Document package
The document package in Posten signering is based on the ASiC-E standard (Associated Signature Containers, Extended form). The profile is designed to be similar to that used for Digital mailbox to residents. Read more about the profile used for ASiC at the end of this document.
Contents
The package is in ZIP format and contains:
the document to be signed (a PDF or plain text file)
the file
manifest.xml
which describes metadata for the document (subjects, who must sign, etc.)the file
META-INF/signatures.xml
which is the signature for the entire document package.
Document
For information about document restrictions, see Document format. This file is referenced with the required href
-attribute i n``document`` element in manifest.xml
. See examples for signature requests in direct flow and signature requests in portal flow.
Manifest
The file manifest.xml
follows the schema direct-and-portal.xsd, which again imports direct.xsd and portal.xsd.
See how to create requests in direct flow and portal flow for examples of different ways in which the elements can be built up.
Signatures
The file signatures.xml
follows the schema http://uri.etsi.org/2918/v1.2.1#
. See Thirdparty (catalogue) for copies of the relevant standard schemas.
Examples of complete signatures.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<XAdESSignatures xmlns="http://uri.etsi.org/2918/v1.2.1#">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Signature">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference Id="ID_0" URI="document.pdf">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=</DigestValue>
</Reference>
<Reference Id="ID_1" URI="manifest.xml">
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>xTqm6xkL7NOjnf5oYa+m0+XKzq1cwWMkcoESLa+/Lko=</DigestValue>
</Reference>
<Reference Type="http://uri.etsi.org/01903#SignedProperties" URI="#SignedProperties">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>cV6hPhJ6f8hnl0J9czhubj08rWhJmzCQsomxODfYyYM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>VTc0CBKyuDD0DRsJx7JJf6c2iH+TndFcx1aj0nP99snV6magufrPR8JSYadWIn4QICpHFcpAp5s+
XgIY9jfkAVLtAbiko9VcRpSopP1zj6tM3lrSaoo/lBKP0rWNZCQiNgw8f3pkGbi1bUKVwhbRI4XF
+bc2rZiZoaWgOByhsFZ25hWrl+GgC3PNsEzA+WN3JbGAq00xtKudRG1vMjdjfsGtmvFYVQ0xQlUY
5Vxdfovoia3x6zm5zbHWRQdVoUTS3vv5Mv6GAs7JAnDwSNxRVSizN5QB6xB60xRn+BFwdVedQTMa
cuReWIxY2r8yocS9MAZxFG+4SAHGxjJkNkglHg==
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIDYzCCAkugAwIBAgIEIyZ/HzANBgkqhkiG9w0BAQsFADBiMQswCQYDVQQGEwJOTzELMAkGA1UE
CBMCTk8xDTALBgNVBAcTBE9zbG8xETAPBgNVBAoTCEF2c2VuZGVyMREwDwYDVQQLEwhBdnNlbmRl
cjERMA8GA1UEAxMIQXZzZW5kZXIwHhcNMTQwNTIwMTIxMDA3WhcNMTUwNTE1MTIxMDA3WjBiMQsw
CQYDVQQGEwJOTzELMAkGA1UECBMCTk8xDTALBgNVBAcTBE9zbG8xETAPBgNVBAoTCEF2c2VuZGVy
MREwDwYDVQQLEwhBdnNlbmRlcjERMA8GA1UEAxMIQXZzZW5kZXIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCOq505/fn9fDCZjvMlSWJNEj0kVLeFo233MEfhOUOhU44Q7ClGLJfEIdMr
ZCzWR58Eo8Fn90bEIosI8rCvw8XsNaDaeVgZ3PDtXTuA8luL/IphWXfuHxdmFm3LPD0XIQS+V8pg
J215NIScrZGkgBKjb7uVo+usGYUpqkbjl5kctTziRZo0k2i73iJd1+DjPGZ2OzAR1lMb8EEWheiX
qE+pRwpHQOkMiRlNrZxDD1mTJR2RLYYp/guW93YbIgJv4mhV3ZpJL8idU2YECkM5p6Wg2wfznCyx
ZU0E5Us4SvuDPrg48ELe140AtXQb8xyuGrLhCm5JyHhAFJM0IoiGQwqPAgMBAAGjITAfMB0GA1Ud
DgQWBBSpQuhFDLFSUauhNrCbx+g8QXv9oTANBgkqhkiG9w0BAQsFAAOCAQEAHAENC+ZsxNSXOb6D
e90uHqkEJFFZF3CfdtRHx23s2wjDFJI4CEY8WHsOD90ynOyDZV/sWcu1Emi1nZ7rEdtt/wKfhIdI
CBzZ+GkU04niu+jpM9OCk1JS1LU+e+ljz6ZL7OZVegTE6tLI8JwfInf7dBjSBnf69Gs4xRK/TmO5
i5KipdivkTGXJCaLf8lwFM3bxM5t0H8AzbrHc0JVVTTXHjbIvgg7JhFuiC1z1vM6hsplOysb9gFP
89AvNttWcdSb0rQAVz0rjl+GKzM07Aw4tYBl8j42POtjMCjV5e0TCeNfLfnZ3r9DCSUNlAwhisoX
l5gXsb+YU/RPOlg+xh5xRA==
</X509Certificate>
</X509Data>
</KeyInfo>
<Object>
<QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.3.2#"
xmlns:ns2="http://www.w3.org/2000/09/xmldsig#" Target="#Signature">
<SignedProperties Id="SignedProperties">
<SignedSignatureProperties>
<SigningTime>2015-11-25T15:45:42.115+01:00</SigningTime>
<SigningCertificate>
<Cert>
<CertDigest>
<ns2:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ns2:DigestValue>6Gko40cr8upGenUAxIT6bBVcRfo=</ns2:DigestValue>
</CertDigest>
<IssuerSerial>
<ns2:X509IssuerName>CN=Avsender, OU=Avsender, O=Avsender, L=Oslo, ST=NO, C=NO</ns2:X509IssuerName>
<ns2:X509SerialNumber>589725471</ns2:X509SerialNumber>
</IssuerSerial>
</Cert>
</SigningCertificate>
</SignedSignatureProperties>
<SignedDataObjectProperties>
<DataObjectFormat ObjectReference="#ID_0">
<MimeType>application/pdf</MimeType>
</DataObjectFormat>
<DataObjectFormat ObjectReference="#ID_1">
<MimeType>application/xml</MimeType>
</DataObjectFormat>
</SignedDataObjectProperties>
</SignedProperties>
</QualifyingProperties>
</Object>
</Signature>
</XAdESSignatures>
Standards used in the document package
It must be possible to validate the integrity of documents and metadata in the digital signature service many years after receipt. This is ensured by packing the information in a document package protected with digital signatures, as described below. In practice, this is a zip file with a given structure that contains a digital signature of the contents.
Standards
Standard |
Document |
Version |
---|---|---|
ETSI, ETSI TS 102 918 |
Electronic Signatures and Infrastructures (ESI); Associated Signature [1] |
ETSI, 2013-06. |
ETSI, ETSI TS 103 174 |
Electronic Signatures and Infrastructures (ESI); ASiC Baseline Profile [2] |
ETSI, 2013-06. |
ETSI, ETSI TS 101 903 |
Electronic Signatures and Infrastructures (ESI); XML Advanced Electronic Signatures (XAdES) [6] |
ETSI, 2010-12. |
ETSI, ETSI TS 103 171 |
Electronic Signatures and Infrastructures (ESI); XAdES Baseline Profile [7] |
ETSI, 2012-03. |
ASiC profile for the document package
The document is packaged in a document package together with metadata in accordance with ASiC (ETSI TS 102 918) [1], and further limited according to the profile defined in Baseline Profile (ETSI TS 103 174) [2]. Additional restrictions are as follows:
Requirements |
Fields |
Comments |
---|---|---|
requirement 6.1 [3] |
ASiC conformance |
Should be “ASiC‑E XAdES” |
requirement 8.1 [4] |
SiC‑E Media type identification |
Should be “ASiC file extension is”.asice |
requirement 8.2 [4] |
SiC‑E Signed data object |
All files outside of the META-INF catalogue shall be signed |
requirement 8.3.1 [5] |
SiC‑E XAdES signature |
There should only be one signature in the META-INF catalogue, with the name signatures.xml. This signature shall cover all other files in the container, and the sender’s organization certificate shall be used for signing. |
requirement 8.3.2 [5] |
equirements for the contents of Container” refererer til “6.2.2 punkt 4b) “META-INF/manifest.xml” if present […] i”ASiC”:etsi1 |
This file should not be present |
Signature in the document package
The document package should be signed by the “Data Controller”, but may be signed by the “Data Processor”.
The signature must be in accordance with XAdES (ETSI TS 101 903) [6] with the baseline profile defined in XAdES Baseline Profile (ETSI TS 103 171) [7] (B-Level Conformance). Additional restrictions are as follows:
Requirements |
Fields |
Comments |
---|---|---|
requirement 5.1 [8] |
Algorithm requirements |
The signing algorithm should be rsa-sha256. The finger print algorithm in the references should be sha256. The finger print algorithm in CertDigest should be sha1 |
requirement 6.2.1 [9] |
Placement of the signing certificate |
All certificates from the organization certificate and up to and included a trusted root should be included |
requirement 6.2.2 [10] |
Canonicalization of ds:SignedInfo element |
Should be xml-c14n11. Can be REC-xml-c14n-20010315 |
requirement 6.2.3 [10] |
Profile of ds:Reference element |
All documents should be included, and references outside of the document package are not allowed |
requirement 6.2.4 [11] |
Transforms within ds:Reference element |
All file references should be without transform, and the reference to SignedProperties should be REC-xml-c14n-20010315 |
requirement 6.3.1 [11] |
Profile of xades:SigningCertificate element |
No further limitations |
requirement 6.3.2 [12] |
Profile of xades:SigningTime element |
The time indication should be correct within the interval of +/- 5 seconds |
requirement 6.3.3 [12] |
Profile of xades:DataObjectFormat element |
Only MimeType and ObjectReference should be present |
Footnotes