SignedXml Class
Provides a wrapper on a core XML signature object to facilitate creating XML signatures.
Namespace: System.Security.Cryptography.Xml
Assembly: System.Security (in System.Security.dll)
The SignedXml type exposes the following members.
Constructors

| Name | Description |
|---|---|
| SignedXml() | Initializes a new instance of the SignedXml class. |
| SignedXml(XmlDocument) | Initializes a new instance of the SignedXml class from the specified XML document. |
| SignedXml(XmlElement) | Initializes a new instance of the SignedXml class from the specified XmlElement object. |
Properties

| Name | Description |
|---|---|
| EncryptedXml | Gets or sets an EncryptedXml object that defines the XML encryption processing rules. |
| KeyInfo | Gets or sets the KeyInfo object of the current SignedXml object. |
| Resolver | Sets the current XmlResolver object. |
| Signature | Gets the Signature object of the current SignedXml object. |
| SignatureFormatValidator | Gets a delegate that will be called to validate the format (not the cryptographic security) of an XML signature. |
| SignatureLength | Gets the length of the signature for the current SignedXml object. |
| SignatureMethod | Gets the signature method of the current SignedXml object. |
| SignatureValue | Gets the signature value of the current SignedXml object. |
| SignedInfo | Gets the SignedInfo object of the current SignedXml object. |
| SigningKey | Gets or sets the asymmetric algorithm key used for signing a SignedXml object. |
| SigningKeyName | Infrastructure. Gets or sets the name of the installed key to be used for signing the SignedXml object. |
Methods

| Name | Description |
|---|---|
| AddObject | Adds a DataObject object to the list of objects to be signed. |
| AddReference | Adds a Reference object to the SignedXml object that describes a digest method, digest value, and transform to use for creating an XML digital signature. |
| CheckSignature() | Determines whether the Signature property verifies using the public key in the signature. |
| CheckSignature(AsymmetricAlgorithm) | Determines whether the Signature property verifies for the specified key. |
| CheckSignature(KeyedHashAlgorithm) | Determines whether the Signature property verifies for the specified message authentication code (MAC) algorithm. |
| CheckSignature(X509Certificate2, Boolean) | Determines whether the Signature property verifies for the specified X509Certificate2 object and, optionally, whether the certificate is valid. |
| CheckSignatureReturningKey | Determines whether the Signature property verifies using the public key in the signature. |
| ComputeSignature() | Computes an XML digital signature. |
| ComputeSignature(KeyedHashAlgorithm) | Computes an XML digital signature using the specified message authentication code (MAC) algorithm. |
| Equals(Object) | Determines whether the specified object is equal to the current object. (Inherited from Object.) |
| Finalize | Allows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.) |
| GetHashCode | Serves as a hash function for a particular type. (Inherited from Object.) |
| GetIdElement | Returns the XmlElement object with the specified ID from the specified XmlDocument object. |
| GetPublicKey | Returns the public key of a signature. |
| GetType | Gets the Type of the current instance. (Inherited from Object.) |
| GetXml | Returns the XML representation of a SignedXml object. |
| LoadXml | Loads a SignedXml state from an XML element. |
| MemberwiseClone | Creates a shallow copy of the current Object. (Inherited from Object.) |
| ToString | Returns a string that represents the current object. (Inherited from Object.) |
Fields

| Name | Description |
|---|---|
| m_signature | Infrastructure. Represents the Signature object of the current SignedXml object. |
| m_strSigningKeyName | Infrastructure. Represents the name of the installed key to be used for signing the SignedXml object. |
| XmlDecryptionTransformUrl | Represents the Uniform Resource Identifier (URI) for the XML mode decryption transformation. This field is constant. |
| XmlDsigBase64TransformUrl | Represents the Uniform Resource Identifier (URI) for the base 64 transformation. This field is constant. |
| XmlDsigC14NTransformUrl | Represents the Uniform Resource Identifier (URI) for the Canonical XML transformation. This field is constant. |
| XmlDsigC14NWithCommentsTransformUrl | Represents the Uniform Resource Identifier (URI) for the Canonical XML transformation, with comments. This field is constant. |
| XmlDsigCanonicalizationUrl | Represents the Uniform Resource Identifier (URI) for the standard canonicalization algorithm for XML digital signatures. This field is constant. |
| XmlDsigCanonicalizationWithCommentsUrl | Represents the Uniform Resource Identifier (URI) for the standard canonicalization algorithm for XML digital signatures and includes comments. This field is constant. |
| XmlDsigDSAUrl | Represents the Uniform Resource Identifier (URI) for the standard DSA algorithm for XML digital signatures. This field is constant. |
| XmlDsigEnvelopedSignatureTransformUrl | Represents the Uniform Resource Identifier (URI) for enveloped signature transformation. This field is constant. |
| XmlDsigExcC14NTransformUrl | Represents the Uniform Resource Identifier (URI) for exclusive XML canonicalization. This field is constant. |
| XmlDsigExcC14NWithCommentsTransformUrl | Represents the Uniform Resource Identifier (URI) for exclusive XML canonicalization, with comments. This field is constant. |
| XmlDsigHMACSHA1Url | Represents the Uniform Resource Identifier (URI) for the standard HMACSHA1 algorithm for XML digital signatures. This field is constant. |
| XmlDsigMinimalCanonicalizationUrl | Represents the Uniform Resource Identifier (URI) for the standard minimal canonicalization algorithm for XML digital signatures. This field is constant. |
| XmlDsigNamespaceUrl | Represents the Uniform Resource Identifier (URI) for the standard namespace for XML digital signatures. This field is constant. |
| XmlDsigRSASHA1Url | Represents the Uniform Resource Identifier (URI) for the standard RSA signature method for XML digital signatures. This field is constant. |
| XmlDsigSHA1Url | Represents the Uniform Resource Identifier (URI) for the standard SHA1 digest method for XML digital signatures. This field is constant. |
| XmlDsigXPathTransformUrl | Represents the Uniform Resource Identifier (URI) for the XML Path Language (XPath). This field is constant. |
| XmlDsigXsltTransformUrl | Represents the Uniform Resource Identifier (URI) for XSLT transformations. This field is constant. |
| XmlLicenseTransformUrl | Represents the Uniform Resource Identifier (URI) for the license transform algorithm used to normalize XrML licenses for signatures. |
The SignedXml class is the main class used for XML signing and verification (XMLDSIG) in the .NET Framework. XMLDSIG is a standards-based, interoperable way to sign and verify all or part of an XML document or other data that is addressable from a Uniform Resource Identifier (URI). The .NET Framework XMLDSIG classes implement the World Wide Web Consortium (W3C) specification for XML signing and verification located at http://www.w3.org/TR/xmldsig-core/.
Use the SignedXml class whenever you need to share signed XML data between applications or organizations in a standard way. Any data signed using this class can be verified by any conforming implementation of the W3C specification for XMLDSIG.
XMLDSIG creates a <Signature> element, which contains a digital signature of an XML document or other data that is addressable from a URI. The <Signature> element can optionally contain information about where to find a key that will verify the signature and which cryptographic algorithm was used for signing.
The SignedXml class allows you to create the following three kinds of XML digital signatures:
| Signature Type | Description |
|---|---|
| Enveloped signature | The signature is contained within the XML document being signed. |
| Enveloping signature | The signed XML is contained within the <Signature> element. |
| Detached signature | The signature is in a separate document from the data being signed. |
Use one of the following methods to exchange key information:

- Do not include any key information. If you choose this option, both parties must agree on an algorithm and key before they exchange a digital signature.
- Include a public key in the <EncryptedKey> element.
- Include the location of the key in the URI attribute of the <RetrievalMethod> element. Both parties must agree on the key location ahead of time and this location must be kept secret.
- Include a string name that maps to a key in the <KeyName> element. Both parties must agree on the key name mapping before they exchange encrypted data and this mapping must be kept secret.
Note

The HostProtectionAttribute attribute applied to this type or member has the following Resources property value: MayLeakOnAbort. The HostProtectionAttribute does not affect desktop applications (which are typically started by double-clicking an icon, typing a command, or entering a URL in a browser). For more information, see the HostProtectionAttribute class or SQL Server Programming and Host Protection Attributes.
The following code example shows how to sign and verify an entire XML document using an enveloped signature.
```csharp
//
// This example signs an XML file using an
// envelope signature. It then verifies the
// signed XML.
//
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

public class SignVerifyEnvelope
{
    public static void Main(String[] args)
    {
        try
        {
            // Generate a signing key.
            RSACryptoServiceProvider Key = new RSACryptoServiceProvider();

            // Create an XML file to sign.
            CreateSomeXml("Example.xml");
            Console.WriteLine("New XML file created.");

            // Sign the XML that was just created and save it in a
            // new file.
            SignXmlFile("Example.xml", "SignedExample.xml", Key);
            Console.WriteLine("XML file signed.");

            // Verify the signature of the signed XML.
            Console.WriteLine("Verifying signature...");
            bool result = VerifyXmlFile("SignedExample.xml", Key);

            // Display the results of the signature verification to
            // the console.
            if (result)
            {
                Console.WriteLine("The XML signature is valid.");
            }
            else
            {
                Console.WriteLine("The XML signature is not valid.");
            }
        }
        catch (CryptographicException e)
        {
            Console.WriteLine(e.Message);
        }
    }

    // Sign an XML file and save the signature in a new file. This method does not
    // save the public key within the XML file. This file cannot be verified unless
    // the verifying code has the key with which it was signed.
    public static void SignXmlFile(string FileName, string SignedFileName, RSA Key)
    {
        // Create a new XML document.
        XmlDocument doc = new XmlDocument();

        // Load the passed XML file using its name.
        doc.Load(new XmlTextReader(FileName));

        // Create a SignedXml object.
        SignedXml signedXml = new SignedXml(doc);

        // Add the key to the SignedXml document.
        signedXml.SigningKey = Key;

        // Create a reference to be signed.
        Reference reference = new Reference();
        reference.Uri = "";

        // Add an enveloped transformation to the reference.
        XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
        reference.AddTransform(env);

        // Add the reference to the SignedXml object.
        signedXml.AddReference(reference);

        // Compute the signature.
        signedXml.ComputeSignature();

        // Get the XML representation of the signature and save
        // it to an XmlElement object.
        XmlElement xmlDigitalSignature = signedXml.GetXml();

        // Append the element to the XML document.
        doc.DocumentElement.AppendChild(doc.ImportNode(xmlDigitalSignature, true));

        if (doc.FirstChild is XmlDeclaration)
        {
            doc.RemoveChild(doc.FirstChild);
        }

        // Save the signed XML document to a file specified
        // using the passed string.
        XmlTextWriter xmltw = new XmlTextWriter(SignedFileName, new UTF8Encoding(false));
        doc.WriteTo(xmltw);
        xmltw.Close();
    }

    // Verify the signature of an XML file against an asymmetric
    // algorithm and return the result.
    public static Boolean VerifyXmlFile(String Name, RSA Key)
    {
        // Create a new XML document.
        XmlDocument xmlDocument = new XmlDocument();

        // Load the passed XML file into the document.
        xmlDocument.Load(Name);

        // Create a new SignedXml object and pass it
        // the XML document class.
        SignedXml signedXml = new SignedXml(xmlDocument);

        // Find the "Signature" node and create a new
        // XmlNodeList object.
        XmlNodeList nodeList = xmlDocument.GetElementsByTagName("Signature");

        // Load the signature node.
        signedXml.LoadXml((XmlElement)nodeList[0]);

        // Check the signature and return the result.
        return signedXml.CheckSignature(Key);
    }

    // Create example data to sign.
    public static void CreateSomeXml(string FileName)
    {
        // Create a new XmlDocument object.
        XmlDocument document = new XmlDocument();

        // Create a new XmlNode object.
        XmlNode node = document.CreateNode(XmlNodeType.Element, "", "MyElement", "samples");

        // Add some text to the node.
        node.InnerText = "Example text to be signed.";

        // Append the node to the document.
        document.AppendChild(node);

        // Save the XML document to the file name specified.
        XmlTextWriter xmltw = new XmlTextWriter(FileName, new UTF8Encoding(false));
        document.WriteTo(xmltw);
        xmltw.Close();
    }
}
```
The following code example shows how to sign and verify an object that is addressable from a Uniform Resource Identifier (URI), using a detached signature.
```csharp
//
// This example signs a file specified by a URI
// using a detached signature. It then verifies
// the signed XML.
//
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

class XMLDSIGDetached
{
    [STAThread]
    static void Main(string[] args)
    {
        // The URI to sign.
        string resourceToSign = "http://www.microsoft.com";

        // The name of the file to which to save the XML signature.
        string XmlFileName = "xmldsig.xml";

        try
        {
            // Generate a signing key.
            RSACryptoServiceProvider Key = new RSACryptoServiceProvider();

            Console.WriteLine("Signing: {0}", resourceToSign);

            // Sign the detached resource and save the signature in an XML file.
            SignDetachedResource(resourceToSign, XmlFileName, Key);

            Console.WriteLine("XML Signature was successfully computed and saved to {0}.", XmlFileName);

            // Verify the signature of the signed XML.
            Console.WriteLine("Verifying signature...");

            // Verify the XML signature in the XML file against the key.
            bool result = VerifyDetachedSignature(XmlFileName, Key);

            // Display the results of the signature verification to
            // the console.
            if (result)
            {
                Console.WriteLine("The XML signature is valid.");
            }
            else
            {
                Console.WriteLine("The XML signature is not valid.");
            }
        }
        catch (CryptographicException e)
        {
            Console.WriteLine(e.Message);
        }
    }

    // Sign an XML file and save the signature in a new file. This method does not
    // save the public key within the XML file. This file cannot be verified unless
    // the verifying code has the key with which it was signed.
    public static void SignDetachedResource(string URIString, string XmlSigFileName, RSA Key)
    {
        // Create a SignedXml object.
        SignedXml signedXml = new SignedXml();

        // Assign the key to the SignedXml object.
        signedXml.SigningKey = Key;

        // Create a reference to be signed.
        Reference reference = new Reference();

        // Add the passed URI to the reference object.
        reference.Uri = URIString;

        // Add the reference to the SignedXml object.
        signedXml.AddReference(reference);

        // Compute the signature.
        signedXml.ComputeSignature();

        // Get the XML representation of the signature and save
        // it to an XmlElement object.
        XmlElement xmlDigitalSignature = signedXml.GetXml();

        // Save the signed XML document to a file specified
        // using the passed string.
        XmlTextWriter xmltw = new XmlTextWriter(XmlSigFileName, new UTF8Encoding(false));
        xmlDigitalSignature.WriteTo(xmltw);
        xmltw.Close();
    }

    // Verify the signature of an XML file against an asymmetric
    // algorithm and return the result.
    public static Boolean VerifyDetachedSignature(string XmlSigFileName, RSA Key)
    {
        // Create a new XML document.
        XmlDocument xmlDocument = new XmlDocument();

        // Load the passed XML file into the document.
        xmlDocument.Load(XmlSigFileName);

        // Create a new SignedXml object.
        SignedXml signedXml = new SignedXml();

        // Find the "Signature" node and create a new
        // XmlNodeList object.
        XmlNodeList nodeList = xmlDocument.GetElementsByTagName("Signature");

        // Load the signature node.
        signedXml.LoadXml((XmlElement)nodeList[0]);

        // Check the signature against the passed asymmetric key
        // and return the result.
        return signedXml.CheckSignature(Key);
    }
}
```
The following code example shows how to sign and verify a single element of an XML document using an enveloping signature.
```csharp
//
// This example signs an XML file using an
// envelope signature. It then verifies the
// signed XML.
//
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Text;
using System.Xml;

public class SignVerifyEnvelope
{
    public static void Main(String[] args)
    {
        // Generate a signing key.
        RSACryptoServiceProvider Key = new RSACryptoServiceProvider();

        try
        {
            // Specify an element to sign.
            string[] elements = { "#tag1" };

            // Sign an XML file and save the signature to a
            // new file.
            SignXmlFile("Test.xml", "SignedExample.xml", Key, elements);
            Console.WriteLine("XML file signed.");

            // Verify the signature of the signed XML.
            Console.WriteLine("Verifying signature...");
            bool result = VerifyXmlFile("SignedExample.xml");

            // Display the results of the signature verification to
            // the console.
            if (result)
            {
                Console.WriteLine("The XML signature is valid.");
            }
            else
            {
                Console.WriteLine("The XML signature is not valid.");
            }
        }
        catch (CryptographicException e)
        {
            Console.WriteLine(e.Message);
        }
        finally
        {
            // Clear resources associated with the
            // RSACryptoServiceProvider.
            Key.Clear();
        }
    }

    // Sign an XML file and save the signature in a new file.
    public static void SignXmlFile(string FileName, string SignedFileName, RSA Key, string[] ElementsToSign)
    {
        // Check the arguments.
        if (FileName == null)
            throw new ArgumentNullException("FileName");
        if (SignedFileName == null)
            throw new ArgumentNullException("SignedFileName");
        if (Key == null)
            throw new ArgumentNullException("Key");
        if (ElementsToSign == null)
            throw new ArgumentNullException("ElementsToSign");

        // Create a new XML document.
        XmlDocument doc = new XmlDocument();

        // Format the document to ignore white spaces.
        doc.PreserveWhitespace = false;

        // Load the passed XML file using its name.
        doc.Load(new XmlTextReader(FileName));

        // Create a SignedXml object.
        SignedXml signedXml = new SignedXml(doc);

        // Add the key to the SignedXml document.
        signedXml.SigningKey = Key;

        // Loop through each passed element to sign
        // and create a reference.
        foreach (string s in ElementsToSign)
        {
            // Create a reference to be signed.
            Reference reference = new Reference();
            reference.Uri = s;

            // Add an enveloped transformation to the reference.
            XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform();
            reference.AddTransform(env);

            // Add the reference to the SignedXml object.
            signedXml.AddReference(reference);
        }

        // Add an RSAKeyValue KeyInfo (optional; helps recipient find key to validate).
        KeyInfo keyInfo = new KeyInfo();
        keyInfo.AddClause(new RSAKeyValue((RSA)Key));
        signedXml.KeyInfo = keyInfo;

        // Compute the signature.
        signedXml.ComputeSignature();

        // Get the XML representation of the signature and save
        // it to an XmlElement object.
        XmlElement xmlDigitalSignature = signedXml.GetXml();

        // Append the element to the XML document.
        doc.DocumentElement.AppendChild(doc.ImportNode(xmlDigitalSignature, true));

        if (doc.FirstChild is XmlDeclaration)
        {
            doc.RemoveChild(doc.FirstChild);
        }

        // Save the signed XML document to a file specified
        // using the passed string.
        XmlTextWriter xmltw = new XmlTextWriter(SignedFileName, new UTF8Encoding(false));
        doc.WriteTo(xmltw);
        xmltw.Close();
    }

    // Verify the signature of an XML file and return the result.
    public static Boolean VerifyXmlFile(String Name)
    {
        // Check the arguments.
        if (Name == null)
            throw new ArgumentNullException("Name");

        // Create a new XML document.
        XmlDocument xmlDocument = new XmlDocument();

        // Format using white spaces.
        xmlDocument.PreserveWhitespace = true;

        // Load the passed XML file into the document.
        xmlDocument.Load(Name);

        // Create a new SignedXml object and pass it
        // the XML document class.
        SignedXml signedXml = new SignedXml(xmlDocument);

        // Find the "Signature" node and create a new
        // XmlNodeList object.
        XmlNodeList nodeList = xmlDocument.GetElementsByTagName("Signature");

        // Load the signature node.
        signedXml.LoadXml((XmlElement)nodeList[0]);

        // Check the signature and return the result.
        return signedXml.CheckSignature();
    }
}
```
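The enveloped examples above verify either with the caller's key or, in the last one, with the parameterless CheckSignature(), which trusts whatever public key the signer placed in KeyInfo; a relying party that does the latter accepts a document signed by anyone who embeds their own key. The following is an added example, not code from the original page, of a stricter verifier for the whole-document enveloped case: it verifies only against a key the application already trusts, disables external reference resolution through the Resolver property, and checks that the document carries exactly one Signature whose single Reference covers the whole document with the enveloped transform alone. The class name, the allow-list parameter and the reason strings are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Hypothetical helper (not part of the page's examples).
public static class StrictEnvelopedVerifier
{
    // Returns true only if the document carries exactly one ds:Signature that covers
    // the whole document (URI="") with the enveloped transform alone, uses a signature
    // method from the caller's allow-list, and verifies under trustedKey. Any key the
    // signer embedded in KeyInfo is ignored.
    public static bool Verify(XmlDocument doc, RSA trustedKey,
                              string[] allowedSignatureMethods, out string reason)
    {
        reason = null;

        // Look only in the XMLDSIG namespace, and refuse documents with more than one Signature.
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1)
        {
            reason = "expected exactly one Signature element, found " + sigs.Count;
            return false;
        }

        SignedXml signedXml = new SignedXml(doc);
        signedXml.Resolver = null;   // never fetch external URIs while verifying
        signedXml.LoadXml((XmlElement)sigs[0]);

        // Reject unexpected signature methods before doing any cryptography.
        if (Array.IndexOf(allowedSignatureMethods, signedXml.SignatureMethod) < 0)
        {
            reason = "signature method not allowed: " + signedXml.SignatureMethod;
            return false;
        }

        // Exactly one Reference, covering the whole document, with only the
        // enveloped-signature transform (no XPath or XSLT transforms).
        if (signedXml.SignedInfo.References.Count != 1)
        {
            reason = "expected exactly one Reference";
            return false;
        }
        Reference r = (Reference)signedXml.SignedInfo.References[0];
        if (r.Uri != "" || r.TransformChain.Count != 1 ||
            r.TransformChain[0].Algorithm != SignedXml.XmlDsigEnvelopedSignatureTransformUrl)
        {
            reason = "Reference must be URI=\"\" with only the enveloped transform";
            return false;
        }

        // Verify against the key we trust, not the one carried in the document.
        bool ok = signedXml.CheckSignature(trustedKey);
        if (!ok) reason = "signature value does not verify under the trusted key";
        return ok;
    }

    // Loads a file written by the page's SignXmlFile example and verifies it.
    public static bool VerifyFile(string path, RSA trustedKey, out string reason)
    {
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;          // no DTD or entity fetching while loading
        doc.PreserveWhitespace = true;   // keep the signed bytes exactly as written
        doc.Load(path);
        // The page's examples sign with RSACryptoServiceProvider, which produces
        // XmlDsigRSASHA1Url; widen the allow-list when your signer emits a stronger method.
        return Verify(doc, trustedKey, new[] { SignedXml.XmlDsigRSASHA1Url }, out reason);
    }
}
```

The reason string is intended for logging on the verifying side, so a rejected document can be distinguished from a merely malformed one.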
Platforms

Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.