Discuss this help topic in SecureBlackbox Forum

Validate CAdES signature

Validation of CAdES signature depends on the specific environment. The first and the foremost, you need to check the signature's validity, i.e., make sure it corresponds to the signed data. This confirms that the data hasn't been changed in transit, and that the signer produced the signature over exactly the same revision of data.

The next step, validation of the signer's trust, is the most complicated part in CAdES validation. This procedure ensures that it was actually the signer who made the signature, and that the signature was produced at the time it claims it was. Hence, the certificate chain of the signer's certificate should be validated and checked against revocation information (at the moment of signing). The latter may involve contacting third parties (CRL and OCSP services) to obtain certificate statuses at the requested time. Similar validations have to be performed for subordinate chains such as the timestamp service chains.

Higher level policies might set certain compliance requirements for all signatures operating within the environment such as compliance to a particular signature profile (e.g. CAdES-T). Those have to be checked on the final stage of CAdES validation.

To validate a CAdES signature with SecureBlackbox:

  1. Load your CAdES message into a TElSignedCMSMessage object.
  2. Find the required signature in the list and load it into a TElCMSSignature object: TElCMSSignature sig = cms.get_Signatures(0);
  3. Create a TElCAdESSignatureProcessor object passing your signature to the constructor:
    TElCAdESSignatureProcessor processor = new TElCAdESSignatureProcessor(sig);
    processor.ValidationMoment = sig.SigningTime; // or, alternatively, sig.get_Timestamps(0).Info.Time;
  4. Call the processor's Validate() method: TSBCAdESSignatureValidity validity = processor.Validate(); It will return one of the following values:
    • asvValid — the signature is valid;
    • asvInvalid — the signature is not valid. Check CompatibilityErrors for the details.
    • asvIncomplete — the signature value is valid, but the verifier was unable to collect all required revocation information to confirm signer's genuineness.
  5. If needed, check that the signature corresponds to the needed CAdES profile (e.g. CAdES-T): bool isT = processor.IsT();

How To articles about CAdES

Discuss this help topic in SecureBlackbox Forum