1、 ETSI TS 119 124-5 V1.1.1 (2016-06) Electronic Signatures and Infrastructures (ESI); CAdES digital signatures - Testing Conformance and Interoperability; Part 5: Testing conformance of extended CAdES signatures TECHNICAL SPECIFICATION ETSI ETSI TS 119 124-5 V1.1.1 (2016-06)2 Reference DTS/ESI-001912
2、4-5 Keywords CAdES, conformance, e-commerce, electronic signature, profile, security, testing ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfec
3、ture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be
4、modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretaria
5、t. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, pleas
6、e send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permi
7、ssion of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand th
8、e ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TS 119
9、124-5 V1.1.1 (2016-06)3 Contents Intellectual Property Rights 4g3Foreword . 4g3Modal verbs terminology 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 6g33 Definitions and abbreviations . 6g33.1 Definitions 6g33.2 Abbreviations . 6g34 Overview 6g35 Testing conf
10、ormance to CAdES-E-BES extended signatures 7g35.1 Introduction 7g35.2 Testing CMSversion . 7g35.3 Testing DigestAlgorithmIdentifiers 8g35.4 Testing EncapsulatedContentInfo 8g35.5 Testing SignedData.certificates 8g35.6 Testing SignedData.crls 8g35.7 Testing SignerInfos 8g35.8 Testing content-type . 8
11、g35.9 Testing message-digest . 8g35.10 Testing signing-time . 8g35.11 Testing Enhanced Security Services (ESS) 9g35.12 Testing commitment-type-indication . 9g35.13 Testing signer-location . 9g35.14 Testing signer-attributes-v2 9g35.15 Testing counter-signature . 9g35.16 Testing content-time-stamp 9g
12、35.17 Testing content-reference . 9g35.18 Testing content-identifier . 9g35.19 Testing content-hints 9g35.20 Testing mime-type 10g36 Testing conformance to CAdES-E-EPES extended signatures 10g36.1 Introduction 10g36.2 Testing signature-policy-identifier . 10g36.3 Testing signature-policy-store 10g37
13、 Testing conformance to CAdES-E-T extended signatures . 10g37.1 Introduction 10g37.2 Testing SignatureTimeStamp . 10g38 Testing conformance to CAdES-E-A extended signatures 11g38.1 Introduction 11g38.2 Testing ArchiveTimeStampV3 . 11g38.3 Testing Certificate and Revocation references . 11g38.4 Testi
14、ng Certificate and Revocation values . 12g38.5 Testing time-stamp attributes . 12g3History 13g3ETSI ETSI TS 119 124-5 V1.1.1 (2016-06)4 Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these ess
15、ential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updat
16、es are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web serve
17、r) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Infrastructures (ESI). The present document is part 5 of a multi-part deliverable covering CAdES digital signa
18、tures - Testing Conformance and Interoperability. Full details of the entire series can be found in part 1 i.1. A tool implementing the present document has been developed and is accessible at http:/signatures-conformance-checker.etsi.org/. Modal verbs terminology In the present document “shall“, “s
19、hall not“, “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in dir
20、ect citation. ETSI ETSI TS 119 124-5 V1.1.1 (2016-06)5 1 Scope The present document defines the checks to be performed for testing conformance of CAdES signatures against extended CAdES signatures as specified in ETSI EN 319 122-2 2. It defines only the checks that are specific to extended CAdES sig
21、natures. The set of checks that are common to both extended and baseline CAdES signatures, are defined in ETSI TS 119 124-4 3. The complete set of checks to be performed by any tool on CAdES extended signatures is the union of the sets defined within the present document and the set of common checks
22、 for testing conformance against ETSI EN 319 122-1 1 and ETSI EN 319 122-2 2 defined in ETSI TS 119 124-4 3, as indicated in the normative clauses of the present document. The present document does not specify checks leading to conclude whether a signature is technically valid or not (for instance,
23、it does not specify checks for determining whether the cryptographic material present in the signature may be considered valid or not). In consequence, no conclusion may be inferred regarding the technical validity of a signature that has been successfully tested by any tool conformant to the presen
24、t document. Checks specified by the present document are exclusively constrained to elements specified by CAdES 1. Regarding CAdES attributes, the present document explicitly differentiates between structural requirements that are defined on building blocks, and the requirements specified for extend
25、ed CAdES signatures conformance. The present document is intentionally not linked to any software development technology and is also intentionally agnostic on implementation strategies. This is one of the reasons why the test assertions set specified in the present document includes tests on the cor
26、rectness of the structure of all the elements specified by CAdES 1. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-speci
27、fic references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at https:/docbox.etsi.org/Reference/. NOTE: While any hyperlinks included in this clause were va
28、lid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. 1 ETSI EN 319 122-1: “Electronic Signatures and Infrastructures (ESI); CAdES digital signatures; Part 1: Building blocks and C
29、AdES baseline signatures“. 2 ETSI EN 319 122-2: “Electronic Signatures and Infrastructures (ESI); CAdES digital signatures; Part 2: Extended CAdES signatures“. 3 ETSI TS 119 124-4: “Electronic Signatures and Infrastructures (ESI); CAdES digital signatures - Testing Conformance and Interoperability;
30、Part 4: Testing conformance of CAdES baseline signatures“. ETSI ETSI TS 119 124-5 V1.1.1 (2016-06)6 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version a
31、pplies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not
32、necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI TR 119 124-1: “Electronic Signatures and Infrastructures (ESI); CAdES digital signatures - Testing Conformance and Interoperability; Part 1: Overview“. i.2 ETSI TR 119 00
33、1: “Electronic Signatures and Infrastructures (ESI); The framework for standardization of signatures; Definitions and abbreviations“. i.3 OASIS Committee Notes: “Test Assertions Guidelines Version 1.0“ Committee Note 02, 19 June 2013. 3 Definitions and abbreviations 3.1 Definitions For the purposes
34、of the present document, the terms and definitions given in ETSI TR 119 001 i.2 apply. 3.2 Abbreviations For the purposes of the present document, the abbreviations given in ETSI TR 119 001 i.2 apply. 4 Overview The present clause describes the main aspects of the technical approach used for specify
35、ing the set of checks to be performed for testing conformance to ETSI EN 319 122-2 2. ETSI EN 319 122-1 1 defines requirements for building blocks and CAdES baseline signatures. For the purpose of identifying the whole set of test assertions required for testing conformance against extended CAdES si
36、gnatures as specified in ETSI EN 319 122-2 2, the present document classifies the whole set of requirements specified in ETSI EN 319 122-1 1 and in ETSI EN 319 122-2 2 in two groups as follows: 1) Requirements “CAdES_BB“ (after “CAdES building blocks“): requirements defined in clauses 4, 5, and anne
37、x A of ETSI EN 319 122-1 1 that have to be satisfied by both CAdES baseline signatures as specified in ETSI EN 319 122-1 1 and extended CAdES signatures as specified in ETSI EN 319 122-2 2. The checks for these requirements are defined in ETSI TS 119 124-4 3. When needed in the present document, suc
38、h checks are referred by their TA_id. 2) Requirements “CAdES_ES“ (after “Extended CAdES signatures“): requirements defined in clauses 5 and 6 of ETSI EN 319 122-2 2. These are requirements specific to extended CAdES signatures. a) In order to test conformance to ETSI EN 319 122-2 2, several types of
39、 tests are identified, namely: 1) Tests on the signature structure. 2) Tests on values of specific elements and/or attributes. 3) Tests on interrelationship between different elements present in the signature. ETSI ETSI TS 119 124-5 V1.1.1 (2016-06)7 4) Tests on computations reflected in the content
40、s of the signatures (message imprints for a time-stamping service, computed by digesting the concatenation of a number of elements of the signature, for instance). b) No tests are included testing actual validity of the cryptographic material that might be present at the signature or to be used for
41、its verification (status of certificates for instance). c) Tests are defined as test assertions following the work produced by OASIS in “Test Assertions Guidelines Version 1.0“ i.3. Each test assertion includes: 1) Unique identifier for further referencing. The identifiers of the assertions defined
42、within the present document start with “CAdES_ES“, after “Extended CAdES signatures“. 2) Reference to the Normative source for the test. 3) The Target of the assertion. In the normative part, this field identifies one of the format specified in Extended CAdES signatures specification 2. 4) Prerequis
43、ite (optional) is, according to i.3, “a logical expression (similar to a Predicate) which further qualifies the Target for undergoing the core test (expressed by the Predicate) that addresses the Normative Statement“. It is used for building test assertions corresponding to requirements that are imp
44、osed under certain conditions. 5) Predicate fully and unambiguously defining the assertion to be tested. 6) Prescription level: Three levels are defined: mandatory, recommended and permitted, whose semantics is to be interpreted as described in clause 3.1.2 of i.3. 7) Tag: information on the element
45、 tested by the assertion. The presentation of the checks are organized following the formats of extended CAdES signatures specified in 2. The following signature levels are considered: CAdES-E-BES. CAdES-E-EPES. CAdES-E-T. CAdES-E-A. 5 Testing conformance to CAdES-E-BES extended signatures 5.1 Intro
46、duction This clause specifies the set of assertions to be tested on signatures claiming conformance to the CAdES-E-BES signatures level as specified by ETSI EN 319 122-2 2. The next clauses specify the assertions for testing whether the elements that are profiled by ETSI EN 319 122-2 2, are actually
47、 conformant to this level. The constraints imposed by the extended CAdES signatures specification 2 to the CMS Signature elements are tested. 5.2 Testing CMSversion This clause defines the test assertions for SignedData.CMSversion attribute presence in CMS signature. The CAdES_BB/CMSV check in ETSI
48、TS 119 124-4 3 shall apply. ETSI ETSI TS 119 124-5 V1.1.1 (2016-06)8 5.3 Testing DigestAlgorithmIdentifiers This clause defines the test assertions for SignedData.DigestAlgorithmIdentifiers attribute presence in CMS signature. The CAdES_BB/DAI check in ETSI TS 119 124-4 3 shall apply. 5.4 Testing En
49、capsulatedContentInfo This clause defines the test assertions for SignedData.EncapsulatedContentInfo attribute presence in CMS signature. The CAdES_BB/ECI check in ETSI TS 119 124-4 3 shall apply. 5.5 Testing SignedData.certificates This clause defines the test assertions for SignedData.certificates attribute presence in CMS signature. The CAdES_BB/SDC/1 and 2 checks in ETSI TS 119 124-4 3 shall apply. 5.6 Testing SignedData.crls This clause defines the test assertions for SignedData.crls a
