如何:验证 XML 文档的数字签名
可以使用 System.Security.Cryptography.Xml 命名空间中的类来验证签有数字签名的 XML 数据。 使用 XML 数字签名 (XMLDSIG),你可以验证签名后的数据没有被更改。 有关 XMLDSIG 标准的详细信息,请参阅万维网联合会 (W3C) 规范(位于 https://www.w3.org/TR/xmldsig-core/)。
注意
本文中的代码适用于 Windows。
此过程中的代码示例演示了如何验证包含在 <Signature
> 元素中的 XML 数字签名。 该示例检索密钥容器中 RSA 公钥,然后使用该密钥来验证签名。
有关如何创建可使用此技术验证的数字签名的信息,请参阅 如何:使用数字签名为 XML 文档签名。
验证 XML 文档的数字签名
若要验证文档,必须使用用于签名的同一非对称密钥。 创建 CspParameters 对象,并指定用于签名的密钥容器的名称。
CspParameters cspParams = new() { KeyContainerName = "XML_DSIG_RSA_KEY" };
Dim cspParams As New CspParameters() cspParams.KeyContainerName = "XML_DSIG_RSA_KEY"
检索使用 RSACryptoServiceProvider 类的公钥。 当将 CspParameters 对象传递到 RSACryptoServiceProvider 类的构造函数中时,会按名称从密钥容器自动加载密钥。
RSACryptoServiceProvider rsaKey = new(cspParams);
Dim rsaKey As New RSACryptoServiceProvider(cspParams)
通过从磁盘加载 XML 文件来创建 XmlDocument 对象。 XmlDocument 对象包含要验证的已签名 XML 文档。
XmlDocument xmlDoc = new() { // Load an XML file into the XmlDocument object. PreserveWhitespace = true }; xmlDoc.Load("test.xml");
Dim xmlDoc As New XmlDocument() ' Load an XML file into the XmlDocument object. xmlDoc.PreserveWhitespace = True xmlDoc.Load("test.xml")
创建一个新的 SignedXml 对象,并向其传递 XmlDocument 对象。
SignedXml signedXml = new(xmlDoc);
Dim signedXml As New SignedXml(xmlDoc)
找到 <
signature
> 元素,并创建新的 XmlNodeList 对象。XmlNodeList nodeList = xmlDoc.GetElementsByTagName("Signature");
Dim nodeList As XmlNodeList = xmlDoc.GetElementsByTagName("Signature")
将第一个 <
signature
> 元素的 XML 加载到 SignedXml 对象中。signedXml.LoadXml((XmlElement?)nodeList[0]);
signedXml.LoadXml(CType(nodeList(0), XmlElement))
使用 CheckSignature 方法和 RSA 公钥检查签名。 此方法返回一个指示成功或失败的布尔值。
return signedXml.CheckSignature(key);
Return signedXml.CheckSignature(key)
示例
此示例假定名为 "test.xml"
的文件与已编译程序存在于同一目录中。 必须使用 如何:使用数字签名为 XML 文档签名 中所述的技术对 "test.xml"
文件进行签名。
using System;
using System.Runtime.Versioning;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;
[SupportedOSPlatform("Windows")]
public class VerifyXML
{
public static void Main(string[] args)
{
try
{
// Create a new CspParameters object to specify
// a key container.
CspParameters cspParams = new()
{
KeyContainerName = "XML_DSIG_RSA_KEY"
};
// Create a new RSA signing key and save it in the container.
RSACryptoServiceProvider rsaKey = new(cspParams);
// Create a new XML document.
XmlDocument xmlDoc = new()
{
// Load an XML file into the XmlDocument object.
PreserveWhitespace = true
};
xmlDoc.Load("test.xml");
// Verify the signature of the signed XML.
Console.WriteLine("Verifying signature...");
bool result = VerifyXml(xmlDoc, rsaKey);
// Display the results of the signature verification to
// the console.
if (result)
{
Console.WriteLine("The XML signature is valid.");
}
else
{
Console.WriteLine("The XML signature is not valid.");
}
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
// Verify the signature of an XML file against an asymmetric
// algorithm and return the result.
public static bool VerifyXml(XmlDocument xmlDoc, RSA key)
{
// Check arguments.
if (xmlDoc == null)
throw new ArgumentException(null, nameof(xmlDoc));
if (key == null)
throw new ArgumentException(null, nameof(key));
// Create a new SignedXml object and pass it
// the XML document class.
SignedXml signedXml = new(xmlDoc);
// Find the "Signature" node and create a new
// XmlNodeList object.
XmlNodeList nodeList = xmlDoc.GetElementsByTagName("Signature");
// Throw an exception if no signature was found.
if (nodeList.Count <= 0)
{
throw new CryptographicException("Verification failed: No Signature was found in the document.");
}
// This example only supports one signature for
// the entire XML document. Throw an exception
// if more than one signature was found.
if (nodeList.Count >= 2)
{
throw new CryptographicException("Verification failed: More that one signature was found for the document.");
}
// Load the first <signature> node.
signedXml.LoadXml((XmlElement?)nodeList[0]);
// Check the signature and return the result.
return signedXml.CheckSignature(key);
}
}
Imports System.Security.Cryptography
Imports System.Security.Cryptography.Xml
Imports System.Xml
Module VerifyXML
Sub Main(ByVal args() As String)
Try
' Create a new CspParameters object to specify
' a key container.
Dim cspParams As New CspParameters()
cspParams.KeyContainerName = "XML_DSIG_RSA_KEY"
' Create a new RSA signing key and save it in the container.
Dim rsaKey As New RSACryptoServiceProvider(cspParams)
' Create a new XML document.
Dim xmlDoc As New XmlDocument()
' Load an XML file into the XmlDocument object.
xmlDoc.PreserveWhitespace = True
xmlDoc.Load("test.xml")
' Verify the signature of the signed XML.
Console.WriteLine("Verifying signature...")
Dim result As Boolean = VerifyXml(xmlDoc, rsaKey)
' Display the results of the signature verification to
' the console.
If result Then
Console.WriteLine("The XML signature is valid.")
Else
Console.WriteLine("The XML signature is not valid.")
End If
Catch e As Exception
Console.WriteLine(e.Message)
End Try
End Sub
' Verify the signature of an XML file against an asymmetric
' algorithm and return the result.
Function VerifyXml(ByVal xmlDoc As XmlDocument, ByVal key As RSA) As [Boolean]
' Check arguments.
If xmlDoc Is Nothing Then
Throw New ArgumentException(
"The XML doc cannot be nothing.", NameOf(xmlDoc))
End If
If key Is Nothing Then
Throw New ArgumentException(
"The key cannot be nothing.", NameOf(key))
End If
' Create a new SignedXml object and pass it
' the XML document class.
Dim signedXml As New SignedXml(xmlDoc)
' Find the "Signature" node and create a new
' XmlNodeList object.
Dim nodeList As XmlNodeList = xmlDoc.GetElementsByTagName("Signature")
' Throw an exception if no signature was found.
If nodeList.Count <= 0 Then
Throw New CryptographicException("Verification failed: No Signature was found in the document.")
End If
' This example only supports one signature for
' the entire XML document. Throw an exception
' if more than one signature was found.
If nodeList.Count >= 2 Then
Throw New CryptographicException("Verification failed: More that one signature was found for the document.")
End If
' Load the first <signature> node.
signedXml.LoadXml(CType(nodeList(0), XmlElement))
' Check the signature and return the result.
Return signedXml.CheckSignature(key)
End Function
End Module
编译代码
在面向 .NET Framework 的项目中,包含对
System.Security.dll
的引用。在面向 .NET Core 或 .NET 5 的项目中,安装 NuGet 包 System.Security.Cryptography.Xml。
包括以下命名空间:System.Xml、System.Security.Cryptography 和 System.Security.Cryptography.Xml。
.NET 安全性
切勿用纯文本存储或传输非对称密钥对的私钥。 有关对称和非对称加密密钥的详细信息,请参阅 生成加密和解密的密钥。
切勿将私钥直接嵌入到源代码中。 可通过使用 Ildasm.exe(IL 反汇编程序) 或在文本编辑器(如记事本)中打开程序集的方式轻松从程序集中读取嵌入的密钥。