Verify an enveloping signature using an X509 certificate
In this example, you verify the document (MyDocumentEnvelopingSignature.xml) signed with a DSA key.
The DSA key was created in Create an enveloping signature using a DSA key.
An X509 certificate ("DSACertificate.crt") can be used to verify the signed
document. The certificate contains the public key corresponding to the private key
(DSAKey.pem) used to sign the document. You need to generate this
certificate first. The certificate can be created with the OpenSSL tool:
openssl req -x509 -new -key DSAKey.pem -out DSACertificate.crt
You can examine the contents of the certificate in plain text using:
openssl x509 -in DSACertificate.crt -text
Copy the file "DSACertificate.crt" to the directory where you test the sample
code. All keys and certificates in PEM or DER format were created with the OpenSSL tool. For information on how the OpenSSL tool works, refer to the openssl documentation.
IMPORT xml
MAIN
  DEFINE doc xml.DomDocument
  DEFINE sig xml.Signature
  DEFINE cert xml.CryptoX509
  DEFINE pub xml.CryptoKey
  DEFINE isVerified INTEGER
  # Create DomDocument object
  LET doc = xml.DomDocument.Create()
  # Whitespace is significant when a signature is computed and verified,
  # so it is recommended to drop insignificant whitespace in element content
  CALL doc.setFeature("whitespace-in-element-content", FALSE)
  TRY
    # Load the signed document into the DomDocument object
    CALL doc.load("MyDocumentEnvelopingSignature.xml")
    # Create the signature object from the DomDocument root node
    LET sig = xml.Signature.CreateFromNode(doc.getDocumentElement())
    # Load the X509 certificate
    LET cert = xml.CryptoX509.Create()
    CALL cert.loadPEM("DSACertificate.crt")
    # Create the public key from that X509 certificate
    LET pub = cert.createPublicKey(
        "http://www.w3.org/2000/09/xmldsig#dsa-sha1")
    # Assign it to the signature
    CALL sig.setKey(pub)
    # Verify enveloping signature validity
    LET isVerified = sig.verify(NULL)
    # If anything in the signed content or the signature has been modified,
    # or if the certificate does not match the private DSA key of example 3,
    # the program displays "FAILED".
    IF isVerified THEN
      DISPLAY "Signature OK"
    ELSE
      DISPLAY "Signature FAILED"
    END IF
  CATCH
    DISPLAY "Unable to verify the enveloping signature :", status
  END TRY
END MAIN
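The sample above relies on two things: that DSACertificate.crt really carries the public half of DSAKey.pem, and that verification fails when the signed content is changed or when a certificate for a different key is used. The following POSIX shell script is an added example, not part of the original Genero page: it runs the OpenSSL certificate step from the text (with -days and -subj added so no prompt appears), checks that the certificate's public key equals the private key's public half, and then reproduces the two failure modes with a detached signature verified from the certificate alone. It assumes the openssl CLI is on PATH; the keys, certificates and document are generated locally (no real key material from the page is used), and SHA-256 is used for the detached signature whereas the Genero sample's algorithm URI pairs DSA with SHA-1.

```shell
#!/bin/sh
# Added example, not part of the original Genero page. Assumes the openssl
# CLI is installed; every file below is generated in a temporary directory.
set -eu

WORK=$(mktemp -d)

# DSA domain parameters, generated once and shared by both key pairs below.
openssl genpkey -genparam -algorithm DSA -pkeyopt dsa_paramgen_bits:2048 \
  -out "$WORK/dsaparam.pem" 2>/dev/null

# Create a DSA private key and its self-signed X509 certificate. The req
# line is the one from the text, plus -days/-subj so it runs unattended.
make_key_and_cert() {
  key=$1; crt=$2
  openssl genpkey -paramfile "$WORK/dsaparam.pem" -out "$key" 2>/dev/null
  openssl req -x509 -new -key "$key" -out "$crt" -days 365 \
    -subj "/CN=Genero XML signature sample" 2>/dev/null
}

# Returns 0 when the public key inside the certificate is the public half of
# the private key, i.e. the certificate can verify that key's signatures.
cert_matches_key() {
  crt=$1; key=$2
  from_cert=$(openssl x509 -in "$crt" -pubkey -noout)
  from_key=$(openssl pkey -in "$key" -pubout)
  [ "$from_cert" = "$from_key" ]
}

# Sign a file with the DSA private key (SHA-256 here; the Genero sample's
# algorithm URI names DSA with SHA-1).
sign_file() {
  key=$1; data=$2; sig=$3
  openssl dgst -sha256 -sign "$key" -out "$sig" "$data"
}

# Verify a detached signature using only the certificate, as the Genero
# sample does through cert.createPublicKey(). Returns 0 on a valid signature.
verify_with_cert() {
  crt=$1; data=$2; sig=$3
  openssl x509 -in "$crt" -pubkey -noout > "$WORK/cert.pub"
  openssl dgst -sha256 -verify "$WORK/cert.pub" -signature "$sig" "$data" \
    >/dev/null 2>&1
}

# Constructed inputs: the signer's key pair (same file names as the page),
# an unrelated key pair, a document and a tampered copy of it.
make_key_and_cert "$WORK/DSAKey.pem" "$WORK/DSACertificate.crt"
make_key_and_cert "$WORK/OtherKey.pem" "$WORK/OtherCertificate.crt"
printf 'document body to be signed\n' > "$WORK/doc.txt"
printf 'document body to be signed, modified\n' > "$WORK/tampered.txt"
sign_file "$WORK/DSAKey.pem" "$WORK/doc.txt" "$WORK/doc.sig"

# Report in the same spirit as the DISPLAY statements of the Genero sample.
if cert_matches_key "$WORK/DSACertificate.crt" "$WORK/DSAKey.pem"; then
  echo "DSACertificate.crt matches DSAKey.pem"
fi
if verify_with_cert "$WORK/DSACertificate.crt" "$WORK/doc.txt" "$WORK/doc.sig"; then
  echo "original document: Signature OK"
fi
verify_with_cert "$WORK/DSACertificate.crt" "$WORK/tampered.txt" "$WORK/doc.sig" \
  || echo "tampered document: Signature FAILED"
verify_with_cert "$WORK/OtherCertificate.crt" "$WORK/doc.txt" "$WORK/doc.sig" \
  || echo "unrelated certificate: Signature FAILED"
```

The public-key comparison is the check worth keeping in a deployment script: a certificate that does not match the signing key makes every verification fail in exactly the way the Genero sample's comment describes, and that is easier to diagnose before the XML signature code runs than from a bare "Signature FAILED".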