ASiCVerifier Class

Properties   Methods   Events   Config Settings   Errors  

The ASiCVerifier class verifies signature containers.

Syntax

secureblackbox.Asicverifier

Remarks

ASiCVerifier provides the functionality of verifying signatures residing in Associated Signature Containers.

Both ASiC-S and ASiC-E profiles are supported.

Property List

---

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

Method List

---

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

Event List

---

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

Config Settings

---

The following is a list of config settings for the class with short descriptions. Click on the links for further details.

AllSignaturesValid Property (ASiCVerifier Class)

The cumulative validity of all signatures.

Syntax

public boolean isAllSignaturesValid();

Default Value

False

Remarks

Use this property to check if all the signatures found in the message or document are valid.

This property is read-only and not available at design time.

AutoValidateSignatures Property (ASiCVerifier Class)

Specifies whether ASiCVerifier should validate any present signatures when the document is opened.

Syntax

public boolean isAutoValidateSignatures();


public void setAutoValidateSignatures(boolean autoValidateSignatures);

Default Value

True

Remarks

This setting is switched on by default. You can choose to set this property to false in order to validate the signatures manually on a later stage using the Revalidate method.

BlockedCertificates Property (ASiCVerifier Class)

The certificates that must be rejected as trust anchors.

Syntax

public CertificateList getBlockedCertificates();


public void setBlockedCertificates(CertificateList blockedCertificates);

Remarks

Use this property to provide a list of compromised or blocked certificates. Any chain containing a blocked certificate will fail validation.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

Certificates Property (ASiCVerifier Class)

A collection of certificates included in the electronic signature.

Syntax

public CertificateList getCertificates();

Remarks

Use this property to access all certificates included into the signature(s) by its creator.

This property is read-only and not available at design time.

Please refer to the Certificate type for a complete list of fields.

CRLs Property (ASiCVerifier Class)

A collection of certificate revocation lists embedded into the signature by the signer.

Syntax

public CRLList getCRLs();

Remarks

Use this property to access the CRLs embedded into the signature by the signer.

This property is read-only and not available at design time.

Please refer to the CRL type for a complete list of fields.

ExtractionMode Property (ASiCVerifier Class)

Specifies which entries should be extracted from the container upon verification.

Syntax

public int getExtractionMode();


public void setExtractionMode(int extractionMode);


Enumerated values:
  public final static int aemNone = 0;
  public final static int aemAll = 1;
  public final static int aemSigned = 2;
  public final static int aemSignedAndValid = 3;

Default Value

0

Remarks

Use this property to choose entries that should be extracted in the Verify method. Choose between extracting all files, signed-only, signed and with verified signature, and none at all (verify-only mode).

Files Property (ASiCVerifier Class)

Lists all files contained in the container.

Syntax

public ArchivedFileList getFiles();

Remarks

Use this collection property to walk through the list of files contained in the archive.

This property is read-only and not available at design time.

Please refer to the ArchivedFile type for a complete list of fields.

FIPSMode Property (ASiCVerifier Class)

Reserved.

Syntax

public boolean isFIPSMode();


public void setFIPSMode(boolean FIPSMode);

Default Value

False

Remarks

This property is reserved for future use.

IgnoreChainValidationErrors Property (ASiCVerifier Class)

Makes the class tolerant to chain validation errors.

Syntax

public boolean isIgnoreChainValidationErrors();


public void setIgnoreChainValidationErrors(boolean ignoreChainValidationErrors);

Default Value

False

Remarks

If this property is set to True, any errors emerging during certificate chain validation will be ignored. This setting may be handy if the purpose of validation is the creation of an LTV signature, and the validation is performed in an environment that doesn't trust the signer's certificate chain.

InputBytes Property (ASiCVerifier Class)

Use this property to pass the input to class in byte array form.

Syntax

public byte[] getInputBytes();


public void setInputBytes(byte[] inputBytes);

Remarks

Assign a byte array containing the data to be processed to this property.

This property is not available at design time.

InputFile Property (ASiCVerifier Class)

A path to the ASiC container to process.

Syntax

public String getInputFile();


public void setInputFile(String inputFile);

Default Value

""

Remarks

Use this property to provide a path to the signature container. Use InputStream to provide the container from memory rather than a disk file.

InputStream Property (ASiCVerifier Class)

A stream containing ASiC data.

Syntax

public java.io.InputStream getInputStream();


public void setInputStream(java.io.InputStream inputStream);

Default Value

null

Remarks

Use this property to feed ASiC data to the component from a stream object.

This property is not available at design time.

KnownCertificates Property (ASiCVerifier Class)

Additional certificates for chain validation.

Syntax

public CertificateList getKnownCertificates();


public void setKnownCertificates(CertificateList knownCertificates);

Remarks

Use this property to supply a list of additional certificates that might be needed for chain validation. An example of a scenario where you might want to do that is when intermediary CA certificates are absent from the standard system locations (or when there are no standard system locations), and therefore should be supplied to the class manually.

The purpose of the certificates to be added to this collection is roughly equivalent to that of the Intermediate Certification Authorities system store in Windows.

Do not add trust anchors or root certificates to this collection: add them to TrustedCertificates instead.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

KnownCRLs Property (ASiCVerifier Class)

Additional CRLs for chain validation.

Syntax

public CRLList getKnownCRLs();


public void setKnownCRLs(CRLList knownCRLs);

Remarks

Use this property to supply additional CRLs that might be needed for chain validation. This property may be helpful when a chain is validated in offline mode, and the associated CRLs are stored separately from the signed message or document.

This property is not available at design time.

Please refer to the CRL type for a complete list of fields.

KnownOCSPs Property (ASiCVerifier Class)

Additional OCSP responses for chain validation.

Syntax

public OCSPResponseList getKnownOCSPs();


public void setKnownOCSPs(OCSPResponseList knownOCSPs);

Remarks

Use this property to supply additional OCSP responses that might be needed for chain validation. This property may be helpful when a chain is validated in offline mode, and the associated OCSP responses are stored separately from the signed message or document.

This property is not available at design time.

Please refer to the OCSPResponse type for a complete list of fields.

OCSPs Property (ASiCVerifier Class)

A collection of OCSP responses embedded into the signature.

Syntax

public OCSPResponseList getOCSPs();

Remarks

Use this property to access the OCSP responses embedded into the signature by its creator.

This property is read-only and not available at design time.

Please refer to the OCSPResponse type for a complete list of fields.

OfflineMode Property (ASiCVerifier Class)

Switches the class to offline mode.

Syntax

public boolean isOfflineMode();


public void setOfflineMode(boolean offlineMode);

Default Value

False

Remarks

When working in offline mode, the class restricts itself from using any online revocation information sources, such as CRL or OCSP responders.

Offline mode may be useful if there is a need to verify the completeness of the validation information included within the signature or provided via KnownCertificates, KnownCRLs, and other related properties.

OutputBytes Property (ASiCVerifier Class)

Use this property to read the output the class object has produced.

Syntax

public byte[] getOutputBytes();

Remarks

Read the contents of this property after the operation has completed to read the produced output. This property will only be set if the OutputFile and OutputStream properties had not been assigned.

This property is read-only and not available at design time.

OutputFile Property (ASiCVerifier Class)

The file where the processed data will be saved.

Syntax

public String getOutputFile();


public void setOutputFile(String outputFile);

Default Value

""

Remarks

Provides a path to the file where the class should save the updated container.

OutputPath Property (ASiCVerifier Class)

A local path to extract the files to.

Syntax

public String getOutputPath();


public void setOutputPath(String outputPath);

Default Value

""

Remarks

Assign this property with a path where the extracted files (selected according to ExtractionMode criteria) are to be saved.

OutputStream Property (ASiCVerifier Class)

The stream where the file is to be extracted.

Syntax

public java.io.OutputStream getOutputStream();


public void setOutputStream(java.io.OutputStream outputStream);

Default Value

null

Remarks

Use this property to specify the stream to take the data extracted from the container.

This property is not available at design time.

Profile Property (ASiCVerifier Class)

Specifies a pre-defined profile to apply when creating the signature.

Syntax

public String getProfile();


public void setProfile(String profile);

Default Value

""

Remarks

Advanced signatures come in many variants, which are often defined by parties that needs to process them or by local standards. SecureBlackbox profiles are sets of pre-defined configurations which correspond to particular signature variants. By specifying a profile, you are pre-configuring the component to make it produce the signature that matches the configuration corresponding to that profile.

RevocationCheck Property (ASiCVerifier Class)

Specifies the kind(s) of revocation check to perform for all chain certificates.

Syntax

public int getRevocationCheck();


public void setRevocationCheck(int revocationCheck);


Enumerated values:
  public final static int crcNone = 0;
  public final static int crcAuto = 1;
  public final static int crcAllCRL = 2;
  public final static int crcAllOCSP = 3;
  public final static int crcAllCRLAndOCSP = 4;
  public final static int crcAnyCRL = 5;
  public final static int crcAnyOCSP = 6;
  public final static int crcAnyCRLOrOCSP = 7;
  public final static int crcAnyOCSPOrCRL = 8;

Default Value

1

Remarks

Revocation checking is necessary to ensure the integrity of the chain and obtain up-to-date certificate validity and trustworthiness information.

Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responses serve the same purpose of ensuring that the certificate had not been revoked by the Certificate Authority (CA) at the time of use. Depending on your circumstances and security policy requirements, you may want to use either one or both of the revocation information source types.

This setting controls the way the revocation checks are performed for every certificate in the chain. Typically certificates come with two types of revocation information sources: CRL (certificate revocation lists) and OCSP responders. CRLs are static objects periodically published by the CA at some online location. OCSP responders are active online services maintained by the CA that can provide up-to-date information on certificate statuses in near real time.

There are some conceptual differences between the two. CRLs are normally larger in size. Their use involves some latency because there is normally some delay between the time when a certificate was revoked and the time the subsequent CRL mentioning that is published. The benefits of CRL is that the same object can provide statuses for all certificates issued by a particular CA, and that the whole technology is much simpler than OCSP (and thus is supported by more CAs).

This setting lets you adjust the validation course by including or excluding certain types of revocation sources from the validation process. The crcAnyOCSPOrCRL setting (give preference to the faster OCSP route and only demand one source to succeed) is a good choice for most typical validation environments. The "crcAll*" modes are much stricter, and may be used in scenarios where bulletproof validity information is essential.

Note: If no CRL or OCSP endpoints are provided by the CA, the revocation check will be considered successful. This is because the CA chose not to supply revocation information for its certificates, meaning they are considered irrevocable.

Note: Within each of the above settings, if any retrieved CRL or OCSP response indicates that the certificate has been revoked, the revocation check fails.

Signatures Property (ASiCVerifier Class)

Contains the list of signatures included in the ASiC container.

Syntax

public ASiCSignatureList getSignatures();

Remarks

Use this property to access all signatures in the container.

This property is read-only and not available at design time.

Please refer to the ASiCSignature type for a complete list of fields.

SocketSettings Property (ASiCVerifier Class)

Manages network connection settings.

Syntax

public SocketSettings getSocketSettings();

Remarks

Use this property to tune up network connection parameters.

This property is read-only.

Please refer to the SocketSettings type for a complete list of fields.

Timestamps Property (ASiCVerifier Class)

Contains a collection of timestamps for the processed document.

Syntax

public TimestampInfoList getTimestamps();

Remarks

Use this property to access the timestamps included in the processed document.

This property is read-only and not available at design time.

Please refer to the TimestampInfo type for a complete list of fields.

TLSClientChain Property (ASiCVerifier Class)

The TLS client certificate chain.

Syntax

public CertificateList getTLSClientChain();


public void setTLSClientChain(CertificateList TLSClientChain);

Remarks

Assign a certificate chain to this property to enable TLS client authentication in the class. Note that the client's end-entity certificate should have a private key associated with it.

Use the CertificateStorage or CertificateManager components to import the certificate from a file, system store, or PKCS11 device.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

TLSServerChain Property (ASiCVerifier Class)

The TLS server's certificate chain.

Syntax

public CertificateList getTLSServerChain();

Remarks

Use this property to access the certificate chain sent by the TLS server. This property is ready to read when the TLSCertValidate event is fired by the client component.

This property is read-only and not available at design time.

Please refer to the Certificate type for a complete list of fields.

TLSSettings Property (ASiCVerifier Class)

Manages TLS layer settings.

Syntax

public TLSSettings getTLSSettings();

Remarks

Use this property to tune up the TLS layer parameters.

This property is read-only.

Please refer to the TLSSettings type for a complete list of fields.

TrustedCertificates Property (ASiCVerifier Class)

A list of trusted certificates for chain validation.

Syntax

public CertificateList getTrustedCertificates();


public void setTrustedCertificates(CertificateList trustedCertificates);

Remarks

Use this property to supply a list of trusted certificates that might be needed for chain validation. An example of a scenario where you might want to do that is when root CA certificates are absent from the standard system locations (or when there are no standard system locations), and therefore should be supplied to the component manually.

The purpose of this certificate collection is largely the same as that of the Windows Trusted Root Certification Authorities system store.

Use this property with extreme care as it directly affects chain verifiability; a wrong certificate added to the trusted list may result in bad chains being accepted, and forfeited signatures being recognized as genuine. Only add certificates that originate from the parties that you know and trust.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

ValidationMoment Property (ASiCVerifier Class)

The time point at which signature validity is to be established.

Syntax

public String getValidationMoment();


public void setValidationMoment(String validationMoment);

Default Value

""

Remarks

Use this property to specify the moment in time at which signature validity should be established. The time is in UTC. Leave the setting empty to stick to the default moment (either the signature creation time or the current time).

The validity of the same signature may differ depending on the time point chosen due to temporal changes in chain validities, revocation statuses, and timestamp times.

Close Method (Asicverifier Class)

Closes an opened container.

Syntax

public void close(boolean saveChanges);

Remarks

Use this method to close a previously opened container. Set SaveChanges to true to apply any changes made.

Config Method (Asicverifier Class)

Sets or retrieves a configuration setting.

Syntax

public String config(String configurationString);

Remarks

Config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

DoAction Method (Asicverifier Class)

Performs an additional action.

Syntax

public String doAction(String actionID, String actionParams);

Remarks

DoAction is a generic method available in every class. It is used to perform an additional action introduced after the product major release. The list of actions is not fixed, and may be flexibly extended over time.

The unique identifier (case insensitive) of the action is provided in the ActionID parameter.

ActionParams contains the value of a single parameter, or a list of multiple parameters for the action in the form of PARAM1=VALUE1;PARAM2=VALUE2;....

ExtractFile Method (Asicverifier Class)

Extracts a file to one of the output media (bytes, stream, or disk file).

Syntax

public void extractFile(String filename);

Remarks

Use this method to extract a single archived

ExtractFiles Method (Asicverifier Class)

Extracts files covered by a signature to OutputPath .

Syntax

public void extractFiles(int sigIndex);

Remarks

Use this method to extract all files covered by the signature SigIndex to OutputPath. Set SigIndex to -1 to extract all the files included in the container.

Open Method (Asicverifier Class)

Opens an existing container for signing or updating.

Syntax

public void open();

Remarks

Use this method to open a container for signing or updating. When finished, call Close to complete or discard the operation.

Revalidate Method (Asicverifier Class)

Revalidates a signature in accordance with current settings.

Syntax

public void revalidate(int index);

Remarks

Use this method to re-validate a signature in the opened ASiC document.

Unsign Method (Asicverifier Class)

Deletes a signature from the container.

Syntax

public void unsign(int sigIndex);

Remarks

Use this method to delete an existing signature from the container. Use SigIndex parameter to specify the signature to be removed.

Verify Method (Asicverifier Class)

Verifies all signatures in the ASiC container.

Syntax

public void verify();

Remarks

Use this method to verify the signature and any associated signed files residing in the ASiC container.

When processing the container, the verifier walks through all the signatures contained in the message, one after another.

For each signature, the SignatureFound event is thrown. The benefits of this are that it:

• Lets you know some basic details about the signature and its creator
• Allows you to tell the component whether or not you want to validate it and/or its signing certificate's chain
• Gives you a chance to provide any missing certificates (CertFound indicates whether you need to do that)

The control then validates the signature and the chain (if told to do so in SignatureFound), reporting the validity of each via SignatureValidated and ChainValidated events, respectively. Before these events are fired, the properties of the signature are populated in the control's properties. Two properties that may be useful to read inside the event handlers are those reporting the signature's creation time, ClaimedSigningTime and ValidatedSigningTime.

The control's properties remain assigned with the last processed signature's details, and are still available after the Verify() call returns, providing a handy way to work with single-signature containers.

Once the main signature's processing completes, the control proceeds to its subordinate elements (countersignatures and/or timestamps). Each timestamp is reported via TimestampValidated event.

Having reported all the countersignatures and timestamps, the control proceeds to the next main signature and any timestamps associated with it - and so on.

ChainElementDownload Event (Asicverifier Class)

Fires when there is a need to download a chain element from an online source.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void chainElementDownload(AsicverifierChainElementDownloadEvent e) {}
  ...
}

public class AsicverifierChainElementDownloadEvent {
  public int kind;
  public String certRDN;
  public String CACertRDN;
  public String location;
  public int action;
}

Remarks

Subscribe to this event to be notified about validation element retrievals. Use the Action parameter to suppress the download if required.

ChainElementNeeded Event (Asicverifier Class)

Fires when an element required to validate the chain was not located.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void chainElementNeeded(AsicverifierChainElementNeededEvent e) {}
  ...
}

public class AsicverifierChainElementNeededEvent {
  public int kind;
  public String certRDN;
  public String CACertRDN;
}

Remarks

Subscribe to this event to be notified about missing validation elements. Use the KnownCRLs, KnownCertificates, and KnownOCSPs properties in the event handler to provide the missing piece.

ChainElementStore Event (Asicverifier Class)

This event is fired when a chain element (certificate, CRL, or OCSP response) should be stored along with a signature.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void chainElementStore(AsicverifierChainElementStoreEvent e) {}
  ...
}

public class AsicverifierChainElementStoreEvent {
  public int kind;
  public byte[] body;
  public String URI;
}

Remarks

This event could occur if you are verifying XAdES-C form or higher. The Body parameter contains the element in binary form that should be stored along with a signature. Use the URI parameter to provide an URI of the stored element.

ChainValidated Event (Asicverifier Class)

Reports the completion of a certificate chain validation.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void chainValidated(AsicverifierChainValidatedEvent e) {}
  ...
}

public class AsicverifierChainValidatedEvent {
  public int index;
  public String subjectRDN;
  public int validationResult;
  public int validationDetails;
}

Remarks

This event is fired when a certificate chain validation routine completes. SubjectRDN identifies the owner of the validated certificate.

ValidationResult set to 0 (zero) indicates successful chain validation.

Any other value reports a failure, and ValidationDetails provides more details on its reasons.

ChainValidationProgress Event (Asicverifier Class)

This event is fired multiple times during chain validation to report various stages of the validation procedure.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void chainValidationProgress(AsicverifierChainValidationProgressEvent e) {}
  ...
}

public class AsicverifierChainValidationProgressEvent {
  public String eventKind;
  public String certRDN;
  public String CACertRDN;
  public int action;
}

Remarks

Subscribe to this event to be notified about chain validation progress. Use the Action parameter to alter the validation flow.

The EventKind parameter reports the nature of the event being reported. The CertRDN and CACertRDN parameters report the distinguished names of the certificates that are relevant for the event invocation (one or both can be empty, depending on EventKind). Use the Action parameter to adjust the validation flow.

ContainerLoaded Event (Asicverifier Class)

This event is fired when the container has been loaded into memory.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void containerLoaded(AsicverifierContainerLoadedEvent e) {}
  ...
}

public class AsicverifierContainerLoadedEvent {
  public boolean cancel;
}

Remarks

The handler for this event is a good place to check for any existing signatures and validate them if required.

Set Cancel to true to terminate document processing on this stage.

Error Event (Asicverifier Class)

Information about errors during ASiC signature verification.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void error(AsicverifierErrorEvent e) {}
  ...
}

public class AsicverifierErrorEvent {
  public int errorCode;
  public String description;
}

Remarks

The event is fired in case of exceptional conditions during ASiC signature verification.

ErrorCode contains an error code and Description contains a textual description of the error.

FileExtractionStart Event (Asicverifier Class)

Signifies the start of a file extraction process.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void fileExtractionStart(AsicverifierFileExtractionStartEvent e) {}
  ...
}

public class AsicverifierFileExtractionStartEvent {
  public String fileName;
  public long fileSize;
  public String modDate;
  public boolean extract;
  public String destFile;
}

Remarks

This event fires for every file located in the archive and matching the ExtractionMode setting before it is to be extracted.

DestFile indicates the path where the file will be saved to. You can alter the destination path here, by providing an alternative extraction path.

Set DestFile to an empty string and provide a stream object via the OutputStream property if you prefer to save the data to a stream instead of file.

If DestFile is set to an empty string and OutputStream is unassigned, the file will not be extracted.

Alternatively, you can request the extracted content to be saved into a byte array. To do this, leave DestFile and OutputStream empty, and keep the Extract parameter enabled.

Please take care when extracting large files into byte arrays, as those may consume large amounts of memory.

Note: if DestFile already exists, the class will overwrite it. To prevent overwriting of existing files, subscribe to this event, and change DestFile when needed.

Notification Event (Asicverifier Class)

This event notifies the application about an underlying control flow event.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void notification(AsicverifierNotificationEvent e) {}
  ...
}

public class AsicverifierNotificationEvent {
  public String eventID;
  public String eventParam;
}

Remarks

The class fires this event to let the application know about some event, occurrence, or milestone in the class. For example, it may fire to report completion of the document processing. The list of events being reported is not fixed, and may be flexibly extended over time.

The unique identifier of the event is provided in the EventID parameter. EventParam contains any parameters accompanying the occurrence. Depending on the type of the class, the exact action it is performing, or the document being processed, one or both may be omitted.

SignatureFound Event (Asicverifier Class)

Signifies the start of signature validation.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void signatureFound(AsicverifierSignatureFoundEvent e) {}
  ...
}

public class AsicverifierSignatureFoundEvent {
  public int index;
  public String issuerRDN;
  public byte[] serialNumber;
  public byte[] subjectKeyID;
  public boolean certFound;
  public boolean validateSignature;
  public boolean validateChain;
}

Remarks

This event tells the application that signature validation is about to start, and provides the details about the signer's certificate via its IssuerRDN, SerialNumber, and SubjectKeyID parameters. It fires for every signature located in the verified document or message.

The CertFound parameter is set to True if the class has found the needed certificate in one of the known locations, and to False otherwise, in which case you must provide it manually via the KnownCertificates property.

Signature validation consists of two independent stages: cryptographic signature validation and chain validation. Separate validation results are reported for each, with the SignatureValidationResult and ChainValidationResult properties respectively.

Use the ValidateSignature and ValidateChain parameters to tell the verifier which stages to include in the validation.

SignatureValidated Event (Asicverifier Class)

Marks the completion of the signature validation routine.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void signatureValidated(AsicverifierSignatureValidatedEvent e) {}
  ...
}

public class AsicverifierSignatureValidatedEvent {
  public int index;
  public String issuerRDN;
  public byte[] serialNumber;
  public byte[] subjectKeyID;
  public int validationResult;
}

Remarks

This event is fired upon the completion of the signature validation routine, and reports the respective validation result.

Use the IssuerRDN, SerialNumber, and/or SubjectKeyID parameters to identify the signing certificate.

ValidationResult is set to 0 if the validation has been successful, or to a non-zero value in case of a validation failure.

TimestampFound Event (Asicverifier Class)

Signifies the start of a timestamp validation routine.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void timestampFound(AsicverifierTimestampFoundEvent e) {}
  ...
}

public class AsicverifierTimestampFoundEvent {
  public int index;
  public String issuerRDN;
  public byte[] serialNumber;
  public byte[] subjectKeyID;
  public boolean certFound;
  public boolean validateTimestamp;
  public boolean validateChain;
}

Remarks

This event fires for every timestamp identified during signature processing, and reports the details about the signer's certificate via its IssuerRDN, SerialNumber, and SubjectKeyID parameters.

The CertFound parameter is set to True if the class has found the needed certificate in one of the known locations, and to False otherwise, in which case you must provide it manually via the KnownCertificates property.

Just like with signature validation, timestamp validation consists of two independent stages: cryptographic signature validation and chain validation. Separate validation results are reported for each, with the ValidationResult and ChainValidationResult properties respectively.

Use the ValidateSignature and ValidateChain parameters to tell the verifier which stages to include in the validation.

TimestampValidated Event (Asicverifier Class)

Reports the completion of the timestamp validation routine.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void timestampValidated(AsicverifierTimestampValidatedEvent e) {}
  ...
}

public class AsicverifierTimestampValidatedEvent {
  public int index;
  public String issuerRDN;
  public byte[] serialNumber;
  public byte[] subjectKeyID;
  public String time;
  public int validationResult;
  public int chainValidationResult;
  public int chainValidationDetails;
}

Remarks

This event is fired upon the completion of the timestamp validation routine, and reports the respective validation result.

ValidationResult is set to 0 if the validation has been successful, or to a non-zero value in case of a failure.

TLSCertNeeded Event (Asicverifier Class)

Fires when a remote TLS party requests a client certificate.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void TLSCertNeeded(AsicverifierTLSCertNeededEvent e) {}
  ...
}

public class AsicverifierTLSCertNeededEvent {
  public String host;
  public String CANames;
}

Remarks

This event fires to notify the implementation that a remote TLS server has requested a client certificate. The Host parameter identifies the host that makes a request, and the CANames parameter (optional, according to the TLS spec) advises on the accepted issuing CAs.

Use the TLSClientChain property in response to this event to provide the requested certificate. Please make sure the client certificate includes the associated private key. Note that you may set the certificates before the connection without waiting for this event to fire.

This event is preceded by the TLSHandshake event for the given host and, if the certificate was accepted, succeeded by the TLSEstablished event.

TLSCertValidate Event (Asicverifier Class)

This event is fired upon receipt of the TLS server's certificate, allowing the user to control its acceptance.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void TLSCertValidate(AsicverifierTLSCertValidateEvent e) {}
  ...
}

public class AsicverifierTLSCertValidateEvent {
  public String serverHost;
  public String serverIP;
  public boolean accept;
}

Remarks

This event is fired during a TLS handshake. Use the TLSServerChain property to access the certificate chain. In general, classes may contact a number of TLS endpoints during their work, depending on their configuration.

Accept is assigned in accordance with the outcome of the internal validation check performed by the class, and can be adjusted if needed.

TLSEstablished Event (Asicverifier Class)

Fires when a TLS handshake with Host successfully completes.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void TLSEstablished(AsicverifierTLSEstablishedEvent e) {}
  ...
}

public class AsicverifierTLSEstablishedEvent {
  public String host;
  public String version;
  public String ciphersuite;
  public byte[] connectionId;
  public boolean abort;
}

Remarks

The class uses this event to notify the application about a successful completion of a TLS handshake.

The Version, Ciphersuite, and ConnectionId parameters indicate the security parameters of the new connection. Use the Abort parameter if you need to terminate the connection at this stage.

TLSHandshake Event (Asicverifier Class)

Fires when a new TLS handshake is initiated, before the handshake commences.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void TLSHandshake(AsicverifierTLSHandshakeEvent e) {}
  ...
}

public class AsicverifierTLSHandshakeEvent {
  public String host;
  public boolean abort;
}

Remarks

The class uses this event to notify the application about the start of a new TLS handshake to Host. If the handshake is successful, this event will be followed by the TLSEstablished event. If the server chooses to request a client certificate, the TLSCertNeeded event will also be fired.

TLSShutdown Event (Asicverifier Class)

Reports the graceful closure of a TLS connection.

Syntax

public class DefaultAsicverifierEventListener implements AsicverifierEventListener {
  ...
  public void TLSShutdown(AsicverifierTLSShutdownEvent e) {}
  ...
}

public class AsicverifierTLSShutdownEvent {
  public String host;
}

Remarks

This event notifies the application about the closure of an earlier established TLS connection. Note that only graceful connection closures are reported.

ArchivedFile Type

Provides information about the compressed file.

Remarks

Use this type to access compressed file details.

Fields

Constructors

public ArchivedFile();

Creates a new ArchivedFile object.

ASiCSignature Type

Represents a signature in the ASiC container.

Remarks

This type contains information about a signature found in ASiC container. It holds various information about the signature, including its coverage and validation results.

An ASiC-S container can include one CAdES, and/or one XAdES, and/or one Timestamp. An ASiC-E container can include multiple CAdES signatures, XAdES signatures, and timestamp tokens.

Fields

Constructors

public ASiCSignature();

Creates a new empty ASiC signature object.

Certificate Type

Provides details of an individual X.509 certificate.

Remarks

This type provides access to X.509 certificate details.

Fields

Constructors

public Certificate( bytes,  startIndex,  count,  password);

Loads the X.509 certificate from a memory buffer. Bytes is a buffer containing the raw certificate data. StartIndex and Count specify the starting position and number of bytes to be read from the buffer, respectively. Password is a password encrypting the certificate.

public Certificate( certBytes,  certStartIndex,  certCount,  keyBytes,  keyStartIndex,  keyCount,  password);

Loads the X.509 certificate from a memory buffer. CertBytes is a buffer containing the raw certificate data. CertStartIndex and CertCount specify the number of bytes to be read from the buffer, respectively. KeyBytes is a buffer containing the private key data. KeyStartIndex and KeyCount specify the starting position and number of bytes to be read from the buffer, respectively. Password is a password encrypting the certificate.

public Certificate( bytes,  startIndex,  count);

Loads the X.509 certificate from a memory buffer. Bytes is a buffer containing the raw certificate data. StartIndex and Count specify the starting position and number of bytes to be read from the buffer, respectively.

public Certificate( path,  password);

Loads the X.509 certificate from a file. Path specifies the full path to the file containing the certificate data. Password is a password encrypting the certificate.

public Certificate( certPath,  keyPath,  password);

Loads the X.509 certificate from a file. CertPath specifies the full path to the file containing the certificate data. KeyPath specifies the full path to the file containing the private key. Password is a password encrypting the certificate.

public Certificate( path);

Loads the X.509 certificate from a file. Path specifies the full path to the file containing the certificate data.

public Certificate( stream);

Loads the X.509 certificate from a stream. Stream is a stream containing the certificate data.

public Certificate( stream,  password);

Loads the X.509 certificate from a stream. Stream is a stream containing the certificate data. Password is a password encrypting the certificate.

public Certificate( certStream,  keyStream,  password);

Loads the X.509 certificate from a stream. CertStream is a stream containing the certificate data. KeyStream is a stream containing the private key. Password is a password encrypting the certificate.

public Certificate();

Creates a new object with default field values.

CRL Type

Represents a Certificate Revocation List.

Remarks

CRLs store information about revoked certificates, i.e., certificates that have been identified as invalid by their issuing certificate authority (CA) for any number of reasons.

Each CRL object lists certificates from a single CA and identifies them by their serial numbers. A CA may or may not publish a CRL, may publish several CRLs, or may publish the same CRL in multiple locations.

Unlike OCSP responses, CRLs only list certificates that have been revoked. They do not list certificates that are still valid.

Fields

Constructors

public CRL( bytes,  startIndex,  count);

Creates a CRL object from a memory buffer. Bytes is a buffer containing raw (DER) CRL data, StartIndex and Count specify the starting position and the length of the CRL data in the buffer, respectively.

public CRL( location);

Creates a CRL object by downloading it from a remote location.

public CRL( stream);

Creates a CRL object from data contained in a stream.

public CRL();

Creates an empty CRL object.

OCSPResponse Type

Represents a single OCSP response originating from an OCSP responder.

Remarks

OCSP is a protocol that allows verification of certificate status in real-time, and is an alternative to Certificate Revocation Lists (CRLs).

An OCSP response is a snapshot of the certificate status at a given time.

Fields

Constructors

public OCSPResponse( bytes,  startIndex,  count);

Initializes the response from a memory buffer. Bytes is a buffer containing raw OCSP response data, StartIndex and Count specify the starting position and the number of bytes to be read from this buffer.

public OCSPResponse( location);

Downloads an OCSP response from a remote location.

public OCSPResponse( stream);

Initializes the response with the data from a stream.

public OCSPResponse();

Creates an empty OCSP response object.

SocketSettings Type

A container for the socket settings.

Remarks

This type is a container for socket-layer parameters.

Fields

Constructors

public SocketSettings();

Creates a new SocketSettings object.

TimestampInfo Type

A container for timestamp information.

Remarks

The TimestampInfo object contains details of a third-party timestamp and the outcome of its validation.

Fields

Constructors

public TimestampInfo();

Creates a new TimestampInfo object with default field values.

TLSSettings Type

A container for TLS connection settings.

Remarks

The TLS (Transport Layer Security) protocol provides security for information exchanged over insecure connections such as TCP/IP.

Fields

Constructors

public TLSSettings();

Creates a new TLSSettings object.

Config Settings (Asicverifier Class)

The class accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

ASiCVerifier Config Settings

Base Config Settings

Trappable Errors (Asicverifier Class)

ASiCVerifier Errors

	1048577   Invalid parameter value (SB_ERROR_INVALID_PARAMETER)
	1048578   Class is configured incorrectly (SB_ERROR_INVALID_SETUP)
	1048579   Operation cannot be executed in the current state (SB_ERROR_INVALID_STATE)
	1048580   Attempt to set an invalid value to a property (SB_ERROR_INVALID_VALUE)
	1048581   Certificate does not have its private key loaded (SB_ERROR_NO_PRIVATE_KEY)
	1048581   Cancelled by the user (SB_ERROR_CANCELLED_BY_USER) 
	16777217   Unsupported level (SB_ERROR_ASIC_UNSUPPORTED_LEVEL)
	16777218   Unsupported signature form (SB_ERROR_ASIC_UNSUPPORTED_SIGNATURE_FORM)
	16777219   Unsupported signature type (SB_ERROR_ASIC_UNSUPPORTED_SIGNATURE_TYPE)
	16777220   Unsupported extraction mode (SB_ERROR_ASIC_UNSUPPORTED_EXTRACTION_MODE)
	16777221   Input file does not exist (SB_ERROR_ASIC_INPUTFILE_NOT_EXISTS)
	16777222   Output file already exists (SB_ERROR_ASIC_OUTPUTFILE_ALREADY_EXISTS)