Discuss this help topic in SecureBlackbox Forum

Validate CryptoAPI signature

To validate a signature with CryptoAPI signature handler you need to

  1. load the document into an instance of TElOfficeBinaryDocument class
  2. traverse the loaded signatures using SignatureHandlerCount and SignatureHandlers[] properties of TElOfficeBinaryDocument.
  3. check the type of signature handler object to verify that it is of TElOfficeBinaryCryptoAPISignatureHandler type. If the check is successful, cast SignatureHandlers[index] object to TElOfficeBinaryCryptoAPISignatureHandler type and then call Validate() method of the handler to validate the signature.
  4. If the signature is valid, then you should perform validation of the signer certificate. You can retrieve the signer certificate using Certificate property of the handler object. Additional (intermediate) certificates can be retrieved using IntermediateCertificatesStorage property.
  5. Additionally, you may need to check the values of SignTime and ExpireTime properties of the handler.


bool ValidateBinaryCryptoAPISignature(string sourceFilename)
    using (TElOfficeDocument Document = new TElOfficeDocument())
        if ((Document.DocumentFormat != TSBOfficeDocumentFormat.Binary) || !Document.IsSigned)
            throw new Exception("Cannot validate Binary CryptoAPI signature");

        bool Result = true;
        for (int i = 0; i < Document.SignatureHandlerCount; i++)
            if (!(Document.get_SignatureHandlers(i) is TElOfficeBinaryCryptoAPISignatureHandler))
                throw new Exception("Unexpected signature handler");

            TElOfficeBinaryCryptoAPISignatureHandler BinCryptoAPISigHandler = (TElOfficeBinaryCryptoAPISignatureHandler)(Document.get_SignatureHandlers(i));

            TSBOfficeBinarySignatureValidationStatus BinValidationStatus = BinCryptoAPISigHandler.Validate();
            Result = Result && (BinValidationStatus == TSBOfficeBinarySignatureValidationStatus.Valid);

            TElX509Certificate SignerCertificate = BinCryptoAPISigHandler.Certificate;
            TElCustomCertStorage AdditionalCertificates = BinCryptoAPISigHandler.IntermediateCertificatesStorage;
            DateTime SigningTime = BinCryptoAPISigHandler.SignTime;
            // then use TElX509CertificateValidator object to validate the signer certificate

        return Result;

function ValidateBinaryCryptoAPISignature(const SourceFilename : string) : Boolean;
  Document : TElOfficeDocument;
  BinCryptoAPISigHandler : TElOfficeBinaryCryptoAPISignatureHandler;
  BinValidationStatus : TSBOfficeBinarySignatureValidationStatus;
  SignerCertificate : TElX509Certificate;
  AdditionalCertificates : TElCustomCertStorage;
  SigningTime : TDateTime;
  i : Integer;
  Document := TElOfficeDocument.Create(nil);
    if (Document.DocumentFormat <> dfBinary) or not Document.IsSigned then
      raise Exception.Create('Cannot validate Binary CryptoAPI signature');

    Result := true;
    for i := 0 to Document.SignatureHandlerCount - 1 do
      if Document.SignatureHandlers[i] is TElOfficeBinaryCryptoAPISignatureHandler then
        BinCryptoAPISigHandler := TElOfficeBinaryCryptoAPISignatureHandler(Document.SignatureHandlers[i])
        raise Exception.Create('Unexpected signature handler');

      BinValidationStatus := BinCryptoAPISigHandler.Validate();
      Result := Result and (BinValidationStatus = bsvsValid);

      SignerCertificate := BinCryptoAPISigHandler.Certificate;
      AdditionalCertificates := BinCryptoAPISigHandler.IntermediateCertificatesStorage;
      SigningTime := BinCryptoAPISigHandler.SignTime;
      // then use TElX509CertificateValidator object to validate the signer certificate

How To articles about MS Office binary documents

Discuss this help topic in SecureBlackbox Forum