Best practices for validating SignedXml

Question

When would you use CheckSignature() - Determines whether the Signature property verifies using the public key in the signature.

over

CheckSignature(X509Certificate2, Boolean) - Determines whether the Signature property verifies for the specified X509Certificate2 object and, optionally, whether the certificate is valid.

https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.xml.signedxml.checksignature?view=dotnet-plat-ext-6.0

Answer 1

Generally, using the no-argument CheckSignature() is a bad idea. It's only really appropriate if you also verify that the key in KeyInfo is "correct" and/or "trustworthy". This is sort of hard to do... so, basically, never call this version.

The CheckSignature(AsymmetricAlgorithm) and CheckSignature(X509Certificate2, bool) overloads avoid this problem by assuming you've already decided that the input was a contextually-acceptable key.

(Opinion: Also, SignedXml is an archaic component based on a very poor specification. Don't use it unless you have to to interoperate with something that is already using it.)