MessageSigner Component
Properties Methods Events Config Settings Errors
The MessageSigner component digitally signs data and stores it in the PKCS#7 format.
Syntax
TsbxMessageSigner
Remarks
PKCS#7 (Public Key Cryptography Standard #7) is a common format used to store encrypted and signed data. It is used by a variety of protocols, including S/MIME and CMS.
Property List
The following is the full list of the properties of the component with short descriptions. Click on the links for further details.
| ClaimedSigningTime | The signing time from the signer's computer. |
| ExternalCrypto | Provides access to external signing and DC parameters. |
| FIPSMode | Reserved. |
| HashAlgorithm | Specifies the hash algorithm to be used. |
| InputBytes | Use this property to pass the input to component in the byte array form. |
| InputFile | A path to the source file. |
| InputIsHash | Specifies whether the input source contains the hash of the data or the actual data. |
| MACAlgorithm | Specifies the keyed MAC algorithm to use. |
| OutputBytes | Use this property to read the output the component object has produced. |
| OutputFile | A path to the output file. |
| Proxy | The proxy server settings. |
| RecipientCertificate | The recipient certificate for HMAC-based signing. |
| SignatureType | Specifies the kind of signature to create. |
| SignedAttributes | Custom signature attributes to be covered by the electronic signature. |
| SigningCertificate | The certificate to be used for signing. |
| SigningChain | The signing certificate chain. |
| SocketSettings | Manages network connection settings. |
| TimestampServer | The address of the timestamping server. |
| TLSClientChain | The TLS client certificate chain. |
| TLSServerChain | The TLS server's certificate chain. |
| TLSSettings | Manages TLS layer settings. |
| UnsignedAttributes | Custom unsigned attributes to be included in the electronic signature. |
Method List
The following is the full list of the methods of the component with short descriptions. Click on the links for further details.
| Config | Sets or retrieves a configuration setting. |
| Countersign | Countersigns an existing signature. |
| DoAction | Performs an additional action. |
| ExtractAsyncData | Extracts user data from the DC signing service response. |
| Sign | Signs the data. |
| SignAsyncBegin | Initiates the asynchronous signing operation. |
| SignAsyncEnd | Completes the asynchronous signing operation. |
| Timestamp | Timestamps a signature. |
Event List
The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.
| Error | Information about errors during PKCS#7 message signing. |
| ExternalSign | Handles remote or external signing initiated by the SignExternal method or other source. |
| Notification | This event notifies the application about an underlying control flow event. |
| TimestampRequest | Fires when the component is ready to request a timestamp from an external TSA. |
| TLSCertNeeded | Fires when a remote TLS party requests a client certificate. |
| TLSCertValidate | This event is fired upon receipt of the TLS server's certificate, allowing the user to control its acceptance. |
| TLSEstablished | Fires when a TLS handshake with Host successfully completes. |
| TLSHandshake | Fires when a new TLS handshake is initiated, before the handshake commences. |
| TLSShutdown | Reports the graceful closure of a TLS connection. |
Config Settings
The following is a list of config settings for the component with short descriptions. Click on the links for further details.
| ContentType | Content type of the message. |
| TempPath | Path for storing temporary files. |
| TLSChainValidationDetails | Contains the advanced details of the TLS server certificate validation. |
| TLSChainValidationResult | Contains the result of the TLS server certificate validation. |
| TLSClientAuthRequested | Indicates whether the TLS server requests client authentication. |
| TLSValidationLog | Contains the log of the TLS server certificate validation. |
| TspHashAlgorithm | Sets a specific hash algorithm for use with the timestamping service. |
| TspReqPolicy | Sets a request policy ID to include in the timestamping request. |
| UsePSS | Whether to use RSASSA-PSS algorithm. |
| UseUndefSize | Allows or forbids the use of ASN.1 tags of undefined size. |
| CheckKeyIntegrityBeforeUse | Enables or disable private key integrity check before use. |
| CookieCaching | Specifies whether a cookie cache should be used for HTTP(S) transports. |
| Cookies | Gets or sets local cookies for the component (supported for HTTPClient, RESTClient and SOAPClient only). |
| DefDeriveKeyIterations | Specifies the default key derivation algorithm iteration count. |
| EnableClientSideSSLFFDHE | Enables or disables finite field DHE key exchange support in TLS clients. |
| GlobalCookies | Gets or sets global cookies for all the HTTP transports. |
| HttpUserAgent | Specifies the user agent name to be used by all HTTP clients. |
| LogDestination | Specifies the debug log destination. |
| LogDetails | Specifies the debug log details to dump. |
| LogFile | Specifies the debug log filename. |
| LogFilters | Specifies the debug log filters. |
| LogFlushMode | Specifies the log flush mode. |
| LogLevel | Specifies the debug log level. |
| LogMaxEventCount | Specifies the maximum number of events to cache before further action is taken. |
| LogRotationMode | Specifies the log rotation mode. |
| MaxASN1BufferLength | Specifies the maximal allowed length for ASN.1 primitive tag data. |
| MaxASN1TreeDepth | Specifies the maximal depth for processed ASN.1 trees. |
| OCSPHashAlgorithm | Specifies the hash algorithm to be used to identify certificates in OCSP requests. |
| StaticDNS | Specifies whether static DNS rules should be used. |
| StaticIPAddress[domain] | Gets or sets an IP address for the specified domain name. |
| StaticIPAddresses | Gets or sets all the static DNS rules. |
| Tag | Allows to store any custom data. |
| UseOwnDNSResolver | Specifies whether the client components should use own DNS resolver. |
| UseSharedSystemStorages | Specifies whether the validation engine should use a global per-process copy of the system certificate stores. |
| UseSystemOAEPAndPSS | Enforces or disables the use of system-driven RSA OAEP and PSS computations. |
| UseSystemRandom | Enables or disables the use of the OS PRNG. |
ClaimedSigningTime Property (MessageSigner Component)
The signing time from the signer's computer.
Syntax
property ClaimedSigningTime: String read get_ClaimedSigningTime write set_ClaimedSigningTime;
Default Value
''
Remarks
Use this property to provide the signature production time. The claimed time is not supported by a trusted source; it may be inaccurate, forfeited, or wrong, and as such is usually taken for informational purposes only by verifiers. Use timestamp servers to embed verifiable trusted timestamps. The time is in UTC.
ExternalCrypto Property (MessageSigner Component)
Provides access to external signing and DC parameters.
Syntax
property ExternalCrypto: TsbxExternalCrypto read get_ExternalCrypto;
Remarks
Use this property to tune-up remote cryptography settings. SecureBlackbox supports two independent types of external cryptography: synchronous (based on OnExternalSign event) and asynchronous (based on DC protocol and DCAuth signing component).
This property is read-only.
FIPSMode Property (MessageSigner Component)
Reserved.
Syntax
property FIPSMode: Boolean read get_FIPSMode write set_FIPSMode;
Default Value
false
Remarks
This property is reserved for future use.
HashAlgorithm Property (MessageSigner Component)
Specifies the hash algorithm to be used.
Syntax
property HashAlgorithm: String read get_HashAlgorithm write set_HashAlgorithm;
Default Value
'SHA256'
Remarks
This property specifies the hash algorithm to used for calculating the signature.
| SB_HASH_ALGORITHM_SHA1 | SHA1 | |
| SB_HASH_ALGORITHM_SHA224 | SHA224 | |
| SB_HASH_ALGORITHM_SHA256 | SHA256 | |
| SB_HASH_ALGORITHM_SHA384 | SHA384 | |
| SB_HASH_ALGORITHM_SHA512 | SHA512 | |
| SB_HASH_ALGORITHM_MD2 | MD2 | |
| SB_HASH_ALGORITHM_MD4 | MD4 | |
| SB_HASH_ALGORITHM_MD5 | MD5 | |
| SB_HASH_ALGORITHM_RIPEMD160 | RIPEMD160 | |
| SB_HASH_ALGORITHM_CRC32 | CRC32 | |
| SB_HASH_ALGORITHM_SSL3 | SSL3 | |
| SB_HASH_ALGORITHM_GOST_R3411_1994 | GOST1994 | |
| SB_HASH_ALGORITHM_WHIRLPOOL | WHIRLPOOL | |
| SB_HASH_ALGORITHM_POLY1305 | POLY1305 | |
| SB_HASH_ALGORITHM_SHA3_224 | SHA3_224 | |
| SB_HASH_ALGORITHM_SHA3_256 | SHA3_256 | |
| SB_HASH_ALGORITHM_SHA3_384 | SHA3_384 | |
| SB_HASH_ALGORITHM_SHA3_512 | SHA3_512 | |
| SB_HASH_ALGORITHM_BLAKE2S_128 | BLAKE2S_128 | |
| SB_HASH_ALGORITHM_BLAKE2S_160 | BLAKE2S_160 | |
| SB_HASH_ALGORITHM_BLAKE2S_224 | BLAKE2S_224 | |
| SB_HASH_ALGORITHM_BLAKE2S_256 | BLAKE2S_256 | |
| SB_HASH_ALGORITHM_BLAKE2B_160 | BLAKE2B_160 | |
| SB_HASH_ALGORITHM_BLAKE2B_256 | BLAKE2B_256 | |
| SB_HASH_ALGORITHM_BLAKE2B_384 | BLAKE2B_384 | |
| SB_HASH_ALGORITHM_BLAKE2B_512 | BLAKE2B_512 | |
| SB_HASH_ALGORITHM_SHAKE_128 | SHAKE_128 | |
| SB_HASH_ALGORITHM_SHAKE_256 | SHAKE_256 | |
| SB_HASH_ALGORITHM_SHAKE_128_LEN | SHAKE_128_LEN | |
| SB_HASH_ALGORITHM_SHAKE_256_LEN | SHAKE_256_LEN |
InputBytes Property (MessageSigner Component)
Use this property to pass the input to component in the byte array form.
Syntax
property InputBytes: TBytes read get_InputBytes write set_InputBytes;
Remarks
Assign a byte array containing the data to be processed to this property.
This property is not available at design time.
InputFile Property (MessageSigner Component)
A path to the source file.
Syntax
property InputFile: String read get_InputFile write set_InputFile;
Default Value
''
Remarks
Use this property to provide a path to the file containing the data to be signed.
InputIsHash Property (MessageSigner Component)
Specifies whether the input source contains the hash of the data or the actual data.
Syntax
property InputIsHash: Boolean read get_InputIsHash write set_InputIsHash;
Default Value
false
Remarks
Use this property to tell the component whether the input source contains the actual data or its hash.
This property is not available at design time.
MACAlgorithm Property (MessageSigner Component)
Specifies the keyed MAC algorithm to use.
Syntax
property MACAlgorithm: String read get_MACAlgorithm write set_MACAlgorithm;
Default Value
'SHA256'
Remarks
This property specifies the MAC algorithm to use for calculating the MAC signature.
| SB_MAC_ALGORITHM_HMAC_SHA1 | SHA1 | |
| SB_MAC_ALGORITHM_HMAC_SHA256 | SHA256 | |
| SB_MAC_ALGORITHM_HMAC_SHA512 | SHA512 |
OutputBytes Property (MessageSigner Component)
Use this property to read the output the component object has produced.
Syntax
property OutputBytes: TBytes read get_OutputBytes;
Remarks
Read the contents of this property after the operation is completed to read the produced output. This property will only be set if OutputFile and OutputStream properties had not been assigned.
This property is read-only and not available at design time.
OutputFile Property (MessageSigner Component)
A path to the output file.
Syntax
property OutputFile: String read get_OutputFile write set_OutputFile;
Default Value
''
Remarks
Use this property to specify the file to save the signed message to.
Proxy Property (MessageSigner Component)
The proxy server settings.
Syntax
property Proxy: TsbxProxySettings read get_Proxy;
Remarks
Use this property to tune up the proxy server settings.
This property is read-only.
RecipientCertificate Property (MessageSigner Component)
The recipient certificate for HMAC-based signing.
Syntax
property RecipientCertificate: TsbxCertificate read get_RecipientCertificate write set_RecipientCertificate;
Remarks
Use this property to specify the certificate to be used for encryption of the HMAC key. This is a "recipient's" certificate, and as such it does not need to have an associated private key.
The certificate is used with SignatureType set to one of the MAC options to generate an encrypted session key block. Upon receiving the signed message, the recipient decrypts the HMAC key and uses that to verify the integrity of the message.
This property is not available at design time.
SignatureType Property (MessageSigner Component)
Specifies the kind of signature to create.
Syntax
property SignatureType: TsbxMessageSignatureTypes read get_SignatureType write set_SignatureType;
TsbxMessageSignatureTypes = ( stUnknown, stPKCS1Detached, stPKCS7Detached, stPKCS7Enveloping, stPKCS7MACDetached, stPKCS7MACEnveloping );
Default Value
stPKCS7Detached
Remarks
Possible values:
| stUnknown | 0 | Unknown or unsupported signature types |
| stPKCS1Detached | 1 | Detached PKCS#1 signature |
| stPKCS7Detached | 2 | Detached PKCS#7 signature |
| stPKCS7Enveloping | 3 | Enveloping PKCS#7 signature |
| stPKCS7MACDetached | 4 | Detached PKCS#7 MAC signature |
| stPKCS7MACEnveloping | 5 | Enveloping PKCS#7 MAC signature |
SignedAttributes Property (MessageSigner Component)
Custom signature attributes to be covered by the electronic signature.
Syntax
property SignedAttributes: TsbxSignatureAttributeList read get_SignedAttributes;
Remarks
Signature attributes are used to store auxiliary information in the signature. Values included as signed attributes are covered by the signature.
This property is read-only and not available at design time.
SigningCertificate Property (MessageSigner Component)
The certificate to be used for signing.
Syntax
property SigningCertificate: TsbxCertificate read get_SigningCertificate write set_SigningCertificate;
Remarks
Use this property to specify the certificate that shall be used for signing the data. Note that this certificate should have a private key associated with it. Use SigningChain to supply the rest of the certificate chain for inclusion into the signature.
This property is not available at design time.
SigningChain Property (MessageSigner Component)
The signing certificate chain.
Syntax
property SigningChain: TsbxCertificateList read get_SigningChain write set_SigningChain;
Remarks
Use this property to provide the chain for the signing certificate. Use SigningCertificate property, if it is available, to provide the signing certificate itself.
This property is not available at design time.
SocketSettings Property (MessageSigner Component)
Manages network connection settings.
Syntax
property SocketSettings: TsbxSocketSettings read get_SocketSettings;
Remarks
Use this property to tune up network connection parameters.
This property is read-only.
TimestampServer Property (MessageSigner Component)
The address of the timestamping server.
Syntax
property TimestampServer: String read get_TimestampServer write set_TimestampServer;
Default Value
''
Remarks
Use this property to provide the address of the Time Stamping Authority (TSA) server to be used for timestamping the signature.
SecureBlackbox supports RFC3161-compliant timestamping servers, available via HTTP or HTTPS.
If your timestamping service enforces credential-based user authentication (basic or digest), you can provide the credentials in the same URL:
http://user:password@timestamp.server.com/TsaService
For TSAs using certificate-based TLS authentication, provide the client certificate via the TLSClientChain property.
If this property is left empty, no timestamp will be added to the signature.
Starting from summer 2021 update (Vol. 2), the virtual timestamping service is supported, which allows you to intervene in the timestamping routine and provide your own handling for the TSA exchange. This may be handy if the service that you are requesting timestamps from uses a non-standard TSP protocol or requires special authentication option.
To employ the virtual service, assign an URI of the following format to this property:
virtual://localhost?hashonly=true&includecerts=true&reqpolicy=1.2.3.4.5&halg=SHA256
Subscribe to Notification event to get notified about the virtualized timestamping event. The EventID of the timestamping event is TimestampRequest. Inside the event handler, read the base16-encoded request from the EventParam parameter and forward it to the timestamping authority. Upon receiving the response, pass it back to the component, encoded in base16, via the TimestampResponse config property:
component.Config("TimestampResponse=308208ab...");
Note that all the exchange with your custom TSA should take place within the same invocation of the Notification event.
The hashonly parameter of the virtual URI tells the component to only return the timestamp message imprint via the EventParam parameter. If set to false, EventParam will contain the complete RFC3161 timestamping request.
The includecerts parameter specifies that the requestCertificates parameter of the timestamping request should be set to true.
The reqpolicy parameter lets you specify the request policy, and the halg parameter specifies the hash algorithm to use for timestamping.
All the parameters are optional.
TLSClientChain Property (MessageSigner Component)
The TLS client certificate chain.
Syntax
property TLSClientChain: TsbxCertificateList read get_TLSClientChain write set_TLSClientChain;
Remarks
Assign a certificate chain to this property to enable TLS client authentication in the component. Note that the client's end-entity certificate should have a private key associated with it.
This property is not available at design time.
TLSServerChain Property (MessageSigner Component)
The TLS server's certificate chain.
Syntax
property TLSServerChain: TsbxCertificateList read get_TLSServerChain;
Remarks
Use this property to access the certificate chain sent by the TLS server.
This property is read-only and not available at design time.
TLSSettings Property (MessageSigner Component)
Manages TLS layer settings.
Syntax
property TLSSettings: TsbxTLSSettings read get_TLSSettings;
Remarks
Use this property to tune up the TLS layer parameters.
This property is read-only.
UnsignedAttributes Property (MessageSigner Component)
Custom unsigned attributes to be included in the electronic signature.
Syntax
property UnsignedAttributes: TsbxSignatureAttributeList read get_UnsignedAttributes;
Remarks
Signature attributes are used to store auxiliary information in the signature. Values included as unsigned attributes are not covered by the signature and can be changed or removed without affecting the signature.
This property is read-only and not available at design time.
Config Method (MessageSigner Component)
Sets or retrieves a configuration setting.
Syntax
function Config(ConfigurationString: String): String;
Remarks
Config is a generic method available in every component. It is used to set and retrieve configuration settings for the component.
These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.
To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).
To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.
Countersign Method (MessageSigner Component)
Countersigns an existing signature.
Syntax
procedure Countersign();
Remarks
Use this method to certify an existing document signature. Countersigning doesn't alter the existing signatures or the signed document itself.
DoAction Method (MessageSigner Component)
Performs an additional action.
Syntax
function DoAction(ActionID: String; ActionParams: String): String;
Remarks
DoAction is a generic method available in every component. It is used to perform an additional action introduced after the product major release. The list of actions is not fixed, and may be flexibly extended over time.
The unique identifier of the action is provided in ActionID parameter. ActionParams contains a list of parameters for the action in the form of PARAM1=VALUE1;PARAM2=VALUE2;....
ExtractAsyncData Method (MessageSigner Component)
Extracts user data from the DC signing service response.
Syntax
function ExtractAsyncData(AsyncReply: String): String;
Remarks
Call this method before finalizing the asynchronous signing process to extract the data passed to the ExternalCrypto.Data property on the pre-signing stage.
The Data parameter can be used to pass some state or document identifier along with the signing request from the pre-signing to completion async stage.
Sign Method (MessageSigner Component)
Signs the data.
Syntax
procedure Sign();
Remarks
This method signs the data provided via InputFile (or InputStream) with SigningCertificate, and saves the signature in OutputFile (OutputStream). Set the desired signature variant via SignatureType property.
The component automatically timestamps the created signature if a TimestampServer is provided.
SignAsyncBegin Method (MessageSigner Component)
Initiates the asynchronous signing operation.
Syntax
function SignAsyncBegin(): String;
Remarks
When using the DC framework, call this method to initiate the asynchronous signing process. Upon completion, a pre-signed copy of the document will be saved in OutputFile (or OutputStream). Keep the pre-signed copy somewhere local, and pass the returned string ('the request state') to the DC processor for handling.
Upon receiving the response state from the DC processor, assign the path to the pre-signed copy to InputFile (or InputStream), and call SignAsyncEnd to finalize the signing.
Note that depending on the signing method and DC configuration used, you may still need to provide the public part of the signing certificate via the SigningCertificate property.
Use the ExternalCrypto.AsyncDocumentID property to supply a unique document ID to include in the request. This is helpful when creating batches of multiple async requests, as it allows you to pass the whole response batch to SignAsyncEnd and expect it to recover the correct response from the batch automatically.
AsyncState is a message of the distributed cryptography (DC) protocol. DC protocol is based on exchange of async states between a DC client (an application that wants to sign a PDF, XML, or Office document) and a DC server (an application that controls access to the private key). An async state can carry one or more signing requests, comprised of document hashes, or one or more signatures produced over those hashes.
In a typical scenario you get a client-side async state from the SignAsyncBegin method. This state contains document hashes to be signed on the DC server side. You then send the async state to the DC server (often represented by the DCAuth control), which processes it and produces a matching signatures state. The async state produced by the server is then passed to the SignAsyncEnd method.
SignAsyncEnd Method (MessageSigner Component)
Completes the asynchronous signing operation.
Syntax
procedure SignAsyncEnd(AsyncReply: String);
Remarks
When using the DC framework, call this method upon receiving the response state from the DC processor to complete the asynchronous signing process.
Before calling this method, assign the path to the pre-signed copy of the document obtained from prior SignAsyncBegin call to InputFile (or InputStream). The method will embed the signature into the pre-signed document, and save the complete signed document to OutputFile (or OutputStream).
Note that depending on the signing method and DC configuration used, you may still need to provide the public part of the signing certificate via the SigningCertificate property.
Use the ExternalCrypto.AsyncDocumentID parameter to pass a specific document ID if using batched AsyncReply. If used, it should match the value provided on the pre-signing (SignAsyncBegin) stage.
AsyncState is a message of the distributed cryptography (DC) protocol. DC protocol is based on exchange of async states between a DC client (an application that wants to sign a PDF, XML, or Office document) and a DC server (an application that controls access to the private key). An async state can carry one or more signing requests, comprised of document hashes, or one or more signatures produced over those hashes.
In a typical scenario you get a client-side async state from the SignAsyncBegin method. This state contains document hashes to be signed on the DC server side. You then send the async state to the DC server (often represented by the DCAuth control), which processes it and produces a matching signatures state. The async state produced by the server is then passed to the SignAsyncEnd method.
Timestamp Method (MessageSigner Component)
Timestamps a signature.
Syntax
procedure Timestamp();
Remarks
This method timestamps an existing PKCS#7 signature with TimestampServer. Pass your existing signature via InputFile (or InputStream), and collect the timestamped variant from OutputFile (OutputStream).
Error Event (MessageSigner Component)
Information about errors during PKCS#7 message signing.
Syntax
type TErrorEvent = procedure ( Sender: TObject; ErrorCode: Integer; const Description: String ) of Object;
property OnError: TErrorEvent read FOnError write FOnError;
Remarks
The event is fired in case of exceptional conditions during message processing.
ErrorCode contains an error code and Description contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Messages section.
ExternalSign Event (MessageSigner Component)
Handles remote or external signing initiated by the SignExternal method or other source.
Syntax
type TExternalSignEvent = procedure ( Sender: TObject; const OperationId: String; const HashAlgorithm: String; const Pars: String; const Data: String; var SignedData: String ) of Object;
property OnExternalSign: TExternalSignEvent read FOnExternalSign write FOnExternalSign;
Remarks
Assign a handler to this event if you need to delegate a low-level signing operation to an external, remote, or custom signing engine. Depending on the settings, the handler will receive a hashed or unhashed value to be signed.
The event handler must pass the value of Data to the signer, obtain the signature, and pass it back to the component via SignedData parameter.
OperationId provides a comment about the operation and its origin. It depends on the exact component being used, and may be empty. HashAlgorithm specifies the hash algorithm being used for the operation, and Pars contain algorithm-dependent parameters.
The component uses base16 (hex) encoding for Data, SignedData, and Pars parameters. If your signing engine uses a different input and output encoding, you may need to decode and/or encode the data before and/or after the signing.
A sample MD5 hash encoded in base16: a0dee2a0382afbb09120ffa7ccd8a152 - lower case base16 A0DEE2A0382AFBB09120FFA7CCD8A152 - upper case base16
A sample event handler that uses a .NET RSACryptoServiceProvider class may look like the following:
signer.OnExternalSign += (s, e) =>
{
var cert = new X509Certificate2("cert.pfx", "", X509KeyStorageFlags.Exportable);
var key = (RSACryptoServiceProvider)cert.PrivateKey;
var dataToSign = e.Data.FromBase16String();
var signedData = key.SignHash(dataToSign, "2.16.840.1.101.3.4.2.1");
e.SignedData = signedData.ToBase16String();
};
Notification Event (MessageSigner Component)
This event notifies the application about an underlying control flow event.
Syntax
type TNotificationEvent = procedure ( Sender: TObject; const EventID: String; const EventParam: String ) of Object;
property OnNotification: TNotificationEvent read FOnNotification write FOnNotification;
Remarks
The component fires this event to let the application know about some event, occurrence, or milestone in the component. For example, it may fire to report completion of the document processing. The list of events being reported is not fixed, and may be flexibly extended over time.
The unique identifier of the event is provided in EventID parameter. EventParam contains any parameters accompanying the occurrence. Depending on the type of the component, the exact action it is performing, or the document being processed, one or both may be omitted.
This component can fire this event with the following EventID values:
| TimestampRequest | A timestamp is requested from the custom timestamping
authority. This event is only fired if TimestampServer was set to a
virtual:// URI. The EventParam parameter contains the
TSP request (or the plain hash, depending on the value provided to
TimestampServer), in base16, that needs to be sent to the TSA.
Use the event handler to send the request to the TSA. Upon receiving the response, assign it, in base16, to the TimestampResponse configuration property. |
TimestampRequest Event (MessageSigner Component)
Fires when the component is ready to request a timestamp from an external TSA.
Syntax
type TTimestampRequestEvent = procedure ( Sender: TObject; const TSA: String; const TimestampRequest: String; var TimestampResponse: String; var SuppressDefault: Boolean ) of Object;
property OnTimestampRequest: TTimestampRequestEvent read FOnTimestampRequest write FOnTimestampRequest;
Remarks
Subscribe to this event to be intercept timestamp requests. You can use it to override timestamping requests and perform them in your code.
The TSA parameter indicates the timestamping service being used. It matches the value passed to TimestampServer property. Set SuppressDefault parameter to false if you would like to stop the built-in TSA request from going ahead. The built-in TSA request is also not performed if the returned TimestampResponse parameter is not empty.
TLSCertNeeded Event (MessageSigner Component)
Fires when a remote TLS party requests a client certificate.
Syntax
type TTLSCertNeededEvent = procedure ( Sender: TObject; const Host: String; const CANames: String ) of Object;
property OnTLSCertNeeded: TTLSCertNeededEvent read FOnTLSCertNeeded write FOnTLSCertNeeded;
Remarks
This event fires to notify the implementation that a remote TLS server has requested a client certificate. The Host parameter identifies the host that makes a request, and the CANames (optional, according to the TLS spec) advises on the accepted issuing CAs.
Use the TLSClientChain property in response to this event to provide the requested certificate. Please make sure the client certificate includes the associated private key. Note that you may set the certificates before the connection without waiting for this event to fire.
This event is preceded by the TLSHandshake event for the given host and, if the certificate was accepted, succeeded by the TLSEstablished event.
TLSCertValidate Event (MessageSigner Component)
This event is fired upon receipt of the TLS server's certificate, allowing the user to control its acceptance.
Syntax
type TTLSCertValidateEvent = procedure ( Sender: TObject; const ServerHost: String; const ServerIP: String; var Accept: Boolean ) of Object;
property OnTLSCertValidate: TTLSCertValidateEvent read FOnTLSCertValidate write FOnTLSCertValidate;
Remarks
This event is fired during a TLS handshake. Use TLSServerChain property to access the certificate chain. In general case, components may contact a number of TLS endpoints during their work, depending on their configuration.
Accept is assigned in accordance with the outcome of the internal validation check performed by the component, and can be adjusted if needed.
TLSEstablished Event (MessageSigner Component)
Fires when a TLS handshake with Host successfully completes.
Syntax
type TTLSEstablishedEvent = procedure ( Sender: TObject; const Host: String; const Version: String; const Ciphersuite: String; ConnectionId: TBytes; var Abort: Boolean ) of Object;
property OnTLSEstablished: TTLSEstablishedEvent read FOnTLSEstablished write FOnTLSEstablished;
Remarks
The component uses this event to notify the application about successful completion of a TLS handshake.
The Version, Ciphersuite, and ConnectionId parameters indicate security parameters of the new connection. Use the Abort parameter if you need to terminate the connection at this stage.
TLSHandshake Event (MessageSigner Component)
Fires when a new TLS handshake is initiated, before the handshake commences.
Syntax
type TTLSHandshakeEvent = procedure ( Sender: TObject; const Host: String; var Abort: Boolean ) of Object;
property OnTLSHandshake: TTLSHandshakeEvent read FOnTLSHandshake write FOnTLSHandshake;
Remarks
The component uses this event to notify the application about the start of a new TLS handshake to Host. If the handshake is successful, this event will be followed with TLSEstablished event. If the server chooses to request a client certificate, TLSCertNeeded event will also be fired.
TLSShutdown Event (MessageSigner Component)
Reports the graceful closure of a TLS connection.
Syntax
type TTLSShutdownEvent = procedure ( Sender: TObject; const Host: String ) of Object;
property OnTLSShutdown: TTLSShutdownEvent read FOnTLSShutdown write FOnTLSShutdown;
Remarks
This event notifies the application about the closure of an earlier established TLS connection. Note that only graceful connection closures are reported.
Certificate Type
Provides details of an individual X.509 certificate.
Remarks
This type provides access to X.509 certificate details.
Fields
|
Bytes TBytes |
Returns raw certificate data in DER format. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
CA Boolean |
Indicates whether the certificate has a CA capability (a setting in BasicConstraints extension). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
CAKeyID TBytes |
A unique identifier (fingerprint) of the CA certificate's private key. Authority Key Identifier is a (non-critical) X.509 certificate extension which allows the identification of certificates produced by the same issuer, but with different public keys. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
CRLDistributionPoints String |
Locations of the CRL (Certificate Revocation List) distribution points used to check this certificate's validity. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Curve String |
Specifies the elliptic curve of the EC public key.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Fingerprint TBytes |
Contains the fingerprint (a hash imprint) of this certificate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
FriendlyName String |
Contains an associated alias (friendly name) of the certificate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Handle Int64 |
Allows to get or set a 'handle', a unique identifier of the underlying property object. Use this property to assign objects of the same type in a quicker manner, without copying them fieldwise. When you pass a handle of one object to another, the source object is copied to the destination rather than assigned. It is safe to get rid of the original object
after such operation.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
HashAlgorithm String |
Specifies the hash algorithm to be used in the operations on the certificate (such as key signing)
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Issuer String |
The common name of the certificate issuer (CA), typically a company name. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
IssuerRDN String |
A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate issuer. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
KeyAlgorithm String |
Specifies the public key algorithm of this certificate.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
KeyBits Integer |
Returns the length of the public key. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
KeyFingerprint TBytes |
Returns a fingerprint of the public key contained in the certificate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
KeyUsage Integer |
Indicates the purposes of the key contained in the certificate, in the form of an OR'ed flag set. This value is a bit mask of the following values:
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
KeyValid Boolean |
Returns True if the certificate's key is cryptographically valid, and False otherwise. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
OCSPLocations String |
Locations of OCSP (Online Certificate Status Protocol) services that can be used to check this certificate's validity, as recorded by the CA. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
OCSPNoCheck Boolean |
Accessor to the value of the certificates ocsp-no-check extension. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Origin Integer |
Returns the origin of this certificate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
PolicyIDs String |
Contains identifiers (OIDs) of the applicable certificate policies. The Certificate Policies extension identifies a sequence of policies under which the certificate has been issued, and which regulate its usage. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
PrivateKeyBytes TBytes |
Contains the certificate's private key. It is normal for this property to be empty if the private key is non-exportable. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
PrivateKeyExists Boolean |
Indicates whether the certificate has an associated private key. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
PrivateKeyExtractable Boolean |
Indicates whether the private key is extractable |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
PublicKeyBytes TBytes |
Contains the certificate's public key in DER format. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
QualifiedStatements TsbxQualifiedStatementsTypes |
Returns the qualified status of the certificate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
SelfSigned Boolean |
Indicates whether the certificate is self-signed (root) or signed by an external CA. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
SerialNumber TBytes |
Returns the certificate's serial number. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
SigAlgorithm String |
Indicates the algorithm that was used by the CA to sign this certificate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Subject String |
The common name of the certificate holder, typically an individual's name, a URL, an e-mail address, or a company name. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
SubjectAlternativeName String |
Returns or sets the value of the Subject Alternative Name extension of the certificate. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
SubjectKeyID TBytes |
Contains a unique identifier (fingerprint) of the certificate's private key. Subject Key Identifier is a (non-critical) X.509 certificate extension which allows the identification of certificates containing a particular public key. In SecureBlackbox, the unique identifier is represented with a SHA1 hash of the bit string of the subject public key. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
SubjectRDN String |
A collection of information, in the form of [OID, Value] pairs, uniquely identifying the certificate holder (subject). |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
ValidFrom String |
The time point at which the certificate becomes valid, in UTC. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
ValidTo String |
The time point at which the certificate expires, in UTC. |
Constructors
>
constructor Create();
Creates a new object with default field values.
ExternalCrypto Type
Specifies the parameters of external cryptographic calls.
Remarks
External cryptocalls are used in a Distributed Cryptography (DC) subsystem, which allows the delegation of security operations to the remote agent. For instance, it can be used to compute the signature value on the server, while retaining the client's private key locally.
Fields
|
AsyncDocumentID String |
Specifies an optional document ID for SignAsyncBegin() and SignAsyncEnd() calls. Use this property when working with multi-signature DCAuth requests and responses to uniquely identify documents signed within a larger batch. On the completion stage, this value helps the signing component identify the correct signature in the returned batch of responses. If using batched requests, make sure to set this property to the same value on both pre-signing (SignAsyncBegin) and completion (SignAsyncEnd) stages. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
CustomParams String |
Custom parameters to be passed to the signing service (uninterpreted). |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Data String |
Additional data to be included in the async state and mirrored back by the requestor |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
ExternalHashCalculation Boolean |
Specifies whether the message hash is to be calculated at the external endpoint. Please note that this mode is not supported by all components. In particular, components operating with larger objects (PDFSigner, CAdESSigner, XAdESSigner) do not support it. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
HashAlgorithm String |
Specifies the request's signature hash algorithm.
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
KeyID String |
The ID of the pre-shared key used for DC request authentication. Asynchronous DCAuth-driven communication requires that parties authenticate each other with a secret pre-shared cryptographic key. This provides extra protection layer for the protocol and diminishes the risk of private key becoming abused by foreign parties. Use this property to provide the pre-shared key identifier, and use KeySecret to pass the key itself. The same KeyID/KeySecret pair should be used on the DCAuth side for the signing requests to be accepted. Note: The KeyID/KeySecret scheme is very similar to the AuthKey scheme used in various Cloud service providers to authenticate users. Example:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
KeySecret String |
The pre-shared key used for DC request authentication. This key must be set and match the key used by the DCAuth counterpart for the scheme to work. Read more about configuring authentication in the KeyID topic. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Method TsbxAsyncSignMethods |
Specifies the asynchronous signing method. This is typically defined by the DC server capabilities and setup. Available options:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Mode TsbxExternalCryptoModes |
Specifies the external cryptography mode. Available options:
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
PublicKeyAlgorithm String |
Provide public key algorithm here if the certificate is not available on the pre-signing stage.
|
Constructors
>
constructor Create();
Creates a new ExternalCrypto object with default field values.
ProxySettings Type
A container for proxy server settings.
Remarks
This type exposes a collection of properties for tuning up the proxy server configuration.
Fields
|
Address String |
The IP address of the proxy server. |
||||||||||
|
Authentication TsbxProxyAuthTypes |
The authentication type used by the proxy server.
|
||||||||||
|
Password String |
The password to authenticate to the proxy server. |
||||||||||
|
Port Integer |
The port on the proxy server to connect to. |
||||||||||
|
ProxyType TsbxProxyTypes |
The type of the proxy server. The WebTunnel proxy is also known as HTTPS proxy. Unlike HTTP proxy, HTTPS proxy (WebTunnel) provides end-to-end security.
|
||||||||||
|
RequestHeaders String |
Contains HTTP request headers for WebTunnel and HTTP proxy. |
||||||||||
|
ResponseBody String |
Contains the HTTP or HTTPS (WebTunnel) proxy response body. |
||||||||||
|
ResponseHeaders String |
Contains response headers received from an HTTP or HTTPS (WebTunnel) proxy server. |
||||||||||
|
UseIPv6 Boolean |
Specifies whether IPv6 should be used when connecting through the proxy. |
||||||||||
|
UseProxy Boolean |
Enables or disables proxy-driven connection. |
||||||||||
|
Username String |
Specifies the username credential for proxy authentication. |
Constructors
>
constructor Create();
Creates a new ProxySettings object.
SignatureAttribute Type
Represents an attribute of a digital PKCS#7/CMS signature.
Remarks
Attributes store auxiliary information about the signed message, the signature, or the owner. Each attribute is a OID=Value pair.
Common attributes are signing time, a content type, a policy identifier, and a signature timestamp.
Fields
|
OID String |
The object identifier of the attribute. |
|
Value TBytes |
The value of the attribute. |
Constructors
>
constructor Create();
Creates a new, empty, signature attribute.
SocketSettings Type
A container for the socket settings.
Remarks
This type is a container for socket-layer parameters.
Fields
|
DNSMode TsbxDNSResolveModes |
Selects the DNS resolver to use: the component's (secure) built-in one, or the one provided by the system.
|
||||||||
|
DNSPort Integer |
Specifies the port number to be used for sending queries to the DNS server. |
||||||||
|
DNSQueryTimeout Integer |
The timeout (in milliseconds) for each DNS query. The value of 0 indicates the infinite timeout. |
||||||||
|
DNSServers String |
The addresses of DNS servers to use for address resolution, separated by commas or semicolons. |
||||||||
|
DNSTotalTimeout Integer |
The timeout (in milliseconds) for the whole resolution process. The value of 0 indicates the infinite timeout. |
||||||||
|
IncomingSpeedLimit Integer |
The maximum number of bytes to read from the socket, per second. |
||||||||
|
LocalAddress String |
The local network interface to bind the socket to. |
||||||||
|
LocalPort Integer |
The local port number to bind the socket to. |
||||||||
|
OutgoingSpeedLimit Integer |
The maximum number of bytes to write to the socket, per second. |
||||||||
|
Timeout Integer |
The maximum period of waiting, in milliseconds, after which the socket operation is considered unsuccessful. If Timeout is set to 0, a socket operation will expire after the system-default timeout (2 hrs 8 min for TCP stack). |
||||||||
|
UseIPv6 Boolean |
Enables or disables IP protocol version 6. |
Constructors
>
constructor Create();
Creates a new SocketSettings object.
TLSSettings Type
A container for TLS connection settings.
Remarks
TLS (Transport Layer Security) protocol provides security for information exchanged over insecure connections such as TCP/IP.
Fields
|
AutoValidateCertificates Boolean |
Specifies whether server-side TLS certificates should be validated automatically using internal validation rules. |
|||||||||||||||||||||||||||||||||
|
BaseConfiguration TsbxSecureTransportPredefinedConfigurations |
Selects the base configuration for the TLS settings. Several profiles are on offer, tuned up for different purposes, such as high security or higher compatibility.
|
|||||||||||||||||||||||||||||||||
|
Ciphersuites String |
A list of ciphersuites separated with commas or semicolons. Each ciphersuite in the list may be prefixed with a minus sign (-) to indicate that the ciphersuite should be disabled rather than enabled. Besides the specific ciphersuite modifiers, this property supports the all (and -all) aliases that allow to blanketly enable or disable all ciphersuites at once. Note: the list of ciphersuites provided to this property alters the baseline list of ciphersuites as defined by BaseConfiguration. Remember to start your ciphersuite string with -all; if you need to only enable a specific fixed set of ciphersuites. The list of supported ciphersuites is provided below:
|
|||||||||||||||||||||||||||||||||
|
ECCurves String |
Defines the elliptic curves to enable. |
|||||||||||||||||||||||||||||||||
|
Extensions String |
Provides access to TLS extensions. |
|||||||||||||||||||||||||||||||||
|
ForceResumeIfDestinationChanges Boolean |
Whether to force TLS session resumption when the destination address changes. |
|||||||||||||||||||||||||||||||||
|
PreSharedIdentity String |
Defines the identity used when the PSK (Pre-Shared Key) key-exchange mechanism is negotiated. |
|||||||||||||||||||||||||||||||||
|
PreSharedKey String |
Contains the pre-shared for the PSK (Pre-Shared Key) key-exchange mechanism, encoded with base16. |
|||||||||||||||||||||||||||||||||
|
PreSharedKeyCiphersuite String |
Defines the ciphersuite used for PSK (Pre-Shared Key) negotiation. |
|||||||||||||||||||||||||||||||||
|
RenegotiationAttackPreventionMode TsbxRenegotiationAttackPreventionModes |
Selects renegotiation attack prevention mechanism. The following options are available:
|
|||||||||||||||||||||||||||||||||
|
RevocationCheck TsbxRevocationCheckKinds |
Specifies the kind(s) of revocation check to perform. Revocation checking is necessary to ensure the integrity of the chain and obtain up-to-date certificate validity and trustworthiness information.
This setting controls the way the revocation checks are performed. Typically certificates come with two types of revocation information sources: CRL (certificate revocation lists) and OCSP responders. CRLs are static objects periodically published by the CA at some online location. OCSP responders are active online services maintained by the CA that can provide up-to-date information on certificate statuses in near real time. There are some conceptual differences between the two. CRLs are normally larger in size. Their use involves some latency because there is normally some delay between the time when a certificate was revoked and the time the subsequent CRL mentioning that is published. The benefits of CRL is that the same object can provide statuses for all certificates issued by a particular CA, and that the whole technology is much simpler than OCSP (and thus is supported by more CAs). This setting lets you adjust the validation course by including or excluding certain types of revocation sources from the validation process. The crcAnyOCSPOrCRL setting (give preference to faster OCSP route and only demand one source to succeed) is a good choice for most of typical validation environments. The 'crcAll*' modes are much stricter, and may be used in scenarios where bulletproof validity information is essential. |
|||||||||||||||||||||||||||||||||
|
SSLOptions Integer |
Various SSL (TLS) protocol options, set of
|
|||||||||||||||||||||||||||||||||
|
TLSMode TsbxSSLModes |
Specifies the TLS mode to use.
|
|||||||||||||||||||||||||||||||||
|
UseExtendedMasterSecret Boolean |
Enables Extended Master Secret Extension, as defined in RFC 7627. |
|||||||||||||||||||||||||||||||||
|
UseSessionResumption Boolean |
Enables or disables TLS session resumption capability. |
|||||||||||||||||||||||||||||||||
|
Versions Integer |
Th SSL/TLS versions to enable by default.
|
Constructors
>
constructor Create();
Creates a new TLSSettings object.
Config Settings (MessageSigner Component)
The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.MessageSigner Config Settings | ||||||||||||||||||||||||||||||
| ContentType: Content type of the message.Specifies the content type of the PKCS#7 message. | ||||||||||||||||||||||||||||||
| TempPath: Path for storing temporary files.This setting specifies an absolute path to the location on disk where temporary files are stored. | ||||||||||||||||||||||||||||||
| TLSChainValidationDetails: Contains the advanced details of the TLS server certificate validation.Check this property in TLSCertValidate event handler to access the TLS certificate validation details. | ||||||||||||||||||||||||||||||
| TLSChainValidationResult: Contains the result of the TLS server certificate validation.Check this property in TLSCertValidate event handler to obtain the TLS certificate validation result. | ||||||||||||||||||||||||||||||
| TLSClientAuthRequested: Indicates whether the TLS server requests client authentication.Check this property in TLSCertValidate event handler to find out whether the TLS server requests the client to provide the authentication certificate. If this property is set to true, provide your certificate via TLSClientChain property. Note that the component may fire this event more than once during each operation, as more than one TLS-enabled server may need to be contacted. | ||||||||||||||||||||||||||||||
| TLSValidationLog: Contains the log of the TLS server certificate validation.Check this property in TLSCertValidate event handler to retrieve the validation log of the TLS server. | ||||||||||||||||||||||||||||||
| TspHashAlgorithm: Sets a specific hash algorithm for use with the timestamping service.In its default configuration MessageSigner uses the same hash algorithm (taken from the HashAlgorithm property) for the main signature and any associated timestamps. Use this property to specify a different hash algorithm for the timestamp. | ||||||||||||||||||||||||||||||
| TspReqPolicy: Sets a request policy ID to include in the timestamping request.Use this property to provide a specific request policy OID to include in the timestamping request. Use the standard human-readable OID notation (1.2.3.4.5). | ||||||||||||||||||||||||||||||
| UsePSS: Whether to use RSASSA-PSS algorithm.Although the RSASSA-PSS algorithm provides better security than a classic RSA scheme (PKCS#1-1.5), please take into account that RSASSA-PSS is a relatively new algorithm which may not be understood by older implementations. | ||||||||||||||||||||||||||||||
| UseUndefSize: Allows or forbids the use of ASN.1 tags of undefined size.Usually PKCS#7 messages are handled correctly when undefined-size tags are used. However some ASN.1 parsers (S/MIME handler in Outlook Express, security plugins of Adobe Acrobat) can't correctly handle such tags. If you are targeting such software, you need this property. | ||||||||||||||||||||||||||||||
Base Config Settings | ||||||||||||||||||||||||||||||
| CheckKeyIntegrityBeforeUse:
Enables or disable private key integrity check before use.This global property enables or disables private key material check before each signing operation. This slows down performance a bit,
but prevents a selection of attacks on RSA keys where keys with unknown origins are used.
You can switch this property off to improve performance if your project only uses known, good private keys. |
||||||||||||||||||||||||||||||
| CookieCaching:
Specifies whether a cookie cache should be used for HTTP(S) transports.Set this property to enable or disable cookies caching for the component.
Supported values are:
|
||||||||||||||||||||||||||||||
| Cookies: Gets or sets local cookies for the component (supported for HTTPClient, RESTClient and SOAPClient only).Use this property to get cookies from the internal cookie storage of the component and/or restore them back between application sessions. | ||||||||||||||||||||||||||||||
| DefDeriveKeyIterations: Specifies the default key derivation algorithm iteration count.This global property sets the default number of iterations for all supported key derivation algorithms. Note that you can provide the required number of iterations by using properties of the relevant key generation component; this global setting is used in scenarios where specific iteration count is not or cannot be provided. | ||||||||||||||||||||||||||||||
| EnableClientSideSSLFFDHE:
Enables or disables finite field DHE key exchange support in TLS clients.This global property enables or disables support for finite field DHE key exchange methods in TLS clients. FF DHE is a slower
algorithm if compared to EC DHE; enabling it may result in slower connections.
This setting only applies to sessions negotiated with TLS version 1.3. |
||||||||||||||||||||||||||||||
| GlobalCookies: Gets or sets global cookies for all the HTTP transports.Use this property to get cookies from the GLOBAL cookie storage or restore them back between application sessions. These cookies will be used by all the components that have its CookieCaching property set to "global". | ||||||||||||||||||||||||||||||
| HttpUserAgent: Specifies the user agent name to be used by all HTTP clients.This global setting defines the User-Agent field of the HTTP request provides information about the software that initiates the request. This value will be used by all the HTTP clients including the ones used internally in other components. | ||||||||||||||||||||||||||||||
| LogDestination:
Specifies the debug log destination.Contains a comma-separated list of values that specifies where debug log should be dumped.
Supported values are:
|
||||||||||||||||||||||||||||||
| LogDetails:
Specifies the debug log details to dump.Contains a comma-separated list of values that specifies which debug log details to dump.
Supported values are:
|
||||||||||||||||||||||||||||||
| LogFile: Specifies the debug log filename.Use this property to provide a path to the log file. | ||||||||||||||||||||||||||||||
| LogFilters:
Specifies the debug log filters.Contains a comma-separated list of value pairs ("name:value") that describe filters.
Supported filter names are:
|
||||||||||||||||||||||||||||||
LogFlushMode:
Specifies the log flush mode.Use this property to set the log flush mode. The following values are defined:
|
||||||||||||||||||||||||||||||
| LogLevel:
Specifies the debug log level.Use this property to provide the desired debug log level.
Supported values are:
|
||||||||||||||||||||||||||||||
| LogMaxEventCount:
Specifies the maximum number of events to cache before further action is taken.Use this property to specify the log event number threshold. This threshold may have different effects,
depending on the rotation setting and/or the flush mode.
The default value of this setting is 100. |
||||||||||||||||||||||||||||||
LogRotationMode:
Specifies the log rotation mode.Use this property to set the log rotation mode. The following values are defined:
|
||||||||||||||||||||||||||||||
| MaxASN1BufferLength: Specifies the maximal allowed length for ASN.1 primitive tag data.This global property limits the maximal allowed length for ASN.1 tag data for non-content-carrying structures, such as certificates, CRLs, or timestamps. It does not affect structures that can carry content, such as CMS/CAdES messages. This is a security property aiming at preventing DoS attacks. | ||||||||||||||||||||||||||||||
| MaxASN1TreeDepth: Specifies the maximal depth for processed ASN.1 trees.This global property limits the maximal depth of ASN.1 trees that the component can handle without throwing an error. This is a security property aiming at preventing DoS attacks. | ||||||||||||||||||||||||||||||
| OCSPHashAlgorithm: Specifies the hash algorithm to be used to identify certificates in OCSP requests.This global setting defines the hash algorithm to use in OCSP requests during chain validation. Some OCSP responders can only use older algorithms, in which case setting this property to SHA1 may be helpful. | ||||||||||||||||||||||||||||||
| StaticDNS:
Specifies whether static DNS rules should be used.Set this property to enable or disable static DNS rules for the component. Works only if UseOwnDNSResolver is set to true.
Supported values are:
|
||||||||||||||||||||||||||||||
| StaticIPAddress[domain]: Gets or sets an IP address for the specified domain name.Use this property to get or set an IP address for the specified domain name in the internal (of the component) or global DNS rules storage depending on the StaticDNS value. The type of the IP address (IPv4 or IPv6) is determined automatically. If both addresses are available, they are devided by the | (pipe) character. | ||||||||||||||||||||||||||||||
| StaticIPAddresses: Gets or sets all the static DNS rules.Use this property to get static DNS rules from the current rules storage or restore them back between application sessions. If StaticDNS of the component is set to "local", the property returns/restores the rules from/to the internal storage of the component. If StaticDNS of the component is set to "global", the property returns/restores the rules from/to the GLOBAL storage. The rules list is returned and accepted in JSON format. | ||||||||||||||||||||||||||||||
| Tag: Allows to store any custom data.Use this config property to store any custom data. | ||||||||||||||||||||||||||||||
| UseOwnDNSResolver: Specifies whether the client components should use own DNS resolver.Set this global property to false to force all the client components to use the DNS resolver provided by the target OS instead of using own one. | ||||||||||||||||||||||||||||||
| UseSharedSystemStorages: Specifies whether the validation engine should use a global per-process copy of the system certificate stores.Set this global property to false to make each validation run use its own copy of system certificate stores. | ||||||||||||||||||||||||||||||
| UseSystemOAEPAndPSS:
Enforces or disables the use of system-driven RSA OAEP and PSS computations.This global setting defines who is responsible for performing RSA-OAEP and RSA-PSS computations where the private key is stored in a Windows system store and is exportable.
If set to true, SBB will delegate the computations to Windows via a CryptoAPI call. Otherwise, it will export the key material and perform the computations
using its own OAEP/PSS implementation.
This setting only applies to certificates originating from a Windows system store. |
||||||||||||||||||||||||||||||
| UseSystemRandom: Enables or disables the use of the OS PRNG.Use this global property to enable or disable the use of operating system-driven pseudorandom number generation. |
Trappable Errors (MessageSigner Component)
MessageSigner Errors
| 1048577 Invalid parameter value (SB_ERROR_INVALID_PARAMETER) | |
| 1048578 Component is configured incorrectly (SB_ERROR_INVALID_SETUP) | |
| 1048579 Operation cannot be executed in the current state (SB_ERROR_INVALID_STATE) | |
| 1048580 Attempt to set an invalid value to a property (SB_ERROR_INVALID_VALUE) | |
| 1048581 Certificate does not have its private key loaded (SB_ERROR_NO_PRIVATE_KEY) | |
| 1048581 Cancelled by the user (SB_ERROR_CANCELLED_BY_USER) |