Discuss this help topic in SecureBlackbox Forum

EDI: Verify a signature of an AS2/AS3 message

Signed messages are verified automatically as they are loaded. The result of the verification is available as the value of the Signature.VerificationResult property. If the value is 0, the signature is valid; otherwise the value is one of the error codes described in the "Message Error Codes" topic. IMPORTANT: because the result of signature verification is not critical for data extraction, no exception is thrown if signature verification fails; the application has to check Signature.VerificationResult itself.

Signatures can be verified with local certificate(s) or with the certificate(s) embedded in signatures or both.

If you want to use only local certificates, load the trusted certificate(s) into a certificate storage and assign it to the Signature.CertStorage property. This can be done before calling the Load() method or in the handler of the OnVerifyIDs event. The voUseLocalCerts option must also be included in the Signature.VerificationOptions property.

If you also want to use the certificates included in the message, include the voUseEmbeddedCerts option in the Signature.VerificationOptions property. In this case the signing certificate MUST be validated to ensure that it belongs to the message originator: an embedded certificate only proves that the signature matches the certificate the sender chose to attach, not who the sender is.

The signature verification result is available as the Signature.VerificationResult property value after Load returns. If the result is not 0 (success), it is also added to the message processing errors list.

During the verification process the following events are fired, in this order:

  1. OnVerifying - the event occurs just before signature verification is executed. This event gives access to the configured instance of the TElMessageVerifier class.
  2. OnVerifyIDs - the event occurs when the ID of the signing certificate becomes known. In the event handler it is possible to find out which certificate was used to sign the message and which certificates are included in the signature. This is also the last chance to tweak the signature verification options.
  3. OnVerify - the event occurs just after the signature has been verified. This is the right place to validate the signing certificate(s) if an embedded certificate was used to verify the signature. The signed and unsigned attributes included in the signature can also be accessed here.

Examples:

C#:

TElAS2Message message = new TElAS2Message();

// use only local certificates to verify messages signatures
message.Signature.VerificationOptions |= SBMessages.Unit.voUseLocalCerts;
message.Signature.VerificationOptions &= ~SBMessages.Unit.voUseEmbeddedCerts;

// create an empty storage, the appropriate certificate will be loaded later
message.Signature.CertStorage = new TElMemoryCertStorage();

// create an event handler which will load the necessary certificate
// to the empty certificate storage
message.OnVerifyIDs += delegate(Object sender, TElASMessageVerifier verifier)
{
    // load the certificate of the specified signer
    // (LoadLocalCertificate is an application method that has to be created)
    LoadLocalCertificate(
        // where to load the necessary certificate
        message.Signature.CertStorage,
        // ID of the certificate which signed the message
        (verifier as TElASSMIMEMessageVerifier).Verifier.get_CertIDs(0)
        );
};

try
{
    // actually load the message from one stream and
    // extract the included data to another stream
    if (!message.Load(messageStream, dataStream))
    {
        // there were some issues while loading the message

        // check if the message is signed and if the signature is valid;
        // note that an unsigned message has Signature.Enabled == false and
        // never reaches the inner branch, so the caller has to decide
        // separately whether unsigned messages are acceptable at all
        if (message.Signature.Enabled &&
            message.Signature.VerificationResult != 0)
        {
            Console.WriteLine("Failed to verify message signature: {0}",
                message.Signature.VerificationResult);
        }
    }
}
catch (Exception err)
{
    Console.WriteLine("Failed to extract included data: {0}", err.Message);
}
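The following is an added example, not part of the SecureBlackbox help, showing the two-source configuration described above: local trusted certificates are used where available, and certificates embedded in the message are accepted only after the OnVerify handler has validated the signer. It assumes that OnVerify uses the same (sender, verifier) handler signature as OnVerifyIDs, that trustedStorage is a TElMemoryCertStorage already filled with the partner's certificates, and that ValidateSigningCertificate is an application-supplied method (like LoadLocalCertificate above) that chains the embedded signing certificate to the trusted storage and returns true only if it belongs to the expected originator.

```csharp
// Added example, not from the SecureBlackbox help. Assumptions: OnVerify has the
// same (sender, verifier) handler signature as OnVerifyIDs; trustedStorage is a
// TElMemoryCertStorage already holding the partner's certificates; and
// ValidateSigningCertificate(TElMessageVerifier, TElCustomCertStorage) is an
// application method that returns true only for a certificate of the originator.
static bool LoadTrustedMessage(System.IO.Stream messageStream,
                               System.IO.Stream dataStream,
                               TElMemoryCertStorage trustedStorage)
{
    TElAS2Message message = new TElAS2Message();

    // accept certificates from the local storage and from the message itself
    message.Signature.VerificationOptions |= SBMessages.Unit.voUseLocalCerts |
                                             SBMessages.Unit.voUseEmbeddedCerts;
    message.Signature.CertStorage = trustedStorage;

    // set by OnVerify; stays false if the event never fires (unsigned message)
    bool signerValidated = false;

    message.OnVerify += delegate(Object sender, TElASMessageVerifier verifier)
    {
        // the signature itself has been checked at this point; now check that
        // the certificate which produced it is one we trust for this partner
        TElMessageVerifier v = (verifier as TElASSMIMEMessageVerifier).Verifier;
        signerValidated = ValidateSigningCertificate(v, trustedStorage);
    };

    try
    {
        message.Load(messageStream, dataStream);
    }
    catch (Exception err)
    {
        Console.WriteLine("Failed to extract included data: {0}", err.Message);
        return false;
    }

    // Load does not throw on a bad signature, so gate on the result explicitly:
    // unsigned, badly signed, or an unvalidated embedded signer all mean reject
    bool trusted = message.Signature.Enabled
                && message.Signature.VerificationResult == 0
                && signerValidated;
    if (!trusted)
    {
        Console.WriteLine("Rejecting message: VerificationResult={0}, signer validated={1}",
            message.Signature.VerificationResult, signerValidated);
        // dataStream already holds the extracted payload; the caller must discard it
    }
    return trusted;
}
```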
