The qualification status determination is based on ETSI TS 119 615 standard (cf. [R14]), that requires extraction of information from a certificate (i.e. QcStatements, see [R27]) and from a Trusted List (under TSPService corresponding to the certificate).
For more information about how to verify a certificate qualification status using DSS, please see the section [CertificateValidation].
A certificate can be for electronic signature, for electronic seal or for website authentication.
A qualified certificate shall comply with the eIDAS regulation [R12], for each type:
-
Qualified certificate for electronic signature - shall comply with Annex I "REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR ELECTRONIC SIGNATURES" of eIDAS Regulation;
-
Qualified certificate for electronic seals - shall comply with Annex III "REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR ELECTRONIC SEALS" of eIDAS Regulation;
-
Qualified certificate for web authentication - shall comply with Annex IV "REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR WEBSITE AUTHENTICATION" of eIDAS Regulation;
The certificate type determination is based on ETSI TS 119 615 standard (cf. [R14]). The validation process takes into account the following factors but not limited to:
-
The certificate type defined in QcStatements (see [R27]). One of the following values is supported:
-
qc-type-esign(OID "0.4.0.1862.1.6.1") - identifies a certificate for a electronic signature; -
qc-type-eseal(OID "0.4.0.1862.1.6.2") - identifies a certificate for a electronic seal; -
qc-type-web(OID "0.4.0.1862.1.6.3") - identifies a certificate for a web authentication.
-
-
Information extracted from a TSP Service issued the certificate (from a Trusted List). The type of certificate may be 'overruled' based on the defined Qualifiers.
For more information about the validation process please see the ETSI TS 119 615 standard (cf. [R14]).
In order to determine a type and qualification of certificate, the CertificateVerifier can be used, provided the relevant information extracted from a Trusted List(s).
An example of a qualification data extraction for a certificate, can be found below:
link:../../../test/java/eu/europa/esig/dss/cookbook/example/validate/CertificateQualificationTest.java[role=include]With DSS, it is possible to validate a SSL certificate against the EUMS TL and the ETSI TS 119 615 (cf. [R14]) to determine if it is a Qualified certificate for WebSite Authentication (QWAC).
DSS provides a special class SSLCertificateLoader allowing to extract the SSL certificate chain from the given URL. The qualification verification is similar to the example defined in chapter Certificate Qualification determination.
link:../../../test/java/eu/europa/esig/dss/cookbook/example/validate/QWACValidationTest.java[role=include]eIDAS Regulation (cf. [R12]) defines the following types of an electronic signature:
-
(simple) electronic signature - data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;
-
advanced electronic signature - an electronic signature which meets the requirements set out in Article 26 of eIDAS Regulation [R12];
-
qualified electronic signature - an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures.
To have a qualified status an electronic signature/seal shall satisfy the following requirements but not limited to:
-
the signing-certificate shall be qualified at the certificate’s issuance time;
-
the signing-certificate shall be qualified at the best-signature-time;
-
the signing-certificate shall have a type of for eSignature or for eSeal, respectively to the signature type;
-
the signature shall be created using Qualified Signature Creation Device (QSCD).
In order to determine a type and qualification of a signature, an instance of SignedDocumentValidator can be used, provided the relevant information is extracted from a Trusted List(s).
An example of a qualification data extraction for a signature, can be found below:
link:../../../test/java/eu/europa/esig/dss/cookbook/example/validate/SignatureQualificationTest.java[role=include]ETSI TS 119 615 ([R14]) specifies standardized procedures for the determination of the qualification of a timestamp. DSS is able to determine a qualification level of a timestamp if a relative information about TrustServiceProviders is provided to a certificate verifier (loaded automatically to a trusted certificate source with [tlValidationJob]).
Three qualification levels are supported by DSS and can be obtained :
-
QTSA(issued from a granted trust service with TSA/QTST type at the timestamp production time); -
TSAany other from a known trust anchor; -
N/Afor others.
In order to determine a type and qualification of signature, an instance of DetachedTimestampValidator can be used for a detached CMS time-stamp verification, provided the relevant information extracted from a Trusted List(s).
|
Note
|
For standalone time-stamps within different containers (e.g. PDF or ASiC) a corresponding instance of a TimestampValidator shall be used.
|
The following example verifies the qualification level of a timestamp:
link:../../../test/java/eu/europa/esig/dss/cookbook/example/validate/TimestampValidationTest.java[role=include]