Verifying Multiple Digital Signatures

LiveCycle provides the means to verify all digital signatures that are located in a PDF document. Assume that a PDF document contains multiple digital signatures as a result of a business process that requires signatures from multiple signers. For example, consider a financial transaction that requires both a loan officer’s and a manager’s signature. You can use the Signature service Java API or web service API to verify all signatures within the PDF document. When verifying multiple digital signatures, you can check the status and properties of each signature. Before you trust a digital signature, it is recommended that you verify it. It is recommended that you are familiar with verifying a single digital signature.

Note: Verification of multiple signatures was added in LiveCycle ES 9.0.
Note: For more information about the Signature service and verifying digital signatures, see Services Reference for LiveCycle.

Summary of steps

To verify multiple digital signature, perform the following tasks:

  1. Include project files.

  2. Create a Signature client.

  3. Get the PDF document that contains the signatures to verify.

  4. Set PKI run-time options.

  5. Retrieve all digital signatures.

  6. Iterate through all signatures.

Include project files

Include the necessary files in your development project. If you are creating a client application using Java, include the necessary JAR files. If you are using web services, include the proxy files.

The following JAR files must be added to your project’s classpath:

  • adobe-livecycle-client.jar

  • adobe-usermanager-client.jar

  • adobe-signatures-client.jar

  • adobe-utilities.jar (required if LiveCycle is deployed on JBoss)

  • jbossall-client.jar (required if LiveCycle is deployed on JBoss)

For information about the location of these JAR files, see Including LiveCycle Java library files.

Create a Signature client

Before you programmatically perform a Signature service operation, create a Signature service client.

Get the PDF document that contains the signatures to verify

To verify a signature used to digitally sign or certify a PDF document, obtain a PDF document that contains a signature.

Set PKI runtime options

Set these PKI run-time options that the Signature service uses when verifying all signatures in a PDF document:

  • Verification time

  • Revocation checking

  • Time-stamping values

As part of setting these options, you can specify verification time. For example, you can select current time (the time on the validator’s computer), which indicates to use the current time. For information about the different time values, see the VerificationTime enumeration value in LiveCycle API Reference.

You can also specify whether to perform revocation checking as part of the verification process. For example, you can perform a revocation check to determine whether the certificate is revoked. For information about the revocation-checking options, see the RevocationCheckStyle enumeration value in LiveCycle API Reference.

To perform revocation checking on a certificate, specify a URL to a certificate revocation list (CRL) server by using a CRLOptionSpec object. However, if you do not specify a URL to a CRL server, the Signature service obtains the URL from the certificate.

Instead of using a CRL server, you can use an online certificate status protocol (OCSP) server when performing revocation checking. Typically, when using an OCSP server instead of a CRL server, the revocation check is performed faster. (See Online Certificate Status Protocol.)

You can set the CRL and OCSP server order that the Signature service uses by using Adobe Applications and Services. For example, if the OCSP server is set first in Adobe Applications and Services, the OCSP server is checked, followed by the CRL server.

If you do not perform revocation checking, the Signature service does not check whether the certificate is revoked. That is, CRL and OCSP server information is ignored.

Note: You can override the URL specified in the certificate by using a CRLOptionSpec and an OCSPOptionSpec object. For example, to override the CRL server, you can invoke the CRLOptionSpec object’s setLocalURI method.

Time stamping is the process of tracking the time when a signed or certified document was modified. After a document is signed, no one can modify it. Time stamping helps enforce the validity of a signed or certified document. You can set time stamping options by using a TSPOptionSpec object. For example, you can specify the URL of a time stamping provider (TSP) server.

Note: In the Java and web service quick starts, the verification time is set to VerificationTime.CURRENT_TIME and revocation checking is set to RevocationCheckStyle.BestEffort. Because no CRL or OCSP server information is specified, the server information is obtained from the certificate.

Retrieve all digital signatures

To verify all digital signatures located in a PDF document, retrieve the digital signatures from the PDF document. All signatures are returned in a list. As part of verifying a digital signature, check the status of the signature.

Note: Unlike when you verify a single digital signature, when you verify multiple signatures, you are not required to specify the signature field name.

Iterate through all signatures

Iterate through each signature. That is, for each signature, verify the digital signature, and check the signer’s identity and the status of each signature. (See Verifying Digital Signatures.)

Note: You do not need to iterate through all the signatures if the requirement is the entire document.

Verify multiple digital signatures using the Java API

Verify multiple digital signatures by using the Signature Service API (Java):

  1. Include project files

    Include client JAR files, such as adobe-signatures-client.jar, in your Java project’s classpath.

  2. Create a Signature client

    • Create a ServiceClientFactory object that contains connection properties.

    • Create a SignatureServiceClient object by using its constructor and passing the ServiceClientFactory object.

  3. Get the PDF document that contains the signatures to verify

    • Create a java.io.FileInputStream object that represents the PDF document that contains multiple digital signatures to verify by using its constructor. Pass a string value that specifies the location of the PDF document.

    • Create a com.adobe.idp.Document object by using its constructor and passing the java.io.FileInputStream object.

  4. Set PKI runtime options

    • Create a PKIOptions object by using its constructor.

    • Set the verification time by invoking the PKIOptions object’s setVerificationTime method and passing a VerificationTime enumeration value that specifies the verification time.

    • Set the revocation checking option by invoking PKIOptions object’s setRevocationCheckStyle method and passing a RevocationCheckStyle enumeration value that specifies whether to perform revocation checking.

  5. Retrieve all digital signatures

    Invoke the SignatureServiceClient object’s verifyPDFDocument method and pass the following values:

    • A com.adobe.idp.Document object that contains a PDF document that contains multiple digital signatures.

    • A PKIOptions object that contains PKI run-time options.

    • A VerifySPIOptions instance that contains SPI information. You can specify null for this parameter.

    The verifyPDFDocument method returns a PDFDocumentVerificationInfo object that contains information about all the digital signatures located in the PDF document.

  6. Iterate through all signatures

    • Iterate through all signatures by invoking the PDFDocumentVerificationInfo object’s getVerificationInfos method. This method returns a java.util.List object where each element is a PDFSignatureVerificationInfo object. Use a java.util.Iterator object to iterate through the list of signatures.

    • Using the PDFSignatureVerificationInfo object, you can perform tasks such as determining the status of the signature by invoking the PDFSignatureVerificationInfo object’s getStatus method. This method returns a SignatureStatus object whose static data member informs you about the status of the signature. For example, if the signature is unknown, this method returns SignatureStatus.DocumentSignatureUnknown.

Verifying multiple digital signatures using the web service API

Verify multiple digital signatures by using the Signature Service API (web service):

  1. Include project files

    Create a Microsoft .NET project that uses MTOM. Ensure that you use the following WSDL definition: http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.

    Note: Replace localhost with the IP address of the server hosting LiveCycle.
  2. Create a Signature client

    • Create a SignatureServiceClient object by using its default constructor.

    • Create a SignatureServiceClient.Endpoint.Address object by using the System.ServiceModel.EndpointAddress constructor. Pass a string value that specifies the WSDL to the LiveCycle service (for example, http://localhost:8080/soap/services/SignatureService?WSDL). You do not need to use the lc_version attribute. This attribute is used when you create a service reference.)

    • Create a System.ServiceModel.BasicHttpBinding object by getting the value of the SignatureServiceClient.Endpoint.Binding field. Cast the return value to BasicHttpBinding.

    • Set the System.ServiceModel.BasicHttpBinding object’s MessageEncoding field to WSMessageEncoding.Mtom. This value ensures that MTOM is used.

    • Enable basic HTTP authentication by performing the following tasks:

      • Assign the LiveCycle user name to the field SignatureServiceClient.ClientCredentials.UserName.UserName.

      • Assign the corresponding password value to the field SignatureServiceClient.ClientCredentials.UserName.Password.

      • Assign the constant value HttpClientCredentialType.Basic to the field BasicHttpBindingSecurity.Transport.ClientCredentialType.

      • Assign the constant value BasicHttpSecurityMode.TransportCredentialOnly to the field BasicHttpBindingSecurity.Security.Mode.

  3. Get the PDF document that contains the signatures to verify

    • Create a BLOB object by using its constructor. The BLOB object stores a PDF document that contains multiple digital signatures to verify.

    • Create a System.IO.FileStream object by invoking its constructor. Pass a string value that represents the file location of the PDF document and the mode in which to open the file.

    • Create a byte array that stores the content of the System.IO.FileStream object. You can determine the size of the byte array by getting the System.IO.FileStream object’s Length property.

    • Populate the byte array with stream data by invoking the System.IO.FileStream object’s Read method. Pass the byte array, the starting position, and the stream length to read.

    • Populate the BLOB object by assigning its MTOM property the contents of the byte array.

  4. Set PKI runtime options

    • Create a PKIOptions object by using its constructor.

    • Set the verification time by assigning the PKIOptions object’s verificationTime data member a VerificationTime enumeration value that specifies the verification time.

    • Set the revocation checking option by assigning the PKIOptions object’s revocationCheckStyle data member a RevocationCheckStyle enumeration value that specifies whether to perform revocation checking.

  5. Retrieve all digital signatures

    Invoke the SignatureServiceClient object’s verifyPDFDocument method and pass the following values:

    • A BLOB object that contains a PDF document that contains multiple digital signatures.

    • A PKIOptions object that contains PKI run-time options.

    • A VerifySPIOptions instance that contains SPI information. You can specify null for this parameter.

    The verifyPDFDocument method returns a PDFDocumentVerificationInfo object that contains information about all the digital signatures located in the PDF document.

  6. Iterate through all signatures

    • Iterate through all signatures by getting the PDFDocumentVerificationInfo object’s verificationInfos data member. This data member returns an Object array where each element is a PDFSignatureVerificationInfo object.

    • Using the PDFSignatureVerificationInfo object, you can perform tasks like determining the status of the signature by getting the PDFSignatureVerificationInfo object’s status data member. This data member returns a SignatureStatus object whose static data member informs you about the status of the signature. For example, if the signature is unknown, this method returns SignatureStatus.DocumentSignatureUnknown.

// Ethnio survey code removed