eIDAS.adoc

1. eIDAS

1.1. Overview of certificates

1.1.1. Type of certificate

A certificate can be for electronic signature, for electronic seal or for website authentication.

1.1.2. Qualified status of certificate

Explanations as well as an example on the determination of the qualified status of a certificate are presented in section [CertificateValidation].

1.2. How certificate type and qualification are represented in DSS

1.2.1. Certificate Qualification determination

To determine the type and qualification of a certificate, the CertificateVerifier can be used, provided that the relevant information has been extracted from the Trusted List(s).

An example of extracting qualification data for a certificate can be found below:

Certificate qualification validation
link:../../../test/java/eu/europa/esig/dss/cookbook/example/validate/CertificateQualificationTest.java[role=include]

1.2.2. Qualified certificate for WebSite Authentication (QWAC)

With DSS, it is possible to validate an SSL certificate against the EUMS TL and ETSI TS 119 615 (cf. [R14]) to determine whether it is a Qualified certificate for WebSite Authentication (QWAC).

DSS provides a dedicated class, SSLCertificateLoader, which extracts the SSL certificate chain from a given URL. The qualification verification is similar to the example given in chapter Certificate Qualification determination.

Validate an SSL certificate and retrieve its qualification level
link:../../../test/java/eu/europa/esig/dss/cookbook/example/validate/QWACValidationTest.java[role=include]
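
The QWAC check described above can be turned into an accept/reject decision. The following is an added example, not the DSS cookbook code: the class name `QwacGate`, the method `isQwac` and the policy of requiring the qualified status both at issuance and at validation time are assumptions, as is the DSS 5.x package layout used in the imports (other releases may place `CertificateVerifier` elsewhere). The `TrustedListsCertificateSource` is assumed to be already populated from the EUMS Trusted Lists.

```java
import java.util.List;

import eu.europa.esig.dss.enumerations.CertificateQualification;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.simplecertificatereport.SimpleCertificateReport;
import eu.europa.esig.dss.spi.tsl.TrustedListsCertificateSource;
import eu.europa.esig.dss.spi.x509.CommonCertificateSource;
import eu.europa.esig.dss.validation.CertificateValidator;
import eu.europa.esig.dss.validation.CertificateVerifier;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;

// Hypothetical helper: accepts a TLS chain only if its leaf is a QWAC.
public class QwacGate {

    /**
     * @param chain    TLS chain, leaf first, e.g. the list returned by
     *                 SSLCertificateLoader.getCertificates(url)
     * @param tlSource trusted certificate source already filled from the
     *                 EUMS Trusted Lists (assumption)
     */
    public static boolean isQwac(List<CertificateToken> chain,
                                 TrustedListsCertificateSource tlSource) {
        if (chain == null || chain.isEmpty()) {
            return false; // nothing to qualify
        }

        CertificateVerifier cv = new CommonCertificateVerifier();
        // Only the Trusted Lists act as trust anchors.
        cv.setTrustedCertSources(tlSource);

        // Certificates sent by the server help path building but are NOT trusted.
        CommonCertificateSource adjunct = new CommonCertificateSource();
        for (CertificateToken token : chain) {
            adjunct.addCertificate(token);
        }
        cv.setAdjunctCertSources(adjunct);

        CertificateValidator validator = CertificateValidator.fromCertificate(chain.get(0));
        validator.setCertificateVerifier(cv);
        SimpleCertificateReport report = validator.validate().getSimpleReport();

        // Assumed policy: qualified for website authentication when issued
        // and still qualified now (the trust service status may have changed).
        CertificateQualification atIssuance = report.getQualificationAtCertificateIssuance();
        CertificateQualification atValidation = report.getQualificationAtValidationTime();
        return atIssuance == CertificateQualification.QCERT_FOR_WSA
                && atValidation == CertificateQualification.QCERT_FOR_WSA;
    }
}
```

The check covers qualification only. No revocation sources are configured on the verifier here, so a deployment would also call `setOcspSource` and `setCrlSource` on it and inspect the validation result in the report.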

1.3. Overview of AdES signatures

1.3.1. Type of AdES

Under eIDAS, there exist advanced electronic signatures and seals.

1.3.2. Qualified status of AdES signature

Below is an example of the validation and verification of the qualified status of an AdES signature:

1.4. How signature type and qualification are represented in DSS

1.4.1. Signature Qualification determination

To determine the type and qualification of a signature, an instance of SignedDocumentValidator can be used, provided that the relevant information has been extracted from the Trusted List(s).

An example of extracting qualification data for a signature can be found below:

Signature qualification validation
link:../../../test/java/eu/europa/esig/dss/cookbook/example/validate/SignatureQualificationTest.java[role=include]

1.5. Verifying the qualified status of timestamp

ETSI TS 119 615 ([R14]) specifies standardized procedures for determining the qualification of a timestamp. DSS is able to determine the qualification level of a timestamp if the relevant information about TrustServiceProviders is provided to the certificate verifier (loaded automatically into a trusted certificate source with [tlValidationJob]).

Three qualification levels are supported by DSS and can be obtained:

  • QTSA (issued from a granted trust service with TSA/QTST type at the timestamp production time);

  • TSA (any other from a known trust anchor);

  • N/A for others.

To determine the type and qualification of a timestamp, an instance of DetachedTimestampValidator can be used for the verification of a detached CMS time-stamp, provided that the relevant information has been extracted from the Trusted List(s).

Note
For standalone time-stamps within different containers (e.g. PDF or ASiC) a corresponding instance of a TimestampValidator shall be used.

The following example verifies the qualification level of a timestamp:

Validate a timestamp and retrieve its qualification level
link:../../../test/java/eu/europa/esig/dss/cookbook/example/validate/TimestampValidationTest.java[role=include]