我使用的是XMLDSIG来签署配置文件。我想我的CA以能够发出可用于签署的XML密钥。那么我想验证XML与我的CA颁发的密钥进行签名。
I'm using XMLDSIG to sign a configuration file. I'd like my CA to be able to issue keys that can be used to sign XML. I'd then like to verify that the XML was signed with a key issued by my CA.
我如何得到签名证书了 SignedXml
的对象?我如何按照证书链返回到一个特定的CA?
How do I get the signing certificate out of the SignedXml
object? How do I follow the certificate chain back to a specific CA?
注意,公共密钥为我的CA将存储在我的可执行文件,而不是证书存储
Note that the public key for my CA will be stored in my executable, rather than the certificate store.
推荐答案
要附加任意证书到XML-DSIG文件,添加的 <的X509Data>
元素。为此,在.NET中,使用方法:
To attach arbitrary certificates to an XML-DSIG file, add an <X509Data>
element. To do this in .NET, use:
signedXml.KeyInfo.AddClause(
new KeyInfoX509Data(certificate, X509IncludeOption.WholeChain));
要提取XML文件中的证书,用途:
To extract the certificates from the XML file, use:
var certificates = signedXml.KeyInfo.OfType<KeyInfoX509Data>().Single();
然后,您可以通过下面的验证链:
You can then verify the chain by using the following:
var chain = new X509Chain();
chain.ChainPolicy.ExtraStore.AddRange(
certificates.Cast<X509Certificate2>().ToArray());
var chainIsOk = chain.Build(signingCertificate);
要找出哪些证书实际上是用于签名(因此对 signingCertificate
的值),你需要找到包含证书的
相关推荐
最新文章