Using XPS Digital Signature API

This topic lists considerations for using the XPS Digital Signature API to add digital signatures to an XPS document.

The XPS Digital Signature API enables applications to request users to sign XPS documents and to verify signatures that are found in XPS documents. The XPS Digital Signature API can be applied to an XPS document without loading it into an XPS OM, and it can be used on XPS document streams that are serialized from an XPS OM.

The XPS Digital Signature API Programming Tasks section contains topics that describe how to program with the XPS Digital Signature API. This topic lists the following considerations for using the XPS Digital Signature API when adding digital signature support to an application.

  • XPS Digital Signature API Programming Tasks
  • Special Notes about XPS Digital Signature API Programming
    • Verifying Digital Signatures in an XPS Document
    • Digital Signature Signing Policy
    • Embedding a Certificate Chain
    • Using the CERT_CONTEXT Structure
  • Related topics

XPS Digital Signature API Programming Tasks

This section contains topics that describe how to perform programming tasks by using the XPS Digital Signature API.

Special Notes about XPS Digital Signature API Programming

The following topics require some special consideration when you use the XPS Digital Signature API.

  • Verifying Digital Signatures in an XPS Document
  • Digital Signature Signing Policy
  • Embedding a Certificate Chain
  • Using the CERT_CONTEXT Structure

Verifying Digital Signatures in an XPS Document

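IXpsSignature::Verify checks only the signed content to determine that it has not changed since it was signed. IXpsSignature::Verify does not verify any of the certificates that were used to sign the document content. A successful result therefore means only that the signed content is intact; the application must validate the signing certificates separately.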

For more information about certificates and cryptography, see About Cryptography.

For an example of how to verify document signatures in a program, see Verify Document Signatures and Certificates.

Digital Signature Signing Policy

The digital signature signing policy determines which parts of an XPS document are signed. One signing policy option is to sign the signature relationships that start from the signature origin part. Because the signature relationships change with each signature that is added, signatures that are made under this policy will break when new signatures are added. Make sure that you understand clearly the implications and effects of setting this policy; otherwise, unexpected or undesired behavior might result.

For more information about signing policies, see XPS_SIGN_POLICY.
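
The effect described above, as an added example that is not part of the original topic and does not call the XPS Digital Signature API: a simplified Python model of a package in which an HMAC stands in for the certificate-based signature. The part names, key, and function names are hypothetical.

```python
import hashlib
import hmac

# Constructed sample data: part names and key are hypothetical, not real XPS paths.
PAGE = "/Documents/1/Pages/1.fpage"
ORIGIN_RELS = "/signatures/_rels/origin.rels"
KEY = b"constructed-demo-key"  # an HMAC stands in for the certificate-based signature


def _seal(manifest: dict) -> str:
    """MAC over the manifest of (part name, digest) pairs."""
    return hmac.new(KEY, repr(sorted(manifest.items())).encode(), hashlib.sha256).hexdigest()


def add_signature(parts: dict, sigs: dict, sig_id: str, sign_relationships: bool) -> None:
    """Sign the page and, if the policy says so, the signature origin relationships."""
    # Every new signature adds one relationship entry to the origin relationships part.
    entry = f"<Relationship Target='{sig_id}'/>".encode()
    parts[ORIGIN_RELS] = parts.get(ORIGIN_RELS, b"") + entry
    covered = [PAGE, ORIGIN_RELS] if sign_relationships else [PAGE]
    manifest = {name: hashlib.sha256(parts[name]).hexdigest() for name in covered}
    sigs[sig_id] = (manifest, _seal(manifest))


def verify(parts: dict, sigs: dict, sig_id: str) -> bool:
    """True only if the manifest is authentic and every covered part is unchanged."""
    manifest, mac = sigs[sig_id]
    if not hmac.compare_digest(mac, _seal(manifest)):
        return False
    return all(hashlib.sha256(parts[n]).hexdigest() == d for n, d in manifest.items())


def demo(sign_relationships: bool) -> tuple:
    """Return the validity of the first signature before and after a second is added."""
    parts = {PAGE: b"<FixedPage>constructed page</FixedPage>"}
    sigs: dict = {}
    add_signature(parts, sigs, "sig1", sign_relationships)
    before = verify(parts, sigs, "sig1")
    add_signature(parts, sigs, "sig2", sign_relationships=False)
    return before, verify(parts, sigs, "sig1")


if __name__ == "__main__":
    print("relationships signed:    ", demo(True))   # first signature breaks
    print("relationships not signed:", demo(False))  # first signature survives
```

In the model, a signature that covers the relationships part fails verification as soon as a second signature is registered, even though the page content is untouched.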

Embedding a Certificate Chain

The certificates that make up the trust chain of a specific certificate can be added to an XPS document. Embedding these certificates can make it easier, in off-line scenarios, for an application to verify the certificates that a digital signature uses.

For more information about how to embed certificates in an XPS document, see Embed Certificate Chains in a Document.

Using the CERT_CONTEXT Structure

The CERT_CONTEXT and CERT_INFO structures are the main data structures that hold certificate information. For more information about using these structures, see Using a CERT_INFO Data Structure.

CERT_CONTEXT structures that are returned by Crypto API functions must be released when they are no longer needed. To release a CERT_CONTEXT structure, call the CertFreeCertificateContext function.

Related topics

  • Common Digital Signature Programming Tasks
  • Additional Digital Signature Programming Tasks
  • CERT_CONTEXT
  • CERT_INFO
  • CertFreeCertificateContext
  • XPS_SIGN_POLICY
  • XML Paper Specification