xades4j
Validation of XAdES-X and XAdES-X-L forms
While the library can create XAdES-X and XAdES-X-L forms by extending a XAdES-C
document, it can't validate them.
Related: issue 18.
What version of the product are you using? On what operating system?
1.3.0
Please provide any additional information below.
Preliminary patches (not final) to add support for XAdES-X and XAdES-X-L forms
are attached.
Missing features:
1. Code does not use the time from SigAndRefsTimeStamp to validate
SignatureTimeStamp
2. Does not add support for optional tags: AttrAuthoritiesCertValues or
AttributeRevocationValues.
3. Does not use CertificateValues or RevocationValues for checking the validity
of Signature (still depends on validator to have proper CRLs and Certificates)
Original issue reported on code.google.com by [email protected]
on 16 Oct 2012 at 5:21
Attachments:
New set of patches (still not final) to add support for XAdES-X and XAdES-X-L
forms.
Missing features:
1. Code does not use the time from SigAndRefsTimeStamp to validate
SignatureTimeStamp (requires complete verifier rewrite)
2. Does not create optional tags: AttrAuthoritiesCertValues or
AttributeRevocationValues.
3. Because of 2: no test cases for those properties
It finally does use certificates and CRLs encoded in properties.
Patches based on rev 248.
Original comment by [email protected]
on 29 Oct 2012 at 5:19
Attachments:
- 0001-basic-support-for-XAdES-X-signature-verification.patch
- 0002-add-tests-for-enriching-C-form-to-X-and-verification.patch
- 0003-preliminary-support-for-XAdES-X-L-form-verification.patch
- 0004-fix-test-case-broken-by-revision-247-changed-paths.patch
- 0005-extract-certs-and-CRLs-from-X-L-form-tags.patch
- 0006-add-support-for-AttrAuthoritiesCertValues-and-Attrib.patch
Small fix in patch 6: wrong ToXmlConverter was used for
AttrAuthoritiesCertValues
Original comment by [email protected]
on 30 Oct 2012 at 10:29
Attachments:
Basically final patches to add support for XAdES-X and XAdES-X-L properties.
As the use of time from SigAndRefsTimeStamp to verify SignatureTimeStamp
requires a verifier rewrite, it's still not done. It does create optional tags:
AttrAuthoritiesCertValues, AttributeRevocationValues and tests for their
creation. As the verifier can't handle partial failures in verification, the
tests are only preliminary.
Big changes: separate verifier for TimeStamps and Signature (different
TrustAnchors, different certificate stores and different revocation
information) and ability to add certificate stores (certs and CRLs) in
certificate validation providers.
Original comment by [email protected]
on 5 Nov 2012 at 2:40
Attachments:
- 0001-fix-test-case-broken-by-revision-247-changed-paths.patch
- 0002-basic-support-for-XAdES-X-signature-verification.patch
- 0003-add-tests-for-enriching-C-form-to-X-and-verification.patch
- 0004-preliminary-support-for-XAdES-X-L-form-verification.patch
- 0005-extract-certs-and-CRLs-from-X-L-form-tags.patch
- 0006-add-support-for-AttrAuthoritiesCertValues-and-Attrib.patch
- 0007-test-creation-of-optional-X-L-form-properties.patch
- 0008-add-certificates-and-CRLs-used-in-verification-of-Ti.patch
- 0009-separate-certificate-verifiers-for-TimeStamps-and-Si.patch
Final patches to add support for XAdES-X and XAdES-X-L properties.
Both creation (by extending the signature from lower forms only!) and
validation are functioning correctly. That is, if you have a XAdES-X-L document
with current CRLs inside, you need only CA certificates to validate it.
Patches up to 0009 are exactly the same as in Comment #3; both verifier and
unmarshallers have been rewritten to a hybrid approach: finding the property is
done using DOM while the unmarshalling of the property itself is done using
JAXB. The verifier can handle partial failures in verification.
Original comment by [email protected]
on 15 Dec 2012 at 7:00
Attachments:
- 0001-fix-test-case-broken-by-revision-247-changed-paths.patch
- 0002-basic-support-for-XAdES-X-signature-verification.patch
- 0003-add-tests-for-enriching-C-form-to-X-and-verification.patch
- 0004-preliminary-support-for-XAdES-X-L-form-verification.patch
- 0005-extract-certs-and-CRLs-from-X-L-form-tags.patch
- 0006-add-support-for-AttrAuthoritiesCertValues-and-Attrib.patch
- 0007-test-creation-of-optional-X-L-form-properties.patch
- 0008-add-certificates-and-CRLs-used-in-verification-of-Ti.patch
- 0009-separate-certificate-verifiers-for-TimeStamps-and-Si.patch
- 0010-backend-for-generating-our-own-certificates-for-test.patch
- 0011-test-XAdES-X-L-form-with-minimal-trust-anchors.patch
- 0012-add-tests-of-CertPathBuilder.patch
- 0013-fix-test01_T_ver2-caused-by-bug-in-X509CRLSelector.patch
- 0014-use-the-new-verifier-implementation.patch
- 0015-create-hybrid-approach-unmarshaller.patch
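The claim in the comment above, that an X-L document carrying current CRLs needs only CA certificates as trust anchors, can be illustrated with the JDK's own PKIX API. This is an added example, not code from the attached patches or from xades4j; the class and method names are hypothetical, and `validationTime` is assumed to come from a time-stamp that has already been verified with its own, separate trust anchors.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.security.cert.*;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class EmbeddedPkiValidation {           // hypothetical name, not a xades4j class
    static final String XADES = "http://uri.etsi.org/01903/v1.3.2#";

    // Namespace-aware parse with DOCTYPE declarations rejected (blocks XXE).
    static Document parse(File xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(xml);
    }

    // Base64-decode every <child> found anywhere below a <parent> property element.
    static List<byte[]> encapsulated(Document doc, String parent, String child) {
        List<byte[]> out = new ArrayList<>();
        NodeList parents = doc.getElementsByTagNameNS(XADES, parent);
        for (int i = 0; i < parents.getLength(); i++) {
            NodeList kids = ((Element) parents.item(i)).getElementsByTagNameNS(XADES, child);
            for (int j = 0; j < kids.getLength(); j++)
                out.add(Base64.getMimeDecoder().decode(kids.item(j).getTextContent()));
        }
        return out;
    }

    // Builds and checks the signer's path using only material embedded in the document.
    // Embedded certificates and CRLs are untrusted input; trust comes solely from caAnchors.
    static PKIXCertPathBuilderResult validate(Document doc, X509Certificate signer,
            Set<TrustAnchor> caAnchors, Date validationTime) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Object> material = new ArrayList<>();
        material.add(signer);
        for (byte[] der : encapsulated(doc, "CertificateValues", "EncapsulatedX509Certificate"))
            material.add(cf.generateCertificate(new ByteArrayInputStream(der)));
        for (byte[] der : encapsulated(doc, "RevocationValues", "EncapsulatedCRLValue"))
            material.add(cf.generateCRL(new ByteArrayInputStream(der)));

        X509CertSelector target = new X509CertSelector();
        target.setCertificate(signer);
        PKIXBuilderParameters params = new PKIXBuilderParameters(caAnchors, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(material)));
        params.setRevocationEnabled(true);   // fails if no embedded CRL covers a certificate
        params.setDate(validationTime);      // judge validity and CRL freshness at this time
        return (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
    }
}
```

A `CertPathBuilderException` from `validate` means the embedded material was insufficient or a certificate was revoked or expired at `validationTime`; the same routine with a different anchor set would serve for time-stamp certificates.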
Rest of the patches to comment #4.
This closes the issue.
Original comment by [email protected]
on 15 Dec 2012 at 7:04
Attachments:
- 0016-create-hybrid-verifier.patch
- 0017-provide-XML-location-information-to-TimeStampVerifie.patch
- 0018-constraints-on-time-stamps-certificates-and-CRLs.patch
- 0019-allow-for-creation-of-C-form-from-T-form-with-curren.patch
- 0020-make-PKIX-certificate-validator-more-tolerant-of-inp.patch
- 0021-PKIX-cert-validator-should-be-tolerant-of-input.patch
- 0022-make-verifiers-of-EncapsulatedPKIData-collect-the-PK.patch
- 0023-fix-XadesVerifierErrosTest-tests.patch
- 0024-extend-XadesHybridVerifier-to-XAdES-X-L-support.patch
- 0025-documentation-fixes.patch
All patches in a single file to ease download.
Original comment by [email protected]
on 27 Dec 2012 at 5:34
Attachments:
Here is an SVN patch including all the changes from Hubert K.
Taken from Comment 6 and applied one-by-one on revision #248.
Original comment by [email protected]
on 8 Jan 2013 at 8:59
Attachments:
SVN CLI client in 1.7 (I tested 1.7.5) does support git patches, you can just
`svn patch` them. It's the TortoiseSVN that lacks support for git-styled
unified diff files.
Original comment by [email protected]
on 9 Jan 2013 at 3:01
This issue is still open. Does xades4j v1.3.2 support XAdES-X and XAdES-X-L, or should I apply the patches to the current master to get XAdES-X-L working?
The patches have not been applied to the code base so xades4j doesn't support X-L. In addition, the patches were not revised.
Thanks @luisgoncalves, are you planning to include X-L support in a future release? (notify @yanoz)
Unfortunately I can't say it's planned. I'd like to add that support as well as other aspects discussed with Hubert (the developer that submitted the patches), but I haven't been able to keep up with the library development. Nevertheless, it is not forgotten (e.g. I participated in the ETSI plugtests last fall). I'd like to catch up on developments eventually...
Is this issue closed, and does xades4j support validation of XL forms? I mean, could I validate a file with the XL form?
Hello @leonardoavs, this issue isn't closed because X-L support is not completely integrated in the lib.
Work from community developers over time has been merged in #146 into the xades-x-l-a branch. However, a lot of stuff changed (breaking changes) and a full review of the code is still to be done. You can build the lib from that branch and try the new features. Note that you'll have to be using the tests as documentation.