Generating XAdES from USB Token in c#


I’m trying to sign XML files via a USB Token in the XAdES format.

Documentation on System.Security.Cryptography.Xml is scarce. I can only find how to sign an XML with basic/default options (https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-sign-xml-documents-with-digital-signatures).

It works. However, it's missing several elements, e.g. some References, Transforms and the Object element.

This is the XAdES XML structure I need.

<?xml version='1.0' encoding='utf-8'?>

<MyRootTag xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <MainElement>
        <!--xml_payload_goes_here-->
    </MainElement>
    
    <ds:Signature xmlns:xadesv1410="http://uri.etsi.org/01903/v1.4.1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="signature-5743-9455-8953-3682">
    
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
            <ds:Reference URI="">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2002/06/xmldsig-filter2">
                        <dsig-xpath:XPath xmlns:dsig-xpath="http://www.w3.org/2002/06/xmldsig-filter2" Filter="subtract">/descendant::ds:Signature</dsig-xpath:XPath>
                    </ds:Transform>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue><!--Base64--></ds:DigestValue>
            </ds:Reference>
            <ds:Reference URI="#signed-properties-0967-6800-5986-4853" Type="http://uri.etsi.org/01903#SignedProperties">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                <ds:DigestValue><!--Base64--></ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        
        <ds:SignatureValue Id="signature-value-3400-3038-9836-4335"><!--Base64--></ds:SignatureValue>
        
        <ds:KeyInfo Id="key-info-3540-2157-4472-8413">
            <ds:X509Data>
                <ds:X509Certificate><!--Base64--></ds:X509Certificate>
            </ds:X509Data>
            <ds:KeyValue>
                <ds:RSAKeyValue>
                    <ds:Modulus><!--Base64--></ds:Modulus>
                    <ds:Exponent>AQAB</ds:Exponent>
                </ds:RSAKeyValue>
            </ds:KeyValue>
        </ds:KeyInfo>
        
        <ds:Object Id="signature-object-0000-0000-0000-0000">
            <xades:QualifyingProperties Target="#signature-0000-0000-0000-0000">
                <xades:SignedProperties Id="signed-properties-0000-0000-0000-0000">
                    <xades:SignedSignatureProperties>
                        <xades:SigningTime>2021-11-03T08:25:08Z</xades:SigningTime>
                        <xades:SigningCertificate>
                            <xades:Cert>
                                <xades:CertDigest>
                                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                                    <ds:DigestValue><!--Base64--></ds:DigestValue>
                                </xades:CertDigest>
                                <xades:IssuerSerial>
                                    <ds:X509IssuerName>Issuer_Name</ds:X509IssuerName>
                                    <ds:X509SerialNumber>000000000000000000000000000000000000000</ds:X509SerialNumber>
                                </xades:IssuerSerial>
                            </xades:Cert>
                        </xades:SigningCertificate>
                    </xades:SignedSignatureProperties>
                </xades:SignedProperties>
            </xades:QualifyingProperties>
        </ds:Object>
        
    </ds:Signature>
    
</MyRootTag>

I need to figure out how to add these elements to SignedXml using AddReference (+AddTransform), AddObject, etc.

Where can I find some C# code examples for XAdES signing, particularly regarding different SignedXml formatting options?

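As an added example (not code from the question, the answer, or the FirmaXadesNetCore project), here is one way to produce a structure like the one above with SignedXml on Windows. It assumes the token vendor's middleware registers a CSP/KSP so that the certificate in the CurrentUser\My store is linked to the private key on the token (GetRSAPrivateKey() then returns a handle that signs on the device), and it takes the certificate thumbprint as a placeholder supplied by the caller. Two deliberate deviations from the target structure: the XPath Filter 2 "subtract" transform is replaced by the built-in enveloped-signature transform, because System.Security.Cryptography.Xml ships no xmldsig-filter2 implementation, and the Id on SignatureValue is omitted because the Signature class does not expose it. The GetIdElement override is what makes the "#signed-properties-..." reference resolve: the base class only matches the Id of a ds:Object itself, not of elements nested inside it. The XadesSignedXml and XadesBesSigner class names are this example's own.

```csharp
// Added example: XAdES-BES style envelope with SignedXml (not from the question, the answer
// or FirmaXadesNetCore). Assumes Windows with the token middleware's CSP/KSP installed and
// System.Security.Cryptography.Xml (a NuGet package on .NET Core / .NET 5+).
using System;
using System.Globalization;
using System.Numerics;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// SignedXml resolves "#id" only against the containing document or the Id of a ds:Object
// itself; this override also searches inside the objects so the SignedProperties reference resolves.
public sealed class XadesSignedXml : SignedXml
{
    public XadesSignedXml(XmlDocument doc) : base(doc) { }

    public override XmlElement GetIdElement(XmlDocument document, string idValue)
    {
        XmlElement found = base.GetIdElement(document, idValue);
        if (found != null || idValue.Contains('\'')) return found;   // no XPath built from a quoted id
        foreach (DataObject obj in Signature.ObjectList)
            foreach (XmlNode node in obj.Data)
                if (node.SelectSingleNode($"descendant-or-self::*[@Id='{idValue}']") is XmlElement e)
                    return e;
        return null;
    }
}

public static class XadesBesSigner
{
    const string XadesNs = "http://uri.etsi.org/01903/v1.3.2#";
    const string DsNs = SignedXml.XmlDsigNamespaceUrl;

    // Looks the signing certificate up by thumbprint (placeholder value supplied by the caller).
    public static X509Certificate2 LoadTokenCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0) throw new InvalidOperationException("certificate not in CurrentUser\\My");
        return found[0];
    }

    public static void Sign(XmlDocument doc, X509Certificate2 cert)
    {
        // With a hardware token this is a handle to the on-device key; the private key never leaves it.
        using RSA rsa = cert.GetRSAPrivateKey()
            ?? throw new InvalidOperationException("no RSA private key linked to the certificate");

        string sigId = "signature-" + Guid.NewGuid();
        string propsId = "signed-properties-" + Guid.NewGuid();

        var signedXml = new XadesSignedXml(doc) { SigningKey = rsa };
        signedXml.Signature.Id = sigId;
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;

        // Reference 1: the whole document minus the signature (enveloped transform stands in
        // for the XPath Filter 2 "subtract" transform, which the library does not ship).
        var docRef = new Reference("") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        docRef.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        docRef.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(docRef);

        // Reference 2: the xades:SignedProperties element carried inside ds:Object.
        var propsRef = new Reference("#" + propsId)
        {
            Type = "http://uri.etsi.org/01903#SignedProperties",
            DigestMethod = SignedXml.XmlDsigSHA256Url
        };
        propsRef.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(propsRef);

        // ds:Object carrying xades:QualifyingProperties.
        signedXml.AddObject(new DataObject
        {
            Id = "signature-object-" + Guid.NewGuid(),
            Data = BuildQualifyingProperties(cert, sigId, propsId).ChildNodes
        });

        // ds:KeyInfo with the certificate and the RSA public key, as in the target structure.
        var keyInfo = new KeyInfo { Id = "key-info-" + Guid.NewGuid() };
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        keyInfo.AddClause(new RSAKeyValue(rsa));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();   // digests both references, then signs on the token
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
    }

    static XmlDocument BuildQualifyingProperties(X509Certificate2 cert, string sigId, string propsId)
    {
        var d = new XmlDocument();
        XmlElement qp = Child(d, d, "xades", "QualifyingProperties", XadesNs);
        qp.SetAttribute("Target", "#" + sigId);
        XmlElement sp = Child(d, qp, "xades", "SignedProperties", XadesNs);
        sp.SetAttribute("Id", propsId);
        XmlElement ssp = Child(d, sp, "xades", "SignedSignatureProperties", XadesNs);
        Child(d, ssp, "xades", "SigningTime", XadesNs).InnerText =
            DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'", CultureInfo.InvariantCulture);
        XmlElement c = Child(d, Child(d, ssp, "xades", "SigningCertificate", XadesNs), "xades", "Cert", XadesNs);
        XmlElement cd = Child(d, c, "xades", "CertDigest", XadesNs);
        Child(d, cd, "ds", "DigestMethod", DsNs).SetAttribute("Algorithm", SignedXml.XmlDsigSHA256Url);
        using (var sha = SHA256.Create())
            Child(d, cd, "ds", "DigestValue", DsNs).InnerText = Convert.ToBase64String(sha.ComputeHash(cert.RawData));
        XmlElement iss = Child(d, c, "xades", "IssuerSerial", XadesNs);
        Child(d, iss, "ds", "X509IssuerName", DsNs).InnerText = cert.IssuerName.Name;
        // X509SerialNumber is decimal; the leading "0" stops BigInteger treating a high bit as a sign.
        Child(d, iss, "ds", "X509SerialNumber", DsNs).InnerText =
            BigInteger.Parse("0" + cert.SerialNumber, NumberStyles.HexNumber).ToString();
        return d;
    }

    static XmlElement Child(XmlDocument d, XmlNode parent, string prefix, string name, string ns)
    {
        XmlElement e = d.CreateElement(prefix, name, ns);
        parent.AppendChild(e);
        return e;
    }
}
```

Load the target file with `PreserveWhitespace = true` before calling `Sign(doc, LoadTokenCertificate("<thumbprint placeholder>"))`, otherwise whitespace changes on save alter the document digest. SignedXml writes the xmldsig namespace as the default namespace rather than with the `ds:` prefix shown in the question; the signature is still self-consistent, but canonicalization preserves prefixes, so a receiver that insists on the literal prefix needs the element renamed before the signature value is computed, not after. When checking the result, verify against a trusted certificate with `CheckSignature(cert, true)` on a fresh `XadesSignedXml` rather than the parameterless `CheckSignature()`, which would happily use the RSAKeyValue embedded in the very KeyInfo being verified.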



It's better to use a NuGet package for it. There is a good one here: FirmaXadesNetCore. If you try to implement it by yourself you will have a very hard time because there are many details in XAdES. By the way, the only problem that you'll face with FirmaXadesNetCore is that it just implements signing with the Windows certificate store, and you have to clone it and implement the Signer class with PKCS#11. It's easy because there is a good NuGet package for that also. You can find it here: Pkcs11Interop.