I have 2 files: a PKCS#7 signature and a file which has been signed with this signature. My question is how can I verify this signature properly? Which data exactly should I use and extract from the PKCS#7 in order to do that? I've heard that the order of the actions looks like this:

  1. Check whether a certificate is out of date or not
  2. Check whether the CA is out of date or not
  3. Check whether this public key is still valid
  4. And perhaps extract the hash value from the attribute in the PKCS#7 file and check it for equality with the hash of the file which has been signed

Am I correct? And how can I do it using Bouncy Castle? I've come across this:

CMSSignedData data = new CMSSignedData(bytesArray);

But how can I check validity using only one method, if there is one? This looks overcomplicated: I would have to take every certificate, check its expiry date, write a custom method that does it... and somehow check that the public key is still valid... Is it possible to do it more easily?

  • Verifying a digital signature is complex. You can start with an example like this https://stackoverflow.com/a/9261365/6371459 – pedrofb Nov 19 '17 at 19:32
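An added example (not from the question or the answer) showing the four steps above with Bouncy Castle's CMS API and the JDK's PKIX validator. It assumes a detached signature (the signed file is separate from the PKCS#7), that the caller supplies the CA certificate to trust as trustAnchor, and that the bcprov and bcpkix jars are on the classpath:

```java
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.cms.*;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.*;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public final class DetachedCmsVerifier {
    /** Throws if the detached PKCS#7 signature over signedContent is not valid and chained to trustAnchor. */
    public static void verify(byte[] signaturePkcs7, byte[] signedContent, X509Certificate trustAnchor) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Detached form: hand BC the original content so it can recompute the content digest itself.
        CMSSignedData cms = new CMSSignedData(new CMSProcessableByteArray(signedContent), signaturePkcs7);
        JcaX509CertificateConverter conv = new JcaX509CertificateConverter().setProvider("BC");
        List<X509Certificate> embedded = new ArrayList<>(); // every certificate carried inside the PKCS#7
        for (X509CertificateHolder h : cms.getCertificates().getMatches(null)) embedded.add(conv.getCertificate(h));
        for (SignerInformation signer : cms.getSignerInfos().getSigners()) {
            // Find the signer's own certificate inside the PKCS#7 (matched by issuer+serial or subject key id).
            Collection<X509CertificateHolder> match = cms.getCertificates().getMatches(signer.getSID());
            if (match.isEmpty()) throw new CMSException("signer certificate not embedded in PKCS#7");
            X509Certificate signerCert = conv.getCertificate(match.iterator().next());
            // Step 4: digest the content, compare with the messageDigest attribute, verify the signature bytes.
            if (!signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(signerCert)))
                throw new CMSException("signature does not match the content");
            // Steps 1-3: expiry of signer and CA, chain to the trusted anchor, and revocation (CRL/OCSP URLs
            // taken from the certificates). PKIX does all of this in one call; no hand-written date checks.
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(signerCert);
            PKIXBuilderParameters params = new PKIXBuilderParameters(
                    Collections.singleton(new TrustAnchor(trustAnchor, null)), target);
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(embedded)));
            params.setDate(signingTimeOrNow(signer)); // judge validity at signing time, not at "now"
            CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
            params.addCertPathChecker((PKIXRevocationChecker) builder.getRevocationChecker());
            builder.build(params); // throws CertPathBuilderException if expired, untrusted or revoked
        }
    }

    /** Signed signingTime attribute when present, otherwise the current time. */
    static Date signingTimeOrNow(SignerInformation signer) {
        AttributeTable signed = signer.getSignedAttributes();
        Attribute a = signed == null ? null : signed.get(CMSAttributes.signingTime);
        return a == null ? new Date() : Time.getInstance(a.getAttrValues().getObjectAt(0)).getDate();
    }
}
```

The revocation checker fetches CRLs or OCSP responses from the URLs in the certificates, so it needs network access to those endpoints. If the signer's certificate is not embedded in the PKCS#7, it has to be obtained separately and added to the certificate store.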

1 Answer

https://docs.oracle.com/javase/tutorial/security/apisign/versig.html

You can find here a quite good step by step description. Although this is not using Bouncy Castle but just

benjamin.donze