Using CERTivity, you can verify signatures for JAR files, XML files and PDF files, using the menu Signature > Verify command.
You can use the examples provided in the distribution kit in the doc/samples folder to test the verify and sign features.
When verifying a JAR signature, a KeyStore entry can be selected for verifying the entry certificates. If no KeyStore is selected, you can continue verifying the JAR signature without checking whether the certificates from the JAR entries exist in the KeyStore. An error will be displayed if the KeyStore file could not be loaded, if the KeyStore password is wrong, or if the file is corrupt. A JAR file is verified successfully if the signature(s) are valid and none of the files that were in the JAR file when the signatures were generated have been changed since then. After the JAR signature verification operation, the messages that will be displayed are:
"The JAR file was verified." in case of successful JAR signature verification;
"The JAR file was not verified." in case the JAR file does not have a valid signature.
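The integrity half of that check, as an added example (not CERTivity's code): Python that recomputes the per-entry digests listed in META-INF/MANIFEST.MF and reports entries that changed since the manifest was written. It assumes SHA-256-Digest attributes and does not check the signature file or the signature block; the sample JAR and the function names are constructed for the illustration.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    # A manifest line that is too long continues on the next line after one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.split("\n") if ": " in line)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def check_jar_digests(jar_bytes):
    """Recompute each SHA-256-Digest listed in the manifest; return {name: status}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        names = set(jar.namelist())
        for name, attrs in manifest.items():
            if name not in names:
                results[name] = "missing"
                continue
            actual = base64.b64encode(hashlib.sha256(jar.read(name)).digest()).decode()
            # Assumption: the manifest uses SHA-256-Digest attributes.
            results[name] = "ok" if attrs.get("SHA-256-Digest") == actual else "changed"
        # Entries without a manifest section are not covered by any digest.
        for name in names - set(manifest):
            if not name.startswith("META-INF/") and not name.endswith("/"):
                results[name] = "unlisted"
    return results

def build_sample_jar(files, tamper=None):
    """Constructed sample: a JAR whose manifest lists SHA-256 digests of `files`."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            # `tamper` swaps in different content after the digest was recorded.
            jar.writestr(name, tamper.get(name, data) if tamper else data)
    return buf.getvalue()
```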
The embedded certificate(s) can be viewed, exported into an external file or directly imported into the active KeyStore.
You can use the JAR examples provided in the distribution kit in the doc/samples/jar folder to test the verify JAR features.
When importing a selected embedded certificate into the active
KeyStore, the certificate trust will be verified in the same way it is
verified when importing a trusted certificate into the active KeyStore.
If a Trust Path cannot be established using the provided TrustStores
and the Trust Path validation options (which can be set from Tools > Options > Trust Path Options), a message will be
displayed saying so and asking whether the certificate should be
displayed for user verification. If "No" is selected, or the dialog is
closed, the import operation is aborted. If "Yes" is selected, the
certificate details will be displayed, and the user will have the option
to continue the import operation (by selecting the "Accept Import"
button) or to abort it (by selecting the "Cancel Import" button).
XML signatures can be used as authentication credentials or as a way to check data integrity. XML signatures can be applied to XML files, HTML pages, GIF files and XML-encoded data. When validating an XML signature, an XML file must be chosen first. If there is no certificate embedded, the certificate identified by the currently selected entry is used to validate the XML signature.
After the XML signature verification process, the messages that will be displayed are:
"File not signed." in case the XML file was not signed;
"Signature is invalid." in case the XML file signature is not valid;
"Signature is valid." in case the XML file signature is valid. The trusted state of the embedded certificate is not checked.
If the certificates are embedded, they will be shown under the "Certificates details" panel, where their details can be viewed and the certificates can be exported or directly imported into the active KeyStore.
You can use the XML examples provided in the distribution kit in the doc/samples/xml folder to test the verify XML features.
When importing a selected embedded certificate into the active
KeyStore, the certificate trust will be verified in the same way it is
verified when importing a trusted certificate into the active KeyStore.
If a Trust Path cannot be established using the provided TrustStores
and the Trust Path validation options (which can be set from Tools > Options > Trust Path Options), a message will be
displayed saying so and asking whether the certificate should be
displayed for user verification. If "No" is selected, or the dialog is
closed, the import operation is aborted. If "Yes" is selected, the
certificate details will be displayed, and the user will have the option
to continue the import operation (by selecting the "Accept Import"
button) or to abort it (by selecting the "Cancel Import" button).
The Portable Document Format (PDF) allows a document to be digitally signed by inserting a cryptographic signature value in the file. A signature is in most cases represented by a signature field containing the name and other attributes of the signer. When verifying a PDF signature, a PDF file must be chosen first. The digital signatures CERTivity understands for PDF verification are the public/private-key encrypted document digest with the standard SubFilter values adbe.x509.rsa_sha1, adbe.pkcs7.detached, and adbe.pkcs7.sha1. The exact specified handler (the Filter value) is ignored when verifying the signature, in accordance with the PDF Reference: “An application may substitute a different handler when verifying the signature, as long as it supports the specified SubFilter format.”
After verifying the PDF signature, a dialog called "Verification Results" is presented for the document, containing the global document status and details for each signature found. The global Verification Status can be one of:
"File not signed." in case the PDF file was not signed;
"At least one known signature is invalid." in case at least one of the supported (known) PDF file signatures is not valid;
"All known signatures are valid." in case all of the supported (known) PDF file signatures are valid according to the sub-filter values and algorithm (including the digest being recomputed and compared with the one stored in the signature). The trusted state of the embedded certificates is not checked.
"Unknown." in case the document contains only unsupported SubFilters.
For each signature recognized in the document, you can see the signer details, such as name, location, reason, date, certificate, signature verification status and verification info. The embedded certificate of each signature can be viewed and even exported into an external file.
A verbose text report can be analysed (Show Details), revealing the reason why, for example, some signatures are not valid, or revealing the value of the SubFilter/Filter. This is especially useful for observing the details of invalid cases, as a lot of information is logged. For example, according to the adbe.pkcs7.sha1 SubFilter, the signature process involves two digests: the SHA1 digest of the byte range, which is encapsulated in the PKCS#7 signed-data field with ContentInfo of type Data, and then this signed-data field is digested and signed according to the PKCS#7 standard. So there are two digests verified, and if one of these fails the validation fails. This is visible by inspecting the Details section, for example:
The calculated SHA1 Message Digest coincides with the encapsulated PKCS#7 signed-data field. Continuing the signature verification procedure.
Digest Mismatch [message-digest attribute value does not match calculated value].
Although a signature may not be valid, the option View Certificate > Export Certificate > Import to KeyStore can be available in many situations (usually if preliminary validation passes) as long as the certificate is embedded according to the PDF standards. For example, in the case above, where the second message-digest does not match, the embedded certificate can still be viewed, exported or imported to the KeyStore.
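The first of the two adbe.pkcs7.sha1 digests described above, as an added example (not CERTivity's code): Python that locates each /ByteRange, reads the SubFilter of its signature dictionary, and computes the SHA-1 of the signed bytes, which exclude the /Contents value. Parsing the PKCS#7 data and checking the second digest and the signature are out of scope; the sample bytes, the function names and the simplified dictionary lookup are assumptions made for the illustration.

```python
import hashlib
import re

SUPPORTED = {b"adbe.x509.rsa_sha1", b"adbe.pkcs7.detached", b"adbe.pkcs7.sha1"}
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
SUBFILTER = re.compile(rb"/SubFilter\s*/([A-Za-z0-9_.]+)")

def byte_range_digests(pdf):
    """Return one record per /ByteRange found in `pdf` (bytes)."""
    records = []
    for m in BYTE_RANGE.finditer(pdf):
        o1, l1, o2, l2 = (int(g) for g in m.groups())
        if o1 + l1 > o2 or o2 + l2 > len(pdf):
            records.append({"error": "ByteRange overlaps or runs past end of file"})
            continue
        # Simplification: the signature dictionary starts at the nearest "<<"
        # before /ByteRange and ends at the first ">>" after the /Contents gap.
        start = max(pdf.rfind(b"<<", 0, m.start()), 0)
        end = pdf.find(b">>", o2)
        sub = SUBFILTER.search(pdf[start:o1 + l1] + pdf[o2:end if end != -1 else len(pdf)])
        name = sub.group(1) if sub else None
        signed = pdf[o1:o1 + l1] + pdf[o2:o2 + l2]
        records.append({
            "subfilter": name,
            "supported": name in SUPPORTED,
            # The skipped gap should hold only the hex-encoded /Contents value.
            "gap_is_hex_string": re.fullmatch(rb"<[0-9A-Fa-f\s]*>", pdf[o1 + l1:o2]) is not None,
            # Bytes outside the two ranges are not covered by the digest.
            "covers_whole_file": o1 == 0 and o2 + l2 == len(pdf),
            "sha1": hashlib.sha1(signed).hexdigest(),
        })
    return records

def build_sample(body=b"Hello", contents_hex=b"00" * 16):
    """Constructed sample: PDF-like bytes with one signature dictionary."""
    pre = (b"%PDF-1.7\n1 0 obj\n(" + body + b")\nendobj\n2 0 obj\n"
           b"<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.sha1 /ByteRange ")
    fmt = b"[0 %010d %010d %010d] /Contents "
    tail = b" >>\nendobj\n%%EOF\n"
    gap = b"<" + contents_hex + b">"
    l1 = len(pre) + len(fmt % (0, 0, 0))
    return pre + fmt % (l1, l1 + len(gap), len(tail)) + gap + tail
```

Changing the document body changes the digest, while changing only the /Contents value does not, because the signature value is stored inside the gap that the byte range skips.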
You can use the PDF examples provided in the distribution kit in the doc/samples/pdf folder to test the verify PDF features.
Verifying the signature of a PDF which is encrypted is not supported.
When importing a selected embedded certificate into the active
KeyStore, the certificate trust will be verified in the same way it is
verified when importing a trusted certificate into the active KeyStore.
If a Trust Path cannot be established using the provided TrustStores
and the Trust Path validation options (which can be set from Tools > Options > Trust Path Options), a message will be
displayed saying so and asking whether the certificate should be
displayed for user verification. If "No" is selected, or the dialog is
closed, the import operation is aborted. If "Yes" is selected, the
certificate details will be displayed, and the user will have the option
to continue the import operation (by selecting the "Accept Import"
button) or to abort it (by selecting the "Cancel Import" button).