Sample code for 30+ languages & platforms
Classic ASP

Verify Authenticode Signature of EXE or DLL

See more Code Signing Examples

Demonstrates how to verify an Authenticode signed EXE or DLL.

Note: Chilkat's code signing class was added in v9.5.0.97

Chilkat Classic ASP Downloads

Classic ASP
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<%
' This example requires the Chilkat API to have been previously unlocked.
' See Global Unlock Sample for sample code.

' You can verify a signed DLL or EXE.
path = "c:/someDir/something.dll"

' The verify method returns an overall indicator of whether
' the EXE or DLL can be trusted or not.
' The details of the signature are emitted to the JSON object
' passed in the last argument.

set json = Server.CreateObject("Chilkat.JsonObject")
json.EmitCompact = 0

set validator = Server.CreateObject("Chilkat.CodeSign")
valid = validator.VerifySignature(path,json)
If (valid = 0) Then
    ' Validation failed.
    Response.Write "<pre>" & Server.HTMLEncode( validator.LastErrorText) & "</pre>"
    ' You can also examine the details of the validation (see below)
    Response.Write "<pre>" & Server.HTMLEncode( json.Emit()) & "</pre>"
    Response.End
End If

' Examine the details of the Authenticode signature
' println json.Emit();

' An example of the JSON details of an authenticode signature, with selected parsing code, is shown below.
' 
' Use this online tool to generate parsing code from sample JSON: 
' Generate Parsing Code from JSON

' {
'   "pkcs7": {
'     "verify": {
'       "peFile": {
'         "hashOid": "2.16.840.1.101.3.4.2.1",
'         "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw="
'       },
'       "certs": [
'         {
'           "issuerCN": "AAA Certificate Services",
'           "serial": "48FC93B46055948D36A7C98A89D69416"
'         },
'         {
'           "issuerCN": "Sectigo Public Code Signing Root R46",
'           "serial": "621D6D0C52019E3B9079152089211C0A"
'         },
'         {
'           "issuerCN": "Sectigo Public Code Signing CA R36",
'           "serial": "3FF5B69109BFD4046C92CC0D18EE23C2"
'         }
'       ],
'       "digestAlgorithms": [
'         "sha256"
'       ],
'       "signerInfo": [
'         {
'           "cert": {
'             "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2",
'             "issuerCN": "Sectigo Public Code Signing CA R36",
'             "digestAlgOid": "2.16.840.1.101.3.4.2.1",
'             "digestAlgName": "SHA256"
'           },
'           "contentType": "1.3.6.1.4.1.311.2.1.4",
'           "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=",
'           "signingAlgOid": "1.2.840.113549.1.1.1",
'           "signingAlgName": "RSA-PKCSV-1_5",
'           "authAttr": {
'             "1.3.6.1.4.1.311.2.1.12": {
'               "der": "MAA="
'             },
'             "1.2.840.113549.1.9.3": {
'               "name": "contentType",
'               "oid": "1.3.6.1.4.1.311.2.1.4"
'             },
'             "1.3.6.1.4.1.311.2.1.11": {
'               "der": "MAwGCisGAQQBgjcCARU="
'             },
'             "1.2.840.113549.1.9.4": {
'               "name": "messageDigest",
'               "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4="
'             }
'           },
'           "unauthAttr": {
'             "1.3.6.1.4.1.311.3.3.1": {
'               "name": "timestampToken",
'               "der": "MIIXJwY ... QZej",
'               "verify": {
'                 "digestAlgorithms": [
'                   "sha256"
'                 ],
'                 "signerInfo": [
'                   {
'                     "cert": {
'                       "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116",
'                       "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
'                       "digestAlgOid": "2.16.840.1.101.3.4.2.1",
'                       "digestAlgName": "SHA256"
'                     },
'                     "contentType": "1.2.840.113549.1.9.16.1.4",
'                     "signingTime": "240117124047Z",
'                     "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=",
'                     "signingAlgOid": "1.2.840.113549.1.1.1",
'                     "signingAlgName": "RSA-PKCSV-1_5",
'                     "authAttr": {
'                       "1.2.840.113549.1.9.3": {
'                         "name": "contentType",
'                         "oid": "1.2.840.113549.1.9.16.1.4"
'                       },
'                       "1.2.840.113549.1.9.5": {
'                         "name": "signingTime",
'                         "utctime": "240117124047Z"
'                       },
'                       "1.2.840.113549.1.9.16.2.12": {
'                         "name": "signingCertificate",
'                         "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA=="
'                       },
'                       "1.2.840.113549.1.9.4": {
'                         "name": "messageDigest",
'                         "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM="
'                       },
'                       "1.2.840.113549.1.9.16.2.47": {
'                         "name": "signingCertificateV2",
'                         "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA=="
'                       }
'                     }
'                   }
'                 ],
'                 "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial"
'               },
'               "timestampSignatureVerified": true,
'               "tstInfo": {
'                 "tsaPolicyId": "2.16.840.1.114412.7.1",
'                 "messageImprint": {
'                   "hashAlg": "sha256",
'                   "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=",
'                   "digestMatches": true
'                 },
'                 "serialNumber": "6E4597E574BC909213565DAEBC0E4888",
'                 "genTime": "20240117124047Z"
'               }
'             }
'           }
'         }
'       ],
'       "pkcs7": {
'         "verify": {
'           "certs": [
'             {
'               "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
'               "serial": "0544AFF3949D0839A6BFDB3F5FE56116"
'             },
'             {
'               "issuerCN": "DigiCert Trusted Root G4",
'               "serial": "073637B724547CD847ACFD28662A5E5B"
'             },
'             {
'               "issuerCN": "DigiCert Assured ID Root CA",
'               "serial": "0E9B188EF9D02DE7EFDB50E20840185A"
'             }
'           ]
'         }
'       }
'     }
'   }
' }

set genTime = Server.CreateObject("Chilkat.DtObj")
set dt = Server.CreateObject("Chilkat.CkDateTime")

' Show the certificates embedded in the PKCS7 signature.
Response.Write "<pre>" & Server.HTMLEncode( "Certificates contained in the PKCS7 signature:") & "</pre>"
i = 0
count_i = json.SizeOfArray("pkcs7.verify.certs")
Do While i < count_i
    json.I = i
    issuerCN = json.StringOf("pkcs7.verify.certs[i].issuerCN")
    serial = json.StringOf("pkcs7.verify.certs[i].serial")
    Response.Write "<pre>" & Server.HTMLEncode( issuerCN & ", " & serial) & "</pre>"
    i = i + 1
Loop

' Show details about the signing certificate(s)
numSigners = json.SizeOfArray("pkcs7.verify.signerInfo")
i = 0
Do While i < numSigners
    json.I = i
    Response.Write "<pre>" & Server.HTMLEncode( "---- Signing Certificate ----") & "</pre>"
    Response.Write "<pre>" & Server.HTMLEncode( "serial number: " & json.StringOf("pkcs7.verify.signerInfo[i].cert.serialNumber")) & "</pre>"
    Response.Write "<pre>" & Server.HTMLEncode( "issuerCN: " & json.StringOf("pkcs7.verify.signerInfo[i].cert.issuerCN")) & "</pre>"
    Response.Write "<pre>" & Server.HTMLEncode( "hash algorithm: " & json.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgName")) & "</pre>"
    Response.Write "<pre>" & Server.HTMLEncode( "signing algorithm: " & json.StringOf("pkcs7.verify.signerInfo[i].signingAlgName")) & "</pre>"

    ' If this signature includes a timestamp token, get information about it.
    If (json.HasMember("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1""") = 1) Then
        ' We're going to assume the timestamp token had only 1 signer..
        Response.Write "<pre>" & Server.HTMLEncode( "--- Timestamp Token ----") & "</pre>"
        Response.Write "<pre>" & Server.HTMLEncode( "TS hash algorithm: " & json.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".verify.digestAlgorithms[0]")) & "</pre>"
        Response.Write "<pre>" & Server.HTMLEncode( "TS certificate serial: " & json.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".verify.signerInfo[0].cert.serialNumber")) & "</pre>"
        Response.Write "<pre>" & Server.HTMLEncode( "TS certificate issuerCN: " & json.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".verify.signerInfo[0].cert.issuerCN")) & "</pre>"
        Response.Write "<pre>" & Server.HTMLEncode( "timestamp signature verified: " & json.BoolOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".timestampSignatureVerified")) & "</pre>"
        success = json.DtOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.3.6.1.4.1.311.3.3.1"".tstInfo.genTime",0,genTime)
        success = dt.SetFromDtObj(genTime)
        Response.Write "<pre>" & Server.HTMLEncode( "timestamp date/time: " & dt.GetAsRfc822(1)) & "</pre>"
    End If

    i = i + 1
Loop

Response.Write "<pre>" & Server.HTMLEncode( "The Authenticode signature is valid.") & "</pre>"

' Sample output:

' Certificates contained in the PKCS7 signature:
' AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416
' Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A
' Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2
' ---- Signing Certificate ----
' serial number: 3FF5B69109BFD4046C92CC0D18EE23C2
' issuerCN: Sectigo Public Code Signing CA R36
' hash algorithm: SHA256
' signing algorithm: RSA-PKCSV-1_5
' --- Timestamp Token ----
' TS hash algorithm: sha256
' TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116
' TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
' timestamp signature verified: True
' timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600
' The Authenticode signature is valid.

%>
</body>
</html>