Additional Information. OpenLimit Middleware Version 3 Server Product Version: 1.2 Help Manual. Date: Document version: 1.

Transcription

1 Additional Information OpenLimit Middleware Version 3 Server Product Version: 1.2 Help Manual Date: Document version: 1.1

2 OpenLimit SignCubes AG 2012 This documentation is the intellectual property of OpenLimit SignCubes AG. It may not be duplicated or published (either completely or in part) without the prior written consent of OpenLimit SignCubes AG, irrespective of the method or the means employed, be they electronic or mechanical. The software or hardware descriptions used in this documentation, as well as the company or brand names, are in most cases registered trademarks or brands and are, as such, the property of the relevant manufacturers. They are used without their free and unrestricted use having been warranted. We essentially conform to the writing conventions used by the manufacturers. The inclusion of product and commercial names etc. in this documentation even without this being indicated specifically does not justify the assumption that the use of such names can be considered as being unrestricted under the terms of protective legislation on trademarks and brand-names. This documentation offers administrators help on how to react to errors and provides solutions for possible problems when working with the OpenLimit Middleware Version 3 Server 1.2 (in short: OpenLimit V3 Server). In individual cases there can be variations concerning processes described in the documentation and the actual application. The OpenLimit SignCubes AG is not liable for possible variations and its consequences. Please send any information or comments you may have to documentation@openlimit.com. OpenLimit SignCubes AG Zugerstraße 76 B CH Baar Switzerland 2

3 Contents 1 Before The First Start How to install the OpenLimit V3 Server? What needs to be configured before the first start? What conflicts may arise? Ports OpenLimit V3 Server Operation How to start the OpenLimit V3 Server? Why is the error message No authorization displayed during startup? Why is it not allowed to pack the archive on windows? How do I find out if the OpenLimit V3 Server is running? How to stop the OpenLimit V3 Server? Why does SELinux limit the operation of the OpenLimit V3 Server? Certificates Where are the certificates managed? Trusted Lists How are trusted lists published? How to import new trusted lists? Update Why is the OpenLimit V3 Server not working anymore after an update? Network Why can t I find the OpenLimit V3 Server in the network? How can I operate the OpenLimit V3 Server without network connection? Logging and Diagnosability General When to use which LogLevel?

4 7.3 Which formats are suitable for logging output? Diagnosing Network Problems Limiting log output Evaluation of return values via logs a , Strongest verification result e , Strongest verification result e , Strongest verification result OCSP Cache Is it possible to set cache time of OCSP responses? Why is a new OCSP response requested? Timestamps Why is it not possible to retrieve timestamps? AdminTool Where to find the AdminTool? Is it possible to import several certificates at the same time? Is it possible to delete several certificates at the same time? How to change the TrustLevel of an existing certificate? Changing from NEUTRAL to TRUSTED Changing from NEUTRAL or TRUSTED to NOT_TRUSTED Changing to NEUTRAL Changing NOT_TRUSTED Electronic Signature Verification What are the possible signature verification results? SIQ_E_VRF_INCOMPLETE (e ) SIQ_E_VRF_NOSIGNATURES (e ) SIQ_E_VRF_WRONGMESSAGEDIGEST (e ) SIQ_E_VRF_WRONGSIGNATURE (e ) SIQ_E_VRF_WRONGCERTIFICATE (e )

5 SIQ_E_VRF_CERTIFICATE (a ) SIQ_E_VRF_WEAKALGORITHM (a ) SIQ_E_VRF_INFORMATION (61002FF0) SIQ_E_VRF_SUCCESS (21002FFF) General Questions Which hash algorithms are supported? Which signature types are supported? Signature container Technical signatures Padding process How to contact the support team? Return Values Glossary

6 1 Before The First Start 1.1 How to install the OpenLimit V3 Server? The administration manual of the OpenLimit Version 3 Server describes how to install the software under opt/olsc within a newly created service tag. It is recommended to install the software in your environment as it is described in the manual. However, the software can be installed in other places as well. 1.2 What needs to be configured before the first start? The software has already been pre-configured at the factory. Further special configuration settings are not required. 1.3 What conflicts may arise? Ports The product provides a web service on port If the product should be accessed from remote computers, firewall settings need to be configured in a way that communication for this port is allowed. If you configure the software in a way that the service uses an alternative port, the appropriate firewall settings need to be made provided that the software should be used by a remote system. In general, there should be no conflicts on the local machine regarding the used ports. However, if the software repeatedly interrupts the starting process, you should check if other services are already running that prevent the software from starting properly. The following programs, for instance, can be used to display open network connections, occupied ports and data traffic: Nmap / Zenmap (with GUI): EtherApe: 6

7 2 OpenLimit V3 Server Operation 2.1 How to start the OpenLimit V3 Server? As it is described in the administration manual, the software can be started either manually via the start script startserver.sh or by using the script for automatic startup (see chapter 2.3 Optional Start/Stop Script). 2.2 Why is the error message No authorization displayed during startup? Please ensure that access authorization of siqservice is set to executable. 2.3 Why is it not allowed to pack the archive on windows? The OpenLimit V3 Server distribution includes so-called symbolic links. These links are very important for the operation of the OpenLimit V3 Server and will be destroyed (resp. can no longer be used under Linux) if they are written again under Windows. 2.4 How do I find out if the OpenLimit V3 Server is running? An easy way to find it out is to look at the listing of active processes running in the operating system. The process siqservice has to be available. Moreover, you should check if the preset port, stored in the file siqsemk_svr.cfg,on the assigned network adapter is occupied by the software. Selecting the AdminTool for managing certificates and having a closer look at the list of stored certificates is an easy functional test. 2.5 How to stop the OpenLimit V3 Server? The software can be stopped either manually via the commands kill -15 or kill -9 from the command line or it can be stopped automatically during shutdown of the operating system by using a start/stop script that has been created by you before. 2.6 Why does SELinux limit the operation of the OpenLimit V3 Server? The security mechanism SELinux, that performs access control of running processes, can run on RedHat. Too restrictive settings can have a negative influence on successful OpenLimit V3 Server operation. 7

8 3 Certificates 3.1 Where are the certificates managed? The OpenLimit Middleware Version 3 Server independently manages certificates that are required for certificate chain creation during electronic signature verification. The AdminTool is a tool to import electronic certificates into the software or to export them. The certificates are stored and managed in the file bcuser.db in the userhome directory in folder.olsc. If you intend to create a backup of the configuration, this file has to be included in your backup as well. The certificates are stored in a SQLite based database which can be viewed with a SQLite browser, if required. On no account you should perform manipulations directly in this database file but always use the AdminTool for managing electronic certificates within the OpenLimit Version 3 Server that is included in the delivery. 4 Trusted Lists 4.1 How are trusted lists published? The OpenLimit software requires trusted lists for the identification of accredited and registered CSP s especially for the German market. This is especially required concerning registered CSP s because certificates of these certificate service providers cannot be traced back to the root certificate of the Federal Network Agency but each CSP has an individual approval. You will automatically receive notification on available new trusted lists after you have registered on the site and stored the information of using the software OpenLimit Middleware Version 3 Server. 4.2 How to import new trusted lists? The new trusted list is provided in a way that it can be copied directly into the installation directory of the OpenLimit Middleware. 5 Update 5.1 Why is the OpenLimit V3 Server not working anymore after an update? Changing the configuration database of the OpenLimit V3 Server can lead to inconsistencies between your local configuration and the basic configuration. 8

9 Please always pay attention to the release notes of the respective update. It informs about possible incompatibilities (if known). 6 Network 6.1 Why can t I find the OpenLimit V3 Server in the network? Please check the setting of the options SOAPHost and SOAPPort in section [ECARD] of the file siqsemksrv_svr.cfg in the directory bin. Concerning the option SOAPHost, please ensure that the IP or the correct IP address of the network card to be used is set. The OpenLimit V3 Server is bound to all available addresses in the network (network cards) via the IP If is set as IP, the OpenLimit V3 Server is only locally available and cannot be activated via network. The option SOAPPort has to comply with the settings of the associated application (SDK-Client). In any event, please check the settings of the associated application. 6.2 How can I operate the OpenLimit V3 Server without network connection? To operate the OpenLimit V3 Server locally, please set the value of the option SOAPHost in section [ECARD] in the file siqsemksrv_svr.cfg in the directory bin to Logging and Diagnosability 7.1 General When using a software product, it cannot be excluded that documents cannot be processed as expected or the software is even unintentionally terminated, e.g. caused by a crash. You can do the following to analyze and isolate problems that occur: In case of problems with specific documents (e.g. document signatures cannot be found or processed), it is recommended to temporarily set the maximum LogLevel and process the respective document again. In case of software crashes, a core dump is additionally required. Please use the additional parameter d to start the software so that a core dump will be automatically created in the event of a crash. Together with the available log information, the core dump is sent to the service unit which is responsible for product support. The binary files of the OpenLimit Version 3 Server are delivered with debug information so that it is possible to create a core dump. The specific analysis of the crash is then performed by the manufacturer. 9

10 7.2 When to use which LogLevel? For normal operation, it is recommended to set information to ERROR and FATAL, in order to have at least a hint for the cause in case of an error. In case of a running error analysis, e.g. when analyzing documents that have not been processed or even concerning the termination of programs, it is recommended to set the LogLevel to ALL. Please note that increasing the LogLevel, in turn, reduces the processing speed of the software. In other words, at full logging capacity it is not possible to process the same volume of documents as with a limited LogLevel. Moreover, please note that an enhanced logging can lead to the creation of large log files. If you decide to work with enhanced logging in normal operation, you should necessarily limit the size of created log files (please see the Administration Manual, Chapter Details on the individual configuration sections) and regularly check the available hard disc space for created log files. Specification of the LogLevel to be displayed can be made as follows: LogLevel=FATAL,ERROR,WARN The following LogLevels can be set: LogLevel parameters ALL FATAL ERROR WARN DEBUG INFO TRACE HINT Description Includes all further LogLevels Displays fatal errors Displays errors Displays warnings (the process keeps running) Displays debug information (internal processes as well) Displays information Displays common trace data (e.g. access and leave a function) Information on content errors (no need for action for administrators) Table 1: Possible LogLevel parameters 7.3 Which formats are suitable for logging output? You can adjust the format for logging output to your needs and with it the level resp. amount of output details. The output into the log file is created according to the specifications an d in the indicated order. Determine the details to be displayed as follows: Format= DateTime, Thread, LogModule, FileName, Line, LogLevel LogMsg 10

11 The following table shows the individual parameters and what they create in the log file: Format parameters Examples for logging output DateTime ( :21:30.468) Thread LogModule FileName t...464d Tmain (Linux-Thread ID and internal OpenLimit V3 Server ID) m[siqservice] siqinitfini.hpp Line 33: LogLevel LogMsg [DEBUG] Module logging initialized - plogger 0x5552f0 Table 2: (Logging) Possible format parameters 7.4 Diagnosing Network Problems It may be that it is permanently not possible to retrieve OCSP responses or timestamps. This is often caused by using a proxy for internal network protection. Therefore, please check the following if communication problems occur: If the proxy has been entered correctly in the configuration of the software If firewall configuration allows communication on the required ports with the protocols needed. 7.5 Limiting log output Please pay attention to the information on the configuration of log output (7.2 When to use which LogLevel? resp. 7.3 Which formats are suitable for logging output?). If the LogLevel or the format of log output is set too low or to extensive, logging will not be helpful. If a suitable log output file exists, please search for the error that has been displayed by th e application. Now you should trace the thread back in which the error occurred to the first log of [HINT]. Usually, in doing so, log output is reduced to an analyzable amount. 7.6 Evaluation of return values via logs a , Strongest verification result The return value a (see SIQ_E_VRF_CERTIFICATE (a )) is returned if one of the following cases applies to the mentioned certificate: 1. The certificate is not available. 2. The certificate does not have the TrustLevel TRUSTED. 3. Certificate revocation verification could not be performed. 11

12 No revocation list signing certificate The revocation list signing certificate is not available. Log output: [HINT] CRL object has no signing certificate. Validation is impossible! [HINT] VERIFICATION CERT: CRL IGNORED AND REVOC_CERTSTATUS is set to UNKNOWN for C=DE,ST=Berlin,L=Berlin,O=OLSC- Test,OU=Test,CN=LA-User Solution: Import the missing certificate. No root revocation list certificate The root revocation list certificate is missing. Log output: [HINT] VRFCert : e , Invalid OSCP rejected for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-CA-OCSP': verification error [HINT] VRFCert : e , Invalid OSCP rejected for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-User': verification error [HINT] VRFCchn : e , No certificate signature result for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-Root-CA-OCSP'. Validation is impossible! Solution: Import the missing certificate. Root revocation list certificate TrustLevel NEUTRAL The TrustLevel of the root revocation list certificate is NEUTRAL. Log output: [HINT] VRFCchn : e , ROOT CERTIFICATE 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-Root-CA-CRL' is NEUTRAL. [HINT] VRFCert : e , Invalid OSCP rejected for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-CA-OCSP': verification error [HINT] VRFCert : e , Invalid OSCP rejected for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-User': verification error Solution: The TrustLevel has to be TRUSTED, in order to receive a positive verification result. Please set the TrustLevel to TRUSTED. Please note that a certificate can have the TrustLevel NOT_TRUSTED due to a special reason. Before specifying the status again, please try to comprehend who set the status and when. 12

13 Root revocation list certificate TrustLevel NOT_TRUSTED The TrustLevel of the root revocation list certificate is NOT_TRUSTED. Log output: [HINT] VRFCchn : e , Root certificate 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-Root-CA-CRL' is UNTRUSTED. [HINT] VRFCchn : e , TRUSTLEVEL_NOT_TRUSTED for ROOT Certificate 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA- Root-CA-CRL'! [HINT] VRFCert : e , Invalid OSCP rejected for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-CA-OCSP': verification error [HINT] VRFCert : e , Invalid OSCP rejected for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-User': verification error Solution: The TrustLevel has to be TRUSTED in order to receive a positive verification result. Please set the TrustLevel to TRUSTED. Please note that a certificate can have the TrustLevel NOT_TRUSTED due to a special reason. Before specifying the status again, please try to comprehend who set the status and when. No revocation information has been requested The root revocation list certificate is not available. Log output: [HINT] VRFCert : Failed to get CRL for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-User' [HINT] Failed to prepare RevocCheckBase for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-User' Solution: Please check your network connection as well as the addresses of revocation verification services and ensure availability of these services e , Strongest verification result The return value a (see SIQ_E_VRF_INCOMPLETE (e )) is returned if one of the following cases applies to the mentioned certificate: 1. The certificate is not available. 2. The certificate does not have the TrustLevel TRUSTED. No signature certificate The signature certificate is not embedded into the signature. Log output: [ERROR] NO SignerCertificate found 13

14 [HINT] SignerInfo has no signing certificate. Validation is impossible! Solution: Embed the signature certificate into the signature. No CA certificate The required CA certificate for signing is not available. Log output: [HINT] VRFCchn : e , No certificate signature result for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-User'. Validation is impossible! Solution: Import the missing certificate. No root certificate The required root certificate for signing is not available. Log output: [HINT] VRFCchn : e , No certificate signature result for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-CA'. Validation is impossible! Solution: Import the missing certificate. Root certificate TrustLevel NEUTRAL The TrustLevel of the root revocation list certificate is NEUTRAL. Log output: [HINT] VRFCchn : e , ROOT CERTIFICATE 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-Root' is NEUTRAL. [HINT] VRFCert : e , Invalid OSCP rejected for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-CA': verification error [HINT] VRFCert : e , Invalid OSCP rejected for 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-User': verification error Solution: The TrustLevel has to be TRUSTED in order to receive a positive verification result. Please set the TrustLevel to TRUSTED. Please note that a certificate can have the TrustLevel NOT_TRUSTED due to a special reason. Before specifying the status again, please try to comprehend who set the status and when. 14

15 7.6.3 e , Strongest verification result The return value a (see SIQ_E_VRF_WRONGCERTIFICATE (e )) is returned if the following case applies to the mentioned certificate: 1. The certificate is not available. Root certificate TrustLevel NOT_TRUSTED The TrustLevel of the root revocation list certificate is NOT_TRUSTED. Log output: [HINT] VRFCchn : e , ROOT CERTIFICATE 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA-Root' is NOT_TRUSTED. [HINT] VRFCchn : e , TRUSTLEVEL_NOT_TRUSTED for ROOT Certificate 'C=DE,ST=Berlin,L=Berlin,O=OLSC-Test,OU=Test,CN=LA- Root'! Solution: The TrustLevel has to be TRUSTED in order to receive a positive verification result. Please set the TrustLevel to TRUSTED. Please note that a certificate can have the TrustLevel NOT_TRUSTED due to a special reason. Before specifying the status again, please try to comprehend who set the status and when. 8 OCSP Cache 8.1 Is it possible to set cache time of OCSP responses? No, currently it is not possible to set the duration of providing OCSP responses for the OCSP cache. 8.2 Why is a new OCSP response requested? The OCSP cache provides OCSP responses for certificates each for a time period of 15 minutes and is deletes them afterwards. If an OCSP response is requested again for this certificate after the predetermined period, a new OCSP response is provided. This OCSP response is again stored in the OCSP cache and provided for 15 minutes. 15

16 9 Timestamps 9.1 Why is it not possible to retrieve timestamps? Due to the fact that retrieving timestamps depends on the availability of the Time Stamping Authority, irregularities can occur. The servers of the time stamping authorities have different performance capacities and therefore different response times. If the response time exceeds the specified timeout of the OpenLimit V3 Server, OpenLimit V3 Server connection will be cancelled. In this case the error code e100ff0f will be displayed in the logging. To adapt the timeout of the OpenLimit V3 Server, please use the file siqpolicies.cfg in the directory /home/olsc/v3server/bin/.in doing so, you can compensate the server response time of the time stamping authority. In this case the value of option Policy needs to be adjusted. The value is specified in milliseconds: [Timeout_TSP] Policy="10000" 10 AdminTool 10.1 Where to find the AdminTool? The AdminTool can be found under /home/olsc/v3server/bin/ext in the OpenLimit V3 Server directory Is it possible to import several certificates at the same time? No, currently it is not possible to import several certificates into the certificate database at the same time Is it possible to delete several certificates at the same time? No, currently it is not possible to delete several certificates from the certificate database at the same time How to change the TrustLevel of an existing certificate? Changing from NEUTRAL to TRUSTED java -jar OLSC_SOL_AdminTool.jar -importcertv3 cacert <filename> TrustLevel TRUSTED 16

17 Changing from NEUTRAL or TRUSTED to NOT_TRUSTED java -jar OLSC_SOL_AdminTool.jar -importcertv3 cacert <filename> TrustLevel NOT_TRUSTED Changing to NEUTRAL It is not possible to change the TrustLevel to NEUTRAL afterwards as it is the initial status for certificate import, if no TrustLevel is set during import Changing NOT_TRUSTED Once the TrustLevel NOT_TRUSTED has been assigned for a certificate, it cannot be changed anymore. To change the certificate s TrustLevel, the certificate has to be deleted from the certificate database and be imported again. To do so, please follow the steps below: To TRUSTED: java -jar OLSC_SOL_AdminTool.jar -removecertv3 -cacert <filename> java -jar OLSC_SOL_AdminTool.jar -importcertv3 cacert <filename> TrustLevel TRUSTED oder To NEUTRAL: java -jar OLSC_SOL_AdminTool.jar -removecertv3 -cacert <filename> java -jar OLSC_SOL_AdminTool.jar -importcertv3 cacert <filename> 17

18 11 Electronic Signature Verification 11.1 What are the possible signature verification results? SIQ_E_VRF_INCOMPLETE (e ) SIQ_E_VRF_INCOMPLETE is always displayed if verification does not lead to a binding statement due to the fact that available information is not sufficient for status information. The following cases lead to SIQ_E_VRF_INCOMPLETE: The trust status for the signature certificate cannot be determined (certificate chain does not contain a trusted CA or root certificate) The certificate chain could not be created, i.e. the certificate publisher is unknown. Use of algorithms or formats that are not supported by the software There are many different reasons for such a verification result when analyzing a file. A frequent cause is an unknown root certificate respectively both an unknown root and CA certificate. It is the case if the XML data stream contains a reference to the original signature certificate during signature verification but the reference to a CA or root certificate is missing. These situations are typical for CMS containers that include no further certificates except for the signature certificate or that are based on a root instance unknown in the configuration of the product. Sometimes unknown algorithms have been used for signature creation. It can be recognized by the verification data stream as well because in this case information about the executed verification of cryptographic checksums or signatures is missing in this case. Result: No positive signature verification result SIQ_E_VRF_NOSIGNATURES (e ) If there is no verifiable signature during signature verification, SIQ_E_VRF_NOSIGNATURES is displayed. This verification result means that there in fact are no available signatures or the signatures included in the document could not be processed by the software. This problem can occur if the document is damaged (e.g. a PDF document structurally damaged in a way that the signature cannot be found) or the kind of signature encoding is unknown to the software. Formats such as PGP signatures in base64 encoding, for example, cannot be processed for verification by the OpenLimit Middleware. Result: Signature verification has not been performed. 18

19 SIQ_E_VRF_WRONGMESSAGEDIGEST (e ) The following case leads to SIQ_E_VRF_WRONGMESSAGEDIGEST: The calculated data hash value and the hash value included in the signedatttributes of the signature are not equal In case that the electronic signature has directly been computed on the data (e.g. PKCS #7 without signedattributes) and the calculated hash value differs from the hash value included in the signature, SIQ_E_VRF_WRONGSIGNATURE is returned. Result: The signature is invalid. In case of detached signature files the reason may be that signature and the document considered appropriate do not belong together SIQ_E_VRF_WRONGSIGNATURE (e ) The following cases lead to SIQ_E_VRF_WRONGSIGNATURE: The cryptographic signature could not be calculated with the public key of the signature certificate A signature uses already invalid algorithms at signature creation time Result: The signature is invalid. Indeed, if the referenced signature certificate is missing or a certificate chain to a trust anchor cannot be created, status SIQ_E_VRF_INCOMPLETE is displayed SIQ_E_VRF_WRONGCERTIFICATE (e ) SIQ_E_VRF_WRONGCERTIFICATE is always displayed if the signature has been created with the key indicated in the certificate but the certificate itself should not have been used. The following cases lead to SIQ_E_VRF_WRONGCERTIFICATE: The signature has been created outside the validity period of the signature certificate The signature certificate was revoked at signature creation time The certificate was not suitable for signing (certificate usage) A CA or root certificate was revoked or the application is not explicitly allowed according to the verification policy This error code indicates that the used signature certificate is not suitable for signature creation. This is for instance the case with certificates that are created with tools such as OpenSSL and do not have the required attributes for signature creation. Result: The signature is invalid. 19

20 SIQ_E_VRF_CERTIFICATE (a ) The following case leads to SIQ_E_VRF_CERTIFICATE: The cryptographic signature was correctly verified by using the public key of the signature certificate and the appropriate certificates used for the signing process are trustworthy. However, there are erroneous statuses or verification information is missing (certificate revocation lists and OCSP responses) In this case availability of required online connections for validity or revocation information retrieval must be checked. If this error code is still permanently displayed it can be caused by the fact that one of the certificates includes a wrong URL for requesting OCSP responses or certificate revocation list retrieval. Then the OpenLimit Middleware configuration needs to be modified, as there is no automatism available to avoid this situation. Basically the signature verification result should be better than SIQ_E_VRF_CERTIFICATE, as this code only guarantees a successful technical verification (i.e. the verification of hash values and technical signatures) but does not provide any information concerning signature validity. Result: The signature is technically correct SIQ_E_VRF_WEAKALGORITHM (a ) The following cases lead to SIQ_E_VRF_WEAKALGORITHM: A hash or signature algorithm used for signing does not meet current verification requirements according to the internal algorithm catalog An algorithm used for signature creation was considered secure at verification time but currently is considered insecure. In contrast to code E_WARNING this error code is evaluated as error. Algorithms declared as broken can generally get the status SIQ_E_VRF_WEAKALGORITHM. The signature is no longer trustworthy as technical security of the verified signature is in question. Result: The signature is invalid SIQ_E_VRF_INFORMATION (61002FF0) The following case leads to SIQ_E_VRF_INFORMATION: Verification according to a special verification policy was executed with a positive verification result but a final statement cannot be made. This is the case with valid / current certificate revocation lists that have been published prior to signing time without an automatic OCSP verification. Another common situation leading to this message is the use of certificate revocation lists published prior to signature creation time. In this case it is important that the software can retrieve current certificate revocation lists from the internet for successful signature verification operation. 20

21 Sometimes certificate revocation lists without a Next Update field are published. The verification of signatures that use those certificate revocation lists and no OCSP responses are provided cannot lead to a better verification result. Details concerning the actual verification process need to be checked similar to the other problem cases with the help of the generated XML data stream. Result: The signature is technically correct SIQ_E_VRF_SUCCESS (21002FFF) The following case leads to SIQ_E_VRF_SUCCESS: Based on the applied verification policy a complete and successful verification could be carried out. Result: The signature is valid. 21

22 12 General Questions 12.1 Which hash algorithms are supported? The following algorithms are supported: MD-5 (not suitable for QES) SHA-1 (no longer suitable for QES) SHA-224 SHA-256 SHA-384 SHA-512 RIPEMD (no longer suitable for QES) 12.2 Which signature types are supported? Signature container CMS (Cryptographic Message Syntax) PKCS #7 (Public Key Cryptographic Syntax Part 7) Technical signatures PKCS #1 DSA ECDSA Padding process PSS-Padding PKCS #1 Version 1.5 DinSig-Padding 12.3 How to contact the support team? If you have problems you cannot solve, please contact the OpenLimit Support: Phone:

23 13 Return Values All return values of the OpenLimit V3 Server are listed here. The table is sorted in ascending order by return values. Return value in the logging: Return values are listed here as they occur in the logging in order to analyze special events. Identifier: Represents the internal name of the corresponding return value. Meaning: Here you can find information on the appropriate return value as well as notes on how to proceed. Return Value in the logging Identifier Meaning 0 SIQ_E_NULL SIQ_E_NULL is a generic initialize value. In case this values is being returned, the expected functionality has not been executed. This value is only returned, after an unexpected error occurred SIQ_E_SUCCESS The function has been successfully performed SIQ_E_VRF_AUTHORIZATION_TRUE The certificate is authorized for the requested intended use FFF SIQ_E_VRF_SUCCESS All verification steps have been successfully completed SIQ_E_PKISTATUS_GRANTED During timestamp request, the service reported a successful response SIQ_E_OCSPSTATUS_SUCCESSFUL During OCSP request, the OCSP responder reported a successful response FF0 SIQ_E_VRF_INFORMATION Verification according to a special verification policy was executed with a positive verification result but a final statement cannot be made. This is the case with valid / current certificate revocation lists that have been published prior to signing time without an automatic OCSP verification. a SIQ_E_VRF_CERTIFICATE Certificate validation could not be performed. Possible causes are: One or more certificates of the certificate chain have expired; revocation or certificate status information retrieval failed; PKCS#1 signature could be verified but another error occurred that could not be specified any further. a SIQ_E_VRF_WEAKALGORITHM The used signature and hash algorithm of the verified signature is weak and does not provide sufficient evidential value. a SIQ_E_VRF_SIGNERROLE_CERTIFIC ATE During the verification of the 'SignerRole' item, the following warning message has been displayed: the used certificate could not be verified. 23

24 Return Value in the logging a a a Identifier SIQ_E_VRF_SIGNERROLE_WEAKALGO RITHM SIQ_E_VRF_COUNTERSIGNATURE_CE RTIFICATE SIQ_E_VRF_COUNTERSIGNATURE_WE AKALGORITHM Meaning During the verification of the 'SignerRole' item, the following warning message has been displayed: the used algorithms no longer fulfill security suitability requirements. During countersignature verification, the following warning message has been displayed: the certificate used for countersignature could not be verified. During countersignature verification, the following warning message has been displayed: the algorithms used for countersignature no longer fulfill security suitability requirements. a SIQ_E_VRF_CRL_CERTIFICATE During CRL verification, the following warning message has been displayed: the certificate used for CRL could not be verified. a SIQ_E_VRF_CRL_WEAKALGORITHM During CRL verification, the following warning message has been displayed: the algorithms included in the CRL no longer fulfill security suitability requirements. a a a SIQ_E_VRF_TIMESTAMP_CERTIFICA TE SIQ_E_VRF_TIMESTAMP_WEAKALGOR ITHM SIQ_E_VRF_CERTCHAIN_WEAKALGOR ITHM During timestamp verification, the following warning message has been displayed: the timestamp certificate could not be verified. During timestamp verification, the following warning message has been displayed: the algorithms included in the timestamp no longer fulfill security suitability requirements. During certificate chain verification, the following warning message has been displayed: the algorithms in one of the used certificates no longer fulfill security suitability requirements. a10020f1 SIQ_E_VRF_REVOCATIONFOUND Is currently not being used. a SIQ_E_PKISTATUS_GRANTED_WITHM ODS During timestamp request, the service reported a successful response, but modifications to the request were necessary. a SIQ_E_OCSPSTATUS_TRYLATER During OCSP request, the OCSP responder reported that the request should be repeated later on. a100ff14 SIQ_E_INTERRUPTED During certificate chain creation the thread has been interrupted. e SIQ_E_VRF_INCOMPLETE The signature verification is incomplete. Possible causes are: Certificate chain could not be created; the root certificate could not be found; unknown PKCS#1 signature algorithm; the user certificate could not be verified successfully. e SIQ_E_VRF_NOSIGNATURES No signature to be verified could be found. There are no available verification results. e SIQ_E_VRF_WRONGMESSAGEDIGEST The displayed hash value of the signed data does not comply with the calculated hash value. e SIQ_E_VRF_WRONGSIGNATURE The PKCS#1 signature is invalid. 24

25 Return Value in the logging Identifier Meaning e SIQ_E_VRF_WRONGCERTIFICATE Invalid authorization. A public key could not be found. e SIQ_E_VRF_WRONGDIGESTALG The hash value does not comply with the calculated hash value. e SIQ_E_VRF_UNKNOWNDIGESTALG This hash algorithm is unknown. e SIQ_E_VRF_NODIGEST No hash value could be found. e SIQ_E_VRF_NOCONTENT The corresponding content could not be found. e SIQ_E_VRF_DIGESTSTATEUNKNOWN Hash value verification has not been performed. Verification status of the hash value is unknown. e SIQ_E_VRF_NODTBS The signed data according to RFC 5652 have not been found. e SIQ_E_VRF_UNKNOWNSIGNATUREALG An unknown algorithm has been used for signature creation. e SIQ_E_VRF_NOSIGNATURE No signature has been found. e SIQ_E_VRF_SIGNATURESTATEUNKNO WN Signature verification has not been performed. Verification status of the signature is unknown. e SIQ_E_VRF_UNKNOWNCERTTIME The validity period of the certificate could not be determined. e SIQ_E_VRF_CERTTIMEEXPIRED The certificate was already expired at the specified reference time. e SIQ_E_VRF_CERTTIMEINVALID The certificate was not valid at the specified reference time. e SIQ_E_VRF_UNKNOWNALGSTRENGTH Security suitability of the used algorithm could not be determined. e SIQ_E_VRF_CHECKALGSTRENGTH Algorithm strength needs to be verified for the intended purpose. e SIQ_E_VRF_CERTREVOKED According to OCSP or certificate revocation lists, the certificate is revoked. e SIQ_E_VRF_UNKNOWN_REVOCVALUE_ TIME The time of revocation check resp. validation cannot be determined. e SIQ_E_VRF_EXPIRED_REVOCVALUE The validity period of the last revocation check resp. validation is expired. e SIQ_E_VRF_INVALID_REVOCVALUE_ TIME The time of revocation check resp. validation lies in the future. e SIQ_E_VRF_UNKNOWNTIME SigningTime could not be determined. e SIQ_E_VRF_BADKEYSIZE The length of the used key does not meet the requirements. e SIQ_E_VRF_UNTRUSTED Is currently not being used. 25

26 Return Value in the logging e e Identifier SIQ_E_VRF_NOCERTCHAINCHECK_OC SP SIQ_E_VRF_NOCERTCHAINCHECK_CR L Meaning Is currently not being used. Is currently not being used. e SIQ_E_VRF_NOSIGNERCERT No signature certificate has been found. e SIQ_E_VRF_AUTHORIZATION_FALSE The certificate is not authorized for the intended purpose. e e e e e e e e e e e SIQ_E_VRF_AUTHORIZATION_UNKNO WN SIQ_E_VRF_SIGNERROLE_INCOMPLE TE SIQ_E_VRF_SIGNERROLE_NOSIGNAT URES SIQ_E_VRF_SIGNERROLE_WRONGMES SAGEDIGEST SIQ_E_VRF_SIGNERROLE_WRONGSIG NATURE SIQ_E_VRF_SIGNERROLE_WRONGCER TIFICATE SIQ_E_VRF_COUNTERSIGNATURE_IN COMPLETE SIQ_E_VRF_COUNTERSIGNATURE_NO SIGNATURES SIQ_E_VRF_COUNTERSIGNATURE_WR ONGMESSAGEDIGEST SIQ_E_VRF_COUNTERSIGNATURE_WR ONGSIGNATURE SIQ_E_VRF_COUNTERSIGNATURE_WR ONGCERTIFICATE Certificate authorization for the intended purpose is unknown. During the verification of the 'SignerRole' item, the following error occurred: the signature could not be completely verified. During the verification of the 'SignerRole' item, the following error occurred: no signatures have been found. During the verification of the 'SignerRole' item, the following error occurred: the checksum (Message Digest) is not correct. During the verification of the 'SignerRole' item, the following error occurred: the signature is invalid. During the verification of the 'SignerRole' item, the following error occurred: the used certificate is invalid. During countersignature verification, the following error occurred: the signature of the countersignature could not be completely verified. During countersignature verification, the following error occurred: no signatures have been found in the countersignature. During countersignature verification, the following error occurred: the checksum (Message Digest) of the countersignature is not correct. During countersignature verification, the following error occurred: the signature of the countersignature is invalid. During countersignature verification, the following error occurred: the certificate used for countersignature is invalid. e SIQ_E_VRF_CRL_INCOMPLETE During CRL verification, the following error occurred: the CRL signature could not be verified. e SIQ_E_VRF_CRL_NOSIGNATURES During CRL verification, the following error occurred: no signatures have been found in the CRL. e SIQ_E_VRF_CRL_WRONGMESSAGEDIG EST During CRL verification, the following error occurred: the checksum (Message Digest) of the CRL is not correct. 26

27 Return Value in the logging Identifier Meaning e SIQ_E_VRF_CRL_WRONGSIGNATURE During CRL verification, the following error occurred: the CRL signature is invalid. e SIQ_E_VRF_CRL_WRONGCERTIFICAT E During CRL verification, the following error occurred: the certificate used in the CRL is invalid. e SIQ_E_VRF_OCSP_INCOMPLETE During OCSP response verification, the following error occurred: the signature of the OCSP response could not be completely verified. e SIQ_E_VRF_OCSP_NOSIGNATURES During OCSP response verification, the following error occurred: no signatures have been found in the OCSP response. e SIQ_E_VRF_OCSP_WRONGMESSAGEDI GEST During OCSP response verification, the following error occurred: the checksum (Message Digest) of the OCSP response is not correct. e SIQ_E_VRF_OCSP_WRONGSIGNATURE During OCSP response verification, the following error occurred: the signature of the OCSP response is invalid. e SIQ_E_VRF_OCSP_WRONGCERTIFICA TE During OCSP response verification, the following error occurred: the certificate used for OCSP response is invalid. e SIQ_E_VRF_OCSP_CERTIFICATE During OCSP response verification, the following warning message has been displayed: the certificate used in the OCSP response could not be verified. e SIQ_E_VRF_OCSP_WEAKALGORITHM During OCSP response verification, the following warning message has been displayed: the algorithms included in the OCSP response no longer fulfill security suitability requirements. e e e e e e SIQ_E_VRF_TIMESTAMP_INCOMPLET E SIQ_E_VRF_TIMESTAMP_NOSIGNATU RES SIQ_E_VRF_TIMESTAMP_WRONGMESS AGEDIGEST SIQ_E_VRF_TIMESTAMP_WRONGSIGN ATURE SIQ_E_VRF_TIMESTAMP_WRONGCERT IFICATE SIQ_E_VRF_CERTCHAIN_INCOMPLET E During timestamp verification, the following error occurred: the signature of the timestamp could not be completely verified. During timestamp verification, the following error occurred: no signatures have been found in the timestamp. During timestamp verification, the following error occurred: the checksum (Message Digest) of the timestamp is not correct. During timestamp verification, the following error occurred: the signature of the timestamp is invalid. During timestamp verification, the following error occurred: the certificate used in the timestamp is invalid. During certificate chain verification, the following error occurred: the certificate chain could not be completely verified. e SIQ_E_VRF_CERTCHAIN_NOCHAIN During certificate chain verification, the following error occurred: the certificate chain is incomplete. e SIQ_E_VRF_CERTCHAIN_WRONGCERT IFICATE During certificate chain verification, the following error occurred: at least one of the used certificates is invalid or revoked. 27

28 Return Value in the logging Identifier Meaning e1002ff1 SIQ_E_VRF_NOREVOCATIONCHECK No certificate revocation check resp. validation has been performed. e SIQ_E_XML_XML An error occurred during XML data processing. e SIQ_E_XML_DOM An error occurred during XML DOM tree processing. e SIQ_E_XML_DSIG An error occurred during XML signature verification. e SIQ_E_XML_XADES An error occurred during XAdES signature processing. e SIQ_E_XML_XPATH An error occurred during the processing of the XPath- Statement. e SIQ_E_XML_REFDATA During XML data processing an error occurred concerning the referenced data. e SIQ_E_PKISTATUS_REJECTION During timestamp request, the service reported request rejection. e SIQ_E_PKISTATUS_WAITING During timestamp request, the service reported that the request is in the queue. e e e e SIQ_E_PKISTATUS_REVOCATION_WA RNING SIQ_E_PKISTATUS_REVOCATION_NO TIFICATION SIQ_E_OCSPSTATUS_MALFORMEDREQ UEST SIQ_E_OCSPSTATUS_INTERNALERRO R During timestamp request, the service displayed a warning message concerning the upcoming certificate revocation. During timestamp request, the service reported that the certificate has been revoked. During OCSP request the OCSP responder reported that the format of the request is incorrect. During OCSP request the OCSP responder reported an internal error. e SIQ_E_OCSPSTATUS_SIGREQUIRED During OCSP request the OCSP responder reported that the request needs to be signed and therefore could not be processed. e SIQ_E_OCSPSTATUS_UNAUTHORIZED During OCSP request the OCSP responder reported that the request could not be successfully authorized. e SIQ_E_OCSPSTATUS_UNKNOWNCERTI FICATE During OCSP request the OCSP responder reported that the requested certificate is unknown. e SIQ_E_CACERT_NOTFOUND During OCSP request the following error occurred: the CA certificate is unknown. e100f000 SIQ_E_MSU Unauthorized manipulation / security-related modification has been detected. Operation will be terminated. e100f001 SIQ_E_MSU_MODULEMISSED Is currently not being used. e100f002 SIQ_E_MSU_MODULEALTERED Is currently not being used. e100f003 SIQ_E_MSU_INPUTDATAALTERED Is currently not being used. e100f004 SIQ_E_MSU_OUTPUTDATAALTERED Is currently not being used. 28

29 Return Value in the logging Identifier Meaning e100f00f SIQ_E_MSU_SCARDDATAALTERED Is currently not being used. e100ff00 SIQ_E_UNSUPPORTED This functionality is not supported. e100ff01 SIQ_E_NOTFOUND 1 The requested data have not been found. e100ff02 SIQ_E_IGNORED This data is ignored. e100ff03 SIQ_E_EOF The end of data or file is reached. e100ff04 SIQ_E_SIZE A general size error occurred. e100ff05 SIQ_E_INITIALIZATION An error occurred during initialization. e100ff06 SIQ_E_LOCK This functionality is locked. e100ff07 SIQ_E_WRONG_SECURITYCONDITION The security requirements are not fulfilled so that operation cannot be performed. This is the case, for example, if an operation has been requested that requires PIN entry prior to verification but this PIN has not been entered yet. e100ff08 SIQ_E_FILE_EXISTS The specified file already exists. e100ff09 SIQ_E_FILE_NOTFOUND The specified file has not been found. e100ff0a SIQ_E_FILE_NOTWRITEABLE The specified file is not writeable; e.g. the file is read only. e100ff0b SIQ_E_SESSIONALREADYEXISTING The specified session already exists. e100ff0d SIQ_E_MISSINGREFTIME The reference time is missing, e.g. during signature verification. e100ff0e SIQ_E_MISSINGCERTIFICATE The certificate is not available, e.g. during signature verification. e100ff0f SIQ_E_NOCONNECTION A connection is not possible, e.g. a network connection or RMI connection. e100ff10 SIQ_E_SOAPRESULT The SOAP result could not be set. e100ff11 SIQ_E_ALREADYEXISTS The data already exists. e100ff12 SIQ_E_UPDATE A software update is required. e100ff13 SIQ_E_AMBIGUITY Ambiguities occurred during certificate chain creation. e100ff14 SIQ_E_INCOMPLETE The result of certificate chain creation is incomplete. 1 If this error value occurs in connection with the message: T11: : sequenceid=2107 ERROR [com.openlimit.sdk.wsbridge.csiqsdkwsbridgeiportimpl]=csiqdojobimpl failed: e100ff01 (date, time and sequenceid can vary), this is a common error message that does not represent a process error. In this context, more accurately the message should have the Log-Level 'DEBUG'. 29

30 Return Value in the logging Identifier Meaning e100ff15 SIQ_E_MALFORMEDURL The format of the specified URL is incorrect. e100ff16 SIQ_E_NETWORKIO An error occurred during input/output at the network interface. e100ff17 SIQ_E_NUMBERFORMAT The specified number format is invalid. e100ff18 SIQ_E_NATIVELIB The link to a program library is incorrect. e100ff30 SIQ_E_SOAP SOAP communication failed. e100ff31 SIQ_E_JVM Communication with the Java Virtual Machine failed. e100ff32 SIQ_E_JENVIRONMENT The Java runtime environment required for JNI is invalid. e100ff33 SIQ_E_CLASSLOADER The ClassLoader could not be initialized. e100ff34 SIQ_E_JNI_CLASS A requested Java class has not been found. e100ff35 SIQ_E_JNI_METHOD The Java method has not been found during the use of JNI. e100ff36 SIQ_E_JNI_FIELD The Java data field has not been found during the use of JNI. e100ff37 SIQ_E_NOMORETHREADS There are no available threads left. e100ff38 SIQ_E_PROXY A Proxy error occurred. e100fff0 SIQ_E_NOTIMPLEMENTED This functionality is not implemented. e100fff1 SIQ_E_FORBIDDEN In this context it is forbidden to perform the requested function; e.g. when creating a write-protected file. e100fff2 SIQ_E_IMPOSSIBLE Performing the requested function is not possible in this context. e100fff3 SIQ_E_CONFIG There is a configuration error. e100fff4 SIQ_E_ABORT A criterion of interruption has been reached. e100fff5 SIQ_E_USERABORT The user aborted the operation. e100fff7 SIQ_E_TIMEOUT A timeout has occurred. e100fff9 SIQ_E_POINTER The used pointer is invalid. This error code often occurs in connection with incorrectly used interfaces. e100fffa SIQ_E_MEMORY An error occurred during memory allocation. This error occurs if storage provisioning failed. The software should be restarted. e100fffb SIQ_E_BUFFER The buffer size is invalid. This error code often occurs in connection with incorrectly used interfaces. This error code is also displayed if not existing data is requested from the interface. 30

31 Return Value in the logging Identifier Meaning e100fffc SIQ_E_PARAMETER The used parameter is invalid. This error code often occurs in connection with incorrectly used interfaces. e100fffd SIQ_E_HANDLEUSAGE Invalid use of the job handle. e100fffe SIQ_E_HANDLE The job handle is invalid. This error code often occurs in connection with incorrectly used interfaces. e100ffff SIQ_E_UNEXPECTED An unexpected error occurred. It is a generic error with different causes. e SIQ_E_SC_NEEDSACTIVATION The smart card PIN has to be activated. e SIQ_E_SC_WRONGPIN The smart card PIN is invalid. e SIQ_E_SC_LOCKED The smart card is locked. e SIQ_E_SC_ALREADYCONNECTED The smart card is already connected. e SIQ_E_SC_CANNOTSHAREDEVICE Accessing the smart card in the shared mode is not possible. e SIQ_E_SC_PIN_LOCKED The smart card PIN is locked. e SIQ_E_SC_WRONGCAN A wrong CAN has been entered. e SIQ_E_SC_CONFIRM An error occurred because a new value has been set and needs to be confirmed. e SIQ_E_SCT_VENDOR The terminal manufacturer is unknown. e SIQ_E_SCT_PRODUCT The terminal is unknown. e SIQ_E_SCT_NEW_SOFTWARE The firmware version or driver version is newer than the tested version. e SIQ_E_SCT_OLD_SOFTWARE The firmware version or driver version is older than the tested version. e150ff01 SIQ_E_MISSINGCHIPAUTHINFO Information on smart card authentication cannot be found. e150ff02 SIQ_E_MISSINGCHIPAUTH_DOMAINP ARAMETERINFO The domain parameters for smart card authentication have not been specified. e150ff03 SIQ_E_MISSINGEFCARDACCESS The file EF.CardAccess is missing. e150ff04 SIQ_E_INVALIDEFCARDACCESS The file EF.CardAccess is invalid and cannot be parsed. e150ff05 SIQ_E_MISSINGRIINFO The RI information determined from the file EF.CardAccess is invalid. e150ff06 SIQ_E_MISSINGEFCARDSECURITY The file EF.CardSecurity is missing. e150ff07 SIQ_E_INVALIDEFCARDSECURITY The file EF.CardSecurity is invalid. 31

32 14 Glossary A Accredited Certificate Advanced Certificate Algorithm Catalog C Certification Service Provider Checksum (Hash Value) CMS-Container (RFC 5652) CSP D DSA E ECDSA H Hash Value (Checksum) Hash-Algorithmus Host J Java Virtual Machine (JVM) JVM O OCSP Response P Padding Process PKCS # PKCS # Port Q QES Qualified Certificate R Revocation List RSA S Service tag Signature Algorithm Signature Container Signature Process SignedAttributes SignerInfos T Technical Signature Time Stamping Authority Timestamps Trusted List TrustLevel TSA U UnsignedAttributes

33 A Accredited Certificate A certification service provider (CSP) is considered accredited if its trust center received a confirmation by the Federal Network Agency due to regular inspections by the Federal Office for Information Security or other accredited inspection authorities. As a result the accredited certification service provider receives a qualified certificate by the Federal Network Agency the root instance for qualified certificates with provider accreditation in Germany. A signature certificate signed with this qualified certificate is colloquially called accredited certificate. Accredited certificates are used to create accredited signatures. Advanced Certificate Advanced certificates can be created by everyone and applied for various purposes (encryption, signature, authentication etc.). However, advanced certificates are not suitable to unequivocally guarantee signature authenticity, because the private key applied may not be as secure as it is the case with qualified certificates, for example. Algorithm Catalog The reliability of a qualified electronic signature primarily depends on the strength of the underlying cryptographic algorithms. In the so-called algorithm catalog, an overview of the suitability of algorithms for qualified electronic signatures according to the German Signature Act, algorithms are listed, that are considered suitable for qualified electronic signatures at least for the coming years (i.e. currently by the end of 2017). This overview of algorithms and the appropriate parameters that are considered suitable for the creation of signature keys, the hash of data to be signed the creation and verification of qualified electronic signatures as well as the suitability expiration date are published by the Federal Network Agency in the German Federal Gazette or please see: n/algorithmen_node.html Suitability is redefined annually and if required. You will automatically receive notification on available new algorithm catalogs after you have registered on the site and stored the information of using the software OpenLimit Middleware Version 3 Server. The new algorithm catalog is provided in a way that it can be copied directly into the i nstallation directory of the OpenLimit Middleware. Signatures with algorithms, losing evidential value according to the algorithm catalog that become weak need to be renewed in good time before expiration, i.e. signed data needs to be signed again with a suitable algorithm. 33

34 C D Checksum (Hash Value) See Hash Value (Checksum). CMS-Container (RFC 5652) A CMS container is a kind of envelope such as PKCS #7 which is used to protect signed or encrypted data. CMS is an enhancement of the PKCS #7 standard. It supports electronic signatures and encryption even with multiple encapsulations, i.e. it can contain one or more SignerInfos (see SignerInfos) and signed data. Moreover, this format allows attribute signatures (SignedAttributes) that are a part of the SignerInfos concerning CMS-containers. This is the main difference compared to a PKCS #7-container. A container or detached signature can contain several electronic signatures which apply to the same original document. CSP CSP stands for Certification Service Provider (cf. Certification Service Provider). Certification Service Provider A certification service provider (CSP) issues certificates. Depending on the suitability which is verified by the Federal Network Agency, certification service providers can issue cer tificates of different qualities. (see chapter 3.1 Certificate Qualities of the Administration Manual). E DSA The Digital Signature Algorithm (DSA) is a standard for digital signatures of the US government. It was recommended by the National Institute of Standards and Technology (NIST) to be included in their Digital Signature Standard (DSS). In contrast to RSA, DSA is a signature process that does not include a related encryption process. The DSA is based on the discrete logarithms in finite fields and does not use elliptic curves. H ECDSA The Elliptic Curve Digital Signature Algorithm (ECDSA) is a signature and encryption process. Elliptic Curve Cryptography refers to asymmetric cryptosystems that use elliptic curve operations over finite fields and are not based on discrete logarithms. In contrast to the conventional asymmetric cryptographic methods DSA or RSA (see RSA), these procedures use considerably shorter keys. Hash-Algorithm A hash algorithm is the algorithm used for hash value calculation (see Hash Value (Checksum)). 34

35 J Hash Value (Checksum) A hash value is a simple measure to guarantee data integrity during data transfer or data storage. Bits, bytes or another fundamental component of message data is transferred to a specified hash algorithm. This algorithm calculates the hash value from the transferred data. Thus, the use of the same hash algorithm during hash value verification provid es evidence if the content of the message has changed. Host The term host is used to describe a computer within a computer network usually hosting a server. A host can have several servers, usually bound to different IP addresses (network cards). Concerning the OpenLimit V3 Server the server is bound in the file siqsemksrv_svr.cfg via option SOAPHost. For a description, please see chapter Binding the OpenLimit V3 Server to a Network Address of the Administration Manual. O Java Virtual Machine (JVM) The JVM is the part of the Java Runtime Environment for Java programs which is responsible for the execution of the Java bytecode. Normally, each started Java program is executed in its own virtual machine. The OpenLimit V3 Server uses a Java distribution provided by the manufacturer. With the distribution a JVM is created for the OpenLimit V3 Server when the server is started. JVM See Java Virtual Machine (JVM). P OCSP Response OCSP stands for Online Certificate Status Protocol. An OCSP response provides information on the certificate revocation status which is offered on request via the corresponding address included in the certificate. The response is a binding statement on the validity status of the certificate at this point in time because this validity information can be requested exclusively by a trusted provider. Another possibility of verifying the revocation status of a certificate is the use of certificate revocation lists (see Revocation Lists). Padding Process A padding process is applied to additionally secure the data to be encrypted resp. signed. For this purpose the data is filled with information that depends on the particular padding process. This way the data is concealed and decoding is facilitated. The following padding processes are supported: 35

36 Q PKCS #1 PSS (Probabilistic Signature Scheme) PKCS #1 Version 1.5 DinSig-Padding PKCS (Public-Key Cryptography Standards) means a number of cryptographic specifications produced by RSA Laboratories, each being provided with a unique number (#1, #2, #3 ). PKCS #1 is the RSA Cryptography Standard for technical signature of data. PKCS #7 PKCS (Public-Key Cryptography Standards) means a number of cryptographic specifications of RSA Laboratories, each being provided with a unique number (#1, #2, #3 ). PKCS #7 is the specification of the signature container according to RFC 2315 from 1998 that can contain one or more SignerInfos (SignerInfos) and signed data. However, the SignerInfos of the PKCS #7 container cannot contain SignedAttributes which is the main difference compared to a CMS- Container (RFC 5652). Port A port is part of the network address and unique per host. A physical computer can have several servers as long as these servers communicate over different ports. Here it is important that connected applications (SDK-Clients) are set according to the appropriate ports as well. The port of the OpenLimit V3 Server can be set in the file siqsemksrv_svr.cfg via option SOAPPort. For further information, please see chapter Binding the OpenLimit V3 Server to a Network Address. QES A QES (Qualified Electronic Signature) is an electronic signature that has been created with a qualified certificate according to SigG. See Qualified Certificate. For further information, please see: e.html Qualified Certificate Qualified and accredited certificates are characterized by the fact that they are issued by a registered or accredited certification service provider (CSP). These certification service providers are verified by the Federal Network Agency and have to guarantee, amongst others, that the issued pair of keys for the respective certificate is unambiguous and can be related to a natural person without doubt. Moreover, qualified and accredited certificates have to meet the requirements of the Federal Network Agency concerning the quality of applied cryptographic algorithms (hash and signature algorithms). The assigned certificate must have been signed by the certification service provider with a qualified electronic signature. It can exclusively be applied for signing and it must be indicated that it is a qualified certificate ( cf. SigG profile in Common-PKI). 36

37 R S RSA RSA (named after Ronald L. Rivest, Adi Shamir and Leonard Adleman) is an asymmetric cryptosystem used for encryption and digital signature as well (among others, in PKCS #1). The RSA cryptosystem uses one pair of keys: a private key that is used for decrypting or signing data and a public key for encryption or signature verification. The private key is kept secret. Service tag A service tag is a user under Linux only created to operate a service in a hardened environment. The hardening is achieved by limiting user rights exclusively to execution rights within the used folder. In doing so, accessing the system via this user can be prevented. Signature Algorithm A signature algorithm is the algorithm used to calculate technical signatures (see Technical Signature). The used signature algorithm depends on the signature process (see Signature Process). Signature Container A signature container (see CMS-Container (RFC 5652)) is a kind of envelope that is used to protect signed or encrypted data. It supports electronic signatures and encryption even with multiple encapsulations. In addition, this format allows signing attributes together with is content, e.g. signature creation time. Signature Process The specified procedure of technical signature creation is called signature process. SignedAttributes SignedAttributes include gathered signature information and belong to the SignerInfos (see SignerInfos) of the signature. Usually those contain the hash value of data, the time of signature creation and the content type. SignedAttributes are a part of the SignerInfos. For further details, please see RFC SignerInfos The SignerInfos contain information about version, signature certificate, signed attributes (cf. SignedAttributes), unsigned attributes (cf. UnsignedAttributes), technical signature (cf. Technical Signature) as well as signature and hash algorithm information (cf. Signature Algorithm & Hash- Algorithm). A signature container (cf. Signature Container) can contain several SignerInfos. A signature container with several signatures included, contains several SignerInfos as well. Revocation List In addition to online certificate status information (OCSP responses, cf. OCSP Response) certificate revocation lists offer the possibility of receiving certificate revocation informa tion. A certificate revocation list includes a list of revocation information on certificates. The 37

38 T certificates used for signing can be verified against the list. Depending on the respective certificate, revocation information is requested by the provider included in the certificate in order to be informed about the certificate status. U Technical Signature The actual PKCS #1-, resp. DSA- or ECDSA signature is called technical signature. Time Stamping Authority The Time Stamping Authority is the service provider for requested timestamps. Timestamps are always signed by the time stamping authority. This signature is verified as well by the OpenLimit Version 3 in connection with a verified signature. Timestamps Timestamps serve as proof of data existence at a certain point in time. This point in time is issued by a Time Stamping Authority (TSA) (cp. Time Stamping Authority). A timestamp is provided on request and is always signed by the TSA. Thus, the requesting person receives reliable information on the signature creation time. Trusted List Applying a trusted list signed by the manufacturer, the certificates of registered and accredited certification service providers are transmitted to the software. TrustLevel The TrustLevel is the trust status of a certificate which is specified by the user. The trust status is of special importance for signature verification. If it is not possible to determine the TrustLevel of a certificate used for signing, a statement on the validity of a signature cannot be made. OpenLimit Version 3 contains a preconfigured trust base that is called DefTrustBase. These certificates serve as a basis for signature validation and therefore the trust status of these certificates cannot be modified by the user. TSA TSA stands for Time Stamping Authority (cf. Time Stamping Authority) UnsignedAttributes UnsignedAttributes can be a part of the SignerInfo (cf. SignerInfos) according to RFC In compliance with CAdES-A specification, token for timestamps as well as revocation information are stored here. 38