堆栈内存溢出
  简体   繁体   English

我可以在不需要安装根证书的情况下验证 .NET 中的 XMLDSIG 签名吗?

[英]Can I verify an XMLDSIG signature in .NET without requiring the root certificate be installed?

 原文  2012-04-10 15:13:58       c#/ x509certificate/ xml-dsig

问题描述

I'd like to use XMLDSIG for verifying that a.config file has not been tampered with.我想使用 XMLDSIG 来验证 a.config 文件是否未被篡改。 I also want to be able to verify the signature chain so that I can trust the signature.我还希望能够验证签名链,以便我可以信任签名。

I've got three certificates in the chain:我在链中获得了三个证书:

Root CA -> Intermediate Signing CA -> Signing Key

I check that the file is signed with a key that is issued by the intermediate CA.我检查该文件是否使用中间 CA 颁发的密钥签名。

I'd like to do this without installing any certificates in the user's Windows certificate store.我想在不在用户的 Windows 证书存储中安装任何证书的情况下执行此操作。 These are self-signed certificates, so not every user is going to want me installing them in their Root store.这些是自签名证书,因此并非每个用户都希望我将它们安装在他们的根存储中。 I don't have a problem with installing them in my root store.我的根存储中安装它们没有问题。

I have the original.CER files -- they're included in the Signature block, and I can include them with the verification code.我有原始的 CER 文件——它们包含在签名块中,我可以将它们与验证码一起包含在内。 I can build a certificate chain from this by using X509ChainPolicy.ExtraStore .我可以使用X509ChainPolicy.ExtraStore从中构建证书链。

If the certificates are not installed in the root store, and I verify the chain, then X509Chain.Build returns false , and the chain has a X509ChainStatusFlags.UntrustedRoot in it.如果证书未安装在根存储中,并且我验证了链,则X509Chain.Build返回false ,并且链中有一个X509ChainStatusFlags.UntrustedRoot

Can I add trusted certificates just for the duration of this operation?是否可以仅在此操作期间添加受信任的证书?

1 个解决方案

解决方案1
 0 已采纳  2012-04-10 15:20:22

Assuming you have physical copies of the public keys of ALL signing certs in the trust chain, then this is possible by using the OpenSSL command line tool.假设您拥有信任链中所有签名证书的公钥的物理副本,那么这可以通过使用 OpenSSL 命令行工具来实现。

http://www.madboa.com/geek/openssl/#verify-standard http://www.madboa.com/geek/openssl/#verify-standard

It's a bit of a steep learning curve at first, but a very powerful utility.起初它的学习曲线有点陡峭,但却是一个非常强大的实用程序。

If you don't have the signing certs, then you cannot verify anything.如果您没有签名证书,则无法验证任何内容。 That would be the same as trying to verify a human signature without having seen the original.这与在没有看到原件的情况下试图验证人类签名是一样的。 You have nothing to compare to, so how could you verify the authenticity?你没有可比性,怎么验证真伪?

Update更新

There's something here perhaps that could help you:也许这里有一些东西可以帮助你:

http://social.msdn.microsoft.com/Forums/eu/clr/thread/1966a6e8-b6f4-44d1-9102-ec3a26426789 http://social.msdn.microsoft.com/Forums/eu/clr/thread/1966a6e8-b6f4-44d1-9102-ec3a26426789

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 C#XmlDsig。 在根元素内设置签名元素 - c# XmlDsig. Set signature elements inside root element 是否可以在不使用证书的情况下进行数字签名和验证签名? - Is it possible to digitally sign and verify the signature without using a certificate? 无法在JAVA中验证签名,但在.NET中成功 - Can't verify signature in JAVA but success in .NET 验证.NET中的电子签名 - Verify electronic signature in .NET .net 5 项目需要安装 .net core 3.1 - .net 5 project requiring .net core 3.1 to be installed X509证书和XmlDsig - X509Certificate and XmlDsig 如何在 .NET 中验证 HTTPS/SSL 证书的有效性? - How can you verify validity of an HTTPS/SSL certificate in .NET? 如何使用BouncyCastle验证开放PGP的签名 - How can I verify signature for open PGP using BouncyCastle 我可以在ASP.NET中使用X509Certificate2而不使用证书存储吗? - Can I use an X509Certificate2 within ASP.NET without using a certificate store? 如何在回复Outlook MailItem时验证存在签名? - How can i verify existence signature in replying Outlook MailItem?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM