Sample code for 30+ languages & platforms
C#

Verify an XML Signature with Multiple References

See more XML Digital Signatures Examples

Demonstrates how to verify an XML digital signature that contains multiple references.

Chilkat C# Downloads

C#
bool success = false;

// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// An example of an enveloping XML signature with mulitple references is available at
// https://www.chilkatsoft.com/exampleData/envelopedMultipleRefs.xml

// This example will show how to verify the signature and all references, and also how
// to verify each reference individually.  This is useful to distinguish which part
// of the XML signature validation failed.  It could be that one or more of the references
// failed because of a hash computation mismatch.  Or it could be that the signature over
// the SignedInfo failed.  

// First, let's grab the sample XML signature.
Chilkat.Http http = new Chilkat.Http();
Chilkat.StringBuilder sbXml = new Chilkat.StringBuilder();
success = http.QuickGetSb("https://www.chilkatsoft.com/exampleData/envelopedMultipleRefs.xml",sbXml);
if (success != true) {
    Debug.WriteLine(http.LastErrorText);
    return;
}

// Load the XML containing the signature to be verified.
Chilkat.XmlDSig verifier = new Chilkat.XmlDSig();
success = verifier.LoadSignatureSb(sbXml);
if (success != true) {
    Debug.WriteLine(verifier.LastErrorText);
    return;
}

bool verifyReferenceDigests = true;

// The quick way to validate all references and the signature over the SignedInfo
// is to call VerifySignature with verifyReferenceDigests equal to true.
bool verified = verifier.VerifySignature(verifyReferenceDigests);
Debug.WriteLine("Signature and all reference digests verified = " + Convert.ToString(verified));

// Let's pretend the call to VerifySignature returned false.  Something did not validate.
// Was it one or more of the References that did not hash to the correct value?
// Or was it the signature over the SignedInfo that failed?
// We can check just the signature over the SignedInfo by passing false to VerifySignature.
// This allows us to skip the hashing and checking each Reference.  
verifyReferenceDigests = false;
bool signedInfoVerified = verifier.VerifySignature(verifyReferenceDigests);
Debug.WriteLine("Neglecting the reference hashes, the SignedInfo validation result = " + Convert.ToString(signedInfoVerified));

// We can also verify each reference digest separately
int numRefs = verifier.NumReferences;
int i = 0;
while (i < numRefs) {
    bool refDigestVerified = verifier.VerifyReferenceDigest(i);
    Debug.WriteLine("Reference " + Convert.ToString(i) + " digest verified = " + Convert.ToString(refDigestVerified));
    i = i + 1;
}

// For this sample XML signature with 3 References, we get the following output:

// Signature and all reference digests verified = True
// Neglecting the reference hashes, the SignedInfo validation result = True
// Reference 0 digest verified = True
// Reference 1 digest verified = True
// Reference 2 digest verified = Tru