I have seen several similar questions but none that address exactly what I'm asking.
I am trying to sign an XML then verify it with the public key using C#.
I sign the XML with a key then export the key to an XML. Then take the key and the signed XML to a different computer, import the key using rsa.FromXmlString(doc.InnerXml)
, and verify the XML signature.
This works if I export both the public and private keys to an XML using rsa.ToXmlString(True)
. However, I want to export only my public key using rsa.ToXmlString(False)
. If I export only the public key and import it on the second computer and try to validate the XML signature it says the signature is not valid.
First, should I be able to verify the signed XML with only the public key?
Second, If that is true, why does my verify XML function only work with the pub/priv key pair and not with only the public key?
Do you have any wisdom about how to debug this problem? I am not sure what else to do because signedXml.CheckSignature(Key);
does not provide any information about why it failed.
My import key, export key, sign XML, and verify XML functions are below. Let me know if you need more information.
public static void ImportKeyFromFile(string ContainerName, string inputFile)
{
try
{
// Create new XmlDocument.
XmlDocument doc = new XmlDocument();
// Load XML Document.
doc.Load(inputFile);
// Create the CspParameters object and set the key container
// name used to store the RSA key pair.
CspParameters cp = new CspParameters();
cp.KeyContainerName = ContainerName;
// Create a new instance of RSACryptoServiceProvider that accesses
// the key container MyKeyContainerName.
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cp);
// Get RSA Parameters from xml document.
rsa.FromXmlString(doc.InnerXml);
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
}
public static void ExportKeyToFile(string ContainerName, string outputPath, bool private_key)
{
try
{
// Create the CspParameters object and set the key container
// name used to store the RSA key pair.
CspParameters cp = new CspParameters();
cp.KeyContainerName = ContainerName;
// Create a new instance of RSACryptoServiceProvider that accesses
// the key container MyKeyContainerName.
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cp);
// Create new XmlDocument.
XmlDocument doc = new XmlDocument();
// Store rsa key.
doc.InnerXml = rsa.ToXmlString(private_key);
// Save Document.
doc.Save(outputPath);
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
}
public static Boolean VerifyXml(XmlDocument Doc, RSA Key)
{
// Check arguments.
if (Doc == null)
throw new ArgumentException("Doc");
if (Key == null)
throw new ArgumentException("Key");
// Create a new SignedXml object and pass it
// the XML document class.
SignedXml signedXml = new SignedXml(Doc);
// Find the "Signature" node and create a new
// XmlNodeList object.
XmlNodeList nodeList = Doc.GetElementsByTagName("Signature");
// Throw an exception if no signature was found.
if (nodeList.Count <= 0)
{
throw new CryptographicException("Verification failed: No Signature was found in the document.");
}
// Load the first <signature> node.
signedXml.LoadXml((XmlElement)nodeList[0]);
// Check the signature and return the result.
return signedXml.CheckSignature(Key);
}
public static void SignXml(XmlDocument xmlDoc, RSA Key)
{
// Check arguments.
if (xmlDoc == null)
throw new ArgumentException("xmlDoc");
if (Key == null)
throw new ArgumentException("Key");
// Create a SignedXml object.
SignedXml signedXml = new SignedXml(xmlDoc);
// Add the key to the SignedXml document.
signedXml.SigningKey = Key;
// Create a reference to be signed.
Reference reference = new Reference();
reference.Uri = "";
// Add an enveloped transformation to the reference.
XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
reference.AddTransform(env);
// Add the reference to the SignedXml object.
signedXml.AddReference(reference);
// Compute the signature.
signedXml.ComputeSignature();
// Get the XML representation of the signature and save
// it to an XmlElement object.
XmlElement xmlDigitalSignature = signedXml.GetXml();
// Append the element to the XML document.
xmlDoc.DocumentElement.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));
}
The problem is because you cannot store public keys in a Key Container. To verify a signature with just a public key, you should import the key from the XML using
rsa.FromXmlString
then pass rsa directly to the Verify Signature function. If you try to store a public key in a key container and retrieve it later you will just end up creating a new key. How to store a public key in a machine-level RSA key container