Sample code for 30+ languages & platforms
Visual FoxPro

Validate CAdES-T Signature (.p7m)

See more CAdES Examples

Validates a CAdES-T CMS signature and extracts the time-stamp token and gets information about it. Also validates the time-stamp token.

Chilkat Visual FoxPro Downloads

Visual FoxPro
LOCAL lnSuccess
LOCAL loCrypt
LOCAL loCmsOptions
LOCAL loJson
LOCAL i
LOCAL lnCount_i
LOCAL lcStrVal
LOCAL lcCertSerialNumber
LOCAL lcCertIssuerCN
LOCAL lcCertIssuerDN
LOCAL lcCertDigestAlgOid
LOCAL lcCertDigestAlgName
LOCAL lcContentType
LOCAL loSigningTime
LOCAL lcMessageDigest
LOCAL lcSigningAlgOid
LOCAL lcSigningAlgName
LOCAL lcAuthAttrContentTypeName
LOCAL lcAuthAttrContentTypeOid
LOCAL lcAuthAttrSigningTimeName
LOCAL loAuthAttrSigningTimeUtctime
LOCAL lcAuthAttrMessageDigestName
LOCAL lcAuthAttrMessageDigestDigest
LOCAL lcAuthAttrSigningCertificateV2Name
LOCAL lcAuthAttrSigningCertificateV2Der
LOCAL lcUnauthAttrTimestampTokenName
LOCAL lcUnauthAttrTimestampTokenDer
LOCAL lnUnauthAttrTimestampTokenTimestampSignatureVerified
LOCAL lcUnauthAttrTimestampTokenTstInfoTsaPolicyId
LOCAL lcUnauthAttrTimestampTokenTstInfoMessageImprintHashAlg
LOCAL lcUnauthAttrTimestampTokenTstInfoMessageImprintDigest
LOCAL lnUnauthAttrTimestampTokenTstInfoMessageImprintDigestMatches
LOCAL lcUnauthAttrTimestampTokenTstInfoSerialNumber
LOCAL loUnauthAttrTimestampTokenTstInfoGenTime
LOCAL j
LOCAL lnCount_j

lnSuccess = 0

* This example requires the Chilkat API to have been previously unlocked.
* See Global Unlock Sample for sample code.

loCrypt = CreateObject('Chilkat.Crypt2')

* Indicate that the CAdES-T timestamp tokens must also pass validation for the signature to be validated.
loCmsOptions = CreateObject('Chilkat.JsonObject')
loCmsOptions.UpdateBool("ValidateTimestampTokens",1)
loCrypt.CmsOptions = loCmsOptions.Emit()

* Validate the .p7m and extract the original signed data to an output file.
* Note: The timestampToken is an unauthenticated attribute.  See the code below that retrieves and parses the last JSON data.
* for details about examining timestampToken.
lnSuccess = loCrypt.VerifyP7M("qa_data/cades/CAdES-T/Signature-C-T-1.p7m","qa_output/out.dat")

* Get information about the CMS signature in the last JSON data.
* The detailed results of the signature validation are available in the last JSON data.
* (If the non-success return status was caused by an error such as "file not found", then the
* last JSON data would be empty.)
loJson = CreateObject('Chilkat.JsonObject')
loCrypt.GetLastJsonData(loJson)
loJson.EmitCompact = 0
? loJson.Emit()

* Here is a sample result:
* See the parsing code below..

* Use this online tool to generate parsing code from sample JSON: 
* Generate Parsing Code from JSON

* {
*   "pkcs7": {
*     "verify": {
*       "digestAlgorithms": [
*         "sha256"
*       ],
*       "signerInfo": [
*         {
*           "cert": {
*             "serialNumber": "00DCB814678CDB",
*             "issuerCN": "LevelBCAOK",
*             "issuerDN": "",
*             "digestAlgOid": "2.16.840.1.101.3.4.2.1",
*             "digestAlgName": "SHA256"
*           },
*           "contentType": "1.2.840.113549.1.7.1",
*           "signingTime": "131203065741Z",
*           "messageDigest": "JJZt41Nt8VsYahP+Xti4rR3vBDkUfRd6gquItl6R5Os=",
*           "signingAlgOid": "1.2.840.113549.1.1.1",
*           "signingAlgName": "RSA-PKCSV-1_5",
*           "authAttr": {
*             "1.2.840.113549.1.9.3": {
*               "name": "contentType",
*               "oid": "1.2.840.113549.1.7.1"
*             },
*             "1.2.840.113549.1.9.5": {
*               "name": "signingTime",
*               "utctime": "131203065741Z"
*             },
*             "1.2.840.113549.1.9.4": {
*               "name": "messageDigest",
*               "digest": "JJZt41Nt8VsYahP+Xti4rR3vBDkUfRd6gquItl6R5Os="
*             },
*             "1.2.840.113549.1.9.16.2.47": {
*               "name": "signingCertificateV2",
*               "der": "MIGIMIGFMIGCBCBJrxOU0w0dWGsVovjLv9QDH3syB5mLVv3grSYA40x9IDBeMFOkUTBPMQswCQYDVQQGEwJGUjENMAsGA1UEChMERVRTSTEcMBoGA1UECwwTUGx1Z3Rlc3RzXzIwMTMtMjAxNDETMBEGA1UEAxMKTGV2ZWxCQ0FPSwIHANy4FGeM2w=="
*             }
*           },
*           "unauthAttr": {
*             "1.2.840.113549.1.9.16.2.14": {
*               "name": "timestampToken",
*               "der": "MIIL+AYJKoZI...u7CfcjURNTY=",
*               "verify": {
*                 "digestAlgorithms": [
*                   "sha256"
*                 ],
*                 "signerInfo": [
*                   {
*                     "cert": {
*                       "serialNumber": "01AA4592D36C61",
*                       "issuerCN": "RootCAOK",
*                       "issuerDN": "",
*                       "digestAlgOid": "2.16.840.1.101.3.4.2.1",
*                       "digestAlgName": "SHA256"
*                     },
*                     "contentType": "1.2.840.113549.1.9.16.1.4",
*                     "messageDigest": "NSsMUrfoyCQ0OszPE1YLx1j3EyyCiBmnE5Sua6ghu/Q=",
*                     "signingAlgOid": "1.2.840.113549.1.1.1",
*                     "signingAlgName": "RSA-PKCSV-1_5",
*                     "authAttr": {
*                       "1.2.840.113549.1.9.3": {
*                         "name": "contentType",
*                         "oid": "1.2.840.113549.1.9.16.1.4"
*                       },
*                       "1.2.840.113549.1.9.4": {
*                         "name": "messageDigest",
*                         "digest": "NSsMUrfoyCQ0OszPE1YLx1j3EyyCiBmnE5Sua6ghu/Q="
*                       },
*                       "1.2.840.113549.1.9.16.2.47": {
*                         "name": "signingCertificateV2",
*                         "der": "MIGGMIGDMIGABCDB/np5UxvhcPnSxD2Kme+C88uXGCMWLAvFPHNvTApTWDBcMFGkTzBNMQswCQYDVQQGEwJGUjENMAsGA1UEChMERVRTSTEcMBoGA1UECwwTUGx1Z3Rlc3RzXzIwMTMtMjAxNDERMA8GA1UEAxMIUm9vdENBT0sCBwGqRZLTbGE="
*                       }
*                     }
*                   }
*                 ]
*               },
*               "timestampSignatureVerified": true,
*               "tstInfo": {
*                 "tsaPolicyId": "1.3.6.1.4.1.2706.2.2.5.2.1.1.1",
*                 "messageImprint": {
*                   "hashAlg": "sha256",
*                   "digest": "C8xEe9NA4X1cUyHGX9zG89ipmQ2byFs3aa+Xe4Fz2P0=",
*                   "digestMatches": true
*                 },
*                 "serialNumber": "313E162121D922",
*                 "genTime": "20131203065742Z"
*               }
*             }
*           }
*         }
*       ]
*     }
*   }
* }
* 

loSigningTime = CreateObject('Chilkat.DtObj')

loAuthAttrSigningTimeUtctime = CreateObject('Chilkat.DtObj')

loUnauthAttrTimestampTokenTstInfoGenTime = CreateObject('Chilkat.DtObj')

* Iterate over the hash algorithms used in the signature.
i = 0
lnCount_i = loJson.SizeOfArray("pkcs7.verify.digestAlgorithms")
DO WHILE i < lnCount_i
    loJson.I = i
    lcStrVal = loJson.StringOf("pkcs7.verify.digestAlgorithms[i]")
    i = i + 1
ENDDO

* For each signer...
i = 0
lnCount_i = loJson.SizeOfArray("pkcs7.verify.signerInfo")
DO WHILE i < lnCount_i
    loJson.I = i

    * Get information about the certificate used by this signer.
    lcCertSerialNumber = loJson.StringOf("pkcs7.verify.signerInfo[i].cert.serialNumber")
    lcCertIssuerCN = loJson.StringOf("pkcs7.verify.signerInfo[i].cert.issuerCN")
    lcCertIssuerDN = loJson.StringOf("pkcs7.verify.signerInfo[i].cert.issuerDN")
    lcCertDigestAlgOid = loJson.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgOid")
    lcCertDigestAlgName = loJson.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgName")

    * Get additional information for this signer, such as the signingTime, signature algorithm, etc.
    lcContentType = loJson.StringOf("pkcs7.verify.signerInfo[i].contentType")
    loJson.DtOf("pkcs7.verify.signerInfo[i].signingTime",0,loSigningTime)
    lcMessageDigest = loJson.StringOf("pkcs7.verify.signerInfo[i].messageDigest")
    lcSigningAlgOid = loJson.StringOf("pkcs7.verify.signerInfo[i].signingAlgOid")
    lcSigningAlgName = loJson.StringOf("pkcs7.verify.signerInfo[i].signingAlgName")

    * --------------------------------
    * Examine authenticated attributes.
    * --------------------------------

    * contentType
    IF (loJson.HasMember('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.3"') = 1) THEN
        lcAuthAttrContentTypeName = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.3".name')
        lcAuthAttrContentTypeOid = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.3".oid')
    ENDIF

    * signingTime
    IF (loJson.HasMember('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.5"') = 1) THEN
        lcAuthAttrSigningTimeName = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.5".name')
        loJson.DtOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.5".utctime',0,loAuthAttrSigningTimeUtctime)
    ENDIF

    * messageDigest
    IF (loJson.HasMember('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.4"') = 1) THEN
        lcAuthAttrMessageDigestName = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.4".name')
        lcAuthAttrMessageDigestDigest = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.4".digest')
    ENDIF

    * signingCertificateV2
    IF (loJson.HasMember('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.16.2.47"') = 1) THEN
        lcAuthAttrSigningCertificateV2Name = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.16.2.47".name')
        lcAuthAttrSigningCertificateV2Der = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.16.2.47".der')
    ENDIF

    * --------------------------------
    * Examine unauthenticated attributes.
    * --------------------------------

    * timestampToken  (the timestampToken is what makes this signature a CAdES-T)
    IF (loJson.HasMember('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14"') = 1) THEN

        lcUnauthAttrTimestampTokenName = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".name')
        lcUnauthAttrTimestampTokenDer = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".der')

        * This is where we find out if the timestampToken's signature is valid.
        lnUnauthAttrTimestampTokenTimestampSignatureVerified = loJson.BoolOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".timestampSignatureVerified')

        lcUnauthAttrTimestampTokenTstInfoTsaPolicyId = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.tsaPolicyId')
        lcUnauthAttrTimestampTokenTstInfoMessageImprintHashAlg = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.messageImprint.hashAlg')
        lcUnauthAttrTimestampTokenTstInfoMessageImprintDigest = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.messageImprint.digest')

        * Here is where we check to see if the digest in the timestampToken's messageImprint matches the digest of the signature of this signerInfo
        lnUnauthAttrTimestampTokenTstInfoMessageImprintDigestMatches = loJson.BoolOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.messageImprint.digestMatches')

        lcUnauthAttrTimestampTokenTstInfoSerialNumber = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.serialNumber')

        * Here is where we get the date/time of the timestampToken (i.e. when it was timestamped)
        loJson.DtOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.genTime',0,loUnauthAttrTimestampTokenTstInfoGenTime)

        * The following code gets details about the validity of the timestampToken's signature...
        j = 0
        lnCount_j = loJson.SizeOfArray('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.digestAlgorithms')
        DO WHILE j < lnCount_j
            loJson.J = j
            lcStrVal = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.digestAlgorithms[j]')
            j = j + 1
        ENDDO
        j = 0
        lnCount_j = loJson.SizeOfArray('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo')
        DO WHILE j < lnCount_j
            loJson.J = j
            lcCertSerialNumber = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.serialNumber')
            lcCertIssuerCN = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.issuerCN')
            lcCertIssuerDN = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.issuerDN')
            lcCertDigestAlgOid = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.digestAlgOid')
            lcCertDigestAlgName = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.digestAlgName')
            lcContentType = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].contentType')
            lcMessageDigest = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].messageDigest')
            lcSigningAlgOid = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].signingAlgOid')
            lcSigningAlgName = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].signingAlgName')
            lcAuthAttrContentTypeName = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.3".name')
            lcAuthAttrContentTypeOid = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.3".oid')
            lcAuthAttrMessageDigestName = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.4".name')
            lcAuthAttrMessageDigestDigest = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.4".digest')
            lcAuthAttrSigningCertificateV2Name = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.16.2.47".name')
            lcAuthAttrSigningCertificateV2Der = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.16.2.47".der')
            j = j + 1
        ENDDO

    ENDIF

    i = i + 1
ENDDO

IF (lnSuccess <> 1) THEN
    ? loCrypt.LastErrorText
    ? "CAdES-T verification failed."
ELSE
    ? "CAdES-T signature is valid."
ENDIF

RELEASE loCrypt
RELEASE loCmsOptions
RELEASE loJson
RELEASE loSigningTime
RELEASE loAuthAttrSigningTimeUtctime
RELEASE loUnauthAttrTimestampTokenTstInfoGenTime