System.Security.Cryptography.Xml.Utils.GetAnyPublicKey returns only RSA or null?

[alexaka1]

This is the line in question:

runtime/src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/Utils.cs

Line 753 in 7e43f8c

return (AsymmetricAlgorithm)certificate.GetRSAPublicKey();

But what about DSA or ECDsa keys? Shouldn't it check for them when GetRSAPublicKey() returns null?
How about return (AsymmetricAlgorithm) (certificate.GetRSAPublicKey() ?? certificate.GetDSAPublicKey() ?? certificate.GetECDsaPublicKey()); ?

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

---

This is the line in question:

runtime/src/libraries/System.Security.Cryptography.Xml/src/System/Security/Cryptography/Xml/Utils.cs

Line 753 in 7e43f8c

return (AsymmetricAlgorithm)certificate.GetRSAPublicKey();

But what about DSA or ECDsa keys? Shouldn't it check for them when GetRSAPublicKey() returns null?
How about return (AsymmetricAlgorithm) (certificate.GetRSAPublicKey() ?? certificate.GetDSAPublicKey() ?? certificate.GetECDsaPublicKey()); ?

Author:	alexaka1
Assignees:	-
Labels:	area-System.Security, untriaged
Milestone:	-

[bartonjs]

Do you have a specifically impacted scenario, or is this just a code inspection question?

My recollection is that SignedXml doesn't support ECDSA, so having GetECDsaPublicKey in there doesn't make sense. And GetDSAPublicKey isn't part of .NET Standard 2.0, so we can't call it without splitting the library. Given that there's not a lot usage of DSA we thought it wasn't worth splitting for it.

[alexaka1]

@bartonjs I am trying to validate XAdES signatures in XML files. I already use SignedXML for signing such documents with ECDSA keys. The SigningKey property has no trouble accepting an ECDsa object, since it's just an AsymmetricAlgorithm. The only thing I had to do is register a System.Security.Cryptography.SignatureDescription.
Also I just need to put eg.: http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512 into the SignedInfo.SignatureMethod and it works like a charm.

The problem comes when I try to check the signature of an XML signed with something else than an RSA key. I make a new SignedXml, load the signature, and it fails (CheckSignature() returns false) because the key returned is null. (I debugged it with Rider and the above referenced code was where it starts to fail, because it returns null.) My use case doesn't need DSA keys, but my country will start to require ECC based keys for digital signatures starting with Q3 2021, and we're going ahead implementing it sooner rather than later.

What would you suggest I try to do? I could just rip the entire source code of the classes required to reach that particular line, and re-implement them with the needed changes in our app, but I'd rather avoid re-inventing the wheel.

ps.: To be honest I didn't research what platforms support what functions of the Cryptography library, my use case is Windows x64, though I believe we compile into portable runtime.

[bartonjs]

It looks like:

• NET Framework's version does try all three
• GetECDsaPublicKey is part of .NET Standard 2.0, so no problems adding that one
• We recently split the compilation of this assembly as part of unifying how we build our NuGet packages, so we can add the DSA call in the .NET (nee Core) specific line.

So adding those calls is a reasonable compat thing to do.

[vcsjones]

@bartonjs I can pick this one up for 6.0.