Signature verification is a series of operations performed by the signature checkers. These checkers consist of structural checkers and signing certificate checker. The certificate checker performs the structural validation chain validation and revocation status control for a signing certificate. Certificate revocation status control needs CRL or OCSP Response valid in signing time. Certificate validation requires validation policy file. This XML file can be configured by adjusting several parameters. See the section Parameters or the class EParameters fot the list of the parameters.
The class SignedDataValidation is responsible for signature verification. By using its method verify(…), you can perform verification. It takes the signature to be verified and verification parameters as input. This method verifies the signed document as a whole. If any of the signatures in the document is invalid, then verify(…) returns false. The sample code for signature verification:
byte[] signedData = AsnIO.dosyadanOKU(SIGNATURE_FILE);
ValidationPolicy policy= PolicyReader.readValidationPolicy(new FileInputStream(POLICY_FILE));
Hashtable<String, Object> params = new Hashtable<String, Object>();
params.put(EParameters.P_CERT_VALIDATION_POLICY, policy);
SignedDataValidation sdv = new SignedDataValidation();
SignedDataValidationResult sdvr = sdv.verify(signedData, params);
if(sdvr.getSDStatus() != SignedData_Status.ALL_VALID)
System.out.println("İmzaların hepsi doğrulamadı");
System.out.println(sdvr.toString());
byte[] signedData = AsnIO.dosyadanOKU(SIGNATURE_FILE);
ValidationPolicy policy = PolicyReader.readValidationPolicy(new FileStream(POLICY_FILE,
FileMode.Open,
FileAccess.Read));
Dictionary<String, Object> params_ = new Dictionary<String, Object>();
params_[EParameters.P_CERT_VALIDATION_POLICY] = policy;
SignedDataValidation sdv = new SignedDataValidation();
SignedDataValidationResult sdvr = sdv.verify(signedData, params_);
if (sdvr.getSDStatus() != SignedData_Status.ALL_VALID)
Console.WriteLine("İmzaların hepsi doğrulamadı");
Console.WriteLine(sdvr.ToString());
If the signature is attached, the method getContent() of the class BaseSignedData can be used to get the signed content.
“verify” returns an object of the class SignatureValidationResult. The method getSDStatus() of this class takes the value ALL_VALID if all of the signatures in the document are verified successfully, and NOT_ALL_VALID if any fails. By using toString() you can get control results as textual explanations.
The validation result of a specific signature is accessed by traversing in the validation result tree. The following code demonstrates accessing the validation result of the first counter signature of the first parallel signature.
BaseSignedData bs = getBaseSignedData();
SignedDataValidationResult sdvr = getValidationResult();
SignerfirstCounterSigner = bs.getSignerList().get(0).getCounterSigners().get(0);
SignatureValidationResultfirstCounterSignerVR = sdvr.
getSDValidationResults().get(0).
getCounterSigValidationResults().
get(0);
BaseSignedData bs = getBaseSignedData();
SignedDataValidationResult sdvr = getValidationResult();
Signer firstCounterSigner = bs.getSignerList()[0].getCounterSigners()[0];
SignatureValidationResult firstCounterSignerVR = sdvr.getSDValidationResults()[0].
getCounterSigValidationResults()[0];
The validation result of each signature is stored in SignatureValidationResult objects. A validation result of a signature also contains the validation results of its counter signatures. The methof toString() of an object of the class SignatureValidationResult returns textual validation results of the signature and its counter signatures. If only the validation details of the signature is wanted, not those of its counter signatures, then the method getValidationDetails() must be used. As the signature type gets more advanced, the number of control operations and certificates increase. Since timestamps are also added to the signature as another signed data, they should also be verified.
The method getSignatureStatus() of the class SignatureValidationResult returns the signature status as an object of the class Signature_Status. If the result INCOMPLETE means the certificate validation data could not be reached.
For the complete verification of a signature , a certain time after the signature creation has to pass in order for the certificate revocation information to be updated. This period is called “grace period”. In the API, this period can be specified by the parameter P_GRACE_PERIOD and it is 86400 seconds (1 day) by default.
Sometimes, signature verification is performed before the grace period passes, which is called pre-validation and does not provide an absolute validation information. For an absolute result, the grace period must be wait.
In that sense, the result of the pre-validation is indicated by premature whereas the absolute validation result is indicated by MATURE in the API. The code below, shows how to get the status of a signature validation result.
SignedDataValidationResultsdvr = getValidationResult();
if(sdvr.getSDValidationResults().
get(0).getValidationState() == ValidationState.PREMATURE)
System.out.println("Ön doğrulama yapıldı.");
SignedDataValidationResult sdvr = getValidationResult();
if (sdvr.getSDValidationResults()[0].getValidationState() == ValidationState.PREMATURE)
Console.WriteLine("Ön doğrulama yapıldı");
In rare cases, the result of pre-validation is different from the result of complete validation. This may happen when the signing certificate was valid during pre-validation but revoked at the time of complete validation. Revocation of a certificate due to the stolen smartcard of a user may cause this.
The grace period is pretty short for OCSP Responses while CRL requires a longer grace period. The document “E-Signature Profiles” states that tie grace period for OCSP is negligable and can be ignored. Therefore using OCSP provides great advantage since it does not require any grace period to be wait for.
When a detached signature is verified, the content must be provided by the parameter P_EXTERNAL_CONTENT.
byte[] signedData = AsnIO.dosyadanOKU(SIGNATURE_FILE);
ISignable content = new SignableFile(new File(CONTENT_FILE));
ValidationPolicy policy =
PolicyReader.readValidationPolicy(new FileInputStream(POLICY_FILE));
Hashtable<String, Object> params = new Hashtable<String, Object>();
params.put(EParameters.P_CERT_VALIDATION_POLICY, policy);
params.put(EParameters.P_EXTERNAL_CONTENT, content );
SignedDataValidation sdv = new SignedDataValidation();
SignedDataValidationResult sdvr = sdv.verify(signedData, params);
if(sdvr.getSDStatus() != SignedData_Status.ALL_VALID)
System.out.println("İmzaların hepsi doğrulamadı");
System.out.println(sdvr.toString());
byte[] signedData = AsnIO.dosyadanOKU(SIGNATURE_FILE);
ISignable content = new SignableFile(new FileInfo(CONTENT_FILE));
ValidationPolicy policy =
PolicyReader.readValidationPolicy(new FileStream(POLICY_FILE,
FileMode.Open, FileAccess.Read));
Dictionary<String, Object> params_ = new Dictionary<String, Object>();
params_[EParameters.P_CERT_VALIDATION_POLICY] = policy;
params_[EParameters.P_EXTERNAL_CONTENT] = content;
SignedDataValidation sdv = new SignedDataValidation();
SignedDataValidationResult sdvr = sdv.verify(signedData, params_);
if (sdvr.getSDStatus() != SignedData_Status.ALL_VALID)
Console.WriteLine("İmzaların hepsi doğrulamadı");
Console.WriteLine(sdvr.ToString());