编辑。XmlDsigXPathTransform验证有问题。遗憾的是,即使我从文档中复制了1:1的示例,xpath验证也失败了。我错过了什么?当docs的例子失败时,我再也想不出这件事了。
https://learn.microsoft.com/pl-pl/dotnet/api/system.security.cryptography.xml.xmldsigxpathtransform?view=netframework-4.6.1
var signatureReference = new Reference { Uri = "", };
XmlDsigXPathTransform XPathTransform =
CreateXPathTransform(XPathString);
signatureReference.DigestMethod = "http://www.w3.org/2001/04/xmlenc#sha256";
signatureReference.AddTransform(XPathTransform);
signedXml.AddReference(signatureReference);
private static XmlDsigXPathTransform CreateXPathTransform(string XPathString)
{
XmlDocument doc = new XmlDocument();
XmlElement xPathElem = doc.CreateElement("XPath");
xPathElem.InnerText = XPathString;
XmlDsigXPathTransform xForm = new XmlDsigXPathTransform();
xForm.LoadInnerXml(xPathElem.SelectNodes("."));
return xForm;
}
XmlDsigXPathTransform不再被认为是安全的,因此任何使用它的文档都会自动被认为具有无效签名。
https://referencesource.microsoft.com/#System.Security/system/security/cryptography/xml/signedxml.cs,8b616077b30145cd
如果你真的想使用它,你必须在任何要调用CheckSignature的计算机上的Windows注册表中启用它。
https://support.microsoft.com/en-us/topic/after-you-apply-security-update-3141780-net-framework-applications-encounter-exception-errors-or-unexpected-failures-while-processing-files-that-contain-signedxml-922edd45-a91e-c755-bb30-2604acf37362
SignedXml既旧又过时,我的建议是根本不要使用它,除非为了兼容性而必须使用它(.NET团队称之为遗留问题,并表示它没有在问题上进行投资,例如。https://github.com/dotnet/runtime/issues/44674#issuecomment-875163316)。