Sample code for 30+ languages & platforms
C#

Verify an XML Signature with Multiple References

See more XML Digital Signatures Examples

Demonstrates how to verify an XML digital signature that contains multiple references.

Chilkat C# Downloads

C#
bool success = false;

//  This example requires the Chilkat API to have been previously unlocked.
//  See Global Unlock Sample for sample code.

//  An example of an enveloping XML signature with mulitple references is available at
//  https://www.chilkatsoft.com/exampleData/envelopedMultipleRefs.xml

//  This example will show how to verify the signature and all references, and also how
//  to verify each reference individually.  This is useful to distinguish which part
//  of the XML signature validation failed.  It could be that one or more of the references
//  failed because of a hash computation mismatch.  Or it could be that the signature over
//  the SignedInfo failed.  

//  First, let's grab the sample XML signature.
Chilkat.Http http = new Chilkat.Http();
Chilkat.StringBuilder sbXml = new Chilkat.StringBuilder();
success = http.QuickGetSb("https://www.chilkatsoft.com/exampleData/envelopedMultipleRefs.xml",sbXml);
if (success != true) {
    Debug.WriteLine(http.LastErrorText);
    return;
}

//  Load the XML containing the signature to be verified.
Chilkat.XmlDSig verifier = new Chilkat.XmlDSig();
success = verifier.LoadSignatureSb(sbXml);
if (success != true) {
    Debug.WriteLine(verifier.LastErrorText);
    return;
}

bool verifyReferenceDigests = true;

//  The quick way to validate all references and the signature over the SignedInfo
//  is to call VerifySignature with verifyReferenceDigests equal to true.
bool verified = verifier.VerifySignature(verifyReferenceDigests);
Debug.WriteLine("Signature and all reference digests verified = " + Convert.ToString(verified));

//  Let's pretend the call to VerifySignature returned false.  Something did not validate.
//  Was it one or more of the References that did not hash to the correct value?
//  Or was it the signature over the SignedInfo that failed?
//  We can check just the signature over the SignedInfo by passing false to VerifySignature.
//  This allows us to skip the hashing and checking each Reference.  
verifyReferenceDigests = false;
bool signedInfoVerified = verifier.VerifySignature(verifyReferenceDigests);
Debug.WriteLine("Neglecting the reference hashes, the SignedInfo validation result = " + Convert.ToString(signedInfoVerified));

//  We can also verify each reference digest separately
int numRefs = verifier.NumReferences;
int i = 0;
while (i < numRefs) {
    bool refDigestVerified = verifier.VerifyReferenceDigest(i);
    Debug.WriteLine("Reference " + Convert.ToString(i) + " digest verified = " + Convert.ToString(refDigestVerified));
    i = i + 1;
}

//  For this sample XML signature with 3 References, we get the following output:

//  Signature and all reference digests verified = True
//  Neglecting the reference hashes, the SignedInfo validation result = True
//  Reference 0 digest verified = True
//  Reference 1 digest verified = True
//  Reference 2 digest verified = True