
I'd like to use XMLDSIG for verifying that a .config file has not been tampered with. I also want to be able to verify the signature chain so that I can trust the signature.

I've got three certificates in the chain:

Root CA -> Intermediate Signing CA -> Signing Key

I check that the file is signed with a key that is issued by the intermediate CA.

I'd like to do this without installing any certificates in the user's Windows certificate store. These are self-signed certificates, so not every user is going to want me installing them in their Root store. I don't have a problem with installing them in my root store.

I have the original .CER files -- they're included in the Signature block, and I can include them with the verification code. I can build a certificate chain from this by using X509ChainPolicy.ExtraStore.

If the certificates are not installed in the root store, and I verify the chain, then X509Chain.Build returns false, and the chain has a X509ChainStatusFlags.UntrustedRoot in it.

Can I add trusted certificates just for the duration of this operation?

Roger Lipscombe
  • Stupid question, but you have a physical copy of all signing certs in the trust chain, right? They're just not installed, correct? – x0n Apr 10 '12 at 15:15
  • Yeah. I copied them into the signature block, but I can also easily include them with the verification code. I just don't want to install a root CA on every user's machine. – Roger Lipscombe Apr 10 '12 at 15:27
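One way to do the per-operation trust check the question describes, as added example code in C# (not code from the question or the answer): the three certificates are assumed to be loaded from the embedded .CER files into X509Certificate2 objects, and VerifyWithCustomTrust relies on chain-policy members that exist only in .NET 5 and later.

```csharp
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Verifies the signing certificate against the shipped intermediate and root .CER files
// without consulting the Windows Root store (all three are passed in as X509Certificate2).
static class ConfigSignatureChain
{
    // Works on .NET Framework: build from ExtraStore, tolerate only UntrustedRoot,
    // then pin the root the chain actually terminated on.
    public static bool VerifyWithPinnedRoot(X509Certificate2 signingCert,
        X509Certificate2 intermediateCa, X509Certificate2 pinnedRootCa)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.Add(intermediateCa);
            chain.ChainPolicy.ExtraStore.Add(pinnedRootCa);
            // Private CAs publish no CRL/OCSP here, so do not fail on missing revocation data.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // Let Build succeed although the root is not installed; the root is checked below.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            if (!chain.Build(signingCert))
                return false;
            // Any status other than UntrustedRoot (NotTimeValid, NotSignatureValid, PartialChain...)
            // is fatal; AllowUnknownCertificateAuthority must not be allowed to mask it.
            bool onlyUntrustedRoot = chain.ChainStatus.All(s =>
                s.Status == X509ChainStatusFlags.NoError ||
                s.Status == X509ChainStatusFlags.UntrustedRoot);
            if (!onlyUntrustedRoot)
                return false;
            // The last element is the self-signed root the chain ended on; it must be byte-for-byte
            // the shipped root, not some other self-signed certificate the engine found.
            var chainRoot = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return chainRoot.RawData.SequenceEqual(pinnedRootCa.RawData);
        }
    }

    // .NET 5 and later only: CustomRootTrust makes the shipped root the sole trust anchor
    // for this chain object, so the machine and user Root stores are never consulted.
    public static bool VerifyWithCustomTrust(X509Certificate2 signingCert,
        X509Certificate2 intermediateCa, X509Certificate2 pinnedRootCa)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            chain.ChainPolicy.CustomTrustStore.Add(pinnedRootCa);
            chain.ChainPolicy.ExtraStore.Add(intermediateCa);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            return chain.Build(signingCert);
        }
    }
}
```

The pinning step in VerifyWithPinnedRoot is what keeps AllowUnknownCertificateAuthority from turning into "trust any self-signed root"; without it, any chain that ends on some self-signed certificate would pass.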

1 Answer


Assuming you have physical copies of the public keys of ALL signing certs in the trust chain, then this is possible by using the OpenSSL command line tool.

http://www.madboa.com/geek/openssl/#verify-standard

It's a bit of a steep learning curve at first, but a very powerful utility.

If you don't have the signing certs, then you cannot verify anything. That would be the same as trying to verify a human signature without having seen the original. You have nothing to compare to, so how could you verify the authenticity?

Update

There's something here perhaps that could help you:

http://social.msdn.microsoft.com/Forums/eu/clr/thread/1966a6e8-b6f4-44d1-9102-ec3a26426789

x0n