Table of Contents

P4 XAdES-X LONG (Type 1)

General Information

Long-term and OCSP-based Secure Electronic Signature Policies (Profile P4) is defined by Information and Communication Technologies Authority (ICTA) in Electronic Signature Usage Profiles which is a guide of signature profiles for Turkey. In this profile, long term compatibility is provided with ES-X LONG and ES-A signature formats. In addition, this profile requires the use of OCSP for end-user certification revocation control. These requirements are provided by the XAdES-X LONG Type 1 signature format in accordance with the P4 profile.

The ES-X LONG Type 1 (Extended Long Electronic Signature with Time Type 1) signature is based on the ES-T signature. In addition to ES-T signature, it includes the root and sub-root certificates of the certification authority and the CRL and OCSP responses for signature verification. This enables the signature to be validated for a long period of time.

This data, which is added to the signature file, is used while performing signature verification. It does not need to connect to any external system for signature verification and to obtain verification data; all data required for verification is accessed from the contents of the signature file. It is the most recommended signature format thanks to these features.

P4 XAdES-X Long

The following table specifies the signature properties that must be included in the signature file for P4 XAdES-X LONG signature format:

Signature Properties P4 XAdES-X LONG
Signed Attributes Reference/DigestValue M
SigningCertificate M
SigningTime M
DataObjectFormat/MimeType M
CommitmentTypeIndication O
SignatureProductionPlace O
SignerRole O
AllDataObjectsTimeStamp IndividualDataObjectsTimeStamp O
SignaturePolicyIdentifierM
-SigPolicyQualifier M
–SPURI M
–SPUserNotice O
Unsigned Attributes CounterSignature O
SignatureTimeStamp M
XAdESv141:TimeStampValidationData/CertificateValues M
XAdESv141:TimeStampValidationData/RevocationValues M
CompleteCertificateRefs M
AttributeCertificateRefs O
CompleteRevocationRefsM
AttributeRevocationRefsO
CertificateValuesM
AttrAuthoritiesCertValuesO
RevocationValuesM
AttributeRevocationValuesO
SigAndRefsTimeStampM
RefsOnlyTimeStamp-
xadesv141:ArchiveTimeStampO

M: Must - It is mandatory to provide the specified substance. If the substance is not provided, the e-signature conformity assessment will result in a negative.

O: Optional – It is optional to provide the specified substance. If the substance is not provided, the e-signature conformity assessment will not result in a negative.

- : This means that the attribute is not in the signature format.

Procedure

You can access the P4 XAdES-X LONG Type 1 Enveloping Test Package from here.

You can access the P4 XAdES-X LONG Type 1 Detached Test Package from here.

You can access test root certificates from here.

The following table provides the names and properties of the signature files to be used in the procedures:

M/O Signed Document Name Signed Document Property Validation ResultExplanation
M P4_1 Valid (All signed attributes are added) VALID All signed attributes must be displayed in the validation result
O P4_2.doc Signature file with a macro inserted content INVALID The signature should not be verified
M P4_3 Contradictory signature file including “DataObjectFormat/MimeType” attribute with “image/jpeg” value although the actual content type is “Application/pdf” INVALID Signature verification details must be shown.
M P4_4Signature file with “SigPolicyId” having another value than P4 OID (2.16.792.1.61.0.1.5070.3.3.1) INVALID Signature verification details must be shown.
M P4_5Signature file with “SigPolicyHash” having another hash value than P4 hash value INVALID Signature verification details must be shown.
M P4_6Signature file with “SPUserNotice” having P4 user notice VALID P4 user notice must be shown.
M P4_7Signature file with “SigningCertificate” hash algorithm is SHA-1 INVALID Signature verification details must be shown.
M P4_8Signature file without “SigningTime” INVALID Signature verification details must be shown.
M P4_9Signature file having three hours earlier “SigningTime” than “SignatureTimeStamp” INVALID “SignatureTimeStamp” must be taken no later than two hours after the signing time. Signature verification details must be shown.
M P4_10Signature file with qualified certificate revocation value CRL rather than OCSP INVALID Signature verification details must be shown.
O P4_11Signature file with ”SignatureTimeStamp” which do not have “signatureTimeStamp” root certificate (TS server is TSC1) INVALID The signature must not be verified.
M P4_12Signature file with ” SignatureTimeStamp” which do not have “signatureTimeStamp” CRL (TS server is TSC1) INVALID Signature verification details must be shown.
M P4_13 Signature file with a forged “SigningCertificate” attribute INVALID Signature verification details must be shown.
M P4_14 Signature file with a forged ”Reference/DigestValue” attribute INVALID Signature verification details must be shown.
M P4_15 Signature file in which SHA-1 digest algorithm is used VALID The signature must be archived.
M P4_16 Signature file with a forged signature INVALID Signature verification details must be shown.
M P4_17 Signature file signed by a certificate with an omitted “non-repudiation” field in the key usage extension INVALID Signature verification details must be shown.
M P4_18 Signer certificate with an omitted “UserNotice” text field in the “CertificatePolicies” extension INVALID Signature verification details must be shown.
M P4_19 Signer certificate with an omitted ETSI OID in “QualifiedCertificateStatements” extension INVALID Signature verification details must be shown.
M P4_20 Signer certificate with an omitted ICTA OID in “QualifiedCertificateStatements” extension INVALID Signature verification details must be shown.
O P4_21 Signature file which has a PDF/A-3 content with attachment INVALID The signature should not be verified.
M P4_22 Signer certificate has expired before signature timestamp INVALID Signature verification details must be shown.
M P4_23 Signer certificate has a forged signature INVALID Signature verification details must be shown.
M P4_24Signer certificate has revoked before signature timestamp (Revocation check is available only via OCSP) INVALID Signature verification details must be shown.
M P4_25 Signer certificate revoked in OCSP after signature timestamp VALID
M P4_26 The validity of signer certificate has to be checked via an expired OCSP response INVALID Signature verification details must be shown.
M P4_27 The validity of signer certificate has to be checked via an OCSP response having forged signature INVALID Signature verification details must be shown.
M P4_28 The validity of signer certificate has to be checked via an OCSP response which is signed by an expired OCSP certificate INVALID Signature verification details must be shown.
M P4_29 The validity of signer certificate has to be checked via an OCSP response which is signed by a signature forged OCSP certificate INVALID Signature verification details must be shown.
M P4_30 The validity of signer certificate has to be checked via an OCSP response which is signed by a revoked OCSP certificate INVALID Signature verification details must be shown.
M P4_31 The validity of signer certificate has to be checked via an OCSP response which is signed by a revoked OCSP certificate. The OCSP certificate is revoked after signature timestamp VALID
M P4_32 Signer certificate has a monetary limit which is equal to “0” CHOICE*
O P4_33 Signer certificate has a usage restriction defined in “QC Statements” extension INVALID The signature should not be verified.
M P4_34 The validity of signer certificate has to be checked via an OCSP response which is generated for a different certificate INVALID Signature verification details must be shown.
M P4_35 Signer certificate is issued by an intermediate CA certificate having a forged signature INVALID Signature verification details must be shown.
M P4_36 The root certificate has a forged signature INVALID Signature verification details must be shown.
M P4_37 Signature timestamp has a “TSTInfo” with a forged “messageImprint” field (TS server is TSA1) INVALID Signature verification details must be shown.
M P4_38 Signature timestamp has a forged signature (TS server is TSA2) INVALID Signature verification details must be shown.
M P4_39 Signature timestamp is signed by an expired certificate (TS server is TSA3) INVALID Signature verification details must be shown.
M P4_40 Signature timestamp is signed by a certificate with a forged signature (TS server is TSA4) INVALID Signature verification details must be shown.
M P4_41 Signature timestamp is signed by a revoked certificate. The revocation time is before the signing time (TS server is TSA5) INVALID Signature verification details must be shown.
M P4_42 Signature timestamp is signed by a revoked certificate. The revocation time is after the signature timestamp (TS server is TSA5) VALID
M P4_43 Signature timestamp is signed by a certificate whose issuer certificate signature is forged (TS server is TSB) INVALID Signature verification details must be shown.
M P4_44 Signature timestamp is signed by a valid certificate (TS server is TSC1) VALID
M P4_45 Signature timestamp is signed by a certificate which references an expired CRL (TS server is TSC2) INVALID Signature verification details must be shown.
M P4_46 Signature timestamp is signed by a certificate which references a CRL with a forged signature (TS server is TSC3) INVALID Signature verification details must be shown.
M P4_47Signature file with a ”Complete certificate references” attribute which does not have a root certificate reference INVALID Signature verification details must be shown.
M P4_48Signature file with a ”Complete certificate references” attribute which has a wrong root certificate reference INVALID Signature verification details must be shown.
M P4_49Signature file with a ”Complete certificate references” attribute which does not have an intermediate CA certificate reference INVALID Signature verification details must be shown.
M P4_50Signature file with a ”Complete certificate references” attribute which has a wrong intermediate CA certificate reference INVALID Signature verification details must be shown.
M P4_51Signature file with a ”Complete revocation references” attribute which does not have a CRL reference for intermediate CA INVALID Signature verification details must be shown.
M P4_52Signature file with a ”Complete revocation references” attribute which has a wrong CRL reference for intermediate CA INVALID Signature verification details must be shown.
M P4_53Signature file with a ”Complete revocation references” attribute which does not have an OCSP reference for signer certificate INVALID Signature verification details must be shown.
M P4_54Signature file with a ”Complete revocation references” attribute which has a wrong OCSP reference for signer certificate INVALID Signature verification details must be shown.
M P4_55Signature file with a ”Certificate values” attribute which does not have a root certificate value INVALID Signature verification details must be shown.
M P4_57Signature file with a ”Certificate values” attribute which does not have an intermediate CA certificate value INVALID Signature verification details must be shown.
M P4_59Signature file with a ”Revocation Values” attribute which does not have a CRL value for intermediate CA certificate INVALID Signature verification details must be shown.
M P4_61Signature file with ”Revocation values” attribute which does not have an OCSP value for signer certificate INVALID Signature verification details must be shown.
M P4_63 “sigAndRefTimeStamp” has a “TSTInfo” with a forged “messageImprint” field (TS server is TSA1) INVALID Signature verification details must be shown.
M P4_64 “sigAndRefTimeStamp” has a forged signature (TS server is TSA2) INVALID Signature verification details must be shown.
M P4_65 “sigAndRefTimeStamp” is signed by an expired certificate (TS server is TSA3) INVALID Signature verification details must be shown.
M P4_66 “sigAndRefTimeStamp” is signed by a certificate with a forged signature (TS server is TSA4) INVALID Signature verification details must be shown.
M P4_67 “sigAndRefTimeStamp” is signed by a revoked certificate. The revocation time is before the signing time (TS server is TSA5) INVALID Signature verification details must be shown.
M P4_68 “sigAndRefTimeStamp” is signed by a revoked certificate. The revocation time is after the signature timestamp (TS server is TSA5) VALID
M P4_69 “sigAndRefTimeStamp” is signed by a certificate whose issuer certificate is forged (TS server is TSB) INVALID Signature verification details must be shown.
M P4_70 “sigAndRefTimeStamp” is signed by a valid certificate (TS server is TSC1) VALID
M P4_71 “sigAndRefTimeStamp” is signed by a certificate which references an expired CRL (TS server is TSC2) INVALID Signature verification details must be shown.
M P4_72 “sigAndRefTimeStamp” is signed by a certificate which references a CRL with a forged signature (TS server is TSC3) INVALID Signature verification details must be shown.
O P4_73 “sigAndRefTimeStamp” root certificate is not added to the signature file (TS server TSC1) INVALID The Signature should not be verified.
M P4_74 “sigAndRefTimeStamp” CRL is not added to the signature file (TS server TSC1) INVALID Signature verification details must be shown.
M P4_93_s Counter signature file signed by two signers. Second signer has a valid certificate, but the first signer certificate is revoked in OCSP INVALID Validation result of the each signer must be shown in a hierarchical order similar to the tree structure. Signature verification details must be shown.
M P4_93_p Parallel signature file signed by two signers. Second signer has a valid certificate, but the first signer certificate is revoked in OCSP INVALID Validation result of the each signer must be shown in a hierarchical order similar to the tree structure. Signature verification details must be shown.
O P4_129 Signature file without a “DataObjectFormat/MimeType” attribute INVALID The signature should not be verified.

* One of the following methods must be selected when verifying the signed document if the signer certificate includes a monetary limit: