/// <summary>
/// Digests the references and the SignedInfo element, produces the signature value with
/// <paramref name="formatter"/>, and stores it on <c>this.Signature</c>.
/// </summary>
/// <param name="hash">Hash algorithm used to digest SignedInfo; its <c>Hash</c> property is read after ComputeHash has run.</param>
/// <param name="formatter">Asymmetric signature formatter that turns the digest into signature bytes.</param>
/// <param name="signatureMethod">Signature method URI; compared ordinally against RSA-SHA256 to pick the FIPS path.</param>
void ComputeSignature(HashAlgorithm hash, AsymmetricSignatureFormatter formatter, string signatureMethod)
{
    this.Signature.SignedInfo.ComputeReferenceDigests();
    this.Signature.SignedInfo.ComputeHash(hash);

    bool fipsRsaSha256 = SecurityUtils.RequiresFipsCompliance
        && string.Equals(signatureMethod, SecurityAlgorithms.RsaSha256Signature, StringComparison.Ordinal);

    byte[] signatureValue;
    if (fipsRsaSha256)
    {
        // Under FIPS enforcement, letting RSAPKCS1SignatureFormatter hash for itself would route
        // through SHA256Managed (not FIPS-compliant). Name the OID explicitly and hand over the
        // digest that ComputeHash already produced with the FIPS-compliant provider instead.
        // The formatter does not recognise SHA256CSP on its own, hence the explicit "SHA256".
        formatter.SetHashAlgorithm("SHA256");
        signatureValue = formatter.CreateSignature(hash.Hash);
    }
    else
    {
        // Crypto-agile path: the formatter derives the digest algorithm from the object itself.
        signatureValue = formatter.CreateSignature(hash);
    }

    this.Signature.SetSignatureValue(signatureValue);
}
/// <summary>
/// Creates an RSA signature over a SHA-256 digest, taking the FIPS-compliance switch into account.
/// </summary>
/// <param name="formatter">The asymmetric signature formatter.</param>
/// <param name="hash">The hash algorithm; when FIPS is required its already computed <c>Hash</c> value is signed directly.</param>
/// <returns>Byte array holding the signature.</returns>
internal static byte[] CreateSignatureForSha256(AsymmetricSignatureFormatter formatter, HashAlgorithm hash)
{
    if (!SecurityUtils.RequiresFipsCompliance)
    {
        // Handing the formatter the algorithm object keeps this path crypto-agile.
        return formatter.CreateSignature(hash);
    }

    // FIPS is on: the formatter cannot resolve the SHA256 OID from the FIPS-compliant
    // algorithm object, so name the algorithm explicitly and pass the precomputed digest.
    formatter.SetHashAlgorithm("SHA256");
    return formatter.CreateSignature(hash.Hash);
}
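/// <summary>
/// Digests the references and the SignedInfo element, produces the signature value with
/// <paramref name="formatter"/>, and stores it on <c>this.Signature</c>.
/// </summary>
/// <param name="hash">Hash algorithm used to digest SignedInfo; its <c>Hash</c> property is read after ComputeHash has run.</param>
/// <param name="formatter">Asymmetric signature formatter that turns the digest into signature bytes.</param>
/// <param name="signatureMethod">Signature method URI of the SignedInfo element.</param>
private void ComputeSignature(HashAlgorithm hash, AsymmetricSignatureFormatter formatter, string signatureMethod)
{
    // XML-DSig URI for RSA with SHA-256 (RFC 4051); the only method that takes the FIPS path below.
    // Named here so the comparison is not against an anonymous literal.
    const string RsaSha256SignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    this.Signature.SignedInfo.ComputeReferenceDigests();
    this.Signature.SignedInfo.ComputeHash(hash);

    byte[] buffer;
    if (System.IdentityModel.SecurityUtils.RequiresFipsCompliance
        && string.Equals(signatureMethod, RsaSha256SignatureMethod, StringComparison.Ordinal))
    {
        // With FIPS enforced the formatter must not hash for itself (that would use a
        // non-FIPS managed SHA-256); name the OID and sign the digest ComputeHash already produced.
        formatter.SetHashAlgorithm("SHA256");
        buffer = formatter.CreateSignature(hash.Hash);
    }
    else
    {
        // Crypto-agile path: the formatter derives the digest algorithm from the object itself.
        buffer = formatter.CreateSignature(hash);
    }

    this.Signature.SetSignatureValue(buffer);
}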