OpenOTP Electronic Signature and Secure Transaction Approval
1. Overview and Requirements
RCDevs now offers an easy way to have any document signed at any time by any third-party signatory. OpenOTP Signature is a solution that can be deployed on premise or in the cloud. Integrating OpenOTP Signature in your infrastructure enables electronic signatures for your company users (LDAP users). If you want to extend your signature processes to external users (users who are not part of the LDAP directory/directories configured with your WebADM), you have to integrate OpenOTP with the YumiSign platform, which requires a YumiSign API key configured in the OpenOTP settings. This YumiSign API key is covered by YumiSign licensing and must be requested from the RCDevs sales team. On-premise signature with OpenOTP is covered by OpenOTP licensing. For more information regarding OpenOTP Signature and YumiSign licensing, contact the RCDevs sales team.
The requirements to implement on premise electronic signature with RCDevs solutions are the following:
- Have WebADM and OpenOTP v2 installed and configured in your infrastructure,
- Communications allowed between your WebADM/OpenOTP infrastructure and https://cloud.rcdevs.com,
- Push mechanisms configured with your WebADM/OpenOTP infrastructure,
- OpenOTP Token mobile application. This application is used to authenticate the user and to present the documents/transactions that need to be signed.
- OpenOTP License supporting signature features. (CONFIRM for PSD2 and SIGN for Advanced/Qualified signature).
- For qualified signature, a qualified signature creation device (QSCD) is required to create the signature.
RCDevs provides different ways to easily integrate electronic signature in your infrastructure:
- Mail integration: RCDevs provides a mail integration with a Postfix server designed to work with the OpenOTP signature backend. This functionality allows you to send an email to anybody in your company and submit a document to them for signature. This integration is user-friendly and very simple to use.
- Plugin integrations: Simply download, install and configure signature plugins developed by RCDevs for your systems, such as Nextcloud, EDM, SharePoint and Git, with more coming soon.
- User Self-Service Desk application: The User Self-Service Desk web application provides a new functionality which allows you to submit a document for signature to yourself simply by dragging and dropping that document onto a dedicated SelfDesk web page.
- Custom integrations through APIs: Integrate OpenOTP signature APIs anywhere you need by implementing REST API calls in your website, web banking, intranet, extranet or e-commerce website, or even create a custom signature portal dedicated to that purpose, and much more. This is the most flexible, powerful and customizable integration. To get an idea of what is possible with the OpenOTP signature APIs, visit and test YumiSign, which is based on the OpenOTP signature backend.
2. Signatories scenarios
We identified 3 common signing scenarios that cover the different needs:
- Submit a document for signature to yourself,
- Submit a document for signature to someone or to multiple collaborators part of your company,
- Submit a document for signature to someone else not part of your company (External signatures require the easy to use YumiSign platform).
Items 1 and 2 are the “Corporate Signatories” scenarios. In corporate scenarios, the signatories are part of the LDAP directories configured with WebADM/OpenOTP.
Item 3 is the “External signatories” scenario, which involves a signatory who is not part of the LDAP directory configured with OpenOTP. The bridge between your on-premise OpenOTP Signature integrations and external users is the YumiSign platform. YumiSign orchestrates the creation of external accounts and the signature requests triggered from your OpenOTP backend. A subscription to the YumiSign platform is required when YumiSign is involved. Licensing is based on who initiated the signature request: signing is always free for the signatory when the request was initiated by someone else.
These 3 scenarios are covered by RCDevs Signature solutions.
3. Signature levels
According to the European Commission and the electronic signature regulation, there are 3 levels of electronic signature:
- Simple electronic signatures: “An electronic signature is defined as ‘data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign’. Thus, something as simple as writing your name under an e-mail might constitute an electronic signature.”
- Advanced electronic signatures (AdES): An advanced electronic signature is an electronic signature which is additionally:
  - uniquely linked to and capable of identifying the signatory;
  - created in a way that allows the signatory to retain control;
  - linked to the document in a way that any subsequent change of the data is detectable.
- Qualified electronic signatures (QES): A qualified electronic signature is an advanced electronic signature which is additionally:
  - created by a qualified signature creation device (QSCD);
  - based on a qualified certificate for electronic signatures;
  - equivalent to a handwritten signature.
RCDevs provides Standard, Advanced and Qualified signatures which meet the criteria of the European Commission. See below how this works with RCDevs solutions.
4. RCDevs transaction and signature solutions
RCDevs provides 3 kinds of electronic transactions/signatures (Simple, Advanced and Qualified Signatures) and also extra features like document sealing and timestamping. Whether the signature appears in green in Adobe Reader depends on what Adobe Reader trusts. For more information regarding trust in Adobe Reader, see section 5 of this documentation.
The difference between a transaction and an electronic signature with RCDevs solutions is whether a document is attached to the request. Both types of request use the same APIs. In both, a signature is performed, but at different levels/layers. When a document is attached, the document itself is signed; this is the electronic document signing scenario. When no document is attached to the request, it becomes a transaction, and what is signed is the data attached to the transaction. Both kinds of request can be signed in Standard, Advanced or Qualified mode.
4.1 Electronic Transactions
- Standard Transaction Signing: This integration can be deployed for corporate signatories only. The user has previously registered a Token on his LDAP account and his mobile. Electronic transactions can be used to validate a payment or a bank transfer, or to obtain hierarchical approval for a particular action: anything that needs to be securely approved before an event occurs. Below is an example of an electronic transaction built with the Transaction tester of WebADM:

Once submitted, the request is prompted on the user's mobile. The user can review the transaction details and, optionally, the attached form, then approve or deny the request.


Proof of the transaction generated on the backend:
Mobile Transaction Confirmation
Started: 2022-06-03 10:16:35
Stopped: 2022-06-03 10:16:42
User DN: CN=yoann traut,OU=SUPAdmins,DC=support,DC=rcdevs,DC=com
User IP: 192.168.3.132
Client ID: OpenOTP
Client IP: 192.168.4.20
Hash Data: ff620fda9bde137f50f18173ded2b8f343f92c49 (Nonce + Data)
OTP Token: Token #1 (TOTP)
OTP Algo: SHA1
OTP Key: 3275721181 (CRC32)
OTP Nonce: f3abeb492249b93f5d14c642b9ef3a359807c57b
OTP Result: 718173DE (OATH)
Transaction Details (Base64)
PGh0bWwgc3R5bGU9ImNvbG9yOndoaXRlIj4NCjxiPlNhbXBsZSBDb25maXJtYXRp
b248L2I+PGJyPg0KPGJyPg0KQWNjb3VudDogRXhhbXBsZTxicj4NCkFtb3VudDog
WFhYLlhYIEV1cm9zPGJyPg0KPC9odG1sPg==
This method can be used to obtain a secure confirmation of a transaction in order to meet the PSD2 regulation.
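A proof record like the one above can be reviewed offline. The following Python sketch is an added example, not RCDevs code: it parses the record, decodes the Base64 transaction details to show what the user actually approved, and checks that OTP Result equals the RFC 4226 (OATH) dynamic truncation of Hash Data. That relation is inferred from the sample record on this page, not taken from RCDevs documentation, and the function names are illustrative.

```python
import base64
import re
from datetime import datetime

# Proof record as shown in the sample above.
PROOF = """\
Mobile Transaction Confirmation
Started: 2022-06-03 10:16:35
Stopped: 2022-06-03 10:16:42
User DN: CN=yoann traut,OU=SUPAdmins,DC=support,DC=rcdevs,DC=com
User IP: 192.168.3.132
Client ID: OpenOTP
Client IP: 192.168.4.20
Hash Data: ff620fda9bde137f50f18173ded2b8f343f92c49 (Nonce + Data)
OTP Token: Token #1 (TOTP)
OTP Algo: SHA1
OTP Key: 3275721181 (CRC32)
OTP Nonce: f3abeb492249b93f5d14c642b9ef3a359807c57b
OTP Result: 718173DE (OATH)
Transaction Details (Base64)
PGh0bWwgc3R5bGU9ImNvbG9yOndoaXRlIj4NCjxiPlNhbXBsZSBDb25maXJtYXRp
b248L2I+PGJyPg0KPGJyPg0KQWNjb3VudDogRXhhbXBsZTxicj4NCkFtb3VudDog
WFhYLlhYIEV1cm9zPGJyPg0KPC9odG1sPg==
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_proof(text):
    """Return (fields, details): the 'Key: value' pairs and the decoded Base64 body."""
    fields, b64_lines, in_body = {}, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("Transaction Details"):
            in_body = True          # everything after this header is Base64
        elif in_body:
            b64_lines.append(line)
        elif ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
    details = base64.b64decode("".join(b64_lines), validate=True).decode("utf-8")
    return fields, details


def leading_hex(value):
    """Bytes of the leading hex token in a field such as 'ff62... (Nonce + Data)'."""
    match = re.match(r"(?:[0-9A-Fa-f]{2})+", value)
    if match is None:
        raise ValueError("no hex value in field: %r" % value)
    return bytes.fromhex(match.group(0))


def dynamic_truncate(digest):
    """RFC 4226 section 5.3: 31-bit value read at the offset held in the last nibble."""
    if len(digest) < 20:
        raise ValueError("digest too short for dynamic truncation")
    offset = digest[-1] & 0x0F
    return int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF


def audit_proof(text):
    """Summarise a proof record for review.

    'otp_matches_hash' is a consistency check only: it covers the 4 bytes
    selected by the truncation, and recomputing Hash Data itself is not
    attempted because the page does not spell out its construction.
    """
    fields, details = parse_proof(text)
    started = datetime.strptime(fields["Started"], TIME_FORMAT)
    stopped = datetime.strptime(fields["Stopped"], TIME_FORMAT)
    expected = dynamic_truncate(leading_hex(fields["Hash Data"]))
    recorded = int.from_bytes(leading_hex(fields["OTP Result"]), "big")
    # Strip the HTML tags so the reviewer sees the text shown to the user.
    visible = [ln.strip() for ln in re.sub(r"<[^>]+>", "", details).splitlines()]
    return {
        "user": fields["User DN"],
        "seconds_to_approve": int((stopped - started).total_seconds()),
        "otp_matches_hash": expected == recorded,
        "approved_text": [ln for ln in visible if ln],
    }


if __name__ == "__main__":
    for key, value in audit_proof(PROOF).items():
        print(f"{key}: {value}")
```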
- Advanced Transaction Signing: This integration can be deployed for corporate signatories only. Corporate signatories (users who are part of the LDAP backends connected to your OpenOTP suite) can use WebADM or corporate user certificates: SignScope=Local (WebADM can be configured as a standalone CA or as a subordinate CA of your existing enterprise CA). The user has previously registered a Token on his LDAP account and his mobile. The transaction signing is performed with the user’s certificate. Technically, this level of Advanced confirmation is equivalent to Qualified signature in terms of cryptographic operations. The difference is that Advanced Transaction Signing does not use a Qualified Signature/Seal Creation Device (QSCD). Instead, it uses a company user certificate (SignScope=Local) or a certificate issued by the RCDevs root CA (SignScope=Global).
The user will be prompted on his mobile to create a new certificate (user-friendly CSR prompt). The CSR and the key are generated on the mobile based on information provided by the WebADM PKI service. Once generated, the CSR is sent from the mobile to your WebADM PKI service (Rsignd) and signed by the WebADM CA. The certificate is then sent back to the mobile and registered in the WebADM SQL database. The certificate is stored in the keychain of the mobile. The transaction is then signed with the freshly generated key, which never leaves the mobile, and the signed transaction is sent back to the OpenOTP/YumiSign backend. Certificates issued by WebADM for signing purposes are valid for 1 month. After 1 month, the certificate expires and needs to be renewed. This renewal is done automatically in the signature workflow. Certificates issued on mobiles can be revoked at any time through WebADM Admin GUI > Databases > Client, Server and Mobile Certificates. Below is the certificate issued for that user in the Client, Server and Mobile Certificates database:
Corporate certificates issued by the WebADM PKI are listed here (SignScope=Local).
Certificates issued by the RCDevs Root CA are also under your control, as they are stored in your WebADM SQL database. You can therefore revoke a user certificate issued by the RCDevs CA at any time by clicking the Enabled button on the corresponding certificate. When a certificate has been revoked by a WebADM administrator, the user concerned can no longer sign documents.
Revocation can be cancelled later by clicking the Enabled button again on the appropriate certificate.
Below are the details of a transaction signed with a corporate-issued certificate (SignScope = Local). A P7M file is returned by the API for each transaction. That file is a Cryptographic Message Syntax (CMS) structure and can be read with the following OpenSSL command:
openssl asn1parse -in output.p7m -inform der
Which results in the following:
0:d=0 hl=4 l=8880 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l=8865 cons: cont [ 0 ]
19:d=2 hl=4 l=8861 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 15 cons: SET
28:d=4 hl=2 l= 13 cons: SEQUENCE
30:d=5 hl=2 l= 9 prim: OBJECT :sha256
41:d=5 hl=2 l= 0 prim: NULL
43:d=3 hl=3 l= 137 cons: SEQUENCE
46:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
57:d=4 hl=2 l= 124 cons: cont [ 0 ]
59:d=5 hl=2 l= 122 prim: OCTET STRING :<html style="color:white">
<b>Sample Signature</b><br>
<br>
Dummy Information #1<br>
Dummy Information #2<br>
</html>
183:d=3 hl=4 l=1819 cons: cont [ 0 ]
187:d=4 hl=4 l= 971 cons: SEQUENCE
191:d=5 hl=4 l= 691 cons: SEQUENCE
195:d=6 hl=2 l= 3 cons: cont [ 0 ]
197:d=7 hl=2 l= 1 prim: INTEGER :02
200:d=6 hl=2 l= 2 prim: INTEGER :B2
204:d=6 hl=2 l= 13 cons: SEQUENCE
206:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
217:d=7 hl=2 l= 0 prim: NULL
219:d=6 hl=2 l= 52 cons: SEQUENCE
221:d=7 hl=2 l= 25 cons: SET
223:d=8 hl=2 l= 23 cons: SEQUENCE
225:d=9 hl=2 l= 3 prim: OBJECT :commonName
230:d=9 hl=2 l= 16 prim: UTF8STRING :WebADM CA #20034
248:d=7 hl=2 l= 23 cons: SET
250:d=8 hl=2 l= 21 cons: SEQUENCE
252:d=9 hl=2 l= 3 prim: OBJECT :organizationName
257:d=9 hl=2 l= 14 prim: UTF8STRING :Support RCDevs
273:d=6 hl=2 l= 30 cons: SEQUENCE
275:d=7 hl=2 l= 13 prim: UTCTIME :220602104934Z
290:d=7 hl=2 l= 13 prim: UTCTIME :220702104934Z
305:d=6 hl=3 l= 139 cons: SEQUENCE
308:d=7 hl=2 l= 14 cons: SET
310:d=8 hl=2 l= 12 cons: SEQUENCE
312:d=9 hl=2 l= 3 prim: OBJECT :surname
317:d=9 hl=2 l= 5 prim: UTF8STRING :traut
324:d=7 hl=2 l= 14 cons: SET
326:d=8 hl=2 l= 12 cons: SEQUENCE
328:d=9 hl=2 l= 3 prim: OBJECT :givenName
333:d=9 hl=2 l= 5 prim: UTF8STRING :yoann
340:d=7 hl=2 l= 33 cons: SET
342:d=8 hl=2 l= 31 cons: SEQUENCE
344:d=9 hl=2 l= 9 prim: OBJECT :emailAddress
355:d=9 hl=2 l= 18 prim: UTF8STRING :support@rcdevs.com
375:d=7 hl=2 l= 20 cons: SET
377:d=8 hl=2 l= 18 cons: SEQUENCE
379:d=9 hl=2 l= 3 prim: OBJECT :commonName
384:d=9 hl=2 l= 11 prim: UTF8STRING :yoann traut
397:d=7 hl=2 l= 23 cons: SET
399:d=8 hl=2 l= 21 cons: SEQUENCE
401:d=9 hl=2 l= 3 prim: OBJECT :organizationName
406:d=9 hl=2 l= 14 prim: UTF8STRING :RCDevs Support
422:d=7 hl=2 l= 23 cons: SET
424:d=8 hl=2 l= 21 cons: SEQUENCE
426:d=9 hl=2 l= 3 prim: OBJECT :2.5.4.97
431:d=9 hl=2 l= 14 prim: UTF8STRING :VATLU-00000000
447:d=6 hl=4 l= 290 cons: SEQUENCE
451:d=7 hl=2 l= 13 cons: SEQUENCE
453:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption
464:d=8 hl=2 l= 0 prim: NULL
466:d=7 hl=4 l= 271 prim: BIT STRING
741:d=6 hl=3 l= 142 cons: cont [ 3 ]
744:d=7 hl=3 l= 139 cons: SEQUENCE
747:d=8 hl=2 l= 94 cons: SEQUENCE
749:d=9 hl=2 l= 8 prim: OBJECT :Authority Information Access
759:d=9 hl=2 l= 82 prim: OCTET STRING [HEX DUMP]:3050302506082B060105050730018619687474703A2F2F3139322E3136382E342E33312F6F6373702F302706082B06010505073002861B687474703A2F2F3139322E3136382E342E33312F6361636572742F
843:d=8 hl=2 l= 41 cons: SEQUENCE
845:d=9 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
850:d=9 hl=2 l= 34 prim: OCTET STRING [HEX DUMP]:3020301EA01CA01A8618687474703A2F2F3139322E3136382E342E33312F63726C2F
886:d=5 hl=2 l= 13 cons: SEQUENCE
888:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
899:d=6 hl=2 l= 0 prim: NULL
901:d=5 hl=4 l= 257 prim: BIT STRING
1162:d=4 hl=4 l= 840 cons: SEQUENCE
1166:d=5 hl=4 l= 560 cons: SEQUENCE
1170:d=6 hl=2 l= 3 cons: cont [ 0 ]
1172:d=7 hl=2 l= 1 prim: INTEGER :02
1175:d=6 hl=2 l= 20 prim: INTEGER :0AD37EE93FDBFE67F1115F96850D4495C8DA6DEF
1197:d=6 hl=2 l= 13 cons: SEQUENCE
1199:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
1210:d=7 hl=2 l= 0 prim: NULL
1212:d=6 hl=2 l= 52 cons: SEQUENCE
1214:d=7 hl=2 l= 25 cons: SET
1216:d=8 hl=2 l= 23 cons: SEQUENCE
1218:d=9 hl=2 l= 3 prim: OBJECT :commonName
1223:d=9 hl=2 l= 16 prim: UTF8STRING :WebADM CA #20034
1241:d=7 hl=2 l= 23 cons: SET
1243:d=8 hl=2 l= 21 cons: SEQUENCE
1245:d=9 hl=2 l= 3 prim: OBJECT :organizationName
1250:d=9 hl=2 l= 14 prim: UTF8STRING :Support RCDevs
1266:d=6 hl=2 l= 32 cons: SEQUENCE
1268:d=7 hl=2 l= 13 prim: UTCTIME :210426130149Z
1283:d=7 hl=2 l= 15 prim: GENERALIZEDTIME :20710414130149Z
1300:d=6 hl=2 l= 52 cons: SEQUENCE
1302:d=7 hl=2 l= 25 cons: SET
1304:d=8 hl=2 l= 23 cons: SEQUENCE
1306:d=9 hl=2 l= 3 prim: OBJECT :commonName
1311:d=9 hl=2 l= 16 prim: UTF8STRING :WebADM CA #20034
1329:d=7 hl=2 l= 23 cons: SET
1331:d=8 hl=2 l= 21 cons: SEQUENCE
1333:d=9 hl=2 l= 3 prim: OBJECT :organizationName
1338:d=9 hl=2 l= 14 prim: UTF8STRING :Support RCDevs
1354:d=6 hl=4 l= 290 cons: SEQUENCE
1358:d=7 hl=2 l= 13 cons: SEQUENCE
1360:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption
1371:d=8 hl=2 l= 0 prim: NULL
1373:d=7 hl=4 l= 271 prim: BIT STRING
1648:d=6 hl=2 l= 80 cons: cont [ 3 ]
1650:d=7 hl=2 l= 78 cons: SEQUENCE
1652:d=8 hl=2 l= 29 cons: SEQUENCE
1654:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
1659:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:041428A7DC1346E132C0CC1421BD7726117EFE230517
1683:d=8 hl=2 l= 31 cons: SEQUENCE
1685:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
1690:d=9 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:3016801428A7DC1346E132C0CC1421BD7726117EFE230517
1716:d=8 hl=2 l= 12 cons: SEQUENCE
1718:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
1723:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF
1730:d=5 hl=2 l= 13 cons: SEQUENCE
1732:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
1743:d=6 hl=2 l= 0 prim: NULL
1745:d=5 hl=4 l= 257 prim: BIT STRING
2006:d=3 hl=2 l= 0 cons: cont [ 1 ]
2008:d=3 hl=4 l=6872 cons: SET
2012:d=4 hl=4 l=6868 cons: SEQUENCE
2016:d=5 hl=2 l= 1 prim: INTEGER :01
2019:d=5 hl=2 l= 58 cons: SEQUENCE
2021:d=6 hl=2 l= 52 cons: SEQUENCE
2023:d=7 hl=2 l= 25 cons: SET
2025:d=8 hl=2 l= 23 cons: SEQUENCE
2027:d=9 hl=2 l= 3 prim: OBJECT :commonName
2032:d=9 hl=2 l= 16 prim: UTF8STRING :WebADM CA #20034
2050:d=7 hl=2 l= 23 cons: SET
2052:d=8 hl=2 l= 21 cons: SEQUENCE
2054:d=9 hl=2 l= 3 prim: OBJECT :organizationName
2059:d=9 hl=2 l= 14 prim: UTF8STRING :Support RCDevs
2075:d=6 hl=2 l= 2 prim: INTEGER :B2
2079:d=5 hl=2 l= 13 cons: SEQUENCE
2081:d=6 hl=2 l= 9 prim: OBJECT :sha256
2092:d=6 hl=2 l= 0 prim: NULL
2094:d=5 hl=3 l= 160 cons: cont [ 0 ]
2097:d=6 hl=2 l= 24 cons: SEQUENCE
2099:d=7 hl=2 l= 9 prim: OBJECT :contentType
2110:d=7 hl=2 l= 11 cons: SET
2112:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
2123:d=6 hl=2 l= 47 cons: SEQUENCE
2125:d=7 hl=2 l= 9 prim: OBJECT :messageDigest
2136:d=7 hl=2 l= 34 cons: SET
2138:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:AB66B49FBBC6F1A3B69A52E4018D530264E6C906C49F8059D28A79D1245E325D
2172:d=6 hl=2 l= 55 cons: SEQUENCE
2174:d=7 hl=2 l= 11 prim: OBJECT :1.2.840.113549.1.9.16.2.47
2187:d=7 hl=2 l= 40 cons: SET
2189:d=8 hl=2 l= 38 cons: SEQUENCE
2191:d=9 hl=2 l= 36 cons: SEQUENCE
2193:d=10 hl=2 l= 34 cons: SEQUENCE
2195:d=11 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:C57B3CF43DC7FDAEE473122966509829D29AA07B911D46E54682C9E0DD9BBC7F
2229:d=6 hl=2 l= 26 cons: SEQUENCE
2231:d=7 hl=2 l= 9 prim: OBJECT :signingTime
2242:d=7 hl=2 l= 13 cons: SET
2244:d=8 hl=2 l= 11 prim: UTCTIME :2206031252Z
2257:d=5 hl=2 l= 13 cons: SEQUENCE
2259:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
2270:d=6 hl=2 l= 0 prim: NULL
2272:d=5 hl=4 l= 256 prim: OCTET STRING [HEX DUMP]:033DB25DF1F17A30C28B8E20029D453C7BD9475121F09667FDF902AF7149C2A226EAEC5042718604E097A07B900A1A3506F6D4FCA2A920FE066F8A4929083387E8963BC1D259B746823EFC6FCD3A638F41E187D35A026DB239317CC3D3A83E4B686B5F00F7B39F3E783BE7B77D4F7547F3DB7775D78C6514C88E542A940F5197760F865337EF655B92D748CDF907C2E0941D0C906AD9B01DF83AC1004CD61D672F613DE4D9707BC37BDF48DA784FDAB39D73353D65A481F62117004D4E2DC5DBAA0742B35DEF6D56A575227D6292680B38AD9DDEAA8A1CFE119D0677C4B4FD256C18BA164E55784B8FAD10A47D8E2E774A802B78B389A51AB379ADB3A0B75BAD
2532:d=5 hl=4 l=6348 cons: cont [ 1 ]
2536:d=6 hl=4 l=3103 cons: SEQUENCE
2540:d=7 hl=2 l= 11 prim: OBJECT :id-smime-aa-timeStampToken
2553:d=7 hl=4 l=3086 cons: SET
2557:d=8 hl=4 l=3082 cons: SEQUENCE
2561:d=9 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
2572:d=9 hl=4 l=3067 cons: cont [ 0 ]
2576:d=10 hl=4 l=3063 cons: SEQUENCE
2580:d=11 hl=2 l= 1 prim: INTEGER :03
2583:d=11 hl=2 l= 13 cons: SET
2585:d=12 hl=2 l= 11 cons: SEQUENCE
2587:d=13 hl=2 l= 9 prim: OBJECT :sha256
2598:d=11 hl=4 l= 282 cons: SEQUENCE
2602:d=12 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo
2615:d=12 hl=4 l= 265 cons: cont [ 0 ]
2619:d=13 hl=4 l= 261 prim: OCTET STRING [HEX DUMP]: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
2884:d=11 hl=4 l=1700 cons: cont [ 0 ]
2888:d=12 hl=4 l=1696 cons: SEQUENCE
2892:d=13 hl=4 l=1160 cons: SEQUENCE
2896:d=14 hl=2 l= 3 cons: cont [ 0 ]
2898:d=15 hl=2 l= 1 prim: INTEGER :02
2901:d=14 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
2923:d=14 hl=2 l= 13 cons: SEQUENCE
2925:d=15 hl=2 l= 9 prim: OBJECT :sha512WithRSAEncryption
2936:d=15 hl=2 l= 0 prim: NULL
2938:d=14 hl=2 l= 111 cons: SEQUENCE
2940:d=15 hl=2 l= 11 cons: SET
2942:d=16 hl=2 l= 9 cons: SEQUENCE
2944:d=17 hl=2 l= 3 prim: OBJECT :countryName
2949:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
2953:d=15 hl=2 l= 29 cons: SET
2955:d=16 hl=2 l= 27 cons: SEQUENCE
2957:d=17 hl=2 l= 3 prim: OBJECT :organizationName
2962:d=17 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
2984:d=15 hl=2 l= 38 cons: SET
2986:d=16 hl=2 l= 36 cons: SEQUENCE
2988:d=17 hl=2 l= 3 prim: OBJECT :commonName
2993:d=17 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
3024:d=15 hl=2 l= 25 cons: SET
3026:d=16 hl=2 l= 23 cons: SEQUENCE
3028:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
3033:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
3051:d=14 hl=2 l= 30 cons: SEQUENCE
3053:d=15 hl=2 l= 13 prim: UTCTIME :170315102318Z
3068:d=15 hl=2 l= 13 prim: UTCTIME :280315235959Z
3083:d=14 hl=2 l= 102 cons: SEQUENCE
3085:d=15 hl=2 l= 11 cons: SET
3087:d=16 hl=2 l= 9 cons: SEQUENCE
3089:d=17 hl=2 l= 3 prim: OBJECT :countryName
3094:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
3098:d=15 hl=2 l= 33 cons: SET
3100:d=16 hl=2 l= 31 cons: SEQUENCE
3102:d=17 hl=2 l= 3 prim: OBJECT :organizationName
3107:d=17 hl=2 l= 24 prim: UTF8STRING :Asseco Data Systems S.A.
3133:d=15 hl=2 l= 25 cons: SET
3135:d=16 hl=2 l= 23 cons: SEQUENCE
3137:d=17 hl=2 l= 3 prim: OBJECT :commonName
3142:d=17 hl=2 l= 16 prim: UTF8STRING :Certum QTST 2017
3160:d=15 hl=2 l= 25 cons: SET
3162:d=16 hl=2 l= 23 cons: SEQUENCE
3164:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
3169:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5170359458
3187:d=14 hl=4 l= 546 cons: SEQUENCE
3191:d=15 hl=2 l= 13 cons: SEQUENCE
3193:d=16 hl=2 l= 9 prim: OBJECT :rsaEncryption
3204:d=16 hl=2 l= 0 prim: NULL
3206:d=15 hl=4 l= 527 prim: BIT STRING
3737:d=14 hl=4 l= 315 cons: cont [ 3 ]
3741:d=15 hl=4 l= 311 cons: SEQUENCE
3745:d=16 hl=2 l= 22 cons: SEQUENCE
3747:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
3752:d=17 hl=2 l= 1 prim: BOOLEAN :255
3755:d=17 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B06010505070308
3769:d=16 hl=2 l= 12 cons: SEQUENCE
3771:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
3776:d=17 hl=2 l= 1 prim: BOOLEAN :255
3779:d=17 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
3783:d=16 hl=3 l= 172 cons: SEQUENCE
3786:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
3791:d=17 hl=3 l= 164 prim: OCTET STRING [HEX DUMP]:3081A1801429B3C8C4DFA387F866051258FD462AB8980D7987A173A471306F310B300906035504061302504C311D301B060355040A0C144E61726F646F77792042616E6B20506F6C736B693126302406035504030C1D4E61726F646F77652043656E7472756D20436572747966696B61636A693119301706035504610C10564154504C2D35323530303038313938821440F8F78AB0E364105691C8D9E02CF8C1C6400A46
3958:d=16 hl=2 l= 49 cons: SEQUENCE
3960:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies
3965:d=17 hl=2 l= 1 prim: BOOLEAN :255
3968:d=17 hl=2 l= 39 prim: OCTET STRING [HEX DUMP]:302530230604551D2000301B301906082B06010505070201160D7777772E6E63636572742E706C
4009:d=16 hl=2 l= 14 cons: SEQUENCE
4011:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
4016:d=17 hl=2 l= 1 prim: BOOLEAN :255
4019:d=17 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030206C0
4025:d=16 hl=2 l= 29 cons: SEQUENCE
4027:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
4032:d=17 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414B2BD12CB0781E27BA3B0611D4A4379A887F4D076
4056:d=13 hl=2 l= 13 cons: SEQUENCE
4058:d=14 hl=2 l= 9 prim: OBJECT :sha512WithRSAEncryption
4069:d=14 hl=2 l= 0 prim: NULL
4071:d=13 hl=4 l= 513 prim: BIT STRING
4588:d=11 hl=4 l=1051 cons: SET
4592:d=12 hl=4 l=1047 cons: SEQUENCE
4596:d=13 hl=2 l= 1 prim: INTEGER :01
4599:d=13 hl=3 l= 135 cons: SEQUENCE
4602:d=14 hl=2 l= 111 cons: SEQUENCE
4604:d=15 hl=2 l= 11 cons: SET
4606:d=16 hl=2 l= 9 cons: SEQUENCE
4608:d=17 hl=2 l= 3 prim: OBJECT :countryName
4613:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
4617:d=15 hl=2 l= 29 cons: SET
4619:d=16 hl=2 l= 27 cons: SEQUENCE
4621:d=17 hl=2 l= 3 prim: OBJECT :organizationName
4626:d=17 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
4648:d=15 hl=2 l= 38 cons: SET
4650:d=16 hl=2 l= 36 cons: SEQUENCE
4652:d=17 hl=2 l= 3 prim: OBJECT :commonName
4657:d=17 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
4688:d=15 hl=2 l= 25 cons: SET
4690:d=16 hl=2 l= 23 cons: SEQUENCE
4692:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
4697:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
4715:d=14 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
4737:d=13 hl=2 l= 13 cons: SEQUENCE
4739:d=14 hl=2 l= 9 prim: OBJECT :sha256
4750:d=14 hl=2 l= 0 prim: NULL
4752:d=13 hl=4 l= 356 cons: cont [ 0 ]
4756:d=14 hl=2 l= 26 cons: SEQUENCE
4758:d=15 hl=2 l= 9 prim: OBJECT :contentType
4769:d=15 hl=2 l= 13 cons: SET
4771:d=16 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo
4784:d=14 hl=2 l= 28 cons: SEQUENCE
4786:d=15 hl=2 l= 9 prim: OBJECT :signingTime
4797:d=15 hl=2 l= 15 cons: SET
4799:d=16 hl=2 l= 13 prim: UTCTIME :220603125228Z
4814:d=14 hl=2 l= 47 cons: SEQUENCE
4816:d=15 hl=2 l= 9 prim: OBJECT :messageDigest
4827:d=15 hl=2 l= 34 cons: SET
4829:d=16 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:DE9DE66106E93BB55DECFAA09EBEC7C6C8FDC3482CF46C5070B76DEBAAFD1E1B
4863:d=14 hl=2 l= 55 cons: SEQUENCE
4865:d=15 hl=2 l= 11 prim: OBJECT :1.2.840.113549.1.9.16.2.47
4878:d=15 hl=2 l= 40 cons: SET
4880:d=16 hl=2 l= 38 cons: SEQUENCE
4882:d=17 hl=2 l= 36 cons: SEQUENCE
4884:d=18 hl=2 l= 34 cons: SEQUENCE
4886:d=19 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:673BE8A1DA927DB63CCAB7CB3E7AC352DC3AEB6A8DA3E2A359CA158D0A440DB8
4920:d=14 hl=3 l= 189 cons: SEQUENCE
4923:d=15 hl=2 l= 11 prim: OBJECT :id-smime-aa-signingCertificate
4936:d=15 hl=3 l= 173 cons: SET
4939:d=16 hl=3 l= 170 cons: SEQUENCE
4942:d=17 hl=3 l= 167 cons: SEQUENCE
4945:d=18 hl=3 l= 164 cons: SEQUENCE
4948:d=19 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:6E23CDB967F06D3FDA85316C5B47361CD55542AC
4970:d=19 hl=3 l= 139 cons: SEQUENCE
4973:d=20 hl=2 l= 115 cons: SEQUENCE
4975:d=21 hl=2 l= 113 cons: cont [ 4 ]
4977:d=22 hl=2 l= 111 cons: SEQUENCE
4979:d=23 hl=2 l= 11 cons: SET
4981:d=24 hl=2 l= 9 cons: SEQUENCE
4983:d=25 hl=2 l= 3 prim: OBJECT :countryName
4988:d=25 hl=2 l= 2 prim: PRINTABLESTRING :PL
4992:d=23 hl=2 l= 29 cons: SET
4994:d=24 hl=2 l= 27 cons: SEQUENCE
4996:d=25 hl=2 l= 3 prim: OBJECT :organizationName
5001:d=25 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
5023:d=23 hl=2 l= 38 cons: SET
5025:d=24 hl=2 l= 36 cons: SEQUENCE
5027:d=25 hl=2 l= 3 prim: OBJECT :commonName
5032:d=25 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
5063:d=23 hl=2 l= 25 cons: SET
5065:d=24 hl=2 l= 23 cons: SEQUENCE
5067:d=25 hl=2 l= 3 prim: OBJECT :2.5.4.97
5072:d=25 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
5090:d=20 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
5112:d=13 hl=2 l= 13 cons: SEQUENCE
5114:d=14 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
5125:d=14 hl=2 l= 0 prim: NULL
5127:d=13 hl=4 l= 512 prim: OCTET STRING [HEX DUMP]:47ECE4C54DA2CA8E0D6BFFA0D16392C00A36D4EC0EB59B8378C2AB2F5672B5CFD15085FF31209CD9E224853305FB0B34C0E9F9EC0A09D3B30B4126FA4EB2DEA8230B68AEC33F6EA9CEF4AB7B9EC955EA5D539F3EBB2161EC79A37C274AA47A1EF0636239564631A692726052236B0111C842DCB0A79D15901706C490EF181EB204157E2AE5259375DA548380A964CC908A455930CBEBBA738E2AC128E267B136B14E66BFDABB437C842911AEE5723E9B998B96FC68EF0A4DC86814F8B0EC2BDE0CFB20ED2382683571425867D947D4AB830AFD615A3629C575C51EC94C89C7B6A6D9713CD61B6D51C751428E4373292875994FBCAA9387DF6962C356803A30F912BF95CEF4CC9CF951DF5CC14F9D54880C80CD5BCB8DC6FD57C874B832A87156399BAF361129080FD1B7B8E9D0F6984B180F62412A678053FC0D57F8BF089DAF5F03598A94DB297021FA27FFF61E18CBBCFFB7EC74AD1130B94B398FBBE68417118076BFAE2134B9A158411458C9106498E765D032633D9C32C0E8B41B036A99EC4B1AB368EB0749F4AB26213B3CB91D11FADCA4D2F4AB26988AB820B2BD20AAF0A16F3EE5D3289DFB11892038B5231A4E9DCD4CBD1EBBF751013994A569F9D048FA8E476E7EE9A14532CCDC157000FA109474F05B32D5CB32E44A177C54EB4EBFF97A8A7D50EA92AAB5573B44226F8E9228F1A9C1CC5B5D4FB4F6F86D0AC6BA
5643:d=6 hl=4 l=3237 cons: SEQUENCE
5647:d=7 hl=2 l= 6 prim: OBJECT :0.4.0.1733.2.4
5655:d=7 hl=4 l=3225 cons: SET
5659:d=8 hl=4 l=3221 cons: SEQUENCE
5663:d=9 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
5674:d=9 hl=4 l=3206 cons: cont [ 0 ]
5678:d=10 hl=4 l=3202 cons: SEQUENCE
5682:d=11 hl=2 l= 1 prim: INTEGER :03
5685:d=11 hl=2 l= 13 cons: SET
5687:d=12 hl=2 l= 11 cons: SEQUENCE
5689:d=13 hl=2 l= 9 prim: OBJECT :sha256
5700:d=11 hl=4 l= 281 cons: SEQUENCE
5704:d=12 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo
5717:d=12 hl=4 l= 264 cons: cont [ 0 ]
5721:d=13 hl=4 l= 260 prim: OCTET STRING [HEX DUMP]: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
5985:d=11 hl=4 l=1700 cons: cont [ 0 ]
5989:d=12 hl=4 l=1696 cons: SEQUENCE
5993:d=13 hl=4 l=1160 cons: SEQUENCE
5997:d=14 hl=2 l= 3 cons: cont [ 0 ]
5999:d=15 hl=2 l= 1 prim: INTEGER :02
6002:d=14 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
6024:d=14 hl=2 l= 13 cons: SEQUENCE
6026:d=15 hl=2 l= 9 prim: OBJECT :sha512WithRSAEncryption
6037:d=15 hl=2 l= 0 prim: NULL
6039:d=14 hl=2 l= 111 cons: SEQUENCE
6041:d=15 hl=2 l= 11 cons: SET
6043:d=16 hl=2 l= 9 cons: SEQUENCE
6045:d=17 hl=2 l= 3 prim: OBJECT :countryName
6050:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
6054:d=15 hl=2 l= 29 cons: SET
6056:d=16 hl=2 l= 27 cons: SEQUENCE
6058:d=17 hl=2 l= 3 prim: OBJECT :organizationName
6063:d=17 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
6085:d=15 hl=2 l= 38 cons: SET
6087:d=16 hl=2 l= 36 cons: SEQUENCE
6089:d=17 hl=2 l= 3 prim: OBJECT :commonName
6094:d=17 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
6125:d=15 hl=2 l= 25 cons: SET
6127:d=16 hl=2 l= 23 cons: SEQUENCE
6129:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
6134:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
6152:d=14 hl=2 l= 30 cons: SEQUENCE
6154:d=15 hl=2 l= 13 prim: UTCTIME :170315102318Z
6169:d=15 hl=2 l= 13 prim: UTCTIME :280315235959Z
6184:d=14 hl=2 l= 102 cons: SEQUENCE
6186:d=15 hl=2 l= 11 cons: SET
6188:d=16 hl=2 l= 9 cons: SEQUENCE
6190:d=17 hl=2 l= 3 prim: OBJECT :countryName
6195:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
6199:d=15 hl=2 l= 33 cons: SET
6201:d=16 hl=2 l= 31 cons: SEQUENCE
6203:d=17 hl=2 l= 3 prim: OBJECT :organizationName
6208:d=17 hl=2 l= 24 prim: UTF8STRING :Asseco Data Systems S.A.
6234:d=15 hl=2 l= 25 cons: SET
6236:d=16 hl=2 l= 23 cons: SEQUENCE
6238:d=17 hl=2 l= 3 prim: OBJECT :commonName
6243:d=17 hl=2 l= 16 prim: UTF8STRING :Certum QTST 2017
6261:d=15 hl=2 l= 25 cons: SET
6263:d=16 hl=2 l= 23 cons: SEQUENCE
6265:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
6270:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5170359458
6288:d=14 hl=4 l= 546 cons: SEQUENCE
6292:d=15 hl=2 l= 13 cons: SEQUENCE
6294:d=16 hl=2 l= 9 prim: OBJECT :rsaEncryption
6305:d=16 hl=2 l= 0 prim: NULL
6307:d=15 hl=4 l= 527 prim: BIT STRING
6838:d=14 hl=4 l= 315 cons: cont [ 3 ]
6842:d=15 hl=4 l= 311 cons: SEQUENCE
6846:d=16 hl=2 l= 22 cons: SEQUENCE
6848:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
6853:d=17 hl=2 l= 1 prim: BOOLEAN :255
6856:d=17 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B06010505070308
6870:d=16 hl=2 l= 12 cons: SEQUENCE
6872:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
6877:d=17 hl=2 l= 1 prim: BOOLEAN :255
6880:d=17 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
6884:d=16 hl=3 l= 172 cons: SEQUENCE
6887:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
6892:d=17 hl=3 l= 164 prim: OCTET STRING [HEX DUMP]:3081A1801429B3C8C4DFA387F866051258FD462AB8980D7987A173A471306F310B300906035504061302504C311D301B060355040A0C144E61726F646F77792042616E6B20506F6C736B693126302406035504030C1D4E61726F646F77652043656E7472756D20436572747966696B61636A693119301706035504610C10564154504C2D35323530303038313938821440F8F78AB0E364105691C8D9E02CF8C1C6400A46
7059:d=16 hl=2 l= 49 cons: SEQUENCE
7061:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies
7066:d=17 hl=2 l= 1 prim: BOOLEAN :255
7069:d=17 hl=2 l= 39 prim: OCTET STRING [HEX DUMP]:302530230604551D2000301B301906082B06010505070201160D7777772E6E63636572742E706C
7110:d=16 hl=2 l= 14 cons: SEQUENCE
7112:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
7117:d=17 hl=2 l= 1 prim: BOOLEAN :255
7120:d=17 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030206C0
7126:d=16 hl=2 l= 29 cons: SEQUENCE
7128:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
7133:d=17 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414B2BD12CB0781E27BA3B0611D4A4379A887F4D076
7157:d=13 hl=2 l= 13 cons: SEQUENCE
7159:d=14 hl=2 l= 9 prim: OBJECT :sha512WithRSAEncryption
7170:d=14 hl=2 l= 0 prim: NULL
7172:d=13 hl=4 l= 513 prim: BIT STRING
7689:d=11 hl=4 l=1191 cons: SET
7693:d=12 hl=4 l=1187 cons: SEQUENCE
7697:d=13 hl=2 l= 1 prim: INTEGER :01
7700:d=13 hl=3 l= 135 cons: SEQUENCE
7703:d=14 hl=2 l= 111 cons: SEQUENCE
7705:d=15 hl=2 l= 11 cons: SET
7707:d=16 hl=2 l= 9 cons: SEQUENCE
7709:d=17 hl=2 l= 3 prim: OBJECT :countryName
7714:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
7718:d=15 hl=2 l= 29 cons: SET
7720:d=16 hl=2 l= 27 cons: SEQUENCE
7722:d=17 hl=2 l= 3 prim: OBJECT :organizationName
7727:d=17 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
7749:d=15 hl=2 l= 38 cons: SET
7751:d=16 hl=2 l= 36 cons: SEQUENCE
7753:d=17 hl=2 l= 3 prim: OBJECT :commonName
7758:d=17 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
7789:d=15 hl=2 l= 25 cons: SET
7791:d=16 hl=2 l= 23 cons: SEQUENCE
7793:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
7798:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
7816:d=14 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
7838:d=13 hl=2 l= 13 cons: SEQUENCE
7840:d=14 hl=2 l= 9 prim: OBJECT :sha256
7851:d=14 hl=2 l= 0 prim: NULL
7853:d=13 hl=4 l= 356 cons: cont [ 0 ]
7857:d=14 hl=2 l= 26 cons: SEQUENCE
7859:d=15 hl=2 l= 9 prim: OBJECT :contentType
7870:d=15 hl=2 l= 13 cons: SET
7872:d=16 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo
7885:d=14 hl=2 l= 28 cons: SEQUENCE
7887:d=15 hl=2 l= 9 prim: OBJECT :signingTime
7898:d=15 hl=2 l= 15 cons: SET
7900:d=16 hl=2 l= 13 prim: UTCTIME :220603125228Z
7915:d=14 hl=2 l= 47 cons: SEQUENCE
7917:d=15 hl=2 l= 9 prim: OBJECT :messageDigest
7928:d=15 hl=2 l= 34 cons: SET
7930:d=16 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:D2F188F6D11416D409E9F4F8C16D1936D49357FEC25CFBF65C46AFE9346B28BA
7964:d=14 hl=2 l= 55 cons: SEQUENCE
7966:d=15 hl=2 l= 11 prim: OBJECT :1.2.840.113549.1.9.16.2.47
7979:d=15 hl=2 l= 40 cons: SET
7981:d=16 hl=2 l= 38 cons: SEQUENCE
7983:d=17 hl=2 l= 36 cons: SEQUENCE
7985:d=18 hl=2 l= 34 cons: SEQUENCE
7987:d=19 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:673BE8A1DA927DB63CCAB7CB3E7AC352DC3AEB6A8DA3E2A359CA158D0A440DB8
8021:d=14 hl=3 l= 189 cons: SEQUENCE
8024:d=15 hl=2 l= 11 prim: OBJECT :id-smime-aa-signingCertificate
8037:d=15 hl=3 l= 173 cons: SET
8040:d=16 hl=3 l= 170 cons: SEQUENCE
8043:d=17 hl=3 l= 167 cons: SEQUENCE
8046:d=18 hl=3 l= 164 cons: SEQUENCE
8049:d=19 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:6E23CDB967F06D3FDA85316C5B47361CD55542AC
8071:d=19 hl=3 l= 139 cons: SEQUENCE
8074:d=20 hl=2 l= 115 cons: SEQUENCE
8076:d=21 hl=2 l= 113 cons: cont [ 4 ]
8078:d=22 hl=2 l= 111 cons: SEQUENCE
8080:d=23 hl=2 l= 11 cons: SET
8082:d=24 hl=2 l= 9 cons: SEQUENCE
8084:d=25 hl=2 l= 3 prim: OBJECT :countryName
8089:d=25 hl=2 l= 2 prim: PRINTABLESTRING :PL
8093:d=23 hl=2 l= 29 cons: SET
8095:d=24 hl=2 l= 27 cons: SEQUENCE
8097:d=25 hl=2 l= 3 prim: OBJECT :organizationName
8102:d=25 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
8124:d=23 hl=2 l= 38 cons: SET
8126:d=24 hl=2 l= 36 cons: SEQUENCE
8128:d=25 hl=2 l= 3 prim: OBJECT :commonName
8133:d=25 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
8164:d=23 hl=2 l= 25 cons: SET
8166:d=24 hl=2 l= 23 cons: SEQUENCE
8168:d=25 hl=2 l= 3 prim: OBJECT :2.5.4.97
8173:d=25 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
8191:d=20 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
8213:d=13 hl=2 l= 13 cons: SEQUENCE
8215:d=14 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
8226:d=14 hl=2 l= 0 prim: NULL
8228:d=13 hl=4 l= 512 prim
8744:d=13 hl=3 l= 137 cons: cont [ 1 ]
8747:d=14 hl=3 l= 134 cons: SEQUENCE
8750:d=15 hl=2 l= 7 prim: OBJECT :0.4.0.19122.1.5
8759:d=15 hl=2 l= 123 cons: SET
8761:d=16 hl=2 l= 121 cons: SEQUENCE
8763:d=17 hl=2 l= 11 cons: SEQUENCE
8765:d=18 hl=2 l= 9 prim: OBJECT :sha256
8776:d=17 hl=2 l= 68 cons: SEQUENCE
8778:d=18 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:C57B3CF43DC7FDAEE473122966509829D29AA07B911D46E54682C9E0DD9BBC7F
8812:d=18 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:9D60CAD043EE1B4216B7B977946477DE997FC0F95BE422FDEABE42E51006F4DF
8846:d=17 hl=2 l= 0 cons: SEQUENCE
8848:d=17 hl=2 l= 34 cons: SEQUENCE
8850:d=18 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:5314884A9C21F74D0D4057600D8C0425C48FD9FDE0A48DFE231C879F300C20EA
What has been signed (the transaction details) and the information related to the user certificate are contained in the CMS output. For more information about CMS, see RFC 5652.
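`openssl asn1parse` only decodes the structure; it does not check that the embedded content still matches the `messageDigest` signed attribute. The added example below (not RCDevs code) walks a DER SignedData as laid out in RFC 5652 and performs that one check with the Python standard library. The P7M it runs on is a minimal constructed sample with no certificates and placeholder signature bytes, and every function name is this example's own.

```python
import hashlib

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # pkcs7-signedData
OID_DATA = bytes.fromhex("2a864886f70d010701")          # pkcs7-data
OID_MSG_DIGEST = bytes.fromhex("2a864886f70d010904")    # messageDigest
OID_SHA256 = bytes.fromhex("608648016503040201")        # sha256
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")    # sha256WithRSAEncryption


def read_tlv(buf, pos):
    """Decode one DER header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated header or multi-byte tag")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of input")
    return tag, pos, pos + length


def children(buf, start, end):
    """Return the (tag, value_start, value_end) elements inside [start, end)."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        if ve > end:
            raise ValueError("child overruns its parent")
        out.append((tag, vs, ve))
        pos = ve
    return out


def check_message_digest(p7m):
    """Return [(claimed_hex, computed_hex, match)], one tuple per SignerInfo."""
    _, s, e = read_tlv(p7m, 0)                         # ContentInfo
    ctype, wrapped = children(p7m, s, e)[:2]
    if p7m[ctype[1]:ctype[2]] != OID_SIGNED_DATA:
        raise ValueError("not a SignedData structure")
    _, s, e = read_tlv(p7m, wrapped[1])                # SignedData inside [0]
    sd = children(p7m, s, e)
    if len(sd) < 4:
        raise ValueError("SignedData is missing mandatory fields")
    encap = children(p7m, sd[2][1], sd[2][2])          # eContentType, [0] eContent
    if len(encap) < 2:
        raise ValueError("detached signature: content is not embedded")
    tag, s, e = read_tlv(p7m, encap[1][1])
    if tag != 0x04:
        raise ValueError("eContent is not a primitive OCTET STRING")
    computed = hashlib.sha256(p7m[s:e]).digest()
    results = []
    for _, si_s, si_e in children(p7m, sd[-1][1], sd[-1][2]):  # signerInfos SET
        fields = children(p7m, si_s, si_e)  # version, sid, digestAlgorithm, ...
        alg = children(p7m, fields[2][1], fields[2][2])[0]
        if p7m[alg[1]:alg[2]] != OID_SHA256:
            raise ValueError("only sha256 is handled in this example")
        attrs = next((f for f in fields[3:] if f[0] == 0xA0), None)
        if attrs is None:
            raise ValueError("SignerInfo has no signed attributes")
        claimed = None
        for _, a_s, a_e in children(p7m, attrs[1], attrs[2]):
            oid, values = children(p7m, a_s, a_e)[:2]
            if p7m[oid[1]:oid[2]] == OID_MSG_DIGEST:
                _, d_s, d_e = read_tlv(p7m, values[1])  # OCTET STRING in the SET
                claimed = p7m[d_s:d_e]
        if claimed is None:
            raise ValueError("messageDigest attribute missing")
        results.append((claimed.hex(), computed.hex(), claimed == computed))
    return results


def der(tag, *parts):
    """Encode one DER element; used only to build the constructed sample."""
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + len(body).to_bytes(size, "big") + body


def build_sample(content):
    """Constructed SignedData: no certificates, placeholder signature bytes."""
    alg = der(0x30, der(0x06, OID_SHA256), der(0x05))
    attrs = der(0xA0, der(0x30, der(0x06, OID_MSG_DIGEST),
                          der(0x31, der(0x04, hashlib.sha256(content).digest()))))
    sid = der(0x30, der(0x30), der(0x02, b"\x01"))     # empty issuer, serial 1
    signer = der(0x30, der(0x02, b"\x01"), sid, alg, attrs,
                 der(0x30, der(0x06, OID_SHA256_RSA), der(0x05)), der(0x04, bytes(256)))
    encap = der(0x30, der(0x06, OID_DATA), der(0xA0, der(0x04, content)))
    signed_data = der(0x30, der(0x02, b"\x01"), der(0x31, alg), encap, der(0x31, signer))
    return der(0x30, der(0x06, OID_SIGNED_DATA), der(0xA0, signed_data))


SAMPLE_HTML = b'<html style="color:white">\n<b>Sample Signature</b><br>\n</html>'  # constructed
GOOD = build_sample(SAMPLE_HTML)
TAMPERED = GOOD.replace(b"Sample", b"Forged")  # same length, so the DER still parses
```

A match only ties the content to the signed attributes. Validating the signature over those attributes and the certificate chain is a separate step, for example with `openssl cms -verify`.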
Details of the certificate used for the previous transaction on the WebADM backend:

Below are the details of a transaction signed with a certificate issued by the RCDevs CA (SignScope = Global). The API returns a P7M file for each transaction. That file is a Cryptographic Message Syntax (CMS) structure and can be read with the following OpenSSL command:
openssl asn1parse -in output_global.p7m -inform der
0:d=0 hl=4 l=10376 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l=10361 cons: cont [ 0 ]
19:d=2 hl=4 l=10357 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 15 cons: SET
28:d=4 hl=2 l= 13 cons: SEQUENCE
30:d=5 hl=2 l= 9 prim: OBJECT :sha256
41:d=5 hl=2 l= 0 prim: NULL
43:d=3 hl=3 l= 137 cons: SEQUENCE
46:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
57:d=4 hl=2 l= 124 cons: cont [ 0 ]
59:d=5 hl=2 l= 122 prim: OCTET STRING :<html style="color:white">
<b>Sample Signature</b><br>
<br>
Dummy Information #1<br>
Dummy Information #2<br>
</html>
183:d=3 hl=4 l=3201 cons: cont [ 0 ]
187:d=4 hl=4 l=1488 cons: SEQUENCE
191:d=5 hl=4 l= 952 cons: SEQUENCE
195:d=6 hl=2 l= 3 cons: cont [ 0 ]
197:d=7 hl=2 l= 1 prim: INTEGER :02
200:d=6 hl=2 l= 16 prim: INTEGER :2931ADDC08407664F6FF6690A2514146
218:d=6 hl=2 l= 13 cons: SEQUENCE
220:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
231:d=7 hl=2 l= 0 prim: NULL
233:d=6 hl=3 l= 149 cons: SEQUENCE
236:d=7 hl=2 l= 11 cons: SET
238:d=8 hl=2 l= 9 cons: SEQUENCE
240:d=9 hl=2 l= 3 prim: OBJECT :countryName
245:d=9 hl=2 l= 2 prim: PRINTABLESTRING :LU
249:d=7 hl=2 l= 27 cons: SET
251:d=8 hl=2 l= 25 cons: SEQUENCE
253:d=9 hl=2 l= 3 prim: OBJECT :organizationName
258:d=9 hl=2 l= 18 prim: UTF8STRING :RCDevs Security SA
278:d=7 hl=2 l= 38 cons: SET
280:d=8 hl=2 l= 36 cons: SEQUENCE
282:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
287:d=9 hl=2 l= 29 prim: UTF8STRING :Certificate Autority Services
318:d=7 hl=2 l= 35 cons: SET
320:d=8 hl=2 l= 33 cons: SEQUENCE
322:d=9 hl=2 l= 3 prim: OBJECT :commonName
327:d=9 hl=2 l= 26 prim: UTF8STRING :Enterprise Intermediate CA
355:d=7 hl=2 l= 28 cons: SET
357:d=8 hl=2 l= 26 cons: SEQUENCE
359:d=9 hl=2 l= 9 prim: OBJECT :emailAddress
370:d=9 hl=2 l= 13 prim: IA5STRING :ca@rcdevs.com
385:d=6 hl=2 l= 30 cons: SEQUENCE
387:d=7 hl=2 l= 13 prim: UTCTIME :220602105208Z
402:d=7 hl=2 l= 13 prim: UTCTIME :220702105208Z
417:d=6 hl=3 l= 139 cons: SEQUENCE
420:d=7 hl=2 l= 23 cons: SET
422:d=8 hl=2 l= 21 cons: SEQUENCE
424:d=9 hl=2 l= 3 prim: OBJECT :organizationName
429:d=9 hl=2 l= 14 prim: UTF8STRING :RCDevs Support
445:d=7 hl=2 l= 14 cons: SET
447:d=8 hl=2 l= 12 cons: SEQUENCE
449:d=9 hl=2 l= 3 prim: OBJECT :givenName
454:d=9 hl=2 l= 5 prim: UTF8STRING :yoann
461:d=7 hl=2 l= 20 cons: SET
463:d=8 hl=2 l= 18 cons: SEQUENCE
465:d=9 hl=2 l= 3 prim: OBJECT :commonName
470:d=9 hl=2 l= 11 prim: UTF8STRING :yoann traut
483:d=7 hl=2 l= 14 cons: SET
485:d=8 hl=2 l= 12 cons: SEQUENCE
487:d=9 hl=2 l= 3 prim: OBJECT :surname
492:d=9 hl=2 l= 5 prim: UTF8STRING :traut
499:d=7 hl=2 l= 33 cons: SET
501:d=8 hl=2 l= 31 cons: SEQUENCE
503:d=9 hl=2 l= 9 prim: OBJECT :emailAddress
514:d=9 hl=2 l= 18 prim: UTF8STRING :support@rcdevs.com
534:d=7 hl=2 l= 23 cons: SET
536:d=8 hl=2 l= 21 cons: SEQUENCE
538:d=9 hl=2 l= 3 prim: OBJECT :2.5.4.97
543:d=9 hl=2 l= 14 prim: UTF8STRING :VATLU-00000000
559:d=6 hl=4 l= 290 cons: SEQUENCE
563:d=7 hl=2 l= 13 cons: SEQUENCE
565:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption
576:d=8 hl=2 l= 0 prim: NULL
578:d=7 hl=4 l= 271 prim: BIT STRING
853:d=6 hl=4 l= 290 cons: cont [ 3 ]
857:d=7 hl=4 l= 286 cons: SEQUENCE
861:d=8 hl=3 l= 169 cons: SEQUENCE
864:d=9 hl=2 l= 8 prim: OBJECT :Authority Information Access
874:d=9 hl=2 l= 1 prim: BOOLEAN :255
877:d=9 hl=3 l= 153 prim: OCTET STRING [HEX DUMP]:308196306B06082B06010505073002865F687474703A2F2F636C6F75642E7263646576732E636F6D2F6361636572742F37643033613564343630373433646365373034306433303962633466356436373234623434656363643565353063636433383861626263633431353735666635302706082B06010505073001861B687474703A2F2F636C6F75642E7263646576732E636F6D2F63726C
1033:d=8 hl=2 l= 112 cons: SEQUENCE
1035:d=9 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
1040:d=9 hl=2 l= 1 prim: BOOLEAN :255
1043:d=9 hl=2 l= 102 prim: OCTET STRING [HEX DUMP]:30643062A060A05E865C687474703A2F2F636C6F75642E7263646576732E636F6D2F63726C2F37643033613564343630373433646365373034306433303962633466356436373234623434656363643565353063636433383861626263633431353735666635
1147:d=5 hl=2 l= 13 cons: SEQUENCE
1149:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
1160:d=6 hl=2 l= 0 prim: NULL
1162:d=5 hl=4 l= 513 prim: BIT STRING
1679:d=4 hl=4 l=1705 cons: SEQUENCE
1683:d=5 hl=4 l=1169 cons: SEQUENCE
1687:d=6 hl=2 l= 3 cons: cont [ 0 ]
1689:d=7 hl=2 l= 1 prim: INTEGER :02
1692:d=6 hl=2 l= 16 prim: INTEGER :481F9E54FC957C9031F993E36F41B20F
1710:d=6 hl=2 l= 13 cons: SEQUENCE
1712:d=7 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
1723:d=7 hl=2 l= 0 prim: NULL
1725:d=6 hl=3 l= 137 cons: SEQUENCE
1728:d=7 hl=2 l= 11 cons: SET
1730:d=8 hl=2 l= 9 cons: SEQUENCE
1732:d=9 hl=2 l= 3 prim: OBJECT :countryName
1737:d=9 hl=2 l= 2 prim: PRINTABLESTRING :LU
1741:d=7 hl=2 l= 27 cons: SET
1743:d=8 hl=2 l= 25 cons: SEQUENCE
1745:d=9 hl=2 l= 3 prim: OBJECT :organizationName
1750:d=9 hl=2 l= 18 prim: PRINTABLESTRING :RCDevs Security SA
1770:d=7 hl=2 l= 38 cons: SET
1772:d=8 hl=2 l= 36 cons: SEQUENCE
1774:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
1779:d=9 hl=2 l= 29 prim: PRINTABLESTRING :Certificate Autority Services
1810:d=7 hl=2 l= 23 cons: SET
1812:d=8 hl=2 l= 21 cons: SEQUENCE
1814:d=9 hl=2 l= 3 prim: OBJECT :commonName
1819:d=9 hl=2 l= 14 prim: PRINTABLESTRING :RCDevs Root CA
1835:d=7 hl=2 l= 28 cons: SET
1837:d=8 hl=2 l= 26 cons: SEQUENCE
1839:d=9 hl=2 l= 9 prim: OBJECT :emailAddress
1850:d=9 hl=2 l= 13 prim: IA5STRING :ca@rcdevs.com
1865:d=6 hl=2 l= 30 cons: SEQUENCE
1867:d=7 hl=2 l= 13 prim: UTCTIME :220316153029Z
1882:d=7 hl=2 l= 13 prim: UTCTIME :320313153029Z
1897:d=6 hl=3 l= 149 cons: SEQUENCE
1900:d=7 hl=2 l= 11 cons: SET
1902:d=8 hl=2 l= 9 cons: SEQUENCE
1904:d=9 hl=2 l= 3 prim: OBJECT :countryName
1909:d=9 hl=2 l= 2 prim: PRINTABLESTRING :LU
1913:d=7 hl=2 l= 27 cons: SET
1915:d=8 hl=2 l= 25 cons: SEQUENCE
1917:d=9 hl=2 l= 3 prim: OBJECT :organizationName
1922:d=9 hl=2 l= 18 prim: UTF8STRING :RCDevs Security SA
1942:d=7 hl=2 l= 38 cons: SET
1944:d=8 hl=2 l= 36 cons: SEQUENCE
1946:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
1951:d=9 hl=2 l= 29 prim: UTF8STRING :Certificate Autority Services
1982:d=7 hl=2 l= 35 cons: SET
1984:d=8 hl=2 l= 33 cons: SEQUENCE
1986:d=9 hl=2 l= 3 prim: OBJECT :commonName
1991:d=9 hl=2 l= 26 prim: UTF8STRING :Enterprise Intermediate CA
2019:d=7 hl=2 l= 28 cons: SET
2021:d=8 hl=2 l= 26 cons: SEQUENCE
2023:d=9 hl=2 l= 9 prim: OBJECT :emailAddress
2034:d=9 hl=2 l= 13 prim: IA5STRING :ca@rcdevs.com
2049:d=6 hl=4 l= 546 cons: SEQUENCE
2053:d=7 hl=2 l= 13 cons: SEQUENCE
2055:d=8 hl=2 l= 9 prim: OBJECT :rsaEncryption
2066:d=8 hl=2 l= 0 prim: NULL
2068:d=7 hl=4 l= 527 prim: BIT STRING
2599:d=6 hl=3 l= 254 cons: cont [ 3 ]
2602:d=7 hl=3 l= 251 cons: SEQUENCE
2605:d=8 hl=2 l= 12 cons: SEQUENCE
2607:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
2612:d=9 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF
2619:d=8 hl=2 l= 29 cons: SEQUENCE
2621:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
2626:d=9 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04146A850593B549D28E6D5A6C984B6C0FCF8D572963
2650:d=8 hl=3 l= 190 cons: SEQUENCE
2653:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
2658:d=9 hl=3 l= 182 prim: OCTET STRING [HEX DUMP]:3081B380142AD61E5A3EA439A9660A485280D44948E70F453FA1818FA4818C308189310B3009060355040613024C55311B3019060355040A131252434465767320536563757269747920534131263024060355040B131D4365727469666963617465204175746F72697479205365727669636573311730150603550403130E52434465767320526F6F74204341311C301A06092A864886F70D010901160D6361407263646576732E636F6D820900A13A312587444085
2843:d=8 hl=2 l= 11 cons: SEQUENCE
2845:d=9 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
2850:d=9 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020106
2856:d=5 hl=2 l= 13 cons: SEQUENCE
2858:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
2869:d=6 hl=2 l= 0 prim: NULL
2871:d=5 hl=4 l= 513 prim: BIT STRING
3388:d=3 hl=2 l= 0 cons: cont [ 1 ]
3390:d=3 hl=4 l=6986 cons: SET
3394:d=4 hl=4 l=6982 cons: SEQUENCE
3398:d=5 hl=2 l= 1 prim: INTEGER :01
3401:d=5 hl=3 l= 170 cons: SEQUENCE
3404:d=6 hl=3 l= 149 cons: SEQUENCE
3407:d=7 hl=2 l= 11 cons: SET
3409:d=8 hl=2 l= 9 cons: SEQUENCE
3411:d=9 hl=2 l= 3 prim: OBJECT :countryName
3416:d=9 hl=2 l= 2 prim: PRINTABLESTRING :LU
3420:d=7 hl=2 l= 27 cons: SET
3422:d=8 hl=2 l= 25 cons: SEQUENCE
3424:d=9 hl=2 l= 3 prim: OBJECT :organizationName
3429:d=9 hl=2 l= 18 prim: UTF8STRING :RCDevs Security SA
3449:d=7 hl=2 l= 38 cons: SET
3451:d=8 hl=2 l= 36 cons: SEQUENCE
3453:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
3458:d=9 hl=2 l= 29 prim: UTF8STRING :Certificate Autority Services
3489:d=7 hl=2 l= 35 cons: SET
3491:d=8 hl=2 l= 33 cons: SEQUENCE
3493:d=9 hl=2 l= 3 prim: OBJECT :commonName
3498:d=9 hl=2 l= 26 prim: UTF8STRING :Enterprise Intermediate CA
3526:d=7 hl=2 l= 28 cons: SET
3528:d=8 hl=2 l= 26 cons: SEQUENCE
3530:d=9 hl=2 l= 9 prim: OBJECT :emailAddress
3541:d=9 hl=2 l= 13 prim: IA5STRING :ca@rcdevs.com
3556:d=6 hl=2 l= 16 prim: INTEGER :2931ADDC08407664F6FF6690A2514146
3574:d=5 hl=2 l= 13 cons: SEQUENCE
3576:d=6 hl=2 l= 9 prim: OBJECT :sha256
3587:d=6 hl=2 l= 0 prim: NULL
3589:d=5 hl=3 l= 160 cons: cont [ 0 ]
3592:d=6 hl=2 l= 24 cons: SEQUENCE
3594:d=7 hl=2 l= 9 prim: OBJECT :contentType
3605:d=7 hl=2 l= 11 cons: SET
3607:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
3618:d=6 hl=2 l= 47 cons: SEQUENCE
3620:d=7 hl=2 l= 9 prim: OBJECT :messageDigest
3631:d=7 hl=2 l= 34 cons: SET
3633:d=8 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:AB66B49FBBC6F1A3B69A52E4018D530264E6C906C49F8059D28A79D1245E325D
3667:d=6 hl=2 l= 55 cons: SEQUENCE
3669:d=7 hl=2 l= 11 prim: OBJECT :1.2.840.113549.1.9.16.2.47
3682:d=7 hl=2 l= 40 cons: SET
3684:d=8 hl=2 l= 38 cons: SEQUENCE
3686:d=9 hl=2 l= 36 cons: SEQUENCE
3688:d=10 hl=2 l= 34 cons: SEQUENCE
3690:d=11 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:A2F1F421DED9D9786E1113345D8DA5272D8B247C6F87AB5568D3D88F5ACC9B14
3724:d=6 hl=2 l= 26 cons: SEQUENCE
3726:d=7 hl=2 l= 9 prim: OBJECT :signingTime
3737:d=7 hl=2 l= 13 cons: SET
3739:d=8 hl=2 l= 11 prim: UTCTIME :2206031328Z
3752:d=5 hl=2 l= 13 cons: SEQUENCE
3754:d=6 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
3765:d=6 hl=2 l= 0 prim: NULL
3767:d=5 hl=4 l= 256 prim
4027:d=5 hl=4 l=6349 cons: cont [ 1 ]
4031:d=6 hl=4 l=3103 cons: SEQUENCE
4035:d=7 hl=2 l= 11 prim: OBJECT :id-smime-aa-timeStampToken
4048:d=7 hl=4 l=3086 cons: SET
4052:d=8 hl=4 l=3082 cons: SEQUENCE
4056:d=9 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
4067:d=9 hl=4 l=3067 cons: cont [ 0 ]
4071:d=10 hl=4 l=3063 cons: SEQUENCE
4075:d=11 hl=2 l= 1 prim: INTEGER :03
4078:d=11 hl=2 l= 13 cons: SET
4080:d=12 hl=2 l= 11 cons: SEQUENCE
4082:d=13 hl=2 l= 9 prim: OBJECT :sha256
4093:d=11 hl=4 l= 282 cons: SEQUENCE
4097:d=12 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo
4110:d=12 hl=4 l= 265 cons: cont [ 0 ]
4114:d=13 hl=4 l= 261 prim: OCTET STRING [HEX DUMP]:
4379:d=11 hl=4 l=1700 cons: cont [ 0 ]
4383:d=12 hl=4 l=1696 cons: SEQUENCE
4387:d=13 hl=4 l=1160 cons: SEQUENCE
4391:d=14 hl=2 l= 3 cons: cont [ 0 ]
4393:d=15 hl=2 l= 1 prim: INTEGER :02
4396:d=14 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
4418:d=14 hl=2 l= 13 cons: SEQUENCE
4420:d=15 hl=2 l= 9 prim: OBJECT :sha512WithRSAEncryption
4431:d=15 hl=2 l= 0 prim: NULL
4433:d=14 hl=2 l= 111 cons: SEQUENCE
4435:d=15 hl=2 l= 11 cons: SET
4437:d=16 hl=2 l= 9 cons: SEQUENCE
4439:d=17 hl=2 l= 3 prim: OBJECT :countryName
4444:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
4448:d=15 hl=2 l= 29 cons: SET
4450:d=16 hl=2 l= 27 cons: SEQUENCE
4452:d=17 hl=2 l= 3 prim: OBJECT :organizationName
4457:d=17 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
4479:d=15 hl=2 l= 38 cons: SET
4481:d=16 hl=2 l= 36 cons: SEQUENCE
4483:d=17 hl=2 l= 3 prim: OBJECT :commonName
4488:d=17 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
4519:d=15 hl=2 l= 25 cons: SET
4521:d=16 hl=2 l= 23 cons: SEQUENCE
4523:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
4528:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
4546:d=14 hl=2 l= 30 cons: SEQUENCE
4548:d=15 hl=2 l= 13 prim: UTCTIME :170315102318Z
4563:d=15 hl=2 l= 13 prim: UTCTIME :280315235959Z
4578:d=14 hl=2 l= 102 cons: SEQUENCE
4580:d=15 hl=2 l= 11 cons: SET
4582:d=16 hl=2 l= 9 cons: SEQUENCE
4584:d=17 hl=2 l= 3 prim: OBJECT :countryName
4589:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
4593:d=15 hl=2 l= 33 cons: SET
4595:d=16 hl=2 l= 31 cons: SEQUENCE
4597:d=17 hl=2 l= 3 prim: OBJECT :organizationName
4602:d=17 hl=2 l= 24 prim: UTF8STRING :Asseco Data Systems S.A.
4628:d=15 hl=2 l= 25 cons: SET
4630:d=16 hl=2 l= 23 cons: SEQUENCE
4632:d=17 hl=2 l= 3 prim: OBJECT :commonName
4637:d=17 hl=2 l= 16 prim: UTF8STRING :Certum QTST 2017
4655:d=15 hl=2 l= 25 cons: SET
4657:d=16 hl=2 l= 23 cons: SEQUENCE
4659:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
4664:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5170359458
4682:d=14 hl=4 l= 546 cons: SEQUENCE
4686:d=15 hl=2 l= 13 cons: SEQUENCE
4688:d=16 hl=2 l= 9 prim: OBJECT :rsaEncryption
4699:d=16 hl=2 l= 0 prim: NULL
4701:d=15 hl=4 l= 527 prim: BIT STRING
5232:d=14 hl=4 l= 315 cons: cont [ 3 ]
5236:d=15 hl=4 l= 311 cons: SEQUENCE
5240:d=16 hl=2 l= 22 cons: SEQUENCE
5242:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
5247:d=17 hl=2 l= 1 prim: BOOLEAN :255
5250:d=17 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B06010505070308
5264:d=16 hl=2 l= 12 cons: SEQUENCE
5266:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
5271:d=17 hl=2 l= 1 prim: BOOLEAN :255
5274:d=17 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
5278:d=16 hl=3 l= 172 cons: SEQUENCE
5281:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
5286:d=17 hl=3 l= 164 prim: OCTET STRING [HEX DUMP]:3081A1801429B3C8C4DFA387F866051258FD462AB8980D7987A173A471306F310B300906035504061302504C311D301B060355040A0C144E61726F646F77792042616E6B20506F6C736B693126302406035504030C1D4E61726F646F77652043656E7472756D20436572747966696B61636A693119301706035504610C10564154504C2D35323530303038313938821440F8F78AB0E364105691C8D9E02CF8C1C6400A46
5453:d=16 hl=2 l= 49 cons: SEQUENCE
5455:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies
5460:d=17 hl=2 l= 1 prim: BOOLEAN :255
5463:d=17 hl=2 l= 39 prim: OCTET STRING [HEX DUMP]:302530230604551D2000301B301906082B06010505070201160D7777772E6E63636572742E706C
5504:d=16 hl=2 l= 14 cons: SEQUENCE
5506:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
5511:d=17 hl=2 l= 1 prim: BOOLEAN :255
5514:d=17 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030206C0
5520:d=16 hl=2 l= 29 cons: SEQUENCE
5522:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
5527:d=17 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414B2BD12CB0781E27BA3B0611D4A4379A887F4D076
5551:d=13 hl=2 l= 13 cons: SEQUENCE
5553:d=14 hl=2 l= 9 prim: OBJECT :sha512WithRSAEncryption
5564:d=14 hl=2 l= 0 prim: NULL
5566:d=13 hl=4 l= 513 prim: BIT STRING
6083:d=11 hl=4 l=1051 cons: SET
6087:d=12 hl=4 l=1047 cons: SEQUENCE
6091:d=13 hl=2 l= 1 prim: INTEGER :01
6094:d=13 hl=3 l= 135 cons: SEQUENCE
6097:d=14 hl=2 l= 111 cons: SEQUENCE
6099:d=15 hl=2 l= 11 cons: SET
6101:d=16 hl=2 l= 9 cons: SEQUENCE
6103:d=17 hl=2 l= 3 prim: OBJECT :countryName
6108:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
6112:d=15 hl=2 l= 29 cons: SET
6114:d=16 hl=2 l= 27 cons: SEQUENCE
6116:d=17 hl=2 l= 3 prim: OBJECT :organizationName
6121:d=17 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
6143:d=15 hl=2 l= 38 cons: SET
6145:d=16 hl=2 l= 36 cons: SEQUENCE
6147:d=17 hl=2 l= 3 prim: OBJECT :commonName
6152:d=17 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
6183:d=15 hl=2 l= 25 cons: SET
6185:d=16 hl=2 l= 23 cons: SEQUENCE
6187:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
6192:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
6210:d=14 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
6232:d=13 hl=2 l= 13 cons: SEQUENCE
6234:d=14 hl=2 l= 9 prim: OBJECT :sha256
6245:d=14 hl=2 l= 0 prim: NULL
6247:d=13 hl=4 l= 356 cons: cont [ 0 ]
6251:d=14 hl=2 l= 26 cons: SEQUENCE
6253:d=15 hl=2 l= 9 prim: OBJECT :contentType
6264:d=15 hl=2 l= 13 cons: SET
6266:d=16 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo
6279:d=14 hl=2 l= 28 cons: SEQUENCE
6281:d=15 hl=2 l= 9 prim: OBJECT :signingTime
6292:d=15 hl=2 l= 15 cons: SET
6294:d=16 hl=2 l= 13 prim: UTCTIME :220603132832Z
6309:d=14 hl=2 l= 47 cons: SEQUENCE
6311:d=15 hl=2 l= 9 prim: OBJECT :messageDigest
6322:d=15 hl=2 l= 34 cons: SET
6324:d=16 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:2ABF6C698DCD284B060D2BE498A4144E9F42048F67589E74227D72075AF923C7
6358:d=14 hl=2 l= 55 cons: SEQUENCE
6360:d=15 hl=2 l= 11 prim: OBJECT :1.2.840.113549.1.9.16.2.47
6373:d=15 hl=2 l= 40 cons: SET
6375:d=16 hl=2 l= 38 cons: SEQUENCE
6377:d=17 hl=2 l= 36 cons: SEQUENCE
6379:d=18 hl=2 l= 34 cons: SEQUENCE
6381:d=19 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:673BE8A1DA927DB63CCAB7CB3E7AC352DC3AEB6A8DA3E2A359CA158D0A440DB8
6415:d=14 hl=3 l= 189 cons: SEQUENCE
6418:d=15 hl=2 l= 11 prim: OBJECT :id-smime-aa-signingCertificate
6431:d=15 hl=3 l= 173 cons: SET
6434:d=16 hl=3 l= 170 cons: SEQUENCE
6437:d=17 hl=3 l= 167 cons: SEQUENCE
6440:d=18 hl=3 l= 164 cons: SEQUENCE
6443:d=19 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:6E23CDB967F06D3FDA85316C5B47361CD55542AC
6465:d=19 hl=3 l= 139 cons: SEQUENCE
6468:d=20 hl=2 l= 115 cons: SEQUENCE
6470:d=21 hl=2 l= 113 cons: cont [ 4 ]
6472:d=22 hl=2 l= 111 cons: SEQUENCE
6474:d=23 hl=2 l= 11 cons: SET
6476:d=24 hl=2 l= 9 cons: SEQUENCE
6478:d=25 hl=2 l= 3 prim: OBJECT :countryName
6483:d=25 hl=2 l= 2 prim: PRINTABLESTRING :PL
6487:d=23 hl=2 l= 29 cons: SET
6489:d=24 hl=2 l= 27 cons: SEQUENCE
6491:d=25 hl=2 l= 3 prim: OBJECT :organizationName
6496:d=25 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
6518:d=23 hl=2 l= 38 cons: SET
6520:d=24 hl=2 l= 36 cons: SEQUENCE
6522:d=25 hl=2 l= 3 prim: OBJECT :commonName
6527:d=25 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
6558:d=23 hl=2 l= 25 cons: SET
6560:d=24 hl=2 l= 23 cons: SEQUENCE
6562:d=25 hl=2 l= 3 prim: OBJECT :2.5.4.97
6567:d=25 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
6585:d=20 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
6607:d=13 hl=2 l= 13 cons: SEQUENCE
6609:d=14 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
6620:d=14 hl=2 l= 0 prim: NULL
6622:d=13 hl=4 l= 512 prim: OCTET STRING [HEX DUMP]:9D82002012068C5AFCEE96E9609AE5204A5641947E46A84A57EAC5F29F30868B54F61CA652ABAE8582CF08853672E05F309EDBF0DFDC2632AE2B8318BEF6AAA2EAEB49456CEE5919FA38EA59F9965E5F2BAEEAA48C219A69B220B5555F47B2DB2BE4B545304CDD186224E564AF8AF7FA9860C003BDE432932436757CF0E901BF54E2B7EABE45B1D8D1E930CA16092AC5E778BE7DC5CB6289FF33979E93F7DA8943D11F4AA1DC4C911FEB6F53C597200EB5BAE9B28D6F6C947ECCD7D2FE3C9AAD5B753274AC2E7244852733F23D604F3A3C036750191C7CF2270AF9A172FE4E76623C54C249D4563CF91C61E0C90C62AEA720E117B2DF917F5C8219705A0F9F2B6AE17141014E313F9ACFE41D995F50C6F963C8E13F86ABA747B5A924512A875BB8C13568371C78601E4F52260C15FE26D21B10E6BCCC4666C54F6EB6F40FC2C166F7449EB7EADB0B4A8F3E3D5B1BA9C6F8BDA99051DC6DCA1E3B20D774113022118056B93A9BEFDB57A83CC2A64B31C24C4E29C549DFA968970541CF62A495372CB2C617D7FF4F1D692CB846C6BC65C12143005EF6C81C6986AB69BB5F21E4DE99AC229FE375ED3A93422F73108FF4E0FFD86E8214613301803FC555420DEB83FF402BA15FEA692AD186B1B664E42440B5FBF8BCE904DDC1118B87BB1B4C89EB24FF15798392D5827FFC24E084006823EBCCDC8685CB943B5686421A61E737B3
7138:d=6 hl=4 l=3238 cons: SEQUENCE
7142:d=7 hl=2 l= 6 prim: OBJECT :0.4.0.1733.2.4
7150:d=7 hl=4 l=3226 cons: SET
7154:d=8 hl=4 l=3222 cons: SEQUENCE
7158:d=9 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
7169:d=9 hl=4 l=3207 cons: cont [ 0 ]
7173:d=10 hl=4 l=3203 cons: SEQUENCE
7177:d=11 hl=2 l= 1 prim: INTEGER :03
7180:d=11 hl=2 l= 13 cons: SET
7182:d=12 hl=2 l= 11 cons: SEQUENCE
7184:d=13 hl=2 l= 9 prim: OBJECT :sha256
7195:d=11 hl=4 l= 282 cons: SEQUENCE
7199:d=12 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo
7212:d=12 hl=4 l= 265 cons: cont [ 0 ]
7216:d=13 hl=4 l= 261 prim: OCTET STRING [HEX DUMP]:
7481:d=11 hl=4 l=1700 cons: cont [ 0 ]
7485:d=12 hl=4 l=1696 cons: SEQUENCE
7489:d=13 hl=4 l=1160 cons: SEQUENCE
7493:d=14 hl=2 l= 3 cons: cont [ 0 ]
7495:d=15 hl=2 l= 1 prim: INTEGER :02
7498:d=14 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
7520:d=14 hl=2 l= 13 cons: SEQUENCE
7522:d=15 hl=2 l= 9 prim: OBJECT :sha512WithRSAEncryption
7533:d=15 hl=2 l= 0 prim: NULL
7535:d=14 hl=2 l= 111 cons: SEQUENCE
7537:d=15 hl=2 l= 11 cons: SET
7539:d=16 hl=2 l= 9 cons: SEQUENCE
7541:d=17 hl=2 l= 3 prim: OBJECT :countryName
7546:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
7550:d=15 hl=2 l= 29 cons: SET
7552:d=16 hl=2 l= 27 cons: SEQUENCE
7554:d=17 hl=2 l= 3 prim: OBJECT :organizationName
7559:d=17 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
7581:d=15 hl=2 l= 38 cons: SET
7583:d=16 hl=2 l= 36 cons: SEQUENCE
7585:d=17 hl=2 l= 3 prim: OBJECT :commonName
7590:d=17 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
7621:d=15 hl=2 l= 25 cons: SET
7623:d=16 hl=2 l= 23 cons: SEQUENCE
7625:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
7630:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
7648:d=14 hl=2 l= 30 cons: SEQUENCE
7650:d=15 hl=2 l= 13 prim: UTCTIME :170315102318Z
7665:d=15 hl=2 l= 13 prim: UTCTIME :280315235959Z
7680:d=14 hl=2 l= 102 cons: SEQUENCE
7682:d=15 hl=2 l= 11 cons: SET
7684:d=16 hl=2 l= 9 cons: SEQUENCE
7686:d=17 hl=2 l= 3 prim: OBJECT :countryName
7691:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
7695:d=15 hl=2 l= 33 cons: SET
7697:d=16 hl=2 l= 31 cons: SEQUENCE
7699:d=17 hl=2 l= 3 prim: OBJECT :organizationName
7704:d=17 hl=2 l= 24 prim: UTF8STRING :Asseco Data Systems S.A.
7730:d=15 hl=2 l= 25 cons: SET
7732:d=16 hl=2 l= 23 cons: SEQUENCE
7734:d=17 hl=2 l= 3 prim: OBJECT :commonName
7739:d=17 hl=2 l= 16 prim: UTF8STRING :Certum QTST 2017
7757:d=15 hl=2 l= 25 cons: SET
7759:d=16 hl=2 l= 23 cons: SEQUENCE
7761:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
7766:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5170359458
7784:d=14 hl=4 l= 546 cons: SEQUENCE
7788:d=15 hl=2 l= 13 cons: SEQUENCE
7790:d=16 hl=2 l= 9 prim: OBJECT :rsaEncryption
7801:d=16 hl=2 l= 0 prim: NULL
7803:d=15 hl=4 l= 527 prim: BIT STRING
8334:d=14 hl=4 l= 315 cons: cont [ 3 ]
8338:d=15 hl=4 l= 311 cons: SEQUENCE
8342:d=16 hl=2 l= 22 cons: SEQUENCE
8344:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
8349:d=17 hl=2 l= 1 prim: BOOLEAN :255
8352:d=17 hl=2 l= 12 prim: OCTET STRING [HEX DUMP]:300A06082B06010505070308
8366:d=16 hl=2 l= 12 cons: SEQUENCE
8368:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
8373:d=17 hl=2 l= 1 prim: BOOLEAN :255
8376:d=17 hl=2 l= 2 prim: OCTET STRING [HEX DUMP]:3000
8380:d=16 hl=3 l= 172 cons: SEQUENCE
8383:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
8388:d=17 hl=3 l= 164 prim: OCTET STRING [HEX DUMP]:3081A1801429B3C8C4DFA387F866051258FD462AB8980D7987A173A471306F310B300906035504061302504C311D301B060355040A0C144E61726F646F77792042616E6B20506F6C736B693126302406035504030C1D4E61726F646F77652043656E7472756D20436572747966696B61636A693119301706035504610C10564154504C2D35323530303038313938821440F8F78AB0E364105691C8D9E02CF8C1C6400A46
8555:d=16 hl=2 l= 49 cons: SEQUENCE
8557:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies
8562:d=17 hl=2 l= 1 prim: BOOLEAN :255
8565:d=17 hl=2 l= 39 prim: OCTET STRING [HEX DUMP]:302530230604551D2000301B301906082B06010505070201160D7777772E6E63636572742E706C
8606:d=16 hl=2 l= 14 cons: SEQUENCE
8608:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
8613:d=17 hl=2 l= 1 prim: BOOLEAN :255
8616:d=17 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030206C0
8622:d=16 hl=2 l= 29 cons: SEQUENCE
8624:d=17 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
8629:d=17 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414B2BD12CB0781E27BA3B0611D4A4379A887F4D076
8653:d=13 hl=2 l= 13 cons: SEQUENCE
8655:d=14 hl=2 l= 9 prim: OBJECT :sha512WithRSAEncryption
8666:d=14 hl=2 l= 0 prim: NULL
8668:d=13 hl=4 l= 513 prim: BIT STRING
9185:d=11 hl=4 l=1191 cons: SET
9189:d=12 hl=4 l=1187 cons: SEQUENCE
9193:d=13 hl=2 l= 1 prim: INTEGER :01
9196:d=13 hl=3 l= 135 cons: SEQUENCE
9199:d=14 hl=2 l= 111 cons: SEQUENCE
9201:d=15 hl=2 l= 11 cons: SET
9203:d=16 hl=2 l= 9 cons: SEQUENCE
9205:d=17 hl=2 l= 3 prim: OBJECT :countryName
9210:d=17 hl=2 l= 2 prim: PRINTABLESTRING :PL
9214:d=15 hl=2 l= 29 cons: SET
9216:d=16 hl=2 l= 27 cons: SEQUENCE
9218:d=17 hl=2 l= 3 prim: OBJECT :organizationName
9223:d=17 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
9245:d=15 hl=2 l= 38 cons: SET
9247:d=16 hl=2 l= 36 cons: SEQUENCE
9249:d=17 hl=2 l= 3 prim: OBJECT :commonName
9254:d=17 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
9285:d=15 hl=2 l= 25 cons: SET
9287:d=16 hl=2 l= 23 cons: SEQUENCE
9289:d=17 hl=2 l= 3 prim: OBJECT :2.5.4.97
9294:d=17 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
9312:d=14 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
9334:d=13 hl=2 l= 13 cons: SEQUENCE
9336:d=14 hl=2 l= 9 prim: OBJECT :sha256
9347:d=14 hl=2 l= 0 prim: NULL
9349:d=13 hl=4 l= 356 cons: cont [ 0 ]
9353:d=14 hl=2 l= 26 cons: SEQUENCE
9355:d=15 hl=2 l= 9 prim: OBJECT :contentType
9366:d=15 hl=2 l= 13 cons: SET
9368:d=16 hl=2 l= 11 prim: OBJECT :id-smime-ct-TSTInfo
9381:d=14 hl=2 l= 28 cons: SEQUENCE
9383:d=15 hl=2 l= 9 prim: OBJECT :signingTime
9394:d=15 hl=2 l= 15 cons: SET
9396:d=16 hl=2 l= 13 prim: UTCTIME :220603132832Z
9411:d=14 hl=2 l= 47 cons: SEQUENCE
9413:d=15 hl=2 l= 9 prim: OBJECT :messageDigest
9424:d=15 hl=2 l= 34 cons: SET
9426:d=16 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:9CC19DC5360E7182C878E44C3B6A79FBEF819961AD8F8D852DBD4AA925503258
9460:d=14 hl=2 l= 55 cons: SEQUENCE
9462:d=15 hl=2 l= 11 prim: OBJECT :1.2.840.113549.1.9.16.2.47
9475:d=15 hl=2 l= 40 cons: SET
9477:d=16 hl=2 l= 38 cons: SEQUENCE
9479:d=17 hl=2 l= 36 cons: SEQUENCE
9481:d=18 hl=2 l= 34 cons: SEQUENCE
9483:d=19 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:673BE8A1DA927DB63CCAB7CB3E7AC352DC3AEB6A8DA3E2A359CA158D0A440DB8
9517:d=14 hl=3 l= 189 cons: SEQUENCE
9520:d=15 hl=2 l= 11 prim: OBJECT :id-smime-aa-signingCertificate
9533:d=15 hl=3 l= 173 cons: SET
9536:d=16 hl=3 l= 170 cons: SEQUENCE
9539:d=17 hl=3 l= 167 cons: SEQUENCE
9542:d=18 hl=3 l= 164 cons: SEQUENCE
9545:d=19 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:6E23CDB967F06D3FDA85316C5B47361CD55542AC
9567:d=19 hl=3 l= 139 cons: SEQUENCE
9570:d=20 hl=2 l= 115 cons: SEQUENCE
9572:d=21 hl=2 l= 113 cons: cont [ 4 ]
9574:d=22 hl=2 l= 111 cons: SEQUENCE
9576:d=23 hl=2 l= 11 cons: SET
9578:d=24 hl=2 l= 9 cons: SEQUENCE
9580:d=25 hl=2 l= 3 prim: OBJECT :countryName
9585:d=25 hl=2 l= 2 prim: PRINTABLESTRING :PL
9589:d=23 hl=2 l= 29 cons: SET
9591:d=24 hl=2 l= 27 cons: SEQUENCE
9593:d=25 hl=2 l= 3 prim: OBJECT :organizationName
9598:d=25 hl=2 l= 20 prim: UTF8STRING :Narodowy Bank Polski
9620:d=23 hl=2 l= 38 cons: SET
9622:d=24 hl=2 l= 36 cons: SEQUENCE
9624:d=25 hl=2 l= 3 prim: OBJECT :commonName
9629:d=25 hl=2 l= 29 prim: UTF8STRING :Narodowe Centrum Certyfikacji
9660:d=23 hl=2 l= 25 cons: SET
9662:d=24 hl=2 l= 23 cons: SEQUENCE
9664:d=25 hl=2 l= 3 prim: OBJECT :2.5.4.97
9669:d=25 hl=2 l= 16 prim: UTF8STRING :VATPL-5250008198
9687:d=20 hl=2 l= 20 prim: INTEGER :1193735F17C17E144D3F928F619BBFD5027DB1E9
9709:d=13 hl=2 l= 13 cons: SEQUENCE
9711:d=14 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
9722:d=14 hl=2 l= 0 prim: NULL
9724:d=13 hl=4 l= 512 prim: OCTET STRING [HEX DUMP]:2FA7848088B2C73BB0E2D89DCD51875A2E195DA21A19A33C6443872DC725480F7616744CA2197FBDBD84135998C37FB4D53A8CC0BF03E9D4A881EC6C47B752CF6596E458610E8D646385100BC3C01565D7EC7A1B4C818EC4DE459F98DB0490D631C220CF041999F2D76D09C19429E85919363787A25590052124CFF2974CD2019071915EEA1D3D2FF62C1EC5B7EEE97CCFDEAF8F1C2E4E14C50F29C774B5F2A2B832F13BC3A27D8F28772945D3CFD7B20C6948B2B67ABA92AE8E9CE72D52529881727B27D1F7B1404E7D7AD0F30E50894C35189E22C708394FBED6B4DDD2FEFCDEEC099814673D291E643EF0682FC21485040C4BF02B9F846B63CB7DA691537FC35B29A1E645A2BB15F90857AA39CE33271305B5B1B0B2ED5CE6D0962EC5121D94E1051677C7FE68EAA54C46C3BFBE05BEB0868EA833CEE1FB583888B5F6E8335F423A54BAD4B621C183C67B33623BCFEFFB00E258434987CC4279889C6778A3FDDC2CEAD316793CD85F93B5A782EC4F2DA0F8F7126F6B8AA8D3F8DEF367F7C4C476C0DC9720B3C0BA82BF72B8D82214D2F51BE285E7D77B1E940D0CD128105B2B1E3A9C1176F548CDA46EA0EF49669B9338A6524E3F35BF9F9650418BF0937AD6651E20D003FD40808B993FFE830077DC74D28F9D087EECD7C88063CEA66F3A7B6E36D9FDB76181322622FD8177214AF57C09C360CFC91BAF8A8BC662E93AF7
10240:d=13 hl=3 l= 137 cons: cont [ 1 ]
10243:d=14 hl=3 l= 134 cons: SEQUENCE
10246:d=15 hl=2 l= 7 prim: OBJECT :0.4.0.19122.1.5
10255:d=15 hl=2 l= 123 cons: SET
10257:d=16 hl=2 l= 121 cons: SEQUENCE
10259:d=17 hl=2 l= 11 cons: SEQUENCE
10261:d=18 hl=2 l= 9 prim: OBJECT :sha256
10272:d=17 hl=2 l= 68 cons: SEQUENCE
10274:d=18 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:A2F1F421DED9D9786E1113345D8DA5272D8B247C6F87AB5568D3D88F5ACC9B14
10308:d=18 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:18E09DAD90ADFF8E86BB286CED830265228D99EF55EC95F591BC44CB5799E19C
10342:d=17 hl=2 l= 0 cons: SEQUENCE
10344:d=17 hl=2 l= 34 cons: SEQUENCE
10346:d=18 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:F7F16BB6C200530F8C5C8AB5B90A3774BD0FB343F07373A7F404ED589274DBD0
What has been signed (the transaction details) and the information related to the user certificate are contained in the CMS output. For more information regarding CMS, have a look at RFC 5652.
Details of the certificate issued by RCDevs CA on the WebADM backend:
- Qualified Transaction Signing: This integration can be deployed for corporate signatories only. It allows collaborators to submit transaction requests to anybody who is part of the company. This kind of transaction requires a qualified signature/seal creation device (QSCD) like electronic ID cards, passports… from the signatories. Please refer to the European Commission website for more information about QSCD. The transaction will then be signed by the user's QSCD. The signing and login certificates of the QSCD can be stored on the LDAP user account for login purposes in other integrations.
4.2 Electronic Signature
- Standard Signature: This integration can be deployed for corporate signatories. The user must have registered a Token on his LDAP account and his mobile beforehand. A manual signature and paraphs can alternatively be requested; in that case the user will be prompted to draw his signature and paraphs on his mobile after reviewing the document. This metadata will be added to the final document by RCDevs microservices. This kind of signature method can be used to meet the Simple Electronic Signature level of the European Commission regulation (it is even much more secure than what the European Commission qualifies as “Simple Signature”).
Below is a document signed in Standard mode.
Here, you can see that the paraphs have been added at the bottom of the first page.
At the top, you can find the watermark, which includes the VAT number of the company.
RCDevs provides the seal functionality in Signature processes in order to prevent document alteration after signature.
- Advanced signature: This integration can be deployed for corporate and external signatories. Corporate signatories (users who are part of the LDAP backends connected to your OpenOTP suite) can use WebADM or corporate user certificates (WebADM can be configured as a standalone CA or as a subordinate CA of your existing enterprise CA). External users will use certificates issued by RCDevs root CA through the YumiSign platform. Signatures involving users who are not part of your LDAP servers will always require YumiSign as a bridge between your integrations and the signatories. Technically, this level of signature is equivalent to a Qualified signature in terms of cryptographic operations. The difference is that an Advanced Signature does not use a Qualified Signature/Seal Creation Device; it uses a company user certificate or a certificate issued by RCDevs root CA. If the user does not have a certificate issued by WebADM PKI or RCDevs root CA registered on his mobile for signing purposes, then during the first Advanced Signature request sent to that user, he will be prompted on his mobile to create a new certificate (user-friendly CSR prompt). The CSR and the key will be generated on the mobile based on information provided by the WebADM PKI service (RSignd). Once generated, the CSR will be sent to your WebADM PKI service (Rsignd) and signed by the WebADM CA or by RCDevs Root CA according to the chosen scope. The certificate will then be sent back to the mobile and registered in the SQL database of WebADM. The certificate will be stored on the mobile. The document will then be signed with the freshly generated key, which never leaves the mobile, and sent back to the OpenOTP/YumiSign backend once the signature is completed. Certificates issued by WebADM for signing purposes are valid for 1 month. After 1 month, the certificate expires and needs to be renewed. This is done automatically. Certificates issued on mobiles can be revoked at any time through WebADM Admin GUI > Databases > Client, Server and Mobile Certificates.
Below is a document signed with a corporate-issued certificate (SignScope = Local):
Below is the certificate issued for that user in the Client, Server and Mobile Certificates database:
Below is a document signed by a certificate issued by RCDevs Root CA (SignScope = Global):
- Qualified Signatures: This integration can be deployed for corporate and external signatories. It allows collaborators to submit signature requests for any document to anybody who is part of the company, or to involve external signatories through the YumiSign platform. It requires a qualified signature/seal creation device (QSCD) like electronic ID cards, passports… from the signatories. Please refer to the European Commission website for more information about QSCD.
The certificate used for the signature can optionally be registered on the user account for login purposes in other integrations.
Below is an example of a Qualified signed document.
Other options provided by RCDevs using RCDevs cloud services are:
- Timestamping: RCDevs provides timestamping functionality. In every signature workflow that includes a document and involves RCDevs micro-services, a timestamp is applied to the document which is signed and prepared by RCDevs micro-services. The timestamping of documents is done with a Certum QTST 2017 Certificate, which can be viewed in Adobe Reader. Trusted timestamping is the process of securely keeping track of the creation and modification time of a document. The owner of the document should not be able to change it once it has been recorded.

- Seal: RCDevs provides electronic sealing functionality. A seal is a stamp linked to a legal person such as a firm. It guarantees the identity of the issuer and the integrity of the document. Sealing performed by RCDevs is done with a Seal certificate issued by the RCDevs Certificate Authority. You need to trust the RCDevs CA certificate in order to see the seal without any trust issue in Adobe Reader (green status). If you do not trust it, the seal will appear in orange in Adobe Reader.

5. Issued Identities Trusts and Know Your Customer (KYC)
There are different levels of trust according to the kind of signature you are going to implement/use, because different third parties can be involved. As you have probably understood, digital certificates can be issued by your organization CA (WebADM CA/SignScope=local), by RCDevs Root CA (SignScope=Global) and by public CAs issuing QSCD identities.
5.1 Simple signature Trust
For mobile, no user certificate is involved in the signature processes. When a document is attached to the request, a handwritten signature and optionally paraphs (when the document contains multiple pages) are requested from the signatory when the signature request is prompted on their mobile. The paraphs and handwritten signature are afterwards added to the document (if any) by RCDevs Micro Services. Once the handwritten signature and paraphs have been added, a seal is applied by RCDevs with a Seal certificate issued by RCDevs CA. In that scenario, RCDevs CA needs to be trusted.
Then, a timestamp is applied by RCDevs Micro Services with a Certum timestamping certificate.
5.2 Advanced signature Trust
If the SignScope is Global, then identities are issued by RCDevs Root CA. From RCDevs' point of view, an issued certificate is always linked to a company. Information about the company, such as its VAT number, will always be attached to every certificate issued for users of that company in order to identify the user and the company. The KYC of the company is done by RCDevs each time a new customer chooses RCDevs solutions. A dedicated page will be available soon to explain how new customers are onboarded by RCDevs, describing the company identity validation process performed by RCDevs.
5.3 Qualified signature Trust
If the SignScope is eidas, then you have to trust the public CAs that issue QSCD identities. It is the highest level of trust and this method must be used for any legal document. The KYC here is achieved by public CAs, governments, QSCD issuers.
6. Signatures and Transactions Requests Delivery methods
With RCDevs solutions, the end users' mobiles are the key point for achieving an electronic signature or transaction. We moved this feature to the mobiles because phones go with your users wherever they are. That way they can sign any document at any time from anywhere with their mobile and the OpenOTP Token application, without logging in to a third-party system to review and sign a document. The user's mobile must be linked to the user account beforehand through a Token enrollment. This is the RCDevs philosophy applied to the electronic signature world. Request delivery is therefore linked to an OATH Token registered on the user account and mobile.
RCDevs provides 2 different ways to deliver a signature/transaction request which needs to be signed or approved:
- By a push notification: With this method, the user is notified instantly when a transaction or signature request is pending, by receiving a push notification on his mobile. Once the request has arrived on the mobile, the user can press the notification and the signature workflow then starts from the end-user/signatory perspective. Documents attached to a signature request do not transit in the push notification. The Push request received is a signature ticket which refers to a transaction on the OpenOTP backend. The OpenOTP Token application will then contact the Mobile Endpoint URL of your WebADM/OpenOTP infrastructure and fetch the document.
- By scanning a QRCode: With this method, the signing request/transaction is fetched by scanning a transaction QRCode with OpenOTP Token. Only the user for whom the signature transaction QRCode has been generated can scan the QRCode with his mobile and fetch the signature request from the server. All exchanges between the OpenOTP backend and OpenOTP Token applications are signed in both directions. If the signature does not match on either side, the transaction cannot be decrypted or processed.
Both methods are very secure and rely in the background on OTP validations and asymmetric encryption/decryption to process any request. On top of that, each exchange between OpenOTP backends and mobiles is signed. If one condition is not met, the request cannot be processed or completed.
In both scenarios, when a document is attached, it is downloaded to the mobile from your OpenOTP backend. Documents never transit through push notifications.
These 2 delivery methods can be synchronous or asynchronous.
The difference between synchronous and asynchronous delivery is that, in synchronous mode, the third-party system that triggered the signature request actively waits for the response of the signatory. In asynchronous mode, the third-party system (initiator of the signature request) regularly polls the status of pending transactions on the backend. Once the transaction is done on the backend, the third-party system is notified and the workflow can continue from the third-party system's perspective.
In synchronous mode, the third-party system that initiated the signature request actively waits for the end of the transaction it initiated. The maximum timeout of synchronous requests is 5 minutes. This mode is more relevant for short-lived transactions such as a payment, a secure approval to access a resource, or the immediate signature of a document which has already been reviewed. Once the 5-minute timeout is exceeded, the transaction is cancelled on the backend and the initiator of the signature request is notified. If you choose this method, please configure the timeout of third-party integrations accordingly.
The asynchronous mode is the preferred one for document signing and long-running transactions. The third-party system that initiated the signature/transaction request does not actively wait for the response. Instead, a record is maintained and the third-party system regularly polls the OpenOTP signature system to be notified when a transaction has been completed by the user. When the third-party system is notified that a transaction/signature process is done, it asks the signature system to return the data related to that transaction/signature (the signed document/transaction). The maximum timeout of asynchronous requests is up to 30 days. Once the timeout is exceeded, the transaction is cancelled and the initiator of the signature request is notified.
Signature/Transaction requests are stored in the Redis database of WebADM.
If you clear the WebADM Session Data from WebADM GUI > Admin tab, all pending transaction/signature requests will be destroyed on the backend and will not be recoverable!
7. API Methods
7.1 API Settings description
Below are descriptions of the parameters of the different methods and their possible values:
7.1.3 Requests parameters
- username: To which user you want to send the signature request. Can be a username, UPN, email address according to your WebADM configuration.
- domain: WebADM domain name where the user/signatory must be searched.
- recipient: email address of an external user where YumiSign platform will be involved.
- data: Can contain a description of the upcoming operation, displayed to the user on the mobile.
- file: Base64 encoding of the file to be signed.
- mode: auto, CaDES, PaDES or XaDES (beta).
- async: true or false -> asynchronous or synchronous request.
- settings: e.g. CaDESMode=embedded or CaDESMode=detached.
- issuer: Who issued the signature request.
- client: Who triggered the signature request.
- source: User IP, which can be retrieved and passed to the API.
- setting: Can be used to drive the API calls on the fly and change various settings. E.g.: CaDESMode=embedded
- virtual: Allows overriding a user attribute value with another. E.g.: mail=user_other_mail@mail.com.
- qrFormat: Format of the QRCode containing the request. Can be PNG or JPEG.
- qrSizing: Defines the size of the generated QRCode. Default value is 5.
- qrMargin: Defines the size of the QRCode margin. Default value is 3.
- addCert: 1, 2 or 3.
1 = Register the signing certificate only. When a signing certificate is used or generated through the OpenOTP Token application, it will be registered on the LDAP user account in the userCertificate attribute. That certificate will be flagged by the OpenOTP backend as a signing certificate in WebADM User Data and will afterwards be required for the next signature requests. (Applicable to Advanced and Qualified Signature.)
2 = Register the login certificate. This is useful for PKI logins. You can register the authentication certificate of an electronic ID card, for example, to use it for login purposes in other integrations.
3 = Register the signing and login certificates. Many signature devices like electronic ID cards come with 2 certificates. One is for signature purposes and the other for authentication.
For signature or PKI authentication to work with the OpenOTP suite, the user certificate must be set on the user account in your LDAP backend and must be valid. We provide an easy way to achieve the certificate enrollment by driving it through the API. By default, 1 will be requested. Also note that the Certificate Authorities that issued the user signing certificate must be trusted by OpenOTP. To check or add a CA trust, log in to your WebADM Admin portal and click Admin tab > Trusted CA Certificates. Import the CA certificate(s) you need for signing, or trust the public eIDAS list fetched from RCDevs cloud services on your OpenOTP backend. That way, you limit the perimeter of allowed certificates/countries used for signature purposes.
- timeout: Define the timeout of the confirm/signature requests. For async=true, max value is 5min. For async=false, the maximum value is 1 month.
- scan: Triggers the user's camera to take a picture of him before he confirms/signs the request/document.
- form: Attaches an HTML form which must be completed by the user before he can continue the confirm/signature workflow. The form responses are returned in the response.
7.1.2 Responses parameters
- session: ID of a session started on the backend.
- sendPush: True or False. Send a push or not.
- code: Status code returned for a request. 0=error, 1=success, 2=session started and pending.
- error: Details of the error, if any.
- message: Details of the code returned.
- comment: If the request is refused by the user, a reject message can be requested from the end user and the response is returned in that parameter.
- file: Return the signed file in base64 binary.
- jsonData: Return the jsonData of pending transactions.
- cert: Return the certificate which has been used for signature purposes.
7.2 Standard Signature/Transactions approval (PSD2)
Transactional confirmation (PSD2) and mobile signature use the same OpenOTP API methods.
The difference between the two is whether or not a document is attached to the request.
If a document is attached, then you enter the mobile signature scenario.
If no document is attached, then you enter the Transactions approval (PSD2) scenario.
Below are the different API methods and an example.
7.2.1 Mobile signature methods
Mobile signature API methods are called CONFIRM and the related API methods are the following:
Build a mobile signature with the 2 following methods:
- openotpNormalConfirmRequest (Internal user signatory) :
<message name="openotpNormalConfirmRequest">
<part name="username" type="xsd:string"/>
<part name="domain" type="xsd:string"/>
<part name="data" type="xsd:string"/>
<part name="file" type="xsd:base64Binary"/>
<part name="form" type="xsd:base64Binary"/>
<part name="scan" type="xsd:boolean"/>
<part name="async" type="xsd:boolean"/>
<part name="timeout" type="xsd:integer"/>
<part name="issuer" type="xsd:string"/>
<part name="client" type="xsd:string"/>
<part name="source" type="xsd:string"/>
<part name="settings" type="xsd:string"/>
<part name="virtual" type="xsd:string"/>
</message>
- openotpExternConfirmRequest (External user signatory). This request requires YumiSign platform. Communications between OpenOTP and YumiSign require a YumiSign API key that must be configured under OpenOTP configuration.
<message name="openotpExternConfirmRequest">
<part name="recipient" type="xsd:string"/>
<part name="file" type="xsd:base64Binary"/>
<part name="scan" type="xsd:boolean"/>
<part name="async" type="xsd:boolean"/>
<part name="timeout" type="xsd:integer"/>
<part name="issuer" type="xsd:string"/>
<part name="client" type="xsd:string"/>
<part name="source" type="xsd:string"/>
<part name="settings" type="xsd:string"/>
</message>
Method used for the response to the 2 previous methods:
- openotpConfirmResponse (response to the previous request; that kind of request is done by the mobile to OpenOTP):
<message name="openotpConfirmResponse">
<part name="code" type="xsd:integer"/>
<part name="error" type="xsd:string"/>
<part name="message" type="xsd:string"/>
<part name="session" type="xsd:string"/>
<part name="timeout" type="xsd:integer"/>
<part name="comment" type="xsd:string"/>
<part name="file" type="xsd:base64Binary"/>
<part name="form" type="xsd:base64Binary"/>
</message>
- openotpCheckConfirmRequest
In order to check the status of a confirmation request, a Check method is available. You can check the status of any transaction by providing the session ID returned in the API response for the transaction whose result you are looking for.
<message name="openotpCheckConfirmRequest">
<part name="session" type="xsd:string"/>
</message>
- openotpOfflineConfirmRequest
This method generates a QRCode for an associated transaction and is only available for corporate usage. It is not available for external signatories because for the external signatory, the signature workflow will be initiated on YumiSign and the signatory will have the choice to receive the transaction/signature request by Push notification or by QRCode through YumiSign.
<message name="openotpConfirmQRCodeRequest">
<part name="username" type="xsd:string"/>
<part name="domain" type="xsd:string"/>
<part name="data" type="xsd:string"/>
<part name="file" type="xsd:base64Binary"/>
<part name="form" type="xsd:base64Binary"/>
<part name="scan" type="xsd:boolean"/>
<part name="async" type="xsd:boolean"/>
<part name="timeout" type="xsd:integer"/>
<part name="issuer" type="xsd:string"/>
<part name="client" type="xsd:string"/>
<part name="source" type="xsd:string"/>
<part name="settings" type="xsd:string"/>
<part name="qrFormat" type="xsd:string"/>
<part name="qrSizing" type="xsd:integer"/>
<part name="qrMargin" type="xsd:integer"/>
<part name="virtual" type="xsd:string"/>
</message>
- openotpConfirmQRCodeResponse
Returns information related to the previous request. The response is the following:
<message name="openotpConfirmQRCodeResponse">
<part name="code" type="xsd:integer"/>
<part name="error" type="xsd:string"/>
<part name="message" type="xsd:string"/>
<part name="session" type="xsd:string"/>
<part name="timeout" type="xsd:integer"/>
<part name="qrImage" type="xsd:base64Binary"/>
</message>
- openotpTouchConfirmRequest
This method can be used to re-send or convert (Push to QRCode or QRCode to Push) a request based on the session number:
- openotpTouchConfirmResponse
This provides the response to the previous request.
7.2.2 Transaction Confirmation/Mobile Signature example
7.2.2.1 Request
OpenOTP will build a transaction request based on information provided to the API.
The hash of this transaction will be calculated. A random nonce is generated per transaction and then added to the previous hash. We then have a “Hash Data” containing hashed Nonce and Data.
The next section shows an example of a transaction and the report generated by the system when the transaction has been completed by the end user.
Transaction request built through the OpenOTP signature tester:

7.2.2.2 Request prompted on the mobile
Below are the details and the mobile view of the transaction previously built and started:
Request approved by the user:
Response has been successfully submitted to the signature backend.
7.2.2.4 Cryptographic report of the transaction
Once the transaction has been completed successfully, a report of that transaction is generated by OpenOTP signature system. Below, the report details:
Secure Transaction
Started: 2022-02-10 16:51:55
Stopped: 2022-02-10 16:52:04
User DN: CN=John Doe,CN=Users,DC=support,DC=rcdevs,DC=com
User IP: 84.12.76.106
Client ID: RCBank
Client IP: 192.168.4.20
Hash Data: d5ec3a4660de1ebc429ed8f7f4e946e706b76cd3 (Nonce + Data)
OTP Token: Token #1 (TOTP)
OTP Algo: SHA1
OTP Key: 1015170774 (CRC32)
OTP Nonce: 46a4feffcad38af3c972521c4c3d0d61995e7d7a
OTP Result: 4660DE1E (OATH)
Transaction Details (Base64)
PGh0bWwgc3R5bGU9ImNvbG9yOndoaXRlIj4NCjxiPlBsZWFzZSwgY29uZmlybSBw
YXltZW50IG9uIFJDRGV2cyBzdG9yZTwvYj48YnI+DQo8YnI+DQpBY2NvdW50OiBM
VVhDRVlYMjM0ODdYWFhYWFhYWFhYWFg8YnI+DQpBbW91bnQ6IDQ5OTkuMzYgRXVy
b3M8YnI+DQo8L2h0bWw+
Details of data report:
Date of transaction start:
Started: 2022-02-10 16:51:55
Date of transaction stop:
Stopped: 2022-02-10 16:52:04
Who performed the transaction:
User DN: CN=John Doe,CN=Users,DC=support,DC=rcdevs,DC=com
User IP Address retrieved by a third party system:
User IP: 84.12.76.106
Client system identifier. Allows the WebADM administrator to identify which client system performed the signature request.
Client ID: RCBank
Client system IP which performed the confirmation request.
Client IP: 192.168.4.20
Concatenation of Nonce and data hashes.
Hash Data: d5ec3a4660de1ebc429ed8f7f4e946e706b76cd3 (Nonce + Data)
Token ID and type of OATH token used for that transaction.
OTP Token: Token #1 (TOTP)
OTP algorithm used for that transaction:
OTP Algo: SHA1
OTP key (CRC32) used for the transaction. (Hash of the real key)
OTP Key: 1015170774 (CRC32)
Nonce generated and used in Hash Data. Mandatory to make any transaction unique. Even if the “same” transaction is replayed on the server, the nonce will change.
OTP Nonce: 46a4feffcad38af3c972521c4c3d0d61995e7d7a
Important to verify the transaction afterward.
OTP Result: 4660DE1E (OATH)
Base64 encoding of the content sent by the API client in the data parameter, as retrieved by OpenOTP.
Transaction Details (Base64)
PGh0bWwgc3R5bGU9ImNvbG9yOndoaXRlIj4NCjxiPlBsZWFzZSwgY29uZmlybSBw
YXltZW50IG9uIFJDRGV2cyBzdG9yZTwvYj48YnI+DQo8YnI+DQpBY2NvdW50OiBM
VVhDRVlYMjM0ODdYWFhYWFhYWFhYWFg8YnI+DQpBbW91bnQ6IDQ5OTkuMzYgRXVy
b3M8YnI+DQo8L2h0bWw+
7.2.2.5 Report validation
The following PHP algorithm allows you to verify the cryptographic report generated by the signature system. To check a report, you need to provide 3 input data:
- the base64_decode value: it refers to the Transaction Details.
- the nonce value: it refers to the OTP Nonce value.
- the key value: it refers to the user TokenKey value available in the WebADM user’s data on the user account:
If the input data is correct and has not been altered, the algorithm should return the OTP Result available in the transaction details. If it returns the same value, then everything is correct.
<?php
// Inputs copied from the report: Transaction Details (Base64), OTP Nonce,
// and the user's TokenKey from the WebADM user data.
$data = base64_decode("PGh0bWwgc3R5bGU9ImNvbG9yOndoaXRlIj4NCjxiPlBsZWFzZSwgY29uZmlybSBw
YXltZW50IG9uIFJDRGV2cyBzdG9yZTwvYj48YnI+DQo8YnI+DQpBY2NvdW50OiBM
VVhDRVlYMjM0ODdYWFhYWFhYWFhYWFg8YnI+DQpBbW91bnQ6IDQ5OTkuMzYgRXVy
b3M8YnI+DQo8L2h0bWw+");
$nonce = hex2bin("46a4feffcad38af3c972521c4c3d0d61995e7d7a");
$key = hex2bin("3b552d82189668c37621eb5ae7dd7db28e4a21a6");
echo push_check_otp($nonce.$data, $key);

// $xxx is the nonce followed by the transaction data; $key is the binary token key.
function push_check_otp ($xxx, $key) {
    if (strlen($xxx) < 20 || $key == NULL) return -1;
    // The key length selects the HMAC algorithm
    switch (strlen($key)) {
        case 32:
            $algo = 'SHA256';
            break;
        case 64:
            $algo = 'SHA512';
            break;
        default:
            $algo = 'SHA1';
            break;
    }
    // HMAC
    if (!$hash = hash_hmac($algo, $xxx, $key)) return -1;
    // convert the hex digest to an array of byte values
    $hmac_result = array();
    foreach (str_split($hash, 2) as $hex) $hmac_result[] = hexdec($hex);
    // find offset: low 4 bits of the last byte of the HMAC
    if ($algo == 'SHA1') $offset = $hmac_result[19] & 0xf;
    elseif ($algo == 'SHA256') $offset = $hmac_result[31] & 0xf;
    elseif ($algo == 'SHA512') $offset = $hmac_result[63] & 0xf;
    else return -1;
    // algorithm from RFC: take 4 bytes at the offset and clear the top bit
    $otp = ((($hmac_result[$offset] & 0x7f) << 24) |
        (($hmac_result[$offset+1] & 0xff) << 16) |
        (($hmac_result[$offset+2] & 0xff) << 8) |
        ($hmac_result[$offset+3] & 0xff));
    // return the value as 8 hexadecimal digits
    $otp = strval(base_convert($otp, 10, 16));
    $otp = str_pad($otp, 8, '0', STR_PAD_LEFT);
    return $otp;
}
Result returned:
[root@webadm1 ~]# php confirmation_validator.php
4660de1e
[root@webadm1 ~]#
It is a match.
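The same check can be run directly on the report text, which is useful when auditing stored reports in bulk. The following is an added example, not RCDevs code: it assumes the report layout shown in section 7.2.2.4 and that Hash Data is the full HMAC that the PHP function truncates (the sample report is consistent with this, since truncating its Hash Data yields its OTP Result). The function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Report text copied from section 7.2.2.4 of this page.
SAMPLE_REPORT = """\
Secure Transaction
Started: 2022-02-10 16:51:55
Stopped: 2022-02-10 16:52:04
User DN: CN=John Doe,CN=Users,DC=support,DC=rcdevs,DC=com
User IP: 84.12.76.106
Client ID: RCBank
Client IP: 192.168.4.20
Hash Data: d5ec3a4660de1ebc429ed8f7f4e946e706b76cd3 (Nonce + Data)
OTP Token: Token #1 (TOTP)
OTP Algo: SHA1
OTP Key: 1015170774 (CRC32)
OTP Nonce: 46a4feffcad38af3c972521c4c3d0d61995e7d7a
OTP Result: 4660DE1E (OATH)
Transaction Details (Base64)
PGh0bWwgc3R5bGU9ImNvbG9yOndoaXRlIj4NCjxiPlBsZWFzZSwgY29uZmlybSBw
YXltZW50IG9uIFJDRGV2cyBzdG9yZTwvYj48YnI+DQo8YnI+DQpBY2NvdW50OiBM
VVhDRVlYMjM0ODdYWFhYWFhYWFhYWFg8YnI+DQpBbW91bnQ6IDQ5OTkuMzYgRXVy
b3M8YnI+DQo8L2h0bWw+
"""


def parse_report(text):
    """Return ({field name: value}, decoded transaction details)."""
    head, _, b64 = text.partition("Transaction Details (Base64)")
    fields = {}
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    # Non-strict decoding skips the line breaks inside the Base64 block.
    return fields, base64.b64decode(b64)


def dynamic_truncate(mac):
    """RFC 4226 dynamic truncation, as 8 hex digits like the PHP function."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value:08x}"


def transaction_otp(nonce, data, key):
    """Port of push_check_otp(): HMAC over nonce || data, digest by key length."""
    if len(nonce) + len(data) < 20 or not key:
        raise ValueError("input too short or empty key")
    digest = {32: hashlib.sha256, 64: hashlib.sha512}.get(len(key), hashlib.sha1)
    mac = hmac.new(key, nonce + data, digest).digest()
    return mac, dynamic_truncate(mac)


def verify_report(text, key_hex):
    """Recompute the report's values from its own nonce and details."""
    fields, details = parse_report(text)
    nonce = bytes.fromhex(fields["OTP Nonce"])
    reported_mac = bytes.fromhex(fields["Hash Data"].split()[0])
    reported_otp = fields["OTP Result"].split()[0].lower()
    mac, otp = transaction_otp(nonce, details, bytes.fromhex(key_hex))
    return {
        # Needs no key: do the two reported values agree with each other?
        "report_self_consistent": dynamic_truncate(reported_mac) == reported_otp,
        # Need the TokenKey: were details or nonce altered after signing?
        "hash_data_matches": hmac.compare_digest(mac, reported_mac),
        "otp_matches": hmac.compare_digest(otp, reported_otp),
    }


if __name__ == "__main__":
    # TokenKey value taken from the PHP snippet on this page.
    print(verify_report(SAMPLE_REPORT, "3b552d82189668c37621eb5ae7dd7db28e4a21a6"))
    print(parse_report(SAMPLE_REPORT)[1].decode())
```

The self-consistency check needs no secret and catches reports whose Hash Data or OTP Result were edited; only the keyed checks prove that the transaction details are the ones the token approved.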
If a document is attached to the request, then the document will be displayed on the user's mobile. The final document can optionally be prepared by RCDevs micro-services in order to add the handwritten signature, paraphs, timestamp and document seal.
7.3 Advanced and Qualified Signatures
Advanced and Qualified signatures use the same API methods, described below. Whether an Advanced signature or a Qualified signature is requested depends on an OpenOTP SOAP setting named "Signature Validity scope (SignScope)". That setting can be controlled by the client system sending the signature request to the OpenOTP SOAP API, or by client policy, and can have 3 values:
- Local: Advanced signature with user certificates issued by internal WebADM CA. This should be used for internal signatories.
- Global: Advanced signature with user certificates issued by RCDevs Root CA. This should be used when external users are involved in a signature workflow with Yumisign.
- eIDAS: Qualified signature with external eIDAS signing devices (ex. eID Cards).
The SignScope must be passed in the settings parameter of the SOAP request, as in the example below:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:openotp">
<soapenv:Header/>
<soapenv:Body>
<urn:openotpNormalSign>
<username>John</username>
<domain>support</domain>
<data>Payement approval requested for 9999,99€
Please, sign the following contract with your electronic ID card.
</data>
<file>XXXXXXXXXXXXXX</file>
<mode>cades</mode>
<async>true</async>
<timeout>2000000</timeout>
<issuer>Bank XXXX</issuer>
<client>RCDevs online store</client>
<source>x.x.x.x</source>
<settings>SignScope=eIDAS</settings>
<virtual></virtual>
<addCert>1</addCert>
</urn:openotpNormalSign>
</soapenv:Body>
</soapenv:Envelope>
This results in the following logs on the backend:
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] New openotpNormalSign SOAP request
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Username: john
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Domain: support
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Client ID: RCDevs online store
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Source IP: x.x.x.x
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Settings: SignScope=eIDAS
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Data: 127 Bytes
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > File: 1130303 Bytes
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Add Cert: Yes
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Async Mode: Yes
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Mode: CADES
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Timeout: 2000000
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] > Issuer: Bank XXXX
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Enforcing client policy: RCDevs online store (matched client ID)
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Registered openotpNormalSign request
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Resolved LDAP user: CN=yoann traut,OU=SUPAdmins,DC=support,DC=rcdevs,DC=com (cached)
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Resolved LDAP groups: otp,wifi_users (cached)
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Resolved source location: US
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found user language: EN
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found 1 user mobiles: +33 658506140
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found 1 user emails: john@xxx.com
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found 26 user settings: MaxTries=3,BlockNotify=MAIL,ExpireNotify=MAIL,GeoFence=Yes,MobileTimeout=30,EnableConfirm=Yes,ChallengeTimeout=90,SelfRegister=Yes,PasswordReset=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,RejectComment=Yes,FileUpload=Yes,ConfirmOffline=Yes,SignVerify=No,SignScope=Local,CaDESMode=Embedded
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found 5 user data: TokenType,TokenKey,TokenState,TokenID,TokenSerial
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Found 1 registered OTP token (TOTP)
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Signature session required
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Sent push notification for token #1 (session e0AwDDtHqGcFLEn9)
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Started Push signature session of ID e0AwDDtHqGcFLEn9 valid for 2000000 seconds
[2022-05-30 18:42:39] [10.2.3.3:62199] [OpenOTP:CUCX30IC] Sent pending session response
7.3.1 Corporate Signatories requests
7.3.1.1 Push Delivery
Allows you to submit a signature request through a push notification.
<message name="openotpNormalSignRequest">
<part name="username" type="xsd:string"/>
<part name="domain" type="xsd:string"/>
<part name="data" type="xsd:string"/>
<part name="file" type="xsd:base64Binary"/>
<part name="mode" type="xsd:string"/>
<part name="async" type="xsd:boolean"/>
<part name="timeout" type="xsd:integer"/>
<part name="issuer" type="xsd:string"/>
<part name="client" type="xsd:string"/>
<part name="source" type="xsd:string"/>
<part name="settings" type="xsd:string"/>
<part name="virtual" type="xsd:string"/>
<part name="addCert" type="xsd:integer"/>
</message>
7.3.1.2 QRCode delivery
Allows you to submit a signature request through a QRCode.
<message name="openotpSignQRCodeRequest">
<part name="username" type="xsd:string"/>
<part name="domain" type="xsd:string"/>
<part name="data" type="xsd:string"/>
<part name="file" type="xsd:base64Binary"/>
<part name="mode" type="xsd:string"/>
<part name="async" type="xsd:boolean"/>
<part name="timeout" type="xsd:integer"/>
<part name="issuer" type="xsd:string"/>
<part name="client" type="xsd:string"/>
<part name="source" type="xsd:string"/>
<part name="settings" type="xsd:string"/>
<part name="qrFormat" type="xsd:string"/>
<part name="qrSizing" type="xsd:integer"/>
<part name="qrMargin" type="xsd:integer"/>
<part name="virtual" type="xsd:string"/>
<part name="addCert" type="xsd:boolean"/>
</message>
7.3.2 External Signatories request
Allows you to involve an external signatory through YumiSign.
<message name="openotpExternSignRequest">
<part name="recipient" type="xsd:string"/>
<part name="file" type="xsd:base64Binary"/>
<part name="mode" type="xsd:string"/>
<part name="async" type="xsd:boolean"/>
<part name="timeout" type="xsd:integer"/>
<part name="issuer" type="xsd:string"/>
<part name="client" type="xsd:string"/>
<part name="source" type="xsd:string"/>
<part name="settings" type="xsd:string"/>
</message>
7.3.3 Signature Response
<message name="openotpSignResponse">
<part name="code" type="xsd:integer"/>
<part name="error" type="xsd:string"/>
<part name="message" type="xsd:string"/>
<part name="session" type="xsd:string"/>
<part name="timeout" type="xsd:integer"/>
<part name="comment" type="xsd:string"/>
<part name="file" type="xsd:base64Binary"/>
<part name="cert" type="xsd:base64Binary"/>
</message>
7.4 Relaunch transaction/signature invitation
For asynchronous transactions, it is possible to relaunch a transaction/signing request based on the transaction session’s ID. If you perform this call to resend a push, a new push notification is sent to the user’s phone. It also allows you to generate the QRCode related to a specific transaction if you want to fall back to the QRCode method once the transaction flow has already started. The QRCode can afterwards be provided to the concerned user.
7.4.1 Request
<message name="openotpTouchConfirmRequest">
<part name="session" type="xsd:string"/>
<part name="sendPush" type="xsd:boolean"/>
<part name="qrFormat" type="xsd:string"/>
<part name="qrSizing" type="xsd:integer"/>
<part name="qrMargin" type="xsd:integer"/>
</message>
7.4.2 Response
<message name="openotpTouchConfirmResponse">
<part name="code" type="xsd:integer"/>
<part name="error" type="xsd:string"/>
<part name="message" type="xsd:string"/>
<part name="timeout" type="xsd:integer"/>
<part name="qrImage" type="xsd:base64Binary"/>
</message>
7.5 Sealing
Allows you to seal a document.
7.5.1 Request
<message name="openotpSealRequest">
<part name="file" type="xsd:base64Binary"/>
<part name="mode" type="xsd:string"/>
<part name="client" type="xsd:string"/>
<part name="source" type="xsd:string"/>
<part name="settings" type="xsd:string"/>
</message>
7.5.2 Response
<message name="openotpSealResponse">
<part name="code" type="xsd:integer"/>
<part name="error" type="xsd:string"/>
<part name="message" type="xsd:string"/>
<part name="file" type="xsd:base64Binary"/>
</message>
7.6 List requests
Allows you to list all pending (confirmation and sign) requests.
7.6.1 Request
<message name="openotpListRequest" />
7.6.2 Response
<message name="openotpListResponse">
<part name="code" type="xsd:string"/>
<part name="error" type="xsd:string"/>
<part name="message" type="xsd:string"/>
<part name="jsonData" type="tns:string"/>
</message>
8. OpenOTP Signature server configuration
There are only a few settings under the OpenOTP configuration which allow you to customize your signature and confirmation workflow. The settings and their explanations are listed below:
- Offline confirmation: Only usable for Advanced signatures;
- Reject comment: Ask the signatory to provide a comment if he rejects the signature request. The reject comment prompt appears on the mobile after clicking the Reject button when the signature request is received on the mobile.
- Upload Signed Files: The signed file is uploaded afterwards to its original location (share, redis, Couchbase…)
- Qualified Signature check: The device used to sign must be issued by an eIDAS/EUTL trusted identity provider. If not, the signature is rejected.
- Require Trusted Certificate: If enabled, the certificate used for signature purposes must be registered on the user account. Enrollment of the user certificate can be requested from the user through the API, and the certificate is automatically enrolled on the user account if requested. Registered signing certificates are stored on the user account in the attribute used for WebADM data storage.
- Qualified CaDES mode: Embedded or Detached. Please refer to the European regulation for more information regarding CaDES modes.
- YumiSign API Key: Required to involve external signatories.
That is all for the OpenOTP Signature settings; most settings are controlled by the requests performed to the API.
9. End-users enrollments needed to achieve a signature
In every scenario, a Push Token needs to be registered on the user’s account and mobile with the OpenOTP Token application.
9.1 Mobile signatures
For mobile signatures, only a Push Token needs to be registered on the user’s account and mobile.
9.2 Advanced Signatures
For Advanced Signatures, a Push Token and a user certificate are involved in the signature process. If the user does not have any certificate registered on his LDAP account and mobile which can be used for this purpose, then during the first Advanced Signature request, he will be prompted on his mobile to create one (user-friendly CSR prompt). The CSR will be sent to your WebADM Rsignd service (PKI service) and signed by the WebADM CA. That certificate will then be sent back to the mobile and registered on the user’s LDAP account. The document will then be signed with the freshly generated key, which never leaves the mobile, and sent back to the OpenOTP/YumiSign backend once the signature is completed. Below are a few screenshots of the automatic certificate enrollment when no certificate is registered in the OpenOTP Token application:
Signature request prompted on the mobile:
Document attached to the request prompted on the mobile:
No certificate registered on the mobile, user is prompted to generate one:
The user must click on the Generate button; the CSR is then submitted to your WebADM-RSignd service.

Document signed and submitted to the backend.

The certificate is generated for a short period. When the certificate expires, it is automatically renewed. The mobile certificates are stored in the SQL database. You can access the certificates database through WebADM Admin portal > Databases tab > Client, Server and Mobile Certificates menu.
9.3 Qualified Signatures
When a qualified signature is requested, the user must use a QSCD device to perform the signature. The user will be invited on his mobile to plug in a card reader in order to insert his eID card. RCDevs also provides the possibility to use NFC, which does not require any external reader. In that case, the user will be prompted to hold his eID card close to the NFC reader of his phone.
See below, screenshots from the mobile application for a qualified signature:
Signature request prompted on the mobile:
Document attached to the request prompted on the mobile:
User is prompted to plug his eID reader on the phone:
Reader is detected, user is invited to insert his electronic ID card in the reader:

Once the card is inserted, it is read by the OpenOTP Token application and the user is prompted to provide the PIN code protecting the electronic ID card:
The eID card is unlocked, and the signing certificate is used to sign the document attached to the request. Once the document is signed on the mobile, it is sent to the OpenOTP backend for certificate revocation checks. The QSCD validity is checked by the OpenOTP backend with the revocation methods provided in the certificate used for the signature (OCSP/CRL checks). Once the validity checks have passed successfully, the document is finalized and ready to be returned to the third-party system. If the OCSP/CRL checks fail, the signed document is rejected and dropped, and the transaction is terminated on the backend.
Signature submitted to the backend:
WebADM administrators control which QSCDs are allowed. This is done by trusting the CA certificate of the QSCD certificate issuer. From the WebADM admin GUI, click the Admin tab, then Trusted CA certificates:

If the CA that issued the QSCD certificate is not in the trusted list, the signature process will fail. RCDevs micro-services maintain the public CA certificates list, where each CA certificate can be installed manually or fetched automatically when a CA certificate has expired and needs to be renewed.
10. Integration examples
10.1 Postfix Milter
With this mail integration, RCDevs covers the corporate scenarios described in part 2 of this documentation. External signatories cannot be involved through this integration for security reasons.
User accounts must be activated in WebADM and must have a push token registered on their account.
If your mail domain is company.com, then the postfix server that will run the RCDevs scripts to trigger the signature workflow can be configured with an MX domain such as sign.company.com.
The postfix milter parses the email addresses and the subject of emails received on the sign.company.com MX domain. Based on the information configured on the postfix server, the milter detects the pattern added to the email address (in our example it is sign), which indicates that the email is a signature request; the real user’s email address is the address without the pattern configured in the milter configuration. It then sends the signature request and the document to the OpenOTP servers.
The workflow of that integration is the following:
Consider rcdevs.com as the main MX domain. The postfix server is configured with the RCDevs milter and a second MX domain: sign.rcdevs.com
- Send an email to user@sign.rcdevs.com containing the document that needs to be signed.
- The email arrives on the postfix server.
- The email is parsed by the RCDevs postfix milter in order to:
  - Identify the sender;
  - Identify the recipient;
  - Identify the level of signature requested (advanced or qualified);
- The signature request is built (according to the information retrieved from the email) by the RCDevs postfix scripts and submitted to the OpenOTP server.
- The OpenOTP server notifies the user by mail that a signature request is pending, and the push request is submitted to the user’s phone. A QRCode of the transaction is attached to the mail in order to fetch the pending transaction in case the notification has not been received or is no longer available on the mobile.
- The user now has to press the push notification received or scan the QRCode attached to the email with the OpenOTP Token application.
- The signature request is now prompted on the user’s phone through OpenOTP Token.
- The user reviews the document he is going to sign on his mobile and, once the document is reviewed, he can sign it.
- Once the signature is done, the document is prepared by RCDevs micro-services. Timestamping and seals are applied to the document once the signature has been done.
- Once the document is signed, timestamped and sealed, it is sent to the original sender.
10.1.1 Submit a document for signature to yourself
Submitting a document for signature to yourself is very simple once this integration is configured. The process is the same as explained before, but instead of sending a signature request to someone else, you just send the request to self@sign.rcdevs.com. The postfix milter will then parse the mail request, identify the sender of that mail and submit the request to the sender (you).
10.1.2 Submit a document for signature to an internal collaborator
Submitting a document for signature to a collaborator is very simple once this integration is configured.
The process is the same as explained before, but instead of sending a signature request to yourself, you send the request to that user’s email address using the sign MX domain configured. For example, to send a signature request to the user john.doe@rcdevs.com, you just have to attach the document to your email and send the email to john.doe@sign.rcdevs.com. The email will be relayed to the postfix milter servers and parsed. The postfix milter will prepare the signature request and submit it to OpenOTP. The signature workflow is started, and the sender and recipient(s) are notified. Once the signature process is completed by the recipient, the signed document is sent back to the different signatories.
10.1.3 Level of signature requested
The level of signature requested must be put in the email subject field. You have the choice between:
- Standard,
- Advanced,
- Qualified
In advanced mode, local scope or global scope is under the control of the WebADM Administrator.
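The parsing steps described in section 10.1, as an added example (not RCDevs' milter code): it maps addresses on the sign MX domain back to corporate addresses, resolves self@ to the sender, and reads the signature level from the subject. The function names, the sender-domain check and the one-attachment rule are assumptions of this sketch; the From header is taken as-is, so a deployment would authenticate the sender before relying on it.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

SIGN_DOMAIN = "sign.rcdevs.com"  # second MX domain from the page's example
MAIL_DOMAIN = "rcdevs.com"       # main MX domain from the page's example
LEVELS = ("standard", "advanced", "qualified")  # section 10.1.3


def sample_mail(to="john.doe@sign.rcdevs.com", subject="Advanced"):
    """Constructed sample message with one attached document."""
    m = EmailMessage()
    m["From"] = "Alice <alice@rcdevs.com>"
    m["To"] = to
    m["Subject"] = subject
    m.set_content("Please sign the attached document.")
    m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                     subtype="pdf", filename="contract.pdf")
    return m.as_string()


def parse_sign_mail(raw):
    """Return sender, signatories, level and document, or raise ValueError."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    # Assumption of this sketch: only corporate senders may start a workflow.
    if not sender.endswith("@" + MAIL_DOMAIN):
        raise ValueError("sender is outside the corporate mail domain")

    signatories = []
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    for _, addr in getaddresses([str(h) for h in headers]):
        local, _, domain = addr.lower().rpartition("@")
        # Exact domain match, so look-alike domains are ignored.
        if domain != SIGN_DOMAIN or not local:
            continue
        # self@ targets the sender; otherwise strip the sign pattern.
        real = sender if local == "self" else f"{local}@{MAIL_DOMAIN}"
        if real not in signatories:
            signatories.append(real)
    if not signatories:
        raise ValueError("no recipient on the signature MX domain")

    words = [w.strip(",.:;") for w in str(msg["Subject"] or "").lower().split()]
    level = next((w for w in words if w in LEVELS), None)
    if level is None:
        raise ValueError("subject does not name a signature level")

    docs = [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()]
    if len(docs) != 1:
        raise ValueError("expected exactly one attached document")
    return {"sender": sender, "signatories": signatories, "level": level,
            "filename": docs[0][0], "document": docs[0][1]}
```

Because every signatory is rebuilt on the corporate mail domain, an address outside the company can never come out of this step, which matches the corporate-only scope of the mail integration.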
10.2 RCDevs Plugins
RCDevs develops and provides multiple signature integration plugins for different products. We started with Nextcloud and Sharepoint, and we will continue with Git, CRMs and more… Do not hesitate to tell us which signature plugins you need, so that we can move development forward and prioritize the ones needed first.
10.2.1 Nextcloud
Nextcloud signature integration is covered by a plugin installable on Nextcloud servers. All Nextcloud servers that are part of the same cluster must have the plugin installed and configured. Have a look at the Nextcloud Integration documentation.
10.2.2 Sharepoint
Plugin under development.
10.2.3 Signature portal
RCDevs is also developing an easy-to-use end-user web application portal, like the other web applications provided by RCDevs and hosted on the WebADM backend (selfdesk, selfreg…), but dedicated to electronic signatures for your end-users. From that portal, corporate users will be able to send signature requests to anybody who is part of the company, but also to external users by involving YumiSign. That portal is not downloadable at the moment as it is under development.
10.3 Custom integrations
Custom integrations offer very high flexibility in signature workflows and processing. They are achieved through API calls and API piloting. Integration and configuration can be complex; do not hesitate to contact the RCDevs Service team for that kind of integration.
10.4 SelfDesk Integration (Self Signature only)
The Self-Service Desk application allows you to submit a document for signature to yourself. Have a look at the Self-Service Desk documentation for more information.