One of the developers preparing an application for submitting data to GIIF
drew our attention to a file which, after being sent to MF (the Ministry of Finance), returns error 401 „Brak ważnego podpisu.” ("No valid signature."),
even though the same file validates correctly in the KIR Szafir and Certum SmartSign software.
To analyse the problem I created an additional call in the test system:
After the call I received the response below (shortened to protect personal data). There is no need to study it in depth;
I include it only to illustrate what to expect from the call:
----------------Validation report--------------- <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <DetailedReport xmlns="http://dss.esig.europa.eu/validation/detailed-report"> <Signatures Id="id-0d5c90b084135f343a2314d0ea973930"> <ValidationProcessBasicSignatures BestSignatureTime="2019-04-16T08:34:14"> <Constraint Id="id-0d5c90b084135f343a2314d0ea973930"> <Name NameId="ADEST_ROBVPIIC">Is the result of the Basic Validation Process conclusive?</Name> <Status>NOT OK</Status> <Error NameId="ADEST_ROBVPIIC_ANS">The result of the Basic validation process is not conclusive!</Error> </Constraint> <Conclusion> <Indication>FAILED</Indication> <SubIndication>SIG_CONSTRAINTS_FAILURE</SubIndication> <Errors NameId="BBB_SAV_ISQPSTP_ANS">The signed qualifying property: 'signing-time' is not present!</Errors> </Conclusion> </ValidationProcessBasicSignatures> <ValidationSignatureQualification SignatureQualification="Not AdES but QC with QSCD"> <Constraint> <Name NameId="QUAL_IS_ADES">Is the signature/seal an acceptable AdES (ETSI EN 319 102-1) ?</Name> <Status>WARNING</Status> <Warning NameId="QUAL_IS_ADES_INV">The signature/seal is not a valid AdES!</Warning> </Constraint> <Constraint> <Name NameId="QUAL_TRUSTED_CERT_PATH">Is the certificate path trusted?</Name> <Status>OK</Status> </Constraint> <Constraint Id="EU"> <Name NameId="QUAL_TRUSTED_LIST_ACCEPT">Is the trusted list acceptable?</Name> <Status>OK</Status> </Constraint> <Constraint Id="PL"> <Name NameId="QUAL_TRUSTED_LIST_ACCEPT">Is the trusted list acceptable?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_QC_AT_ST">Is the certificate qualified at (best) signing time?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_FOR_SIGN_AT_ST">Is the certificate for eSig at (best) signing time?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_QC_AT_CC">Is the certificate qualified at issuance time?</Name> <Status>OK</Status> </Constraint> <Constraint> 
<Name NameId="QUAL_QSCD_AT_ST">Is the private key on a QSCD at (best) signing time?</Name> <Status>OK</Status> </Constraint> <Conclusion> <Indication>INDETERMINATE</Indication> <Warnings NameId="QUAL_IS_ADES_INV">The signature/seal is not a valid AdES!</Warnings> </Conclusion> <ValidationCertificateQualification DateTime="2019-02-11T22:14:08" ValidationTime="CERTIFICATE_ISSUANCE_TIME" CertificateQualification="QC Cert for ESig with QSCD"> <Constraint> <Name NameId="QUAL_HAS_CAQC">Is the certificate related to a CA/QC?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_HAS_GRANTED">Is the certificate related to a trust service with a granted status?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_TL_SERV_CONS">Is the trust service consistent ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_IS_TRUST_CERT_MATCH_SERVICE">Is the trusted certificate match the trust service ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_QC_AT_CC">Is the certificate qualified at issuance time?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_FOR_SIGN_AT_CC">Is the certificate for eSig at issuance time?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_QSCD_AT_CC">Is the private key on a QSCD at issuance time?</Name> <Status>OK</Status> </Constraint> <Conclusion> <Indication>PASSED</Indication> </Conclusion> </ValidationCertificateQualification> <ValidationCertificateQualification DateTime="2019-04-16T08:34:14" ValidationTime="BEST_SIGNATURE_TIME" CertificateQualification="QC Cert for ESig with QSCD"> <Constraint> <Name NameId="QUAL_HAS_CAQC">Is the certificate related to a CA/QC?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_HAS_GRANTED">Is the certificate related to a trust service with a granted status?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_TL_SERV_CONS">Is the trust service 
consistent ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_IS_TRUST_CERT_MATCH_SERVICE">Is the trusted certificate match the trust service ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_QC_AT_ST">Is the certificate qualified at (best) signing time?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_FOR_SIGN_AT_ST">Is the certificate for eSig at (best) signing time?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_QSCD_AT_ST">Is the private key on a QSCD at (best) signing time?</Name> <Status>OK</Status> </Constraint> <Conclusion> <Indication>PASSED</Indication> </Conclusion> </ValidationCertificateQualification> </ValidationSignatureQualification> </Signatures> <BasicBuildingBlocks Id="id-0d5c90b084135f343a2314d0ea973930" Type="SIGNATURE"> <FC> <Constraint> <Name NameId="BBB_FC_IEFF">Is the expected format found?</Name> <Status>OK</Status> </Constraint> <Conclusion> <Indication>PASSED</Indication> </Conclusion> </FC> <ISC> <Constraint> <Name NameId="BBB_ICS_ISCI">Is there an identified candidate for the signing certificate?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_ICS_ISCS">Is the signing certificate signed?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_ICS_ISASCP">Is the signed attribute: 'signing-certificate' present?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_ICS_ISACDP">Is the signed attribute: 'cert-digest' of the certificate present?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_ICS_ICDVV">Is the certificate's digest value valid?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_ICS_AIDNASNE">Are the issuer distinguished name and the serial number equal?</Name> <Status>OK</Status> </Constraint> <Conclusion> <Indication>PASSED</Indication> </Conclusion> <CertificateChain> <ChainItem Id="[...]"> <Source>UNKNOWN</Source> 
</ChainItem> <ChainItem Id="ED380189EB280F5D86C914BFDD28D89795E5676AE893F3C3D75B12F3E42CC914"> <Source>TRUSTED_LIST</Source> </ChainItem> </CertificateChain> </ISC> <VCI> <Constraint> <Name NameId="BBB_VCI_ISPK">Is the signature policy known?</Name> <Status>OK</Status> </Constraint> <Conclusion> <Indication>PASSED</Indication> </Conclusion> </VCI> <CV> <Constraint> <Name NameId="BBB_CV_IRDOF">Is the reference data object(s) found?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_CV_IRDOI">Is the reference data object(s) intact?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_CV_ISI">Is the signature intact?</Name> <Status>OK</Status> </Constraint> <Conclusion> <Indication>PASSED</Indication> </Conclusion> </CV> <SAV> <Constraint> <Name NameId="BBB_SAV_ISQPSTP">Is signed qualifying property: 'signing-time' present?</Name> <Status>NOT OK</Status> <Error NameId="BBB_SAV_ISQPSTP_ANS">The signed qualifying property: 'signing-time' is not present!</Error> </Constraint> <Conclusion> <Indication>FAILED</Indication> <SubIndication>SIG_CONSTRAINTS_FAILURE</SubIndication> <Errors NameId="BBB_SAV_ISQPSTP_ANS">The signed qualifying property: 'signing-time' is not present!</Errors> </Conclusion> </SAV> <XCV> <Constraint> <Name NameId="BBB_XCV_CCCBB">Can the certificate chain be built till the trust anchor?</Name> <Status>OK</Status> </Constraint> <Constraint Id="0FF278B32EDFED379544338C15EC9BC9EC6DE753C6FC6C68CBB8F7A831D44F21"> <Name NameId="BBB_XCV_SUB">Is the certificate validation concluant ?</Name> <Status>OK</Status> </Constraint> <Constraint Id="ED380189EB280F5D86C914BFDD28D89795E5676AE893F3C3D75B12F3E42CC914"> <Name NameId="BBB_XCV_SUB">Is the certificate validation concluant ?</Name> <Status>OK</Status> </Constraint> <Conclusion> <Indication>PASSED</Indication> </Conclusion> <SubXCV Id="0FF278B32EDFED379544338C15EC9BC9EC6DE753C6FC6C68CBB8F7A831D44F21" TrustAnchor="false"> <Constraint> <Name NameId="QUAL_UNIQUE_CERT">Is the 
certificate unique ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_XCV_PSEUDO_USE">Is pseudo used ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_XCV_ISNSSC">Is not self-signed certificate?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_XCV_ICSI">Is the certificate's signature intact?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="ASCCM">Are signature cryptographic constraints met?</Name> <Status>OK</Status> <AdditionalInfo>Validation time : 2019-04-16 08:34</AdditionalInfo> </Constraint> <Constraint> <Name NameId="BBB_XCV_ISCGKU">Has the signer's certificate given key-usage?</Name> <Status>OK</Status> <AdditionalInfo>Key usage : nonRepudiation, digitalSignature</AdditionalInfo> </Constraint> <Constraint> <Name NameId="BBB_XCV_AIA_PRES">Is authority info access present?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_XCV_REVOC_PRES">Is revocation info access present?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_XCV_ICTIVRSC">Is the current time in the validity range of the signer's certificate?</Name> <Status>OK</Status> <AdditionalInfo>Certificate validity : 2019-02-11 22:14 to 2021-02-10 22:14</AdditionalInfo> </Constraint> <Constraint> <Name NameId="BBB_XCV_ISCR">Is the certificate not revoked?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_XCV_ISCOH">Is the certificate on hold?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_XCV_RFC">Is the revocation freshness check concluant ?</Name> <Status>OK</Status> </Constraint> <Conclusion> <Indication>PASSED</Indication> </Conclusion> <RFC Id="0ff278b32edfed379544338c15ec9bc9ec6de753c6fc6c68cbb8f7a831d44f21e656ce513922afbffee4a2af979d95462dba58f56cc74ecb44430c908e9c2586"> <Constraint> <Name NameId="BBB_XCV_IRDPFC">Is the revocation data present for the certificate?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name 
NameId="BBB_RFC_NUP">Is there a Next Update defined for the revocation data?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="BBB_RFC_IRIF">Is the revocation information fresh for the certificate?</Name> <Status>OK</Status> <AdditionalInfo>Next update : 2019-04-17 05:46</AdditionalInfo> </Constraint> <Constraint> <Name NameId="ASCCM">Are signature cryptographic constraints met?</Name> <Status>OK</Status> <AdditionalInfo>Validation time : 2019-04-16 08:34</AdditionalInfo> </Constraint> <Conclusion> <Indication>PASSED</Indication> </Conclusion> </RFC> </SubXCV> <SubXCV Id="ED380189EB280F5D86C914BFDD28D89795E5676AE893F3C3D75B12F3E42CC914" TrustAnchor="true"> <Conclusion> <Indication>PASSED</Indication> </Conclusion> </SubXCV> </XCV> <CertificateChain> <ChainItem Id="[...]"> <Source>UNKNOWN</Source> </ChainItem> <ChainItem Id="ED380189EB280F5D86C914BFDD28D89795E5676AE893F3C3D75B12F3E42CC914"> <Source>TRUSTED_LIST</Source> </ChainItem> </CertificateChain> <Conclusion> <Indication>FAILED</Indication> <SubIndication>SIG_CONSTRAINTS_FAILURE</SubIndication> <Errors NameId="BBB_SAV_ISQPSTP_ANS">The signed qualifying property: 'signing-time' is not present!</Errors> </Conclusion> </BasicBuildingBlocks> <TLAnalysis CountryCode="EU"> <Constraint> <Name NameId="QUAL_TL_FRESH">Is the trusted list fresh ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_TL_EXP">Is the trusted list not expired ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_TL_VERSION">Is the trusted list has the expected version ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_TL_WS">Is the trusted list well signed ?</Name> <Status>OK</Status> </Constraint> <Conclusion> <Indication>PASSED</Indication> </Conclusion> </TLAnalysis> <TLAnalysis CountryCode="PL"> <Constraint> <Name NameId="QUAL_TL_FRESH">Is the trusted list fresh ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_TL_EXP">Is the 
trusted list not expired ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_TL_VERSION">Is the trusted list has the expected version ?</Name> <Status>OK</Status> </Constraint> <Constraint> <Name NameId="QUAL_TL_WS">Is the trusted list well signed ?</Name> <Status>OK</Status> </Constraint> <Conclusion> <Indication>PASSED</Indication> </Conclusion> </TLAnalysis> </DetailedReport>
----------------Simple report------------------- <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <SimpleReport xmlns="http://dss.esig.europa.eu/validation/simple-report"> <Policy> <PolicyName>QES AdESQC TL based</PolicyName> <PolicyDescription>Validate electronic signatures and indicates whether they are Advanced electronic Signatures (AdES), AdES supported by a Qualified Certificate (AdES/QC) or a Qualified electronic Signature (QES). All certificates and their related chains supporting the signatures are validated against the EU Member State Trusted Lists (this includes signer's certificate and certificates used to validate certificate validity status services - CRLs, OCSP, and time-stamps). </PolicyDescription> </Policy> <ValidationTime>2019-04-16T08:34:14</ValidationTime> <DocumentName></DocumentName> <ValidSignaturesCount>0</ValidSignaturesCount> <SignaturesCount>1</SignaturesCount> <Signature Id="id-0d5c90b084135f343a2314d0ea973930" SignatureFormat="CAdES-BASELINE-T"> <BestSignatureTime>2019-04-16T08:34:14</BestSignatureTime> <SignedBy>[...]</SignedBy> <CertificateChain> <Certificate> <id>[...]</id> <qualifiedName>[...]</qualifiedName> </Certificate> <Certificate> <id>ED380189EB280F5D86C914BFDD28D89795E5676AE893F3C3D75B12F3E42CC914</id> <qualifiedName>Certum QCA 2017</qualifiedName> </Certificate> </CertificateChain> <SignatureLevel description="Not Advanced Electronic Signature but supported by a Qualified Certificate">Not AdES but QC with QSCD</SignatureLevel> <Indication>TOTAL_FAILED</Indication> <SubIndication>SIG_CONSTRAINTS_FAILURE</SubIndication> <Errors>The result of the Basic validation process is not conclusive!</Errors> <Errors>The signed qualifying property: 'signing-time' is not present!</Errors> <Warnings>The signature/seal is not a valid AdES!</Warnings> <SignatureScope name="Full document" scope="FullSignatureScope">Full document</SignatureScope> </Signature> </SimpleReport>
The relevant part is the following fragment of the Simple report section.
<Indication>TOTAL_FAILED</Indication> <SubIndication>SIG_CONSTRAINTS_FAILURE</SubIndication> <Errors>The result of the Basic validation process is not conclusive!</Errors> <Errors>The signed qualifying property: 'signing-time' is not present!</Errors>
As you can see, the problem lies in the signing-time attribute. Initially I suspected that the attribute had not been placed
in the document at all, or that it had ended up among the unsigned attributes.
However, after running the command:
openssl cms -cmsout -noout -print -inform DER -in plik.sig
Dates between 1 January 1950 and 31 December 2049 (inclusive) MUST be
encoded as UTCTime. Any dates with year values before 1950 or after
2049 MUST be encoded as GeneralizedTime.
So the file was being rejected because the validator strictly enforces compliance with RFC 5652,
on which the CAdES specification is based.
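The RFC 5652 rule quoted above can be checked mechanically before a file is submitted. The script below is an added example written for this article; it is not the test call described above and not code from the DSS, KIR Szafir or Certum tools. It walks a DER-encoded CMS structure with a minimal TLV parser, finds every signing-time attribute (OID 1.2.840.113549.1.9.5), and reports whether the value is encoded as UTCTime or GeneralizedTime and whether that choice matches the 1950–2049 rule. The two signed-attribute blobs are constructed inline for the example; the one carrying a GeneralizedTime value for a 2019 date reproduces what the quoted rule implies was wrong with the rejected file, which is an assumption, since the openssl output itself is not reproduced above. Given a path argument it checks a real DER-encoded .sig file instead (the sample date is the validation time from the report, used here only as constructed data).

```python
"""Check the encoding of the CMS/CAdES signing-time attribute in a DER blob.

RFC 5652 section 11.3 defines signing-time as
    Time ::= CHOICE { utcTime UTCTime, generalizedTime GeneralizedTime }
and requires UTCTime for years 1950-2049, GeneralizedTime otherwise.
Standalone example for this article (not the author's or any vendor's code);
assumes DER (definite-length) encoding, which is what signature files use.
"""
import sys

SIGNING_TIME_OID = bytes.fromhex("2a864886f70d010905")  # 1.2.840.113549.1.9.5, contents octets
TAG_OID, TAG_UTCTIME, TAG_GENERALIZEDTIME = 0x06, 0x17, 0x18
TAG_SEQUENCE, TAG_SET = 0x30, 0x31


def read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_children(contents):
    """Yield (tag, contents) for each element inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, val, pos = read_tlv(contents, pos)
        yield tag, val


def find_signing_times(buf):
    """Recursively collect every signing-time attribute value as (tag, text)."""
    found = []

    def walk(tag, contents):
        if tag == TAG_SEQUENCE:
            kids = list(iter_children(contents))
            # Attribute ::= SEQUENCE { attrType OID, attrValues SET OF AttributeValue }
            if len(kids) == 2 and kids[0] == (TAG_OID, SIGNING_TIME_OID) and kids[1][0] == TAG_SET:
                for t_tag, t_val in iter_children(kids[1][1]):
                    found.append((t_tag, t_val.decode("ascii")))
                return
        if tag & 0x20:                     # constructed element (SEQUENCE, SET, [0] ...): descend
            for k_tag, k_val in iter_children(contents):
                walk(k_tag, k_val)

    top_tag, top_val, _ = read_tlv(buf, 0)
    walk(top_tag, top_val)
    return found


def classify(tag, text):
    """Apply the RFC 5652 UTCTime/GeneralizedTime rule to one signing-time value."""
    if tag == TAG_UTCTIME:
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # two-digit year rule from RFC 5280
        encoding = "UTCTime"
    elif tag == TAG_GENERALIZEDTIME:
        year = int(text[:4])
        encoding = "GeneralizedTime"
    else:
        raise ValueError(f"unexpected tag 0x{tag:02x} in signing-time")
    expected = "UTCTime" if 1950 <= year <= 2049 else "GeneralizedTime"
    return {"encoding": encoding, "value": text, "year": year,
            "rfc5652_compliant": encoding == expected}


def check_blob(buf):
    """Return one result dict per signing-time attribute found in the DER blob."""
    return [classify(tag, text) for tag, text in find_signing_times(buf)]


# --- constructed sample data (not taken from the rejected file) -------------
def der(tag, contents):
    """Encode a single DER TLV with short or long length form."""
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + contents


def signing_time_attribute(time_tag, text):
    """Build Attribute { signing-time, SET { <time> } } with the given Time encoding."""
    return der(TAG_SEQUENCE, der(TAG_OID, SIGNING_TIME_OID)
               + der(TAG_SET, der(time_tag, text.encode("ascii"))))


# signedAttrs is [0] IMPLICIT SET OF Attribute in SignerInfo, hence the 0xA0 wrapper.
SIGNED_ATTRS_OK = der(0xA0, signing_time_attribute(TAG_UTCTIME, "190416083414Z"))
SIGNED_ATTRS_BAD = der(0xA0, signing_time_attribute(TAG_GENERALIZEDTIME, "20190416083414Z"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SIGNED_ATTRS_BAD
    for result in check_blob(data):
        print(result)
```

Because the walker descends into every constructed element, the same `check_blob` call works on a complete SignedData structure, where the attribute sits inside SignerInfo's `[0]` signedAttrs, as well as on the bare attribute set used here. A result with `"rfc5652_compliant": False` is exactly the condition a strict validator such as the one behind the MF endpoint reports as "signing-time is not present", while more lenient verifiers accept either Time choice.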