conf.constraint.xml Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of digidoc4j Show documentation
Show all versions of digidoc4j Show documentation
DigiDoc4j is a Java library for digitally signing documents and creating digital signature containers
of signed documents
The newest version!
<ConstraintsParameters Name="QES AdESQC TL based" xmlns="http://dss.esig.europa.eu/validation/policy">
<Description>RIA customized validation policy</Description>
<SignatureConstraints>
<StructuralValidation Level="INFORM"/>
<AcceptablePolicies Level="FAIL">
<Id>ANY_POLICY</Id>
<Id>NO_POLICY</Id>
</AcceptablePolicies>
<PolicyAvailable Level="FAIL"/>
<PolicyHashMatch Level="INFORM"/>
<AcceptableFormats Level="FAIL">
<Id>*</Id> <!-- ALL -->
</AcceptableFormats>
<BasicSignatureConstraints>
<ReferenceDataExistence Level="FAIL"/>
<ReferenceDataIntact Level="FAIL"/>
<ManifestEntryObjectExistence Level="WARN" />
<SignatureIntact Level="FAIL"/>
<SignatureDuplicated Level="FAIL"/>
<ProspectiveCertificateChain Level="FAIL"/>
<SignerInformationStore Level="FAIL"/>
<ByteRange Level="IGNORE" />
<ByteRangeCollision Level="WARN" />
<PdfSignatureDictionary Level="IGNORE" />
<PdfPageDifference Level="IGNORE" />
<PdfAnnotationOverlap Level="WARN" />
<PdfVisualDifference Level="WARN" />
<DocMDP Level="WARN" />
<FieldMDP Level="WARN" />
<SigFieldLock Level="WARN" />
<UndefinedChanges Level="WARN" />
<SigningCertificate>
<Recognition Level="FAIL"/>
<Signature Level="FAIL"/>
<NotExpired Level="FAIL"/>
<AuthorityInfoAccessPresent Level="WARN"/>
<RevocationInfoAccessPresent Level="WARN"/>
<RevocationDataAvailable Level="FAIL"/>
<AcceptableRevocationDataFound Level="FAIL"/>
<CRLNextUpdatePresent Level="WARN"/>
<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
<KeyUsage Level="FAIL">
<Id>nonRepudiation</Id>
</KeyUsage>
<PolicyTree Level="WARN" />
<NameConstraints Level="WARN" />
<SupportedCriticalExtensions Level="WARN">
<Id>2.5.29.15</Id> <!-- keyUsage -->
<Id>2.5.29.32</Id> <!-- certificatePolicies -->
<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
<Id>2.5.29.19</Id> <!-- basicConstraints -->
<Id>2.5.29.30</Id> <!-- nameConstraints -->
<Id>2.5.29.36</Id> <!-- policyConstraints -->
<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
<!-- policyMappings 2.5.29.33 not supported -->
</SupportedCriticalExtensions>
<ForbiddenExtensions Level="IGNORE">
<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
</ForbiddenExtensions>
<IssuerName Level="IGNORE" />
<SerialNumberPresent Level="FAIL"/>
<NotRevoked Level="FAIL"/>
<NotOnHold Level="FAIL"/>
<RevocationIssuerNotExpired Level="INFORM" />
<NotSelfSigned Level="FAIL"/>
<UsePseudonym Level="INFORM"/>
<Cryptographic Level="FAIL">
<AcceptableEncryptionAlgo>
<Algo>RSA</Algo>
<Algo>DSA</Algo>
<Algo>ECDSA</Algo>
</AcceptableEncryptionAlgo>
<MiniPublicKeySize>
<Algo Size="1024">RSA</Algo>
<Algo Size="128">DSA</Algo>
<Algo Size="192">ECDSA</Algo>
</MiniPublicKeySize>
<AcceptableDigestAlgo>
<Algo>SHA1</Algo>
<Algo>SHA224</Algo>
<Algo>SHA256</Algo>
<Algo>SHA384</Algo>
<Algo>SHA512</Algo>
<Algo>SHA3-224</Algo>
<Algo>SHA3-256</Algo>
<Algo>SHA3-384</Algo>
<Algo>SHA3-512</Algo>
<Algo>RIPEMD160</Algo>
</AcceptableDigestAlgo>
</Cryptographic>
</SigningCertificate>
<CACertificate>
<Signature Level="FAIL"/>
<NotExpired Level="FAIL"/>
<RevocationDataAvailable Level="FAIL"/>
<AcceptableRevocationDataFound Level="IGNORE" />
<CRLNextUpdatePresent Level="WARN"/>
<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
<CA Level="IGNORE" />
<MaxPathLength Level="IGNORE" />
<KeyUsage Level="IGNORE">
<Id>keyCertSign</Id>
</KeyUsage>
<PolicyTree Level="WARN" />
<NameConstraints Level="WARN" />
<SupportedCriticalExtensions Level="WARN">
<Id>2.5.29.15</Id> <!-- keyUsage -->
<Id>2.5.29.32</Id> <!-- certificatePolicies -->
<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
<Id>2.5.29.19</Id> <!-- basicConstraints -->
<Id>2.5.29.30</Id> <!-- nameConstraints -->
<Id>2.5.29.36</Id> <!-- policyConstraints -->
<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
<!-- policyMappings 2.5.29.33 not supported -->
</SupportedCriticalExtensions>
<ForbiddenExtensions Level="IGNORE">
<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
</ForbiddenExtensions>
<IssuerName Level="IGNORE" />
<NotRevoked Level="FAIL"/>
<NotOnHold Level="FAIL"/>
<Cryptographic Level="FAIL">
<AcceptableEncryptionAlgo>
<Algo>RSA</Algo>
<Algo>DSA</Algo>
<Algo>ECDSA</Algo>
</AcceptableEncryptionAlgo>
<MiniPublicKeySize>
<Algo Size="1024">RSA</Algo>
<Algo Size="128">DSA</Algo>
<Algo Size="192">ECDSA</Algo>
</MiniPublicKeySize>
<AcceptableDigestAlgo>
<Algo>SHA1</Algo>
<Algo>SHA224</Algo>
<Algo>SHA256</Algo>
<Algo>SHA384</Algo>
<Algo>SHA512</Algo>
<Algo>SHA3-224</Algo>
<Algo>SHA3-256</Algo>
<Algo>SHA3-384</Algo>
<Algo>SHA3-512</Algo>
<Algo>RIPEMD160</Algo>
</AcceptableDigestAlgo>
</Cryptographic>
</CACertificate>
<Cryptographic Level="FAIL">
<AcceptableEncryptionAlgo>
<Algo>RSA</Algo>
<Algo>DSA</Algo>
<Algo>ECDSA</Algo>
</AcceptableEncryptionAlgo>
<MiniPublicKeySize>
<Algo Size="1024">RSA</Algo>
<Algo Size="128">DSA</Algo>
<Algo Size="192">ECDSA</Algo>
</MiniPublicKeySize>
<AcceptableDigestAlgo>
<Algo>SHA1</Algo>
<Algo>SHA224</Algo>
<Algo>SHA256</Algo>
<Algo>SHA384</Algo>
<Algo>SHA512</Algo>
<Algo>SHA3-224</Algo>
<Algo>SHA3-256</Algo>
<Algo>SHA3-384</Algo>
<Algo>SHA3-512</Algo>
<Algo>RIPEMD160</Algo>
</AcceptableDigestAlgo>
</Cryptographic>
</BasicSignatureConstraints>
<SignedAttributes>
<SigningCertificatePresent Level="FAIL"/>
<UnicitySigningCertificate Level="WARN"/>
<SigningCertificateRefersCertificateChain Level="WARN" />
<SigningCertificateDigestAlgorithm Level="WARN" />
<CertDigestPresent Level="FAIL"/>
<CertDigestMatch Level="FAIL"/>
<IssuerSerialMatch Level="WARN"/>
<KeyIdentifierMatch Level="WARN" />
<SigningTime Level="FAIL"/>
<MessageDigestOrSignedPropertiesPresent Level="FAIL" />
<EllipticCurveKeySize Level="WARN" />
<!--<ContentType Level="FAIL" value="1.2.840.113549.1.7.1" />
<ContentHints Level="FAIL" value="*" />
<CommitmentTypeIndication Level="FAIL">
<Id>1.2.840.113549.1.9.16.6.1</Id>
<Id>1.2.840.113549.1.9.16.6.4</Id>
<Id>1.2.840.113549.1.9.16.6.5</Id>
<Id>1.2.840.113549.1.9.16.6.6</Id>
</CommitmentTypeIndication>
<SignerLocation Level="FAIL" />
<ContentTimeStamp Level="FAIL" /> -->
</SignedAttributes>
<UnsignedAttributes>
<!-- <CounterSignature Level="IGNORE" /> check presence -->
</UnsignedAttributes>
</SignatureConstraints>
<CounterSignatureConstraints>
<BasicSignatureConstraints>
<ReferenceDataExistence Level="FAIL"/>
<ReferenceDataIntact Level="FAIL"/>
<SignatureIntact Level="FAIL"/>
<SignatureDuplicated Level="FAIL" />
<ProspectiveCertificateChain Level="FAIL"/>
<SigningCertificate>
<Recognition Level="FAIL"/>
<Signature Level="FAIL"/>
<NotExpired Level="FAIL"/>
<AuthorityInfoAccessPresent Level="WARN"/>
<RevocationInfoAccessPresent Level="WARN"/>
<RevocationDataAvailable Level="FAIL"/>
<AcceptableRevocationDataFound Level="FAIL" />
<CRLNextUpdatePresent Level="WARN"/>
<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
<KeyUsage Level="WARN">
<Id>nonRepudiation</Id>
</KeyUsage>
<PolicyTree Level="WARN" />
<NameConstraints Level="WARN" />
<SupportedCriticalExtensions Level="WARN">
<Id>2.5.29.15</Id> <!-- keyUsage -->
<Id>2.5.29.32</Id> <!-- certificatePolicies -->
<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
<Id>2.5.29.19</Id> <!-- basicConstraints -->
<Id>2.5.29.30</Id> <!-- nameConstraints -->
<Id>2.5.29.36</Id> <!-- policyConstraints -->
<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
<!-- policyMappings 2.5.29.33 not supported -->
</SupportedCriticalExtensions>
<ForbiddenExtensions Level="FAIL">
<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
</ForbiddenExtensions>
<IssuerName Level="FAIL" />
<SerialNumberPresent Level="WARN"/>
<NotRevoked Level="FAIL"/>
<NotOnHold Level="FAIL"/>
<NotSelfSigned Level="FAIL"/>
<!-- <QcCompliance Level="WARN" /> -->
<!-- <QcSSCD Level="WARN" /> -->
<!-- <IssuedToNaturalPerson Level="INFORM" /> -->
<!-- <IssuedToLegalPerson Level="INFORM" /> -->
<UsePseudonym Level="INFORM"/>
<Cryptographic/>
</SigningCertificate>
<CACertificate>
<Signature Level="FAIL"/>
<NotExpired Level="FAIL"/>
<RevocationDataAvailable Level="FAIL"/>
<AcceptableRevocationDataFound Level="FAIL" />
<CRLNextUpdatePresent Level="WARN"/>
<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
<CA Level="FAIL" />
<MaxPathLength Level="FAIL" />
<KeyUsage Level="FAIL">
<Id>keyCertSign</Id>
</KeyUsage>
<PolicyTree Level="WARN" />
<NameConstraints Level="WARN" />
<SupportedCriticalExtensions Level="WARN">
<Id>2.5.29.15</Id> <!-- keyUsage -->
<Id>2.5.29.32</Id> <!-- certificatePolicies -->
<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
<Id>2.5.29.19</Id> <!-- basicConstraints -->
<Id>2.5.29.30</Id> <!-- nameConstraints -->
<Id>2.5.29.36</Id> <!-- policyConstraints -->
<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
<!-- policyMappings 2.5.29.33 not supported -->
</SupportedCriticalExtensions>
<ForbiddenExtensions Level="FAIL">
<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
</ForbiddenExtensions>
<IssuerName Level="FAIL" />
<NotRevoked Level="FAIL"/>
<NotOnHold Level="FAIL"/>
<Cryptographic/>
</CACertificate>
<Cryptographic/>
</BasicSignatureConstraints>
<SignedAttributes>
<SigningCertificatePresent Level="FAIL"/>
<UnicitySigningCertificate Level="WARN" />
<SigningCertificateRefersCertificateChain Level="WARN" />
<SigningCertificateDigestAlgorithm Level="WARN" />
<CertDigestPresent Level="FAIL"/>
<CertDigestMatch Level="FAIL"/>
<IssuerSerialMatch Level="WARN"/>
<KeyIdentifierMatch Level="WARN" />
<SigningTime Level="FAIL"/>
<MessageDigestOrSignedPropertiesPresent Level="FAIL"/>
<EllipticCurveKeySize Level="WARN" />
<!-- <ContentType Level="FAIL" value="1.2.840.113549.1.7.1" />
<ContentHints Level="FAIL" value="*" />
<CommitmentTypeIndication Level="FAIL">
<Id>1.2.840.113549.1.9.16.6.1</Id>
<Id>1.2.840.113549.1.9.16.6.4</Id>
<Id>1.2.840.113549.1.9.16.6.5</Id>
<Id>1.2.840.113549.1.9.16.6.6</Id>
</CommitmentTypeIndication>
<SignerLocation Level="FAIL" />
<ContentTimeStamp Level="FAIL" /> -->
</SignedAttributes>
</CounterSignatureConstraints>
<Timestamp>
<TimestampDelay Level="IGNORE" Unit="DAYS" Value="0"/>
<RevocationTimeAgainstBestSignatureTime Level="FAIL"/>
<BestSignatureTimeBeforeExpirationDateOfSigningCertificate Level="FAIL"/>
<Coherence Level="FAIL"/>
<BasicSignatureConstraints>
<ReferenceDataExistence Level="FAIL"/>
<ReferenceDataIntact Level="FAIL"/>
<SignatureIntact Level="FAIL"/>
<ProspectiveCertificateChain Level="FAIL"/>
<ByteRange Level="IGNORE" />
<ByteRangeCollision Level="WARN" />
<PdfSignatureDictionary Level="IGNORE" />
<PdfPageDifference Level="IGNORE" />
<PdfAnnotationOverlap Level="WARN" />
<PdfVisualDifference Level="WARN" />
<DocMDP Level="WARN" />
<FieldMDP Level="WARN" />
<SigFieldLock Level="WARN" />
<UndefinedChanges Level="WARN" />
<SigningCertificate>
<Recognition Level="FAIL"/>
<Signature Level="FAIL"/>
<NotExpired Level="FAIL"/>
<RevocationDataAvailable Level="FAIL"/>
<AcceptableRevocationDataFound Level="IGNORE" />
<CRLNextUpdatePresent Level="WARN"/>
<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
<ExtendedKeyUsage Level="FAIL">
<Id>timeStamping</Id>
</ExtendedKeyUsage>
<PolicyTree Level="WARN" />
<NameConstraints Level="WARN" />
<SupportedCriticalExtensions Level="WARN">
<Id>2.5.29.15</Id> <!-- keyUsage -->
<Id>2.5.29.32</Id> <!-- certificatePolicies -->
<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
<Id>2.5.29.19</Id> <!-- basicConstraints -->
<Id>2.5.29.30</Id> <!-- nameConstraints -->
<Id>2.5.29.36</Id> <!-- policyConstraints -->
<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
<!-- policyMappings 2.5.29.33 not supported -->
</SupportedCriticalExtensions>
<ForbiddenExtensions Level="IGNORE">
<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
</ForbiddenExtensions>
<IssuerName Level="IGNORE" />
<NotRevoked Level="FAIL"/>
<NotOnHold Level="FAIL"/>
<NotSelfSigned Level="FAIL"/>
<Cryptographic Level="FAIL">
<AcceptableEncryptionAlgo>
<Algo>RSA</Algo>
<Algo>DSA</Algo>
<Algo>ECDSA</Algo>
</AcceptableEncryptionAlgo>
<MiniPublicKeySize>
<Algo Size="1024">RSA</Algo>
<Algo Size="128">DSA</Algo>
<Algo Size="256">ECDSA</Algo>
</MiniPublicKeySize>
<AcceptableDigestAlgo>
<Algo>SHA1</Algo>
<Algo>SHA224</Algo>
<Algo>SHA256</Algo>
<Algo>SHA384</Algo>
<Algo>SHA512</Algo>
<Algo>SHA3-224</Algo>
<Algo>SHA3-256</Algo>
<Algo>SHA3-384</Algo>
<Algo>SHA3-512</Algo>
<Algo>RIPEMD160</Algo>
</AcceptableDigestAlgo>
</Cryptographic>
</SigningCertificate>
<CACertificate>
<Signature Level="FAIL"/>
<NotExpired Level="FAIL"/>
<RevocationDataAvailable Level="FAIL"/>
<AcceptableRevocationDataFound Level="WARN" />
<CRLNextUpdatePresent Level="WARN"/>
<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
<CA Level="IGNORE" />
<MaxPathLength Level="IGNORE" />
<KeyUsage Level="IGNORE">
<Id>keyCertSign</Id>
</KeyUsage>
<PolicyTree Level="WARN" />
<NameConstraints Level="WARN" />
<SupportedCriticalExtensions Level="WARN">
<Id>2.5.29.15</Id> <!-- keyUsage -->
<Id>2.5.29.32</Id> <!-- certificatePolicies -->
<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
<Id>2.5.29.19</Id> <!-- basicConstraints -->
<Id>2.5.29.30</Id> <!-- nameConstraints -->
<Id>2.5.29.36</Id> <!-- policyConstraints -->
<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
<!-- policyMappings 2.5.29.33 not supported -->
</SupportedCriticalExtensions>
<ForbiddenExtensions Level="IGNORE">
<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
</ForbiddenExtensions>
<IssuerName Level="IGNORE" />
<NotRevoked Level="FAIL"/>
<NotOnHold Level="FAIL"/>
<Cryptographic Level="FAIL">
<AcceptableEncryptionAlgo>
<Algo>RSA</Algo>
<Algo>DSA</Algo>
<Algo>ECDSA</Algo>
</AcceptableEncryptionAlgo>
<MiniPublicKeySize>
<Algo Size="1024">RSA</Algo>
<Algo Size="128">DSA</Algo>
<Algo Size="256">ECDSA</Algo>
</MiniPublicKeySize>
<AcceptableDigestAlgo>
<Algo>SHA1</Algo>
<Algo>SHA224</Algo>
<Algo>SHA256</Algo>
<Algo>SHA384</Algo>
<Algo>SHA512</Algo>
<Algo>SHA3-224</Algo>
<Algo>SHA3-256</Algo>
<Algo>SHA3-384</Algo>
<Algo>SHA3-512</Algo>
<Algo>RIPEMD160</Algo>
</AcceptableDigestAlgo>
</Cryptographic>
</CACertificate>
<Cryptographic Level="FAIL">
<AcceptableEncryptionAlgo>
<Algo>RSA</Algo>
<Algo>DSA</Algo>
<Algo>ECDSA</Algo>
</AcceptableEncryptionAlgo>
<MiniPublicKeySize>
<Algo Size="128">DSA</Algo>
<Algo Size="1024">RSA</Algo>
<Algo Size="192">ECDSA</Algo>
</MiniPublicKeySize>
<AcceptableDigestAlgo>
<Algo>SHA1</Algo>
<Algo>SHA224</Algo>
<Algo>SHA256</Algo>
<Algo>SHA384</Algo>
<Algo>SHA512</Algo>
<Algo>SHA3-224</Algo>
<Algo>SHA3-256</Algo>
<Algo>SHA3-384</Algo>
<Algo>SHA3-512</Algo>
<Algo>RIPEMD160</Algo>
</AcceptableDigestAlgo>
</Cryptographic>
</BasicSignatureConstraints>
<SignedAttributes>
<SigningCertificatePresent Level="WARN"/>
<UnicitySigningCertificate Level="WARN"/>
<SigningCertificateRefersCertificateChain Level="IGNORE" />
<!-- <SigningCertificateDigestAlgorithm Level="WARN" /> TODO : too strict to enforce now -->
<CertDigestPresent Level="WARN"/>
<CertDigestMatch Level="WARN"/>
<IssuerSerialMatch Level="WARN"/>
</SignedAttributes>
<TSAGeneralNameContentMatch Level="IGNORE" />
</Timestamp>
<Revocation>
<UnknownStatus Level="FAIL" />
<OCSPResponderIdMatch Level="IGNORE" />
<SelfIssuedOCSP Level="WARN" />
<BasicSignatureConstraints>
<ReferenceDataExistence Level="FAIL"/>
<ReferenceDataIntact Level="FAIL"/>
<SignatureIntact Level="FAIL"/>
<ProspectiveCertificateChain Level="FAIL"/>
<SigningCertificate>
<Recognition Level="FAIL"/>
<Signature Level="FAIL"/>
<NotExpired Level="FAIL"/>
<RevocationDataAvailable Level="FAIL"/>
<AcceptableRevocationDataFound Level="IGNORE" />
<CRLNextUpdatePresent Level="WARN"/>
<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0"/>
<PolicyTree Level="WARN" />
<NameConstraints Level="WARN" />
<SupportedCriticalExtensions Level="WARN">
<Id>2.5.29.15</Id> <!-- keyUsage -->
<Id>2.5.29.32</Id> <!-- certificatePolicies -->
<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
<Id>2.5.29.19</Id> <!-- basicConstraints -->
<Id>2.5.29.30</Id> <!-- nameConstraints -->
<Id>2.5.29.36</Id> <!-- policyConstraints -->
<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
<!-- policyMappings 2.5.29.33 not supported -->
</SupportedCriticalExtensions>
<IssuerName Level="IGNORE" />
<NotRevoked Level="FAIL"/>
<NotOnHold Level="FAIL"/>
<Cryptographic Level="WARN">
<AcceptableEncryptionAlgo>
<Algo>RSA</Algo>
<Algo>DSA</Algo>
<Algo>ECDSA</Algo>
</AcceptableEncryptionAlgo>
<MiniPublicKeySize>
<Algo Size="1024">RSA</Algo>
<Algo Size="128">DSA</Algo>
<Algo Size="256">ECDSA</Algo>
</MiniPublicKeySize>
<AcceptableDigestAlgo>
<Algo>SHA1</Algo>
<Algo>SHA224</Algo>
<Algo>SHA256</Algo>
<Algo>SHA384</Algo>
<Algo>SHA512</Algo>
<Algo>SHA3-224</Algo>
<Algo>SHA3-256</Algo>
<Algo>SHA3-384</Algo>
<Algo>SHA3-512</Algo>
<Algo>RIPEMD160</Algo>
</AcceptableDigestAlgo>
</Cryptographic>
</SigningCertificate>
<CACertificate>
<Signature Level="FAIL"/>
<NotExpired Level="FAIL"/>
<RevocationDataAvailable Level="FAIL"/>
<AcceptableRevocationDataFound Level="WARN" />
<CRLNextUpdatePresent Level="WARN"/>
<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
<CA Level="IGNORE" />
<MaxPathLength Level="IGNORE" />
<KeyUsage Level="IGNORE">
<Id>keyCertSign</Id>
</KeyUsage>
<PolicyTree Level="WARN" />
<NameConstraints Level="WARN" />
<SupportedCriticalExtensions Level="WARN">
<Id>2.5.29.15</Id> <!-- keyUsage -->
<Id>2.5.29.32</Id> <!-- certificatePolicies -->
<Id>2.5.29.17</Id> <!-- subjectAlternativeName -->
<Id>2.5.29.19</Id> <!-- basicConstraints -->
<Id>2.5.29.30</Id> <!-- nameConstraints -->
<Id>2.5.29.36</Id> <!-- policyConstraints -->
<Id>2.5.29.37</Id> <!-- extendedKeyUsage -->
<Id>2.5.29.31</Id> <!-- CRLDistributionPoints -->
<Id>2.5.29.54</Id> <!-- inhibitAnyPolicy -->
<Id>1.3.6.1.5.5.7.1.3</Id> <!-- QCStatements -->
<!-- policyMappings 2.5.29.33 not supported -->
</SupportedCriticalExtensions>
<ForbiddenExtensions Level="IGNORE">
<Id>1.3.6.1.5.5.7.48.1.5</Id> <!-- ocsp_noCheck -->
</ForbiddenExtensions>
<IssuerName Level="IGNORE" />
<NotRevoked Level="FAIL"/>
<NotOnHold Level="FAIL"/>
<Cryptographic Level="FAIL">
<AcceptableEncryptionAlgo>
<Algo>RSA</Algo>
<Algo>DSA</Algo>
<Algo>ECDSA</Algo>
</AcceptableEncryptionAlgo>
<MiniPublicKeySize>
<Algo Size="1024">RSA</Algo>
<Algo Size="128">DSA</Algo>
<Algo Size="256">ECDSA</Algo>
</MiniPublicKeySize>
<AcceptableDigestAlgo>
<Algo>SHA1</Algo>
<Algo>SHA224</Algo>
<Algo>SHA256</Algo>
<Algo>SHA384</Algo>
<Algo>SHA512</Algo>
<Algo>SHA3-224</Algo>
<Algo>SHA3-256</Algo>
<Algo>SHA3-384</Algo>
<Algo>SHA3-512</Algo>
<Algo>RIPEMD160</Algo>
</AcceptableDigestAlgo>
</Cryptographic>
</CACertificate>
<Cryptographic Level="FAIL">
<AcceptableEncryptionAlgo>
<Algo>RSA</Algo>
<Algo>DSA</Algo>
<Algo>ECDSA</Algo>
</AcceptableEncryptionAlgo>
<MiniPublicKeySize>
<Algo Size="128">DSA</Algo>
<Algo Size="1024">RSA</Algo>
<Algo Size="192">ECDSA</Algo>
</MiniPublicKeySize>
<AcceptableDigestAlgo>
<Algo>SHA1</Algo>
<Algo>SHA224</Algo>
<Algo>SHA256</Algo>
<Algo>SHA384</Algo>
<Algo>SHA512</Algo>
<Algo>SHA3-224</Algo>
<Algo>SHA3-256</Algo>
<Algo>SHA3-384</Algo>
<Algo>SHA3-512</Algo>
<Algo>RIPEMD160</Algo>
</AcceptableDigestAlgo>
</Cryptographic>
</BasicSignatureConstraints>
</Revocation>
<EvidenceRecord>
<DataObjectExistence Level="FAIL" />
<DataObjectIntact Level="FAIL" />
<DataObjectFound Level="FAIL" />
<DataObjectGroup Level="WARN" />
<Cryptographic />
</EvidenceRecord>
<Model Value="SHELL"/>
<!-- eIDAS REGL 910/EU/2014 -->
<eIDAS>
<TLFreshness Level="WARN" Unit="HOURS" Value="6" />
<TLNotExpired Level="FAIL" />
<TLWellSigned Level="WARN" />
<TLVersion Level="FAIL" value="5" />
</eIDAS>
</ConstraintsParameters>