DCAuth Module

Properties   Methods   Events   Config Settings   Errors  

The DCAuth module represents the private key side of the SecureBlackbox distributed cryptography protocol.

Syntax

SecureBlackbox.Dcauth

Remarks

The purpose of DCAuth is to sign async requests produced by SignAsyncBegin calls. For each incoming async request containing a document hash, DCAuth produces the corresponding async response containing a signature over that hash.

Protocol Overview

The distributed cryptography protocol involves two principal parties. The signing party, represented by classes such as PDFSigner, XAdESSigner, or OfficeSigner, pre-signs documents (such as PDF files), and encapsulates their hashes into what is called an async request. It then communicates the async request to the private key side, where the DCAuth class extracts the hash and signs it with a local private key. DCAuth then encapsulates the signature into an async response, which is sent back to the signing party. The signing party completes the signing operation by extracting the signature from the async response and embedding it into the pre-signed document.

The protocol supports a variety of uses. The scheme above describes the most typical of them, where the signing party is represented by a web application, and the private key side is represented by a workstation. In that particular scenario DC provides a mechanism for the web app to sign documents residing on the web server with private keys residing on the users workstations, perhaps in non-exportable form (e.g. a USB dongle). Other uses include creation of a signing server for a team of driver developers, or an automated signing gateway for outgoing official documents.

In the webapp-to-browser setting the DCAuth control would normally be used within a web server running on the users workstation. That web server would accept async requests from the web page running in the browser, use DCAuth to generate the matching async response, and feed that response back to the web page. The web page will then submit it back to the web server.

Configuring and Using DCAuth

To process an async request, you need to set up a DCAuth object first, and then call its ProcessRequest method:

• Set the KeyId and KeySecret properties so they match the credentials used by the signing party - e.g. those of PDFSigner object: DCAuth.KeyId = "mykeyid"; DCAuth.KeySecret = "mykeysecret123";

  These two properties are used to verify the integrity of the incoming async requests. Keep them safe.

• Provide the signing certificate: DCAuth.SigningCertificate = "C:\Certs\SigningCert.pfx"; DCAuth.CertPassword = "password789";

  Alternatively, use StorageId to provide a certificate residing elsewhere, such as a PKCS#11 device.

• Assign the async request to the Input property: DCAuth.Input = Request;

  Make sure to provide the request in its original XML format. Some technologies and SecureBlackbox code samples may apply additional encoding when conveying async requests from their origin to the DCAuth endpoint. Please double check that you assign the request without any encodings applied. An async request is a properly formed XML document with the root element of SecureBlackboxAsyncState.

• Call the ProcessRequest method: DCAuth.ProcessRequest;

  This method performs the actual signing of the hash. Make sure your code is prepared for potential signing errors.

• If the ProcessRequest call has succeeded, grab the async response from the Output property: Result = DCAuth.Output;

Property List

The following is the full list of the properties of the module with short descriptions. Click on the links for further details.

Method List

The following is the full list of the methods of the module with short descriptions. Click on the links for further details.

Event List

The following is the full list of the events fired by the module with short descriptions. Click on the links for further details.

Config Settings

The following is a list of config settings for the module with short descriptions. Click on the links for further details.

ClaimedSigningTime Property (DCAuth Module)

The signing time from the signer's computer.

Syntax

• Swift
• Objective-C

public var claimedSigningTime: String {
  get {...}
  set {...}
}

@property (nonatomic,readwrite,assign,getter=claimedSigningTime,setter=setClaimedSigningTime:) NSString* claimedSigningTime;

- (NSString*)claimedSigningTime;
- (void)setClaimedSigningTime :(NSString*)newClaimedSigningTime;

Default Value

""

Remarks

Use this property to provide the signature production time. The claimed time is not supported by a trusted source; it may be inaccurate, forfeited, or wrong, and as such is usually taken for informational purposes only by verifiers. Use timestamp servers to embed verifiable trusted timestamps. The time is in UTC.

ExternalCrypto Property (DCAuth Module)

Provides access to external signing and DC parameters.

Syntax

• Swift
• Objective-C

public var externalCrypto: ExternalCrypto {
  get {...}
}

@property (nonatomic,readwrite,assign,getter=externalCryptoAsyncDocumentID,setter=setExternalCryptoAsyncDocumentID:) NSString* externalCryptoAsyncDocumentID;

- (NSString*)externalCryptoAsyncDocumentID;
- (void)setExternalCryptoAsyncDocumentID :(NSString*)newExternalCryptoAsyncDocumentID;

@property (nonatomic,readwrite,assign,getter=externalCryptoCustomParams,setter=setExternalCryptoCustomParams:) NSString* externalCryptoCustomParams;

- (NSString*)externalCryptoCustomParams;
- (void)setExternalCryptoCustomParams :(NSString*)newExternalCryptoCustomParams;

@property (nonatomic,readwrite,assign,getter=externalCryptoData,setter=setExternalCryptoData:) NSString* externalCryptoData;

- (NSString*)externalCryptoData;
- (void)setExternalCryptoData :(NSString*)newExternalCryptoData;

@property (nonatomic,readwrite,assign,getter=externalCryptoExternalHashCalculation,setter=setExternalCryptoExternalHashCalculation:) BOOL externalCryptoExternalHashCalculation;

- (BOOL)externalCryptoExternalHashCalculation;
- (void)setExternalCryptoExternalHashCalculation :(BOOL)newExternalCryptoExternalHashCalculation;

@property (nonatomic,readwrite,assign,getter=externalCryptoHashAlgorithm,setter=setExternalCryptoHashAlgorithm:) NSString* externalCryptoHashAlgorithm;

- (NSString*)externalCryptoHashAlgorithm;
- (void)setExternalCryptoHashAlgorithm :(NSString*)newExternalCryptoHashAlgorithm;

@property (nonatomic,readwrite,assign,getter=externalCryptoKeyID,setter=setExternalCryptoKeyID:) NSString* externalCryptoKeyID;

- (NSString*)externalCryptoKeyID;
- (void)setExternalCryptoKeyID :(NSString*)newExternalCryptoKeyID;

@property (nonatomic,readwrite,assign,getter=externalCryptoKeySecret,setter=setExternalCryptoKeySecret:) NSString* externalCryptoKeySecret;

- (NSString*)externalCryptoKeySecret;
- (void)setExternalCryptoKeySecret :(NSString*)newExternalCryptoKeySecret;

@property (nonatomic,readwrite,assign,getter=externalCryptoMethod,setter=setExternalCryptoMethod:) int externalCryptoMethod;

- (int)externalCryptoMethod;
- (void)setExternalCryptoMethod :(int)newExternalCryptoMethod;

@property (nonatomic,readwrite,assign,getter=externalCryptoMode,setter=setExternalCryptoMode:) int externalCryptoMode;

- (int)externalCryptoMode;
- (void)setExternalCryptoMode :(int)newExternalCryptoMode;

@property (nonatomic,readwrite,assign,getter=externalCryptoPublicKeyAlgorithm,setter=setExternalCryptoPublicKeyAlgorithm:) NSString* externalCryptoPublicKeyAlgorithm;

- (NSString*)externalCryptoPublicKeyAlgorithm;
- (void)setExternalCryptoPublicKeyAlgorithm :(NSString*)newExternalCryptoPublicKeyAlgorithm;

 

Default Value

16

Remarks

Use this property to tune-up remote cryptography settings. SecureBlackbox supports two independent types of external cryptography: synchronous (based on OnExternalSign event) and asynchronous (based on DC protocol and DCAuth signing component).

FIPSMode Property (DCAuth Module)

Reserved.

Syntax

• Swift
• Objective-C

public var fipsMode: Bool {
  get {...}
  set {...}
}

@property (nonatomic,readwrite,assign,getter=FIPSMode,setter=setFIPSMode:) BOOL FIPSMode;

- (BOOL)FIPSMode;
- (void)setFIPSMode :(BOOL)newFIPSMode;

Default Value

False

Remarks

This property is reserved for future use.

Input Property (DCAuth Module)

Contains the signing request to process.

Syntax

• Swift
• Objective-C

public var input: String {
  get {...}
  set {...}
}

@property (nonatomic,readwrite,assign,getter=input,setter=setInput:) NSString* input;

- (NSString*)input;
- (void)setInput :(NSString*)newInput;

Default Value

""

Remarks

Assign the request you received from the counterparty to this property before calling the ProcessRequest method. Use Output to read the resulting signature response after ProcessRequest completes.

InputEncoding Property (DCAuth Module)

Specifies request encoding.

Syntax

• Swift
• Objective-C

public var inputEncoding: DcauthInputEncodings {
  get {...}
  set {...}
}

public enum DcauthInputEncodings: Int32 {
  case encNone = 0
  case encAuto = 1
  case encBase64 = 2
}

@property (nonatomic,readwrite,assign,getter=inputEncoding,setter=setInputEncoding:) int inputEncoding;

- (int)inputEncoding;
- (void)setInputEncoding :(int)newInputEncoding;

Default Value

0

Remarks

Use this property to specify the encoding to expect the requests to be in.

KeyId Property (DCAuth Module)

Specifies the KeyID of the pre-shared authentication key.

Syntax

• Swift
• Objective-C

public var keyId: String {
  get {...}
  set {...}
}

@property (nonatomic,readwrite,assign,getter=keyId,setter=setKeyId:) NSString* keyId;

- (NSString*)keyId;
- (void)setKeyId :(NSString*)newKeyId;

Default Value

""

Remarks

If processing requests from a single known party, assign the Id of the key you pre-shared with them to this property, and the key itself to the KeySecret property. If you expect to receive requests from many parties with different authentication keys, use KeySecretNeeded event instead.

KeySecret Property (DCAuth Module)

The pre-shared authentication key.

Syntax

• Swift
• Objective-C

public var keySecret: String {
  get {...}
  set {...}
}

@property (nonatomic,readwrite,assign,getter=keySecret,setter=setKeySecret:) NSString* keySecret;

- (NSString*)keySecret;
- (void)setKeySecret :(NSString*)newKeySecret;

Default Value

""

Remarks

If processing requests from a single known party, assign the key you pre-shared with them to this property. Use KeyId property to assign the ID of that key. If you expect to receive requests from many parties with different authentication keys, use KeySecretNeeded event instead.

Output Property (DCAuth Module)

Contains the output of the request processing.

Syntax

• Swift
• Objective-C

public var output: String {
  get {...}
}

@property (nonatomic,readonly,assign,getter=output) NSString* output;

- (NSString*)output;

Default Value

""

Remarks

When ProcessRequest method completes it saves the processing output to this property. The output typically contains the response to be sent back to the requestor.

This property is read-only.

OutputEncoding Property (DCAuth Module)

Specifies response encoding.

Syntax

• Swift
• Objective-C

public var outputEncoding: DcauthOutputEncodings {
  get {...}
  set {...}
}

public enum DcauthOutputEncodings: Int32 {
  case encNone = 0
  case encAuto = 1
  case encBase64 = 2
}

@property (nonatomic,readwrite,assign,getter=outputEncoding,setter=setOutputEncoding:) int outputEncoding;

- (int)outputEncoding;
- (void)setOutputEncoding :(int)newOutputEncoding;

Default Value

0

Remarks

Use this property to specify the encoding you want the response to be produced in.

Policies Property (DCAuth Module)

Specifies the policies to use when processing requests.

Syntax

• Swift
• Objective-C

public var policies: Int32 {
  get {...}
  set {...}
}

@property (nonatomic,readwrite,assign,getter=policies,setter=setPolicies:) int policies;

- (int)policies;
- (void)setPolicies :(int)newPolicies;

Default Value

0

Remarks

This property lets you specify policies to apply blanketly to the requests. If this property does not give you enough flexibility - for example, if you need to cherry-pick requests basing on their content - please consider using the SignRequest (allows you to track individual requests) and/or ExternalSign (lets you perform the signing manually) events. This setting is a bit mask of the following flags:

Profile Property (DCAuth Module)

Specifies a pre-defined profile to apply when creating the signature.

Syntax

• Swift
• Objective-C

public var profile: String {
  get {...}
  set {...}
}

@property (nonatomic,readwrite,assign,getter=profile,setter=setProfile:) NSString* profile;

- (NSString*)profile;
- (void)setProfile :(NSString*)newProfile;

Default Value

""

Remarks

Advanced signatures come in many variants, which are often defined by parties that needs to process them or by local standards. SecureBlackbox profiles are sets of pre-defined configurations which correspond to particular signature variants. By specifying a profile, you are pre-configuring the component to make it produce the signature that matches the configuration corresponding to that profile.

Proxy Property (DCAuth Module)

The proxy server settings.

Syntax

• Swift
• Objective-C

public var proxy: ProxySettings {
  get {...}
}

@property (nonatomic,readwrite,assign,getter=proxyAddress,setter=setProxyAddress:) NSString* proxyAddress;

- (NSString*)proxyAddress;
- (void)setProxyAddress :(NSString*)newProxyAddress;

@property (nonatomic,readwrite,assign,getter=proxyAuthentication,setter=setProxyAuthentication:) int proxyAuthentication;

- (int)proxyAuthentication;
- (void)setProxyAuthentication :(int)newProxyAuthentication;

@property (nonatomic,readwrite,assign,getter=proxyPassword,setter=setProxyPassword:) NSString* proxyPassword;

- (NSString*)proxyPassword;
- (void)setProxyPassword :(NSString*)newProxyPassword;

@property (nonatomic,readwrite,assign,getter=proxyPort,setter=setProxyPort:) int proxyPort;

- (int)proxyPort;
- (void)setProxyPort :(int)newProxyPort;

@property (nonatomic,readwrite,assign,getter=proxyProxyType,setter=setProxyProxyType:) int proxyProxyType;

- (int)proxyProxyType;
- (void)setProxyProxyType :(int)newProxyProxyType;

@property (nonatomic,readwrite,assign,getter=proxyRequestHeaders,setter=setProxyRequestHeaders:) NSString* proxyRequestHeaders;

- (NSString*)proxyRequestHeaders;
- (void)setProxyRequestHeaders :(NSString*)newProxyRequestHeaders;

@property (nonatomic,readwrite,assign,getter=proxyResponseBody,setter=setProxyResponseBody:) NSString* proxyResponseBody;

- (NSString*)proxyResponseBody;
- (void)setProxyResponseBody :(NSString*)newProxyResponseBody;

@property (nonatomic,readwrite,assign,getter=proxyResponseHeaders,setter=setProxyResponseHeaders:) NSString* proxyResponseHeaders;

- (NSString*)proxyResponseHeaders;
- (void)setProxyResponseHeaders :(NSString*)newProxyResponseHeaders;

@property (nonatomic,readwrite,assign,getter=proxyUseIPv6,setter=setProxyUseIPv6:) BOOL proxyUseIPv6;

- (BOOL)proxyUseIPv6;
- (void)setProxyUseIPv6 :(BOOL)newProxyUseIPv6;

@property (nonatomic,readwrite,assign,getter=proxyUseProxy,setter=setProxyUseProxy:) BOOL proxyUseProxy;

- (BOOL)proxyUseProxy;
- (void)setProxyUseProxy :(BOOL)newProxyUseProxy;

@property (nonatomic,readwrite,assign,getter=proxyUsername,setter=setProxyUsername:) NSString* proxyUsername;

- (NSString*)proxyUsername;
- (void)setProxyUsername :(NSString*)newProxyUsername;

 

Default Value

16

Remarks

Use this property to tune up the proxy server settings.

SigningCertificate Property (DCAuth Module)

The certificate to be used for signing.

Syntax

• Swift
• Objective-C

public var signingCertificate: Certificate {
  get {...}
  set {...}
}

@property (nonatomic,readonly,assign,getter=signingCertBytes) NSData* signingCertBytes;

- (NSData*)signingCertBytes;

@property (nonatomic,readwrite,assign,getter=signingCertHandle,setter=setSigningCertHandle:) long long signingCertHandle;

- (long long)signingCertHandle;
- (void)setSigningCertHandle :(long long)newSigningCertHandle;

 

Default Value

16

Remarks

Use this property to specify the certificate that shall be used for signing the data. Note that this certificate should have a private key associated with it. Use SigningChain to supply the rest of the certificate chain for inclusion into the signature.

SigningChain Property (DCAuth Module)

The signing certificate chain.

Syntax

• Swift
• Objective-C

public var signingChain: Array<Certificate> {
  get {...}
}

@property (nonatomic,readwrite,assign,getter=signingChainCount,setter=setSigningChainCount:) int signingChainCount;

- (int)signingChainCount;
- (void)setSigningChainCount :(int)newSigningChainCount;

- (NSData*)signingChainBytes:(int)signingChainIndex;

- (long long)signingChainHandle:(int)signingChainIndex;
- (void)setSigningChainHandle:(int)signingChainIndex :(long long)newSigningChainHandle;

Default Value

16

Remarks

Use this property to provide the chain for the signing certificate. Use SigningCertificate property, if it is available, to provide the signing certificate itself.

SocketSettings Property (DCAuth Module)

Manages network connection settings.

Syntax

• Swift
• Objective-C

public var socketSettings: SocketSettings {
  get {...}
}

@property (nonatomic,readwrite,assign,getter=socketDNSMode,setter=setSocketDNSMode:) int socketDNSMode;

- (int)socketDNSMode;
- (void)setSocketDNSMode :(int)newSocketDNSMode;

@property (nonatomic,readwrite,assign,getter=socketDNSPort,setter=setSocketDNSPort:) int socketDNSPort;

- (int)socketDNSPort;
- (void)setSocketDNSPort :(int)newSocketDNSPort;

@property (nonatomic,readwrite,assign,getter=socketDNSQueryTimeout,setter=setSocketDNSQueryTimeout:) int socketDNSQueryTimeout;

- (int)socketDNSQueryTimeout;
- (void)setSocketDNSQueryTimeout :(int)newSocketDNSQueryTimeout;

@property (nonatomic,readwrite,assign,getter=socketDNSServers,setter=setSocketDNSServers:) NSString* socketDNSServers;

- (NSString*)socketDNSServers;
- (void)setSocketDNSServers :(NSString*)newSocketDNSServers;

@property (nonatomic,readwrite,assign,getter=socketDNSTotalTimeout,setter=setSocketDNSTotalTimeout:) int socketDNSTotalTimeout;

- (int)socketDNSTotalTimeout;
- (void)setSocketDNSTotalTimeout :(int)newSocketDNSTotalTimeout;

@property (nonatomic,readwrite,assign,getter=socketIncomingSpeedLimit,setter=setSocketIncomingSpeedLimit:) int socketIncomingSpeedLimit;

- (int)socketIncomingSpeedLimit;
- (void)setSocketIncomingSpeedLimit :(int)newSocketIncomingSpeedLimit;

@property (nonatomic,readwrite,assign,getter=socketLocalAddress,setter=setSocketLocalAddress:) NSString* socketLocalAddress;

- (NSString*)socketLocalAddress;
- (void)setSocketLocalAddress :(NSString*)newSocketLocalAddress;

@property (nonatomic,readwrite,assign,getter=socketLocalPort,setter=setSocketLocalPort:) int socketLocalPort;

- (int)socketLocalPort;
- (void)setSocketLocalPort :(int)newSocketLocalPort;

@property (nonatomic,readwrite,assign,getter=socketOutgoingSpeedLimit,setter=setSocketOutgoingSpeedLimit:) int socketOutgoingSpeedLimit;

- (int)socketOutgoingSpeedLimit;
- (void)setSocketOutgoingSpeedLimit :(int)newSocketOutgoingSpeedLimit;

@property (nonatomic,readwrite,assign,getter=socketTimeout,setter=setSocketTimeout:) int socketTimeout;

- (int)socketTimeout;
- (void)setSocketTimeout :(int)newSocketTimeout;

@property (nonatomic,readwrite,assign,getter=socketUseIPv6,setter=setSocketUseIPv6:) BOOL socketUseIPv6;

- (BOOL)socketUseIPv6;
- (void)setSocketUseIPv6 :(BOOL)newSocketUseIPv6;

 

Default Value

16

Remarks

Use this property to tune up network connection parameters.

StorageId Property (DCAuth Module)

Specifies the signing certificate residing in an alternative location.

Syntax

• Swift
• Objective-C

public var storageId: String {
  get {...}
  set {...}
}

@property (nonatomic,readwrite,assign,getter=storageId,setter=setStorageId:) NSString* storageId;

- (NSString*)storageId;
- (void)setStorageId :(NSString*)newStorageId;

Default Value

""

Remarks

Use this property to specify the signing certificate contained on alternative media, such as a hardware device or in a system certificate store.

Example 1: The certificate resides on a PKCS#11 device

pkcs11://user:pin@/c:/windows/system32/pkcsdriver.dll?slot=0&readonly=1

Example 2: The certificate resides in a system store

system://localmachine@/?store=MY

You can use the following URI modifiers to provide more accurate specifiers for the needed certificate:

• cn: the common name of the certificate subject.
• keyid: the unique identifier included in subject key identifier extension of the certificate.
• keyusage: a comma-separated list of enabled (+) or disabled (-) key usages. The following usages are supported: signature, nonrepudiation, keyencipherment, dataencipherment, keyagreement, keycertsign, crlsign, encipheronly, decipheronly, serverauth, clientauth, codesigning, emailprotection, timestamping, ocspsigning, smartcardlogon, keypurposeclientauth, keypurposekdc.
• fingerprint: the fingerprint of the certificate.

Example 3: selecting the certificate with a given fingerprint:

pkcs11://user:pin@/c:/windows/system32/pkcsdriver.dll?slot=0&readonly=1&fingerprint=001122334455667788aabbccddeeff0011223344

TimestampServer Property (DCAuth Module)

The address of the timestamping server.

Syntax

• Swift
• Objective-C

public var timestampServer: String {
  get {...}
  set {...}
}

@property (nonatomic,readwrite,assign,getter=timestampServer,setter=setTimestampServer:) NSString* timestampServer;

- (NSString*)timestampServer;
- (void)setTimestampServer :(NSString*)newTimestampServer;

Default Value

""

Remarks

Use this property to provide the address of the Time Stamping Authority (TSA) server to be used for timestamping the signature.

SecureBlackbox supports RFC3161-compliant timestamping servers, available via HTTP or HTTPS.

If your timestamping service enforces credential-based user authentication (basic or digest), you can provide the credentials in the same URL:

http://user:password@timestamp.server.com/TsaService

For TSAs using certificate-based TLS authentication, provide the client certificate via the TLSClientChain property.

If this property is left empty, no timestamp will be added to the signature.

Starting from summer 2021 update (Vol. 2), the virtual timestamping service is supported, which allows you to intervene in the timestamping routine and provide your own handling for the TSA exchange. This may be handy if the service that you are requesting timestamps from uses a non-standard TSP protocol or requires special authentication option.

To employ the virtual service, assign an URI of the following format to this property:

virtual://localhost?hashonly=true&includecerts=true&reqpolicy=1.2.3.4.5&halg=SHA256

Subscribe to Notification event to get notified about the virtualized timestamping event. The EventID of the timestamping event is TimestampRequest. Inside the event handler, read the base16-encoded request from the EventParam parameter and forward it to the timestamping authority. Upon receiving the response, pass it back to the component, encoded in base16, via the TimestampResponse config property:

component.Config("TimestampResponse=308208ab...");

Note that all the exchange with your custom TSA should take place within the same invocation of the Notification event.

The hashonly parameter of the virtual URI tells the component to only return the timestamp message imprint via the EventParam parameter. If set to false, EventParam will contain the complete RFC3161 timestamping request.

The includecerts parameter specifies that the requestCertificates parameter of the timestamping request should be set to true.

The reqpolicy parameter lets you specify the request policy, and the halg parameter specifies the hash algorithm to use for timestamping.

All the parameters are optional.

TLSClientChain Property (DCAuth Module)

The TLS client certificate chain.

Syntax

• Swift
• Objective-C

public var tlsClientChain: Array<Certificate> {
  get {...}
}

@property (nonatomic,readwrite,assign,getter=TLSClientCertCount,setter=setTLSClientCertCount:) int TLSClientCertCount;

- (int)TLSClientCertCount;
- (void)setTLSClientCertCount :(int)newTLSClientCertCount;

- (NSData*)TLSClientCertBytes:(int)tLSClientCertIndex;

- (long long)TLSClientCertHandle:(int)tLSClientCertIndex;
- (void)setTLSClientCertHandle:(int)tLSClientCertIndex :(long long)newTLSClientCertHandle;

Default Value

16

Remarks

Assign a certificate chain to this property to enable TLS client authentication in the class. Note that the client's end-entity certificate should have a private key associated with it.

TLSServerChain Property (DCAuth Module)

The TLS server's certificate chain.

Syntax

• Swift
• Objective-C

public var tlsServerChain: Array<Certificate> {
  get {...}
}

@property (nonatomic,readonly,assign,getter=TLSServerCertCount) int TLSServerCertCount;

- (int)TLSServerCertCount;

- (NSData*)TLSServerCertBytes:(int)tLSServerCertIndex;

- (long long)TLSServerCertHandle:(int)tLSServerCertIndex;

Default Value

16

Remarks

Use this property to access the certificate chain sent by the TLS server.

TLSSettings Property (DCAuth Module)

Manages TLS layer settings.

Syntax

• Swift
• Objective-C

public var tlsSettings: TLSSettings {
  get {...}
}

@property (nonatomic,readwrite,assign,getter=TLSAutoValidateCertificates,setter=setTLSAutoValidateCertificates:) BOOL TLSAutoValidateCertificates;

- (BOOL)TLSAutoValidateCertificates;
- (void)setTLSAutoValidateCertificates :(BOOL)newTLSAutoValidateCertificates;

@property (nonatomic,readwrite,assign,getter=TLSBaseConfiguration,setter=setTLSBaseConfiguration:) int TLSBaseConfiguration;

- (int)TLSBaseConfiguration;
- (void)setTLSBaseConfiguration :(int)newTLSBaseConfiguration;

@property (nonatomic,readwrite,assign,getter=TLSCiphersuites,setter=setTLSCiphersuites:) NSString* TLSCiphersuites;

- (NSString*)TLSCiphersuites;
- (void)setTLSCiphersuites :(NSString*)newTLSCiphersuites;

@property (nonatomic,readwrite,assign,getter=TLSECCurves,setter=setTLSECCurves:) NSString* TLSECCurves;

- (NSString*)TLSECCurves;
- (void)setTLSECCurves :(NSString*)newTLSECCurves;

@property (nonatomic,readwrite,assign,getter=TLSExtensions,setter=setTLSExtensions:) NSString* TLSExtensions;

- (NSString*)TLSExtensions;
- (void)setTLSExtensions :(NSString*)newTLSExtensions;

@property (nonatomic,readwrite,assign,getter=TLSForceResumeIfDestinationChanges,setter=setTLSForceResumeIfDestinationChanges:) BOOL TLSForceResumeIfDestinationChanges;

- (BOOL)TLSForceResumeIfDestinationChanges;
- (void)setTLSForceResumeIfDestinationChanges :(BOOL)newTLSForceResumeIfDestinationChanges;

@property (nonatomic,readwrite,assign,getter=TLSPreSharedIdentity,setter=setTLSPreSharedIdentity:) NSString* TLSPreSharedIdentity;

- (NSString*)TLSPreSharedIdentity;
- (void)setTLSPreSharedIdentity :(NSString*)newTLSPreSharedIdentity;

@property (nonatomic,readwrite,assign,getter=TLSPreSharedKey,setter=setTLSPreSharedKey:) NSString* TLSPreSharedKey;

- (NSString*)TLSPreSharedKey;
- (void)setTLSPreSharedKey :(NSString*)newTLSPreSharedKey;

@property (nonatomic,readwrite,assign,getter=TLSPreSharedKeyCiphersuite,setter=setTLSPreSharedKeyCiphersuite:) NSString* TLSPreSharedKeyCiphersuite;

- (NSString*)TLSPreSharedKeyCiphersuite;
- (void)setTLSPreSharedKeyCiphersuite :(NSString*)newTLSPreSharedKeyCiphersuite;

@property (nonatomic,readwrite,assign,getter=TLSRenegotiationAttackPreventionMode,setter=setTLSRenegotiationAttackPreventionMode:) int TLSRenegotiationAttackPreventionMode;

- (int)TLSRenegotiationAttackPreventionMode;
- (void)setTLSRenegotiationAttackPreventionMode :(int)newTLSRenegotiationAttackPreventionMode;

@property (nonatomic,readwrite,assign,getter=TLSRevocationCheck,setter=setTLSRevocationCheck:) int TLSRevocationCheck;

- (int)TLSRevocationCheck;
- (void)setTLSRevocationCheck :(int)newTLSRevocationCheck;

@property (nonatomic,readwrite,assign,getter=TLSSSLOptions,setter=setTLSSSLOptions:) int TLSSSLOptions;

- (int)TLSSSLOptions;
- (void)setTLSSSLOptions :(int)newTLSSSLOptions;

@property (nonatomic,readwrite,assign,getter=TLSTLSMode,setter=setTLSTLSMode:) int TLSTLSMode;

- (int)TLSTLSMode;
- (void)setTLSTLSMode :(int)newTLSTLSMode;

@property (nonatomic,readwrite,assign,getter=TLSUseExtendedMasterSecret,setter=setTLSUseExtendedMasterSecret:) BOOL TLSUseExtendedMasterSecret;

- (BOOL)TLSUseExtendedMasterSecret;
- (void)setTLSUseExtendedMasterSecret :(BOOL)newTLSUseExtendedMasterSecret;

@property (nonatomic,readwrite,assign,getter=TLSUseSessionResumption,setter=setTLSUseSessionResumption:) BOOL TLSUseSessionResumption;

- (BOOL)TLSUseSessionResumption;
- (void)setTLSUseSessionResumption :(BOOL)newTLSUseSessionResumption;

@property (nonatomic,readwrite,assign,getter=TLSVersions,setter=setTLSVersions:) int TLSVersions;

- (int)TLSVersions;
- (void)setTLSVersions :(int)newTLSVersions;

 

Default Value

16

Remarks

Use this property to tune up the TLS layer parameters.

Config Method (DCAuth Module)

Sets or retrieves a configuration setting.

Syntax

• Swift
• Objective-C

public func config(configurationString: String) throws -> String

- (NSString*)config:(NSString*)configurationString;

Remarks

Config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

DoAction Method (DCAuth Module)

Performs an additional action.

Syntax

• Swift
• Objective-C

public func doAction(actionID: String, actionParams: String) throws -> String

- (NSString*)doAction:(NSString*)actionID :(NSString*)actionParams;

Remarks

DoAction is a generic method available in every class. It is used to perform an additional action introduced after the product major release. The list of actions is not fixed, and may be flexibly extended over time.

The unique identifier (case insencitive) of the action is provided in the ActionID parameter.

ActionParams contains the value of a single parameter, or a list of multiple parameters for the action in the form of PARAM1=VALUE1;PARAM2=VALUE2;....

ProcessRequest Method (DCAuth Module)

Processes the request.

Syntax

• Swift
• Objective-C

public func processRequest() throws -> Void

- (void)processRequest;

Remarks

Use this method to process the request, sign the hashes, and produce the response. This is the main method of the class. Note that a single request received from the counterparty may contain more than one signature request. This method processes them all, reporting each atomic signature request with SignRequest and SignRequestCompleted events. Before calling this method, make sure you assign the request content to Input. Upon completion, read the response (containing all the signatures) from Output property.

CustomParametersReceived Event (DCAuth Module)

Passes custom request parameters to the application.

Syntax

• Swift
• Objective-C

func onCustomParametersReceived(value: String)

- (void)onCustomParametersReceived:(NSString*)value;

Remarks

This event is only provided for backward compatibility and is not currently used.

Error Event (DCAuth Module)

Reports information about errors during request processing or signing.

Syntax

• Swift
• Objective-C

func onError(errorCode: Int32, description: String)

- (void)onError:(int)errorCode :(NSString*)description;

Remarks

The event is fired if an error occurs during the request processing. Use the ErrorCode and Description parameters to get the details.

ExternalSign Event (DCAuth Module)

Handles remote or external signing initiated by the SignExternal method or other source.

Syntax

• Swift
• Objective-C

func onExternalSign(operationId: String, hashAlgorithm: String, pars: String, methodPars: String, data: String, signedData: inout String)

- (void)onExternalSign:(NSString*)operationId :(NSString*)hashAlgorithm :(NSString*)pars :(NSString*)methodPars :(NSString*)data :(NSString**)signedData;

Remarks

Assign a handler to this event if you need to delegate a low-level signing operation to an external, remote, or custom signing engine. Depending on the settings, the handler will receive a hashed or unhashed value to be signed.

The event handler must pass the value of Data to the signer, obtain the signature, and pass it back to the component via SignedData parameter.

OperationId provides a comment about the operation and its origin. It depends on the exact component being used, and may be empty. HashAlgorithm specifies the hash algorithm being used for the operation, and Pars contain algorithm-dependent parameters.

The component uses base16 (hex) encoding for Data, SignedData, and Pars parameters. If your signing engine uses a different input and output encoding, you may need to decode and/or encode the data before and/or after the signing.

A sample MD5 hash encoded in base16: a0dee2a0382afbb09120ffa7ccd8a152 - lower case base16 A0DEE2A0382AFBB09120FFA7CCD8A152 - upper case base16

A sample event handler that uses a .NET RSACryptoServiceProvider class may look like the following: signer.OnExternalSign += (s, e) => { var cert = new X509Certificate2("cert.pfx", "", X509KeyStorageFlags.Exportable); var key = (RSACryptoServiceProvider)cert.PrivateKey; var dataToSign = e.Data.FromBase16String(); var signedData = key.SignHash(dataToSign, "2.16.840.1.101.3.4.2.1"); e.SignedData = signedData.ToBase16String(); };

The MethodPars parameter contains the method-specific parameters. For example, for PKCS7 requests it contains the requested parameters of the PKCS7 blob.

KeySecretNeeded Event (DCAuth Module)

Requests the key secret from the application.

Syntax

• Swift
• Objective-C

func onKeySecretNeeded(keyId: String, keySecret: inout String)

- (void)onKeySecretNeeded:(NSString*)keyId :(NSString**)keySecret;

Remarks

Subscribe to this event to pass the key secret (a pre-shared request authentication code) to the signing component when it is needed. The authentication combination consists of the KeyId, a non-secret unique key identifier, and the KeySecret, shared by the parties, which should be kept private. This event is an alternative for KeySecret property. Use it when you expect to process requests from requestors with different KeyIds and secrets. If you only expect to receive requests from a single requestor with a known KeyId, providing the key secret via KeyId and KeySecret properties would be an easier route.

Notification Event (DCAuth Module)

This event notifies the application about an underlying control flow event.

Syntax

• Swift
• Objective-C

func onNotification(eventID: String, eventParam: String)

- (void)onNotification:(NSString*)eventID :(NSString*)eventParam;

Remarks

The class fires this event to let the application know about some event, occurrence, or milestone in the component. For example, it may fire to report completion of the document processing. The list of events being reported is not fixed, and may be flexibly extended over time.

The unique identifier of the event is provided in EventID parameter. EventParam contains any parameters accompanying the occurrence. Depending on the type of the component, the exact action it is performing, or the document being processed, one or both may be omitted.

ParameterReceived Event (DCAuth Module)

Passes a standard request parameter to the user code.

Syntax

• Swift
• Objective-C

func onParameterReceived(name: String, value: String)

- (void)onParameterReceived:(NSString*)name :(NSString*)value;

Remarks

This event is only provided for backward compatibility and is not currently used.

SignRequest Event (DCAuth Module)

This event signifies the processing of an atomic signing request.

Syntax

• Swift
• Objective-C

func onSignRequest(method: Int32, hashAlgorithm: String, hash: Data, keyID: String, pars: String, methodPars: String, allow: inout Bool)

- (void)onSignRequest:(int)method :(NSString*)hashAlgorithm :(NSData*)hash :(NSString*)keyID :(NSString*)pars :(NSString*)methodPars :(int*)allow;

Remarks

Subscribe to this event to be notified of every signature request processed by the DC server. Note that any one request coming from the requestor may contain multiple individual signature requests (so-called 'batching'). This event is a good mechanism to track signature requests for accountability purposes, and provide basic access control over the signing operations. The Method parameter specifies the async signing method requested by the client:

The Hash parameter contains the hash, made using HashAlgorithm, that needs to be signed. KeyID contains the key identifier of the requestor.

The Pars string contains a semicolon-separated string of the principal signature parameters. This has the same format and content that is passed to ExternalSign, if it is used. The MethodPars contains a similar parameter string, but for the specific async signing method used. For the PKCS1 method there are no defined method parameters, while the PKCS7 method supports a selection of settings that tune up the CMS blob.

Set Allow to false to stop the request from being served. Use the SignRequestCompleted event to track completion of the initiated operation.

SignRequestCompleted Event (DCAuth Module)

This event signifies completion of the processing of an atomic signing request.

Syntax

• Swift
• Objective-C

func onSignRequestCompleted(method: Int32, hashAlgorithm: String, hash: Data, keyID: String, pars: String, methodPars: String, signature: Data)

- (void)onSignRequestCompleted:(int)method :(NSString*)hashAlgorithm :(NSData*)hash :(NSString*)keyID :(NSString*)pars :(NSString*)methodPars :(NSData*)signature;

Remarks

Use this event to track completion of signing request processing. The Hash parameter contains the hash that is signed, as supplied by the requestor, and the Signature parameter contains the resulting cryptographic signature. The KeyID parameter matches the parameter in SignRequest event.

TimestampRequest Event (DCAuth Module)

Fires when the component is ready to request a timestamp from an external TSA.

Syntax

• Swift
• Objective-C

func onTimestampRequest(tsa: String, timestampRequest: String, timestampResponse: inout String, suppressDefault: inout Bool)

- (void)onTimestampRequest:(NSString*)TSA :(NSString*)timestampRequest :(NSString**)timestampResponse :(int*)suppressDefault;

Remarks

Subscribe to this event to be intercept timestamp requests. You can use it to override timestamping requests and perform them in your code.

The TSA parameter indicates the timestamping service being used. It matches the value passed to TimestampServer property. Set SuppressDefault parameter to false if you would like to stop the built-in TSA request from going ahead. The built-in TSA request is also not performed if the returned TimestampResponse parameter is not empty.

TLSCertNeeded Event (DCAuth Module)

Fires when a remote TLS party requests a client certificate.

Syntax

• Swift
• Objective-C

func onTLSCertNeeded(host: String, caNames: String)

- (void)onTLSCertNeeded:(NSString*)host :(NSString*)CANames;

Remarks

This event fires to notify the implementation that a remote TLS server has requested a client certificate. The Host parameter identifies the host that makes a request, and the CANames (optional, according to the TLS spec) advises on the accepted issuing CAs.

Use the TLSClientChain property in response to this event to provide the requested certificate. Please make sure the client certificate includes the associated private key. Note that you may set the certificates before the connection without waiting for this event to fire.

This event is preceded by the TLSHandshake event for the given host and, if the certificate was accepted, succeeded by the TLSEstablished event.

TLSCertValidate Event (DCAuth Module)

This event is fired upon receipt of the TLS server's certificate, allowing the user to control its acceptance.

Syntax

• Swift
• Objective-C

func onTLSCertValidate(serverHost: String, serverIP: String, accept: inout Bool)

- (void)onTLSCertValidate:(NSString*)serverHost :(NSString*)serverIP :(int*)accept;

Remarks

This event is fired during a TLS handshake. Use TLSServerChain property to access the certificate chain. In general case, components may contact a number of TLS endpoints during their work, depending on their configuration.

Accept is assigned in accordance with the outcome of the internal validation check performed by the component, and can be adjusted if needed.

TLSEstablished Event (DCAuth Module)

Fires when a TLS handshake with Host successfully completes.

Syntax

• Swift
• Objective-C

func onTLSEstablished(host: String, version: String, ciphersuite: String, connectionId: Data, abort: inout Bool)

- (void)onTLSEstablished:(NSString*)host :(NSString*)version :(NSString*)ciphersuite :(NSData*)connectionId :(int*)abort;

Remarks

The class uses this event to notify the application about successful completion of a TLS handshake.

The Version, Ciphersuite, and ConnectionId parameters indicate security parameters of the new connection. Use the Abort parameter if you need to terminate the connection at this stage.

TLSHandshake Event (DCAuth Module)

Fires when a new TLS handshake is initiated, before the handshake commences.

Syntax

• Swift
• Objective-C

func onTLSHandshake(host: String, abort: inout Bool)

- (void)onTLSHandshake:(NSString*)host :(int*)abort;

Remarks

The class uses this event to notify the application about the start of a new TLS handshake to Host. If the handshake is successful, this event will be followed with TLSEstablished event. If the server chooses to request a client certificate, TLSCertNeeded event will also be fired.

TLSShutdown Event (DCAuth Module)

Reports the graceful closure of a TLS connection.

Syntax

• Swift
• Objective-C

func onTLSShutdown(host: String)

- (void)onTLSShutdown:(NSString*)host;

Remarks

This event notifies the application about the closure of an earlier established TLS connection. Note that only graceful connection closures are reported.

Certificate Type

Provides details of an individual X.509 certificate.

Remarks

This type provides access to X.509 certificate details.

Fields

Constructors

public init(stream: )

Loads the X.509 certificate from a stream. Stream is a stream containing the certificate data.

public init()

Creates a new object with default field values.

ExternalCrypto Type

Specifies the parameters of external cryptographic calls.

Remarks

External cryptocalls are used in a Distributed Cryptography (DC) subsystem, which allows the delegation of security operations to the remote agent. For instance, it can be used to compute the signature value on the server, while retaining the client's private key locally.

Fields

Constructors

public init()

Creates a new ExternalCrypto object with default field values.

ProxySettings Type

A container for proxy server settings.

Remarks

This type exposes a collection of properties for tuning up the proxy server configuration.

Fields

Constructors

public init()

Creates a new ProxySettings object.

SocketSettings Type

A container for the socket settings.

Remarks

This type is a container for socket-layer parameters.

Fields

Constructors

public init()

Creates a new SocketSettings object.

TLSSettings Type

A container for TLS connection settings.

Remarks

TLS (Transport Layer Security) protocol provides security for information exchanged over insecure connections such as TCP/IP.

Fields

Constructors

public init()

Creates a new TLSSettings object.

Config Settings (DCAuth Module)

DCAuth Config Settings

Base Config Settings

Trappable Errors (DCAuth Module)