Verifying Digital Signatures

Digital signatures can be verified to ensure that a signed PDF document was not modified and that the digital signature is valid. When verifying a digital signature, you can check the signature’s status and the signature’s properties, such as the signer’s identity. Before trusting a digital signature, it is recommended that you verify it. When verifying a digital signature, reference a PDF document that contains a digital signature.

Assume that the identity of the signer is unknown. When you open the PDF document in Acrobat, a warning message states that the signer’s identity is unknown, as shown in the following illustration.

Likewise, when you programmatically verify a digital signature, you can determine the status of the signer’s identity. For example, if you verify the digital signature in the document shown in the previous illustration, the result would be that the signer’s identity is unknown.

Remarque : For more information about the Signature service and verifying digital signatures, see Services Reference for LiveCycle.

Summary of steps

To verify a digital signature, perform the following tasks:

  1. Include project files.

  2. Create a Signature client.

  3. Get the PDF document that contains the signature to verify.

  4. Set PKI run-time options.

  5. Verify the digital signature.

  6. Determine the status of the signature.

  7. Determine the identity of the signer.

Include project files

Include the necessary files in your development project. If you are creating a client application using Java, include the necessary JAR files. If you are using web services, include the proxy files.

The following JAR files must be added to your project’s classpath:

  • adobe-livecycle-client.jar

  • adobe-usermanager-client.jar

  • adobe-signatures-client.jar

  • adobe-utilities.jar (required if LiveCycle is deployed on JBoss)

  • jbossall-client.jar (required if LiveCycle is deployed on JBoss)

For information about the location of these JAR files, see Including LiveCycle Java library files.

Create a Signature client

Before you programmatically perform a Signature service operation, create a Signature service client.

Get the PDF document that contains the signature to verify

To verify a signature used to digitally sign or certify a PDF document, obtain a PDF document that contains a signature.

Set PKI run-time options

Set these PKI run-time options that the Signature service uses when verifying signatures in a PDF document:

  • Verification time

  • Revocation checking

  • Time-stamping values

As part of setting these options, you can specify verification time. For example, you can select current time (the time on the validator’s computer), which indicates to use the current time. For information about the different time values, see the VerificationTime enumeration value in LiveCycle API Reference.

You can also specify whether to perform revocation checking as part of the verification process. For example, you can perform a revocation check to determine whether the certificate is revoked. For information about the revocation-checking options, see the RevocationCheckStyle enumeration value in LiveCycle API Reference.

To perform revocation checking on a certificate, specify a URL to a certificate revocation list (CRL) server by using a CRLOptionSpec object. However, if you do not specify a URL to CRL server, the Signature service obtains the URL from the certificate.

Instead of using a CRL server, you can use an online certificate status protocol (OCSP) server when performing revocation checking. Typically, when using an OCSP server as opposed to a CRL server, the revocation check is performed faster. (See Online Certificate Status Protocol.)

You can set the CRL and OCSP server order that the Signature service uses by using Adobe Applications and Services. For example, if the OCSP server is set first in Adobe Applications and Services, then the OCSP server is checked, followed by the CRL server.

If you do not perform revocation checking, the Signature service does not check whether the certificate is revoked. That is, CRL and OCSP server information is ignored.

Remarque : You can override the URL specified in the certificate by using a CRLOptionSpec and an OCSPOptionSpec object. For example, to override the CRL server, you can invoke the CRLOptionSpec object’s setLocalURI method.

Time stamping is the process of tracking the time when a signed or certified document was modified. After a document is signed, no one can modify it. Time stamping helps enforce the validity of a signed or certified document. You can set time stamping options using a TSPOptionSpec object. For example, you can specify the URL of a time stamping provider (TSP) server.

Remarque : In the Java and web service quick starts, the verification time is set to VerificationTime.CURRENT_TIME and revocation checking is set to RevocationCheckStyle.BestEffort. Because no CRL or OCSP server information is specified, the server information is obtained from the certificate.

Verify the digital signature

To successfully verify a signature, specify the fully qualified name of the signature field that contains the signature, such as form1[0].#subform[1].SignatureField3[3]. When using an XFA form field, you can also use the partial name of the signature field : SignatureField3.

By default, the Signature service limits the amount of time that a document can be signed after validation time to 65 min. If a user attempts to verify a signature at current time and the sign time is later than the current time and is within 65 min, the Signature service does not create a verification error.

Remarque : For other values that you require when verifying a signature, see LiveCycle API Reference.

Determine the status of the signature

As part of verifying a digital signature, you can check the status of the signature.

Determine the identity of the signer

You can determine the identity of the signer, which can be one of the following values:

  • Unknown: This signer is unknown because the signer verification cannot be performed.

  • Trusted: This signer is trusted.

  • Not trusted: This signer is not trusted.

Verify digital signatures using the Java API

Verify a digital signature by using the Signature Service API (Java):

  1. Include project files

    Include client JAR files, such as adobe-signatures-client.jar, in your Java project’s classpath.

  2. Create a Signature client

    • Create a ServiceClientFactory object that contains connection properties.

    • Create a SignatureServiceClient object by using its constructor and passing the ServiceClientFactory object.

  3. Get the PDF document that contains the signature to verify

    • Create a java.io.FileInputStream object that represents the PDF document that contains the signature to verify by using its constructor. Pass a string value that specifies the location of the PDF document.

    • Create a com.adobe.idp.Document object by using its constructor and passing the java.io.FileInputStream object.

  4. Set PKI run-time options

    • Create a PKIOptions object by using its constructor.

    • Set the verification time by invoking the PKIOptions object’s setVerificationTime method and passing a VerificationTime enumeration value that specifies the verification time.

    • Set the revocation-checking option by invoking PKIOptions object’s setRevocationCheckStyle method and passing a RevocationCheckStyle enumeration value that specifies whether to perform revocation checking.

  5. Verify the digital signature

    Verify the signature by invoking the SignatureServiceClient object’s verify2 method and passing the following values:

    • A com.adobe.idp.Document object that contains a digitally signed or certified PDF document.

    • A string value that represents the signature field name that contains the signature to verify.

    • A PKIOptions object that contains PKI run-time options.

    • A VerifySPIOptions instance that contains SPI information. You can specify null for this parameter.

    The verify2 method returns a PDFSignatureVerificationInfo object that contains information that can be used to verify the digital signature.

  6. Determine the status of the signature

    • Determine the signature’s status by invoking the PDFSignatureVerificationInfo object’s getStatus method. This method returns a SignatureStatus object that specifies the signature status. For example, if a signed PDF document is not modified, this method returns SignatureStatus.DocumentSigNoChanges.

  7. Determine the identity of the signer

    • Determine the signer’s identity by invoking the PDFSignatureVerificationInfo object’s getSigner method. This method returns an IdentityInformation object.

    • Invoke the IdentityInformation object’s getStatus method to determine the signer’s identity. This method returns an IdentityStatus enumeration value that specifies the identity. For example, if the signer is trusted, this method returns IdentityStatus.TRUSTED.

Verify digital signatures using the web service API

Verify a digital signature by using the Signature Service API (web service):

  1. Include project files

    Create a Microsoft .NET project that uses MTOM. Ensure that you use the following WSDL definition: http://localhost:8080/soap/services/SignatureService?WSDL&lc_version=9.0.1.

    Remarque : Replace localhost with the IP address of the server hosting LiveCycle.
  2. Create a Signature client

    • Create a SignatureServiceClient object by using its default constructor.

    • Create a SignatureServiceClient.Endpoint.Address object by using the System.ServiceModel.EndpointAddress constructor. Pass a string value that specifies the WSDL to the LiveCycle service (for example, http://localhost:8080/soap/services/SignatureService?WSDL). You do not need to use the lc_version attribute. This attribute is used when you create a service reference.)

    • Create a System.ServiceModel.BasicHttpBinding object by getting the value of the SignatureServiceClient.Endpoint.Binding field. Cast the return value to BasicHttpBinding.

    • Set the System.ServiceModel.BasicHttpBinding object’s MessageEncoding field to WSMessageEncoding.Mtom. This value ensures that MTOM is used.

    • Enable basic HTTP authentication by performing the following tasks:

      • Assign the LiveCycle user name to the field SignatureServiceClient.ClientCredentials.UserName.UserName.

      • Assign the corresponding password value to the field SignatureServiceClient.ClientCredentials.UserName.Password.

      • Assign the constant value HttpClientCredentialType.Basic to the field BasicHttpBindingSecurity.Transport.ClientCredentialType.

      • Assign the constant value BasicHttpSecurityMode.TransportCredentialOnly to the field BasicHttpBindingSecurity.Security.Mode.

  3. Get the PDF document that contains the signature to verify

    • Create a BLOB object by using its constructor. The BLOB object is used to store a PDF document that contains a digital or certified signature to verify.

    • Create a System.IO.FileStream object by invoking its constructor. Pass a string value that represents the file location of the signed PDF document and the mode in which to open the file.

    • Create a byte array that stores the content of the System.IO.FileStream object. You can determine the size of the byte array by getting the System.IO.FileStream object’s Length property.

    • Populate the byte array with stream data by invoking the System.IO.FileStream object’s Read method. Pass the byte array, the starting position, and the stream length to read.

    • Populate the BLOB object by assigning its MTOM property the contents of the byte array.

  4. Set PKI run-time options

    • Create a PKIOptions object by using its constructor.

    • Set the verification time by assigning the PKIOptions object’s verificationTime data member a VerificationTime enumeration value that specifies the verification time.

    • Set the revocation-checking option by assigning the PKIOptions object’s revocationCheckStyle data member a RevocationCheckStyle enumeration value that specifies whether to perform revocation checking.

  5. Verify the digital signature

    Verify the signature by invoking the SignatureServiceClient object’s verify2 method and passing the following values:

    • The BLOB object that contains a digitally signed or certified PDF document.

    • A string value that represents the signature field name that contains the signature to verify.

    • A PKIOptions object that contains PKI run-time options.

    • A VerifySPIOptions instance that contains SPI information. You can specify null for this parameter.

    The verify2 method returns a PDFSignatureVerificationInfo object that contains information that can be used to verify the digital signature.

  6. Determine the status of the signature

    Determine the signature’s status by getting the value of the PDFSignatureVerificationInfo object’s status data member. This data member stores a SignatureStatus object that specifies the signature’s status. For example, if a signed PDF document is modified, the status data member stores the value SignatureStatus.DocumentSigNoChanges.

  7. Determine the identity of the signer

    • Determine the signer’s identity by retrieving the value of the PDFSignatureVerificationInfo object’s signer data member. This member returns an IdentityInformation object.

    • Retrieve the IdentityInformation object’s status data member to determine the signer’s identity. This data member returns an IdentityStatus enumeration value that specifies the identity. For example, if the signer is trusted, this member returns IdentityStatus.TRUSTED.