How does MailMessage.CheckSignature work?

In the documentation of MailMessage.CheckSignature (MailMessage.CheckSignature | Aspose.Email for .NET API Reference), it is not clear how the result is communicated. Presumably an exception would be thrown in the case of an invalid signature, but none is documented.

More importantly, in my tests, the CheckSignature passes, even though the certificate with which the message is signed is not trusted. Have I misunderstood something, does it not actually do what I think it does? Or is it a bug?

@vashek,

I suggest you please visit this API reference guide link for your further kind reference. It gives more elaboration of what the method performs and what type of exceptions are expected to be thrown.

Well that’s nice, but unlike the static method with a string argument that you link to, the one I’m using returns void, not bool, and doesn’t document any exception for invalid signature. Plus it passes just fine with an untrusted certificate.

@vashek,

I can understand your point of view. Therefore, I suggested you please use the method which returns the bool value. If you still face the issue, please share the working sample project along with the un-trusted certificate that we may use on our end to help you further.

So you’re suggesting that I save the message to a file and then call CheckSignature(filename)? That hardly seems efficient…

@vashek,

We have internally discussed the issue. Actually, the ‘void CheckSignature()’ internally uses ‘bool CheckSignature(Stream stream)’ and throws InvalidOperationException in the following cases:

  1. Mail message is not signed
  2. Signature is not verified
  3. Other cases with incorrect signature and data format

Regarding issue with un-trusted certificate:

Only the digital signatures are verified, without the signers’ certificates being validated.
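To make the distinction in that answer concrete (signature integrity versus validation of the signer's certificate), here is an added example written for this thread, not code from Aspose or from the original posts. It uses only the .NET BCL (System.Security.Cryptography.Pkcs, a NuGet package on .NET Core/.NET 5+) on a constructed self-signed certificate that stands in for an untrusted signer; the names MakeUntrustedSigner, SignPkcs7 and Verify are the example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class Program
{
    // Constructed demo signer: self-signed, so it chains to no trusted root.
    static X509Certificate2 MakeUntrustedSigner()
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=untrusted-signer", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var ephemeral = req.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
        // Re-import via PFX so the key is usable by SignedCms on Windows too.
        return new X509Certificate2(ephemeral.Export(X509ContentType.Pfx));
    }

    // Produce a PKCS#7/CMS signed blob, the same structure S/MIME carries.
    static byte[] SignPkcs7(byte[] content, X509Certificate2 signer)
    {
        var cms = new SignedCms(new ContentInfo(content), detached: false);
        cms.ComputeSignature(new CmsSigner(signer));
        return cms.Encode();
    }

    // Two checks, mirroring the thread: does the signature verify at all,
    // and does the signer's certificate chain to a trusted root?
    static (bool signatureOk, bool signerTrusted) Verify(byte[] pkcs7)
    {
        var cms = new SignedCms();
        cms.Decode(pkcs7);
        bool sigOk, trusted;
        try { cms.CheckSignature(verifySignatureOnly: true); sigOk = true; }
        catch (CryptographicException) { sigOk = false; }
        try { cms.CheckSignature(verifySignatureOnly: false); trusted = true; }
        catch (CryptographicException) { trusted = false; }
        return (sigOk, trusted);
    }

    static void Main()
    {
        using var signer = MakeUntrustedSigner();
        byte[] signed = SignPkcs7(Encoding.UTF8.GetBytes("constructed body"), signer);
        var (sigOk, trusted) = Verify(signed);
        // Expected on a machine that does not trust the demo cert: True, False
        Console.WriteLine($"signature valid: {sigOk}, signer trusted: {trusted}");
    }
}
```

A signature-only check passing while the chain check fails is exactly the situation the question describes: anyone holding any key can produce a signature that "verifies", so trust comes from the certificate validation step, not from the signature check alone.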

OK, great, thanks.
(If I want to nitpick, throwing InvalidOperationException in all these different cases is not great, but I’m sure you know that. ;))
Is there a way to obtain the certificate of the signer, then, so that I can validate it myself? Because without validating the certificate, the method is actually useless as anyone can generate a signature for anyone else that will look valid.

@vashek,

We have created an issue with ID EMAILNET-39665 in our issue tracking system for validating the issues with certificate validation (CheckSignature). We will share the feedback with you as soon as the issue is fixed.

The issues you have found earlier (filed as EMAILNET-39665) have been fixed in this update.