Figure 13: Sequence diagram of the Signing process
|
Nr. |
Step |
Components |
Description |
|
6 Signing |
|||
|
6.1 Signer Authentication |
|||
|
6.1.1 |
The Signer performs the authentication process. |
Signer, SSSrv/UI, IdP |
( 61 doingAuthentificationSigner ) Subprocess that authenticates the Signer based on the identification means used. The result is the ID token for the Signer, which signals that authentication has been successfully performed. |
|
6.2 Signature Information Selection |
|||
|
6.2.1 (optional) |
The Signer requests the list of KeyIDs and associated certificates corresponding to the ID token from the SSSrv/UI. |
Signer, SSSrv/UI |
requestListOfKeyIDsCerts |
|
6.2.2 (optional) |
The SSSrv/UI checks the request for the list of KeyIDs and associated certificates. |
SSSrv/UI |
checkRequest ListOfKeyIDsCerts |
|
6.2.3 (optional) |
The SSSrv/UI queries the KM for the KeyID list that matches the specified ID token. |
SSSrv/UI, KM |
requestListOfKeyIDsCerts |
|
6.2.4 (optional) |
The KM checks the request for the list of KeyIDs. |
KM |
checkRequest ListOfKeyIDsCerts |
|
6.2.5 (optional) |
The KM sends the KeyID list with the corresponding certificate information back to the SSSrv/UI. |
KM, SSSrv /UI |
returnListOfKeyIDsCerts |
|
6.2.6 (optional) |
The SSSrv/UI delivers the identified KeyIDs and associated certificates to the Signer. |
SSSrv/UI, Signer |
deliverListOfKeyIDsCerts |
|
6.2.7 |
The Signer selects the certificate and thus the associated KeyID to be used for signing, selects the data to be signed, and makes a declaration of intent to sign. |
Signer |
selectKeyIDByCertificate selectDTBS declareWillForSigning The declaration of intent is realized via a checkbox. The SHA512 hash of the document and the certificate details of the certificate used for the signature are displayed to the user. |
|
6.3 SAD Generation |
|||
|
6.3.1 |
The Signer requests the SSSrv/UI to log in for Signing. |
Signer, SSSrv/UI |
loginForSigning |
|
6.3.2 |
The SSSrv/UI checks the request for logging in for Signing. |
SSSrv/UI |
checkRequestLoginForSigning |
|
6.3.3 |
The SSSrv/UI requests tu login for Signing at the RSAPI. |
SSSrv/UI, RSAPI |
loginForSigning |
|
6.3.4 |
The RSAPI generates the temporary SAD Signing Key. |
RSAPI |
generateSADSigningKey |
|
6.3.5 |
The RSAPI requests the enhancement of the Signers ID token at the IdP (handling over the public SAd Signing key). |
RSAPI, IdP |
requestEnhancementOfSignerIDToken |
|
6.3.6 |
The IdP checks the request for enhancing theID token of the Signer. |
IdP |
checkRequestEnhancementOfSignerIDToken |
|
6.3.7 |
The IdP sets the Signing relevant scope extensionen in the ID token. |
IdP |
setScopeExtension |
|
6.3.8 |
The IdP sets the Public SAD Signing Key in thr ID Token. |
IdP |
setPublicSADSigningKey |
|
6.3.9 |
The IdP confirms the RSAPI the enhancement of the ID token. |
IdP, RSAPI |
confirmEnhancementOfSignerIDToken |
|
6.3.10 |
The RSAPI provides the Signature API to the SSSrv/UI. |
RSAPI, SSSrv/UI |
provideSignatureAPI |
|
6.3.11 |
The SSSrv/UI provides the SignatureAPI to the Signer. |
SSSrv/UI, Signer |
provideSignatureAPI |
|
6.3.12 |
The Signer generates the Hash Value(s) for the data to be remotely signed. |
Signer |
generateHashValues |
|
6.3.13 |
The Signer requests Signing at the SSSrv/UI. |
Signer, SSSrv/UI |
requestSigning |
|
6.3.14 |
The SSSrv/UI checks the request for Signing. |
SSSrv/UI |
checkRequestSigning |
|
6.3.15 |
The SSSrv/UI requests Signing at the RSAPI. |
SSSrv/UI, RSAPI |
requestSigning |
|
6.3.16 |
The RSAPI checks the request for Signing. |
RSAPI |
checkRequestSigning |
|
6.3.17 |
The RSAPI requests the SAK for the generation of the SAD. |
RSAPI, SAK |
requestGenerationOfSAD |
|
6.3.18 |
The SAK checks the requests for generation of the SAD. |
SAK |
checkRequestGenerationOfSAD |
|
6.3.19 |
The SAK generates the SAD. |
SAK |
generateSAD |
|
6.3.20 |
The SAK returns the SAD to the RSAPI. |
SAK, RSAPI |
returnSAD |
|
6.3.21 |
The RSAPI signs the SAD with the pregenerated SAD Signing Key. |
RSAPI |
signSADWithSADSigningKey |
|
6.4 Signing Key Activation |
|||
|
6.4.1 |
The SAK/OS requests the SSA to create a signature by submitting a request to the SSA with the signed SADs. |
SAK/OS, SSA |
requestSigning A remote signature request is sent from the SAK/OS to the SSA. Its format is given by SAP or its specification. The request contains the SAD. |
|
6.4.2 |
The SSA checks the authorization regarding the request to create a signature. |
SSA |
checkRequestSigning |
|
6.4.3 |
The SSA requests the SAM to sign. |
SSA, SAM |
requestSigning |
|
6.4.4 |
The SAM checks the request to create a signature. |
SAM |
checkRequestSigning |
|
6.4.5 |
The SAM checks whether the Signer is authenticated. |
SAM |
checkSignerAuthentication |
|
6.4.6 |
The SAM checks the validity of the declaration of intent to sign. |
SAM |
checkValidityOfSAD |
|
6.4.7 |
The SAM requests the KM to send the wrapped key belonging to the KeyID. |
SAM, KM |
requestWrappedKey |
|
6.4.8 |
The KM checks the request for delivery of the wrapped key. |
KM |
checkRequestWrappedKey |
|
6.4.9 |
The KM responds to the SAM by returning the wrapped key associated with the KeyID. |
KM, SAM |
returnWrappedKey |
|
6.4.10 |
The SAM checks the validity of the signature of the wrapped key. |
SAM |
checkSignatureOfWrappedKey |
|
6.4.11 |
The SAM checks whether: the KeyIDs contained in the SAD and the Wrapped match, and whether. the UserID contained in the Wrapped Key and the ID Token of the SAD match.the KeyID between |
SAM |
checkMatchingOfUserIDKeyID |
|
6.4.12 |
The SAM verifies that the algorithm chosen by the Signer for signature creation is compatible and acceptable for use. |
SAM |
checkCompatibilityOfAlgorithm |
|
6.4.13 |
The SAM activates the private remote signature key. |
SAM |
activatePrivateKey |
|
6.5 Signature Value Creation |
|||
|
6.5.1 |
The SAM requests the SCDev to sign the DTBS/R. |
SAM, SCDev |
requestSigningOfDTBSR |
|
6.5.2 |
The SCDev signs the DTBS/R with the signature key referenced by the KeyID. |
SCDev |
signDTBSR |
|
6.5.3 |
The SCDev confirms the signature of the DTBS/R by returning the signature value to the SAM. |
SCDev, SAM |
confirmSigningOfDTBSR |
|
6.5.4 |
The SAM deactivates the private key. |
SAM |
deactivatePrivateKey |
|
6.5.5 |
The SAM responds to the SSA and confirms the creation of the signature value. |
SAM, SSA |
confirmSigning |
|
6.5.6 |
The SSA checks the validity of the certificate. |
SSA |
checkValidityOfCertificate |
|
6.5.7 |
The SSA responds to the SAK /OS and confirms the creation of the signature value. |
SSA, SAK /OS |
confirmSigning |
|
- |
The SAK/OS generates the signature container to represent the signed data. |
SAK/OS |
createSignatureContainer |
|
- |
The SAK/OS checks the signed data and the validity of the Signer certificate. |
SAK/OS |
checkSignature |
|
6.5.8 |
The SAK/OS confirms the creation of the (remote) signature to the SSSrv/UI. |
SAK/OS, SSSrv/UI |
confirmCreationOfSignature |
|
6.5.9 |
The SSSrv/UI responds to the Signer by handing over the signed data, thus confirming the remote signing. |
SSSrv/UI, Signer |
confirmSigning |
Table 13: Step-by-step description Signing process