验证XMLDSIG链.NET？ [英] Verify XMLDSIG chain in .NET?

问题描述

我使用的是XMLDSIG来签署配置文件。我想我的CA以能够发出可用于签署的XML密钥。那么我想验证XML与我的CA颁发的密钥进行签名。

I'm using XMLDSIG to sign a configuration file. I'd like my CA to be able to issue keys that can be used to sign XML. I'd then like to verify that the XML was signed with a key issued by my CA.

我如何得到签名证书了 SignedXml 的对象？我如何按照证书链返回到一个特定的CA？

How do I get the signing certificate out of the SignedXml object? How do I follow the certificate chain back to a specific CA?

注意，公共密钥为我的CA将存储在我的可执行文件，而不是证书存储

Note that the public key for my CA will be stored in my executable, rather than the certificate store.

推荐答案

要附加任意证书到XML-DSIG文件，添加的 ＆LT;的X509Data＆GT; 元素。为此，在.NET中，使用方法：

To attach arbitrary certificates to an XML-DSIG file, add an <X509Data> element. To do this in .NET, use:

signedXml.KeyInfo.AddClause(
    new KeyInfoX509Data(certificate, X509IncludeOption.WholeChain));

要提取XML文件中的证书，用途：

To extract the certificates from the XML file, use:

var certificates = signedXml.KeyInfo.OfType<KeyInfoX509Data>().Single();

然后，您可以通过下面的验证链：

You can then verify the chain by using the following:

var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(
    certificates.Cast<X509Certificate2>().ToArray());
var chainIsOk = chain.Build(signingCertificate);

要找出哪些证书实际上是用于签名（因此对 signingCertificate 的值），你需要找到包含证书的matches从 CheckSignatureReturningKey 键回来了。

To figure out which certificate was actually used for signing (and hence the value of signingCertificate), you need to find the included certificate that matches the key returned from CheckSignatureReturningKey.

这篇关于验证XMLDSIG链.NET？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！