Verifying CMS/PKCS#7 Signatures

M. Gallant May 18/2007

CMS/PKCS#7 (Cryptographic Message Syntax / Public Key Cryptography Standard #7) is the established standard for cryptographic representation of digitally signed and enveloped messages using X.509 v3 certificate technology. The secure mail standard S/MIME builds on CMS/pkcs#7 standards. CMS messages can be decoded and verified using different technologies. Windows CryptoAPI technology provides extensive capability for constructing, parsing and verifying of CMS/PKCS#7 messages. CAPICOM 2 exposes much of the useful functionality of CryptoAPI to COM object automation.

The details of the content actually hashed and signed into a CMS message depends to some extent on the technology used. Some technologies will represent string data as UNICODE-encoded bytes, while others will simply use text data as ANSI data (one character per byte). This can cause confusion in the process of verifying detached CMS signatures if the verification program is not aware of how the content data was originally represented for hashing and signing.

The WSH vbs script VerifyPKCS7.vbs is a utility which demonstrates one approach to verifying CMS/pkcs#7 signature messages which should cover most of the common cases:

The signature alone is first verified and if successful, signature verification is attempted including the certificate chain validity and the date validity of the signature (relative to a timestamp, if included with the signature, or the validity period of the certificate). For detached signatures, several consecutive attempts are made to verify the CMS signature (and validate the associated certificates) using common content formats (UNICODE, ASCII, raw binary bytes). The detailed status of the verification is displayed, including error codes for various attempts at verification, if the Verbose variable is True (default is False). The status of the verification is displayed in a message box window.


Example Results: