Bug 4938

Summary: SignedXml reporting Malformed reference object where referenced attribute name is lowercase id, rather than Id
Product: [Mono] Class Libraries Reporter: Andrew Patterson <andrewpatto>
Component: System.SecurityAssignee: Bugzilla <bugzilla>
Severity: normal CC: miguel, mono-bugs+mono
Priority: ---    
Version: master   
Target Milestone: Untriaged   
Hardware: Macintosh   
OS: Mac OS   
Tags: Is this bug a regression?: ---
Last known good build:

Description Andrew Patterson 2012-05-07 23:56:36 UTC
When signing an XML document there is a concept of the
Reference that indicates where and how to sign a portion
of the XML document.
The Reference object contains a URI which is often
something like


to indicate that in the following xml

  <signthis id="aaabbbccc">

we would like to sign the 'signthis' nodes

It is not clear from various XML sources how URI
fragments are meant to be treated when the underlying
DTD/schema of 'mydocument' is not available. In
this case, the current SignedXml implementation
defaults to looking for an attribute named 'Id'.

From GetIdElement() in mono / mcs / class / System.Security / System.Security.Cryptography.Xml / SignedXml.cs

// this works only if there's a DTD or XSD available to define the ID
XmlElement xel = document.GetElementById (idValue);
if (xel == null) {
  // search an "undefined" ID
  xel = (XmlElement) document.SelectSingleNode ("//*[@Id='" + idValue + "']");

However, in porting working code over from .NET we have a
situation where our document to be signed uses a lowercase
'id' attribute (as in the id attribute name is lowercase,
 not its content).

So I believe the fix is to add an additional search
for the lowercase id attribute where xel is still null..

if (xel == null)
  xel = (XmlElement) document.SelectSingleNode ("//*[@id='" + idValue + "']");

The current Mono behaviour is definitely different from the
current .NET implementation which will find the lowercase id
element in these situations where the DTD/XSD is missing.
Comment 1 Miguel de Icaza [MSFT] 2015-09-23 14:42:59 UTC