A colleague is currently extending an existing .NET 1.1 application, and is adding functionality to handle SAML tokens provided by an identity provider web site. He came across the problem of handling exclusive XML canonicalisation in the older version of the framework. Microsoft supports the use of pluggable ‘transform’ classes to handle XML digital signature transforms (as specified using the `<Transform>` element in the XML Digital Signature standard). The trouble is that version 1.1 of the framework does not contain a transform class for exclusive XML canonicalisation. Every time he tried to validate the digital signature in the token he got an error message saying:


    “Could not create the XML transformation identified by the URI http://www.w3.org/2001/10/xml-exc-c14n#.”


Version 2.0 of the framework has a suitable transform class called XmlDsigExcC14NTransform in the System.Security.Cryptography.Xml namespace (System.Security assembly).   However, this is no use to my colleague, as the code he is working on is written for 1.1.   It turns out that WSE 2.0 has a suitable class of the same name, but different namespace (Microsoft.Web.Services2.Security.Xml).   This is in the Microsoft.Web.Services2 assembly.


In order to handle exclusive XML canonicalisation in Framework 1.1, install WSE 2.0 SP3.   You must also register the transform class in your machine.config file.   Here is the XML you need to add to machine.config:
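
An added example of this registration, not the original post's XML: it follows the documented `<cryptoNameMapping>` schema for machine.config. The friendly names `ExcC14N` and `ExcC14NWithComments` are hypothetical, and `INSTALLED_VERSION` and `INSTALLED_PUBLIC_KEY_TOKEN` are placeholders for the values of the Microsoft.Web.Services2 assembly installed by WSE 2.0 SP3.

```xml
<!-- Added example: place inside <configuration> in the .NET 1.1 machine.config.
     If an <mscorlib>/<cryptographySettings> section already exists, merge into it. -->
<mscorlib>
  <cryptographySettings>
    <cryptoNameMapping>
      <cryptoClasses>
        <!-- Placeholders: replace INSTALLED_VERSION and INSTALLED_PUBLIC_KEY_TOKEN
             with the values reported by: gacutil /l Microsoft.Web.Services2
             The attribute names (ExcC14N, ExcC14NWithComments) are hypothetical
             friendly names; they only need to match the class="" values below. -->
        <cryptoClass ExcC14N="Microsoft.Web.Services2.Security.Xml.XmlDsigExcC14NTransform, Microsoft.Web.Services2, Version=INSTALLED_VERSION, Culture=neutral, PublicKeyToken=INSTALLED_PUBLIC_KEY_TOKEN" />
        <cryptoClass ExcC14NWithComments="Microsoft.Web.Services2.Security.Xml.XmlDsigExcC14NWithCommentsTransform, Microsoft.Web.Services2, Version=INSTALLED_VERSION, Culture=neutral, PublicKeyToken=INSTALLED_PUBLIC_KEY_TOKEN" />
      </cryptoClasses>
      <!-- Map each algorithm URI to the transform class that implements it. -->
      <nameEntry name="http://www.w3.org/2001/10/xml-exc-c14n#" class="ExcC14N" />
      <nameEntry name="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" class="ExcC14NWithComments" />
    </cryptoNameMapping>
  </cryptographySettings>
</mscorlib>
```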



Don’t forget to reboot your machine after changing machine.config.


This actually configures two transform classes. XmlDsigExcC14NWithCommentsTransform has the same functionality as XmlDsigExcC14NTransform, but will handle the serialisation of XML comments. The ‘name’ attributes of the elements specify the URIs that can be used in the of the digital signature. Now, when you call CheckSignature() on an instance of SignedXml, the code should be able to handle the transform.