Sample code for 30+ languages & platforms
Java

Verify Authenticode Signature of EXE or DLL

See more Code Signing Examples

Demonstrates how to verify an Authenticode signed EXE or DLL.

Note: Chilkat's code signing class was added in v9.5.0.97

Chilkat Java Downloads

Java
import com.chilkatsoft.*;

public class ChilkatExample {

  static {
    try {
        System.loadLibrary("chilkat");
    } catch (UnsatisfiedLinkError e) {
      System.err.println("Native code library failed to load.\n" + e);
      System.exit(1);
    }
  }

  public static void main(String argv[])
  {
    //  This example requires the Chilkat API to have been previously unlocked.
    //  See Global Unlock Sample for sample code.

    //  You can verify a signed DLL or EXE.
    String path = "c:/someDir/something.dll";

    //  The verify method returns an overall indicator of whether
    //  the EXE or DLL can be trusted or not.
    //  The details of the signature are emitted to the JSON object
    //  passed in the last argument.

    CkJsonObject json = new CkJsonObject();
    json.put_EmitCompact(false);

    CkCodeSign validator = new CkCodeSign();
    boolean valid = validator.VerifySignature(path,json);
    if (valid == false) {
        //  Validation failed.
        System.out.println(validator.lastErrorText());
        //  You can also examine the details of the validation (see below)
        System.out.println(json.emit());
        return;
        }

    //  Examine the details of the Authenticode signature
    //  println json.Emit();

    //  An example of the JSON details of an authenticode signature, with selected parsing code, is shown below.
    //  
    //  Use this online tool to generate parsing code from sample JSON: 
    //  Generate Parsing Code from JSON

    //  {
    //    "pkcs7": {
    //      "verify": {
    //        "peFile": {
    //          "hashOid": "2.16.840.1.101.3.4.2.1",
    //          "hash": "q9tzWEcea8f8kaMXG8LpWNPe9JIW7aKccYWuL3mrCBw="
    //        },
    //        "certs": [
    //          {
    //            "issuerCN": "AAA Certificate Services",
    //            "serial": "48FC93B46055948D36A7C98A89D69416"
    //          },
    //          {
    //            "issuerCN": "Sectigo Public Code Signing Root R46",
    //            "serial": "621D6D0C52019E3B9079152089211C0A"
    //          },
    //          {
    //            "issuerCN": "Sectigo Public Code Signing CA R36",
    //            "serial": "3FF5B69109BFD4046C92CC0D18EE23C2"
    //          }
    //        ],
    //        "digestAlgorithms": [
    //          "sha256"
    //        ],
    //        "signerInfo": [
    //          {
    //            "cert": {
    //              "serialNumber": "3FF5B69109BFD4046C92CC0D18EE23C2",
    //              "issuerCN": "Sectigo Public Code Signing CA R36",
    //              "digestAlgOid": "2.16.840.1.101.3.4.2.1",
    //              "digestAlgName": "SHA256"
    //            },
    //            "contentType": "1.3.6.1.4.1.311.2.1.4",
    //            "messageDigest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4=",
    //            "signingAlgOid": "1.2.840.113549.1.1.1",
    //            "signingAlgName": "RSA-PKCSV-1_5",
    //            "authAttr": {
    //              "1.3.6.1.4.1.311.2.1.12": {
    //                "der": "MAA="
    //              },
    //              "1.2.840.113549.1.9.3": {
    //                "name": "contentType",
    //                "oid": "1.3.6.1.4.1.311.2.1.4"
    //              },
    //              "1.3.6.1.4.1.311.2.1.11": {
    //                "der": "MAwGCisGAQQBgjcCARU="
    //              },
    //              "1.2.840.113549.1.9.4": {
    //                "name": "messageDigest",
    //                "digest": "4MkPVkY4qdwoVAj5JcCvn3ISSS5yqtf1+KmIs/Ckni4="
    //              }
    //            },
    //            "unauthAttr": {
    //              "1.3.6.1.4.1.311.3.3.1": {
    //                "name": "timestampToken",
    //                "der": "MIIXJwY ... QZej",
    //                "verify": {
    //                  "digestAlgorithms": [
    //                    "sha256"
    //                  ],
    //                  "signerInfo": [
    //                    {
    //                      "cert": {
    //                        "serialNumber": "0544AFF3949D0839A6BFDB3F5FE56116",
    //                        "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
    //                        "digestAlgOid": "2.16.840.1.101.3.4.2.1",
    //                        "digestAlgName": "SHA256"
    //                      },
    //                      "contentType": "1.2.840.113549.1.9.16.1.4",
    //                      "signingTime": "240117124047Z",
    //                      "messageDigest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM=",
    //                      "signingAlgOid": "1.2.840.113549.1.1.1",
    //                      "signingAlgName": "RSA-PKCSV-1_5",
    //                      "authAttr": {
    //                        "1.2.840.113549.1.9.3": {
    //                          "name": "contentType",
    //                          "oid": "1.2.840.113549.1.9.16.1.4"
    //                        },
    //                        "1.2.840.113549.1.9.5": {
    //                          "name": "signingTime",
    //                          "utctime": "240117124047Z"
    //                        },
    //                        "1.2.840.113549.1.9.16.2.12": {
    //                          "name": "signingCertificate",
    //                          "der": "MBowGDAWBBRm8CsywsLJD4JdzqqKycZPGZzPQA=="
    //                        },
    //                        "1.2.840.113549.1.9.4": {
    //                          "name": "messageDigest",
    //                          "digest": "y6cKjJoRfgJwW+Dj29w3tEfWqVybz7Sg+d8opKQxCjM="
    //                        },
    //                        "1.2.840.113549.1.9.16.2.47": {
    //                          "name": "signingCertificateV2",
    //                          "der": "MCYwJDAiBCDS9uRt7XQizNHUQFdoQTZvgoraVZquMxavTRqa1Ax4KA=="
    //                        }
    //                      }
    //                    }
    //                  ],
    //                  "uncommonOptions": "NO_SIGCERTV2_OID,NoSigningCertV2IssuerSerial"
    //                },
    //                "timestampSignatureVerified": true,
    //                "tstInfo": {
    //                  "tsaPolicyId": "2.16.840.1.114412.7.1",
    //                  "messageImprint": {
    //                    "hashAlg": "sha256",
    //                    "digest": "JqY7U+30qScMnRQwnDfUYEikZwOLHMhKX0oo5zo4ils=",
    //                    "digestMatches": true
    //                  },
    //                  "serialNumber": "6E4597E574BC909213565DAEBC0E4888",
    //                  "genTime": "20240117124047Z"
    //                }
    //              }
    //            }
    //          }
    //        ],
    //        "pkcs7": {
    //          "verify": {
    //            "certs": [
    //              {
    //                "issuerCN": "DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA",
    //                "serial": "0544AFF3949D0839A6BFDB3F5FE56116"
    //              },
    //              {
    //                "issuerCN": "DigiCert Trusted Root G4",
    //                "serial": "073637B724547CD847ACFD28662A5E5B"
    //              },
    //              {
    //                "issuerCN": "DigiCert Assured ID Root CA",
    //                "serial": "0E9B188EF9D02DE7EFDB50E20840185A"
    //              }
    //            ]
    //          }
    //        }
    //      }
    //    }
    //  }

    String issuerCN;
    String serial;
    CkDtObj genTime = new CkDtObj();
    CkDateTime dt = new CkDateTime();

    //  Show the certificates embedded in the PKCS7 signature.
    System.out.println("Certificates contained in the PKCS7 signature:");
    int i = 0;
    int count_i = json.SizeOfArray("pkcs7.verify.certs");
    while (i < count_i) {
        json.put_I(i);
        issuerCN = json.stringOf("pkcs7.verify.certs[i].issuerCN");
        serial = json.stringOf("pkcs7.verify.certs[i].serial");
        System.out.println(issuerCN + ", " + serial);
        i = i+1;
        }

    //  Show details about the signing certificate(s)
    int numSigners = json.SizeOfArray("pkcs7.verify.signerInfo");
    i = 0;
    while (i < numSigners) {
        json.put_I(i);
        System.out.println("---- Signing Certificate ----");
        System.out.println("serial number: " + json.stringOf("pkcs7.verify.signerInfo[i].cert.serialNumber"));
        System.out.println("issuerCN: " + json.stringOf("pkcs7.verify.signerInfo[i].cert.issuerCN"));
        System.out.println("hash algorithm: " + json.stringOf("pkcs7.verify.signerInfo[i].cert.digestAlgName"));
        System.out.println("signing algorithm: " + json.stringOf("pkcs7.verify.signerInfo[i].signingAlgName"));

        //  If this signature includes a timestamp token, get information about it.
        if (json.HasMember("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\"") == true) {
            //  We're going to assume the timestamp token had only 1 signer..
            System.out.println("--- Timestamp Token ----");
            System.out.println("TS hash algorithm: " + json.stringOf("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.digestAlgorithms[0]"));
            System.out.println("TS certificate serial: " + json.stringOf("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.signerInfo[0].cert.serialNumber"));
            System.out.println("TS certificate issuerCN: " + json.stringOf("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".verify.signerInfo[0].cert.issuerCN"));
            System.out.println("timestamp signature verified: " + json.BoolOf("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".timestampSignatureVerified"));
            json.DtOf("pkcs7.verify.signerInfo[i].unauthAttr.\"1.3.6.1.4.1.311.3.3.1\".tstInfo.genTime",false,genTime);
            dt.SetFromDtObj(genTime);
            System.out.println("timestamp date/time: " + dt.getAsRfc822(true));
            }

        i = i+1;
        }

    System.out.println("The Authenticode signature is valid.");

    //  Sample output:

    //  Certificates contained in the PKCS7 signature:
    //  AAA Certificate Services, 48FC93B46055948D36A7C98A89D69416
    //  Sectigo Public Code Signing Root R46, 621D6D0C52019E3B9079152089211C0A
    //  Sectigo Public Code Signing CA R36, 3FF5B69109BFD4046C92CC0D18EE23C2
    //  ---- Signing Certificate ----
    //  serial number: 3FF5B69109BFD4046C92CC0D18EE23C2
    //  issuerCN: Sectigo Public Code Signing CA R36
    //  hash algorithm: SHA256
    //  signing algorithm: RSA-PKCSV-1_5
    //  --- Timestamp Token ----
    //  TS hash algorithm: sha256
    //  TS certificate serial: 0544AFF3949D0839A6BFDB3F5FE56116
    //  TS certificate issuerCN: DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
    //  timestamp signature verified: True
    //  timestamp date/time: Wed, 17 Jan 2024 06:40:47 -0600
    //  The Authenticode signature is valid.
  }
}