AutoIt
AutoIt
Validate CAdES-T Signature (.p7m)
See more CAdES Examples
Validates a CAdES-T CMS signature and extracts the time-stamp token and gets information about it. Also validates the time-stamp token.Chilkat AutoIt Downloads
Local $bSuccess = False
; This example requires the Chilkat API to have been previously unlocked.
; See Global Unlock Sample for sample code.
$oCrypt = ObjCreate("Chilkat.Crypt2")
; Indicate that the CAdES-T timestamp tokens must also pass validation for the signature to be validated.
$oCmsOptions = ObjCreate("Chilkat.JsonObject")
$oCmsOptions.UpdateBool("ValidateTimestampTokens",True)
$oCrypt.CmsOptions = $oCmsOptions.Emit()
; Validate the .p7m and extract the original signed data to an output file.
; Note: The timestampToken is an unauthenticated attribute. See the code below that retrieves and parses the last JSON data.
; for details about examining timestampToken.
$bSuccess = $oCrypt.VerifyP7M("qa_data/cades/CAdES-T/Signature-C-T-1.p7m","qa_output/out.dat")
; Get information about the CMS signature in the last JSON data.
; The detailed results of the signature validation are available in the last JSON data.
; (If the non-success return status was caused by an error such as "file not found", then the
; last JSON data would be empty.)
$oJson = ObjCreate("Chilkat.JsonObject")
$oCrypt.GetLastJsonData $oJson
$oJson.EmitCompact = False
ConsoleWrite($oJson.Emit() & @CRLF)
; Here is a sample result:
; See the parsing code below..
; Use this online tool to generate parsing code from sample JSON:
; Generate Parsing Code from JSON
; {
; "pkcs7": {
; "verify": {
; "digestAlgorithms": [
; "sha256"
; ],
; "signerInfo": [
; {
; "cert": {
; "serialNumber": "00DCB814678CDB",
; "issuerCN": "LevelBCAOK",
; "issuerDN": "",
; "digestAlgOid": "2.16.840.1.101.3.4.2.1",
; "digestAlgName": "SHA256"
; },
; "contentType": "1.2.840.113549.1.7.1",
; "signingTime": "131203065741Z",
; "messageDigest": "JJZt41Nt8VsYahP+Xti4rR3vBDkUfRd6gquItl6R5Os=",
; "signingAlgOid": "1.2.840.113549.1.1.1",
; "signingAlgName": "RSA-PKCSV-1_5",
; "authAttr": {
; "1.2.840.113549.1.9.3": {
; "name": "contentType",
; "oid": "1.2.840.113549.1.7.1"
; },
; "1.2.840.113549.1.9.5": {
; "name": "signingTime",
; "utctime": "131203065741Z"
; },
; "1.2.840.113549.1.9.4": {
; "name": "messageDigest",
; "digest": "JJZt41Nt8VsYahP+Xti4rR3vBDkUfRd6gquItl6R5Os="
; },
; "1.2.840.113549.1.9.16.2.47": {
; "name": "signingCertificateV2",
; "der": "MIGIMIGFMIGCBCBJrxOU0w0dWGsVovjLv9QDH3syB5mLVv3grSYA40x9IDBeMFOkUTBPMQswCQYDVQQGEwJGUjENMAsGA1UEChMERVRTSTEcMBoGA1UECwwTUGx1Z3Rlc3RzXzIwMTMtMjAxNDETMBEGA1UEAxMKTGV2ZWxCQ0FPSwIHANy4FGeM2w=="
; }
; },
; "unauthAttr": {
; "1.2.840.113549.1.9.16.2.14": {
; "name": "timestampToken",
; "der": "MIIL+AYJKoZI...u7CfcjURNTY=",
; "verify": {
; "digestAlgorithms": [
; "sha256"
; ],
; "signerInfo": [
; {
; "cert": {
; "serialNumber": "01AA4592D36C61",
; "issuerCN": "RootCAOK",
; "issuerDN": "",
; "digestAlgOid": "2.16.840.1.101.3.4.2.1",
; "digestAlgName": "SHA256"
; },
; "contentType": "1.2.840.113549.1.9.16.1.4",
; "messageDigest": "NSsMUrfoyCQ0OszPE1YLx1j3EyyCiBmnE5Sua6ghu/Q=",
; "signingAlgOid": "1.2.840.113549.1.1.1",
; "signingAlgName": "RSA-PKCSV-1_5",
; "authAttr": {
; "1.2.840.113549.1.9.3": {
; "name": "contentType",
; "oid": "1.2.840.113549.1.9.16.1.4"
; },
; "1.2.840.113549.1.9.4": {
; "name": "messageDigest",
; "digest": "NSsMUrfoyCQ0OszPE1YLx1j3EyyCiBmnE5Sua6ghu/Q="
; },
; "1.2.840.113549.1.9.16.2.47": {
; "name": "signingCertificateV2",
; "der": "MIGGMIGDMIGABCDB/np5UxvhcPnSxD2Kme+C88uXGCMWLAvFPHNvTApTWDBcMFGkTzBNMQswCQYDVQQGEwJGUjENMAsGA1UEChMERVRTSTEcMBoGA1UECwwTUGx1Z3Rlc3RzXzIwMTMtMjAxNDERMA8GA1UEAxMIUm9vdENBT0sCBwGqRZLTbGE="
; }
; }
; }
; ]
; },
; "timestampSignatureVerified": true,
; "tstInfo": {
; "tsaPolicyId": "1.3.6.1.4.1.2706.2.2.5.2.1.1.1",
; "messageImprint": {
; "hashAlg": "sha256",
; "digest": "C8xEe9NA4X1cUyHGX9zG89ipmQ2byFs3aa+Xe4Fz2P0=",
; "digestMatches": true
; },
; "serialNumber": "313E162121D922",
; "genTime": "20131203065742Z"
; }
; }
; }
; }
; ]
; }
; }
; }
;
Local $i
Local $iCount_i
Local $strVal
Local $sCertSerialNumber
Local $sCertIssuerCN
Local $sCertIssuerDN
Local $sCertDigestAlgOid
Local $sCertDigestAlgName
Local $sContentType
$oSigningTime = ObjCreate("Chilkat.DtObj")
Local $sMessageDigest
Local $signingAlgOid
Local $signingAlgName
Local $sAuthAttrContentTypeName
Local $sAuthAttrContentTypeOid
Local $sAuthAttrSigningTimeName
$oAuthAttrSigningTimeUtctime = ObjCreate("Chilkat.DtObj")
Local $sAuthAttrMessageDigestName
Local $sAuthAttrMessageDigestDigest
Local $sAuthAttrSigningCertificateV2Name
Local $sAuthAttrSigningCertificateV2Der
Local $sUnauthAttrTimestampTokenName
Local $sUnauthAttrTimestampTokenDer
Local $bUnauthAttrTimestampTokenTimestampSignatureVerified
Local $sUnauthAttrTimestampTokenTstInfoTsaPolicyId
Local $sUnauthAttrTimestampTokenTstInfoMessageImprintHashAlg
Local $sUnauthAttrTimestampTokenTstInfoMessageImprintDigest
Local $bUnauthAttrTimestampTokenTstInfoMessageImprintDigestMatches
Local $sUnauthAttrTimestampTokenTstInfoSerialNumber
$oUnauthAttrTimestampTokenTstInfoGenTime = ObjCreate("Chilkat.DtObj")
Local $iJ
Local $iCount_j
; Iterate over the hash algorithms used in the signature.
$i = 0
$iCount_i = $oJson.SizeOfArray("pkcs7.verify.digestAlgorithms")
While $i < $iCount_i
$oJson.I = $i
$strVal = $oJson.StringOf("pkcs7.verify.digestAlgorithms[i]")
$i = $i + 1
Wend
; For each signer...
$i = 0
$iCount_i = $oJson.SizeOfArray("pkcs7.verify.signerInfo")
While $i < $iCount_i
$oJson.I = $i
; Get information about the certificate used by this signer.
$sCertSerialNumber = $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.serialNumber")
$sCertIssuerCN = $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.issuerCN")
$sCertIssuerDN = $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.issuerDN")
$sCertDigestAlgOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgOid")
$sCertDigestAlgName = $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgName")
; Get additional information for this signer, such as the signingTime, signature algorithm, etc.
$sContentType = $oJson.StringOf("pkcs7.verify.signerInfo[i].contentType")
$oJson.DtOf("pkcs7.verify.signerInfo[i].signingTime",False,$oSigningTime)
$sMessageDigest = $oJson.StringOf("pkcs7.verify.signerInfo[i].messageDigest")
$signingAlgOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].signingAlgOid")
$signingAlgName = $oJson.StringOf("pkcs7.verify.signerInfo[i].signingAlgName")
; --------------------------------
; Examine authenticated attributes.
; --------------------------------
; contentType
If ($oJson.HasMember("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.3""") = True) Then
$sAuthAttrContentTypeName = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.3"".name")
$sAuthAttrContentTypeOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.3"".oid")
EndIf
; signingTime
If ($oJson.HasMember("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.5""") = True) Then
$sAuthAttrSigningTimeName = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.5"".name")
$oJson.DtOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.5"".utctime",False,$oAuthAttrSigningTimeUtctime)
EndIf
; messageDigest
If ($oJson.HasMember("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.4""") = True) Then
$sAuthAttrMessageDigestName = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.4"".name")
$sAuthAttrMessageDigestDigest = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.4"".digest")
EndIf
; signingCertificateV2
If ($oJson.HasMember("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.16.2.47""") = True) Then
$sAuthAttrSigningCertificateV2Name = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.16.2.47"".name")
$sAuthAttrSigningCertificateV2Der = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.16.2.47"".der")
EndIf
; --------------------------------
; Examine unauthenticated attributes.
; --------------------------------
; timestampToken (the timestampToken is what makes this signature a CAdES-T)
If ($oJson.HasMember("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14""") = True) Then
$sUnauthAttrTimestampTokenName = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".name")
$sUnauthAttrTimestampTokenDer = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".der")
; This is where we find out if the timestampToken's signature is valid.
$bUnauthAttrTimestampTokenTimestampSignatureVerified = $oJson.BoolOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".timestampSignatureVerified")
$sUnauthAttrTimestampTokenTstInfoTsaPolicyId = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.tsaPolicyId")
$sUnauthAttrTimestampTokenTstInfoMessageImprintHashAlg = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.messageImprint.hashAlg")
$sUnauthAttrTimestampTokenTstInfoMessageImprintDigest = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.messageImprint.digest")
; Here is where we check to see if the digest in the timestampToken's messageImprint matches the digest of the signature of this signerInfo
$bUnauthAttrTimestampTokenTstInfoMessageImprintDigestMatches = $oJson.BoolOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.messageImprint.digestMatches")
$sUnauthAttrTimestampTokenTstInfoSerialNumber = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.serialNumber")
; Here is where we get the date/time of the timestampToken (i.e. when it was timestamped)
$oJson.DtOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.genTime",False,$oUnauthAttrTimestampTokenTstInfoGenTime)
; The following code gets details about the validity of the timestampToken's signature...
$iJ = 0
$iCount_j = $oJson.SizeOfArray("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.digestAlgorithms")
While $iJ < $iCount_j
$oJson.J = $iJ
$strVal = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.digestAlgorithms[j]")
$iJ = $iJ + 1
Wend
$iJ = 0
$iCount_j = $oJson.SizeOfArray("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo")
While $iJ < $iCount_j
$oJson.J = $iJ
$sCertSerialNumber = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].cert.serialNumber")
$sCertIssuerCN = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].cert.issuerCN")
$sCertIssuerDN = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].cert.issuerDN")
$sCertDigestAlgOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].cert.digestAlgOid")
$sCertDigestAlgName = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].cert.digestAlgName")
$sContentType = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].contentType")
$sMessageDigest = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].messageDigest")
$signingAlgOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].signingAlgOid")
$signingAlgName = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].signingAlgName")
$sAuthAttrContentTypeName = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.3"".name")
$sAuthAttrContentTypeOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.3"".oid")
$sAuthAttrMessageDigestName = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.4"".name")
$sAuthAttrMessageDigestDigest = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.4"".digest")
$sAuthAttrSigningCertificateV2Name = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.16.2.47"".name")
$sAuthAttrSigningCertificateV2Der = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.16.2.47"".der")
$iJ = $iJ + 1
Wend
EndIf
$i = $i + 1
Wend
If ($bSuccess <> True) Then
ConsoleWrite($oCrypt.LastErrorText & @CRLF)
ConsoleWrite("CAdES-T verification failed." & @CRLF)
Else
ConsoleWrite("CAdES-T signature is valid." & @CRLF)
EndIf