I am using the SignedXml class to validate a signature in a XML document. The signature refers only to part to the document.
I am able to verify the signature, but how can I be sure that the signature is signing the specific part of the document that I need to validate? Someone could simply sign a different part of the document using the same key and the signature will still be valid.
From what I understand, SignedXml automatically verifies a signature against the part of the document that's supposedly signed.
A digital signature is verified by passing it the signature value and the data/content that's supposedly signed (or hash value of it). That means that if the signature verifies, you can be sure the right part of the document was signed.
If someone signs a different part of the document and you're verifying the signature against a non-signed part of the document, you won't get a positive result. And due to the structure of XML, SignedXml verifies a signature against what's suppposedly signed, not against something else.