I’m digitally signing a XML document and verifying it on 2 different machines (Sign it at one machine and verifying on another).
I’m doing the following to verify the XML DSIG in CSharp.Net.
public static Boolean VerifyXml(XmlDocument document)
{
document.PreserveWhitespace = true;
// Create a new CspParameters object to specify
// a key container.
CspParameters cspParams = new CspParameters();
cspParams.KeyContainerName = "XML_DSIG_RSA_KEY";
// Create a new RSA signing key and save it in the container.
//**Earlier was getting exception here in rsaKey object**
RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(cspParams);
// Create a new SignedXml object and pass it
// the XML document class.
SignedXml signedXml = new SignedXml(document);
// Find the "Signature" node and create a new
// XmlNodeList object.
// It's guaranteed that there's always exists a signature
XmlNodeList nodeList = document.GetElementsByTagName("Signature");
// Load the <signature> node.
signedXml.LoadXml((XmlElement)nodeList[0]);
// Check the signature and return the result.
bool isDone = signedXml.CheckSignature(rsaKey); //**This is returning false.**
return isDone;
}
Initially I was getting PermissionDenied exception when my web application tries to access the Key Container. However I’ve temporarily add the application user and IIS user to Administrator role and assigned FullTrust security policy to my web application using CasPol.
Q1: [My first question is What is the best way to over come this]?? I know assigning web application fulltrust and adding the user to administrator role is not a bright idea, even though it works
My second question is regarding the signedXml.CheckSignature(rsaKey); returning false. Now as per my understanding, since the XML document is digitally signed on a different machine the MAC used to signed it is stored on that machines KEY Container Name “XML_DSIG_RSA_KEY”, but when I tried to verify the signature on host machine a different MAC is generated and stored in container name “XML_DSIG_RSA_KEY” on host machine, hence the digital signature didn’t got verified.
Q2: Is this assumption correct?? and what is the best way to cope with this… Should I use a certificate to digitally signed the XML document and then verify it, in that case. should I need to accompany the certificate with the DSIG XML document.???
To answer your second question first: You want to verify the XML with the public part of the RSA key-pair that was used to sign it. So you need to either already possess (and trust) the public key on the verifying machine or to send the certificate containing the public key with the XML (it can be stored inside the XML-signature structure) and then verify that the certificate has been issued by a trusted Certificate Authority.
To implement the first case, you can call
ToXmlString(false)on the key on the sending side, store the result in a file and keep this file on the receiving side. Then on the receiving end, read the file and call:The second case can be done by obtaining a certificate, and adding it to the signature on the signing side like this:
If the certificate is trusted, you can then verify the signature on the receiving side by just calling:
To answer your first question: once you are no longer trying to access the private key store (which you were doing by calling the RSACryptoServiceProvider-constructor like you did), you should be able to run without full trust.