
PAe - Cliente@Firma


The signature client is an electronic-signature client application that runs on the user's PC. It is based on Java applets, so a Java virtual machine must be installed; that is the environment in which the application runs.

Basically, the client receives data and returns it signed, using the certificates installed in the keystore of the browser in which it is running at that time. It is implemented on the client side because an electronic signature is computed on the user's computer, using the private key of the selected certificate, which resides on that PC.

If your certificate resides on a smart card (DNIe) or USB token, these are loaded automatically through the device drivers, so they are accessible from the signature client.

The signature client is a Java applet. This type of application always runs on the user's computer; to run it, the browser must support Java (a platform-independent technology for software applications) by means of the Java Runtime Environment (JRE), which is where the signature client runs.

For a Java applet to access protected resources of the PC, such as reading local files or creating an electronic signature, it must be digitally signed by the company that developed it, and the client runs only if the user trusts that company (when a signed applet is used, the user must accept a security warning that states who owns the application).

The applet has been signed with a certificate of the Ministry of the Presidency. The certificate details are shown below:

• CN = Signature Code. Mpr. D.G. Momentum Of The Administration,
• OU = D.G. For Impluso Of Administration,
• O = Ministry Of The Presidency,
• L = Madrid,
• ST = Madrid,
• C = ES

• CN = AC Camerfirma Codesign v2,
• O = AC Camerfirma SA,
• OU = http://www.camerfirma.com,
• SERIALNUMBER = A82743287,
• L = Madrid (see current address at www.camerfirma.com/address),
• EMAILADDRESS = info@camerfirma.com,
• C = ES

The minimum requirements for using the signature client are as follows:

Supported browsers so far include:

• Firefox 3.0 and above.
• Internet Explorer 7 or higher, 32-bit and 64-bit.
• Google Chrome 4 or higher.
• Apple's Safari 4 or higher.
• Opera 10 or higher.

The operating systems supported are:
• Windows XP SP3/Vista SP2/7 SP1/Server 2003 SP2/Server 2008 SP2 and above
• Linux 2.6 (Guadalinex and Ubuntu) and higher.
• Mac OS X 10.6.8 and 10.7.2 (Snow Leopard and Lion).

• JRE 5 (1.5 update 22) or higher installed in your browser (only in browsers compatible with Java 5). Compatibility with Java 5 is a feature that is being phased out; it is recommended to use Java 6 update
• JRE 6 or JRE 7 installed in the browser (1.6 update 30 or 7 update 2 recommended)

The client can create digital signatures in different formats (CAdES by default). Overall, the following electronic-signature formats and standards are supported:

• CMS: Represented by the string “CMS/PKCS#7”.
• CAdES: Represented by the string “CAdES”.
• XMLDSig Internally Detached: Represented by the string “XMLDSig Detached”.
• XMLDSig Enveloping: Represented by the string “XMLDSig Enveloping”.
• XMLDSig Enveloped: Represented by the string “XMLDSig Enveloped”.
• XAdES Internally Detached: Represented by the string “XAdES Detached”.
• XAdES Enveloping: Represented by the string “XAdES Enveloping”.
• XAdES Enveloped: Represented by the string “XAdES Enveloped”.
• PAdES: Represented by the string “Automatically”.
• ODF (Open Document Format): Represented by the string “ODF”.
• OOXML (Office Open XML): Represented by the string “OOXML”.

The format can be changed with the setSignatureFormat method, which takes as its parameter a string representing the format in question.

The EPES variants of the signature formats that support them are generated automatically when both a signature format and a signature policy are set (for more information, consult the documentation of the signature client).

The “clienteFirma” class has the “setShowHashMessage” method, which takes a boolean parameter (true or false) indicating whether or not that window is shown.

The variable "baseDownloadURL" specifies the location of the installable files when they are not in the same directory as the HTML. These files are the ".ZIP" files and the client plug-ins. The variable "basis" specifies the location of the installer files when they are not in the same directory as the HTML. These files are the ".JAR" files and "version.properties".

The signature client operates locally and therefore does not connect to any signing and/or time-stamping platform, so it cannot generate signatures with a time stamp. One option for obtaining such signatures is to use the signature upgrade service of the @firma platform, which can add a time stamp to signatures generated with the signature client, upgrading a XAdES signature to XAdES-T.

Sometimes the client's windows lose focus, making user interaction impossible. This is a bug acknowledged by Sun Microsystems, present since JRE 1.5.0, that blocks certain Java windows in Internet Explorer and Mozilla, which lose focus and make user interaction impossible.

In many cases this error is resolved by switching focus to other windows, or by minimizing/maximizing the browser, to try to make it regain focus, although this is not always effective, in which case the browser must be restarted and the operation retried. In case of serious problems with a specific Web application, using Internet Explorer is recommended, where the problem appears to a lesser extent.

• Remove the DNIe from the reader and insert it just at the moment when the central certificate store of Mozilla Firefox is requested (before it could be introduced). Mozilla/Firefox may reopen the session in the process (pre-empting the @firma client), so you might need to repeat the operation.
• Force Mozilla/Firefox to close the session by clicking “Log out” with the device “DNIe PKCS#11 Module” selected in the “security” section of the Mozilla Firefox settings menu. As with the previous method, it is sometimes necessary to repeat this several times, since Mozilla/Firefox automatically reopens communication with the DNIe without giving the @firma client time to use it. On other occasions the button is disabled while Mozilla/Firefox has an open session with the device, in which case this method cannot be applied.

This problem occurs predominantly on Linux, Solaris and Mac OS X. It has not been detected in any version of Windows.

An alternative solution on UNIX systems (Linux, Solaris, Mac OS X) is to change the configuration of OpenSC (the product on which the DNIe PKCS#11 module for these platforms is based) so that access to smart cards is never locked.

To do this, edit the OpenSC configuration file, usually located at /etc/opensc/opensc.conf, and make sure it contains an uncommented line with the option lock_login = false;:

# By default, the OpenSC PKCS#11 module will lock your card
# once you authenticate to the card via C_Login.
# This is to prevent other users or other applications
# from connecting to the card and perform crypto operations
# (which may be possible because you have already authenticated
# with the card). Thus this setting is very secure.
# This behavior is a known violation of PKCS#11 specification,
# and is forced due to limitation of the OpenSC framework.
# However now once one application has started using your
# card with C_Login, no other application can use it, until
# the first is done and calls C_Logout or C_Finalize.
# In the case of many PKCS#11 application this does not happen
# until you exit the application.
# Thus it is impossible to use several smart card aware
# applications at the same time, e.g. you cannot run both
# Firefox and Thunderbird at the same time, if both are
# configured to use your smart card.
# Default: true
lock_login = false;

Since this change may have security implications for other smart cards (the security of the DNIe is not compromised by it, because the DNIe implements additional protection measures, such as the CWA-14890 standard), make this change only if you are completely sure of its implications.

In some Linux distributions (such as Guadalinex v6) this change has no effect on the locks with the DNIe, so it will not solve the problem.

The client updates the Apache Xalan and Apache Xerces APIs of Java 5 to the latest versions available at the date of publication. These versions are fully compatible with those included with Java 5 and therefore do not introduce any compatibility problems.

In addition, if version 5 of the JRE is detected, the SunMSCAPI security provider in its version 6 is installed, since Java 5 does not originally include it. This installation does not change or update any existing functionality; it only adds entirely new capabilities, so it cannot cause compatibility issues.

When a Java String is created from binary data obtained by decoding Base64, the special characters of XML files can be corrupted if a mismatched encoding is given in the constructor of the String class. The quickest solution is not to indicate an encoding and to rely on Java's encoding auto-detection. If Java's auto-detection still gives incorrect results, the XML can always be obtained directly as text instead of Base64 by using the getSignatureText() method instead of getSignatureBase64Encoded().
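The encoding mismatch described above, as an added example that is not part of the original page or of the client's own code: it decodes the same Base64 value with a wrong charset, with the declared charset, and by handing the raw bytes to the XML parser, and checks whether the bytes survive a round trip (a signed document whose bytes change no longer matches what was signed). It assumes Java 8 or later for java.util.Base64; the class name, the helper names and the sample XML are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

public class SignatureXmlDecoding {

    // Constructed sample standing in for a signed XML document; not a real signature.
    // Non-ASCII letters use Unicode escapes so the source compiles under any file encoding.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<doc><org>Administraci\u00f3n Espa\u00f1ola</org></doc>";

    /** Stand-in for the value that getSignatureBase64Encoded() would hand to the integrator. */
    static String sampleBase64() {
        return Base64.getEncoder().encodeToString(SAMPLE_XML.getBytes(StandardCharsets.UTF_8));
    }

    /** Failure mode: the charset given to the String constructor differs from the XML's. */
    static String decodeMismatched(String b64) {
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.ISO_8859_1);
    }

    /** Correct when the encoding is known: pass the charset named in the XML declaration. */
    static String decodeExplicit(String b64) {
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    /** Robust: give the raw bytes to the XML parser, which reads the encoding declaration. */
    static Document parseBytes(String b64) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // A signature document needs no DTD; refusing DOCTYPE blocks external-entity input.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        byte[] raw = Base64.getDecoder().decode(b64);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(raw));
    }

    /** True when the text, re-encoded as UTF-8, gives back exactly the decoded bytes. */
    static boolean roundTrips(String text, String b64) {
        return Arrays.equals(text.getBytes(StandardCharsets.UTF_8),
                             Base64.getDecoder().decode(b64));
    }

    public static void main(String[] args) throws Exception {
        String b64 = sampleBase64();
        String expected = "Administraci\u00f3n Espa\u00f1ola";

        String bad = decodeMismatched(b64);
        System.out.println("mismatched charset keeps text : " + bad.contains(expected));
        System.out.println("mismatched charset round-trips: " + roundTrips(bad, b64));

        String good = decodeExplicit(b64);
        System.out.println("explicit UTF-8 keeps text     : " + good.contains(expected));
        System.out.println("explicit UTF-8 round-trips    : " + roundTrips(good, b64));

        String parsed = parseBytes(b64).getDocumentElement().getTextContent();
        System.out.println("parser from bytes keeps text  : " + parsed.equals(expected));

        // new String(bytes) with no charset argument uses this value, which varies by machine.
        System.out.println("JVM default charset           : " + Charset.defaultCharset());
    }
}
```

The String constructor without a charset argument decodes with the JVM's default charset, so its result depends on the machine it runs on; parsing the bytes directly avoids that dependency.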

If the PIN of the DNIe is entered incorrectly, the browser does not detect its certificates, even if the user then enters it correctly.

The problem lies in the CSP (Cryptographic Service Provider) of the DNIe (electronic identity card), and the best way to solve it is to remove the DNIe from the card reader, reinsert it and re-authenticate.

In the case of Mozilla Firefox, you may have to close and reopen the browser to restart the client's session and detect the certificates.

Sometimes the browser does not detect the insertion or removal of the DNIe (or another smart card) in the reader, so if the card was not inserted before the signature client started, the client does not find the certificate. Another possible case is that, once the client is loaded, the card is removed and, when a signing operation is performed, the browser still shows the card's certificates (even though the card is no longer present), and the operation fails when it tries to use them.

This is a problem in the browser's handling of cryptographic devices (PKCS#11 for Mozilla and CSP for Internet Explorer), which does not inform the open session of the changes that occur in them.

The quickest solution to the problem is to insert the card before loading the signature client.

The “Window Única” application of the Social Security changes parts of the JRE, replacing libraries vital to the @firma client with obsolete versions.

If you need the @firma client to interoperate with the “Window Única” application of the Social Security, please file a bug report against the latter.

See section 13.1 of the integrator's manual for more information on deploying the signature client on Web servers that require user identification by client certificate.

Within the Java 5 branch, the client needs at least version 1.5u18 (updating to Java 6u18 or at least Java 5u22 is strongly recommended). If you are using Java versions earlier than 1.5u18, update your Java Runtime Environment (JRE) to a more recent version.

Signing of XML style sheets by the client: The current version of the signature client allows style sheets to be signed. Since the style sheets of an XML file can be declared in different ways, the client adopts a different strategy for each type of declaration and according to the signature option.

The XMLDSig signatures generated are not compatible with SOAP: This functionality is being considered for inclusion in future versions of the client.

Certain validators do not accept some of the signatures generated by the @firma client: Check in detail the compatibility matrix and the “IMPORTANT NOTES” of the manual of the XML format.

The client does not create XML signatures using SHA-2 digests: Java bug 6845600 (http://bugs.sun.com/view_bug.do?bug_id=6845600) affects the generation of XML signatures with SHA-256 and SHA-512. To overcome these problems, use Java 6u30 or Java 7u2.

The client produces a dereferencing error when generating XAdES signatures (javax.xml.crypto.URIReferenceException): Bugs in the early versions of Java 7 cause internal dereferencing problems when generating XAdES signatures when the “contentTypeOid” property is set. These Java bugs are fixed in Java 7u4; update to this version of Java 7 or higher to solve the problem.

The Client does not permit the signing of PDF with certain certificates

Signatures of PDF documents created externally (which is the method used by the client) have a maximum size of octets within the PDF.

Since the signature includes the full certification chain, a very long chain can exhaust this space and lead to an invalid or corrupt signature. If this happens, please contact the user support service of the @firma client, sending a copy of your signing certificate and the full trust chain. Always take great care never to send the private parts of the certificates.

When the @firma client loads, the installer component asks for the privileged-user password, but I do not wish to enter it for security reasons, or the process ends in error even though I enter it.

To use the Mozilla Firefox certificate store on Mac OS X, the NSS libraries must be located in a library load path, but Firefox on Mac OS X installs them in its own directory without adding that directory to the list of library load paths.
To work around this difficulty, the @firma client, through its installer component (BootLoader), tries to create symbolic links for these libraries from the Firefox directory to /usr/lib, a folder that is in the list of library load directories. Performing this copy requires certain privileges, which is why the privileged-user password is requested.

For more information, see the integrator's manual and the incident guide of the signature client.


It is not possible to access the certificate store of Mozilla Firefox 11 and higher

Mozilla Firefox 11 introduces changes in its certificate-store access libraries. These changes may prevent the @firma client from accessing the store on systems where these libraries cannot be loaded.

There are many reasons why the libraries may not load correctly. If you cannot access the Mozilla Firefox certificates, try adding the Firefox library directory to the system PATH (refer to the documentation of your specific operating system).

Take into consideration:
• You must add the path of the Firefox directory.
• If several versions of Firefox are installed, be sure to indicate the path of the version that the @firma client is going to use, and do not add more than one.
• The architecture of the browser must be the same as that of Java. Preferably, use 32-bit versions of Mozilla Firefox and Java.

In older versions of Internet Explorer it is not possible to have two or more pages open simultaneously that contain different instances of the @firma client

In versions of Internet Explorer earlier than 7, opening a second page containing the @firma client while another one is already open may produce loading failures in the second page or a general malfunction.
Upgrade to the latest version of Internet Explorer available for your Windows operating system and to at least version 6u30 of the Java Runtime Environment (JRE) to overcome these problems. If for any reason you cannot update Internet Explorer, try using another Web browser, such as Google Chrome.

The Client is not working properly in Windows on IA64 architecture (Intel Itanium)

The IA64 architecture in Windows is not supported by the client and it will not be in the near future.

The client crashes completely when I use it at the same time as a native Windows application that uses a smart card

Some native Windows applications that use smart cards and the DNIe (desktop applications, ActiveX controls on websites in Internet Explorer…) interfere with the Java SunMSCAPI libraries used to access the operating system's certificates. Because of this interference, any attempt by a Java application to access the Windows certificates while the smart card is inserted in the reader and the other application is also running produces an internal error in the Java virtual machine that instantly closes the affected application.

This problem is caused by native Windows applications that access ICSC in non-recommended ways, together with defects in the SunMSCAPI library, which is responsible for accessing the Windows certificates and cannot operate when these non-recommended accesses occur.

In general, avoid situations in which another application is using a smart card while the signature client is in use. To do so, separate the use of the two applications that access the card, either by removing and reinserting the card in the reader or simply by closing the other applications while one of them is in use.

If this error occurs, you may need to close the Windows application that causes the incompatibility and restart the application (website) that integrates the @firma client.

It is not possible to access the Firefox certificate store on Windows systems with Java 6u32 or higher and Java 7u4 or higher

Starting with versions u32 of Java 6 and u4 of Java 7, Oracle's JRE for Windows uses the Visual C++ 2010 runtime. The @firma client cannot access the Firefox store if this runtime is not installed on your system. You can download it from:
http://www.microsoft.com/download/en/details.aspx?id=5555

The client does not allow the DNIe, or other secure signature-creation devices, to be used to open digital envelopes

Certain issuers of certificates residing in secure signature-creation devices restrict at source the uses that can be made of them.

In the case of the DNIe (and other devices), it cannot be used to open digital envelopes because that use is not authorized by the issuer. Always avoid sending digital envelopes to individuals unless you are sure that their certificates (the private part) will allow them to be opened later.

It is not possible to sign a Web page with the XMLDSig/XAdES Enveloped format

XAdES/XMLDSig Enveloped can only sign XML files, and not all HTML pages are XML-compatible.

Check that the HTML pages you want to sign comply strictly with the XHTML format (which is XML-compatible) and, if they do not, select another signature format.

One of the signature formats generated with the @firma client does not validate properly on other platforms.

Always check the client's compatibility matrices to verify which formats are subject to problems of conformance with regulations/standards (this is indicated when it is the case) and which of those without such problems are supported by your validation platform.

Some signature-creation devices do not work with multi-phase signatures.

These limitations are imposed by the manufacturers of the signature-creation devices and cannot be circumvented. Consult the manufacturer of your device to check which signature functionality may be restricted.

Configuring certificate filters produces an error when a large filter is set.

This error occurs when a certificate filter is set through the deprecated “setCertFilter(String)” or “setMandatoryCertificateCondition(String)”.
When many expressions of this kind are concatenated or nested in parentheses, the JVM fails and the filter has to be disabled. Avoid using filters with many expressions.
It is advisable to migrate applications to the new filter system based on RFC 2254. Filters of this kind can be set through “setCertFilterRFC2254(String, String, boolean)”.

When the client is deployed in environments where HTML pages are generated dynamically, the applet cannot be loaded

The HTML pages provided as an example need some changes when the client is to be deployed on servers where pages are generated dynamically (for example, on a Portlet portal server):
• The client's Java libraries (JAR) must be placed at a static address within the Web server, such as: http://dirección/directorio_clases
• The JavaScript libraries (JS) must be included in the page that invokes the applet and may be generated dynamically, but you must edit the file constantes.js to indicate the absolute URLs:

/****************************************************************
 * Path to the installable files.                               *
 * If not set, the directory of the HTML page is used.          *
 ****************************************************************/
var baseDownloadURL = "http://direccion/directorio_clases";

/****************************************************************
 * Path to the installer.                                       *
 * If not set, the directory of the HTML page is used.          *
 ****************************************************************/
var basis = "http://direccion/directorio_clases";

On its first run, the @firma client copies certain files to the user's hard drive to ensure that it works properly. Most of these files are native binary libraries; however, if the user runs version 5 of the Java runtime environment, an update of certain Java classes is also installed. Specifically, the list of installed files is as follows:

• Java 5 and above
Atos Origin Windows Short Path Name Utility (installed only on Windows systems). Needed solely for supporting the Mozilla/Firefox keystore. Located in the compressed file ShortPathName.zip. Installation directory: $HOME/afirma.5/aoutil/
- ShortPathName.dll
Java Deploy Utility Library for Windows (installed only on Windows systems). Located in the compressed file deploy.zip. Installation directory: $HOME/afirma.5/aoutil/
- aodeploy.dll

• Java 5 only (not needed in the next major release)
Compatibility pack of the client with Java 5 (Linux/Windows). Needed in order to use, from Java 5, features built into the current versions of Java. This package is mandatory when running the client on this version of Java. Installation directory: $JAVA_HOME/lib/endorsed
- states_5_java_5.jar
Java MS-CAPI Native Library (installed only on Windows systems). Needed solely for supporting the Windows/Internet Explorer keystore. Located in the compressed file capi.zip. Installation directory: $JAVA_HOME/bin/
- sunmscapi.dll
Microsoft Visual C++ 7.1 runtime (installed only on Windows systems). Needed solely for supporting the Windows/Internet Explorer keystore; it is a dependency of the previous library. Located in the compressed file msvcr71.zip. Installation directory: $LIBRARY_PATH/
- msvcr71.dll
Java MS-CAPI Provider (installed only on Windows systems). Needed solely for supporting the Windows/Internet Explorer keystore. Located in the compressed file mscapiJar.zip. Installation directory: $JAVA_HOME/lib/ext/
- sunmscapi.jar
In the installation directories, the following strings represent operating-system directories that depend on the installation:
1. $HOME: User directory (for example, /export/home/user on a Linux system or C:\Documents and Settings\user on a Windows system)
2. $JAVA_HOME: Java installation directory
3. $LIBRARY_PATH: System library directory (for example, /lib on a Linux system or C:\Windows\SYSTEM32 on a 32-bit MS-Windows system)
Of the three directories, the first poses no special permission requirements, since the user always has the appropriate permissions on it, but the other two may be restricted for reading or writing, which may cause the installation to fail.
Since the directories subject to permission requirements are used only with version 5 of the Java runtime environment, there are two possibilities for resolving possible installation errors:
1. Update to Java 6 (recommended solution).
2. Change the user permissions of the affected directories.
a. See the user manual of your operating system for changing directory permissions.
3. Manual installation of the libraries.
a. Extract the compressed ZIP files (see the manual of your operating system for ZIP file decompression) into the appropriate folder.
b. After decompression, also set the permissions of the directories and the extracted libraries:
i. Directories need read permission; write permission is not necessary.
ii. Libraries need read and execute permissions; write permission is not necessary.
