Applies To: .NET Framework 4.6.1, .NET Framework 4.6.2, .NET Framework 3.5.1

Summary

After you install any of the 3141780 security updates (described in Microsoft security bulletin MS16-035), .NET Framework applications may throw exceptions or fail unexpectedly when they process files that contain XML digital signatures handled by the SignedXml class.

More Information

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

Scenario 1

Scenario 1 symptoms

Managed applications throw an exception that has the following signature:

System.Security.Cryptography.CryptographicException: Unable to resolve Uri [FileOrUrl].

Example: System.Security.Cryptography.CryptographicException: Unable to resolve Uri testfile.xml.

Scenario 1 resolution

Customers can apply the following registry entry to their system:

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security@SignedXmlAllowDetachedSignature=1

That is, under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security, create a value named SignedXmlAllowDetachedSignature with the data 1.

.Reg file available for download

To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.

  • SignedXml-ExternalReferences.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)

  • SignedXml-ExternalReferences.Wow6432.reg (32-bit process on 64-bit system)

Notes

  • This registry entry should be a DWORD entry.

  • This registry entry restores the previous behavior: to compute the digest of a Reference, SignedXml opens or downloads a resource that is external to the document being verified.

Warning: Enabling this registry entry could expose the application to security vulnerabilities, including denial of service, distributed reflection denial of service, information disclosure, signature bypass, and remote code execution.

Scenario 2

Scenario 2 symptoms

Signature verification fails when success was expected.

Scenario 2 resolution

If the signed content contains a Reference that uses the XPath transform, as in the following signature block, consider applying the provided registry entry:

Signature block example

<Document>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="...">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>…</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>…</SignatureValue>
  </Signature>
  …
</Document>

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods@XmlDsigXPathTransform=http://www.w3.org/TR/1999/REC-xpath-19991116

.Reg file available for download

To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.

  • XmlDSigXPathTransform.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)

  • XmlDSigXPathTransform.Wow6432.reg (32-bit process on 64-bit system)

If the signed content contains a Reference that uses the XSLT transform, as in the following signature block, consider applying the provided registry entry:

Signature block example

<Document>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <Reference URI="...">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <DigestValue>…</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>…</SignatureValue>
  </Signature>
  …
</Document>

Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\SafeTransformMethods@XmlDsigXsltTransform=http://www.w3.org/TR/1999/REC-xslt-19991116

.Reg file available for download

To resolve this problem, click the appropriate link, and then double-click the downloaded file to make the registry changes.

  • XmlDSigXsltTransform.reg (32-bit process on 32-bit system and 64-bit process on 64-bit system)

  • XmlDSigXsltTransform.Wow6432.reg (32-bit process on 64-bit system)

Note: By default, only those XML Signature Transforms that are provided by the .NET Framework and do not accept input from the signed document are enabled. To enable input-accepting transforms or custom transforms, the registered URI for that transform must be specified as the data of a REG_SZ-typed value within the SafeTransformMethods registry key. The name of the value is not processed, and it can be anything that the computer administrator chooses.

Warning: The XPath and XSLT transforms allow the document sender to construct documents that are computationally expensive. This could cause a denial of service situation.
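The registry entries above re-enable the blocked behavior for every .NET process on the machine. An application that only occasionally receives such documents can instead inspect SignedInfo before calling CheckSignature and reject, up front, any Reference that the update blocks: a detached (external) URI from Scenario 1, or an XPath/XSLT transform from Scenario 2. The following C# program is an added example written for this article; it is not Microsoft's code and not part of the KB. The class and method names (SignatureInspector, Inspect, IsExternalReference) are made up for the illustration, the sample document is constructed with placeholder digest and signature values, and the code assumes .NET Framework 4.6.x with a reference to System.Security.dll.

```csharp
// Added example, not part of the KB article: pre-flight inspection of an XMLDSIG
// <Signature> before SignedXml.CheckSignature(), so the application can reject
// documents that update 3141780 blocks instead of re-enabling the behavior
// machine-wide through the registry. Assumes a reference to System.Security.dll.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SignatureInspector
{
    // Transforms that accept input from the signed document. Blocked by default
    // after the update unless listed under SafeTransformMethods (Scenario 2).
    private static readonly HashSet<string> InputAcceptingTransforms =
        new HashSet<string>(StringComparer.Ordinal)
        {
            SignedXml.XmlDsigXPathTransformUrl, // http://www.w3.org/TR/1999/REC-xpath-19991116
            SignedXml.XmlDsigXsltTransformUrl   // http://www.w3.org/TR/1999/REC-xslt-19991116
        };

    // A same-document reference is "" (the whole document) or "#fragment".
    // Anything else is a detached reference that SignedXml must fetch from
    // outside the document, which is what "Unable to resolve Uri" reports (Scenario 1).
    // A Reference with no URI attribute is treated like URI="" here (simplification).
    public static bool IsExternalReference(string uri)
    {
        return !string.IsNullOrEmpty(uri) && !uri.StartsWith("#", StringComparison.Ordinal);
    }

    // Walks every ds:Reference under ds:SignedInfo with plain XPath so nothing is
    // resolved or transformed; returns one finding per blocked construct.
    public static List<string> Inspect(XmlDocument doc)
    {
        var findings = new List<string>();
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);

        foreach (XmlElement reference in doc.SelectNodes("//ds:Signature/ds:SignedInfo/ds:Reference", ns))
        {
            string uri = reference.GetAttribute("URI");
            if (IsExternalReference(uri))
                findings.Add("Scenario 1: detached reference to '" + uri +
                             "' (fails unless SignedXmlAllowDetachedSignature=1)");

            foreach (XmlElement transform in reference.SelectNodes("ds:Transforms/ds:Transform", ns))
            {
                string algorithm = transform.GetAttribute("Algorithm");
                if (InputAcceptingTransforms.Contains(algorithm))
                    findings.Add("Scenario 2: input-accepting transform " + algorithm +
                                 " (blocked unless listed under SafeTransformMethods)");
            }
        }
        return findings;
    }

    // Constructed sample, not a real signed document: DigestValue and SignatureValue
    // are placeholders, which is fine because Inspect() never verifies them.
    // The first Reference trips both scenarios; the second is an ordinary enveloped signature.
    private const string SampleDocument = @"<Document>
  <Data>payload</Data>
  <Signature xmlns=""http://www.w3.org/2000/09/xmldsig#"">
    <SignedInfo>
      <CanonicalizationMethod Algorithm=""http://www.w3.org/TR/2001/REC-xml-c14n-20010315"" />
      <SignatureMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#rsa-sha1"" />
      <Reference URI=""testfile.xml"">
        <Transforms>
          <Transform Algorithm=""http://www.w3.org/TR/1999/REC-xpath-19991116""><XPath>not(self::comment())</XPath></Transform>
        </Transforms>
        <DigestMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#sha1"" />
        <DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</DigestValue>
      </Reference>
      <Reference URI="""">
        <Transforms>
          <Transform Algorithm=""http://www.w3.org/2000/09/xmldsig#enveloped-signature"" />
        </Transforms>
        <DigestMethod Algorithm=""http://www.w3.org/2000/09/xmldsig#sha1"" />
        <DigestValue>AAAAAAAAAAAAAAAAAAAAAAAAAAA=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>AAAA</SignatureValue>
  </Signature>
</Document>";

    public static void Main()
    {
        // PreserveWhitespace matters for real signed XML: canonicalization must see
        // the bytes that were signed.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(SampleDocument);

        List<string> findings = Inspect(doc);
        if (findings.Count > 0)
        {
            // Reject before verification: the document would fail under the patched
            // framework anyway, and the registry workarounds widen the attack surface.
            foreach (string finding in findings)
                Console.WriteLine("REJECT: " + finding);
            return;
        }

        // Only clean documents reach SignedXml. In production, pass the signer's
        // expected public key (obtained out of band) to CheckSignature instead of
        // trusting any KeyInfo embedded in the document.
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0]);
        Console.WriteLine(signedXml.CheckSignature() ? "signature valid" : "signature invalid");
    }
}
```

Running the program against the constructed sample prints two REJECT lines for the first Reference (the detached URI testfile.xml and the XPath transform) and never reaches CheckSignature; a document whose References are all same-document and use only framework-provided, non-input-accepting transforms passes Inspect() and is verified normally, with neither registry entry present.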
