Discuss this help topic in SecureBlackbox Forum

Verify and extract the signed data (embedded and detached signatures)

To verify a signature made with X.509 certificates in PKCS#7 format, use the TElMessageVerifier component.

To find out whether you have a regular ("wrapping", with the data embedded) or a detached signature, use the IsSignatureDetached() class method of TElMessageVerifier.

Verification options are set through the VerificationOptions property.

Call the Verify() method of TElMessageVerifier to verify a regular signature and extract the signed data.
Call the VerifyDetached() method of TElMessageVerifier to verify a detached signature; the data that was signed must be supplied separately, since it is not part of the signature.

In SecureBlackbox 5 and later, both methods accept either a data buffer or a data stream.

If the signed data is a text string, either build the string from the extracted data buffer, or extract to a MemoryStream (available in .NET Framework and in VCL) and read the string from that stream. Remember to use the encoding the signer used when converting the bytes to text.

After Verify() or VerifyDetached() returns, the Certificates property of TElMessageVerifier is filled with the certificates used to sign and/or countersign the document. The IDs (issuer and serial number) of the certificates used to sign and to countersign the data are accessible through the CertIDCount and CertIDs[] properties and the CountersignatureCertIDCount and CountersignatureCertIDs[] properties of TElMessageVerifier respectively.

Note that if the signer did not include the certificates in the signature, you will not get the certificates, only their IDs. In this case the OnCertIDs event is fired; in its handler, set the CertStorage property of TElMessageVerifier to a TElMemoryCertStorage holding the certificates that correspond to those IDs, so that the verifier can find the public keys it needs.

If you are verifying a MAC signature, use the CertStorage property of TElMessageVerifier to supply a certificate together with its private key; that key is used to decrypt the MAC. The certificate must be one of those used when the MAC signature was created.

Note that TElMessageVerifier does not validate the certificates used to sign the data: a successful Verify() only shows that the signature matches the public key of a certificate, whether that certificate came from the message or from CertStorage. Checking the certificate's chain, validity period, revocation status and trust is the application's job.

Timestamps are accessible through the TimestampCount and Timestamps[] properties of TElMessageVerifier. If timestamp verification is enabled through the VerificationOptions property, the timestamps are verified automatically. Again, the certificates used to sign the timestamps are not validated by TElMessageVerifier and must be validated by the application. Read more about timestamping in PKCS#7 in the corresponding how-to article.

Use the Attributes property to access the attributes that were specified when the data was signed. The integrity of the authenticated (signed) attributes is verified automatically, because the signature covers them.
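The following program is an added illustration, not SecureBlackbox code: it does by hand what this topic describes TElMessageVerifier doing, so the PKCS#7 mechanics behind IsSignatureDetached(), Verify()/VerifyDetached(), CertIDs[], CertStorage and the "certificates are not validated" note are visible. It tells an embedded signature from a detached one, extracts the signed data, records each signer's certificate ID (issuer name and serial number), resolves the certificate from those embedded in the message or from a caller-supplied store, checks the messageDigest signed attribute and the RSA signature, and hands back the signer certificate unvalidated for the application to validate. The DER parsing is written out so the PKCS#7 fields are visible; the cryptography package is used only to build a throwaway self-signed certificate and test message and to check the RSA signature. The function names, the cert_storage parameter, the status strings and the constructed sample payload are this example's own and not SecureBlackbox identifiers.

```python
import datetime
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import Encoding, pkcs7
from cryptography.x509.oid import NameOID

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")     # 1.2.840.113549.1.7.2
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
OID_SHA256 = bytes.fromhex("608648016503040201")          # 2.16.840.1.101.3.4.2.1


def der_children(buf):
    """DER constructed value -> [(tag, value, whole_tlv)]. Single-byte tags, definite lengths only."""
    out, pos = [], 0
    while pos < len(buf):
        start, tag, ln = pos, buf[pos], buf[pos + 1]
        pos += 2
        if ln & 0x80:  # long form: the low bits count the length bytes that follow
            n = ln & 0x7F
            if not n:
                raise ValueError("indefinite length is not DER")
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln], buf[start:pos + ln]))
        pos += ln
    return out


def signed_data_fields(sig):
    """ContentInfo -> SignedData children: version, digestAlgorithms, encapContentInfo, [0] certs, [1] crls, signerInfos."""
    (tag, ci, _), = der_children(sig)
    (_, oid, _), (_, wrapped, _) = der_children(ci)  # contentType, [0] EXPLICIT content
    if tag != 0x30 or oid != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData message")
    (_, sd, _), = der_children(wrapped)
    return der_children(sd)


def is_signature_detached(sig):
    """True when encapContentInfo holds only eContentType, i.e. no eContent (the page's IsSignatureDetached)."""
    return len(der_children(signed_data_fields(sig)[2][1])) == 1


def verify(sig, detached_data=None, cert_storage=()):
    """Check every SignerInfo; return (content, cert_ids, signer_certs).
    cert_storage stands in for CertStorage: certificates the application holds for signers
    that embedded none. The returned certificates verified the signature but are NOT validated."""
    fields = signed_data_fields(sig)
    encap = der_children(fields[2][1])
    if len(encap) == 1:  # detached: the data is not in the message, the caller must supply it
        if detached_data is None:
            raise ValueError("detached signature: the signed data must be supplied")
        content = detached_data
    else:
        (_, content, _), = der_children(encap[1][1])  # [0] EXPLICIT OCTET STRING eContent
    by_tag = {t: v for t, v, _ in fields[3:]}
    # Certificates carried inside the message are untrusted input: they only help locate a key.
    embedded = [x509.load_der_x509_certificate(raw) for _, _, raw in der_children(by_tag.get(0xA0, b""))]
    candidates = embedded + list(cert_storage)
    signer_infos = der_children(by_tag[0x31])
    if not signer_infos:
        raise ValueError("no SignerInfo: nothing to verify")
    cert_ids, signers = [], []
    for _, si, _ in signer_infos:
        parts = der_children(si)  # version, sid, digestAlgorithm, [0] signedAttrs?, sigAlgorithm, signature
        (_, _, issuer_der), (_, serial, _) = der_children(parts[1][1])
        cert_id = (issuer_der, int.from_bytes(serial, "big", signed=True))  # the page's CertIDs[] entry
        cert_ids.append(cert_id)
        if der_children(parts[2][1])[0][1] != OID_SHA256:
            raise ValueError("unsupported digest algorithm")
        signed = content
        if parts[3][0] == 0xA0:  # signed attributes: they must bind the content, and the signature covers them
            md = None
            for _, attr, _ in der_children(parts[3][1]):
                (_, oid, _), (_, vals, _) = der_children(attr)
                if oid == OID_MESSAGE_DIGEST:
                    md = der_children(vals)[0][1]
            if md != hashlib.sha256(content).digest():
                raise ValueError("messageDigest attribute does not match the content")
            signed = b"\x31" + parts[3][2][1:]  # RFC 5652 5.4: the signature is over the attributes as a DER SET
        signature = next(v for t, v, _ in parts[3:] if t == 0x04)
        cert = next((c for c in candidates if (c.issuer.public_bytes(), c.serial_number) == cert_id), None)
        if cert is None:
            raise LookupError(f"no certificate for signer serial {cert_id[1]}: supply it via cert_storage")
        cert.public_key().verify(signature, signed, padding.PKCS1v15(), hashes.SHA256())  # InvalidSignature if bad
        signers.append(cert)
    return content, cert_ids, signers


def verify_status(sig, detached_data=None, cert_storage=()):
    """Collapse verify()'s outcome into a status string (this example's own, not a SecureBlackbox code)."""
    try:
        verify(sig, detached_data, cert_storage)
        return "verified"
    except LookupError:
        return "no certificate"
    except (InvalidSignature, ValueError):
        return "rejected"


def make_demo_signature(data, detached, embed_cert):
    """Constructed test input: throwaway RSA key and self-signed certificate, signed with cryptography's builder."""
    key = rsa.generate_private_key(65537, 2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo signer")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number()).not_valid_before(now - datetime.timedelta(hours=1))
            .not_valid_after(now + datetime.timedelta(days=1)).sign(key, hashes.SHA256()))
    opts = [pkcs7.PKCS7Options.Binary]  # sign the bytes as given, no line-ending canonicalisation
    if detached:
        opts.append(pkcs7.PKCS7Options.DetachedSignature)
    if not embed_cert:
        opts.append(pkcs7.PKCS7Options.NoCerts)
    return pkcs7.PKCS7SignatureBuilder().set_data(data).add_signer(cert, key, hashes.SHA256()).sign(Encoding.DER, opts), cert


if __name__ == "__main__":
    payload = b"constructed sample payload"
    sig, cert = make_demo_signature(payload, detached=True, embed_cert=False)
    print(is_signature_detached(sig), verify_status(sig, payload), verify_status(sig, payload, [cert]))
```

Run stand-alone, the last line prints that the signature is detached, that it cannot be verified while the signer's certificate is unknown, and that it verifies once the certificate is supplied through cert_storage, which is the situation the OnCertIDs event exists for. Two details matter for any hand-written verifier: the signature over signed attributes is computed over the attributes re-tagged as a SET (0x31), not as the [0] IMPLICIT (0xA0) they are stored as, and the messageDigest attribute has to be compared with a fresh digest of the content, or a signature over the attributes would prove nothing about the data. As on the page, the certificate returned in signer_certs has only been matched by key; chain, validity period and revocation checks remain the application's responsibility.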

How To articles about PKCS7 signing and encryption
