The Verification Service module can be used to enhance existing basic signatures to more advanced signatures as part of the signature verification process. The signature enhancement is requested by including specific flags in the request to the Verification Service.

The Verification Service supports two interfaces for signature enhancement. A business application can send signature/certificate verification/validation requests on:

  • DSS Interface
    An OASIS Digital Signature Service (DSS) Interface: Particularly the “Advanced Electronic Signature (AdES) Profiles of OASIS DSS Version 1.0”.
  • HTTP Interface
    An optimized HTTP/S Interface: This provides the same signature verification and enhancement service, but using a faster HTTP/S interface.


The Ascertia ADSS Client SDK implements both interfaces using high-level Java and .NET APIs, and this is the easiest way of implementing these services within a business application environment. For further details, see the ADSS Server Developers Guide.

The table below describes the formats ADSS Server supports for signature enhancement:

Source Signature Format

How to Enhance

PDF Signatures (ISO 32000-1 and PAdES)

According to the PAdES specification, PDF ISO 32000-1 signatures are equivalent to PAdES Part 2 signatures. The specification allows existing PDF ISO 32000-1 (PAdES Part 2) and PAdES Part 3 signatures to be converted to PAdES Part 4 signatures by adding the revocation information for the signer and signature timestamp certificates, along with an RFC 3161 compliant document timestamp signature. Once enhanced, these signatures are no longer ISO 32000-1 signatures; they become PAdES Part 4 signatures, as stated above.

There are two possible ways to send the signature enhancement request to ADSS Verification Service:

  • Sending the signed PDF document in the request
    ADSS Verification Service performs the following steps to enhance the existing signatures in the signed PDF document:
    1. Extract and verify all existing signatures inside the PDF document, e.g. User Signature, Signature Timestamp and Document Timestamp.
    2. Add the revocation information for each certificate chain into the DSS dictionary of the PDF document as per the PAdES specifications.
    3. Add an RFC 3161 compliant document timestamp signature.


  • Sending signatures only
    In this case the client application must use the ADSS Client API to enhance the existing signatures. The client application must perform the following steps, using multiple ADSS Client API calls:
    1. Extract all the embedded CMS/PKCS#7 signatures.
    2. Send the signature values to ADSS Server for verification, one by one.
    3. Receive the signer’s certificate chain revocation information in the response and embed it inside the PDF document for each signature as per the PAdES specifications.
    4. Add an RFC 3161 compliant document timestamp signature.

Note:
The following describes what is added when each signature type is enhanced to a PAdES Part 4 signature:

  • Standard PDF Signature:
    The revocation information for the signer certificate will be added inside the PDF (DSS Dictionary) and a document timestamp signature will be applied.
  • PDF signature with embedded timestamp:
    The revocation information for the signer and Signature timestamp certificate will be added inside the PDF (DSS Dictionary) and a document timestamp signature will be applied.
  • PDF Signature with embedded timestamp and revocation information (equivalent PAdES Part 2):
    The revocation information for the Signature timestamp certificate will be added inside the PDF (DSS Dictionary) if missing and a document timestamp signature will be applied.
  • PAdES-BES (Basic PAdES Part 3 Signature):
    The revocation information for the signer certificate will be added inside the PDF (DSS Dictionary) and a document timestamp signature will be applied.
  • PAdES-T (Basic PAdES Part 3 Signature with embedded timestamp):
    The revocation information for the signer and Signature timestamp certificate will be added inside the PDF (DSS Dictionary) and a document timestamp signature will be applied.
  • PAdES-LTV (PAdES Part 4, PAdES-LTV with document timestamp):
    The revocation information for the existing document timestamp certificate will be added inside the PDF (DSS Dictionary) and another document timestamp signature will be applied.
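To confirm that an enhancement request actually produced the markers described above (a DSS dictionary, embedded revocation data and a trailing document timestamp), the returned PDF can be checked independently. The following is an added example, not ADSS Server or ADSS Client SDK code; `ltv_markers` and the sample byte strings are hypothetical, and the scan is a heuristic that assumes an incrementally saved PDF without compressed object streams.

```python
import re

# Names from ISO 32000 / PAdES: signature /SubFilter values, the catalog's
# /DSS entry, and the /OCSPs and /CRLs arrays inside the DSS dictionary.
SUBFILTER = re.compile(rb"/SubFilter\s*/([A-Za-z0-9.]+)")
DSS_ENTRY = re.compile(rb"/DSS\s*(?:<<|\d+\s+\d+\s+R)")
REVOCATION = re.compile(rb"/(OCSPs|CRLs)\s*(?:\[\s*)?\d+\s+\d+\s+R")

def ltv_markers(pdf: bytes) -> dict:
    """Heuristic byte scan for PAdES Part 4 markers (hypothetical helper).

    Reports presence only; it does not validate signatures, timestamps or
    revocation responses. That still requires a verification service.
    """
    # With incremental updates, later signatures appear later in the file.
    signatures = [s.decode() for s in SUBFILTER.findall(pdf)]
    revocation = sorted({r.decode() for r in REVOCATION.findall(pdf)})
    checks = {
        "DSS dictionary": bool(DSS_ENTRY.search(pdf)),
        "revocation data": bool(revocation),
        # Enhancement ends by applying a document timestamp, so it should
        # be the last signature appended to the file.
        "document timestamp last": signatures[-1:] == ["ETSI.RFC3161"],
    }
    return {"signatures": signatures, "revocation": revocation,
            "missing": [name for name, ok in checks.items() if not ok]}

# Constructed fragments for illustration (not complete PDF files).
BASIC = (b"%PDF-1.7\n"
         b"1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n"
         b"5 0 obj << /Type /Sig /Filter /Adobe.PPKLite"
         b" /SubFilter /adbe.pkcs7.detached /Contents <00> >> endobj\n"
         b"%%EOF\n")
ENHANCED = BASIC + (
    b"1 0 obj << /Type /Catalog /AcroForm 2 0 R /DSS 8 0 R >> endobj\n"
    b"8 0 obj << /Certs [9 0 R] /OCSPs [10 0 R] >> endobj\n"
    b"11 0 obj << /Type /DocTimeStamp /Filter /Adobe.PPKLite"
    b" /SubFilter /ETSI.RFC3161 /Contents <00> >> endobj\n"
    b"%%EOF\n")
# A signature appended after enhancement is no longer covered by the timestamp.
RESIGNED = ENHANCED + (b"14 0 obj << /Type /Sig"
                       b" /SubFilter /ETSI.CAdES.detached >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for name, data in (("basic", BASIC), ("enhanced", ENHANCED), ("resigned", RESIGNED)):
        print(name, ltv_markers(data))
```

An empty `missing` list means the structural markers are present; a non-empty list names what the enhancement did not leave in the file.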

CAdES-BES

ADSS Server can verify and enhance CAdES signatures to the relevant long-term signature profiles, such as:

  • CAdES-T
  • CAdES-C
  • CAdES-X
  • CAdES-XL
  • CAdES-A

XAdES-BES

ADSS Server can verify and enhance XAdES signatures to the relevant long-term signature profiles, such as:

  • XAdES-T
  • XAdES-C
  • XAdES-X
  • XAdES-XL
  • XAdES-A

PKCS#7/CMS

A PKCS#7/CMS signature can be enhanced to include a timestamp as defined by the ISO 32000-1 PDF specifications (as explained above).

There is no standard specification for enhancing such signatures to other long-term signature profiles (e.g. no standard way of embedding revocation information). If this is required, it is recommended to start with a basic CAdES-BES format signature and then enhance it to the relevant CAdES signature profile as explained above.

