SignDocVerificationResult Class
Namespace: de.softpro.signdocsdk
public sealed class SignDocVerificationResult : IDisposable
The SignDocVerificationResult type exposes the following members.
Name | Description
---|---
checkBiometricHash | Check the hash of the biometric data.
This function fails for document time stamps, see getMethod().
Dispose | Releases all resources used by the SignDocVerificationResult
getBiometricData | Get the biometric data of the field.
getBiometricEncryption | Get the encryption method used for biometric data of the signature
field.
This function fails for document time stamps, see getMethod().
getCertificateChainLength | Get the certificate chain length.
verifyCertificateChain() or verifyCertificateSimplified() must
have been called successfully.
This function fails for document time stamps, see getMethod()
and getTimeStampCertificates().
getCertificateRevocationState | Get the revocation state of the certificate chain of the
signature's certificate.
verifyCertificateChain() must have been called successfully.
getErrorMessage() will return an error message if the
verification result returned is not #crs_ok.
If #vf_check_revocation was not set in integer parameter
"VerificationFlags" for the most recent call to
verifyCertificateChain(), this function will return
#crs_not_checked.
This function fails for document time stamps, see getMethod()
and getTimeStampCertificateRevocationState().
getCertificates | Get the certificates of the signature.
This function fails for document time stamps, see getMethod()
and getTimeStampCertificates().
getDigestAlgorithm | Get the message digest algorithm of the signature.
Note that the values returned by this function are different
from the Digest values used by
de.softpro.doc.SignDocField.getSeedValueDigestMethod() and
friends:
getDocMDP | Get the DocMDP P value of a certification signature.
The DocMDP P value specifies what modifications to the document are
allowed by the certification signature.
getEncryptedBiometricData | Get the encrypted biometric data of the field.
Use this function if you cannot use getBiometricData() for
decrypting the biometric data (for instance, because the private
key is stored in an HSM).
In the following description of the format of the encrypted data
retrieved by this function, all numbers are stored in little-endian
format (however, RSA uses big-endian format):
- 4 octets: version number
- 4 octets: number of following octets (hash and body)
- 32 octets: SHA-256 hash of body (i.e., of the octets which follow)
- body (format depends on version number)
If the version number is 1, the encryption method is be_rsa with
a 2048-bit key and the body has this format:
- 32 octets: SHA-256 hash of unencrypted biometric data
- 256 octets: AES-256 session key encrypted with 2048-bit RSA 2.0 (OAEP) with SHA-256
- rest: biometric data encrypted with AES-256 in CBC mode using padding as described in RFC 2246. The IV is zero (not a problem as the session key is random).
If the version number is 2, the body has this format:
- 4 octets: method (be_fixed, be_binary, be_passphrase)
- 32 octets: IV (only the first 16 octets are used, please ignore the rest)
- 32 octets: SHA-256 hash of unencrypted biometric data
- rest: biometric data encrypted with AES-256 in CBC mode using padding as described in RFC 2246.
If the version number is 3, the encryption method is be_rsa with
a key longer than 2048 bits and the body has this format:
- 4 octets: size n of encrypted AES key in octets
- n octets: AES-256 session key encrypted with RSA 2.0 (OAEP) with SHA-256
- 32 octets: IV (only the first 16 octets are used, please ignore the rest)
- 32 octets: SHA-256 hash of unencrypted biometric data
- rest: biometric data encrypted with AES-256 in CBC mode using padding as described in RFC 2246.
This function fails for document time stamps, see getMethod().
getErrorMessage |
getKeyLength | Get the length of the key used for signing.
getLockMDP | Get the lock MDP value of the signature.
The lock MDP value specifies what modifications to the document are
allowed by the signature.
getMethod | Get the signing method.
If the output is
SignDocSignatureParameters.m_digsig_cades_rfc3161, the signature
is a document time stamp. Use verifyTimeStampCertificateChain()
etc. instead of verifyCertificateChain() etc. for document time
stamps.
getModificationState | Get the modification state of a PDF document.
Use this function to find out if the modifications applied to a
PDF document after adding a signature are allowed
by that signature.
As there is no specification for the modifications allowed or
prohibited by a signature, this function tries to mimic the
behavior of Adobe Reader.
For TIFF documents, the output is computed directly from the
output of getState().
getSignatureBlob | Get a blob property from the signature field.
Available blob parameters are:
- BiometricHash: A message digest computed over the document hash and the unencrypted biometric data, empty if not present.
- Contents: The Contents entry of the signature dictionary, that is, the digital signature (PDF documents only).
- Signature: The PKCS #1 or DER-encoded PKCS #7 signature.
Additionally, you can store your own blobs in the signature by
using a name starting with "Prop_" (except for "Prop_AuthTime",
"Prop_AuthType", "Prop_BiometricData", and "Prop_Build",
which are reserved), see
de.softpro.doc.SignDocSignatureParameters.setBlob().
getSignatureString | Get a string parameter from the signature field.
getState | Get the signature state.
Use this function to find out if the document is still identical
to the signed document, or has been updated since signed, or
has been tampered with.
If the state is ss_unsupported_signature or
ss_invalid_certificate, getErrorMessage() will provide additional
information.
Use verifyCertificateChain() to find out if you can trust
the identity of the signer.
If the return value is #ss_document_extended for a PDF document,
you should call getModificationState() to get additional
information.
getTimeStamp | Get the value of the RFC 3161 time stamp.
You must call verifyTimeStampCertificateChain() and
getTimeStampCertificateRevocationState() to find out whether
the time stamp can be trusted. If either of these functions
reports a problem, the time stamp should not be displayed.
A signature has either an RFC 3161 time stamp (returned by this
function) or a time stamp stored as string parameter (returned by
getSignatureString()).
getTimeStampCertificateRevocationState | Get the revocation state of the certificate chain of the
RFC 3161 time stamp.
verifyTimeStampCertificateChain() must have been called successfully.
getErrorMessage() will return an error message if this function
fails (return value not #rc_ok) or the verification result returned
is not #crs_ok.
If #vf_check_revocation was not set in integer parameter
"VerificationFlags" of the most recent call to
verifyTimeStampCertificateChain(), this function will return
#crs_not_checked.
getTimeStampCertificates | Get the certificates of the RFC 3161 time stamp.
getTimeStampDigestAlgorithm | Get the message digest algorithm of the RFC 3161 timestamp.
The following table shows the supported digest algorithms and
the respective value of integer parameter "TimeStampHashAlgorithm":
getTimeStampState | Get the state of the RFC 3161 time stamp.
verifyCertificateChain | Verify the certificate chain of the signature's certificate.
Use this function to find out if you can trust the identity of the
signer.
getErrorMessage() will return an error message if this function
fails (return value not #rc_ok) or the verification result returned
is not #ccs_ok or getCertificateRevocationState() won't return #crs_ok.
Call getCertificateRevocationState() after this function to get
the revocation state.
This function fails for document time stamps, see getMethod()
and verifyTimeStampCertificateChain().
verifyCertificateSimplified | Simplified verification of the certificate chain and revocation
status of the signature's certificate.
This function just returns a good / not good value according to
policies defined by the arguments. It does not tell the caller
what exactly is wrong. However, getErrorMessage() will return an
error message if this function fails. Do not attempt to base
decisions on that error message, please use verifyCertificateChain()
instead of this function if
you need details about the failure.
This function fails for document time stamps, see getMethod() and
verifyTimeStampCertificateSimplified().
verifyTimeStampCertificateChain | Verify the certificate chain of the RFC 3161 time stamp.
getErrorMessage() will return an error message if this function
fails (return value not #rc_ok) or the verification result returned
is not #ccs_ok.
Call getTimeStampCertificateRevocationState() after this function
to get the revocation state.
verifyTimeStampCertificateSimplified | Simplified verification of the certificate chain and revocation
status of the RFC 3161 time stamp.
This function just returns a good / not good value according to
policies defined by the arguments. It does not tell the caller
what exactly is wrong. However, getErrorMessage() will return an
error message if this function fails. Do not attempt to base
decisions on that error message, please use verifyCertificateChain()
instead of this function if you need details about the failure.
For integer parameter "CertificateChainVerificationPolicy",
#ccvp_accept_self_signed_with_bio and
#ccvp_accept_self_signed_with_rsa_bio are treated like
#ccvp_accept_self_signed.
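The container layout described under getEncryptedBiometricData can be split into its fields before the wrapped key is handed to an HSM for decryption. The parser below is an added example, not part of the SignDoc SDK: the names `parse`, `wrap` and `EncryptedBiometricData` are hypothetical, the 4-octet numbers are assumed to be unsigned, and no decryption is performed.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass
class EncryptedBiometricData:
    version: int
    method: Optional[int]         # version 2 only; numeric be_* codes are not on the page
    wrapped_key: Optional[bytes]  # RSA-OAEP-encrypted AES-256 session key (versions 1, 3)
    iv: bytes                     # 16 octets; all zero for version 1
    plaintext_sha256: bytes       # compare with SHA-256 of the data after decryption
    ciphertext: bytes             # AES-256-CBC, padding as in RFC 2246

def parse(blob: bytes) -> EncryptedBiometricData:
    if len(blob) < 40:
        raise ValueError("truncated header")
    version, length = struct.unpack_from("<II", blob, 0)  # assumed unsigned
    if length != len(blob) - 8:
        raise ValueError("length field does not match blob size")
    body, pos = blob[40:], 0
    # Unkeyed hash: detects truncation or corruption, not deliberate modification.
    if hashlib.sha256(body).digest() != blob[8:40]:
        raise ValueError("body hash mismatch")

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated body")
        pos += n
        return body[pos - n:pos]
    method = key = None
    if version == 1:
        plain_hash, key, iv = take(32), take(256), bytes(16)
    elif version == 2:
        method = struct.unpack("<I", take(4))[0]
        iv, plain_hash = take(32)[:16], take(32)  # only the first 16 IV octets are used
    elif version == 3:
        key = take(struct.unpack("<I", take(4))[0])  # n is bounds-checked by take()
        iv, plain_hash = take(32)[:16], take(32)
    else:
        raise ValueError(f"unsupported version {version}")
    ciphertext = body[pos:]
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return EncryptedBiometricData(version, method, key, iv, plain_hash, ciphertext)

def wrap(version: int, body: bytes) -> bytes:  # builds constructed sample containers
    return struct.pack("<II", version, 32 + len(body)) + hashlib.sha256(body).digest() + body
```

After decrypting `ciphertext`, compare the SHA-256 of the result with `plaintext_sha256` before using the biometric data.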