The following checklist should be considered when setting up ADSS Verification Service to verify signatures produced using a specific PKI:
The following items need to be configured to verify digital signatures:
Whether to use basic path validation or RFC 5280 compliant validation depends on the client's business requirements.
Basic Validation is used when policy processing and name constraints do not need to be checked during certificate validation. Path validation is performed using Ascertia's custom algorithm, which is much faster and performs the following checks:
Advanced Validation is fully RFC 5280 compliant, and is mostly used when the certificates to be validated are issued by the Federal PKI.
A common problem is that CAs are registered in Trust Manager but are not made available in the verification profile. As a result, the validation request fails because the certificate path cannot be built.
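To show what skipping name constraints means in practice, the following added example (not ADSS or Ascertia code) applies RFC 5280 dNSName constraints to a certificate path that passes a purely structural chain check. The Cert class, the chain_links() simplification and all certificate names are constructed for illustration; signature, validity and revocation checks are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Cert:  # constructed stand-in for a parsed X.509 certificate
    subject: str
    issuer: str
    is_ca: bool = False
    dns_names: list = field(default_factory=list)      # subjectAltName dNSName
    permitted_dns: list = field(default_factory=list)  # nameConstraints permittedSubtrees
    excluded_dns: list = field(default_factory=list)   # nameConstraints excludedSubtrees

def dns_within(name, subtree):
    """RFC 5280 4.2.1.10: a name matches if it equals the subtree or adds labels on its left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def chain_links(chain):
    """Structural check only (root first, leaf last): issuer/subject linkage and CA flag."""
    if chain[0].subject != chain[0].issuer:
        return False
    for parent, child in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False
    return True

def name_constraint_violations(chain):
    """Apply each CA's dNSName constraints to every certificate below it in the path."""
    permitted_layers, excluded, problems = [], [], []
    for cert in chain:
        for name in cert.dns_names:
            if any(dns_within(name, s) for s in excluded):
                problems.append(f"{name}: inside an excluded subtree")
            elif not all(any(dns_within(name, s) for s in layer) for layer in permitted_layers):
                problems.append(f"{name}: outside the permitted subtrees")
        if cert.is_ca:
            if cert.permitted_dns:  # each constraining CA adds a layer (intersection)
                permitted_layers.append(cert.permitted_dns)
            excluded.extend(cert.excluded_dns)  # excluded subtrees accumulate (union)
    return problems

# Constructed sample path: the intermediate CA is constrained to example.com.
ROOT = Cert("CN=Root CA", "CN=Root CA", is_ca=True)
SUB = Cert("CN=Issuing CA", "CN=Root CA", is_ca=True,
           permitted_dns=["example.com"], excluded_dns=["internal.example.com"])
GOOD = Cert("CN=portal", "CN=Issuing CA", dns_names=["portal.example.com"])
BAD = Cert("CN=rogue", "CN=Issuing CA", dns_names=["login.badexample.com"])
HIDDEN = Cert("CN=db", "CN=Issuing CA", dns_names=["db.internal.example.com"])
```

All three constructed end-entity certificates link correctly to the root, but only the path ending in GOOD has no name constraint violations.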
To resolve this:
When the target certificate chain is built up to the registered self-signed Root CA certificate, and the intermediate CA certificate(s) are not registered within the Trust Manager module, the revocation status of such non-registered CAs is discovered by using a non-registered CA policy (configured within the Verification Profile > Advanced Settings). ADSS Server also provides the flexibility to choose a certificate validation mechanism from CDP, AIA and configured OCSP addresses.
The Verification Service can also be used to enhance existing signatures to more advanced signatures as part of a validation process. The Verification Service implements the "Advanced Electronic Signature (AdES)" profile of the OASIS DSS, and can enhance basic CAdES, XAdES and PAdES signatures to their relevant advanced formats, i.e. -X, -T, -C, -XL and -A signatures. For this:
Go to ADSS-Client-SDK/API/apidocs/adss/index.html
For more details, see the "setReturnUpdatedSignature()" method of the "com.ascertia.adss.client.api.verification.SignatureVerificationRequest" class.