class BundleVerifier

File Information

Library: OSP/BundleSign
Package: BundleSign
Header: Poco/OSP/BundleSign/BundleVerifier.h


The BundleVerifier class is used to verify the signature of a signed bundle.

Member Summary

Member Functions: digestFromHex, extractCertificate, firstSigner, listSigners, nibble, verify

Type Aliases


using CertificatePtr = Poco::SharedPtr < Poco::Crypto::X509Certificate >;




Bundle verification was successful.


No signature was found for the given signer.


The signature files found in the bundle are not valid.


Bundle verification failed.



explicit BundleVerifier(
    const std::string & bundlePath
);

Creates a BundleVerifier for verifying the bundle given by bundlePath. The given path can either refer to a bundle file (in ZIP file format), or a bundle directory.




Destroys the BundleVerifier.

Member Functions


CertificatePtr extractCertificate(
    const std::string & alias
) const;

Extracts the X509 certificate for the signer given by alias from the bundle's signature file.

If the bundle does not contain a certificate for the given alias, returns 0.


std::string firstSigner() const;

Returns the alias name of the signer of the bundle.

If the bundle has more than one signature, the alias name of the first signer found is returned.

If the bundle does not contain any signatures, returns an empty string.


void listSigners(
    std::vector < std::string > & aliases
) const;

Fills the given vector with the alias names of all signers of the bundle.

The list is built by searching for <alias>.sf files in the bundle's META-INF directory.


VerificationResult verify(
    const std::string & alias,
    const Poco::Crypto::X509Certificate & certificate,
    std::vector < std::string > & messages

Verifies the bundle, using the signature from the signer given by alias, as well as the signer's public key extracted from the given certificate.

First, checks whether a signature from the given signer exists in the bundle. Second, verifies the integrity of the signature file, using the public key from the certificate. Third, computes the SHA1/SHA2 digests for all files in the bundle, and checks that the signatures match the signatures in the bundle's signature file.

Return values:

Note that verify() can also throw a Poco::Exception if a low-level error occurs.
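The signer lookup described for listSigners() and the third step of verify() (recomputing file digests and comparing them with the recorded values) can be seen in isolation in the following added example, which is not part of the BundleSign library. It is written in Python so that it runs without Poco, skips the second step (the public-key check of the signature file), and assumes a simplified manifest layout of one `<path>: <sha256 hex>` line per file that is invented here and is not the OSP signature file format; all function names and the sample bundle are constructed for illustration.

```python
import hashlib
import hmac
import io
import zipfile

META = "META-INF/"

def list_signers(bundle):
    """Aliases taken from META-INF/<alias>.sf entries, as listSigners() is described."""
    names = [n[len(META):-3] for n in bundle.namelist()
             if n.startswith(META) and n.endswith(".sf")]
    return sorted(a for a in names if a and "/" not in a)

def check_digests(bundle, alias):
    """Recompute each file digest and compare it; an empty result means all matched."""
    sf_name = f"{META}{alias}.sf"
    if sf_name not in bundle.namelist():
        return [f"no signature file for signer {alias}"]
    # ASSUMED manifest layout "<path>: <sha256 hex>", invented for this example.
    recorded = dict(line.split(": ", 1) for line in
                    bundle.read(sf_name).decode().splitlines() if ": " in line)
    messages = []
    for name in bundle.namelist():
        if name.startswith(META) or name.endswith("/"):
            continue  # signature metadata and directory entries are not hashed here
        expected = recorded.pop(name, None)
        if expected is None:
            messages.append(f"{name}: not covered by signature")
            continue
        try:
            expected_bytes = bytes.fromhex(expected)
        except ValueError:
            messages.append(f"{name}: malformed digest")
            continue
        actual = hashlib.sha256(bundle.read(name)).digest()
        if not hmac.compare_digest(actual, expected_bytes):
            messages.append(f"{name}: digest mismatch")
    # Entries the manifest lists but the archive no longer contains.
    return messages + [f"{n}: listed but missing" for n in recorded]

def make_bundle(files, signed, alias="vendor"):
    """Constructed sample: in-memory ZIP whose manifest covers `signed`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        z.writestr(f"{META}{alias}.sf", "\n".join(
            f"{n}: {hashlib.sha256(d).hexdigest()}" for n, d in signed.items()))
    return zipfile.ZipFile(io.BytesIO(buf.getvalue()))
```

Reporting files that are present but unlisted, or listed but absent, is a choice made in this example; the page does not say how verify() treats either case.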

digestFromHex protected static

static void digestFromHex(
    const std::string & hex,
    Poco::DigestEngine::Digest & digest
);

nibble protected static

static int nibble(
    char ch
);