Professional Documents
Culture Documents
XMLSec Project
Zdravko Danailov
Krassen Deltchev
Email: nqkoi_ot_bg@yahoo.com Email: Krassen.Deltchev@rub.de
Project thesis
at
Chair for Network and Data Security
Prof. Dr. Jrg Schwenk
advised through Dipl.Ing. Lijun Liao
22.05.2007
Abstract
XML Advanced Electronic Signature (XAdES) provides basic authentication and integrity protection, and
satisfies the legal requirements for advanced electronic signatures.There are several implementations of
XAdES, but most of them are not OpenSource, or are partialy proprietary software. Great project concerned
with Digital Electronic Signatures is the OpenSource Apache XML Security Project. For the developer and
common user there is an implementation for the XMLDSIG specification, but still no one for XAdES.
The free source code implemetations of XAdES threat this project as a separate one and there is no interface,
which can explicit assemble them into the Apache XML Sec. Thats why, the scope of our project is to create
a library, that implements XAdES into the OpenSource Apache XML Security- to extend its functionality
and level of security, so using the Apache XML Sec, gives the opportunity to handle Advanced Electronic
Signatures, which is a standard of security nowadays.
The library is developed in Java, because shouldnt be any kind of OS platform - dependencies, using it as a
plug-in to the Security Project of Apache.
More detailed, to validate the signing and verifying of signatures, and also test our code, we use the textbased test suite of JUnit.
Acknowledgements
We want to express our gratitude to our families and friends, who gave their moral support all the time
and contributed for the better working atmosphere.
To Dipl.Ing. Lijun Liao, we want to thank for the technical input and support.
ii
Contents
1 Introduction
1.1 Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 Related works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1
1
2
2 Background
2.1 Definitions and Abbreviations . . . . . . . . . . . . .
2.2 XML . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3 XML Advanced Electronic Signature Data Structures .
2.3.1 XML Signature . . . . . . . . . . . . . . . . .
2.3.2 XAdES- XML Advanced Electronic Signature
.
.
.
.
.
4
4
5
6
6
8
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
10
10
12
14
16
17
19
21
23
24
25
30
31
34
37
39
40
41
4 Datatypes
4.1 The ObjectIdentifierType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.2 The EncapsulatedPKIDataType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3 The TimeStampType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
42
42
44
45
5 Conclusion
47
6 Authors addresses
48
7 Bibliography
49
3 XAdES Elements
3.1 Overview . . . . . . . . . . . . . . . . . . . .
3.2 QualifyingProperties . . . . . . . . . . . . . .
3.3 SignedProperties . . . . . . . . . . . . . . . .
3.4 UnsignedProperties . . . . . . . . . . . . . . .
3.5 SignedSignatureProperties . . . . . . . . . . .
3.6 SignedDataObjectProperties . . . . . . . . . .
3.7 UnsignedSignatureProperties . . . . . . . . . .
3.8 The SigningTime element . . . . . . . . . . . .
3.9 The SigningCertificate element . . . . . . . . .
3.10 The SignaturePolicyIdentifier element . . . . .
3.11 The SignatureProductionPlace element . . . . .
3.12 The SignerRole element . . . . . . . . . . . .
3.13 The DataObjectFormat element . . . . . . . . .
3.14 The CommitmentTypeIndication element . . .
3.15 The AllDataObjectsTimeStamp element . . . .
3.16 The IndividualDataObjectsTimeStamp element
3.17 The CounterSignature element . . . . . . . . .
A Appendix - XAdES
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
iii
B Appendix - XAdES-BES
iv
vi
D Appendix - Screenshots
xi
iv
List of Figures
2.1
2.2
2.3
2.4
XMLDSIG Specification . . . . . . . .
XMLDSIG example . . . . . . . . . . .
Advanced Electronic Signature(XAdES)
XAdES Specification . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
6
7
8
9
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
3.14
3.15
3.16
3.17
3.18
3.19
3.20
3.21
3.22
3.23
3.24
3.25
3.26
3.27
3.28
3.29
3.30
3.31
3.32
3.33
3.34
3.35
3.36
QualifyingProperties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Method setSignedProperties . . . . . . . . . . . . . . . . . . . . . . . . . .
Method setUnsignedProperties . . . . . . . . . . . . . . . . . . . . . . . . .
Method setTarget . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SignedProperties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Methods setSignedSignatureProperties, setSignedDataObjectProperties . . .
UnsignedProperties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Method setUnsignedSignatureProperties . . . . . . . . . . . . . . . . . . . .
Method setUnsignedDataObjectProperties . . . . . . . . . . . . . . . . . . .
SignedSignatureProperties . . . . . . . . . . . . . . . . . . . . . . . . . . .
Contructor SignedSignatureProperties . . . . . . . . . . . . . . . . . . . . .
SignedDataObjectProperties . . . . . . . . . . . . . . . . . . . . . . . . . .
Methods setCommitmentTypeIndication, setDataObjectFormat . . . . . . . .
Methods setAllDataObjectsTimeStamp, setIndividualDataObjectsTimeStamp
UnsignedSignatureProperties . . . . . . . . . . . . . . . . . . . . . . . . . .
Method setCounterSignature . . . . . . . . . . . . . . . . . . . . . . . . . .
SigningTime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Constructor SigningTime . . . . . . . . . . . . . . . . . . . . . . . . . . . .
SigningCertificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Method setSigningCertificate . . . . . . . . . . . . . . . . . . . . . . . . . .
SignaturePolicyIdentifier . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Method setSignaturePolicyId . . . . . . . . . . . . . . . . . . . . . . . . . .
Methods setSigPolicyId, setSigPolicyHash . . . . . . . . . . . . . . . . . . .
Methods setTransforms1, setSigPolicyQualifiers . . . . . . . . . . . . . . . .
Method setSigPolicyQualifiers . . . . . . . . . . . . . . . . . . . . . . . . .
SignatureProductionPlace . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Methods: setStateOrProvince, setCity . . . . . . . . . . . . . . . . . . . . .
Methods: setPostalCode, setCountryName . . . . . . . . . . . . . . . . . . .
SignerRole . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Methods: setClaimedRoles, setCertifiedRoles . . . . . . . . . . . . . . . . .
Constructor CertifiedRolesList . . . . . . . . . . . . . . . . . . . . . . . . .
Constructor ClaimedRolesList . . . . . . . . . . . . . . . . . . . . . . . . .
DataObjectFormat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Method setDescription . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Method setObjectIdentifier . . . . . . . . . . . . . . . . . . . . . . . . . . .
Method setMimeType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
12
12
13
13
14
15
16
16
17
17
19
20
20
21
22
22
23
23
24
25
26
27
27
28
29
30
30
31
32
32
33
33
34
34
35
35
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
3.37
3.38
3.39
3.40
3.41
3.42
3.43
3.44
3.45
3.46
Method setEncoding . . . . . . . . . . . . .
Method setObjectReference attribite . . . . .
CommitmentTypeIndication . . . . . . . . .
Constructor CommitmentTypeIndication . . .
Method setCommitmentTypeQualifier . . . .
AllDataObjectsTimeStamp . . . . . . . . . .
Method setAllDataObjectsTimeStamp . . . .
IndividualDataObjectsTimeStamp . . . . . .
Method setIndividualDataObjectsTimeStamp
CounterSignature . . . . . . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
35
36
37
38
38
39
39
40
40
41
4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
ObjectIdentifierType . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
IdentifierType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
DocumentationReferencesType . . . . . . . . . . . . . . . . . . . . . . . .
Methods setIdentifier, setDescription, setDocumentationReferences . . . .
EncapsulatedPKIDataType . . . . . . . . . . . . . . . . . . . . . . . . . .
Method setID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
TimeStampType . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Method setHashDataInfo, setEncapsulatedTimeStamp, setXMLTimeStamp
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
42
42
43
43
44
45
46
46
vi
List of Tables
2.1
2.2
2.3
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4
5
6
A.1 XAdES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
iii
B.1 XAdES-BES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
vii
1 Introduction
The XML Signature is a method of associating a key with referenced data (octets); it does not normatively
specify how keys are associated with persons or institutions, nor the meaning of the data, being referenced
and signed.
The main goal of our project is to build a library, which extends the Apache XML Security Project, to
meet the XAdES specification, so that the user shall be able to create advanced electronic signatures and be
able to validate them.
The XAdES (XML Advanced Electronic Signature) specification is sophisticated and there are strong
hierarchies among the different XML elements. Every one of them is discussed in separated sections of this
thesis(in chapter 3 and chapter 4), where the reader gets an overview on the XML notation, regarding every
specific XAdES element, associated with Java code samples: important constructors, variables, constants;
and at last, but not at least a pointer to the JUnit test, which verifies the right execution of the code in the
library, regarding this particular XAdES element.
The XAdES specification is extended by the: XAdES-T, XAdES-C, XAdES-X, XAdES-X-L, XAdES-A;
we describe in this thesis only the implemented specifications in our project library of XAdES and XAdESBES (Basic Electronic Signature).
We concentrate only on the creation and verification of electronic signatures, which are valid, requiring
only one signer party; therefore, neither independent (parallel signers, without ordering requirement), nor
embedded (multiple party signers with signer ordering requirement) digital signatures (such as: contracts,
signed between two parties) are described in this work, or find implementation in this version of our project.
1.1 Tools
In this section we will specify the necessary tools and mention some requirements, which are obligatory for
the use, execution and further development of this project.
1. Tools for development:
- Java Development Kit (at least version 1.5)1
- IBM Eclipse IDE2
- JUnit 3.8.1(Plug-In for Eclipse)3
2. Tools for the common user:
- Java Runtime Environment (at least version 1.5)4
NOTE: We cannot test the functionality of this project and especially of our library with a lower
version of JUnit, because there are no such ones available.
1
http://java.sun.com/
http://www.eclipse.org/
NOTE: you can use also the Apache Ant toolkit, instead of Eclipsehttp://ant.apache.org/
3
http://www.junit.org/index.htm
4
http://java.sun.com/
2
2 Background
For the better understanding of this thesis and the goal of our library, we shall specify some basic terms and
expound the essence of the main Building Blocks.
Repository Authorities
Signer
Time-Stamping Authorities
Time-Marking Authorities
Trusted Service Providers
Verifier
Definition
entity that arbitrates in disputes between a signer and a
verifier
provide users with attributes linked to public key certificates
provide users with public key certificates
allow the identification and registration of entities before
a CA generates certificates
publish CRLs issued by CAs, signature policies issued by
signature policy issuers and optionally public key certificates
define the technical and procedural requirements for electronic signature creation and validation, in order to meet a
particular business need
entity that creates the electronic signature
attest that some data object was formed before a given
trusted time
record that some data was formed before a given trusted
time
one or more entities that help to build trust relationships
between the signer and verifier
entity that verifies the electronic signature
Table 2.1: Definitions
Term
Attribute Certificate
Certification Authority
Cryptographic Message Syntax
Certificate Revocation List
Document Type Definition
Electronic Signature
Hyper Text Transfer Protocol
Online Certificate Status Protocol
Object IDentifier
Public Key Certificate
Time-Stamping Authorities
Trusted Service Providers
Time Stamping Unit
Uniform Resource Identifier
Uniform Resource Name
XML Advanced Electronic Signature
XAdES Archiving validation data
XAdES Basic Electronic Signature
XAdES Complete validation data
XAdES Explicit Policy based Electronic Signature
XAdES with Time-stamp
XAdES eXtended validation data
eXtensible Markup Language
eXtensible Markup Language Digital
SIGnature
eXtensible Stylesheet Language
eXtensible Stylesheet Language
Transformations
Abbreviation
AC
CA
CMS
CRL
DTD
ES
HTTP
OCSP
OID
PKC
TSA
TSP
TSU
URI
URN
XAdES
XAdES-A
XAdES-BES
XAdES-C
XAdES-EPES
XAdES-T
XAdES-X
XML
XMLDSIG
XSL
XSLT
2.2 XML
As mentioned above XML [XML][XML-schema-part-1][XML-schema-part-2] is the abbreviation for eXtensible Markup Language. Its main purpose is to facilitate the sharing of data across different information systems, particularly via the Internet. By adding semantic constraints, application languages such as
XHTML, RSS, MathML, GraphML, Scalable Vector Graphics, can be implemented in XML. Moreover,
XML is sometimes used as the specification language for such application languages.
XML is recommended by the World Wide Web Consortium (W3C). It is a fee-free open standard. The
W3C recommendation specifies both the lexical grammar, and the requirements for parsing.
File extension
Uniform Type
MIME type
Developed by
Type of format
Markup language
Extended from
SGML
Extended to
Standard(s)
Signatures are related to data objects via URIs. Within an XML document, signatures are related to local
data objects via fragment identifiers. Such local data can be included within an enveloping signature or
can enclose an enveloped signature. Detached signatures are over external network resources or local data
objects that reside within the same XML document as sibling elements; in this case, the signature is neither
enveloping (signature is parent) nor enveloped attribute (signature is child). Since a Signature element (and
its Id value/name) may co-exist or be combined with other elements (and their IDs) within a single XML
document, care should be taken in choosing names such that there are no subsequent collisions that violate
the ID uniqueness validity constraint.
The following example is a detached signature of the content of the HTML4.01 in XML specification.
The required SignedInfo element is the information that is actually signed. Core validation of SignedInfo
consists of two mandatory processes: validation of the signature over SignedInfo and validation of each
Reference digest within SignedInfo. Note that the algorithms used in calculating the SignatureValue are
also included in the signed information while the SignatureValue element is outside SignedInfo.
The CanonicalizationMethod is the algorithm that is used to canonicalize the SignedInfo element before
it is digested as part of the signature operation. Note that the example in Figure 2.2 , as well as all examples
in this specification, are not in canonical form.
The XML Advanced Electronic Signature (XAdES)- its format is the one defined in [XMLDSIG] with
the addition of signed properties (SigningTime, SigningCertificate, SignaturePolicyIdentifier, SignatureProductionPlace, SignerRole, AllDataObjectsTimeStamp, IndividualDataObjectsTimeStamp, DataObjectFormat and CommitmentTypeIndication) and unsigned properties (CounterSignature) (where "?" denotes zero
or one occurrence; "+" denotes one or more occurrences; and "*" denotes zero or more occurrences):
XMLDSIG
|
< d s : S i g n a t u r e ID ? > + +
<ds:SignedInfo>
|
|
<ds:CanonicalizationMethod />
|
|
<ds:SignatureMethod / >
|
|
( < d s : R e f e r e n c e URI? >
|
|
(<ds:Transforms>)?
|
|
<ds:DigestMethod>
|
|
<ds:DigestValue>
|
|
< / d s : R e f e r e n c e >)+
|
|
</ ds:SignedInfo>
|
|
<ds:SignatureValue>
|
|
( < d s : K e y I n f o >)? +
|
|
<ds:Object>
|
|
<QualifyingProperties>
|
|
<SignedProperties>
|
|
<SignedSignatureProperties>
|
( SigningTime )
|
( SigningCertificate )
|
( SignaturePolicyIdentifier )
|
( SignatureProductionPlace )?
|
( SignerRole )?
|
</ SignedSignatureProperties>
|
|
<SignedDataObjectProperties>
|
( DataObjectFormat )
|
( CommitmentTypeIndication )
|
( AllDataObjectsTimeStamp )
|
( IndividualDataObjectsTimeStamp )
|
</ SignedDataObjectProperties>
|
|
</ SignedProperties>
|
|
<UnsignedProperties>
|
|
<UnsignedSignatureProperties>
|
( CounterSignature )
|
</ UnsignedSignatureProperties>
|
|
</ UnsignedProperties>
|
|
</ QualifyingProperties>
|
|
</ ds:Object>
|
|
< / d s : S i g n a t u r e > +
|
XAdES
3 XAdES Elements
3.1 Overview
The reader shall understand that, there are several requirements for the sake of the proper run of the project
library. The original OpenSource Apache XML Security Project can be found at:
http://santuario.apache.org/Java/index.html , where the developer can find the source and binary packages (
http://xml.apache.org/security/dist/ ) and important installation notes(
http://santuario.apache.org/Java/installation.html) Our project library is tested on the former version of the
Apache XMLSec Project- v1.3.0. Furthermore, the Apache Project is created as an Eclipse Java Project
and we use Sun JDK 1.5.0_11. For the reader concerned, regarding the implementation of the Project, using
JDK 1.4.x (only Windows NT 4.0 and old Unix-based distributions with kernel 2.4.x) please refer to the
installation site of the project. The developer must be aware of the following facts:
Copy all files from xml-security-bin-1_3_0/xml-security-1_3_0/libs to the xml-security-src-1_3_0/
xml-security-1_3_0/libs, so the Apache XMLSec Project( xml-security-src-1_3_0) can be loaded as
a standard Eclipse Java Project and properly run,
In the new Eclipse Java Project load the JUnit 3.8.1 library, so the XAdES JUnit tests can be executed.
We didnt test our project library with the current version of JUnit namely version 4.1.
We decided to separate the XAdES library package (.../xml-security-src-1_3_0/xml-security-src-1_3_0/
xml-security-1_3_0/src-xades/ ) in the following sub-packages:
.../input/ - where the Java Keystore data is specified;
.../doc/- where the JavaDoc shall be found,
.../org/apache/xml/security/xades/ - where the user can find the source code of our XAdES library;
the following Java classes are important for the discussion in this introduction to the thesis:
QualifyingProperties- the fundamental XAdES element, which embeds all qualifying
properties of an Advanced XML Signature; The QualifyingProperties is a child element
of Object (one of the four base XAdES elements-SignedInfo, SignatureValue,
KeyInfo and Object); if we regret the use of the Object element, then an Advanced
Electronic Signature cannot be built, because the other sub-elements: SignedInfo,
SignatureValue, KeyInfo in their selves do not fulfill completely the XAdES specification ,
Constants- all used constants for the different types of elements/attributes, namespaces, algorithms descriptions are defined,
.../org/apache/xml/security/xades/sp- the SignedProperties XAdES element and its subelements ( conform to the XMLDSIG notation) are specified,
.../org/apache/xml/security/xades/up- the user shall find all the classes, which describe the basic
child-element UnsignedProperties( of the QualifyingProperties) and its sub-elements,
which are optional( see further)
10
11
3.2 QualifyingProperties
The basic element of Object is the QualifyingProperties element, which contains the whole qualifying information for the Advanced Electronic Signature. This element has the following structure:
< x s d : e l e m e n t name= " Q u a l i f y i n g P r o p e r t i e s "
type =" Q u a l i f y i n g P r o p e r t i e s T y p e " / >
< x s d : c o m p l e x T y p e name= " Q u a l i f y i n g P r o p e r t i e s T y p e " >
<xsd:sequence>
< x s d : e l e m e n t name= " S i g n e d P r o p e r t i e s " t y p e = " S i g n e d P r o p e r t i e s T y p e "
minOccurs=" 0 " / >
< x s d : e l e m e n t name= " U n s i g n e d P r o p e r t i e s " t y p e = " U n s i g n e d P r o p e r t i e s T y p e "
minOccurs=" 0 " / >
</ xsd:sequence>
< x s d : a t t r i b u t e name= " T a r g e t " t y p e = " x s d : a n y U R I " u s e = " r e q u i r e d " / >
< x s d : a t t r i b u t e name= " I d " t y p e = " x s d : I D " u s e = " o p t i o n a l " / >
< / xsd:complexType>
1
2
3
4
5
6
7
8
9
10
11
12
/
Method s e t S i g n e d P r o p e r t i e s
@param s p
/
public void s e t S i g n e d P r o p e r t i e s ( S i g n e d P r o p e r t i e s sp ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( s p ! = n u l l ) )
{
t h i s . _ c o n s t r u c t i o n E l e m e n t . appendChild ( sp . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
http://www.w3.org/TR/XAdES/
12
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Method s e t U n s i g n e d P r o p e r t i e s
@param u s p
/
publ ic void s e t U n s i g n e d P r o p e r t i e s ( U n s i g n e d P r o p e r t i e s usp )
{
if
( ( t h i s . _ s t a t e == MODE_SIGN)&& ( u s p ! = n u l l ) )
{
t h i s . _ c o n s t r u c t i o n E l e m e n t . appendChild ( usp . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
/
S e t s t h e <code >T a r g e t </ code > a t t r i b u t e
@param T a r g e t ( anyURI )
@throws I l l e g a l A r g u m e n t E x c e p t i o n b e c a u s e o f " u s e= r e q u i r e d "
/
public void s e t T a r g e t ( S t r i n g Target ) {
i f ( T a r g e t == n u l l ) { throw new
IllegalArgumentException ( " Target Attibute is required ! " ) ;
}
e l s e i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( T a r g e t ! = n u l l ) ) {
this . _constructionElement . setAttributeNS
( n u l l , C o n s t a n t s . _ATT_TARGET , T a r g e t ) ;
}
}
13
The Target Attribute, as we already mentioned above, is a required one. Within a set-Method two
general cases are tested:
1. First of all, whether this attribute is an empty one (which is forbidden), so an IllegalArgumentException should be executed with the relevant message.
1
2
3
4
i f ( T a r g e t == n u l l } ) {
throw b f new I l l e g a l A r g u m e n t E x c e p t i o n ( " T a r g e t A t t i b u t e i s
required ! " );
}
2. Second of all, whether the present state of the signature-creation is -"Signing Mode"((this._state ==
MODE_SIGN)), and whether the attribute is not an empty one((Target != null));
At the end, we shall mention this requirement of the Target attribute, as a test-case (JUnit test), which is
implemented in our project library as a JUnit negative test ("testNeg_QP_Target_required"), refers to class
JUtests in the package org.apache.xml.security.xades.tests.
3.3 SignedProperties
The SignedProperties has two elements - SignedSignatureProperties and
SignedDataObjectProperties. The SignedSignatureProperties element is required and
must occur only once within the SignedProperties.
The other sub-element of the SignedProperties, SignedDataObjectProperties, is optional
and contains elements that can appear one or more than once in the XML signature, which is good illustrated
in our JUnit tests.
The schema definition of SignedProperties element as it follows:
< x s d : e l e m e n t name= " S i g n e d P r o p e r t i e s " t y p e = " S i g n e d P r o p e r t i e s T y p e " / >
< x s d : c o m p l e x T y p e name= " S i g n e d P r o p e r t i e s T y p e " >
<xsd:sequence>
< x s d : e l e m e n t name= " S i g n e d S i g n a t u r e P r o p e r t i e s "
type =" S i g n e d S i g n a t u r e P r o p e r t i e s T y p e " / >
< x s d : e l e m e n t name= " S i g n e d D a t a O b j e c t P r o p e r t i e s "
t y p e =" S i g n e d D a t a O b j e c t P r o p e r t i e s T y p e " minOccurs=" 0 " / >
</ xsd:sequence>
< x s d : a t t r i b u t e name= " I d " t y p e = " x s d : I D " u s e = " o p t i o n a l " / >
< / xsd:complexType>
14
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
/
Method s e t S i g n e d S i g n a t u r e P r o p e r t i e s
@param s s p
/
public void s e t S i g n e d S i g n a t u r e P r o p e r t i e s ( S i g n e d S i g n a t u r e P r o p e r t i e s ssp ) {
i f ( s s p == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n (
" S i g n e d S i g n a t u r e P r o p e r t i e s Element i s r e q u i r e d ! " ) ;
}
e l s e i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( s s p ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( ssp . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
16
17
18
19
20
21
22
23
24
25
26
27
/
Method s e t S i g n e d D a t a O b j e c t P r o p e r t i e s
@param s d o p
/
p u b l i c void s e t S i g n e d D a t a O b j e c t P r o p e r t i e s ( S i g n e d D a t a O b j e c t P r o p e r t i e s sdop ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( s d o p ! = n u l l ) ) {
t h i s . _ c o n s t r u c t i o n E l e m e n t . appendChild ( sdop . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
1
2
3
4
i f ( s s p == n u l l } {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " S i g n e d S i g n a t u r e P r o p e r t i e s E l e m e n t i s
required ! " );
}
15
3.4 UnsignedProperties
The UnsignedProperties element and its sub-elements are not signed by the [XMLDSIG] signature.
They are divided on *SignatureProperties and *DataObjectProperties just like the
SignedProperties.
In this case we can make a reference to the UnsignedProperties element using the optional Id
attribute.
The two child-elements - UnsignedSignatureProperties and
UnsignedDataObjectProperties, are created using a set-Method. Because of their occurrence, it
is necessary to define the following conditions:
1. It should not be proved, whether the present state of the signature creation is -"Signing Mode"
((this._state == MODE_SIGN)), because the UnsignedProperties element consists of "children", that are not signed by the XMLDSIG signature;
2. So it appears only one condition to be proved, whether the XML-element
(UnsignedSignatureProperties, UnsignedDataObjectProperties) is not an empty
one((ussp != null)or (usdop != null));
1
2
3
4
5
6
7
8
9
10
11
/
Method s e t U n s i g n e d S i g n a t u r e P r o p e r t i e s
@param u s s p
/
public void s e t U n s i g n e d S i g n a t u r e P r o p e r t i e s ( U n s i g n e d S i g n a t u r e P r o p e r t i e s ussp ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( u s s p ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( ussp . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
16
1
2
3
4
5
6
7
8
9
10
11
/
Method s e t U n s i g n e d D a t a O b j e c t P r o p e r t i e s
@param u s d o p
/
p u b l i c void s e t U n s i g n e d D a t a O b j e c t P r o p e r t i e s ( U n s i g n e d D a t a O b j e c t P r o p e r t i e s usdop ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( u s s p ! = n u l l ) ) {
t h i s . _ c o n s t r u c t i o n E l e m e n t . appendChild ( usdop . get El eme nt ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
3.5 SignedSignatureProperties
The SignedSignatureProperties has three required Elements (SigningTime,
SigningCertificate, SignaturePolicyIdentifier) and two optional ones
(SignatureProductionPlace, SignerRole).The XAdES-BES specification is applied through the
SigningTime, SigningCertificate, SignaturePolicyIdentifier elements.
The child-elements of the SignedSignatureProperties are added, using a constructor. As mentioned above, the SigningTime, SigningCertificate and
SignaturePolicyIdentifier elements are required. Thorough, their occurrence is tested: if one
of these obligatory elements is missing, an IllegalArgumentException should be executed with the relevant
message:
17
1
2
3
4
5
i f ( s i g n i n g t i m e == n u l l } | | ( s i g n i n g c e r t i f i c a t e == n u l l } | | (
s i g n a t u r e p o l i c y i d e n t i f i e r == n u l l )
{
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " Wrong E l e m e n t V a l u e ! " ) ;
}
18
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
/
Constructor SignedSignatureProperties
@param doc
@param s i g n i n g t i m e S i g n i n g T i m e
@param s i g n i n g c e r t i f i c a t e S i g n i n g C e r t i f i c a t e
@param s i g n a t u r e p o l i c y i d e n t i f i e r S i g n a t u r e P o l i c y I d e n t i f i e r
@param s i g n a t u r e p r o d u c t i o n p l a c e S i g n a t u r e P r o d u c t i o n P l a c e
@param s i g n e r r o l e S i g n e r R o l e
/
p u b l i c S i g n e d S i g n a t u r e P r o p e r t i e s ( Document doc , S i g n i n g T i m e s i g n i n g t i m e ,
SigningCertificate signingcertificate , SignaturePolicyIdentifier
signaturepolicyidentifier , SignatureProductionPlace
signatureproductionplace , SignerRole s i g n e r r o l e ) {
s u p e r ( doc ) ;
i f ( s i g n i n g t i m e == n u l l | | s i g n i n g c e r t i f i c a t e == n u l l | |
s i g n a t u r e p o l i c y i d e n t i f i e r == n u l l )
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " Wrong E l e m e n t V a l u e ! " ) ;
19
20
21
22
23
24
25
26
27
28
i f ( ( s i g n a t u r e p r o d u c t i o n p l a c e != n u l l ) {
t h i s . _constructionElement . appendChild ( s i g n a t u r e p r o d u c t i o n p l a c e . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
i f ( s i g n e r r o l e != n u l l ) {
t h i s . _constructionElement . appendChild ( s i g n e r r o l e . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
29
30
31
32
33
34
35
36
37
3.6 SignedDataObjectProperties
SignedDataObjectProperties contains sub- elements that qualify some of the signed data objects.
DataObjectFormat, CommitmentTypeIndication,
AllDataObjectsTimeStamp, IndividualDataObjectsTimeStamp can occur more than once
within the SignedDataObjectProperties elements.
All these properties qualify the signed data object after all the required transforms have been made.
19
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
/
Method s e t D a t a O b j e c t F o r m a t
@param d a t a o b j e c t f o r m a t
/
public void setDataObjectFormat ( DataObjectFormat d a t a o b j e c t f o r m a t ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( d a t a o b j e c t f o r m a t ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( d a t a o b j e c t f o r m a t . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
/
Method s e t C o m m i t m e n t T y p e I n d i c a t i o n
@param c o m m i t m e n t t y p e i n d i c a t i o n
/
public void setCommitmentTypeIndication ( CommitmentTypeIndication
commitmenttypeindication ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( c o m m i t m e n t t y p e i n d i c a t i o n ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( commitmenttypeindication . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
20
1
2
3
4
5
6
7
8
9
10
11
12
/
Method s e t A l l D a t a O b j e c t s T i m e S t a m p
@param a l l d a t a o b j e c t s t i m e s t a m p
/
public void setAllDataObjectsTimeStamp ( AllDataObjectsTimeStamp
alldataobjectstimestamp ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&&( a l l d a t a o b j e c t s t i m e s t a m p ! = n u l l ) )
{ t h i s . _constructionElement . appendChild ( a l l d a t a o b j e c t s t i m e s t a m p . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
/
Method s e t I n d i v i d u a l D a t a O b j e c t s T i m e S t a m p
@param i n d i v i d u a l d a t a o b j e c t s t i m e s t a m p
/
public void setIn dividual DataObje ctsTimeS tamp ( IndividualDataObjectsTimeStamp
individualdataobjectstimestamp ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( i n d i v i d u a l d a t a o b j e c t s t i m e s t a m p ! =
null )){
t h i s . _constructionElement . appendChild
( ind ivid uald ata obje ctst imes tamp . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
3.7 UnsignedSignatureProperties
The UnsignedSignatureProperties element contains CounterSignature,
SignatureTimeStamp, CompleteCertificateRefs, CompleteCertificateRefs,
SigAndRefsTimeStamp, RefsOnlyTimeStamp, CertificateValues,
RevocationValues, ArchiveTimeStamp. In our Project we will pay attention only to the
CounterSignature element, because of the structure of XAdES. This will be discussed more detailed
in section 3.17.
21
Only the CounterSignature element, using a set-Method, is specified, because the other sub-elements
of the UnsignedSignatureProperties are not included in the XAdES XML structure. Note, that
only the value of the element is tested, because the "children" of
UnsignedProperties element, are not signed by the XMLDSIG signature.
1
2
3
4
5
6
7
8
9
10
/
Method s e t C o u n t e r S i g n a t u r e
@param s i g n a t u r e
/
public void s e t C o u n t e r S i g n a t u r e ( C o u n t e r S i g n a t u r e
signature ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( s i g n a t u r e ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( s i g n a t u r e . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
22
1
2
3
4
5
6
7
8
9
10
/
Constructor SigningTime
@param doc
@param d a t e T i m e
/
p u b l i c S i g n i n g T i m e ( Document doc , D a t e d a t e T i m e ) {
s u p e r ( doc ) ;
t h i s . a d d T e x t ( toXMLDate ( d a t e T i m e ) . t o S t r i n g ( ) ) ;
}
The SigningTime is created using a specific constructor, with two variables doc and dateTime. For
this function we use the javax.xml.datatype.XMLGregorianCalendar and
java.util.GregorianCalendar libraries.
23
The SigningCertificate element is created using a set-Method, and because of its type is specified
as CertIDList ("(CertIDList SigningCertificate)").Again it is necessary to define the following conditions:
1. It should be proved, whether the present state of the signature creation is -"Signing Mode"
((this._state == MODE_SIGN));
2. And also, whether the XML-element (SigningCertificate) is not an empty one
((SigningCertificate!= null);
If any one of these both statements is not fulfilled, no SigningCertificate element would be created. This shall be illustrated in the next table:
24
1
2
3
4
5
6
7
8
9
10
11
/
Method s e t S i g n i n g C e r t i f i c a t e
@param S i g n i n g C e r t i f i c a t e
/
public void s e t S i g n i n g C e r t i f i c a t e ( C e r t I D L i s t S i g n i n g C e r t i f i c a t e ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( S i g n i n g C e r t i f i c a t e ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( S i g n i n g C e r t i f i c a t e . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
25
1
2
3
4
i f ( S i g n a t u r e P o l i c y I d == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " S i g n a t u r e P o l i c y I d E l e m e n t
is required ! " );
}
26
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
/
Method s e t S i g n a t u r e P o l i c y I d
@param S i g n a t u r e P o l i c y I d
/
public void s e t S i g n a t u r e P o l i c y I d ( S i g n a t u r e P o l i c y I d T y p e S i g n a t u r e P o l i c y I d ){
i f ( S i g n a t u r e P o l i c y I d == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " S i g n a t u r e P o l i c y I d E l e m e n t
is required ! " );
}
e l s e i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( S i g n a t u r e P o l i c y I d ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( S i g n a t u r e P o l i c y I d . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
/
Method s e t S i g P o l i c y I d
@param S i g P o l i c y I d
/
public void s e t S i g P o l i c y I d ( O b j e c t I d e n t i f i e r S i g P o l i c y I d ){
i f ( S i g P o l i c y I d == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " S i g P o l i c y I d E l e m e n t i s r e q u i r e d ! " ) ;
}
e l s e i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( S i g P o l i c y I d ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( SigPolicyId . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
14
15
16
17
18
19
20
21
22
23
24
25
26
27
/
Method s e t S i g P o l i c y H a s h
@param S i g P o l i c y H a s h
/
public void s e t S i g P o l i c y H a s h ( DigestAlgAndValue SigPolicyHash ){
i f ( S i g P o l i c y H a s h == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " S i g P o l i c y H a s h E l e m e n t i s r e q u i r e d ! " ) ;
}
else
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( S i g P o l i c y H a s h ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( SigPolicyHash . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
27
1
2
3
4
5
6
7
8
9
10
/
Method s e t T r a n s f o r m s 1
@param t r a n s f o r m s 1
/
public void setTransforms1 ( Transforms1 t r a n s f o r m s 1 ){
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( t r a n s f o r m s 1 ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( transforms1 . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
11
12
13
14
15
16
17
18
19
20
21
22
23
/
Method s e t S i g P o l i c y Q u a l i f i e r s
@param S i g P o l i c y Q u a l i f i e r s
/
public void s e t S i g P o l i c y Q u a l i f i e r s ( S i g P o l i c y Q u a l i f i e r s L i s t T y p e
S i g P o l i c y Q u a l i f i e r s ){
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( S i g P o l i c y Q u a l i f i e r s ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( S i g P o l i c y Q u a l i f i e r s . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
1
2
3
4
i f ( S i g P o l i c y I d == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " S i g P o l i c y I d E l e m e n t
is required ! " );
}
5
6
7
8
9
i f ( S i g P o l i c y H a s h == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " S i g P o l i c y H a s h E l e m e n t
is required ! " );
}
28
/
Method s e t S i g P o l i c y Q u a l i f i e r
@param S i g P o l i c y Q u a l i f i e r
/
public void s e t S i g P o l i c y Q u a l i f i e r ( S t r i n g S i g P o l i c y Q u a l i f i e r ){
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( S i g P o l i c y Q u a l i f i e r ! = n u l l ) ) {
this . addStringElement ( SigPolicyQualifier ,
C o n s t a n t s . _TAG_SIGPOLICYQUALIFIER ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
The child-element, which defines the format SigPolicyQualifiersListType SigPolicyQualifier is created using set-Method. Because of its occurrence, it is necessary to define
the following conditions:
1. It should be proved, whether the present state of the signature creation is -"Signing Mode"
((this._state == MODE_SIGN));
2. And also, whether the XML-element (SigPolicyQualifier) is not an empty one
((SigPolicyQualifier != null));
If any one of these both statements is not fulfilled, no child-element of
SigPolicyQualifiersListType would be created.
29
1
2
3
4
5
6
7
8
9
10
/
Method s e t C i t y
@param C i t y
/
public void s e t C i t y ( S t r i n g City ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( C i t y ! = n u l l ) ) {
t h i s . a d d S t r i n g E l e m e n t ( C i t y , C o n s t a n t s . _TAG_CITY ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
11
12
13
14
15
16
17
18
19
20
21
/
Method s e t S t a t e O r P r o v i n c e
@param S t a t e O r P r o v i n c e
/
public void s e t S t a t e O r P r o v i n c e ( S t r i n g S t a t e O r P r o v i n c e ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( S t a t e O r P r o v i n c e ! = n u l l ) ) {
t h i s . a d d S t r i n g E l e m e n t ( S t a t e O r P r o v i n c e , C o n s t a n t s . _TAG_STATEORPROVINCE ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
30
1
2
3
4
5
6
7
8
9
10
/
Method s e t P o s t a l C o d e
@param P o s t a l C o d e
/
public void s e t P o s t a l C o d e ( S t r i n g PostalCode ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( P o s t a l C o d e ! = n u l l ) ) {
t h i s . a d d S t r i n g E l e m e n t ( P o s t a l C o d e , C o n s t a n t s . _TAG_POSTALCODE ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
11
12
13
14
15
16
17
18
19
20
21
/
Method s e t C o u n t r y N a m e
@param CountryName
/
p u b l i c v o i d s e t C o u n t r y N a m e ( S t r i n g CountryName ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( CountryName ! = n u l l ) ) {
t h i s . a d d S t r i n g E l e m e n t ( CountryName , C o n s t a n t s . _TAG_COUNTRYNAME ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
31
The following java-Code fragments shall illustrate this XAdES - element in detail:
1
2
3
4
5
6
7
8
9
/ Method s e t C l a i m e d R o l e s
@param C l a i m e d R o l e s
/
public void setClaimedRoles ( ClaimedRolesList ClaimedRoles ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( C l a i m e d R o l e s ! = n u l l ) ) {
t h i s . _ c o n s t r u c t i o n E l e m e n t . appendChild ( ClaimedRoles . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
10
11
12
13
14
15
16
17
18
19
/ Method s e t C e r t i f i e d R o l e s
@param C e r t i f i e d R o l e s
/
public void s e t C e r t i f i e d R o l e s ( C e r t i f i e d R o l e s L i s t C e r t i f i e d R o l e s ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( C e r t i f i e d R o l e s ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( C e r t i f i e d R o l e s . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
32
The child-elements- ClaimedRoles and CertifiedRoles, are created using a set-Method. Because of their way of occurrence, it is necessary to define the following conditions:
1. It should be proved, whether the present state of the signature creation is -"Signing Mode"
((this._state == MODE_SIGN));
2. And also, whether the XML-element (ClaimedRoles, CertifiedRoles) is not an empty one
((ClaimedRoles != null), (CertifiedRoles != null);
If any one of these both statements is not fulfilled, no child-element of SignerRole would be created.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
/
Constructor CertifiedRolesList
@param doc
@param C e r t i f i e d R o l e E n c a p s u l a t e d P K I D a t a T y p e
/
p u b l i c C e r t i f i e d R o l e s L i s t ( Document doc , E n c a p s u l a t e d P K I D a t a T y p e
CertifiedRole ) {
s u p e r ( doc ) ;
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( C e r t i f i e d R o l e ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( C e r t i f i e d R o l e . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
/
Constructor ClaimedRolesList
@param doc
@param C l a i m e d R o l e
/
p u b l i c C l a i m e d R o l e s L i s t ( Document doc , S t r i n g C l a i m e d R o l e ) {
s u p e r ( doc ) ;
i f ( ClaimedRole != n u l l ) {
t h i s . a d d S t r i n g E l e m e n t ( C l a i m e d R o l e , C o n s t a n t s . _TAG_CLAIMEDROLE ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
33
1. It should be proved, whether the present state of the signature creation is -"Signing Mode"
((this._state == MODE_SIGN));
2. And also, whether the XML-element (CertifiedRole) is not an empty one
((CertifiedRole!= null));
If any one of these both statements is not fulfilled, no child-element of
CertifiedRolesListType would be created.
For the ClaimedRole element it should be proved only whether it is not an empty one ((ClaimedRole!=
null)).
1
2
3
4
5
6
7
8
9
10
11
/
Method s e t D e s c r i p t i o n
@param D e s c r i p t i o n
/
public void s e t D e s c r i p t i o n ( S t r i n g D e s c r i p t i o n ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( D e s c r i p t i o n ! = n u l l ) ) {
t h i s . a d d S t r i n g E l e m e n t ( D e s c r i p t i o n , C o n s t a n t s . _TAG_DESCRIPTION ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
34
1
2
3
4
5
6
7
8
9
10
11
/
Method s e t O b j e c t I d e n t i f i e r
@param o b j e c t I d e n t i f i e r
/
public void s e t O b j e c t I d e n t i f i e r ( O b j e c t I d e n t i f i e r o b j e c t I d e n t i f i e r ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( o b j e c t I d e n t i f i e r ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( o b j e c t I d e n t i f i e r . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
1
2
3
4
5
6
7
8
9
10
11
/
Method s e t M i m e T y p e
@param MimeType
/
p u b l i c v o i d setMimeType ( S t r i n g MimeType ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( MimeType ! = n u l l ) ) {
t h i s . a d d S t r i n g E l e m e n t ( MimeType , C o n s t a n t s . _TAG_MIMETYPE ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
1
2
3
4
5
6
7
8
9
10
11
/
Method s e t E n c o d i n g
@param E n c o d i n g
/
public void setEncoding ( S t r i n g Encoding ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( E n c o d i n g ! = n u l l ) ) {
t h i s . a d d S t r i n g E l e m e n t ( Encoding , C o n s t a n t s . _TAG_ENCODING ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
35
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
/
S e t s t h e <code > O b j e c t R e f e r e n c e </ code > a t t r i b u t e
@param O b j e c t R e f e r e n c e ( anyURI )
@throws I l l e g a l A r g u m e n t E x c e p t i o n b e c a u s e o f " u s e= r e q u i r e d "
/
public void s e t O b j e c t R e f e r e n c e ( S t r i n g ObjectReference ) {
i f ( O b j e c t R e f e r e n c e == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " O b j e c t R e f e r e n c e A t t i b u t e i s r e q u i r e d ! " ) ;
}
e l s e i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( O b j e c t R e f e r e n c e ! = n u l l ) ) {
this . _constructionElement . setAttributeNS (
n u l l , C o n s t a n t s . _ATT_OBJECTREFERENCE , O b j e c t R e f e r e n c e ) ;
}
}
1
2
3
i f ( O b j e c t R e f e r e n c e == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " O b j e c t R e f e r e n c e A t t i b u t e i s r e q u i r e d ! " ) ;
}
36
On the next page follows the java Constructor for the CommitmentTypeIndication XAdES element,
see Figure 3.41. The CommitmentTypeIndication element is created using a specific constructor. As
child-elements, which define the format CommitmentTypeIndicationType : CommitmentTypeId, AllSignedDataObjects and CommitmentTypeQualifiers, are added. Because of their occurrence, it is necessary to define the following condition:
whether the XML-element (CommitmentTypeId, AllSignedDataObjects,
CommitmentTypeQualifiers) is not an empty one ((CommitmentTypeId!= null), (AllSignedDataObjects!= null), (commitmentTypeQualifiers!= null)). If this statement is not fulfilled, no child-element of
CommitmentTypeIndicationType would be created. By the CommitmentTypeId element we use
the JUnit test to demonstrate the obligatorily occurrence, with other words: if this element does not exist, an
IllegalArgumentException should be executed with the relevant message:
1
2
3
4
i f ( CommitmentTypeId == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " CommitmentTypeId E l e m e n t
is required ! " );
}
37
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
/
Constructor CommitmentTypeIndication
@param doc
@param C o m m i t m e n t T y p e I d O b j e c t I d e n t i f i e r
@param c o m m i t m e n t T y p e Q u a l i f i e r s C o m m i t m e n t T y p e Q u a l i f i e r s L i s t
@param A l l S i g n e d D a t a O b j e c t s
/
p u b l i c C o m m i t m e n t T y p e I n d i c a t i o n ( Document doc , O b j e c t I d e n t i f i e r
CommitmentTypeId , A l l S i g n e d D a t a O b j e c t s A l l S i g n e d D a t a O b j e c t s ,
CommitmentTypeQualifiersList commitmentTypeQualifiers ) {
s u p e r ( doc ) ;
i f ( CommitmentTypeId == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " CommitmentTypeId e l e m e n t i s r e q u i r e d ! " ) ;
}
e l s e i f ( CommitmentTypeId ! = n u l l ) {
t h i s . _ c o n s t r u c t i o n E l e m e n t . a p p e n d C h i l d ( CommitmentTypeId . g e t E l e m e n t ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
i f ( A l l S i g n e d D a t a O b j e c t s != n u l l ) {
t h i s . _constructionElement . appendChild ( AllSignedDataObjects . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
i f ( c om m it me n tT yp e Qu al i fi er s != n u l l ) {
t h i s . _constructionElement . appendChild ( commitmentTypeQualifiers . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
1
2
3
4
5
6
7
8
9
10
11
12
/
Method s e t C o m m i t m e n t T y p e Q u a l i f i e r
@param C o m m i t m e n t T y p e Q u a l i f i e r
/
public void setCommitmentTypeQualifier ( S t r i n g CommitmentTypeQualifier ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( C o m m i t m e n t T y p e Q u a l i f i e r ! = n u l l ) ) {
t h i s . addStringElement ( CommitmentTypeQualifier ,
C o n s t a n t s . _TAG_COMMITMENTTYPEQUALIFIER ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
38
1
2
3
4
5
6
7
8
9
10
11
/
Method s e t A l l D a t a O b j e c t s T i m e S t a m p
@param A l l D a t a O b j e c t s T i m e S t a m p
/
p u b l i c v o i d s e t A l l D a t a O b j e c t s T i m e S t a m p ( TimeStampType A l l D a t a O b j e c t s T i m e S t a m p ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( A l l D a t a O b j e c t s T i m e S t a m p ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( AllDataObjectsTimeStamp . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
The AllDataObjectsTimeStamp element is created using a set-Method, and because of its type is
specified as TimeStampType ("(TimeStampType AllDataObjectsTimeStamp)"). It is necessary to define
the following conditions:
1. It should be proved, whether the present state of the signature creation is -"Signing Mode"
((this._state == MODE_SIGN));
2. And also, whether the XML-element (AllDataObjectsTimeStamp) is not an empty one
((AllDataObjectsTimeStamp!= null);
If any one of these both statements is not fulfilled, no AllDataObjectsTimeStamp element would
be created.
39
1
2
3
4
5
6
7
8
9
10
11
/
Method s e t I n d i v i d u a l D a t a O b j e c t s T i m e S t a m p
@param i n d i v i d u a l d a t a o b j e c t s t i m e s t a m p
/
p u b l i c v o i d s e t I n d i v i d u a l D a t a O b j e c t s T i m e S t a m p ( TimeStampType i n d i v i d u a l d a t a o b j e c t s t i m e s t a m p ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( i n d i v i d u a l d a t a o b j e c t s t i m e s t a m p ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( i n d i v i d u a l d a t a o b j e c t s t i m e s t a m p . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
40
41
4 Datatypes
4.1 The ObjectIdentifierType
The ObjectIdentifierType data type identifies every single specific data object.
< x s d : c o m p l e x T y p e name= " O b j e c t I d e n t i f i e r T y p e " >
<xsd:sequence>
< x s d : e l e m e n t name= " I d e n t i f i e r " t y p e = " x s d : a n y U R I " / >
< x s d : e l e m e n t name= " D e s c r i p t i o n " t y p e = " x s d : s t r i n g " m i n O c c u r s = " 0 " / >
< x s d : e l e m e n t name= " D o c u m e n t a t i o n R e f e r e n c e s "
t y p e = " D o c u m e n t a t i o n R e f e r e n c e s T y p e " m i n O c c u r s = " 0 " / >< / x s d : s e q u e n c e >
< / xsd:complexType>
Reassigning of the Identifier element is not permitted (that means: once the Identifier element is
assigned, it can never be reassigned again).The ObjectIdentifier element as an interface between the
URN specification of the data objects and the associated URI specification (Domain names).For the developer concerned, please refer to the Chapter 5.1.2 of the W3C XAdES specification. The ObjectIdentifierType is extended by the DocumentationReferences, which give further explanation on the
documentation of the ObjectIdentifier. The optional element DocumentationReference is
from type anyURI.
The next tables shall illustrate the IdentifierType and DocumentationReferencesType XAdES
complexTypes:
< x s d : c o m p l e x T y p e name= " I d e n t i f i e r T y p e " >
<xsd:complexContent>
< x s d : e x t e n s i o n base =" xsd:anyURI ">
< x s d : a t t r i b u t e name= " Q u a l i f i e r " t y p e = " Q u a l i f i e r T y p e " u s e = " o p t i o n a l " / >
< / x s d : e x t e n s i o n >< / x s d : c o m p l e x C o n t e n t >
< / x s d : c o m p l e x T y p e > < x s d : s i m p l e T y p e name= " Q u a l i f i e r T y p e " >
< x s d : r e s t r i c t i o n base=" x s d : s t r i n g ">
< x s d : e n u m e r a t i o n v a l u e = " OIDAsURI " / >
< x s d : e n u m e r a t i o n v a l u e = "OIDAsURN" / >< / x s d : r e s t r i c t i o n >
</ xsd:simpleType>
42
1
2
3
4
5
6
7
8
9
10
11
12
13
/
Method s e t I d e n t i f i e r
@param I d e n t i f i e r S t r i n g
/
public void s e t I d e n t i f i e r ( S t r i n g I d e n t i f i e r ) {
i f ( I d e n t i f i e r == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " I d e n t i f i e r A t t i b u t e i s r e q u i r e d ! " ) ; }
e l s e i f ( t h i s . _ s t a t e == MODE_SIGN) {
t h i s . a d d S t r i n g E l e m e n t ( I d e n t i f i e r , C o n s t a n t s . _TAG_IDENTIFIER ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
14
15
16
17
18
19
20
21
22
23
24
/
Method s e t D e s c r i p t i o n
@param D e s c r i p t i o n S t r i n g
/
public void s e t D e s c r i p t i o n ( S t r i n g D e s c r i p t i o n ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( D e s c r i p t i o n ! = n u l l ) ) {
t h i s . a d d S t r i n g E l e m e n t ( D e s c r i p t i o n , C o n s t a n t s . _TAG_DESCRIPTION ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
25
26
27
28
29
30
31
32
33
34
35
36
37
/
Method s e t D o c u m e n t a t i o n R e f e r e n c e s
@param D o c u m e n t a t i o n R e f e r e n c e s S t r i n g
/
public void setDocumentationReferences ( S t r i n g DocumentationReferences ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( D o c u m e n t a t i o n R e f e r e n c e s ! = n u l l ) ) {
t h i s . addStringElement ( DocumentationReferences ,
C o n s t a n t s . _TAG_DOCUMENTATIONREFERENCES ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
43
i f ( I d e n t i f i e r == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " I d e n t i f i e r A t t i b u t e i s
required ! " );
}
More detailed, this PKI data type is base64 encoded referred to the XMLDSIG specification.
44
1
2
3
4
5
6
7
8
9
10
11
12
/
S e t s t h e <code >Id </ code > E l e m e n t
@param I d
/
public void s e t I d ( S t r i n g Id ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( I d ! = n u l l ) ) {
t h i s . _constructionElement . s e t A t t r i b u t e N S ( null ,
C o n s t a n t s . _ATT_ID , I d ) ;
IdResolver . registerElementById ( t h i s . _constructionElement , Id ) ;
}
}
The HashDataInfo element decrypts the time-stamp request to the TSA. On one hand referencing an
uri attribute to the data object, on the other containing the Transforms element, refer to XMLDSIG.
The following Java-code for the implementation of these elements:
45
/
Method s e t H a s h D a t a I n f o
@param h a s h d a t a i n f o
/
public void setHashDataInfo ( HashDataInfoType h a s h d a t a i n f o ) {
i f ( h a s h d a t a i n f o == n u l l ) {
throw new I l l e g a l A r g u m e n t E x c e p t i o n ( " H a s h D a t a I n f o E l e m e n t i s r e q u i r e d ! " ) ;
}
else
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( h a s h d a t a i n f o ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( hashdatainfo . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
15
16
17
18
19
20
21
22
23
24
25
26
/
Method s e t E n c a p s u l a t e d T i m e S t a m p
@param e n c a p s u l a t e d t i m e s t a m p
/
public void setEncapsulatedTimeStamp ( EncapsulatedPKIDataType e n c a p s u l a t e d t i m e s t a m p ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN) && ( e n c a p s u l a t e d t i m e s t a m p ! = n u l l ) ) {
t h i s . _constructionElement . appendChild ( encapsulatedtimestamp . getElement ( ) ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
27
28
29
30
31
32
33
34
35
36
37
38
/
Method setXMLTimeStamp
@param XMLTimeStamp
/
p u b l i c v o i d setXMLTimeStamp ( S t r i n g XMLTimeStamp ) {
i f ( ( t h i s . _ s t a t e == MODE_SIGN)&& ( XMLTimeStamp ! = n u l l ) ) {
t h i s . a d d S t r i n g E l e m e n t ( XMLTimeStamp , C o n s t a n t s . _TAG_XMLTIMESTAMP ) ;
XMLUtils . a d d R e t u r n T o E l e m e n t ( t h i s . _ c o n s t r u c t i o n E l e m e n t ) ;
}
}
46
5 Conclusion
At the end of this project thesis a brief discussion over the librarys functionality, associated test-cases and
further use/ future implementations will be made.
The reader/ developer/ user can refer to the Appendixes A and B , where the complete output from the Java
classes:
CreateSinature_XAdES,
CreateSignature_XAdES_BES,
can be found.
This illustrates the functionality of the library, which can generate the complete XAdES/ XAdES-BES specifications.
The case where, optional XAdES elements can meet their occurrence more than once, is demonstrated on
the example of the Java class: CreateSignature_XAdES_MoreThanOneElement, refer to Appendix C.
Furthermore, there are three associated with these classes positive JUnit test cases, which verify the proper
execution of the Java classes and creation of the advanced electronic signatures, see Appendix D.
The other 16 negative JUnit tests validate the created signature, as every required element / attribute of the
XAdES specification is probed for its existence in the advanced electronic signature, see Appendix D.
The negative tests are created in a way , that if one required element/ attribute is an empty one, this particular
test gives a proper run, which is its expected value.This means that the signature creation has failed, and if
this is not the expected situation, there is no proper creation of the advanced electronic signature, because
a required XAdES element/ attribute is compromised with its 0 occurrence, which makes the signature
invalid.
The Eclipse IDE integrated JUnit plug-in delivers the complete execution time of all 19 tests of 3.438
seconds.
This confirms the good efficiency of the XAdES library.
These tests run as an example on a Pentium Celeron IV 1.7GHz, Single Core CPU PC with 768 MB of
DDR-I SD-RAM, Microsoft Windows XP SP2, refer to Appendix D.
Beside the qualifying property and its sub-elements , which extend the security of the advanced electronic signature, required future development on the projects library shall be the implementation of timestamps[TSP][TSPProf], which are explained in the XAdES-T, XAdES-X, XAdES-X-L and XAdES-A specifications.
Furthermore, an implementation of the countersignature is also seen in the future works of the project.
This shall give the chance to complete integration of advanced electronic signature to the Apache XML
Security Project.
Finally, our XAdES project is developed as an OpenSource,so this gives the freedom for further implementations to the other developers, who can use our XAdES library as a fundament and extend its functionality.
47
6 Authors addresses
Zdravko Danailov
Krassen Deltchev
Ruhr-University of Bochum
Department of Applied Informatics, Block IC
Universitaetsstrasse 150
44801, Bochum
Ruhr-University of Bochum
Department of Applied Informatics, Block IC
Universitaetsstrasse 150
44801, Bochum
e-mail: nqkoi_ot_bg@yahoo.com
e-mail: Krassen.Deltchev@rub.de
48
Bibliography
[CMS] RFC 3852: Cryptographic Message Syntax. R. Housley. July 2004.
http://tools.ietf.org/html/rfc3852
[ESI] ETSI TS 101 733: Electronic Signature Formats.
http://www.etsi.org
[ESI-XAdES] ETSI TS 101 903: XML Advanced Electronic Signatures (XAdES).
http://uri.etsi.org/01903/v1.1.1#
[ES-SMIME] RFC 2634: Enhanced Security Services for S/MIME. P. Hoffman. June 1999.
http://www.ietf.org/rfc/rfc2634.txt
update:
RFC2634-update-00: Enhanced Security Services for S/MIME;
draft-ietf-smime-rfc2634-update-00.txt, J Schaad, August 2004
http://tools.ietf.org/html/draft-ietf-smime-rfc2634-update-00
[EU-DIR-ESIG] Directive 1999/93/EC of the European Parliament and of the Council of 13 December
1999 on a Community framework for electronic signatures.
[Keywords] RFC 2119: Key words for use in RFCs to Indicate Requirement Levels. S. Bradner . March
1997.
http://www.ietf.org/rfc/rfc2119.txt
[OCSP] RFC 2560: X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. M.
Myers, R. Ankney, A. Malpani, S. Galperin, C. Adams. June 1999.
http://www.ietf.org/rfc/rfc2560.txt
[TSP] RFC 3161: Internet X.509 Public Key Infrastructure Time Stamp Protocol (TSP). P. Cain, D. Pinkas,
R. Zuccherato. August 2001.
http://www.ietf.org/rfc/rfc3161.txt
[TSPProf] ETSI TS 101 861: Time stamping profile.
http://www.etsi.org
http://portal.etsi.org/docbox/EC_Files/EC_Files/ts_101861v010201p.pdf
[URI] RFC 2396: Uniform Resource Identifiers (URI): Generic Syntax. T. Berners-Lee, R. Fielding, U.C.
Irvine, L. Masinter. August 1998.
http://www.ietf.org/rfc/rfc2396.txt
update:
RFC : Uniform Resource Identifier (URI): Generic Syntax. T. Berners-Lee. January 2005
http://www.ietf.org/rfc/rfc3986.txt
[URN] RFC 2141: URN Syntax. R. Moats. May 1997.
http://www.ietf.org/rfc/rfc2141.txt
49
[URN-NM] RFC 2611: URN Namespace Definition Mechanisms. L. Daigle, D. van Gulik, R. Iannella, P.
Falstrom. June 1999.
http://www.ietf.org/rfc/rfc2611.txt
update:
RFC 3406: URN Namespace Definition Mechanisms. L. Daigle. October 2002
http://ietfreport.isoc.org/idref/rfc3406/
[URN-OID] RFC 3061: A URN Namespace of Object Identifiers. M. Mealling. February 2001.
http://www.ietf.org/rfc/rfc3061.txt
[XML] Extensible Markup Language (XML) 1.0 (Second Edition). W3C Recommendation. T. Bray, E.
Maler, J. Paoli, C. M. Sperberg-McQueen. October 2000.
http://www.w3.org/TR/2000/REC-xml-20001006
update:
Extensible Markup Language (XML) 1.0 (Fourth Edition), W3C Recommendation
http://www.w3.org/TR/REC-xml/
http://www.w3.org/TR/2006/PER-xml-20060614/
[XMLDSIG] XML-Signature Syntax and Processing. W3C Recommendation. Donald Eastlake, Joseph
Reagle, David Solo. February 2002.
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/
[XAdES] XML Advanced Electronic Signatures (XAdES). W3C Recommendation. Juan Carlos Cruellas(
UPC), Gregor Karlinger( IAIK), Denis Pinkas( Bull), John Ross( Security and Standards), Krishna
Sankar( Cisco). February 2003.
http://www.w3.org/TR/2003/NOTE-XAdES-20030220/
update:
http://www.w3.org/TR/XAdES/
[XML-schema-part-1] XML-Schema Part 1: Structures. W3C Recommendation. D. Beech, M. Maloney,
N. Mendelsohn, H. Thompson. May 2001.
http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/
[XML-schema-part-2] XML-Schema Part 2: Datatypes. W3C Recommendation. P. Biron, A. Malhotra.
May 2001.
http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/
[X509v3] ITU-T Recommendation X.509 version 3 (1997). "Information Technology - Open Systems Interconnection - The Directory Authentication Framework" ISO/IEC 9594-8:1997.
[X509Prof] RFC 2459: Internet X.509 Public Key Infrastructure Certificate and CRL Profile. R. Housley,
W. Polk, D. Solo. January 1999.
http://www.ietf.org/rfc/rfc2459.txt
50
A Appendix - XAdES
<nds:RootElement xmlns:nds="http://www.nds.rub.de/xades">
<nds:AI-NDS-HGI Id="AI-NDS-HGI-18378667">Some simple text</nds:AI-NDS-HGI>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SignatureId">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
<Reference URI="#AI-NDS-HGI-18378667">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>+e0UhqPaZkX7+5xVrbg50ITch2I=</DigestValue>
</Reference>
<Reference URI="#SignedProperties-11626165">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>5ZbU+3vplCMW1BCVNM+6n1N2klc=</DigestValue>
</Reference>
<Reference URI="#UnsignedProperties-25392791">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>9E3pIezH0ZCKfO781NEOBxAEiE4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>SVlS9m97Q0t12piyIqegQbR9mhqU8OcTtEV/IdclY4/fMOuHtBCx/Q==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC3DCCApoCBEY1vX .....</X509Certificate>
</X509Data>
<KeyValue>
<DSAKeyValue>
<P>/X9TgR11EilS30q .....</P>
<Q>l2BQjxUjC8yykrmCouuEC/BYHPU=</Q>
<G>+GghdabPd7LvKtc .....</G>
<Y>OglcRuqvCSTioZQ .....</Y>
</DSAKeyValue>
</KeyValue>
</KeyInfo>
<Object>
<QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.1.1#"
Id="QualifyingProperties-26613447"
Target="#SignatureId">
<SignedProperties Id="SignedProperties-11626165">
<SignedSignaturePropeties>
<SigningTime>2007-05-01T17:34:07.140+02:00</SigningTime>
<SigningCertificate>
<CertIDList>
<CertID>
<DigestAlgAndValue>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>Nqcd88piw69JTL7UsOPhTqS+YMw=</DigestValue>
</DigestAlgAndValue>
<IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509IssuerName>
CN=DanDel,OU=AI-NDS-HGI,O=Ruhr-University-Bochum,C=DE
</X509IssuerName>
<X509SerialNumber>1177927027
</X509SerialNumber>
</IssuerSerial>
</CertID>
</CertIDList>
</SigningCertificate>
<SignaturePolicyIdentifier>
<SignaturePolicyID>
<ObjectIdentifier>
<Identifier>URN:OID:0.9.2342.19200300.100.4</Identifier>
<Description>Description of ObjectIdentifier</Description>
<DocumentationReferences>http://www.ietf.org/rfc/rfc3061.txt
</DocumentationReferences>
</ObjectIdentifier>
<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestAlgAndValue>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>uL+KWM9kVQ2vgVpD3QPz58Xyhpg=</DigestValue>
</DigestAlgAndValue>
<SigPolicyQualifiers>
<SigPolicyQualifier>SigPolicyQualifier</SigPolicyQualifier>
</SigPolicyQualifiers>
</SignaturePolicyID>
</SignaturePolicyIdentifier>
<SignatureProductionPlace>
<City>Bochum</City>
<StateOrProvince>NRW</StateOrProvince>
<PostalCode>44789</PostalCode>
<CountryName>Germany</CountryName>
</SignatureProductionPlace>
<SignerRole>
<CertifiedRolesList>
<CertifiedRole>RXhhbXBsZSA=</CertifiedRole>
</CertifiedRolesList>
<ClaimedRolesList>
<ClaimedRole>http://uri.etsi.org/01903/v1.1.1#</ClaimedRole>
</ClaimedRolesList>
</SignerRole>
</SignedSignaturePropeties>
<SignedDataObjectProperties>
<DataObjectFormat ObjectReference="SignedProperties-11626165">
<Description>Description</Description>
<ObjectIdentifier>
<Identifier>URN:OID:0.9.2342.19200300.100.4</Identifier>
<Description>Description of ObjectIdentifier</Description>
<DocumentationReferences>http://www.ietf.org/rfc/rfc3061.txt
</DocumentationReferences>
</ObjectIdentifier>
<Encoding>UTF-8</Encoding>
<MimeType>plain/text,charset=ISO-8859-1</MimeType>
</DataObjectFormat>
<CommitmentTypeIndication>
<ObjectIdentifier>
<Description>Description of CommitmentTypeId</Description>
<Identifier>URN:OID:0.9.2342.19200300.100.4</Identifier>
<DocumentationReferences>http://www.ietf.org/rfc/rfc3061.txt
</DocumentationReferences>
</ObjectIdentifier>
<AllSignedDataObjects />
<CommitmentTypeQualifiersList>
<CommitmentTypeQualifier>CommitmentTypeQualifier
</CommitmentTypeQualifier>
ii
</CommitmentTypeQualifiersList>
</CommitmentTypeIndication>
<AllDataObjectsTimeStamp>
<TimeStampType>
<HashDataInfo URI="AI-NDS-HGI-18378667">
<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
</HashDataInfo>
<EncapsulatedTimeStamp Id="EncapsulatedTimeStamp">
<EncapsulatedPKIData>MIIC3DCCApoCBEY1vXMwCwYH ......
</EncapsulatedPKIData>
</EncapsulatedTimeStamp>
<XMLTimeStamp>XMLTimeStamp</XMLTimeStamp>
</TimeStampType>
</AllDataObjectsTimeStamp>
<IndividualDataObjectsTimeStamp>
<TimeStampType>
<HashDataInfo URI="AI-NDS-HGI-18378667">
<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
</HashDataInfo>
<EncapsulatedTimeStamp Id="EncapsulatedTimeStamp">
<EncapsulatedPKIData>MIIC3DCCApoCBEY1vXMwCwYH ......
</EncapsulatedPKIData>
</EncapsulatedTimeStamp>
<XMLTimeStamp>XMLTimeStamp</XMLTimeStamp>
</TimeStampType>
</IndividualDataObjectsTimeStamp>
</SignedDataObjectProperties>
</SignedProperties>
<UnsignedProperties Id="UnsignedProperties-25392791">
<UnsignedSignatureProperties>
<CounterSignature />
</UnsignedSignatureProperties>
<UnsignedDataObjectProperties />
</UnsignedProperties>
</QualifyingProperties>
</Object>
</Signature>
</nds:RootElement>
Table A.1: XAdES
iii
B Appendix - XAdES-BES
<nds:RootElement xmlns:nds="http://www.nds.rub.de/xades">
<nds:AI-NDS-HGI Id="AI-NDS-HGI-18378667">Some simple text</nds:AI-NDS-HGI>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="SignatureId">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
<Reference URI="#AI-NDS-HGI-18378667">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>+e0UhqPaZkX7+5xVrbg50ITch2I=</DigestValue>
</Reference>
<Reference URI="#SignedProperties-11626165">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>5ZbU+3vplCMW1BCVNM+6n1N2klc=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>SVlS9m97Q0t12pi .....
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC3DCCApoCBEY1 .....</X509Certificate>
</X509Data>
<KeyValue>
<DSAKeyValue>
<P>/X9TgR11EilS30qcLuz .....</P>
<Q>l2BQjxUjC8yykrmCouuEC/BYHPU=</Q>
<G>9+GghdabPd7LvKtc .....</G>
<Y>OglcRuqvCSTioZQ .....</Y>
</DSAKeyValue>
</KeyValue>
</KeyInfo>
<Object>
<QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.1.1#"
Id="QualifyingProperties-26613447" Target="#SignatureId">
<SignedProperties
Id="SignedProperties-11626165">
<SignedSignaturePropeties>
<SigningTime>2007-05-01T17:34:07.140+02:00</SigningTime>
<SigningCertificate>
<CertIDList>
<CertID>
<DigestAlgAndValue>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>Nqcd88piw69JTL7UsOPhTqS+YMw=</DigestValue>
</DigestAlgAndValue>
<IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509IssuerName>
CN=DanDel,OU=AI-NDS-HGI,O=Ruhr-University-Bochum,C=DE
</X509IssuerName>
<X509SerialNumber>1177927027</X509SerialNumber>
</IssuerSerial>
</CertID>
iv
</CertIDList>
</SigningCertificate>
<SignaturePolicyIdentifier>
<SignaturePolicyID>
<ObjectIdentifier>
<Identifier>URN:OID:0.9.2342.19200300.100.4</Identifier>
<Description>Description of ObjectIdentifier</Description>
<DocumentationReferences>http://www.ietf.org/rfc/rfc3061.txt
</DocumentationReferences>
</ObjectIdentifier>
<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestAlgAndValue>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>uL+KWM9kVQ2vgVpD3QPz58Xyhpg=</DigestValue>
</DigestAlgAndValue>
<SigPolicyQualifiers>
<SigPolicyQualifier>SigPolicyQualifier</SigPolicyQualifier>
</SigPolicyQualifiers>
</SignaturePolicyID>
</SignaturePolicyIdentifier>
</SignedSignaturePropeties>
</SignedProperties>
</QualifyingProperties>
</Object>
</Signature>
</nds:RootElement>
Table B.1: XAdES-BES
vi
<IssuerSerial xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509IssuerName>
CN=DanDel,OU=AI-NDS-HGI,O=Ruhr-University-Bochum,C=DE
</X509IssuerName>
<X509SerialNumber>1177927027
</X509SerialNumber>
</IssuerSerial>
</CertID>
</CertIDList>
</SigningCertificate>
<SignaturePolicyIdentifier>
<SignaturePolicyID>
<ObjectIdentifier>
<Identifier>URN:OID:0.9.2342.19200300.100.4</Identifier>
<Description>Description of ObjectIdentifier</Description>
<DocumentationReferences>http://www.ietf.org/rfc/rfc3061.txt
</DocumentationReferences>
</ObjectIdentifier>
<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestAlgAndValue>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>uL+KWM9kVQ2vgVpD3QPz58Xyhpg=</DigestValue>
</DigestAlgAndValue>
<SigPolicyQualifiers>
<SigPolicyQualifier>SigPolicyQualifier</SigPolicyQualifier>
</SigPolicyQualifiers>
</SignaturePolicyID>
</SignaturePolicyIdentifier>
<SignatureProductionPlace>
<City>Bochum</City>
<StateOrProvince>NRW</StateOrProvince>
<PostalCode>44789</PostalCode>
<CountryName>Germany</CountryName>
</SignatureProductionPlace>
<SignerRole>
<CertifiedRolesList>
<CertifiedRole>RXhhbXBsZSA=</CertifiedRole>
</CertifiedRolesList>
<ClaimedRolesList>
<ClaimedRole>http://uri.etsi.org/01903/v1.1.1#</ClaimedRole>
</ClaimedRolesList>
</SignerRole>
</SignedSignaturePropeties>
<SignedDataObjectProperties>
<DataObjectFormat ObjectReference="SignedProperties-11626165">
<Description>Description</Description>
<ObjectIdentifier>
<Identifier>URN:OID:0.9.2342.19200300.100.4</Identifier>
<Description>Description of ObjectIdentifier</Description>
<DocumentationReferences>http://www.ietf.org/rfc/rfc3061.txt
</DocumentationReferences>
</ObjectIdentifier>
<Encoding>UTF-8</Encoding>
<MimeType>plain/text,charset=ISO-8859-1</MimeType>
</DataObjectFormat>
<DataObjectFormat ObjectReference="SignedProperties-11626165">
<Description>Description</Description>
<ObjectIdentifier>
<Identifier>URN:OID:0.9.2342.19200300.100.4</Identifier>
<Description>Description of ObjectIdentifier</Description>
<DocumentationReferences>http://www.ietf.org/rfc/rfc3061.txt
</DocumentationReferences>
</ObjectIdentifier>
<Encoding>UTF-8</Encoding>
<MimeType>plain/text,charset=ISO-8859-1</MimeType>
</DataObjectFormat>
vii
<DataObjectFormat ObjectReference="SignedProperties-11626165">
<Description>Description</Description>
<ObjectIdentifier>
<Identifier>URN:OID:0.9.2342.19200300.100.4</Identifier>
<Description>Description of ObjectIdentifier</Description>
<DocumentationReferences>http://www.ietf.org/rfc/rfc3061.txt
</DocumentationReferences>
</ObjectIdentifier>
<Encoding>UTF-8</Encoding>
<MimeType>plain/text,charset=ISO-8859-1</MimeType>
</DataObjectFormat>
<CommitmentTypeIndication>
<ObjectIdentifier>
<Description>Description of CommitmentTypeId</Description>
<Identifier>URN:OID:0.9.2342.19200300.100.4</Identifier>
<DocumentationReferences>http://www.ietf.org/rfc/rfc3061.txt
</DocumentationReferences>
</ObjectIdentifier>
<AllSignedDataObjects />
<CommitmentTypeQualifiersList>
<CommitmentTypeQualifier>CommitmentTypeQualifier
</CommitmentTypeQualifier>
</CommitmentTypeQualifiersList>
</CommitmentTypeIndication>
<CommitmentTypeIndication>
<ObjectIdentifier>
<Description>Description of CommitmentTypeId</Description>
<Identifier>URN:OID:0.9.2342.19200300.100.4</Identifier>
<DocumentationReferences>http://www.ietf.org/rfc/rfc3061.txt
</DocumentationReferences>
</ObjectIdentifier>
<AllSignedDataObjects />
<CommitmentTypeQualifiersList>
<CommitmentTypeQualifier>CommitmentTypeQualifier
</CommitmentTypeQualifier>
</CommitmentTypeQualifiersList>
</CommitmentTypeIndication>
<CommitmentTypeIndication>
<ObjectIdentifier>
<Description>Description of CommitmentTypeId</Description>
<Identifier>URN:OID:0.9.2342.19200300.100.4</Identifier>
<DocumentationReferences>http://www.ietf.org/rfc/rfc3061.txt
</DocumentationReferences>
</ObjectIdentifier>
<AllSignedDataObjects />
<CommitmentTypeQualifiersList>
<CommitmentTypeQualifier>CommitmentTypeQualifier
</CommitmentTypeQualifier>
</CommitmentTypeQualifiersList>
</CommitmentTypeIndication>
<AllDataObjectsTimeStamp>
<TimeStampType>
<HashDataInfo URI="AI-NDS-HGI-18378667">
<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
</HashDataInfo>
<EncapsulatedTimeStamp Id="EncapsulatedTimeStamp">
<EncapsulatedPKIData>MIIC3DCCApoCBEY1vXMwCwYH ......
</EncapsulatedPKIData>
</EncapsulatedTimeStamp>
<XMLTimeStamp>XMLTimeStamp</XMLTimeStamp>
</TimeStampType>
</AllDataObjectsTimeStamp>
<AllDataObjectsTimeStamp>
<TimeStampType>
<HashDataInfo URI="AI-NDS-HGI-18378667">
<Transforms xmlns="http://www.w3.org/2000/09/xmldsig#">
viii
ix
<UnsignedProperties Id="UnsignedProperties-25392791">
<UnsignedSignatureProperties>
<CounterSignature />
</UnsignedSignatureProperties>
<UnsignedDataObjectProperties />
</UnsignedProperties>
</QualifyingProperties>
</Object>
</Signature>
</nds:RootElement>
Table C.1: XAdES-More then one Element
D Appendix - Screenshots
Short summary on the screenshots in this appendix:
Screenshot - Eclipse IDE Junit plug-in console output , gives an overview over the 19 different
JUnit tests( positive and negative) and
the reader can obtain information on the test execution time, proper run of the different tests,
test errors and failures.
The screenshot shows the complete Eclipse IDE frame and there is a pointer from the JUnit console,
which is separately shown below, for the sake of a better illustration.
Screenshot - Eclipse IDE console output , gives the console output from the Eclipse IDE
after successful execution of the Java class JUtests.
The console delivers information on the correct
verification of all ReferenceURIs for the
XAdES root element, Signed- and Unsigned Properies;
which proves on one hand the securing on all their subelements,
which are referenced to the unique IDs of that ones and
on another the sucessful creation of the XAdES signature.More detailed:
- regarding CreateSignature_XAdES, the ReferenceURIs are:
#AI-NDS-HGI-XXXXXXXX 1 , #SignedProperties-XXXXXXXX and #UnsignedProperties-XXXXXXXX;
- regarding CreateSignature_XAdES_BES, the ReferenceURIs are:
#AI-NDS-HGI-XXXXXXXX and #SignedProperties-XXXXXXXX
NOTE: Unsigned Property element is empty for the
Basic Electronic XAdES signatures;
- regarding CreateSignature_XAdES_MoreThanOneElement, the ReferenceURIs are:
#AI-NDS-HGI-XXXXXXXX, #SignedProperties-XXXXXXXX and #UnsignedProperties-XXXXXXXX.
This second screenshot shows also the complete Eclipse IDE frame and with a pointer from the enlarged Eclipse output console,
which is separately shown below, for the sake of a better illustration too.
The XXXXXXXX represent digits in the unique element ID, generated as a random hashcode, using SHA1
xi
xii
xiii