XML DSIG Verification

Question

I'm digitally signing a XML document and verifying it on 2 different machines (Sign it at one machine and verifying on another).

I'm doing the following to verify the XML DSIG in CSharp.Net.

        public static Boolean VerifyXml(XmlDocument document)
        {
            document.PreserveWhitespace = true;
            // Create a new CspParameters object to specify
            // a key container.
            CspParameters cspParams = new CspParameters();
            cspParams.KeyContainerName = "XML_DSIG_RSA_KEY";

            // Create a new RSA signing key and save it in the container. 
            //**Earlier was getting exception here in rsaKey object**
            RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider(cspParams);

            // Create a new SignedXml object and pass it
            // the XML document class.
            SignedXml signedXml = new SignedXml(document);

            // Find the "Signature" node and create a new
            // XmlNodeList object.
            // It's guaranteed that there's always exists a signature 
            XmlNodeList nodeList = document.GetElementsByTagName("Signature");

            // Load the <signature> node.  
            signedXml.LoadXml((XmlElement)nodeList[0]);

            // Check the signature and return the result.
            bool isDone = signedXml.CheckSignature(rsaKey); //**This is returning false.**
            return isDone;
        }

Initially I was getting PermissionDenied exception when my web application tries to access the Key Container. However I've temporarily add the application user and IIS user to Administrator role and assigned FullTrust security policy to my web application using CasPol.

Q1: [My first question is What is the best way to over come this]?? I know assigning web application fulltrust and adding the user to administrator role is not a bright idea, even though it works

My second question is regarding the signedXml.CheckSignature(rsaKey); returning false. Now as per my understanding, since the XML document is digitally signed on a different machine the MAC used to signed it is stored on that machines KEY Container Name "XML_DSIG_RSA_KEY", but when I tried to verify the signature on host machine a different MAC is generated and stored in container name "XML_DSIG_RSA_KEY" on host machine, hence the digital signature didn't got verified.

Q2: Is this assumption correct?? and what is the best way to cope with this... Should I use a certificate to digitally signed the XML document and then verify it, in that case. should I need to accompany the certificate with the DSIG XML document.???

Answer 1

To answer your second question first: You want to verify the XML with the public part of the RSA key-pair that was used to sign it. So you need to either already possess (and trust) the public key on the verifying machine or to send the certificate containing the public key with the XML (it can be stored inside the XML-signature structure) and then verify that the certificate has been issued by a trusted Certificate Authority.

To implement the first case, you can call ToXmlString(false) on the key on the sending side, store the result in a file and keep this file on the receiving side. Then on the receiving end, read the file and call:

RSACryptoServiceProvider rsaKey = new RSACryptoServiceProvider();
rsaKey.ImportFromXml(publicKeyFromFile);

The second case can be done by obtaining a certificate, and adding it to the signature on the signing side like this:

KeyInfo keyInfo = new KeyInfo();
X509Certificate cert = // load certificate
keyInfo.AddClause(new KeyInfoX509Data(cert));
signedXml.KeyInfo = keyInfo;

If the certificate is trusted, you can then verify the signature on the receiving side by just calling:

bool isDone = signedXml.CheckSignature();

To answer your first question: once you are no longer trying to access the private key store (which you were doing by calling the RSACryptoServiceProvider-constructor like you did), you should be able to run without full trust.