如何在不使用SignedXml的情况下验证c#中的xml数字签名?

时间:2017-06-07 18:00:00

标签: c# cryptography .net-core xml-signature

如何在不使用SignedXml(在dotnet核心中不可用)的情况下验证xml签名(在SOAP请求中使用)?

我是这样想的,但它总是让我虚假:

 public static void CheckSignature(XElement responseXml, MyResponseType response)
    {
        string originalDigestValue = Convert.ToBase64String(response.Signature.SignedInfo.Reference.FirstOrDefault().DigestValue);
        var originalSignatureValue = response.Signature.SignatureValue.Value;

        X509DataType certificateData = (X509DataType)response.Signature.KeyInfo.Items[0];
        X509Certificate2 certificate = new X509Certificate2((byte[])certificateData.Items[0]);

        //for calculating digest value
        //responseXml.Descendants(nm + "Signature").SingleOrDefault().Remove();
        //var digestValue = Convert.ToBase64String(SHA1.Create().ComputeHash(System.Text.Encoding.UTF8.GetBytes(responseXml.Document.ToString())));

        XNamespace nm = @"http://www.w3.org/2000/09/xmldsig#";
        var signedInfoNode = responseXml.Descendants(nm + "SignedInfo").SingleOrDefault();

        var signedInfo = signedInfoNode.ToString().Trim();

        byte[] signedInfoBytes = Encoding.UTF8.GetBytes(signedInfo);

        var hash = SHA1.Create().ComputeHash(signedInfoBytes);

        RSA rsa = certificate.GetRSAPublicKey();

        try
        {
            Console.WriteLine("Signed Info: \n" + signedInfo);
            Console.WriteLine("Verification: \n" + rsa.VerifyData(signedInfoBytes, originalSignatureValue, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1));
            Console.WriteLine("Verification hash: \n" + rsa.VerifyData(hash, originalSignatureValue, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1));
        }
        catch (Exception exc)
        {
           //
        }
    }

1 个答案:

答案 0 :(得分:2)

xmldsig是一个非常庞大,非常复杂的规范。如果您愿意,可以尝试实现它,复杂的部分是将XML文档转换为字节以进行签名和验证(canonicalization (or c14n) spec是独立的,并且很大)。

SignedXml现在应该可以.NET Core 2.0 Preview 1使用,升级绝对是最简单的选择。

相关问题
最新问题