156: SignedXml and EncryptedXml Breaking Changes
Scope
Minor
Version Introduced
4.6.2
Source Analyzer Status
Planned
Change Description
In .NET Framework 4.6.2, security fixes in SignedXml and EncryptedXml lead to different run-time behaviors. For example:
- If a document has multiple elements with the same id attribute and a signature targets one of those elements as the root of the signature, the document will now be considered invalid.
- Documents using non-canonical XPath transform algorithms in references are now considered invalid.
- Documents using non-canonical XSLT transform algorithms in references are now considered invalid.
- Any program making use of external resource detached signatures will be unable to do so.
- Quirked
- Build-time break
Recommended Action
Developers might want to review the usage of System.Security.Cryptography.Xml.XmlDsigXsltTransform and System.Security.Cryptography.Xml.XmlDsigXPathTransform, as well as types derived from System.Security.Cryptography.Xml.Transform, since a document receiver may not be able to process it.
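One way to carry out this review on documents you produce or receive, as an added example that is not part of the original page: the hypothetical `SignedXmlPreflight.Check` helper walks each `ds:Reference` and reports the conditions listed under Change Description. It assumes id attributes are named `Id`, `id` or `ID`, and it flags every XPath or XSLT transform for review because the page does not define which forms count as non-canonical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.Xml; // needs a reference to System.Security.dll
using System.Xml;

static class SignedXmlPreflight // hypothetical helper, not a framework type
{
    // Assumption: attribute names treated as element ids.
    static readonly string[] IdNames = { "Id", "id", "ID" };

    // Returns one finding per condition that the 4.6.2 behavior may reject.
    public static List<string> Check(XmlDocument doc)
    {
        var findings = new List<string>();
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        foreach (XmlElement r in doc.SelectNodes("//ds:SignedInfo/ds:Reference", ns))
        {
            string uri = r.GetAttribute("URI"); // "" when the attribute is absent
            foreach (XmlElement t in r.SelectNodes("ds:Transforms/ds:Transform", ns))
            {
                string alg = t.GetAttribute("Algorithm");
                if (alg == SignedXml.XmlDsigXPathTransformUrl || alg == SignedXml.XmlDsigXsltTransformUrl)
                    findings.Add($"Reference '{uri}': review transform {alg}");
            }
            if (uri.StartsWith("#", StringComparison.Ordinal))
            {
                // Same-document reference: the target id must be unique.
                string id = uri.Substring(1);
                int n = doc.SelectNodes("//*").Cast<XmlElement>()
                    .Count(e => IdNames.Any(a => e.GetAttribute(a) == id));
                if (n > 1) findings.Add($"Reference '{uri}': {n} elements share this id");
            }
            else if (uri.Length > 0) // non-empty URI that is not a fragment
                findings.Add($"Reference '{uri}': external resource reference");
        }
        return findings;
    }

    static void Main()
    {
        // Constructed sample: duplicate Id, an XPath transform, an external reference.
        var doc = new XmlDocument();
        doc.LoadXml(@"<root><item Id='a'/><item Id='a'/>
          <ds:Signature xmlns:ds='http://www.w3.org/2000/09/xmldsig#'><ds:SignedInfo>
            <ds:Reference URI='#a'><ds:Transforms>
              <ds:Transform Algorithm='http://www.w3.org/TR/1999/REC-xpath-19991116'/>
            </ds:Transforms></ds:Reference>
            <ds:Reference URI='http://example.test/external.xml'/>
          </ds:SignedInfo></ds:Signature></root>");
        foreach (string f in Check(doc)) Console.WriteLine(f);
    }
}
```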
Affected APIs
T:System.Security.Cryptography.Xml.Transform
T:System.Security.Cryptography.Xml.XmlDsigXPathTransform
T:System.Security.Cryptography.Xml.XmlDsigXsltTransform
Category
Security