ActionScript® 3.0 Reference for the Adobe® Flash® Platform
flash.security 

XMLSignatureValidator  - AS3

Package: flash.security
Class: public class XMLSignatureValidator
Inheritance: XMLSignatureValidator → EventDispatcher → Object

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

The XMLSignatureValidator class validates whether an XML signature file is well formed, unmodified, and, optionally, whether it is signed using a key linked to a trusted digital certificate.

AIR profile support: This feature is supported on all desktop operating systems and AIR for TV devices, but it is not supported on mobile devices. You can test for support at run time using the XMLSignatureValidator.isSupported property. See AIR Profile Support for more information regarding API support across multiple profiles.

XMLSignatureValidator implements a subset of the W3C Recommendation for XML-Signature Syntax and Processing and should not be considered a conforming implementation. The supported subset of the recommendation includes:

  • All of the core signature syntax except KeyInfo element.
  • The KeyInfo element only supports the X509Data element.
  • The X509Data element only supports the X509Certificate element.
  • The SHA256 digest method algorithm.
  • The PKCS1 signing algorithm.
  • The "Canonical XML without comments" Canonicalization Method and Transform algorithm.
  • The Manifest element in additional signature syntax.

You must provide an IURIDereferencer implementation in order to verify an XML signature. This implementation class is responsible for resolving the URIs specified in the SignedInfo elements of the signature file and returning the referenced data in an object, such as a ByteArray, that implements the IDataInput interface.

In order to verify that the signing certificate chains to a trusted certificate, either the XML signature must contain the certificates required to build the chain in X509Certificate elements, or you must supply the certificates required to build the chain using the addCertificate() method.

To verify an XMLSignature:

  1. Create an instance of the XMLSignatureValidator class.
  2. Set the uriDereferencer property of the instance to an instance of your IURIDereferencer implementation class.
  3. Supply DER-encoded certificates for building the certificate trust chain, if desired, using the addCertificate() method.
  4. Call the XMLSignatureValidator verify method, passing in the signature to be verified.
  5. Check the validityStatus property after the XMLSignatureValidator object dispatches a complete event.

About signature status:

The validity of an XML signature can be valid, invalid, or unknown. The overall status depends on the verification status of the individual components of the signature file:

  • digestStatus — The validity of the cryptographic signature computed over the SignedInfo element. Can be valid, invalid, or unknown.
  • identityStatus — The validity of the signing certificate. If the certificate has expired, has been revoked, or altered, the status is invalid. If the certificate cannot be chained to a trusted root certificate, the status is unknown. The certificate is not checked if the digest is invalid. If not checked, the status will be reported as unknown.
  • referencesStatus — The validity of the data addressed by the references in the SignedInfo element of the signature file. Can be valid, invalid, or unknown. The references are not checked if the digest or certificate is invalid. Reference checking can also be skipped based on the setting of the referencesValidationSetting property. If not checked, the status will be reported as unknown.

The signature validity reported by the validityStatus property can be:

  • valid — If referencesStatus, digestStatus, and identityStatus are all valid.
  • invalid — If any individual status is invalid.
  • unknown — If no individual status is invalid and referencesStatus, digestStatus, or identityStatus is unknown.

Canonicalization limitations:

The XML engine in AIR does not always produce the expected XML string when canonicalizing an XML document. For this reason, it is recommended that you avoid putting inter-element whitespace in enveloped or detached signature documents and do not redefine namespaces inside a signature document. In both cases, AIR may not recreate the document with the same character sequence as the original and, therefore, validation will fail.




Public Properties
 PropertyDefined By
 Inheritedconstructor : Object
A reference to the class object or constructor function for a given object instance.
Object
      digestStatus : String
[read-only] The validity status of the cryptographic signature computed over the signature SignedInfo element.
XMLSignatureValidator
      identityStatus : String
[read-only] The validity status of the signing certificate.
XMLSignatureValidator
      isSupported : Boolean
[static] [read-only] The isSupported property is set to true if the XMLSignatureValidator class is supported on the current platform, otherwise it is set to false.
XMLSignatureValidator
      referencesStatus : String
[read-only] The validity status of the data in the references in the signature SignedInfo element.
XMLSignatureValidator
      referencesValidationSetting : String
Specifies the conditions under which references are checked.
XMLSignatureValidator
      revocationCheckSetting : String
Specifies how certificate revocation is checked.
XMLSignatureValidator
      signerCN : String
[read-only] The Common Name field of the signing certificate.
XMLSignatureValidator
      signerDN : String
[read-only] The Distinguished Name field of the signing certificate.
XMLSignatureValidator
      signerExtendedKeyUsages : Array
[read-only] An array containing the Extended Key Usages OIDs listed in the signing certificate.
XMLSignatureValidator
      signerTrustSettings : Array
[read-only] An array containing the trust settings of the signing certificate.
XMLSignatureValidator
      uriDereferencer : IURIDereferencer
The IURIDereferencer implementation.
XMLSignatureValidator
      useSystemTrustStore : Boolean
Specifies that certificates in the system trust store are used for chain building.
XMLSignatureValidator
      validityStatus : String
[read-only] The validity status of a verified XML signature.
XMLSignatureValidator
Public Methods
 MethodDefined By
  
Creates an XMLSignatureValidator object.
XMLSignatureValidator
  
    addCertificate(cert:ByteArray, trusted:Boolean):*
Adds an x509 certificate for chain building.
XMLSignatureValidator
 Inherited
addEventListener(type:String, listener:Function, useCapture:Boolean = false, priority:int = 0, useWeakReference:Boolean = false):void
Registers an event listener object with an EventDispatcher object so that the listener receives notification of an event.
EventDispatcher
 Inherited
Dispatches an event into the event flow.
EventDispatcher
 Inherited
Checks whether the EventDispatcher object has any listeners registered for a specific type of event.
EventDispatcher
 Inherited
Indicates whether an object has a specified property defined.
Object
 Inherited
Indicates whether an instance of the Object class is in the prototype chain of the object specified as the parameter.
Object
 Inherited
Indicates whether the specified property exists and is enumerable.
Object
 Inherited
removeEventListener(type:String, listener:Function, useCapture:Boolean = false):void
Removes a listener from the EventDispatcher object.
EventDispatcher
 Inherited
Sets the availability of a dynamic property for loop operations.
Object
 Inherited
Returns the string representation of this object, formatted according to locale-specific conventions.
Object
 Inherited
Returns the string representation of the specified object.
Object
 Inherited
Returns the primitive value of the specified object.
Object
  
    verify(signature:XML):void
Verifies the specified signature.
XMLSignatureValidator
 Inherited
Checks whether an event listener is registered with this EventDispatcher object or any of its ancestors for the specified event type.
EventDispatcher
Events
 Event Summary Defined By
 Inherited[broadcast event] Dispatched when the Flash Player or AIR application gains operating system focus and becomes active.EventDispatcher
  
    complete
Dispatched when verification is complete.XMLSignatureValidator
 Inherited[broadcast event] Dispatched when the Flash Player or AIR application loses operating system focus and is becoming inactive.EventDispatcher
  
    error
Dispatched if verification cannot complete because of errors.XMLSignatureValidator
Property Detail
    

digestStatus

property
digestStatus:String  [read-only]

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

The validity status of the cryptographic signature computed over the signature SignedInfo element.

The status is:

  • valid — If the signature is cryptographically valid.
  • invalid — If the digest has been altered after signing.
  • unknown — If the verify() method has not been called.

Note: If the digestStatus is invalid, the identityStatus and referencesStatus are not checked and will be reported as unknown.



Implementation
    public function get digestStatus():String

Throws
IllegalOperationError — If accessed while a signature is being validated.
    

identityStatus

property 
identityStatus:String  [read-only]

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

The validity status of the signing certificate.

The status can be:

  • valid — The certificate has not expired, has not failed a revocation check and chains to a trusted root certificate.
  • unknown — The certificate has not expired and has not failed a revocation check, but does not chain to a trusted root certificate. A status of unknown will also be reported when the status has not been verified, either because the verify() method has not been called or because the cryptographic signature of the SignedInfo element (digestStatus) is invalid.
  • invalid — The certificate has expired or fails a revocation check.

The certificates added using the addCertificate() method and the settings of the revocationCheckSetting and the useSystemTrustStore properties can change whether a certificate is considered valid.

Note: If the identityStatus is invalid, the referencesStatus is not checked and will be reported as unknown. In addition, references are not checked when the identityStatus is unknown unless the referencesValidationSetting is validOrUnknownIdentity.



Implementation
    public function get identityStatus():String

Throws
IllegalOperationError — If accessed while a signature is being validated.

Related API Elements


Example  ( How to use this example )
The following example gets the result of validating the signing certificate (after a signature has been validated):
 import flash.security.XMLSignatureValidator;

 // Validator whose certificate result is read below.
 var validator:XMLSignatureValidator = new XMLSignatureValidator();
 // ... validate a signature here ...

 // identityStatus reports valid, invalid or unknown. It stays unknown until verify() has been
 // called, and reading it while a signature is being validated throws IllegalOperationError.
 var identityResult:String = validator.identityStatus;
    

isSupported

property 
isSupported:Boolean  [read-only]

Language Version: ActionScript 3.0
Runtime Versions: AIR 2

The isSupported property is set to true if the XMLSignatureValidator class is supported on the current platform, otherwise it is set to false.



Implementation
    public static function get isSupported():Boolean
    

referencesStatus

property 
referencesStatus:String  [read-only]

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

The validity status of the data in the references in the signature SignedInfo element.

The status can be:

  • valid — If all references are valid.
  • invalid — If any reference is invalid.
  • unknown — If not verified. References can remain unverified in the following circumstances:
    • the verify() method has not been called
    • the cryptographic signature of the SignedInfo element (digestStatus) is invalid.
    • the signing certificate (identityStatus) is invalid
    • referencesValidationSetting is validIdentity (which is the default setting) and the identityStatus of the signing certificate is unknown.
    • the referencesValidationSetting is never.

Important: External resources are not validated unless they are referenced directly in a SignedInfo element within the signature document. External resources referred to by a secondary reference are not validated. For example, if an XML signature signs a manifest element, only the integrity of the manifest element itself is verified. The files listed in the manifest are not checked.



Implementation
    public function get referencesStatus():String

Throws
IllegalOperationError — If accessed while a signature is being validated.

Related API Elements


Example  ( How to use this example )
The following example gets the result of validating the references in the signature (after a signature has been validated):
 import flash.security.XMLSignatureValidator;

 // Validator whose reference-check result is read below.
 var validator:XMLSignatureValidator = new XMLSignatureValidator();
 // ... validate a signature here ...

 // referencesStatus reports valid, invalid or unknown. unknown means the references were not
 // checked (for example because digestStatus or identityStatus is invalid), not that they passed.
 var dataResult:String = validator.referencesStatus;
    

referencesValidationSetting

property 
referencesValidationSetting:String

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.5

Specifies the conditions under which references are checked.

Use constants defined in the ReferencesValidationSetting class to set this property. The settings include:

  • ReferencesValidationSetting.VALID_IDENTITY — Check references only if the signing certificate is valid and chains to a trusted root. This is the default setting.
  • ReferencesValidationSetting.VALID_OR_UNKNOWN_IDENTITY — Check references if the signing certificate is valid, even if it does not chain to a trusted root.
  • ReferencesValidationSetting.NEVER — Never check references.

Use the default, validIdentity, setting with signatures signed with a commercial certificate or when you supply your own certificate as a trust anchor with the addCertificate() method. This setting avoids the overhead of checking reference validity when the signed document will be rejected anyway.

Use the validOrUnknownIdentity setting with signatures signed with self-signed certificates. This setting allows you to validate that the signed data has not been altered, but does not provide any assurances about the identity of the signer.

Use the never setting to avoid the overhead of validating references when such validation is not important in the context of your application.



Implementation
    public function get referencesValidationSetting():String
    public function set referencesValidationSetting(value:String):void

Throws
IllegalOperationError — If set while a signature is being validated.
 
ArgumentError — if the setting parameter contains a value not defined in the ReferencesValidationSetting class.

Related API Elements


Example  ( How to use this example )
The following example sets the XMLSignatureValidator object to check references only if the signing certificate chains to a trust anchor:
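 import flash.security.ReferencesValidationSetting;
 import flash.security.XMLSignatureValidator;

 var verifier:XMLSignatureValidator = new XMLSignatureValidator();
 // VALID_IDENTITY (the default) checks references only when the signing certificate is valid and
 // chains to a trusted root. VALID_OR_UNKNOWN_IDENTITY would also check references for a
 // certificate that does not chain to a trust anchor, which gives no assurance about the signer.
 verifier.referencesValidationSetting = ReferencesValidationSetting.VALID_IDENTITY;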
    

revocationCheckSetting

property 
revocationCheckSetting:String

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

Specifies how certificate revocation is checked.

Use constants defined in the RevocationCheckSettings class to set this property. The settings include:

  • RevocationCheckSettings.NEVER — Do not check certificate revocation.
  • RevocationCheckSettings.BEST_EFFORT — Check certificate revocation, if revocation information is available and the revocation status can be obtained. If revocation status cannot be positively determined, the certificate is not rejected.
  • RevocationCheckSettings.REQUIRED_IF_AVAILABLE — If the certificate includes revocation information, the revocation status must be positively determined to validate the certificate.
  • RevocationCheckSettings.ALWAYS_REQUIRED — Always check certificate revocation. Certificates without revocation information are rejected.



Implementation
    public function get revocationCheckSetting():String
    public function set revocationCheckSetting(value:String):void

Throws
IllegalOperationError — If set while a signature is being validated.

Related API Elements

    

signerCN

property 
signerCN:String  [read-only]

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

The Common Name field of the signing certificate.



Implementation
    public function get signerCN():String

Example  ( How to use this example )
The following example reads the common name of the signing certificate (after a signature has been validated):
 
 // Validator whose verification is assumed to have finished before the read below.
 var validator:XMLSignatureValidator = new XMLSignatureValidator();
 // ...validate a signature and wait for the complete event...
  
 // Common Name field of the signing certificate. The value comes from the
 // certificate itself, so check identityStatus before relying on it.
 var signerCommonName:String = validator.signerCN;
    

signerDN

property 
signerDN:String  [read-only]

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

The Distinguished Name field of the signing certificate.



Implementation
    public function get signerDN():String

Example  ( How to use this example )
The following example reads the distinguished name of the signing certificate (after a signature has been validated):
 
 // Validator whose verification is assumed to have finished before the read below.
 var validator:XMLSignatureValidator = new XMLSignatureValidator();
 // ...validate a signature and wait for the complete event...
  
 // Distinguished Name field of the signing certificate. The value comes from
 // the certificate itself, so check identityStatus before relying on it.
 var signerDistinguishedName:String = validator.signerDN;
    

signerExtendedKeyUsages

property 
signerExtendedKeyUsages:Array  [read-only]

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

An array containing the Extended Key Usages OIDs listed in the signing certificate.

Each extended key usage is reported in numeric OID form.



Implementation
    public function get signerExtendedKeyUsages():Array

Throws
IllegalOperationError — If accessed while a signature is being validated.

Example  ( How to use this example )
The following example reads the extended key OIDs of the signing certificate (after a signature has been validated):
 import flash.security.XMLSignatureValidator;
 
 var validator:XMLSignatureValidator = new XMLSignatureValidator();
 // ...validate a signature and wait for the complete event; reading the
 // property while validation is running throws IllegalOperationError...
  
 // Extended Key Usage entries of the signing certificate, in numeric OID form.
 var signerEkuOIDs:Array = validator.signerExtendedKeyUsages;
    

signerTrustSettings

property 
signerTrustSettings:Array  [read-only]

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

An array containing the trust settings of the signing certificate.

Trust settings are derived from the system and the key usage OIDs embedded in the certificate. Constants for the strings representing the recognized trust settings are defined in the SignerTrustSettings class.

The signerTrustSettings array of an unknown or invalid certificate is empty.

Modifying the array does not change the certificate trust settings.



Implementation
    public function get signerTrustSettings():Array

Throws
IllegalOperationError — If accessed while a signature is being validated.

Related API Elements


Example  ( How to use this example )
The following example reads the trust settings of the signing certificate (after a signature has been validated):
 import flash.security.XMLSignatureValidator;
 
 var validator:XMLSignatureValidator = new XMLSignatureValidator();
 // ...validate a signature and wait for the complete event; reading the
 // property while validation is running throws IllegalOperationError...
  
 // Trust settings of the signing certificate. The array is empty for an
 // unknown or invalid certificate, and editing it does not change the settings.
 var signerTrustedFor:Array = validator.signerTrustSettings;
    

uriDereferencer

property 
uriDereferencer:IURIDereferencer

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

The IURIDereferencer implementation.

An IURIDereferencer implementation must be provided before attempting to verify a signature.



Implementation
    public function get uriDereferencer():IURIDereferencer
    public function set uriDereferencer(value:IURIDereferencer):void

Throws
IllegalOperationError — If set while a signature is being validated.

Related API Elements


Example  ( How to use this example )
The following example creates an instance of SignedMessageDereferencer, which implements the IURIDereferencer interface, and sets it as the dereferencer to use for signature validation:
 import com.example.SignedMessageDereferencer; //A custom class implementing IURIDereferencer
 
 // A dereferencer must be assigned before verify() is called.
 var validator:XMLSignatureValidator = new XMLSignatureValidator(); 
 var dereferencer:SignedMessageDereferencer = new SignedMessageDereferencer();
 validator.uriDereferencer = dereferencer;
    

useSystemTrustStore

property 
useSystemTrustStore:Boolean

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

Specifies that certificates in the system trust store are used for chain building.

If true, then the trust anchors in the system trust store are used as trusted roots. The system trust store is not used by default.



Implementation
    public function get useSystemTrustStore():Boolean
    public function set useSystemTrustStore(value:Boolean):void

Throws
IllegalOperationError — If set while a signature is being validated.

Example  ( How to use this example )
The following example creates an XMLSignatureValidator instance and sets it to use the system repository of trusted certificates when validating an XML signature:
 // Opt in to the system trust store: its trust anchors are then used as
 // trusted roots for chain building. The store is not used by default.
 var validator:XMLSignatureValidator = new XMLSignatureValidator(); 
 validator.useSystemTrustStore = true;
    

validityStatus

property 
validityStatus:String  [read-only]

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

The validity status of a verified XML signature.

The XML signature is verified by validating the cryptographic signature of the SignedInfo element, the signing certificate, and the data addressed by the references in the SignedInfo element. The validity of each of these elements is reported individually by the digestStatus, identityStatus, and referencesStatus properties, respectively.

The validity of an XML signature can be valid, invalid, or unknown. The overall status depends on the verification status of the individual components of the signature file:

  • digestStatus — The validity of the cryptographic signature computed over the SignedInfo element.
  • identityStatus — The validity of the signing certificate.
  • referencesStatus — The validity of the digest of the references in the signature SignedInfo element.

The signature validity reported by the validityStatus property can be:

  • valid — If referencesStatus, digestStatus, and identityStatus are all valid.
  • invalid — If any individual status is invalid.
  • unknown — If any individual status is unknown.



Implementation
    public function get validityStatus():String

Throws
IllegalOperationError — If accessed while a signature is being validated.

Related API Elements


Example  ( How to use this example )
The following example gets the result of validating the XML signature
 import flash.security.XMLSignatureValidator;
 
 var validator:XMLSignatureValidator = new XMLSignatureValidator();
 // ...validate the signature and wait for the complete event; reading the
 // property while validation is running throws IllegalOperationError...
  
 // Overall result: valid only when the digest, identity and references
 // statuses are all valid.
 var overallStatus:String = validator.validityStatus;
Constructor Detail
    

XMLSignatureValidator

()Constructor
public function XMLSignatureValidator()

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

Creates an XMLSignatureValidator object.

You must set the uriDereferencer property before calling the verify() method of the new object.

Related API Elements


Example  ( How to use this example )

The following example creates and sets up a new XMLSignatureValidator object:
 
import com.example.EnvelopedDereferencer; //Your custom IURIDereferencer implementation

//Instantiate the validator
var validator:XMLSignatureValidator = new XMLSignatureValidator();

//Register the result handlers; verification reports back through these events
validator.addEventListener(Event.COMPLETE, verificationComplete);
validator.addEventListener(ErrorEvent.ERROR, verificationError);

//Supply the IURIDereferencer (required before verify() is called)
validator.uriDereferencer = new EnvelopedDereferencer(xmlDoc);

//Validation options chosen for this example:
// - trust anchors in the system trust store are used as trusted roots
// - certificate revocation is not checked, so a revoked signing certificate is not detected
// - references are checked even if the certificate does not chain to a trusted root;
//   this shows the data is unaltered but gives no assurance about the signer's identity
validator.useSystemTrustStore = true;
validator.revocationCheckSetting = RevocationCheckSettings.NEVER;
validator.referencesValidationSetting = ReferencesValidationSetting.VALID_OR_UNKNOWN_IDENTITY;
Method Detail

    addCertificate

()method
public function addCertificate(cert:ByteArray, trusted:Boolean):*

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

Adds an x509 certificate for chain building.

The certificate added must be a DER-encoded x509 certificate.

If the trusted parameter is true, the certificate is considered a trust anchor.

Note: An XML signature may include certificates for building the signer's certificate chain. The XMLSignatureValidator class uses these certificates for chain building, but not as trusted roots (by default).

Parameters

cert:ByteArray — A ByteArray object containing a DER-encoded x509 digital certificate.
 
trusted:Boolean — Set to true to designate this certificate as a trust anchor.

Returns
*

Throws
IllegalOperationError — If called while a signature is being validated.

Example  ( How to use this example )

The following example loads a certificate from the file system and adds it as a trusted anchor.
 import flash.utils.ByteArray;
 
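 var verifier:XMLSignatureValidator = new XMLSignatureValidator();
 var certificate:ByteArray = new ByteArray();
 
 // Read the DER-encoded certificate; the stream is closed even if the read fails
 // (the original listing never closed it).
 var certFile:File = new File("certificate.cer");
 var certFileStream:FileStream = new FileStream();
 certFileStream.open(certFile, FileMode.READ);
 try {
     certFileStream.readBytes(certificate, 0, certFileStream.bytesAvailable);
 } finally {
     certFileStream.close();
 }

 // trusted=true designates the certificate as a trust anchor, so every signature
 // that chains to it is treated as coming from a trusted identity. Load anchors
 // only from a location the application controls.
 verifier.addCertificate(certificate, true);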

    verify

()method 
public function verify(signature:XML):void

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

Verifies the specified signature.

Verification is asynchronous. The XMLSignatureValidator object dispatches a complete event when verification completes successfully or an error event if verification cannot complete because of errors.

The verification process cannot be cancelled. While a verification process is under way, subsequent calls to the verify() method fail. After the current verification check is complete, you can call the verify() method again.

Note: Because the XMLSignatureValidator only implements a subset of the W3C recommendation for XML Signature Syntax and Processing, not all valid XML signatures can be verified.

Parameters

signature:XML — The XML signature to verify.


Events
complete:Event — Dispatched when verification completes successfully.
 
error:ErrorEvent — Dispatched if the verification of references encounters an error.

Throws
IllegalOperationError — If called while a signature is being validated.
 
Error — If other errors are encountered, such as non-well-formed XML or unsupported elements in the signature file.

Example  ( How to use this example )

The following example reads a file containing an XML signature and validates it by calling the verify() method. (The example assumes that the IURIDereferencer implementation is appropriate for the signature.)
import flash.filesystem.File;
import flash.filesystem.FileStream;
import com.example.SignedMessageDereferencer; //Your IURIDereferencer implementation
 
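//Namespace of the W3C XML Signature elements
const xmlSignatureNS:Namespace = new Namespace( "http://www.w3.org/2000/09/xmldsig#" );

var verifier:XMLSignatureValidator = new XMLSignatureValidator();
verifier.uriDereferencer = new SignedMessageDereferencer();
//verify() is asynchronous: register complete and error listeners on the verifier
//before calling it, and read validityStatus in the complete handler. A complete
//event alone does not mean the signature is valid.

var signatureFile:File = new File( "path/to/XMLSignatureDocument.xml" );
var sigFileStream:FileStream = new FileStream();
sigFileStream.open( signatureFile, FileMode.READ );

//Read the document; the stream is closed even if the read or the XML parsing fails
//(the original listing never closed it).
var xmlDoc:XML;
try{
    xmlDoc = XML( sigFileStream.readUTFBytes(sigFileStream.bytesAvailable) );
} finally{
    sigFileStream.close();
}

//NOTE(review): this conversion appears to expect exactly one Signature element
//in the document - confirm for documents that carry none or several.
var xmlSig:XML = XML( xmlDoc..xmlSignatureNS::Signature );

verifier.verify( xmlSig );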
Event Detail
    

complete

Event
Event Object Type: flash.events.Event
property Event.type = flash.events.Event.COMPLETE

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

Dispatched when verification is complete.

A complete event does not imply that the signature is valid. Check the validityStatus property of the XMLSignatureValidator object to determine the outcome of the signature verification.

The Event.COMPLETE constant defines the value of the type property of a complete event object.

This event has the following properties:

Property | Value
bubbles | false
cancelable | false; there is no default behavior to cancel.
currentTarget | The object that is actively processing the Event object with an event listener.
target | The network object that has completed loading.

Example  ( How to use this example )

The following example listens for the complete event dispatched by an XMLSignatureValidator object and traces the validation results:
/**
 * Handles the complete event of an XMLSignatureValidator and traces each
 * status it reports.
 *
 * The complete event only signals that verification finished; the outcome is
 * in the status properties, with validityStatus giving the overall result.
 *
 * @param event The complete event; its target is read as the validator.
 */
private function verificationComplete(event:Event):void{
    var source:XMLSignatureValidator = event.target as XMLSignatureValidator;

    // Individual components first, overall result last.
    trace("Digest status: " + source.digestStatus);
    trace("Identity status: " + source.identityStatus);
    trace("Reference status: " + source.referencesStatus);
    trace("Signature status: " + source.validityStatus);
}

Related API Elements

    

error

Event  
Event Object Type: flash.events.ErrorEvent
property ErrorEvent.type = flash.events.ErrorEvent.ERROR

Language Version: ActionScript 3.0
Runtime Versions: AIR 1.0

Dispatched if verification cannot complete because of errors.

The ErrorEvent.ERROR constant defines the value of the type property of an error event object.

This event has the following properties:

Property | Value
bubbles | false
cancelable | false; there is no default behavior to cancel.
currentTarget | The object that is actively processing the Event object with an event listener.
target | The object experiencing a network operation failure.
text | Text to be displayed as an error message.

Example  ( How to use this example )

The following example listens for the error event dispatched by an XMLSignatureValidator object and traces the error message:
/**
 * Handles the error event of an XMLSignatureValidator, dispatched when
 * verification cannot complete, and traces the event's message text.
 *
 * @param event The error event carrying the message in its text property.
 */
private function verificationError(event:ErrorEvent):void{
    var message:String = "Verification error: " + event.text;
    trace(message);
}
XMLSignatureValidatorExample.as

The following example loads and verifies a file containing an XML signature. To use this example, you must implement an IURIDereferencer appropriate for the signatures to be validated (replacing the SignedMessageDereferencer class used in the example). Run the example by calling SignatureValidatorExample.validateSignature( signatureFile ), passing in the file referencing the XML signature document to validate.
import flash.events.ErrorEvent;
import flash.events.Event;
import flash.filesystem.File;
import flash.filesystem.FileMode;
import flash.filesystem.FileStream;
import flash.security.ReferencesValidationSetting;
import flash.security.XMLSignatureValidator; 

import com.example.SignedMessageDereferencer; //A custom class implementing IURIDereferencer

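/**
 * Loads a file containing an XML signature and verifies it with an
 * XMLSignatureValidator, tracing the result when verification finishes.
 *
 * Changes from the original listing: the members read by the static methods
 * are now static, the complete handler takes the validator from the event
 * instead of an out-of-scope local, errors are traced instead of written to
 * an undefined statusDisplay object, the file stream is closed, an error
 * listener is registered, and a document without a Signature element is
 * reported instead of indexing an empty list.
 */
public class SignatureValidatorExample{ 
    //Signature element handed to the validator
    private static var xmlSig:XML;
    //Namespace of the W3C XML Signature elements
    private static const signatureNS:Namespace = new Namespace( "http://www.w3.org/2000/09/xmldsig#" );
    
    /**
     * Reads the signature document and starts asynchronous verification.
     * Results arrive through verificationComplete() or verificationError().
     *
     * @param signatureFile The file referencing the XML signature document to validate.
     */
    public static function validateSignature( signatureFile:File ):void{
        try{
            //Set up the XMLSignatureValidator
            var verifier:XMLSignatureValidator = new XMLSignatureValidator();
            verifier.addEventListener( Event.COMPLETE, verificationComplete );
            verifier.addEventListener( ErrorEvent.ERROR, verificationError );
            verifier.uriDereferencer = new SignedMessageDereferencer();
            //References are checked even if the signing certificate does not chain
            //to a trusted root. That shows whether the signed data was altered, but
            //gives no assurance about the identity of the signer.
            verifier.referencesValidationSetting = ReferencesValidationSetting.VALID_OR_UNKNOWN_IDENTITY;
    
            //Load the signed document, closing the stream even if reading fails
            var sigFileStream:FileStream = new FileStream();
            sigFileStream.open( signatureFile, FileMode.READ );
            var xmlDoc:XML;
            try{
                xmlDoc = XML( sigFileStream.readUTFBytes(sigFileStream.bytesAvailable) );
            } finally{
                sigFileStream.close();
            }
            
            //Get the last Signature element in the document.
            //Only the data addressed by that signature's references is covered
            //by the validation result.
            if( xmlDoc.name().localName != "Signature" ){
                var signatureList:XMLList = xmlDoc..signatureNS::Signature;
                if( signatureList.length() == 0 ){
                    trace( "Verification error.\nNo Signature element found in the document." );
                    return;
                }
                xmlSig = XML( signatureList[ signatureList.length()-1 ] );
            } else{
                xmlSig = xmlDoc;
            }
    
            //Validate the signature
            verifier.verify( xmlSig );
            
        }catch (e:Error){
            trace( "Verification error.\n" + e );
        }
    }
    
    /**
     * Traces the validation results. The complete event does not imply that
     * the signature is valid; validityStatus is valid only when the digest,
     * identity and references statuses are all valid.
     *
     * @param event The complete event; its target is the validator.
     */
    private static function verificationComplete(event:Event):void{
        var verifier:XMLSignatureValidator = event.target as XMLSignatureValidator;
        trace( "Signature Validity: " + verifier.validityStatus );
        trace( "Digest validity: " + verifier.digestStatus );
        trace( "Certificate validity: " + verifier.identityStatus );
        trace( "Data validity: " + verifier.referencesStatus );
    }
    
    /**
     * Traces the message of an error event, dispatched when verification
     * cannot complete because of errors.
     *
     * @param event The error event carrying the message in its text property.
     */
    private static function verificationError(event:ErrorEvent):void{
        trace( "Verification error.\n" + event.text );
    }
}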