|
Chilkat • HOME • .NET Core C# • Android™ • AutoIt • C • C# • C++ • Chilkat2-Python • CkPython • Classic ASP • DataFlex • Delphi ActiveX • Delphi DLL • Go • Java • Lianja • Mono C# • Node.js • Objective-C • PHP ActiveX • PHP Extension • Perl • PowerBuilder • PowerShell • PureBasic • Ruby • SQL Server • Swift 2 • Swift 3,4,5... • Tcl • Unicode C • Unicode C++ • VB.NET • VBScript • Visual Basic 6.0 • Visual FoxPro • Xojo Plugin
(Visual FoxPro) Validate CAdES-T Signature (.p7m)Validates a CAdES-T CMS signature and extracts the time-stamp token and gets information about it. Also validates the time-stamp token. Note: This example requires Chilkat v9.5.0.78 or greater.
LOCAL loCrypt LOCAL lnSuccess LOCAL loCmsOptions LOCAL loJson LOCAL i LOCAL lnCount_i LOCAL lcStrVal LOCAL lcCertSerialNumber LOCAL lcCertIssuerCN LOCAL lcCertIssuerDN LOCAL lcCertDigestAlgOid LOCAL lcCertDigestAlgName LOCAL lcContentType LOCAL loSigningTime LOCAL lcMessageDigest LOCAL lcSigningAlgOid LOCAL lcSigningAlgName LOCAL lcAuthAttrContentTypeName LOCAL lcAuthAttrContentTypeOid LOCAL lcAuthAttrSigningTimeName LOCAL loAuthAttrSigningTimeUtctime LOCAL lcAuthAttrMessageDigestName LOCAL lcAuthAttrMessageDigestDigest LOCAL lcAuthAttrSigningCertificateV2Name LOCAL lcAuthAttrSigningCertificateV2Der LOCAL lcUnauthAttrTimestampTokenName LOCAL lcUnauthAttrTimestampTokenDer LOCAL lnUnauthAttrTimestampTokenTimestampSignatureVerified LOCAL lcUnauthAttrTimestampTokenTstInfoTsaPolicyId LOCAL lcUnauthAttrTimestampTokenTstInfoMessageImprintHashAlg LOCAL lcUnauthAttrTimestampTokenTstInfoMessageImprintDigest LOCAL lnUnauthAttrTimestampTokenTstInfoMessageImprintDigestMatches LOCAL lcUnauthAttrTimestampTokenTstInfoSerialNumber LOCAL loUnauthAttrTimestampTokenTstInfoGenTime LOCAL j LOCAL lnCount_j * This example requires the Chilkat API to have been previously unlocked. * See Global Unlock Sample for sample code. * For versions of Chilkat < 10.0.0, use CreateObject('Chilkat_9_5_0.Crypt2') loCrypt = CreateObject('Chilkat.Crypt2') * Indicate that the CAdES-T timestamp tokens must also pass validation for the signature to be validated. * For versions of Chilkat < 10.0.0, use CreateObject('Chilkat_9_5_0.JsonObject') loCmsOptions = CreateObject('Chilkat.JsonObject') loCmsOptions.UpdateBool("ValidateTimestampTokens",1) loCrypt.CmsOptions = loCmsOptions.Emit() * Validate the .p7m and extract the original signed data to an output file. * Note: The timestampToken is an unauthenticated attribute. See the code below that parses the LastJsonData * for details about examining timestampToken. lnSuccess = loCrypt.VerifyP7M("qa_data/cades/CAdES-T/Signature-C-T-1.p7m","qa_output/out.dat") * Get information about the CMS signature in the LastJsonData. * The detailed results of the signature validation are available in LastJsonData. * (If the non-success return status was caused by an error such as "file not found", then the * LastJsonData would be empty.) loJson = loCrypt.LastJsonData() loJson.EmitCompact = 0 ? loJson.Emit() * Here is a sample result: * See the parsing code below.. * Use this online tool to generate parsing code from sample JSON: * Generate Parsing Code from JSON * { * "pkcs7": { * "verify": { * "digestAlgorithms": [ * "sha256" * ], * "signerInfo": [ * { * "cert": { * "serialNumber": "00DCB814678CDB", * "issuerCN": "LevelBCAOK", * "issuerDN": "", * "digestAlgOid": "2.16.840.1.101.3.4.2.1", * "digestAlgName": "SHA256" * }, * "contentType": "1.2.840.113549.1.7.1", * "signingTime": "131203065741Z", * "messageDigest": "JJZt41Nt8VsYahP+Xti4rR3vBDkUfRd6gquItl6R5Os=", * "signingAlgOid": "1.2.840.113549.1.1.1", * "signingAlgName": "RSA-PKCSV-1_5", * "authAttr": { * "1.2.840.113549.1.9.3": { * "name": "contentType", * "oid": "1.2.840.113549.1.7.1" * }, * "1.2.840.113549.1.9.5": { * "name": "signingTime", * "utctime": "131203065741Z" * }, * "1.2.840.113549.1.9.4": { * "name": "messageDigest", * "digest": "JJZt41Nt8VsYahP+Xti4rR3vBDkUfRd6gquItl6R5Os=" * }, * "1.2.840.113549.1.9.16.2.47": { * "name": "signingCertificateV2", * "der": "MIGIMIGFMIGCBCBJrxOU0w0dWGsVovjLv9QDH3syB5mLVv3grSYA40x9IDBeMFOkUTBPMQswCQYDVQQGEwJGUjENMAsGA1UEChMERVRTSTEcMBoGA1UECwwTUGx1Z3Rlc3RzXzIwMTMtMjAxNDETMBEGA1UEAxMKTGV2ZWxCQ0FPSwIHANy4FGeM2w==" * } * }, * "unauthAttr": { * "1.2.840.113549.1.9.16.2.14": { * "name": "timestampToken", * "der": "MIIL+AYJKoZI...u7CfcjURNTY=", * "verify": { * "digestAlgorithms": [ * "sha256" * ], * "signerInfo": [ * { * "cert": { * "serialNumber": "01AA4592D36C61", * "issuerCN": "RootCAOK", * "issuerDN": "", * "digestAlgOid": "2.16.840.1.101.3.4.2.1", * "digestAlgName": "SHA256" * }, * "contentType": "1.2.840.113549.1.9.16.1.4", * "messageDigest": "NSsMUrfoyCQ0OszPE1YLx1j3EyyCiBmnE5Sua6ghu/Q=", * "signingAlgOid": "1.2.840.113549.1.1.1", * "signingAlgName": "RSA-PKCSV-1_5", * "authAttr": { * "1.2.840.113549.1.9.3": { * "name": "contentType", * "oid": "1.2.840.113549.1.9.16.1.4" * }, * "1.2.840.113549.1.9.4": { * "name": "messageDigest", * "digest": "NSsMUrfoyCQ0OszPE1YLx1j3EyyCiBmnE5Sua6ghu/Q=" * }, * "1.2.840.113549.1.9.16.2.47": { * "name": "signingCertificateV2", * "der": "MIGGMIGDMIGABCDB/np5UxvhcPnSxD2Kme+C88uXGCMWLAvFPHNvTApTWDBcMFGkTzBNMQswCQYDVQQGEwJGUjENMAsGA1UEChMERVRTSTEcMBoGA1UECwwTUGx1Z3Rlc3RzXzIwMTMtMjAxNDERMA8GA1UEAxMIUm9vdENBT0sCBwGqRZLTbGE=" * } * } * } * ] * }, * "timestampSignatureVerified": true, * "tstInfo": { * "tsaPolicyId": "1.3.6.1.4.1.2706.2.2.5.2.1.1.1", * "messageImprint": { * "hashAlg": "sha256", * "digest": "C8xEe9NA4X1cUyHGX9zG89ipmQ2byFs3aa+Xe4Fz2P0=", * "digestMatches": true * }, * "serialNumber": "313E162121D922", * "genTime": "20131203065742Z" * } * } * } * } * ] * } * } * } * * For versions of Chilkat < 10.0.0, use CreateObject('Chilkat_9_5_0.DtObj') loSigningTime = CreateObject('Chilkat.DtObj') * For versions of Chilkat < 10.0.0, use CreateObject('Chilkat_9_5_0.DtObj') loAuthAttrSigningTimeUtctime = CreateObject('Chilkat.DtObj') * For versions of Chilkat < 10.0.0, use CreateObject('Chilkat_9_5_0.DtObj') loUnauthAttrTimestampTokenTstInfoGenTime = CreateObject('Chilkat.DtObj') * Iterate over the hash algorithms used in the signature. i = 0 lnCount_i = loJson.SizeOfArray("pkcs7.verify.digestAlgorithms") DO WHILE i < lnCount_i loJson.I = i lcStrVal = loJson.StringOf("pkcs7.verify.digestAlgorithms[i]") i = i + 1 ENDDO * For each signer... i = 0 lnCount_i = loJson.SizeOfArray("pkcs7.verify.signerInfo") DO WHILE i < lnCount_i loJson.I = i * Get information about the certificate used by this signer. lcCertSerialNumber = loJson.StringOf("pkcs7.verify.signerInfo[i].cert.serialNumber") lcCertIssuerCN = loJson.StringOf("pkcs7.verify.signerInfo[i].cert.issuerCN") lcCertIssuerDN = loJson.StringOf("pkcs7.verify.signerInfo[i].cert.issuerDN") lcCertDigestAlgOid = loJson.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgOid") lcCertDigestAlgName = loJson.StringOf("pkcs7.verify.signerInfo[i].cert.digestAlgName") * Get additional information for this signer, such as the signingTime, signature algorithm, etc. lcContentType = loJson.StringOf("pkcs7.verify.signerInfo[i].contentType") loJson.DtOf("pkcs7.verify.signerInfo[i].signingTime",0,loSigningTime) lcMessageDigest = loJson.StringOf("pkcs7.verify.signerInfo[i].messageDigest") lcSigningAlgOid = loJson.StringOf("pkcs7.verify.signerInfo[i].signingAlgOid") lcSigningAlgName = loJson.StringOf("pkcs7.verify.signerInfo[i].signingAlgName") * -------------------------------- * Examine authenticated attributes. * -------------------------------- * contentType IF (loJson.HasMember('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.3"') = 1) THEN lcAuthAttrContentTypeName = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.3".name') lcAuthAttrContentTypeOid = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.3".oid') ENDIF * signingTime IF (loJson.HasMember('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.5"') = 1) THEN lcAuthAttrSigningTimeName = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.5".name') loJson.DtOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.5".utctime',0,loAuthAttrSigningTimeUtctime) ENDIF * messageDigest IF (loJson.HasMember('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.4"') = 1) THEN lcAuthAttrMessageDigestName = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.4".name') lcAuthAttrMessageDigestDigest = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.4".digest') ENDIF * signingCertificateV2 IF (loJson.HasMember('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.16.2.47"') = 1) THEN lcAuthAttrSigningCertificateV2Name = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.16.2.47".name') lcAuthAttrSigningCertificateV2Der = loJson.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.16.2.47".der') ENDIF * -------------------------------- * Examine unauthenticated attributes. * -------------------------------- * timestampToken (the timestampToken is what makes this signature a CAdES-T) IF (loJson.HasMember('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14"') = 1) THEN lcUnauthAttrTimestampTokenName = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".name') lcUnauthAttrTimestampTokenDer = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".der') * This is where we find out if the timestampToken's signature is valid. lnUnauthAttrTimestampTokenTimestampSignatureVerified = loJson.BoolOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".timestampSignatureVerified') lcUnauthAttrTimestampTokenTstInfoTsaPolicyId = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.tsaPolicyId') lcUnauthAttrTimestampTokenTstInfoMessageImprintHashAlg = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.messageImprint.hashAlg') lcUnauthAttrTimestampTokenTstInfoMessageImprintDigest = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.messageImprint.digest') * Here is where we check to see if the digest in the timestampToken's messageImprint matches the digest of the signature of this signerInfo lnUnauthAttrTimestampTokenTstInfoMessageImprintDigestMatches = loJson.BoolOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.messageImprint.digestMatches') lcUnauthAttrTimestampTokenTstInfoSerialNumber = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.serialNumber') * Here is where we get the date/time of the timestampToken (i.e. when it was timestamped) loJson.DtOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.genTime',0,loUnauthAttrTimestampTokenTstInfoGenTime) * The following code gets details about the validity of the timestampToken's signature... j = 0 lnCount_j = loJson.SizeOfArray('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.digestAlgorithms') DO WHILE j < lnCount_j loJson.J = j lcStrVal = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.digestAlgorithms[j]') j = j + 1 ENDDO j = 0 lnCount_j = loJson.SizeOfArray('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo') DO WHILE j < lnCount_j loJson.J = j lcCertSerialNumber = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.serialNumber') lcCertIssuerCN = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.issuerCN') lcCertIssuerDN = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.issuerDN') lcCertDigestAlgOid = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.digestAlgOid') lcCertDigestAlgName = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.digestAlgName') lcContentType = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].contentType') lcMessageDigest = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].messageDigest') lcSigningAlgOid = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].signingAlgOid') lcSigningAlgName = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].signingAlgName') lcAuthAttrContentTypeName = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.3".name') lcAuthAttrContentTypeOid = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.3".oid') lcAuthAttrMessageDigestName = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.4".name') lcAuthAttrMessageDigestDigest = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.4".digest') lcAuthAttrSigningCertificateV2Name = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.16.2.47".name') lcAuthAttrSigningCertificateV2Der = loJson.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.16.2.47".der') j = j + 1 ENDDO ENDIF i = i + 1 ENDDO IF (lnSuccess <> 1) THEN ? loCrypt.LastErrorText ? "CAdES-T verification failed." ELSE ? "CAdES-T signature is valid." ENDIF RELEASE loJson RELEASE loCrypt RELEASE loCmsOptions RELEASE loSigningTime RELEASE loAuthAttrSigningTimeUtctime RELEASE loUnauthAttrTimestampTokenTstInfoGenTime |
||||
© 2000-2024 Chilkat Software, Inc. All Rights Reserved.