How to sign an XML document using C# and .NET

To sign an XML document in C#, use the SignedXml class in .NET to apply a digital signature that can secure the entire document, specific elements, or external resources by embedding a element. 2. Generate or load a cryptographic key such as RSA or DSA, where in production you should retrieve the private key from a secure source like an X509Certificate2 loaded from a .pfx file or certificate store. 3. Create a SignedXml object, set the signing key, add a Reference to the target part of the document (e.g., whole document with Uri = ""), specify the signature method (e.g., rsa-sha256), and call ComputeSignature() to generate the signature, optionally embedding the public key or certificate via KeyInfo for verification. 4. Append the resulting signature XML to the original document and output the signed XML string. 5. When signing specific elements, ensure they have an Id attribute marked as an XmlId, use standard algorithms for interoperability, and test thoroughly due to limited transform support in .NET’s SignedXml. 6. To verify, load the node into a SignedXml object and call CheckSignature() with the corresponding public key, returning true if the signature is valid. This process ensures secure and verifiable XML data exchange in applications like SAML or web services.

Signing an XML document in C# using .NET is a common requirement when working with secure data exchange, such as in SAML assertions, web services, or digital contracts. The .NET Framework and .NET (Core/5 ) provide robust support for XML digital signatures via the SignedXml class.

Here’s how to sign an XML document using C# and .NET.

✅ 1. Understanding XML Digital Signatures

An XML signature can:

• Sign the entire document
• Sign specific elements
• Include references to external resources

The signature is embedded within the XML itself, typically in a <signature></signature> element.

✅ 2. Generate or Use a Signing Key

You need a cryptographic key to sign the XML. This is usually an RSA or DSA key. In production, use a certificate from a trusted authority. For testing, you can generate a key pair.

// Example: Generate a new RSA key (for demo)
using var rsa = RSA.Create();

In production, load a private key from a certificate:

X509Certificate2 cert = new X509Certificate2("path/to/your.pfx", "password");
RSA privateKey = cert.GetRSAPrivateKey();

✅ 3. Sign the XML Document

Here’s a complete example that:

• Creates an XML document
• Signs it with RSA-SHA256
• Embeds the public key (so the recipient can verify)

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static string SignXmlDocument(XmlDocument xmlDoc, RSA signingKey, X509Certificate2? cert = null)
{
    // Create a SignedXml object
    SignedXml signedXml = new SignedXml(xmlDoc)
    {
        SigningKey = signingKey
    };

    // Create a reference to the entire document
    Reference reference = new Reference
    {
        Uri = "" // Empty URI means the whole document
    };

    // Add the reference
    signedXml.AddReference(reference);

    // Set the signing algorithm
    signedXml.SignedInfo.SignatureMethod = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Compute the signature
    signedXml.ComputeSignature();

    // Get the XML representation of the signature
    XmlElement xmlDigitalSignature = signedXml.GetXml();

    // Append the signature to the document
    xmlDoc.DocumentElement?.AppendChild(xmlDoc.ImportNode(xmlDigitalSignature, true));

    // Optional: Include KeyInfo with public key or certificate
    if (cert != null)
    {
        KeyInfo keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;
        // Update signature with KeyInfo
        xmlDoc.DocumentElement?.ReplaceChild(xmlDoc.ImportNode(signedXml.GetXml(), true), xmlDigitalSignature);
    }

    return xmlDoc.OuterXml;
}

✅ 4. Usage Example

// Create a sample XML document
XmlDocument doc = new XmlDocument();
doc.LoadXml("<Data>Hello, World!</Data>");

// Generate or load key
using RSA rsa = RSA.Create();
// Or: var cert = new X509Certificate2("cert.pfx", "pass"); rsa = cert.GetRSAPrivateKey();

// Sign the document
string signedXml = SignXmlDocument(doc, rsa, null); // Pass cert if you want to embed it

Console.WriteLine(signedXml);

✅ 5. Important Notes

• Always use secure key storage in production (e.g., Windows Certificate Store, Azure Key Vault).
• You can sign specific elements by setting Uri to an ID (e.g., "#MyElement"), but the target element must have an Id attribute.
• Make sure the XML document uses Id as an XmlId attribute (via XmlAttribute.IdAttribute or schema).
• For interoperability, use standard algorithms like rsa-sha256.
• SignedXml in .NET does not support all XML Signature transforms by default — test carefully.

✅ 6. Verifying the Signature

To verify:

public static bool VerifyXmlDocument(XmlDocument xmlDoc, RSA publicKey)
{
    SignedXml signedXml = new SignedXml(xmlDoc);

    // Find the <Signature> node
    XmlNode? signatureNode = xmlDoc.GetElementsByTagName("Signature").Item(0);
    if (signatureNode == null) return false;

    signedXml.LoadXml((XmlElement)signatureNode);

    return signedXml.CheckSignature(publicKey);
}

Basically, that's how you sign XML in C#. It's not overly complex, but easy to get wrong if you skip details like algorithm names or proper key handling.

The above is the detailed content of How to sign an XML document using C# and .NET. For more information, please follow other related articles on the PHP Chinese website!