1、 ETSI EN 319 122-1 V1.1.1 (2016-04) Electronic Signatures and Infrastructures (ESI); CAdES digital signatures; Part 1: Building blocks and CAdES baseline signatures EUROPEAN STANDARD ETSI ETSI EN 319 122-1 V1.1.1 (2016-04) 2 Reference DEN/ESI-0019122-1 Keywords ASN.1, CAdES, electronic signature, pr
2、ofile, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be dow
3、nloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any exist
4、ing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subj
5、ect to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/P
6、eople/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without th
7、e written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
8、 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI EN 319 122-1 V1.1.1 (2016-04) 3 Contents Intellectual Property Rights 5g3Foreword . 5
9、g3Modal verbs terminology 5g3Introduction 5g31 Scope 7g32 References 7g32.1 Normative references . 7g32.2 Informative references 8g33 Definitions and abbreviations . 9g33.1 Definitions 9g33.2 Abbreviations . 10g34 General syntax 10g34.1 General requirements . 10g34.2 The data content type. 10g34.3 T
10、he signed-data content type 11g34.4 The SignedData type . 11g34.5 The EncapsulatedContentInfo type 11g34.6 The SignerInfo type . 11g34.7 ASN.1 Encoding . 11g34.7.1 DER 11g34.7.2 BER 11g34.8 Other standard data structures 12g34.8.1 Time-stamp token format 12g34.8.2 Additional types 12g34.9 Attributes
11、 12g35 Attribute semantics and syntax . 12g35.1 CMS defined basic signed attributes 12g35.1.1 The content-type attribute 12g35.1.2 The message-digest attribute . 13g35.2 Basic attributes for CAdES signatures . 13g35.2.1 The signing-time attribute 13g35.2.2 Signing certificate reference attributes .
12、13g35.2.2.1 General requirements 13g35.2.2.2 ESS signing-certificate attribute . 13g35.2.2.3 ESS signing-certificate-v2 attribute 14g35.2.3 The commitment-type-indication attribute . 14g35.2.4 Attributes for identifying the signed data type 15g35.2.4.1 The content-hints attribute 15g35.2.4.2 The mim
13、e-type attribute 16g35.2.5 The signer-location attribute . 16g35.2.6 Incorporating attributes of the signer 17g35.2.6.1 The signer-attributes-v2 attribute . 17g35.2.6.2 claimed-SAML-assertion 18g35.2.7 The countersignature attribute . 19g35.2.8 The content-time-stamp attribute 19g35.2.9 The signatur
14、e-policy-identifier attribute and the SigPolicyQualifierInfo type . 19g35.2.9.1 The signature-policy-identifier attribute . 19g35.2.9.2 The SigPolicyQualifierInfo type . 20g35.2.10 The signature-policy-store attribute 22g35.2.11 The content-reference attribute 23g35.2.12 The content-identifier attri
15、bute 23g35.3 The signature-time-stamp attribute . 23g35.4 Attributes for validation data values . 24g3ETSI ETSI EN 319 122-1 V1.1.1 (2016-04) 4 5.4.1 Introduction. 24g35.4.2 OCSP responses 24g35.4.2.1 OCSP response types 24g35.4.2.2 OCSP responses within RevocationInfoChoices 24g35.4.3 CRLs . 24g35.
16、5 Attributes for long term availability and integrity of validation material . 24g35.5.1 Introduction. 24g35.5.2 The ats-hash-index-v3 attribute 25g35.5.3 The archive-time-stamp-v3 attribute . 26g36 CAdES baseline signatures 29g36.1 Signature levels 29g36.2 General requirements . 29g36.2.1 Algorithm
17、 requirements 29g36.2.2 Notation for requirements . 29g36.3 Requirements on components and services 32g36.4 Legacy CAdES baseline signatures 35g3Annex A (normative): Additional Attributes Specification 36g3A.1 Attributes for validation data 36g3A.1.1 Certificates validation data . 36g3A.1.1.1 The co
18、mplete-certificate-references attribute . 36g3A.1.1.2 The certificate-values attribute 37g3A.1.2 Revocation validation data . 37g3A.1.2.1 The complete-revocation-references attribute. 37g3A.1.2.2 The revocation-values attribute 39g3A.1.3 The attribute-certificate-references attribute 40g3A.1.4 The a
19、ttribute-revocation-references attribute . 41g3A.1.5 Time-stamps on references to validation data 42g3A.1.5.1 The time-stamped-certs-crls-references attribute 42g3A.1.5.2 The CAdES-C-timestamp attribute 43g3A.2 Deprecated attributes 43g3A.2.1 Usage of deprecated attributes 43g3A.2.2 The other-signin
20、g-certificate attribute 43g3A.2.3 The signer-attributes attribute 44g3A.2.4 The archive-time-stamp attribute . 44g3A.2.5 The long-term-validation attribute . 44g3A.2.6 The ats-hash-index attribute . 44g3Annex B (normative): Alternative mechanisms for long term availability and integrity of validatio
21、n data 45g3Annex C (informative): Signature Format Definitions Using X.208 ASN.1 Syntax . 46g3Annex D (normative): Signature Format Definitions Using X.680 ASN.1 Syntax . 52g3Annex E (informative): Example Structured Contents and MIME 59g3E.1 Use of MIME to Encode Data 59g3E.1.1 MIME Structure . 59g
22、3E.1.2 Header Information 59g3E.1.3 Content Encoding . 60g3E.1.4 Multi-Part Content 60g3E.2 S/MIME 60g3E.2.1 Using S/MIME . 60g3E.2.2 Using application/pkcs7-mime . 61g3E.2.3 Using multipart/signed and application/pkcs7-signature 61g3E.3 Use of MIME in the signature 62g3History 64g3ETSI ETSI EN 319
23、122-1 V1.1.1 (2016-04) 5 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 31
24、4: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigati
25、on, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This European Standard (EN)
26、 has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The present document is part 1 of a multi-part deliverable covering CAdES digital signatures, as identified below: Part 1: “Building blocks and CAdES baseline signatures“; Part 2: “Extended CAdES signatur
27、es“. The present document partly contains an evolved specification of the ETSI TS 101 733 1 and ETSI TS 103 173 i.1. National transposition dates Date of adoption of this EN: 1 April 2016 Date of latest announcement of this EN (doa): 31 July 2016 Date of latest publication of new National Standard o
28、r endorsement of this EN (dop/e): 31 January 2017 Date of withdrawal of any conflicting National Standard (dow): 31 January 2017 Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpret
29、ed as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. Introduction Electronic commerce has emerged as a frequent way of doing business between companies
30、 across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued development of electronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in pl
31、ace to protect their transactions and to ensure trust and confidence with their business partners. In this respect digital signatures are an important security component that can be used to protect information and provide trust in electronic business. The present document is intended to cover digita
32、l signatures supported by PKI and public key certificates, and aims to meet the general requirements of the international community to provide trust and confidence in electronic transactions, including, amongst other, applicable requirements from Regulation (EU) No 910/2014 i.13. ETSI ETSI EN 319 12
33、2-1 V1.1.1 (2016-04) 6 The present document can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, etc. The present document is independent of any environment. It can be applied to any environment e.g. smart cards, G
34、SM SIM cards, special programs for electronic signatures, etc. The present document is part of a rationalized framework of standards (see ETSI TR 119 000 i.2). See ETSI TR 119 100 i.4 for getting guidance on how to use the present document within the aforementioned framework. ETSI ETSI EN 319 122-1
35、V1.1.1 (2016-04) 7 1 Scope The present document specifies CAdES digital signatures. CAdES signatures are built on CMS signatures 7, by incorporation of signed and unsigned attributes, which fulfil certain common requirements (such as the long term validity of digital signatures, for instance) in a n
36、umber of use cases. The present document specifies the ASN.1 definitions for the aforementioned attributes as well as their usage when incorporating them to CAdES signatures. The present document specifies formats for CAdES baseline signatures, which provide the basic features necessary for a wide r
37、ange of business and governmental use cases for electronic procedures and communications to be applicable to a wide range of communities when there is a clear need for interoperability of digital signatures used in electronic documents. The present document defines four levels of CAdES baseline sign
38、atures addressing incremental requirements to maintain the validity of the signatures over the long term, in a way that a certain level always addresses all the requirements addressed at levels that are below it. Each level requires the presence of certain CAdES attributes, suitably profiled for red
39、ucing the optionality as much as possible. Procedures for creation, augmentation and validation of CAdES digital signatures are out of scope and specified in ETSI EN 319 102-1 i.5. Guidance on creation, augmentation and validation of CAdES digital signatures including the usage of the different prop
40、erties defined in the present document is provided in ETSI TR 119 100 i.4. The present document aims at supporting digital signatures in different regulatory frameworks. NOTE: Specifically, but not exclusively, CAdES digital signatures specified in the present document aim at supporting electronic s
41、ignatures, advanced electronic signatures, qualified electronic signatures, electronic seals, advanced electronic seals, and qualified electronic seals as per Regulation (EU) No 910/2014 i.13. 2 References 2.1 Normative references References are either specific (identified by date of publication and
42、/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expe
43、cted location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. 1 E
44、TSI TS 101 733 (V2.2.1): “Electronic Signatures and Infrastructures (ESI); CMS Advanced Electronic Signatures (CAdES)“. 2 IETF RFC 2045 (1996): “Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies“. 3 IETF RFC 2634 (1999): “Enhanced Security Services for S/MIME“.
45、 4 IETF RFC 3161 (2001): “Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)“. 5 IETF RFC 5035 (2007): “Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility“. 6 IETF RFC 5280 (2008): “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation
46、List (CRL) Profile“. NOTE: Obsoletes IETF RFC 3280. ETSI ETSI EN 319 122-1 V1.1.1 (2016-04) 8 7 IETF RFC 5652 (2009): “Cryptographic Message Syntax (CMS)“. NOTE: Obsoletes IETF RFC 3852. 8 IETF RFC 5755 (2010): “An Internet Attribute Certificate Profile for Authorization“. NOTE: Obsoletes IETF RFC 3
47、281. 9 IETF RFC 5816 (2010): “ESSCertIDv2 Update for RFC 3161“. 10 IETF RFC 5911 (2010): “New ASN.1 Modules for Cryptographic Message Syntax (CMS) and S/MIME“. 11 IETF RFC 5912 (2010): “New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)“. NOTE: Updated by IETF RFC 6268. 12 IETF R
48、FC 6268 (2011): “Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS) and the Public Key Infrastructure Using X.509 (PKIX)“. 13 IETF RFC 5940 (2010): “Additional Cryptographic Message Syntax (CMS) Revocation Information Choices“. 14 IETF RFC 6960 (2013): “X.509 Internet Public Key
49、 Infrastructure Online Certificate Status Protocol - OCSP“. NOTE: Obsoletes IETF RFC 2560. 15 Recommendation ITU-T X.520 (11/2008)/ISO/IEC 9594-6:2008): “Information technology - Open Systems Interconnection - The Directory: Selected attribute types“. 16 Recommendation ITU-T X.680 (2008): “Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation“. 17 Recommendation ITU-T X.690 (2008): “Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical E
