Adding support for ESTEID SK 2015 certification chain

kristiu edited this page Sep 2, 2016 · 5 revisions

The following information applies only for DigiDoc4j versions earlier than v1.0.2!

Since version 1.0.2 of the library, ESTEID-SK 2015 support is built in for all signature formats, and no additional configuration is needed.

The DigiDoc4j library uses a different trusted certification chain management mechanism for each file format. Adding support for ESTEID-SK 2015 therefore depends on the file formats to be supported and on the chosen trusted certificates management implementation.

BDOC 2.1 (ASiC-E) format

For the BDOC 2.1 format, certificate trust management is done directly by the DigiDoc4j library. By default, DigiDoc4j uses TSL lists for trusted certification chain management (but trusted certificates can also be managed manually via the library's API).

Supporting ESTEID-SK 2015 depends on the following TSL usage settings:

  • If the library's default TSL mechanism is used for trusted certificates management, the library's user doesn't have to make any changes: the library downloads the appropriate TSL automatically.
  • If the trusted certificates are handled manually, the ESTEID-SK 2015 certificate must be loaded as a trusted certificate in the same way as the other CA certificates.

DDOC (DIGIDOC-XML 1.3) format

For the DDOC (DIGIDOC-XML 1.3) format, DigiDoc4j uses the JDigiDoc library as its base library. Certificate trust management is done by JDigiDoc, but the configuration settings must be defined in DigiDoc4j's digidoc4j.yaml file.

In order to add ESTEID-SK 2015 support, specify the location of the ESTEID-SK 2015 certificate file in digidoc4j.yaml, for example:

DIGIDOC_CAS:
- DIGIDOC_CA:
    NAME: AS Sertifitseerimiskeskus
    TRADENAME: SK
    CERTS:
...
      - jar://certs/ESTEID-SK 2015.crt

Notes:

  • In the sample above, the configuration entry must refer to a location of the ESTEID-SK 2015 certificate file that the library can access.
    • For example, the value jar://certs/ESTEID-SK 2015.crt means that the certificate file is named ESTEID-SK 2015.crt and is placed in the certs folder of a .jar archive. In this case, the jar archive must be on the classpath for the library to access it.
    • The certificate file may also be placed outside a jar archive, at an arbitrary location in the file system. In this case, the parameter value must specify the path and file name of the certificate.
    • Note that with JDigiDoc library version 3.12 and above, the certificate is already included in the jdigidoc-*.jar archive, with the path certs/ESTEID-SK 2015.crt.
  • The ESTEID-SK 2015 certificate file must be in PEM format.
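The two notes above (the entry must resolve to a file the library can reach, and that file must be PEM) are the things that typically go wrong when a DDOC configuration is deployed. The following is an added pre-flight check, not code from the DigiDoc4j or JDigiDoc projects: it resolves each CERTS value the way the page describes (jar:// entries are looked up inside the jars on the classpath, anything else is a file-system path) and verifies that the bytes found contain a well-formed PEM CERTIFICATE block. The jar archive, the PEM body and the config values in the demo are constructed placeholders, not the real ESTEID-SK 2015 certificate; the exact classpath lookup semantics of JDigiDoc are assumed from the page, not taken from its source.

```python
"""Pre-flight check for DIGIDOC_CAS certificate entries in digidoc4j.yaml.

Added example (not project code). Assumes the page's description of entry
resolution: 'jar://<member>' is read from a jar on the classpath, any other
value is a file-system path. The PEM and jar built in demo() are constructed.
"""
from __future__ import annotations

import base64
import os
import re
import tempfile
import zipfile

JAR_PREFIX = "jar://"
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def is_pem_certificate(data: bytes) -> bool:
    """True if data holds a PEM CERTIFICATE block whose body is valid base64
    and decodes to something that starts like a DER SEQUENCE (0x30)."""
    match = PEM_BLOCK.search(data)
    if not match:
        return False
    body = b"".join(match.group(1).split())  # drop line breaks before decoding
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return False
    return len(der) > 0 and der[0] == 0x30


def read_cert_entry(entry: str, classpath_jars: list[str]) -> bytes | None:
    """Resolve one CERTS value to its bytes, or None if nothing is found."""
    if entry.startswith(JAR_PREFIX):
        member = entry[len(JAR_PREFIX):]
        for jar in classpath_jars:
            with zipfile.ZipFile(jar) as zf:
                if member in zf.namelist():
                    return zf.read(member)
        return None
    if os.path.isfile(entry):
        with open(entry, "rb") as fh:
            return fh.read()
    return None


def check_ca_certs(digidoc_cas: list[dict], classpath_jars: list[str]) -> dict[str, str]:
    """Return a status per CERTS entry: 'ok', 'missing' or 'not-pem'."""
    status: dict[str, str] = {}
    for ca in digidoc_cas:
        for entry in ca["DIGIDOC_CA"]["CERTS"]:
            data = read_cert_entry(entry, classpath_jars)
            if data is None:
                status[entry] = "missing"
            elif not is_pem_certificate(data):
                status[entry] = "not-pem"
            else:
                status[entry] = "ok"
    return status


def make_placeholder_pem() -> bytes:
    """Constructed PEM wrapper around a tiny DER SEQUENCE; not a real cert."""
    der = b"\x30\x03\x02\x01\x01"
    return (b"-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")


def demo() -> dict[str, str]:
    """Build a throwaway jar and file layout, then run the check on a
    DIGIDOC_CAS block mirroring the yaml sample (values are constructed)."""
    tmp = tempfile.mkdtemp()
    jar = os.path.join(tmp, "jdigidoc-example.jar")  # placeholder jar name
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("certs/ESTEID-SK 2015.crt", make_placeholder_pem())
    der_only = os.path.join(tmp, "der-only.crt")  # DER file, violates PEM rule
    with open(der_only, "wb") as fh:
        fh.write(b"\x30\x03\x02\x01\x01")
    digidoc_cas = [{"DIGIDOC_CA": {
        "NAME": "AS Sertifitseerimiskeskus",
        "TRADENAME": "SK",
        "CERTS": ["jar://certs/ESTEID-SK 2015.crt",   # found in jar, PEM -> ok
                  der_only,                           # found, but DER -> not-pem
                  "jar://certs/absent.crt"],          # nowhere on classpath
    }}]
    return check_ca_certs(digidoc_cas, [jar])


if __name__ == "__main__":
    for entry, result in demo().items():
        print(f"{result:8} {entry}")
```

Run it before starting the application: any entry reported as missing means the jar is not on the classpath or the path is wrong, and not-pem means the file needs converting to PEM first. The check is deliberately shallow (it does not parse the certificate or verify the chain); its purpose is only to catch the configuration mistakes the notes warn about.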