12.2 XAdES Signature Syntax Basics


This section covers the basic elements for expressing and containing the additional information to create ETSI advanced signatures.

12.2.1 Qualifying and Qualifying Reference Properties

The QualifyingProperties element serves as a container for the SignedProperties and UnsignedProperties elements described below, while the QualifyingPropertiesReference element points to such a container held elsewhere. Their schema is as follows:

<!-- Start QualifyingProperties -->
<xsd:element name="QualifyingProperties"
             type="QualifyingPropertiesType"/>
<xsd:complexType name="QualifyingPropertiesType">
  <xsd:sequence>
    <xsd:element name="SignedProperties"
                 type="SignedPropertiesType"
                 minOccurs="0"/>
    <xsd:element name="UnsignedProperties"
                 type="UnsignedPropertiesType"
                 minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Target" type="xsd:anyURI"
                 use="required"/>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>
<!-- End QualifyingProperties -->

<!-- Start QualifyingPropertiesReference -->
<xsd:element name="QualifyingPropertiesReference"
             type="QualifyingPropertiesReferenceType"/>
<xsd:complexType name="QualifyingPropertiesReferenceType">
  <xsd:sequence>
    <xsd:element name="Transforms" type="ds:TransformsType"
                 minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="URI" type="xsd:anyURI"
                 use="required"/>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>
<!-- End QualifyingPropertiesReference -->

12.2.2 Signed and Unsigned Properties

The SignedProperties and UnsignedProperties elements carry the additional information that makes a signature qualify as an XAdES signature. The SignedProperties element, in turn, has SignedSignatureProperties and SignedDataObjectProperties children. The UnsignedProperties element has UnsignedSignatureProperties and UnsignedDataObjectProperties children.

The schemas for these elements appear below.

The SignedProperties Element

<xsd:element name="SignedProperties"
             type="SignedPropertiesType"/>
<xsd:complexType name="SignedPropertiesType">
  <xsd:sequence>
    <xsd:element name="SignedSignatureProperties"
                 type="SignedSignaturePropertiesType"/>
    <xsd:element name="SignedDataObjectProperties"
                 type="SignedDataObjectPropertiesType"/>
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

The UnsignedProperties Element

<xsd:element name="UnsignedProperties"
             type="UnsignedPropertiesType"/>
<xsd:complexType name="UnsignedPropertiesType">
  <xsd:sequence>
    <xsd:element name="UnsignedSignatureProperties"
                 type="UnsignedSignaturePropertiesType"
                 minOccurs="0"/>
    <xsd:element name="UnsignedDataObjectProperties"
                 type="UnsignedDataObjectPropertiesType"
                 minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="Id" type="xsd:ID" use="optional"/>
</xsd:complexType>

The SignedSignatureProperties Element

<xsd:element name="SignedSignatureProperties"
             type="SignedSignaturePropertiesType"/>
<xsd:complexType name="SignedSignaturePropertiesType">
  <xsd:sequence>
    <xsd:element name="SigningTime" type="xsd:dateTime"/>
    <xsd:element name="SigningCertificate"
                 type="CertificateIDListType"/>
    <xsd:element name="SignaturePolicyIdentifier"
                 type="SignaturePolicyIdentifierType"/>
    <xsd:element name="SignatureProductionPlace"
                 type="SignatureProductionPlaceType"
                 minOccurs="0"/>
    <xsd:element name="SignerRole" type="SignerRoleType"
                 minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>

The SignedDataObjectProperties Element

<xsd:element name="SignedDataObjectProperties"
             type="SignedDataObjectPropertiesType"/>
<xsd:complexType name="SignedDataObjectPropertiesType">
  <xsd:sequence>
    <xsd:element name="DataObjectFormat"
                 type="DataObjectFormatType"
                 minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="CommitmentTypeIndication"
                 type="CommitmentTypeIndicationType"
                 minOccurs="0"
                 maxOccurs="unbounded"/>
    <xsd:element name="AllDataObjectsTimeStamp"
                 type="TimeStampType"/>
    <xsd:element name="IndividualObjectsTimeStamp"
                 type="TimeStampType"/>
  </xsd:sequence>
</xsd:complexType>

The UnsignedSignatureProperties Element

<xsd:element name="UnsignedSignatureProperties"
             type="UnsignedSignaturePropertiesType"/>
<xsd:complexType name="UnsignedSignaturePropertiesType">
  <xsd:sequence>
    <xsd:element name="CounterSignature"
                 type="ds:SignatureType"
                 minOccurs="0"/>
    <xsd:element name="SignatureTimeStamp"
                 type="TimeStampType"
                 minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="CompleteCertificateRefs"
                 type="CompleteCertificateRefsType"
                 minOccurs="0"/>
    <xsd:element name="CompleteRevocationRefs"
                 type="CompleteRevocationRefsType"
                 minOccurs="0"/>
    <xsd:choice>
      <xsd:element name="SigAndRefsTimeStamp"
                   type="TimeStampType"
                   minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="RefsOnlyTimeStamp"
                   type="TimeStampType"
                   minOccurs="0" maxOccurs="unbounded"/>
    </xsd:choice>
    <xsd:element name="CertificatesValues"
                 type="CertificatesValuesType"
                 minOccurs="0"/>
    <xsd:element name="RevocationValues"
                 type="RevocationValuesType"
                 minOccurs="0"/>
    <xsd:element name="ArchiveTimeStamp"
                 type="TimeStampType"
                 minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

The UnsignedDataObjectProperties Element

<xsd:element name="UnsignedDataObjectProperties"
             type="UnsignedDataObjectPropertiesType"/>
<xsd:complexType name="UnsignedDataObjectPropertiesType">
  <xsd:sequence>
    <xsd:element name="UnsignedDataObjectProperty"
                 type="AnyType"
                 minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>
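A verifier has to confirm that a QualifyingProperties container really belongs to the signature it sits in (the Target attribute) and that the SignedProperties are actually covered by a ds:Reference in SignedInfo; otherwise "signed" properties are no better than unsigned ones. The following Python check is an added example, not code from the book or from ETSI; it assumes the XAdES v1.1.1 namespace URI and uses a constructed sample signature with digests and signature value elided.

```python
import xml.etree.ElementTree as ET

# Namespaces in Clark notation; the XAdES v1.1.1 URI is assumed (not on this page).
DS = "{http://www.w3.org/2000/09/xmldsig#}"
XADES = "{http://uri.etsi.org/01903/v1.1.1#}"

def check_qualifying_properties(signature_xml: str) -> list:
    """Return a list of problems; an empty list means the properties are bound to the signature."""
    sig = ET.fromstring(signature_xml)
    problems = []
    qp = sig.find(f"{DS}Object/{XADES}QualifyingProperties")
    if qp is None:
        return ["no QualifyingProperties inside ds:Object"]
    # Target is required and must point back at the enclosing ds:Signature.
    sig_id = sig.get("Id")
    if sig_id is None or qp.get("Target") != f"#{sig_id}":
        problems.append(f"Target {qp.get('Target')!r} does not name Signature Id {sig_id!r}")
    # SignedProperties are only signed if a ds:Reference in SignedInfo covers their Id.
    sp = qp.find(f"{XADES}SignedProperties")
    if sp is None:
        problems.append("no SignedProperties element")
    else:
        ref_uris = {r.get("URI") for r in sig.iterfind(f"{DS}SignedInfo/{DS}Reference")}
        if sp.get("Id") is None or f"#{sp.get('Id')}" not in ref_uris:
            problems.append("SignedProperties is not covered by any ds:Reference")
    return problems

# Constructed sample: a minimal enveloping layout, digests and signature value elided.
SAMPLE_OK = """<ds:Signature Id="Sig1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xades="http://uri.etsi.org/01903/v1.1.1#">
  <ds:SignedInfo>
    <ds:Reference URI="invoice.xml"><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>
    <ds:Reference URI="#SigProps1"><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>AAA=</ds:SignatureValue>
  <ds:Object>
    <xades:QualifyingProperties Target="#Sig1">
      <xades:SignedProperties Id="SigProps1"><xades:SignedSignatureProperties>
        <xades:SigningTime>2005-01-01T12:00:00Z</xades:SigningTime>
      </xades:SignedSignatureProperties></xades:SignedProperties>
    </xades:QualifyingProperties>
  </ds:Object>
</ds:Signature>"""
# Same document with the binding broken: wrong Target, and no Reference over the SignedProperties.
SAMPLE_BAD = SAMPLE_OK.replace('Target="#Sig1"', 'Target="#Sig2"') \
                      .replace('URI="#SigProps1"', 'URI="#Elsewhere"')
```

The check is structural only; the digests and the signature value themselves still have to be verified by an XML Signature implementation.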

12.2.3 Basic Elements

The ETSI signature schema specifies a number of basic types, which are described in the following sections.

The AnyType Data Type

AnyType is a complete wildcard. You can put whatever you want into an element with this type, including mixed content and arbitrary attributes.

<!-- Start AnyType -->
<xsd:element name="Any" type="AnyType"/>
<xsd:complexType name="AnyType" mixed="true">
  <xsd:sequence>
    <xsd:any namespace="##any"/>
  </xsd:sequence>
  <xsd:anyAttribute namespace="##any"/>
</xsd:complexType>

The ObjectIdentifierType Data Type

Object identifiers (OIDs) are hierarchically allocated unique identifiers that are used heavily in ASN.1 and ASN.1-based ISO standards (e.g., X.509v3). Elements with this type not only let you specify an OID but also give a text description, corresponding URI, and so on.

<!-- Start ObjectIdentifierType -->
<xsd:element name="ObjectIdentifier"
             type="ObjectIdentifierType"/>
<xsd:complexType name="ObjectIdentifierType">
  <xsd:sequence>
    <xsd:element name="Identifier" type="IdentifierType"/>
    <xsd:element name="Description" type="xsd:string"
                 minOccurs="0"/>
    <xsd:element name="DocumentationReferences"
                 type="DocumentationReferencesType"
                 minOccurs="0"/>
  </xsd:sequence>
</xsd:complexType>
<!-- A type that extends a simple type with attributes uses simpleContent -->
<xsd:complexType name="IdentifierType">
  <xsd:simpleContent>
    <xsd:extension base="xsd:anyURI">
      <xsd:attribute name="Qualifier"
                     type="QualifierType"
                     use="optional"/>
    </xsd:extension>
  </xsd:simpleContent>
</xsd:complexType>
<xsd:simpleType name="QualifierType">
  <xsd:restriction base="xsd:string">
    <xsd:enumeration value="OIDAsURI"/>
    <xsd:enumeration value="OIDAsURN"/>
  </xsd:restriction>
</xsd:simpleType>
<xsd:complexType name="DocumentationReferencesType">
  <xsd:sequence maxOccurs="unbounded">
    <xsd:element name="DocumentationReference"
                 type="xsd:anyURI"/>
  </xsd:sequence>
</xsd:complexType>

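Because Identifier is just an anyURI, an implementation that relies on an OID (for a signature policy, a commitment type, and so on) should parse it strictly rather than compare strings. The Python below is an added example, not code from the book or ETSI: it reads an ObjectIdentifier element, parses the OIDAsURN form (urn:oid:..., RFC 3061) into integer arcs, and rejects values that cannot be an OID. It assumes the XAdES v1.1.1 namespace URI; the Description and documentation reference in the sample are constructed.

```python
import re
import xml.etree.ElementTree as ET

# XAdES v1.1.1 namespace, assumed for this example (not given on the page).
XADES = "{http://uri.etsi.org/01903/v1.1.1#}"
# urn:oid form (RFC 3061): at least two dotted decimal arcs, no leading zeros.
_URN_OID = re.compile(r"^urn:oid:((?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+)$")

def parse_oid_urn(identifier: str) -> list:
    """Parse an OIDAsURN Identifier into integer arcs, enforcing the X.660
    top-level limits; raises ValueError when the value is not a well-formed OID."""
    m = _URN_OID.match(identifier)
    if not m:
        raise ValueError(f"not a urn:oid identifier: {identifier!r}")
    arcs = [int(a) for a in m.group(1).split(".")]
    # First arc is 0, 1 or 2; under 0 and 1 the second arc is limited to 0..39.
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"illegal top-level arcs {arcs[0]}.{arcs[1]}")
    return arcs

def is_valid_oid_urn(identifier: str) -> bool:
    try:
        parse_oid_urn(identifier)
        return True
    except ValueError:
        return False

def read_object_identifier(xml_text: str) -> dict:
    """Read an xades:ObjectIdentifier; for Qualifier="OIDAsURN" the Identifier is
    parsed, otherwise it is kept as an opaque URI (arcs is None)."""
    el = ET.fromstring(xml_text)
    ident = el.find(f"{XADES}Identifier")
    if ident is None or not (ident.text or "").strip():
        raise ValueError("Identifier is required")
    value, qualifier = ident.text.strip(), ident.get("Qualifier")
    return {
        "identifier": value,
        "qualifier": qualifier,
        "description": el.findtext(f"{XADES}Description"),
        "references": [r.text for r in el.iter(f"{XADES}DocumentationReference")],
        "arcs": parse_oid_urn(value) if qualifier == "OIDAsURN" else None,
    }

# Constructed sample; 1.2.840.113549.1.1.11 is the sha256WithRSAEncryption OID.
SAMPLE = """<xades:ObjectIdentifier xmlns:xades="http://uri.etsi.org/01903/v1.1.1#">
  <xades:Identifier Qualifier="OIDAsURN">urn:oid:1.2.840.113549.1.1.11</xades:Identifier>
  <xades:Description>sha256WithRSAEncryption</xades:Description>
  <xades:DocumentationReferences>
    <xades:DocumentationReference>https://example.invalid/oid-doc</xades:DocumentationReference>
  </xades:DocumentationReferences>
</xades:ObjectIdentifier>"""
```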
The EncapsulatedPKIDataType Data Type

This type is supplied for elements that contain binary ISO public key infrastructure items. It permits arbitrary binary content, encoded in base-64 [RFC 2045].

<!-- Start EncapsulatedPKIDataType -->
<xsd:element name="EncapsulatedPKIData"
             type="EncapsulatedPKIDataType"/>
<xsd:complexType name="EncapsulatedPKIDataType">
  <xsd:simpleContent>
    <xsd:extension base="xsd:base64Binary">
      <xsd:attribute name="Id" type="xsd:ID"
                     use="optional"/>
    </xsd:extension>
  </xsd:simpleContent>
</xsd:complexType>

The TimeStampType Data Type

Time stamps are a very important part of ETSI advanced signatures. You send a digest of the data you want time stamped to a Timestamp Authority. The authority signs that digest together with the current time and returns a token that includes the digest value, the identity of the authority, and the time of stamping. It proves that the data existed before the time of stamping.

<!-- Start TimeStampType -->
<xsd:element name="TimeStamp" type="TimeStampType"/>
<xsd:complexType name="TimeStampType">
  <xsd:sequence>
    <xsd:element name="HashDataInfo"
                 type="HashDataInfoType"
                 maxOccurs="unbounded"/>
    <xsd:choice>
      <xsd:element name="EncapsulatedTimeStamp"
                   type="EncapsulatedPKIDataType"/>
      <xsd:element name="XMLTimeStamp" type="AnyType"/>
    </xsd:choice>
  </xsd:sequence>
</xsd:complexType>
<xsd:complexType name="HashDataInfoType">
  <xsd:sequence>
    <xsd:element name="Transforms"
                 type="ds:TransformsType"
                 minOccurs="0"/>
  </xsd:sequence>
  <!-- The reference URI that names the data to be hashed -->
  <xsd:attribute name="uri" type="xsd:anyURI" use="required"/>
</xsd:complexType>

Each HashDataInfo element uses the usual XML Security reference URI and optional Transforms element to provide input for computing the hash sent to the Timestamp Authority.



Secure XML: The New Syntax for Signatures and Encryption
ISBN: 0201756056
Year: 2005
Pages: 186