Discuss this help topic in SecureBlackbox Forum

Validate PKCS#7 signature

There are several ways to validate PKCS#7-based signatures with SecureBlackbox. This article concerns the simplest method based on the TElMessageVerifier component. For greater flexibility of the validation process or to establish certain signature profile compliance (e.g. CAdES-based), please consider using TElSignedCMSMessage or TElCMSSignature classes.

To verify a signature using TElMessageVerifier:

  1. Create an instance of TElMessageVerifier class.
  2. (Optionally) Load the signer's public certificate into a TElMemoryCertStorage object. This step is optional because the signer's certificates are often included in the signature itself.
  3. Attach the certificate storage to the verifier: verifier.CertStorage = certStorage;
  4. Use the static IsSignatureDetached() method to find out whether the message contains an enveloping or a detached signature: bool detached = TElMessageVerifier.IsSignatureDetached(sigStream);
  5. If validating an enveloping (non-detached) signature, pass your signature to the Verify() method; the second parameter receives the signed content: int r = verifier.Verify(sigStream, contentStream); If validating a detached signature, use the VerifyDetached() method instead and pass the content as its first parameter: int r = verifier.VerifyDetached(contentStream, sigStream); In both cases it is important to check the returned value. A successful verification always completes with 0; any other value indicates an error and the signature must not be treated as valid.
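The five steps above, put together as one added C# example (this is not code from the SecureBlackbox documentation). It uses only the members named on this page, plus two assumed loader calls for the optional step 2: TElX509Certificate.LoadFromStream(Stream, int) and TElMemoryCertStorage.Add(TElX509Certificate, bool); the namespaces SBMessages, SBCustomCertStorage and SBX509 are assumed to be those of the .NET edition, and the file paths are placeholders. The signature stream is rewound after the static IsSignatureDetached() check as a defensive measure, since that call reads from the stream.

```csharp
// Added example, not part of the SecureBlackbox documentation.
// Assumed: .NET namespaces SBMessages / SBCustomCertStorage / SBX509,
// TElX509Certificate.LoadFromStream(Stream, int) and
// TElMemoryCertStorage.Add(TElX509Certificate, bool).
using System;
using System.IO;
using SBMessages;            // TElMessageVerifier
using SBCustomCertStorage;   // TElMemoryCertStorage
using SBX509;                // TElX509Certificate

static class Pkcs7SignatureCheck
{
    // Returns true only if Verify()/VerifyDetached() reported 0.
    // signerCertPath may be null when the signature carries the signer's certificate.
    public static bool VerifySignatureFile(string sigPath, string contentPath, string signerCertPath)
    {
        // Step 1: the verifier.
        var verifier = new TElMessageVerifier();

        // Step 2 (optional): pre-load the expected signer certificate.
        var certStorage = new TElMemoryCertStorage();
        if (signerCertPath != null)
        {
            var cert = new TElX509Certificate();
            using (var cs = File.OpenRead(signerCertPath))
                cert.LoadFromStream(cs, 0);   // assumed signature: (stream, count), 0 = read to end
            certStorage.Add(cert, false);     // assumed signature: (certificate, copyPrivateKey)
        }

        // Step 3: attach the storage.
        verifier.CertStorage = certStorage;

        using (var sigStream = File.OpenRead(sigPath))
        {
            // Step 4: enveloping or detached?
            bool detached = TElMessageVerifier.IsSignatureDetached(sigStream);
            sigStream.Position = 0;   // defensive rewind before the verifier reads the stream

            // Step 5: verify, and treat anything other than 0 as failure.
            int r;
            if (detached)
            {
                using (var contentStream = File.OpenRead(contentPath))
                    r = verifier.VerifyDetached(contentStream, sigStream);
            }
            else
            {
                // For enveloping signatures the content is an output: give Verify() a writable stream.
                using (var extractedContent = new MemoryStream())
                {
                    r = verifier.Verify(sigStream, extractedContent);
                    // extractedContent now holds the signed data (only meaningful if r == 0).
                }
            }

            if (r != 0)
            {
                Console.WriteLine("Signature verification failed, code " + r);
                return false;
            }
        }

        // Integrity is established; report what the signature says about itself.
        Console.WriteLine("Signing time: " + verifier.SigningTime);
        Console.WriteLine("Hash algorithm id: " + verifier.HashAlgorithm);
        Console.WriteLine("Certificates carried in the signature: " + verifier.Certificates.Count);

        // NOTE: a 0 result says nothing about whether the signing certificate is trusted
        // or is the one you expected. Validate it separately (e.g. with
        // TElX509CertificateValidator) before acting on the content.
        return true;
    }

    static void Main(string[] args)
    {
        // Placeholder paths; replace with real files.
        bool ok = VerifySignatureFile("message.p7s", "message.dat", null);
        Environment.Exit(ok ? 0 : 1);
    }
}
```

The point of routing both branches through a single return-code check is that an enveloping and a detached signature need different call shapes but the same acceptance rule: anything other than 0 is a failed verification, and the extracted content from the enveloping branch should only be used when that check has passed.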

Remember that Verify() and VerifyDetached() only verify the integrity and validity of the signature. They neither check the validity of the signing certificate, nor ensure that the expected certificate was used at all. It is your responsibility to check that the certificate is the correct one and that it is valid. You might consider using the TElX509CertificateValidator class to validate the signing certificate as explained here.

Once the signature is validated, you can access the certificates it stores along with any PKCS#7 attributes via TElMessageVerifier's Certificates and Attributes properties. SigningTime and HashAlgorithm properties contain information about signature creation time and its hash algorithm.

How To articles about PKCS7 signing and encryption
