Question

I'm generating a SAML2 token from ADFS, signed with a certificate. Now I'm trying to verify that signature, using the same certificate.

using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

X509Certificate2 cert = LoadCert();                 // the ADFS signing certificate
XmlDocument token = LoadXmlToken();                 // SAML2 token (load with PreserveWhitespace = true, or the digests change)
XmlElement signature = GetSignatureElement(token);  // the ds:Signature element inside the token

SignedXml signedXml = new SignedXml(token);
signedXml.LoadXml(signature);
bool result1 = signedXml.CheckSignature();            //true  (key taken from the token's KeyInfo)
bool result2 = signedXml.CheckSignature(cert, false); //false (key taken from cert, plus certificate check)

CheckSignature() verifies the signature against the public key contained in the token. CheckSignature(cert, [true/false]) verifies the signature against the private key from the certificate.

How can it be that one works and the other doesn't?


Solution

The method signedXml.CheckSignature() evaluates the XML signature integrity against the certificate contained inside the signature itself.

The method SignedXml.CheckSignature(X509Certificate2, Boolean) evaluates the XML signature integrity against the certificate passed as the first parameter and, if the second parameter is false, also checks the validity of that certificate.

The second method probably returns false because you are specifying the wrong certificate: it is not the certificate that performed the signature, or it is revoked or expired, or it is issued by an untrusted certificate authority.

OTHER TIPS

We had to enable IP addresses and/or URLs on our outbound firewall for the CheckSignature method when using the certificate check. In our case it tried to communicate with the root CA's and the sub CAs' websites. With the firewall closed the method failed, but once we identified the URLs being accessed and opened up the firewall it started to work as expected.

The difference is in the second parameter (boolean). If you look at the documentation of the parameterless CheckSignature method you can find this:

This method also computes the digest of the references and the value of the signature.

The second method has this documentation: if the second parameter is set to false, then verify both the signature and certificate.

To verify the certificate, this method will probably build the whole certificate chain and check the revocation information of all certificates in that chain.
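The Solution and the tip just above both describe what CheckSignature(cert, false) does beyond the parameterless overload. The following is an added example, not code from the question or from either answer, that makes the difference observable: it signs a constructed stand-in for a SAML2 assertion with a throw-away self-signed test certificate (an assumption; a real ADFS signing certificate chains to a CA), runs each overload side by side, and then builds the X509Chain itself so the chain status says why a full check fails. It assumes .NET 6 or later with the System.Security.Cryptography.Xml package referenced; the class, method and subject names are the example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not code from the original post. Signs a constructed XML
// document with a self-signed certificate, runs the CheckSignature overloads
// side by side, then exposes the X509Chain status that
// CheckSignature(cert, false) hides behind a plain "false".
static class CheckSignatureDemo
{
    // Stand-in for the ADFS signing certificate (assumption: self-signed, so it
    // is not chained to any root the machine trusts). KeyUsage is set the way a
    // real signing cert's is, because the full check rejects a certificate whose
    // KeyUsage has neither DigitalSignature nor NonRepudiation.
    static X509Certificate2 MakeSelfSigned(string subject)
    {
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: false));
        using X509Certificate2 ephemeral = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        // Round-trip through PFX so the private key is usable for signing on every platform.
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx));
    }

    // Enveloped signature over the whole document, with the certificate embedded in
    // <KeyInfo> the way ADFS does it; that embedded cert is what CheckSignature() uses.
    static void SignDocument(XmlDocument doc, X509Certificate2 signer)
    {
        var signedXml = new SignedXml(doc) { SigningKey = signer.GetRSAPrivateKey() };
        var reference = new Reference { Uri = "" }; // "" = the whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(signer));
        signedXml.KeyInfo = keyInfo;
        signedXml.ComputeSignature();
        doc.DocumentElement!.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    // The checks from the question, plus a deliberately unrelated certificate.
    static (bool embeddedKey, bool sigOnly, bool sigAndChain, bool wrongCert)
        Verify(XmlDocument signedDoc, X509Certificate2 signer, X509Certificate2 other)
    {
        var signedXml = new SignedXml(signedDoc);
        XmlNodeList sigs = signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        signedXml.LoadXml((XmlElement)sigs[0]!);

        return (
            embeddedKey: signedXml.CheckSignature(),              // public key taken from <KeyInfo> in the token
            sigOnly:     signedXml.CheckSignature(signer, true),  // public key of the cert we pass; no chain check
            sigAndChain: signedXml.CheckSignature(signer, false), // same, plus KeyUsage check and X509Chain.Build
            wrongCert:   signedXml.CheckSignature(other, true));  // a different cert cannot verify this signature
    }

    // What CheckSignature(cert, false) does internally, made visible: ChainStatus
    // says why (UntrustedRoot, NotTimeValid, Revoked, RevocationStatusUnknown, ...).
    // X509RevocationMode.Online is the path that needs outbound CRL/OCSP access.
    static X509ChainStatus[] ExplainChain(X509Certificate2 cert, X509RevocationMode mode)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = mode;
        chain.Build(cert);
        return chain.ChainStatus;
    }

    static void Main()
    {
        using X509Certificate2 signer = MakeSelfSigned("CN=adfs-signing-test");
        using X509Certificate2 other  = MakeSelfSigned("CN=unrelated-cert");

        // Constructed stand-in for a SAML2 assertion, not a real ADFS token.
        // PreserveWhitespace matters: reformatting the XML after signing breaks the digest.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_1\"><Subject>alice</Subject></Assertion>");
        SignDocument(doc, signer);

        var r = Verify(doc, signer, other);
        Console.WriteLine($"CheckSignature()            : {r.embeddedKey}");
        Console.WriteLine($"CheckSignature(cert, true)  : {r.sigOnly}");
        Console.WriteLine($"CheckSignature(cert, false) : {r.sigAndChain}");
        Console.WriteLine($"CheckSignature(other, true) : {r.wrongCert}");

        foreach (X509ChainStatus s in ExplainChain(signer, X509RevocationMode.NoCheck))
            Console.WriteLine($"chain status: {s.Status} ({s.StatusInformation})");
    }
}
```

Because the test certificate has no trusted issuer, X509Chain.Build fails and CheckSignature(cert, false) returns false even though the signature itself verifies with the same certificate; that is the pattern in the question. Running ExplainChain with X509RevocationMode.Online instead of NoCheck is the step that reaches out to the CRL/OCSP endpoints mentioned in the firewall tip. Against a real ADFS certificate, read the ChainStatus entries before blaming the signature.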

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow