I'm using XMLDSIG to sign a configuration file. I'd like my CA to be able to issue keys that can be used to sign XML. I'd then like to verify that the XML was signed with a key issued by my CA.
How do I get the signing certificate out of the SignedXml
object? How do I follow the certificate chain back to a specific CA?
Note that the public key for my CA will be stored in my executable, rather than the certificate store.
To attach arbitrary certificates to an XML-DSIG file, add an <X509Data>
element. To do this in .NET, use:
signedXml.KeyInfo.AddClause(
new KeyInfoX509Data(certificate, X509IncludeOption.WholeChain));
To extract the certificates from the XML file, use:
var certificates = signedXml.KeyInfo.OfType<KeyInfoX509Data>().Single();
You can then verify the chain by using the following:
var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(
certificates.Cast<X509Certificate2>().ToArray());
var chainIsOk = chain.Build(signingCertificate);
To figure out which certificate was actually used for signing (and hence the value of signingCertificate
), you need to find the included certificate that matches the key returned from CheckSignatureReturningKey
.