|
|
|
|
|||||||||
|
VERS STORY | STANDARD | ASSESSMENT | PROJECTS | DIGITAL ARCHIVE | TRAINING | TOOLKIT | PUBLICATIONS | |
|
|||||||||
|
|||||
|
5.3 Structure of Signature Block and Lock Signature Block A Signature Block contains one digital signature and all the information necessary to verify the signature. The structure of the Signature Block is shown in the following figure.
Figure 16. The contents of a Signature Block. A Lock Signature Block is identical. The contents of the signature block are:
The structure of a Lock Signature Block is identical to that of a Signature Block. An example of a Signature Block follows: <vers:SignatureBlock vers:id="Revision:1-Signature:1"> <vers:SignatureFormatDescription> The contents of this VEO are signed using the SHA-1 hash algorithm and the DSA digital signature algorithm. SHA-1 is defined in Secure Hash Standard, FIPS PUB 180-1, National Institute of Standards and Technology, US Department of Commerce, 17 April 1995 (http://csrc.nist.gov/publications/fips/fips180-1/fip180-1.pdf). The DSA algorithm is defined in Digital Signature Standard (DSS), FIPS PUB 186-2, National Institute of Standards and Technology US Department of Commerce, 27 January 2000 (http://csrc.nist.gov/publications/fips/fips186-2/fip186-2-change1.pdf). Details of the public keys are encoded as X.509 certificates in the vers:CertificateBlock elements. X.509 certificates are defined in "Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks", ITU-T Recommendation X.509 (2000). The signature and certificates are encoded using Base64. Base64 is defined in Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies, Section 6.8, Base64 Content-Transfer-Encoding, IETF RFC 2045, N. Freed & N. Borenstein, November 1996, (http://www.ietf.org/rfc/rfc2045.txt?number=2045). The signature covers the contents of the vers:SignedObject element starting with the 'less than' symbol of the vers:SignedObject start tag, up to and including the 'greater than' symbol of the vers:SignedObject end tag. Before verifying the signature all whitespace (Unicode characters U+0009, U+000A, U+000D, and U+0020) must be removed from the text. </vers:SignatureFormatDescription> <vers:SignatureAlgorithm> <vers:SignatureAlgorithmIdentifier> 1.2.840.10040.4.3 </vers:SignatureAlgorithmIdentifier> </vers:SignatureAlgorithm> <vers:SignatureDate>2003-03-20T11:27:48-10:00</vers:SignatureDate> <vers:Signer>PROV Notary (Notary for PROV generated VEOs)</vers:Signer> <vers:Signature> MCwCFChPTcPBV+KkuBb9YZcQEbMbfos7AhQG8yrd91Hz0D5pefIXZutJFwdHbg== </vers:Signature> <vers:CertificateBlock> <vers:Certificate> MIICoTCCAmGgAwIBAgIBETAJBgcqhkjOOAQDMEAxCzAJBgNVBAYTAkFVMSAwHgYDVQQKExdEb2Rn eSBCcm9zIENlcnRpZmljYXRlczEPMA0GA1UEAxMGUm9vdENBMB4XDTAzMDEyMjEwNTQxNloXDTAz MDEyMzAxNDA1NlowMjELMAkGA1UEBhMCQVUxDTALBgNVBAoTBFBST1YxFDASBgNVBAMTC1BST1Yg Tm90YXJ5MIIBtDCCASkGByqGSM44BAEwggEcAoGA/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/ gLZRJmlFXUAiUftZPY1Y+r/F9bow9subVWzXgTuAHTRv8mZgt2uZUKWkn5/oBHsQIsJPu6nX/rfG G/g7V+fGqKYVDwT7g/bTxR7DAjVUE1oWkTL2dfOuK2HXKu/yIgMZndFIAccCFJdgUI8VIwvMspK5 gqLrhAvwWBz1AoGA9+GghdabPd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCB gLRJFnEj6EwoFhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYQAAoGAy6h2g/EwZaGzotoIX726y32CzI1rwaNF reYce1JvOfq94KpVqu79fQl+4tjSyxi0TS/H2RVfcdrKP+8uLTx4CQjzON2uqlvv84Lhg+Dhxc2E JpH9RlbQa3B0RvILTjeGylcwmVUj+brdT5+foBhQHTIaeHdQsMddzJeB7QVG1cgwCQYHKoZIzjgE AwMvADAsAhR+T7l7OSF0w9uG65gBeXGzwkMQ9AIUAvB9N2i62E9od7uDZHF1opxP0l4= </vers:Certificate> <vers:Certificate> MIICrzCCAm+gAwIBAgIBETAJBgcqhkjOOAQDMEAxCzAJBgNVBAYTAkFVMSAwHgYDVQQKExdEb2Rn eSBCcm9zIENlcnRpZmljYXRlczEPMA0GA1UEAxMGUm9vdENBMB4XDTAzMDEyMjEwNTIyMVoXDTAz MDEyMzAxMzkwMVowQDELMAkGA1UEBhMCQVUxIDAeBgNVBAoTF0RvZGd5IEJyb3MgQ2VydGlmaWNh dGVzMQ8wDQYDVQQDEwZSb290Q0EwggG0MIIBKQYHKoZIzjgEATCCARwCgYD9f1OBHXUSKVLfSpwu 7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSf n+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgB xwIUl2BQjxUjC8yykrmCouuEC/BYHPUCgYD34aCF1ps93su8q1w2uFe5eZSvu/o66oL5V0wLPQeC Z1FZV4661FlP5nEHEIGAtEkWcSPoTCgWE7fPCTKMyKbhPBZ6i1R8jSjgo64eK7OmdZFuo38L+iE1 YvH7YnoBJDvMpPG+qFGQiaiD3+Fa5Z8GkotmXoB7VSVkAUw7/s9JKgOBhAACgYCmx50D/58WrFwa vjkxGr+Qq9uSQQAzte7gTOlmC1O3P6iYY5zmhZ/uWrXfieZPUK3DGyZfZ3HtG7//U+TgezgYTmyh uiUIDzWOZlMJCU9CZrKcB5CWfqLY6ijxucMS3NedcbwgOlzVHhfcR+yqLIKh7plogBZYfQttrfSs wuxJ0TAJBgcqhkjOOAQDAy8AMCwCFD9uWkymtSsiUriiKFEtjfXptP0rAhQ/m2+vVX+W3CpUBiH4 F8cZ5Blhyg== </vers:Certificate> </vers:CertificateBlock> </vers:SignatureBlock> 5.3.1 Indication of hash and signature algorithms The hash and digital signature algorithms used to sign the VEO are identified by the vers:SignatureAlgorithm element. By using this element a program can automatically select the correct program to verify the signature. The contents of this element are derived from the signature algorithm identification used in X.509 certificates. The only element used is the Signature Algorithm Identifier (M150), as no current algorithm appears to use the Signature Algorithm Parameters (M151) element, but the element may be used if required. The signature algorithm identifiers used are the ones used in X.509 certificates. These identify a pair of algorithms: a hash algorithm and a digital signature algorithm. The identifiers are ASN.1 Object Identifiers (OIDs) and take the form of a sequence of numbers (the identifier space forms a tree, and each number in the sequence identifies a branch in a path through the tree). OIDs have several representations. The most convenient form for mixed human and computer use is the 'dot form'. In this form the numbers are represented textually separated, by dots: for example the string '1.2.840.113549.1.1.5'. There is a binary form of OIDs, but the text form is easy for computers to process and is easier for humans to read. 5.3.2 Representation of certificates VERS uses X.509 certificates encoded using the Distinguished Encoding Rules (DER). References to the standards defining these formats are given in the Specification. A good summary of certificates and the DER encoding can be found in [RFC2459]. Certificates should not be included in the encoded form used to contain a certificate and associated private key (the private key used to sign a VEO must never be included in the VEO). Examples of such formats are
As binary objects, certificates are encoded in Base64 for inclusion in the VEO. Digital signature implementations will normally directly accept DER-encoded certificates, and will often accept Base64-encoded certificates. A Signature Block (M134) contains one or more Certificate Blocks (M139) elements. Each Certificate Block holds a certificate chain that can be used to verify the digital signature. Each Certificate Block contains a sequence of one or more Certificate (M139) elements. Each Certificate (M139) holds a certificate. The Certificate Blocks are ordered so that:
Only certificates necessary to verify the signature are to be included in the Signature Block. | |||||
 |
 |
|
