makdimka077 / xades4j

Automatically exported from code.google.com/p/xades4j
GNU Lesser General Public License v3.0

Validation of XAdES-X and XAdES-X-L forms #55

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
While the library can create XAdES-X and XAdES-X-L forms by extending a XAdES-C document, it can't validate them.

Related: issue 18.

What version of the product are you using? On what operating system?
1.3.0

Please provide any additional information below.
Preliminary patches (not final) to add support for XAdES-X and XAdES-X-L forms 
are attached.

Missing features:
1. Code does not use the time from SigAndRefsTimeStamp to validate SignatureTimeStamp
2. Does not add support for optional tags: AttrAuthoritiesCertValues or AttributeRevocationValues.
3. Does not use CertificateValues or RevocationValues for checking the validity of Signature (still depends on validator to have proper CRLs and Certificates)

Original issue reported on code.google.com by hubert.k...@gmail.com on 16 Oct 2012 at 5:21

GoogleCodeExporter commented 9 years ago
New set of patches (still not final) to add support for XAdES-X and XAdES-X-L forms.

Missing features:
1. Code does not use the time from SigAndRefsTimeStamp to validate SignatureTimeStamp (requires complete verifier rewrite)
2. Does not create optional tags: AttrAuthoritiesCertValues or AttributeRevocationValues.
3. Because of 2: no test cases for those properties

It finally does use certificates and CRLs encoded in properties.

Patches based on rev 248.

Original comment by hubert.k...@gmail.com on 29 Oct 2012 at 5:19

GoogleCodeExporter commented 9 years ago
Small fix in patch 6: wrong ToXmlConverter was used for AttrAuthoritiesCertValues.

Original comment by hubert.k...@gmail.com on 30 Oct 2012 at 10:29

GoogleCodeExporter commented 9 years ago
Basically final patches to add support for XAdES-X and XAdES-X-L properties.

As the use of time from SigAndRefsTimeStamp to verify SignatureTimeStamp requires a verifier rewrite, it's still not done. It does create optional tags: AttrAuthoritiesCertValues, AttributeRevocationValues and tests for their creation. As the verifier can't handle partial failures in verification, the tests are only preliminary.

Big changes: separate verifier for TimeStamps and Signature (different TrustAnchors, different certificate stores and different revocation information) and ability to add certificate stores (certs and CRLs) in certificate validation providers.

Original comment by hubert.k...@gmail.com on 5 Nov 2012 at 2:40

GoogleCodeExporter commented 9 years ago
Final patches to add support for XAdES-X and XAdES-X-L properties.

Both creation (by extending the signature from lower forms only!) and validation are functioning correctly. That is, if you have a XAdES-X-L document with current CRLs inside, you need only CA certificates to validate it.

Patches up to 0009 are exactly the same as in Comment #3; both verifier and unmarshallers have been rewritten to a hybrid approach: finding the property is done using DOM while the unmarshalling of the property itself is done using JAXB. The verifier can handle partial failures in verification.

Original comment by hubert.k...@gmail.com on 15 Dec 2012 at 7:00

GoogleCodeExporter commented 9 years ago
Rest of the patches for comment #4.

This closes the issue.

Original comment by hubert.k...@gmail.com on 15 Dec 2012 at 7:04

GoogleCodeExporter commented 9 years ago
All patches in a single file to ease download.

Original comment by hubert.k...@gmail.com on 27 Dec 2012 at 5:34

GoogleCodeExporter commented 9 years ago
Here is an SVN patch including all the changes from Hubert K.
Taken from Comment 6 and applied one by one on revision #248.

Original comment by boehme.a...@gmail.com on 8 Jan 2013 at 8:59

GoogleCodeExporter commented 9 years ago
The SVN CLI client in 1.7 (I tested 1.7.5) does support git patches; you can just `svn patch` them. It's TortoiseSVN that lacks support for git-style unified diff files.

Original comment by hubert.k...@gmail.com on 9 Jan 2013 at 3:01