2.5.2.6 XAdES Elements

XML Advanced Electronic Signatures [XAdES] extensions to xmldsig signatures MAY<32> be present in either binary or ECMA-376 documents [ECMA-376] when using xmldsig signatures. XAdES-EPES through XAdES-X-L extensions are specified within a signature. Unless otherwise specified, any optional elements as specified in [XAdES] are ignored.

The Object element containing the information as specified in [XAdES] has a number of optional elements, and many of the elements have more than one method specified. A document compliant with this file format uses the following options:

  • The SignedSignatureProperties element MUST contain a SigningCertificate property as specified in [XAdES] section 7.2.2.

  • A SigningTime element MUST be present as specified in [XAdES] section 7.2.1.

  • A SignaturePolicyIdentifier element MUST be present as specified in [XAdES] section 7.2.3.

  • If the information as specified in [XAdES] contains a time stamp as specified by the requirements for XAdES-T, the time stamp information MUST be specified as an EncapsulatedTimeStamp element containing DER-encoded ASN.1 data.

  • If the information as specified in [XAdES] contains references to validation data, the certificates used in the certificate chain, except for the signing certificate, MUST be contained within the CompleteCertificateRefs element as specified in [XAdES] section 7.4.1. In addition, for the signature to be considered a well-formed XAdES-C signature, a CompleteRevocationRefs element MUST be present, as specified in [XAdES] section 7.4.2.

  • If the information as specified in [XAdES] contains time stamps on references to validation data, the SigAndRefsTimestamp element as specified in [XAdES] section 7.5.1 and [XAdES] section 7.5.1.1 MUST be used. The SigAndRefsTimestamp element MUST specify the time stamp information as an EncapsulatedTimeStamp element containing DER-encoded ASN.1 data.

  • If the information as specified in [XAdES] contains properties for data validation values, the CertificateValues and RevocationValues elements MUST be constructed as specified in [XAdES] section 7.6.1 and [XAdES] section 7.6.2. Except for the signing certificate, all certificates used in the validation chain MUST be entered into the CertificateValues element.

There MUST be a Reference element specifying the digest of the SignedProperties element, as specified in [XAdES], section 6.2.1. A Reference element is placed in one of two parent elements, as specified in [XMLDSig]:

  • The SignedInfo element of the top-level Signature XML.

  • A Manifest element contained within an Object element.

A document compliant with this file format SHOULD<33> place the Reference element specifying the digest of the SignedProperties element within the SignedInfo element. If the Reference element is instead placed in a Manifest element, the containing Object element MUST have an id attribute set to "idXAdESReferenceObject".
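A structural check of the rules in this section, written as an added example rather than code taken from the specification or from any Office implementation. It uses Python's ElementTree, assumes the XAdES 1.3.2 namespace (the URI is not stated on this page), treats xmldsig's Id attribute as the "id attribute" the text refers to, and runs on a constructed signature skeleton whose only defect is an XMLTimeStamp where the profile requires an EncapsulatedTimeStamp.

```python
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "xades": "http://uri.etsi.org/01903/v1.3.2#"}  # assumed: XAdES 1.3.2 namespace used by Office

def check_xades_profile(xml_text):
    """Return the list of profile violations found in one signature (empty = conformant)."""
    root = ET.fromstring(xml_text)
    sig = root if root.tag == f"{{{NS['ds']}}}Signature" else root.find(".//ds:Signature", NS)
    if sig is None:
        return ["no ds:Signature element"]
    sp = sig.find(".//xades:QualifyingProperties/xades:SignedProperties", NS)
    if sp is None:
        return ["no xades:SignedProperties element"]
    issues = []
    ssp = sp.find("xades:SignedSignatureProperties", NS)
    for name in ("SigningCertificate", "SigningTime", "SignaturePolicyIdentifier"):
        if ssp is None or ssp.find(f"xades:{name}", NS) is None:
            issues.append(f"SignedSignatureProperties lacks {name}")
    # XAdES-T / XAdES-X time stamps must be DER-encoded EncapsulatedTimeStamp, not XMLTimeStamp.
    for ts_name in ("SignatureTimeStamp", "SigAndRefsTimeStamp"):
        for ts in sig.iter(f"{{{NS['xades']}}}{ts_name}"):
            if ts.find("xades:EncapsulatedTimeStamp", NS) is None:
                issues.append(f"{ts_name} lacks EncapsulatedTimeStamp")
    # XAdES-C: certificate references without revocation references are not well-formed.
    if (sig.find(".//xades:CompleteCertificateRefs", NS) is not None
            and sig.find(".//xades:CompleteRevocationRefs", NS) is None):
        issues.append("CompleteCertificateRefs present without CompleteRevocationRefs")
    # The Reference digesting SignedProperties must be in SignedInfo, or in a Manifest inside the
    # Object whose Id (xmldsig's spelling of the id attribute) is idXAdESReferenceObject.
    uri = "#" + sp.get("Id", "")
    in_signed_info = any(r.get("URI") == uri for r in sig.findall("ds:SignedInfo/ds:Reference", NS))
    in_manifest = any(obj.get("Id") == "idXAdESReferenceObject"
                      and any(r.get("URI") == uri for r in obj.findall("ds:Manifest/ds:Reference", NS))
                      for obj in sig.findall("ds:Object", NS))
    if not (in_signed_info or in_manifest):
        issues.append("no Reference to SignedProperties in SignedInfo or the idXAdESReferenceObject Manifest")
    return issues
# Constructed sample, not a real signature: conforms except that its time stamp is an XMLTimeStamp.
SAMPLE = """<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="idPackageSignature">
  <ds:SignedInfo><ds:Reference URI="#idSignedProperties"/></ds:SignedInfo>
  <ds:Object><xades:QualifyingProperties><xades:SignedProperties Id="idSignedProperties">
    <xades:SignedSignatureProperties><xades:SigningTime>2024-01-01T00:00:00Z</xades:SigningTime>
      <xades:SigningCertificate/><xades:SignaturePolicyIdentifier/></xades:SignedSignatureProperties>
    </xades:SignedProperties><xades:UnsignedProperties><xades:UnsignedSignatureProperties>
      <xades:SignatureTimeStamp><xades:XMLTimeStamp/></xades:SignatureTimeStamp>
    </xades:UnsignedSignatureProperties></xades:UnsignedProperties>
  </xades:QualifyingProperties></ds:Object>
</ds:Signature>"""
```

The check is purely structural: it does not verify digests, the signature value, or the certificate chain, which an xmldsig/XAdES validator must still do before any of these properties can be trusted.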