XAdES-BES


debackerl

Feb 21, 2012, 4:52:39 AM
to eID Applet
Hello,

While testing eID DSS RC6, I have discovered that XAdES-BES is not
supported.

To test it, I have opened a signature created by the DSS Portal, and
removed the UnsignedSignatureProperties tag, so that it becomes an
XAdES-BES instead of XAdES-X-L. The DSS accepted the X-L but not the
BES.

I checked the source code, in
be.fedict.eid.dss.spi.utils.XAdESValidation, in validate(), the code
is taking for granted that SignatureTimeStamp tag and others will be
present, while it's false for XAdES-BES signatures.

Is it by design, or a bug?

The reason why it's important is because before asking a TimeStamping
Authority to generate the TimeStamp token, I want to be sure the
signature sent by the customer is valid. Otherwise, attackers could
send thousands of rogue certificates, making us send them to the TSA, and
costing us a lot because the TSA is not free.

Thanks

Laurent Debacker

Frank Cornelis

Feb 21, 2012, 5:15:15 AM
to eid-a...@googlegroups.com
Hi Laurent,


Of course XAdES-BES is not supported as this offers no long-term
validity and is thus completely useless.

While constructing the XAdES-X-L, the eID DSS will only extend the
XAdES-BES to a T, C, X, X-L if the PKCS#1 signature was OK and if the
signatory is trusted (checked via the eID Trust Service). So this check
is an inherent part of the construction of the XAdES-X-L by the eID DSS.


Kind Regards,
Frank.
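The two posts above describe the same situation from both sides: a validator that assumes xades:SignatureTimeStamp and the other unsigned properties are always present, and a server that should only spend a TSA request on a BES whose PKCS#1 signature verified and whose signatory is trusted. The following added example (not code from the eID DSS project) shows the defensive shape of that logic: it classifies the XAdES level from the elements actually present, reproduces Laurent's experiment of stripping UnsignedSignatureProperties, and gates the timestamp request on the level plus caller-supplied verification results. The XML fragments are constructed minimal samples with placeholder signature and timestamp values; the PKCS#1 result and the trust decision are assumed to come from the caller, since no cryptographic verification is performed here.

```python
"""Classify a XAdES signature by which qualifying properties are present,
so validation can branch on the level instead of assuming that
xades:SignatureTimeStamp and the other unsigned properties exist.

Added example, not eID DSS code. The XML below is constructed: ds:SignedInfo
is left empty and signature/timestamp values are placeholders. The PKCS#1
verdict and the trust decision are supplied by the caller (assumption)."""
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xades": "http://uri.etsi.org/01903/v1.3.2#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep prefixes when re-serialising

# Cumulative XAdES forms (ETSI TS 101 903): (name, elements that must all be
# present, elements of which at least one must be present).
LEVELS = [
    ("XAdES-T", [".//xades:SignatureTimeStamp"], []),
    ("XAdES-C", [".//xades:CompleteCertificateRefs",
                 ".//xades:CompleteRevocationRefs"], []),
    ("XAdES-X", [], [".//xades:SigAndRefsTimeStamp", ".//xades:RefsOnlyTimeStamp"]),
    ("XAdES-X-L", [".//xades:CertificateValues", ".//xades:RevocationValues"], []),
]


def _signature_element(xml_text):
    root = ET.fromstring(xml_text)
    sig = root if root.tag == f"{{{NS['ds']}}}Signature" else root.find(".//ds:Signature", NS)
    if sig is None:
        raise ValueError("no ds:Signature element")
    if sig.find(".//xades:SignedProperties", NS) is None:
        raise ValueError("no xades:SignedProperties: plain XML-DSig, not XAdES")
    return sig


def xades_level(xml_text):
    """Return the highest XAdES form whose markers are all present.
    Levels are cumulative, so the walk stops at the first missing one."""
    sig = _signature_element(xml_text)
    level = "XAdES-BES"
    for name, must_all, must_any in LEVELS:
        have_all = all(sig.find(p, NS) is not None for p in must_all)
        have_any = not must_any or any(sig.find(p, NS) is not None for p in must_any)
        if not (have_all and have_any):
            break
        level = name
    return level


def strip_unsigned_properties(xml_text):
    """Reproduce the experiment from the thread: remove UnsignedSignatureProperties
    so an X-L signature degrades to BES. Returns the re-serialised XML."""
    root = ET.fromstring(xml_text)
    tag = f"{{{NS['xades']}}}UnsignedSignatureProperties"
    for parent in root.iter():
        for child in list(parent):
            if child.tag == tag:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def should_request_timestamp(xml_text, pkcs1_ok, signatory_trusted):
    """Gate the (paid) TSA call: only a BES whose PKCS#1 signature verified and
    whose signatory is trusted is worth extending to XAdES-T. The two boolean
    inputs are assumed to come from the caller's crypto and trust checks."""
    level = xades_level(xml_text)
    if level != "XAdES-BES":
        return False, f"already {level}; SignatureTimeStamp present"
    if not pkcs1_ok:
        return False, "PKCS#1 signature invalid; no TSA request"
    if not signatory_trusted:
        return False, "signatory not trusted; no TSA request"
    return True, "valid BES from trusted signatory; request SignatureTimeStamp"


# Constructed samples (not real eID DSS output).
BES_SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="sig-1">
  <ds:SignedInfo/>
  <ds:SignatureValue>PLACEHOLDER-BASE64</ds:SignatureValue>
  <ds:Object>
    <xades:QualifyingProperties xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Target="#sig-1">
      <xades:SignedProperties Id="sp-1">
        <xades:SignedSignatureProperties>
          <xades:SigningTime>2012-02-21T09:52:39Z</xades:SigningTime>
        </xades:SignedSignatureProperties>
      </xades:SignedProperties>
    </xades:QualifyingProperties>
  </ds:Object>
</ds:Signature>"""

_UNSIGNED = """<xades:UnsignedProperties><xades:UnsignedSignatureProperties>
  <xades:SignatureTimeStamp><xades:EncapsulatedTimeStamp>TST</xades:EncapsulatedTimeStamp></xades:SignatureTimeStamp>
{extra}</xades:UnsignedSignatureProperties></xades:UnsignedProperties>"""

_XL_EXTRA = """  <xades:CompleteCertificateRefs/><xades:CompleteRevocationRefs/>
  <xades:SigAndRefsTimeStamp><xades:EncapsulatedTimeStamp>TST</xades:EncapsulatedTimeStamp></xades:SigAndRefsTimeStamp>
  <xades:CertificateValues/><xades:RevocationValues/>
"""


def _with_unsigned(extra):
    return BES_SAMPLE.replace("</xades:SignedProperties>",
                              "</xades:SignedProperties>" + _UNSIGNED.format(extra=extra))


T_SAMPLE = _with_unsigned("")
XL_SAMPLE = _with_unsigned(_XL_EXTRA)

if __name__ == "__main__":
    for label, doc in (("BES", BES_SAMPLE), ("T", T_SAMPLE), ("X-L", XL_SAMPLE),
                       ("X-L stripped", strip_unsigned_properties(XL_SAMPLE))):
        print(label, "->", xades_level(doc), should_request_timestamp(doc, True, True))
```

The point of `xades_level` is that it never dereferences an element it has not first found: a BES, T or X-L input all come back with a level rather than a null-pointer failure, so a validator can reject or accept each form deliberately. `should_request_timestamp` puts the cheap checks before the expensive one, which is the ordering that keeps a flood of bogus BES submissions from turning into paid TSA calls.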

debackerl

Feb 22, 2012, 9:31:52 AM
to eID Applet
Thanks Frank,

What's the API to turn an XAdES-BES into XAdES-X-L? I checked the Signing
API of DSS, but I see this 'target' parameter. So I guess it will load
a web page with your Java applet to sign the documents, which we
obviously can't use.

I understand it would be useless to let client applications check XAdES-BES
signatures if the DSS offers an API to turn BES into X-L. I guess
there must be one, the one used by your Java applet to send XAdES-BES
signatures to the server, but I can't find it in your code.

Thanks for your support.

Laurent Debacker

Frank Cornelis

Feb 22, 2012, 9:40:02 AM
to eid-a...@googlegroups.com
Hi Laurent,


The eID DSS does not expose Java APIs. The eID DSS exposes DSS
protocols and should be used as a service.
In the future the eID DSS validation web service will be extended with
functionality to upgrade signatures. But this will only cover XAdES-X-L
to XAdES-A (and XAdES-A to XAdES-A).


Kind Regards,
Frank.

debackerl

Feb 22, 2012, 10:08:03 AM
to eID Applet
Okay but then I don't see why you said checking XAdES-BES was useless
if you can't upgrade BES to X-L. It is still interesting in many
cases, e.g. signatures happening outside the browser.

Thanks for your help, we will have to check for an alternative.

Laurent Debacker

Frank Cornelis

Feb 22, 2012, 2:40:53 PM
to eid-a...@googlegroups.com
Hi Laurent,


You don't have to upgrade to XAdES-X-L yourself. The eID DSS delivers
XAdES-X-L right from the start.

The focus of eID DSS is to be able to create electronic signatures
within a browser.


Kind Regards,
Frank.
