在 C# 中,使用 x.509 证书签署 xml 并检查签名

发布于 2024-07-29 14:07:17 字数 207 浏览 14 评论 0原文

我正在尝试使用 x.509 证书对 XML 文件进行签名,我可以使用私钥对文档进行签名,然后使用 CheckSignature 方法(它具有接收证书作为参数的重载)来验证签名。

问题是验证签名的用户必须拥有证书,我担心的是,如果用户拥有证书,那么他就可以访问私钥,据我了解,这是私有的,应该仅对用户可用谁签名。

我缺少什么?

感谢您的帮助。

I'm trying to sign an XML file using a x.509 certificate, I can use the private key to sign the document and then use the CheckSignature method (it has an overload that receives a certificate as parameter) to verify the signature.

The problem is that the user who validates the signature must have the certificate, my concern is, if the user has the certificate then he has access to the private key, and as I understand, this is private and should be available only to the user who signs.

What am I missing?

Thanks for your help.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

扮仙女 2024-08-05 14:07:17

在 .NET 中,如果您从 .pfx 文件获取 X509 证书,如下所示:

 X509Certificate2 certificate = new X509Certificate2(certFile, pfxPassword);
 RSACryptoServiceProvider rsaCsp = (RSACryptoServiceProvider) certificate.PrivateKey;   

那么您可以像这样导出公钥部分:

 rsaCsp.ToXmlString(false);

“false”部分表示,仅导出公共部分,不导出私有部分。 (RSA.ToXmlString 的文档)

然后在验证应用程序中,使用

 RSACryptoServiceProvider csp = new RSACryptoServiceProvider();
 csp.FromXmlString(PublicKeyXml);
 bool isValid = VerifyXml(xmlDoc, rsa2);

VerifyXml 调用CheckSignature()。 它看起来像这样:

private Boolean VerifyXml(XmlDocument Doc, RSA Key)
{
    // Create a new SignedXml object and pass it
    // the XML document class.
    var signedXml = new System.Security.Cryptography.Xml.SignedXml(Doc);

    // Find the "Signature" node and create a new XmlNodeList object.
    XmlNodeList nodeList = Doc.GetElementsByTagName("Signature");

    // Throw an exception if no signature was found.
    if (nodeList.Count <= 0)
    {
        throw new CryptographicException("Verification failed: No Signature was found in the document.");
    }

    // Though it is possible to have multiple signatures on 
    // an XML document, this app only supports one signature for
    // the entire XML document.  Throw an exception 
    // if more than one signature was found.
    if (nodeList.Count >= 2)
    {
        throw new CryptographicException("Verification failed: More that one signature was found for the document.");
    }

    // Load the first <signature> node.  
    signedXml.LoadXml((XmlElement)nodeList[0]);

    // Check the signature and return the result.
    return signedXml.CheckSignature(Key);
}

In .NET, If you get your X509 cert from a .pfx file, like this:

 X509Certificate2 certificate = new X509Certificate2(certFile, pfxPassword);
 RSACryptoServiceProvider rsaCsp = (RSACryptoServiceProvider) certificate.PrivateKey;   

Then you can export the public key portion like so:

 rsaCsp.ToXmlString(false);

The "false" part says, only export the public piece, don't export the private piece. (doc for RSA.ToXmlString)

And then in the verifying application, use

 RSACryptoServiceProvider csp = new RSACryptoServiceProvider();
 csp.FromXmlString(PublicKeyXml);
 bool isValid = VerifyXml(xmlDoc, rsa2);

And the VerifyXml calls CheckSignature(). It looks something like this:

private Boolean VerifyXml(XmlDocument Doc, RSA Key)
{
    // Create a new SignedXml object and pass it
    // the XML document class.
    var signedXml = new System.Security.Cryptography.Xml.SignedXml(Doc);

    // Find the "Signature" node and create a new XmlNodeList object.
    XmlNodeList nodeList = Doc.GetElementsByTagName("Signature");

    // Throw an exception if no signature was found.
    if (nodeList.Count <= 0)
    {
        throw new CryptographicException("Verification failed: No Signature was found in the document.");
    }

    // Though it is possible to have multiple signatures on 
    // an XML document, this app only supports one signature for
    // the entire XML document.  Throw an exception 
    // if more than one signature was found.
    if (nodeList.Count >= 2)
    {
        throw new CryptographicException("Verification failed: More that one signature was found for the document.");
    }

    // Load the first <signature> node.  
    signedXml.LoadXml((XmlElement)nodeList[0]);

    // Check the signature and return the result.
    return signedXml.CheckSignature(Key);
}
岁月打碎记忆 2024-08-05 14:07:17

任何证书都有公共部分和私有部分。 您只发送公共部分。 只需在浏览器中打开任何启用 SSL 的网站,单击挂锁符号即可查看其证书。

Any certificate has a public and a private part. You only send around the public part. Just open any SSL enabled website in your browser, click on the padlock symbol and have a look at their certificate.

绮烟 2024-08-05 14:07:17

首先,您需要确保证书是 .pfx 或 .cer
您正在使用的旨在用于签名目的。

You can check same in General Tab of a certificate

*.Proves your identity to a remote computer
*.Protects e-mail messages
*.Allows data to be signed with the current time
*.Allows data on disk to be encrypted
*.2.16.356.100.2
**Document Signing**

此处编写了用于用 C# 对 XmlDocument 进行数字签名/验证的完整控制台应用程序

First off all you need to be sure that the certificate .pfx or .cer
that you are using is intended for signing purpose.

You can check same in General Tab of a certificate

*.Proves your identity to a remote computer
*.Protects e-mail messages
*.Allows data to be signed with the current time
*.Allows data on disk to be encrypted
*.2.16.356.100.2
**Document Signing**

A Complete console application to digitally sign/verify XmlDocument in C# is written here.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文