User Tools

Site Tools


en:xades_x-long

XAdES-X LONG (Type 1)

General Information

ES-X LONG Type 1 (Extended Long Electronic Signature with Time Type 1) signature is based on the ES-T signature. In addition to ES-T signature, it includes the root and sub-root certificates of the certification authority and the CRL and OCSP responses for signature verification. This enables the signature to be validated for a long period of time.

This data, which is added to the signature file, is used while performing signature verification. It does not need to connect to any external system for signature verification and to obtain verification data; all data required for verification is accessed from the contents of the signature file. It is the most recommended signature format thanks to these features.

XAdES-X Long

The following table specifies the signature properties that must be included in the signature file for XAdES-X LONG Type 1 signature format:

Signature Properties XAdES-X Long Type 1
Signed Attributes Reference/DigestValue M
SigningCertificate M
SigningTime O
DataObjectFormat/MimeType M
CommitmentTypeIndication O
SignatureProductionPlace O
SignerRole O
AllDataObjectsTimeStamp O
SignaturePolicyIdentifierO
Unsigned AttributesCounterSignature O
SignatureTimeStamp M
CompleteCertificateRefs M
CompleteRevocationRefsM
CertificateValuesM
RevocationValuesM
SigAndRefsTimeStampM
RefsOnlyTimeStamp-
xadesv141:ArchiveTimeStamp-

M: Must - It is mandatory to provide the specified substance. If the substance is not provided, the e-signature conformity assessment will result in a negative.

O: Optional – It is optional to provide the specified substance. If the substance is not provided, the e-signature conformity assessment will not result in a negative.

- : This means that the attribute is not in the signature format.

It is recommended not to use optional attributes unless needed.

The timestamp received from the user's system clock or the owner of the signature application does not guarantee the accuracy of the signing time as it is not signed by a trusted server. For this reason, it is not recommended to use the signing time attribute. If it is used, it must be adjusted so that it is left behind from the timestamp.

Procedure

You can access the XAdES-X LONG Type 1 Enveloping Test Package from here.

You can access the XAdES-X LONG Type 1 Detached Test Package from here.

You can access test root certificates from here.

The following table provides the names and properties of the signature files to be used in the procedures:

M/O Signed Document Name Signed Document Property Validation ResultExplanation
M ESXL1_1Valid (Revocation check is available only via CRL and all signed attributes are added) VALID All signed attributes must be displayed in the validation result
O ESXL1_2.doc Signature file with a macro inserted content INVALID The signature should not be verified
M ESXL1_3 Contradictory signature file including “DataObjectFormat/MimeType” attribute with “image/jpeg” value although the actual content type is “Application/pdf” INVALID Signature verification details must be shown
M ESXL1_4Signature file with a forged “SigningCertificate” attribute INVALID Signature verification details must be shown.
M ESXL1_5Signature file with a forged “Reference/DigestValue” attribute INVALID Signature verification details must be shown.
M ESXL1_6Signature file in which SHA-1 digest algorithm is used VALID The signature must be archived.
M ESXL1_7Signature file with a forged signature INVALID Signature verification details must be shown.
M ESXL1_8Valid (Revocation check is available only via OCSP) VALID
M ESXL1_9Signature file signed by a certificate with an omitted “non-repudiation” field in the key usage extension INVALID Signature verification details must be shown.
M ESXL1_10Signer certificate with an omitted “UserNotice” text field in the “CertificatePolicies” extension INVALID Signature verification details must be shown.
M ESXL1_11Signer certificate with an omitted ETSI OID in “QualifiedCertificateStatements” extension INVALID Signature verification details must be shown.
M ESXL1_12Signer certificate with an omitted ICTA OID in “QualifiedCertificateStatements” extension INVALID Signature verification details must be shown.
O ESXL1_13Signature file which has a PDF/A-3 content with attachment INVALID The signature must not be verified.
M ESXL1_14Signer certificate has expired before signature timestamp INVALID Signature verification details must be shown.
M ESXL1_15Signer certificate has a forged signature INVALID Signature verification details must be shown.
M ESXL1_16_1Signature file signed by a revoked certificate before signature timestamp (Revocation check is available only via CRL) INVALID Signature verification details must be shown.
M ESXL1_16_2Signer certificate has revoked after signature timestamp (Revocation check is available only via CRL) VALID
M ESXL1_17_1Signer certificate has revoked before signature timestamp (Revocation check is available only via OCSP) INVALID Signature verification details must be shown.
M ESXL1_17_2Signer certificate revoked in OCSP after signature timestamp (Revocation check is available only via OCSP) VALID
M ESXL1_18The validity of signer certificate has to be checked via an expired CRL. The CRL has expired before signature timestamp INVALID Signature verification details must be shown.
M ESXL1_19The validity of signer certificate has to be checked via a signature forged CRL INVALID Signature verification details must be shown.
M ESXL1_20The validity of signer certificate has to be checked via an expired OCSP response INVALID Signature verification details must be shown.
M ESXL1_21The validity of signer certificate has to be checked via an OCSP response having forged signature INVALID Signature verification details must be shown.
M ESXL1_22The validity of signer certificate has to be checked via an OCSP response which is signed by an expired OCSP certificate INVALID Signature verification details must be shown.
M ESXL1_23The validity of signer certificate has to be checked via an OCSP response which is signed by a signature forged OCSP certificate INVALID Signature verification details must be shown.
O ESXL1_24_1 The validity of signer certificate has to be checked via an OCSP response which is signed by a revoked OCSP certificate VALID The signature should be verified. “The sub-root certificate's revocation status is checked by CRL, because of revoked OCSP certificate.” detailed message should be shown.
M ESXL1_24_2 The validity of signer certificate has to be checked via an OCSP response which is signed by a revoked OCSP certificate. The OCSP certificate is revoked after signature timestamp VALID
M ESXL1_25 Signer certificate has a monetary limit which is equal to “0” CHOICE*
O ESXL1_26 Signer certificate has a usage restriction defined in “QC Statements” extension INVALID The signature should not be verified.
M ESXL1_27 The validity of signer certificate has to be checked via an OCSP response which is generated for a different certificate INVALID Signature verification details must be shown.
M ESXL1_28 Signer certificate is issued by an intermediate CA certificate having a forged signature INVALID Signature verification details must be shown.
M ESXL1_29_1 Signer certificate is issued by an intermediate CA certificate which is revoked in CRL before signature timestamp INVALID Signature verification details must be shown.
M ESXL1_29_2 Signer certificate is issued by an intermediate CA certificate which is revoked in CRL after signature timestamp VALID
M ESXL1_30 Signer certificate is issued by an intermediate CA certificate whose validity has to be checked via an expired CRL INVALID Signature verification details must be shown.
M ESXL1_31 Signer certificate is issued by an intermediate CA certificate whose validity has to be checked via a forged signature CRL INVALID Signature verification details must be shown.
M ESXL1_32_1 Signer certificate is issued by an intermediate CA certificate which is revoked in OCSP before signature timestamp INVALID Signature verification details must be shown.
M ESXL1_32_2 Signer certificate is issued by an intermediate CA certificate which is revoked in OCSP after signature timestamp VALID
M ESXL1_33 Signer certificate is issued by an intermediate CA certificate whose validity has to be checked via an expired OCSP response INVALID Signature verification details must be shown.
M ESXL1_34 The validity of intermediate CA certificate has to be checked via an OCSP response which has a forged signature INVALID Signature verification details must be shown.
M ESXL1_35 The validity of intermediate CA certificate has to be checked via an OCSP response which is signed by an expired OCSP certificate INVALID Signature verification details must be shown.
M ESXL1_36 The validity of intermediate CA certificate has to be checked via an OCSP response which is signed by a signature forged OCSP certificate INVALID Signature verification details must be shown.
O ESXL1_37_1 The validity of intermediate CA certificate has to be checked via an OCSP response which is signed by a revoked OCSP certificate VALID The signature should be verified. “The sub-root certificate's revocation status is checked by CRL, because of revoked OCSP certificate.” detailed message should be shown.
M ESXL1_37_2 The validity of intermediate CA certificate has to be checked via an OCSP response which is signed by a revoked OCSP certificate. The revocation time is after signature timestamp VALID
M ESXL1_38 The root certificate has a forged signature INVALID Signature verification details must be shown.
M ESXL1_39_s Counter signature file signed by two signers. Second signer has a valid certificate, but the first signer is configured with the required intermediate CA certificate which is revoked INVALID Validation result of the each signer must be shown in a hierarchical order similar to the tree structure. Signature verification details must be shown.
M ESXL1_39_p Parallel signature file signed by two signers. Second signer has a valid certificate, but the first signer is configured with the required intermediate CA certificate which is revoked INVALID Validation result of the each signer must be shown in a hierarchical order similar to the tree structure. Signature verification details must be shown.
M ESXL1_40 Signature timestamp has a “TSTInfo” with a forged “messageImprint” field (TS server is TSA1) INVALID Signature verification details must be shown.
M ESXL1_41 Signature timestamp has a forged signature (TS server is TSA2) INVALID Signature verification details must be shown.
M ESXL1_42 Signature timestamp is signed by an expired certificate (TS server is TSA3) INVALID Signature verification details must be shown.
M ESXL1_43 Signature timestamp is signed by a certificate with a forged signature (TS server is TSA4) INVALID Signature verification details must be shown.
M ESXL1_44 Signature timestamp is signed by a revoked certificate. The revocation time is before the signing time (TS server is TSA5) INVALID Signature verification details must be shown.
M ESXL1_45 Signature timestamp is signed by a revoked certificate. The revocation time is after the signature timestamp (TS server is TSA5) VALID
M ESXL1_46 Signature timestamp is signed by a certificate whose issuer certificate is forged (TS server is TSB) INVALID Signature verification details must be shown.
M ESXL1_47 Signature timestamp is signed by a valid certificate (TS server is TSC1) VALID
M ESXL1_48 Signature timestamp is signed by a certificate which references an expired CRL (TS server is TSC2) INVALID Signature verification details must be shown.
M ESXL1_49 Signature timestamp is signed by a certificate which references a CRL with a forged signature (TS server is TSC3) INVALID Signature verification details must be shown.
M ESXL1_50 Signature file with a ”Complete certificate references” attribute which does not have a root certificate reference INVALID Signature verification details must be shown.
M ESXL1_51 Signature file with a ”Complete certificate references” attribute which has a wrong root certificate reference INVALID Signature verification details must be shown.
M ESXL1_52 Signature file with a ”Complete certificate references” attribute which does not have an intermediate CA certificate reference INVALID Signature verification details must be shown.
M ESXL1_53 Signature file with a ”Complete certificate references” attribute which has a wrong intermediate CA certificate reference INVALID Signature verification details must be shown.
M ESXL1_54 Signature file with a ”Complete revocation references” attribute which does not have a CRL reference for intermediate CA INVALID Signature verification details must be shown.
M ESXL1_55 Signature file with a ”Complete revocation references” attribute which has a wrong CRL reference for intermediate CA INVALID Signature verification details must be shown.
M ESXL1_56 Signature file with a ”Complete revocation references” attribute which does not have a CRL reference for signer certificate INVALID Signature verification details must be shown.
M ESXL1_57 Signature file with a ”Complete revocation references” attribute which has a wrong CRL reference for signer certificate INVALID Signature verification details must be shown.
M ESXL1_58 Signature file with a ”Complete revocation references” attribute which does not have an OCSP Reference for intermediate CA INVALID Signature verification details must be shown.
M ESXL1_59 Signature file with a ”Complete revocation references” attribute which has a wrong OCSP Reference for intermediate CA INVALID Signature verification details must be shown.
M ESXL1_60 Signature file with a ”Complete revocation references” attribute which does not have an OCSP reference for signer certificate INVALID Signature verification details must be shown.
M ESXL1_61 Signature file with a ”Complete revocation references” attribute which has a wrong OCSP reference for signer certificate INVALID Signature verification details must be shown.
M ESXL1_62_1 “sigAndRefTimeStamp” has a “TSTInfo” with a forged “messageImprint” field (TS server is TSA1) INVALID Signature verification details must be shown.
M ESXL1_63_1 “sigAndRefTimeStamp” has a forged signature (TS server is TSA2) INVALID Signature verification details must be shown.
M ESXL1_64_1 “sigAndRefTimeStamp” is signed by an expired certificate (TS server is TSA3) INVALID Signature verification details must be shown.
M ESXL1_65_1 “sigAndRefTimeStamp” is signed by a certificate with a forged signature (TS server is TSA4) INVALID Signature verification details must be shown.
M ESXL1_66_1 “sigAndRefTimeStamp” is signed by a revoked certificate. The revocation time is before the signing time (TS server is TSA5) INVALID Signature verification details must be shown.
M ESXL1_67_1 “sigAndRefTimeStamp” is signed by a revoked certificate. The revocation time is after the signature timestamp (TS server is TSA5) VALID
M ESXL1_68_1 “sigAndRefTimeStamp” is signed by a certificate whose issuer certificate is forged (TS server is TSB) INVALID Signature verification details must be shown.
M ESXL1_69_1 “sigAndRefTimeStamp” is signed by a valid certificate (TS server is TSC1) VALID
M ESXL1_70_1 “sigAndRefTimeStamp” is signed by a certificate which references an expired CRL (TS server is TSC2) INVALID Signature verification details must be shown.
M ESXL1_71_1 “sigAndRefTimeStamp” is signed by a certificate which references a CRL with a forged signature (TS server is TSC3) INVALID Signature verification details must be shown.
M ESXL1_72 Signature file with a ”Certificate Values” attribute which does not have a root certificate value INVALID Signature verification details must be shown.
M ESXL1_74 Signature file with a ”Certificate Values” attribute which does not have an intermediate CA certificate value INVALID Signature verification details must be shown.
M ESXL1_76 Signature file with a ”Revocation Values” attribute which does not have a CRL value for intermediate CA certificate INVALID Signature verification details must be shown.
M ESXL1_78 Signature file with a ”Revocation values” attribute which does not have a CRL for signer certificate INVALID Signature verification details must be shown.
M ESXL1_80 Signature file with a ”Revocation values” attribute which does not have an OCSP value for intermediate CA certificate INVALID Signature verification details must be shown.
M ESXL1_82 Signature file with ”Revocation values” attribute which does not have an OCSP value for signer certificate INVALID Signature verification details must be shown.
O ESXL1_94 “signatureTimeStamp” root certificate is not added to the signature file (TS server TSC1) INVALID The signature should not be verified.
M ESXL1_95 “signatureTimeStamp” CRL is not added to the signature file (TS server TSC1) INVALID Signature verification details must be shown.
O ESXL1_110 Signature file without a “DataObjectFormat/MimeType” attribute INVALID The signature should not be verified.

* One of the following methods must be selected when verifying the signed document if the signer certificate includes a monetary limit:

  • “INVALID Signature” message must be displayed. The description of the error should be reported to the user.
  • The monetary limit of the certificate is compared with the monetary limit of the signed document and if the monetary limit of the certificate is sufficient for the monetary value of the signed document, “VALID Signature” message must be displayed.
  • In the case where the monetary limit of the certificate is not compared with the monetary limit of the signed document, the user should be warned that the signer certificate has a monetary limit and “VALID Signature” message must be displayed.
en/xades_x-long.txt · Last modified: 2023/07/14 12:55