XAdES-A on ei-dss


angel....@keensoft.es

Jun 12, 2013, 1:27:28 PM
to eid-a...@googlegroups.com
XAdES-A production on EI-DSS may not be complete. References for TSA certificates are not included in the signature.

Is any further development planned on this issue?

Thanks

Frank Cornelis

Jun 13, 2013, 3:59:24 AM
to eid-a...@googlegroups.com
Hi,


The eID DSS supports XAdES-X-L. Every XAdES timestamp also has a
corresponding xadesv141:TimeStampValidationData element containing all
required revocation data for a full PKI validation of the TSA
certificate chain.


Kind Regards,
Frank.
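Frank's answer describes what a XAdES-X-L signature from the eID DSS should carry: for every XAdES timestamp, a xadesv141:TimeStampValidationData element with the certificate and revocation values needed to validate the TSA chain. The script below is an added example, not code from the eID DSS project or from anyone in this thread. It walks the UnsignedSignatureProperties of a signature and reports which timestamps lack complete validation data, which is exactly the gap the first post was looking for. The namespaces are the real XAdES 1.3.2/1.4.1 and XMLDSig ones; the sample signature is constructed (its EncapsulatedTimeStamp payloads are placeholder base64, not real RFC 3161 tokens).

```python
# Added example (not from the eID DSS project): audit an XAdES signature for the
# validation data Frank describes, i.e. a xadesv141:TimeStampValidationData element
# with both CertificateValues and RevocationValues for every XAdES timestamp.
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xades": "http://uri.etsi.org/01903/v1.3.2#",
    "xades141": "http://uri.etsi.org/01903/v1.4.1#",
}

# Timestamp containers of XAdES 1.3.2 plus the 1.4.1 ArchiveTimeStamp.
TIMESTAMP_ELEMENTS = {
    "{%s}SignatureTimeStamp" % NS["xades"],
    "{%s}SigAndRefsTimeStamp" % NS["xades"],
    "{%s}RefsOnlyTimeStamp" % NS["xades"],
    "{%s}ArchiveTimeStamp" % NS["xades141"],
}
VALIDATION_DATA = "{%s}TimeStampValidationData" % NS["xades141"]


def audit_timestamp_validation_data(xml_text):
    """Return {timestamp Id: bool}; True means a TimeStampValidationData element
    carrying both CertificateValues and RevocationValues refers to that timestamp."""
    root = ET.fromstring(xml_text)
    usp = root.find(".//xades:UnsignedSignatureProperties", NS)
    report = {}
    if usp is None:
        return report
    last_ts = None
    for child in usp:
        if child.tag in TIMESTAMP_ELEMENTS:
            last_ts = child.get("Id", "")
            report.setdefault(last_ts, False)
        elif child.tag == VALIDATION_DATA:
            # XAdES 1.4.1: the optional URI attribute names the timestamp the data
            # belongs to; without it, the data applies to the preceding timestamp.
            uri = child.get("URI")
            target = uri.lstrip("#") if uri else last_ts
            complete = (child.find("xades:CertificateValues", NS) is not None
                        and child.find("xades:RevocationValues", NS) is not None)
            if target is not None:
                report[target] = complete
    return report


def missing_validation_data(xml_text):
    """Sorted Ids of timestamps whose TSA chain cannot be validated offline."""
    return sorted(ts for ts, ok in audit_timestamp_validation_data(xml_text).items() if not ok)


# Constructed sample: ts-1 is complete, ts-2 lacks RevocationValues, ts-3 has nothing.
SAMPLE_SIGNATURE = """<?xml version="1.0"?>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
              xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"
              xmlns:xades141="http://uri.etsi.org/01903/v1.4.1#" Id="sig-1">
  <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
  <ds:Object>
    <xades:QualifyingProperties Target="#sig-1">
      <xades:UnsignedProperties>
        <xades:UnsignedSignatureProperties>
          <xades:SignatureTimeStamp Id="ts-1">
            <xades:EncapsulatedTimeStamp>dG9rZW4x</xades:EncapsulatedTimeStamp>
          </xades:SignatureTimeStamp>
          <xades141:TimeStampValidationData URI="#ts-1">
            <xades:CertificateValues/>
            <xades:RevocationValues/>
          </xades141:TimeStampValidationData>
          <xades:SigAndRefsTimeStamp Id="ts-2">
            <xades:EncapsulatedTimeStamp>dG9rZW4y</xades:EncapsulatedTimeStamp>
          </xades:SigAndRefsTimeStamp>
          <xades141:TimeStampValidationData>
            <xades:CertificateValues/>
          </xades141:TimeStampValidationData>
          <xades141:ArchiveTimeStamp Id="ts-3">
            <xades:EncapsulatedTimeStamp>dG9rZW4z</xades:EncapsulatedTimeStamp>
          </xades141:ArchiveTimeStamp>
        </xades:UnsignedSignatureProperties>
      </xades:UnsignedProperties>
    </xades:QualifyingProperties>
  </ds:Object>
</ds:Signature>
"""

if __name__ == "__main__":
    print(audit_timestamp_validation_data(SAMPLE_SIGNATURE))
    print("incomplete:", missing_validation_data(SAMPLE_SIGNATURE))
```

The check is structural only: it tells you whether the values are present, not whether the embedded certificates and CRL/OCSP responses actually chain and are fresh; that is the job of the full validation the DSS performs.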

angel....@keensoft.es

Jun 18, 2013, 3:59:30 AM
to eid-a...@googlegroups.com, frank.c...@fedict.be
Thanks, Frank.

I was wrong.

The real problem is that revocation data is not included:

RevocationData[token=Certificate[subjectName="CN=NOMBRE XXXX - NIF XXXX, OU=500050546, OU=FNMT Clase 2 CA, O=FNMT, C=ES",issuedBy="OU=FNMT Clase 2 CA, O=FNMT, C=ES"],data=*** NO VALIDATION DATA AVAILABLE ***]

Maybe I'm missing some required configuration?

Thanks in advance!

angel....@keensoft.es

Jun 18, 2013, 6:43:09 AM
to eid-a...@googlegroups.com, frank.c...@fedict.be
By the way, I'm using the Spanish TSL (https://sede.minetur.gob.es/prestadores/tsl/tsl.xml), which is not signed. Should I perhaps extend ReloadableTrustListCertificateSource?

Thanks

angel....@keensoft.es

Jun 18, 2013, 10:46:54 AM
to eid-a...@googlegroups.com, frank.c...@fedict.be, angel....@keensoft.es
Finally I got it working.

<bean id="TrustedListSource"
      class="eu.europa.ec.markt.dss.validation.tsl.ReloadableTrustListCertificateSource"
      init-method="refresh">
    <property name="tslLoader" ref="httpDataLoader" />
    <property name="checkSignature" value="false"/>
    <property name="lotlUrl" value="https://sede.minetur.gob.es/prestadores/tsl/tsl.xml"/>
</bean>

I have also made a modification in eu/europa/ec/markt/dss/validation/tsl/TrustedListsCertificateSource.java, around line 184:

TrustStatusList lotl = null;
try {
    lotl = getTrustStatusList(lotlUrl, lotlCert);

    // Added certificate load for custom LOTL
    loadAllCertificatesFromOneTSL(lotl, true);

} catch (NotETSICompliantException e) {
    LOG.severe("TSL not compliant with ETSI " + e.getMessage());
}
 
Regards
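The bean above works by setting checkSignature to false and pointing lotlUrl directly at a national TSL, so every CA certificate in that list becomes a trust anchor without the list itself being verified. The script below is an added example, not the DSS project's code or anything posted in this thread. It does the same job in miniature: it parses an ETSI TS 102 231 trusted list, keeps only CA/QC services in an accepted status and collects their X509Certificate identities, but it refuses an unsigned list by default so that the opt-out is an explicit decision of the caller. The tsl and ds namespaces and the Svctype/Svcstatus URIs are the real ETSI ones; the accepted-status set is an assumption to adapt to the TSL version in use, and the sample list and its certificate payload are constructed placeholders. Detecting a ds:Signature is not verifying it; a signed list still has to be checked against the expected TSL signing certificate before its anchors are trusted.

```python
# Added example (not the DSS project's own code): load CA trust anchors from an
# ETSI TS 102 231 trusted list, treating "unsigned list" as an explicit decision.
import base64
import xml.etree.ElementTree as ET

TSL_NS = {
    "tsl": "http://uri.etsi.org/02231/v2#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
# Assumption: statuses this example treats as trustworthy; the exact set depends
# on the TS 102 231 version the consumed list follows.
ACCEPTED_STATUS = {
    "http://uri.etsi.org/TrstSvc/Svcstatus/undersupervision",
    "http://uri.etsi.org/TrstSvc/Svcstatus/accredited",
}


class UnsignedTrustListError(ValueError):
    """Raised when a list without ds:Signature is offered with check_signature=True."""


def load_trust_anchors(xml_text, check_signature=True):
    """Return {"signed": bool, "anchors": [(service name, DER bytes), ...]}.

    Presence of ds:Signature is only detected here; verifying it against the
    expected TSL signing certificate is left to the caller's XMLDSig library."""
    root = ET.fromstring(xml_text)
    signed = root.find("ds:Signature", TSL_NS) is not None
    if check_signature and not signed:
        raise UnsignedTrustListError("trusted list carries no ds:Signature")
    anchors = []
    for svc in root.iterfind(".//tsl:TSPService", TSL_NS):
        info = svc.find("tsl:ServiceInformation", TSL_NS)
        if info is None:
            continue
        stype = info.findtext("tsl:ServiceTypeIdentifier", "", TSL_NS).strip()
        status = info.findtext("tsl:ServiceStatus", "", TSL_NS).strip()
        # Only certification services in an accepted status become anchors.
        if stype != CA_QC or status not in ACCEPTED_STATUS:
            continue
        name = info.findtext("tsl:ServiceName/tsl:Name", "", TSL_NS).strip()
        path = "tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509Certificate"
        for cert in info.iterfind(path, TSL_NS):
            anchors.append((name, base64.b64decode(cert.text.strip())))
    return {"signed": signed, "anchors": anchors}


def rejects_unsigned(xml_text):
    """True when the default (check_signature=True) path refuses this list."""
    try:
        load_trust_anchors(xml_text)
    except UnsignedTrustListError:
        return True
    return False


# Constructed sample list (no ds:Signature, placeholder certificate bytes).
FAKE_DER = base64.b64encode(b"constructed placeholder, not a real certificate").decode()


def _service(stype, name, status):
    return f"""<TSPService><ServiceInformation>
      <ServiceTypeIdentifier>{stype}</ServiceTypeIdentifier>
      <ServiceName><Name xml:lang="en">{name}</Name></ServiceName>
      <ServiceDigitalIdentity><DigitalId><X509Certificate>{FAKE_DER}</X509Certificate></DigitalId></ServiceDigitalIdentity>
      <ServiceStatus>{status}</ServiceStatus>
    </ServiceInformation></TSPService>"""


SAMPLE_TSL = f"""<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
  <TrustServiceProviderList><TrustServiceProvider><TSPServices>
    {_service(CA_QC, "Constructed CA (supervised)", "http://uri.etsi.org/TrstSvc/Svcstatus/undersupervision")}
    {_service(CA_QC, "Constructed CA (revoked)", "http://uri.etsi.org/TrstSvc/Svcstatus/supervisionrevoked")}
    {_service("http://uri.etsi.org/TrstSvc/Svctype/TSA", "Constructed TSA", "http://uri.etsi.org/TrstSvc/Svcstatus/undersupervision")}
  </TSPServices></TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>
"""

if __name__ == "__main__":
    print("default rejects unsigned list:", rejects_unsigned(SAMPLE_TSL))
    result = load_trust_anchors(SAMPLE_TSL, check_signature=False)
    print("signed:", result["signed"], "anchors:", [n for n, _ in result["anchors"]])
```

Running it shows one anchor (the supervised CA) and a refusal under the default setting; the revoked CA and the TSA service are filtered out by status and type even when the signature check is waived, which is the filtering a loader must still do after checkSignature has been disabled.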