ETSI TS 119 144-3 V1.1.1 (2016-06)

ETSI TS 119 144-3 V1.1.1 (2016-06)






TECHNICAL SPECIFICATION
Electronic Signatures and Infrastructures (ESI);
PAdES digital signatures -
Testing Conformance and Interoperability;
Part 3: Test suites for testing interoperability of additional
PAdES signatures

---------------------- Page: 1 ----------------------
2 ETSI TS 119 144-3 V1.1.1 (2016-06)



Reference
DTS/ESI-0019144-3
Keywords
conformance, e-commerce, electronic signature,
PAdES, profile, security, testing

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI TS 119 144-3 V1.1.1 (2016-06)
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
1 Scope . 5
2 References . 5
2.1 Normative references . 5
2.2 Informative references . 6
3 Definitions and abbreviations . 6
3.1 Definitions . 6
3.2 Abbreviations . 6
4 Testing CMS digital signatures in PDF interoperability . 6
4.1 Introduction . 6
4.2 Testing CMS digital signatures in PDF . 6
5 Testing interoperability of PAdES-E-BES and PAdES-E-EPES signatures . 8
5.1 Introduction . 8
5.2 Testing PAdES-E-BES signatures . 9
5.3 Testing PAdES-E-EPES signatures . 11
6 Testing interoperability of PAdES-E-LTV signatures . 11
6.1 Testing PAdES-E-LTV signatures . 11
7 Testing interoperability of XAdES signatures signing XML content in PDF . 15
7.1 Introduction . 15
7.2 Testing XAdES signatures of XML documents embedded in PDF containers . 15
7.3 Testing XAdES signatures on XFA forms . 16
8 Testing negative additional PAdES signatures. 16
8.1 CMS digital signatures in PDF test cases . 16
8.2 PAdES-E-BES and PAdES-E-EPES test cases . 17
8.3 PAdES-E-LTV test cases . 17
History . 18


ETSI

---------------------- Page: 3 ----------------------
4 ETSI TS 119 144-3 V1.1.1 (2016-06)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and
Infrastructures (ESI).
The present document is part 3 of a multi-part deliverable covering PAdES digital signatures - Testing Conformance
and Interoperability. Full details of the entire series can be found in part 1 [i.1].
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI

---------------------- Page: 4 ----------------------
5 ETSI TS 119 144-3 V1.1.1 (2016-06)
1 Scope
The present document defines a number of test suites to assess the interoperability between implementations claiming
conformance to additional PAdES signatures profiles [3].
The present document defines test suites for each profile defined in ETSI EN 319 142-2 [3].
Test suites also cover augmentation of additional PAdES signatures and negative test cases.
These test suites are agnostic of the PKI infrastructure. Any PKI infrastructure can be used including the one based on
EU Member States Trusted Lists.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
[1] ISO 32000-1: "Document management - Portable document format - Part 1: PDF 1.7".
NOTE: Available at http://www.adobe.com/devnet/acrobat/pdfs/PDF32000_2008.pdf.
[2] ETSI EN 319 132-1: "Electronic Signatures and Infrastructures (ESI); XAdES digital signatures;
Part 1: Building blocks and XAdES baseline signatures".
[3] ETSI EN 319 142-2: " Electronic Signatures and Infrastructures (ESI); PAdES digital signatures;
Part 2: Additional PAdES signatures profiles".
[4] ETSI EN 319 122-1: "Electronic Signatures and Infrastructures (ESI); CAdES digital signatures;
Part 1: Building blocks and CAdES baseline signatures".
[5] IETF RFC 6960: "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol -
OCSP".
[6] IETF RFC 5280 (2008): "Internet X.509 Public Key Infrastructure Certificate and Certificate
Revocation List (CRL) Profile".
ETSI

---------------------- Page: 5 ----------------------
6 ETSI TS 119 144-3 V1.1.1 (2016-06)
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TR 119 144-1: "Electronic Signatures and Infrastructures (ESI); PAdES digital signatures -
Testing Conformance and Interoperability; Part 1: Overview".
[i.2] ETSI TR 119 001: "Electronic Signatures and Infrastructures (ESI); The framework for
standardization of signatures; Definitions and abbreviations".
[i.3] ETSI EN 319 102-1: "Electronic Signatures and Infrastructures (ESI); Procedures for Creation and
Validation of AdES Digital Signatures; Part 1: Creation and Validation".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in ETSI TR 119 001 [i.2] and the following
apply:
negative test case: test case for a signature whose validation according to ETSI EN 319 102-1 [i.3] would not result in
TOTAL-PASSED
3.2 Abbreviations
For the purposes of the present document, the abbreviations given in ETSI TR 119 001 [i.2] and the following apply:
XFA XML Forms Architecture
4 Testing CMS digital signatures in PDF
interoperability
4.1 Introduction
This clause refers to clause 4 of ETSI EN 319 142-2 [3]. The test cases in this clause have been defined for different
combinations of CMS digital signatures in PDF attributes. They test the use of PDF signatures, as described in
ISO 32000-1 [1] and based on CMS.
Mandatory attributes for CMS digital signatures in PDF described in ETSI EN 319 142-2 [3], clause 4.2, shall be
present.
4.2 Testing CMS digital signatures in PDF
The test cases in this clause have been defined for different combinations of CMS/PDF attributes but the following
minimum requirements shall be satisfied.
Mandatory attributes for CMS digital signatures in PDF described in ETSI EN 319 142-2 [3], clause 4, shall be present.
ETSI

---------------------- Page: 6 ----------------------
7 ETSI TS 119 144-3 V1.1.1 (2016-06)
Table 1 shows which attributes are required to generate CMS digital signatures in PDF for each test case.
Table 1: Test cases for CMS digital signatures in PDF
TC ID Description Pass criteria Signature attributes
PAdES/CMS/1 This is the simplest CMS Positive validation.
• SignatureDictionary
digital signatures in PDF The signature dictionary shall o Type
with minimum requirements contain Type, Contents, Filter, o Sig
and signature dictionary SubFilter, M and ByteRange
o Filter
entry M (signing time). The entries. o Adobe.PPKLite
signature shall be an The DER-encoded PKCS #7
o SubFilter
approval signature as binary data object included in the
o adbe.pkcs7.detached
defined in ISO 32000-1 [1]. Contents entry shall include the o M
SigningCertificate (in
o ByteRange
SignedData.certificates field),
o Contents (DER PKCS #7)
ContentType and SignerInfo o Certificates
attributes.
o SigningCertificate
o ContentType
o SignerInfo
PAdES/CMS/2 This test case tests a CMS Positive validation.
• SignatureDictionary
digital signature in PDF with The signature dictionary shall o Type
signature time stamp contain Type, Contents, Filter, o Sig
attribute which ensures the SubFilter, Reason, Location,
o Filter
time of signing, Location
ContactInfo and ByteRange o Adobe.PPKLite
attribute which describes entries.
o SubFilter
where the data was signed The DER-encoded PKCS #7
o adbe.pkcs7.detached
(CPU host name or physical binary data object included in the o Reason
location), Reason attribute Contents entry shall include the
o Location
that describes the reason SigningCertificate (in
o ContactInfo
for the signing, ContactInfo SignedData.certificates field), o ByteRange
attribute that provides ContentType, SignerInfo and
o Contents (DER PKCS #7)
information to enable a SignatureTimestamp attributes.
o Certificates
recipient to contact the o SigningCertificate
signer to verify the
o ContentType
signature.
o SignerInfo
o SignatureTS
PAdES/CMS/3 This test case tests a CMS Positive validation.
• SignatureDictionary
digital signature in PDF with The signature dictionary shall o Type
signature time stamp contain Type, Contents, Filter, o Sig
attribute which ensures the SubFilter, and ByteRange
o Filter
time of signing and adbe entries. o Adobe.PPKLite
Revocation Information The DER-encoded PKCS #7
o SubFilter
attribute to ensure binary data object included in the
o adbe.pkcs7.detached
revocation checks for the Contents entry shall include the o ByteRange
signing certificate and its SigningCertificate (in
o Contents (DER PKCS #7)
issuer certificates. SignedData.certificates field),
o Certificates
Certificate revocation list, ContentType, SignerInfo, o SigningCertificate
described in IETF SignatureTimestamp and
o ContentType
RFC 5280 [6] shall be used. RevocationInfo attributes.
o SignerInfo
o SignatureTS
o RevocationInfo
Crls
ETSI

---------------------- Page: 7 ----------------------
8 ETSI TS 119 144-3 V1.1.1 (2016-06)
TC ID Description Pass criteria Signature attributes
PAdES/CMS/4 This test case tests a CMS Positive validation.
• SignatureDictionary
digital signature in PDF with The signature dictionary shall
o Type
signature time stamp contain Type, Contents, Filter,
o Sig
attribute which ensures the SubFilter, and ByteRange
o Filter
time of signing and adbe entries. o Adobe.PPKLite
Revocation Information The DER-encoded PKCS #7 o SubFilter
attribute to ensure binary data object included in the
o adbe.pkcs7.detached
revocation checks for the Contents entry shall include the o ByteRange
signer's certificate and its SigningCertificate (in
o Contents (DER PKCS #7)
issuer certificates. OCSP SignedData.certificates field),
o Certificates
responses, described in ContentType, SignerInfo, o SigningCertificate
IETF RFC 6960 [5] shall be SignatureTimestamp and
o ContentType
used. RevocationInfo attributes.
o SignerInfo
o SignatureTS
o RevocationInfo
OCSP resp
PAdES/CMS/5 This test case tests a CMS Positive validation. The signed • SignatureDictionary (2 entries)
serial digital signature in document shall contain 2 serial
o Type
PDF. The signed document signatures. o Sig
shall include 2 serial The signature dictionary of every
o Filter
signatures. signature shall contain Type,
o Adobe.PPKLite
Contents, Filter, SubFilter, M and o SubFilter
ByteRange entries.
o adbe.pkcs7.detached
The DER-encoded PKCS #7
o ByteRange
binary data object included in the o M
Contents entry shall include the
o Contents (DER PKCS #7)
SigningCertificate (in
o Certificates
SignedData.certificates field), o SigningCertificate
ContentType and SignerInfo
o ContentType
attributes.
o SignerInfo
PAdES/CMS/6 This test case tests a CMS Positive validation. • LegalAttestationDictionary
certification digital signature The signature dictionary shall
• SignatureDictionary
in PDF with signing time
contain Type, Contents, Filter,
o Type
and LegalContentAttestation SubFilter, M, Reference and
o Sig
attributes. ByteRange entries.
o Filter
The DER-encoded PKCS #7
o Adobe.PPKLite
binary data object included in the
o SubFilter
Contents entry shall include the
o adbe.pkcs7.detached
SigningCertificate (in
o ByteRange
SignedData.certificates field),
o M
ContentType and SignerInfo
o Reference
attributes. The attestation entry in
o DocMDP
the LegalAttestationDictionary
o Contents (DER PKCS #7)
shall be valued.
o Certificates
o SigningCertificate
o ContentType
o SignerInfo

5 Testing interoperability of PAdES-E-BES and
PAdES-E-EPES signatures
5.1 Introduction
This clause refers to clauses 5.3 of ETSI EN 319 142-2 [3]. The test cases in this clause have been defined for different
combinations of PAdES-E-BES and PAdES-E-EPES signatures attributes.
Mandatory attributes for PAdES-E-BES and PAdES-E-EPES signatures described in ETSI EN 319 142-2 [3],
clauses 5.2, 5.3 and 5.4, shall be present.
ETSI

---------------------- Page: 8 ----------------------
9 ETSI TS 119 144-3 V1.1.1 (2016-06)
5.2 Testing PAdES-E-BES signatures
Table 2 shows which attributes are required to generate PAdES-E-BES signatures for each test case.
Table 2: Test cases for PAdES-E-BES signatures
TC ID Description Pass criteria Signature attributes
PAdES/BES/1 This test case tests the Positive validation. • SignatureDictionary
simplest PAdES-E-BES The signature dictionary shall o Type
signature without contain Type, Contents, Filter,
o Sig
signature-time-stamp and SubFilter, M and ByteRange o Filter
with M entry in signature entries.
o Adobe.PPKLite
dictionary. ContentType, The DER-encoded CMS binary
o SubFilter
ESSSigningCertificateV2 data object included in the o ETSI.CAdES.detache
and MessageDigest Contents entry shall include the
d
attributes shall be added to SigningCertificate (in
o M
the PDF signature as SignedData.certificates field), o ByteRange
specified in CAdES [4]. ContentType,
o Contents (DER CMS)
ESSSigningCertificateV2 and
o Certificates
MessageDigest attributes. o SigningCertificate
o ContentType
o MessageDigest
o ESSSigningCertificat
eV2
PAdES/BES/2 This test case tests a Positive validation. • SignatureDictionary
PAdES-E-BES signature The signature dictionary shall
o Type
without signature-time- contain Type, Contents, Filter,
o Sig
stamp and with M, Location, SubFilter, M, Location, Reason, o Filter
Reason and ContactInfo ContactInfo and ByteRange
o Adobe.PPKLite
entries in signature entries.
o SubFilter
dictionary. ContentType, The DER-encoded CMS binary o ETSI.CAdES.detache
ESSSigningCertificateV2 data object included in the
d
and MessageDigest Contents entry shall include the
o M
attributes shall be added to SigningCertificate (in o Location
the PDF signature as SignedData.certificates field),
o Reason
specified in CAdES [4]. ContentType,
o ContactInfo
ESSSigningCertificateV2 and o ByteRange
MessageDigest attributes.
o Contents (DER CMS) )
o Certificates
o SigningCertificate
o ContentType
o MessageDigest
o ESSSigningCertificat
eV2
PAdES/BES/3 This test case tests the Positive validation. • SignatureDictionary
simplest PAdES-E-BES The signature dictionary shall
o Type
signature with contain Type, Contents, Filter,
o Sig
signature-time-stamp SubFilter and ByteRange entries. o Filter
attribute. ContentType, The DER-encoded CMS binary
o Adobe.PPKLite
ESSSigningCertificateV2, data object included in the
o SubFilter
MessageDigest and Contents entry shall include the o ETSI.CAdES.detache
SignatureTimeStamp SigningCertificate (in
d
attributes shall be added to SignedDat
...