Delphi ActiveX
Delphi ActiveX
Verify Authenticode Signature of EXE or DLL
See more Code Signing Examples
Demonstrates how to verify an Authenticode signed EXE or DLL.Note: Chilkat's code signing class was added in v9.5.0.97
Chilkat Delphi ActiveX Downloads
uses
Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls, Chilkat_TLB;
...
procedure TForm1.Button1Click(Sender: TObject);
var
path: WideString;
json: TChilkatJsonObject;
validator: TChilkatCodeSign;
valid: Integer;
issuerCN: WideString;
serial: WideString;
genTime: TDtObj;
dt: TCkDateTime;
i: Integer;
count_i: Integer;
numSigners: Integer;
begin
// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
// You can verify a signed DLL or EXE.
path := 'c:/someDir/something.dll';
// The verify method returns an overall indicator of whether
// the EXE or DLL can be trusted or not.
// The details of the signature are emitted to the JSON object
// passed in the last argument.
json := TChilkatJsonObject.Create(Self);
json.EmitCompact := 0;
validator := TChilkatCodeSign.Create(Self);
valid := validator.VerifySignature(path,json.ControlInterface);
if (valid = 0) then
begin
// Validation failed.
Memo1.Lines.Add(validator.LastErrorText);
// You can also examine the details of the validation (see below)
Memo1.Lines.Add(json.Emit());
Exit;
end;
// Examine the details of the Authenticode signature
// println json.Emit();
// An example of the JSON details of an authenticode signature, with selected parsing code, is shown below.
//
// Use this online tool to generate parsing code from sample JSON:
// Generate Parsing Code from JSON
// {
// "pkcs7": {
// "verify": {
// "peFile": {
// "hashOid": "2.16.840.1.101.3.4.2.1",
// "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw="
// },
// "certs": [
// {
// "issuerCN": "AAA Certificate Services",
// "serial": "48FC93B46055948D36A7C98A89D69416"
// },
// {
// "issuerCN": "Sectigo Public Code Signing Root R46",
// "serial": "621D6D0C52019E3B9079152089211C0A"
// },
// {
// "issuerCN": "Sectigo Public Code Signing CA R36",
// "serial": "3FF5B69109BFD4046C92CC0D18EE23C2"
// }
// ],
// "digestAlgorithms": [
// "sha256"
// ],
// "signerInfo": [
// {
// "cert": {
// "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2",
// "issuerCN": "Sectigo Public Code Signing CA R36",
// "digestAlgOid": "2.16.840.1.101.3.4.2.1",
// "digestAlgName": "SHA256"
// },
// "contentType": "1.3.6.1.4.1.311.2.1.4",
// "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=",
// "signingAlgOid": "1.2.840.113549.1.1.1",
// "signingAlgName": "RSA-PKCSV-1_5",
// "authAttr": {
// "1.3.6.1.4.1.311.2.1.12": {
// "der": "MAA="
// },
// "1.2.840.113549.1.9.3": {
// "name": "contentType",
// "oid": "1.3.6.1.4.1.311.2.1.4"
// },
// "1.3.6.1.4.1.311.2.1.11": {
// "der": "MAwGCisGAQQBgjcCARU="
// },
// "1.2.840.113549.1.9.4": {
// "name": "messageDigest",
// "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4="
// }
// },
// "unauthAttr": {
// "1.3.6.1.4.1.311.3.3.1": {
// "name": "timestampToken",
// "der": "MIIXJwY ... QZej",
// "verify": {
// "digestAlgorithms": [
// "sha256"
// ],
// "signerInfo": [
// {
// "cert": {
// "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116",
// "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
// "digestAlgOid": "2.16.840.1.101.3.4.2.1",
// "digestAlgName": "SHA256"
// },
// "contentType": "1.2.840.113549.1.9.16.1.4",
// "signingTime": "240117124047Z",
// "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=",
// "signingAlgOid": "1.2.840.113549.1.1.1",
// "signingAlgName": "RSA-PKCSV-1_5",
// "authAttr": {
// "1.2.840.113549.1.9.3": {
// "name": "contentType",
// "oid": "1.2.840.113549.1.9.16.1.4"
// },
// "1.2.840.113549.1.9.5": {
// "name": "signingTime",
// "utctime": "240117124047Z"
// },
// "1.2.840.113549.1.9.16.2.12": {
// "name": "signingCertificate",
// "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA=="
// },
// "1.2.840.113549.1.9.4": {
// "name": "messageDigest",
// "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM="
// },
// "1.2.840.113549.1.9.16.2.47": {
// "name": "signingCertificateV2",
// "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA=="
// }
// }
// }
// ],
// "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial"
// },
// "timestampSignatureVerified": true,
// "tstInfo": {
// "tsaPolicyId": "2.16.840.1.114412.7.1",
// "messageImprint": {
// "hashAlg": "sha256",
// "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=",
// "digestMatches": true
// },
// "serialNumber": "6E4597E574BC909213565DAEBC0E4888",
// "genTime": "20240117124047Z"
// }
// }
// }
// }
// ],
// "pkcs7": {
// "verify": {
// "certs": [
// {
// "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
// "serial": "0544AFF3949D0839A6BFDB3F5FE56116"
// },
// {
// "issuerCN": "DigiCert Trusted Root G4",
// "serial": "073637B724547CD847ACFD28662A5E5B"
// },
// {
// "issuerCN": "DigiCert Assured ID Root CA",
// "serial": "0E9B188EF9D02DE7EFDB50E20840185A"
// }
// ]
// }
// }
// }
// }
// }
genTime := TDtObj.Create(Self);
dt := TCkDateTime.Create(Self);
// Show the certificates embedded in the PKCS7 signature.
Memo1.Lines.Add('Certificates contained in the PKCS7 signature:');
i := 0;
count_i := json.SizeOfArray('pkcs7.verify.certs');
while i < count_i do
begin
json.I := i;
issuerCN := json.StringOf('pkcs7.verify.certs[i].issuerCN');
serial := json.StringOf('pkcs7.verify.certs[i].serial');
Memo1.Lines.Add(issuerCN + ', ' + serial);
i := i + 1;
end;
// Show details about the signing certificate(s)
numSigners := json.SizeOfArray('pkcs7.verify.signerInfo');
i := 0;
while i < numSigners do
begin
json.I := i;
Memo1.Lines.Add('---- Signing Certificate ----');
Memo1.Lines.Add('serial number: ' + json.StringOf('pkcs7.verify.signerInfo[i].cert.serialNumber'));
Memo1.Lines.Add('issuerCN: ' + json.StringOf('pkcs7.verify.signerInfo[i].cert.issuerCN'));
Memo1.Lines.Add('hash algorithm: ' + json.StringOf('pkcs7.verify.signerInfo[i].cert.digestAlgName'));
Memo1.Lines.Add('signing algorithm: ' + json.StringOf('pkcs7.verify.signerInfo[i].signingAlgName'));
// If this signature includes a timestamp token, get information about it.
if (json.HasMember('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1"') = 1) then
begin
// We're going to assume the timestamp token had only 1 signer..
Memo1.Lines.Add('--- Timestamp Token ----');
Memo1.Lines.Add('TS hash algorithm: ' + json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.digestAlgorithms[0]'));
Memo1.Lines.Add('TS certificate serial: ' + json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.signerInfo[0].cert.serialNumber'));
Memo1.Lines.Add('TS certificate issuerCN: ' + json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".verify.signerInfo[0].cert.issuerCN'));
Memo1.Lines.Add('timestamp signature verified: ' + IntToStr(Ord(json.BoolOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".timestampSignatureVerified'))));
json.DtOf('pkcs7.verify.signerInfo[i].unauthAttr."1.3.6.1.4.1.311.3.3.1".tstInfo.genTime',0,genTime.ControlInterface);
dt.SetFromDtObj(genTime.ControlInterface);
Memo1.Lines.Add('timestamp date/time: ' + dt.GetAsRfc822(1));
end;
i := i + 1;
end;
Memo1.Lines.Add('The Authenticode signature is valid.');
// Sample output:
// Certificates contained in the PKCS7 signature:
// AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416
// Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A
// Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2
// ---- Signing Certificate ----
// serial number: 3FF5B69109BFD4046C92CC0D18EE23C2
// issuerCN: Sectigo Public Code Signing CA R36
// hash algorithm: SHA256
// signing algorithm: RSA-PKCSV-1_5
// --- Timestamp Token ----
// TS hash algorithm: sha256
// TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116
// TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
// timestamp signature verified: True
// timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600
// The Authenticode signature is valid.
end;