The structure of a CMS signature is defined in RFC 3852 and maintains compatibility with PKCS

PAe - @Firma

@Firma

@firma is the technological solution on which the Ministry's electronic signature and validation platform is based. The current version of @firma is 6.1 and is an evolution of version 4.0, built on the contributions of many cooperating Public Bodies.

@firma is a robust, comprehensive product, initially developed by the Junta de Andalucía and transferred to the rest of the Public Administrations in order to promote and extend the development of e-Government and the Information Society.

It is a solution based on free software, open standards and Java: Apache web servers, JBoss, Solaris/Linux operating systems, AXIS, etc.

The certificate validation and electronic signature services of the Ministry's platform (@firma) are provided to the public administrations at no cost.

The most common way of using the service is @firma mode. In this mode the Ministry's @firma platform provides certificate and electronic signature validation services via web services. Applications wishing to use @firma services connect through the SARA network to the Ministry's @firma web services. This mode is recommended for agencies with a medium or low monthly volume of validations. The Ministry provides agencies wishing to test @firma services with a platform identical to production, and a support service for managing registration and integrations.

There is another way of using @firma, the federated model. It is recommended only for agencies with a very high transaction volume. The Ministry provides the @firma software so that the agency installs and administers it on its own premises. In this case deployment, installation and administration are the responsibility of the agency. The Ministry provides software updates and patches as they are generated.

You can consult the available services and the federated model through the FAQ.

You can find all the information about @firma in the PAe initiative created for this purpose. In the download area of this initiative you can find the service documentation as well as integration examples.

To access the full documentation you must be a registered user of the PAe portal and access the portal through the Administrative Intranet (SARA network).

A support team is available to cooperate with the different government agencies, providing all the necessary information about the use of the services and cooperating in the testing and integration of systems with the platform's services.

This centre is accessible ONLY TO APPLICATION DEVELOPERS OF the public administrations. To report an incident or a support request to the Centre for Attention to Integrators and Developers (CAID), fill in the web form for opening technical support requests:
- Access the form

Support hours: Monday to Thursday from 08:30 to 18:30, and Friday from 08:30 to 15:00.

Through the @firma suite of services, the platform also offers:

  • A signature client for creating signatures locally.
  • A time-stamping service (TS@).
  • A component for integrating signatures into organisational workflows (Port@firmas).
  • A demonstrator of @firma services: validation of signatures and digital certificates, creation of digital signatures, etc.

@firma services are available free of charge to the public administrations that request them. The service is provided through the SARA network (Administrative Intranet), so it is necessary to be connected to that network in order to use it.

Agreements have been signed with all the autonomous communities to allow the use of @firma services by the e-government applications of those that so wish. In the case of local entities, some Autonomous Communities have included in the agreement the possibility of accessing @firma services through accession.

Universities can also use the service, through the CRUE and the Iris network.

The Ministry provides a support service for the integration of the computer applications that will use @firma validation services in the different government agencies. As part of this support, the Ministry provides a test platform that government agencies can use while integrating their applications.

Testing the signature validation services provided by the Ministry does not require any act of commitment by either party and has no cost.

To be able to make requests to the services provided by the validation platform, the following points must be met:

  1. Use of the Administrative Intranet: Requests may only be made from machines connected to the Administrative Intranet (SARA network) that have access permissions on the platform. Therefore the machines from which the tests will be performed must be identified, and access permission for the internal IPs of those machines must be requested from @firma support (Access the form).
    To do so, the corresponding file must be filled in with the machines' details and sent to @firma support for registration. The registration form can be downloaded from the download area of the @firma web page on the e-government portal (http://administracionelectronica.gob.es/ctt/afirma). To access the documentation you must be registered on the portal and access it from the Administrative Intranet (SARA network).
  2. Identification of applications: In order to monitor the activity of applications and of the platform (both in test and in production), requests must be made by applications identified on the platform, either by certificate or by username and password.
  3. Create a Web Service client: Once you have permissions, you must develop a Web Service client to make requests to the services published on the platform.
    To develop the Web Service client, integrators are given the description of the target web service. For each Web Service (WS hereafter) the platform specifies the WSDL file, which includes the WS URL, the request message with its input XML schema, and the response message returned by the service. Information is also provided in the download area of the @firma web page on the e-government portal (http://administracionelectronica.gob.es/ctt/afirma), in the restricted area for registered users. Besides the WSDL and XML, an example integration kit is provided for both Java and .NET platforms.

Several mailing lists have been made available to @firma users, to which you can subscribe. Through these lists you will receive notices about important changes related to the project they are linked to (updates, interventions, etc.).
For more information, please refer to the contact section of the different projects (@firma signature platform, signature client, TS@, ...).

To integrate with @firma, follow the steps defined below:

  1. Be connected to the SARA network.
  2. Contact the support service and provide your contact details.
  3. The support team will inform you of the prerequisites and provide the access control form that the agency must complete. Together with the welcome documentation, they provide the @firma WS programming manual and the technical instructions needed to connect e-government applications to the @firma platform.
  4. The agency must connect its e-government service applications to the Platform through web services implemented in Microsoft® or Java technology.
  5. Finally, to access all the documentation you must be a registered user; to do this, go to the PAe page and register as a user from the right-hand menu: "Access to Users" -> "Register".

 

The ACL (Access Control List) is a data template for requesting access to and use of @firma services (EXCEL form). It contains the data required for integrating the Body into the platform. The fields of the form are explained below:

• Instructions (tab): Instructions for filling in the ACL.
• Application (tab): The data requested in this tab must be filled in if you use the WS and/or OCSP services of the @firma platform.
  o Data set "Data to be filled in by Systems": indicate the IP from which you will access @firma services, and the details of a person or communications/systems contact who can be reached in case of connection problems.
  o Data set "Data to be filled in by the Body":
  o Data set "Environment": indicate the environment you want to access (development, production or both).
  o Data set "Monthly transaction volume": indicate the approximate number of transactions that will be performed per environment in a month.
  o Data set "Transactions per minute": indicate the approximate number of transactions that will be performed per environment in a minute.
  o Data set "Application": specify the name of the application to add, a brief description of the application, and the agency (ministry and Directorate General, autonomous community or local entity) for which it is being developed; the details of the person responsible for the application, who will be contacted for notifications about it; and a brief description of the telematic services the application will provide and the URL where it will be located.

  o If requesting access via WS:
    - Response signature format: the signature format in which you want the platform to sign the response messages to your service requests.
    - Authorisation method: the method with which you will authenticate your service request messages to the @firma platform. Certificate is recommended.

  o If requesting access via OCSP:
    - Public part of the signing certificate in Base64 (PEM) format. OCSP requests must be signed, so the public part of the certificate must be attached.

There are two operating environments for the @firma platform: one called development, for testing by agencies, and a production environment, which corresponds to the platform's real environment. Both environments have similar characteristics, except that the development environment is made available to agencies for testing the integration of their applications; testing is not allowed in the production environment.
The access URL for the development platform's services, from within the inter-administrative network (SARA), is:
http://des-afirma.redsara.es/afirmaws/services/ (WS)
https://des-afirma.redsara.es/afirmaws/services/ (WS secure mode)
The access URL for the production platform's services, from within the inter-administrative network (SARA), is:
http://afirma.redsara.es/afirmaws/services/ (WS)
https://afirma.redsara.es/afirmaws/services/ (WS secure mode)
The OCSP service URLs are:
http://des-afirma.redsara.es/servidorOcsp/servidorOCSP
http://afirma.redsara.es/servidorOcsp/servidorOCSP

Service requests made through web services (WS) must go through port 8080 or 443. Requests to the ValidarCertificado service through OCSP must be directed to port 80.

You can obtain this document (ACL_Nuevo.xls) in the "Download area" of the initiative "Validation platform of electronic signature @firma", under "IP and application registration template".

The Federated Model of the @firma platform consists of a copy of the platform software, ready to be installed in the requesting Body's environment.

To obtain this federated model, a request must be sent to platform support (Access the form), which will specify the steps to follow.

The @firma platform can validate all the certificates included in the document that can be consulted at this link.

As a first step, check that the certificate is one supported by the Ministry of Industry, Technology and Trade:

https://sedeaplicaciones2.minetur.gob.es/suppliers/

and, if it is, it must be requested from @firma platform support (Access the form).

You can find the test certificate kit in the download area of this initiative on the PAe portal.

All certificates in the kit have been generated by real certification authorities, although they are test certificates. They do not correspond in any case to the PSCs' test environments.

  • Certificate validation services:
    o Certificate validation via WS: DSS standard.
    o Certificate validation via basic WS.
    o Certificate validation via OCSP.
    o Obtain information about a certificate.
  • Signature validation services:
    o Signature validation via WS: DSS standard; includes validation of long-term signatures.
    o Signature validation via basic WS.
  • Signature upgrade service (through use of the DSSAfirmaVerify service).
  • Other deprecated services. The platform offers other services whose use and evolution are being discontinued, replaced by other components of the @firma product suite. (See the FAQ on deprecated services.)

At the moment there are several alternatives for sending authenticated requests to the @firma platform, according to this scheme:

  • WS requests: a header ( ) must be added to the SOAP request. This header carries either the username and password configured for the requesting application, or a signature of the request made with a digital certificate configured for that application.
  • OCSP requests: requests must be signed with a digital certificate configured for the application, and must include the requestor name.

Both the username and password and the signing certificate are indicated in the ACL file used to request the registration or modification of the application.

Remember that from 31 January 2012 it will be mandatory to send authenticated requests.

The @firma platform does have a web service that returns the information in the fields or attributes of a given certificate. This service is called ObtenerInfoCertificado. To invoke this web service, the request must include, base64 encoded, the certificate from which the information is to be extracted.
There is also another service, ValidarCertificado, which, in addition to validating the certificate, lets you extract information from the certificate's attributes in the same way as ObtenerInfoCertificado, provided this option is specified in the request.

Long-term signature formats are those that allow an electronic signature to be validated after the electronic certificate with which it was signed has expired.

At present the @firma platform can validate all long-term formats through the DSS signature validation web service. It also provides a signature upgrade service (through use of the DSSAfirmaVerify service) that, starting from a simple signature (BES/EPES) without validation evidence, returns the same signature in a long-term format.

The long-term formats are: T, C, X, X-1, X-2, X-L, X-L-1, X-L-2 and A.

For more information about long-term signatures, consult the document on standards supported by @firma, available on the platform's web page on the PAe: http://administracionelectronica.gob.es/ctt/afirma

The @firma platform supports the SHA1 and SHA2 hash algorithms, and the RSA and elliptic curve signature algorithms.

The @firma platform supports the following canonicalization algorithms:

 

Several services are currently obsolete (identified as deprecated in the download area). New registrations for these services are no longer possible, because they will not be evolved if technological changes make them unusable, so starting an integration with them is not recommended; where they are in use, migrating to the alternative solutions is recommended.

The alternative solutions are:

  • For the server-side signature/co-signature generation services: an API that integrators can include in their developments to make the signatures locally.
  • For the two-phase signature service: a configurable signature proof service will be provided.

The signature client is an electronic signature client application that runs on the user's computer. It is based on Java applets, so the Java virtual machine must be installed, as it is the environment in which the application runs.

You can find all the information about it in the @firma client initiative.

Although the response (the output message, not the SOAP envelope) does not declare its encoding, it is UTF-8. That is, everything the platform returns is encoded in UTF-8.

The time-stamping service allows the electronic documents of the agencies that use the service to be time-stamped. A time stamp is an electronic signature made by a Time Stamping Authority (TSA) that allows one to show that the supplied data existed and has not been altered since a specific time (taken from a reliable time source).

To include time stamps in electronic signatures, you can use the @firma upgrade service (through use of the DSSAfirmaVerify service).

The Ministry also makes a time stamping authority (TS@) available to the public administrations. Through this service, the user can additionally validate a time stamp issued from the @firma platform.

If you need more information about it, you can contact our CAID (support) service or consult the PAe initiative Time Stamping Authority TS@.

The responses that @firma provides to the agencies' signature and certificate queries are signed and time-stamped by the platform.

The time stamp of the SOAP request is found in the "EncapsulatedTimeStamp" element inside the "UnsignedProperties" of the SOAP signature, which is located in the Header of that request, provided the response format is XAdES-T.

Chain validation consists of validating the certificate sent to the platform and the intermediate certificates, from the certificate to be validated up to the CA that issued it.

Since the XML parser interprets tabs and spaces as elements, integrations must not include whitespace between closing tags and opening tags.

Any OCSP response, apart from the certificate status information, may contain three further fields:
- producedAt: indicates the time at which the response message was signed.
- thisUpdate: indicates the time at which the certificate status information was known to be correct.
- nextUpdate: indicates when the next update of the certificate's status will be.
In short, the thisUpdate and nextUpdate fields define a time interval within which the OCSP response can be valid, i.e., a response is valid or reliable if the moment at which it is received lies inside that interval; otherwise, the information provided about the certificate's status is not "reliable".
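The interval rule above, as an added example (not @firma's own code): a small freshness check over the three OCSP timing fields, parsed from the ASN.1 GeneralizedTime form OCSP uses. The sample values and the 5-minute clock-skew tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple


def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form used in OCSP responses ('YYYYMMDDHHMMSSZ')."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unexpected GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


# Constructed timing fields for illustration; not taken from a real @firma response.
SAMPLE_RESPONSE: Dict[str, str] = {
    "producedAt": "20120131100000Z",
    "thisUpdate": "20120131095500Z",
    "nextUpdate": "20120131115500Z",
}


def ocsp_response_is_fresh(resp: Dict[str, str], received_at: datetime,
                           skew: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Apply the FAQ's rule: the response is reliable only if received_at lies
    within [thisUpdate, nextUpdate]. A small clock skew is tolerated (assumed
    policy). OCSP allows nextUpdate to be omitted; this check treats such an
    open-ended interval as unreliable, which is the conservative choice."""
    this_update = parse_generalized_time(resp["thisUpdate"])
    next_raw: Optional[str] = resp.get("nextUpdate")
    if received_at + skew < this_update:
        return False, "not yet valid: received before thisUpdate"
    if next_raw is None:
        return False, "nextUpdate absent: interval is open-ended, treated as unreliable"
    next_update = parse_generalized_time(next_raw)
    if next_update < this_update:
        return False, "malformed: nextUpdate precedes thisUpdate"
    if received_at - skew > next_update:
        return False, "stale: received after nextUpdate"
    return True, "within [thisUpdate, nextUpdate]"


if __name__ == "__main__":
    now = parse_generalized_time("20120131103000Z")  # constructed reception time
    print(ocsp_response_is_fresh(SAMPLE_RESPONSE, now))
```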

It is an attribute of an OCSP request which, when the request is sent to the @firma platform, must contain the identifier of the requesting application.

Yes, the platform accepts Standard Digital Signature.

What is encoded in UTF-8 is the content of the XML; the platform uses ISO-8859-1 to encode and decode in base64.
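Two of the integration rules on this page, the ban on whitespace between tags and the UTF-8 encoding of base64-wrapped XML content, as an added example that is not @firma's own code. The sample request body is constructed; it assumes only the Python standard library.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample request body, pretty-printed the way integrations must NOT send it
# (whitespace between closing and opening tags). Element names are placeholders.
PRETTY_XML = """<peticion>
    <nombre>Señor Pérez</nombre>
    <certificado>BASE64-CERT-PLACEHOLDER</certificado>
</peticion>"""


def compact_xml(xml_text: str) -> str:
    """Remove whitespace-only text between tags so the parser sees no stray nodes.
    Text that is not purely whitespace (real content) is left untouched."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Whitespace before the first child of an element is structural indentation.
        if elem.text is not None and elem.text.strip() == "" and len(elem):
            elem.text = None
        # Whitespace after a closing tag (the 'tail') is also indentation.
        if elem.tail is not None and elem.tail.strip() == "":
            elem.tail = None
    return ET.tostring(root, encoding="unicode")


def encode_for_platform(xml_text: str) -> str:
    """Base64 of the UTF-8 bytes of the XML content, as the FAQ states the content is UTF-8."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_from_platform(b64_text: str) -> str:
    """Decode base64 and interpret the resulting bytes as UTF-8 text."""
    return base64.b64decode(b64_text).decode("utf-8")


def decode_as_latin1(b64_text: str) -> str:
    """The pitfall: interpreting the same bytes as ISO-8859-1 turns 'ñ' into 'Ã±'."""
    return base64.b64decode(b64_text).decode("iso-8859-1")


if __name__ == "__main__":
    compact = compact_xml(PRETTY_XML)
    print(compact)
    print(decode_from_platform(encode_for_platform(compact)) == compact)
```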
