The .NET Framework supports the XML Signature specification (commonly referred to as XMLDSIG), which provides a standard approach to creating and representing signatures for XML documents.
In this section, we introduce the .NET XMLDSIG classes. We do not discuss all of the options available to you or provide in-depth coverage of the standard itself. The XMLDSIG standard is complex, and full coverage is outside the scope of this book. For full details of the XML Signature specification, consult the World Wide Web Consortium web site, at http://www.w3.org/TR/xmldsig-core. Consult the .NET documentation for full details of the XMLDSIG classes. You should have a basic understanding of how the .NET Framework supports XML.
The .NET Framework includes classes that support creating and verifying XMLDSIG signatures for XML documents; in other words, the .NET XMLDSIG classes allow you to sign XML documents to create signatures that are also XML documents themselves.
Throughout this section, we will base our examples on creating a signature for the following simple XML, which we assume is in a file named book.xml:
<book> <title>Programming .NET Security</title> <author>Adam Freeman</author> <author>Allen Jones</author> </book>
All of the .NET XMLDSIG classes are contained in the System.Security.Cryptography.Xml namespace, which is included in System.Security.dll.
In the following sections, we demonstrate how to create an XMLDSIG signature for our sample XML document.
To create a signature, the first step is to create a reference to the XML document that you want to sign. The .NET Reference class allows you to create a reference using a URL string or a stream of data. When the signature is created, the XML data will be read from the URL or the stream to create the signature. The following statements demonstrate how to create a Reference object:
# C# // specify the URL of the document we want to sign string x_url = "http://www.mydomain.com/book.xml"; // create a reference that points to the URL Reference x_url_ref = new Reference(x_url); // open a file stream for the document we want to sign FileStream x_stream = new FileStream("book.xml", FileMode.Open); // create a Reference that will use the stream Reference x_stream_ref = new Reference(x_stream); # Visual Basic .NET ' specify the URL of the document we want to sign Dim x_url As String = "http:'www.mydomain.com/book.xml" ' create a reference that points to the URL Dim x_url_ref As Reference = New Reference(x_url) ' open a file stream for the document we want to sign Dim x_stream As FileStream = New FileStream("book.xml", FileMode.Open) ' create a Reference that will use the stream Dim x_stream_ref As Reference = New Reference(x_stream)
The System.Security.Cryptography.Xml.SignedXml class is responsible for creating the signature document. Create an instance of this class, and then configure it with the settings you wish to use in creating the signature. Create a new instance of the SignedXml class using the default constructor, and then use the AddReference method to add the Reference object you created in the previous section:
# C# SignedXml x_signed_xml = new SignedXml( ); x_signed_xml.AddReference(x_stream_ref); # Visual Basic .NET Dim x_signed_xml As SignedXml = New SignedXml( ) x_signed_xml.AddReference(x_stream_ref)
you need to create a new asymmetric signing algorithm instance and assign it to the SignedXml object using the SigningKey property, as illustrated by the following statements:
# C# // create a new instance of the DSA algorithm DSA x_dsa = DSA.Create( ); // configure the signing key // ... // set the algorithm for the SignedXml x_signed_xml.SigningKey = x_dsa; # Visual Basic .NET ' create a new instance of the DSA algorithm Dim x_dsa As DSA = DSA.Create( ) ' configure the signing key ' ... ' set the algorithm for the SignedXml x_signed_xml.SigningKey = x_dsa
These statements have the effect of defining the algorithm and the keys that will be used to create the signature. The .NET classes support using the RSA and DSA algorithms for generating XML Signature documents.
Create the signature by calling the ComputeSignature method. You can then obtain the signature by calling the GetXml method, and obtain a string representation by using the OuterXml property, as shown below:
# C# x_signed_xml.ComputeSignature( ); Console.WriteLine(x_signed_xml.GetXml( ).OuterXml); # Visual Basic .NET x_signed_xml.ComputeSignature( ) Console.WriteLine(x_signed_xml.GetXml( ).OuterXml)
The result of creating a DSA signature for our sample XML is as follows:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" /> <Reference> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>eJgWGA+lXiqrOpXa+2NSBbO1HS4=</DigestValue> </Reference> </SignedInfo> <SignatureValue>u5zleIl7IY5MV8sxsirlGIqRaZ9LgExoKdQwgCMqaPxWZX7VOAcT9g== </SignatureValue> </Signature>
Notice that the XML signature document contains information about the signing algorithm (DSA), the hashing algorithm (SHA-1), and the signature value, which has been Base64-encoded. This is a formalized representation of the information that is needed to verify the signature, which would otherwise have to be communicated between parties in an ad hoc manner (for example, Alice and Bob exchange messages to agree on the hashing and signing algorithms before they exchange signed data).
The signature that you created in the previous section is separate from the data it relates to, as are the other signatures you created in Section 16.2. The XMLDSIG standard supports including the original data as part of the XML signature document.
To include your sample XML document, load the XML document and use it to create a new instance of the DataObject class:
# C# // load the XML document XmlDocument x_xml_doc = new XmlDocument( ); x_xml_doc.Load("book.xml"); // create the data object for the xml document DataObject x_obj = new DataObject( ); x_obj.Data = x_xml_doc.ChildNodes; x_obj.Id = "book"; # Visual Basic .NET ' load the XML document Dim x_xml_doc As XmlDocument = New XmlDocument( ) x_xml_doc.Load("book.xml") ' create the data object for the xml document Dim x_obj As DataObject = New DataObject( ) x_obj.Data = x_xml_doc.ChildNodes x_obj.Uri = "book"
Assign the XML data to the DataObject using the Data property, and assign an ID to the object using the URI property; for example, choose the ID "book." Continue by creating a new reference, but instead of using a URL or a stream for the data, use a "local" reference, where you place a # symbol in front of our object ID (in this case, the local reference is #book):
# C# // create the local reference Reference x_local_reference = new Reference( ); x_local_reference.Uri = "#book"; # Visual Studio .NET ' create the local reference Dim x_local_reference As Reference = New Reference( ) x_local_reference.Uri = "#book"
Create a new instance of the SignedXml class, and use the AddReference and AddObjects methods to add your reference and data:
# C# // create the SignedXml instance SignedXml x_signed_xml = new SignedXml( ); // add the local reference x_signed_xml.AddReference(x_local_reference); // add the data object x_signed_xml.AddObject(x_obj); # Visual Basic .NET ' create the SignedXml instance Dim x_signed_xml As SignedXml = New SignedXml( ) ' add the local reference x_signed_xml.AddReference(x_local_reference) ' add the data object x_signed_xml.AddObject(x_obj)
Finally, set the instance of the signing algorithm and compute the signature:
# C# // create a new instance of the DSA algorithm DSA x_dsa = DSA.Create( ); // configure the signing key // ... // set the algorithm for the SignedXml x_signed_xml.SigningKey = x_dsa; // compute the signature x_signed_xml.ComputeSignature( ); Console.WriteLine(x_signed_xml.GetXml( ).OuterXml); # Visual Basic .NET ' create a new instance of the DSA algorithm Dim x_dsa As DSA = DSA.Create( ) ' configure the signing key ' ... ' set the algorithm for the SignedXml x_signed_xml.SigningKey = x_dsa ' compute the signature x_signed_xml.ComputeSignature( ) Console.WriteLine(x_signed_xml.GetXml( ).OuterXml)
The resulting signature is shown below; the included data is hightlighted:
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" /> <Reference URI="#book"> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <DigestValue>1UhFInEywZYY/3eLgCqg5w+IROI=</DigestValue> </Reference> </SignedInfo> <SignatureValue>DUuD4ZJd8YiDLIr7HimDWGmCXYQDpX1jv1xRxKLgccw/lTyh3XjB6Q== </SignatureValue> <Object Id="book"> <book xmlns=""> <title>Programming .NET Security</title> <author>Adam Freeman</author> <author>Allen Jones</author> </book> </Object> </Signature>
By including the data in this way, you create an XML document that contains the data that was signed, details of how the signature was created (hashing and signature algorithms), and the signature itself, which allows Alice to send a single XML document to Bob when exchanging signed messages.
Begin verifying the signature by loading the XML Signature document (which you have saved as the file xmlsig.xml) into an instance of the SignedXml class:
# C# // load the XML document XmlDocument x_xml_doc = new XmlDocument( ); x_xml_doc.Load("xmlsig.xml"); // create the SignedXml instance SignedXml x_signed_xml = new SignedXml( ); // get the node list from the XML sig doc XmlNodeList x_node_list = x_xml_doc.GetElementsByTagName("Signature"); // load the XML signature document x_signed_xml.LoadXml((XmlElement)x_node_list[0]); # Visual Basic .NET ' load the XML document Dim x_xml_doc As XmlDocument = New XmlDocument( ) x_xml_doc.Load("xmlsig.xml") ' create the SignedXml instance Dim x_signed_xml As SignedXml = New SignedXml( ) ' get the node list from the XML sig doc Dim x_node_list As XmlNodeList = x_xml_doc.GetElementsByTagName("Signature") ' load the XML signature document x_signed_xml.LoadXml(CType(x_node_list(0), XmlElement))
You need to create the asymmetric algorithm that will be used to verify the signature; you should configure the algorithm class with the public parameters from the key pair that was used to generate the signature.
Once you have created the algorithm, create an instance of the KeyInfo class, which accepts an instance of either the DSAKeyValue or RSAKeyValue class, depending on which algorithm has been used. Configure the SignedXml class to use the asymmetric algorithm by setting the value of the KeyInfo property:
# C# // create a new instance of the DSA algorithm DSA x_dsa = DSA.Create( ); // configure the signing key // ... // create the KeyInfo instance KeyInfo x_info = new KeyInfo( ); // add the DSA instance to the KeyInfo x_info.AddClause(new DSAKeyValue(x_dsa)); // configure the SignedXml class to use the // DSA keys for verification x_signed_xml.KeyInfo = x_info; # Visual Basic .NET ' create a new instance of the DSA algorithm Dim x_dsa As DSA = DSA.Create( ) ' configure the signing key ' ... ' create the KeyInfo instance Dim x_info As KeyInfo = New KeyInfo( ) ' add the DSA instance to the KeyInfo x_info.AddClause(New DSAKeyValue(x_dsa)) ' configure the SignedXml class to use the ' DSA keys for verification x_signed_xml.KeyInfo = x_info
Finally, verify the signature by calling the CheckSignature method of the SignedXml class; this method returns true if the signature is valid and false if it is not:
# C# // verify the signature bool x_signature_valid = x_signed_xml.CheckSignature( ); # Visual Basic .NET ' verify the signature Dim x_signature_valid As Boolean = x_signed_xml.CheckSignature( )