Verifying CMS/PKCS #7 Signatures

M. Gallant 07/01/2002

PKCS #7 is the established standard for cryptographic representation of digitally signed and enveloped messages using X509 certificate technology. The secure mail standard S/MIME builds on pkcs #7 standards. PKCS #7 messages can be decoded and verified using different technologies. Windows cryptoAPI technology provides extensive capability for dealing with CMS/PKCS #7. CAPICOM 2 exposes much of the useful functionality of cryptoAPI to COM object automation.

The details of the content actually hashed and signed into a pkcs #7 object depend to some extent on the technology used. Some technologies will represent string data as UNICODE-encoded bytes, while others will simply use text data as ANSI data (one character per byte). This can cause confusion in the process of verifying detached signature pkcs #7 data if the verification program is not aware of how the content data was originally represented for hashing and signing.

The WSH vbs script VerifyAll.vbs is a utility which demonstrates one approach to verifying pkcs #7 signature files which should cover most of the common cases:

signatures with detached or included content
base64 or binary encoded DER file formats
UNICODE-encoded string or ASCII-encoded string data
pure binary files
Netscape 4.x crypto.signText() formsigning script data
S/MIME multipart/signed and application/pkcs-signature data (Note on S/MIME)

For detached signatures, several consecutive attempts are make to verify the PKCS #7 signature (and validate the associated certificates) using typical scenarios (UNICODE, ANSI, raw binary bytes). The detailed status of the verification is displayed, including error codes for various attempts at verification, if the Verbose variable is True (default is False).

VerifyAll.vbs