I have a C# app which I use to process encrypted and signed XML files from a 3rd party. Files I generate and sign inside the app using a valid certificate pass the validation without problems. I have problems validating files received from the 3rd party (which is a reputable source, so I rule out problems on their end).
The file is successfully decrypted, but signature validation always returns false. I have tried to strip off their signature and sign the file myself - I have generated the same <DigestValue> and, apart from differences in binary fields (as expected when using different certificates), the file structures are identical.
I load the .pem file into an X509Certificate2 object and try to validate the received file. It has all the necessary elements, but the validation always fails without any indication why.
Is there anything else I need to do? Any good resource to understand what CheckSignature() does?
The signature validation code (working on self-signed files):
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static bool VerifySignedXml(string signedXmlPath, X509Certificate2 theirPublicKey)
{
    XmlDocument doc = new XmlDocument();
    doc.Load(signedXmlPath);
    // Locate the <Signature> element produced by the signer.
    XmlElement signature = (XmlElement)doc.GetElementsByTagName("Signature")[0];
    SignedXml sig = new SignedXml(doc);
    sig.LoadXml(signature);
    // Verify the signature value with the supplied certificate only (no chain validation).
    bool bVerified = sig.CheckSignature(theirPublicKey, false);
    return bVerified;
}
Thanks
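A diagnostic version of the verifier, added here as an example and not part of the question or its code: it keeps whitespace on load (it is part of the canonicalized bytes), finds the Signature element by namespace, prints what was signed and with which algorithms, and verifies first against any key embedded in KeyInfo and then against the supplied certificate, so the two failure causes can be told apart. The file path and the certificate loaded from the .pem are assumed inputs.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SignedXmlDiagnostics
{
    // Assumed inputs: signedXmlPath is the already-decrypted file, theirCert is the
    // sender's certificate loaded by the caller from the .pem file.
    public static bool VerifyWithDiagnostics(string signedXmlPath, X509Certificate2 theirCert)
    {
        var doc = new XmlDocument();
        // Whitespace inside signed content is part of the canonicalized bytes;
        // dropping it on load changes the digests and the signature then fails.
        doc.PreserveWhitespace = true;
        doc.Load(signedXmlPath);

        // Namespace-aware lookup so a prefixed <ds:Signature> is found as well.
        var signatures = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count == 0)
        {
            Console.WriteLine("No XML-DSig Signature element found.");
            return false;
        }

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)signatures[0]);

        // Report what was signed and how, to compare against a self-signed file.
        Console.WriteLine("SignatureMethod: " + signedXml.SignatureMethod);
        Console.WriteLine("CanonicalizationMethod: " + signedXml.SignedInfo.CanonicalizationMethod);
        foreach (Reference r in signedXml.SignedInfo.References)
        {
            Console.WriteLine("Reference URI='" + r.Uri + "' DigestMethod=" + r.DigestMethod
                + " DigestValue=" + Convert.ToBase64String(r.DigestValue));
        }

        // 1) Verify with the key material the sender embedded in <KeyInfo>, if present.
        //    Success here but failure below points at the certificate being supplied.
        if (signedXml.KeyInfo != null && signedXml.KeyInfo.Count > 0)
        {
            Console.WriteLine("Verified with embedded KeyInfo: " + signedXml.CheckSignature());
        }

        // 2) Verify with the certificate trusted out of band. verifySignatureOnly=true
        //    skips chain building, so an untrusted chain is not mistaken for a bad signature.
        bool certOk = signedXml.CheckSignature(theirCert, true);
        Console.WriteLine("Verified with supplied certificate: " + certOk);
        return certOk;
    }
}
```

Run it once on a file the app signed itself and once on the 3rd-party file; the printed reference URIs, algorithms and digests are the first things to compare.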