XAdES (short for "XML Advanced Electronic Signatures") is a set of extensions to XML-DSig
recommendation making it suitable for advanced electronic signatures. W3C and ETSI maintain and update XAdES together.
While XML-DSig is a general framework for digitally signing documents, XAdES specifies precise profiles of XML-DSig
making it compliant with the European eIDAS regulation (Regulation on electronic identification and trust services
for electronic transactions in the internal market). The eIDAS regulation enhances and repeals the Electronic Signatures
Directive 1999/93/EC. EIDAS is legally binding in all EU member states since July 2014.
An electronic signature that has been created in compliance with eIDAS has the same legal value as a handwritten signature.
An electronic signature, technically implemented based on XAdES has the status of an advanced electronic signature.
This means that
it is uniquely linked to the signatory;
it is capable of identifying the signatory;
only the signatory has control of the data used for the signature creation;
it can be identified if data attached to the signature has been changed after signing.
A resulting property of XAdES is that electronically signed documents can remain valid for long periods,
even if underlying cryptographic algorithms are broken.
However, courts are not obliged to accept XAdES-based electronic signatures as evidence in their proceedings; at least in EU,
this is compulsory only for "qualified" signatures. A "qualified electronic signature" needs to be doted with a digital
certificate, encrypted by a security signature creation device, and the identity of the owner of this signing-certificate must
have been verified according to the "high" assurance level of the eIDAS regulation.
XAdES defines six profiles (forms) differing in protection level offered.
XAdES-B (also named XAdES-BES for "Basic Electronic Signature"), basic form just satisfying Directive legal requirements for advanced signature;
XAdES-T (timestamp), adding timestamp field to protect against repudiation;
XAdES-C (complete), adding references to verification data (certificates and revocation lists) to the signed documents to allow off-line verification and verification in future (but does not store the actual data);
XAdES-X (extended), adding timestamps on the references introduced by XAdES-C to protect against possible compromise of certificates in chain in future;
XAdES-XL (extended long-term), adding actual certificates and revocation lists to the signed document to allow verification in future even if their original source is not available;
XAdES-A (archival), adding the possibility for periodical timestamping (e.g. each year) of the archived document to prevent compromise caused by weakening signature during a long storage period.
For XAdES_BASELINE extension, the -B level contains immutable signed properties. Once this level is created,
these properties cannot be changed.
The levels -T/-LT/-LTA add unsigned properties to the signature. This means that the properties of these levels could be added afterwards to
any AdES signature. This addition helps to make the signature more resistant to cryptographic attacks on a longer period of time.
The extension of the signature is incremental, i.e. when you want to extend the signature to the level -LT the lower level (-T)
will also be added.
By default, XAdES_BASELINE_B will be used. You can use any of the following enum types to setup signature level
by using constants provided by class XAdES.SIGNATURELEVEL
XAdES_BASELINE_B: Basic Electronic Signature The lowest and simplest version just containing the SignedInfo, SignatureValue, KeyInfo and SignedProperties. This level combines the old -BES and -EPES levels.
XAdES_BASELINE_T: Signature with a timestamp. A timestamp regarding the time of signing is added to protect against repudiation.
XAdES_BASELINE_LT:Signature with Long Term Data Certificates and revocation data are embedded to allow verification in future even if their original source is not available. This level is equivalent to the old XAdES_XL level.
XAdES_BASELINE_LTA: Signature with Long Term Data and Archive timestamp. By using periodical timestamping (e.g. each year) compromising is prevented which could be caused by weakening previous signatures during a long-time storage period. This level is equivalent to the old XAdES_A level.
LT and LTA requires revocation list.
2 Signature packaging
You can select from any of the following signature packaging:
ENVELOPED, The signature is integrated inside the XML document.
ENVELOPING, The signature includes the XML document encoded in base64.
DETACHED, The signature without the document is returned.
3 Enum constants
For either signature level, signature packaging and digest algorithm and enum constant is provided.
The following example signs a document using XAdES_BASELINE_T (XAdES_BASELINE_B with timestamp) using ENVELOPED packaging.
// Load a keystore
var ks = new Ax.ks.KeyStoreManager("https://bitbucket.org/deister/axional-docs-resources/raw/master/KeyStores/swview/jks-files/jack.jks", "secret");
// Load an XML document
var src = new Ax.xml.XMLDocument(new Ax.net.URL('https://bitbucket.org/deister/axional-docs-resources/raw/master/XML/books.xml'));
// Sign the document using keystore private key alias "jack" with password "moon"
var tmp = new Ax.crypt.XAdES(src)
.sign(ks, "jack", "moon")