/// <summary>
/// Verifies the signing certificate chain of the current revision and then
/// moves the verifier to the previous revision.
/// </summary>
/// <remarks>
/// Either only the signing certificate or every certificate of the chain is
/// examined, depending on <c>option</c>. Each certificate is first checked
/// against its issuer through <c>Verify(signCert, issuerCert, signDate)</c>.
/// A certificate for which that check produces no result is treated as the
/// root: the only check applied to it is that it is self-signed
/// (<c>signCert.Verify(signCert.GetPublicKey())</c>), which does not by
/// itself establish that it is a trusted anchor. Such a root is rejected when
/// <c>verifyRootCertificate</c> is set and it was not accepted as
/// "in revision" for the latest revision.
/// </remarks>
/// <returns>The accumulated <see cref="VerificationOK"/> entries for all checked certificates.</returns>
/// <exception cref="VerificationException">
/// Thrown when a certificate can be verified neither via CRL/OCSP nor as an acceptable root.
/// </exception>
public List<VerificationOK> VerifySignature()
{
    LOGGER.Info("Verifying signature.");
    List<VerificationOK> result = new List<VerificationOK>();

    X509Certificate[] chain = pkcs7.SignCertificateChain;
    VerifyChain(chain);

    // Number of certificates to examine: just the signer, or the whole chain.
    int certificatesToCheck = LtvVerification.CertificateOption.WHOLE_CHAIN.Equals(option)
        ? chain.Length
        : 1;

    for (int i = 0; i < certificatesToCheck; i++) {
        X509Certificate signCert = chain[i];
        // The issuer is the next element of the chain; the last element has none.
        X509Certificate issuerCert = (i + 1 < chain.Length) ? chain[i + 1] : null;

        LOGGER.Info(signCert.SubjectDN.ToString());
        List<VerificationOK> list = Verify(signCert, issuerCert, signDate);
        if (list.Count == 0) {
            try {
                // Proves only that the certificate is self-signed, not that it is a trusted anchor.
                signCert.Verify(signCert.GetPublicKey());
                if (latestRevision && chain.Length > 1) {
                    list.Add(new VerificationOK(signCert, this, "Root certificate in revision"));
                }
                // A root that was not accepted above is rejected when root verification is required.
                if (list.Count == 0 && verifyRootCertificate) {
                    throw new GeneralSecurityException();
                }
                if (chain.Length > 1) {
                    list.Add(new VerificationOK(signCert, this, "Root certificate passed without checking"));
                }
            }
            catch (GeneralSecurityException) {
                // NOTE: the underlying GeneralSecurityException is not attached to the thrown exception.
                throw new VerificationException(signCert, "Couldn't verify with CRL or OCSP or trusted anchor");
            }
        }
        result.AddRange(list);
    }

    SwitchToPreviousRevision();
    return result;
}