Discuss this help topic in SecureBlackbox Forum

XML: Verify signature

Verification of a signed document consists of two steps: signature validation and reference validation.

First, load the signature from the document. To do this, call the Load() method of the TElXMLVerifier class and pass the element that contains the signature node. The element need not be the signature node itself; it can contain the signature as one of its child nodes.

Next, call the ValidateSignature() method of TElXMLVerifier. It returns true if the signature could be verified and is correct. It returns false in two cases: the signature is incorrect (altered, broken, etc.) or there is not enough information to validate it. Use the KeyDataNeeded property to tell the two apart: it is true if there was not enough information and false if the signature is incorrect.

If there is not enough information, you need to provide the missing key. First, check whether the signature is a regular signature or a MAC, using the SignatureMethodType property of TElXMLVerifier.

For a MAC signature, you need to set the HMAC key with which the signature value was computed. To set this key,

  1. create an instance of the TElXMLKeyInfoHMACData class;
  2. place the key into the Key property of that TElXMLKeyInfoHMACData instance;
  3. assign the created instance to the HMACKey property of the TElXMLVerifier class.

For a regular signature, you need to provide the certificate or key against which verification is performed. Only a public key, or a certificate without its private key, is needed to verify a signature. The KeyName property of TElXMLVerifier can contain the name of the key, which helps you locate it; note that this value is optional and may be absent. Load the key data into an instance of the corresponding key data class and set the KeyData property of TElXMLVerifier to reference that instance.

After the key data is set, call ValidateSignature() once again.

If the signature contains XAdES information, call the TElXAdESVerifier.Validate() method to validate it together with the signer certificate. If no XAdES information is present, obtain the signer certificate or key data from the TElXMLVerifier.SignerCertificate and/or TElXMLVerifier.SignerKeyData properties. Then, if the signature was made with a certificate, use the TElX509CertificateValidator class to validate that certificate; otherwise, check in an application-defined way that the key or certificate belongs to this signer (for example, the public key could be stored in a database and associated with a customer name).
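The two verification steps described above, as an added example that is not SecureBlackbox code: a stdlib-only Python script that builds a constructed HMAC-SHA256 XMLDSig sample and then verifies it the way the text describes, first the MAC over the canonical SignedInfo, then the digest of each Reference, with a key_needed flag standing in for KeyDataNeeded. It covers only the MAC case, relies on xml.etree.ElementTree.canonicalize (Python 3.8 or later), and the payload/Id layout and key are constructed for the example.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS}
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
ET.register_namespace("ds", DS)

# Constructed sample: a payload element and a ds:Signature that references it by
# Id. Kept free of inter-element whitespace so ET.tostring() adds no tail text.
SAMPLE = ('<Doc><Order Id="payload"><Item>42</Item></Order>'
          '<ds:Signature xmlns:ds="' + DS + '"><ds:SignedInfo>'
          '<ds:SignatureMethod Algorithm="{alg}"/><ds:Reference URI="#payload">'
          '<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
          '<ds:SignatureValue>{sig}</ds:SignatureValue></ds:Signature></Doc>')

def c14n(elem):
    # Canonical XML 1.0 of one element: the exact bytes a digest or MAC covers
    return ET.canonicalize(ET.tostring(elem)).encode()

def sign_hmac(key):
    """Build the sample: digest the payload first, then MAC the SignedInfo."""
    doc = ET.fromstring(SAMPLE.format(alg=HMAC_SHA256, digest="", sig=""))
    digest = base64.b64encode(hashlib.sha256(c14n(doc.find(".//*[@Id='payload']"))).digest()).decode()
    doc = ET.fromstring(SAMPLE.format(alg=HMAC_SHA256, digest=digest, sig=""))
    si = doc.find(".//ds:SignedInfo", NS)
    mac = base64.b64encode(hmac.new(key, c14n(si), hashlib.sha256).digest()).decode()
    return SAMPLE.format(alg=HMAC_SHA256, digest=digest, sig=mac).encode()

def verify(xml_bytes, key=None):
    """Step 1: MAC over canonical SignedInfo; step 2: digest of each Reference.
    With no key the MAC cannot be checked at all (the KeyDataNeeded case)."""
    root = ET.fromstring(xml_bytes)
    sig = root.find(".//ds:Signature", NS)
    si = sig.find("ds:SignedInfo", NS)
    result = {"signature": False, "references": False, "key_needed": key is None}
    if si.find("ds:SignatureMethod", NS).get("Algorithm") != HMAC_SHA256:
        raise ValueError("unsupported SignatureMethod")  # only the MAC case here
    if key is None:
        return result
    given = base64.b64decode(sig.findtext("ds:SignatureValue", namespaces=NS))
    expected = hmac.new(key, c14n(si), hashlib.sha256).digest()
    result["signature"] = hmac.compare_digest(expected, given)
    ok = True  # reference validation is independent of the key and the MAC
    for ref in si.findall("ds:Reference", NS):
        target = root.find(".//*[@Id='%s']" % ref.get("URI")[1:])
        want = base64.b64decode(ref.findtext("ds:DigestValue", namespaces=NS))
        ok &= hmac.compare_digest(hashlib.sha256(c14n(target)).digest(), want)
    result["references"] = ok
    return result
```

Altering the payload leaves the MAC valid but breaks reference validation, which is why both steps are needed before a document is trusted.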

Reference validation is described in the corresponding how-to article.

How To articles about XML signing (XMLDSig and XAdES)
