SignedXML.CheckSignature Always Fails

  • Question

  • I don't think I posted my original question in the correct forum, so I'm going to close that one and post here.

    I'm currently working on a project which requires the XML posts to be digitally signed. I do not seem to have any luck with getting any test posts from our client to validate with the below code:

    public static bool verifySignature(string xmlData)
    {
        XmlDocument theDocument = new XmlDocument();
        XmlNodeList nodeList;
        SignedXml signedDocument;
        theDocument.PreserveWhitespace = true;
        theDocument.LoadXml(xmlData);                        // load the decoded post
        signedDocument = new SignedXml(theDocument);
        // the argument was cut off in the post; reconstructed as the ds:Signature lookup
        nodeList = theDocument.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        signedDocument.LoadXml((XmlElement)nodeList[0]);    // hand the Signature element to SignedXml
        return signedDocument.CheckSignature();
    }

    The posts are signed using the XML Signature tag with a namespace of "ds". I am simply base64 decoding the post and sending it straight to here without any modifications of whitespace or casing.

    Any help would be greatly appreciated!

    - Jake
    Friday, April 3, 2009 2:06 PM

All replies

  • So what exactly happens? Do you get an error? If so which one? Or is the verifySignature method always returning false?
    Can you post an example value of xmlData that you pass in where you expect to get true but get false?

    Friday, April 3, 2009 2:21 PM
  • It simply returns false. No fireworks or exceptions that I'm aware of. I'll post a scrubbed post up in a few minutes. Thanks for the help!
    Monday, April 6, 2009 1:16 PM
  • Here's a sample post (it will fail now for sure because I changed some data to fake values). Please keep in mind that this is all base64 encoded right up until I check the signature (when I then decode it without any other modifications). Another assertion that I tested gave me an invalid reference exception, but this one simply returns false.

    <samlp:Response IssueInstant="2009-02-12T20:06:51.658Z" ID="DxwelMilVtxlWhuU4sjX8taaaxo" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    	<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    		<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    	<saml:Assertion Version="2.0" IssueInstant="2009-02-12T20:06:51.746Z" ID="rXmPjqvtnczkUvznkNOBpL.tu1e" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    		<ds:Signature xmlns:ds="">
    				<ds:CanonicalizationMethod Algorithm=""/>
    				<ds:SignatureMethod Algorithm=""/>
    				<ds:Reference URI="#rXmPjqvtnczkUvznkNOBpL.tu1e">
    						<ds:Transform Algorithm=""/>
    						<ds:Transform Algorithm=""/>
    					<ds:DigestMethod Algorithm=""/>
    			<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    			<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    				<saml:SubjectConfirmationData NotOnOrAfter="2009-02-12T20:11:51.805Z" Recipient=""/>
    		<saml:Conditions NotOnOrAfter="2009-02-12T20:11:51.758Z" NotBefore="2009-02-12T20:01:51.758Z">
    		<saml:AuthnStatement AuthnInstant="2009-02-12T20:06:51.735Z" SessionIndex="rXmPjqvtnczkUvznkNOBpL.tu1e">
    		<saml:AttributeStatement xmlns:xs="">
    			<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="lastname">
    				<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="">
    			<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="firstname">
    				<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="">
    			<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="uid">
    				<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="">
    			<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="mail">
    				<saml:AttributeValue xsi:type="xs:string" xmlns:xsi="">
    Monday, April 6, 2009 1:23 PM
  • I expect the problem comes from formatting the signed document. If you want to be able to format it, put

    PreserveWhitespace = false;

    when you format it and verify the signature.

    Please note, even this wouldn't allow you to reformat text fields:


    shouldn't be converted to:

    Tuesday, April 7, 2009 5:32 PM
  • Well, the thing is, what you're seeing above (although human-readable) is actually what the base64 decoder gives me. No formatting was done after the document was signed that I am aware of. Regardless, I'll try your suggestion, and thanks for the input!

    - Jake
    Tuesday, April 7, 2009 8:50 PM
  • No luck. Here's the general procedure I'm using in pseudocode:

    string inString = receivedPost;   // base64-encoded XML document, exactly as received
    string outString = Encoding.UTF8.GetString(Convert.FromBase64String(inString));
    XmlDocument doc = new XmlDocument { PreserveWhitespace = true };
    doc.LoadXml(outString);                                   // load XML document into XmlDocument object
    SignedXml signedXml = new SignedXml(doc);
    XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
    signedXml.LoadXml((XmlElement)sigs[0]);                   // load signature block into SignedXml object
    bool valid = signedXml.CheckSignature();                  // check signature

    As you can see, I'm not making any modifications to the document which I have received. Perhaps I'm not using the proper Encoding class? I have no idea... I'll research this.

    Tuesday, April 7, 2009 9:05 PM
  • Try whether using Encoding.ASCII instead of Encoding.UTF8 works.
    Wednesday, April 8, 2009 6:06 PM
  • Hi Jake,

    Just refer to How to: Sign XML Documents with Digital Signatures and How to: Verify the Digital Signatures of XML Documents in this scenario. Also, it is best to post your code snippet showing how you sign the XML and verify that document, together with a sample XML.

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Thursday, April 9, 2009 9:04 AM
  • Did you get any solution for this? I am also in the same position; my SAML response is also the same. Could you please help me on this?

    Monday, December 14, 2009 3:56 PM
  • I had a similar problem and the following thread, though about a different problem, helped me find the solution.

    Most examples in MSDN and on the web show passing the XML document root into the SignedXml. However, if <Signature> is a lower-level element (a child of something else), CheckSignature will fail when the root document is passed in. In the example above,


    Then the sample code computes/validates the top-level Document. This will fail.

    If you grab the parent node of the <ds:Signature> (which is the <saml:Assertion> node) and pass that into the SignedXml constructor, CheckSignature will work. I am working on a full solution to this problem. For starters, the code below will work, but it is rough and has some duplicated code that I want to get rid of. It also only works for enveloped signatures. I am trying to make it more generic to include enveloping and detached signatures.

    XmlDocument doc = new XmlDocument { PreserveWhitespace = true };
    doc.LoadXml(xmlData);                                  // the decoded SAML response
    XmlNamespaceManager nsMgr = new XmlNamespaceManager(doc.NameTable);
    nsMgr.AddNamespace("dsig", SignedXml.XmlDsigNamespaceUrl);
    XmlNode signatureNode = doc.SelectSingleNode("//dsig:Signature", nsMgr);
    // new document rooted at the signed element (the <saml:Assertion>), not the whole response
    XmlDocument signedDoc = new XmlDocument { PreserveWhitespace = true };
    XmlNode signedNode = signedDoc.ImportNode(signatureNode.ParentNode, true);
    signedDoc.AppendChild(signedNode);                     // without this the new document stays empty
    SignedXml verifier = new SignedXml(signedDoc);
    XmlNodeList nl = signedDoc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
    foreach (XmlNode signNode in nl)
    {
        verifier.LoadXml((XmlElement)signNode);            // the Signature element must be loaded before checking
        if (verifier.CheckSignature(signingKey)) { /* SUCCESS */ }   // signingKey: the issuer's public key
    }

    • Edited by toddcscar Thursday, May 3, 2012 7:37 PM
    Thursday, May 3, 2012 7:36 PM
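    A fuller version of the approach in this answer, added here as an example and not toddcscar's or the thread's own code: it builds the SignedXml over the <saml:Assertion> element that contains the signature, loads the <ds:Signature>, confirms that the single Reference points at that assertion's ID, and checks the signature against the issuer certificate rather than whatever key the message itself carries. Assumed: the caller has already base64-decoded the response and holds the issuer's X509Certificate2 obtained out of band.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlSignatureCheck
{
    // Verifies the enveloped signature on the <saml:Assertion> of a decoded SAML response.
    // issuerCert is the identity provider's certificate obtained out of band (assumption:
    // the caller pins it; a certificate embedded in <ds:KeyInfo>, if any, is not trusted).
    public static bool VerifyAssertionSignature(string decodedXml, X509Certificate2 issuerCert)
    {
        // PreserveWhitespace is set before LoadXml and must match what was signed;
        // canonicalization runs over exactly these nodes.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(decodedXml);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        const string samlNs = "urn:oasis:names:tc:SAML:2.0:assertion";

        // Exactly one signature is expected, and it must sit directly under the assertion.
        var signatures = doc.SelectNodes("//ds:Signature", ns);
        if (signatures == null || signatures.Count != 1) return false;
        var sigElement = (XmlElement)signatures[0];
        var assertion = sigElement.ParentNode as XmlElement;
        if (assertion == null || assertion.LocalName != "Assertion" || assertion.NamespaceURI != samlNs)
            return false;

        // Build SignedXml over the element that contains the signature (the assertion),
        // not over the whole response, so that the "#ID" reference resolves.
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(sigElement);

        // The single reference must cover the assertion itself (URI = "#" + its ID).
        string assertionId = assertion.GetAttribute("ID");
        if (signedXml.SignedInfo.References.Count != 1) return false;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (string.IsNullOrEmpty(assertionId) || reference.Uri != "#" + assertionId) return false;

        // verifySignatureOnly = true: check the signature value against issuerCert's public key
        // and skip chain building; chain and pinning policy are the caller's responsibility.
        return signedXml.CheckSignature(issuerCert, true);
    }
}
```

    Because the assertion is verified in place, the Conditions, NotOnOrAfter and Recipient values read afterwards are the ones the signature actually covered.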
  • Hi toddcscar,

    I tried passing in the Assertion element in the SignedXml constructor, but still the CheckSignature(cert, true) call returns false. There are no errors raised, but it just returns false.

    Does the

    PreserveWhitespace = true / false

    setting have any effect on the behaviour of this? I think the answer is yes, but I still want to confirm. And what should the value of "PreserveWhitespace" be during signing and during verification?


    Monday, May 21, 2012 5:36 AM
  • I have the same problem when I try to validate the signature in an XML document. I have read a lot about it; maybe it is an incompatibility in the .NET Framework version: programs that run on versions lower than 3.5 work fine, but higher versions don't work. If somebody has another idea or solution, please tell us.


    Wednesday, December 24, 2014 3:08 PM
  • +1

    Yes, solved the problem for me once.

    Thursday, June 6, 2019 9:58 AM