I am trying to sign an XML on one computer then verify that XML on another computer. I have seen this question asked (Signed and Verify xml file in C#) but the asker was not clear and an answer was not found.
I sign and verify the XML file using the example found here: http://msdn.microsoft.com/en-us/library/ms229745(v=vs.110).aspx
The verification works if I run both signing and verification on the same computer. But when I try verifying on another computer it fails.
Before signing the file, I create the key container like this:
aspnet_regiis -pc "MY_KEY_CONTAINER" -exp
I sign the XML and then export the key (note here I do not export the private key using -pri):
aspnet_regiis -px "MY_KEY_CONTAINER" "D:\MY_KEY_CONTAINER.xml"
Then import the key on the other computer:
aspnet_regiis -pi "MY_KEY_CONTAINER" "D:\MY_KEY_CONTAINER.xml"
Then, on the second computer, I run the same verification application that works on the first computer. However, on the second computer the verification fails. The settings on both machines are the same. Both are running the same version of .NET.
I would like to confirm that the process I described should work. If there are no problems with my code, should the key exchange process I described above work?
EDIT: I started printing the key to the screen and realized that even if I delete the old key and create a new one, the key within the application does not change. It seems that there are two different key containers even though they have the same name. One key container is being accessed by my application and the other is being used when I run the aspnet_regiis command. Is this correct? What is causing this and can I fix it?
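The "two containers with one name" symptom in the edit above is what you get when the tool and the application open different key stores: aspnet_regiis -pc creates a machine-level container, while RSACryptoServiceProvider opened with plain CspParameters (as in the MSDN sample) uses the current user's store and, if no container of that name exists there, silently creates a fresh key. The following C# is an added example, not code from the question or from the MSDN sample; the container name is the one from the question and the flags are the ones a practitioner would use to check which store the application is really reading. It returns the public key as XML so it can be compared with the file exported by aspnet_regiis -px.

```csharp
using System;
using System.Security.Cryptography;

// Added example (not from the question or the MSDN sample): open a named RSA key
// container the way the signing/verification application does and return its
// public key as XML, so it can be compared with the aspnet_regiis -px export.
static class KeyContainerCheck
{
    // machineStore = true selects the machine-level store that aspnet_regiis uses.
    // UseExistingKey makes the CSP throw if the container is absent instead of
    // silently creating a new key pair under the same name.
    public static string PublicKeyXml(string containerName, bool machineStore)
    {
        var csp = new CspParameters
        {
            KeyContainerName = containerName,
            Flags = CspProviderFlags.UseExistingKey
        };
        if (machineStore)
            csp.Flags |= CspProviderFlags.UseMachineKeyStore;

        using (var rsa = new RSACryptoServiceProvider(csp))
        {
            return rsa.ToXmlString(includePrivateParameters: false);
        }
    }

    static void Main()
    {
        const string name = "MY_KEY_CONTAINER";   // container name from the question

        // This is the key aspnet_regiis -pc created and -px exported.
        Console.WriteLine("machine store: " + PublicKeyXml(name, machineStore: true));

        try
        {
            // Without UseMachineKeyStore the application looks in the user store;
            // with UseExistingKey set, a missing container fails loudly here.
            Console.WriteLine("user store:    " + PublicKeyXml(name, machineStore: false));
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("user store:    no such container (" + ex.Message + ")");
        }
    }
}
```

If the machine-store call succeeds and the user-store call throws, the application needs CspProviderFlags.UseMachineKeyStore in its CspParameters on both computers (and the account running it needs access to the machine container, which aspnet_regiis -pa grants). Keeping UseExistingKey in production code is the cheap safeguard: a misconfigured store then fails at startup rather than signing with a key nobody has exported.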
What the mentioned MSDN example misses is the KeyInfo structure in the created signature. KeyInfo lets you even include the certificate in the signed document, which makes it totally portable: the certificate is a part of the signed document, which means that at the receiver side you not only can validate the signature but also accept or reject the certificate (usually this involves thumbprint lookup).

What I also disliked in the MSDN article is the lack of theory: there are three types of signatures, enveloped, enveloping and detached. The distinction could be important and it is better to have a deeper understanding of what is going on.
This is why I wrote a three part tutorial that covers the interoperable XMLDsig. I show how to create and validate signatures in C# and Java in an interoperable way:
Part 1 (theory) http://www.wiktorzychla.com/2012/12/interoperable-xml-digital-signatures-c.html
Part 2 (C#) http://www.wiktorzychla.com/2012/12/interoperable-xml-digital-signatures-c_20.html
Part 3 (Java) http://www.wiktorzychla.com/2012/12/interoperable-xml-digital-signatures-c_4247.html
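The answer's suggestion, an enveloped signature whose KeyInfo carries the signing certificate, with the receiver accepting or rejecting that certificate by thumbprint, as an added C# example. This is not code from the MSDN sample or from the linked tutorial. The PFX path and password, the allow-list of thumbprints and the XML document are placeholders constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not from the MSDN sample or the linked tutorial): enveloped
// XMLDSig signature carrying its certificate in KeyInfo, and a verifier that
// pins the embedded certificate's thumbprint before trusting the signature.
static class PortableXmlSignature
{
    // Sign: the <Signature> element is appended inside the document root (enveloped).
    public static XmlDocument Sign(XmlDocument doc, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };

        var reference = new Reference { Uri = "" };          // "" = the whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);

        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));         // embed the certificate itself
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // Verify: take the certificate out of KeyInfo, accept it only if its thumbprint
    // is on the allow-list, then check the signature with that certificate's key.
    public static bool Verify(XmlDocument doc, ISet<string> trustedThumbprints)
    {
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false;                   // no signature, or more than one

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);

        X509Certificate2 embedded = null;
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
        {
            var x509 = clause as KeyInfoX509Data;
            if (x509 != null && x509.Certificates.Count > 0)
                embedded = new X509Certificate2((X509Certificate)x509.Certificates[0]);
        }
        if (embedded == null) return false;

        // Pinning step: a valid signature from an unknown certificate proves nothing.
        if (!trustedThumbprints.Contains(embedded.Thumbprint)) return false;

        // true = verify the signature only; trust was decided by the thumbprint check.
        // Pass false instead to additionally run chain validation on the certificate.
        return signedXml.CheckSignature(embedded, true);
    }

    static void Main()
    {
        // Placeholders: a certificate with a private key, and the receiver's allow-list.
        var cert = new X509Certificate2(@"D:\signer.pfx", "pfx-password");
        var trusted = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { cert.Thumbprint };

        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<order><item>widget</item><qty>3</qty></order>");   // constructed input

        Sign(doc, cert);
        Console.WriteLine("valid signature: " + Verify(doc, trusted));

        doc.SelectSingleNode("/order/qty").InnerText = "300";            // tamper with content
        Console.WriteLine("after tampering: " + Verify(doc, trusted));
    }
}
```

With the certificate travelling inside the document, the receiving machine no longer needs the exported key container at all; what it needs is the list of thumbprints it is willing to accept, which is a far easier artefact to distribute and rotate than a key container. The verifier deliberately refuses documents with zero or several Signature elements and never calls the parameterless CheckSignature(), since that overload would happily use whatever key the sender embedded.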