How to verify XML Digital Signature in native C++ without MSXML 5?

Question

I'm considering using an XML dsig for basic app licensing. The app is native windows code (no .net). I can easily use .net to create a dsig offline, but then I want to verify it in native c++. From what I've found so far MSXML V5 will do the job, but musn't be used and V6 removes support for dsigs.

So how can I easily verify an XML dsig produced by .net code in native C++?

Answer 1

Unfortunately, XML Signatures comes with MSXML 5.0 only. The thing is that XML-DSig isn't actually considered a feature of MSXML. It's best to consider MSXML 5.0 an offshoot - the strange step brother of MSXML - instead of part of the line. They would have been better off naming it something besides MSXML for all the confusion it has caused. There's barely any documentation for it and no way to distribute it. Even the XML Team at Microsoft says "Don't use it".

But all that doesn't help you. The real problem is that XML Digital Signatures are tricky things. MSXML 5.0 only implemented it because MS Office had total control over the XML; and because of that, could get consistent results. There's no guarantee that an XML signature generated from .NET is interoperable with MSXML 5.0. You might even have inconsistent results, where it works sometimes and doesn't work other times.

What you'll need to do is to write managed C++ code where you can use the same .NET features that generated the signature in the first place. It's not native C++, but it will get you consistent results. The only other alternative is to find a library that you can use in both .NET and C++ that can generate a digital signature.

• How to: Sign XML Documents with Digital Signatures
• How to: Verify the Digital Signatures of XML Documents