JAdESVerifier Class

Properties   Methods   Events   Config Settings   Errors  

The JAdESVerifier class verifies signatures over JSON objects.

Syntax

secureblackbox.JAdESVerifier

Remarks

Use JAdESVerifier to validate electronic signatures over JSON structures. Generic (JWS) and JAdES (JSON Advanced Electronic Signatures) are supported. JAdESVerifier verifier = new JAdESVerifier(); verifier.setInputFile("SignedFile.scs"); if (verifier.isDetached()){ // To verify a detached signature, we need // to provide both the signature and the original data verifier.setDataFile("MyExe.exe"); verifier.verify(); } else { // To verify an enveloping signature, we need // to provide the location to extract the data verifier.setOutputFile("output.exe"); verifier.verify(); } // The outcome of the cryptographic signature validation for (int idx = 0 ; idx < verifier.getSignatures().size() ; idx++) { System.out.println("Signature " + (idx + 1)); System.out.println(" Timestamp: " + verifier.getSignatures().item(idx).getValidatedSigningTime()); System.out.print(" Validation Result: " + verifier.getSignatures().item(idx).getSignatureValidationResult() + ", "); switch (verifier.getSignatures().item(idx).getSignatureValidationResult()) { case svtValid: System.out.println("The signature is valid."); break; case svtCorrupted: System.out.println("The signature is corrupted."); break; case svtSignerNotFound: System.out.println("Failed to acquire the signing certificate. The signature cannot be validated."); break; case svtFailure: System.out.println("General failure."); break; default: System.out.println("Signature validity is unknown."); break; } }

JAdESVerifier validates each signature from two perspectives: the integrity and validity of the signature itself (i.e. its correspondence to the JSON data it covers), and the validity and trustworthiness of the signing certificate chain. These two signature aspects are generally independent of each other: the signature may be valid but the chain may not be trusted, or, the other way round, the chain may be trusted, but the integrity of the signature may be violated. Under normal circumstances both the signature and the chain must be valid for the signature to be considered good.

To initiate the validation, assign the path to the signed JSON file to the InputFile property (alternatively, you can provide it in a memory buffer via InputBytes or InputString property), and call Verify method. For every signature located in the document, JAdESVerifier will fire the SignatureFound event. This event lets you specify whether you want JAdESVerifier to validate the signature, the chain, or both.

Note: it does not mean that any of the two is optional. This API lets you be flexible in how you validate documents in your code, to allow for a variety of validation scenarios. For example, if your trust environment relies on certificate pinning, validating the chain by JAdESVerifier internally may cause unnecessary burden on the system, in which case (but not in others!) it may be reasonable to disable it in the event handler.

Once SignatureFound returns, JAdESVerifier proceeds to the signature validation routine in accordance with the provided settings. Upon completion of the validation, SignatureValidated event is fired, and the validation results are separately provided via SignatureValidationResult and ChainValidationResult properties of the relevant signature object. Other information about the signature can be accessed via the Signatures property.

Useful settings and properties

The following properties of JAdESVerifier may be handy when working with this component:

• OfflineMode lets you validate the JSON object without contacting online revocation sources. Paired with switched off system trust settings, it can be used to establish the long-term validity of the signed object and the completeness of validation material included in it.
• RevocationCheck lets you adjust the revocation checking preferences.
• ValidatedSigningTime returns the signing time as recorded in the embedded signature timestamp. This is in contrast to ClaimedSigningTime, which returns the signing time as specified by the signer.
• ValidationLog is a great way to find out the details of chain validation failures. This property returns a comprehensive validation log that reports all the issues encountered during the validation.

By default, JAdESVerifier uses the system trust settings to establish certificate chain validity. You can configure it to use your own, custom validation environment by providing the necessary trust elements via KnownCertificates, TrustedCertificates, KnownCRLs, and other similar properties.

Property List

---

The following is the full list of the properties of the class with short descriptions. Click on the links for further details.

Method List

---

The following is the full list of the methods of the class with short descriptions. Click on the links for further details.

Event List

---

The following is the full list of the events fired by the class with short descriptions. Click on the links for further details.

Config Settings

---

The following is a list of config settings for the class with short descriptions. Click on the links for further details.

AllSignaturesValid Property (JAdESVerifier Class)

The cumulative validity of all signatures.

Syntax

public boolean isAllSignaturesValid();

Default Value

False

Remarks

Use this property to check if all the signatures found in the message or document are valid.

This property is read-only and not available at design time.

AutoValidateSignatures Property (JAdESVerifier Class)

Specifies whether class should validate any present signatures when the JWS/JAdES signature is opened.

Syntax

public boolean isAutoValidateSignatures();


public void setAutoValidateSignatures(boolean autoValidateSignatures);

Default Value

True

Remarks

This setting is switched on by default. You can choose to set this property to false in order to validate the signatures manually on a later stage using the Revalidate method.

BlockedCertificates Property (JAdESVerifier Class)

The certificates that must be rejected as trust anchors.

Syntax

public CertificateList getBlockedCertificates();


public void setBlockedCertificates(CertificateList blockedCertificates);

Remarks

Use this property to provide a list of compromised or blocked certificates. Any chain containing a blocked certificate will fail validation.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

Certificates Property (JAdESVerifier Class)

A collection of certificates included in the electronic signature.

Syntax

public CertificateList getCertificates();

Remarks

This property includes a collection of certificates of the currently selected info.

This collection is indexed from 0 to size -1.

This property is read-only and not available at design time.

Please refer to the Certificate type for a complete list of fields.

CheckTrustedLists Property (JAdESVerifier Class)

Specifies whether the class should attempt to validate chain trust via a known Trusted List.

Syntax

public boolean isCheckTrustedLists();


public void setCheckTrustedLists(boolean checkTrustedLists);

Default Value

False

Remarks

Set this property to true to enable the component to validate chain trust against an internal list of known Trusted Lists (such as EUTL).

CompactForm Property (JAdESVerifier Class)

Specifies if the JWS compact serialization to be used.

Syntax

public boolean isCompactForm();


public void setCompactForm(boolean compactForm);

Default Value

False

Remarks

When this property is set to "true" value, the JAdES component will use the JWS compact serialization format when saving a signature.

The JWS compact serialization format is a compact, Url safe representation of a JWS (JSON Web Signature) or JWE (JSON Web Encryption) object, used for transmitting security tokens.

The JWS compact serialization format supports only one signature without unprotected header (only JWS or JAdES BaselineB signature).

ContentType Property (JAdESVerifier Class)

Specifies payload content type.

Syntax

public String getContentType();

Default Value

""

Remarks

Use this property to read the content type of the payload.

This property is read-only and not available at design time.

CRLs Property (JAdESVerifier Class)

A collection of certificate revocation lists embedded into the signature by the signer.

Syntax

public CRLList getCRLs();

Remarks

Use this property to access the CRLs embedded into the signature by the signer.

This property is read-only and not available at design time.

Please refer to the CRL type for a complete list of fields.

DataBytes Property (JAdESVerifier Class)

Use this property to pass a payload or an object data to class in the byte array form.

Syntax

public byte[] getDataBytes();


public void setDataBytes(byte[] dataBytes);

Remarks

Assign a byte array containing a JWS payload or an object data to be processed to this property.

This property is not available at design time.

DataFile Property (JAdESVerifier Class)

A path to a file containing a payload or an object data.

Syntax

public String getDataFile();


public void setDataFile(String dataFile);

Default Value

""

Remarks

Use this property to provide a JWS payload or an object data to be processed.

DataStream Property (JAdESVerifier Class)

A stream containing a payload or an object data.

Syntax

public java.io.InputStream getDataStream();


public void setDataStream(java.io.InputStream dataStream);

Default Value

null

Remarks

Use this property to provide a JWS payload or an object data to be processed.

This property is not available at design time.

DataString Property (JAdESVerifier Class)

Use this property to pass a payload or an object data to class in the string form.

Syntax

public String getDataString();


public void setDataString(String dataString);

Default Value

""

Remarks

Assign a string containing a JWS payload or an object data to be processed to this property.

This property is not available at design time.

Detached Property (JAdESVerifier Class)

Specifies whether a detached signature should be produced or verified.

Syntax

public boolean isDetached();


public void setDetached(boolean detached);

Default Value

False

Remarks

Use this property to specify whether a detached signature should be produced or verified.

When this property is set to "true" value, the JWS payload will be detached from the signature and may either be a single detached object or the result of concatenating multiple detached data objects. In other words, the JWS payload and the signature are stored in separate objects.

If this property is set to "true" value, the user must provide the detached content via the DataFile or DataStream or DataBytes or DataString properties.

When Detached is set to "false" value, the JWS payload is included with the signature as a single object.

ExtractPayload Property (JAdESVerifier Class)

Specifies whether a payload should be extracted.

Syntax

public boolean isExtractPayload();


public void setExtractPayload(boolean extractPayload);

Default Value

False

Remarks

Use this property to specify whether a payload should be extracted when signature loaded. This applies only to non-detached signatures with a payload.

When this property is set to "true" value, the JWS payload will be extracted from the signature.

The user must provide the OutputFile or OutputStream properties with a filename or stream where to save the payload, if none is provided then payload is returned via OutputBytes or OutputString properties.

FIPSMode Property (JAdESVerifier Class)

Reserved.

Syntax

public boolean isFIPSMode();


public void setFIPSMode(boolean FIPSMode);

Default Value

False

Remarks

This property is reserved for future use.

FlattenedSignature Property (JAdESVerifier Class)

Specifies if the flattened signature to be used.

Syntax

public boolean isFlattenedSignature();


public void setFlattenedSignature(boolean flattenedSignature);

Default Value

True

Remarks

This property determines whether to use the flattened JWS JSON serialization format. This format is optimized for the single digital signature case and flattens the general JWS JSON serialization syntax by removing the "signatures" member and instead placing the "protected", "header", and "signature" members at the top-level JSON object (at the same level as the "payload" member).

When the FlattenedSignature property is set to "true" value, the signature will be represented using the flattened JWS JSON serialization format, but it is only applicable when there is a single signature involved.

When the property is set to "false" value, the signature will be represented using the general JWS JSON serialization format.

IgnoreChainValidationErrors Property (JAdESVerifier Class)

Makes the class tolerant to chain validation errors.

Syntax

public boolean isIgnoreChainValidationErrors();


public void setIgnoreChainValidationErrors(boolean ignoreChainValidationErrors);

Default Value

False

Remarks

If this property is set to True, any errors emerging during certificate chain validation will be ignored. This setting may be handy if the purpose of validation is the creation of an LTV signature, and the validation is performed in an environment that doesn't trust the signer's certificate chain.

InputBytes Property (JAdESVerifier Class)

Use this property to pass the input to class in byte array form.

Syntax

public byte[] getInputBytes();


public void setInputBytes(byte[] inputBytes);

Remarks

Assign a byte array containing the data to be processed to this property.

This property is not available at design time.

InputFile Property (JAdESVerifier Class)

The file to be signed.

Syntax

public String getInputFile();


public void setInputFile(String inputFile);

Default Value

""

Remarks

Provide the path to the JSON to be signed.

InputStream Property (JAdESVerifier Class)

Stream containing the JWS/JAdES signature.

Syntax

public java.io.InputStream getInputStream();


public void setInputStream(java.io.InputStream inputStream);

Default Value

null

Remarks

Use this property to feed the JWS/JAdES signature to the class via a stream.

This property is not available at design time.

InputString Property (JAdESVerifier Class)

Use this property to pass the input to class in the string form.

Syntax

public String getInputString();


public void setInputString(String inputString);

Default Value

""

Remarks

Assign a string containing the data to be processed to this property.

This property is not available at design time.

KnownCertificates Property (JAdESVerifier Class)

Additional certificates for chain validation.

Syntax

public CertificateList getKnownCertificates();


public void setKnownCertificates(CertificateList knownCertificates);

Remarks

Use this property to supply a list of additional certificates that might be needed for chain validation. An example of a scenario where you might want to do that is when intermediary CA certificates are absent from the standard system locations (or when there are no standard system locations), and therefore should be supplied to the class manually.

The purpose of the certificates to be added to this collection is roughly equivalent to that of the Intermediate Certification Authorities system store in Windows.

Do not add trust anchors or root certificates to this collection: add them to TrustedCertificates instead.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

KnownCRLs Property (JAdESVerifier Class)

Additional CRLs for chain validation.

Syntax

public CRLList getKnownCRLs();


public void setKnownCRLs(CRLList knownCRLs);

Remarks

Use this property to supply additional CRLs that might be needed for chain validation. This property may be helpful when a chain is validated in offline mode, and the associated CRLs are stored separately from the signed message or document.

This property is not available at design time.

Please refer to the CRL type for a complete list of fields.

KnownOCSPs Property (JAdESVerifier Class)

Additional OCSP responses for chain validation.

Syntax

public OCSPResponseList getKnownOCSPs();


public void setKnownOCSPs(OCSPResponseList knownOCSPs);

Remarks

Use this property to supply additional OCSP responses that might be needed for chain validation. This property may be helpful when a chain is validated in offline mode, and the associated OCSP responses are stored separately from the signed message or document.

This property is not available at design time.

Please refer to the OCSPResponse type for a complete list of fields.

OCSPs Property (JAdESVerifier Class)

A collection of OCSP responses embedded into the signature.

Syntax

public OCSPResponseList getOCSPs();

Remarks

Use this property to access the OCSP responses embedded into the signature by its creator.

This property is read-only and not available at design time.

Please refer to the OCSPResponse type for a complete list of fields.

OfflineMode Property (JAdESVerifier Class)

Switches the class to offline mode.

Syntax

public boolean isOfflineMode();


public void setOfflineMode(boolean offlineMode);

Default Value

False

Remarks

When working in offline mode, the class restricts itself from using any online revocation information sources, such as CRL or OCSP responders.

Offline mode may be useful if there is a need to verify the completeness of the validation information included within the signature or provided via KnownCertificates, KnownCRLs, and other related properties.

OutputBytes Property (JAdESVerifier Class)

Use this property to read the output the class object has produced.

Syntax

public byte[] getOutputBytes();

Remarks

Read the contents of this property after the operation has completed to read the produced output. This property will only be set if the OutputFile and OutputStream properties had not been assigned.

This property is read-only and not available at design time.

OutputFile Property (JAdESVerifier Class)

Defines where to save the signature.

Syntax

public String getOutputFile();


public void setOutputFile(String outputFile);

Default Value

""

Remarks

Specifies the path where the JWS/JAdES signature should be saved.

OutputStream Property (JAdESVerifier Class)

The stream where the signature would be saved.

Syntax

public java.io.OutputStream getOutputStream();


public void setOutputStream(java.io.OutputStream outputStream);

Default Value

null

Remarks

Use this property to save the JWS/JAdES signature to the stream.

This property is not available at design time.

OutputString Property (JAdESVerifier Class)

Use this property to read the output the class object has produced.

Syntax

public String getOutputString();

Default Value

""

Remarks

Read the contents of this property after the operation is completed to read the produced output. This property will only be set if OutputFile and OutputStream properties had not been assigned.

This property is read-only and not available at design time.

Profile Property (JAdESVerifier Class)

Specifies a pre-defined profile to apply when creating the signature.

Syntax

public String getProfile();


public void setProfile(String profile);

Default Value

""

Remarks

Advanced signatures come in many variants, which are often defined by parties that needs to process them or by local standards. SecureBlackbox profiles are sets of pre-defined configurations which correspond to particular signature variants. By specifying a profile, you are pre-configuring the component to make it produce the signature that matches the configuration corresponding to that profile.

Proxy Property (JAdESVerifier Class)

The proxy server settings.

Syntax

public ProxySettings getProxy();

Remarks

Use this property to tune up the proxy server settings.

This property is read-only.

Please refer to the ProxySettings type for a complete list of fields.

RevocationCheck Property (JAdESVerifier Class)

Specifies the kind(s) of revocation check to perform for all chain certificates.

Syntax

public int getRevocationCheck();


public void setRevocationCheck(int revocationCheck);


Enumerated values:
  public final static int crcNone = 0;
  public final static int crcAuto = 1;
  public final static int crcAllCRL = 2;
  public final static int crcAllOCSP = 3;
  public final static int crcAllCRLAndOCSP = 4;
  public final static int crcAnyCRL = 5;
  public final static int crcAnyOCSP = 6;
  public final static int crcAnyCRLOrOCSP = 7;
  public final static int crcAnyOCSPOrCRL = 8;

Default Value

1

Remarks

Revocation checking is necessary to ensure the integrity of the chain and obtain up-to-date certificate validity and trustworthiness information.

Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) responses serve the same purpose of ensuring that the certificate had not been revoked by the Certificate Authority (CA) at the time of use. Depending on your circumstances and security policy requirements, you may want to use either one or both of the revocation information source types.

This setting controls the way the revocation checks are performed for every certificate in the chain. Typically certificates come with two types of revocation information sources: CRL (certificate revocation lists) and OCSP responders. CRLs are static objects periodically published by the CA at some online location. OCSP responders are active online services maintained by the CA that can provide up-to-date information on certificate statuses in near real time.

There are some conceptual differences between the two. CRLs are normally larger in size. Their use involves some latency because there is normally some delay between the time when a certificate was revoked and the time the subsequent CRL mentioning that is published. The benefits of CRL is that the same object can provide statuses for all certificates issued by a particular CA, and that the whole technology is much simpler than OCSP (and thus is supported by more CAs).

This setting lets you adjust the validation course by including or excluding certain types of revocation sources from the validation process. The crcAnyOCSPOrCRL setting (give preference to the faster OCSP route and only demand one source to succeed) is a good choice for most typical validation environments. The "crcAll*" modes are much stricter, and may be used in scenarios where bulletproof validity information is essential.

Note: If no CRL or OCSP endpoints are provided by the CA, the revocation check will be considered successful. This is because the CA chose not to supply revocation information for its certificates, meaning they are considered irrevocable.

Note: Within each of the above settings, if any retrieved CRL or OCSP response indicates that the certificate has been revoked, the revocation check fails.

Signatures Property (JAdESVerifier Class)

Provides details of all signatures found in the JWS/JAdES signature.

Syntax

public JAdESSignatureList getSignatures();

Remarks

Use this property to get the details of all the signatures identified in the JWS/JAdES signature.

This property is read-only and not available at design time.

Please refer to the JAdESSignature type for a complete list of fields.

SocketSettings Property (JAdESVerifier Class)

Manages network connection settings.

Syntax

public SocketSettings getSocketSettings();

Remarks

Use this property to tune up network connection parameters.

This property is read-only.

Please refer to the SocketSettings type for a complete list of fields.

Timestamps Property (JAdESVerifier Class)

Contains a collection of timestamps for the processed document.

Syntax

public TimestampInfoList getTimestamps();

Remarks

Use this property to access the timestamps included in the processed document.

This property is read-only and not available at design time.

Please refer to the TimestampInfo type for a complete list of fields.

TLSClientChain Property (JAdESVerifier Class)

The TLS client certificate chain.

Syntax

public CertificateList getTLSClientChain();


public void setTLSClientChain(CertificateList TLSClientChain);

Remarks

Assign a certificate chain to this property to enable TLS client authentication in the class. Note that the client's end-entity certificate should have a private key associated with it.

Use the CertificateStorage or CertificateManager components to import the certificate from a file, system store, or PKCS11 device.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

TLSServerChain Property (JAdESVerifier Class)

The TLS server's certificate chain.

Syntax

public CertificateList getTLSServerChain();

Remarks

Use this property to access the certificate chain sent by the TLS server. This property is ready to read when the TLSCertValidate event is fired by the client component.

This property is read-only and not available at design time.

Please refer to the Certificate type for a complete list of fields.

TLSSettings Property (JAdESVerifier Class)

Manages TLS layer settings.

Syntax

public TLSSettings getTLSSettings();

Remarks

Use this property to tune up the TLS layer parameters.

This property is read-only.

Please refer to the TLSSettings type for a complete list of fields.

TrustedCertificates Property (JAdESVerifier Class)

A list of trusted certificates for chain validation.

Syntax

public CertificateList getTrustedCertificates();


public void setTrustedCertificates(CertificateList trustedCertificates);

Remarks

Use this property to supply a list of trusted certificates that might be needed for chain validation. An example of a scenario where you might want to do that is when root CA certificates are absent from the standard system locations (or when there are no standard system locations), and therefore should be supplied to the component manually.

The purpose of this certificate collection is largely the same as that of the Windows Trusted Root Certification Authorities system store.

Use this property with extreme care as it directly affects chain verifiability; a wrong certificate added to the trusted list may result in bad chains being accepted, and forfeited signatures being recognized as genuine. Only add certificates that originate from the parties that you know and trust.

This property is not available at design time.

Please refer to the Certificate type for a complete list of fields.

ValidationMoment Property (JAdESVerifier Class)

The time point at which signature validity is to be established.

Syntax

public String getValidationMoment();


public void setValidationMoment(String validationMoment);

Default Value

""

Remarks

Use this property to specify the moment in time at which signature validity should be established. The time is in UTC. Leave the setting empty to stick to the default moment (either the signature creation time or the current time).

The validity of the same signature may differ depending on the time point chosen due to temporal changes in chain validities, revocation statuses, and timestamp times.

Close Method (JAdESVerifier Class)

Closes an opened JWS/JAdES signature.

Syntax

public void close(boolean saveChanges);

Remarks

Use this method to close a previously opened JWS/JAdES signature. Set SaveChanges to true to apply any changes made.

Config Method (JAdESVerifier Class)

Sets or retrieves a configuration setting.

Syntax

public String config(String configurationString);

Remarks

Config is a generic method available in every class. It is used to set and retrieve configuration settings for the class.

These settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

To set a configuration setting named PROPERTY, you must call Config("PROPERTY=VALUE"), where VALUE is the value of the setting expressed as a string. For boolean values, use the strings "True", "False", "0", "1", "Yes", or "No" (case does not matter).

To read (query) the value of a configuration setting, you must call Config("PROPERTY"). The value will be returned as a string.

DoAction Method (JAdESVerifier Class)

Performs an additional action.

Syntax

public String doAction(String actionID, String actionParams);

Remarks

DoAction is a generic method available in every class. It is used to perform an additional action introduced after the product major release. The list of actions is not fixed, and may be flexibly extended over time.

The unique identifier (case insensitive) of the action is provided in the ActionID parameter.

ActionParams contains the value of a single parameter, or a list of multiple parameters for the action in the form of PARAM1=VALUE1;PARAM2=VALUE2;....

Open Method (JAdESVerifier Class)

Opens a JSON for verifying or removing signatures.

Syntax

public void open();

Remarks

Use this method to open a JSON for verifying or removing signatures. When finished, call Close to complete or discard the operation.

Reset Method (JAdESVerifier Class)

Resets the class settings.

Syntax

public void reset();

Remarks

Reset is a generic method available in every class.

Revalidate Method (JAdESVerifier Class)

Revalidates a signature in accordance with current settings.

Syntax

public void revalidate(String sigLabel);

Remarks

Use this method to re-validate a signature in the opened JWS/JAdES signature.

SelectInfo Method (JAdESVerifier Class)

Select signature information for a specific entity.

Syntax

public void selectInfo(String entityLabel, int infoType, boolean clearSelection);

Remarks

Use this method to select (or filter) signature-related information for a specific signature element.

Provide the unique label of the entity that you are interested in via the EntityLabel parameter. Use one of the following filters, or their combination, to specify what information you are interested in:

Following the call, the relevant pieces of information will be copied to the respective component properties (Certificates, CRLs, OCSPs). Note that you can accumulate information in the properties by making repeated calls to SelectInfo and keeping ClearSelection set to false.

This method is useful if you would like to read/display detailed information about a particular signature or timestamp.

Unsign Method (JAdESVerifier Class)

Deletes a signature from the JWS/JAdES signature.

Syntax

public void unsign(String sigLabel);

Remarks

Use this method to delete an existing signature from the JWS/JAdES signature. Use SigLabel parameter to specify the signature to be removed.

Verify Method (JAdESVerifier Class)

Verifies the JWS/JAdES signature.

Syntax

public void verify();

Remarks

Use this method to verify the JWS/JAdES signature.

ChainElementDownload Event (JAdESVerifier Class)

Fires when there is a need to download a chain element from an online source.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void chainElementDownload(JAdESVerifierChainElementDownloadEvent e) {}
  ...
}

public class JAdESVerifierChainElementDownloadEvent {
  public int kind;
  public String certRDN;
  public String CACertRDN;
  public String location;
  public int action; //read-write
}

Remarks

Subscribe to this event to be notified about validation element retrievals. Use the Action parameter to suppress the download if required.

ChainElementNeeded Event (JAdESVerifier Class)

Fires when an element required to validate the chain was not located.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void chainElementNeeded(JAdESVerifierChainElementNeededEvent e) {}
  ...
}

public class JAdESVerifierChainElementNeededEvent {
  public int kind;
  public String certRDN;
  public String CACertRDN;
}

Remarks

Subscribe to this event to be notified about missing validation elements. Use the KnownCRLs, KnownCertificates, and KnownOCSPs properties in the event handler to provide the missing piece.

ChainElementStore Event (JAdESVerifier Class)

This event is fired when a chain element (certificate, CRL, or OCSP response) should be stored along with a signature.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void chainElementStore(JAdESVerifierChainElementStoreEvent e) {}
  ...
}

public class JAdESVerifierChainElementStoreEvent {
  public int kind;
  public byte[] body;
  public String URI; //read-write
}

Remarks

This event could occur if you are verifying XAdES-C form or higher. The Body parameter contains the element in binary form that should be stored along with a signature. Use the URI parameter to provide an URI of the stored element.

ChainValidated Event (JAdESVerifier Class)

Reports the completion of a certificate chain validation.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void chainValidated(JAdESVerifierChainValidatedEvent e) {}
  ...
}

public class JAdESVerifierChainValidatedEvent {
  public int index;
  public String entityLabel;
  public String subjectRDN;
  public int validationResult;
  public int validationDetails;
  public boolean cancel; //read-write
}

Remarks

This event is fired when a certificate chain validation routine completes. SubjectRDN identifies the owner of the validated certificate.

ValidationResult set to 0 (zero) indicates successful chain validation.

Any other value reports a failure, and ValidationDetails provides more details on its reasons.

ChainValidationProgress Event (JAdESVerifier Class)

This event is fired multiple times during chain validation to report various stages of the validation procedure.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void chainValidationProgress(JAdESVerifierChainValidationProgressEvent e) {}
  ...
}

public class JAdESVerifierChainValidationProgressEvent {
  public String eventKind;
  public String certRDN;
  public String CACertRDN;
  public int action; //read-write
}

Remarks

Subscribe to this event to be notified about chain validation progress. Use the Action parameter to alter the validation flow.

The EventKind parameter reports the nature of the event being reported. The CertRDN and CACertRDN parameters report the distinguished names of the certificates that are relevant for the event invocation (one or both can be empty, depending on EventKind). Use the Action parameter to adjust the validation flow.

Error Event (JAdESVerifier Class)

Information about errors during signing.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void error(JAdESVerifierErrorEvent e) {}
  ...
}

public class JAdESVerifierErrorEvent {
  public int errorCode;
  public String description;
}

Remarks

This event is fired in case of exceptional conditions during the JSON processing.

ErrorCode contains an error code and Description contains a textual description of the error.

HTTPHeaderFieldNeeded Event (JAdESVerifier Class)

This event is fired when HTTP header field value is required.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void HTTPHeaderFieldNeeded(JAdESVerifierHTTPHeaderFieldNeededEvent e) {}
  ...
}

public class JAdESVerifierHTTPHeaderFieldNeededEvent {
  public String fieldName;
  public String fieldValues; //read-write
}

Remarks

This event is triggered when the type of signed data is HttpHeaders mechanism (jasdtHttpHeaders). It indicates that a HTTP header field value is needed.

For "(request target)" field name value return request method and target URI seperated by space character. For example: "GET https://nsoftware.com/sbb/"

Loaded Event (JAdESVerifier Class)

This event is fired when the JSON has been loaded into memory.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void loaded(JAdESVerifierLoadedEvent e) {}
  ...
}

public class JAdESVerifierLoadedEvent {
  public boolean cancel; //read-write
}

Remarks

The handler for this event is a good place to check JWS/JAdES signature properties, which may be useful when preparing the signature.

Set Cancel to true to terminate JSON processing on this stage.

Notification Event (JAdESVerifier Class)

This event notifies the application about an underlying control flow event.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void notification(JAdESVerifierNotificationEvent e) {}
  ...
}

public class JAdESVerifierNotificationEvent {
  public String eventID;
  public String eventParam;
}

Remarks

The class fires this event to let the application know about some event, occurrence, or milestone in the class. For example, it may fire to report completion of the document processing. The list of events being reported is not fixed, and may be flexibly extended over time.

The unique identifier of the event is provided in the EventID parameter. EventParam contains any parameters accompanying the occurrence. Depending on the type of the class, the exact action it is performing, or the document being processed, one or both may be omitted.

This class can fire this event with the following EventID values:

ObjectNeeded Event (JAdESVerifier Class)

This event is fired when object is required.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void objectNeeded(JAdESVerifierObjectNeededEvent e) {}
  ...
}

public class JAdESVerifierObjectNeededEvent {
  public String URI;
  public String contentType;
  public boolean base64; //read-write
}

Remarks

This event is triggered when the type of signed data is ObjectIdByURI mechanism (jasdtObjectIdByURI). It is fired to request the data to be signed/verified.

The event handler must pass object data to the component via DataFile or DataStream or DataBytes or DataString property.

ObjectValidate Event (JAdESVerifier Class)

This event is fired when object should be verified by user.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void objectValidate(JAdESVerifierObjectValidateEvent e) {}
  ...
}

public class JAdESVerifierObjectValidateEvent {
  public String URI;
  public String contentType;
  public String hashAlgorithm;
  public byte[] hash;
  public boolean base64;
  public boolean valid; //read-write
}

Remarks

This event is triggered when the type of signed data is ObjectIdByURIHash mechanism (jasdtObjectIdByURIHash). It is fired to validate the detached object.

The event handler must pass the object validity to the component via Valid parameter.

SignatureFound Event (JAdESVerifier Class)

Signifies the start of signature validation.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void signatureFound(JAdESVerifierSignatureFoundEvent e) {}
  ...
}

public class JAdESVerifierSignatureFoundEvent {
  public int index;
  public String entityLabel;
  public String issuerRDN;
  public byte[] serialNumber;
  public byte[] subjectKeyID;
  public boolean certFound;
  public boolean validateSignature; //read-write
  public boolean validateChain; //read-write
}

Remarks

This event tells the application that signature validation is about to start, and provides the details about the signer's certificate via its IssuerRDN, SerialNumber, and SubjectKeyID parameters. It fires for every signature located in the verified document or message.

The CertFound parameter is set to True if the class has found the needed certificate in one of the known locations, and to False otherwise, in which case you must provide it manually via the KnownCertificates property.

Signature validation consists of two independent stages: cryptographic signature validation and chain validation. Separate validation results are reported for each, with the SignatureValidationResult and ChainValidationResult properties respectively.

Use the ValidateSignature and ValidateChain parameters to tell the verifier which stages to include in the validation.

SignatureValidated Event (JAdESVerifier Class)

Marks the completion of the signature validation routine.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void signatureValidated(JAdESVerifierSignatureValidatedEvent e) {}
  ...
}

public class JAdESVerifierSignatureValidatedEvent {
  public int index;
  public String entityLabel;
  public String issuerRDN;
  public byte[] serialNumber;
  public byte[] subjectKeyID;
  public int validationResult;
  public boolean cancel; //read-write
}

Remarks

This event is fired upon the completion of the signature validation routine, and reports the respective validation result.

Use the IssuerRDN, SerialNumber, and/or SubjectKeyID parameters to identify the signing certificate.

ValidationResult is set to 0 if the validation has been successful, or to a non-zero value in case of a validation failure.

TimestampFound Event (JAdESVerifier Class)

Signifies the start of a timestamp validation routine.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void timestampFound(JAdESVerifierTimestampFoundEvent e) {}
  ...
}

public class JAdESVerifierTimestampFoundEvent {
  public int index;
  public String entityLabel;
  public String issuerRDN;
  public byte[] serialNumber;
  public byte[] subjectKeyID;
  public boolean certFound;
  public boolean validateTimestamp; //read-write
  public boolean validateChain; //read-write
}

Remarks

This event fires for every timestamp identified during signature processing, and reports the details about the signer's certificate via its IssuerRDN, SerialNumber, and SubjectKeyID parameters.

The CertFound parameter is set to True if the class has found the needed certificate in one of the known locations, and to False otherwise, in which case you must provide it manually via the KnownCertificates property.

Just like with signature validation, timestamp validation consists of two independent stages: cryptographic signature validation and chain validation. Separate validation results are reported for each, with the ValidationResult and ChainValidationResult properties respectively.

Use the ValidateSignature and ValidateChain parameters to tell the verifier which stages to include in the validation.

TimestampValidated Event (JAdESVerifier Class)

Reports the completion of the timestamp validation routine.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void timestampValidated(JAdESVerifierTimestampValidatedEvent e) {}
  ...
}

public class JAdESVerifierTimestampValidatedEvent {
  public int index;
  public String entityLabel;
  public String issuerRDN;
  public byte[] serialNumber;
  public byte[] subjectKeyID;
  public String time;
  public int validationResult;
  public int chainValidationResult;
  public int chainValidationDetails;
  public boolean cancel; //read-write
}

Remarks

This event is fired upon the completion of the timestamp validation routine, and reports the respective validation result.

ValidationResult is set to 0 if the validation has been successful, or to a non-zero value in case of a failure.

TLSCertNeeded Event (JAdESVerifier Class)

Fires when a remote TLS party requests a client certificate.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void TLSCertNeeded(JAdESVerifierTLSCertNeededEvent e) {}
  ...
}

public class JAdESVerifierTLSCertNeededEvent {
  public String host;
  public String CANames;
}

Remarks

This event fires to notify the implementation that a remote TLS server has requested a client certificate. The Host parameter identifies the host that makes a request, and the CANames parameter (optional, according to the TLS spec) advises on the accepted issuing CAs.

Use the TLSClientChain property in response to this event to provide the requested certificate. Please make sure the client certificate includes the associated private key. Note that you may set the certificates before the connection without waiting for this event to fire.

This event is preceded by the TLSHandshake event for the given host and, if the certificate was accepted, succeeded by the TLSEstablished event.

TLSCertValidate Event (JAdESVerifier Class)

This event is fired upon receipt of the TLS server's certificate, allowing the user to control its acceptance.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void TLSCertValidate(JAdESVerifierTLSCertValidateEvent e) {}
  ...
}

public class JAdESVerifierTLSCertValidateEvent {
  public String serverHost;
  public String serverIP;
  public boolean accept; //read-write
}

Remarks

This event is fired during a TLS handshake. Use the TLSServerChain property to access the certificate chain. In general, classes may contact a number of TLS endpoints during their work, depending on their configuration.

Accept is assigned in accordance with the outcome of the internal validation check performed by the class, and can be adjusted if needed.

TLSEstablished Event (JAdESVerifier Class)

Fires when a TLS handshake with Host successfully completes.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void TLSEstablished(JAdESVerifierTLSEstablishedEvent e) {}
  ...
}

public class JAdESVerifierTLSEstablishedEvent {
  public String host;
  public String version;
  public String ciphersuite;
  public byte[] connectionId;
  public boolean abort; //read-write
}

Remarks

The class uses this event to notify the application about a successful completion of a TLS handshake.

The Version, Ciphersuite, and ConnectionId parameters indicate the security parameters of the new connection. Use the Abort parameter if you need to terminate the connection at this stage.

TLSHandshake Event (JAdESVerifier Class)

Fires when a new TLS handshake is initiated, before the handshake commences.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void TLSHandshake(JAdESVerifierTLSHandshakeEvent e) {}
  ...
}

public class JAdESVerifierTLSHandshakeEvent {
  public String host;
  public boolean abort; //read-write
}

Remarks

The class uses this event to notify the application about the start of a new TLS handshake to Host. If the handshake is successful, this event will be followed by the TLSEstablished event. If the server chooses to request a client certificate, the TLSCertNeeded event will also be fired.

TLSShutdown Event (JAdESVerifier Class)

Reports the graceful closure of a TLS connection.

Syntax

public class DefaultJAdESVerifierEventListener implements JAdESVerifierEventListener {
  ...
  public void TLSShutdown(JAdESVerifierTLSShutdownEvent e) {}
  ...
}

public class JAdESVerifierTLSShutdownEvent {
  public String host;
}

Remarks

This event notifies the application about the closure of an earlier established TLS connection. Note that only graceful connection closures are reported.

Certificate Type

Encapsulates an individual X.509 certificate.

Remarks

This type keeps and provides access to X.509 certificate details.

Fields

Constructors

public Certificate( bytes,  startIndex,  count,  password);

public Certificate( certBytes,  certStartIndex,  certCount,  keyBytes,  keyStartIndex,  keyCount,  password);

public Certificate( bytes,  startIndex,  count);

public Certificate( path,  password);

public Certificate( certPath,  keyPath,  password);

public Certificate( path);

public Certificate( stream);

public Certificate( stream,  password);

public Certificate( certStream,  keyStream,  password);

public Certificate();

CRL Type

Represents a Certificate Revocation List.

Remarks

CRLs store information about revoked certificates, i.e., certificates that have been identified as invalid by their issuing certificate authority (CA) for any number of reasons.

Each CRL object lists certificates from a single CA and identifies them by their serial numbers. A CA may or may not publish a CRL, may publish several CRLs, or may publish the same CRL in multiple locations.

Unlike OCSP responses, CRLs only list certificates that have been revoked. They do not list certificates that are still valid.

Fields

Constructors

public CRL( bytes,  startIndex,  count);

public CRL( location);

public CRL( stream);

public CRL();

JAdESSignature Type

The class is a container for an JWS/JAdES signature.

Remarks

JSON message may include any number of JWS/JAdES signatures. class stores one of them.

Fields

Constructors

public JAdESSignature();

OCSPResponse Type

Represents a single OCSP response originating from an OCSP responder.

Remarks

OCSP is a protocol that allows verification of certificate status in real-time, and is an alternative to Certificate Revocation Lists (CRLs).

An OCSP response is a snapshot of the certificate status at a given time.

Fields

Constructors

public OCSPResponse( bytes,  startIndex,  count);

public OCSPResponse( location);

public OCSPResponse( stream);

public OCSPResponse();

ProxySettings Type

A container for proxy server settings.

Remarks

This type exposes a collection of properties for tuning up the proxy server configuration.

Fields

Constructors

public ProxySettings();

SocketSettings Type

A container for the socket settings.

Remarks

This type is a container for socket-layer parameters.

Fields

Constructors

public SocketSettings();

TimestampInfo Type

A container for timestamp information.

Remarks

The TimestampInfo object contains details of a third-party timestamp and the outcome of its validation.

Fields

Constructors

public TimestampInfo();

TLSSettings Type

A container for TLS connection settings.

Remarks

The TLS (Transport Layer Security) protocol provides security for information exchanged over insecure connections such as TCP/IP.

Fields

Constructors

public TLSSettings();

Config Settings (JAdESVerifier Class)

The class accepts one or more of the following configuration settings. Configuration settings are similar in functionality to properties, but they are rarely used. In order to avoid "polluting" the property namespace of the class, access to these internal properties is provided through the Config method.

JAdESVerifier Config Settings

Base Config Settings

Trappable Errors (JAdESVerifier Class)

JAdESVerifier Errors