CODEWITHSUNDEEP
xmlxml-dsig
Riugos
Riugos

Reputation: 23

Xades multiple signatures

Hi everyone and thanks in advance for the help.

My goal is to let two or more different persons to deal with a document incrementally:

How can I do it? According to the standard, XAdES specific xml elements (such as the ID of the certificate used to sign) are all inside the <object> element (in signed properties sub-element), which in my opinion implies that only one person can sign the object (i.e. the document) at a time without having to overwrite the signature data.

Am I wrong? Someone can help me undestanding if there's a way i did not considered?

Thanks,

A.

Upvotes: 1

Views: 2130

Answers (2)

Riugos
Riugos

Reputation: 23

I didn't think that it was possibile to have more references inside a countersignature element, since a counter signature for me is a signature on a previously made signature, but the standard doesn't prohibit it, maybe you're right. Thank you.

Other considerations, just to be sure that I understood correctly 1) nested countersignature element will be needed as the number of counter signers grows, and this is ok for the ETSI standard 2) why countersignature element has been created? is it not possibile to create more signature elements inside the same container node that make references to each other and to the text section of interest via the reference element? I'm considering the example you posted, in which the data element was internally attached and there was a single signature: adding more signature elements with the correct references will make me able to obtain the same behaviour or there are limitations that I didn't identified?

Thank you all for the contribution.

Edit:

Answer 1) I would say yes, as the spec says: "Applications MAY add other ds:Reference elements referencing the ds:SignatureValue elements of previously existent CounterSignature elements. This allows for building arbitrarily long chains of explicit countersignatures."

Answer 2) Well, I suppose it is your decision... about countersignatures, they say: "The only purpose of this definition is to serve as an easy identification of a signature as actually being a countersignature." So, if you decide that it is easier (add the reasons that make sense to you here...) to do that as a signatures and not as countersignatures, you can.

See the xades spec: ETSI TS 101 903 V1.4.2 (2010-12) http://www.etsi.org/deliver/etsi_ts%5C101900_101999%5C101903%5C01.04.02_60%5Cts_101903v010402p.pdf

See Chapter 7.2.4 and Annex C.

Upvotes: 0

brun0sa
brun0sa

Reputation: 104

My 2 cents...

This looks a case to use counter signatures.

  • To make sure that one only signs parts of the document, you have to work with the xpath transformers in the reference.

  • The second person will counter sign the previous signature and probably you also need to add the references (xpath?) the new sections that he edited.

You have some research to do...

Link to an example of a counter signature from xades4j: https://github.com/luisgoncalves/xades4j/blob/master/src/test/xml/document.signed.bes.cs.xml

EDIT:

See the xades spec: ETSI TS 101 903 V1.4.2 (2010-12) http://www.etsi.org/deliver/etsi_ts%5C101900_101999%5C101903%5C01.04.02_60%5Cts_101903v010402p.pdf See Chapter 7.2.4 and Annex C.

Answer 1) I would say yes, as the spec says: "Applications MAY add other ds:Reference elements referencing the ds:SignatureValue elements of previously existent CounterSignature elements. This allows for building arbitrarily long chains of explicit countersignatures."

Answer 2) Well, I suppose it is your decision... about countersignatures, they say: "The only purpose of this definition is to serve as an easy identification of a signature as actually being a countersignature." So, if you decide that it is easier (add the reasons that make sense to you here...) to do that as a signatures and not as countersignatures, you can.

Upvotes: 1

Related Questions