Adobe® AIR® API Reference for HTML Developers
XMLSignatureValidator 
window.runtime property: window.runtime.flash.security.XMLSignatureValidator
Inheritance: XMLSignatureValidator -> EventDispatcher -> Object

Runtime Versions:  1.0

The XMLSignatureValidator class validates whether an XML signature file is well formed, unmodified, and, optionally, whether it is signed using a key linked to a trusted digital certificate.

XMLSignatureValidator implements a subset of the W3C Recommendation for XML-Signature Syntax and Processing and should not be considered a conforming implementation. The supported subset of the recommendation includes:

  • All of the core signature syntax except the KeyInfo element.
  • The KeyInfo element only supports the X509Data element.
  • The X509Data element only supports the X509Certificate element.
  • The SHA256 digest method algorithm.
  • The PKCS1 signing algorithm.
  • The "Canonical XML without comments" Canonicalization Method and Transform algorithm.
  • The Manifest element in additional signature syntax.

You must provide an IURIDereferencer implementation in order to verify an XML signature. This implementation class is responsible for resolving the URIs specified in the SignedInfo elements of the signature file and returning the referenced data in an object, such as a ByteArray, that implements the IDataInput interface.

In order to verify that the signing certificate chains to a trusted certificate, either the XML signature must contain the certificates required to build the chain in X509Certificate elements, or you must supply the certificates required to build the chain using the addCertificate() method.

To verify an XMLSignature:

  1. Create an instance of the XMLSignatureValidator class.
  2. Set the uriDereferencer property of the instance to an instance of your IURIDereferencer implementation class.
  3. Supply DER-encoded certificates for building the certificate trust chain, if desired, using the addCertificate() method.
  4. Call the XMLSignatureValidator verify method, passing in the signature to be verified.
  5. Check the validityStatus property after the XMLSignatureValidator object dispatches a complete event.

About signature status:

The validity of an XML signature can be valid, invalid, or unknown. The overall status depends on the verification status of the individual components of the signature file:

  • digestStatus — The validity of the cryptographic signature computed over the SignedInfo element. Can be valid, invalid, or unknown.
  • identityStatus — The validity of the signing certificate. If the certificate has expired, has been revoked, or altered, the status is invalid. If the certificate cannot be chained to a trusted root certificate, the status is unknown. The certificate is not checked if the digest is invalid. If not checked, the status will be reported as unknown.
  • referencesStatus — The validity of the data addressed by the references in the SignedInfo element of the signature file. Can be valid, invalid, or unknown. The references are not checked if the digest or certificate is invalid. Reference checking can also be skipped based on the setting of the referencesValidationSetting property. If not checked, the status will be reported as unknown.

The signature validity reported by the validityStatus property can be:

  • valid — If referencesStatus, digestStatus, and identityStatus are all valid.
  • invalid — If any individual status is invalid.
  • unknown — If referencesStatus, digestStatus, or identityStatus is unknown.

Canonicalization limitations:

The XML engine in AIR does not always produce the expected XML string when canonicalizing an XML document. For this reason, it is recommended that you avoid putting inter-element whitespace in enveloped or detached signature documents and do not redefine namespaces inside a signature document. In both cases, AIR may not recreate the document with the same character sequence as the original and, therefore, validation will fail.



Properties

Property (Defined By)

  • constructor : Object (inherited; defined by Object)
    A reference to the class object or constructor function for a given object instance.
  • digestStatus : String [read-only] (XMLSignatureValidator)
    The validity status of the cryptographic signature computed over the signature SignedInfo element.
  • identityStatus : String [read-only] (XMLSignatureValidator)
    The validity status of the signing certificate.
  • isSupported : Boolean [static] [read-only] (XMLSignatureValidator)
    The isSupported property is set to true if the XMLSignatureValidator class is supported on the current platform, otherwise it is set to false.
  • prototype : Object [static] (inherited; defined by Object)
    A reference to the prototype object of a class or function object.
  • referencesStatus : String [read-only] (XMLSignatureValidator)
    The validity status of the data in the references in the signature SignedInfo element.
  • referencesValidationSetting : String (XMLSignatureValidator)
    Specifies the conditions under which references are checked.
  • revocationCheckSetting : String (XMLSignatureValidator)
    Specifies how certificate revocation is checked.
  • signerCN : String [read-only] (XMLSignatureValidator)
    The Common Name field of the signing certificate.
  • signerDN : String [read-only] (XMLSignatureValidator)
    The Distinguished Name field of the signing certificate.
  • signerExtendedKeyUsages : Array [read-only] (XMLSignatureValidator)
    An array containing the Extended Key Usages OIDs listed in the signing certificate.
  • signerTrustSettings : Array [read-only] (XMLSignatureValidator)
    An array containing the trust settings of the signing certificate.
  • uriDereferencer : IURIDereferencer (XMLSignatureValidator)
    The IURIDereferencer implementation.
  • useSystemTrustStore : Boolean (XMLSignatureValidator)
    Specifies that certificates in the system trust store are used for chain building.
  • validityStatus : String [read-only] (XMLSignatureValidator)
    The validity status of a verified XML signature.
Public Methods

Method (Defined By)

  • XMLSignatureValidator() (XMLSignatureValidator)
    Creates an XMLSignatureValidator object.
  • addCertificate(cert:ByteArray, trusted:Boolean):* (XMLSignatureValidator)
    Adds an x509 certificate for chain building.
  • addEventListener(type:String, listener:Function, useCapture:Boolean = false, priority:int = 0, useWeakReference:Boolean = false):void (inherited; defined by EventDispatcher)
    Registers an event listener object with an EventDispatcher object so that the listener receives notification of an event.
  • dispatchEvent(event:Event):Boolean (inherited; defined by EventDispatcher)
    Dispatches an event into the event flow.
  • hasEventListener(type:String):Boolean (inherited; defined by EventDispatcher)
    Checks whether the EventDispatcher object has any listeners registered for a specific type of event.
  • hasOwnProperty(name:String):Boolean (inherited; defined by Object)
    Indicates whether an object has a specified property defined.
  • isPrototypeOf(theClass:Object):Boolean (inherited; defined by Object)
    Indicates whether an instance of the Object class is in the prototype chain of the object specified as the parameter.
  • propertyIsEnumerable(name:String):Boolean (inherited; defined by Object)
    Indicates whether the specified property exists and is enumerable.
  • removeEventListener(type:String, listener:Function, useCapture:Boolean = false):void (inherited; defined by EventDispatcher)
    Removes a listener from the EventDispatcher object.
  • setPropertyIsEnumerable(name:String, isEnum:Boolean = true):void (inherited; defined by Object)
    Sets the availability of a dynamic property for loop operations.
  • toLocaleString():String (inherited; defined by Object)
    Returns the string representation of this object, formatted according to locale-specific conventions.
  • toString():String (inherited; defined by Object)
    Returns the string representation of the specified object.
  • valueOf():Object (inherited; defined by Object)
    Returns the primitive value of the specified object.
  • verify(signature:XML):void (XMLSignatureValidator)
    Verifies the specified signature.
  • willTrigger(type:String):Boolean (inherited; defined by EventDispatcher)
    Checks whether an event listener is registered with this EventDispatcher object or any of its ancestors for the specified event type.
Events

Event Summary (Defined By)

  • [inherited broadcast event] Dispatched when the Flash Player or AIR application gains operating system focus and becomes active. (EventDispatcher)
  • complete: Dispatched when verification is complete. (XMLSignatureValidator)
  • [inherited broadcast event] Dispatched when the Flash Player or AIR application loses operating system focus and is becoming inactive. (EventDispatcher)
  • error: Dispatched if verification cannot complete because of errors. (XMLSignatureValidator)
Property Detail

digestStatus

property
digestStatus:String  [read-only]

Runtime Versions:  1.0

The validity status of the cryptographic signature computed over the signature SignedInfo element.

The status is:

  • valid — If signature is cryptographically valid.
  • invalid — If the digest has been altered after signing.
  • unknown — If the verify() method has not been called.

Note: If the digestStatus is invalid, the identityStatus and referencesStatus are not checked and will be reported as unknown.


Throws
IllegalOperationError — If accessed while a signature is being validated.

identityStatus

property 
identityStatus:String  [read-only]

Runtime Versions:  1.0

The validity status of the signing certificate.

The status can be:

  • valid — The certificate has not expired, has not failed a revocation check and chains to a trusted root certificate.
  • unknown — The certificate has not expired and has not failed a revocation check, but does not chain to a trusted root certificate. A status of unknown will also be reported when the status has not been verified, either because the verify() method has not been called or because the cryptographic signature of the SignedInfo element (digestStatus) is invalid.
  • invalid — The certificate has expired or fails a revocation check.

The certificates added using the addCertificate() method and the settings of the revocationCheckSetting and the useSystemTrustStore properties can change whether a certificate is considered valid.

Note: If the identityStatus is invalid, the referencesStatus is not checked and will be reported as unknown. In addition, references are not checked when the identityStatus is unknown unless the referencesValidationSetting is validOrUnknownIdentity.


Throws
IllegalOperationError — If accessed while a signature is being validated.

isSupported

property 
isSupported:Boolean  [read-only]

Runtime Versions:  2

The isSupported property is set to true if the XMLSignatureValidator class is supported on the current platform, otherwise it is set to false.

referencesStatus

property 
referencesStatus:String  [read-only]

Runtime Versions:  1.0

The validity status of the data in the references in the signature SignedInfo element.

The status can be:

  • valid — If all references are valid.
  • invalid — If any reference is invalid.
  • unknown — If not verified. References can remain unverified in the following circumstances:
    • the verify() method has not been called
    • the cryptographic signature of the SignedInfo element (digestStatus) is invalid.
    • the signing certificate (identityStatus) is invalid
    • referencesValidationSetting is validIdentity (which is the default setting) and the identityStatus of the signing certificate is unknown.
    • the referencesValidationSetting is never.

Important: External resources are not validated unless they are referenced directly in a SignedInfo element within the signature document. External resources referred to by a secondary reference are not validated. For example, if an XML signature signs a manifest element, only the integrity of the manifest element itself is verified. The files listed in the manifest are not checked.


Throws
IllegalOperationError — If accessed while a signature is being validated.

referencesValidationSetting

property 
referencesValidationSetting:String

Runtime Versions:  1.5

Specifies the conditions under which references are checked.

Use constants defined in the ReferencesValidationSetting class to set this property. The settings include:

  • ReferencesValidationSetting.VALID_IDENTITY — Check references only if the signing certificate is valid and chains to a trusted root. This is the default setting.
  • ReferencesValidationSetting.VALID_OR_UNKNOWN_IDENTITY — Check references if the signing certificate is valid, even if it does not chain to a trusted root.
  • ReferencesValidationSetting.NEVER — Never check references.

Use the default, validIdentity, setting with signatures signed with a commercial certificate or when you supply your own certificate as a trust anchor with the addCertificate() method. This setting avoids the overhead of checking reference validity when the signed document will be rejected anyway.

Use the validOrUnknownIdentity setting with signatures signed with self-signed certificates. This setting allows you to validate that the signed data has not been altered, but does not provide any assurances about the identity of the signer.

Use the never setting to avoid the overhead of validating references when such validation is not important in the context of your application.


Throws
IllegalOperationError — If set while a signature is being validated.
 
ArgumentError — if the setting parameter contains a value not defined in the ReferencesValidationSetting class.

revocationCheckSetting

property 
revocationCheckSetting:String

Runtime Versions:  1.0

Specifies how certificate revocation is checked.

Use constants defined in the RevocationCheckSettings class to set this property. The settings include:

  • RevocationCheckSettings.NEVER — Do not check certificate revocation.
  • RevocationCheckSettings.BEST_EFFORT — Check certificate revocation, if revocation information is available and the revocation status can be obtained. If revocation status cannot be positively determined, the certificate is not rejected.
  • RevocationCheckSettings.REQUIRED_IF_AVAILABLE — If the certificate includes revocation information, the revocation status must be positively determined to validate the certificate.
  • RevocationCheckSettings.ALWAYS_REQUIRED — Always check certificate revocation. Certificates without revocation information are rejected.


Throws
IllegalOperationError — If set while a signature is being validated.

signerCN

property 
signerCN:String  [read-only]

Runtime Versions:  1.0

The Common Name field of the signing certificate.

signerDN

property 
signerDN:String  [read-only]

Runtime Versions:  1.0

The Distinguished Name field of the signing certificate.

signerExtendedKeyUsages

property 
signerExtendedKeyUsages:Array  [read-only]

Runtime Versions:  1.0

An array containing the Extended Key Usages OIDs listed in the signing certificate.

Each extended key usage is reported in numeric OID form.


Throws
IllegalOperationError — If accessed while a signature is being validated.

signerTrustSettings

property 
signerTrustSettings:Array  [read-only]

Runtime Versions:  1.0

An array containing the trust settings of the signing certificate.

Trust settings are derived from the system and the key usage OIDs embedded in the certificate. Constants for the strings representing the recognized trust settings are defined in the SignerTrustSettings class.

The signerTrustSettings array of an unknown or invalid certificate is empty.

Modifying the array does not change the certificate trust settings.


Throws
IllegalOperationError — If accessed while a signature is being validated.

uriDereferencer

property 
uriDereferencer:IURIDereferencer

Runtime Versions:  1.0

The IURIDereferencer implementation.

An IURIDereferencer implementation must be provided before attempting to verify a signature.


Throws
IllegalOperationError — If set while a signature is being validated.

useSystemTrustStore

property 
useSystemTrustStore:Boolean

Runtime Versions:  1.0

Specifies that certificates in the system trust store are used for chain building.

If true, then the trust anchors in the system trust store are used as trusted roots. The system trust store is not used by default.


Throws
IllegalOperationError — If set while a signature is being validated.

validityStatus

property 
validityStatus:String  [read-only]

Runtime Versions:  1.0

The validity status of a verified XML signature.

The XML signature is verified by validating the cryptographic signature of the SignedInfo element, the signing certificate, and the data addressed by the references in the SignedInfo element. The validity of each of these elements is reported individually by the digestStatus, identityStatus, and referencesStatus properties, respectively.

The validity of an XML signature can be valid, invalid, or unknown. The overall status depends on the verification status of the individual components of the signature file:

  • digestStatus — The validity of the cryptographic signature computed over the SignedInfo element.
  • identityStatus — The validity of the signing certificate.
  • referencesStatus — The validity of the digest of the references in the signature SignedInfo element.

The signature validity reported by the validityStatus property can be:

  • valid — If referencesStatus, digestStatus, and identityStatus are all valid.
  • invalid — If any individual status is invalid.
  • unknown — If any individual status is unknown.


Throws
IllegalOperationError — If accessed while a signature is being validated.

Constructor Detail

XMLSignatureValidator

Constructor
public function XMLSignatureValidator()

Runtime Versions:  1.0

Creates an XMLSignatureValidator object.

You must set the uriDereferencer property before calling the verify() method of the new object.

Method Detail

addCertificate

method
public function addCertificate(cert:ByteArray, trusted:Boolean):*

Runtime Versions:  1.0

Adds an x509 certificate for chain building.

The certificate added must be a DER-encoded x509 certificate.

If the trusted parameter is true, the certificate is considered a trust anchor.

Note: An XML signature may include certificates for building the signer's certificate chain. The XMLSignatureValidator class uses these certificates for chain building, but not as trusted roots (by default).

Parameters

cert:ByteArray — A ByteArray object containing a DER-encoded x509 digital certificate.
 
trusted:Boolean — Set to true to designate this certificate as a trust anchor.

Returns
*

Throws
IllegalOperationError — If called while a signature is being validated.

verify

method
public function verify(signature:XML):void

Runtime Versions:  1.0

Verifies the specified signature.

Verification is asynchronous. The XMLSignatureValidator object dispatches a complete event when verification completes successfully or an error event if verification cannot complete because of errors.

The verification process cannot be cancelled. While a verification process is under way, subsequent calls to the verify() method fail. After the current verification check is complete, you can call the verify() method again.

Note: Because the XMLSignatureValidator only implements a subset of the W3C recommendation for XML Signature Syntax and Processing, not all valid XML signatures can be verified.

Parameters

signature:XML — The XML signature to verify.


Events
complete:Event — Dispatched when verification completes successfully.
 
error:ErrorEvent — Dispatched if the verification of references encounters an error.

Throws
IllegalOperationError — If called while a signature is being validated.
 
Error — If other errors are encountered, such as non-well-formed XML or unsupported elements in the signature file.
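
The verification procedure, the status rules, and the referencesValidationSetting choices described on this page, as an added JavaScript example that is not part of the Adobe reference. It assumes `runtime` is the AIR bridge object (window.runtime in an AIR HTML application) and that the IURIDereferencer contract is a dereference(ref) method returning an IDataInput such as a ByteArray, with ref.uri carrying the URI from the Reference element; those names are assumptions, not taken from this page.

```javascript
// Added example, not code from the Adobe reference. Models the documented status
// rules of XMLSignatureValidator and wraps the asynchronous verify() call behind a
// callback. `runtime` is assumed to be the AIR bridge object (window.runtime);
// dereference(ref)/ref.uri is the assumed IURIDereferencer contract.

const VALID = 'valid', INVALID = 'invalid', UNKNOWN = 'unknown';

// Statuses the validator reports for given component outcomes and setting.
// checks: { verified, digest, identity, references }, statuses 'valid'|'invalid'|'unknown'
// setting: 'validIdentity' (default) | 'validOrUnknownIdentity' | 'never'
function reportedStatuses(checks, setting) {
  const s = { digestStatus: UNKNOWN, identityStatus: UNKNOWN, referencesStatus: UNKNOWN };
  if (!checks.verified) return withOverall(s);             // verify() not called yet
  s.digestStatus = checks.digest;
  if (s.digestStatus === INVALID) return withOverall(s);   // identity, references skipped
  s.identityStatus = checks.identity;
  if (s.identityStatus === INVALID) return withOverall(s); // references skipped
  const checkRefs = setting === 'validOrUnknownIdentity' ||
                    (setting === 'validIdentity' && s.identityStatus === VALID);
  if (checkRefs) s.referencesStatus = checks.references;   // 'never' leaves it unknown
  return withOverall(s);
}

// validityStatus: invalid if any part is invalid, valid only if all parts are valid.
function withOverall(s) {
  const parts = [s.digestStatus, s.identityStatus, s.referencesStatus];
  s.validityStatus = parts.includes(INVALID) ? INVALID
                   : parts.every(p => p === VALID) ? VALID : UNKNOWN;
  return s;
}

// Application policy. A self-signed signer never yields validityStatus 'valid', so
// integrity-only acceptance must read the component statuses; it says nothing about
// who signed. Supplying your own anchor via addCertificate(cert, true) is preferable.
function acceptSignature(s, allowUnknownIdentity) {
  if (s.validityStatus === VALID) return true;
  return allowUnknownIdentity && s.validityStatus === UNKNOWN &&
         s.digestStatus === VALID && s.referencesStatus === VALID;
}

// Drives the runtime validator. resolver(uri) returns an IDataInput (e.g. ByteArray)
// holding the referenced bytes; opts.trustAnchors are DER-encoded certificate ByteArrays.
// done(err, statuses, accepted) is called once.
function verifyWithRuntime(runtime, signatureXml, resolver, opts, done) {
  const sec = runtime.flash.security, ev = runtime.flash.events;
  if (!sec.XMLSignatureValidator.isSupported) {
    return done(new Error('XMLSignatureValidator is not supported on this platform'));
  }
  const v = new sec.XMLSignatureValidator();
  v.uriDereferencer = { dereference: ref => resolver(ref.uri) };   // assumed contract
  v.referencesValidationSetting = opts.allowUnknownIdentity
    ? sec.ReferencesValidationSetting.VALID_OR_UNKNOWN_IDENTITY
    : sec.ReferencesValidationSetting.VALID_IDENTITY;
  v.revocationCheckSetting = sec.RevocationCheckSettings.BEST_EFFORT;
  v.useSystemTrustStore = !!opts.useSystemTrustStore;   // system store is off by default
  (opts.trustAnchors || []).forEach(der => v.addCertificate(der, true));
  v.addEventListener(ev.Event.COMPLETE, () => {
    // complete does not mean valid: the outcome is in the status properties
    const s = { digestStatus: v.digestStatus, identityStatus: v.identityStatus,
                referencesStatus: v.referencesStatus, validityStatus: v.validityStatus,
                signerCN: v.signerCN, signerDN: v.signerDN };
    done(null, s, acceptSignature(s, !!opts.allowUnknownIdentity));
  });
  v.addEventListener(ev.ErrorEvent.ERROR, e => done(new Error('verification error: ' + e.text)));
  try { v.verify(signatureXml); }   // throws synchronously on malformed or unsupported XML
  catch (err) { done(err); }
}
```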
Event Detail

complete

Event
Event Object Type: flash.events.Event
property Event.type = flash.events.Event.COMPLETE

Runtime Versions:  1.0

Dispatched when verification is complete.

A complete event does not imply that the signature is valid. Check the validityStatus property of the XMLSignatureValidator object to determine the outcome of the signature verification.

The Event.COMPLETE constant defines the value of the type property of a complete event object.

This event has the following properties:

  • bubbles: false
  • cancelable: false; there is no default behavior to cancel.
  • currentTarget: The object that is actively processing the Event object with an event listener.
  • target: The network object that has completed loading.

error

Event  
Event Object Type: flash.events.ErrorEvent
property ErrorEvent.type = flash.events.ErrorEvent.ERROR

Runtime Versions:  1.0

Dispatched if verification cannot complete because of errors.

Defines the value of the type property of an error event object.

This event has the following properties:

  • bubbles: false
  • cancelable: false; there is no default behavior to cancel.
  • currentTarget: The object that is actively processing the Event object with an event listener.
  • target: The object experiencing a network operation failure.
  • text: Text to be displayed as an error message.