CEF eSignature Building Block DSS Cookbook

DIGIT

Unit B1

DSS Cookbook

CEF eSignature Building Block

Date: 05/03/2015

Doc. Version: V2.7

PM² Template v2.1.0 (Oct.2013)

CEF eSIG DSS Cookbook Page 1 / 87



Document Control Information

Settings / Value
Document Title: / DSS Cookbook
Project Title: / CEF eSignature Building Block
Document Author: / Mr. Nicolas Pirard
Project Owners: / Mr. Andrea Servida, DG CNECT
Project Manager: / Mr. Philippe Schneider, DIGIT
Doc. Version: / V2.7
Sensitivity: / High
Date: / 05/03/2015

Document Approver(s) and Reviewer(s):

NOTE: All Approvers are required. Records of each approver must be maintained. All Reviewers in the list are considered required unless explicitly listed as Optional.

Name / DG / Role / Action / Date
Mr. Philippe Schneider / DIGIT.A.3 / Information Systems Architect / ISIP / Review

Document history:

The Document Author is authorized to make the following types of changes to the document without requiring that the document be re-approved:

·  Editorial, formatting, and spelling

·  Clarification

To request a change to this document, contact the Document Author or Owner.

Changes to this document are summarized in the following table in reverse chronological order (latest version first).

Revision / Date / Created by / Short Description of Changes
0.01 / 17/12/2012 / Robert Bielecki / Version sent for Review
0.05 / 13/02/2013 / Robert Bielecki / Alignment following the comments of the European Commission
1.00 / 20/02/2013 / Frank Meyer / Version sent for Acceptance
1.01 / 19/03/2013 / Robert Bielecki / Alignment for publication following the comments of the European Commission
1.03 / 28/03/2013 / Robert Bielecki / Addressed further comments
1.04 / 09/04/2013 / Robert Bielecki / Aligned with DSS version 2.0/2.0.1
1.05 / 11/03/2013 / Robert Bielecki / Addressed further comments
2.00 / 27/11/2013 / Robert Bielecki / General update after implementation of the new validation process based on “ETSI TS 102 853” standard and incorporation of baseline profiles.
2.01 / 24/01/2014 / Robert Bielecki / Incorporation of WS and PdfBox
2.02 / 03/03/2014 / Robert Bielecki / Update of cookbook’s classes. XAdES: Managing different versions.
2.1 / 08/06/2014 / Robert Bielecki / -  Performance optimisation: multi-threaded retrieval of validation data
-  Validation of non ADES signatures
-  Information on the scope of the signatures
2.2 / 16/07/2014 / Robert Bielecki / Update of test classes
2.3 / 15/09/2014 / Vincent Bouckaert / Alignment with version 4.2.0-RC
2.4 / 13/11/2014 / Robert Bielecki / Code sample updated
2.5 / 15/12/2014 / Robert Bielecki / Code sample updated
2.6 / 30/01/2014 / Robert Bielecki / Code sample updated
2.7 / 05/03/2015 / Nicolas Pirard / -  Aligned with DSS version 4.4.RC1
-  Document migrated to CEF eSig template.

Reference and Applicable Documents

This section contains the lists of all references and applicable documents. When referring to any of the documents below, the bracketed reference will be used in the text, such as [R01].

Reference and applicable documents:

Ref. / Title / Reference / Version / Date
R01 / DSS - Functional Analysis / DSS4-FAD / 2.02 / 24/01/2014
R02 / DSS - Software Architecture / DSS4-SAD / 2.01 / 24/01/2014
R03 / DSS - Design Model / DSS2-DM / 2.00 / 20/01/2012
R04 / XAdES Specifications / ETSI TS 101 903 / 1.4.2 / 12/2010
R05 / CAdES Specifications / ETSI TS 101 733 / 2.2.1 / 04/2013
R06 / PAdES Specification / ETSI TS 102 778 part 1-6 / 1.x.x / 07/2010
R07 / Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile / IETF RFC 5280 / N/A / May 2008
R08 / OCSP / RFC 6960 / N/A / June 2013
R09 / TC Security - Electronic Signatures and Infrastructures (ESI); XML format for signature policies / ETSI TR 102 038 / 1.1.1 / 2002-04
R10 / Document management - Portable document format - Part 1: PDF 1.7 / ISO 32000-1 / 1 / 2008
R11 / Electronic Signatures and Infrastructures; Associated Signature Containers Testing Compliance & Interoperability; Test Suite for ASiC interoperability test events / ETSI TS 119 164-2 / 1.1.1 / 2012-03
R12 / Electronic Signatures and Infrastructures; Associated Signature Containers / ETSI TS 102 918 / 1.1.1 / 2011-04
R13 / Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. / DIRECTIVE 1999/93/EC / N/A / 13/12/1999
R14 / Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) / RFC 3161 / N/A / 08/2001
R15 / Electronic Signatures and Infrastructures; Signature verification procedures and policies / ETSI TS 102 853 / 1.1.1 / 2012-07
R16 / Policy Requirements for Time-Stamping Authorities (TSAs) / RFC 3628 / N/A / 11/2003
R17 / XAdES Baseline profiles / ETSI TS 103 171 / 2.1.1 / 2012-03
R18 / CAdES Baseline profiles / ETSI TS 103 173 / 2.2.1 / 2013-04
R19 / PAdES Baseline profiles / ETSI TS 103 172 / 2.1.1 / 2012-03
R20 / ASiC Baseline profiles / ETSI TS 103 174 / 2.1.1 / 2012-03
R21 / DSS3-QTM4-Signature Validation Policy and Report Simplification Analysis-v1.00.doc

Abbreviations and Acronyms:

Code / Description
AdES / Advanced Electronic Signature
API / Application Programming Interface
ASiC / Associated Signature Containers
BB / Building Block (CEF)
CA / Certificate authority
CAdES / CMS Advanced Electronic Signatures
CD / Commission Decision
CEF / Connecting Europe Facility
CMS / Cryptographic Message Syntax
CRL / Certificate Revocation List
CSP / Core Service Platform (CEF)
CSP / Cryptographic Service Provider
DER / Distinguished Encoding Rules
DSA / Digital Signature Algorithm - an algorithm for public-key cryptography
DSI / Digital Service Infrastructure (CEF)
DSS / Digital Signature Service
EC / European Commission
eID / Electronic Identity Card
EJB / Enterprise Java Beans
ESI / Electronic Signatures and Infrastructures
ETSI / European Telecommunications Standards Institute
EUPL / European Union Public License
FAT / Factory Acceptance Testing
FSF / Free Software Foundation
GS / Generic Service (CEF)
GUI / Graphical User Interface
HSM / Hardware Security Module
HTTP / Hypertext Transfer Protocol
I18N / Internationalisation
iText / An open source library for creating and manipulating PDF documents: http://itextpdf.com/
Java EE / Java Enterprise Edition
JavaDoc / Tool developed by Sun Microsystems that generates API documentation in HTML format from the comments in the source code; the industry standard for documenting Java classes.
JAXB / Java Architecture for XML Binding
JCA / Java Cryptographic Architecture
JCE / Java Cryptography Extension
JDBC / Java DataBase Connectivity
LGPL / Lesser General Public License
LOTL / List of Trusted Lists (also called List of the Lists)
LSP / Large Scale Pilot
MIT / Massachusetts Institute of Technology
MOCCA / Austrian Modular Open Citizen Card Architecture; implemented in Java
MS / EUMS / Member State
MS CAPI / Microsoft Cryptographic Application Programming Interface
OCF / OEBPS Container Format
OCSP / Online Certificate Status Protocol
ODF / Open Document Format
ODT / Open Document Text
OEBPS / Open eBook Publication Structure
OID / Object Identifier
OOXML / Office Open XML
OSI / Open Source Initiative
OSS / Open Source Software
PAdES / PDF Advanced Electronic Signatures
PAO / Project and Architecture Office (CEF)
PC/SC / Personal computer/Smart Card
PDF / Portable Document Format
PDFBox / Apache PDFBox - A Java PDF Library: http://pdfbox.apache.org/
PKCS / Public Key Cryptographic Standards
PKCS#12 / Defines a file format commonly used to store an X.509 private key together with its public key certificate(s), protected by password-based symmetric encryption
PKIX / Internet X.509 Public Key Infrastructure
RSA / Rivest Shamir Adleman - an algorithm for public-key cryptography
SCA / Signature Creation Application
SCD / Signature Creation Device
SME / Subject Matter Expert
SMO / Stakeholder Management Office (CEF)
SOAP / Simple Object Access Protocol
SSCD / Secure Signature-Creation Device
SVA / Signature Validation Application
TL / Trusted List
TLManager / Application for managing trusted lists.
TSA / Time Stamping Authority
TSL / Trust-service Status List
TSP / Time Stamp Protocol
TSP / Trusted Service Provider
TST / Time-Stamp Token
UAT / User Acceptance Testing
UCF / Universal Container Format
URI / Uniform Resource Identifier
WP / Work Package
WSDL / Web Services Description Language
WYSIWYS / What you see is what you sign
XAdES / XML Advanced Electronic Signatures
XML / Extensible Markup Language
ZIP / File format used for data compression and archiving



TABLE OF CONTENTS

Reference and Applicable Documents 4

1 Introduction 10

1.1 Purpose of the Document 10

1.2 Scope of the Document 10

1.3 Intended Audience 10

2 General Framework Structure 11

3 Signature’s Profile simplification 14

4 The XML Signature (XAdES) 15

4.1 XAdES Profiles 15

4.1.1 XAdES-BASELINE-B 15

4.1.1.1 Signing process 18

4.1.1.2 Additional attributes 19

4.1.1.3 Handling signature policy 22

4.1.2 XAdES-BASELINE-T 25

4.1.2.1 Use of online TSP source 26

4.1.3 XAdES-BASELINE-LT 28

4.1.4 XAdES-BASELINE-LTA 30

4.2 Various settings 31

4.2.1 Trust anchor inclusion policy 31

4.3 Multiple signatures 31

4.4 The XML Signature Extension (XAdES) 32

4.5 XAdES-BASELINE-T 32

4.6 XAdES-BASELINE-LT and -LTA 34

4.7 XAdES and specific schema version 34

5 The Signature Validation 35

5.1 Validation Process 35

5.2 EU Trusted Lists of Certification Service Providers 39

5.3 Validation Result Materials 39

5.3.1 Simple Report 40

5.3.2 Detailed Report 40

5.3.3 Diagnostic Data 41

5.4 Customised Validation Policy 44

5.5 Structural signature validation 47

6 CAdES Signature and Validation 48

7 PAdES Signature and Validation 50

7.1 PAdES Visible Signature 52

8 ASiC Signature and Validation 55

9 Management of Signature Tokens 58

9.1 PKCS#11 58

9.2 PKCS#12 59

9.3 MS CAPI 60

9.4 Other Implementations 61

10 Management of Certificates Sources 66

11 Management of CRL and OCSP Sources 68

11.1 Other implementations of CRL and OCSP Sources 68

12 TSP Sources 71

13 WEB SERVICES 72

13.1 Available SOAP services: 72

13.1 SignatureService 72

13.2 ValidationService 76

14 How to check a simple certificate 78

15 Validation of non ADES signatures 81

16 Handling the Scope of the signature 82

17 TESTING facility classes 83

· Mock CRL Sources 83

· Mock OCSP Sources 83

· AlwaysValidOCSPSource 83

· MockTSLCertificateSource 83

· MockTSPSource 83

18 Accessing a standard Java KeyStore 84

18.1 JavaKeyStore 84

18.2 Signing „Application“ 85

18.3 Root class „Cookbook“ 87

TABLE OF FIGURES

Figure 1: Signature Validation Process Scheme (source: [ETSI TS 102 853]) 35

Figure 2: Pkcs11SignatureToken interface 58

Figure 3: Pkcs12SignatureToken interface 59

Figure 4: MSCAPISignatureToken interface 60

Figure 5: Implementation of SignatureTokenConnection for Java 6 IO PC/SC 62

Figure 6: CertificateSource interface (not trusted part) 67

Figure 7: CertificateSource interface (trusted part) 67

Figure 8: CRLSource interface 69

Figure 9: OCSPSource interface 70

Figure 10: SignatureScope default specializations 82

Figure 11: SignatureScopeFinder and its specializations 82

Figure 12: SignatureScopeFinderFactory class 82

TABLE OF CODE

Code 1: src\main\resources\xml_example.xml 15

Code 2: cookbook.example.sign.SignXmlXadesB.java 17

Code 3: cookbook.example.signXmlXadesBProperties.java 20

Code 4: cookbook.example.sign.SignXmlXadesBAllDataObjectsTimestamp.java 22

Code 5: cookbook.example.sign.SignXmlXadesBImplicitPolicy.java 23

Code 6: cookbook.example.sign.SignXmlXadesBExplicitPolicy.java 24

Code 7: cookbook.example.sign.SignXmlXadesT.java 26

Code 8: cookbook.example.sign.SignXmlXadesTWithOnlineSource.java 27

Code 9: cookbook.example.Sign.SignXmlXadesLT.java 29

Code 10: cookbook.example.sign.CountersignXmlXadesB.java 32

Code 11: cookbook.example.sign.ExtendSignXmlXadesBToT.java 33

Code 12: cookbook.example.validate.ValidateSignedXmlXadesB.java 37

Code 13: cookbook.example.validate.ValidateXmlXadesLTWithOnlineSources.java 38

Code 14: cookbook.example.validate.ValidateSignedXmlXadesBWithCustomPolicy.java 46

Code 15: cookbook.example.sign.SignXmlCadesB.java 49

Code 16: cookbook.example.sign.SignPdfPadesB.java 51

Code 17: cookbook.example.sign.SignPdfPadesBVisible.java 54

Code 18: cookbook.example.sign.SignPdfAsicB.java 56

Code 19: cookbook.example.sign.SignXmlXadesBWithMSCAPI.java 61

Code 20: cookbook.example.sign.EidNativeSignatureTokenConnection.java 63

Code 21: cookbook.example.sources.EidPrivateKeyEntry.java 64

Code 22: cookbook.example.sources.AppletView.java 65

Code 23: cookbook.example.sources.InitOnlineTSPSource.java 71

Code 24: cookbook.example.sign.SignWithWS.java 76

Code 25: cookbook.example.sources.CheckCertificate.java 79

Code 26: Constraint file for non AdES signature validation 81

Code 27: Example of the Java code to validate non AdES signature 81

Code 28: Example of the simple (non AdES) XML signature 81

Code 29: Example of the Simple Report associated to the non AdES signature 81

Code 30: XSD description of the signature scope 82

Code 31: cookbook.example.sources.JavaKeyStoreTool.java 85

Code 32: cookbook.example.sign.SigningApplication.java 86

Code 33: cookbook.example.Cookbook.java 88

1  Introduction

1.1  Purpose of the Document

This document presents examples of how to develop in Java with the DSS framework. The aim is to show developers the different uses of the framework in a progressive manner, familiarising them with the code step by step.

1.2  Scope of the Document

This document provides code examples that make the handling of digital signatures straightforward. The examples are consistent with Release 4.4.RC1 of the SD-DSS framework, which can be downloaded from https://joinup.ec.europa.eu/software/sd-dss/release/all.

Three main features can be distinguished within the framework:

·  The digital signature;