1、 ETSI TS 119 144-3 V1.1.1 (2016-06) Electronic Signatures and Infrastructures (ESI); PAdES digital signatures - Testing Conformance and Interoperability; Part 3: Test suites for testing interoperability of additional PAdES signatures TECHNICAL SPECIFICATION ETSI ETSI TS 119 144-3 V1.1.1 (2016-06)2 R
2、eference DTS/ESI-0019144-3 Keywords conformance, e-commerce, electronic signature, PAdES, profile, security, testing ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif e
3、nregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present
4、 document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive
5、 within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the
6、present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as auth
7、orized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PL
8、UGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Associa
9、tion. ETSI ETSI TS 119 144-3 V1.1.1 (2016-06)3 Contents Intellectual Property Rights 4g3Foreword . 4g3Modal verbs terminology 4g31 Scope 5g32 References 5g32.1 Normative references . 5g32.2 Informative references 6g33 Definitions and abbreviations . 6g33.1 Definitions 6g33.2 Abbreviations . 6g34 Tes
10、ting CMS digital signatures in PDF interoperability 6g34.1 Introduction 6g34.2 Testing CMS digital signatures in PDF 6g35 Testing interoperability of PAdES-E-BES and PAdES-E-EPES signatures 8g35.1 Introduction 8g35.2 Testing PAdES-E-BES signatures 9g35.3 Testing PAdES-E-EPES signatures 11g36 Testing
11、 interoperability of PAdES-E-LTV signatures . 11g36.1 Testing PAdES-E-LTV signatures . 11g37 Testing interoperability of XAdES signatures signing XML content in PDF 15g37.1 Introduction 15g37.2 Testing XAdES signatures of XML documents embedded in PDF containers 15g37.3 Testing XAdES signatures on X
12、FA forms . 16g38 Testing negative additional PAdES signatures. 16g38.1 CMS digital signatures in PDF test cases . 16g38.2 PAdES-E-BES and PAdES-E-EPES test cases 17g38.3 PAdES-E-LTV test cases . 17g3History 18g3ETSI ETSI TS 119 144-3 V1.1.1 (2016-06)4 Intellectual Property Rights IPRs essential or p
13、otentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essent
14、ial, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee ca
15、n be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signature
16、s and Infrastructures (ESI). The present document is part 3 of a multi-part deliverable covering PAdES digital signatures - Testing Conformance and Interoperability. Full details of the entire series can be found in part 1 i.1. Modal verbs terminology In the present document “shall“, “shall not“, “s
17、hould“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation.
18、 ETSI ETSI TS 119 144-3 V1.1.1 (2016-06)5 1 Scope The present document defines a number of test suites to assess the interoperability between implementations claiming conformance to additional PAdES signatures profiles 3. The present document defines test suites for each profile defined in ETSI EN 3
19、19 142-2 3. Test suites also cover augmentation of additional PAdES signatures and negative test cases. These test suites are agnostic of the PKI infrastructure. Any PKI infrastructure can be used including the one based on EU Member States Trusted Lists. 2 References 2.1 Normative references Refere
20、nces are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced doc
21、uments which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents
22、 are necessary for the application of the present document. 1 ISO 32000-1: “Document management - Portable document format - Part 1: PDF 1.7“. NOTE: Available at http:/ 2 ETSI EN 319 132-1: “Electronic Signatures and Infrastructures (ESI); XAdES digital signatures; Part 1: Building blocks and XAdES
23、baseline signatures“. 3 ETSI EN 319 142-2: “ Electronic Signatures and Infrastructures (ESI); PAdES digital signatures; Part 2: Additional PAdES signatures profiles“. 4 ETSI EN 319 122-1: “Electronic Signatures and Infrastructures (ESI); CAdES digital signatures; Part 1: Building blocks and CAdES ba
24、seline signatures“. 5 IETF RFC 6960: “X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP“. 6 IETF RFC 5280 (2008): “Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile“. ETSI ETSI TS 119 144-3 V1.1.1 (2016-06)6 2.2 Inform
25、ative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments)
26、applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular sub
27、ject area. i.1 ETSI TR 119 144-1: “Electronic Signatures and Infrastructures (ESI); PAdES digital signatures - Testing Conformance and Interoperability; Part 1: Overview“. i.2 ETSI TR 119 001: “Electronic Signatures and Infrastructures (ESI); The framework for standardization of signatures; Definiti
28、ons and abbreviations“. i.3 ETSI EN 319 102-1: “Electronic Signatures and Infrastructures (ESI); Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation“. 3 Definitions and abbreviations 3.1 Definitions For the purposes of the present document, the terms an
29、d definitions given in ETSI TR 119 001 i.2 and the following apply: negative test case: test case for a signature whose validation according to ETSI EN 319 102-1 i.3 would not result in TOTAL-PASSED 3.2 Abbreviations For the purposes of the present document, the abbreviations given in ETSI TR 119 00
30、1 i.2 and the following apply: XFA XML Forms Architecture 4 Testing CMS digital signatures in PDF interoperability 4.1 Introduction This clause refers to clause 4 of ETSI EN 319 142-2 3. The test cases in this clause have been defined for different combinations of CMS digital signatures in PDF attri
31、butes. They test the use of PDF signatures, as described in ISO 32000-1 1 and based on CMS. Mandatory attributes for CMS digital signatures in PDF described in ETSI EN 319 142-2 3, clause 4.2, shall be present. 4.2 Testing CMS digital signatures in PDF The test cases in this clause have been defined
32、 for different combinations of CMS/PDF attributes but the following minimum requirements shall be satisfied. Mandatory attributes for CMS digital signatures in PDF described in ETSI EN 319 142-2 3, clause 4, shall be present. ETSI ETSI TS 119 144-3 V1.1.1 (2016-06)7 Table 1 shows which attributes ar
33、e required to generate CMS digital signatures in PDF for each test case. Table 1: Test cases for CMS digital signatures in PDF TC ID Description Pass criteria Signature attributes PAdES/CMS/1 This is the simplest CMS digital signatures in PDF with minimum requirements and signature dictionary entry
34、M (signing time). The signature shall be an approval signature as defined in ISO 32000-1 1. Positive validation. The signature dictionary shall contain Type, Contents, Filter, SubFilter, M and ByteRange entries. The DER-encoded PKCS #7 binary data object included in the Contents entry shall include
35、the SigningCertificate (in SignedData.certificates field), ContentType and SignerInfo attributes. SignatureDictionary o Type o Sig o Filter o Adobe.PPKLite o SubFilter o adbe.pkcs7.detached o M o ByteRange o Contents (DER PKCS #7) o Certificates o SigningCertificate o ContentType o SignerInfo PAdES/
36、CMS/2 This test case tests a CMS digital signature in PDF with signature time stamp attribute which ensures the time of signing, Location attribute which describes where the data was signed (CPU host name or physical location), Reason attribute that describes the reason for the signing, ContactInfo
37、attribute that provides information to enable a recipient to contact the signer to verify the signature. Positive validation. The signature dictionary shall contain Type, Contents, Filter, SubFilter, Reason, Location, ContactInfo and ByteRange entries. The DER-encoded PKCS #7 binary data object incl
38、uded in the Contents entry shall include the SigningCertificate (in SignedData.certificates field), ContentType, SignerInfo and SignatureTimestamp attributes. SignatureDictionary o Type o Sig o Filter o Adobe.PPKLite o SubFilter o adbe.pkcs7.detached o Reason o Location o ContactInfo o ByteRange o C
39、ontents (DER PKCS #7) o Certificates o SigningCertificate o ContentType o SignerInfo o SignatureTS PAdES/CMS/3 This test case tests a CMS digital signature in PDF with signature time stamp attribute which ensures the time of signing and adbe Revocation Information attribute to ensure revocation chec
40、ks for the signing certificate and its issuer certificates. Certificate revocation list, described in IETF RFC 5280 6 shall be used. Positive validation. The signature dictionary shall contain Type, Contents, Filter, SubFilter, and ByteRange entries. The DER-encoded PKCS #7 binary data object includ
41、ed in the Contents entry shall include the SigningCertificate (in SignedData.certificates field), ContentType, SignerInfo, SignatureTimestamp and RevocationInfo attributes. SignatureDictionary o Type o Sig o Filter o Adobe.PPKLite o SubFilter o adbe.pkcs7.detached o ByteRange o Contents (DER PKCS #7
42、) o Certificates o SigningCertificate o ContentType o SignerInfo o SignatureTS o RevocationInfo square4 Crls ETSI ETSI TS 119 144-3 V1.1.1 (2016-06)8 TC ID Description Pass criteria Signature attributes PAdES/CMS/4 This test case tests a CMS digital signature in PDF with signature time stamp attribu
43、te which ensures the time of signing and adbe Revocation Information attribute to ensure revocation checks for the signers certificate and its issuer certificates. OCSP responses, described in IETF RFC 6960 5 shall be used. Positive validation. The signature dictionary shall contain Type, Contents,
44、Filter, SubFilter, and ByteRange entries. The DER-encoded PKCS #7 binary data object included in the Contents entry shall include the SigningCertificate (in SignedData.certificates field), ContentType, SignerInfo, SignatureTimestamp and RevocationInfo attributes. SignatureDictionary o Type o Sig o F
45、ilter o Adobe.PPKLite o SubFilter o adbe.pkcs7.detached o ByteRange o Contents (DER PKCS #7) o Certificates o SigningCertificate o ContentType o SignerInfo o SignatureTS o RevocationInfo square4 OCSP resp PAdES/CMS/5 This test case tests a CMS serial digital signature in PDF. The signed document sha
46、ll include 2 serial signatures. Positive validation. The signed document shall contain 2 serial signatures. The signature dictionary of every signature shall contain Type, Contents, Filter, SubFilter, M and ByteRange entries. The DER-encoded PKCS #7 binary data object included in the Contents entry
47、shall include the SigningCertificate (in SignedData.certificates field), ContentType and SignerInfo attributes. SignatureDictionary (2 entries) o Type o Sig o Filter o Adobe.PPKLite o SubFilter o adbe.pkcs7.detached o ByteRange o M o Contents (DER PKCS #7) o Certificates o SigningCertificate o Conte
48、ntType o SignerInfo PAdES/CMS/6 This test case tests a CMS certification digital signature in PDF with signing time and LegalContentAttestation attributes. Positive validation. The signature dictionary shall contain Type, Contents, Filter, SubFilter, M, Reference and ByteRange entries. The DER-encod
49、ed PKCS #7 binary data object included in the Contents entry shall include the SigningCertificate (in SignedData.certificates field), ContentType and SignerInfo attributes. The attestation entry in the LegalAttestationDictionary shall be valued. LegalAttestationDictionary SignatureDictionary o Type o Sig o Filter o Adobe.PPKLite o SubFilter o adbe.pkcs7.detached o ByteRange o M o Reference o DocMDP o Contents (DER PKCS #7) o Certificates o SigningCertificate o Conte