlElement elem = document.GetElementById(idValue);
 
            if (elem != null) {
                if (!Utils.AllowAmbiguousReferenceTargets()) {
                    // Have to check for duplicate ID values from the DTD.
 
                    XmlDocument docClone = (XmlDocument)document.CloneNode(true);
                    XmlElement cloneElem = docClone.GetElementById(idValue);
 
                    // If it's null here we want to know about it, because it means that
                    // GetElementById failed to work across the cloning, and our uniqueness
                    // test is invalid.
                    System.Diagnostics.Debug.Assert(cloneElem != null);
 
                    // Guard against null anyways
                    if (cloneElem != null) {
                        cloneElem.Attributes.RemoveAll();
 
                        XmlElement cloneElem2 = docClone.GetElementById(idValue);
 
                        if (cloneElem2 != null) {
                            throw new CryptographicException(
                                SecurityResources.GetResourceString("Cryptography_Xml_InvalidReference"));
                        }
                    }
                }
 
                return elem;
            }
 
            elem = GetSingleReferenceTarget(document, "Id", idValue);
            if (elem != null)
                return elem;
            elem = GetSingleReferenceTarget(document, "id", idValue);
            if (elem != null)
                return elem;
            elem = GetSingleReferenceTarget(document, "ID", idValue);
 
            return elem;
        }
 
        //
        // private methods
        //
 
        private bool bCacheValid = false;
        private byte[] _digestedSignedInfo = null;
 
        private static bool DefaultSignatureFormatValidator(SignedXml signedXml) {
            // Reject the signature if it uses a truncated HMAC
            if (signedXml.DoesSignatureUseTruncatedHmac()) {
                return false;
            }
 
            // Reject the signature if it uses a canonicalization algorithm other than
            // one of the ones explicitly allowed
            if (!signedXml.DoesSignatureUseSafeCanonicalizationMethod()) {
                return false;
            }
 
            // Otherwise accept it
            return true;
        }
 
        // Validation function to see if the current signature is signed with a truncated HMAC - one which
        // has a signature length of fewer bits than the whole HMAC output.
        private bool DoesSignatureUseTruncatedHmac() {
            // If we're not using the SignatureLength property, then we're not truncating the signature length
            if (SignedInfo.SignatureLength == null) {
                return false;
            }
 
            // See if we're signed witn an HMAC algorithm
            HMAC hmac = Utils.CreateFromName<HMAC>(SignatureMethod);
            if (hmac == null) {
                // We aren't signed with an HMAC algorithm, so we cannot have a truncated HMAC
                return false;
            }
 
            // Figure out how many bits the signature is using
            int actualSignatureSize = 0;
            if (!Int32.TryParse(SignedInfo.SignatureLength, out actualSignatureSize)) {
                // If the value wasn't a valid integer, then we'll conservatively reject it all together
                return true;
            }
 
            // Make sure the full HMAC signature size is the same size that was specified in the XML
            // signature.  If the actual signature size is not exactly the same as the full HMAC size, then
            // reject the signature.
            return actualSignatureSize != hmac.HashSize;
        }
 
        // Validation function to see if the signature uses a canonicalization algorithm from our list
        // of approved algorithm URIs.
        private bool DoesSignatureUseSafeCanonicalizationMethod() {
            foreach (string safeAlgorithm in SafeCanonicalizationMethods) {
                if (String.Equals(safeAlgorithm, SignedInfo.CanonicalizationMethod, StringComparison.OrdinalIgnoreCase)) {
                    return true;
                }
            }
 
            SignedXmlDebugLog.LogUnsafeCanonicalizationMethod(this, SignedInfo.CanonicalizationMethod, SafeCanonicalizationMethods);
            return false;
        }
 
        private bool ReferenceUsesSafeTransformMethods(Reference reference)
        {
            TransformChain transformChain = reference.TransformChain;
            int transformCount = transformChain.Count;
 
            for (int i = 0; i < transformCount; i++) {
                Transform transform = transformChain[i];
 
                if (!IsSafeTransform(transform.Algorithm)) {
                    return false;
                }
            }
 
            return true;
        }
 
        private bool IsSafeTransform(string transformAlgorithm)
        {
            // All canonicalization algorithms are valid transform algorithms.
            foreach (string safeAlgorithm in SafeCanonicalizationMethods) {
                if (String.Equals(safeAlgorithm, transformAlgorithm, StringComparison.OrdinalIgnoreCase)) {
                    return true;
                }
            }
 
            foreach (string safeAlgorithm in DefaultSafeTransformMethods) {
                if (String.Equals(safeAlgorithm, transformAlgorithm, StringComparison.OrdinalIgnoreCase)) {
                    return true;
                }
            }
 
            SignedXmlDebugLog.LogUnsafeTransformMethod(
                this,
                transformAlgorithm,
                SafeCanonicalizationMethods,
                DefaultSafeTransformMethods);
 
            return false;
        }
 
        // Get a list of the built in canonicalization algorithms, as well as any that the machine admin has
        // added to the valid set.
        private static IList<string> KnownCanonicalizationMethods
        {
            get {
                if (s_knownCanonicalizationMethods == null) {
                    // Start with the list that the machine admin added, if any
                    List<string> safeAlgorithms = ReadAdditionalSafeCanonicalizationMethods();
 
                    // And add the built in algorithms as well
                    safeAlgorithms.Add(XmlDsigC14NTransformUrl);
                    safeAlgorithms.Add(XmlDsigC14NWithCommentsTransformUrl);
                    safeAlgorithms.Add(XmlDsigExcC14NTransformUrl);
                    safeAlgorithms.Add(XmlDsigExcC14NWithCommentsTransformUrl);
 
                    s_knownCanonicalizationMethods = safeAlgorithms;
                }
 
                return s_knownCanonicalizationMethods;
            }
        }
 
        private static IList<string> DefaultSafeTransformMethods
        {
            get {
                if (s_defaultSafeTransformMethods == null) {
                    List<string> safeAlgorithms = ReadAdditionalSafeTransformMethods();
 
                    // And the built in algorithms
 
                    // KnownCanonicalizationMethods don't need to be added here, because
                    // the validator will automatically accept those.
                    //
                    // xmldsig 6.6.1:
                    //     Any canonicalization algorithm that can be used for
                    //     CanonicalizationMethod can be used as a Transform.
                    safeAlgorithms.Add(XmlDsigEnvelopedSignatureTransformUrl);
                    safeAlgorithms.Add(XmlDsigBase64TransformUrl);
                    safeAlgorithms.Add(XmlLicenseTransformUrl);
                    safeAlgorithms.Add(XmlDecryptionTransformUrl);
 
                    s_defaultSafeTransformMethods = safeAlgorithms;
                }
 
                return s_defaultSafeTransformMethods;
            }
        }
 
        // Allow machine admins to add additional canonicalization algorithms that should be considered valid when
        // validating XML signatuers by supplying a list in the 
        // HKLM\Software\Microsoft\.NETFramework\Security\SafeCanonicalizationMethods
        // key.  Each REG_SZ entry in this key will be considered a canonicalziation algorithm URI that should be
        // allowed by SignedXml instances on this machine.
        [RegistryPermission(SecurityAction.Assert, Unrestricted = true)]
        [SecuritySafeCritical]
        private static List<string> ReadAdditionalSafeCanonicalizationMethods() {
            return ReadFxSecurityStringValues("SafeCanonicalizationMethods");
        }
 
        // Allow machine admins to add additional transform algorithms that should be considered valid when
        // validating XML signatuers by supplying a list in the 
        // HKLM\Software\Microsoft\.NETFramework\Security\SafeTransformMethods
        // key.  Each REG_SZ entry in this key will be considered a transform algorithm URI that should be
        // allowed by SignedXml instances on this machine.
        [RegistryPermission(SecurityAction.Assert, Unrestricted = true)]
        [SecuritySafeCritical]
        private static List<string> ReadAdditionalSafeTransformMethods() {
            return ReadFxSecurityStringValues("SafeTransformMethods");
        }
 
        private static List<string> ReadFxSecurityStringValues(string subkey) {
            List<string> values = new List<string>();
 
            try {
                using (RegistryKey stringListKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\.NETFramework\Security\" + subkey, false)) {
                    if (stringListKey != null) {
                        foreach (string value in stringListKey.GetValueNames()) {
                            if (stringListKey.GetValueKind(value) == RegistryValueKind.String) {
                                string stringValue = stringListKey.GetValue(value) as string;
                                if (!String.IsNullOrWhiteSpace(stringValue)) {
                                    values.Add(stringValue);
                                }
                            }
                        }
                    }
                }
            }
            catch (SecurityException) { /* we could not open the key - that's fine, we can proceed with no additional values */ }
            return values;
        }
 
        private byte[] GetC14NDigest (HashAlgorithm hash) {
            if (!bCacheValid || !this.SignedInfo.CacheValid) {
                string baseUri = (m_containingDocument == null ? null : m_containingDocument.BaseURI);
                XmlResolver resolver = (m_bResolverSet ? m_xmlResolver : new XmlSecureResolver(new XmlUrlResolver(), baseUri));
                XmlDocument doc = Utils.PreProcessElementInput(SignedInfo.GetXml(), resolver, baseUri);
 
                // Add non default namespaces in scope
                CanonicalXmlNodeList namespaces = (m_context == null ? null : Utils.GetPropagatedAttributes(m_context));
                SignedXmlDebugLog.LogNamespacePropagation(this, namespaces);
                Utils.AddNamespaces(doc.DocumentElement, namespaces);
 
                Transform c14nMethodTransform = SignedInfo.CanonicalizationMethodObject;
                c14nMethodTransform.Resolver = resolver;
                c14nMethodTransform.BaseURI = baseUri;
 
                SignedXmlDebugLog.LogBeginCanonicalization(this, c14nMethodTransform);
                c14nMethodTransform.LoadInput(doc);
                SignedXmlDebugLog.LogCanonicalizedOutput(this, c14nMethodTransform);
                _digestedSignedInfo = c14nMethodTransform.GetDigestedOutput(hash);
 
                bCacheValid = true;
            }
            return _digestedSignedInfo;
        }
 
        private int GetReferenceLevel (int index, ArrayList references) {
            if (m_refProcessed[index]) return m_refLevelCache[index];
            m_refProcessed[index] = true;
            Reference reference = (Reference) references[index];
            if (reference.Uri == null || reference.Uri.Length == 0 || (reference.Uri.Length > 0 && reference.Uri[0] != '#')) {
                m_refLevelCache[index] = 0;
                return 0;
            }
            if (reference.Uri.Length > 0 && reference.Uri[0] == '#') {
                String idref = Utils.ExtractIdFromLocalUri(reference.Uri);
                if (idref == "xpointer(/)") {
                    m_refLevelCache[index] = 0;
                    return 0;
                }
                // If this is pointing to another reference
                for (int j=0; j < references.Count; ++j) {
                    if (((Reference)references[j]).Id == idref) {
                        m_refLevelCache[index] = GetReferenceLevel(j, references) + 1;
                        return (m_refLevelCache[index]);
                    }
                }
                // Then the reference points to an object tag
                m_refLevelCache[index] = 0;
                return 0;
            }
            // Malformed reference
            throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_InvalidReference"));
        }
 
        private class ReferenceLevelSortOrder : IComparer {
            private ArrayList m_references = null;
            public ReferenceLevelSortOrder() {}
 
            public ArrayList References {
                get { return m_references; }
                set { m_references = value; }
            }
 
            public int Compare(Object a, Object b) {
                Reference referenceA = a as Reference;
                Reference referenceB = b as Reference;
 
                // Get the indexes
                int iIndexA = 0;
                int iIndexB = 0;
                int i = 0;
                foreach (Reference reference in References) {
                    if (reference == referenceA) iIndexA = i;
                    if (reference == referenceB) iIndexB = i;
                    i++;
                }
 
                int iLevelA = referenceA.SignedXml.GetReferenceLevel(iIndexA, References);
                int iLevelB = referenceB.SignedXml.GetReferenceLevel(iIndexB, References);
                return iLevelA.CompareTo(iLevelB);
            }
        }
 
        private void BuildDigestedReferences() {
            // Default the DigestMethod and Canonicalization
            ArrayList references = SignedInfo.References;
            // Reset the cache
            m_refProcessed = new bool[references.Count];
            m_refLevelCache = new int[references.Count];
 
            ReferenceLevelSortOrder sortOrder = new ReferenceLevelSortOrder();
            sortOrder.References = references;
            // Don't alter the order of the references array list
            ArrayList sortedReferences = new ArrayList();
            foreach (Reference reference in references) {
                sortedReferences.Add(reference);
            }
            sortedReferences.Sort(sortOrder);
 
            CanonicalXmlNodeList nodeList = new CanonicalXmlNodeList();
            foreach (DataObject obj in m_signature.ObjectList) {
                nodeList.Add(obj.GetXml());
            }
            foreach (Reference reference in sortedReferences) {
                // If no DigestMethod has yet been set, default it to SHA256 or SHA1 depending on context switch
                if (reference.DigestMethod == null)
                    reference.DigestMethod = XmlDsigDigestDefault;
 
                SignedXmlDebugLog.LogSigningReference(this, reference);
 
                reference.UpdateHashValue(m_containingDocument, nodeList);
                // If this reference has an Id attribute, add it
                if (reference.Id != null)
                    nodeList.Add(reference.GetXml());
            }
        }
 
        private bool CheckDigestedReferences () {
            ArrayList references = m_signature.SignedInfo.References;
            for (int i = 0; i < references.Count; ++i) {
                Reference digestedReference = (Reference) references[i];
 
                if (!ReferenceUsesSafeTransformMethods(digestedReference)) {
                    return false;
                }
 
                SignedXmlDebugLog.LogVerifyReference(this, digestedReference);
                byte[] calculatedHash = null;
                try {
                    calculatedHash = digestedReference.CalculateHashValue(m_containingDocument, m_signature.ReferencedItems);
                }
                catch (CryptoSignedXmlRecursionException) {
                    SignedXmlDebugLog.LogSignedXmlRecursionLimit(this, digestedReference);
                    return false;
                }
                // Compare both hashes
                SignedXmlDebugLog.LogVerifyReferenceHash(this, digestedReference, calculatedHash, digestedReference.DigestValue);
 
                if (!CryptographicEquals(calculatedHash, digestedReference.DigestValue, calculatedHash.Length)) {
                    return false;
                }
            }
 
            return true;
        }
 
        // Methods _must_ be marked both No Inlining and No Optimization to be fully opted out of optimization.
        // This is because if a candidate method is inlined, its method level attributes, including the NoOptimization
        // attribute, are lost. 
        // This method makes no attempt to disguise the length of either of its inputs. It is assumed the attacker has 
        // knowledge of the algorithms used, and thus the output length. Length is difficult to properly blind in modern CPUs.
        [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
        internal static bool CryptographicEquals(byte[] a, byte[] b, int count) {
            System.Diagnostics.Debug.Assert(a != null);
            System.Diagnostics.Debug.Assert(b != null);
            System.Diagnostics.Debug.Assert(count > 0);
 
            int result = 0;
 
            // Short cut if the lengths are not right
            if (a.Length < count || b.Length < count)
                return false;
 
            unchecked {
                // This routine was changed to accept the count as an input, so the total length is already
                // in a register.
                //
                // If this method is being copied to require an exact length match (a la
                // CryptographicOperations.FixedTimeEquals(ReadOnlySpan, ReadOnlySpan) then
                // one of the lengths should be saved to a local here, or the non-optimized call in the
                // for loop is noticable.
 
                for (int i = 0; i < count; i++)
                    // We use subtraction here instead of XOR because the XOR algorithm gets ever so
                    // slightly faster as more and more differences pile up.
                    // This cannot overflow more than once (and back to 0) because bytes are 1 byte
                    // in length, and result is 4 bytes. The OR propagates all set bytes, so the differences
                    // can't add up and overflow a second time.
                    result = result | (a[i] - b[i]);
            }
 
            return (0 == result);
        }
 
        // If we have a signature format validation callback, check to see if this signature's format (not
        // the signautre itself) is valid according to the validator.  A return value of true indicates that
        // the signature format is acceptable, false means that the format is not valid.
        private bool CheckSignatureFormat() {
            if (m_signatureFormatValidator == null) {
                // No format validator means that we default to accepting the signature.  (This is
                // effectively compatibility mode with v3.5).
                return true;
            }
            
            SignedXmlDebugLog.LogBeginCheckSignatureFormat(this, m_signatureFormatValidator);
 
            bool formatValid = m_signatureFormatValidator(this);
            SignedXmlDebugLog.LogFormatValidationResult(this, formatValid);
            return formatValid;
        }
 
        private bool CheckSignedInfo (AsymmetricAlgorithm key) {
            if (key == null)
                throw new ArgumentNullException("key");
 
            SignedXmlDebugLog.LogBeginCheckSignedInfo(this, m_signature.SignedInfo);
 
            SignatureDescription signatureDescription = Utils.CreateFromName<SignatureDescription>(SignatureMethod);
            if (signatureDescription == null)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_SignatureDescriptionNotCreated"));
 
            // Let's see if the key corresponds with the SignatureMethod 
            Type ta = Type.GetType(signatureDescription.KeyAlgorithm);
            if (!IsKeyTheCorrectAlgorithm(key, ta))
                return false;
 
            HashAlgorithm hashAlgorithm = signatureDescription.CreateDigest();
            if (hashAlgorithm == null)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_CreateHashAlgorithmFailed"));
            byte[] hashval = GetC14NDigest(hashAlgorithm);
 
            AsymmetricSignatureDeformatter asymmetricSignatureDeformatter = signatureDescription.CreateDeformatter(key);
            SignedXmlDebugLog.LogVerifySignedInfo(this,
                                                  key,
                                                  signatureDescription,
                                                  hashAlgorithm,
                                                  asymmetricSignatureDeformatter,
                                                  hashval,
                                                  m_signature.SignatureValue);
            return asymmetricSignatureDeformatter.VerifySignature(hashval, m_signature.SignatureValue);
        }
 
        private bool CheckSignedInfo (KeyedHashAlgorithm macAlg) {
            if (macAlg == null)
                throw new ArgumentNullException("macAlg");
 
            SignedXmlDebugLog.LogBeginCheckSignedInfo(this, m_signature.SignedInfo);
 
            int signatureLength;
            if (m_signature.SignedInfo.SignatureLength == null)
                signatureLength = macAlg.HashSize;
            else 
                signatureLength = Convert.ToInt32(m_signature.SignedInfo.SignatureLength, null);
 
            // signatureLength should be less than hash size
            if (signatureLength < 0 || signatureLength > macAlg.HashSize)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_InvalidSignatureLength"));
            if (signatureLength % 8 != 0)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_InvalidSignatureLength2"));
            if (m_signature.SignatureValue == null)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_SignatureValueRequired"));
            if (m_signature.SignatureValue.Length != signatureLength / 8)
                throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_InvalidSignatureLength"));
 
            // Calculate the hash
            byte[] hashValue = GetC14NDigest(macAlg);
            SignedXmlDebugLog.LogVerifySignedInfo(this, macAlg, hashValue, m_signature.SignatureValue);
            for (int i=0; i<m_signature.SignatureValue.Length; i++) {
                if (m_signature.SignatureValue[i] != hashValue[i]) return false;
            }
            return true; 
        }
 
        private static XmlElement GetSingleReferenceTarget(XmlDocument document, string idAttributeName, string idValue) {
            // idValue has already been tested as an NCName (unless overridden for compatibility), so there's no
            // escaping that needs to be done here.
            string xPath = "//*[@" + idAttributeName + "=\"" + idValue + "\"]";
 
            if (Utils.AllowAmbiguousReferenceTargets()) {
                return document.SelectSingleNode(xPath) as XmlElement;
            }
 
            // http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel says that for the form URI="#chapter1":
            //
            //   Identifies a node-set containing the element with ID attribute value 'chapter1' ...
            //
            // Note that it uses the singular. Therefore, if the match is ambiguous, we should consider the document invalid.
            //
            // In this case, we'll treat it the same as having found nothing across all fallbacks (but shortcut so that we don't
            // fall into a trap of finding a secondary element which wasn't the originally signed one).
 
            XmlNodeList nodeList = document.SelectNodes(xPath);
 
            if (nodeList == null || nodeList.Count == 0) {
                return null;
            }
 
            if (nodeList.Count == 1) {
                return nodeList[0] as XmlElement;
            }
 
            throw new CryptographicException(SecurityResources.GetResourceString("Cryptography_Xml_InvalidReference"));
        }
 
        private static bool IsKeyTheCorrectAlgorithm(AsymmetricAlgorithm key, Type expectedType)
        {
            Type actualType = key.GetType();
 
            if (actualType == expectedType)
                return true;
 
            // This check exists solely for compatibility with 4.6. Normally, we would expect "expectedType" to be the superclass type and
            // the actualType to be the subclass.
            if (expectedType.IsSubclassOf(actualType))
                return true;
 
            //
            // "expectedType" comes from the KeyAlgorithm property of a SignatureDescription. The BCL SignatureDescription classes have historically 
            // denoted provider-specific implementations ("RSACryptoServiceProvider") rather than the base class for the algorithm ("RSA"). We could
            // change those (at the risk of creating other compat problems) but we have no control over third party SignatureDescriptions.
            //
            // So, in the absence of a better approach, walk up the parent hierarchy until we find the ancestor that's a direct subclass of
            // AsymmetricAlgorithm and treat that as the algorithm identifier.
            //
            while (expectedType != null && expectedType.BaseType != typeof(AsymmetricAlgorithm))
            {
                expectedType = expectedType.BaseType;
            }
 
            if (expectedType == null)
                return false;   // SignatureDescription specified something that isn't even a subclass of AsymmetricAlgorithm. For compatibility with 4.6, return false rather throw.
 
            if (actualType.IsSubclassOf(expectedType))
                return true;
 
            return false;
        }
    }
}