1、 ETSI TS 119 122-1 V1.0.1 (2015-07) Electronic Signatures and Infrastructures (ESI); CAdES digital signatures; Part 1: Building blocks and CAdES baseline signatures TECHNICAL SPECIFICATION ETSI ETSI TS 119 122-1 V1.0.1 (2015-07)2Reference RTS/ESI-0019122-1-TS Keywords ASN.1, CAdES, electronic signat
2、ure, profile, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can
3、 be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of an
4、y existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may
5、be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/Peop
6、le/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the w
7、ritten authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2015. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3G
8、PPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 119 122-1 V1.0.1 (2015-07)3Contents Intellectual Property Rights 5g3Foreword . 5g3Mod
9、al verbs terminology 5g3Introduction 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 7g33 Definitions and abbreviations . 8g33.1 Definitions 8g33.2 Abbreviations . 9g34 General syntax 9g34.1 General requirements . 9g34.2 The data content type. 9g34.3 The signed
10、-data content type 9g34.4 The SignedData type . 9g34.5 The EncapsulatedContentInfo type 10g34.6 The SignerInfo type . 10g34.7 ASN.1 Encoding . 10g34.7.1 DER 10g34.7.2 BER 10g34.8 Other standard data structures 10g34.8.1 Time-stamp token format 10g34.8.2 Additional types 10g34.9 Attributes 11g35 Attr
11、ibute semantics and syntax . 11g35.1 CMS defined basic signed attributes 11g35.1.1 The content-type attribute 11g35.1.2 The message-digest attribute . 11g35.2 Basic attributes for CAdES signatures . 12g35.2.1 The signing-time attribute 12g35.2.2 Signing certificate reference attributes . 12g35.2.2.1
12、 General requirements 12g35.2.2.2 ESS signing-certificate attribute . 12g35.2.2.3 ESS signing-certificate-v2 attribute 13g35.2.3 The commitment-type-indication attribute . 13g35.2.4 Attributes for identifying the signed data type 14g35.2.4.1 The content-hints attribute 14g35.2.4.2 The mime-type attr
13、ibute 14g35.2.5 The signer-location attribute . 15g35.2.6 Incorporating attributes of the signer 15g35.2.6.1 The signer-attributes-v2 attribute . 15g35.2.6.2 claimed-SAML-assertion 17g35.2.7 The countersignature attribute . 17g35.2.8 The content-time-stamp attribute 18g35.2.9 The signature-policy-id
14、entifier attribute and the SigPolicyQualifierInfo type . 18g35.2.9.1 The signature-policy-identifier attribute . 18g35.2.9.2 The SigPolicyQualifierInfo type . 19g35.2.10 The signature-policy-store attribute 21g35.2.11 The content-reference attribute 21g35.2.12 The content-identifier attribute 22g35.
15、3 The signature-time-stamp attribute . 22g3ETSI ETSI TS 119 122-1 V1.0.1 (2015-07)45.4 Attributes for validation data values . 23g35.4.1 Introduction. 23g35.4.2 OCSP responses 23g35.4.2.1 OCSP response types 23g35.4.2.2 OCSP responses within RevocationInfoChoices 23g35.4.3 CRLs . 23g35.5 Archive val
16、idation data 23g35.5.1 Introduction. 23g35.5.2 The ats-hash-index-v2 attribute 23g35.5.3 The archive-time-stamp-v3 attribute . 25g36 CAdES baseline signatures 27g36.1 Signature levels 27g36.2 General requirements . 28g36.2.1 Algorithm requirements 28g36.2.2 Notation for requirements . 28g36.3 Requir
17、ements on components and services 30g36.4 Legacy CAdES baseline signatures 33g3Annex A (normative): Additional Attributes Specification 34g3A.1 Attributes for validation data 34g3A.1.1 Certificates validation data . 34g3A.1.1.1 The complete-certificate-references attribute . 34g3A.1.1.2 The certific
18、ate-values attribute 35g3A.1.2 Revocation validation data . 35g3A.1.2.1 The complete-revocation-references attribute. 35g3A.1.2.2 The revocation-values attribute 37g3A.1.3 The attribute-certificate-references attribute 38g3A.1.4 The attribute-revocation-references attribute . 39g3A.1.5 Time-stamps o
19、n references to validation data 40g3A.1.5.1 The time-stamped-certs-crls-references attribute 40g3A.1.5.2 The CAdES-C-timestamp attribute 40g3A.2 Deprecated attributes 41g3A.2.1 Usage of deprecated attributes 41g3A.2.2 The other-signing-certificate attribute 41g3A.2.3 The signer-attributes attribute
20、41g3A.2.4 The archive-time-stamp attribute . 41g3A.2.5 The long-term-validation attribute . 41g3A.2.6 The ats-hash-index attribute . 42g3Annex B (informative): Signature Format Definitions Using X.208 ASN.1 Syntax . 43g3Annex C (normative): Signature Format Definitions Using X.680 ASN.1 Syntax . 49g
21、3Annex D (informative): Example Structured Contents and MIME 56g3D.1 Use of MIME to Encode Data 56g3D.1.1 MIME Structure . 56g3D.1.2 Header Information 56g3D.1.3 Content Encoding . 57g3D.1.4 Multi-Part Content 57g3D.2 S/MIME 58g3D.2.1 Using S/MIME . 58g3D.2.2 Using application/pkcs7-mime . 58g3D.2.3
22、 Using multipart/signed and application/pkcs7-signature 59g3D.3 Use of MIME in the signature 59g3Annex E (informative): Change history . 61g3History 62 ETSI ETSI TS 119 122-1 V1.0.1 (2015-07)5Intellectual Property Rights IPRs essential or potentially essential to the present document may have been d
23、eclared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, wh
24、ich is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in
25、 ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The present document is part 1 of
26、 a multi-part deliverable covering CAdES digital signatures as identified below: Part 1: “Building blocks and CAdES baseline signatures“; Part 2: “Extended CAdES signatures“. The present document partly contains an evolved specification of the ETSI TS 101 733 1 and ETSI TS 103 173 i.1. Modal verbs t
27、erminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowe
28、d in ETSI deliverables except when used in direct citation. Introduction Electronic commerce has emerged as a frequent way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued development of el
29、ectronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect digital signatures are an i
30、mportant security component that can be used to protect information and provide trust in electronic business. The present document is intended to cover digital signatures supported by PKI and public key certificates, and aims to meet the general requirements of the international community to provide
31、 trust and confidence in electronic transactions, including, amongst other, applicable requirements from Regulation (EU) No 910/2014 i.13. The present document can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, e
32、tc. The present document is independent of any environment. It can be applied to any environment e.g. smart cards, GSM SIM cards, special programs for electronic signatures, etc. The present document is part of a rationalized framework of standards (see ETSI TR 119 000 i.2). See ETSI TR 119 100 i.4
33、for getting guidance on how to use the present document within the aforementioned framework. ETSI ETSI TS 119 122-1 V1.0.1 (2015-07)61 Scope The present document specifies CAdES digital signatures. CAdES signatures are built on CMS signatures 7, by incorporation of signed and unsigned attributes, wh
34、ich fulfil certain common requirements (such as the long term validity of digital signatures, for instance) in a number of use cases. The present document specifies the ASN.1 definitions for the aforementioned attributes as well as their usage when incorporating them to CAdES signatures. The present
35、 document specifies formats for CAdES baseline signatures, which provide the basic features necessary for a wide range of business and governmental use cases for electronic procedures and communications to be applicable to a wide range of communities when there is a clear need for interoperability o
36、f digital signatures used in electronic documents. The present document defines four levels of CAdES baseline signatures addressing incremental requirements to maintain the validity of the signatures over the long term, in a way that a certain level always addresses all the requirements addressed at
37、 levels that are below it. Each level requires the presence of certain CAdES attributes, suitably profiled for reducing the optionality as much as possible. Procedures for creation and validation of CAdES digital signatures are out of scope and specified in ETSI TS 119 102-1 i.5. The present documen
38、t aims at supporting digital signatures in different regulatory frameworks. NOTE: Specifically, but not exclusively, CAdES digital signatures specified in the present document aim at supporting electronic signatures, advanced electronic signatures, qualified electronic signatures, electronic seals,
39、advanced electronic seals, and qualified electronic seals as per Regulation (EU) No 910/2014 i.13. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited
40、 version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks in
41、cluded in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. 1 ETSI TS 101 733 (V2.2.1): “Electronic Signatures and Infrastructures (ESI); CMS Advanced Electr
42、onic Signatures (CAdES)“. 2 IETF RFC 2045 (1996): “Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies“. 3 IETF RFC 2634 (1999): “Enhanced Security Services for S/MIME“. 4 IETF RFC 3161 (2001): “Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)“.
43、 5 IETF RFC 5035 (2007): “Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility“. 6 IETF RFC 5280 (2008): “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile“. NOTE: Obsoletes IETF RFC 3280. ETSI ETSI TS 119 122-1 V1.0.1 (2015-07)77
44、IETF RFC 5652 (2009): “Cryptographic Message Syntax (CMS)“. NOTE: Obsoletes RFC 3852. 8 IETF RFC 5755 (2010): “An Internet Attribute Certificate Profile for Authorization“. NOTE: Obsoletes IETF RFC 3281. 9 IETF RFC 5816 (2010): “ESSCertIDv2 Update for RFC 3161“. 10 IETF RFC 5911 (2010): “New ASN.1 M
45、odules for Cryptographic Message Syntax (CMS) and S/MIME“. 11 IETF RFC 5912 (2010): “New ASN.1 Modules for the Public Key Infrastructure Using X.509 (PKIX)“. NOTE: Updated by IETF RFC 6268. 12 IETF RFC 6268 (2011): “Additional New ASN.1 Modules for the Cryptographic Message Syntax (CMS) and the Publ
46、ic Key Infrastructure Using X.509 (PKIX)“. 13 IETF RFC 5940 (2010): “Additional Cryptographic Message Syntax (CMS) Revocation Information Choices“. 14 IETF RFC 6960 (2013): “X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP“. NOTE: Obsoletes IETF RFC 2560. 15 Recomme
47、ndation ITU-T X.520 (11/2008)/ISO/IEC 9594-6:2008): “Information technology - Open Systems Interconnection - The Directory: Selected attribute types“. 16 Recommendation ITU-T X.680 (2008): “Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation“. 17 Recommenda
48、tion ITU-T X.690 (2008): “Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)“. 18 OASIS Standard “Security Assertion Markup Language (SAML) V2.0“. 2.2 Informative references References are
49、either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but they assist the
