AIR profile support: This feature is supported on all desktop operating systems and AIR for TV devices, but it is not supported on mobile devices. You can test for support at run time using the
XMLSignatureValidator implements a subset of the W3C Recommendation for XML-Signature Syntax and Processing and should not be considered a conforming implementation. The supported subset of the recommendation includes:
You must provide an IURIDereferencer implementation in order to verify an XML signature. This implementation class is responsible for resolving the URIs specified in the SignedInfo elements of the signature file and returning the referenced data in an object, such as a ByteArray, that implements the IDataInput interface.
In order to verify that the signing certificate chains to a trusted certificate, either the XML signature must contain the certificates required to build the chain in X509Certificate elements, or you must supply the certificates required to build the chain using the
To verify an XMLSignature:
About signature status:
The validity of an XML signature can be valid, invalid, or unknown. The overall status depends on the verification status of the individual components of the signature file:
The signature validity reported by the
Canonicalization limitations:
The XML engine in AIR does not always produce the expected XML string when canonicalizing an XML document. For this reason, it is recommended that you avoid inter-element whitespace in enveloped or detached signature documents and that you do not redefine namespaces inside a signature document. In both cases, AIR may not recreate the document with the same character sequence as the original, so the digest will not match and validation will fail.
A
You must set the
The certificate added must be a DER-encoded x509 certificate.
If the
Note: An XML signature may include certificates for building the signer's certificate chain. The XMLSignatureValidator class uses these certificates for chain building, but not as trusted roots (by default).
Verification is asynchronous. The XMLSignatureValidator object dispatches a
The verification process cannot be cancelled. While a verification process is under way, subsequent calls to the
Note: Because the XMLSignatureValidator only implements a subset of the W3C recommendation for XML Signature Syntax and Processing, not all valid XML signatures can be verified.
The status is:
Note: If the
The status can be:
The certificates added using the
Note: If the
The status can be:
Important: External resources are not validated unless they are referenced directly in a SignedInfo element within the signature document. External resources referred to by a secondary reference are not validated. For example, if an XML signature signs a manifest element, only the integrity of the manifest element itself is verified. The files listed in the manifest are not checked.
Use constants defined in the ReferencesValidationSetting class to set this property. The settings include:
Use the default,
Use the
Use the
Use constants defined in the RevocationSettings class to set this property. The settings include:
Each extended key usage is reported in numeric OID form.
Trust settings are derived from the system and the key usage OIDs embedded in the certificate. Constants for the strings representing the recognized trust settings are defined in the SignerTrustSettings class.
The
Modifying the array does not change the certificate trust settings.
An IURIDereferencer implementation must be provided before attempting to verify a signature.
If
The XML signature is verified by validating the cryptographic signature of the SignedInfo element, the signing certificate, and the data addressed by the references in the SignedInfo element.
The validity of each of these elements is reported individually by the
The IURIDereferencer implementation is responsible for resolving the URIs specified in the SignedInfo elements of an XML signature file and returning the referenced data in an object, such as a ByteArray, that implements the IDataInput interface.
The interface has one method:
The IURIDereferencer interface is used with the XMLSignatureValidator class.
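As an added example that is not part of the original documentation, the following ActionScript 3 class serves both the verification procedure described above and the IURIDereferencer description: it resolves the single reference of an enveloped signature (URI "", meaning the document with its ds:Signature element removed) and wires an XMLSignatureValidator to it. The `onResult` callback and the caller-supplied DER-encoded trusted root are assumptions; the element and namespace names are those of XML-DSig.

```actionscript
package {
    import flash.events.ErrorEvent;
    import flash.events.Event;
    import flash.security.IURIDereferencer;
    import flash.security.ReferencesValidationSetting;
    import flash.security.SignatureStatus;
    import flash.security.XMLSignatureValidator;
    import flash.utils.ByteArray;
    import flash.utils.IDataInput;

    // IURIDereferencer for an enveloped signature. The only reference URI is "",
    // which denotes the whole document with the ds:Signature element removed.
    public class EnvelopedDereferencer implements IURIDereferencer {
        private var doc:XML;

        public function EnvelopedDereferencer(signedDocument:XML) {
            doc = signedDocument;
        }

        public function dereference(uri:String):IDataInput {
            if (uri != "") {
                throw new Error("Only the enveloped reference URI \"\" is supported, got: " + uri);
            }
            // Serialize without pretty-printing so no inter-element whitespace is introduced
            // (see the canonicalization limitations above); a changed byte sequence fails the digest.
            XML.prettyPrinting = false;
            XML.ignoreWhitespace = false;
            var ds:Namespace = new Namespace("http://www.w3.org/2000/09/xmldsig#");
            var copy:XML = doc.copy();
            delete copy.ds::Signature[0];
            var bytes:ByteArray = new ByteArray();
            bytes.writeUTFBytes(copy.toXMLString());
            bytes.position = 0;
            return bytes;
        }

        // Starts verification; onResult(ok:Boolean, detail:String) is an assumed callback.
        public static function verifyEnveloped(signedDocument:XML, trustedRootDER:ByteArray, onResult:Function):void {
            var ds:Namespace = new Namespace("http://www.w3.org/2000/09/xmldsig#");
            var v:XMLSignatureValidator = new XMLSignatureValidator();
            v.uriDereferencer = new EnvelopedDereferencer(signedDocument);
            v.addCertificate(trustedRootDER, true);   // trusted = true: our own root anchor, not one from the signature
            v.referencesValidationSetting = ReferencesValidationSetting.VALID_IDENTITY;
            v.addEventListener(Event.COMPLETE, function(e:Event):void {
                // Accept only when every component is VALID; "unknown" is not good enough.
                var ok:Boolean = v.validityStatus == SignatureStatus.VALID && v.digestStatus == SignatureStatus.VALID
                    && v.identityStatus == SignatureStatus.VALID && v.referencesStatus == SignatureStatus.VALID;
                onResult(ok, v.signerDN);
            });
            v.addEventListener(ErrorEvent.ERROR, function(e:ErrorEvent):void { onResult(false, e.text); });
            v.verify(signedDocument.ds::Signature[0]);   // pass the Signature element itself
        }
    }
}
```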
Indicates that certificate validation processing was attempted, but failed because the validity period of the certificate is either before or after the current date. On some operating systems, the
Indicates that certificate validation processing was attempted, but failed because the certificate's trust chain was invalid.
Indicates that certificate validation processing was attempted, but failed. This is the generic failure status that is reported when a more specific certificate status cannot be determined.
Indicates that a certificate is not yet valid. The current date is before the notBefore date/time of the certificate.
Indicates that certificate validation processing was attempted, but failed because the certificate's common name does not match the fully qualified domain name of the host.
Indicates that certificate validation processing was attempted, but failed because the certificate has been revoked. On some operating systems, the
Indicates that a certificate has not expired, has not failed a revocation check, and chains to a trusted root certificate.
Indicates that certificate validation processing has not been performed yet on a certificate.
Indicates that certificate validation processing was attempted, but that the certificate does not chain to any of the root certificates in the client trust store. On some operating systems, the