Adds signature validation information for
long-term validation of digital signatures applied to a PDF document.
When a digital signature expires, you can no longer verify the PDF
document. Long-term signature validation allows for the validity
of a PDF document to be extended when the signature information
cannot be verified. Signature information cannot be verified when
the signature information expires, the resources to validate the
signature are not available, or the certificate used to sign it
is revoked. Use this operation to add validation information (required
certificates, CRLs, and OCSP responses) to digitally signed PDF
documents to extend them for long-term validation.
For example, your application requires that the validation period
for a signed PDF document is extended. To extend the validation
period, add updated validation information to the PDF document so
that it remains valid. Use the Add Signature Validation Information
to update the validation information in the signed PDF document.
For information about the General and Route Evaluation property
groups, see
Common operation properties
.
Common properties
Properties to specify signed PDF document and signature
field to extend for long-term validation.
Input PDF
A
document
value
that represents the PDF document that the invisible signature field
is added to.
If you provide a literal value, clicking the
ellipsis button opens the Select Asset dialog box. (See
About Select Asset
.)
Signature Field Name
A
string
value
for the name of the signature field to add. The fully qualified
name of the signature field must be specified.
Signature Validation Options properties
Properties for updating validation information to extend
a signed PDF document for long-term validation.
OCSP Options Spec
(Optional)
An
OCSPOptionSpec
value
that represents settings for using Online Certificate Status Protocol
(OCSP) revocation checking. To provide a literal value, specify
the following options.
URL to Consult Option:
Sets
the list and order of the OCSP servers used to perform the revocation
check. Select one of these values:
-
UseAIAInCert:
-
(Default) Use the URL of an online certificate status protocol
server specified in the Authority Information Access (AIA) extension
in the certificate. The AIA extension is used to identify how to
access certificate authority (CA) information and services for the
issuer of the certificate.
-
LocalURL:
-
Use the specified URL for the OCSP server specified in the
OCSP Server URL option.
-
UseAIAIfPresentElseLocal:
-
Use the URL of the OCSP server specified in the AIA extension
in the certificate if present. If the AIA extension is not present
in the certificate, use the URL that is configured in the OCSP Server
URL.
-
UseAIAInSignerCert:
-
Use the URL of the OCSP server specified in the AIA extension
in the OCSP request of the signer certificate.
-
OCSP Server URL:
-
Sets the URL of the configured OCSP server. The value is
used only when the LocalURL or UseAIAIfPresentElseLocal values are
in URL To Consult Option.
-
Revocation Check Style:
-
Sets the revocation-checking style that is used for verifying
the trust status of the CRL provider’s certificate from its observed
revocation status. Select one of these values:
Sets
the URL of the configured OCSP server. The value is used only when
the LocalURL or UseAIAIfPresentElseLocal values are in URL To Consult
Option.
Revocation Check Style:
Sets the revocation-checking
style that is used for verifying the trust status of the CRL provider’s
certificate from its observed revocation status. Select one of these
values:
-
NoCheck:
-
Does not check for revocation.
-
BestEffort:
-
Checks for revocation of all certificates when possible.
-
CheckIfAvailable:
-
(Default) Checks for revocation of all certificates only
when revocation information is available.
-
AlwaysCheck:
-
Checks for revocation of all certificates.
-
Max Clock Skew Time (Minutes):
-
Sets the maximum allowed skew, in minutes, between response
time and local time. Valid skew times are
0
-
2147483647
min. The
default value is
5
min.
-
Response Freshness Time (Minutes):
-
Sets the maximum time, in minutes, for which a preconstructed
OCSP response is considered valid. Valid response freshness times
are
1
-
2147483647
min. The default
value is
525600
min. (one year).
-
Send Nonce:
-
Select this option to send a nonce with the OCSP request.
A
nonce
is a parameter that varies with time. These parameters
can be a timestamp, a visit counter on a web page, or a special
marker. The parameter is intended to limit or prevent the unauthorized replay
or reproduction of a file. When the option deselected, a nonce is
not sent with the request. By default, the option is selected.
-
Sign OCSP Request:
-
Select this option to specify that the OCSP request must
be signed. When the option is deselected, the OCSP request does
not need be signed. By default, the option deselected.
-
Request Signer Credential Alias:
-
Sets the credential alias used for signing the OCSP request
when signing is enabled.
-
Go Online for OCSP:
-
Select this option to access the network for OCSP information.
The network can be accessed to retrieve OCSP information for OCSP
checking. The LiveCycle server uses embedded and cached OCSP information
when possible to reduce the amount of network traffic generated
due to OCSP checking. When the option is deselected, OCSP checking
is not retrieved from the network, and only embedded and cached
OCSP information is used. By default, the option is selected.
-
Ignore Validity Dates:
-
Select this option to use the OCSP response thisUpdate and
nextUpdate times. Ignoring these response times prevents any negative
effect on response validity. The thisUpdate and nextUpdate times
are retrieved from external sources by using HTTP or LDAP, and can
be different for each revocation information. When the option is
deselected, the thisUpdate and nextUpdate times are ignored. By
default, the option is deselected.
-
Allow OCSP NoCheck Extension:
-
Select this option to allow an OCSPNoCheck extension in the
response signing certificate. An OCSPNoCheck extension can be present
in the OCSP Responder’s certificate to prevent infinite loops from
occurring during the validation process. When the option is deselected,
the OCSPNoCheck extension is not used. By default, the option is
selected.
-
Require OCSP ISIS-MTT CertHash Extension:
-
Select this option to specify that certificate public key
hash (CertHash) extensions must be present in OCSP responses. This
extension is required for SigQ validation. SigQ compliance requires
the CertHash extension to be in the OCSP responder certificate.
Select this option when processing for SigQ compliance and supported
OCSP responders. When the option is deselected, the CertHash extension
presence in the OCSP response is not required. By default, the option
is deselected.
Sets the maximum allowed
skew, in minutes, between response time and local time. Valid skew
times are
0
-
2147483647
min.
The default value is
5
min.
Response Freshness
Time (Minutes):
Sets the maximum time, in minutes, for which
a preconstructed OCSP response is considered valid. Valid response
freshness times are
1
-
2147483647
min.
The default value is
525600
min. (one year).
Send
Nonce:
Select this option to send a nonce with the OCSP request.
A
nonce
is a parameter that varies with time. These parameters
can be a timestamp, a visit counter on a web page, or a special
marker. The parameter is intended to limit or prevent the unauthorized
replay or reproduction of a file. When the option deselected, a
nonce is not sent with the request. By default, the option is selected.
Sign
OCSP Request:
Select this option to specify that the OCSP
request must be signed. When the option is deselected, the OCSP
request does not need be signed. By default, the option deselected.
Request
Signer Credential Alias:
Sets the credential alias used for
signing the OCSP request when signing is enabled.
Go Online
for OCSP:
Select this option to access the network for OCSP
information. The network can be accessed to retrieve OCSP information
for OCSP checking. The LiveCycle server uses embedded and cached
OCSP information when possible to reduce the amount of network traffic
generated due to OCSP checking. When the option is deselected, OCSP
checking is not retrieved from the network, and only embedded and
cached OCSP information is used. By default, the option is selected.
Ignore
Validity Dates:
Select this option to use the OCSP response
thisUpdate and nextUpdate times. Ignoring these response times prevents
any negative effect on response validity. The thisUpdate and nextUpdate
times are retrieved from external sources by using HTTP or LDAP,
and can be different for each revocation information. When the option
is deselected, the thisUpdate and nextUpdate times are ignored.
By default, the option is deselected.
Allow OCSP NoCheck Extension:
Select
this option to allow an OCSPNoCheck extension in the response signing
certificate. An OCSPNoCheck extension can be present in the OCSP Responder’s
certificate to prevent infinite loops from occurring during the validation
process. When the option is deselected, the OCSPNoCheck extension is
not used. By default, the option is selected.
Require OCSP
ISIS-MTT CertHash Extension:
Select this option to specify
that certificate public key hash (CertHash) extensions must be present
in OCSP responses. This extension is required for SigQ validation.
SigQ compliance requires the CertHash extension to be in the OCSP
responder certificate. Select this option when processing for SigQ compliance
and supported OCSP responders. When the option is deselected, the CertHash
extension presence in the OCSP response is not required. By default, the
option is deselected.
CRL Options Spec
(Optional)
A
CRLOptionSpec
value that
represents the certificate revocation list (CRL) preferences when
CRL is used to perform revocation checking. If you provide a literal
value, specify the following options.
-
Consult
Local URI First:
-
Select this option to use the CRL location provided as a
local URI before any specified locations within a certificate. The
CRL location provided is used for revocation checking. When this
option is selected, it means the local URI is used first. When this
option is deselected, the locations specified in the certificate
before using the local URI are used. By default, the option is deselected.
-
Local URI for CRL Lookup:
-
Sets the URL for the local CRL store. This value is used
only if the Consult Local URI First option is selected. No default
value is provided.
-
Revocation Check Style:
-
Sets the revocation-checking style used for verifying the
trust status of the CRL provider’s certificate from its observed
revocation status. Select one of these values:
-
NoCheck:
Does
not check for revocation.
-
BestEffort:
(Default) Checks for revocation of all
certificates when possible.
-
CheckIfAvailable:
Checks for revocation of all certificates only
when revocation information is available.
-
AlwaysCheck:
Checks for revocation of all certificates.
-
LDAP Server:
-
Sets the URL or path of the Lightweight Directory Access
Protocol (LDAP) server used to retrieve information about the certificate
revocation list (CRL). The LDAP server searches for CRL information
using the distinguished name (DN) according to the rules specified
in
RFC 3280
, section 4.2.1.14. For example,
you can type
www.ldap.com
for the URL or
ldap://ssl.ldap.com:200
for
the path and port. No default value is provided.
-
Go Online for CRL Retrieval:
-
Select this option to access the network to retrieve CRL
information. CRL information is cached on the server to improve
network performance. CRL information is retrieved online only when
necessary. When this option is deselected, CRL information is not retrieved
online. By default, the option is selected.
-
Ignore Validity Dates:
-
Select this option to use thisUpdate and nextUpdate times.
Ignoring the response’s thisUpdate and nextUpdate times prevents
any negative effect on response validity. The thisUpdate and nextUpdate
times are retrieved from external sources by using HTTP or LDAP
and can be different for each revocation information. When the option
is deselected, the thisUpdate and nextUpdate time are ignored. By default,
the option deselected.
-
Require AKI Extension in CRL:
-
Select this option to specify that the Authority Key Identifier
(AKI) extension must be present in the CRL. The AKI extension can
be used for CRL validation. When this option is deselected, the
presence of the AKI extension the CRL is not required. By default,
the option is deselected.
Path Validation Options Spec
(Optional)
A
PathValidationOptionSpec
that represents
the settings that control RFC3280-related path validation options.
For example, you can indicate whether policy mapping is allowed
in the certification path. (See
RFC
3280
). If you provide a literal value, you can set the following
options.
-
Require Explicit Policy:
-
Select this option to specify that the path must be valid
for at least one of the certificate policies in the user initial
policy set. When this option is deselected, the path validity is
not required. By default, the option is deselected.
-
Inhibit Any Policy:
-
Select this option to specify that a policy object identifier
(OID) must be processed if it is included in a certificate. When
deselected, any policy can be selected. By default, the option is deselected.
-
Check All Paths:
-
Select this option to require that all paths to a trust anchor
must be validated. When this option is deselected, all paths to
a trust anchor are not validated. By default, the option is deselected.
-
Inhibit Policy Mapping:
-
Select this option to allow policy mapping in the certification
path. When this option is deselect, policy mapping is not allowed
in the certification path. By default, the option is deselected.
-
LDAP Server:
-
Sets the URL or path of the Lightweight Directory Access
Protocol (LDAP) server used to retrieve information about the certificate
revocation list (CRL). The LDAP server searches for CRL information
using the distinguished name (DN) according to the rules specified
in
RFC 3280
, section 4.2.1.14. For example,
you can type
www.ldap.com
for the URL or
ldap://ssl.ldap.com:200
for
the path and port. No default value is provided.
-
Follow URIs in Certificate AIA:
-
Select this option to specify to follow any URIs specified
in the certificate’s Authority Information Access (AIA) extension
for path discovery. The AIA extension specifies where to find up-to-date
certificates. When this option is deselected, no URIs are processed
in the AIA extension from the certificate. By default, the option
is deselected.
-
Basic Constraints Extension Required in CA Certificates:
-
Select this option to specify that the certificate authority
(CA) Basic Constraints certificate extension must be present for
CA certificates. Some early German certified root certificates (7
and earlier) are not compliant to
RFC
3280
and do not contain the basic constraint extension. If
it is known that a user's EE certificate chains up to such a German
root, deselect this option. When this option is deselected, the
presence of the CA Basic Constraints certificate in CA certificates
is not required. By default, the value is selected.
-
Require Valid Certificate Signature During Chain Building:
-
Select this option to require that all Digital Signature
Algorithm (DSA) signatures on certificates be valid before a chain
is built. For example, in a chain CA > ICA > EE where the
signature for EE is not valid, the chain building stops at ICA.
EEs are not included in the chain. When this option is deselected,
the entire chain is built regardless of whether an invalid DSA signature
is encountered. By default, the option is deselected.
TSP Options Spec
(Optional)
A
TSPOptionSpec
value that
represents the settings that define timestamp information applied
to the certified signature.
If you provide a literal value,
specify the following options.
-
Time Stamp Server
URL:
-
Sets the URL for a TSP server. If no value is provided, the
timestamp from the local system is applied. No default value is
provided.
-
Time Stamp Server Username:
-
Sets the user name, if necessary, for accessing the TSP server.
No default value is provided.
-
Time Stamp Server Password:
-
Sets the password for the user name, if necessary, for accessing
the TSP server. No default value is provided.
-
Time Stamp Server Hash Algorithm:
-
Sets the hash algorithm used to digest the request sent to
the timestamp provider. Select one of these values:
-
SHA1: (Default)
-
The Secure Hash Algorithm that has a 160-bit hash value.
-
SHA256:
-
The Secure Hash Algorithm that has a 256-bit hash value.
-
SHA384:
-
The Secure Hash Algorithm that has a 384-bit hash value.
-
SHA512:
-
The Secure Hash Algorithm that has a 512-bit hash value.
-
RIPEMD160:
-
The RACE Integrity Primitives Evaluation Message Digest that
has a 160-bit message digest algorithm and is not FIPS-compliant.
-
Revocation Check Style:
-
Sets the revocation-checking style used for verifying the
trust status of the CRL provider’s certificate from its observed
revocation status. Select one of these values:
-
NoCheck:
-
Does not check for revocation.
-
BestEffort:
-
(Default) Checks for revocation of all certificates when
possible.
-
CheckIfAvailable:
-
Checks for revocation of all certificates only when revocation
information is available.
-
AlwaysCheck:
-
Checks for revocation of all certificates.
-
Use Expired Timestamps:
-
Select this option to use timestamps that have expired during
the validation of the certificate. When this option is deselected,
expired timestamps are not used. By default, this option is selected.
-
Predicted Time Stamp Token Size (In Bytes):
-
Sets the estimated size, in bytes, of the TSP response. The
size is used to create a signature hole in the PDF document. This
value represents the maximum size of the timestamp response that
the configured TSP could return. Configuring an undersized value
can cause the operation to fail; however, configuring an oversized
value causes the size to be larger than necessary. It is recommended
that this value is not modified unless the timestamp server requires
a response size to be less than 4096 bytes. Valid values are from
60
to
10240
.
The default value is
4096
.
-
Send Nonce:
-
Select this option to send a nonce with the request. A
nonce
is
a parameter that varies with time. These parameters can be a timestamp,
a visit counter on a web page, or a special marker. The parameter
is intended to limit or prevent the unauthorized replay or reproduction
of a file. When the option deselected, a nonce is not sent with
the request. By default, the option is selected.
Output PDF properties
Property to specify the output PDF document.
Output PDF
The location in the process data model to store the
PDF document. The signed PDF document contains the updated validation
information. The data type is
document
.
|
|
|