I have a signed message and I want to know against which certificate this code checks the signature. Does the SignedCms always have the signing certificate in it (and it is used to verify the signature), or is the certificate sometimes not inside the message and taken from the verifying machine's certificate store instead? Basically I'm interested in identifying which user signed that message.
Here is the example of code that makes that verification (from MSDN: https://msdn.microsoft.com/en-us/library/aedbc064(v=vs.110).aspx ):

```csharp
using System.Security.Cryptography.Pkcs;

// Create a ContentInfo object from the inner content obtained independently from encodedMessage.
ContentInfo contentInfo = new ContentInfo(innerContent);
// Create a new, detached SignedCms message.
SignedCms signedCms = new SignedCms(contentInfo, true);
// encodedMessage is the encoded message received from the sender.
signedCms.Decode(encodedMessage);
// Verify the signature without validating the certificate.
signedCms.CheckSignature(true); //<-- Here is the verification
```
Thank you, and sorry for my poor English.
SignedCms is represented by an ASN.1 structure SignedData defined in RFC 2315:

```asn1
SignedData ::= SEQUENCE {
    version          Version,
    digestAlgorithms DigestAlgorithmIdentifiers,
    contentInfo      ContentInfo,
    certificates
        [0] IMPLICIT ExtendedCertificatesAndCertificates OPTIONAL,
    crls
        [1] IMPLICIT CertificateRevocationLists OPTIONAL,
    signerInfos      SignerInfos }
```
The certificates property, as described by RFC 2315, is a set of PKCS #6 extended certificates and X.509 certificates. It is intended that the set be sufficient to contain chains from a recognized "root" or "top-level certification authority" to all of the signers in the signerInfos field. There may be more certificates than necessary, and there may be certificates sufficient to contain chains from two or more independent top-level certification authorities. There may also be fewer certificates than necessary, if it is expected that those verifying the signatures have an alternate means of obtaining necessary certificates (e.g., from a previous set of certificates).
But it is optional.
signerInfos is described as: "signerInfos is a collection of per-signer information. There may be any number of elements in the collection, including zero."
SignerInfo contains an IssuerAndSerialNumber element that describes which certificate was used to sign the content.
More info in RFC 2315
In C# you can get the certificate with this code:

```csharp
signedCms.SignerInfos[0].Certificate
```
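As an added example (not part of the question or the answer above), the following C# program decodes a detached SignedCms, reports how each signer identifies its certificate, and checks whether that certificate travelled inside the message or had to be resolved elsewhere. It assumes the caller already holds the `innerContent` and `encodedMessage` byte arrays from the question; the class and method names are illustrative.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper class written for this example.
static class SignerInspector
{
    // Decodes a detached CMS signature and explains, per signer, which
    // certificate was referenced and where it came from.
    public static void Inspect(byte[] innerContent, byte[] encodedMessage)
    {
        var signedCms = new SignedCms(new ContentInfo(innerContent), true);
        signedCms.Decode(encodedMessage);

        // The optional "certificates" set of SignedData (RFC 2315); may be empty.
        Console.WriteLine($"Certificates embedded in the message: {signedCms.Certificates.Count}");

        foreach (SignerInfo signer in signedCms.SignerInfos)
        {
            // SignerIdentifier says how the signer referenced its certificate:
            // IssuerAndSerialNumber (as in RFC 2315) or SubjectKeyIdentifier.
            SubjectIdentifier id = signer.SignerIdentifier;
            Console.WriteLine($"Signer identified by {id.Type}");
            if (id.Type == SubjectIdentifierType.IssuerAndSerialNumber)
            {
                var isn = (X509IssuerSerial)id.Value;
                Console.WriteLine($"  Issuer: {isn.IssuerName}");
                Console.WriteLine($"  Serial: {isn.SerialNumber}");
            }
            else if (id.Type == SubjectIdentifierType.SubjectKeyIdentifier)
            {
                Console.WriteLine($"  Subject key identifier: {(string)id.Value}");
            }

            // signer.Certificate is resolved from the identifier above; it is null
            // when the certificate was neither embedded nor otherwise available
            // to the runtime, in which case the signature cannot be checked.
            X509Certificate2 cert = signer.Certificate;
            if (cert == null)
            {
                Console.WriteLine("  Signing certificate not available to the verifier.");
                continue;
            }
            Console.WriteLine($"  Subject:    {cert.Subject}");
            Console.WriteLine($"  Thumbprint: {cert.Thumbprint}");
            // Distinguish "carried in the message" from "found elsewhere":
            bool embedded = signedCms.Certificates.Contains(cert);
            Console.WriteLine($"  Embedded in message: {embedded}");

            // verifySignatureOnly = true checks only the signature; pass false to
            // also build and validate the certificate chain.
            try
            {
                signer.CheckSignature(true);
                Console.WriteLine("  Signature: valid");
            }
            catch (CryptographicException ex)
            {
                Console.WriteLine($"  Signature: INVALID ({ex.Message})");
            }
        }
    }
}
```

The point for identifying "who signed" is that the SignerInfo only carries an identifier (issuer and serial number, or subject key identifier), not necessarily the certificate itself; whether `signer.Certificate` comes from the message's own certificates set or from somewhere on the verifying machine is exactly what the `Embedded in message` line distinguishes. Verifying with `true` proves the signature matches that certificate's public key, but says nothing about whether the certificate is trusted; chain validation (`false`) is a separate step.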