Verify XMLDSIG chain in .NET?

心已入冬 提交于 2019-12-01 10:37:59
Roger Lipscombe

To attach arbitrary certificates to an XML-DSIG file, add an <X509Data> element. To do this in .NET, use:

signedXml.KeyInfo.AddClause(
    new KeyInfoX509Data(certificate, X509IncludeOption.WholeChain));

To extract the certificates from the XML file, use:

var certificates = signedXml.KeyInfo.OfType<KeyInfoX509Data>().Single();

You can then verify the chain by using the following:

var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(
    certificates.Cast<X509Certificate2>().ToArray());
var chainIsOk = chain.Build(signingCertificate);

To figure out which certificate was actually used for signing (and hence the value of signingCertificate), you need to find the included certificate that matches the key returned from CheckSignatureReturningKey.

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!