Allow only qualified TimeStamp-s
IB-8250

Signed-off-by: Raul Metsma <[email protected]>
metsma committed Nov 15, 2024
1 parent 346d983 commit 16b6728
Showing 7 changed files with 252 additions and 89 deletions.
105 changes: 90 additions & 15 deletions test/data/EE_T-CA-withdrawn-granted-before.xml
Expand Up @@ -75,7 +75,7 @@
</AdditionalInformation>
</OtherTSLPointer>
</PointersToOtherTSL>
<ListIssueDateTime>2024-10-25T12:16:59Z</ListIssueDateTime>
<ListIssueDateTime>2024-11-14T12:53:48Z</ListIssueDateTime>
<NextUpdate>
<dateTime>2027-08-20T21:00:00Z</dateTime>
</NextUpdate>
Expand Down Expand Up @@ -126,8 +126,8 @@
<X509SubjectName>1.2.840.113549.1.9.1=#1609706b6940736b2e6565,CN=TEST of ESTEID-SK 2011,O=AS Sertifitseerimiskeskus,C=EE</X509SubjectName>
</DigitalId>
</ServiceDigitalIdentity>
<ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/undersupervision</ServiceStatus>
<StatusStartingTime>2013-04-23T01:00:00Z</StatusStartingTime>
<ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
<StatusStartingTime>2016-06-30T22:00:00Z</StatusStartingTime>
<TSPServiceDefinitionURI>
<URI xml:lang="et">https://sk.ee/repositoorium/CP/</URI>
<URI xml:lang="en">https://sk.ee/en/repository/CP/</URI>
Expand All @@ -137,7 +137,7 @@
<ecc:Qualifications>
<ecc:QualificationElement>
<ecc:Qualifiers>
<ecc:Qualifier uri="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCWithSSCD"/>
<ecc:Qualifier uri="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCWithQSCD"/>
</ecc:Qualifiers>
<ecc:CriteriaList assert="atLeastOne">
<ecc:KeyUsage>
Expand Down Expand Up @@ -180,8 +180,83 @@
<X509SubjectName>1.2.840.113549.1.9.1=#1609706b6940736b2e6565,CN=TEST of ESTEID-SK 2011,O=AS Sertifitseerimiskeskus,C=EE</X509SubjectName>
</DigitalId>
</ServiceDigitalIdentity>
<ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
<ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/undersupervision</ServiceStatus>
<StatusStartingTime>2013-04-23T01:00:00Z</StatusStartingTime>
<ServiceInformationExtensions>
<Extension Critical="true">
<ecc:Qualifications>
<ecc:QualificationElement>
<ecc:Qualifiers>
<ecc:Qualifier uri="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCWithSSCD"/>
</ecc:Qualifiers>
<ecc:CriteriaList assert="atLeastOne">
<ecc:KeyUsage>
<ecc:KeyUsageBit name="digitalSignature">true</ecc:KeyUsageBit>
</ecc:KeyUsage>
<ecc:KeyUsage>
<ecc:KeyUsageBit name="nonRepudiation">true</ecc:KeyUsageBit>
</ecc:KeyUsage>
<ecc:Description> This service issues qualified certificates for e-signing and e-authentication within the same process. The Relying Party shall make distinction by inspection of keyUsage field contents - e-signature certificates have nonRepudation bit set exclusively. Any certificate issued under the CA/QC Sdi certificate and is issued as a QC (i.e. containing a QcCompliance statement) and that has either its nR or its dS bit set is to be considered as supported by an SSCD</ecc:Description>
</ecc:CriteriaList>
</ecc:QualificationElement>
<ecc:QualificationElement>
<ecc:Qualifiers>
<ecc:Qualifier uri="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCStatement"/>
</ecc:Qualifiers>
<ecc:CriteriaList assert="all">
<ecc:KeyUsage>
<ecc:KeyUsageBit name="nonRepudiation">true</ecc:KeyUsageBit>
</ecc:KeyUsage>
<ecc:Description>All certificates issued under this CA/QC service that have nonRepudiation bit set exclusively are issued as qualified certificates</ecc:Description>
</ecc:CriteriaList>
</ecc:QualificationElement>
</ecc:Qualifications>
</Extension>
</ServiceInformationExtensions>
</ServiceHistoryInstance>
<ServiceHistoryInstance>
<ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
<ServiceName>
<Name xml:lang="en">TEST of ESTEID-SK 2011: Test certificates for Estonian ID-card, the residence permit card, digital personal identification document</Name>
</ServiceName>
<ServiceDigitalIdentity>
<DigitalId>
<X509SubjectName>1.2.840.113549.1.9.1=#1609706b6940736b2e6565,CN=TEST of ESTEID-SK 2011,O=AS Sertifitseerimiskeskus,C=EE</X509SubjectName>
</DigitalId>
</ServiceDigitalIdentity>
<ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/supervisionrevoked</ServiceStatus>
<StatusStartingTime>2013-04-22T11:49:30Z</StatusStartingTime>
<ServiceInformationExtensions>
<Extension Critical="true">
<ecc:Qualifications>
<ecc:QualificationElement>
<ecc:Qualifiers>
<ecc:Qualifier uri="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCWithSSCD"/>
</ecc:Qualifiers>
<ecc:CriteriaList assert="atLeastOne">
<ecc:KeyUsage>
<ecc:KeyUsageBit name="digitalSignature">true</ecc:KeyUsageBit>
</ecc:KeyUsage>
<ecc:KeyUsage>
<ecc:KeyUsageBit name="nonRepudiation">true</ecc:KeyUsageBit>
</ecc:KeyUsage>
<ecc:Description> This service issues qualified certificates for e-signing and e-authentication within the same process. The Relying Party shall make distinction by inspection of keyUsage field contents - e-signature certificates have nonRepudation bit set exclusively. Any certificate issued under the CA/QC Sdi certificate and is issued as a QC (i.e. containing a QcCompliance statement) and that has either its nR or its dS bit set is to be considered as supported by an SSCD</ecc:Description>
</ecc:CriteriaList>
</ecc:QualificationElement>
<ecc:QualificationElement>
<ecc:Qualifiers>
<ecc:Qualifier uri="http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/QCStatement"/>
</ecc:Qualifiers>
<ecc:CriteriaList assert="all">
<ecc:KeyUsage>
<ecc:KeyUsageBit name="nonRepudiation">true</ecc:KeyUsageBit>
</ecc:KeyUsage>
<ecc:Description>All certificates issued under this CA/QC service that have nonRepudiation bit set exclusively are issued as qualified certificates</ecc:Description>
</ecc:CriteriaList>
</ecc:QualificationElement>
</ecc:Qualifications>
</Extension>
</ServiceInformationExtensions>
</ServiceHistoryInstance>
<ServiceHistoryInstance>
<ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
Expand Down Expand Up @@ -1268,15 +1343,15 @@
</TSPServices>
</TrustServiceProvider>
</TrustServiceProviderList>
<ds:Signature Id="S0"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#TEST-EE"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>kmrurajB2DUoGerpIpzT0cLQXjGjpuCzE+xQVzsG1yc=</ds:DigestValue></ds:Reference><ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedProperties"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>41y3D+yzwpY8RtCSTw7NJLpjasMlzqFHFsV8/0w3oF0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>n19MrUkLHyKLt4xGYEHqdEjOJpVvgNyLngu3be7eIhkERVQf/n/XBLNJ+W+xXr+8VGy3sbqtQgLq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=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEvDCCAqQCCQCL/COUVyiGjTANBgkqhkiG9w0BAQUFADAgMQswCQYDVQQGEwJFRTERMA8GA1UE
<ds:Signature Id="S0"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#TEST-EE"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>VF6xnSjZgXBz/O2/zE43UPn+KAU78ph8rgFirFgJsSU=</ds:DigestValue></ds:Reference><ds:Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedProperties"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>iXborqllzZoYoiY7MhNIPYC6h70pzYcuUqUmQJHHNbQ=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>YwwBeCDy63wc5KH0jd7o0K+HxYeUpWblF8kDRxTSx/NOktZxaMUnv6HHJz2Xe8bWaRfOk5n5Mzzy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=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIEvDCCAqQCCQCL/COUVyiGjTANBgkqhkiG9w0BAQUFADAgMQswCQYDVQQGEwJFRTERMA8GA1UE
AwwIVGVzdCBUU0wwHhcNMTgxMTE1MTI1MjU1WhcNMjgxMTEyMTI1MjU1WjAgMQswCQYDVQQGEwJF
RTERMA8GA1UEAwwIVGVzdCBUU0wwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDfFK0f
YeGrdngMZXZndDEpcl9pjGGNpbie3+ch5mDqObUe+OL45b4+SfPapriVRNBa+m5T1TuijP7Kb8sT
Expand All @@ -1297,4 +1372,4 @@ AzcmODU9uMRRBlGOWK8UQg05exc518heICmudSbgSyQLGqzVoI4kybhmBA3w93KEXJSXlnU7hBzo
YDP2d1g46Ay59UtvLycS1kxe0jVjxxRnh/f9aPbMwUYBzEC0naUzMeJtElHLHgW4HT6PLgFImgLL
Fh8dnYJUzn35wz10g3YBA61YUJuODpapKHixn/2X/t/8Vf1vqr/VwiwUglNQj+P78Fdb3T56JsYR
G1bdf6nz5dvv4qtLoG+OjPI/tiLjh2ktqaMjeVmlQFchy/C5Lr48d9IGmo+x2ECYSWVvwzxI7PIb
YBI4oaPjh2zKIrz/AlY2RmqMMA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><ds:Object><xades:QualifyingProperties Target="#S0"><xades:SignedProperties Id="SignedProperties"><xades:SignedSignatureProperties><xades:SigningTime>2024-10-25T09:16:59Z</xades:SigningTime><xades:SigningCertificate><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>nk6Dlz6rjsOp9TaNXJg0RNj/m53oC7RGzdDHcZ7jrfo=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>CN=Test TSL, C=EE</ds:X509IssuerName><ds:X509SerialNumber>10086976385427474061</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert></xades:SigningCertificate></xades:SignedSignatureProperties></xades:SignedProperties></xades:QualifyingProperties></ds:Object></ds:Signature></TrustServiceStatusList>
YBI4oaPjh2zKIrz/AlY2RmqMMA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo><ds:Object><xades:QualifyingProperties Target="#S0"><xades:SignedProperties Id="SignedProperties"><xades:SignedSignatureProperties><xades:SigningTime>2024-11-14T10:53:48Z</xades:SigningTime><xades:SigningCertificate><xades:Cert><xades:CertDigest><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>nk6Dlz6rjsOp9TaNXJg0RNj/m53oC7RGzdDHcZ7jrfo=</ds:DigestValue></xades:CertDigest><xades:IssuerSerial><ds:X509IssuerName>CN=Test TSL, C=EE</ds:X509IssuerName><ds:X509SerialNumber>10086976385427474061</ds:X509SerialNumber></xades:IssuerSerial></xades:Cert></xades:SigningCertificate></xades:SignedSignatureProperties></xades:SignedProperties></xades:QualifyingProperties></ds:Object></ds:Signature></TrustServiceStatusList>
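Review bot: The regenerated fixture declares two UTC timestamps that disagree by exactly two hours: the first hunk sets `<ListIssueDateTime>2024-11-14T12:53:48Z</ListIssueDateTime>` while the last hunk's XAdES properties carry `<xades:SigningTime>2024-11-14T10:53:48Z</xades:SigningTime>`, which looks like one of them was written as local (EET, UTC+2) time with a `Z` suffix. The previous revision had the same pattern (12:16:59Z vs 09:16:59Z), so this commit does not introduce it, but since the list is re-signed here anyway it is the natural place to emit both values from the same UTC clock. For a fixture whose purpose is time-based qualification checks, keeping every `xs:dateTime` genuinely UTC avoids a test that passes or fails only because of an accidental offset. Note also that the file name still says "withdrawn" while the visible history instances now read `undersupervision` and `supervisionrevoked`; the earlier part of the file is outside this view, so the name may still be accurate, but it is worth confirming.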