I have a business requirement to check the digital signature on an Open Packaging Conventions Package (it's a Word document) prior to continuing to process the document. The package is signed by me prior to delivering it to the client, so my code needs to verify at runtime that the file came from me and also has not been altered. I have working code that does this properly:
public static bool VerifySignature(Package package)
{
bool verified = true;
PackageDigitalSignatureManager dsm = new PackageDigitalSignatureManager(package);
VerifyResult verifyResult = dsm.VerifySignatures(false);
verified &= verifyResult == VerifyResult.Success;
var signature = dsm.Signatures.Where(s => s.Signer.Subject.Equals("MyCompanyName")).FirstOrDefault();
verified &= !ReferenceEquals(signature, null) && signature.Signer.Issuer.Equals("NameOfCA");
return verified;
}
My question relates to what actually happens when PackageDigitalSignatureManager.VerifySignatures() is called. I am concerned that during the certificate validation a CRL check, or some other call outside the network, will be made. I have some clients who run my application on machines with absolutely no internet access. If the code relies on internet access, it's basically a showstopper for me.
I want to know two things:
- Will my code lead to a CRL check or something else which could result in a call outside the network?
- If so, is there a way to prevent it, or perhaps a different way to validate the signature reliably using a different mechanism?