Sample code for 30+ languages & platforms
AutoIt

Validate CAdES-T Signature (.p7m)

See more CAdES Examples

Validates a CAdES-T CMS signature and extracts the time-stamp token and gets information about it. Also validates the time-stamp token.

Chilkat AutoIt Downloads

AutoIt
Local $bSuccess = False

; This example requires the Chilkat API to have been previously unlocked.
; See Global Unlock Sample for sample code.

$oCrypt = ObjCreate("Chilkat.Crypt2")

; Indicate that the CAdES-T timestamp tokens must also pass validation for the signature to be validated.
$oCmsOptions = ObjCreate("Chilkat.JsonObject")
$oCmsOptions.UpdateBool("ValidateTimestampTokens",True)
$oCrypt.CmsOptions = $oCmsOptions.Emit()

; Validate the .p7m and extract the original signed data to an output file.
; Note: The timestampToken is an unauthenticated attribute.  See the code below that retrieves and parses the last JSON data.
; for details about examining timestampToken.
$bSuccess = $oCrypt.VerifyP7M("qa_data/cades/CAdES-T/Signature-C-T-1.p7m","qa_output/out.dat")

; Get information about the CMS signature in the last JSON data.
; The detailed results of the signature validation are available in the last JSON data.
; (If the non-success return status was caused by an error such as "file not found", then the
; last JSON data would be empty.)
$oJson = ObjCreate("Chilkat.JsonObject")
$oCrypt.GetLastJsonData $oJson
$oJson.EmitCompact = False
ConsoleWrite($oJson.Emit() & @CRLF)

; Here is a sample result:
; See the parsing code below..

; Use this online tool to generate parsing code from sample JSON: 
; Generate Parsing Code from JSON

; {
;   "pkcs7": {
;     "verify": {
;       "digestAlgorithms": [
;         "sha256"
;       ],
;       "signerInfo": [
;         {
;           "cert": {
;             "serialNumber": "00DCB814678CDB",
;             "issuerCN": "LevelBCAOK",
;             "issuerDN": "",
;             "digestAlgOid": "2.16.840.1.101.3.4.2.1",
;             "digestAlgName": "SHA256"
;           },
;           "contentType": "1.2.840.113549.1.7.1",
;           "signingTime": "131203065741Z",
;           "messageDigest": "JJZt41Nt8VsYahP+Xti4rR3vBDkUfRd6gquItl6R5Os=",
;           "signingAlgOid": "1.2.840.113549.1.1.1",
;           "signingAlgName": "RSA-PKCSV-1_5",
;           "authAttr": {
;             "1.2.840.113549.1.9.3": {
;               "name": "contentType",
;               "oid": "1.2.840.113549.1.7.1"
;             },
;             "1.2.840.113549.1.9.5": {
;               "name": "signingTime",
;               "utctime": "131203065741Z"
;             },
;             "1.2.840.113549.1.9.4": {
;               "name": "messageDigest",
;               "digest": "JJZt41Nt8VsYahP+Xti4rR3vBDkUfRd6gquItl6R5Os="
;             },
;             "1.2.840.113549.1.9.16.2.47": {
;               "name": "signingCertificateV2",
;               "der": "MIGIMIGFMIGCBCBJrxOU0w0dWGsVovjLv9QDH3syB5mLVv3grSYA40x9IDBeMFOkUTBPMQswCQYDVQQGEwJGUjENMAsGA1UEChMERVRTSTEcMBoGA1UECwwTUGx1Z3Rlc3RzXzIwMTMtMjAxNDETMBEGA1UEAxMKTGV2ZWxCQ0FPSwIHANy4FGeM2w=="
;             }
;           },
;           "unauthAttr": {
;             "1.2.840.113549.1.9.16.2.14": {
;               "name": "timestampToken",
;               "der": "MIIL+AYJKoZI...u7CfcjURNTY=",
;               "verify": {
;                 "digestAlgorithms": [
;                   "sha256"
;                 ],
;                 "signerInfo": [
;                   {
;                     "cert": {
;                       "serialNumber": "01AA4592D36C61",
;                       "issuerCN": "RootCAOK",
;                       "issuerDN": "",
;                       "digestAlgOid": "2.16.840.1.101.3.4.2.1",
;                       "digestAlgName": "SHA256"
;                     },
;                     "contentType": "1.2.840.113549.1.9.16.1.4",
;                     "messageDigest": "NSsMUrfoyCQ0OszPE1YLx1j3EyyCiBmnE5Sua6ghu/Q=",
;                     "signingAlgOid": "1.2.840.113549.1.1.1",
;                     "signingAlgName": "RSA-PKCSV-1_5",
;                     "authAttr": {
;                       "1.2.840.113549.1.9.3": {
;                         "name": "contentType",
;                         "oid": "1.2.840.113549.1.9.16.1.4"
;                       },
;                       "1.2.840.113549.1.9.4": {
;                         "name": "messageDigest",
;                         "digest": "NSsMUrfoyCQ0OszPE1YLx1j3EyyCiBmnE5Sua6ghu/Q="
;                       },
;                       "1.2.840.113549.1.9.16.2.47": {
;                         "name": "signingCertificateV2",
;                         "der": "MIGGMIGDMIGABCDB/np5UxvhcPnSxD2Kme+C88uXGCMWLAvFPHNvTApTWDBcMFGkTzBNMQswCQYDVQQGEwJGUjENMAsGA1UEChMERVRTSTEcMBoGA1UECwwTUGx1Z3Rlc3RzXzIwMTMtMjAxNDERMA8GA1UEAxMIUm9vdENBT0sCBwGqRZLTbGE="
;                       }
;                     }
;                   }
;                 ]
;               },
;               "timestampSignatureVerified": true,
;               "tstInfo": {
;                 "tsaPolicyId": "1.3.6.1.4.1.2706.2.2.5.2.1.1.1",
;                 "messageImprint": {
;                   "hashAlg": "sha256",
;                   "digest": "C8xEe9NA4X1cUyHGX9zG89ipmQ2byFs3aa+Xe4Fz2P0=",
;                   "digestMatches": true
;                 },
;                 "serialNumber": "313E162121D922",
;                 "genTime": "20131203065742Z"
;               }
;             }
;           }
;         }
;       ]
;     }
;   }
; }
; 

Local $i
Local $iCount_i
Local $strVal
Local $sCertSerialNumber
Local $sCertIssuerCN
Local $sCertIssuerDN
Local $sCertDigestAlgOid
Local $sCertDigestAlgName
Local $sContentType
$oSigningTime = ObjCreate("Chilkat.DtObj")
Local $sMessageDigest
Local $signingAlgOid
Local $signingAlgName
Local $sAuthAttrContentTypeName
Local $sAuthAttrContentTypeOid
Local $sAuthAttrSigningTimeName
$oAuthAttrSigningTimeUtctime = ObjCreate("Chilkat.DtObj")
Local $sAuthAttrMessageDigestName
Local $sAuthAttrMessageDigestDigest
Local $sAuthAttrSigningCertificateV2Name
Local $sAuthAttrSigningCertificateV2Der
Local $sUnauthAttrTimestampTokenName
Local $sUnauthAttrTimestampTokenDer
Local $bUnauthAttrTimestampTokenTimestampSignatureVerified
Local $sUnauthAttrTimestampTokenTstInfoTsaPolicyId
Local $sUnauthAttrTimestampTokenTstInfoMessageImprintHashAlg
Local $sUnauthAttrTimestampTokenTstInfoMessageImprintDigest
Local $bUnauthAttrTimestampTokenTstInfoMessageImprintDigestMatches
Local $sUnauthAttrTimestampTokenTstInfoSerialNumber
$oUnauthAttrTimestampTokenTstInfoGenTime = ObjCreate("Chilkat.DtObj")
Local $iJ
Local $iCount_j

; Iterate over the hash algorithms used in the signature.
$i = 0
$iCount_i = $oJson.SizeOfArray("pkcs7.verify.digestAlgorithms")
While $i < $iCount_i
    $oJson.I = $i
    $strVal = $oJson.StringOf("pkcs7.verify.digestAlgorithms[i]")
    $i = $i + 1
Wend

; For each signer...
$i = 0
$iCount_i = $oJson.SizeOfArray("pkcs7.verify.signerInfo")
While $i < $iCount_i
    $oJson.I = $i

    ; Get information about the certificate used by this signer.
    $sCertSerialNumber = $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.serialNumber")
    $sCertIssuerCN = $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.issuerCN")
    $sCertIssuerDN = $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.issuerDN")
    $sCertDigestAlgOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgOid")
    $sCertDigestAlgName = $oJson.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgName")

    ; Get additional information for this signer, such as the signingTime, signature algorithm, etc.
    $sContentType = $oJson.StringOf("pkcs7.verify.signerInfo[i].contentType")
    $oJson.DtOf("pkcs7.verify.signerInfo[i].signingTime",False,$oSigningTime)
    $sMessageDigest = $oJson.StringOf("pkcs7.verify.signerInfo[i].messageDigest")
    $signingAlgOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].signingAlgOid")
    $signingAlgName = $oJson.StringOf("pkcs7.verify.signerInfo[i].signingAlgName")

    ; --------------------------------
    ; Examine authenticated attributes.
    ; --------------------------------

    ; contentType
    If ($oJson.HasMember("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.3""") = True) Then
        $sAuthAttrContentTypeName = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.3"".name")
        $sAuthAttrContentTypeOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.3"".oid")
    EndIf

    ; signingTime
    If ($oJson.HasMember("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.5""") = True) Then
        $sAuthAttrSigningTimeName = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.5"".name")
        $oJson.DtOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.5"".utctime",False,$oAuthAttrSigningTimeUtctime)
    EndIf

    ; messageDigest
    If ($oJson.HasMember("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.4""") = True) Then
        $sAuthAttrMessageDigestName = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.4"".name")
        $sAuthAttrMessageDigestDigest = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.4"".digest")
    EndIf

    ; signingCertificateV2
    If ($oJson.HasMember("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.16.2.47""") = True) Then
        $sAuthAttrSigningCertificateV2Name = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.16.2.47"".name")
        $sAuthAttrSigningCertificateV2Der = $oJson.StringOf("pkcs7.verify.signerInfo[i].authAttr.""1.2.840.113549.1.9.16.2.47"".der")
    EndIf

    ; --------------------------------
    ; Examine unauthenticated attributes.
    ; --------------------------------

    ; timestampToken  (the timestampToken is what makes this signature a CAdES-T)
    If ($oJson.HasMember("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14""") = True) Then

        $sUnauthAttrTimestampTokenName = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".name")
        $sUnauthAttrTimestampTokenDer = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".der")

        ; This is where we find out if the timestampToken's signature is valid.
        $bUnauthAttrTimestampTokenTimestampSignatureVerified = $oJson.BoolOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".timestampSignatureVerified")

        $sUnauthAttrTimestampTokenTstInfoTsaPolicyId = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.tsaPolicyId")
        $sUnauthAttrTimestampTokenTstInfoMessageImprintHashAlg = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.messageImprint.hashAlg")
        $sUnauthAttrTimestampTokenTstInfoMessageImprintDigest = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.messageImprint.digest")

        ; Here is where we check to see if the digest in the timestampToken's messageImprint matches the digest of the signature of this signerInfo
        $bUnauthAttrTimestampTokenTstInfoMessageImprintDigestMatches = $oJson.BoolOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.messageImprint.digestMatches")

        $sUnauthAttrTimestampTokenTstInfoSerialNumber = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.serialNumber")

        ; Here is where we get the date/time of the timestampToken (i.e. when it was timestamped)
        $oJson.DtOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".tstInfo.genTime",False,$oUnauthAttrTimestampTokenTstInfoGenTime)

        ; The following code gets details about the validity of the timestampToken's signature...
        $iJ = 0
        $iCount_j = $oJson.SizeOfArray("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.digestAlgorithms")
        While $iJ < $iCount_j
            $oJson.J = $iJ
            $strVal = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.digestAlgorithms[j]")
            $iJ = $iJ + 1
        Wend
        $iJ = 0
        $iCount_j = $oJson.SizeOfArray("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo")
        While $iJ < $iCount_j
            $oJson.J = $iJ
            $sCertSerialNumber = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].cert.serialNumber")
            $sCertIssuerCN = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].cert.issuerCN")
            $sCertIssuerDN = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].cert.issuerDN")
            $sCertDigestAlgOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].cert.digestAlgOid")
            $sCertDigestAlgName = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].cert.digestAlgName")
            $sContentType = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].contentType")
            $sMessageDigest = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].messageDigest")
            $signingAlgOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].signingAlgOid")
            $signingAlgName = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].signingAlgName")
            $sAuthAttrContentTypeName = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.3"".name")
            $sAuthAttrContentTypeOid = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.3"".oid")
            $sAuthAttrMessageDigestName = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.4"".name")
            $sAuthAttrMessageDigestDigest = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.4"".digest")
            $sAuthAttrSigningCertificateV2Name = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.16.2.47"".name")
            $sAuthAttrSigningCertificateV2Der = $oJson.StringOf("pkcs7.verify.signerInfo[i].unauthAttr.""1.2.840.113549.1.9.16.2.14"".verify.signerInfo[j].authAttr.""1.2.840.113549.1.9.16.2.47"".der")
            $iJ = $iJ + 1
        Wend

    EndIf

    $i = $i + 1
Wend

If ($bSuccess <> True) Then
    ConsoleWrite($oCrypt.LastErrorText & @CRLF)
    ConsoleWrite("CAdES-T verification failed." & @CRLF)
Else
    ConsoleWrite("CAdES-T signature is valid." & @CRLF)
EndIf