From: Konstantinos D. <ksd...@cs...> - 2016-05-16 10:03:37
|
Hello,

I uploaded at pastebin the output of the jboss standalone, the link is the following: http://pastebin.ca/3601286

I can spot some things that go wrong, but I would appreciate a more detailed help.

Thank you very much in advance,
Konstantinos Dimkas

> On 13 May 2016, at 14:36, Markus Kilås <ma...@pr...> wrote:
>
> On 05/13/2016 01:26 PM, Markus Kilås wrote:
>> Hello Konstantinos,
>>
>> Questions and answers like this could be very useful for other people as
>> well so please use the mailing list so that everybody can benefit from
>> the discussion. Alternatively if you need professional support you can
>> contact sa...@pr....
>>
>> Regards,
>> Markus
>>
>>
>> -------- Forwarded Message --------
>> Subject: Signserver setup and jboss
>> Date: Fri, 13 May 2016 12:53:47 +0300
>> From: Konstantinos Dimkas <ksd...@cs...>
>> To: Markus Kilås <ma...@pr...>
>>
>> Hello Markus,
>>
>> Thank you very much for your advice for the sign server setup. I am
>> still facing some problems with the installation and I could not
>> overcome the “No EJB handler available”. Due to the fact that I am new
>> to PKI (and I am still an intern at a non-profit organisation) I would
>> really appreciate it if you can point out to me a source with some more
>> detailed installation guidelines, I was not able to find more
>> instructions except from the official documentation. Also I would like
>> to know if there is a playbook for ansible to set up
>> jboss and signserver.
>>
>>
>> Thank you very much for your time,
>> Konstantinos Dimkas
>>
>
> Did you check the output from the application server log?
> Without knowing if the application has started correctly we can only
> make wild guesses about what could be the problem.
> You could upload the server log to paste bin like, https://pastebin.ca/
> and send the link here.
>
> Original discussion:
> https://sourceforge.net/p/signserver/mailman/message/35036165/
> Cheers,
> Markus
>
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
|
From: Markus K. <ma...@pr...> - 2016-05-13 11:36:28
|
On 05/13/2016 01:26 PM, Markus Kilås wrote:
> Hello Konstantinos,
>
> Questions and answers like this could be very useful for other people as
> well so please use the mailing list so that everybody can benefit from
> the discussion. Alternatively if you need professional support you can
> contact sa...@pr....
>
> Regards,
> Markus
>
>
> -------- Forwarded Message --------
> Subject: Signserver setup and jboss
> Date: Fri, 13 May 2016 12:53:47 +0300
> From: Konstantinos Dimkas <ksd...@cs...>
> To: Markus Kilås <ma...@pr...>
>
> Hello Markus,
>
> Thank you very much for your advice for the sign server setup. I am
> still facing some problems with the installation and I could not
> overcome the “No EJB handler available”. Due to the fact that I am new
> to PKI (and I am still an intern at a non-profit organisation) I would
> really appreciate it if you can point out to me a source with some more
> detailed installation guidelines, I was not able to find more
> instructions except from the official documentation. Also I would like
> to know if there is a playbook for ansible to set up
> jboss and signserver.
>
>
> Thank you very much for your time,
> Konstantinos Dimkas
>

Did you check the output from the application server log?
Without knowing if the application has started correctly we can only make wild guesses about what could be the problem.
You could upload the server log to paste bin like, https://pastebin.ca/ and send the link here.

Original discussion:
https://sourceforge.net/p/signserver/mailman/message/35036165/

Cheers,
Markus
|
From: Markus K. <ma...@pr...> - 2016-05-13 11:27:07
|
Hello Konstantinos,

Questions and answers like this could be very useful for other people as well so please use the mailing list so that everybody can benefit from the discussion. Alternatively if you need professional support you can contact sa...@pr....

Regards,
Markus

-------- Forwarded Message --------
Subject: Signserver setup and jboss
Date: Fri, 13 May 2016 12:53:47 +0300
From: Konstantinos Dimkas <ksd...@cs...>
To: Markus Kilås <ma...@pr...>

Hello Markus,

Thank you very much for your advice for the sign server setup. I am still facing some problems with the installation and I could not overcome the “No EJB handler available”. Due to the fact that I am new to PKI (and I am still an intern at a non-profit organisation) I would really appreciate it if you can point out to me a source with some more detailed installation guidelines, I was not able to find more instructions except from the official documentation. Also I would like to know if there is a playbook for ansible to set up jboss and signserver.

Thank you very much for your time,
Konstantinos Dimkas
|
From: Luc P. <luc...@gm...> - 2016-05-10 10:40:38
|
Hi,

Thanks for your answer!

Regards.

2016-05-01 19:31 GMT+02:00 Markus Kilås <ma...@pr...>:

> On 05/01/2016 06:14 PM, Luc Pallavidino wrote:
> > 2016-04-23 18:18 GMT+02:00 Markus Kilås <ma...@pr...>:
> >
> > On 04/20/2016 05:28 PM, Luc Pallavidino wrote:
> > > Hi,
> > >
> > > We use Signserver, and we want to know what kind of PDF signature is
> > > available in Signserver ?
> > > Is it PADES ? PADES-BES ? PADES-EPES ?
> > >
> > > Thank you for your helps.
> > >
> > > Regards,
> >
> > Hi Luc,
> >
> > SignServer does not currently implement PDF Advanced Signatures. Only
> > normal PDF signatures are supported.
> >
> > In the long run we hope to add support for all of the forms from the
> > PAdES Baseline profile.
> >
> > Cheers,
> > Markus
> > PrimeKey Solutions
> >
> > Save time and money with an Enterprise support subscription. Please see
> > www.primekey.se for more information.
> > https://www.primekey.se/technologies/products-overview/
> > https://www.primekey.se/service-support/support/
> >
> >
> > hi Markus,
> >
> > Thanks for your answer. Do you know what is the name of the standard
> > used in Signserver for the "normal PDF signatures " ?
> >
> > Regards,
> >
>
> That would be the "adbe.pkcs7.detached" sub filter as defined in ISO
> 32000-1, so basically a detached PKCS#7 but embedded in the PDF.
>
>
> Cheers,
> Markus
> PrimeKey Solutions
>

--
Pallavidino Luc
Tel.: +33-6-8070-3133
Mail: luc...@gm... <pal...@ho...>
Electronic payment and systems security engineer
|
From: Markus K. <ma...@pr...> - 2016-05-05 11:52:13
|
On 05/04/2016 06:58 PM, Arnaud Defos wrote:
> Hi everyone !
>
> Is it possible to sign just hash of documents instead of all content ?
> Especially with PDF documents ? How does it work ?
>
> Thanks for your answer
>
>
> Arnaud
>

Hi Arnaud,

Actually it is a hash of the (new) PDF document that is signed (excluding the part where the signature will be put).

Maybe what you are asking for is if it would be possible to just _send_ a hash of the document to SignServer to have it signed without having to send the content?

This could potentially be done like this:
1) Client would first have to construct the new PDF where it is enough room allocated for the signature
2) It would then compute the digest of the new PDF excluding the room for the signature
3) Send this digest to SignServer
4) SignServer would create and return the signature
5) Client would put the signature in the PDF

As you can see this requires support for this in the client application.

We are considering implementing support for a similar scheme in SignServer's SignClient (client CLI) application but for code signing using Authenticode (see https://jira.primekey.se/browse/DSS-1182 for example).

Cheers,
Markus
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see www.primekey.se for more information.
https://www.primekey.se/technologies/products-overview/
https://www.primekey.se/service-support/support/
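The five steps in the message above, as an added example that is not part of the original post and is not SignServer or SignClient code. It assumes a constructed, minimal PDF-like byte string, hypothetical function names, and an HMAC as a labelled stand-in for the PKCS#7 signature the server would return; the point is the `/ByteRange` handling, where only a 32-byte digest leaves the client.

```python
import hashlib
import hmac
import re

SIG_ROOM = 64                       # bytes reserved for the signature (constructed; real PKCS#7 needs far more)
DEMO_KEY = b"constructed-demo-key"  # stand-in for the server-side signing key
BYTE_RANGE_RE = re.compile(rb"/ByteRange \[(\d+) (\d+) (\d+) (\d+) *\]")


def prepare_pdf(body: bytes) -> bytes:
    """Step 1: append a signature dictionary with zero-filled room for the signature."""
    slot = b"/ByteRange [" + b" " * 40 + b"]"
    pdf = (body + b"\n1 0 obj\n<< /Type /Sig /SubFilter /adbe.pkcs7.detached "
           + slot + b" /Contents <" + b"0" * (2 * SIG_ROOM) + b"> >>\nendobj\n%%EOF\n")
    lt = pdf.index(b"/Contents <") + len(b"/Contents ")  # offset of '<'
    gt = lt + 1 + 2 * SIG_ROOM + 1                       # offset just past '>'
    values = b"0 %d %d %d" % (lt, gt, len(pdf) - gt)
    if len(values) > 40:
        raise ValueError("ByteRange values do not fit the reserved slot")
    # Same-length replacement, so the offsets computed above stay valid.
    return pdf.replace(slot, b"/ByteRange [" + values.ljust(40) + b"]", 1)


def signed_ranges(pdf: bytes):
    """Parse /ByteRange and insist that it covers everything except one gap."""
    m = BYTE_RANGE_RE.search(pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    a, alen, b, blen = (int(g) for g in m.groups())
    if a != 0 or a + alen > b or b + blen != len(pdf):
        raise ValueError("ByteRange does not cover the whole file around the gap")
    return a, alen, b, blen


def digest_for_signing(pdf: bytes) -> bytes:
    """Step 2: SHA-256 over the document, excluding the room for the signature."""
    a, alen, b, blen = signed_ranges(pdf)
    h = hashlib.sha256()
    h.update(pdf[a:a + alen])
    h.update(pdf[b:b + blen])
    return h.digest()


def remote_sign(digest: bytes) -> bytes:
    """Steps 3-4: stand-in for the signing server, which only ever sees the digest.
    HMAC is used here in place of a real PKCS#7 signature."""
    if len(digest) != 32:
        raise ValueError("expected a SHA-256 digest")
    return hmac.new(DEMO_KEY, digest, hashlib.sha256).digest()


def embed_signature(pdf: bytes, signature: bytes) -> bytes:
    """Step 5: write the hex-encoded signature into the reserved room."""
    if len(signature) > SIG_ROOM:
        raise ValueError("signature larger than the reserved room")
    _, alen, b, _ = signed_ranges(pdf)
    hex_sig = signature.hex().encode().ljust(2 * SIG_ROOM, b"0")
    return pdf[:alen + 1] + hex_sig + pdf[b - 1:]


def verify(pdf: bytes) -> bool:
    """Recompute the digest over the byte ranges and check the embedded value."""
    _, alen, b, _ = signed_ranges(pdf)
    embedded = bytes.fromhex(pdf[alen + 1:b - 1].decode())[:32]
    return hmac.compare_digest(embedded, remote_sign(digest_for_signing(pdf)))


def demo():
    unsigned = prepare_pdf(b"%PDF-1.7\n% constructed sample body\n")
    digest = digest_for_signing(unsigned)            # the only data sent to the server
    signed = embed_signature(unsigned, remote_sign(digest))
    return unsigned, digest, signed


if __name__ == "__main__":
    unsigned, digest, signed = demo()
    print("digest sent to server:", digest.hex())
    print("valid after embedding:", verify(signed))
```

Embedding the signature leaves the digest unchanged because the reserved room lies outside both byte ranges, which is why the room has to be allocated before the digest is computed.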
|
From: Arnaud D. <arn...@gm...> - 2016-05-04 16:58:27
|
Hi everyone !

Is it possible to sign just hash of documents instead of all content ? Especially with PDF documents ? How does it work ?

Thanks for your answer

Arnaud
|
From: Markus K. <ma...@pr...> - 2016-05-01 17:31:28
|
On 05/01/2016 06:14 PM, Luc Pallavidino wrote:
> 2016-04-23 18:18 GMT+02:00 Markus Kilås <ma...@pr...>:
>
> On 04/20/2016 05:28 PM, Luc Pallavidino wrote:
> > Hi,
> >
> > We use Signserver, and we want to know what kind of PDF signature is
> > available in Signserver ?
> > Is it PADES ? PADES-BES ? PADES-EPES ?
> >
> > Thank you for your helps.
> >
> > Regards,
>
> Hi Luc,
>
> SignServer does not currently implement PDF Advanced Signatures. Only
> normal PDF signatures are supported.
>
> In the long run we hope to add support for all of the forms from the
> PAdES Baseline profile.
>
> Cheers,
> Markus
> PrimeKey Solutions
>
> Save time and money with an Enterprise support subscription. Please see
> www.primekey.se for more information.
> https://www.primekey.se/technologies/products-overview/
> https://www.primekey.se/service-support/support/
>
>
> hi Markus,
>
> Thanks for your answer. Do you know what is the name of the standard
> used in Signserver for the "normal PDF signatures " ?
>
> Regards,
>

That would be the "adbe.pkcs7.detached" sub filter as defined in ISO 32000-1, so basically a detached PKCS#7 but embedded in the PDF.

Cheers,
Markus
PrimeKey Solutions
|
From: Luc P. <luc...@gm...> - 2016-05-01 16:14:30
|
hi Markus,

Thanks for your answer. Do you know what is the name of the standard used in Signserver for the "normal PDF signatures " ?

Regards,

2016-04-23 18:18 GMT+02:00 Markus Kilås <ma...@pr...>:

> On 04/20/2016 05:28 PM, Luc Pallavidino wrote:
> > Hi,
> >
> > We use Signserver, and we want to know what kind of PDF signature is
> > available in Signserver ?
> > Is it PADES ? PADES-BES ? PADES-EPES ?
> >
> > Thank you for your helps.
> >
> > Regards,
>
> Hi Luc,
>
> SignServer does not currently implement PDF Advanced Signatures. Only
> normal PDF signatures are supported.
>
> In the long run we hope to add support for all of the forms from the
> PAdES Baseline profile.
>
> Cheers,
> Markus
> PrimeKey Solutions
>
> Save time and money with an Enterprise support subscription. Please see
> www.primekey.se for more information.
> https://www.primekey.se/technologies/products-overview/
> https://www.primekey.se/service-support/support/
>

--
Pallavidino Luc
Tel.: +33-6-8070-3133
Mail: luc...@gm... <pal...@ho...>
Electronic payment and systems security engineer
|
From: Markus K. <ma...@pr...> - 2016-04-23 16:19:09
|
On 04/20/2016 05:28 PM, Luc Pallavidino wrote:
> Hi,
>
> We use Signserver, and we want to know what kind of PDF signature is
> available in Signserver ?
> Is it PADES ? PADES-BES ? PADES-EPES ?
>
> Thank you for your helps.
>
> Regards,

Hi Luc,

SignServer does not currently implement PDF Advanced Signatures. Only normal PDF signatures are supported.

In the long run we hope to add support for all of the forms from the PAdES Baseline profile.

Cheers,
Markus
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see www.primekey.se for more information.
https://www.primekey.se/technologies/products-overview/
https://www.primekey.se/service-support/support/
|
From: Markus K. <ma...@pr...> - 2016-04-23 16:10:02
|
>> On 04/13/2016 11:37 AM, Konstantinos Dimkas wrote:
>>> Hi all,
>>>
>>> I am new to PKI and EJBCA and I am trying to set up SignServer to
>>> timestamp documents. I followed the manual from signserver.org
>>> and there were no problems at the setup, but when I
>>> run the command /signserver reload 1,/ I get the error “No EJB receiver
>>> available for handling” as described here:
>>> https://developer.jboss.org/message/747360?_sscc=t. I added the
>>> following two lines as described in the solution
>>> ( jndiProps.put("jboss.naming.client.ejb.context",
>>> true); jndiProps.put(Context.URL_PKG_PREFIXES,
>>> "org.jboss.ejb.client.naming"); ) at the signclient executable that is
>>> located at signserver/bin/signclient but the error is still there.
>>> Could it be another problem, or I have to add it to another file?
>>>
>>> Thanks for your time,
>>> Konstantinos Dimkas
>>>
>>
>> Hi Konstantinos,
>> You should not have to do any changes to signclient.
>>
>> The "No EJB receiver available for handling" means that the CLI
>> (signclient) was not able to talk to SignServer within the application
>> server.
>>
>> There are a number of possible reasons for this like:
>> a) If the application server is not running. Check in output/log that
>> the applications server has started correctly
>> b) If the SignServer application failed to deploy within the application
>> server (or was not deployed). Check in the output/log that SignServer
>> has started and that there is not other error messages.
>> c) If the right application server is not pointed out. Typically you
>> would set the APPSRV_HOME environment variable and point it to the
>> correct application server.
>> d) If you are using WildFly you would need to change the port the CLI is
>> using from the default 4447 to 8080 by editing the following file:
>> conf/jboss7/jboss-ejb-client.properties
>>
>>
>> Cheers,
>> Markus
>> PrimeKey Solutions
>>
>> Save time and money with an Enterprise support subscription. Please see
>> www.primekey.se for more information.
>> https://www.primekey.se/technologies/products-overview/
>> https://www.primekey.se/service-support/support/

On 04/20/2016 10:46 AM, Konstantinos Dimkas wrote:
> Hi Markus,
>
> Sorry for the late response, but I was flooded with tasks last week.
>
> I am working at the EJBCA VM and I only downloaded signserver. So I
> suppose that JBoss should work OK, as I did not have to make any changes.
> As for the variable, it has the following value: $APPSRV_HOME = /opt/jboss
> And I am not using wildfly
> What should I try in order to get it working?
>
>
> Thank you for your time,
> I Really appreciate your help!
>
> Konstantinos Dimkas
>
>> On 13 Apr 2016, at 13:52, Markus Kilås <ma...@pr...> wrote:
>>

Hi Konstantinos,

You need to check a) and b) from above, i.e. check for errors in the application server log.

Also it might not be possible to run both EJBCA and SignServer at the same time in the same application server. This might only work for certain combinations of EJBCA and SignServer versions and are in generally not something that we support.

Cheers,
Markus
PrimeKey Solutions
|
From: Luc P. <luc...@gm...> - 2016-04-20 15:28:15
|
Hi,

We use Signserver, and we want to know what kind of PDF signature is available in Signserver ?
Is it PADES ? PADES-BES ? PADES-EPES ?

Thank you for your helps.

Regards,
|
From: Konstantinos D. <ksd...@cs...> - 2016-04-20 08:47:11
|
Hi Markus,

Sorry for the late response, but I was flooded with tasks last week.

I am working at the EJBCA VM and I only downloaded signserver. So I suppose that JBoss should work OK, as I did not have to make any changes.
As for the variable, it has the following value: $APPSRV_HOME = /opt/jboss
And I am not using wildfly
What should I try in order to get it working?

Thank you for your time,
I Really appreciate your help!

Konstantinos Dimkas

> On 13 Apr 2016, at 13:52, Markus Kilås <ma...@pr...> wrote:
>
> On 04/13/2016 11:37 AM, Konstantinos Dimkas wrote:
>> Hi all,
>>
>> I am new to PKI and EJBCA and I am trying to set up SignServer to
>> timestamp documents. I followed the manual from signserver.org
>> and there were no problems at the setup, but when I
>> run the command /signserver reload 1,/ I get the error “No EJB receiver
>> available for handling” as described here:
>> https://developer.jboss.org/message/747360?_sscc=t. I added the
>> following two lines as described in the solution
>> ( jndiProps.put("jboss.naming.client.ejb.context",
>> true); jndiProps.put(Context.URL_PKG_PREFIXES,
>> "org.jboss.ejb.client.naming"); ) at the signclient executable that is
>> located at signserver/bin/signclient but the error is still there.
>> Could it be another problem, or I have to add it to another file?
>>
>> Thanks for your time,
>> Konstantinos Dimkas
>>
>
> Hi Konstantinos,
> You should not have to do any changes to signclient.
>
> The "No EJB receiver available for handling" means that the CLI
> (signclient) was not able to talk to SignServer within the application
> server.
>
> There are a number of possible reasons for this like:
> a) If the application server is not running. Check in output/log that
> the applications server has started correctly
> b) If the SignServer application failed to deploy within the application
> server (or was not deployed). Check in the output/log that SignServer
> has started and that there is not other error messages.
> c) If the right application server is not pointed out. Typically you
> would set the APPSRV_HOME environment variable and point it to the
> correct application server.
> d) If you are using WildFly you would need to change the port the CLI is
> using from the default 4447 to 8080 by editing the following file:
> conf/jboss7/jboss-ejb-client.properties
>
>
> Cheers,
> Markus
> PrimeKey Solutions
>
> Save time and money with an Enterprise support subscription. Please see
> www.primekey.se for more information.
> https://www.primekey.se/technologies/products-overview/
> https://www.primekey.se/service-support/support/
>
|
From: Markus K. <ma...@pr...> - 2016-04-13 10:52:45
|
On 04/13/2016 11:37 AM, Konstantinos Dimkas wrote:
> Hi all,
>
> I am new to PKI and EJBCA and I am trying to set up SignServer to
> timestamp documents. I followed the manual from signserver.org
> and there were no problems at the setup, but when I
> run the command /signserver reload 1,/ I get the error “No EJB receiver
> available for handling” as described here:
> https://developer.jboss.org/message/747360?_sscc=t. I added the
> following two lines as described in the solution
> ( jndiProps.put("jboss.naming.client.ejb.context",
> true); jndiProps.put(Context.URL_PKG_PREFIXES,
> "org.jboss.ejb.client.naming"); ) at the signclient executable that is
> located at signserver/bin/signclient but the error is still there.
> Could it be another problem, or I have to add it to another file?
>
> Thanks for your time,
> Konstantinos Dimkas
>

Hi Konstantinos,

You should not have to do any changes to signclient.

The "No EJB receiver available for handling" means that the CLI (signclient) was not able to talk to SignServer within the application server.

There are a number of possible reasons for this like:
a) If the application server is not running. Check in output/log that the applications server has started correctly
b) If the SignServer application failed to deploy within the application server (or was not deployed). Check in the output/log that SignServer has started and that there is not other error messages.
c) If the right application server is not pointed out. Typically you would set the APPSRV_HOME environment variable and point it to the correct application server.
d) If you are using WildFly you would need to change the port the CLI is using from the default 4447 to 8080 by editing the following file: conf/jboss7/jboss-ejb-client.properties

Cheers,
Markus
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see www.primekey.se for more information.
https://www.primekey.se/technologies/products-overview/
https://www.primekey.se/service-support/support/
|
From: Konstantinos D. <ksd...@cs...> - 2016-04-13 09:37:49
|
Hi all,

I am new to PKI and EJBCA and I am trying to set up SignServer to timestamp documents. I followed the manual from signserver.org and there were no problems at the setup, but when I run the command signserver reload 1, I get the error “No EJB receiver available for handling” as described here: https://developer.jboss.org/message/747360?_sscc=t. I added the following two lines as described in the solution ( jndiProps.put("jboss.naming.client.ejb.context", true); jndiProps.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming"); ) at the signclient executable that is located at signserver/bin/signclient but the error is still there.
Could it be another problem, or I have to add it to another file?

Thanks for your time,
Konstantinos Dimkas
|
From: André C. <and...@te...> - 2016-04-04 11:21:51
|
Hi Markus

Best thanks for your response.

I think is correct, that level 2 sole control must be supported by the SSCD or HSM if you consider the Slide 15. What's about the slide 17? If I understand slide 17 right, level 2 sole control can also implemented with a "simpler" shaping, because the signing server is responsible for the multi factor authentication of the signer. The SSCD itself is "only" responsible for nonce creation and the validation of the nonce + 1 factor SAD hash and DTBS (e.g. document hash).

Under the adoption that a SSCD supports level 2 sole control, does the SignServer is able to produces signed hashes with level 2 sole control by default? If not, what has to be modified and what are the estimated effort?

Cheers,
André

-----Original Message-----
From: Markus Kilås [mailto:ma...@pr...]
Sent: Monday, 4 April 2016 10:08
To: sig...@li...
Subject: Re: [SignServer-develop] SigServer - Level 2 sole control

On 03/31/2016 09:34 AM, André Clerc wrote:
> Dear SignServer developer
>
> On behalf of a customer, I send you this e-mail because he is
> interested in a signing solution. Unlike to CRS, where a CA creates
> and sign certificates, the customer would like to have signed hash values (e.g.:
> hash of a document, code, etc.). These hash values refer to a document
> will be produced by an external application (please see illustration
> below or in the attachment).
>
> cid:image002.png@01D1893B.2C9FA1F0
>
> As a special criteria the customer is interested in particular for a
> possible implementation of the *level 2 sole control* regarding TS 419
> 241 respectively EN 419 241. Our understanding with respect to level 2
> sole control have I added to the PS. If EJBCA does currently not
> support level 2 sole control, what is the size of the estimated
> effort/cost and what kind problems there are still to be resolved.
>
> Yours sincerely
>
> André Clerc
>
> *PS:* Our understanding with respect to Level 2 Sole Control is such
> that, a commitment to release a signature have to be protect by
> multiple factors. One allowed way for a multi-factor authentication is
> provided by the signature creation device itself. Another method is a
> multi-factor authentication of the signer by the server signing
> application followed by a commitment protect by 1 factor (please
> review the attached diagram in the slide 13 and 17) in a secure way.
>

Hi André,

I have only had a quick look but from what I have seen I agree with your understanding that in the level 2 you would need to have some support for this provided by the SSCD itself. I am not sure what devices exists with this functionality though.

Cheers,
Markus

> --
>
> André Clerc
>
> Expert IT Security Consultant
>
> *TEMET AG*
>
> Basteiplatz 5, CH-8001 Zürich
>
> T: +41 79 222 22 54 | Office: +41 44 302 24 42
>
> and...@te... | www.temet.ch
|
From: Markus K. <ma...@pr...> - 2016-04-04 08:08:19
|
On 03/31/2016 09:34 AM, André Clerc wrote:
> Dear SignServer developer
>
> On behalf of a customer, I send you this e-mail because he is interested
> in a signing solution. Unlike to CRS, where a CA creates and sign
> certificates, the customer would like to have signed hash values (e.g.:
> hash of a document, code, etc.). These hash values refer to a document
> will be produced by an external application (please see illustration
> below or in the attachment).
>
> cid:image002.png@01D1893B.2C9FA1F0
>
> As a special criteria the customer is interested in particular for a
> possible implementation of the *level 2 sole control* regarding TS 419
> 241 respectively EN 419 241. Our understanding with respect to level 2
> sole control have I added to the PS. If EJBCA does currently not support
> level 2 sole control, what is the size of the estimated effort/cost and
> what kind problems there are still to be resolved.
>
> Yours sincerely
>
> André Clerc
>
> *PS:* Our understanding with respect to Level 2 Sole Control is such
> that, a commitment to release a signature have to be protect by multiple
> factors. One allowed way for a multi-factor authentication is provided
> by the signature creation device itself. Another method is a
> multi-factor authentication of the signer by the server signing
> application followed by a commitment protect by 1 factor (please review
> the attached diagram in the slide 13 and 17) in a secure way.
>

Hi André,

I have only had a quick look but from what I have seen I agree with your understanding that in the level 2 you would need to have some support for this provided by the SSCD itself. I am not sure what devices exists with this functionality though.

Cheers,
Markus

> --
>
> André Clerc
>
> Expert IT Security Consultant
>
> *TEMET AG*
>
> Basteiplatz 5, CH-8001 Zürich
>
> T: +41 79 222 22 54 | Office: +41 44 302 24 42
>
> and...@te... | www.temet.ch
|
From: Markus K. <ma...@pr...> - 2016-04-02 14:13:03
|
On 03/08/2016 03:02 PM, Markus Kilås wrote:
> On 03/08/2016 02:55 PM, Martin Kannel wrote:
>> Hi Markus!
>>
>> Thanks for quick reply!
>>
>> On 08.03.2016 15:31, Markus Kilås wrote:
>>> On 03/08/2016 01:57 PM, Martin Kannel wrote:
>>>> I'd like to ask is there possibility to configure SignServer
>>>> (TimeStampSigner) so, that timestamp responses contain always the
>>>> extension "qcStatements" with the value "esi4-qtstStatement-1"? If yes,
>>>> then how?
>>>>
>>>> (I saw only ACCEPTEDEXTENSION parameter in the manual, but that's not
>>>> it?)
>>> Maybe not exactly what you want but I think the idea with
>>> ACCEPTEDEXTENSIONS would be that if the request contains an extension
>>> with that OID it would be included (copied) to the response.
>> Yes, you're right, that's not what I need, but it's good to know that if
>> the request contains an extension with the OID, then it is copied to the
>> response.
>> I'll try to test it.
>>>> That kind of requirement may be raised when applying ETSI EN 319 422
>>>> V1.0.0 standard (see chapter 9.1):
>>>> "When a time-stamp token is a qualified electronic time-stamp as per
>>>> Regulation (EU) No 910/2014 [i.3], it should contain one instance of the
>>>> qcStatements extension with the syntax as defined in IETF RFC 3739
>>>> [i.5], clause 3.2.6. If the qcStatements extension is present, it shall
>>>> contain one instance of the statement "esi4-qtstStatement-1" defined in
>>>> annex B."
>>>>
>>> If the qcStatements OID is included in ACCEPTEDEXTENSION and the request
>>> contains it then I think it would be included.
>>>
>>> I haven't looked into those documents yet but if I understand what you
>>> have sent the TSA should add the extension itself and not take it from
>>> the request, right?
>> Yes, right.
>> I understand those documents the same way. The addition of this
>> extension should be time-stamp token's (timestampsigner) responsibility.
>>
>> Any chance it would be implemented in one of the future releases of
>> SignServer? :-)
>
> It is not currently on the roadmap but we are always interested in
> contributions in case you would like to implement it and supply the
> patches.
>
> Otherwise, in case you would like us to implement it you can send a
> request to start the discussion about it with sa...@pr... .
>
>
> BR,
> Markus
> PrimeKey
>
> PrimeKey Solutions offers a commercial EJBCA & SignServer support
> subscription and training. Please see www.primekey.se or contact
> in...@pr... for more information.
> https://www.primekey.se/Services/Support/
> https://www.primekey.se/Services/Training/
>
>>
>> Regards,
>> Martin
>>
>>> BR,
>>> Markus
>>>
>>
>

Hi,

Just to let you all know that the implementation with support for the qCStatement extension has been scheduled in https://jira.primekey.se/browse/DSS-1165 and will most likely be available in the next release of SignServer Enterprise.

Regards,
Markus
PrimeKey Solutions
|
From: André C. <and...@te...> - 2016-03-31 07:34:47
|
Dear SignServer developer

On behalf of a customer, I send you this e-mail because he is interested in a signing solution. Unlike to CRS, where a CA creates and signs certificates, the customer would like to have signed hash values (e.g.: hash of a document, code, etc.). These hash values refer to a document will be produced by an external application (please see illustration below or in the attachment).

[image: cid:image002.png@01D1893B.2C9FA1F0]

As a special criteria the customer is interested in particular for a possible implementation of the *level 2 sole control* regarding TS 419 241 respectively EN 419 241. Our understanding with respect to level 2 sole control have I added to the PS.

If EJBCA does currently not support level 2 sole control, what is the size of the estimated effort/cost and what kind problems there are still to be resolved.

Yours sincerely
André Clerc

*PS:* Our understanding with respect to Level 2 Sole Control is such that, a commitment to release a signature have to be protect by multiple factors. One allowed way for a multi-factor authentication is provided by the signature creation device itself. Another method is a multi-factor authentication of the signer by the server signing application followed by a commitment protect by 1 factor (please review the attached diagram in the slide 13 and 17) in a secure way.

-- 
André Clerc
Expert IT Security Consultant
*TEMET AG*
Basteiplatz 5, CH-8001 Zürich
T: +41 79 222 22 54 | Büro: +41 44 302 24 42
and...@te... | www.temet.ch |
|
From: Markus K. <ma...@pr...> - 2016-03-08 14:02:45
|
On 03/08/2016 02:55 PM, Martin Kannel wrote:
> Hi Markus!
>
> Thanks for quick reply!
>
> On 08.03.2016 15:31, Markus Kilås wrote:
>> On 03/08/2016 01:57 PM, Martin Kannel wrote:
>>> I'd like to ask is there possibility to configure SignServer
>>> (TimeStampSigner) so, that timestamp responses contain always the
>>> extension "qcStatements" with the value "esi4-qtstStatement-1"? If yes,
>>> then how?
>>>
>>> (I saw only ACCEPTEDEXTENSION parameter in the manual, but that's not
>>> it?)
>> Maybe not exactly what you want but I think the idea with
>> ACCEPTEDEXTENSIONS would be that if the request contains an extension
>> with that OID it would be included (copied) to the response.
> Yes, you're right, that's not what I need, but it's good to know that if
> the request contains an extension with the OID, then it is copied to the
> response.
> I'll try to test it.
>>> That kind of requirement may be raised when applying ETSI EN 319 422
>>> V1.0.0 standard (see chapter 9.1):
>>> "When a time-stamp token is a qualified electronic time-stamp as per
>>> Regulation (EU) No 910/2014 [i.3], it should contain one instance of the
>>> qcStatements extension with the syntax as defined in IETF RFC 3739
>>> [i.5], clause 3.2.6. If the qcStatements extension is present, it shall
>>> contain one instance of the statement "esi4-qtstStatement-1" defined in
>>> annex B."
>>>
>> If the qcStatements OID is included in ACCEPTEDEXTENSION and the request
>> contains it then I think it would be included.
>>
>> I haven't looked into those documents yet but if I understand what you
>> have sent the TSA should add the extension itself and not take it from
>> the request, right?
> Yes, right.
> I understand those documents the same way. The addition of this
> extension should be time-stamp token's (timestampsigner) responsibility.
>
> Any chance it would be implemented in one of the future releases of
> SignServer? :-)

It is not currently on the roadmap but we are always interested in
contributions in case you would like to implement it and supply the
patches.

Otherwise, in case you would like us to implement it you can send a
request to start the discussion about it with sa...@pr... .


BR,
Markus
PrimeKey

PrimeKey Solutions offers a commercial EJBCA & SignServer support
subscription and training. Please see www.primekey.se or contact
in...@pr... for more information.
https://www.primekey.se/Services/Support/
https://www.primekey.se/Services/Training/

>
> Regards,
> Martin
>
>> BR,
>> Markus
>>
>

-- 
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB
Lundagatan 16
SE-171 63 Solna
Sweden

Phone: +46 70 424 94 85
Email: mar...@pr...
https://www.primekey.se |
|
From: Martin K. <mar...@cy...> - 2016-03-08 13:55:28
|
Hi Markus!

Thanks for quick reply!

On 08.03.2016 15:31, Markus Kilås wrote:
> On 03/08/2016 01:57 PM, Martin Kannel wrote:
>> I'd like to ask is there possibility to configure SignServer
>> (TimeStampSigner) so, that timestamp responses contain always the
>> extension "qcStatements" with the value "esi4-qtstStatement-1"? If yes,
>> then how?
>>
>> (I saw only ACCEPTEDEXTENSION parameter in the manual, but that's not it?)
> Maybe not exactly what you want but I think the idea with
> ACCEPTEDEXTENSIONS would be that if the request contains an extension
> with that OID it would be included (copied) to the response.

Yes, you're right, that's not what I need, but it's good to know that if
the request contains an extension with the OID, then it is copied to the
response.
I'll try to test it.

>> That kind of requirement may be raised when applying ETSI EN 319 422
>> V1.0.0 standard (see chapter 9.1):
>> "When a time-stamp token is a qualified electronic time-stamp as per
>> Regulation (EU) No 910/2014 [i.3], it should contain one instance of the
>> qcStatements extension with the syntax as defined in IETF RFC 3739
>> [i.5], clause 3.2.6. If the qcStatements extension is present, it shall
>> contain one instance of the statement "esi4-qtstStatement-1" defined in
>> annex B."
>>
> If the qcStatements OID is included in ACCEPTEDEXTENSION and the request
> contains it then I think it would be included.
>
> I haven't looked into those documents yet but if I understand what you
> have sent the TSA should add the extension itself and not take it from
> the request, right?

Yes, right.
I understand those documents the same way. The addition of this
extension should be time-stamp token's (timestampsigner) responsibility.

Any chance it would be implemented in one of the future releases of
SignServer? :-)

Regards,
Martin

> BR,
> Markus
> |
|
From: Markus K. <ma...@pr...> - 2016-03-08 13:31:45
|
On 03/08/2016 01:57 PM, Martin Kannel wrote:
> Hi signserver users!

Hi Martin,

>
> I'd like to ask is there possibility to configure SignServer
> (TimeStampSigner) so, that timestamp responses contain always the
> extension "qcStatements" with the value "esi4-qtstStatement-1"? If yes,
> then how?
>
> (I saw only ACCEPTEDEXTENSION parameter in the manual, but that's not it?)

Maybe not exactly what you want but I think the idea with
ACCEPTEDEXTENSIONS would be that if the request contains an extension
with that OID it would be included (copied) to the response.

>
> That kind of requirement may be raised when applying ETSI EN 319 422
> V1.0.0 standard (see chapter 9.1):
> "When a time-stamp token is a qualified electronic time-stamp as per
> Regulation (EU) No 910/2014 [i.3], it should contain one instance of the
> qcStatements extension with the syntax as defined in IETF RFC 3739
> [i.5], clause 3.2.6. If the qcStatements extension is present, it shall
> contain one instance of the statement "esi4-qtstStatement-1" defined in
> annex B."
>

If the qcStatements OID is included in ACCEPTEDEXTENSION and the request
contains it then I think it would be included.

I haven't looked into those documents yet but if I understand what you
have sent the TSA should add the extension itself and not take it from
the request, right?

BR,
Markus

> I'm using signserver-ce-3.7.0.
>
> Thanks and
> Cheers!
>

-- 
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB
Lundagatan 16
SE-171 63 Solna
Sweden

Phone: +46 70 424 94 85
Email: mar...@pr...
https://www.primekey.se |
|
From: Martin K. <mar...@cy...> - 2016-03-08 13:14:49
|
Hi signserver users!

I'd like to ask is there possibility to configure SignServer
(TimeStampSigner) so, that timestamp responses contain always the
extension "qcStatements" with the value "esi4-qtstStatement-1"? If yes,
then how?

(I saw only ACCEPTEDEXTENSION parameter in the manual, but that's not it?)

That kind of requirement may be raised when applying ETSI EN 319 422
V1.0.0 standard (see chapter 9.1):
"When a time-stamp token is a qualified electronic time-stamp as per
Regulation (EU) No 910/2014 [i.3], it should contain one instance of the
qcStatements extension with the syntax as defined in IETF RFC 3739
[i.5], clause 3.2.6. If the qcStatements extension is present, it shall
contain one instance of the statement "esi4-qtstStatement-1" defined in
annex B."

I'm using signserver-ce-3.7.0.

Thanks and
Cheers!

-- 
Martin |
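The clause quoted in this thread can be checked mechanically on the extensions of an issued time-stamp token. The following Python is an added example, not part of the original posts and not SignServer code; it assumes the token's Extensions field has already been extracted as DER, that the id of esi4-qtstStatement-1 is 0.4.0.19422.1.1 (check against annex B of the standard), and it uses constructed sample bytes.

```python
QC_STATEMENTS = "1.3.6.1.5.5.7.1.3"  # id-pe-qcStatements, RFC 3739
QTST_STATEMENT = "0.4.0.19422.1.1"   # assumed id of esi4-qtstStatement-1 (EN 319 422 annex B)

def tlvs(buf):
    """Yield (tag, value) for each DER TLV in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length octets
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        if i + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[i:i + n]
        i += n

def oid(content):
    """Decode OID content octets to dotted notation."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def check_qtst(extensions_der):
    """Classify a token's Extensions against the EN 319 422 clause quoted above."""
    (_, body), = tlvs(extensions_der)          # outer Extensions SEQUENCE
    n_ext = n_stmt = 0
    for _, ext in tlvs(body):
        fields = list(tlvs(ext))               # extnID, [critical], extnValue
        if oid(fields[0][1]) != QC_STATEMENTS:
            continue
        n_ext += 1
        (_, stmts), = tlvs(fields[-1][1])      # OCTET STRING wraps QCStatements
        for _, stmt in tlvs(stmts):
            n_stmt += oid(next(tlvs(stmt))[1]) == QTST_STATEMENT
    if n_ext == 0:
        return "no qcStatements"               # the "should" part is not met
    return "ok" if (n_ext, n_stmt) == (1, 1) else "violation"

# Constructed DER samples (not captured from a real TSA).
WITH_QTST = bytes.fromhex("301b3019" "06082b06010505070103" "040d300b3009" "0607040081975e0101")
OTHER_STATEMENT = bytes.fromhex("30173015" "06082b06010505070103" "040930073005" "0603883701")
```

Running the same check on tokens issued for requests with and without the extension shows whether the extension is only being copied from the request or is added by the TSA itself.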
|
From: Chirpy S. <chi...@gm...> - 2016-02-11 01:51:43
|
Thank you! I was able to download the binary version and deploy it on JBoss 7.1.1 with all the default settings (no database). Next step will be to define a signer worker and sign something - will let you know if I have any problems.

Best regards,
somesh

On Tue, Feb 9, 2016 at 12:02 PM, Markus Kilås <ma...@pr...> wrote:

> On 02/09/2016 08:19 PM, Chirpy Soft wrote:
> > Hi all,
> >
> > I'm trying to compile SignServer 3.7 and see this error
> >
> > BUILD FAILED
> > /opt/signserver/res/deploytools/build-impl.xml:99: Missing
> > /opt/signserver/lib/ext/DeployTools-Ant-1.1.2.jar
> >
> > There indeed is no jar in that location but a DeployTools-1.1.2.pom
> > which indicates something to do with Maven?
> >
> > Please help.
> >
> > Thank you,
> > igor
> >
>
> Hi igor!
> Which download of SignServer are you using?
>
> For every version there are three different notice the end of the file
> names:
> 1) signserver-ce-3.7.0.zip
> The first contains both sources and all dependencies needed to build and
> deploy SignServer.
>
> 2) signserver-ce-3.7.0-bin.zip
> The second contains an already built SignServer and its dependencies
> ready to be deployed but no sources.
>
> 3) signserver-ce-3.7.0.src.tar.gz
> The third contains only the sources and can not be built without first
> gathering all the required dependencies.
>
> Number two is recommended as you don't have to build and can go directly
> with "bin/ant deploy" otherwise you use the first one and "bin/ant build
> deploy".
>
> Let me know if this helps.
>
>
> Cheers,
> Markus
> PrimeKey Solutions
>
> Save time and money with an Enterprise support subscription. Please see
> www.primekey.se for more information.
> https://www.primekey.se/technologies/products-overview/
> https://www.primekey.se/service-support/support/
>
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
> |
|
From: Markus K. <ma...@pr...> - 2016-02-09 20:03:01
|
On 02/09/2016 08:19 PM, Chirpy Soft wrote:
> Hi all,
>
> I'm trying to compile SignServer 3.7 and see this error
>
> BUILD FAILED
> /opt/signserver/res/deploytools/build-impl.xml:99: Missing
> /opt/signserver/lib/ext/DeployTools-Ant-1.1.2.jar
>
> There indeed is no jar in that location but a DeployTools-1.1.2.pom
> which indicates something to do with Maven?
>
> Please help.
>
> Thank you,
> igor
>

Hi igor!
Which download of SignServer are you using?

For every version there are three different notice the end of the file
names:
1) signserver-ce-3.7.0.zip
The first contains both sources and all dependencies needed to build and
deploy SignServer.

2) signserver-ce-3.7.0-bin.zip
The second contains an already built SignServer and its dependencies
ready to be deployed but no sources.

3) signserver-ce-3.7.0.src.tar.gz
The third contains only the sources and can not be built without first
gathering all the required dependencies.

Number two is recommended as you don't have to build and can go directly
with "bin/ant deploy" otherwise you use the first one and "bin/ant build
deploy".

Let me know if this helps.


Cheers,
Markus
PrimeKey Solutions

Save time and money with an Enterprise support subscription. Please see
www.primekey.se for more information.
https://www.primekey.se/technologies/products-overview/
https://www.primekey.se/service-support/support/ |
|
From: Chirpy S. <chi...@gm...> - 2016-02-09 19:19:43
|
Hi all,

I'm trying to compile SignServer 3.7 and see this error

BUILD FAILED
/opt/signserver/res/deploytools/build-impl.xml:99: Missing
/opt/signserver/lib/ext/DeployTools-Ant-1.1.2.jar

There indeed is no jar in that location but a DeployTools-1.1.2.pom
which indicates something to do with Maven?

Please help.

Thank you,
igor |