Verify an enveloping signature using an X509 certificate

In this example, you verify the document (MyDocumentEnvelopingSignature.xml) signed with a DSA key.

The DSA key was created in Create an enveloping signature using a DSA key.

An X509 certificate ("DSACertificate.crt") can be used to verify the signed document. The certificate contains the public key corresponding to the private key (DSAKey.pem) used to sign the document. You will need to generate this certificate first. The certificate can be created with the OpenSSL tool:
openssl req -x509 -new -key DSAKey.pem -out DSACertificate.crt
You can examine the contents of the certificate in plain text using:
openssl x509 -in DSACertificate.crt -text
Copy the file "DSACertificate.crt" to the directory where you test the sample code.

All keys and certificates in PEM or DER format were created with the OpenSSL tool. For information on how the OpenSSL tool works, refer to the openssl documentation.
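The certificate-generation steps above, as an added shell example that is not part of the Genero documentation: it builds DSACertificate.crt from DSAKey.pem non-interactively (the `-subj`, `-days` and CN values are constructed here) and adds two checks that the Genero program's `sig.verify()` does not make on its own, namely that the certificate really carries the public half of DSAKey.pem and that it is still within its validity period.

```shell
#!/bin/sh
# Added example, not part of the Genero documentation: builds the
# DSACertificate.crt described above from DSAKey.pem and adds two
# checks that sig.verify() itself does not make. The -subj/-days
# options and the CN value are constructed for non-interactive use.

# Generate a DSA private key into $1, reusing the domain parameters in
# $2 when that file exists (2048-bit parameter generation is the slow step).
make_dsa_key() {
  key=$1 params=${2:-$1.params}
  [ -f "$params" ] || openssl genpkey -genparam -algorithm DSA \
      -pkeyopt dsa_paramgen_bits:2048 -out "$params" 2>/dev/null || return 1
  openssl genpkey -paramfile "$params" -out "$key" 2>/dev/null
}

# Self-signed certificate for key $1 written to $2 with CN $3
# (the page's "openssl req -x509 -new -key ..." made non-interactive).
make_self_signed_cert() {
  openssl req -x509 -new -key "$1" -subj "/CN=$3" -days 365 -out "$2" 2>/dev/null
}

# SHA-256 of the DER SubjectPublicKeyInfo, so the comparison does not
# depend on PEM line wrapping or on how either file was produced.
pubkey_fingerprint_from_key() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
pubkey_fingerprint_from_cert() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when certificate $1 carries the public half of private key $2;
# with any other certificate the Genero program would print "Signature FAILED".
cert_matches_key() {
  c=$(pubkey_fingerprint_from_cert "$1") k=$(pubkey_fingerprint_from_key "$2")
  [ -n "$c" ] && [ "$c" = "$k" ]
}
# Returns 0 when certificate $1 is inside its validity period right now.
cert_is_current() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Demonstration in a scratch directory, using the page's file names.
work=$(mktemp -d) && cd "$work" || exit 1
make_dsa_key DSAKey.pem && make_self_signed_cert DSAKey.pem DSACertificate.crt example
if cert_matches_key DSACertificate.crt DSAKey.pem && cert_is_current DSACertificate.crt; then
  echo "DSACertificate.crt matches DSAKey.pem and is current"
else
  echo "DSACertificate.crt does not belong to DSAKey.pem or has expired"
fi
```

The files are written to a temporary directory printed by mktemp; copy DSACertificate.crt from there next to the Genero program, as the text above instructs.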

IMPORT xml

MAIN
  DEFINE doc xml.DomDocument
  DEFINE sig xml.Signature
  DEFINE cert xml.CryptoX509
  DEFINE pub xml.CryptoKey
  DEFINE isVerified INTEGER
  # Create DomDocument object
  LET doc = xml.DomDocument.Create()
  # Notice that whitespace is significant in cryptography,
  # therefore it is recommended to remove unnecessary whitespace
  CALL doc.setFeature("whitespace-in-element-content",FALSE)
  TRY
    # Load Signature into a DomDocument object
    CALL doc.load("MyDocumentEnvelopingSignature.xml")
    # Create signature object from DomDocument root node
    LET sig = xml.Signature.CreateFromNode(doc.getDocumentElement())
    # Create X509 certificate
    LET cert = xml.CryptoX509.Create()
    CALL cert.loadPEM("DSACertificate.crt")
    # Create public key from that X509 certificate
    LET pub = cert.createPublicKey(
      "http://www.w3.org/2000/09/xmldsig#dsa-sha1")
    # Assign it to the signature
    CALL sig.setKey(pub)
    # Verify enveloping signature validity
    LET isVerified = sig.verify(NULL)
    # Notice that if something has been modified in the signature
    # or if the certificate isn't associated with the
    # private DSA key of example 3,
    # the program will display "FAILED".
    IF isVerified THEN
      DISPLAY "Signature OK"
    ELSE
      DISPLAY "Signature FAILED"
    END IF
  CATCH
    DISPLAY "Unable to verify the enveloping signature:", status
  END TRY
END MAIN