Certificate processing in proXSign
Applications that use certificates must verify that a given certificate is valid, and proXSign® does so while signing, verifying and in its other certificate-based operations. Before signing, the component validates the signing certificate: if the certificate is not time valid or has been revoked, an error is raised and the document is not signed. When a signature is verified, the certificates retrieved from it are validated in the same way.
Three typical checks are performed, and the status of each is reported to the user. Depending on the flags used, an operation may or may not complete when a certificate's status is invalid or unknown.
The checks are performed in this order:
1. Time validity check - the expiry date field of the certificate is compared with the local system time. If the current time is after the expiry date, the certificate is not considered time valid. Note that this check is only as good as the local clock: a client with a wrong system time will accept or reject certificates accordingly.
2. Chain validity check - for this to succeed, the issuer certificate (or at least one certificate further up the chain, towards the root) must be present in the platform's trusted certificate store.
3. Certificate revocation status check - this check requires an active internet connection on the client computer, because it has to contact servers hosted by the CA. These servers keep track of all REVOKED certificates of that CA. A revoked certificate is one that has been declared invalid before its expiry date (for example because the owner's private key was compromised or lost). The servers publish a list of the serial numbers of the revoked certificates issued by the CA (the certificate revocation list, CRL); the list is signed with the CA (issuer) certificate, so it can be authenticated before it is relied on.
The behaviour of the checks is controlled through the outputType property flags. The values are bit flags and are combined by adding them together (bitwise OR). The following flags are relevant:

| Value | Option Name | Description |
|---|---|---|
| 8 | XSIGN_OPTION_CHECK_CRL | Enables the CRL check. No CRL check is performed when signing unless this flag is specified. |
| 32 | XSIGN_OPTION_DONT_CERT_TIME | Disables the time check. Signing may be performed with a certificate that is not time valid. |
| 64 | XSIGN_OPTION_DONT_CERT_CHAIN | Disables the certificate chain validity check. Signing may be performed with a certificate whose chain is incomplete. |
Please note that if the computer has no internet connection and XSIGN_OPTION_CHECK_CRL is specified, a delay may be noticed that temporarily freezes the browser. The CRL download is a blocking operation that tries, in turn, each of the URLs listed in the certificate's CRL distribution points; if there is no internet connection, or the listed sites cannot be reached for other reasons, this delay can be noticeable.
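As an added example (not proXSign's own code, and not its API), the three checks and the three flags above modelled in Go with the standard crypto/x509 package. It builds a throwaway CA, two leaf certificates and a CRL in memory (constructed sample data, no network). Only the three flag names and values come from the table; ValidateSigningCert, revocationStatus, BuildDemoPKI and the Status/Report types are this example's own. It also goes slightly beyond the text where a practitioner would want it to: the time check covers the "not before" date as well as the expiry date, a CRL that cannot be obtained or authenticated yields "unknown" rather than "valid", and a stale CRL (past its NextUpdate) is treated the same way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// outputType flag values from the table above; other bits are ignored here.
const (
	XSIGN_OPTION_CHECK_CRL       = 8
	XSIGN_OPTION_DONT_CERT_TIME  = 32
	XSIGN_OPTION_DONT_CERT_CHAIN = 64
)

// Status of one check, reported separately. Unknown: could not be completed (e.g. no usable CRL); Skipped: disabled by a flag.
type Status string

const Valid, Invalid, Unknown, Skipped Status = "valid", "invalid", "unknown", "skipped"

var verdict = map[bool]Status{true: Valid, false: Invalid}

type Report struct{ Time, Chain, Revocation Status }

// ValidateSigningCert runs the three checks in the documented order. roots is the platform trust store,
// inters holds extra issuer certificates for chain building (may be nil), crlDER is the downloaded CRL
// (nil when the download failed, e.g. no network). Hypothetical API, not proXSign's.
func ValidateSigningCert(leaf *x509.Certificate, roots, inters *x509.CertPool, crlDER []byte, flags int, now time.Time) Report {
	rep := Report{Skipped, Skipped, Skipped}
	if flags&XSIGN_OPTION_DONT_CERT_TIME == 0 { // 1. time validity: the whole window, not only the expiry date
		rep.Time = verdict[!now.Before(leaf.NotBefore) && !now.After(leaf.NotAfter)]
	}
	// 2. chain validity. Check 1 already reports the validity window, so the chain is evaluated at an instant
	// inside the leaf's own window; otherwise Go's verifier would fold an expiry into the chain result and
	// XSIGN_OPTION_DONT_CERT_TIME would have no effect.
	chains, chainErr := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: leaf.NotBefore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if flags&XSIGN_OPTION_DONT_CERT_CHAIN == 0 {
		rep.Chain = verdict[chainErr == nil]
	}
	if flags&XSIGN_OPTION_CHECK_CRL != 0 { // 3. revocation, only when explicitly requested
		var issuer *x509.Certificate // a CRL is only meaningful if the leaf's issuer signed it
		if chainErr == nil && len(chains[0]) > 1 {
			issuer = chains[0][1]
		}
		rep.Revocation = revocationStatus(leaf, issuer, crlDER, now)
	}
	return rep
}

// revocationStatus believes a CRL only if it parses, is signed by the leaf's issuer and is not past its
// NextUpdate; anything less is Unknown, never Valid.
func revocationStatus(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) Status {
	crl, err := x509.ParseRevocationList(crlDER) // nil or garbage input fails here
	if err != nil || issuer == nil || crl.CheckSignatureFrom(issuer) != nil {
		return Unknown
	}
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) {
		return Unknown // a stale list says nothing about today
	}
	for _, rc := range crl.RevokedCertificates { // CRL entries are serial numbers, not names
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return Invalid
		}
	}
	return Valid
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemoPKI returns constructed sample data: an in-memory CA (as the trust store), a good leaf, a
// revoked leaf, a CRL signed by the CA, and the reference time. Nothing here touches the network.
func BuildDemoPKI() (trusted *x509.CertPool, good, revoked *x509.Certificate, crlDER []byte, now time.Time) {
	now = time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(24 * time.Hour)}
	// Reparsed so the SubjectKeyId that CreateCertificate generates for CAs is present; CreateRevocationList needs it.
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey))))
	leaf := func(serial int64) *x509.Certificate {
		k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: fmt.Sprintf("signer-%d", serial)},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, ca, &k.PublicKey, caKey))))
	}
	good, revoked = leaf(10), leaf(11)
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}}}, ca, caKey))
	trusted = x509.NewCertPool()
	trusted.AddCert(ca)
	return
}

func main() {
	trusted, good, revoked, crl, now := BuildDemoPKI()
	fmt.Printf("good: %+v\n", ValidateSigningCert(good, trusted, nil, crl, XSIGN_OPTION_CHECK_CRL, now))
	fmt.Printf("revoked: %+v\n", ValidateSigningCert(revoked, trusted, nil, crl, XSIGN_OPTION_CHECK_CRL, now))
}
```

In a real client the CRL bytes passed as crlDER come from the distribution point URLs in the certificate; bounding that download with a timeout (for example an http.Client with Timeout set) is what avoids the blocking delay described above, and passing nil shows the outcome when the download fails: revocation is reported as unknown, not as valid, and it is the caller's flags that decide whether signing still proceeds.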