Validate PKCS#7 signature
There are several ways to validate PKCS#7-based signatures with SecureBlackbox. This article covers the simplest one, based on the TElMessageVerifier component. If you need finer control over the validation process, or have to establish compliance with a particular signature profile (e.g. CAdES), consider using the TElSignedCMSMessage or TElCMSSignature classes instead.
To verify a signature using TElMessageVerifier, point the component at the certificate storage holding the signer's certificate (needed when the signature does not embed it), find out whether the signature is attached or detached, and call the matching verification method. Verify() takes the signature first and writes the signed content to its second parameter; VerifyDetached() takes the content as its first parameter and the signature as the second:

verifier.CertStorage = certStorage;
bool detached = TElMessageVerifier.IsSignatureDetached(sigStream);
int r = detached
    ? verifier.VerifyDetached(contentStream, sigStream) // detached signature: content first, then the signature
    : verifier.Verify(sigStream, contentStream);        // attached signature: contentStream receives the signed content
Always check the returned value: a successful verification returns 0, and any other value is an error code. Treating a non-zero result as "signed" is the most common mistake made with this API.
Remember that Verify() and VerifyDetached() only verify the cryptographic integrity of the signature: that the signed content has not been altered and that the signature was produced with the key of the certificate the signature references. They do not check that this certificate is valid (within its validity period, not revoked, chained to a trusted root), nor that it belongs to the party you expect; any certificate that verifies the signature will do. Checking both is your responsibility. Consider using the TElX509CertificateValidator class to validate the signing certificate, as explained in its own help topic.
Once the signature is validated, you can access the certificates embedded in it, along with any PKCS#7 attributes, via TElMessageVerifier's Certificates and Attributes properties. The SigningTime and HashAlgorithm properties contain the signature creation time (as claimed by the signer) and the hash algorithm used.
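The steps above, put together as one routine, as an added example that is not part of the SecureBlackbox documentation. It verifies an attached or detached signature, refuses a non-zero return code, pins the expected signer by issuer and serial number, and then validates that certificate's chain with TElX509CertificateValidator. Assumed rather than taken from this page: the namespaces in the using directives, the parameterless constructors, the get_Certificates(i) accessor for indexed certificate access, TElX509CertificateValidator.Validate(cert, ref validity, ref reason) with TSBCertificateValidity.cvOk as the success value, the SBConstants hash-algorithm identifiers, and that the signature stream must be rewound after IsSignatureDetached(). Check these against the API reference of your installed version before relying on them.

```csharp
using System;
using System.IO;
using System.Linq;
using SBMessages.Unit;          // TElMessageVerifier (assumed namespace)
using SBCustomCertStorage.Unit; // TElMemoryCertStorage, TSBCertificateValidity (assumed namespace)
using SBX509.Unit;              // TElX509Certificate (assumed namespace)
using SBCertValidator.Unit;     // TElX509CertificateValidator (assumed namespace)
using SBConstants.Unit;         // SB_ALGORITHM_DGST_* identifiers (assumed namespace)

public static class Pkcs7SignatureCheck
{
    // Verifies a PKCS#7 signature and returns the signed content. For a detached
    // signature 'content' must hold the original data; for an attached one it may be null.
    // 'knownCerts' holds the trust anchors and any signer certificate the signature may
    // not embed. Any failure throws: a silently ignored result is exactly the bug to avoid.
    public static byte[] VerifyAndValidate(Stream sigStream, Stream content,
        TElMemoryCertStorage knownCerts, byte[] expectedSerial, string expectedIssuerCN)
    {
        var verifier = new TElMessageVerifier();
        verifier.CertStorage = knownCerts;

        bool detached = TElMessageVerifier.IsSignatureDetached(sigStream);
        sigStream.Position = 0; // assumption: the probe may have advanced the stream

        var signedContent = new MemoryStream();
        int r;
        if (detached)
        {
            if (content == null)
                throw new ArgumentException("a detached signature needs its content", nameof(content));
            r = verifier.VerifyDetached(content, sigStream);
            content.Position = 0;
            content.CopyTo(signedContent);
        }
        else
        {
            r = verifier.Verify(sigStream, signedContent);
        }

        // Step 1: cryptographic integrity. Only 0 means the signature matches the content.
        if (r != 0)
            throw new InvalidOperationException("signature verification failed, error code " + r);

        // Reject signatures made with a broken digest even if they verify.
        if (verifier.HashAlgorithm == SB_ALGORITHM_DGST_MD5 || verifier.HashAlgorithm == SB_ALGORITHM_DGST_SHA1)
            throw new InvalidOperationException("signature uses a weak hash algorithm: " + verifier.HashAlgorithm);

        // Step 2: identity. CMS identifies the signer by issuer and serial number, so the
        // certificate the verifier used is the one with that identity, embedded in the
        // signature or supplied through CertStorage. Pin it instead of accepting any signer.
        TElX509Certificate signer = FindByIssuerAndSerial(verifier.Certificates, expectedSerial, expectedIssuerCN)
                                 ?? FindByIssuerAndSerial(knownCerts, expectedSerial, expectedIssuerCN);
        if (signer == null)
            throw new InvalidOperationException("signature was not produced by the expected certificate");

        // Step 3: certificate validity. The chain check also rules out a forged certificate
        // that merely reuses the expected issuer and serial number with a different key.
        var validator = new TElX509CertificateValidator();
        validator.AddTrustedCertificates(knownCerts);
        validator.CheckCRL = true;
        validator.CheckOCSP = true;

        TSBCertificateValidity validity = TSBCertificateValidity.cvInvalid;
        int reason = 0;
        validator.Validate(signer, ref validity, ref reason); // assumed signature
        if (validity != TSBCertificateValidity.cvOk)
            throw new InvalidOperationException("signing certificate is not valid: " + validity + ", reason " + reason);

        // SigningTime is asserted by the signer, not by a trusted third party; log it, do not trust it.
        Console.WriteLine("Signed at " + verifier.SigningTime + " with hash algorithm id " + verifier.HashAlgorithm);
        return signedContent.ToArray();
    }

    // Looks a certificate up by serial number and issuer common name.
    // get_Certificates(i) is the assumed .NET accessor for the indexed Certificates property.
    private static TElX509Certificate FindByIssuerAndSerial(TElMemoryCertStorage storage,
        byte[] serial, string issuerCN)
    {
        if (storage == null) return null;
        for (int i = 0; i < storage.Count; i++)
        {
            TElX509Certificate c = storage.get_Certificates(i);
            if (c.SerialNumber.SequenceEqual(serial) && c.IssuerName.CommonName == issuerCN)
                return c;
        }
        return null;
    }
}
```

Matching on issuer and serial number alone is only safe because the matched certificate is then chained to the trust anchors in knownCerts; without step 3, anyone could embed a self-made certificate carrying the expected identity and pass the check. Keep knownCerts to the roots and intermediates you actually trust, since AddTrustedCertificates() treats everything in it as a trust anchor.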