Sample code for 30+ languages & platforms
Objective-C

Validate PDF Signatures

See more PDF Signatures Examples

This example demonstrates how to validate the signatures in a PDF and also shows how to get information from each signature.

Note: This example requires Chilkat v9.5.0.85 or greater.

Chilkat Objective-C Downloads

Objective-C
#import <CkoPdf.h>
#import <CkoJsonObject.h>
#import <CkoDtObj.h>
#import <NSString.h>

BOOL success = NO;

// This example requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

CkoPdf *pdf = [[CkoPdf alloc] init];

// Load a PDF that has cryptographic signatures to be validated
success = [pdf LoadFile: @"qa_data/pdf/sign_testing_1/helloSigned2.pdf"];
if (success == NO) {
    NSLog(@"%@",pdf.LastErrorText);
    return;
}

// Each time we verify a signature, information about the signature is written into
// sigInfo (replacing whatever sigInfo previously contained).
CkoJsonObject *sigInfo = [[CkoJsonObject alloc] init];
sigInfo.EmitCompact = NO;

// Iterate over each signature and validate each.
int numSignatures = [pdf.NumSignatures intValue];
BOOL validated = NO;
int i = 0;
while (i < numSignatures) {
    validated = [pdf VerifySignature: [NSNumber numberWithInt: i] sigInfo: sigInfo];
    NSLog(@"%@%d%@%d",@"Signature ",i,@" validated: ",validated);
    NSLog(@"%@",[sigInfo Emit]);
    i = i + 1;
}

NSLog(@"%@",@"Finished.");

// When VerifySignature validates a signature, a lot of information is deposited into the JSON sigInfo object.
// The information can vary depending on what was included in the signature (for example, various authenticated attributes
// and unauthenticated attributes may or may not be included).
// Here is a sample of the information you'll see.
// 
// The following online tool can be used to generate code to parse any given JSON.
// Generate Parsing Code from JSON

// {
//   "validated": true,
//   "signatureDictionary": {         <--- This is the contents of the PDF Signature Dictionary for this signature.
//     "/ByteRange": [
//       0,
//       154682,
//       170512,
//       3233
//     ],
//     "/Contents": "<hex_data>",
//     "/Filter": "/Adobe.PPKLite",        <--- The meaning of the Signature Dictionary entries are defined in the PDF format specification document.
//     "/M": "D:20201006110216-05'00'",
//     "/Name": "yubikey rsa 1024 authentication",
//     "/Prop_Build": {
//       "/App": {
//         "/Name": "/Adobe#20Acrobat#20Pro#20DC",
//         "/OS": [
//           "/Win"
//         ],
//         "/R": 1313792,
//         "/REx": "2020.012.20048",
//         "/TrustedMode": true
//       },
//       "/Filter": {
//         "/Date": "Sep 11 2020 16:30:54",
//         "/Name": "/Adobe.PPKLite",
//         "/R": 131104,
//         "/V": 2
//       },
//       "/PubSec": {
//         "/Date": "Sep 11 2020 16:30:54",
//         "/NonEFontNoWarn": true,
//         "/R": 131105
//       }
//     },
//     "/SubFilter": "/adbe.pkcs7.detached",
//     "/Type": "/Sig"
//   },
//   "pkcs7": {          <--- This is the content of the CMS signature.
//     "verify": {
//       "certs": [      <--- Each signing certificate is listed here (by issuer common name and signing cert's serail number (in hex))
//         {
//           "issuerCN": "yubikey rsa 1024 authentication",
//           "serial": "66BE58138D761E92BC594A722932657BE26D421F"
//         }
//       ],
//       "digestAlgorithms": [
//         "sha256"
//       ],
//       "signerInfo": [     <--- contains data from each SignerInfo
//         {
//           "cert": {
//             "serialNumber": "66BE58138D761E92BC594A722932657BE26D421F",
//             "issuerCN": "yubikey rsa 1024 authentication",
//             "digestAlgOid": "2.16.840.1.101.3.4.2.1",
//             "digestAlgName": "SHA256"
//           },
//           "contentType": "1.2.840.113549.1.7.1",
//           "messageDigest": "btQOuSEvC31mdRFHtyEUPw8R9NuKfk0XPcQ6Lcmn6pk=",
//           "signingAlgOid": "1.2.840.113549.1.1.11",
//           "signingAlgName": "RSA-SHA256-PKCSV-1_5",
//           "authAttr": {     <--- CMS authenticated attributes are contained here.
//             "1.2.840.113583.1.1.8": {
//               "der": "MAA="
//             },
//             "1.2.840.113549.1.9.3": {
//               "name": "contentType",
//               "oid": "1.2.840.113549.1.7.1"
//             },
//             "1.2.840.113549.1.9.4": {
//               "name": "messageDigest",
//               "digest": "btQOuSEvC31mdRFHtyEUPw8R9NuKfk0XPcQ6Lcmn6pk="
//             }
//           },
//           "unauthAttr": {    <--- CMS unauthenticated attributes are contained here.
//             "1.2.840.113549.1.9.16.2.14": {
//               "name": "timestampToken",
//               "der": "MIIOvAYJKo ... Es/70g=",
//               "verify": {
//                 "digestAlgorithms": [
//                   "sha256"
//                 ],
//                 "signerInfo": [
//                   {
//                     "cert": {
//                       "serialNumber": "04CD3F8568AE76C61BB0FE7160CCA76D",
//                       "issuerCN": "DigiCert SHA2 Assured ID Timestamping CA",
//                       "digestAlgOid": "2.16.840.1.101.3.4.2.1",
//                       "digestAlgName": "SHA256"
//                     },
//                     "contentType": "1.2.840.113549.1.9.16.1.4",
//                     "signingTime": "201006160423Z",
//                     "messageDigest": "Atv5Rj3kidB8IR6CplYiX3o6De/k8SC6JJ6uUPAGO0g=",
//                     "signingAlgOid": "1.2.840.113549.1.1.1",
//                     "signingAlgName": "RSA-PKCSV-1_5",
//                     "authAttr": {
//                       "1.2.840.113549.1.9.3": {
//                         "name": "contentType",
//                         "oid": "1.2.840.113549.1.9.16.1.4"
//                       },
//                       "1.2.840.113549.1.9.5": {
//                         "name": "signingTime",
//                         "utctime": "201006160423Z"
//                       },
//                       "1.2.840.113549.1.9.16.2.12": {
//                         "name": "signingCertificate",
//                         "der": "MBowGDAWBBQDJb1QXtqWMC3CL0+gHkwovig0xQ=="
//                       },
//                       "1.2.840.113549.1.9.4": {
//                         "name": "messageDigest",
//                         "digest": "Atv5Rj3kidB8IR6CplYiX3o6De/k8SC6JJ6uUPAGO0g="
//                       }
//                     }
//                   }
//                 ]
//               },
//               "timestampSignatureVerified": true,
//               "tstInfo": {
//                 "tsaPolicyId": "2.16.840.1.114412.7.1",
//                 "messageImprint": {
//                   "hashAlg": "sha256",
//                   "digest": "gLJtrRWUSDfjzDkF1MfWG1wyHA6FrUJLkWMGRG+eMlA=",
//                   "digestMatches": true
//                 },
//                 "serialNumber": "00CE57E1113970607EF63B1D1160545321",
//                 "genTime": "20201006160423Z"
//               }
//             }
//           }
//         }
//       ],
//       "pkcs7": {
//         "verify": {
//           "certs": [
//             {
//               "issuerCN": "DigiCert SHA2 Assured ID Timestamping CA",
//               "serial": "04CD3F8568AE76C61BB0FE7160CCA76D"
//             },
//             {
//               "issuerCN": "DigiCert Assured ID Root CA",
//               "serial": "0AA125D6D6321B7E41E405DA3697C215"
//             }
//           ]
//         }
//       }
//     }
//   }
// }

// **** The point of this code is to show how to get at each desired piece of information contained in the signature.
// **** If your signature contains additional information not shown here, then you can use the online tool to generate the parse code.
// **** It is likely you're only interested in a few items of information, and therefore you wouldn't copy all of this code, but might
// **** choose to use bits and pieces to get the information you find important.

CkoJsonObject *json = [[CkoJsonObject alloc] init];

// Imagine that the "json" object contains the information obtained by validating a signature...
// The code below was generated using the online tool:  Generate Parsing Code from JSON

CkoDtObj *unauthAttrTimestampTokenTstInfoGenTime = [[CkoDtObj alloc] init];
CkoDtObj *signingTime = [[CkoDtObj alloc] init];
CkoDtObj *authAttrSigningTimeUtctime = [[CkoDtObj alloc] init];
int intVal;
NSString *strVal = 0;
NSString *issuerCN = 0;
NSString *serial = 0;
NSString *certSerialNumber = 0;
NSString *certIssuerCN = 0;
NSString *certDigestAlgOid = 0;
NSString *certDigestAlgName = 0;
NSString *contentType = 0;
NSString *messageDigest = 0;
NSString *signingAlgOid = 0;
NSString *signingAlgName = 0;
NSString *authAttr1_2_840_113583_1_1_8Der = 0;
NSString *authAttrContentTypeName = 0;
NSString *authAttrContentTypeOid = 0;
NSString *authAttrMessageDigestName = 0;
NSString *authAttrMessageDigestDigest = 0;
NSString *unauthAttrTimestampTokenName = 0;
NSString *unauthAttrTimestampTokenDer = 0;
BOOL unauthAttrTimestampTokenTimestampSignatureVerified;
NSString *unauthAttrTimestampTokenTstInfoTsaPolicyId = 0;
NSString *unauthAttrTimestampTokenTstInfoMessageImprintHashAlg = 0;
NSString *unauthAttrTimestampTokenTstInfoMessageImprintDigest = 0;
BOOL unauthAttrTimestampTokenTstInfoMessageImprintDigestMatches;
NSString *unauthAttrTimestampTokenTstInfoSerialNumber = 0;
int j;
int count_j;
NSString *authAttrSigningTimeName = 0;
NSString *authAttrSigningCertificateName = 0;
NSString *authAttrSigningCertificateDer = 0;

validated = [json BoolOf: @"validated"];
NSString *signatureDictionary_Contents = [json StringOf: @"signatureDictionary./Contents"];
NSString *signatureDictionary_Filter = [json StringOf: @"signatureDictionary./Filter"];
NSString *signatureDictionary_M = [json StringOf: @"signatureDictionary./M"];
NSString *signatureDictionary_Name = [json StringOf: @"signatureDictionary./Name"];
NSString *signatureDictionary_Prop_Build_App_Name = [json StringOf: @"signatureDictionary./Prop_Build./App./Name"];
int signatureDictionary_Prop_Build_App_R = [[json IntOf: @"signatureDictionary./Prop_Build./App./R"] intValue];
NSString *signatureDictionary_Prop_Build_App_REx = [json StringOf: @"signatureDictionary./Prop_Build./App./REx"];
BOOL signatureDictionary_Prop_Build_App_TrustedMode = [json BoolOf: @"signatureDictionary./Prop_Build./App./TrustedMode"];
NSString *signatureDictionary_Prop_Build_Filter_Date = [json StringOf: @"signatureDictionary./Prop_Build./Filter./Date"];
NSString *signatureDictionary_Prop_Build_Filter_Name = [json StringOf: @"signatureDictionary./Prop_Build./Filter./Name"];
int signatureDictionary_Prop_Build_Filter_R = [[json IntOf: @"signatureDictionary./Prop_Build./Filter./R"] intValue];
int signatureDictionary_Prop_Build_Filter_V = [[json IntOf: @"signatureDictionary./Prop_Build./Filter./V"] intValue];
NSString *signatureDictionary_Prop_Build_PubSec_Date = [json StringOf: @"signatureDictionary./Prop_Build./PubSec./Date"];
BOOL signatureDictionary_Prop_Build_PubSec_NonEFontNoWarn = [json BoolOf: @"signatureDictionary./Prop_Build./PubSec./NonEFontNoWarn"];
int signatureDictionary_Prop_Build_PubSec_R = [[json IntOf: @"signatureDictionary./Prop_Build./PubSec./R"] intValue];
NSString *signatureDictionary_SubFilter = [json StringOf: @"signatureDictionary./SubFilter"];
NSString *signatureDictionary_Type = [json StringOf: @"signatureDictionary./Type"];
i = 0;
int count_i = [[json SizeOfArray: @"signatureDictionary./ByteRange"] intValue];
while (i < count_i) {
    json.I = [NSNumber numberWithInt: i];
    intVal = [[json IntOf: @"signatureDictionary./ByteRange[i]"] intValue];
    i = i + 1;
}

i = 0;
count_i = [[json SizeOfArray: @"signatureDictionary./Prop_Build./App./OS"] intValue];
while (i < count_i) {
    json.I = [NSNumber numberWithInt: i];
    strVal = [json StringOf: @"signatureDictionary./Prop_Build./App./OS[i]"];
    i = i + 1;
}

i = 0;
count_i = [[json SizeOfArray: @"pkcs7.verify.certs"] intValue];
while (i < count_i) {
    json.I = [NSNumber numberWithInt: i];
    issuerCN = [json StringOf: @"pkcs7.verify.certs[i].issuerCN"];
    serial = [json StringOf: @"pkcs7.verify.certs[i].serial"];
    i = i + 1;
}

i = 0;
count_i = [[json SizeOfArray: @"pkcs7.verify.digestAlgorithms"] intValue];
while (i < count_i) {
    json.I = [NSNumber numberWithInt: i];
    strVal = [json StringOf: @"pkcs7.verify.digestAlgorithms[i]"];
    i = i + 1;
}

i = 0;
count_i = [[json SizeOfArray: @"pkcs7.verify.signerInfo"] intValue];
while (i < count_i) {
    json.I = [NSNumber numberWithInt: i];
    certSerialNumber = [json StringOf: @"pkcs7.verify.signerInfo[i].cert.serialNumber"];
    certIssuerCN = [json StringOf: @"pkcs7.verify.signerInfo[i].cert.issuerCN"];
    certDigestAlgOid = [json StringOf: @"pkcs7.verify.signerInfo[i].cert.digestAlgOid"];
    certDigestAlgName = [json StringOf: @"pkcs7.verify.signerInfo[i].cert.digestAlgName"];
    contentType = [json StringOf: @"pkcs7.verify.signerInfo[i].contentType"];
    messageDigest = [json StringOf: @"pkcs7.verify.signerInfo[i].messageDigest"];
    signingAlgOid = [json StringOf: @"pkcs7.verify.signerInfo[i].signingAlgOid"];
    signingAlgName = [json StringOf: @"pkcs7.verify.signerInfo[i].signingAlgName"];
    authAttr1_2_840_113583_1_1_8Der = [json StringOf: @"pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113583.1.1.8\".der"];
    authAttrContentTypeName = [json StringOf: @"pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.3\".name"];
    authAttrContentTypeOid = [json StringOf: @"pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.3\".oid"];
    authAttrMessageDigestName = [json StringOf: @"pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.4\".name"];
    authAttrMessageDigestDigest = [json StringOf: @"pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.4\".digest"];
    unauthAttrTimestampTokenName = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".name"];
    unauthAttrTimestampTokenDer = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".der"];
    unauthAttrTimestampTokenTimestampSignatureVerified = [json BoolOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".timestampSignatureVerified"];
    unauthAttrTimestampTokenTstInfoTsaPolicyId = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".tstInfo.tsaPolicyId"];
    unauthAttrTimestampTokenTstInfoMessageImprintHashAlg = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".tstInfo.messageImprint.hashAlg"];
    unauthAttrTimestampTokenTstInfoMessageImprintDigest = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".tstInfo.messageImprint.digest"];
    unauthAttrTimestampTokenTstInfoMessageImprintDigestMatches = [json BoolOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".tstInfo.messageImprint.digestMatches"];
    unauthAttrTimestampTokenTstInfoSerialNumber = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".tstInfo.serialNumber"];
    [json DtOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".tstInfo.genTime" bLocal: NO dt: unauthAttrTimestampTokenTstInfoGenTime];
    j = 0;
    count_j = [[json SizeOfArray: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.digestAlgorithms"] intValue];
    while (j < count_j) {
        json.J = [NSNumber numberWithInt: j];
        strVal = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.digestAlgorithms[j]"];
        j = j + 1;
    }

    j = 0;
    count_j = [[json SizeOfArray: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo"] intValue];
    while (j < count_j) {
        json.J = [NSNumber numberWithInt: j];
        certSerialNumber = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].cert.serialNumber"];
        certIssuerCN = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].cert.issuerCN"];
        certDigestAlgOid = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].cert.digestAlgOid"];
        certDigestAlgName = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].cert.digestAlgName"];
        contentType = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].contentType"];
        [json DtOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].signingTime" bLocal: NO dt: signingTime];
        messageDigest = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].messageDigest"];
        signingAlgOid = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].signingAlgOid"];
        signingAlgName = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].signingAlgName"];
        authAttrContentTypeName = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].authAttr.\"1.2.840.113549.1.9.3\".name"];
        authAttrContentTypeOid = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].authAttr.\"1.2.840.113549.1.9.3\".oid"];
        authAttrSigningTimeName = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].authAttr.\"1.2.840.113549.1.9.5\".name"];
        [json DtOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].authAttr.\"1.2.840.113549.1.9.5\".utctime" bLocal: NO dt: authAttrSigningTimeUtctime];
        authAttrSigningCertificateName = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].authAttr.\"1.2.840.113549.1.9.16.2.12\".name"];
        authAttrSigningCertificateDer = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].authAttr.\"1.2.840.113549.1.9.16.2.12\".der"];
        authAttrMessageDigestName = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].authAttr.\"1.2.840.113549.1.9.4\".name"];
        authAttrMessageDigestDigest = [json StringOf: @"pkcs7.verify.signerInfo[i].unauthAttr.\"1.2.840.113549.1.9.16.2.14\".verify.signerInfo[j].authAttr.\"1.2.840.113549.1.9.4\".digest"];
        j = j + 1;
    }

    i = i + 1;
}

i = 0;
count_i = [[json SizeOfArray: @"pkcs7.verify.pkcs7.verify.certs"] intValue];
while (i < count_i) {
    json.I = [NSNumber numberWithInt: i];
    issuerCN = [json StringOf: @"pkcs7.verify.pkcs7.verify.certs[i].issuerCN"];
    serial = [json StringOf: @"pkcs7.verify.pkcs7.verify.certs[i].serial"];
    i = i + 1;
}