作法:驗證 XML 文件的數位簽章
您可以使用 System.Security.Cryptography.Xml 命名空間中的類別,驗證使用數位簽章簽署的 XML 資料。 XML 數位簽章 (XMLDSIG) 可讓您驗證在簽署資料後,資料未經過變更。 如需 XMLDSIG 標準的詳細資訊,請參閱全球資訊網協會 (W3C) 規格,位於 https://www.w3.org/TR/xmldsig-core/。
注意
本文中的程式碼適用於 Windows。
這個程序中的程式碼範例會示範如何驗證 <Signature
> 項目所包含的 XML 數位簽章。 範例會從金鑰容器擷取 RSA 公開金鑰,然後使用金鑰來驗證簽章。
如需如何建立可以使用這項技術來驗證之數位簽章的相關資訊,請參閱 HOW TO:使用數位簽章簽署 XML 文件。
驗證 XML 文件的數位簽章
若要驗證文件,您必須使用用於簽章的相同非對稱金鑰。 建立 CspParameters 物件,並指定用於簽章的金鑰容器名稱。
CspParameters cspParams = new() { KeyContainerName = "XML_DSIG_RSA_KEY" };
Dim cspParams As New CspParameters() cspParams.KeyContainerName = "XML_DSIG_RSA_KEY"
使用 RSACryptoServiceProvider 類別擷取公用金鑰。 當您將 CspParameters 物件傳遞到 RSACryptoServiceProvider 類別的建構函式時,金鑰會自動依名稱從金鑰容器載入。
RSACryptoServiceProvider rsaKey = new(cspParams);
Dim rsaKey As New RSACryptoServiceProvider(cspParams)
藉由從磁碟載入 XML 檔案,建立 XmlDocument 物件。 XmlDocument 物件包含要驗證的已簽署 XML 文件。
XmlDocument xmlDoc = new() { // Load an XML file into the XmlDocument object. PreserveWhitespace = true }; xmlDoc.Load("test.xml");
Dim xmlDoc As New XmlDocument() ' Load an XML file into the XmlDocument object. xmlDoc.PreserveWhitespace = True xmlDoc.Load("test.xml")
建立新的 SignedXml 物件,並傳遞 XmlDocument 物件給它。
SignedXml signedXml = new(xmlDoc);
Dim signedXml As New SignedXml(xmlDoc)
找出 <
signature
> 項目,並建立新的 XmlNodeList 物件。XmlNodeList nodeList = xmlDoc.GetElementsByTagName("Signature");
Dim nodeList As XmlNodeList = xmlDoc.GetElementsByTagName("Signature")
將第一個 <
signature
> 項目的 XML 載入至 SignedXml 物件。signedXml.LoadXml((XmlElement?)nodeList[0]);
signedXml.LoadXml(CType(nodeList(0), XmlElement))
使用 CheckSignature 方法和 RSA 公開金鑰檢查簽章。 這個方法會傳回表示成功或失敗的布林值。
return signedXml.CheckSignature(key);
Return signedXml.CheckSignature(key)
範例
這個範例假設名為 "test.xml"
的檔案已存在於和編譯程式相同的目錄中。 "test.xml"
檔案必須使用 HOW TO:使用數位簽章簽署 XML 文件中所述的技巧簽署。
using System;
using System.Runtime.Versioning;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;
[SupportedOSPlatform("Windows")]
public class VerifyXML
{
public static void Main(string[] args)
{
try
{
// Create a new CspParameters object to specify
// a key container.
CspParameters cspParams = new()
{
KeyContainerName = "XML_DSIG_RSA_KEY"
};
// Create a new RSA signing key and save it in the container.
RSACryptoServiceProvider rsaKey = new(cspParams);
// Create a new XML document.
XmlDocument xmlDoc = new()
{
// Load an XML file into the XmlDocument object.
PreserveWhitespace = true
};
xmlDoc.Load("test.xml");
// Verify the signature of the signed XML.
Console.WriteLine("Verifying signature...");
bool result = VerifyXml(xmlDoc, rsaKey);
// Display the results of the signature verification to
// the console.
if (result)
{
Console.WriteLine("The XML signature is valid.");
}
else
{
Console.WriteLine("The XML signature is not valid.");
}
}
catch (Exception e)
{
Console.WriteLine(e.Message);
}
}
// Verify the signature of an XML file against an asymmetric
// algorithm and return the result.
public static bool VerifyXml(XmlDocument xmlDoc, RSA key)
{
// Check arguments.
if (xmlDoc == null)
throw new ArgumentException(null, nameof(xmlDoc));
if (key == null)
throw new ArgumentException(null, nameof(key));
// Create a new SignedXml object and pass it
// the XML document class.
SignedXml signedXml = new(xmlDoc);
// Find the "Signature" node and create a new
// XmlNodeList object.
XmlNodeList nodeList = xmlDoc.GetElementsByTagName("Signature");
// Throw an exception if no signature was found.
if (nodeList.Count <= 0)
{
throw new CryptographicException("Verification failed: No Signature was found in the document.");
}
// This example only supports one signature for
// the entire XML document. Throw an exception
// if more than one signature was found.
if (nodeList.Count >= 2)
{
throw new CryptographicException("Verification failed: More that one signature was found for the document.");
}
// Load the first <signature> node.
signedXml.LoadXml((XmlElement?)nodeList[0]);
// Check the signature and return the result.
return signedXml.CheckSignature(key);
}
}
Imports System.Security.Cryptography
Imports System.Security.Cryptography.Xml
Imports System.Xml
Module VerifyXML
Sub Main(ByVal args() As String)
Try
' Create a new CspParameters object to specify
' a key container.
Dim cspParams As New CspParameters()
cspParams.KeyContainerName = "XML_DSIG_RSA_KEY"
' Create a new RSA signing key and save it in the container.
Dim rsaKey As New RSACryptoServiceProvider(cspParams)
' Create a new XML document.
Dim xmlDoc As New XmlDocument()
' Load an XML file into the XmlDocument object.
xmlDoc.PreserveWhitespace = True
xmlDoc.Load("test.xml")
' Verify the signature of the signed XML.
Console.WriteLine("Verifying signature...")
Dim result As Boolean = VerifyXml(xmlDoc, rsaKey)
' Display the results of the signature verification to
' the console.
If result Then
Console.WriteLine("The XML signature is valid.")
Else
Console.WriteLine("The XML signature is not valid.")
End If
Catch e As Exception
Console.WriteLine(e.Message)
End Try
End Sub
' Verify the signature of an XML file against an asymmetric
' algorithm and return the result.
Function VerifyXml(ByVal xmlDoc As XmlDocument, ByVal key As RSA) As [Boolean]
' Check arguments.
If xmlDoc Is Nothing Then
Throw New ArgumentException(
"The XML doc cannot be nothing.", NameOf(xmlDoc))
End If
If key Is Nothing Then
Throw New ArgumentException(
"The key cannot be nothing.", NameOf(key))
End If
' Create a new SignedXml object and pass it
' the XML document class.
Dim signedXml As New SignedXml(xmlDoc)
' Find the "Signature" node and create a new
' XmlNodeList object.
Dim nodeList As XmlNodeList = xmlDoc.GetElementsByTagName("Signature")
' Throw an exception if no signature was found.
If nodeList.Count <= 0 Then
Throw New CryptographicException("Verification failed: No Signature was found in the document.")
End If
' This example only supports one signature for
' the entire XML document. Throw an exception
' if more than one signature was found.
If nodeList.Count >= 2 Then
Throw New CryptographicException("Verification failed: More that one signature was found for the document.")
End If
' Load the first <signature> node.
signedXml.LoadXml(CType(nodeList(0), XmlElement))
' Check the signature and return the result.
Return signedXml.CheckSignature(key)
End Function
End Module
編譯程式碼
在以 .NET Framework 為目標的專案中,包含
System.Security.dll
的參考。在以 .NET Core 或 .NET 5 為目標的專案中,安裝 NuGet 套件 System.Security.Cryptography.Xml。
包含下列命名空間:System.Xml、System.Security.Cryptography 和 System.Security.Cryptography.Xml。
.NET 安全性
絕對不要以純文字儲存或傳輸非對稱金鑰組的私密金鑰。 如需對稱和非對稱密碼編譯金鑰的詳細資訊,請參閱產生加密和解密金鑰。
絕對不要直接將私密金鑰內嵌在您的原始程式碼。 內嵌的金鑰可以藉由使用 Ildasm.exe (IL 反組譯工具) 或是藉由在文字編輯器 (例如記事本) 中開啟組件,輕鬆地從組件讀取。