Validating CAdES signatures

The validation of a CAdES signature is not always a straightforward process, and it may differ depending on the specifics of a particular environment.

First and foremost, you need to establish that the signature is actually valid, i.e. that it corresponds to the signed data. This confirms that the data has not been changed in transit and that the signer made their signature over exactly the same revision of the data, for whatever reason they did so (authorization, authentication, non-repudiation).

The next stage, and at the same time the most complicated one with CAdES, is validation of the signer's trust, i.e. whether we can actually be sure that it was the signer who made the signature and whether the signature was made at the time it is claimed to have been made. This is done by validating the certificate chain of the signer's certificate and ensuring that the signer's certificate had not been revoked at the moment of signing. This procedure may involve contacting third parties (revocation information sources, such as CRL or OCSP services) to obtain certificate statuses for the needed time. Similar validations are also performed for subordinate chains, such as timestamp service chains.

Finally, higher-level policies might set compliance requirements for all signatures operating within the environment, such as compliance with a particular signature profile (e.g. CAdES-T). This should also be checked.

To validate a CAdES signature with SecureBlackbox:

1. Load your CAdES message into a TElSignedCMSMessage object.

2. Find the TElCMSSignature object corresponding to the needed signature in the list:

   TElCMSSignature sig = cms.get_Signatures(0);

3. Create a TElCAdESSignatureProcessor object, passing your signature object to its constructor, and set it up:

   TElCAdESSignatureProcessor processor = new TElCAdESSignatureProcessor(sig);
   processor.ValidationMoment = sig.SigningTime; // or, alternatively, sig.get_Timestamps(0).Info.Time;
   ...

   Note that the signing-time attribute is asserted by the signer and is not independently confirmed, whereas the time in a timestamp token is attested by the timestamp authority. When the signature carries a timestamp, prefer the timestamp's time as the validation moment.

4. Call the processor object's Validate() method:

   TSBCAdESSignatureValidity validity = processor.Validate();

   The following values might be returned:

   - TSBCAdESSignatureValidity.asvValid: the signature is valid;
   - TSBCAdESSignatureValidity.asvInvalid: the signature is not valid; check CompatibilityErrors for the details;
   - TSBCAdESSignatureValidity.asvIncomplete: the signature value is valid, but the verifier was unable to collect all the needed revocation information to confirm that the signer was acting genuinely.

5. If needed, check that the signature corresponds to the needed CAdES profile (e.g. CAdES-T):

   bool isT = processor.IsT();
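The steps above combined into one routine that validates every signature in a message, chooses the validation moment from a timestamp when one is present, and treats an incomplete result as a failure. This is an added example, not code from the SecureBlackbox help topic. The SBCMS and SBCAdES namespace names, TElSignedCMSMessage.Load(Stream), TElSignedCMSMessage.SignatureCount and TElCMSSignature.TimestampCount are assumptions not taken from this page (see the "Load CMS message" topic for the actual loading API); trust anchors and revocation retrieval are left at the library's defaults.

```csharp
// Added example; not part of the original help topic.
// Assumed (not from the page): the SBCMS and SBCAdES namespaces,
// TElSignedCMSMessage.Load(Stream), TElSignedCMSMessage.SignatureCount,
// TElCMSSignature.TimestampCount. Trust settings are left at defaults.
using System;
using System.IO;
using SBCMS;
using SBCAdES;

public static class CAdESValidationExample
{
    // Validates every signature in the CAdES message at 'path'.
    // Returns true only if all signatures are asvValid and, when
    // 'requireT' is set, each one meets the CAdES-T profile.
    public static bool ValidateAll(string path, bool requireT)
    {
        bool allOk = true;
        TElSignedCMSMessage cms = new TElSignedCMSMessage();
        using (FileStream fs = File.OpenRead(path))
        {
            cms.Load(fs); // assumed overload; see "Load CMS message"
        }

        for (int i = 0; i < cms.SignatureCount; i++) // SignatureCount assumed
        {
            TElCMSSignature sig = cms.get_Signatures(i);
            TElCAdESSignatureProcessor processor = new TElCAdESSignatureProcessor(sig);

            // Prefer the TSA-attested time. The signing-time attribute is
            // asserted by the signer and is not independently confirmed.
            if (sig.TimestampCount > 0) // TimestampCount assumed
                processor.ValidationMoment = sig.get_Timestamps(0).Info.Time;
            else
                processor.ValidationMoment = sig.SigningTime;

            TSBCAdESSignatureValidity validity = processor.Validate();
            switch (validity)
            {
                case TSBCAdESSignatureValidity.asvValid:
                    Console.WriteLine("Signature {0}: valid", i);
                    break;
                case TSBCAdESSignatureValidity.asvIncomplete:
                    // Signature value is fine, but revocation data is missing,
                    // so the signer's trust could not be confirmed. Fail closed.
                    Console.WriteLine("Signature {0}: incomplete (missing revocation information)", i);
                    allOk = false;
                    break;
                default:
                    Console.WriteLine("Signature {0}: invalid, CompatibilityErrors = {1}",
                        i, processor.CompatibilityErrors);
                    allOk = false;
                    break;
            }

            // Profile compliance is a separate policy check from validity.
            if (requireT && !processor.IsT())
            {
                Console.WriteLine("Signature {0}: does not meet the CAdES-T profile", i);
                allOk = false;
            }
        }
        return allOk;
    }

    public static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.WriteLine("usage: CAdESValidationExample <message.p7s> [--require-t]");
            return 2;
        }
        bool requireT = args.Length > 1 && args[1] == "--require-t";
        return ValidateAll(args[0], requireT) ? 0 : 1;
    }
}
```

The routine fails closed on asvIncomplete: the signature value matches the data, but without revocation information the signer's trust at the validation moment is unproven, so an environment that only accepts fully validated signatures should reject it rather than accept it.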