在C#中,使用x.509证书签署xml并检查签名
[英]In C#, sign an xml with a x.509 certificate and check the signature
问题描述
I'm trying to sign an XML file using a x.509 certificate, I can use the private key to sign the document and then use the CheckSignature method (it has an overload that receives a certificate as parameter) to verify the signature. 
我正在尝试使用x.509证书签署XML文件,我可以使用私钥对文档进行签名,然后使用CheckSignature方法(它具有接收证书作为参数的重载)来验证签名。
The problem is that the user who validates the signature must have the certificate, my concern is, if the user has the certificate then he has access to the private key, and as I understand, this is private and should be available only to the user who signs. 问题是验证签名的用户必须拥有证书,我担心的是,如果用户拥有证书,那么他可以访问私钥,据我所知,这是私有的,应该只对用户可用谁签字。
What am I missing? 我错过了什么?
Thanks for your help. 谢谢你的帮助。
3 个解决方案
解决方案1
19 2009-07-29 07:13:25
In .NET, If you get your X509 cert from a .pfx file, like this: 在.NET中,如果从.pfx文件获得X509证书,如下所示:
X509Certificate2 certificate = new X509Certificate2(certFile, pfxPassword);
RSACryptoServiceProvider rsaCsp = (RSACryptoServiceProvider) certificate.PrivateKey;
Then you can export the public key portion like so: 然后你可以像这样导出公钥部分:
rsaCsp.ToXmlString(false);
The "false" part says, only export the public piece, don't export the private piece. “虚假”部分说,只出口公共件,不出口私人件。 (doc for RSA.ToXmlString ) (doc for RSA.ToXmlString )
And then in the verifying application, use 然后在验证应用程序中,使用
RSACryptoServiceProvider csp = new RSACryptoServiceProvider();
csp.FromXmlString(PublicKeyXml);
bool isValid = VerifyXml(xmlDoc, rsa2);
And the VerifyXml calls CheckSignature() . 并且VerifyXml调用CheckSignature() 。 It looks something like this: 它看起来像这样:
private Boolean VerifyXml(XmlDocument Doc, RSA Key)
{
// Create a new SignedXml object and pass it
// the XML document class.
var signedXml = new System.Security.Cryptography.Xml.SignedXml(Doc);
// Find the "Signature" node and create a new XmlNodeList object.
XmlNodeList nodeList = Doc.GetElementsByTagName("Signature");
// Throw an exception if no signature was found.
if (nodeList.Count <= 0)
{
throw new CryptographicException("Verification failed: No Signature was found in the document.");
}
// Though it is possible to have multiple signatures on
// an XML document, this app only supports one signature for
// the entire XML document. Throw an exception
// if more than one signature was found.
if (nodeList.Count >= 2)
{
throw new CryptographicException("Verification failed: More that one signature was found for the document.");
}
// Load the first <signature> node.
signedXml.LoadXml((XmlElement)nodeList[0]);
// Check the signature and return the result.
return signedXml.CheckSignature(Key);
}
解决方案2
5 2009-07-28 18:19:43
Any certificate has a public and a private part. 任何证书都有公共部分和私有部分。 You only send around the public part. 你只发送公共部分。 Just open any SSL enabled website in your browser, click on the padlock symbol and have a look at their certificate. 只需在浏览器中打开任何启用SSL的网站,单击挂锁符号即可查看其证书。
解决方案3
0 2015-09-29 09:20:14
First off all you need to be sure that the certificate .pfx or .cer that you are using is intended for signing purpose. 首先,您需要确保您使用的证书.pfx或.cer是用于签名的。
You can check same in General Tab of a certificate *.Proves your identity to a remote computer *.Protects e-mail messages *.Allows data to be signed with the current time *.Allows data on disk to be encrypted *.2.16.356.100.2 **Document Signing**
A Complete console application to digitally sign/verify XmlDocument in C# is written here . 此处编写了一个完整的控制台应用程序,用于在C#中对XmlDocument进行数字签名/验证。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.