Discuss this help topic in SecureBlackbox Forum

SOAP: Verify signature

To validate the SOAP or WS-Security signature(s) you should perform the following steps:

  1. Traverse the loaded signatures using the TElXMLSOAPMessage.SignatureHandlerCount and TElXMLSOAPMessage.SignatureHandlers[] properties.
  2. For each signature, call the TElXMLSOAPBaseSignatureHandler.Validate() method and then perform signer / key validation or XAdES information validation (where applicable). The Validate() method performs XML digital signature validation; it is equivalent to calling both the TElXMLVerifier.ValidateSignature() and TElXMLVerifier.ValidateReferences() methods. You can access the TElXMLVerifier object used for validation through the TElXMLSOAPBaseSignatureHandler.Verifier property.
  3. If the Validate() method returns the ssvsNoKey result, you should ask the user for a key / certificate and then pass it as a parameter to the Validate() method to re-validate the signature.
  4. If the Validate() method returns the ssvsValid result, you should then validate the signer's key or certificate and/or the XAdES information.

To check whether a valid signature contains XAdES information, inspect the value of the TElXMLSOAPBaseSignatureHandler.XAdESProcessor property. If the property value is not null/nil/Nothing, cast it to TElXAdESVerifier and check whether the IsEnabled property of the cast object is true. If it is, call the TElXAdESVerifier.Validate() method to validate the XAdES information and the signer certificate.

If one or both of the above conditions are not met, you can get the signer certificate or key data using the SignerCertificate and SignerKeyData properties of the signature, and then verify the certificate or key. If the signature was made with a certificate, the SignerCertificate property will contain that certificate, and you need to validate it. If SignerCertificate is empty, or you want to perform custom certificate verification, you can check whether the key or certificate belongs to this signer in an application-defined way (for example, the public key could be stored in a database and associated with a customer name).

If the signature includes a certificate chain, you can reach these certificates via the Certificates property of the signature.
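The steps above combined into one routine, as an added Delphi example that is not SecureBlackbox's own code. It assumes the unit names in the uses clause, that the handler's Validate() has a parameterless overload and one taking a TElX509Certificate, that TElXAdESVerifier.Validate() returns a Boolean, and that TCertPolicy / TKeyPolicy are callbacks the application supplies with its own trust checks.

```delphi
uses
  SBXMLSOAP, SBXMLAdES, SBX509;   // unit names assumed for this example

type
  // Application-defined trust decisions (e.g. look the key up in a database).
  TCertPolicy = function(Cert: TElX509Certificate): Boolean;
  TKeyPolicy  = function(Handler: TElXMLSOAPBaseSignatureHandler): Boolean;

// True only if every signature in Msg is cryptographically valid AND its
// signer is accepted. FallbackCert stands in for the "ask the user" step.
function AllSignaturesTrusted(Msg: TElXMLSOAPMessage;
  FallbackCert: TElX509Certificate; CertOK: TCertPolicy;
  KeyOK: TKeyPolicy): Boolean;
var
  I: Integer;
  H: TElXMLSOAPBaseSignatureHandler;
  DSigValid: Boolean;
begin
  Result := False;
  if Msg.SignatureHandlerCount = 0 then Exit;   // unsigned is not "verified"
  for I := 0 to Msg.SignatureHandlerCount - 1 do
  begin
    H := Msg.SignatureHandlers[I];
    // Steps 2-3: XML-DSig check (SignatureValue plus every Reference digest);
    // on ssvsNoKey retry once with the certificate the application supplies.
    case H.Validate() of
      ssvsValid: DSigValid := True;
      ssvsNoKey: DSigValid := (FallbackCert <> nil) and
                              (H.Validate(FallbackCert) = ssvsValid);
    else
      DSigValid := False;
    end;
    if not DSigValid then Exit;
    // Step 4: a valid signature only proves key/signature agreement; now decide
    // whether that signer is trusted. XAdES data takes precedence if present.
    if (H.XAdESProcessor is TElXAdESVerifier) and
       TElXAdESVerifier(H.XAdESProcessor).IsEnabled then
    begin
      // validates the XAdES properties together with the signer certificate
      if not TElXAdESVerifier(H.XAdESProcessor).Validate() then Exit;
    end
    else if H.SignerCertificate <> nil then
    begin
      if not CertOK(H.SignerCertificate) then Exit;
    end
    else if (H.SignerKeyData = nil) or (not KeyOK(H)) then
      Exit;                                   // nothing ties it to a signer
  end;
  Result := True;
end;
```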
