policy.constraint.xml Maven / Gradle / Ivy
<ConstraintsParameters Name="QES AdESQC TL based" xmlns="http://dss.esig.europa.eu/validation/policy"> <Description>Validate electronic signatures and indicates whether they are Advanced electronic Signatures (AdES), AdES supported by a Qualified Certificate (AdES/QC) or a Qualified electronic Signature (QES). All certificates and their related chains supporting the signatures are validated against the EU Member State Trusted Lists (this includes signer's certificate and certificates used to validate certificate validity status services - CRLs, OCSP, and time-stamps). </Description> <SignatureConstraints> <AcceptablePolicies Level="FAIL"> <Id>ANY_POLICY</Id> <Id>NO_POLICY</Id> </AcceptablePolicies> <PolicyAvailable Level="FAIL" /> <PolicyHashMatch Level="FAIL" /> <AcceptableFormats Level="FAIL"> <Id>*</Id> <!-- ALL --> </AcceptableFormats> <BasicSignatureConstraints> <ReferenceDataExistence Level="FAIL" /> <ReferenceDataIntact Level="FAIL" /> <SignatureIntact Level="FAIL" /> <ProspectiveCertificateChain Level="FAIL" /> <TrustedServiceTypeIdentifier Level="WARN"> <Id>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</Id> </TrustedServiceTypeIdentifier> <TrustedServiceStatus Level="FAIL"> <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/undersupervision</Id> <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/accredited</Id> <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/supervisionincessation</Id> </TrustedServiceStatus> <SigningCertificate> <Recognition Level="FAIL" /> <Signature Level="FAIL" /> <NotExpired Level="FAIL" /> <RevocationDataAvailable Level="FAIL" /> <RevocationDataNextUpdatePresent Level="WARN" /> <RevocationDataFreshness Level="WARN" /> <KeyUsage Level="WARN"> <Id>nonRepudiation</Id> </KeyUsage> <NotRevoked Level="FAIL" /> <NotOnHold Level="FAIL" /> <Qualification Level="WARN" /> <SupportedBySSCD Level="WARN" /> <IssuedToLegalPerson Level="INFORM" /> <Cryptographic Level="FAIL"> <AcceptableEncryptionAlgo> <Algo>RSA</Algo> <Algo>DSA</Algo> <Algo>ECDSA</Algo> </AcceptableEncryptionAlgo> <MiniPublicKeySize> <Algo Size="128">DSA</Algo> <Algo Size="1024">RSA</Algo> <Algo Size="192">ECDSA</Algo> </MiniPublicKeySize> <AcceptableDigestAlgo> <Algo>SHA1</Algo> <Algo>SHA224</Algo> <Algo>SHA256</Algo> <Algo>SHA384</Algo> <Algo>SHA512</Algo> <Algo>RIPEMD160</Algo> </AcceptableDigestAlgo> </Cryptographic> </SigningCertificate> <CACertificate> <Signature Level="FAIL" /> <NotExpired Level="FAIL" /> <RevocationDataAvailable Level="FAIL" /> <RevocationDataNextUpdatePresent Level="WARN" /> <RevocationDataFreshness Level="WARN" /> <NotRevoked Level="FAIL" /> <NotOnHold Level="FAIL" /> <Cryptographic Level="FAIL"> <AcceptableEncryptionAlgo> <Algo>RSA</Algo> <Algo>DSA</Algo> <Algo>ECDSA</Algo> </AcceptableEncryptionAlgo> <MiniPublicKeySize> <Algo Size="128">DSA</Algo> <Algo Size="1024">RSA</Algo> <Algo Size="192">ECDSA</Algo> </MiniPublicKeySize> <AcceptableDigestAlgo> <Algo>SHA1</Algo> <Algo>SHA224</Algo> <Algo>SHA256</Algo> <Algo>SHA384</Algo> <Algo>SHA512</Algo> <Algo>RIPEMD160</Algo> </AcceptableDigestAlgo> </Cryptographic> </CACertificate> <Cryptographic Level="FAIL"> <AcceptableEncryptionAlgo> <Algo>RSA</Algo> <Algo>DSA</Algo> <Algo>ECDSA</Algo> </AcceptableEncryptionAlgo> <MiniPublicKeySize> <Algo Size="128">DSA</Algo> <Algo Size="1024">RSA</Algo> <Algo Size="192">ECDSA</Algo> </MiniPublicKeySize> <AcceptableDigestAlgo> <Algo>SHA1</Algo> <Algo>SHA224</Algo> <Algo>SHA256</Algo> <Algo>SHA384</Algo> <Algo>SHA512</Algo> <Algo>RIPEMD160</Algo> </AcceptableDigestAlgo> </Cryptographic> </BasicSignatureConstraints> <SignedAttributes> <SigningCertificatePresent Level="FAIL" /> <SigningCertificateSigned Level="FAIL" /> <CertDigestPresent Level="FAIL" /> <CertDigestMatch Level="FAIL" /> <IssuerSerialMatch Level="WARN" /> <SigningTime Level="FAIL" /> <!-- <ContentType Level="FAIL" value="1.2.840.113549.1.7.1" /> <ContentHints Level="FAIL" value="*" /> <CommitmentTypeIndication Level="FAIL"> <Id>1.2.840.113549.1.9.16.6.1</Id> <Id>1.2.840.113549.1.9.16.6.4</Id> <Id>1.2.840.113549.1.9.16.6.5</Id> <Id>1.2.840.113549.1.9.16.6.6</Id> </CommitmentTypeIndication> <SignerLocation Level="FAIL" /> <ContentTimeStamp Level="FAIL" /> --> </SignedAttributes> <UnsignedAttributes> <!-- <CounterSignature Level="IGNORE" /> check presence --> </UnsignedAttributes> </SignatureConstraints> <Timestamp> <TimestampDelay Level="FAIL" Unit="DAYS" Value="0" /> <MessageImprintDataFound Level="FAIL" /> <MessageImprintDataIntact Level="FAIL" /> <RevocationTimeAgainstBestSignatureTime Level="FAIL" /> <BestSignatureTimeBeforeIssuanceDateOfSigningCertificate Level="FAIL" /> <SigningCertificateValidityAtBestSignatureTime Level="FAIL" /> <AlgorithmReliableAtBestSignatureTime Level="FAIL" /> <Coherence Level="WARN" /> <BasicSignatureConstraints> <ReferenceDataExistence Level="FAIL" /> <ReferenceDataIntact Level="FAIL" /> <SignatureIntact Level="FAIL" /> <ProspectiveCertificateChain Level="WARN" /> <TrustedServiceTypeIdentifier Level="WARN"> <Id>http://uri.etsi.org/TrstSvc/Svctype/TSA</Id> <Id>http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST</Id> <Id>http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-QC</Id> <Id>http://uri.etsi.org/TrstSvc/Svctype/TSA/TSS-AdESQCandQES</Id> </TrustedServiceTypeIdentifier> <TrustedServiceStatus Level="WARN"> <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/undersupervision</Id> <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/accredited</Id> <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/supervisionincessation</Id> </TrustedServiceStatus> <SigningCertificate> <Recognition Level="FAIL" /> <Signature Level="FAIL" /> <NotExpired Level="FAIL" /> <RevocationDataAvailable Level="FAIL" /> <RevocationDataNextUpdatePresent Level="WARN" /> <RevocationDataFreshness Level="WARN" /> <NotRevoked Level="FAIL" /> <NotOnHold Level="FAIL" /> <Cryptographic Level="FAIL"> <AcceptableEncryptionAlgo> <Algo>RSA</Algo> <Algo>DSA</Algo> <Algo>ECDSA</Algo> </AcceptableEncryptionAlgo> <MiniPublicKeySize> <Algo Size="128">DSA</Algo> <Algo Size="1024">RSA</Algo> <Algo Size="192">ECDSA</Algo> </MiniPublicKeySize> <AcceptableDigestAlgo> <Algo>SHA1</Algo> <Algo>SHA224</Algo> <Algo>SHA256</Algo> <Algo>SHA384</Algo> <Algo>SHA512</Algo> <Algo>RIPEMD160</Algo> </AcceptableDigestAlgo> </Cryptographic> </SigningCertificate> <CACertificate> <Signature Level="FAIL" /> <NotExpired Level="FAIL" /> <RevocationDataAvailable Level="WARN" /> <RevocationDataNextUpdatePresent Level="WARN" /> <RevocationDataFreshness Level="WARN" /> <NotRevoked Level="FAIL" /> <NotOnHold Level="FAIL" /> <Cryptographic Level="FAIL"> <AcceptableEncryptionAlgo> <Algo>RSA</Algo> <Algo>DSA</Algo> <Algo>ECDSA</Algo> </AcceptableEncryptionAlgo> <MiniPublicKeySize> <Algo Size="128">DSA</Algo> <Algo Size="1024">RSA</Algo> <Algo Size="192">ECDSA</Algo> </MiniPublicKeySize> <AcceptableDigestAlgo> <Algo>SHA1</Algo> <Algo>SHA224</Algo> <Algo>SHA256</Algo> <Algo>SHA384</Algo> <Algo>SHA512</Algo> <Algo>RIPEMD160</Algo> </AcceptableDigestAlgo> </Cryptographic> </CACertificate> <Cryptographic Level="FAIL"> <AcceptableEncryptionAlgo> <Algo>RSA</Algo> <Algo>DSA</Algo> <Algo>ECDSA</Algo> </AcceptableEncryptionAlgo> <MiniPublicKeySize> <Algo Size="128">DSA</Algo> <Algo Size="1024">RSA</Algo> <Algo Size="192">ECDSA</Algo> </MiniPublicKeySize> <AcceptableDigestAlgo> <Algo>SHA1</Algo> <Algo>SHA224</Algo> <Algo>SHA256</Algo> <Algo>SHA384</Algo> <Algo>SHA512</Algo> <Algo>RIPEMD160</Algo> </AcceptableDigestAlgo> </Cryptographic> </BasicSignatureConstraints> </Timestamp> <Revocation> <RevocationFreshness Level="FAIL" Unit="DAYS" Value="0" /> <BasicSignatureConstraints> <ReferenceDataExistence Level="FAIL" /> <ReferenceDataIntact Level="FAIL" /> <SignatureIntact Level="FAIL" /> <ProspectiveCertificateChain Level="WARN" /> <TrustedServiceTypeIdentifier Level="WARN"> <Id>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</Id> <Id>http://uri.etsi.org/TrstSvc/Svctype/Certstatus/CRL</Id> <Id>http://uri.etsi.org/TrstSvc/Svctype/Certstatus/CRL/QC</Id> <Id>http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP</Id> <Id>http://uri.etsi.org/TrstSvc/Svctype/Certstatus/OCSP/QC</Id> </TrustedServiceTypeIdentifier> <TrustedServiceStatus Level="WARN"> <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/undersupervision</Id> <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/accredited</Id> <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/supervisionincessation</Id> </TrustedServiceStatus> <SigningCertificate> <Recognition Level="FAIL" /> <Signature Level="FAIL" /> <NotExpired Level="FAIL" /> <RevocationDataAvailable Level="FAIL" /> <RevocationDataNextUpdatePresent Level="WARN" /> <RevocationDataFreshness Level="WARN" /> <NotRevoked Level="FAIL" /> <NotOnHold Level="FAIL" /> <Cryptographic Level="WARN"> <AcceptableEncryptionAlgo> <Algo>RSA</Algo> <Algo>DSA</Algo> <Algo>ECDSA</Algo> </AcceptableEncryptionAlgo> <MiniPublicKeySize> <Algo Size="128">DSA</Algo> <Algo Size="1024">RSA</Algo> <Algo Size="192">ECDSA</Algo> </MiniPublicKeySize> <AcceptableDigestAlgo> <Algo>SHA1</Algo> <Algo>SHA224</Algo> <Algo>SHA256</Algo> <Algo>SHA384</Algo> <Algo>SHA512</Algo> <Algo>RIPEMD160</Algo> </AcceptableDigestAlgo> </Cryptographic> </SigningCertificate> <CACertificate> <Signature Level="FAIL" /> <NotExpired Level="FAIL" /> <RevocationDataAvailable Level="WARN" /> <RevocationDataNextUpdatePresent Level="WARN" /> <RevocationDataFreshness Level="WARN" /> <NotRevoked Level="FAIL" /> <NotOnHold Level="FAIL" /> <Cryptographic Level="FAIL"> <AcceptableEncryptionAlgo> <Algo>RSA</Algo> <Algo>DSA</Algo> <Algo>ECDSA</Algo> </AcceptableEncryptionAlgo> <MiniPublicKeySize> <Algo Size="128">DSA</Algo> <Algo Size="1024">RSA</Algo> <Algo Size="192">ECDSA</Algo> </MiniPublicKeySize> <AcceptableDigestAlgo> <Algo>SHA1</Algo> <Algo>SHA224</Algo> <Algo>SHA256</Algo> <Algo>SHA384</Algo> <Algo>SHA512</Algo> <Algo>RIPEMD160</Algo> </AcceptableDigestAlgo> </Cryptographic> </CACertificate> <Cryptographic Level="FAIL"> <AcceptableEncryptionAlgo> <Algo>RSA</Algo> <Algo>DSA</Algo> <Algo>ECDSA</Algo> </AcceptableEncryptionAlgo> <MiniPublicKeySize> <Algo Size="128">DSA</Algo> <Algo Size="1024">RSA</Algo> <Algo Size="192">ECDSA</Algo> </MiniPublicKeySize> <AcceptableDigestAlgo> <Algo>SHA1</Algo> <Algo>SHA224</Algo> <Algo>SHA256</Algo> <Algo>SHA384</Algo> <Algo>SHA512</Algo> <Algo>RIPEMD160</Algo> </AcceptableDigestAlgo> </Cryptographic> </BasicSignatureConstraints> </Revocation> <Cryptographic /> <!-- <Cryptographic> <AlgoExpirationDate Format="yyyy-MM-dd"> <Algo Date="2017-02-24">SHA1</Algo> <Algo Date="2035-02-24">SHA224</Algo> <Algo Date="2035-02-24">SHA256</Algo> <Algo Date="2035-02-24">SHA384</Algo> <Algo Date="2035-02-24">SHA512</Algo> <Algo Date="2017-02-24">RIPEMD160</Algo> <Algo Date="2017-02-24">DSA128</Algo> <Algo Date="2015-02-24">RSA1024</Algo> <Algo Date="2015-02-24">RSA1536</Algo> <Algo Date="2020-02-24">RSA2048</Algo> <Algo Date="2020-02-24">RSA3072</Algo> <Algo Date="2035-02-24">RSA4096</Algo> <Algo Date="2035-02-24">ECDSA192</Algo> <Algo Date="2035-02-24">ECDSA256</Algo> </AlgoExpirationDate> </Cryptographic> --> </ConstraintsParameters>