CAdESVerifier Component

Properties   Methods   Events   Config Settings   Errors  

The CAdESVerifier component is used to validate CAdES signatures.

Syntax

nsoftware.SecureBlackbox.CAdESVerifier

Remarks

CAdESVerifier validates electronic signatures that comply with the Electronic Signatures and Infrastructures (ESI) CMS Advanced Electronic Signatures (CAdES) specification. CAdESVerifier verifier = new CAdESVerifier(); // Select the file which contains the signed message verifier.setInputFile("signedFile.scs"); if (verifier.isDetached()){ // To verify a detached signature, we need // to provide both the signature and the original data verifier.setDataFile("MyExe.exe"); verifier.verify(); } else { // To verify an enveloping signature, we need // to provide the location to extract the data verifier.setOutputFile("output.exe"); verifier.verify(); } // The outcome of the cryptographic signature validation for (int idx = 0; idx < verifier.getSignatures().size() ; idx++) { switch (verifier.getSignatures().item(idx).getSignatureValidationResult()) { case CAdESSignature.svtValid: System.out.println("The signature is valid."); break; case CAdESSignature.svtUnknown: System.out.println("Signature verification failed: Unknown signature."); break; case CAdESSignature.svtFailure: case CAdESSignature.svtCorrupted: System.out.println("Signature verification failed: The signature is corrupt or invalid."); break; case CAdESSignature.svtSignerNotFound: System.out.println("Signature verification failed: The signature does not contain a signer."); break; default: System.out.println("Signature verification failed."); break; } }

Property List


The following is the full list of the properties of the component with short descriptions. Click on the links for further details.

AllSignaturesValidThe cumulative validity of all signatures.
AutoValidateSignaturesSpecifies whether CAdESVerifier should validate any present signatures when the document is opened.
BlockedCertificatesThe certificates that must be rejected as trust anchors.
CertificatesA collection of certificates included in the electronic signature.
CheckTrustedListsSpecifies whether the component should attempt to validate chain trust via a known Trusted List.
CRLsA collection of certificate revocation lists embedded into the signature by the signer.
DataBytesUse this property to pass the signed data to component in the byte array form.
DataFileA path to the file containing the originally signed data.
DataIsHashSpecifies whether the data source contains the hash of the data or the actual data.
DataStreamA stream containing the originally signed data.
DetachedSpecifies whether a detached signature should be produced or verified.
ExtractContentSpecifies whether a message content should be extracted.
FIPSModeReserved.
IgnoreChainValidationErrorsMakes the component tolerant to chain validation errors.
InputBytesUse this property to pass the input to component in byte array form.
InputFileA path to the file containing the signature blob.
InputStreamA stream containing the signature blob.
KnownCertificatesAdditional certificates for chain validation.
KnownCRLsAdditional CRLs for chain validation.
KnownOCSPsAdditional OCSP responses for chain validation.
OCSPsA collection of OCSP responses embedded into the signature.
OfflineModeSwitches the component to offline mode.
OutputBytesUse this property to read the output the component object has produced.
OutputFileA path to the file to write the extracted data to.
OutputStreamA stream where the verified and extracted data should be saved.
ProfileSpecifies a pre-defined profile to apply when creating the signature.
ProxyThe proxy server settings.
RevocationCheckSpecifies the kind(s) of revocation check to perform for all chain certificates.
SignaturesContains the list of signatures included in the CAdES signature.
SignedAttributesCustom signature attributes that are covered by the electronic signature.
SocketSettingsManages network connection settings.
TimestampsContains a collection of timestamps for the processed document.
TLSClientChainThe TLS client certificate chain.
TLSServerChainThe TLS server's certificate chain.
TLSSettingsManages TLS layer settings.
TrustedCertificatesA list of trusted certificates for chain validation.
UnsignedAttributesCustom unsigned attributes included in the electronic signature.
ValidationMomentThe time point at which signature validity is to be established.

Method List


The following is the full list of the methods of the component with short descriptions. Click on the links for further details.

CloseCloses an opened container.
ConfigSets or retrieves a configuration setting.
DoActionPerforms an additional action.
OpenOpens an existing container for signing or updating.
ResetResets the component settings.
RevalidateRevalidates a signature in accordance with current settings.
SelectInfoSelect signature information for a specific entity.
UnsignDeletes a signature from the CAdES signature.
VerifyVerifies a digitally signed CAdES message.

Event List


The following is the full list of the events fired by the component with short descriptions. Click on the links for further details.

ChainElementDownloadFires when there is a need to download a chain element from an online source.
ChainElementNeededFires when an element required to validate the chain was not located.
ChainValidatedReports the completion of a certificate chain validation.
ChainValidationProgressThis event is fired multiple times during chain validation to report various stages of the validation procedure.
ErrorInformation about errors during CAdES verification.
LoadedThis event is fired when the CAdES signature has been loaded into memory.
NotificationThis event notifies the application about an underlying control flow event.
SignatureFoundSignifies the start of signature validation.
SignatureValidatedMarks the completion of the signature validation routine.
TimestampFoundSignifies the start of a timestamp validation routine.
TimestampValidatedReports the completion of the timestamp validation routine.
TLSCertNeededFires when a remote TLS party requests a client certificate.
TLSCertValidateThis event is fired upon receipt of the TLS server's certificate, allowing the user to control its acceptance.
TLSEstablishedFires when a TLS handshake with Host successfully completes.
TLSHandshakeFires when a new TLS handshake is initiated, before the handshake commences.
TLSShutdownReports the graceful closure of a TLS connection.

Config Settings


The following is a list of config settings for the component with short descriptions. Click on the links for further details.

AddReferencesToAllUsedCertsAndRevInfoWhether to include all certificates and revocation references in CompleteCertificateRefs attribute.
AddReferencesToIrrevocableCertsWhether references to irrevocable certificates should be included in CompleteCertificateRefs attribute.
AddReferenceToSigningCertWhether a reference to the signing certificate should be included in CompleteCertificateRefs attribute.
AllowPartialValidationInfoWhether to allow for missing validation info.
AsyncDocumentIDSpecifies the document ID for SignAsyncEnd() call.
ChainCurrentCACertReturns the current CA certificate.
ChainCurrentCertReturns the certificate that is currently being validated.
ChainCurrentCRLReturns the current CRL.
ChainCurrentCRLSizeReturns the size of the current CRL.
ChainCurrentOCSPReturns the current OCSP response.
ChainCurrentOCSPSignerReturns the signer of the current OCSP object.
ChainInterimDetailsReturns the current interim validation details.
ChainInterimResultReturns the current interim validation result.
CheckValidityPeriodForTrustedWhether to check validity period for trusted certificates.
CmsOptAnnexKArchiveTimestampV2ModeToggles use of Annex K method of calculating validation timestamp hashes.
CmsOptCheckATSHashIndexElementsEnables extra checks when processing ATSHashIndex attribute.
CmsOptCompareRDNAsStringsEnforces comparison of RDN elements as text strings, rather than their byte encodings.
CmsOptDEREncodeContentForATSv2Enables DER encoding for ATSv2 hashed content.
CmsOptDigitPADSSCompatibilityEnables Digit PADSS compatibility mode.
CmsOptForceSigningCertificateV2UsageEnforces use of signing-certificate-v2 attribute.
CmsOptIgnoreDERReqInArchiveTimestampsSwitches off DER encoding requirement for archival timestamps.
CmsOptImzagerMIMCompatibilityEnables Imzager MIM compatibility mode.
CmsOptIncludeCertToAttributesRegulates whether to include the signing certificate to the signature as the signing-certificate attribute.
CmsOptIncludeCertToMessageRegulates whether to include the signing certificate and its chain to the CMS.
CmsOptInsertContentTypeRegulates whether the content-type time attribute should be included in the signature structure.
CmsOptInsertMessageDigestsRegulates whether the message-digest signed attribute should be included in the signature structure.
CmsOptInsertSigningTimeRegulates whether the signing-time attribute should be included in the signature structure.
CmsOptSkipEnvContentInfoOnSigArchivalExcludes hashing of enveloped content when calculating an archival timestamp.
CmsOptUseATSHashIndexV1Enables use of ATSHashIndexV1 attribute.
CmsOptUseATSHashIndexV3Enables the use of the third version of archival timestamps.
CmsOptUseGeneralizedTimeFormatEnables or disables encoding of the signing-time attribute using ASN.1 GENERALIZEDTIME type.
CmsOptUseGenericSigAlgorithmOIDsEnables use of generic signature algorithm OIDs in the signature.
CmsOptUsePlainContentForTimestampHashesMakes CAdESSigner ignore ASN.1 content formatting when calculating timestamp hashes.
ContentTypeThe content type of the CMS message.
CustomTrustedListsSpecifies the custom TrustedLists.
CustomTSLsSpecifies the custom TrustedLists.
DeepCountersignatureValidationWhether to validate countersignatures.
DeepTimestampValidationWhether to perform deep validation of all timestamps.
DislikeOpenEndedOCSPsTells the component to discourage OCSP responses without an explicit NextUpdate parameter.
ForceCompleteChainValidationWhether to check the CA certificates when the signing certificate is invalid.
ForceCompleteChainValidationForTrustedWhether to continue with the full validation up to the root CA certificate for mid-level trust anchors.
GracePeriodSpecifies a grace period to apply during revocation information checks.
IgnoreChainLoopsWhether chain loops should be ignored.
IgnoreChainValidationErrorsWhether to ignore any certificate chain validation issues.
IgnoreOCSPNoCheckExtensionWhether the OCSP NoCheck extension should be ignored.
IgnoreSystemTrustWhether trusted Windows Certificate Stores should be treated as trusted.
ImplicitlyTrustSelfSignedCertificatesWhether to trust self-signed certificates.
PolicyDescriptionsignature policy description.
PolicyDescriptionsignature policy description.
PolicyExplicitTextThe explicit text of the user notice.
PolicyExplicitTextThe explicit text of the user notice.
PolicyUNNumbersThe noticeNumbers part of the NoticeReference CAdES attribute.
PolicyUNNumbersThe noticeNumbers part of the NoticeReference CAdES attribute.
PolicyUNOrganizationThe organization part of the NoticeReference qualifier.
PolicyUNOrganizationThe organization part of the NoticeReference qualifier.
ProductionPlaceIdentifies the place of the signature production.
ProductionPlaceIdentifies the place of the signature production.
PromoteLongOCSPResponsesWhether long OCSP responses are requested.
PSSUsedWhether to use RSASSA-PSS algorithm.
PSSUsedWhether to use RSASSA-PSS algorithm.
ReportInvalidTimestampsWhether to raise errors for invalid timestamps.
SchemeParamsThe algorithm scheme parameters to employ.
SigPolicyDescriptionsignature policy description.
SigPolicyDescriptionsignature policy description.
SigPolicyExplicitTextThe explicit text of the user notice.
SigPolicyExplicitTextThe explicit text of the user notice.
SigPolicyHashThe EPES policy hash.
SigPolicyHashThe EPES policy hash.
SigPolicyHashAlgorithmThe hash algorithm that was used to generate the EPES policy hash.
SigPolicyHashAlgorithmThe hash algorithm that was used to generate the EPES policy hash.
SigPolicyIDThe EPES policy ID.
SigPolicyIDThe EPES policy ID.
SigPolicyNoticeNumbersThe noticeNumbers part of the NoticeReference CAdES attribute.
SigPolicyNoticeNumbersThe noticeNumbers part of the NoticeReference CAdES attribute.
SigPolicyNoticeOrganizationThe organization part of the NoticeReference qualifier.
SigPolicyNoticeOrganizationThe organization part of the NoticeReference qualifier.
SigPolicyURIThe EPES policy URI.
SigPolicyURIThe EPES policy URI.
SkipValidationTimestampedSignaturesWhether to validate signatures with validation timestamps.
SuppressValuesInCMakes CAdESSigner not add certificate and revocation values to its C-level signatures.
TempPathPath for storing temporary files.
TimestampResponseA base16-encoded timestamp response received from a TSA.
TLSChainValidationDetailsContains the advanced details of the TLS server certificate validation.
TLSChainValidationResultContains the result of the TLS server certificate validation.
TLSClientAuthRequestedIndicates whether the TLS server requests client authentication.
TLSValidationLogContains the log of the TLS server certificate validation.
TolerateMinorChainIssuesWhether to tolerate minor chain issues.
TspAttemptCountSpecifies the number of timestamping request attempts.
TspHashAlgorithmSets a specific hash algorithm for use with the timestamping service.
TspReqPolicySets a request policy ID to include in the timestamping request.
UseArchivalTimestampV3Whether to stick to archival timestamp V3 in the new signatures.
UseDefaultTrustedListsEnables or disables the use of the default TrustedLists.
UseDefaultTSLsEnables or disables the use of the default TrustedLists.
UseMicrosoftCTLEnables or disables the automatic use of the Microsoft online certificate trust list.
UsePSSWhether to use RSASSA-PSS algorithm.
UsePSSWhether to use RSASSA-PSS algorithm.
UseSystemCertificatesEnables or disables the use of the system certificates.
UseUndefSizeToggles the use of indefinite/definite ASN.1 tag length encoding.
UseValidationCacheEnables or disable the use of the product-wide certificate chain validation cache.
UseValidatorSettingsForTLSValidationWhether to employ the primary chain validator setup for auxiliary TLS chain validations.
ASN1UseGlobalTagCacheControls whether ASN.1 module should use a global object cache.
AssignSystemSmartCardPinsSpecifies whether CSP-level PINs should be assigned to CNG keys.
CheckKeyIntegrityBeforeUseEnables or disable private key integrity check before use.
CookieCachingSpecifies whether a cookie cache should be used for HTTP(S) transports.
CookiesGets or sets local cookies for the component.
DefDeriveKeyIterationsSpecifies the default key derivation algorithm iteration count.
DNSLocalSuffixThe suffix to assign for TLD names.
EnableClientSideSSLFFDHEEnables or disables finite field DHE key exchange support in TLS clients.
GlobalCookiesGets or sets global cookies for all the HTTP transports.
HardwareCryptoUsePolicyThe hardware crypto usage policy.
HttpUserAgentSpecifies the user agent name to be used by all HTTP clients.
HttpVersionThe HTTP version to use in any inner HTTP client components created.
IgnoreExpiredMSCTLSigningCertWhether to tolerate the expired Windows Update signing certificate.
ListDelimiterThe delimiter character for multi-element lists.
LogDestinationSpecifies the debug log destination.
LogDetailsSpecifies the debug log details to dump.
LogFileSpecifies the debug log filename.
LogFiltersSpecifies the debug log filters.
LogFlushModeSpecifies the log flush mode.
LogLevelSpecifies the debug log level.
LogMaxEventCountSpecifies the maximum number of events to cache before further action is taken.
LogRotationModeSpecifies the log rotation mode.
MaxASN1BufferLengthSpecifies the maximal allowed length for ASN.1 primitive tag data.
MaxASN1TreeDepthSpecifies the maximal depth for processed ASN.1 trees.
OCSPHashAlgorithmSpecifies the hash algorithm to be used to identify certificates in OCSP requests.
OldClientSideRSAFallbackSpecifies whether the SSH client should use a SHA1 fallback.
ProductVersionReturns the version of the SecureBlackbox library.
ServerSSLDHKeyLengthSets the size of the TLS DHE key exchange group.
StaticDNSSpecifies whether static DNS rules should be used.
StaticIPAddress[domain]Gets or sets an IP address for the specified domain name.
StaticIPAddressesGets or sets all the static DNS rules.
TagAllows to store any custom data.
TLSSessionGroupSpecifies the group name of TLS sessions to be used for session resumption.
TLSSessionLifetimeSpecifies lifetime in seconds of the cached TLS session.
TLSSessionPurgeIntervalSpecifies how often the session cache should remove the expired TLS sessions.
UseInternalRandomSwitches between SecureBlackbox-own and platform PRNGs.
UseLegacyAdESValidationEnables legacy AdES validation mode.
UseOwnDNSResolverSpecifies whether the client components should use own DNS resolver.
UseSharedSystemStoragesSpecifies whether the validation engine should use a global per-process copy of the system certificate stores.
UseSystemNativeSizeCalculationAn internal CryptoAPI access tweak.
UseSystemOAEPAndPSSEnforces or disables the use of system-driven RSA OAEP and PSS computations.
UseSystemRandomEnables or disables the use of the OS PRNG.

AllSignaturesValid Property (CAdESVerifier Component)

The cumulative validity of all signatures.

Syntax

public bool AllSignaturesValid { get; }
Public ReadOnly Property AllSignaturesValid As Boolean

Default Value

False

Remarks

Use this property to check if all the signatures found in the message or document are valid.

This property is read-only and not available at design time.

AutoValidateSignatures Property (CAdESVerifier Component)

Specifies whether CAdESVerifier should validate any present signatures when the document is opened.

Syntax

public bool AutoValidateSignatures { get; set; }
Public Property AutoValidateSignatures As Boolean

Default Value

True

Remarks

This setting is switched on by default. You can choose to set this property to false in order to validate the signatures manually on a later stage using the Revalidate method.

BlockedCertificates Property (CAdESVerifier Component)

The certificates that must be rejected as trust anchors.

Syntax

public CertificateList BlockedCertificates { get; }
Public Property BlockedCertificates As CertificateList

Remarks

Use this property to provide a list of compromised or blocked certificates. Any chain containing a blocked certificate will fail validation.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

Certificates Property (CAdESVerifier Component)

A collection of certificates included in the electronic signature.

Syntax

public CertificateList Certificates { get; }
Public ReadOnly Property Certificates As CertificateList

Remarks

This property includes a collection of certificates of the currently selected info.

This collection is indexed from 0 to count -1.

This property is read-only and not available at design time.

Please refer to the Certificate type for a complete list of fields.

CheckTrustedLists Property (CAdESVerifier Component)

Specifies whether the component should attempt to validate chain trust via a known Trusted List.

Syntax

public bool CheckTrustedLists { get; set; }
Public Property CheckTrustedLists As Boolean

Default Value

False

Remarks

Set this property to true to enable the component to validate chain trust against an internal list of known Trusted Lists (such as EUTL).

CRLs Property (CAdESVerifier Component)

A collection of certificate revocation lists embedded into the signature by the signer.

Syntax

public CRLList CRLs { get; }
Public ReadOnly Property CRLs As CRLList

Remarks

Use this property to access the CRLs embedded into the signature by the signer.

This property is read-only and not available at design time.

Please refer to the CRL type for a complete list of fields.

DataBytes Property (CAdESVerifier Component)

Use this property to pass the signed data to component in the byte array form.

Syntax

public byte[] DataBytes { get; set; }
Public Property DataBytes As Byte()

Remarks

Assign a byte array containing the original signed data to this property.

This property is not available at design time.

DataFile Property (CAdESVerifier Component)

A path to the file containing the originally signed data.

Syntax

public string DataFile { get; set; }
Public Property DataFile As String

Default Value

""

Remarks

Use this property when working with detached signatures to provide the original signed input. Alternatively, use DataStream to provide in-memory data.

DataIsHash Property (CAdESVerifier Component)

Specifies whether the data source contains the hash of the data or the actual data.

Syntax

public bool DataIsHash { get; set; }
Public Property DataIsHash As Boolean

Default Value

False

Remarks

Use this property to tell the component whether the data source contains the actual data or its hash.

This property is not available at design time.

DataStream Property (CAdESVerifier Component)

A stream containing the originally signed data.

Syntax

public System.IO.Stream DataStream { get; set; }
Public Property DataStream As System.IO.Stream

Default Value

null

Remarks

Use this property when working with detached signatures to provide the original signed input. Alternatively, use DataFile to provide the data in a file.

This property is not available at design time.

Detached Property (CAdESVerifier Component)

Specifies whether a detached signature should be produced or verified.

Syntax

public bool Detached { get; set; }
Public Property Detached As Boolean

Default Value

False

Remarks

Use this property to specify whether a detached signature should be produced or verified.

When this property is set to "true" value, the data will be detached from the signature.

If this property is set to "true" value, the user must provide the detached content via the DataFile or DataStream or DataBytes properties.

When Detached is set to "false" value, the data is included with the signature.

ExtractContent Property (CAdESVerifier Component)

Specifies whether a message content should be extracted.

Syntax

public bool ExtractContent { get; set; }
Public Property ExtractContent As Boolean

Default Value

False

Remarks

Use this property to specify whether a message content should be extracted when a signature is loaded. This applies only to non-detached signatures with embedded data.

When this property is set to "true" value, the message content will be extracted from the signature.

The user must provide the OutputFile or OutputStream properties with a filename or stream where to save the message content, if none is provided then message content is returned via OutputBytes property.

FIPSMode Property (CAdESVerifier Component)

Reserved.

Syntax

public bool FIPSMode { get; set; }
Public Property FIPSMode As Boolean

Default Value

False

Remarks

This property is reserved for future use.

IgnoreChainValidationErrors Property (CAdESVerifier Component)

Makes the component tolerant to chain validation errors.

Syntax

public bool IgnoreChainValidationErrors { get; set; }
Public Property IgnoreChainValidationErrors As Boolean

Default Value

False

Remarks

If this property is set to True, any errors emerging during certificate chain validation will be ignored. This setting may be handy if the purpose of validation is the creation of an LTV signature, and the validation is performed in an environment that doesn't trust the signer's certificate chain.

InputBytes Property (CAdESVerifier Component)

Use this property to pass the input to component in byte array form.

Syntax

public byte[] InputBytes { get; set; }
Public Property InputBytes As Byte()

Remarks

Assign a byte array containing the data to be processed to this property.

This property is not available at design time.

InputFile Property (CAdESVerifier Component)

A path to the file containing the signature blob.

Syntax

public string InputFile { get; set; }
Public Property InputFile As String

Default Value

""

Remarks

Use this property to provide a path to the file containing the CAdES signature blob. If verifying detached signatures, use DataStream or DataFile to also supply the original data that was signed.

InputStream Property (CAdESVerifier Component)

A stream containing the signature blob.

Syntax

public System.IO.Stream InputStream { get; set; }
Public Property InputStream As System.IO.Stream

Default Value

null

Remarks

Use this property to provide the signature blob to the component. If verifying detached signatures, remember to also supply the data that was signed via DataStream or DataFile properties.

This property is not available at design time.

KnownCertificates Property (CAdESVerifier Component)

Additional certificates for chain validation.

Syntax

public CertificateList KnownCertificates { get; }
Public Property KnownCertificates As CertificateList

Remarks

Use this property to supply a list of additional certificates that might be needed for chain validation. An example of a scenario where you might want to do that is when intermediary CA certificates are absent from the standard system locations (or when there are no standard system locations), and therefore should be supplied to the component manually.

The purpose of the certificates to be added to this collection is roughly equivalent to that of the Intermediate Certification Authorities system store in Windows.

Do not add trust anchors or root certificates to this collection: add them to TrustedCertificates instead.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

KnownCRLs Property (CAdESVerifier Component)

Additional CRLs for chain validation.

Syntax

public CRLList KnownCRLs { get; }
Public Property KnownCRLs As CRLList

Remarks

Use this property to supply additional CRLs that might be needed for chain validation. This property may be helpful when a chain is validated in offline mode, and the associated CRLs are stored separately from the signed message or document.

This property is not available at design time.

Please refer to the CRL type for a complete list of fields.

KnownOCSPs Property (CAdESVerifier Component)

Additional OCSP responses for chain validation.

Syntax

public OCSPResponseList KnownOCSPs { get; }
Public Property KnownOCSPs As OCSPResponseList

Remarks

Use this property to supply additional OCSP responses that might be needed for chain validation. This property may be helpful when a chain is validated in offline mode, and the associated OCSP responses are stored separately from the signed message or document.

This property is not available at design time.

Please refer to the OCSPResponse type for a complete list of fields.

OCSPs Property (CAdESVerifier Component)

A collection of OCSP responses embedded into the signature.

Syntax

public OCSPResponseList OCSPs { get; }
Public ReadOnly Property OCSPs As OCSPResponseList

Remarks

Use this property to access the OCSP responses embedded into the signature by its creator.

This property is read-only and not available at design time.

Please refer to the OCSPResponse type for a complete list of fields.

OfflineMode Property (CAdESVerifier Component)

Switches the component to offline mode.

Syntax

public bool OfflineMode { get; set; }
Public Property OfflineMode As Boolean

Default Value

False

Remarks

When working in offline mode, the component restricts itself from using any online revocation information sources, such as CRL or OCSP responders.

Offline mode may be useful if there is a need to verify the completeness of the validation information included within the signature or provided via KnownCertificates, KnownCRLs, and other related properties.

OutputBytes Property (CAdESVerifier Component)

Use this property to read the output the component object has produced.

Syntax

public byte[] OutputBytes { get; }
Public ReadOnly Property OutputBytes As Byte()

Remarks

Read the contents of this property after the operation has completed to read the produced output. This property will only be set if the OutputFile and OutputStream properties had not been assigned.

This property is read-only and not available at design time.

OutputFile Property (CAdESVerifier Component)

A path to the file to write the extracted data to.

Syntax

public string OutputFile { get; set; }
Public Property OutputFile As String

Default Value

""

Remarks

Use this property to provide a file name to save the data extracted from the enveloping signature.

OutputStream Property (CAdESVerifier Component)

A stream where the verified and extracted data should be saved.

Syntax

public System.IO.Stream OutputStream { get; set; }
Public Property OutputStream As System.IO.Stream

Default Value

null

Remarks

Use this property to specify a stream to write the data extracted from the enveloping signature to.

This property is not available at design time.

Profile Property (CAdESVerifier Component)

Specifies a pre-defined profile to apply when creating the signature.

Syntax

public string Profile { get; set; }
Public Property Profile As String

Default Value

""

Remarks

Advanced signatures come in many variants, which are often defined by parties that needs to process them or by local standards. SecureBlackbox profiles are sets of pre-defined configurations which correspond to particular signature variants. By specifying a profile, you are pre-configuring the component to make it produce the signature that matches the configuration corresponding to that profile.

Proxy Property (CAdESVerifier Component)

The proxy server settings.

Syntax

public ProxySettings Proxy { get; }
Public ReadOnly Property Proxy As ProxySettings

Remarks

Use this property to tune up the proxy server settings.

This property is read-only.

Please refer to the ProxySettings type for a complete list of fields.

RevocationCheck Property (CAdESVerifier Component)

Specifies the kind(s) of revocation check to perform for all chain certificates.

Syntax

public CAdESVerifierRevocationChecks RevocationCheck { get; set; }

enum CAdESVerifierRevocationChecks { crcNone, crcAuto, crcAllCRL, crcAllOCSP, crcAllCRLAndOCSP, crcAnyCRL, crcAnyOCSP, crcAnyCRLOrOCSP, crcAnyOCSPOrCRL }
Public Property RevocationCheck As CadesverifierRevocationChecks

Enum CAdESVerifierRevocationChecks crcNone crcAuto crcAllCRL crcAllOCSP crcAllCRLAndOCSP crcAnyCRL crcAnyOCSP crcAnyCRLOrOCSP crcAnyOCSPOrCRL End Enum

Default Value

1

Remarks

Revocation checking is necessary to ensure the integrity of the chain and obtain up-to-date certificate validity and trustworthiness information.

Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responses serve the same purpose of ensuring that the certificate had not been revoked by the Certificate Authority (CA) at the time of use. Depending on your circumstances and security policy requirements, you may want to use either one or both of the revocation information source types.

crcNone0No revocation checking.
crcAuto1Automatic mode selection. Currently this maps to crcAnyOCSPOrCRL, but it may change in the future.
crcAllCRL2All provided CRL endpoints will be checked, and all checks must succeed.
crcAllOCSP3All provided OCSP endpoints will be checked, and all checks must succeed.
crcAllCRLAndOCSP4All provided CRL and OCSP endpoints will be checked, and all checks must succeed.
crcAnyCRL5All provided CRL endpoints will be checked, and at least one check must succeed.
crcAnyOCSP6All provided OCSP endpoints will be checked, and at least one check must succeed.
crcAnyCRLOrOCSP7All provided CRL and OCSP endpoints will be checked, and at least one check must succeed. CRL endpoints are checked first.
crcAnyOCSPOrCRL8All provided CRL and OCSP endpoints will be checked, and at least one check must succeed. OCSP endpoints are checked first.

This setting controls the way the revocation checks are performed for every certificate in the chain. Typically certificates come with two types of revocation information sources: CRL (certificate revocation lists) and OCSP responders. CRLs are static objects periodically published by the CA at some online location. OCSP responders are active online services maintained by the CA that can provide up-to-date information on certificate statuses in near real time.

There are some conceptual differences between the two. CRLs are normally larger in size. Their use involves some latency because there is normally some delay between the time when a certificate was revoked and the time the subsequent CRL mentioning that is published. The benefits of CRL is that the same object can provide statuses for all certificates issued by a particular CA, and that the whole technology is much simpler than OCSP (and thus is supported by more CAs).

This setting lets you adjust the validation course by including or excluding certain types of revocation sources from the validation process. The crcAnyOCSPOrCRL setting (give preference to the faster OCSP route and only demand one source to succeed) is a good choice for most typical validation environments. The "crcAll*" modes are much stricter, and may be used in scenarios where bulletproof validity information is essential.

Note: If no CRL or OCSP endpoints are provided by the CA, the revocation check will be considered successful. This is because the CA chose not to supply revocation information for its certificates, meaning they are considered irrevocable.

Note: Within each of the above settings, if any retrieved CRL or OCSP response indicates that the certificate has been revoked, the revocation check fails.

Signatures Property (CAdESVerifier Component)

Contains the list of signatures included in the CAdES signature.

Syntax

public CAdESSignatureList Signatures { get; }
Public ReadOnly Property Signatures As CAdESSignatureList

Remarks

Use this property to access all signatures in the CAdES signature.

This property is read-only and not available at design time.

Please refer to the CAdESSignature type for a complete list of fields.

SignedAttributes Property (CAdESVerifier Component)

Custom signature attributes that are covered by the electronic signature.

Syntax

public SignatureAttributeList SignedAttributes { get; }
Public ReadOnly Property SignedAttributes As SignatureAttributeList

Remarks

Signature attributes are used to store auxiliary information in the signature. Values included as signed attributes are covered by the signature.

This property is read-only and not available at design time.

Please refer to the SignatureAttribute type for a complete list of fields.

SocketSettings Property (CAdESVerifier Component)

Manages network connection settings.

Syntax

public SocketSettings SocketSettings { get; }
Public ReadOnly Property SocketSettings As SocketSettings

Remarks

Use this property to tune up network connection parameters.

This property is read-only.

Please refer to the SocketSettings type for a complete list of fields.

Timestamps Property (CAdESVerifier Component)

Contains a collection of timestamps for the processed document.

Syntax

public TimestampInfoList Timestamps { get; }
Public ReadOnly Property Timestamps As TimestampInfoList

Remarks

Use this property to access the timestamps included in the processed document.

This property is read-only and not available at design time.

Please refer to the TimestampInfo type for a complete list of fields.

TLSClientChain Property (CAdESVerifier Component)

The TLS client certificate chain.

Syntax

public CertificateList TLSClientChain { get; }
Public Property TLSClientChain As CertificateList

Remarks

Assign a certificate chain to this property to enable TLS client authentication in the component. Note that the client's end-entity certificate should have a private key associated with it.

Use the CertificateStorage or CertificateManager components to import the certificate from a file, system store, or PKCS11 device.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

TLSServerChain Property (CAdESVerifier Component)

The TLS server's certificate chain.

Syntax

public CertificateList TLSServerChain { get; }
Public ReadOnly Property TLSServerChain As CertificateList

Remarks

Use this property to access the certificate chain sent by the TLS server. This property is ready to read when the TLSCertValidate event is fired by the client component.

This property is read-only and not available at design time.

Please refer to the Certificate type for a complete list of fields.

TLSSettings Property (CAdESVerifier Component)

Manages TLS layer settings.

Syntax

public TLSSettings TLSSettings { get; }
Public ReadOnly Property TLSSettings As TLSSettings

Remarks

Use this property to tune up the TLS layer parameters.

This property is read-only.

Please refer to the TLSSettings type for a complete list of fields.

TrustedCertificates Property (CAdESVerifier Component)

A list of trusted certificates for chain validation.

Syntax

public CertificateList TrustedCertificates { get; }
Public Property TrustedCertificates As CertificateList

Remarks

Use this property to supply a list of trusted certificates that might be needed for chain validation. An example of a scenario where you might want to do that is when root CA certificates are absent from the standard system locations (or when there are no standard system locations), and therefore should be supplied to the component manually.

The purpose of this certificate collection is largely the same as that of the Windows Trusted Root Certification Authorities system store.

Use this property with extreme care as it directly affects chain verifiability; a wrong certificate added to the trusted list may result in bad chains being accepted, and forfeited signatures being recognized as genuine. Only add certificates that originate from the parties that you know and trust.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

UnsignedAttributes Property (CAdESVerifier Component)

Custom unsigned attributes included in the electronic signature.

Syntax

public SignatureAttributeList UnsignedAttributes { get; }
Public ReadOnly Property UnsignedAttributes As SignatureAttributeList

Remarks

Signature attributes are used to store auxiliary information in the signature. Values included as unsigned attributes are not covered by the signature and can be changed or removed without affecting the signature.

This property is read-only and not available at design time.

Please refer to the SignatureAttribute type for a complete list of fields.

ValidationMoment Property (CAdESVerifier Component)

The time point at which signature validity is to be established.

Syntax

public string ValidationMoment { get; set; }
Public Property ValidationMoment As String

Default Value

""

Remarks

Use this property to specify the moment in time at which signature validity should be established. The time is in UTC. Leave the setting empty to stick to the default moment (either the signature creation time or the current time).

The validity of the same signature may differ depending on the time point chosen due to temporal changes in chain validities, revocation statuses, and timestamp times.

Close Method (CAdESVerifier Component)

Closes an opened container.

Syntax

public void Close(bool saveChanges);
Public Sub Close(ByVal SaveChanges As Boolean)

Remarks

Use this method to close a previously opened container. Set SaveChanges to true to apply any changes made.

Config Method (CAdESVerifier Component)

Sets or retrieves a configuration setting.

Syntax

public string Config(string configurationString);
Public Function Config(ByVal ConfigurationString As String) As String

Remarks

Config is a generic method available in every component. It is used to set and retrieve configuration settings for the component.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

DoAction Method (CAdESVerifier Component)

Performs an additional action.

Syntax

public string DoAction(string actionID, string actionParams);
Public Function DoAction(ByVal ActionID As String, ByVal ActionParams As String) As String

Remarks

DoAction is a generic method available in every component. It is used to perform an additional action introduced after the product major release. The list of actions is not fixed, and may be flexibly extended over time.

The unique identifier (case insensitive) of the action is provided in the ActionID parameter.

ActionParams contains the value of a single parameter, or a list of multiple parameters for the action in the form of PARAM1=VALUE1;PARAM2=VALUE2;....

Open Method (CAdESVerifier Component)

Opens an existing container for signing or updating.

Syntax

public void Open();
Public Sub Open()

Remarks

Use this method to open a container for signing or updating. When finished, call Close to complete or discard the operation.

Reset Method (CAdESVerifier Component)

Resets the component settings.

Syntax

public void Reset();
Public Sub Reset()

Remarks

Reset is a generic method available in every component.

Revalidate Method (CAdESVerifier Component)

Revalidates a signature in accordance with current settings.

Syntax

public void Revalidate(string sigLabel);
Public Sub Revalidate(ByVal SigLabel As String)

Remarks

Use this method to re-validate a signature in the opened CAdES signature.

SelectInfo Method (CAdESVerifier Component)

Select signature information for a specific entity.

Syntax

public void SelectInfo(string entityLabel, int infoType, bool clearSelection);
Public Sub SelectInfo(ByVal EntityLabel As String, ByVal InfoType As Integer, ByVal ClearSelection As Boolean)

Remarks

Use this method to select (or filter) signature-related information for a specific signature element.

Provide the unique label of the entity that you are interested in via the EntityLabel parameter. Use one of the following filters, or their combination, to specify what information you are interested in:

sitEntity1Select the current entity

sitParentEntity2Select the parent entity of the current entity

sitTimestamps4Select all timestamps covering the current entity

sitSignatures8Select all signatures covering the current entity

sitSigningChain16Select the signing chain of the current entity

sitEmbeddedCertificates256Select all certificates embedded in the current entity

sitEmbeddedCRLs512Select all CRLs embedded in the current entity

sitEmbeddedOCSPs1024Select all OCSP responses embedded in the current entity

sitEmbeddedRevInfo1792Select the whole pack of embedded revocation information (certificates, CRLs and OCSPs)

sitUsedCertificates4096Select all the certificates used to validate this entity's chain

sitUsedCRLs8192Select all the CRLs used to validate this entity's chain

sitUsedOCSPs16384Select all the OCSP responses used to validate this entity's chain

sitUsedRevInfo28672Select the whole pack of revocation information used to validate this entity's chain (certificates, CRLs, OCSP responses)

sitAttributes65536Select this entity's CMS attributes

sitReferences131072Select this entity's XML references

sitSignedParts262144Select this entity's signed parts

Following the call, the relevant pieces of information will be copied to the respective component properties (Certificates, CRLs, OCSPs). Note that you can accumulate information in the properties by making repeated calls to SelectInfo and keeping ClearSelection set to false.

This method is useful if you would like to read/display detailed information about a particular signature or timestamp.

Unsign Method (CAdESVerifier Component)

Deletes a signature from the CAdES signature.

Syntax

public void Unsign(string sigLabel);
Public Sub Unsign(ByVal SigLabel As String)

Remarks

Use this method to delete an existing signature from the CAdES signature. Use SigLabel parameter to specify the signature to be removed.

Verify Method (CAdESVerifier Component)

Verifies a digitally signed CAdES message.

Syntax

public void Verify();
Public Sub Verify()

Remarks

CAdESVerifier supports two types of signatures: enveloping and detached. In the enveloping case, both the data and the signature travel in the same 'combined' message. The detached variant observes the signature and the data (in its original form) residing in different files.

To verify enveloping signatures pass the signature via InputFile, InputStream or InputBytes properties.

To verify detached signatures pass the signature via InputFile, InputStream or InputBytes properties, and the data via DataStream or DataFile properties, and set Detached property.

ChainElementDownload Event (CAdESVerifier Component)

Fires when there is a need to download a chain element from an online source.

Syntax

public event OnChainElementDownloadHandler OnChainElementDownload;

public delegate void OnChainElementDownloadHandler(object sender, CAdESVerifierChainElementDownloadEventArgs e);

public class CAdESVerifierChainElementDownloadEventArgs : EventArgs {
  public int Kind { get; }
  public string CertRDN { get; }
  public string CACertRDN { get; }
  public string Location { get; }
  public int Action { get; set; }
}
Public Event OnChainElementDownload As OnChainElementDownloadHandler

Public Delegate Sub OnChainElementDownloadHandler(sender As Object, e As CAdESVerifierChainElementDownloadEventArgs)

Public Class CAdESVerifierChainElementDownloadEventArgs Inherits EventArgs
  Public ReadOnly Property Kind As Integer
  Public ReadOnly Property CertRDN As String
  Public ReadOnly Property CACertRDN As String
  Public ReadOnly Property Location As String
  Public Property Action As Integer
End Class

Remarks

Subscribe to this event to be notified about validation element retrievals. Use the Action parameter to suppress the download if required.

veaAuto0Handle the action automatically (the default behaviour)

veaContinue1Accept the request implied by the event (accept the certificate, allow the object retrieval)

veaReject2Reject the request implied by the event (reject the certificate, disallow the object retrieval)

veaAcceptNow3Accept the validated certificate immediately

veaAbortNow4Abort the validation, reject the certificate

cekUnknown0Unknown or unsupported element type

cekCertificate1An X.509 certificate

cekCRL2A CRL

cekOCSP3An OCSP response

ChainElementNeeded Event (CAdESVerifier Component)

Fires when an element required to validate the chain was not located.

Syntax

public event OnChainElementNeededHandler OnChainElementNeeded;

public delegate void OnChainElementNeededHandler(object sender, CAdESVerifierChainElementNeededEventArgs e);

public class CAdESVerifierChainElementNeededEventArgs : EventArgs {
  public int Kind { get; }
  public string CertRDN { get; }
  public string CACertRDN { get; }
}
Public Event OnChainElementNeeded As OnChainElementNeededHandler

Public Delegate Sub OnChainElementNeededHandler(sender As Object, e As CAdESVerifierChainElementNeededEventArgs)

Public Class CAdESVerifierChainElementNeededEventArgs Inherits EventArgs
  Public ReadOnly Property Kind As Integer
  Public ReadOnly Property CertRDN As String
  Public ReadOnly Property CACertRDN As String
End Class

Remarks

Subscribe to this event to be notified about missing validation elements. Use the KnownCRLs, KnownCertificates, and KnownOCSPs properties in the event handler to provide the missing piece.

cekUnknown0Unknown or unsupported element type

cekCertificate1An X.509 certificate

cekCRL2A CRL

cekOCSP3An OCSP response

ChainValidated Event (CAdESVerifier Component)

Reports the completion of a certificate chain validation.

Syntax

public event OnChainValidatedHandler OnChainValidated;

public delegate void OnChainValidatedHandler(object sender, CAdESVerifierChainValidatedEventArgs e);

public class CAdESVerifierChainValidatedEventArgs : EventArgs {
  public int Index { get; }
  public string EntityLabel { get; }
  public string SubjectRDN { get; }
  public int ValidationResult { get; }
  public int ValidationDetails { get; }
  public bool Cancel { get; set; }
}
Public Event OnChainValidated As OnChainValidatedHandler

Public Delegate Sub OnChainValidatedHandler(sender As Object, e As CAdESVerifierChainValidatedEventArgs)

Public Class CAdESVerifierChainValidatedEventArgs Inherits EventArgs
  Public ReadOnly Property Index As Integer
  Public ReadOnly Property EntityLabel As String
  Public ReadOnly Property SubjectRDN As String
  Public ReadOnly Property ValidationResult As Integer
  Public ReadOnly Property ValidationDetails As Integer
  Public Property Cancel As Boolean
End Class

Remarks

This event is fired when a certificate chain validation routine completes. SubjectRDN identifies the owner of the validated certificate.

ValidationResult set to 0 (zero) indicates successful chain validation.

cvtValid0The chain is valid

cvtValidButUntrusted1The chain is valid, but the root certificate is not trusted

cvtInvalid2The chain is not valid (some of certificates are revoked, expired, or contain an invalid signature)

cvtCantBeEstablished3The validity of the chain cannot be established because of missing or unavailable validation information (certificates, CRLs, or OCSP responses)

Any other value reports a failure, and ValidationDetails provides more details on its reasons.
cvrBadData0x0001One or more certificates in the validation path are malformed

cvrRevoked0x0002One or more certificates are revoked

cvrNotYetValid0x0004One or more certificates are not yet valid

cvrExpired0x0008One or more certificates are expired

cvrInvalidSignature0x0010A certificate contains a non-valid digital signature

cvrUnknownCA0x0020A CA certificate for one or more certificates has not been found (chain incomplete)

cvrCAUnauthorized0x0040One of the CA certificates are not authorized to act as CA

cvrCRLNotVerified0x0080One or more CRLs could not be verified

cvrOCSPNotVerified0x0100One or more OCSP responses could not be verified

cvrIdentityMismatch0x0200The identity protected by the certificate (a TLS endpoint or an e-mail addressee) does not match what is recorded in the certificate

cvrNoKeyUsage0x0400A mandatory key usage is not enabled in one of the chain certificates

cvrBlocked0x0800One or more certificates are blocked

cvrFailure0x1000General validation failure

cvrChainLoop0x2000Chain loop: one of the CA certificates recursively signs itself

cvrWeakAlgorithm0x4000A weak algorithm is used in one of certificates or revocation elements

cvrUserEnforced0x8000The chain was considered invalid following intervention from a user code

ChainValidationProgress Event (CAdESVerifier Component)

This event is fired multiple times during chain validation to report various stages of the validation procedure.

Syntax

public event OnChainValidationProgressHandler OnChainValidationProgress;

public delegate void OnChainValidationProgressHandler(object sender, CAdESVerifierChainValidationProgressEventArgs e);

public class CAdESVerifierChainValidationProgressEventArgs : EventArgs {
  public string EventKind { get; }
  public string CertRDN { get; }
  public string CACertRDN { get; }
  public int Action { get; set; }
}
Public Event OnChainValidationProgress As OnChainValidationProgressHandler

Public Delegate Sub OnChainValidationProgressHandler(sender As Object, e As CAdESVerifierChainValidationProgressEventArgs)

Public Class CAdESVerifierChainValidationProgressEventArgs Inherits EventArgs
  Public ReadOnly Property EventKind As String
  Public ReadOnly Property CertRDN As String
  Public ReadOnly Property CACertRDN As String
  Public Property Action As Integer
End Class

Remarks

Subscribe to this event to be notified about chain validation progress. Use the Action parameter to alter the validation flow.

The EventKind parameter reports the nature of the event being reported. The CertRDN and CACertRDN parameters report the distinguished names of the certificates that are relevant for the event invocation (one or both can be empty, depending on EventKind). Use the Action parameter to adjust the validation flow.

veaAuto0Handle the action automatically (the default behaviour)

veaContinue1Accept the request implied by the event (accept the certificate, allow the object retrieval)

veaReject2Reject the request implied by the event (reject the certificate, disallow the object retrieval)

veaAcceptNow3Accept the validated certificate immediately

veaAbortNow4Abort the validation, reject the certificate

Error Event (CAdESVerifier Component)

Information about errors during CAdES verification.

Syntax

public event OnErrorHandler OnError;

public delegate void OnErrorHandler(object sender, CAdESVerifierErrorEventArgs e);

public class CAdESVerifierErrorEventArgs : EventArgs {
  public int ErrorCode { get; }
  public string Description { get; }
}
Public Event OnError As OnErrorHandler

Public Delegate Sub OnErrorHandler(sender As Object, e As CAdESVerifierErrorEventArgs)

Public Class CAdESVerifierErrorEventArgs Inherits EventArgs
  Public ReadOnly Property ErrorCode As Integer
  Public ReadOnly Property Description As String
End Class

Remarks

The event is fired in case of exceptional conditions during message processing.

ErrorCode contains an error code and Description contains a textual description of the error. For a list of valid error codes and their descriptions, please refer to the Messages section.

Loaded Event (CAdESVerifier Component)

This event is fired when the CAdES signature has been loaded into memory.

Syntax

public event OnLoadedHandler OnLoaded;

public delegate void OnLoadedHandler(object sender, CAdESVerifierLoadedEventArgs e);

public class CAdESVerifierLoadedEventArgs : EventArgs {
  public bool Cancel { get; set; }
}
Public Event OnLoaded As OnLoadedHandler

Public Delegate Sub OnLoadedHandler(sender As Object, e As CAdESVerifierLoadedEventArgs)

Public Class CAdESVerifierLoadedEventArgs Inherits EventArgs
  Public Property Cancel As Boolean
End Class

Remarks

The handler for this event is a good place to check CAdES signature properties, which may be useful when preparing the signature.

Set Cancel to true to terminate CAdES signature processing on this stage.

Notification Event (CAdESVerifier Component)

This event notifies the application about an underlying control flow event.

Syntax

public event OnNotificationHandler OnNotification;

public delegate void OnNotificationHandler(object sender, CAdESVerifierNotificationEventArgs e);

public class CAdESVerifierNotificationEventArgs : EventArgs {
  public string EventID { get; }
  public string EventParam { get; }
}
Public Event OnNotification As OnNotificationHandler

Public Delegate Sub OnNotificationHandler(sender As Object, e As CAdESVerifierNotificationEventArgs)

Public Class CAdESVerifierNotificationEventArgs Inherits EventArgs
  Public ReadOnly Property EventID As String
  Public ReadOnly Property EventParam As String
End Class

Remarks

The component fires this event to let the application know about some event, occurrence, or milestone in the component. For example, it may fire to report completion of the document processing. The list of events being reported is not fixed, and may be flexibly extended over time.

The unique identifier of the event is provided in the EventID parameter. EventParam contains any parameters accompanying the occurrence. Depending on the type of the component, the exact action it is performing, or the document being processed, one or both may be omitted.

This component can fire this event with the following EventID values:

LoadedReports the completion of signature processing by the component. Use the event handler to access signature-related information. The EventParam value passed with this EventID is empty.
ContentExtractedReports the completion of message content extraction by the component if ExtractContent property is enabled. Use the event handler to access message content. The EventParam value passed with this EventID is empty.
SignaturesLoadedNotifies the application that the component has finished loading signatures.
BeforeTimestampThis event is fired before a timestamp is requested from the timestamping authority. Use the event handler to modify TSA and HTTP settings.
TimestampErrorThis event is only fired if the component failed to obtain a timestamp from the timestamping authority. The EventParam parameter contains extended error info.
TimestampRequestA timestamp is requested from the custom timestamping authority. This event is only fired if TimestampServer was set to a virtual:// URI. The EventParam parameter contains the TSP request (or the plain hash, depending on the value provided to TimestampServer), in base16, that needs to be sent to the TSA.

Use the event handler to send the request to the TSA. Upon receiving the response, assign it, in base16, to the TimestampResponse configuration property.

SignatureFound Event (CAdESVerifier Component)

Signifies the start of signature validation.

Syntax

public event OnSignatureFoundHandler OnSignatureFound;

public delegate void OnSignatureFoundHandler(object sender, CAdESVerifierSignatureFoundEventArgs e);

public class CAdESVerifierSignatureFoundEventArgs : EventArgs {
  public int Index { get; }
  public string EntityLabel { get; }
  public string IssuerRDN { get; }
  public byte[] SerialNumber { get; }
  public byte[] SubjectKeyID { get; }
  public bool CertFound { get; }
  public bool ValidateSignature { get; set; }
  public bool ValidateChain { get; set; }
}
Public Event OnSignatureFound As OnSignatureFoundHandler

Public Delegate Sub OnSignatureFoundHandler(sender As Object, e As CAdESVerifierSignatureFoundEventArgs)

Public Class CAdESVerifierSignatureFoundEventArgs Inherits EventArgs
  Public ReadOnly Property Index As Integer
  Public ReadOnly Property EntityLabel As String
  Public ReadOnly Property IssuerRDN As String
  Public ReadOnly Property SerialNumber As Byte()
  Public ReadOnly Property SubjectKeyID As Byte()
  Public ReadOnly Property CertFound As Boolean
  Public Property ValidateSignature As Boolean
  Public Property ValidateChain As Boolean
End Class

Remarks

This event tells the application that signature validation is about to start, and provides the details about the signer's certificate via its IssuerRDN, SerialNumber, and SubjectKeyID parameters. It fires for every signature located in the verified document or message.

The CertFound parameter is set to True if the component has found the needed certificate in one of the known locations, and to False otherwise, in which case you must provide it manually via the KnownCertificates property.

Signature validation consists of two independent stages: cryptographic signature validation and chain validation. Separate validation results are reported for each, with the SignatureValidationResult and ChainValidationResult properties respectively.

Use the ValidateSignature and ValidateChain parameters to tell the verifier which stages to include in the validation.

SignatureValidated Event (CAdESVerifier Component)

Marks the completion of the signature validation routine.

Syntax

public event OnSignatureValidatedHandler OnSignatureValidated;

public delegate void OnSignatureValidatedHandler(object sender, CAdESVerifierSignatureValidatedEventArgs e);

public class CAdESVerifierSignatureValidatedEventArgs : EventArgs {
  public int Index { get; }
  public string EntityLabel { get; }
  public string IssuerRDN { get; }
  public byte[] SerialNumber { get; }
  public byte[] SubjectKeyID { get; }
  public int ValidationResult { get; }
  public bool Cancel { get; set; }
}
Public Event OnSignatureValidated As OnSignatureValidatedHandler

Public Delegate Sub OnSignatureValidatedHandler(sender As Object, e As CAdESVerifierSignatureValidatedEventArgs)

Public Class CAdESVerifierSignatureValidatedEventArgs Inherits EventArgs
  Public ReadOnly Property Index As Integer
  Public ReadOnly Property EntityLabel As String
  Public ReadOnly Property IssuerRDN As String
  Public ReadOnly Property SerialNumber As Byte()
  Public ReadOnly Property SubjectKeyID As Byte()
  Public ReadOnly Property ValidationResult As Integer
  Public Property Cancel As Boolean
End Class

Remarks

This event is fired upon the completion of the signature validation routine, and reports the respective validation result.

Use the IssuerRDN, SerialNumber, and/or SubjectKeyID parameters to identify the signing certificate.

ValidationResult is set to 0 if the validation has been successful, or to a non-zero value in case of a validation failure.

svtValid0The signature is valid

svtUnknown1Signature validity is unknown

svtCorrupted2The signature is corrupted

svtSignerNotFound3Failed to acquire the signing certificate. The signature cannot be validated.

svtFailure4General failure

svtReferenceCorrupted5Reference corrupted (XML-based signatures only)

TimestampFound Event (CAdESVerifier Component)

Signifies the start of a timestamp validation routine.

Syntax

public event OnTimestampFoundHandler OnTimestampFound;

public delegate void OnTimestampFoundHandler(object sender, CAdESVerifierTimestampFoundEventArgs e);

public class CAdESVerifierTimestampFoundEventArgs : EventArgs {
  public int Index { get; }
  public string EntityLabel { get; }
  public string IssuerRDN { get; }
  public byte[] SerialNumber { get; }
  public byte[] SubjectKeyID { get; }
  public bool CertFound { get; }
  public bool ValidateTimestamp { get; set; }
  public bool ValidateChain { get; set; }
}
Public Event OnTimestampFound As OnTimestampFoundHandler

Public Delegate Sub OnTimestampFoundHandler(sender As Object, e As CAdESVerifierTimestampFoundEventArgs)

Public Class CAdESVerifierTimestampFoundEventArgs Inherits EventArgs
  Public ReadOnly Property Index As Integer
  Public ReadOnly Property EntityLabel As String
  Public ReadOnly Property IssuerRDN As String
  Public ReadOnly Property SerialNumber As Byte()
  Public ReadOnly Property SubjectKeyID As Byte()
  Public ReadOnly Property CertFound As Boolean
  Public Property ValidateTimestamp As Boolean
  Public Property ValidateChain As Boolean
End Class

Remarks

This event fires for every timestamp identified during signature processing, and reports the details about the signer's certificate via its IssuerRDN, SerialNumber, and SubjectKeyID parameters.

The CertFound parameter is set to True if the component has found the needed certificate in one of the known locations, and to False otherwise, in which case you must provide it manually via the KnownCertificates property.

Just like with signature validation, timestamp validation consists of two independent stages: cryptographic signature validation and chain validation. Separate validation results are reported for each, with the ValidationResult and ChainValidationResult properties respectively.

Use the ValidateSignature and ValidateChain parameters to tell the verifier which stages to include in the validation.

TimestampValidated Event (CAdESVerifier Component)

Reports the completion of the timestamp validation routine.

Syntax

public event OnTimestampValidatedHandler OnTimestampValidated;

public delegate void OnTimestampValidatedHandler(object sender, CAdESVerifierTimestampValidatedEventArgs e);

public class CAdESVerifierTimestampValidatedEventArgs : EventArgs {
  public int Index { get; }
  public string EntityLabel { get; }
  public string IssuerRDN { get; }
  public byte[] SerialNumber { get; }
  public byte[] SubjectKeyID { get; }
  public string Time { get; }
  public int ValidationResult { get; }
  public int ChainValidationResult { get; }
  public int ChainValidationDetails { get; }
  public bool Cancel { get; set; }
}
Public Event OnTimestampValidated As OnTimestampValidatedHandler

Public Delegate Sub OnTimestampValidatedHandler(sender As Object, e As CAdESVerifierTimestampValidatedEventArgs)

Public Class CAdESVerifierTimestampValidatedEventArgs Inherits EventArgs
  Public ReadOnly Property Index As Integer
  Public ReadOnly Property EntityLabel As String
  Public ReadOnly Property IssuerRDN As String
  Public ReadOnly Property SerialNumber As Byte()
  Public ReadOnly Property SubjectKeyID As Byte()
  Public ReadOnly Property Time As String
  Public ReadOnly Property ValidationResult As Integer
  Public ReadOnly Property ChainValidationResult As Integer
  Public ReadOnly Property ChainValidationDetails As Integer
  Public Property Cancel As Boolean
End Class

Remarks

This event is fired upon the completion of the timestamp validation routine, and reports the respective validation result.

ValidationResult is set to 0 if the validation has been successful, or to a non-zero value in case of a failure.

svtValid0The signature is valid

svtUnknown1Signature validity is unknown

svtCorrupted2The signature is corrupted

svtSignerNotFound3Failed to acquire the signing certificate. The signature cannot be validated.

svtFailure4General failure

svtReferenceCorrupted5Reference corrupted (XML-based signatures only)

TLSCertNeeded Event (CAdESVerifier Component)

Fires when a remote TLS party requests a client certificate.

Syntax

public event OnTLSCertNeededHandler OnTLSCertNeeded;

public delegate void OnTLSCertNeededHandler(object sender, CAdESVerifierTLSCertNeededEventArgs e);

public class CAdESVerifierTLSCertNeededEventArgs : EventArgs {
  public string Host { get; }
  public string CANames { get; }
}
Public Event OnTLSCertNeeded As OnTLSCertNeededHandler

Public Delegate Sub OnTLSCertNeededHandler(sender As Object, e As CAdESVerifierTLSCertNeededEventArgs)

Public Class CAdESVerifierTLSCertNeededEventArgs Inherits EventArgs
  Public ReadOnly Property Host As String
  Public ReadOnly Property CANames As String
End Class

Remarks

This event fires to notify the implementation that a remote TLS server has requested a client certificate. The Host parameter identifies the host that makes a request, and the CANames parameter (optional, according to the TLS spec) advises on the accepted issuing CAs.

Use the TLSClientChain property in response to this event to provide the requested certificate. Please make sure the client certificate includes the associated private key. Note that you may set the certificates before the connection without waiting for this event to fire.

This event is preceded by the TLSHandshake event for the given host and, if the certificate was accepted, succeeded by the TLSEstablished event.

TLSCertValidate Event (CAdESVerifier Component)

This event is fired upon receipt of the TLS server's certificate, allowing the user to control its acceptance.

Syntax

public event OnTLSCertValidateHandler OnTLSCertValidate;

public delegate void OnTLSCertValidateHandler(object sender, CAdESVerifierTLSCertValidateEventArgs e);

public class CAdESVerifierTLSCertValidateEventArgs : EventArgs {
  public string ServerHost { get; }
  public string ServerIP { get; }
  public bool Accept { get; set; }
}
Public Event OnTLSCertValidate As OnTLSCertValidateHandler

Public Delegate Sub OnTLSCertValidateHandler(sender As Object, e As CAdESVerifierTLSCertValidateEventArgs)

Public Class CAdESVerifierTLSCertValidateEventArgs Inherits EventArgs
  Public ReadOnly Property ServerHost As String
  Public ReadOnly Property ServerIP As String
  Public Property Accept As Boolean
End Class

Remarks

This event is fired during a TLS handshake. Use the TLSServerChain property to access the certificate chain. In general, components may contact a number of TLS endpoints during their work, depending on their configuration.

Accept is assigned in accordance with the outcome of the internal validation check performed by the component, and can be adjusted if needed.

TLSEstablished Event (CAdESVerifier Component)

Fires when a TLS handshake with Host successfully completes.

Syntax

public event OnTLSEstablishedHandler OnTLSEstablished;

public delegate void OnTLSEstablishedHandler(object sender, CAdESVerifierTLSEstablishedEventArgs e);

public class CAdESVerifierTLSEstablishedEventArgs : EventArgs {
  public string Host { get; }
  public string Version { get; }
  public string Ciphersuite { get; }
  public byte[] ConnectionId { get; }
  public bool Abort { get; set; }
}
Public Event OnTLSEstablished As OnTLSEstablishedHandler

Public Delegate Sub OnTLSEstablishedHandler(sender As Object, e As CAdESVerifierTLSEstablishedEventArgs)

Public Class CAdESVerifierTLSEstablishedEventArgs Inherits EventArgs
  Public ReadOnly Property Host As String
  Public ReadOnly Property Version As String
  Public ReadOnly Property Ciphersuite As String
  Public ReadOnly Property ConnectionId As Byte()
  Public Property Abort As Boolean
End Class

Remarks

The component uses this event to notify the application about a successful completion of a TLS handshake.

The Version, Ciphersuite, and ConnectionId parameters indicate the security parameters of the new connection. Use the Abort parameter if you need to terminate the connection at this stage.

TLSHandshake Event (CAdESVerifier Component)

Fires when a new TLS handshake is initiated, before the handshake commences.

Syntax

public event OnTLSHandshakeHandler OnTLSHandshake;

public delegate void OnTLSHandshakeHandler(object sender, CAdESVerifierTLSHandshakeEventArgs e);

public class CAdESVerifierTLSHandshakeEventArgs : EventArgs {
  public string Host { get; }
  public bool Abort { get; set; }
}
Public Event OnTLSHandshake As OnTLSHandshakeHandler

Public Delegate Sub OnTLSHandshakeHandler(sender As Object, e As CAdESVerifierTLSHandshakeEventArgs)

Public Class CAdESVerifierTLSHandshakeEventArgs Inherits EventArgs
  Public ReadOnly Property Host As String
  Public Property Abort As Boolean
End Class

Remarks

The component uses this event to notify the application about the start of a new TLS handshake to Host. If the handshake is successful, this event will be followed by the TLSEstablished event. If the server chooses to request a client certificate, the TLSCertNeeded event will also be fired.

TLSShutdown Event (CAdESVerifier Component)

Reports the graceful closure of a TLS connection.

Syntax

public event OnTLSShutdownHandler OnTLSShutdown;

public delegate void OnTLSShutdownHandler(object sender, CAdESVerifierTLSShutdownEventArgs e);

public class CAdESVerifierTLSShutdownEventArgs : EventArgs {
  public string Host { get; }
}
Public Event OnTLSShutdown As OnTLSShutdownHandler

Public Delegate Sub OnTLSShutdownHandler(sender As Object, e As CAdESVerifierTLSShutdownEventArgs)

Public Class CAdESVerifierTLSShutdownEventArgs Inherits EventArgs
  Public ReadOnly Property Host As String
End Class

Remarks

This event notifies the application about the closure of an earlier established TLS connection. Note that only graceful connection closures are reported.

CAdESSignature Type

Represents an individual signature in a CAdES container.

Remarks

This type contains information about a signature found in CAdES container. It holds various information about the signature, including its coverage and validation results.

The following fields are available:

Fields

ChainValidationDetails
int (read-only)

Default: 0

The details of a certificate chain validation outcome. They may often suggest the reasons that contributed to the overall validation result.

Returns a bit mask of the following options:

cvrBadData0x0001One or more certificates in the validation path are malformed

cvrRevoked0x0002One or more certificates are revoked

cvrNotYetValid0x0004One or more certificates are not yet valid

cvrExpired0x0008One or more certificates are expired

cvrInvalidSignature0x0010A certificate contains a non-valid digital signature

cvrUnknownCA0x0020A CA certificate for one or more certificates has not been found (chain incomplete)

cvrCAUnauthorized0x0040One of the CA certificates are not authorized to act as CA

cvrCRLNotVerified0x0080One or more CRLs could not be verified

cvrOCSPNotVerified0x0100One or more OCSP responses could not be verified

cvrIdentityMismatch0x0200The identity protected by the certificate (a TLS endpoint or an e-mail addressee) does not match what is recorded in the certificate

cvrNoKeyUsage0x0400A mandatory key usage is not enabled in one of the chain certificates

cvrBlocked0x0800One or more certificates are blocked

cvrFailure0x1000General validation failure

cvrChainLoop0x2000Chain loop: one of the CA certificates recursively signs itself

cvrWeakAlgorithm0x4000A weak algorithm is used in one of certificates or revocation elements

cvrUserEnforced0x8000The chain was considered invalid following intervention from a user code

ChainValidationResult
ChainValidities (read-only)

Default: 0

The outcome of a certificate chain validation routine.

Available options:

cvtValid0The chain is valid

cvtValidButUntrusted1The chain is valid, but the root certificate is not trusted

cvtInvalid2The chain is not valid (some of certificates are revoked, expired, or contain an invalid signature)

cvtCantBeEstablished3The validity of the chain cannot be established because of missing or unavailable validation information (certificates, CRLs, or OCSP responses)

Use the ValidationLog property to access the detailed validation log.

ClaimedSigningTime
string

Default: ""

The signing time from the signer's computer.

Use this property to provide the signature production time. The claimed time is not supported by a trusted source; it may be inaccurate, forfeited, or wrong, and as such is usually taken for informational purposes only by verifiers. Use timestamp servers to embed verifiable trusted timestamps. The time is in UTC.

CompatibilityErrors
int (read-only)

Default: 0

Returns compatibility errors encountered during validation.

Use this property to get specific compatibility errors encountered during validation. Unlike chain validation details, compatibility errors indicate violations by the signature of the assumed signature level/profile. For example, BES signatures are required to contain the signing time attribute. A prospective BES signature without such attribute will invoke a compatibility error.

Supported values:

cerrUnknown0x00001Unknown validation error

cerrNoMessageDigest0x00002No message digest attribute included in the signature

cerrNoContentType0x00004No mandatory content-type attribute is included in the signature

cerrNoSigningCertificate0x00008No mandatory signing-certificate (-v2) attribute is included in the signature

cerrNoSignaturePolicy0x00010No signature policy information is included in the signature

cerrNoSignatureTimestamp0x00020The signature is not timestamped

cerrNoCertificateReferences0x00040No certificate-references attribute was found in the signature

cerrNoRevocationReferences0x00080No revocation-references attribute was found in the signature

cerrNoCertificateValues0x00100No certificate-values attribute was found in the signature

cerrNoRevocationValues0x00200No revocation-values attribute was found in the signature

cerrNoTimestampedValidationData0x00400No timestamped validation data was found in the signature

cerrNoArchivalTimestamp0x00800No archival timestamp was found in the signature

cerrUnexpectedValidationElements0x01000Unexpected validation elements were found in the signature

cerrMissingValidationElements0x02000Some mandatory validation elements are missing from the signature

cerrInvalidATSHashIndex0x04000ATS Hash Index attribute is invalid

cerrNoSigningTime0x08000No mandatory signing-time attribute was found in the signature

cerrMisplacedSigPolicyStore0x10000Signature policy store attribute is misplaced

ContainsLongTermInfo
bool (read-only)

Default: False

Returns true if the signature was found to contain long-term validation details (certificates, CRLs, and OCSP response).

ContentType
string

Default: ""

The signature content type.

Use this property to check the content type attribute of the message record in it by the signer.

Countersigned
bool (read-only)

Default: False

Indicates if the signature is countersigned.

Use this property to find out whether the signed message contains any countersignatures over the main signature(s).

You can track countersignatures during the validating by subscribing to SignatureValidated event.

EntityLabel
string (read-only)

Default: ""

Use this property to get the signature entity label.

This property returns a string label that uniquely identifies the signature. The label can be used to establish the signature target in the SignatureFound event or to select the signing chain via the SelectInfo method.

HashAlgorithm
string

Default: ""

Set or returns the hash algorithm used to generate the signature.

Check this property after verifying the signature to get the hash algorithm which was used to calculate it. When creating a signed file, use this property to specify the hash algorithm to use.

SB_HASH_ALGORITHM_SHA1SHA1
SB_HASH_ALGORITHM_SHA224SHA224
SB_HASH_ALGORITHM_SHA256SHA256
SB_HASH_ALGORITHM_SHA384SHA384
SB_HASH_ALGORITHM_SHA512SHA512
SB_HASH_ALGORITHM_MD2MD2
SB_HASH_ALGORITHM_MD4MD4
SB_HASH_ALGORITHM_MD5MD5
SB_HASH_ALGORITHM_RIPEMD160RIPEMD160
SB_HASH_ALGORITHM_CRC32CRC32
SB_HASH_ALGORITHM_SSL3SSL3
SB_HASH_ALGORITHM_GOST_R3411_1994GOST1994
SB_HASH_ALGORITHM_WHIRLPOOLWHIRLPOOL
SB_HASH_ALGORITHM_POLY1305POLY1305
SB_HASH_ALGORITHM_SHA3_224SHA3_224
SB_HASH_ALGORITHM_SHA3_256SHA3_256
SB_HASH_ALGORITHM_SHA3_384SHA3_384
SB_HASH_ALGORITHM_SHA3_512SHA3_512
SB_HASH_ALGORITHM_BLAKE2S_128BLAKE2S_128
SB_HASH_ALGORITHM_BLAKE2S_160BLAKE2S_160
SB_HASH_ALGORITHM_BLAKE2S_224BLAKE2S_224
SB_HASH_ALGORITHM_BLAKE2S_256BLAKE2S_256
SB_HASH_ALGORITHM_BLAKE2B_160BLAKE2B_160
SB_HASH_ALGORITHM_BLAKE2B_256BLAKE2B_256
SB_HASH_ALGORITHM_BLAKE2B_384BLAKE2B_384
SB_HASH_ALGORITHM_BLAKE2B_512BLAKE2B_512
SB_HASH_ALGORITHM_SHAKE_128SHAKE_128
SB_HASH_ALGORITHM_SHAKE_256SHAKE_256
SB_HASH_ALGORITHM_SHAKE_128_LENSHAKE_128_LEN
SB_HASH_ALGORITHM_SHAKE_256_LENSHAKE_256_LEN

IssuerRDN
string (read-only)

Default: ""

The Relative Distinguished Name of the signing certificate's issuer.

A collection of information, in the form of [OID, Value] pairs, about the company that issued the signing certificate.

LastArchivalTime
string (read-only)

Default: ""

Indicates the most recent archival time of an archived signature

This property returns the time of the most recent archival timestamp applied to the signature. This property only makes sense for 'archived' (e.g. CAdES-A) signatures. Time is in UTC.

Level
AdESSignatureLevels

Default: 2

Specifies the CAdES signature level.

CMS Advanced Electronic Signatures (CAdES) standard defines a number of different 'levels' of signatures which can be used for different purposes.

The supported levels are:

aslUnknown0Unknown signature level

aslGeneric1Generic (this value applicable to XAdES signature only and corresponds to XML-DSIG signature)

aslBaselineB2Baseline B (B-B, basic)

aslBaselineT3Baseline T (B-T, timestamped)

aslBaselineLT4Baseline LT (B-LT, long-term)

aslBaselineLTA5Baseline LTA (B-LTA, long-term with archived timestamp)

aslBES6BES (Basic Electronic Signature)

aslEPES7EPES (Electronic Signature with an Explicit Policy)

aslT8T (Timestamped)

aslC9C (T with revocation references)

aslX10X (C with SigAndRefs timestamp or RefsOnly timestamp) (this value applicable to XAdES signature only)

aslXType111X Type 1 (C with an ES-C timestamp) (this value applicable to CAdES signature only)

aslXType212X Type 2 (C with a CertsAndCRLs timestamp) (this value applicable to CAdES signature only)

aslXL13X-L (X with revocation values) (this value applicable to XAdES signature only)

aslXLType114X-L Type 1 (C with revocation values and an ES-C timestamp) (this value applicable to CAdES signature only)

aslXLType215X-L Type 2 (C with revocation values and a CertsAndCRLs timestamp) (this value applicable to CAdES signature only)

aslA16A (archived)

aslExtendedBES17Extended BES

aslExtendedEPES18Extended EPES

aslExtendedT19Extended T

aslExtendedC20Extended C

aslExtendedX21Extended X (this value applicable to XAdES signature only)

aslExtendedXType122Extended X (type 1) (this value applicable to CAdES signature only)

aslExtendedXType223Extended X (type 2) (this value applicable to CAdES signature only)

aslExtendedXLong24Extended X-Long (this value applicable to XAdES signature only)

aslExtendedXL25Extended X-L (this value applicable to XAdES signature only)

aslExtendedXLType126Extended XL (type 1) (this value applicable to CAdES signature only)

aslExtendedXLType227Extended XL (type 2) (this value applicable to CAdES signature only)

aslExtendedA28Extended A

MessageDigest
string (read-only)

Default: ""

The binary of the signature's message digest.

Use this property to access the 'main' message digest of the CMS blob (the digest included as a message-digest signed attribute).

ParentEntity
string

Default: ""

Use this property to get the parent signature label.

This property contains the unique entity label of the current signature's parent object - typically a higher-level signature or a timestamp.

PolicyHash
string

Default: ""

The signature policy hash value.

Use this property to get the signature policy hash from EPES signatures

PolicyHashAlgorithm
string

Default: ""

The algorithm that was used to calculate the signature policy hash

Use this property to get or set the hash algorithm used to calculate the signature policy hash. Read the actual hash value from PolicyHash.

SB_HASH_ALGORITHM_SHA1SHA1
SB_HASH_ALGORITHM_SHA224SHA224
SB_HASH_ALGORITHM_SHA256SHA256
SB_HASH_ALGORITHM_SHA384SHA384
SB_HASH_ALGORITHM_SHA512SHA512
SB_HASH_ALGORITHM_MD2MD2
SB_HASH_ALGORITHM_MD4MD4
SB_HASH_ALGORITHM_MD5MD5
SB_HASH_ALGORITHM_RIPEMD160RIPEMD160
SB_HASH_ALGORITHM_CRC32CRC32
SB_HASH_ALGORITHM_SSL3SSL3
SB_HASH_ALGORITHM_GOST_R3411_1994GOST1994
SB_HASH_ALGORITHM_WHIRLPOOLWHIRLPOOL
SB_HASH_ALGORITHM_POLY1305POLY1305
SB_HASH_ALGORITHM_SHA3_224SHA3_224
SB_HASH_ALGORITHM_SHA3_256SHA3_256
SB_HASH_ALGORITHM_SHA3_384SHA3_384
SB_HASH_ALGORITHM_SHA3_512SHA3_512
SB_HASH_ALGORITHM_BLAKE2S_128BLAKE2S_128
SB_HASH_ALGORITHM_BLAKE2S_160BLAKE2S_160
SB_HASH_ALGORITHM_BLAKE2S_224BLAKE2S_224
SB_HASH_ALGORITHM_BLAKE2S_256BLAKE2S_256
SB_HASH_ALGORITHM_BLAKE2B_160BLAKE2B_160
SB_HASH_ALGORITHM_BLAKE2B_256BLAKE2B_256
SB_HASH_ALGORITHM_BLAKE2B_384BLAKE2B_384
SB_HASH_ALGORITHM_BLAKE2B_512BLAKE2B_512
SB_HASH_ALGORITHM_SHAKE_128SHAKE_128
SB_HASH_ALGORITHM_SHAKE_256SHAKE_256
SB_HASH_ALGORITHM_SHAKE_128_LENSHAKE_128_LEN
SB_HASH_ALGORITHM_SHAKE_256_LENSHAKE_256_LEN

PolicyID
string

Default: ""

The policy ID that was included or to be included into the signature.

Use this property to retrieve the signature policy identifier from EPES signatures.

PolicyURI
string

Default: ""

The signature policy URI that was included in the signature.

Use this property to set or retrieve the URI of the signature policy from EPES signatures.

PublicKeyAlgorithm
string (read-only)

Default: ""

Returns the public key algorithm that was used to create the signature.

This property specifies the public key algorithm that was used to create the signature. This typically matches the algorithm of the signing certificate.

SB_CERT_ALGORITHM_ID_RSA_ENCRYPTIONrsaEncryption
SB_CERT_ALGORITHM_MD2_RSA_ENCRYPTIONmd2withRSAEncryption
SB_CERT_ALGORITHM_MD5_RSA_ENCRYPTIONmd5withRSAEncryption
SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTIONsha1withRSAEncryption
SB_CERT_ALGORITHM_ID_DSAid-dsa
SB_CERT_ALGORITHM_ID_DSA_SHA1id-dsa-with-sha1
SB_CERT_ALGORITHM_DH_PUBLICdhpublicnumber
SB_CERT_ALGORITHM_SHA224_RSA_ENCRYPTIONsha224WithRSAEncryption
SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTIONsha256WithRSAEncryption
SB_CERT_ALGORITHM_SHA384_RSA_ENCRYPTIONsha384WithRSAEncryption
SB_CERT_ALGORITHM_SHA512_RSA_ENCRYPTIONsha512WithRSAEncryption
SB_CERT_ALGORITHM_ID_RSAPSSid-RSASSA-PSS
SB_CERT_ALGORITHM_ID_RSAOAEPid-RSAES-OAEP
SB_CERT_ALGORITHM_RSASIGNATURE_RIPEMD160ripemd160withRSA
SB_CERT_ALGORITHM_ID_ELGAMALelGamal
SB_CERT_ALGORITHM_SHA1_ECDSAecdsa-with-SHA1
SB_CERT_ALGORITHM_RECOMMENDED_ECDSAecdsa-recommended
SB_CERT_ALGORITHM_SHA224_ECDSAecdsa-with-SHA224
SB_CERT_ALGORITHM_SHA256_ECDSAecdsa-with-SHA256
SB_CERT_ALGORITHM_SHA384_ECDSAecdsa-with-SHA384
SB_CERT_ALGORITHM_SHA512_ECDSAecdsa-with-SHA512
SB_CERT_ALGORITHM_ECid-ecPublicKey
SB_CERT_ALGORITHM_SPECIFIED_ECDSAecdsa-specified
SB_CERT_ALGORITHM_GOST_R3410_1994id-GostR3410-94
SB_CERT_ALGORITHM_GOST_R3410_2001id-GostR3410-2001
SB_CERT_ALGORITHM_GOST_R3411_WITH_R3410_1994id-GostR3411-94-with-GostR3410-94
SB_CERT_ALGORITHM_GOST_R3411_WITH_R3410_2001id-GostR3411-94-with-GostR3410-2001
SB_CERT_ALGORITHM_SHA1_ECDSA_PLAINecdsa-plain-SHA1
SB_CERT_ALGORITHM_SHA224_ECDSA_PLAINecdsa-plain-SHA224
SB_CERT_ALGORITHM_SHA256_ECDSA_PLAINecdsa-plain-SHA256
SB_CERT_ALGORITHM_SHA384_ECDSA_PLAINecdsa-plain-SHA384
SB_CERT_ALGORITHM_SHA512_ECDSA_PLAINecdsa-plain-SHA512
SB_CERT_ALGORITHM_RIPEMD160_ECDSA_PLAINecdsa-plain-RIPEMD160
SB_CERT_ALGORITHM_WHIRLPOOL_RSA_ENCRYPTIONwhirlpoolWithRSAEncryption
SB_CERT_ALGORITHM_ID_DSA_SHA224id-dsa-with-sha224
SB_CERT_ALGORITHM_ID_DSA_SHA256id-dsa-with-sha256
SB_CERT_ALGORITHM_SHA3_224_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-sha3-224
SB_CERT_ALGORITHM_SHA3_256_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-sha3-256
SB_CERT_ALGORITHM_SHA3_384_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-sha3-384
SB_CERT_ALGORITHM_SHA3_512_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-sha3-512
SB_CERT_ALGORITHM_SHA3_224_ECDSAid-ecdsa-with-sha3-224
SB_CERT_ALGORITHM_SHA3_256_ECDSAid-ecdsa-with-sha3-256
SB_CERT_ALGORITHM_SHA3_384_ECDSAid-ecdsa-with-sha3-384
SB_CERT_ALGORITHM_SHA3_512_ECDSAid-ecdsa-with-sha3-512
SB_CERT_ALGORITHM_SHA3_224_ECDSA_PLAINid-ecdsa-plain-with-sha3-224
SB_CERT_ALGORITHM_SHA3_256_ECDSA_PLAINid-ecdsa-plain-with-sha3-256
SB_CERT_ALGORITHM_SHA3_384_ECDSA_PLAINid-ecdsa-plain-with-sha3-384
SB_CERT_ALGORITHM_SHA3_512_ECDSA_PLAINid-ecdsa-plain-with-sha3-512
SB_CERT_ALGORITHM_ID_DSA_SHA3_224id-dsa-with-sha3-224
SB_CERT_ALGORITHM_ID_DSA_SHA3_256id-dsa-with-sha3-256
SB_CERT_ALGORITHM_BLAKE2S_128_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2s128
SB_CERT_ALGORITHM_BLAKE2S_160_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2s160
SB_CERT_ALGORITHM_BLAKE2S_224_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2s224
SB_CERT_ALGORITHM_BLAKE2S_256_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2s256
SB_CERT_ALGORITHM_BLAKE2B_160_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2b160
SB_CERT_ALGORITHM_BLAKE2B_256_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2b256
SB_CERT_ALGORITHM_BLAKE2B_384_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2b384
SB_CERT_ALGORITHM_BLAKE2B_512_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2b512
SB_CERT_ALGORITHM_BLAKE2S_128_ECDSAid-ecdsa-with-blake2s128
SB_CERT_ALGORITHM_BLAKE2S_160_ECDSAid-ecdsa-with-blake2s160
SB_CERT_ALGORITHM_BLAKE2S_224_ECDSAid-ecdsa-with-blake2s224
SB_CERT_ALGORITHM_BLAKE2S_256_ECDSAid-ecdsa-with-blake2s256
SB_CERT_ALGORITHM_BLAKE2B_160_ECDSAid-ecdsa-with-blake2b160
SB_CERT_ALGORITHM_BLAKE2B_256_ECDSAid-ecdsa-with-blake2b256
SB_CERT_ALGORITHM_BLAKE2B_384_ECDSAid-ecdsa-with-blake2b384
SB_CERT_ALGORITHM_BLAKE2B_512_ECDSAid-ecdsa-with-blake2b512
SB_CERT_ALGORITHM_BLAKE2S_128_ECDSA_PLAINid-ecdsa-plain-with-blake2s128
SB_CERT_ALGORITHM_BLAKE2S_160_ECDSA_PLAINid-ecdsa-plain-with-blake2s160
SB_CERT_ALGORITHM_BLAKE2S_224_ECDSA_PLAINid-ecdsa-plain-with-blake2s224
SB_CERT_ALGORITHM_BLAKE2S_256_ECDSA_PLAINid-ecdsa-plain-with-blake2s256
SB_CERT_ALGORITHM_BLAKE2B_160_ECDSA_PLAINid-ecdsa-plain-with-blake2b160
SB_CERT_ALGORITHM_BLAKE2B_256_ECDSA_PLAINid-ecdsa-plain-with-blake2b256
SB_CERT_ALGORITHM_BLAKE2B_384_ECDSA_PLAINid-ecdsa-plain-with-blake2b384
SB_CERT_ALGORITHM_BLAKE2B_512_ECDSA_PLAINid-ecdsa-plain-with-blake2b512
SB_CERT_ALGORITHM_ID_DSA_BLAKE2S_224id-dsa-with-blake2s224
SB_CERT_ALGORITHM_ID_DSA_BLAKE2S_256id-dsa-with-blake2s256
SB_CERT_ALGORITHM_EDDSA_ED25519id-Ed25519
SB_CERT_ALGORITHM_EDDSA_ED448id-Ed448
SB_CERT_ALGORITHM_EDDSA_ED25519_PHid-Ed25519ph
SB_CERT_ALGORITHM_EDDSA_ED448_PHid-Ed448ph
SB_CERT_ALGORITHM_EDDSAid-EdDSA
SB_CERT_ALGORITHM_EDDSA_SIGNATUREid-EdDSA-sig

Scope
int (read-only)

Default: 0

Returns the type of the entity that this signature corresponds to.

A CAdES signature may cover several kinds of entities: the signed data itself (a top-level signature - something you create when you sign documents), a timestamp, or a countersignature.

cssUnknown0The scope of signature is unknown

cssData1The signature is a top-level signature over the data

cssSignature2The signature is a countersignature, and is made over another signature

cssTimestamp3The signature is made over a timestamp

SerialNumber
byte[] (read-only)

Default: ""

The serial number of the signing certificate.

SignatureBytes
byte[] (read-only)

Default: ""

Returns the binary representation of the CAdES signature.

SignatureValidationResult
SignatureValidities (read-only)

Default: 0

The outcome of the cryptographic signature validation.

The following signature validity values are supported:

svtValid0The signature is valid

svtUnknown1Signature validity is unknown

svtCorrupted2The signature is corrupted

svtSignerNotFound3Failed to acquire the signing certificate. The signature cannot be validated.

svtFailure4General failure

svtReferenceCorrupted5Reference corrupted (XML-based signatures only)

SubjectKeyID
byte[] (read-only)

Default: ""

Contains the subject key identifier of the signing certificate.

Subject Key Identifier is a (non-critical) X.509 certificate extension which allows the identification of certificates containing a particular public key. In SecureBlackbox, the unique identifier is represented by a SHA-1 hash of the bit string of the subject public key.

SubjectRDN
string (read-only)

Default: ""

Contains the RDN of the owner of the signing certificate.

RDN is a number of OID=Value pairs declared in the certificate and providing the owner's details.

Timestamped
bool (read-only)

Default: False

Use this property to establish whether the signature contains an embedded timestamp.

ValidatedSigningTime
string (read-only)

Default: ""

Contains the certified signing time.

Use this property to obtain the signing time as certified by a timestamp from a trusted timestamping authority. This property is only non-empty if there was a valid timestamp included in the signature.

ClaimedSigningTime returns a non-trusted signing time from the signer's computer.

Both times are in UTC.

ValidationLog
string (read-only)

Default: ""

Contains the signing certificate's chain validation log. This information may be very useful in investigating chain validation failures.

Constructors

public CAdESSignature();
Public CAdESSignature()

Creates a new empty CAdES signature object.

Certificate Type

Encapsulates an individual X.509 certificate.

Remarks

This type keeps and provides access to X.509 certificate details.

The following fields are available:

Fields

Bytes
byte[] (read-only)

Default: ""

Returns the raw certificate data in DER format.

CA
bool

Default: False

Indicates whether the certificate has a CA capability. For the certificate to be considered a CA, it must have its Basic Constraints extension set with the CA indicator enabled.

Set this field when generating a new certificate to have its Basic Constraints extension generated automatically.

CAKeyID
byte[] (read-only)

Default: ""

A unique identifier (fingerprint) of the CA certificate's cryptographic key.

Authority Key Identifier is a certificate extension which allows identification of certificates belonging to the same issuer, but with different public keys. It is a de-facto standard to include this extension in all certificates to facilitate chain building.

This setting cannot be set when generating a certificate as it always derives from another certificate property. CertificateManager generates this setting automatically if enough information is available to it: for self-signed certificates, this value is copied from the SubjectKeyID setting, and for lower-level certificates, from the parent certificate's subject key ID extension.

CertType
CertTypes (read-only)

Default: 0

Returns the type of the entity contained in the Certificate object.

A Certificate object can contain two types of cryptographic objects: a ready-to-use X.509 certificate, or a certificate request ("an unsigned certificate"). Certificate requests can be upgraded to full certificates by signing them with a CA certificate.

Use the CertificateManager component to load or create new certificate and certificate requests objects.

CRLDistributionPoints
string

Default: ""

Contains a list of locations of CRL distribution points used to check this certificate's validity. The list is taken from the respective certificate extension.

Use this field when generating a certificate to provide a list of CRL endpoints that should be made part of the new certificate.

The endpoints are provided as a list of CRLF-separated URLs. Note that this differs from the behaviour used in earlier product versions, where the "|" character was used as the location separator.

Curve
string

Default: ""

Specifies the elliptic curve associated with the certificate's public key. This setting only applies to certificates containing EC keys.

SB_EC_SECP112R1SECP112R1
SB_EC_SECP112R2SECP112R2
SB_EC_SECP128R1SECP128R1
SB_EC_SECP128R2SECP128R2
SB_EC_SECP160K1SECP160K1
SB_EC_SECP160R1SECP160R1
SB_EC_SECP160R2SECP160R2
SB_EC_SECP192K1SECP192K1
SB_EC_SECP192R1SECP192R1
SB_EC_SECP224K1SECP224K1
SB_EC_SECP224R1SECP224R1
SB_EC_SECP256K1SECP256K1
SB_EC_SECP256R1SECP256R1
SB_EC_SECP384R1SECP384R1
SB_EC_SECP521R1SECP521R1
SB_EC_SECT113R1SECT113R1
SB_EC_SECT113R2SECT113R2
SB_EC_SECT131R1SECT131R1
SB_EC_SECT131R2SECT131R2
SB_EC_SECT163K1SECT163K1
SB_EC_SECT163R1SECT163R1
SB_EC_SECT163R2SECT163R2
SB_EC_SECT193R1SECT193R1
SB_EC_SECT193R2SECT193R2
SB_EC_SECT233K1SECT233K1
SB_EC_SECT233R1SECT233R1
SB_EC_SECT239K1SECT239K1
SB_EC_SECT283K1SECT283K1
SB_EC_SECT283R1SECT283R1
SB_EC_SECT409K1SECT409K1
SB_EC_SECT409R1SECT409R1
SB_EC_SECT571K1SECT571K1
SB_EC_SECT571R1SECT571R1
SB_EC_PRIME192V1PRIME192V1
SB_EC_PRIME192V2PRIME192V2
SB_EC_PRIME192V3PRIME192V3
SB_EC_PRIME239V1PRIME239V1
SB_EC_PRIME239V2PRIME239V2
SB_EC_PRIME239V3PRIME239V3
SB_EC_PRIME256V1PRIME256V1
SB_EC_C2PNB163V1C2PNB163V1
SB_EC_C2PNB163V2C2PNB163V2
SB_EC_C2PNB163V3C2PNB163V3
SB_EC_C2PNB176W1C2PNB176W1
SB_EC_C2TNB191V1C2TNB191V1
SB_EC_C2TNB191V2C2TNB191V2
SB_EC_C2TNB191V3C2TNB191V3
SB_EC_C2ONB191V4C2ONB191V4
SB_EC_C2ONB191V5C2ONB191V5
SB_EC_C2PNB208W1C2PNB208W1
SB_EC_C2TNB239V1C2TNB239V1
SB_EC_C2TNB239V2C2TNB239V2
SB_EC_C2TNB239V3C2TNB239V3
SB_EC_C2ONB239V4C2ONB239V4
SB_EC_C2ONB239V5C2ONB239V5
SB_EC_C2PNB272W1C2PNB272W1
SB_EC_C2PNB304W1C2PNB304W1
SB_EC_C2TNB359V1C2TNB359V1
SB_EC_C2PNB368W1C2PNB368W1
SB_EC_C2TNB431R1C2TNB431R1
SB_EC_NISTP192NISTP192
SB_EC_NISTP224NISTP224
SB_EC_NISTP256NISTP256
SB_EC_NISTP384NISTP384
SB_EC_NISTP521NISTP521
SB_EC_NISTB163NISTB163
SB_EC_NISTB233NISTB233
SB_EC_NISTB283NISTB283
SB_EC_NISTB409NISTB409
SB_EC_NISTB571NISTB571
SB_EC_NISTK163NISTK163
SB_EC_NISTK233NISTK233
SB_EC_NISTK283NISTK283
SB_EC_NISTK409NISTK409
SB_EC_NISTK571NISTK571
SB_EC_GOSTCPTESTGOSTCPTEST
SB_EC_GOSTCPAGOSTCPA
SB_EC_GOSTCPBGOSTCPB
SB_EC_GOSTCPCGOSTCPC
SB_EC_GOSTCPXCHAGOSTCPXCHA
SB_EC_GOSTCPXCHBGOSTCPXCHB
SB_EC_BRAINPOOLP160R1BRAINPOOLP160R1
SB_EC_BRAINPOOLP160T1BRAINPOOLP160T1
SB_EC_BRAINPOOLP192R1BRAINPOOLP192R1
SB_EC_BRAINPOOLP192T1BRAINPOOLP192T1
SB_EC_BRAINPOOLP224R1BRAINPOOLP224R1
SB_EC_BRAINPOOLP224T1BRAINPOOLP224T1
SB_EC_BRAINPOOLP256R1BRAINPOOLP256R1
SB_EC_BRAINPOOLP256T1BRAINPOOLP256T1
SB_EC_BRAINPOOLP320R1BRAINPOOLP320R1
SB_EC_BRAINPOOLP320T1BRAINPOOLP320T1
SB_EC_BRAINPOOLP384R1BRAINPOOLP384R1
SB_EC_BRAINPOOLP384T1BRAINPOOLP384T1
SB_EC_BRAINPOOLP512R1BRAINPOOLP512R1
SB_EC_BRAINPOOLP512T1BRAINPOOLP512T1
SB_EC_CURVE25519CURVE25519
SB_EC_CURVE448CURVE448

Fingerprint
string (read-only)

Default: ""

Contains the fingerprint (a hash imprint) of this certificate.

While there is no formal standard defining what a fingerprint is, a SHA1 hash of the certificate's DER-encoded body is typically used.

FriendlyName
string (read-only)

Default: ""

Contains an associated alias (friendly name) of the certificate. The friendly name is not a property of a certificate: it is maintained by the certificate media rather than being included in its DER representation. Windows certificate stores are one example of media that does support friendly names.

HashAlgorithm
string

Default: ""

Provides means to set the hash algorithm to be used in the subsequent operation on the certificate (such as generation or key signing). It is not a property of a certificate; use SigAlgorithm to find out the hash algorithm that is part of the certificate signature.

SB_HASH_ALGORITHM_SHA1SHA1
SB_HASH_ALGORITHM_SHA224SHA224
SB_HASH_ALGORITHM_SHA256SHA256
SB_HASH_ALGORITHM_SHA384SHA384
SB_HASH_ALGORITHM_SHA512SHA512
SB_HASH_ALGORITHM_MD2MD2
SB_HASH_ALGORITHM_MD4MD4
SB_HASH_ALGORITHM_MD5MD5
SB_HASH_ALGORITHM_RIPEMD160RIPEMD160
SB_HASH_ALGORITHM_CRC32CRC32
SB_HASH_ALGORITHM_SSL3SSL3
SB_HASH_ALGORITHM_GOST_R3411_1994GOST1994
SB_HASH_ALGORITHM_WHIRLPOOLWHIRLPOOL
SB_HASH_ALGORITHM_POLY1305POLY1305
SB_HASH_ALGORITHM_SHA3_224SHA3_224
SB_HASH_ALGORITHM_SHA3_256SHA3_256
SB_HASH_ALGORITHM_SHA3_384SHA3_384
SB_HASH_ALGORITHM_SHA3_512SHA3_512
SB_HASH_ALGORITHM_BLAKE2S_128BLAKE2S_128
SB_HASH_ALGORITHM_BLAKE2S_160BLAKE2S_160
SB_HASH_ALGORITHM_BLAKE2S_224BLAKE2S_224
SB_HASH_ALGORITHM_BLAKE2S_256BLAKE2S_256
SB_HASH_ALGORITHM_BLAKE2B_160BLAKE2B_160
SB_HASH_ALGORITHM_BLAKE2B_256BLAKE2B_256
SB_HASH_ALGORITHM_BLAKE2B_384BLAKE2B_384
SB_HASH_ALGORITHM_BLAKE2B_512BLAKE2B_512
SB_HASH_ALGORITHM_SHAKE_128SHAKE_128
SB_HASH_ALGORITHM_SHAKE_256SHAKE_256
SB_HASH_ALGORITHM_SHAKE_128_LENSHAKE_128_LEN
SB_HASH_ALGORITHM_SHAKE_256_LENSHAKE_256_LEN

Issuer
string (read-only)

Default: ""

The common name of the certificate issuer (CA), typically a company name. This is part of a larger set of credentials available via IssuerRDN.

IssuerRDN
string

Default: ""

A list of Property=Value pairs that uniquely identify the certificate issuer.

Example: /C=US/O=Nationwide CA/CN=Web Certification Authority

KeyAlgorithm
string

Default: "0"

Specifies the public key algorithm of this certificate.

SB_CERT_ALGORITHM_ID_RSA_ENCRYPTIONrsaEncryption
SB_CERT_ALGORITHM_MD2_RSA_ENCRYPTIONmd2withRSAEncryption
SB_CERT_ALGORITHM_MD5_RSA_ENCRYPTIONmd5withRSAEncryption
SB_CERT_ALGORITHM_SHA1_RSA_ENCRYPTIONsha1withRSAEncryption
SB_CERT_ALGORITHM_ID_DSAid-dsa
SB_CERT_ALGORITHM_ID_DSA_SHA1id-dsa-with-sha1
SB_CERT_ALGORITHM_DH_PUBLICdhpublicnumber
SB_CERT_ALGORITHM_SHA224_RSA_ENCRYPTIONsha224WithRSAEncryption
SB_CERT_ALGORITHM_SHA256_RSA_ENCRYPTIONsha256WithRSAEncryption
SB_CERT_ALGORITHM_SHA384_RSA_ENCRYPTIONsha384WithRSAEncryption
SB_CERT_ALGORITHM_SHA512_RSA_ENCRYPTIONsha512WithRSAEncryption
SB_CERT_ALGORITHM_ID_RSAPSSid-RSASSA-PSS
SB_CERT_ALGORITHM_ID_RSAOAEPid-RSAES-OAEP
SB_CERT_ALGORITHM_RSASIGNATURE_RIPEMD160ripemd160withRSA
SB_CERT_ALGORITHM_ID_ELGAMALelGamal
SB_CERT_ALGORITHM_SHA1_ECDSAecdsa-with-SHA1
SB_CERT_ALGORITHM_RECOMMENDED_ECDSAecdsa-recommended
SB_CERT_ALGORITHM_SHA224_ECDSAecdsa-with-SHA224
SB_CERT_ALGORITHM_SHA256_ECDSAecdsa-with-SHA256
SB_CERT_ALGORITHM_SHA384_ECDSAecdsa-with-SHA384
SB_CERT_ALGORITHM_SHA512_ECDSAecdsa-with-SHA512
SB_CERT_ALGORITHM_ECid-ecPublicKey
SB_CERT_ALGORITHM_SPECIFIED_ECDSAecdsa-specified
SB_CERT_ALGORITHM_GOST_R3410_1994id-GostR3410-94
SB_CERT_ALGORITHM_GOST_R3410_2001id-GostR3410-2001
SB_CERT_ALGORITHM_GOST_R3411_WITH_R3410_1994id-GostR3411-94-with-GostR3410-94
SB_CERT_ALGORITHM_GOST_R3411_WITH_R3410_2001id-GostR3411-94-with-GostR3410-2001
SB_CERT_ALGORITHM_SHA1_ECDSA_PLAINecdsa-plain-SHA1
SB_CERT_ALGORITHM_SHA224_ECDSA_PLAINecdsa-plain-SHA224
SB_CERT_ALGORITHM_SHA256_ECDSA_PLAINecdsa-plain-SHA256
SB_CERT_ALGORITHM_SHA384_ECDSA_PLAINecdsa-plain-SHA384
SB_CERT_ALGORITHM_SHA512_ECDSA_PLAINecdsa-plain-SHA512
SB_CERT_ALGORITHM_RIPEMD160_ECDSA_PLAINecdsa-plain-RIPEMD160
SB_CERT_ALGORITHM_WHIRLPOOL_RSA_ENCRYPTIONwhirlpoolWithRSAEncryption
SB_CERT_ALGORITHM_ID_DSA_SHA224id-dsa-with-sha224
SB_CERT_ALGORITHM_ID_DSA_SHA256id-dsa-with-sha256
SB_CERT_ALGORITHM_SHA3_224_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-sha3-224
SB_CERT_ALGORITHM_SHA3_256_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-sha3-256
SB_CERT_ALGORITHM_SHA3_384_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-sha3-384
SB_CERT_ALGORITHM_SHA3_512_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-sha3-512
SB_CERT_ALGORITHM_SHA3_224_ECDSAid-ecdsa-with-sha3-224
SB_CERT_ALGORITHM_SHA3_256_ECDSAid-ecdsa-with-sha3-256
SB_CERT_ALGORITHM_SHA3_384_ECDSAid-ecdsa-with-sha3-384
SB_CERT_ALGORITHM_SHA3_512_ECDSAid-ecdsa-with-sha3-512
SB_CERT_ALGORITHM_SHA3_224_ECDSA_PLAINid-ecdsa-plain-with-sha3-224
SB_CERT_ALGORITHM_SHA3_256_ECDSA_PLAINid-ecdsa-plain-with-sha3-256
SB_CERT_ALGORITHM_SHA3_384_ECDSA_PLAINid-ecdsa-plain-with-sha3-384
SB_CERT_ALGORITHM_SHA3_512_ECDSA_PLAINid-ecdsa-plain-with-sha3-512
SB_CERT_ALGORITHM_ID_DSA_SHA3_224id-dsa-with-sha3-224
SB_CERT_ALGORITHM_ID_DSA_SHA3_256id-dsa-with-sha3-256
SB_CERT_ALGORITHM_BLAKE2S_128_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2s128
SB_CERT_ALGORITHM_BLAKE2S_160_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2s160
SB_CERT_ALGORITHM_BLAKE2S_224_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2s224
SB_CERT_ALGORITHM_BLAKE2S_256_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2s256
SB_CERT_ALGORITHM_BLAKE2B_160_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2b160
SB_CERT_ALGORITHM_BLAKE2B_256_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2b256
SB_CERT_ALGORITHM_BLAKE2B_384_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2b384
SB_CERT_ALGORITHM_BLAKE2B_512_RSA_ENCRYPTIONid-rsassa-pkcs1-v1_5-with-blake2b512
SB_CERT_ALGORITHM_BLAKE2S_128_ECDSAid-ecdsa-with-blake2s128
SB_CERT_ALGORITHM_BLAKE2S_160_ECDSAid-ecdsa-with-blake2s160
SB_CERT_ALGORITHM_BLAKE2S_224_ECDSAid-ecdsa-with-blake2s224
SB_CERT_ALGORITHM_BLAKE2S_256_ECDSAid-ecdsa-with-blake2s256
SB_CERT_ALGORITHM_BLAKE2B_160_ECDSAid-ecdsa-with-blake2b160
SB_CERT_ALGORITHM_BLAKE2B_256_ECDSAid-ecdsa-with-blake2b256
SB_CERT_ALGORITHM_BLAKE2B_384_ECDSAid-ecdsa-with-blake2b384
SB_CERT_ALGORITHM_BLAKE2B_512_ECDSAid-ecdsa-with-blake2b512
SB_CERT_ALGORITHM_BLAKE2S_128_ECDSA_PLAINid-ecdsa-plain-with-blake2s128
SB_CERT_ALGORITHM_BLAKE2S_160_ECDSA_PLAINid-ecdsa-plain-with-blake2s160
SB_CERT_ALGORITHM_BLAKE2S_224_ECDSA_PLAINid-ecdsa-plain-with-blake2s224
SB_CERT_ALGORITHM_BLAKE2S_256_ECDSA_PLAINid-ecdsa-plain-with-blake2s256
SB_CERT_ALGORITHM_BLAKE2B_160_ECDSA_PLAINid-ecdsa-plain-with-blake2b160
SB_CERT_ALGORITHM_BLAKE2B_256_ECDSA_PLAINid-ecdsa-plain-with-blake2b256
SB_CERT_ALGORITHM_BLAKE2B_384_ECDSA_PLAINid-ecdsa-plain-with-blake2b384
SB_CERT_ALGORITHM_BLAKE2B_512_ECDSA_PLAINid-ecdsa-plain-with-blake2b512
SB_CERT_ALGORITHM_ID_DSA_BLAKE2S_224id-dsa-with-blake2s224
SB_CERT_ALGORITHM_ID_DSA_BLAKE2S_256id-dsa-with-blake2s256
SB_CERT_ALGORITHM_EDDSA_ED25519id-Ed25519
SB_CERT_ALGORITHM_EDDSA_ED448id-Ed448
SB_CERT_ALGORITHM_EDDSA_ED25519_PHid-Ed25519ph
SB_CERT_ALGORITHM_EDDSA_ED448_PHid-Ed448ph
SB_CERT_ALGORITHM_EDDSAid-EdDSA
SB_CERT_ALGORITHM_EDDSA_SIGNATUREid-EdDSA-sig

Use the KeyBits, Curve, and PublicKeyBytes fields to get more details about the key the certificate contains.

KeyBits
int (read-only)

Default: 0

Returns the length of the public key in bits.

This value indicates the length of the principal cryptographic parameter of the key, such as the length of the RSA modulus or ECDSA field. The key data returned by the PublicKeyBytes or PrivateKeyBytes field would typically contain auxiliary values, and therefore be longer.

KeyFingerprint
string (read-only)

Default: ""

Returns a SHA1 fingerprint of the public key contained in the certificate.

Note that the key fingerprint is different from the certificate fingerprint accessible via the Fingerprint field. The key fingeprint uniquely identifies the public key, and so can be the same for multiple certificates containing the same key.

KeyUsage
int

Default: 0

Indicates the purposes of the key contained in the certificate, in the form of an OR'ed flag set.

This value is a bit mask of the following values:

ckuUnknown0x00000Unknown key usage

ckuDigitalSignature0x00001Digital signature

ckuNonRepudiation0x00002Non-repudiation

ckuKeyEncipherment0x00004Key encipherment

ckuDataEncipherment0x00008Data encipherment

ckuKeyAgreement0x00010Key agreement

ckuKeyCertSign0x00020Certificate signing

ckuCRLSign0x00040Revocation signing

ckuEncipherOnly0x00080Encipher only

ckuDecipherOnly0x00100Decipher only

ckuServerAuthentication0x00200Server authentication

ckuClientAuthentication0x00400Client authentication

ckuCodeSigning0x00800Code signing

ckuEmailProtection0x01000Email protection

ckuTimeStamping0x02000Timestamping

ckuOCSPSigning0x04000OCSP signing

ckuSmartCardLogon0x08000Smartcard logon

ckuKeyPurposeClientAuth0x10000Kerberos - client authentication

ckuKeyPurposeKDC0x20000Kerberos - KDC

Set this field before generating the certificate to propagate the key usage flags to the new certificate.

KeyValid
bool (read-only)

Default: False

Returns True if the certificate's key is cryptographically valid, and False otherwise.

OCSPLocations
string

Default: ""

Locations of OCSP services that can be used to check this certificate's validity in real time, as recorded by the CA.

Set this field before calling the certificate manager's Generate method to propagate it to the new certificate.

The OCSP locations are provided as a list of CRLF-separated URLs. Note that this differs from the behaviour used in earlier product versions, where the "|" character was used as the location separator.

OCSPNoCheck
bool

Default: False

Accessor to the value of the certificate's ocsp-no-check extension.

Origin
int (read-only)

Default: 0

Returns the location that the certificate was taken or loaded from.

PolicyIDs
string

Default: ""

Contains identifiers (OIDs) of the applicable certificate policies.

The Certificate Policies extension identifies a sequence of policies under which the certificate has been issued, and which regulate its usage.

Set this field when generating a certificate to propagate the policies information to the new certificate.

The policies are provided as a list of CRLF-separated entries. Note that this differs from the behaviour used in earlier product versions, where the "|" character was used as the policy element separator.

PrivateKeyBytes
byte[] (read-only)

Default: ""

Returns the certificate's private key in DER-encoded format. It is normal for this field to be empty if the private key is non-exportable, which, for example, is typical for certificates originating from hardware security devices.

PrivateKeyExists
bool (read-only)

Default: False

Indicates whether the certificate has a usable private key associated with it. If it is set to True, the certificate can be used for private key operations, such as signing or decryption.

This field is independent from PrivateKeyBytes, and can be set to True even if the former is empty. This would imply that the private key is non-exportable, but still can be used for cryptographic operations.

PrivateKeyExtractable
bool (read-only)

Default: False

Indicates whether the private key is extractable (exportable).

PublicKeyBytes
byte[] (read-only)

Default: ""

Contains the certificate's public key in DER format.

This typically would contain an ASN.1-encoded public key value. The exact format depends on the type of the public key contained in the certificate.

Qualified
bool (read-only)

Default: False

Indicates whether the certificate is qualified.

This property is set to True if the certificate is confirmed by a Trusted List to be qualified.

QualifiedStatements
QualifiedStatementsTypes

Default: 0

Returns a simplified qualified status of the certificate.

Qualifiers
string (read-only)

Default: ""

A list of qualifiers.

Contains a comma-separated list of qualifier aliases for the certificate, for example QCP-n-qscd,QCWithSSCD.

SelfSigned
bool (read-only)

Default: False

Indicates whether the certificate is self-signed (root) or signed by an external CA.

SerialNumber
byte[]

Default: ""

Returns the certificate's serial number.

The serial number is a binary string that uniquely identifies a certificate among others issued by the same CA. According to the X.509 standard, the (issuer, serial number) pair should be globally unique to facilitate chain building.

SigAlgorithm
string (read-only)

Default: ""

Indicates the algorithm that was used by the CA to sign this certificate.

A signature algorithm typically combines hash and public key algorithms together, such as sha256WithRSAEncryption or ecdsa-with-SHA256.

Source
PKISources (read-only)

Default: 0

Returns the source (location or disposition) of a cryptographic primitive entity, such as a certificate, CRL, or OCSP response.

Subject
string (read-only)

Default: ""

The common name of the certificate holder, typically an individual's name, a URL, an e-mail address, or a company name. This is part of a larger set of credentials available via SubjectRDN.

SubjectAlternativeName
string

Default: ""

Returns or sets the value of the Subject Alternative Name extension of the certificate.

Subject alternative names are used to provide additional names that are impractical to store in the main SubjectRDN field. For example, it is often used to store all the domain names that a TLS certificate is authorized to protect.

The alternative names are provided as a list of CRLF-separated entries. Note that this differs from the behaviour used in earlier product versions, where the "|" character was used as the element separator.

SubjectKeyID
byte[]

Default: ""

Contains a unique identifier of the certificate's cryptographic key.

Subject Key Identifier is a certificate extension which allows a specific public key to be associated with a certificate holder. Typically, subject key identifiers of CA certificates are recorded as respective CA key identifiers in the subordinate certificates that they issue, which facilitates chain building.

The SubjectKeyID and CAKeyID fields of self-signed certificates typically contain identical values, as in that specific case, the issuer and the subject are the same entity.

SubjectRDN
string

Default: ""

A list of Property=Value pairs that uniquely identify the certificate holder (subject).

Depending on the purpose of the certificate and the policies of the CA that issued it, the values included in the subject record may differ drastically and contain business or personal names, web URLs, email addresses, and other data.

Example: /C=US/O=Oranges and Apples, Inc./OU=Accounts Receivable/1.2.3.4.5=Value with unknown OID/CN=Margaret Watkins.

Valid
bool (read-only)

Default: False

Indicates whether or not the signature over the certificate or the request is valid and matches the public key contained in the CA certificate/request.

ValidFrom
string

Default: ""

The time point at which the certificate becomes valid, in UTC.

ValidTo
string

Default: ""

The time point at which the certificate expires, in UTC.

Constructors

public Certificate(byte[] bytes, int startIndex, int count, string password);
Public Certificate(ByVal Bytes As Byte(), ByVal StartIndex As Integer, ByVal Count As Integer, ByVal Password As String)

Loads the X.509 certificate from a memory buffer. Bytes is a buffer containing the raw certificate data. StartIndex and Count specify the starting position and number of bytes to be read from the buffer, respectively. Password is a password encrypting the certificate.

public Certificate(byte[] certBytes, int certStartIndex, int certCount, byte[] keyBytes, int keyStartIndex, int keyCount, string password);
Public Certificate(ByVal CertBytes As Byte(), ByVal CertStartIndex As Integer, ByVal CertCount As Integer, ByVal KeyBytes As Byte(), ByVal KeyStartIndex As Integer, ByVal KeyCount As Integer, ByVal Password As String)

Loads the X.509 certificate from a memory buffer.

CertBytes is a buffer containing the raw certificate data. CertStartIndex and CertCount specify the starting position and number of bytes to be read from the buffer, respectively.

KeyBytes is a buffer containing the private key data. KeyStartIndex and KeyCount specify the starting position and number of bytes to be read from the buffer, respectively.

Password is a password encrypting the certificate.

public Certificate(byte[] bytes, int startIndex, int count);
Public Certificate(ByVal Bytes As Byte(), ByVal StartIndex As Integer, ByVal Count As Integer)

Loads the X.509 certificate from a memory buffer. Bytes is a buffer containing the raw certificate data. StartIndex and Count specify the starting position and number of bytes to be read from the buffer, respectively.

public Certificate(string path, string password);
Public Certificate(ByVal Path As String, ByVal Password As String)

Loads the X.509 certificate from a file. Path specifies the full path to the file containing the certificate data. Password is a password encrypting the certificate.

public Certificate(string certPath, string keyPath, string password);
Public Certificate(ByVal CertPath As String, ByVal KeyPath As String, ByVal Password As String)

Loads the X.509 certificate from a file. CertPath specifies the full path to the file containing the certificate data. KeyPath specifies the full path to the file containing the private key. Password is a password encrypting the certificate.

public Certificate(string path);
Public Certificate(ByVal Path As String)

Loads the X.509 certificate from a file. Path specifies the full path to the file containing the certificate data.

Public Certificate(ByVal Stream As System.IO.Stream)

Loads the X.509 certificate from a stream. Stream is a stream containing the certificate data.

public Certificate(System.IO.Stream stream, string password);
Public Certificate(ByVal Stream As System.IO.Stream, ByVal Password As String)

Loads the X.509 certificate from a stream. Stream is a stream containing the certificate data. Password is a password encrypting the certificate.

public Certificate(System.IO.Stream certStream, System.IO.Stream keyStream, string password);
Public Certificate(ByVal CertStream As System.IO.Stream, ByVal KeyStream As System.IO.Stream, ByVal Password As String)

Loads the X.509 certificate from a stream. CertStream is a stream containing the certificate data. KeyStream is a stream containing the private key. Password is a password encrypting the certificate.

public Certificate();
Public Certificate()

Creates a new object with default field values.

CRL Type

Represents a Certificate Revocation List.

Remarks

CRLs store information about revoked certificates, i.e., certificates that have been identified as invalid by their issuing certificate authority (CA) for any number of reasons.

Each CRL object lists certificates from a single CA and identifies them by their serial numbers. A CA may or may not publish a CRL, may publish several CRLs, or may publish the same CRL in multiple locations.

Unlike OCSP responses, CRLs only list certificates that have been revoked. They do not list certificates that are still valid.

The following fields are available:

Fields

Bytes
byte[] (read-only)

Default: ""

Returns the raw CRL data in DER format.

CAKeyID
byte[]

Default: ""

A unique identifier (fingerprint) of the CA certificate's private key, if present in the CRL.

EntryCount
int (read-only)

Default: 0

Returns the number of certificate status entries in the CRL.

Issuer
string (read-only)

Default: ""

The common name of the CRL issuer (CA), typically a company name.

IssuerRDN
string (read-only)

Default: ""

A collection of information, in the form of [OID, Value] pairs, uniquely identifying the CRL issuer.

Location
string (read-only)

Default: ""

The URL that the CRL was downloaded from.

NextUpdate
string

Default: ""

The planned time and date of the next version of this CRL to be published.

SigAlgorithm
string

Default: "0"

The public key algorithm that was used by the CA to sign this CRL.

Source
PKISources (read-only)

Default: 0

Returns the source (location or disposition) of a cryptographic primitive entity, such as a certificate, CRL, or OCSP response.

TBS
byte[] (read-only)

Default: ""

The to-be-signed part of the CRL (the CRL without the signature part).

ThisUpdate
string

Default: ""

The date and time at which this version of the CRL was published.

Constructors

public CRL(byte[] bytes, int startIndex, int count);
Public CRL(ByVal Bytes As Byte(), ByVal StartIndex As Integer, ByVal Count As Integer)

Creates a CRL object from a memory buffer. Bytes is a buffer containing raw (DER) CRL data, StartIndex and Count specify the starting position and the length of the CRL data in the buffer, respectively.

public CRL(string location);
Public CRL(ByVal Location As String)

Creates a CRL object by downloading it from a remote location.

public CRL(System.IO.Stream stream);
Public CRL(ByVal Stream As System.IO.Stream)

Creates a CRL object from data contained in a stream.

public CRL();
Public CRL()

Creates an empty CRL object.

OCSPResponse Type

Represents a single OCSP response originating from an OCSP responder.

Remarks

OCSP is a protocol that allows verification of certificate status in real-time, and is an alternative to Certificate Revocation Lists (CRLs).

An OCSP response is a snapshot of the certificate status at a given time.

The following fields are available:

Fields

Bytes
byte[] (read-only)

Default: ""

A buffer containing the raw OCSP response data.

EntryCount
int (read-only)

Default: 0

The number of SingleResponse elements contained in this OCSP response. Each SingleResponse element corresponds to a certificate status.

Issuer
string (read-only)

Default: ""

Indicates the issuer of this response (a CA or its authorized representative).

IssuerRDN
string (read-only)

Default: ""

Indicates the RDN of the issuer of this response (a CA or its authorized representative).

Location
string (read-only)

Default: ""

The location of the OCSP responder.

ProducedAt
string

Default: ""

Specifies the time when the response was produced, in UTC.

SigAlgorithm
string

Default: "0"

The public key algorithm that was used by the CA to sign this OCSP response.

Source
PKISources (read-only)

Default: 0

Returns the source (location or disposition) of a cryptographic primitive entity, such as a certificate, CRL, or OCSP response.

Constructors

public OCSPResponse(byte[] bytes, int startIndex, int count);
Public OCSPResponse(ByVal Bytes As Byte(), ByVal StartIndex As Integer, ByVal Count As Integer)

Initializes the response from a memory buffer. Bytes is a buffer containing raw OCSP response data, StartIndex and Count specify the starting position and the number of bytes to be read from this buffer.

public OCSPResponse(string location);
Public OCSPResponse(ByVal Location As String)

Downloads an OCSP response from a remote location.

Public OCSPResponse(ByVal Stream As System.IO.Stream)

Initializes the response with the data from a stream.

public OCSPResponse();
Public OCSPResponse()

Creates an empty OCSP response object.

ProxySettings Type

A container for proxy server settings.

Remarks

This type exposes a collection of properties for tuning up the proxy server configuration.

The following fields are available:

Fields

Address
string

Default: ""

The IP address of the proxy server.

Authentication
ProxyAuthTypes

Default: 0

The authentication type used by the proxy server.

patNoAuthentication0
patBasic1
patDigest2
patNTLM3

Password
string

Default: ""

The password to authenticate to the proxy server.

Port
int

Default: 0

The port on the proxy server to connect to.

ProxyType
ProxyTypes

Default: 0

The type of the proxy server.

cptNone0
cptSocks41
cptSocks52
cptWebTunnel3
cptHTTP4

RequestHeaders
string

Default: ""

Contains HTTP request headers for WebTunnel and HTTP proxy.

ResponseBody
string

Default: ""

Contains the HTTP or HTTPS (WebTunnel) proxy response body.

ResponseHeaders
string

Default: ""

Contains response headers received from an HTTP or HTTPS (WebTunnel) proxy server.

UseIPv6
bool

Default: False

Specifies whether IPv6 should be used when connecting through the proxy.

Username
string

Default: ""

Specifies the username credential for proxy authentication.

Constructors

public ProxySettings();
Public ProxySettings()

Creates a new ProxySettings object.

SignatureAttribute Type

Represents an attribute of a digital PKCS#7/CMS signature.

Remarks

Attributes store auxiliary information about the signed message, the signature, or the owner. Each attribute is a OID=Value pair.

Common attributes are signing time, a content type, a policy identifier, and a signature timestamp.

The following fields are available:

Fields

OID
string

Default: ""

The object identifier of the attribute.

Value
byte[]

Default: ""

The value of the attribute.

Constructors

Creates a new, empty, signature attribute.

SocketSettings Type

A container for the socket settings.

Remarks

This type is a container for socket-layer parameters.

The following fields are available:

Fields

DNSMode
DNSResolveModes

Default: 0

Selects the DNS resolver to use: the component's (secure) built-in one, or the one provided by the system.

dmAuto0
dmPlatform1
dmOwn2
dmOwnSecure3

DNSPort
int

Default: 0

Specifies the port number to be used for sending queries to the DNS server.

DNSQueryTimeout
int

Default: 0

The timeout (in milliseconds) for each DNS query. The value of 0 indicates an infinite timeout.

DNSServers
string

Default: ""

The addresses of DNS servers to use for address resolution, separated by commas or semicolons.

DNSTotalTimeout
int

Default: 0

The timeout (in milliseconds) for the whole resolution process. The value of 0 indicates an infinite timeout.

IncomingSpeedLimit
int

Default: 0

The maximum number of bytes to read from the socket, per second.

LocalAddress
string

Default: ""

The local network interface to bind the socket to.

LocalPort
int

Default: 0

The local port number to bind the socket to.

OutgoingSpeedLimit
int

Default: 0

The maximum number of bytes to write to the socket, per second.

Timeout
int

Default: 60000

The maximum period of waiting, in milliseconds, after which the socket operation is considered unsuccessful.

If Timeout is set to 0, a socket operation will expire after the system-default timeout (2 hrs 8 min for TCP stack).

UseIPv6
bool

Default: False

Enables or disables IP protocol version 6.

Constructors

public SocketSettings();
Public SocketSettings()

Creates a new SocketSettings object.

TimestampInfo Type

A container for timestamp information.

Remarks

The TimestampInfo object contains details of a third-party timestamp and the outcome of its validation.

The following fields are available:

Fields

Accuracy
long (read-only)

Default: 0

This field indicates the accuracy of the included time mark, in microseconds.

Bytes
byte[] (read-only)

Default: ""

Returns the raw timestamp data in DER format.

CertificateIndex
int (read-only)

Default: -1

Returns the index of the TSA certificate in the Certificates collection.

Use this property to look up the TSA certificate in the Certificates collection.

ChainValidationDetails
int (read-only)

Default: 0

The details of a certificate chain validation outcome. They may often suggest the reasons that contributed to the overall validation result.

Returns a bit mask of the following options:

cvrBadData0x0001One or more certificates in the validation path are malformed

cvrRevoked0x0002One or more certificates are revoked

cvrNotYetValid0x0004One or more certificates are not yet valid

cvrExpired0x0008One or more certificates are expired

cvrInvalidSignature0x0010A certificate contains a non-valid digital signature

cvrUnknownCA0x0020A CA certificate for one or more certificates has not been found (chain incomplete)

cvrCAUnauthorized0x0040One of the CA certificates are not authorized to act as CA

cvrCRLNotVerified0x0080One or more CRLs could not be verified

cvrOCSPNotVerified0x0100One or more OCSP responses could not be verified

cvrIdentityMismatch0x0200The identity protected by the certificate (a TLS endpoint or an e-mail addressee) does not match what is recorded in the certificate

cvrNoKeyUsage0x0400A mandatory key usage is not enabled in one of the chain certificates

cvrBlocked0x0800One or more certificates are blocked

cvrFailure0x1000General validation failure

cvrChainLoop0x2000Chain loop: one of the CA certificates recursively signs itself

cvrWeakAlgorithm0x4000A weak algorithm is used in one of certificates or revocation elements

cvrUserEnforced0x8000The chain was considered invalid following intervention from a user code

ChainValidationResult
ChainValidities (read-only)

Default: 0

The outcome of a certificate chain validation routine.

Available options:

cvtValid0The chain is valid

cvtValidButUntrusted1The chain is valid, but the root certificate is not trusted

cvtInvalid2The chain is not valid (some of certificates are revoked, expired, or contain an invalid signature)

cvtCantBeEstablished3The validity of the chain cannot be established because of missing or unavailable validation information (certificates, CRLs, or OCSP responses)

Use the ValidationLog property to access the detailed validation log.

ContainsLongTermInfo
bool (read-only)

Default: False

Returns true if the signature was found to contain long-term validation details (certificates, CRLs, and OCSP response).

EntityLabel
string (read-only)

Default: ""

Use this property to get the timestamp entity label.

This property returns a string label that uniquely identifies the timestamp. The label can be used to establish the signature target in the SignatureFound event or to select the signing chain via the SelectInfo method.

HashAlgorithm
string (read-only)

Default: ""

Returns the timestamp's hash algorithm.

SB_HASH_ALGORITHM_SHA1SHA1
SB_HASH_ALGORITHM_SHA224SHA224
SB_HASH_ALGORITHM_SHA256SHA256
SB_HASH_ALGORITHM_SHA384SHA384
SB_HASH_ALGORITHM_SHA512SHA512
SB_HASH_ALGORITHM_MD2MD2
SB_HASH_ALGORITHM_MD4MD4
SB_HASH_ALGORITHM_MD5MD5
SB_HASH_ALGORITHM_RIPEMD160RIPEMD160
SB_HASH_ALGORITHM_CRC32CRC32
SB_HASH_ALGORITHM_SSL3SSL3
SB_HASH_ALGORITHM_GOST_R3411_1994GOST1994
SB_HASH_ALGORITHM_WHIRLPOOLWHIRLPOOL
SB_HASH_ALGORITHM_POLY1305POLY1305
SB_HASH_ALGORITHM_SHA3_224SHA3_224
SB_HASH_ALGORITHM_SHA3_256SHA3_256
SB_HASH_ALGORITHM_SHA3_384SHA3_384
SB_HASH_ALGORITHM_SHA3_512SHA3_512
SB_HASH_ALGORITHM_BLAKE2S_128BLAKE2S_128
SB_HASH_ALGORITHM_BLAKE2S_160BLAKE2S_160
SB_HASH_ALGORITHM_BLAKE2S_224BLAKE2S_224
SB_HASH_ALGORITHM_BLAKE2S_256BLAKE2S_256
SB_HASH_ALGORITHM_BLAKE2B_160BLAKE2B_160
SB_HASH_ALGORITHM_BLAKE2B_256BLAKE2B_256
SB_HASH_ALGORITHM_BLAKE2B_384BLAKE2B_384
SB_HASH_ALGORITHM_BLAKE2B_512BLAKE2B_512
SB_HASH_ALGORITHM_SHAKE_128SHAKE_128
SB_HASH_ALGORITHM_SHAKE_256SHAKE_256
SB_HASH_ALGORITHM_SHAKE_128_LENSHAKE_128_LEN
SB_HASH_ALGORITHM_SHAKE_256_LENSHAKE_256_LEN

ParentEntity
string (read-only)

Default: ""

Use this property to get the label of the timestamp's parent entity.

This property references the EntityLabel of the object that the timestamp covers, typically a signature.

SerialNumber
byte[] (read-only)

Default: ""

Returns the timestamp's serial number.

Time
string (read-only)

Default: ""

The time point incorporated into the timestamp.

TimestampType
int (read-only)

Default: 0

Returns the type of the timestamp.

Available options:

tstUnknown0
tstLegacy1Supported by: Authenticode components

tstTrusted2Supported by: Authenticode components

tstGeneric3Supported by: CAdES components

tstESC4Supported by: CAdES components

tstContent5Supported by: CAdES components

tstCertsAndCRLs6Supported by: CAdES components

tstArchive7Archive timestamp. Supported by: ASiC, CAdES, JAdES, Office, SOAP, XAdES components

tstArchive28Archive v2 timestamp. Supported by: ASiC, CAdES components

tstArchive39Archive v3 timestamp. Supported by: ASiC, CAdES components

tstIndividualDataObjects10Individual data objects timetamp. Supported by: ASiC, Office, SOAP, XAdES components

tstAllDataObjects11All data objects timestamp. Supported by: ASiC, Office, SOAP, XAdES components

tstSignature12Signature timestamp. Supported by: ASiC, JAdES, Office, SOAP, XAdES components

tstRefsOnly13RefsOnly timestamp. Supported by: ASiC, JAdES, Office, SOAP, XAdES components

tstSigAndRefs14SigAndRefs timestamp. Supported by: ASiC, JAdES, Office, SOAP, XAdES components

tstSignedData15SignedData timestamp. Supported by: JAdES components

tstArchive14116Archive timestamp v1.4.1. Supported by: ASiC, Office, SOAP, XAdES components

Not all of the above timestamp types can be supported by a specific signature technology used (CAdES, PDF, XAdES).

TSAName
string (read-only)

Default: ""

This value uniquely identifies the Timestamp Authority (TSA).

This property provides information about the entity that manages the TSA.

ValidationLog
string (read-only)

Default: ""

Contains the TSA certificate chain validation log. This information is extremely useful if the timestamp validation fails.

ValidationResult
SignatureValidities (read-only)

Default: 0

Contains the timestamp validation outcome.

Use this property to check the result of the most recent timestamp validation.

svtValid0The signature is valid

svtUnknown1Signature validity is unknown

svtCorrupted2The signature is corrupted

svtSignerNotFound3Failed to acquire the signing certificate. The signature cannot be validated.

svtFailure4General failure

svtReferenceCorrupted5Reference corrupted (XML-based signatures only)

Constructors

public TimestampInfo();
Public TimestampInfo()

Creates a new TimestampInfo object with default field values.

TLSSettings Type

A container for TLS connection settings.

Remarks

The TLS (Transport Layer Security) protocol provides security for information exchanged over insecure connections such as TCP/IP.

The following fields are available:

Fields

AutoValidateCertificates
bool

Default: True

Specifies whether server-side TLS certificates should be validated automatically using internal validation rules.

BaseConfiguration
SecureTransportPredefinedConfigurations

Default: 0

Selects the base configuration for the TLS settings. Several profiles are offered and tuned up for different purposes, such as high security or higher compatibility.

stpcDefault0
stpcCompatible1
stpcComprehensiveInsecure2
stpcHighlySecure3

Ciphersuites
string

Default: ""

A list of ciphersuites separated with commas or semicolons. Each ciphersuite in the list may be prefixed with a minus sign (-) to indicate that the ciphersuite should be disabled rather than enabled. Besides the specific ciphersuite modifiers, this property supports the all (and -all) aliases, allowing all ciphersuites to be blanketly enabled or disabled at once.

Note: the list of ciphersuites provided to this property alters the baseline list of ciphersuites as defined by BaseConfiguration. Remember to start your ciphersuite string with -all; if you need to only enable a specific fixed set of ciphersuites. The list of supported ciphersuites is provided below:

  • NULL_NULL_NULL
  • RSA_NULL_MD5
  • RSA_NULL_SHA
  • RSA_RC4_MD5
  • RSA_RC4_SHA
  • RSA_RC2_MD5
  • RSA_IDEA_MD5
  • RSA_IDEA_SHA
  • RSA_DES_MD5
  • RSA_DES_SHA
  • RSA_3DES_MD5
  • RSA_3DES_SHA
  • RSA_AES128_SHA
  • RSA_AES256_SHA
  • DH_DSS_DES_SHA
  • DH_DSS_3DES_SHA
  • DH_DSS_AES128_SHA
  • DH_DSS_AES256_SHA
  • DH_RSA_DES_SHA
  • DH_RSA_3DES_SHA
  • DH_RSA_AES128_SHA
  • DH_RSA_AES256_SHA
  • DHE_DSS_DES_SHA
  • DHE_DSS_3DES_SHA
  • DHE_DSS_AES128_SHA
  • DHE_DSS_AES256_SHA
  • DHE_RSA_DES_SHA
  • DHE_RSA_3DES_SHA
  • DHE_RSA_AES128_SHA
  • DHE_RSA_AES256_SHA
  • DH_ANON_RC4_MD5
  • DH_ANON_DES_SHA
  • DH_ANON_3DES_SHA
  • DH_ANON_AES128_SHA
  • DH_ANON_AES256_SHA
  • RSA_RC2_MD5_EXPORT
  • RSA_RC4_MD5_EXPORT
  • RSA_DES_SHA_EXPORT
  • DH_DSS_DES_SHA_EXPORT
  • DH_RSA_DES_SHA_EXPORT
  • DHE_DSS_DES_SHA_EXPORT
  • DHE_RSA_DES_SHA_EXPORT
  • DH_ANON_RC4_MD5_EXPORT
  • DH_ANON_DES_SHA_EXPORT
  • RSA_CAMELLIA128_SHA
  • DH_DSS_CAMELLIA128_SHA
  • DH_RSA_CAMELLIA128_SHA
  • DHE_DSS_CAMELLIA128_SHA
  • DHE_RSA_CAMELLIA128_SHA
  • DH_ANON_CAMELLIA128_SHA
  • RSA_CAMELLIA256_SHA
  • DH_DSS_CAMELLIA256_SHA
  • DH_RSA_CAMELLIA256_SHA
  • DHE_DSS_CAMELLIA256_SHA
  • DHE_RSA_CAMELLIA256_SHA
  • DH_ANON_CAMELLIA256_SHA
  • PSK_RC4_SHA
  • PSK_3DES_SHA
  • PSK_AES128_SHA
  • PSK_AES256_SHA
  • DHE_PSK_RC4_SHA
  • DHE_PSK_3DES_SHA
  • DHE_PSK_AES128_SHA
  • DHE_PSK_AES256_SHA
  • RSA_PSK_RC4_SHA
  • RSA_PSK_3DES_SHA
  • RSA_PSK_AES128_SHA
  • RSA_PSK_AES256_SHA
  • RSA_SEED_SHA
  • DH_DSS_SEED_SHA
  • DH_RSA_SEED_SHA
  • DHE_DSS_SEED_SHA
  • DHE_RSA_SEED_SHA
  • DH_ANON_SEED_SHA
  • SRP_SHA_3DES_SHA
  • SRP_SHA_RSA_3DES_SHA
  • SRP_SHA_DSS_3DES_SHA
  • SRP_SHA_AES128_SHA
  • SRP_SHA_RSA_AES128_SHA
  • SRP_SHA_DSS_AES128_SHA
  • SRP_SHA_AES256_SHA
  • SRP_SHA_RSA_AES256_SHA
  • SRP_SHA_DSS_AES256_SHA
  • ECDH_ECDSA_NULL_SHA
  • ECDH_ECDSA_RC4_SHA
  • ECDH_ECDSA_3DES_SHA
  • ECDH_ECDSA_AES128_SHA
  • ECDH_ECDSA_AES256_SHA
  • ECDHE_ECDSA_NULL_SHA
  • ECDHE_ECDSA_RC4_SHA
  • ECDHE_ECDSA_3DES_SHA
  • ECDHE_ECDSA_AES128_SHA
  • ECDHE_ECDSA_AES256_SHA
  • ECDH_RSA_NULL_SHA
  • ECDH_RSA_RC4_SHA
  • ECDH_RSA_3DES_SHA
  • ECDH_RSA_AES128_SHA
  • ECDH_RSA_AES256_SHA
  • ECDHE_RSA_NULL_SHA
  • ECDHE_RSA_RC4_SHA
  • ECDHE_RSA_3DES_SHA
  • ECDHE_RSA_AES128_SHA
  • ECDHE_RSA_AES256_SHA
  • ECDH_ANON_NULL_SHA
  • ECDH_ANON_RC4_SHA
  • ECDH_ANON_3DES_SHA
  • ECDH_ANON_AES128_SHA
  • ECDH_ANON_AES256_SHA
  • RSA_NULL_SHA256
  • RSA_AES128_SHA256
  • RSA_AES256_SHA256
  • DH_DSS_AES128_SHA256
  • DH_RSA_AES128_SHA256
  • DHE_DSS_AES128_SHA256
  • DHE_RSA_AES128_SHA256
  • DH_DSS_AES256_SHA256
  • DH_RSA_AES256_SHA256
  • DHE_DSS_AES256_SHA256
  • DHE_RSA_AES256_SHA256
  • DH_ANON_AES128_SHA256
  • DH_ANON_AES256_SHA256
  • RSA_AES128_GCM_SHA256
  • RSA_AES256_GCM_SHA384
  • DHE_RSA_AES128_GCM_SHA256
  • DHE_RSA_AES256_GCM_SHA384
  • DH_RSA_AES128_GCM_SHA256
  • DH_RSA_AES256_GCM_SHA384
  • DHE_DSS_AES128_GCM_SHA256
  • DHE_DSS_AES256_GCM_SHA384
  • DH_DSS_AES128_GCM_SHA256
  • DH_DSS_AES256_GCM_SHA384
  • DH_ANON_AES128_GCM_SHA256
  • DH_ANON_AES256_GCM_SHA384
  • ECDHE_ECDSA_AES128_SHA256
  • ECDHE_ECDSA_AES256_SHA384
  • ECDH_ECDSA_AES128_SHA256
  • ECDH_ECDSA_AES256_SHA384
  • ECDHE_RSA_AES128_SHA256
  • ECDHE_RSA_AES256_SHA384
  • ECDH_RSA_AES128_SHA256
  • ECDH_RSA_AES256_SHA384
  • ECDHE_ECDSA_AES128_GCM_SHA256
  • ECDHE_ECDSA_AES256_GCM_SHA384
  • ECDH_ECDSA_AES128_GCM_SHA256
  • ECDH_ECDSA_AES256_GCM_SHA384
  • ECDHE_RSA_AES128_GCM_SHA256
  • ECDHE_RSA_AES256_GCM_SHA384
  • ECDH_RSA_AES128_GCM_SHA256
  • ECDH_RSA_AES256_GCM_SHA384
  • PSK_AES128_GCM_SHA256
  • PSK_AES256_GCM_SHA384
  • DHE_PSK_AES128_GCM_SHA256
  • DHE_PSK_AES256_GCM_SHA384
  • RSA_PSK_AES128_GCM_SHA256
  • RSA_PSK_AES256_GCM_SHA384
  • PSK_AES128_SHA256
  • PSK_AES256_SHA384
  • PSK_NULL_SHA256
  • PSK_NULL_SHA384
  • DHE_PSK_AES128_SHA256
  • DHE_PSK_AES256_SHA384
  • DHE_PSK_NULL_SHA256
  • DHE_PSK_NULL_SHA384
  • RSA_PSK_AES128_SHA256
  • RSA_PSK_AES256_SHA384
  • RSA_PSK_NULL_SHA256
  • RSA_PSK_NULL_SHA384
  • RSA_CAMELLIA128_SHA256
  • DH_DSS_CAMELLIA128_SHA256
  • DH_RSA_CAMELLIA128_SHA256
  • DHE_DSS_CAMELLIA128_SHA256
  • DHE_RSA_CAMELLIA128_SHA256
  • DH_ANON_CAMELLIA128_SHA256
  • RSA_CAMELLIA256_SHA256
  • DH_DSS_CAMELLIA256_SHA256
  • DH_RSA_CAMELLIA256_SHA256
  • DHE_DSS_CAMELLIA256_SHA256
  • DHE_RSA_CAMELLIA256_SHA256
  • DH_ANON_CAMELLIA256_SHA256
  • ECDHE_ECDSA_CAMELLIA128_SHA256
  • ECDHE_ECDSA_CAMELLIA256_SHA384
  • ECDH_ECDSA_CAMELLIA128_SHA256
  • ECDH_ECDSA_CAMELLIA256_SHA384
  • ECDHE_RSA_CAMELLIA128_SHA256
  • ECDHE_RSA_CAMELLIA256_SHA384
  • ECDH_RSA_CAMELLIA128_SHA256
  • ECDH_RSA_CAMELLIA256_SHA384
  • RSA_CAMELLIA128_GCM_SHA256
  • RSA_CAMELLIA256_GCM_SHA384
  • DHE_RSA_CAMELLIA128_GCM_SHA256
  • DHE_RSA_CAMELLIA256_GCM_SHA384
  • DH_RSA_CAMELLIA128_GCM_SHA256
  • DH_RSA_CAMELLIA256_GCM_SHA384
  • DHE_DSS_CAMELLIA128_GCM_SHA256
  • DHE_DSS_CAMELLIA256_GCM_SHA384
  • DH_DSS_CAMELLIA128_GCM_SHA256
  • DH_DSS_CAMELLIA256_GCM_SHA384
  • DH_anon_CAMELLIA128_GCM_SHA256
  • DH_anon_CAMELLIA256_GCM_SHA384
  • ECDHE_ECDSA_CAMELLIA128_GCM_SHA256
  • ECDHE_ECDSA_CAMELLIA256_GCM_SHA384
  • ECDH_ECDSA_CAMELLIA128_GCM_SHA256
  • ECDH_ECDSA_CAMELLIA256_GCM_SHA384
  • ECDHE_RSA_CAMELLIA128_GCM_SHA256
  • ECDHE_RSA_CAMELLIA256_GCM_SHA384
  • ECDH_RSA_CAMELLIA128_GCM_SHA256
  • ECDH_RSA_CAMELLIA256_GCM_SHA384
  • PSK_CAMELLIA128_GCM_SHA256
  • PSK_CAMELLIA256_GCM_SHA384
  • DHE_PSK_CAMELLIA128_GCM_SHA256
  • DHE_PSK_CAMELLIA256_GCM_SHA384
  • RSA_PSK_CAMELLIA128_GCM_SHA256
  • RSA_PSK_CAMELLIA256_GCM_SHA384
  • PSK_CAMELLIA128_SHA256
  • PSK_CAMELLIA256_SHA384
  • DHE_PSK_CAMELLIA128_SHA256
  • DHE_PSK_CAMELLIA256_SHA384
  • RSA_PSK_CAMELLIA128_SHA256
  • RSA_PSK_CAMELLIA256_SHA384
  • ECDHE_PSK_CAMELLIA128_SHA256
  • ECDHE_PSK_CAMELLIA256_SHA384
  • ECDHE_PSK_RC4_SHA
  • ECDHE_PSK_3DES_SHA
  • ECDHE_PSK_AES128_SHA
  • ECDHE_PSK_AES256_SHA
  • ECDHE_PSK_AES128_SHA256
  • ECDHE_PSK_AES256_SHA384
  • ECDHE_PSK_NULL_SHA
  • ECDHE_PSK_NULL_SHA256
  • ECDHE_PSK_NULL_SHA384
  • ECDHE_RSA_CHACHA20_POLY1305_SHA256
  • ECDHE_ECDSA_CHACHA20_POLY1305_SHA256
  • DHE_RSA_CHACHA20_POLY1305_SHA256
  • PSK_CHACHA20_POLY1305_SHA256
  • ECDHE_PSK_CHACHA20_POLY1305_SHA256
  • DHE_PSK_CHACHA20_POLY1305_SHA256
  • RSA_PSK_CHACHA20_POLY1305_SHA256
  • AES128_GCM_SHA256
  • AES256_GCM_SHA384
  • CHACHA20_POLY1305_SHA256
  • AES128_CCM_SHA256
  • AES128_CCM8_SHA256

ClientAuth
ClientAuthTypes

Default: 0

Enables or disables certificate-based client authentication.

Set this property to true to tune up the client authentication type:

ccatNoAuth0
ccatRequestCert1
ccatRequireCert2

ECCurves
string

Default: ""

Defines the elliptic curves to enable.

Extensions
string

Default: ""

Provides access to TLS extensions.

ForceResumeIfDestinationChanges
bool

Default: False

Whether to force TLS session resumption when the destination address changes.

PreSharedIdentity
string

Default: ""

Defines the identity used when the PSK (Pre-Shared Key) key-exchange mechanism is negotiated.

PreSharedKey
string

Default: ""

Contains the pre-shared key for the PSK (Pre-Shared Key) key-exchange mechanism, encoded with base16.

PreSharedKeyCiphersuite
string

Default: ""

Defines the ciphersuite used for PSK (Pre-Shared Key) negotiation.

RenegotiationAttackPreventionMode
RenegotiationAttackPreventionModes

Default: 2

Selects the renegotiation attack prevention mechanism.

The following options are available:

crapmCompatible0TLS 1.0 and 1.1 compatibility mode (renegotiation indication extension is disabled).
crapmStrict1Renegotiation attack prevention is enabled and enforced.
crapmAuto2Automatically choose whether to enable or disable renegotiation attack prevention.

RevocationCheck
RevocationCheckKinds

Default: 1

Specifies the kind(s) of revocation check to perform.

Revocation checking is necessary to ensure the integrity of the chain and obtain up-to-date certificate validity and trustworthiness information.

crcNone0No revocation checking.
crcAuto1Automatic mode selection. Currently this maps to crcAnyOCSPOrCRL, but it may change in the future.
crcAllCRL2All provided CRL endpoints will be checked, and all checks must succeed.
crcAllOCSP3All provided OCSP endpoints will be checked, and all checks must succeed.
crcAllCRLAndOCSP4All provided CRL and OCSP endpoints will be checked, and all checks must succeed.
crcAnyCRL5All provided CRL endpoints will be checked, and at least one check must succeed.
crcAnyOCSP6All provided OCSP endpoints will be checked, and at least one check must succeed.
crcAnyCRLOrOCSP7All provided CRL and OCSP endpoints will be checked, and at least one check must succeed. CRL endpoints are checked first.
crcAnyOCSPOrCRL8All provided CRL and OCSP endpoints will be checked, and at least one check must succeed. OCSP endpoints are checked first.

This setting controls the way the revocation checks are performed for every certificate in the chain. Typically certificates come with two types of revocation information sources: CRL (certificate revocation lists) and OCSP responders. CRLs are static objects periodically published by the CA at some online location. OCSP responders are active online services maintained by the CA that can provide up-to-date information on certificate statuses in near real time.

There are some conceptual differences between the two. CRLs are normally larger in size. Their use involves some latency because there is normally some delay between the time when a certificate was revoked and the time the subsequent CRL mentioning that is published. The benefits of CRL is that the same object can provide statuses for all certificates issued by a particular CA, and that the whole technology is much simpler than OCSP (and thus is supported by more CAs).

This setting lets you adjust the validation course by including or excluding certain types of revocation sources from the validation process. The crcAnyOCSPOrCRL setting (give preference to the faster OCSP route and only demand one source to succeed) is a good choice for most typical validation environments. The "crcAll*" modes are much stricter, and may be used in scenarios where bulletproof validity information is essential.

Note: If no CRL or OCSP endpoints are provided by the CA, the revocation check will be considered successful. This is because the CA chose not to supply revocation information for its certificates, meaning they are considered irrevocable.

Note: Within each of the above settings, if any retrieved CRL or OCSP response indicates that the certificate has been revoked, the revocation check fails.

SSLOptions
int

Default: 16

Various SSL (TLS) protocol options, set of

cssloExpectShutdownMessage0x001Wait for the close-notify message when shutting down the connection

cssloOpenSSLDTLSWorkaround0x002(DEPRECATED) Use a DTLS version workaround when talking to very old OpenSSL versions

cssloDisableKexLengthAlignment0x004Do not align the client-side PMS by the RSA modulus size. It is unlikely that you will ever need to adjust it.

cssloForceUseOfClientCertHashAlg0x008Enforce the use of the client certificate hash algorithm. It is unlikely that you will ever need to adjust it.

cssloAutoAddServerNameExtension0x010Automatically add the server name extension when known

cssloAcceptTrustedSRPPrimesOnly0x020Accept trusted SRP primes only

cssloDisableSignatureAlgorithmsExtension0x040Disable (do not send) the signature algorithms extension. It is unlikely that you will ever need to adjust it.

cssloIntolerateHigherProtocolVersions0x080(server option) Do not allow fallback from TLS versions higher than currently enabled

cssloStickToPrefCertHashAlg0x100Stick to preferred certificate hash algorithms

cssloNoImplicitTLS12Fallback0x200Disable implicit TLS 1.3 to 1.2 fallbacks

cssloUseHandshakeBatches0x400Send the handshake message as large batches rather than individually

TLSMode
SSLModes

Default: 0

Specifies the TLS mode to use.

smDefault0
smNoTLS1Do not use TLS
smExplicitTLS2Connect to the server without any encryption and then request an SSL session.
smImplicitTLS3Connect to the specified port, and establish the SSL session at once.
smMixedTLS4Connect to the specified port, and establish the SSL session at once, but allow plain data.

UseExtendedMasterSecret
bool

Default: False

Enables the Extended Master Secret Extension, as defined in RFC 7627.

UseSessionResumption
bool

Default: False

Enables or disables the TLS session resumption capability.

Versions
int

Default: 16

The SSL/TLS versions to enable by default.

csbSSL20x01SSL 2

csbSSL30x02SSL 3

csbTLS10x04TLS 1.0

csbTLS110x08TLS 1.1

csbTLS120x10TLS 1.2

csbTLS130x20TLS 1.3

Constructors

public TLSSettings();
Public TLSSettings()

Creates a new TLSSettings object.

Config Settings (CAdESVerifier Component)

The component accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the component, access to these internal properties is provided through the Config method.

CAdESVerifier Config Settings

AddReferencesToAllUsedCertsAndRevInfo:   Whether to include all certificates and revocation references in CompleteCertificateRefs attribute.

If this property is set, all certificates and revocation references collected during validation will be added to the CompleteCertificateRefs attribute of the signature. This feature is not required by the CAdES specification, however, some processors may expect such behavior.

AddReferencesToIrrevocableCerts:   Whether references to irrevocable certificates should be included in CompleteCertificateRefs attribute.

Set this property to True to include references to irrevocable certificates in CompleteCertificateRefs attribute

AddReferenceToSigningCert:   Whether a reference to the signing certificate should be included in CompleteCertificateRefs attribute.

Set this property to True to include a reference to the signing certificate in CompleteCertificateRefs attribute

AllowPartialValidationInfo:   Whether to allow for missing validation info.

If this property is set to True, signature validation will not fail if validation information for a certificate is absent.

AsyncDocumentID:   Specifies the document ID for SignAsyncEnd() call.

Use this property when working with multi-signature DCAuth requests and responses to uniquely identify documents signed within a larger batch. This value helps ASiCSigner identify the correct signature in the returned batch of responses. If using batched requests, make sure to set this property to the same value on both pre-signing (SignAsyncBegin) and completion (SignAsyncEnd) stages.

ChainCurrentCACert:   Returns the current CA certificate.

This property returns the CA certificate that is used on the current step.

ChainCurrentCert:   Returns the certificate that is currently being validated.

Use this property to obtain the body of the certificate that is currently being validated.

ChainCurrentCRL:   Returns the current CRL.

Returns the CRL object that is currently being processed.

ChainCurrentCRLSize:   Returns the size of the current CRL.

This property returns the size of the CRL object that is currently being processed.

ChainCurrentOCSP:   Returns the current OCSP response.

Returns the OCSP object that is currently being processed.

ChainCurrentOCSPSigner:   Returns the signer of the current OCSP object.

Returns the signer/CA that has issued the OCSP response that is currently being processed.

ChainInterimDetails:   Returns the current interim validation details.

This property returns the interim chain validation details.

ChainInterimResult:   Returns the current interim validation result.

Use this setting to obtain the current (mid-chain) validation result. This property applies to the current validation step and may change as the chain walk proceeds. The final result will be published in the ChainValidationResult property once the validation process completes.

CheckValidityPeriodForTrusted:   Whether to check validity period for trusted certificates.

Whether to check validity period for trusted certificates.