I'm digitally signing an XML document and verifying it on two different machines (signing it on one machine and verifying on another).
I'm doing the following to verify the XML DSIG in C#/.NET.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public static bool VerifyXml(XmlDocument document)
{
    document.PreserveWhitespace = true;

    // Create a new CspParameters object to specify
    // a key container.
    CspParameters cspParams = new CspParameters();
    cspParams.KeyContainerName = "XML_DSIG_RSA_KEY";

    // Open (or create) the RSA key in the container.
    //**Earlier was getting exception here in rsaKey object**
    RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(cspParams);

    // Create a new SignedXml object and pass it
    // the XML document class.
    SignedXml signedXml = new SignedXml(document);

    // Find the "Signature" node and create a new
    // XmlNodeList object.
    // It's guaranteed that there always exists a signature.
    XmlNodeList nodeList = document.GetElementsByTagName("Signature");

    // Load the <Signature> node.
    signedXml.LoadXml((XmlElement)nodeList[0]);

    // Check the signature against the local container's key and return the result.
    bool isDone = signedXml.CheckSignature(rsaKey); //**This is returning false.**
    return isDone;
}
Initially I was getting a PermissionDenied exception when my web application tried to access the key container. However, I've temporarily added the application user and the IIS user to the Administrator role and assigned the FullTrust security policy to my web application using CasPol.
Q1: My first question is: what is the best way to overcome this? I know assigning the web application FullTrust and adding the user to the Administrator role is not a bright idea, even though it works.
My second question is regarding signedXml.CheckSignature(rsaKey);
returning false. As per my understanding, since the XML document is digitally signed on a different machine, the MAC used to sign it is stored in that machine's key container named "XML_DSIG_RSA_KEY", but when I try to verify the signature on the host machine a different MAC is generated and stored in the container named "XML_DSIG_RSA_KEY" on the host machine, hence the digital signature doesn't get verified.
Q2: Is this assumption correct? And what is the best way to cope with this? Should I use a certificate to digitally sign the XML document and then verify it? In that case, do I need to accompany the DSIG XML document with the certificate?
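As an added example (not the asker's code), the following shows the approach Q2 is asking about: the signing machine keeps the private key and embeds only the public half in the signature's KeyInfo, and the verifying machine checks the signature against a pinned copy of that public key rather than opening any local key container. The class and method names are assumed for illustration; the caller is assumed to have obtained expectedPublicKey out of band (e.g. from the signer's exported public key or certificate).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Illustrative helper (hypothetical name): portable XML DSIG across machines.
public static class PortableXmlDsig
{
    // Signing side: the private key never leaves this host; only the public
    // key is written into <KeyInfo> so the verifier can identify the signer.
    public static XmlDocument Sign(XmlDocument document, RSA signingKey)
    {
        document.PreserveWhitespace = true;
        var signedXml = new SignedXml(document) { SigningKey = signingKey };

        // Enveloped signature over the whole document (URI "" = root element).
        var reference = new Reference("");
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);

        // Embed the public key; no key container is needed on the verifier.
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new RSAKeyValue(signingKey));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        XmlElement sig = signedXml.GetXml();
        document.DocumentElement.AppendChild(document.ImportNode(sig, true));
        return document;
    }

    // Verifying side: no CspParameters, no Administrator role, no FullTrust.
    // expectedPublicKey is the signer's public key obtained out of band.
    public static bool Verify(XmlDocument document, RSA expectedPublicKey)
    {
        document.PreserveWhitespace = true;
        XmlNodeList nodes = document.GetElementsByTagName(
            "Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false; // missing or ambiguous signature

        var signedXml = new SignedXml(document);
        signedXml.LoadXml((XmlElement)nodes[0]);

        // Verify against the pinned key, not the embedded one: a <KeyInfo>
        // proves integrity only against whatever key the sender chose to
        // embed, so CheckSignature() with no argument would accept a
        // document re-signed with any attacker-supplied key.
        return signedXml.CheckSignature(expectedPublicKey);
    }
}
```

If a certificate is shipped with the document instead of a raw key, the same rule applies: validate the certificate chain (or pin its thumbprint) and then pass its public key to CheckSignature, rather than trusting whatever KeyInfo contains.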