Public Member Functions | Static Public Attributes | Protected Member Functions

de.softpro.doc.SignDocVerificationParameters Class Reference

Parameters for verifying a certificate chain. More...

List of all members.

Public Member Functions

 SignDocVerificationParameters () throws SignDocException
 Constructor.
void setForUpdateDSS () throws SignDocException
 Set suitable values for using this object with SignDocDocument.updateDSS() and SignDocDocument.updateDSS2().
synchronized int setString (String aName, String aValue) throws SignDocException
 Set a string parameter.
synchronized int setInteger (String aName, int aValue) throws SignDocException
 Set an integer parameter.
synchronized int setBlob (String aName, byte[] aValue) throws SignDocException
 Set a blob parameter.

Static Public Attributes

static final int rc_ok = 0
 Return code for setter functions: Parameter set successfully.
static final int rc_unknown = 1
 Return code for setter functions: Unknown parameter.
static final int rc_not_supported = 2
 Return code for setter functions: Setting the parameter is not supported.
static final int rc_invalid_value = 3
 Return code for setter functions: The value for the parameter is invalid.
static final int ccvp_dont_verify = 0
 Value for integer parameter "CertificateChainVerificationPolicy": don't verify.
static final int ccvp_accept_self_signed = 1
 Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates.
static final int ccvp_accept_self_signed_with_bio = 2
 Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates: Accept self-signed certificates if biometric data is present.
static final int ccvp_accept_self_signed_with_rsa_bio = 3
 Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates if asymmetrically encrypted biometric data is present.
static final int ccvp_require_trusted_root = 4
 Value for integer parameter "CertificateChainVerificationPolicy": require a trusted root certificate.
static final int crvp_dont_check = 0
 Value for integer parameter "CertificateRevocationVerificationPolicy": don't verify revocation of certificates.
static final int crvp_offline = 1
 Value for integer parameter "CertificateRevocationVerificationPolicy": accept offline server.
static final int crvp_online = 2
 Value for integer parameter "CertificateRevocationVerificationPolicy": require online server.
static final int vm_minimal = 0
 Value for integer parameter "VerificationModel": minimal.
static final int vm_chain = 1
 Value for integer parameter "VerificationModel": chain model.
static final int vm_modified_shell = 2
 Value for integer parameter "VerificationModel": modified shell model (also known as hybrid model).
static final int vm_shell = 3
 Value for integer parameter "VerificationModel": shell model.
static final int vf_check_revocation = 0x01
 Flag for integer parameter "VerificationFlags": check the revocation state of the certificates.
static final int vf_use_crl_only = 0x02
 Flag for integer parameter "VerificationFlags": use only certification revocation lists for checking the revocation state of the certificates.
static final int vf_use_ocsp_only = 0x04
 Flag for integer parameter "VerificationFlags": use only OCSP for checking the revocation state of the certificates.
static final int vf_offline = 0x08
 Flag for integer parameter "VerificationFlags": use only CRLs and OCSP responses stored in the document, do not connect to any server for getting CRLs and OCSP responses.
static final int vf_enforce_next_update = 0x10
 Flag for integer parameter "VerificationFlags": enforce nextUpdate of CRLs and OCSP responses.
static final int vf_enforce_ocsp_signer = 0x20
 Flag for integer parameter "VerificationFlags": enforce correct OCSP signer.
static final int vf_online = 0x40
 Flag for integer parameter "VerificationFlags": do not use CRLs and OCSP responses stored in the document, always use server for getting CRLs and OCSP responses.
static final int vf_no_ocsp_nonce = 0x80
 Flag for integer parameter "VerificationFlags": do not use a nonce in OCSP requests.
static final int vf_crl_first = 0x100
 Flag for integer parameter "VerificationFlags": try CRL before OCSP for certificates that specify both CRL distribution points and OCSP distribution points.
static final int vf_ignore_no_revocation = 0x200
 Flag for integer parameter "VerificationFlags": ignore for revocation checking certificates that don't have CRL and OCSP distribution points.

Protected Member Functions

void finalize () throws Throwable
 Finalize this object.

Detailed Description

Parameters for verifying a certificate chain.

If you use null instead of a SignDocVerificationParameters object, the following default values will be used (those are identical to the default values for a freshly created SignDocVerificationParameters object):

However, for SignDocDocument.updateDSS() and SignDocDocument.updateDSS2(), the following default values will be used if a null pointer is passed (those are identical to the values set by setForUpdateDSS()):

To make the signature maximally meaningful, verification parameters for SignDocDocument.addSignature() should include vf_check_revocation in integer parameter "VerificationFlags".

If integer parameter "CertificateChainVerificationPolicy" is ccvp_dont_verify, integer parameter "CertificateRevocationVerificationPolicy" must be crvp_dont_check.

See also:
SignDocDocument.renderPageAsImage(), SignDocDocument.updateDSS(), SignDocDocument.updateDSS2(), SignDocVerificationResult.verifyCertificateChain(), SignDocVerificationResult.verifyCertificateSimplified(), SignDocVerificationResult.verifyTimeStampCertificateChain(), SignDocVerificationResult.verifyTimeStampSimplified()

Constructor & Destructor Documentation

de.softpro.doc.SignDocVerificationParameters.SignDocVerificationParameters (  ) throws SignDocException

Constructor.

See SignDocVerificationParameters for the default values.

See also:
setForUpdateDSS()

Member Function Documentation

void de.softpro.doc.SignDocVerificationParameters.finalize (  ) throws Throwable [protected]

Finalize this object.

Do not call this method unless you know what you are doing.

synchronized int de.softpro.doc.SignDocVerificationParameters.setBlob ( String  aName,
byte[]  aValue 
) throws SignDocException

Set a blob parameter.

Available blob parameters are:

  • IntermediateCertificate Add an intermediate certificate which might help building the certificate chain. The blob must contain a serialized X.509 certificate (DER or PEM).
  • TrustedCertificate Add a trusted root certificate. The blob must contain a serialized X.509 certificate (DER or PEM).
Parameters:
[in]aNameThe name of the parameter (case-sensitive).
[in]aValueThe value of the parameter.
Returns:
rc_ok iff successful.
void de.softpro.doc.SignDocVerificationParameters.setForUpdateDSS (  ) throws SignDocException

Set suitable values for using this object with SignDocDocument.updateDSS() and SignDocDocument.updateDSS2().

See SignDocVerificationParameters for the values set by this function.

synchronized int de.softpro.doc.SignDocVerificationParameters.setInteger ( String  aName,
int  aValue 
) throws SignDocException

Set an integer parameter.

Available integer parameters are:

Parameters:
[in]aNameThe name of the parameter (case-sensitive).
[in]aValueThe value of the parameter.
Returns:
rc_ok iff successful.
synchronized int de.softpro.doc.SignDocVerificationParameters.setString ( String  aName,
String  aValue 
) throws SignDocException

Set a string parameter.

Available string parameters are:

  • UserAgent The value of the User-Agent header field sent to CRL and OCSP servers. The default value is "SignDoc".
  • VerificationTime Empty (for the current date and time) or a string in ISO 8601 format ("yyyy-mm-ddThh:mm:ss", with optional timezone) specifying the verification date and time. The default value is empty. Used only if integer parameter "VerificationModel" is vm_shell. This parameteter is not used by SignDocDocument.addSignature(); that function always use the signing time as verification time.
Parameters:
[in]aNameThe name of the parameter (case-sensitive).
[in]aValueThe value of the parameter.
Returns:
rc_ok iff successful.

Member Data Documentation

Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates.

Accept self-signed certificates. If the signing certificate is not self-signed, it must chain up to a trusted root certificate.

See also:
ccvp_accept_self_signed_with_bio, ccvp_accept_self_signed_with_rsa_bio, ccvp_dont_verify, ccvp_require_trusted_root

Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates: Accept self-signed certificates if biometric data is present.

If the signing certificate is not self-signed or if there is no biometric data, the certificate must chain up to a trusted root certificate.

See also:
ccvp_accept_self_signed, ccvp_accept_self_signed_with_rsa_bio, ccvp_dont_verify, ccvp_require_trusted_root

Value for integer parameter "CertificateChainVerificationPolicy": accept self-signed certificates if asymmetrically encrypted biometric data is present.

If the signing certificate is not self-signed or if there is no biometric data or if the biometric data is not encrypted with RSA, the certificate must chain up to a trusted root certificate.

See also:
ccvp_accept_self_signed, ccvp_accept_self_signed_with_bio, ccvp_dont_verify, ccvp_require_trusted_root

Value for integer parameter "CertificateChainVerificationPolicy": don't verify.

Don't verify the certificate chain, always pretend that the certificate chain is OK.

See also:
ccvp_accept_self_signed, ccvp_accept_self_signed_with_bio, ccvp_accept_self_signed_with_rsa_bio, ccvp_require_trusted_root

Value for integer parameter "CertificateChainVerificationPolicy": require a trusted root certificate.

The signing certificate must chain up to a trusted root certificate.

See also:
ccvp_accept_self_signed_with_bio, ccvp_accept_self_signed_with_rsa_bio, ccvp_dont_verify, ccvp_accept_self_signed

Value for integer parameter "CertificateRevocationVerificationPolicy": don't verify revocation of certificates.

Don't verify revocation of certificates, always pretend that certificates have not been revoked.

See also:
crvp_offline, crvp_online

Value for integer parameter "CertificateRevocationVerificationPolicy": accept offline server.

Check revocation, assume that certificates are not revoked if the revocation server is offline.

See also:
crvp_dont_check, crvp_online

Value for integer parameter "CertificateRevocationVerificationPolicy": require online server.

Check revocation, assume that certificates are revoked if the revocation server is offline.

See also:
crvp_dont_check, crvp_offline

Return code for setter functions: The value for the parameter is invalid.

Return code for setter functions: Setting the parameter is not supported.

Return code for setter functions: Parameter set successfully.

Return code for setter functions: Unknown parameter.

Flag for integer parameter "VerificationFlags": check the revocation state of the certificates.

See also:
vf_crl_first, vf_enforce_next_update, vf_enforce_ocsp_signer, vf_ignore_no_revocation, vf_no_ocsp_nonce, vf_offline, vf_online, vf_use_crl_only, vf_use_ocsp_only, verifyCertificateChain(), verifyTimeStampCertificateChain()

Flag for integer parameter "VerificationFlags": try CRL before OCSP for certificates that specify both CRL distribution points and OCSP distribution points.

If this flag is set, CRLs will be tried first which has the advantage of CRLs being cacheable.

If this flag is not set, OCSP will be tried first which has the advantage of OCSP responses being usually smaller than CRLs.

See also:
vf_check_revocation, vf_enforce_next_update, vf_enforce_ocsp_signer, vf_ignore_no_revocation, vf_no_ocsp_nonce, vf_offline, vf_online, vf_use_crl_only, vf_use_ocsp_only, verifyCertificateChain(), verifyTimeStampCertificateChain()

Flag for integer parameter "VerificationFlags": enforce nextUpdate of CRLs and OCSP responses.

If this flag is set, CRLs and OCSP responses whose nextUpdate time is before the signing time or verification time (depending on the verification model) will be ignored. See also integer parameter "ComputeOfflineNextUpdate".

This flag is ignored unless vf_check_revocation is set. If this flag is set, there are more cases in which an OCSP or CRL server needs to be contacted.

See also:
vf_check_revocation, vf_crl_first, vf_enforce_ocsp_signer, vf_ignore_no_revocation, vf_no_ocsp_nonce, vf_offline, vf_online, vf_use_crl_only, vf_use_ocsp_only, verifyCertificateChain(), verifyTimeStampCertificateChain()

Flag for integer parameter "VerificationFlags": enforce correct OCSP signer.

If this flag is set, an OCSP response must be signed by the issuer certificate or a delegate issued by the issuer certificate.

This flag flag is not set, any trusted signer will be accepted as OCSP signer.

This flag is ignored unless vf_check_revocation is set.

See also:
vf_check_revocation, vf_crl_first, vf_enforce_next_update, vf_ignore_no_revocation, vf_no_ocsp_nonce, vf_offline, vf_online, vf_use_crl_only, vf_use_ocsp_only, verifyCertificateChain(), verifyTimeStampCertificateChain()

Flag for integer parameter "VerificationFlags": ignore for revocation checking certificates that don't have CRL and OCSP distribution points.

If this flag is set, certificates that have neither CRL distribution points nor OCSP distribution points will be ignored during revocation checking.

If this flag is not set, certificates that have neither CRL distribution points nor OCSP distribution points cause revocation checking to fail (result SignDocVerificationResult.crs_not_checked for SignDocVerificationResult.getCertificateRevocationState()) unless there is a revoked certificate (result SignDocVerificationResult.crs_revoked for SignDocVerificationResult.getCertificateRevocationState()).

See also:
vf_check_revocation, vf_crl_first, vf_enforce_next_update, vf_enforce_ocsp_signer, vf_no_ocsp_nonce, vf_offline, vf_online, vf_use_crl_only, vf_use_ocsp_only, verifyCertificateChain(), verifyTimeStampCertificateChain()

Flag for integer parameter "VerificationFlags": do not use a nonce in OCSP requests.

If this flag is set, OCSP requests won't use a nonce, enabling OCSP responders to cache responses and enabling attackers to mount replay attacks.

If this flag is not set, a nonce is used in OCSP requests (and is therefore required in OCSP responses).

See also:
vf_check_revocation, vf_crl_first, vf_enforce_next_update, vf_enforce_ocsp_signer, vf_ignore_no_revocation, vf_offline, vf_online, vf_use_crl_only, vf_use_ocsp_only, verifyCertificateChain(), verifyTimeStampCertificateChain()

Flag for integer parameter "VerificationFlags": use only CRLs and OCSP responses stored in the document, do not connect to any server for getting CRLs and OCSP responses.

This flag is ignored unless vf_check_revocation is set. vf_online must not be set if this flag is set.

See also:
vf_check_revocation, vf_crl_first, vf_enforce_next_update, vf_enforce_ocsp_signer, vf_ignore_no_revocation, vf_no_ocsp_nonce, vf_online, vf_use_crl_only, vf_use_ocsp_only, verifyCertificateChain(), verifyTimeStampCertificateChain()

Flag for integer parameter "VerificationFlags": do not use CRLs and OCSP responses stored in the document, always use server for getting CRLs and OCSP responses.

This flag is ignored unless vf_check_revocation is set. vf_offline must not be set if this flag is set.

See also:
vf_check_revocation, vf_crl_first, vf_enforce_next_update, vf_enforce_ocsp_signer, vf_ignore_no_revocation, vf_no_ocsp_nonce, vf_offline, vf_use_crl_only, vf_use_ocsp_only, verifyCertificateChain(), verifyTimeStampCertificateChain()

Flag for integer parameter "VerificationFlags": use only certification revocation lists for checking the revocation state of the certificates.

This flag is ignored unless vf_check_revocation is set. vf_use_ocsp_only must not be set if this flag is set.

See also:
vf_check_revocation, vf_crl_first, vf_enforce_next_update, vf_enforce_ocsp_signer, vf_ignore_no_revocation, vf_no_ocsp_nonce, vf_offline, vf_online, vf_use_ocsp_only, verifyCertificateChain(), verifyTimeStampCertificateChain()

Flag for integer parameter "VerificationFlags": use only OCSP for checking the revocation state of the certificates.

This flag is ignored unless vf_check_revocation is set. vf_use_crl_only must not be set if this flag is set.

See also:
vf_check_revocation, vf_crl_first, vf_enforce_next_update, vf_enforce_ocsp_signer, vf_ignore_no_revocation, vf_no_ocsp_nonce, vf_offline, vf_online, vf_use_crl_only, verifyCertificateChain(), verifyTimeStampCertificateChain()

Value for integer parameter "VerificationModel": chain model.

Each certificate in the chain (except for the root certificate) must have been issued during the validity time period of its issuer certificate. The signing certificate must be valid at signing time.

See also:
vm_minimal, vm_modified_shell, vm_shell

Value for integer parameter "VerificationModel": minimal.

The signing certificate must be valid at signing time. Apparently, this is what Adobe Reader does.

See also:
vm_chain, vm_modified_shell, vm_shell

Value for integer parameter "VerificationModel": modified shell model (also known as hybrid model).

All certificates in the chain must be valid at signing time.

See also:
vm_chain, vm_minimal, vm_shell

Value for integer parameter "VerificationModel": shell model.

All certificates in the chain must be valid at verification time and the signing certificate must be valid at signing time.

The shell model is not really suitable for digital signatures as it allows for repudiation of signatures. An exception is LTV (long term validity) validation as signatures are validated at times in the past established by document time stamps.

See also:
vm_chain, vm_minimal, vm_modified_shell

The documentation for this class was generated from the following file: