===== Creating Different Signature Types =====

This section provides brief explanations for the signature types that are frequently used. 
You should read the document "E-Signature  Profiles" before deciding on which signature type is proper for you. 
See the document [[http://www.etsi.org/deliver/etsi_ts/101700_101799/101733/02.02.01_60/ts_101733v020201p.pdf|TS ETSI 101 733]] for detailed information about signature types.

==== BES ====

BES is the simplest type of signature guarantees only the identity of the signer. Since the signing time can not be detected, the signature can only be verified until the signer certificate expires. After the certificate expires, the signature can not be verified. Although BES signature can include signing time information as a signed attribute that attribute has no legal validity.

<sxh java;title:Java>
BaseSignedData bs = new BaseSignedData();		
bs.addContent(new SignableByteArray("test".getBytes())); 
			
//Since SigningTime attribute is optional,add it to optional attributes list
List<IAttribute> optionalAttributes = new ArrayList<IAttribute>();
optionalAttributes.add(new SigningTimeAttr(Calendar.getInstance()));
			
HashMap<String, Object> params = new HashMap<String, Object>();
params.put(EParameters.P_CERT_VALIDATION_POLICY, VALIDATION_POLICY);
				
bs.addSigner(ESignatureType.TYPE_BES, cert, signer, optionalAttributes, params);
</sxh>

<sxh csharp;title:C#>
BaseSignedData bs = new BaseSignedData();
bs.addContent(new SignableByteArray(Encoding.ASCII.GetBytes("test")));

//Since SigningTime attribute is optional,add it to optional attributes list
List<IAttribute> optionalAttributes = new List<IAttribute>();
optionalAttributes.Add(new SigningTimeAttr(DateTime.UtcNow));

Dictionary<String, Object> params_ = new Dictionary<String, Object>();
params_[EParameters.P_CERT_VALIDATION_POLICY] = VALIDATION_POLICY;

bs.addSigner(ESignatureType.TYPE_BES, cert, signer, optionalAttributes, params_);
</sxh>

To access the signing time in the signed attribute the sample code [[esya:cades:imza-zamani|here ]] can be used.
The signing time stated by the signer can not be used because he may not have stated the correct time. For example the user certificate may be revoked by the user stated a time before the revocation time in the signature. Therefore the signing time attribute in BES has no legal validity.

{{ :esya:cades:cades.png | Şekil 16 Intentionally False Statement Scenario }}

==== EST ====

EST signatures can be created from BES by adding a timestamp showingt the signing time. When creating the signatures timestamp settings must be specified. The sample code below shows how to create EST signature.

<sxh java;title:Java>
BaseSignedData bs = new BaseSignedData();		
bs.addContent(new SignableByteArray("test".getBytes()));
				
HashMap<String, Object> params = new HashMap<String, Object>();		
//ilerli for getting signaturetimestamp
TSSettings tsSettings = new TSSettings("http://zd.ug.net", 21,
"12345678".toCharArray(),DigestAlg.SHA1);
params.put(EParameters.P_TSS_INFO, tsSettings);	
params.put(EParameters.P_CERT_VALIDATION_POLICY, TestConstants.getPolicy());
				
//add signer
bs.addSigner(ESignatureType.TYPE_EST, cert, signer, null, params);
</sxh>

<sxh csharp;title:C#>
BaseSignedData bs = new BaseSignedData();
bs.addContent(new SignableByteArray(Encoding.ASCII.GetBytes("test")));
Dictionary<String, Object> params_ = new Dictionary<String, Object>();
//ilerli for getting signaturetimestamp
TSSettings tsSettings = new TSSettings("http://zd.ug.net", 21, "12345678",,DigestAlg.SHA1);
params_[EParameters.P_TSS_INFO] = tsSettings;
params_[EParameters.P_CERT_VALIDATION_POLICY] = TestConstants.getPolicy();

//add signer
bs.addSigner(ESignatureType.TYPE_EST, cert, signer, null, params_);
</sxh>

Since the signing time can be determined by the timestamp, verification of EST signatures is possible even after the signing certificate expires. To get the signing time the code [[esya:cades:imza-zamani|here ]] can be used. 

==== ESXLong ====

An ESXLong signature is also an EST signature. As addition to EST,  ESXLong signature also includes the certificate validation data to be used during signature verification. Because of that, when creating an EXLong signature first the signing certificate must be validated and the validation data created and this data must be included in the signature. Thus, the signature can be verified after the certificate expires even if the validation data is not accessible outside. The sama sample code as the one for EST creation can be  used for ESXLong creation just by changing the signature type.

==== ESA ====

Cryptographic algorithms may weaken in time due to scientific and technological advances. ESA signature type is designed for this problem. Although the algorithm used to create the signature is secure currently , it may 
get unreliable after 10 years.The signatures must be converted to ESA type before the signatur algorithm becomes insecure. When converting to ESA, the signature algorithm must be changed with more secure ones. This process must be repeated whenever the current signature algorithm starts to be considered as weakened.

Another reason for converting a signature to ESA may be to prevent signature modification. ESA protects all counter signatures which held as countersignature attributes of the signature. Hence counter signatures do not require independent archive time-stamps. If any counter signature exists, it cannot be upgraded or removed from signature tree. In CAdES-A with archive timestamp v2 attribute, no new counter signature or validation data can be added too. In CAdES-A with archive timestamp v3 attribute, these addition are allowed. 

ESA can not be created from scratch. Firstly, a signature of another signature type must be created then it can be converted to ESA. During this conversion archival type timestamp is used.

<sxh java;title:Java>
byte [] signatureFile = AsnIO.dosyadanOKU(TestConstants.getDirectory() +  "testdata/ESXLong-1.p7s");
BaseSignedData bs = new BaseSignedData(signatureFile);
		
Map<String,Object>parameters = new HashMap<String, Object>();
		
//Archive time stamp is added to signature, so time stamp settings are needed.
parameters.put(EParameters.P_TSS_INFO, TestConstants.getTSSettings());
parameters.put(EParameters.P_CERT_VALIDATION_POLICY, TestConstants.getPolicy());
		
bs.getSignerList().get(0).convert(ESignatureType.TYPE_ESA, parameters);
		
AsnIO.dosyayaz(bs.getEncoded(), TestConstants.getDirectory()+"testdata/ESA-2.p7s");
</sxh>
<sxh csharp;title:C#>
byte[] content = AsnIO.dosyadanOKU(TestConstants.getDirectory() + "testdata\\ ESXLong-1.p7s");
BaseSignedData bs = new BaseSignedData(content);

Dictionary<String, Object> parameters = new Dictionary<String, Object>();

//Archive time stamp is added to signature, so time stamp settings are needed.
parameters[EParameters.P_TSS_INFO] = TestConstants.getTSSettings();
parameters[EParameters.P_CERT_VALIDATION_POLICY] = TestConstants.getPolicy();

bs.getSignerList()[0].convert(ESignatureType.TYPE_ESA, parameters);

AsnIO.dosyayaz(bs.getEncoded(), TestConstants.getDirectory() + "testdata\\ESA-2.p7s");
</sxh>