Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

Validate PDF Signatures

See more PDF Signatures Examples

This example demonstrates how to validate the signatures in a PDF and also shows how to get information from each signature.

Note: This example requires Chilkat v9.5.0.85 or greater.

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.DtObj,
  Chilkat.Pdf,
  Chilkat.JsonObject;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  success: Boolean;
  pdf: TPdf;
  sigInfo: TJsonObject;
  numSignatures: Integer;
  validated: Boolean;
  i: Integer;
  json: TJsonObject;
  unauthAttrTimestampTokenTstInfoGenTime: TDtObj;
  signingTime: TDtObj;
  authAttrSigningTimeUtctime: TDtObj;
  intVal: Integer;
  strVal: string;
  issuerCN: string;
  serial: string;
  certSerialNumber: string;
  certIssuerCN: string;
  certDigestAlgOid: string;
  certDigestAlgName: string;
  contentType: string;
  messageDigest: string;
  signingAlgOid: string;
  signingAlgName: string;
  authAttr1_2_840_113583_1_1_8Der: string;
  authAttrContentTypeName: string;
  authAttrContentTypeOid: string;
  authAttrMessageDigestName: string;
  authAttrMessageDigestDigest: string;
  unauthAttrTimestampTokenName: string;
  unauthAttrTimestampTokenDer: string;
  unauthAttrTimestampTokenTimestampSignatureVerified: Boolean;
  unauthAttrTimestampTokenTstInfoTsaPolicyId: string;
  unauthAttrTimestampTokenTstInfoMessageImprintHashAlg: string;
  unauthAttrTimestampTokenTstInfoMessageImprintDigest: string;
  unauthAttrTimestampTokenTstInfoMessageImprintDigestMatches: Boolean;
  unauthAttrTimestampTokenTstInfoSerialNumber: string;
  j: Integer;
  count_j: Integer;
  authAttrSigningTimeName: string;
  authAttrSigningCertificateName: string;
  authAttrSigningCertificateDer: string;
  signatureDictionary_Contents: string;
  signatureDictionary_Filter: string;
  signatureDictionary_M: string;
  signatureDictionary_Name: string;
  signatureDictionary_Prop_Build_App_Name: string;
  signatureDictionary_Prop_Build_App_R: Integer;
  signatureDictionary_Prop_Build_App_REx: string;
  signatureDictionary_Prop_Build_App_TrustedMode: Boolean;
  signatureDictionary_Prop_Build_Filter_Date: string;
  signatureDictionary_Prop_Build_Filter_Name: string;
  signatureDictionary_Prop_Build_Filter_R: Integer;
  signatureDictionary_Prop_Build_Filter_V: Integer;
  signatureDictionary_Prop_Build_PubSec_Date: string;
  signatureDictionary_Prop_Build_PubSec_NonEFontNoWarn: Boolean;
  signatureDictionary_Prop_Build_PubSec_R: Integer;
  signatureDictionary_SubFilter: string;
  signatureDictionary_Type: string;
  count_i: Integer;

begin
  success := False;

  //  This example requires the Chilkat API to have been previously unlocked.
  //  See Global Unlock Sample for sample code.

  pdf := TPdf.Create;

  //  Load a PDF that has cryptographic signatures to be validated
  success := pdf.LoadFile('qa_data/pdf/sign_testing_1/helloSigned2.pdf');
  if (success = False) then
    begin
      WriteLn(pdf.LastErrorText);
      Exit;
    end;

  //  Each time we verify a signature, information about the signature is written into
  //  sigInfo (replacing whatever sigInfo previously contained).
  sigInfo := TJsonObject.Create;
  sigInfo.EmitCompact := False;

  //  Iterate over each signature and validate each.
  numSignatures := pdf.NumSignatures;
  validated := False;
  i := 0;
  while i < numSignatures do
    begin
      validated := pdf.VerifySignature(i,sigInfo);
      WriteLn('Signature ' + i + ' validated: ' + validated);
      WriteLn(sigInfo.Emit());
      i := i + 1;
    end;

  WriteLn('Finished.');

  //  When VerifySignature validates a signature, a lot of information is deposited into the JSON sigInfo object.
  //  The information can vary depending on what was included in the signature (for example, various authenticated attributes
  //  and unauthenticated attributes may or may not be included).
  //  Here is a sample of the information you'll see.
  //  
  //  The following online tool can be used to generate code to parse any given JSON.
  //  Generate Parsing Code from JSON

  //  {
  //    "validated": true,
  //    "signatureDictionary": {         <--- This is the contents of the PDF Signature Dictionary for this signature.
  //      "/ByteRange": [
  //        0,
  //        154682,
  //        170512,
  //        3233
  //      ],
  //      "/Contents": "<hex_data>",
  //      "/Filter": "/Adobe.PPKLite",        <--- The meaning of the Signature Dictionary entries are defined in the PDF format specification document.
  //      "/M": "D:20201006110216-05'00'",
  //      "/Name": "yubikey rsa 1024 authentication",
  //      "/Prop_Build": {
  //        "/App": {
  //          "/Name": "/Adobe#20Acrobat#20Pro#20DC",
  //          "/OS": [
  //            "/Win"
  //          ],
  //          "/R": 1313792,
  //          "/REx": "2020.012.20048",
  //          "/TrustedMode": true
  //        },
  //        "/Filter": {
  //          "/Date": "Sep 11 2020 16:30:54",
  //          "/Name": "/Adobe.PPKLite",
  //          "/R": 131104,
  //          "/V": 2
  //        },
  //        "/PubSec": {
  //          "/Date": "Sep 11 2020 16:30:54",
  //          "/NonEFontNoWarn": true,
  //          "/R": 131105
  //        }
  //      },
  //      "/SubFilter": "/adbe.pkcs7.detached",
  //      "/Type": "/Sig"
  //    },
  //    "pkcs7": {          <--- This is the content of the CMS signature.
  //      "verify": {
  //        "certs": [      <--- Each signing certificate is listed here (by issuer common name and signing cert's serail number (in hex))
  //          {
  //            "issuerCN": "yubikey rsa 1024 authentication",
  //            "serial": "66BE58138D761E92BC594A722932657BE26D421F"
  //          }
  //        ],
  //        "digestAlgorithms": [
  //          "sha256"
  //        ],
  //        "signerInfo": [     <--- contains data from each SignerInfo
  //          {
  //            "cert": {
  //              "serialNumber": "66BE58138D761E92BC594A722932657BE26D421F",
  //              "issuerCN": "yubikey rsa 1024 authentication",
  //              "digestAlgOid": "2.16.840.1.101.3.4.2.1",
  //              "digestAlgName": "SHA256"
  //            },
  //            "contentType": "1.2.840.113549.1.7.1",
  //            "messageDigest": "btQOuSEvC31mdRFHtyEUPw8R9NuKfk0XPcQ6Lcmn6pk=",
  //            "signingAlgOid": "1.2.840.113549.1.1.11",
  //            "signingAlgName": "RSA-SHA256-PKCSV-1_5",
  //            "authAttr": {     <--- CMS authenticated attributes are contained here.
  //              "1.2.840.113583.1.1.8": {
  //                "der": "MAA="
  //              },
  //              "1.2.840.113549.1.9.3": {
  //                "name": "contentType",
  //                "oid": "1.2.840.113549.1.7.1"
  //              },
  //              "1.2.840.113549.1.9.4": {
  //                "name": "messageDigest",
  //                "digest": "btQOuSEvC31mdRFHtyEUPw8R9NuKfk0XPcQ6Lcmn6pk="
  //              }
  //            },
  //            "unauthAttr": {    <--- CMS unauthenticated attributes are contained here.
  //              "1.2.840.113549.1.9.16.2.14": {
  //                "name": "timestampToken",
  //                "der": "MIIOvAYJKo ... Es/70g=",
  //                "verify": {
  //                  "digestAlgorithms": [
  //                    "sha256"
  //                  ],
  //                  "signerInfo": [
  //                    {
  //                      "cert": {
  //                        "serialNumber": "04CD3F8568AE76C61BB0FE7160CCA76D",
  //                        "issuerCN": "DigiCert SHA2 Assured ID Timestamping CA",
  //                        "digestAlgOid": "2.16.840.1.101.3.4.2.1",
  //                        "digestAlgName": "SHA256"
  //                      },
  //                      "contentType": "1.2.840.113549.1.9.16.1.4",
  //                      "signingTime": "201006160423Z",
  //                      "messageDigest": "Atv5Rj3kidB8IR6CplYiX3o6De/k8SC6JJ6uUPAGO0g=",
  //                      "signingAlgOid": "1.2.840.113549.1.1.1",
  //                      "signingAlgName": "RSA-PKCSV-1_5",
  //                      "authAttr": {
  //                        "1.2.840.113549.1.9.3": {
  //                          "name": "contentType",
  //                          "oid": "1.2.840.113549.1.9.16.1.4"
  //                        },
  //                        "1.2.840.113549.1.9.5": {
  //                          "name": "signingTime",
  //                          "utctime": "201006160423Z"
  //                        },
  //                        "1.2.840.113549.1.9.16.2.12": {
  //                          "name": "signingCertificate",
  //                          "der": "MBowGDAWBBQDJb1QXtqWMC3CL0+gHkwovig0xQ=="
  //                        },
  //                        "1.2.840.113549.1.9.4": {
  //                          "name": "messageDigest",
  //                          "digest": "Atv5Rj3kidB8IR6CplYiX3o6De/k8SC6JJ6uUPAGO0g="
  //                        }
  //                      }
  //                    }
  //                  ]
  //                },
  //                "timestampSignatureVerified": true,
  //                "tstInfo": {
  //                  "tsaPolicyId": "2.16.840.1.114412.7.1",
  //                  "messageImprint": {
  //                    "hashAlg": "sha256",
  //                    "digest": "gLJtrRWUSDfjzDkF1MfWG1wyHA6FrUJLkWMGRG+eMlA=",
  //                    "digestMatches": true
  //                  },
  //                  "serialNumber": "00CE57E1113970607EF63B1D1160545321",
  //                  "genTime": "20201006160423Z"
  //                }
  //              }
  //            }
  //          }
  //        ],
  //        "pkcs7": {
  //          "verify": {
  //            "certs": [
  //              {
  //                "issuerCN": "DigiCert SHA2 Assured ID Timestamping CA",
  //                "serial": "04CD3F8568AE76C61BB0FE7160CCA76D"
  //              },
  //              {
  //                "issuerCN": "DigiCert Assured ID Root CA",
  //                "serial": "0AA125D6D6321B7E41E405DA3697C215"
  //              }
  //            ]
  //          }
  //        }
  //      }
  //    }
  //  }

  //  **** The point of this code is to show how to get at each desired piece of information contained in the signature.
  //  **** If your signature contains additional information not shown here, then you can use the online tool to generate the parse code.
  //  **** It is likely you're only interested in a few items of information, and therefore you wouldn't copy all of this code, but might
  //  **** choose to use bits and pieces to get the information you find important.

  json := TJsonObject.Create;

  //  Imagine that the "json" object contains the information obtained by validating a signature...
  //  The code below was generated using the online tool:  Generate Parsing Code from JSON

  unauthAttrTimestampTokenTstInfoGenTime := TDtObj.Create;
  signingTime := TDtObj.Create;
  authAttrSigningTimeUtctime := TDtObj.Create;

  validated := json.BoolOf('validated');
  signatureDictionary_Contents := json.StringOf('signatureDictionary./Contents');
  signatureDictionary_Filter := json.StringOf('signatureDictionary./Filter');
  signatureDictionary_M := json.StringOf('signatureDictionary./M');
  signatureDictionary_Name := json.StringOf('signatureDictionary./Name');
  signatureDictionary_Prop_Build_App_Name := json.StringOf('signatureDictionary./Prop_Build./App./Name');
  signatureDictionary_Prop_Build_App_R := json.IntOf('signatureDictionary./Prop_Build./App./R');
  signatureDictionary_Prop_Build_App_REx := json.StringOf('signatureDictionary./Prop_Build./App./REx');
  signatureDictionary_Prop_Build_App_TrustedMode := json.BoolOf('signatureDictionary./Prop_Build./App./TrustedMode');
  signatureDictionary_Prop_Build_Filter_Date := json.StringOf('signatureDictionary./Prop_Build./Filter./Date');
  signatureDictionary_Prop_Build_Filter_Name := json.StringOf('signatureDictionary./Prop_Build./Filter./Name');
  signatureDictionary_Prop_Build_Filter_R := json.IntOf('signatureDictionary./Prop_Build./Filter./R');
  signatureDictionary_Prop_Build_Filter_V := json.IntOf('signatureDictionary./Prop_Build./Filter./V');
  signatureDictionary_Prop_Build_PubSec_Date := json.StringOf('signatureDictionary./Prop_Build./PubSec./Date');
  signatureDictionary_Prop_Build_PubSec_NonEFontNoWarn := json.BoolOf('signatureDictionary./Prop_Build./PubSec./NonEFontNoWarn');
  signatureDictionary_Prop_Build_PubSec_R := json.IntOf('signatureDictionary./Prop_Build./PubSec./R');
  signatureDictionary_SubFilter := json.StringOf('signatureDictionary./SubFilter');
  signatureDictionary_Type := json.StringOf('signatureDictionary./Type');
  i := 0;
  count_i := json.SizeOfArray('signatureDictionary./ByteRange');
  while i < count_i do
    begin
      json.I := i;
      intVal := json.IntOf('signatureDictionary./ByteRange[i]');
      i := i + 1;
    end;

  i := 0;
  count_i := json.SizeOfArray('signatureDictionary./Prop_Build./App./OS');
  while i < count_i do
    begin
      json.I := i;
      strVal := json.StringOf('signatureDictionary./Prop_Build./App./OS[i]');
      i := i + 1;
    end;

  i := 0;
  count_i := json.SizeOfArray('pkcs7.verify.certs');
  while i < count_i do
    begin
      json.I := i;
      issuerCN := json.StringOf('pkcs7.verify.certs[i].issuerCN');
      serial := json.StringOf('pkcs7.verify.certs[i].serial');
      i := i + 1;
    end;

  i := 0;
  count_i := json.SizeOfArray('pkcs7.verify.digestAlgorithms');
  while i < count_i do
    begin
      json.I := i;
      strVal := json.StringOf('pkcs7.verify.digestAlgorithms[i]');
      i := i + 1;
    end;

  i := 0;
  count_i := json.SizeOfArray('pkcs7.verify.signerInfo');
  while i < count_i do
    begin
      json.I := i;
      certSerialNumber := json.StringOf('pkcs7.verify.signerInfo[i].cert.serialNumber');
      certIssuerCN := json.StringOf('pkcs7.verify.signerInfo[i].cert.issuerCN');
      certDigestAlgOid := json.StringOf('pkcs7.verify.signerInfo[i].cert.digestAlgOid');
      certDigestAlgName := json.StringOf('pkcs7.verify.signerInfo[i].cert.digestAlgName');
      contentType := json.StringOf('pkcs7.verify.signerInfo[i].contentType');
      messageDigest := json.StringOf('pkcs7.verify.signerInfo[i].messageDigest');
      signingAlgOid := json.StringOf('pkcs7.verify.signerInfo[i].signingAlgOid');
      signingAlgName := json.StringOf('pkcs7.verify.signerInfo[i].signingAlgName');
      authAttr1_2_840_113583_1_1_8Der := json.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113583.1.1.8".der');
      authAttrContentTypeName := json.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.3".name');
      authAttrContentTypeOid := json.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.3".oid');
      authAttrMessageDigestName := json.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.4".name');
      authAttrMessageDigestDigest := json.StringOf('pkcs7.verify.signerInfo[i].authAttr."1.2.840.113549.1.9.4".digest');
      unauthAttrTimestampTokenName := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".name');
      unauthAttrTimestampTokenDer := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".der');
      unauthAttrTimestampTokenTimestampSignatureVerified := json.BoolOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".timestampSignatureVerified');
      unauthAttrTimestampTokenTstInfoTsaPolicyId := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.tsaPolicyId');
      unauthAttrTimestampTokenTstInfoMessageImprintHashAlg := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.messageImprint.hashAlg');
      unauthAttrTimestampTokenTstInfoMessageImprintDigest := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.messageImprint.digest');
      unauthAttrTimestampTokenTstInfoMessageImprintDigestMatches := json.BoolOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.messageImprint.digestMatches');
      unauthAttrTimestampTokenTstInfoSerialNumber := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.serialNumber');
      json.DtOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".tstInfo.genTime',False,unauthAttrTimestampTokenTstInfoGenTime);
      j := 0;
      count_j := json.SizeOfArray('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.digestAlgorithms');
      while j < count_j do
        begin
          json.J := j;
          strVal := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.digestAlgorithms[j]');
          j := j + 1;
        end;

      j := 0;
      count_j := json.SizeOfArray('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo');
      while j < count_j do
        begin
          json.J := j;
          certSerialNumber := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.serialNumber');
          certIssuerCN := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.issuerCN');
          certDigestAlgOid := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.digestAlgOid');
          certDigestAlgName := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].cert.digestAlgName');
          contentType := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].contentType');
          json.DtOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].signingTime',False,signingTime);
          messageDigest := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].messageDigest');
          signingAlgOid := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].signingAlgOid');
          signingAlgName := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].signingAlgName');
          authAttrContentTypeName := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.3".name');
          authAttrContentTypeOid := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.3".oid');
          authAttrSigningTimeName := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.5".name');
          json.DtOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.5".utctime',False,authAttrSigningTimeUtctime);
          authAttrSigningCertificateName := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.16.2.12".name');
          authAttrSigningCertificateDer := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.16.2.12".der');
          authAttrMessageDigestName := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.4".name');
          authAttrMessageDigestDigest := json.StringOf('pkcs7.verify.signerInfo[i].unauthAttr."1.2.840.113549.1.9.16.2.14".verify.signerInfo[j].authAttr."1.2.840.113549.1.9.4".digest');
          j := j + 1;
        end;

      i := i + 1;
    end;

  i := 0;
  count_i := json.SizeOfArray('pkcs7.verify.pkcs7.verify.certs');
  while i < count_i do
    begin
      json.I := i;
      issuerCN := json.StringOf('pkcs7.verify.pkcs7.verify.certs[i].issuerCN');
      serial := json.StringOf('pkcs7.verify.pkcs7.verify.certs[i].serial');
      i := i + 1;
    end;



  pdf.Free;
  sigInfo.Free;
  json.Free;
  unauthAttrTimestampTokenTstInfoGenTime.Free;
  signingTime.Free;
  authAttrSigningTimeUtctime.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.