flash.security.XMLSignatureValidator (extends flash.events.EventDispatcher)

The XMLSignatureValidator class validates whether an XML signature file is well formed, unmodified, and, optionally, whether it is signed using a key linked to a trusted digital certificate.

AIR profile support: This feature is supported on all desktop operating systems and AIR for TV devices, but it is not supported on mobile devices. You can test for support at run time using the XMLSignatureValidator.isSupported property. See AIR Profile Support for more information regarding API support across multiple profiles.

XMLSignatureValidator implements a subset of the W3C Recommendation for XML-Signature Syntax and Processing and should not be considered a conforming implementation. The supported subset of the recommendation includes:

  • All of the core signature syntax, with the KeyInfo element restricted as follows.
  • The KeyInfo element supports only the X509Data element.
  • The X509Data element supports only the X509Certificate element.
  • The SHA-256 digest method algorithm.
  • The PKCS #1 (RSA) signing algorithm.
  • The "Canonical XML without comments" Canonicalization Method and Transform algorithm.
  • The Manifest element in additional signature syntax.

You must provide an IURIDereferencer implementation in order to verify an XML signature. This implementation class is responsible for resolving the URIs specified in the SignedInfo elements of the signature file and returning the referenced data in an object, such as a ByteArray, that implements the IDataInput interface. The validator calls your implementation for every Reference URI in the signature, so the implementation decides what an untrusted signature file can make your application read; resolve only the kinds of references you expect and throw an error for anything else.

In order to verify that the signing certificate chains to a trusted certificate, either the XML signature must contain the certificates required to build the chain in X509Certificate elements, or you must supply the certificates required to build the chain using the addCertificate() method.

To verify an XML signature:

  1. Create an instance of the XMLSignatureValidator class.
  2. Set the uriDereferencer property of the instance to an instance of your IURIDereferencer implementation class.
  3. Supply DER-encoded certificates for building the certificate trust chain, if desired, using the addCertificate() method.
  4. Call the XMLSignatureValidator verify() method, passing in the signature to be verified.
  5. Check the validityStatus property after the XMLSignatureValidator object dispatches a complete event.
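The five steps above carried through as one added example; this code was written for this page and is not Adobe's or the original page's code. It assumes a hypothetical IURIDereferencer implementation named com.example.SameDocumentDereferencer whose constructor takes the signed document and which resolves same-document "#Id" references (any class implementing the interface can be substituted), a DER-encoded root certificate file chosen by the caller, and a constructed expected signer DN; all three are placeholders. The result handler refuses anything other than SignatureStatus.VALID and additionally pins the signer's distinguished name, because a valid chain to the trust anchor only proves that some certificate under that root signed the document, not that it was the signer you expected.

```actionscript
package com.example {
    import flash.events.ErrorEvent;
    import flash.events.Event;
    import flash.filesystem.File;
    import flash.filesystem.FileMode;
    import flash.filesystem.FileStream;
    import flash.security.ReferencesValidationSetting;
    import flash.security.RevocationCheckSettings;
    import flash.security.SignatureStatus;
    import flash.security.XMLSignatureValidator;
    import flash.utils.ByteArray;

    // Added example, not from the original page: validates an XML signature
    // against a pinned trust anchor and a pinned signer DN, failing closed.
    public class PinnedSignatureCheck {
        // Placeholder: the DN you expect in the signing certificate. Capture the
        // exact string AIR reports (signerDN) from a known-good signature once.
        private static const EXPECTED_SIGNER_DN:String =
            "CN=Example Updates,O=Example Corp,C=US";
        private const dsig:Namespace =
            new Namespace("http://www.w3.org/2000/09/xmldsig#");

        private var verifier:XMLSignatureValidator;
        private var onDecision:Function; // called with true (accept) or false (reject)

        public function PinnedSignatureCheck(onDecision:Function) {
            this.onDecision = onDecision;
        }

        public function check(signedDocFile:File, rootCertFile:File):void {
            if (!XMLSignatureValidator.isSupported) {
                onDecision(false); // fail closed on profiles without the API
                return;
            }
            // Keep the parser from changing the character sequence that was signed:
            // dropped whitespace or pretty-printed output changes the digest.
            XML.ignoreWhitespace = false;
            XML.prettyPrinting = false;

            var bytes:ByteArray = readFile(signedDocFile);
            var doc:XML = new XML(bytes.readUTFBytes(bytes.length));
            var signatures:XMLList = doc..dsig::Signature;
            if (signatures.length() != 1) {
                onDecision(false); // exactly one Signature expected; ambiguity is rejection
                return;
            }

            // Step 1: create the validator.
            verifier = new XMLSignatureValidator();
            // Step 2: the dereferencer decides what a Reference URI may resolve to
            // (hypothetical class; any IURIDereferencer implementation fits here).
            verifier.uriDereferencer = new SameDocumentDereferencer(doc);
            // Step 3: the DER-encoded root is the only trust anchor; the system store stays off.
            verifier.addCertificate(readFile(rootCertFile), true);
            verifier.useSystemTrustStore = false;
            verifier.referencesValidationSetting = ReferencesValidationSetting.VALID_IDENTITY;
            verifier.revocationCheckSetting = RevocationCheckSettings.BEST_EFFORT;
            verifier.addEventListener(Event.COMPLETE, onComplete);
            verifier.addEventListener(ErrorEvent.ERROR, onError);
            // Step 4: verification is asynchronous; the result arrives in an event.
            try {
                verifier.verify(XML(signatures[0]));
            } catch (e:Error) {
                onDecision(false); // malformed XML or unsupported signature syntax
            }
        }

        // Step 5: only a fully valid signature from the expected signer is accepted.
        private function onComplete(event:Event):void {
            var v:XMLSignatureValidator = event.target as XMLSignatureValidator;
            var accept:Boolean = v.validityStatus == SignatureStatus.VALID
                && v.signerDN == EXPECTED_SIGNER_DN;
            onDecision(accept);
        }

        private function onError(event:ErrorEvent):void {
            onDecision(false); // a verification error is never an acceptance
        }

        private static function readFile(file:File):ByteArray {
            var stream:FileStream = new FileStream();
            var data:ByteArray = new ByteArray();
            stream.open(file, FileMode.READ);
            stream.readBytes(data, 0, stream.bytesAvailable);
            stream.close();
            return data;
        }
    }
}
```

Usage: `new PinnedSignatureCheck(function(ok:Boolean):void { /* act on ok */ }).check(signedFile, rootFile)`. The decision callback is the only output on purpose: nothing in the class reads the signed content before the callback has said true, so the untrusted document is never consumed on a non-valid or unknown status.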

About signature status:

The validity of an XML signature can be valid, invalid, or unknown. The overall status depends on the verification status of the individual components of the signature file:

  • digestStatus — The validity of the cryptographic signature computed over the SignedInfo element. Can be valid, invalid, or unknown.
  • identityStatus — The validity of the signing certificate. If the certificate has expired, has been revoked, or has been altered, the status is invalid. If the certificate cannot be chained to a trusted root certificate, the status is unknown. The certificate is not checked if the digest is invalid. If not checked, the status is reported as unknown.
  • referencesStatus — The validity of the data addressed by the references in the SignedInfo element of the signature file. Can be valid, invalid, or unknown. The references are not checked if the digest or certificate is invalid. Reference checking can also be skipped based on the setting of the referencesValidationSetting property. If not checked, the status is reported as unknown.

The signature validity reported by the validityStatus property can be:

  • valid — If referencesStatus, digestStatus, and identityStatus are all valid.
  • invalid — If any individual status is invalid.
  • unknown — If no individual status is invalid and at least one of referencesStatus, digestStatus, or identityStatus is unknown.

Canonicalization limitations:

The XML engine in AIR does not always produce the expected XML string when canonicalizing an XML document. For this reason, it is recommended that you avoid putting inter-element whitespace in enveloped or detached signature documents and do not redefine namespaces inside a signature document. In both cases, AIR may not recreate the document with the same character sequence as the original and, therefore, validation will fail.

The following example loads and verifies a file containing an XML signature. To use this example, you must implement an IURIDereferencer appropriate for the signatures to be validated (replacing the SignedMessageDereferencer class used in the example). Run the example by calling SignatureValidatorExample.validateSignature( signatureFile ), passing in the file referencing the XML signature document to validate.

    import flash.events.Event;
    import flash.filesystem.File;
    import flash.filesystem.FileMode;
    import flash.filesystem.FileStream;
    import flash.security.ReferencesValidationSetting;
    import flash.security.XMLSignatureValidator;
    import com.example.SignedMessageDereferencer; //A custom class implementing IURIDereferencer

    public class SignatureValidatorExample{
        private static const signatureNS:Namespace =
            new Namespace( "http://www.w3.org/2000/09/xmldsig#" );

        public static function validateSignature( signatureFile:File ):void{
            try{
                //Set up the XMLSignatureValidator
                var verifier:XMLSignatureValidator = new XMLSignatureValidator();
                verifier.addEventListener( Event.COMPLETE, verificationComplete );
                verifier.uriDereferencer = new SignedMessageDereferencer();
                verifier.referencesValidationSetting =
                    ReferencesValidationSetting.VALID_OR_UNKNOWN_IDENTITY;

                //Load the signed document
                var sigFileStream:FileStream = new FileStream();
                sigFileStream.open( signatureFile, FileMode.READ );
                var xmlDoc:XML = XML( sigFileStream.readUTFBytes( sigFileStream.bytesAvailable ) );
                sigFileStream.close();

                //Get the last Signature element in the document
                var xmlSig:XML;
                if( xmlDoc.name().localName != "Signature" ){
                    var signatureList:XMLList = xmlDoc..signatureNS::Signature;
                    xmlSig = XML( signatureList[ signatureList.length()-1 ] );
                } else{
                    xmlSig = xmlDoc;
                }

                //Validate the signature (asynchronous; the result arrives in verificationComplete)
                verifier.verify( xmlSig );
            }catch (e:Error){
                trace( "Verification error.\n" + e );
            }
        }

        private static function verificationComplete(event:Event):void{
            //The validator that finished is the event target; its status properties are meaningful only now
            var verifier:XMLSignatureValidator = event.target as XMLSignatureValidator;
            trace( "Signature Validity: " + verifier.validityStatus );
            trace( "Digest validity: " + verifier.digestStatus );
            trace( "Certificate validity: " + verifier.identityStatus );
            trace( "Data validity: " + verifier.referencesStatus );
        }
    }
See also: IURIDereferencer, XML-Signature Syntax and Processing, Canonical XML, PKCS #1

Event: error (flash.events.ErrorEvent, type flash.events.ErrorEvent.ERROR)

Dispatched if verification cannot complete because of errors.

The following example listens for the error event dispatched by an XMLSignatureValidator object and traces the error message:

    private function verificationError(event:ErrorEvent):void{
        trace("Verification error: " + event.text);
    }

Event: complete (flash.events.Event, type flash.events.Event.COMPLETE)

Dispatched when verification is complete.

A complete event does not imply that the signature is valid. Check the validityStatus property of the XMLSignatureValidator object to determine the outcome of the signature verification.

The following example listens for the complete event dispatched by an XMLSignatureValidator object and traces the validation results:

    private function verificationComplete(event:Event):void{
        var validator:XMLSignatureValidator = event.target as XMLSignatureValidator;
        trace("Digest status: " + validator.digestStatus);
        trace("Identity status: " + validator.identityStatus);
        trace("Reference status: " + validator.referencesStatus);
        trace("Signature status: " + validator.validityStatus);
    }

See also: validityStatus

Constructor: XMLSignatureValidator()

Creates an XMLSignatureValidator object.

You must set the uriDereferencer property before calling the verify() method of the new object.

The following example creates and sets up a new XMLSignatureValidator object (xmlDoc is the signed document, already loaded as XML, and verificationComplete and verificationError are the listener functions shown under the complete and error events):

    import flash.events.ErrorEvent;
    import flash.events.Event;
    import flash.security.ReferencesValidationSetting;
    import flash.security.RevocationCheckSettings;
    import flash.security.XMLSignatureValidator;
    import com.example.EnvelopedDereferencer; //Your custom IURIDereferencer implementation

    //Create the object
    var verifier:XMLSignatureValidator = new XMLSignatureValidator();

    //Provide the IURIDereferencer
    verifier.uriDereferencer = new EnvelopedDereferencer(xmlDoc);

    //Set validation options
    verifier.referencesValidationSetting = ReferencesValidationSetting.VALID_OR_UNKNOWN_IDENTITY;
    verifier.revocationCheckSetting = RevocationCheckSettings.NEVER;
    verifier.useSystemTrustStore = true;

    //Add listeners to handle results
    verifier.addEventListener(Event.COMPLETE, verificationComplete);
    verifier.addEventListener(ErrorEvent.ERROR, verificationError);

See also: uriDereferencer

addCertificate(cert:ByteArray, trusted:Boolean):void

Adds an X.509 certificate for chain building.

Parameters:
  • cert (flash.utils.ByteArray) — A ByteArray object containing a DER-encoded X.509 digital certificate.
  • trusted (Boolean) — Set to true to designate this certificate as a trust anchor.

Throws: IllegalOperationError (flash.errors.IllegalOperationError) — If called while a signature is being validated.

The certificate added must be a DER-encoded X.509 certificate.

If the trusted parameter is true, the certificate is considered a trust anchor.

Note: An XML signature may include certificates for building the signer's certificate chain. The XMLSignatureValidator class uses these certificates for chain building, but never as trust anchors: a certificate is a trusted root only when you add it with the trusted parameter set to true or, if useSystemTrustStore is true, when it is in the system trust store. Without one of those, a signature that carries its own self-issued chain still reports an identityStatus of unknown.

The following example loads a DER-encoded certificate from the file system and adds it as a trusted anchor:

    import flash.filesystem.File;
    import flash.filesystem.FileMode;
    import flash.filesystem.FileStream;
    import flash.security.XMLSignatureValidator;
    import flash.utils.ByteArray;

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    var certificate:ByteArray = new ByteArray();
    var certFile:File = new File("certificate.cer"); //must contain DER, not PEM
    var certFileStream:FileStream = new FileStream();
    certFileStream.open(certFile, FileMode.READ);
    certFileStream.readBytes(certificate, 0, certFileStream.bytesAvailable);
    certFileStream.close();
    verifier.addCertificate(certificate, true);

verify(signature:XML):void

Verifies the specified signature.

Parameters:
  • signature (XML) — The XML signature to verify.

Throws:
  • IllegalOperationError (flash.errors.IllegalOperationError) — If called while a signature is being validated.
  • Error — If other errors are encountered, such as non-well-formed XML or unsupported elements in the signature file.

Verification is asynchronous. The XMLSignatureValidator object dispatches a complete event when verification completes successfully or an error event if verification cannot complete because of errors.

The verification process cannot be cancelled. While a verification process is under way, subsequent calls to the verify() method fail. After the current verification check is complete, you can call the verify() method again.

Note: Because the XMLSignatureValidator only implements a subset of the W3C recommendation for XML Signature Syntax and Processing, not all valid XML signatures can be verified.

The following example reads a file containing an XML signature and validates it by calling the verify() method. (The example assumes that the IURIDereferencer implementation is appropriate for the signature, and that the document contains exactly one Signature element; converting an XMLList with several elements to XML throws an error.)

    import flash.filesystem.File;
    import flash.filesystem.FileMode;
    import flash.filesystem.FileStream;
    import flash.security.XMLSignatureValidator;
    import com.example.SignedMessageDereferencer; //Your IURIDereferencer implementation

    const xmlSignatureNS:Namespace = new Namespace( "http://www.w3.org/2000/09/xmldsig#" );

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    verifier.uriDereferencer = new SignedMessageDereferencer();

    var signatureFile:File = new File( "path/to/XMLSignatureDocument.xml" );
    var sigFileStream:FileStream = new FileStream();
    sigFileStream.open( signatureFile, FileMode.READ );
    var xmlDoc:XML = XML( sigFileStream.readUTFBytes( sigFileStream.bytesAvailable ) );
    sigFileStream.close();

    var xmlSig:XML = XML( xmlDoc..xmlSignatureNS::Signature );
    verifier.verify( xmlSig );

Events:
  • complete (flash.events.Event) — Dispatched when verification completes successfully.
  • error (flash.events.ErrorEvent) — Dispatched if the verification of references encounters an error.

digestStatus:String [read-only]

Throws: IllegalOperationError (flash.errors.IllegalOperationError) — If accessed while a signature is being validated.

The validity status of the cryptographic signature computed over the signature SignedInfo element.

The status is:

  • valid — If the signature is cryptographically valid.
  • invalid — If the SignedInfo element or the signature value over it has been altered after signing.
  • unknown — If the verify() method has not been called.

Note: If the digestStatus is invalid, the identityStatus and referencesStatus are not checked and will be reported as unknown.

identityStatus:String [read-only]

Throws: IllegalOperationError (flash.errors.IllegalOperationError) — If accessed while a signature is being validated.

The validity status of the signing certificate.

The status can be:

  • valid — The certificate has not expired, has not failed a revocation check and chains to a trusted root certificate.
  • unknown — The certificate has not expired and has not failed a revocation check, but does not chain to a trusted root certificate. A status of unknown will also be reported when the status has not been verified, either because the verify() method has not been called or because the cryptographic signature of the SignedInfo element (digestStatus) is invalid.
  • invalid — The certificate has expired or fails a revocation check.

The certificates added using the addCertificate() method and the settings of the revocationCheckSetting and the useSystemTrustStore properties can change whether a certificate is considered valid.

Note: If the identityStatus is invalid, the referencesStatus is not checked and will be reported as unknown. In addition, references are not checked when the identityStatus is unknown unless the referencesValidationSetting is validOrUnknownIdentity.

The following example gets the result of validating the signing certificate (after a signature has been validated):

    import flash.security.XMLSignatureValidator;

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    //validate a signature...
    var identityResult:String = verifier.identityStatus;

See also: addCertificate(), revocationCheckSetting, useSystemTrustStore, referencesValidationSetting

isSupported:Boolean [read-only, static]

Reports whether the XMLSignatureValidator class is supported on the client system. The isSupported property is true if the XMLSignatureValidator class is supported on the current platform, otherwise it is false.

referencesStatus:String [read-only]

Throws: IllegalOperationError (flash.errors.IllegalOperationError) — If accessed while a signature is being validated.

The validity status of the data in the references in the signature SignedInfo element.

The status can be:

  • valid — If all references are valid.
  • invalid — If any reference is invalid.
  • unknown — If not verified. References can remain unverified in the following circumstances:
    • the verify() method has not been called
    • the cryptographic signature of the SignedInfo element (digestStatus) is invalid.
    • the signing certificate (identityStatus) is invalid
    • referencesValidationSetting is validIdentity (which is the default setting) and the identityStatus of the signing certificate is unknown.
    • the referencesValidationSetting is never.

Important: External resources are not validated unless they are referenced directly in a SignedInfo element within the signature document. External resources referred to by a secondary reference are not validated. For example, if an XML signature signs a manifest element, only the integrity of the manifest element itself is verified. The files listed in the manifest are not checked. A valid result therefore tells you that the manifest is authentic, not that the files on disk match it; your application must compute and compare the digests of the listed files itself, or the files must be referenced directly from SignedInfo.

The following example gets the result of validating the references in the signature (after a signature has been validated):

    import flash.security.XMLSignatureValidator;

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    //validate a signature...
    var dataResult:String = verifier.referencesStatus;

See also: referencesValidationSetting

referencesValidationSetting:String

Throws:
  • IllegalOperationError (flash.errors.IllegalOperationError) — If set while a signature is being validated.
  • ArgumentError — If the value is not one defined in the ReferencesValidationSetting class.

Specifies the conditions under which references are checked.

Use constants defined in the ReferencesValidationSetting class to set this property. The settings include:

  • ReferencesValidationSetting.VALID_IDENTITY — Check references only if the signing certificate is valid and chains to a trusted root. This is the default setting.
  • ReferencesValidationSetting.VALID_OR_UNKNOWN_IDENTITY — Check references if the signing certificate is valid, even if it does not chain to a trusted root.
  • ReferencesValidationSetting.NEVER — Never check references.

Use the default, validIdentity, setting with signatures signed with a commercial certificate or when you supply your own certificate as a trust anchor with the addCertificate() method. This setting avoids the overhead of checking reference validity when the signed document will be rejected anyway.

Use the validOrUnknownIdentity setting with signatures signed with self-signed certificates. This setting allows you to validate that the signed data has not been altered, but does not provide any assurances about the identity of the signer: anyone can produce a self-signed certificate carrying any name, so signerCN and signerDN are not evidence of who signed. Note also that validityStatus is reported as unknown whenever identityStatus is unknown, so with this setting your application must inspect digestStatus and referencesStatus individually. If you distribute the self-signed certificate yourself, adding it as a trust anchor with addCertificate(cert, true) and keeping the default setting is usually the better choice, because the signing certificate then chains to a trusted root and the signature can be reported as valid.

Use the never setting to avoid the overhead of validating references when such validation is not important in the context of your application. With this setting the signed data itself is never checked, only the SignedInfo element and the certificate, and because referencesStatus stays unknown the validityStatus can never be valid.
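An added example, written for this page rather than taken from Adobe or the original text, contrasting the two ways of handling a self-signed signer described above. The first makes the self-signed certificate (passed in as DER bytes the caller has already loaded) the only trust anchor and keeps the default validIdentity setting, so the signature can come back fully valid. The second uses validOrUnknownIdentity and shows the decision a complete handler then has to make by hand, since validityStatus is unknown in that mode; it deliberately returns an integrity-only answer because, without an anchor, no field of the result identifies the signer. The dereferencer is whatever IURIDereferencer implementation the caller provides.

```actionscript
package com.example {
    import flash.security.IURIDereferencer;
    import flash.security.ReferencesValidationSetting;
    import flash.security.SignatureStatus;
    import flash.security.XMLSignatureValidator;
    import flash.utils.ByteArray;

    // Added example, not from the original page: two policies for self-signed signers.
    public class SelfSignedPolicy {

        // Preferred: the self-signed certificate becomes the trust anchor. The
        // default validIdentity setting stays in force; the signing certificate
        // now chains to a trusted root (itself), so identityStatus can be valid
        // and the caller can simply require validityStatus == SignatureStatus.VALID.
        public static function withPinnedAnchor(dereferencer:IURIDereferencer,
                                                selfSignedDer:ByteArray):XMLSignatureValidator {
            var verifier:XMLSignatureValidator = new XMLSignatureValidator();
            verifier.uriDereferencer = dereferencer;
            verifier.useSystemTrustStore = false;             // only our anchor counts
            verifier.addCertificate(selfSignedDer, true);     // DER bytes, trusted = true
            return verifier;
        }

        // Fallback: no anchor, so identityStatus and therefore validityStatus
        // stay unknown. The setting makes the validator still check references.
        public static function withUnknownIdentity(dereferencer:IURIDereferencer):XMLSignatureValidator {
            var verifier:XMLSignatureValidator = new XMLSignatureValidator();
            verifier.uriDereferencer = dereferencer;
            verifier.referencesValidationSetting =
                ReferencesValidationSetting.VALID_OR_UNKNOWN_IDENTITY;
            return verifier;
        }

        // Decision for the fallback, called from the complete handler. Because
        // validityStatus is unknown both when the data was verified under an
        // unknown signer and when nothing was checked at all, each component is
        // tested explicitly. A true result means only "data intact under the key
        // in the signature"; it says nothing about who holds that key, and a
        // signerDN comparison would not change that, since any party can
        // self-sign a certificate with any name.
        public static function dataIntactUnderUnknownSigner(v:XMLSignatureValidator):Boolean {
            if (v.digestStatus != SignatureStatus.VALID) return false;      // SignedInfo altered
            if (v.referencesStatus != SignatureStatus.VALID) return false;  // data altered or unchecked
            if (v.identityStatus == SignatureStatus.INVALID) return false;  // expired or revoked
            return true;                                                    // identity unknown, data intact
        }
    }
}
```

In practice the fallback is appropriate for integrity checks of content the application already trusts by another route (for example, a file it wrote itself); anything that needs to know who signed it should use the pinned-anchor path.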

The following example sets the XMLSignatureValidator object to check references even when the signing certificate does not chain to a trust anchor:

    import flash.security.ReferencesValidationSetting;
    import flash.security.XMLSignatureValidator;

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    verifier.referencesValidationSetting = ReferencesValidationSetting.VALID_OR_UNKNOWN_IDENTITY;

See also: ReferencesValidationSetting

revocationCheckSetting:String

Throws: IllegalOperationError (flash.errors.IllegalOperationError) — If set while a signature is being validated.

Specifies how certificate revocation is checked.

Use constants defined in the RevocationCheckSettings class to set this property. The settings include:

  • RevocationCheckSettings.NEVER — Do not check certificate revocation.
  • RevocationCheckSettings.BEST_EFFORT — Check certificate revocation, if revocation information is available and the revocation status can be obtained. If revocation status cannot be positively determined, the certificate is not rejected.
  • RevocationCheckSettings.REQUIRED_IF_AVAILABLE — If the certificate includes revocation information, the revocation status must be positively determined to validate the certificate.
  • RevocationCheckSettings.ALWAYS_REQUIRED — Always check certificate revocation. Certificates without revocation information are rejected.
See also: RevocationCheckSettings

signerCN:String [read-only]

The Common Name field of the signing certificate.

The following example reads the common name of the signing certificate (after a signature has been validated):

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    //validate a signature...
    var commonName:String = verifier.signerCN;

signerDN:String [read-only]

The Distinguished Name field of the signing certificate.

Both signerCN and signerDN are read from the certificate carried in or supplied for the signature and are only as trustworthy as identityStatus: an unverified certificate can carry any name. Compare these fields with expected values only after a validation that reports identityStatus as valid, and treat them as a way to distinguish signers under a trust anchor you control, not as proof of identity on their own.

The following example reads the distinguished name of the signing certificate (after a signature has been validated):

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    //validate a signature...
    var distinguishedName:String = verifier.signerDN;

signerExtendedKeyUsages:Array [read-only]

Throws: IllegalOperationError (flash.errors.IllegalOperationError) — If accessed while a signature is being validated.

An array containing the Extended Key Usage OIDs listed in the signing certificate.

Each extended key usage is reported in numeric OID form.

The following example reads the extended key usage OIDs of the signing certificate (after a signature has been validated):

    import flash.security.XMLSignatureValidator;

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    //validate a signature...
    var extendedKeyOIDs:Array = verifier.signerExtendedKeyUsages;

signerTrustSettings:Array [read-only]

Throws: IllegalOperationError (flash.errors.IllegalOperationError) — If accessed while a signature is being validated.

An array containing the trust settings of the signing certificate.

Trust settings are derived from the system and the key usage OIDs embedded in the certificate. Constants for the strings representing the recognized trust settings are defined in the SignerTrustSettings class.

The signerTrustSettings array of an unknown or invalid certificate is empty.

Modifying the array does not change the certificate trust settings.

The following example reads the trust settings of the signing certificate (after a signature has been validated):

    import flash.security.XMLSignatureValidator;

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    //validate a signature...
    var certificateTrustedFor:Array = verifier.signerTrustSettings;

See also: SignerTrustSettings

uriDereferencer:IURIDereferencer

Throws: IllegalOperationError (flash.errors.IllegalOperationError) — If set while a signature is being validated.

The IURIDereferencer implementation.

An IURIDereferencer implementation must be provided before attempting to verify a signature.

The following example creates an instance of SignedMessageDereferencer, which implements the IURIDereferencer interface, and sets it as the dereferencer to use for signature validation:

    import com.example.SignedMessageDereferencer; //A custom class implementing IURIDereferencer

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    verifier.uriDereferencer = new SignedMessageDereferencer();

See also: IURIDereferencer

useSystemTrustStore:Boolean

Throws: IllegalOperationError (flash.errors.IllegalOperationError) — If set while a signature is being validated.

Specifies that certificates in the system trust store are used for chain building.

If true, then the trust anchors in the system trust store are used as trusted roots. The system trust store is not used by default.

The following example creates an XMLSignatureValidator instance and sets it to use the system repository of trusted certificates when validating an XML signature:

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    verifier.useSystemTrustStore = true;

validityStatus:String [read-only]

Throws: IllegalOperationError (flash.errors.IllegalOperationError) — If accessed while a signature is being validated.

The validity status of a verified XML signature.

The XML signature is verified by validating the cryptographic signature of the SignedInfo element, the signing certificate, and the data addressed by the references in the SignedInfo element. The validity of each of these elements is reported individually by the digestStatus, identityStatus, and referencesStatus properties, respectively.

The validity of an XML signature can be valid, invalid, or unknown. The overall status depends on the verification status of the individual components of the signature file:

  • digestStatus — The validity of the cryptographic signature computed over the SignedInfo element.
  • identityStatus — The validity of the signing certificate.
  • referencesStatus — The validity of the digest of the references in the signature SignedInfo element.

The signature validity reported by the validityStatus property can be:

  • valid — If referencesStatus, digestStatus, and identityStatus are all valid.
  • invalid — If any individual status is invalid.
  • unknown — If no individual status is invalid and at least one is unknown.

The following example gets the result of validating the XML signature:

    import flash.security.XMLSignatureValidator;

    var verifier:XMLSignatureValidator = new XMLSignatureValidator();
    //validate the signature...
    var validationResult:String = verifier.validityStatus;

See also: digestStatus, identityStatus, referencesStatus, SignatureStatus

flash.security.IURIDereferencer

IURIDereferencer defines an interface for objects that resolve URIs in an XML signature.

The IURIDereferencer implementation is responsible for resolving the URIs specified in the SignedInfo elements of an XML signature file and returning the referenced data in an object, such as a ByteArray, that implements the IDataInput interface.

The interface has one method: dereference(). A typical implementation might also require a method for passing the XML signature object containing the URIs to be resolved to the dereferencer.

The IURIDereferencer interface is used with the XMLSignatureValidator class.

See also: XMLSignatureValidator, XMLSignatureValidator.uriDereferencer

dereference(uri:String):IDataInput

Resolves and dereferences the specified URI.

Parameters:
  • uri (String) — The URI to dereference.

Returns: flash.utils.IDataInput — The data referenced by the URI.
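An added implementation of the interface, written for this page (it is not Adobe's code and not from the original text), for the common case of same-document references: the signed document is passed in through the constructor, as the paragraph above anticipates, and dereference() resolves only "#Id" fragment references. Everything else, including file and network URIs, is refused with an error, which the validator surfaces as an error event; a dereferencer that fetched whatever URI the signature file named would let an untrusted file make the application read local files or make network requests. The attribute name Id and the lookup by that attribute are assumptions about the documents being signed.

```actionscript
package com.example {
    import flash.security.IURIDereferencer;
    import flash.utils.ByteArray;
    import flash.utils.IDataInput;

    // Added example, not from the original page: resolves only same-document
    // "#Id" references against the document given at construction time.
    public class SameDocumentDereferencer implements IURIDereferencer {
        private static const DSIG_URI:String = "http://www.w3.org/2000/09/xmldsig#";
        private var doc:XML;

        public function SameDocumentDereferencer(signedDocument:XML) {
            doc = signedDocument;
        }

        public function dereference(uri:String):IDataInput {
            // Refuse everything that is not a fragment reference. An empty URI
            // (whole document, enveloped signature) would need the
            // enveloped-signature transform, which this validator does not support.
            if (uri == null || uri.length < 2 || uri.charAt(0) != "#") {
                throw new Error("Reference URI not allowed: " + uri);
            }
            var id:String = uri.substring(1);

            // E4X filter: descendant elements carrying an Id attribute equal to id.
            // Assumption: signed elements are identified by an unprefixed Id attribute.
            var matches:XMLList = doc..*.(hasOwnProperty("@Id") && @Id == id);
            if (matches.length() != 1) {
                // Zero matches is a dangling reference. More than one is ambiguous,
                // and silently taking the first is how a validator ends up digesting
                // one element while the application consumes another; reject both.
                throw new Error("Reference must resolve to exactly one element: " + uri);
            }
            var target:XML = matches[0];
            if (target.namespace().uri == DSIG_URI && target.localName() == "Signature") {
                throw new Error("Reference may not select the Signature element");
            }

            // Hand the element back as UTF-8 bytes; the validator canonicalizes them.
            // prettyPrinting must be off, or toXMLString() inserts whitespace that
            // was not in the signed data and the digest comparison fails.
            XML.prettyPrinting = false;
            var data:ByteArray = new ByteArray();
            data.writeUTFBytes(target.toXMLString());
            data.position = 0;
            return data;
        }
    }
}
```

Parse the signed document with XML.ignoreWhitespace set to false before handing it to this class; otherwise whitespace text nodes that were present when the digest was computed are dropped at parse time and cannot be recovered here, which is the same failure mode the canonicalization limitations above describe.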
flash.security.SignerTrustSettings

The SignerTrustSettings class defines constants used with the signerTrustSettings property of an XMLSignatureValidator object.

See also: XMLSignatureValidator.signerTrustSettings

  • CODE_SIGNING:String = "codeSigning" — The certificate is trusted for code signing. This implies that the certificate chains to a trusted root, the root is trusted for code signing, and the signing certificate has the CodeSigning OID in its Extended Key Usage extension.
  • PLAYLIST_SIGNING:String = "playlistSigning" — The certificate is trusted for signing playlists. This implies that the certificate chains to a trusted root and has the playlist signing OID in its Extended Key Usage extension.
  • SIGNING:String = "signing" — The certificate is trusted for signing in general.

flash.security.SignatureStatus

The SignatureStatus class defines constants used by the validityStatus property of an XMLSignatureValidator object.

See also: XMLSignatureValidator.validityStatus

  • INVALID:String = "invalid" — Invalid status.
  • UNKNOWN:String = "unknown" — Unknown status.
  • VALID:String = "valid" — Valid status.

flash.security.ReferencesValidationSetting

The ReferencesValidationSetting class defines constants used by the referencesValidationSetting property of an XMLSignatureValidator object: the supported modes for validating referenced data in an XML signature.

See also: XMLSignatureValidator.referencesValidationSetting

  • NEVER:String = "never" — Never check references.
  • VALID_IDENTITY:String = "validIdentity" — Only check references if the signing certificate is valid and trusted.
  • VALID_OR_UNKNOWN_IDENTITY:String = "validOrUnknownIdentity" — Check references even if the signing certificate is untrusted (does not chain to a known trusted root).

flash.security.RevocationCheckSettings

The RevocationCheckSettings class defines constants used by the revocationCheckSetting property of an XMLSignatureValidator object.

See also: XMLSignatureValidator.revocationCheckSetting

  • ALWAYS_REQUIRED:String = "alwaysRequired" — Always check certificate revocation. Certificates without revocation information are rejected.
  • BEST_EFFORT:String = "bestEffort" — Check certificate revocation, if revocation information is available and the revocation status can be obtained. If revocation status cannot be positively determined, the certificate is not rejected.
  • NEVER:String = "never" — Do not check certificate revocation.
  • REQUIRED_IF_AVAILABLE:String = "requiredIfInfoAvailable" — Check certificate revocation if the certificate includes revocation information. If the information is available, but revocation status cannot be positively determined, the certificate is rejected.

flash.security.CertificateStatus

The CertificateStatus class defines constants used to report the results of certificate validation processing by a SecureSocket object.
See also: SecureSocket.serverCertificateStatus

EXPIRED:String = "expired"

The certificate is outside its valid period.

Indicates that certificate validation processing was attempted, but failed because the validity period of the certificate is either before or after the current date. On some operating systems, the notYetValid status is reported when the current date is before the validity period of the certificate. On other operating systems, the expired status is reported in both cases.

INVALID_CHAIN:String = "invalidChain"

A root or intermediate certificate in this certificate's chain is invalid.

Indicates that certificate validation processing was attempted, but failed because the certificate's trust chain was invalid.

INVALID:String = "invalid"

An invalid certificate.

Indicates that certificate validation processing was attempted, but failed. This is the generic failure status that is reported when a more specific certificate status cannot be determined.

NOT_YET_VALID:String = "notYetValid"

The certificate is not yet valid.

Indicates that a certificate is not yet valid. The current date is before the notBefore date/time of the certificate.

PRINCIPAL_MISMATCH:String = "principalMismatch"

The certificate common name does not match the expected host name.

Indicates that certificate validation processing was attempted, but failed because the certificate's common name does not match the fully qualified domain name of the host.

REVOKED:String = "revoked"

The certificate has been revoked.

Indicates that certificate validation processing was attempted, but failed because the certificate has been revoked. On some operating systems, the revoked status is also reported when the certificate (or its root certificate) has been added to the list of untrusted certificates on the client computer.

TRUSTED:String = "trusted"

A valid, trusted certificate.

Indicates that a certificate has not expired, has not failed a revocation check, and chains to a trusted root certificate.

UNKNOWN:String = "unknown"

The validity of the certificate is not known.

Indicates that certificate validation processing has not been performed yet on a certificate.

UNTRUSTED_SIGNERS:String = "untrustedSigners"

The certificate does not chain to a trusted root certificate.

Indicates that certificate validation processing was attempted, but that the certificate does not chain to any of the root certificates in the client trust store. On some operating systems, the untrustedSigners status is also reported if the certificate is in the list of untrusted certificates on the client computer.