(Unicode C++) Verify Authenticode Signature of EXE or DLL

See more Code Signing Examples

Demonstrates how to verify an Authenticode signed EXE or DLL.

Note: Chilkat's code signing class was added in v9.5.0.97

Chilkat C/C++ Library Downloads
MS Visual C/C++ Linux/CentOS C/C++ Alpine Linux C/C++ MAC OS X C/C++	armhf/aarch64 C/C++ C++ Builder iOS C/C++ Android C/C++	Solaris C/C++ MinGW C/C++

#include <CkJsonObjectW.h>
#include <CkCodeSignW.h>
#include <CkDtObjW.h>
#include <CkDateTimeW.h>

void ChilkatSample(void)
    {
    // This example requires the Chilkat API to have been previously unlocked.
    // See Global Unlock Sample for sample code.

    // You can verify a signed DLL or EXE.
    const wchar_t *path = L"c:/someDir/something.dll";

    // The verify method returns an overall indicator of whether
    // the EXE or DLL can be trusted or not.
    // The details of the signature are emitted to the JSON object
    // passed in the last argument.

    CkJsonObjectW json;
    json.put_EmitCompact(false);

    CkCodeSignW validator;
    bool valid = validator.VerifySignature(path,json);
    if (valid == false) {
        // Validation failed.
        wprintf(L"%s\n",validator.lastErrorText());
        // You can also examine the details of the validation (see below)
        wprintf(L"%s\n",json.emit());
        return;
    }

    // Examine the details of the Authenticode signature
    // println json.Emit();

    // An example of the JSON details of an authenticode signature, with selected parsing code, is shown below.
    // 
    // Use this online tool to generate parsing code from sample JSON: 
    // Generate Parsing Code from JSON

    // {
    //   "pkcs7": {
    //     "verify": {
    //       "peFile": {
    //         "hashOid": "2.16.840.1.101.3.4.2.1",
    //         "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw="
    //       },
    //       "certs": [
    //         {
    //           "issuerCN": "AAA Certificate Services",
    //           "serial": "48FC93B46055948D36A7C98A89D69416"
    //         },
    //         {
    //           "issuerCN": "Sectigo Public Code Signing Root R46",
    //           "serial": "621D6D0C52019E3B9079152089211C0A"
    //         },
    //         {
    //           "issuerCN": "Sectigo Public Code Signing CA R36",
    //           "serial": "3FF5B69109BFD4046C92CC0D18EE23C2"
    //         }
    //       ],
    //       "digestAlgorithms": [
    //         "sha256"
    //       ],
    //       "signerInfo": [
    //         {
    //           "cert": {
    //             "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2",
    //             "issuerCN": "Sectigo Public Code Signing CA R36",
    //             "digestAlgOid": "2.16.840.1.101.3.4.2.1",
    //             "digestAlgName": "SHA256"
    //           },
    //           "contentType": "1.3.6.1.4.1.311.2.1.4",
    //           "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=",
    //           "signingAlgOid": "1.2.840.113549.1.1.1",
    //           "signingAlgName": "RSA-PKCSV-1_5",
    //           "authAttr": {
    //             "1.3.6.1.4.1.311.2.1.12": {
    //               "der": "MAA="
    //             },
    //             "1.2.840.113549.1.9.3": {
    //               "name": "contentType",
    //               "oid": "1.3.6.1.4.1.311.2.1.4"
    //             },
    //             "1.3.6.1.4.1.311.2.1.11": {
    //               "der": "MAwGCisGAQQBgjcCARU="
    //             },
    //             "1.2.840.113549.1.9.4": {
    //               "name": "messageDigest",
    //               "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4="
    //             }
    //           },
    //           "unauthAttr": {
    //             "1.3.6.1.4.1.311.3.3.1": {
    //               "name": "timestampToken",
    //               "der": "MIIXJwY ... QZej",
    //               "verify": {
    //                 "digestAlgorithms": [
    //                   "sha256"
    //                 ],
    //                 "signerInfo": [
    //                   {
    //                     "cert": {
    //                       "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116",
    //                       "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
    //                       "digestAlgOid": "2.16.840.1.101.3.4.2.1",
    //                       "digestAlgName": "SHA256"
    //                     },
    //                     "contentType": "1.2.840.113549.1.9.16.1.4",
    //                     "signingTime": "240117124047Z",
    //                     "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=",
    //                     "signingAlgOid": "1.2.840.113549.1.1.1",
    //                     "signingAlgName": "RSA-PKCSV-1_5",
    //                     "authAttr": {
    //                       "1.2.840.113549.1.9.3": {
    //                         "name": "contentType",
    //                         "oid": "1.2.840.113549.1.9.16.1.4"
    //                       },
    //                       "1.2.840.113549.1.9.5": {
    //                         "name": "signingTime",
    //                         "utctime": "240117124047Z"
    //                       },
    //                       "1.2.840.113549.1.9.16.2.12": {
    //                         "name": "signingCertificate",
    //                         "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA=="
    //                       },
    //                       "1.2.840.113549.1.9.4": {
    //                         "name": "messageDigest",
    //                         "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM="
    //                       },
    //                       "1.2.840.113549.1.9.16.2.47": {
    //                         "name": "signingCertificateV2",
    //                         "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA=="
    //                       }
    //                     }
    //                   }
    //                 ],
    //                 "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial"
    //               },
    //               "timestampSignatureVerified": true,
    //               "tstInfo": {
    //                 "tsaPolicyId": "2.16.840.1.114412.7.1",
    //                 "messageImprint": {
    //                   "hashAlg": "sha256",
    //                   "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=",
    //                   "digestMatches": true
    //                 },
    //                 "serialNumber": "6E4597E574BC909213565DAEBC0E4888",
    //                 "genTime": "20240117124047Z"
    //               }
    //             }
    //           }
    //         }
    //       ],
    //       "pkcs7": {
    //         "verify": {
    //           "certs": [
    //             {
    //               "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
    //               "serial": "0544AFF3949D0839A6BFDB3F5FE56116"
    //             },
    //             {
    //               "issuerCN": "DigiCert Trusted Root G4",
    //               "serial": "073637B724547CD847ACFD28662A5E5B"
    //             },
    //             {
    //               "issuerCN": "DigiCert Assured ID Root CA",
    //               "serial": "0E9B188EF9D02DE7EFDB50E20840185A"
    //             }
    //           ]
    //         }
    //       }
    //     }
    //   }
    // }

    const wchar_t *issuerCN = 0;
    const wchar_t *serial = 0;
    CkDtObjW genTime;
    CkDateTimeW dt;

    // Show the certificates embedded in the PKCS7 signature.
    wprintf(L"Certificates contained in the PKCS7 signature:\n");
    int i = 0;
    int count_i = json.SizeOfArray(L"pkcs7.verify.certs");
    while (i < count_i) {
        json.put_I(i);
        issuerCN = json.stringOf(L"pkcs7.verify.certs[i].issuerCN");
        serial = json.stringOf(L"pkcs7.verify.certs[i].serial");
        wprintf(L"%s, %s\n",issuerCN,serial);
        i = i + 1;
    }

    // Show details about the signing certificate(s)
    int numSigners = json.SizeOfArray(L"pkcs7.verify.signerInfo");
    i = 0;
    while (i < numSigners) {
        json.put_I(i);
        wprintf(L"---- Signing Certificate ----\n");
        wprintf(L"serial number: %s\n",json.stringOf(L"pkcs7.verify.signerInfo[i].cert.serialNumber"));
        wprintf(L"issuerCN: %s\n",json.stringOf(L"pkcs7.verify.signerInfo[i].cert.issuerCN"));
        wprintf(L"hash algorithm: %s\n",json.stringOf(L"pkcs7.verify.signerInfo[i].cert.digestAlgName"));
        wprintf(L"signing algorithm: %s\n",json.stringOf(L"pkcs7.verify.signerInfo[i].signingAlgName"));

        // If this signature includes a timestamp token, get information about it.
        if (json.HasMember(L"pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\"") == true) {
            // We're going to assume the timestamp token had only 1 signer..
            wprintf(L"--- Timestamp Token ----\n");
            wprintf(L"TS hash algorithm: %s\n",json.stringOf(L"pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.digestAlgorithms[0]"));
            wprintf(L"TS certificate serial: %s\n",json.stringOf(L"pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.signerInfo[0].cert.serialNumber"));
            wprintf(L"TS certificate issuerCN: %s\n",json.stringOf(L"pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.signerInfo[0].cert.issuerCN"));
            wprintf(L"timestamp signature verified: %d\n",json.BoolOf(L"pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".timestampSignatureVerified"));
            json.DtOf(L"pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".tstInfo.genTime",false,genTime);
            dt.SetFromDtObj(genTime);
            wprintf(L"timestamp date/time: %s\n",dt.getAsRfc822(true));
        }

        i = i + 1;
    }

    wprintf(L"The Authenticode signature is valid.\n");

    // Sample output:

    // Certificates contained in the PKCS7 signature:
    // AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416
    // Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A
    // Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2
    // ---- Signing Certificate ----
    // serial number: 3FF5B69109BFD4046C92CC0D18EE23C2
    // issuerCN: Sectigo Public Code Signing CA R36
    // hash algorithm: SHA256
    // signing algorithm: RSA-PKCSV-1_5
    // --- Timestamp Token ----
    // TS hash algorithm: sha256
    // TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116
    // TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
    // timestamp signature verified: True
    // timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600
    // The Authenticode signature is valid.
    }