“Long-term and OCSP-based Secure Electronic Signature Policies (Profile P4)” is defined by Information and Communication Technologies Authority (ICTA) in Electronic Signature Usage Profiles which is a guide of signature profiles for Turkey. In this profile, long term compatibility is provided with ES-X LONG and ES-A signature formats. In addition, this profile requires the use of OCSP for end-user certification revocation control. These requirements are provided by the CAdES-X LONG signature format in accordance with the P4 profile.
In ECP Applications, Electronic Signature and Paraph Electronic Signature are in P4 CAdES X-LONG format.
The ES-X LONG signature is based on the ES-T signature. In addition to the ES-T signature, it includes the root and sub-root certificates of the certificate authority and the CRL and OCSP responses for signature validation. This enables the signature to be validated for a long period of time.
When signature validation is performed, this data is added to the signature file. It does not need to connect to any external system for signature validation and to obtain validation data; all data required for verification is accessed from the contents of the signature file.
The following table specifies the signature properties that must be included in the signature file for P4 CAdES-X LONG signature format:
Signature Properties | P4 CAdES-X LONG | |
---|---|---|
Signed Attributes | Content-type | M |
Message-digest | M | |
ESS signing-certificate v2 | M | |
Signing-time | M | |
Content-hints | O | |
Mime-type | M | |
Content-reference | O | |
Content-identifier | O | |
Commitment-type-indication | O | |
Signer-location | O | |
Content-time-stamp | O | |
Signature-policy-identifier | M | |
-sigPolicyQualifiers | M | |
-spuri | M | |
-sp-user-notice | O | |
Unsigned Attributes | CounterSignature | O |
Signature-time-stamp | M | |
-SignedData/certificates | M | |
-SignedData/crls | M | |
Complete-certificate-references | M | |
Complete-revocation-references | M | |
Certificate-values | M | |
Revocation-values | M | |
CAdES-C-time-stamp | - | |
CAdES-C-time-stamped-certs-crls-references | - | |
Archive-time-stamp | - |
M: Must - It is mandatory to provide the specified substance. If the substance is not provided, the e-signature evaluation will result in a negative.
O: Optional – If the substance is not provided, the e-signature assessment will not result in a negative.
- : This means that the feature is not in the signature format.
It is recommended not to use optional attributes unless needed.
You can access P4 CAdES-X LONG Detached Test Package from here.
You can access P4 CAdES-X LONG Attached Test Package from here.
You can access test root certificates here.
The following table provides the names and properties of the signature files to be used in the procedures:
M/O | Signed Document Name | Signed Document Property | Validation Result | Explanation |
---|---|---|---|---|
M | P4_1 | Valid (Revocation check is available only via OCSP and all signed attributes are added) | VALID | All signed attributes must be displayed in the validation result |
O | P4_2.doc | Signature file with a macro inserted content | INVALID | The signature should not be verified |
M | P4_3 | Contradictory signature file including “mime-type” attribute with “image/jpeg” value although the actual content type is “Application/pdf” | INVALID | Signature verification details must be shown. |
M | P4_4 | Signature file with “SigPolicyId” having another value than P4 OID (2.16.792.1.61.0.1.5070.3.3.1) | INVALID | Signature verification details must be shown. |
M | P4_5 | Signature file with “SigPolicyHash” having another hash value than P4 hash value | INVALID | Signature verification details must be shown. |
M | P4_6 | Signature file with “SPUserNotice” having P4 user notice | VALID | P4 user notice must be shown. |
M | P4_7 | Signature file with “ESS-Signing-Certificate” hash algorithm is SHA-1 | INVALID | Signature verification details must be shown. |
M | P4_8 | Signature file without “SigningTime” | INVALID | Signature verification details must be shown. |
M | P4_9 | Signature file having three hours earlier “SigningTime” than “SignatureTimeStamp” | INVALID | “SignatureTimeStamp” must be taken no later than two hours after the signing time. Signature verification details must be shown. |
M | P4_10 | Signature file with qualified certificate revocation value CRL rather than OCSP | INVALID | Signature verification details must be shown. |
O | P4_11 | Signature file with ”SignatureTimeStamp” which do not have “signatureTimeStamp” root certificate (TS server is TSC1) | INVALID | The signature must not be verified. |
M | P4_12 | Signature file with ” SignatureTimeStamp” which do not have “signatureTimeStamp” CRL (TS server is TSC1) | INVALID | Signature verification details must be shown. |
M | P4_13 | Signature file with a forged “ESS Signing-Certificate-v2” attribute | INVALID | Signature verification details must be shown. |
M | P4_14 | Signature file with a forged ”message-digest” attribute | INVALID | Signature verification details must be shown. |
M | P4_15 | Signature file in which SHA-1 digest algorithm is used | VALID | The signature must be archived. |
M | P4_16 | Signature file with a forged signature | INVALID | Signature verification details must be shown. |
M | P4_17 | Signature file signed by a certificate with an omitted “non-repudiation” field in the key usage extension | INVALID | Signature verification details must be shown. |
M | P4_18 | Signer certificate with an omitted “UserNotice” text field in the “CertificatePolicies” extension | INVALID | Signature verification details must be shown. |
M | P4_19 | Signer certificate with an omitted ETSI OID in “QualifiedCertificateStatements” extension | INVALID | Signature verification details must be shown. |
M | P4_20 | Signer certificate with an omitted ICTA OID in “QualifiedCertificateStatements” extension | INVALID | Signature verification details must be shown. |
O | P4_21 | Signature file which has a PDF/A-3 content with attachment | INVALID | The signature should not be verified. |
M | P4_22 | Signer certificate has expired before signature timestamp | INVALID | Signature verification details must be shown. |
M | P4_23 | Signer certificate has a forged signature | INVALID | Signature verification details must be shown. |
M | P4_24 | Signer certificate has revoked in OCSP before signature timestamp | INVALID | Signature verification details must be shown. |
M | P4_25 | Signer certificate revoked in OCSP after signature timestamp | VALID | |
M | P4_26 | The validity of signer certificate has to be checked via an expired OCSP response | INVALID | Signature verification details must be shown. |
M | P4_27 | The validity of signer certificate has to be checked via an OCSP response having forged signature | INVALID | Signature verification details must be shown. |
M | P4_28 | The validity of signer certificate has to be checked via an OCSP response which is signed by an expired OCSP certificate | INVALID | Signature verification details must be shown. |
M | P4_29 | The validity of signer certificate has to be checked via an OCSP response which is signed by a signature forged OCSP certificate | INVALID | Signature verification details must be shown. |
M | P4_30 | The validity of signer certificate has to be checked via an OCSP response which is signed by a revoked OCSP certificate | INVALID | Signature verification details must be shown. |
M | P4_31 | The validity of signer certificate has to be checked via an OCSP response which is signed by a revoked OCSP certificate. The OCSP certificate is revoked after signature timestamp | VALID | |
M | P4_32 | Signer certificate has a monetary limit which is equal to “0” | CHOICE* | |
O | P4_33 | Signer certificate has a usage restriction defined in “QC Statements” extension | INVALID | The signature should not be verified. |
M | P4_34 | The validity of signer certificate has to be checked via an OCSP response which is generated for a different certificate | INVALID | Signature verification details must be shown. |
M | P4_35 | Signer certificate is issued by an intermediate CA certificate having a forged signature | INVALID | Signature verification details must be shown. |
M | P4_36 | The root certificate has a forged signature | INVALID | Signature verification details must be shown. |
M | P4_37 | Signature timestamp has a “TSTInfo” with a forged “messageImprint” field (TS server is TSA1) | INVALID | Signature verification details must be shown. |
M | P4_38 | Signature timestamp has a forged signature (TS server is TSA2) | INVALID | Signature verification details must be shown. |
M | P4_39 | Signature timestamp is signed by an expired certificate (TS server is TSA3) | INVALID | Signature verification details must be shown. |
M | P4_40 | Signature timestamp is signed by a certificate with a forged signature (TS server is TSA4) | INVALID | Signature verification details must be shown. |
M | P4_41 | Signature timestamp is signed by a revoked certificate. The revocation time is before the signing time (TS server is TSA5) | INVALID | Signature verification details must be shown. |
M | P4_42 | Signature timestamp is signed by a revoked certificate. The revocation time is after the signature timestamp (TS server is TSA5) | VALID | |
M | P4_43 | Signature timestamp is signed by a certificate whose issuer certificate signature is forged (TS server is TSB) | INVALID | Signature verification details must be shown. |
M | P4_44 | Signature timestamp is signed by a valid certificate (TS Server is TSC1) | VALID | |
M | P4_45 | Signature timestamp is signed by a certificate which references an expired CRL (TS server is TSC2) | INVALID | Signature verification details must be shown. |
M | P4_46 | Signature timestamp is signed by a certificate which references a CRL with a forged signature (TS server is TSC3) | INVALID | Signature verification details must be shown. |
M | P4_47 | Signature file with a ”Complete certificate references” attribute which does not have a root certificate reference | INVALID | Signature verification details must be shown. |
M | P4_48 | Signature file with a ”Complete certificate references” attribute which has a wrong root certificate reference | INVALID | Signature verification details must be shown. |
M | P4_49 | Signature file with a ”Complete certificate references” attribute which does not have an intermediate CA certificate reference | INVALID | Signature verification details must be shown. |
M | P4_50 | Signature file with a ”Complete certificate references” attribute which has a wrong intermediate CA certificate reference | INVALID | Signature verification details must be shown. |
M | P4_51 | Signature file with a ”Complete revocation references” attribute which does not have a CRL reference for intermediate CA | INVALID | Signature verification details must be shown. |
M | P4_52 | Signature file with a ”Complete revocation references” attribute which has a wrong CRL reference for intermediate CA | INVALID | Signature verification details must be shown. |
M | P4_53 | Signature file with a ”Complete revocation references” attribute which does not have an OCSP reference for signer certificate | INVALID | Signature verification details must be shown. |
M | P4_54 | Signature file with a “Complete revocation references” attribute which has a wrong OCSP reference for signer certificate | INVALID | Signature verification details must be shown. |
M | P4_55 | Signature file with a “Certificate values” attribute which does not have a root certificate value | INVALID | Signature verification details must be shown. |
M | P4_57 | Signature file with a “Certificate values” attribute which does not have an intermediate CA certificate value | INVALID | Signature verification details must be shown. |
M | P4_59 | Signature file with a “Revocation Values” attribute which does not have a CRL value for intermediate CA certificate | INVALID | Signature verification details must be shown. |
M | P4_61 | Signature file with “Revocation values” attribute which does not have an OCSP value for signer certificate | INVALID | Signature verification details must be shown. |
M | P4_93_s | Counter signature file signed by two signers. Second signer has a valid certificate, but the first signer certificate is revoked in OCSP | INVALID | Validation result of the each signer must be shown in a hierarchical order similar to the tree structure. Signature verification details must be shown. |
M | P4_93_p | Parallel signature file signed by two signers. Second signer has a valid certificate, but the first signer certificate is revoked in OCSP | INVALID | Each signature validation result must be shown in a hierarchical order similar to the tree structure. The details of the error should be reported to the user. |
O | P4_129 | Signature file without a “mime-type” attribute | INVALID | The signature should not be verified. |
* One of the following methods must be selected when verifying the signed document if the signer certificate includes a monetary limit: