Verify PDF Signature operation

Verifies the signature in a signature field and returns information about the signature. Verification includes the signed content and the identity of the signer. After the verification occurs, an error occurs to indicate that the document was signed in the future. The error occurs because the signature, which is being verified, was applied at a time that is more than 65 min. You can change this setting in Administration Console. (See Applications and Services Administration Help) The trust settings that are used are configured in Trust Store. Before identities of signers can be verified, they must be added in Trust Store. (See Trust Store Management Help.)

For example, your application must verify the identity and trust chain of people who signed the PDF document. You use the Verify PDF Signature operation to verify that the identity and trust chain of the signer.

For information about the General and Route Evaluation property groups, see Common operation properties.

Common properties

Properties that specify the input PDF document and verification information.

Input PDF

A document value that represents a PDF document that contains a signature to verify.

If you provide a literal value, clicking the ellipsis button opens the Select Asset dialog box. (See About Select Asset.)

When you provide a PDF document that has signed signature fields, it populates the Signature Field Name property as a list. The list contains fully qualified names of the signed signature fields in the PDF document.

Signature Field Name

A string value that represents the name of the signature field that contains a signature to verify. Use a fully qualified name for the signature field. When using a PDF document based on a form created in Designer, the partial name of the signature field can be used. For example, form1[0].#subform[1].SignatureField3[3] can be specified as SignatureField3[3].

If you provide a literal value for the Signature Field Name property and a literal value is provided in the Input PDF property, a list appears. Select one of the values from the list of fully qualified names. Each fully qualified name represents a signed signature field in the provided PDF document.

PKI Options properties

Properties to specify revocation-checking style, verification time, path validation, time-stamping, certification revocation lists, and online certificate status protocol settings for verifying the PDF document.

Revocation Check Style

A RevocationCheckStyle value that specifies the revocation-checking style used for verifying the trust status of the CRL provider’s certificate from its observed revocation status.

If you provide a literal value, select one of these values:

NoCheck:
Does not check for revocation.

BestEffort:
Checks for revocation of all certificates when possible.

CheckIfAvailable:
(Default) Checks for revocation of all certificates only when revocation information is available.

AlwaysCheck:
Checks for revocation of all certificates.

Verification Time

(Optional) A VerificationTime value that specifies the verification time to use. The default value is Secure Time Else Current Time.

If you provide a literal value, select one of these values:

Signing Time:
The time that the signature was applied as given by the signer's computer.

Current Time:
The time that the verification operation is being carried out.

Secure Time Else Current Time:
The time specified by a trusted time-stamping authority.

If you specify Secure Time Else Current Time and validation returns a status of unknown with a trusted timestamp, the validation is checked using Current Time.

OCSP Options Spec

(Optional) An OCSPOptionSpec value that represents settings for using Online Certificate Status Protocol (OCSP) revocation checking. To provide a literal value, specify the following options.

URL to Consult Option: Sets the list and order of the OCSP servers used to perform the revocation check. Select one of these values:

UseAIAInCert:
(Default) Use the URL of an online certificate status protocol server specified in the Authority Information Access (AIA) extension in the certificate. The AIA extension is used to identify how to access certificate authority (CA) information and services for the issuer of the certificate.

LocalURL:
Use the specified URL for the OCSP server specified in the OCSP Server URL option.

UseAIAIfPresentElseLocal:
Use the URL of the OCSP server specified in the AIA extension in the certificate if present. If the AIA extension is not present in the certificate, use the URL that is configured in the OCSP Server URL.

UseAIAInSignerCert:
Use the URL of the OCSP server specified in the AIA extension in the OCSP request of the signer certificate.
OCSP Server URL:
Sets the URL of the configured OCSP server. The value is used only when the LocalURL or UseAIAIfPresentElseLocal values are in URL To Consult Option.

Revocation Check Style:
Sets the revocation-checking style that is used for verifying the trust status of the CRL provider’s certificate from its observed revocation status. Select one of these values:

Sets the URL of the configured OCSP server. The value is used only when the LocalURL or UseAIAIfPresentElseLocal values are in URL To Consult Option.

Revocation Check Style:

Sets the revocation-checking style that is used for verifying the trust status of the CRL provider’s certificate from its observed revocation status. Select one of these values:

NoCheck:
Does not check for revocation.

BestEffort:
Checks for revocation of all certificates when possible.

CheckIfAvailable:
(Default) Checks for revocation of all certificates only when revocation information is available.

AlwaysCheck:
Checks for revocation of all certificates.
Max Clock Skew Time (Minutes):
Sets the maximum allowed skew, in minutes, between response time and local time. Valid skew times are 0 - 2147483647 min. The default value is 5 min.

Response Freshness Time (Minutes):
Sets the maximum time, in minutes, for which a preconstructed OCSP response is considered valid. Valid response freshness times are 1- 2147483647 min. The default value is 525600 min. (one year).

Send Nonce:
Select this option to send a nonce with the OCSP request. A nonce is a parameter that varies with time. These parameters can be a timestamp, a visit counter on a web page, or a special marker. The parameter is intended to limit or prevent the unauthorized replay or reproduction of a file. When the option deselected, a nonce is not sent with the request. By default, the option is selected.

Sign OCSP Request:
Select this option to specify that the OCSP request must be signed. When the option is deselected, the OCSP request does not need be signed. By default, the option deselected.

Request Signer Credential Alias:
Sets the credential alias used for signing the OCSP request when signing is enabled.

Go Online for OCSP:
Select this option to access the network for OCSP information. The network can be accessed to retrieve OCSP information for OCSP checking. The LiveCycle Server uses embedded and cached OCSP information when possible to reduce the amount of network traffic generated due to OCSP checking. When the option is deselected, OCSP checking is not retrieved from the network, and only embedded and cached OCSP information is used. By default, the option is selected.

Ignore Validity Dates:
Select this option to use the OCSP response thisUpdate and nextUpdate times. Ignoring these response times prevents any negative effect on response validity. The thisUpdate and nextUpdate times are retrieved from external sources by using HTTP or LDAP, and can be different for each revocation information. When the option is deselected, the thisUpdate and nextUpdate times are ignored. By default, the option is deselected.

Allow OCSP NoCheck Extension:
Select this option to allow an OCSPNoCheck extension in the response signing certificate. An OCSPNoCheck extension can be present in the OCSP Responder’s certificate to prevent infinite loops from occurring during the validation process. When the option is deselected, the OCSPNoCheck extension is not used. By default, the option is selected.

Require OCSP ISIS-MTT CertHash Extension:
Select this option to specify that certificate public key hash (CertHash) extensions must be present in OCSP responses. This extension is required for SigQ validation. SigQ compliance requires the CertHash extension to be in the OCSP responder certificate. Select this option when processing for SigQ compliance and supported OCSP responders. When the option is deselected, the CertHash extension presence in the OCSP response is not required. By default, the option is deselected.

Sets the maximum allowed skew, in minutes, between response time and local time. Valid skew times are 0 - 2147483647 min. The default value is 5 min.

Response Freshness Time (Minutes):

Sets the maximum time, in minutes, for which a preconstructed OCSP response is considered valid. Valid response freshness times are 1- 2147483647 min. The default value is 525600 min. (one year).

Send Nonce:

Select this option to send a nonce with the OCSP request. A nonce is a parameter that varies with time. These parameters can be a timestamp, a visit counter on a web page, or a special marker. The parameter is intended to limit or prevent the unauthorized replay or reproduction of a file. When the option deselected, a nonce is not sent with the request. By default, the option is selected.

Sign OCSP Request:

Select this option to specify that the OCSP request must be signed. When the option is deselected, the OCSP request does not need be signed. By default, the option deselected.

Request Signer Credential Alias:

Sets the credential alias used for signing the OCSP request when signing is enabled.

Go Online for OCSP:

Select this option to access the network for OCSP information. The network can be accessed to retrieve OCSP information for OCSP checking. The LiveCycle Server uses embedded and cached OCSP information when possible to reduce the amount of network traffic generated due to OCSP checking. When the option is deselected, OCSP checking is not retrieved from the network, and only embedded and cached OCSP information is used. By default, the option is selected.

Ignore Validity Dates:

Select this option to use the OCSP response thisUpdate and nextUpdate times. Ignoring these response times prevents any negative effect on response validity. The thisUpdate and nextUpdate times are retrieved from external sources by using HTTP or LDAP, and can be different for each revocation information. When the option is deselected, the thisUpdate and nextUpdate times are ignored. By default, the option is deselected.

Allow OCSP NoCheck Extension:

Select this option to allow an OCSPNoCheck extension in the response signing certificate. An OCSPNoCheck extension can be present in the OCSP Responder’s certificate to prevent infinite loops from occurring during the validation process. When the option is deselected, the OCSPNoCheck extension is not used. By default, the option is selected.

Require OCSP ISIS-MTT CertHash Extension:

Select this option to specify that certificate public key hash (CertHash) extensions must be present in OCSP responses. This extension is required for SigQ validation. SigQ compliance requires the CertHash extension to be in the OCSP responder certificate. Select this option when processing for SigQ compliance and supported OCSP responders. When the option is deselected, the CertHash extension presence in the OCSP response is not required. By default, the option is deselected.

CRL Options Spec

(Optional) A CRLOptionSpec value that represents the certificate revocation list (CRL) preferences when CRL is used to perform revocation checking. If you provide a literal value, specify the following options.

Consult Local URI First:
Select this option to use the CRL location provided as a local URI before any specified locations within a certificate. The CRL location provided is used for revocation checking. When this option is selected, it means the local URI is used first. When this option is deselected, the locations specified in the certificate before using the local URI are used. By default, the option is deselected.

Local URI for CRL Lookup:
Sets the URL for the local CRL store. This value is used only if the Consult Local URI First option is selected. No default value is provided.

Revocation Check Style:
Sets the revocation-checking style used for verifying the trust status of the CRL provider’s certificate from its observed revocation status. Select one of these values:
  • NoCheck: Does not check for revocation.

  • BestEffort: (Default) Checks for revocation of all certificates when possible.

  • CheckIfAvailable: Checks for revocation of all certificates only when revocation information is available.

  • AlwaysCheck: Checks for revocation of all certificates.

LDAP Server:
Sets the URL or path of the Lightweight Directory Access Protocol (LDAP) server used to retrieve information about the certificate revocation list (CRL). The LDAP server searches for CRL information using the distinguished name (DN) according to the rules specified in RFC 3280, section 4.2.1.14. For example, you can type www.ldap.com for the URL or ldap://ssl.ldap.com:200 for the path and port. No default value is provided.

Go Online for CRL Retrieval:
Select this option to access the network to retrieve CRL information. CRL information is cached on the server to improve network performance. CRL information is retrieved online only when necessary. When this option is deselected, CRL information is not retrieved online. By default, the option is selected.

Ignore Validity Dates:
Select this option to use thisUpdate and nextUpdate times. Ignoring the response’s thisUpdate and nextUpdate times prevents any negative effect on response validity. The thisUpdate and nextUpdate times are retrieved from external sources by using HTTP or LDAP and can be different for each revocation information. When the option is deselected, the thisUpdate and nextUpdate time are ignored. By default, the option deselected.

Require AKI Extension in CRL:
Select this option to specify that the Authority Key Identifier (AKI) extension must be present in the CRL. The AKI extension can be used for CRL validation. When this option is deselected, the presence of the AKI extension the CRL is not required. By default, the option is deselected.

Path Validation Options Spec

(Optional) A PathValidationOptionSpec that represents the settings that control RFC3280-related path validation options. For example, you can indicate whether policy mapping is allowed in the certification path. (See RFC 3280). If you provide a literal value, you can set the following options.

Require Explicit Policy:
Select this option to specify that the path must be valid for at least one of the certificate policies in the user initial policy set. When this option is deselected, the path validity is not required. By default, the option is deselected.

Inhibit Any Policy:
Select this option to specify that a policy object identifier (OID) must be processed if it is included in a certificate. When deselected, any policy can be selected. By default, the option is deselected.

Check All Paths:
Select this option to require that all paths to a trust anchor must be validated. When this option is deselected, all paths to a trust anchor are not validated. By default, the option is deselected.

Inhibit Policy Mapping:
Select this option to allow policy mapping in the certification path. When this option is deselect, policy mapping is not allowed in the certification path. By default, the option is deselected.

LDAP Server:
Sets the URL or path of the Lightweight Directory Access Protocol (LDAP) server used to retrieve information about the certificate revocation list (CRL). The LDAP server searches for CRL information using the distinguished name (DN) according to the rules specified in RFC 3280, section 4.2.1.14. For example, you can type www.ldap.com for the URL or ldap://ssl.ldap.com:200 for the path and port. No default value is provided.

Follow URIs in Certificate AIA:
Select this option to specify to follow any URIs specified in the certificate’s Authority Information Access (AIA) extension for path discovery. The AIA extension specifies where to find up-to-date certificates. When this option is deselected, no URIs are processed in the AIA extension from the certificate. By default, the option is deselected.

Basic Constraints Extension Required in CA Certificates:
Select this option to specify that the certificate authority (CA) Basic Constraints certificate extension must be present for CA certificates. Some early German certified root certificates (7 and earlier) are not compliant to RFC 3280 and do not contain the basic constraint extension. If it is known that a user's EE certificate chains up to such a German root, deselect this option. When this option is deselected, the presence of the CA Basic Constraints certificate in CA certificates is not required. By default, the value is selected.

Require Valid Certificate Signature During Chain Building:
Select this option to require that all Digital Signature Algorithm (DSA) signatures on certificates be valid before a chain is built. For example, in a chain CA > ICA > EE where the signature for EE is not valid, the chain building stops at ICA. EEs are not included in the chain. When this option is deselected, the entire chain is built regardless of whether an invalid DSA signature is encountered. By default, the option is deselected.

TSP Options Spec

(Optional) A TSPOptionSpec value that represents the settings that define time-stamping information applied to the certified signature. Only the Revocation Check Style (tspRevocationCheckStyle data item) option is used from the TSPOptionSpec value.

If you provide a literal value, specify the following option.

Revocation Check Style:
A list that specifies the revocation-checking style used for verifying the trust status of the CRL provider’s certificate from its observed revocation status. Select one of these values:
NoCheck:
Does not check for revocation.

BestEffort:
(Default) Checks for revocation of all certificates when possible.

CheckIfAvailable:
Checks for revocation of all certificates only when revocation information is available.

AlwaysCheck:
Checks for revocation of all certificates.

Use Expired Timestamps:
Select this option to use timestamps that have expired during the validation of the certificate. When this option is deselected, expired timestamps are not used. By default, this option is selected.

SPI Options properties

Properties to specify the name and properties passed to a custom SPI for verifying the PDF signature. For example, you use a custom signature handler. The custom signature handler can reference a security credential stored in locations that are accessible over a network instead of the LiveCycle trust store. For information about creating custom service providers, see Programming with LiveCycleES2.5 .

Name of SPI Service

(Optional) A string value that specifies the name of the SPI.

Properties Map To Be Passed To SPI

(Optional) A map of string values that specifies the properties passed to the SPI to verify the certificate.

If you provide a literal value, clicking the ellipsis button  opens the SPI Properties dialog box. (See SPI Properties.)

The file you choose must contain a property-value pair. Each property-value pair must be formatted as [property name]=[value], where [property name] is the name of the property and [value] is the value assigned to the property. The design of the SPI determines the property- value pairs that is used.

Output properties

Property to specify the verification result.

PDF Signature Verification Result

The location in the process data model to store information about the signature and its validity status. The data type is PDFSignatureVerificationInfo.

// Ethnio survey code removed