Features description

An overview of the capabilities of the QES application

QES application

Available at:

EN TL and QES Applications (gov.sk)
SK https://qes.webnode.sk/ and Aplikácie TL a QES (gov.sk)

Program QES

The application QES.zip v.1.0.0.xx (32-bit, SHA-256, zip, 3.7 MB) / QES64.zip v.1.0.0.xx (64-bit, SHA-512, zip, 4.6 MB) has been developed by an officer of the National Security Authority (NSA) for use by the supervisory body in its supervisory tasks. The application is provided free of charge to anybody, especially to public sector bodies that must fulfil the obligations of Articles 27(3) and 37(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (eIDAS).

The application QES.zip can be used for timestamping and for signature or seal creation in accordance with Commission Implementing Decision (EU) 2015/1506 (PDF documents, *.* documents, EXE applications or any other type of document, especially in ASiC (ZIP) containers, which can also be nested). In accordance with Commission Implementing Decision (EU) 2015/1505, the application QES can be used for (beta) validation

  1. of qualified electronic signatures,
  2. of qualified electronic seals,
  3. of qualified electronic time-stamps, as well as
  4. for browsing ASiC and PDF containers, with the possibility to export and view the authorized documents (those covered by a signature or time-stamp) they contain.
  • This application can be used directly, without installation. After saving the application into a directory with write permission, it can be launched directly or through a shortcut created on the desktop.
  • To use a smart card (e.g. an eID card), insert it into the smart-card reader, click the button "Reconnect keys", select the smart card driver and enter the PIN. Then click the button "Save settings" to store the selected options.
  • If the list of documents contains more than one file, all files are signed separately; if the check box "ASiC-E" is checked, the files are instead stored in a ZIP file and signed with one signature (ASiC).
  • If the list of documents contains an ASiC (zip) container, double-clicking it opens the signature container browser, where further documents can be inserted, the order of the documents can be changed and an additional signature over all documents in the ASiC container can be created.
  • If the list of documents contains a PDF file (PDF container), double-clicking it opens the signature container browser, which shows the signed or timestamped PDF documents; the last signature or timestamp of the PDF document is used as its identifier (DSId). Each signature or timestamp protects all previous changes in the PDF (e.g. changed fields of a PDF form) and all previous signatures or timestamps of the PDF document.
  • If the list of documents contains documents signed separately, e.g. the list holds the file "figure.png" while the signature is stored in the file "figure.png.p7s" (the signature file itself is not in the list), then
  1. signing (click on the button "Add signature") stores a new signature in a new file if "figure.png.p7s" does not exist; otherwise the signature is added as a parallel signature to the file "figure.png.p7s"; and
  2. timestamping (click on the button "Add timestamp") includes only one timestamp, as a signature timestamp, in the file "figure.png.p7s"; if "figure.png.p7s" does not exist (the document is not signed), the timestamp is stored in the file "figure.png.tst", which is later included as a content timestamp in the new signature in the file "figure.png.p7s" or in an ASiC-S container.
  • If a container in the ZEPf (.ZEP) format containing the signature is opened in the application, saving it as ASiC-S is offered automatically. If a signed (.eml) document that was signed in (.ZEP) is opened, saving the enveloped document as an (.eml) file is offered.
  • When browsing an ASiC or PDF signature container, the application counts all signatures and time-stamps and displays their number. After the number of a signature or time-stamp is entered, the application marks the documents it signed or time-stamped, and the user can export them from the container for further use. Clicking the DSId button saves the identifier of the marked signature or time-stamp into the (*.PDF.DSId) or (*.ASiCE.DSId) file of the browsed container. The identifier in the (*.DSId) file can be sent together with the container file to a relying party, which then works only with the documents secured by that signature or time-stamp. Example of using the signature identifier to view the secured documents of a container from the command line:
  1. "QES.exe /p doc.pdf /DSId doc.pdf.DSId" or
  2. "QES.exe /a doc.asice /DSId doc.asice.DSId".
  • Beta validation has been implemented.

Requires: Windows

Mac OS X and Unix-like systems (Linux: Ubuntu, Debian, Red Hat, SUSE, Mandriva, Slackware; FreeBSD, PC-BSD; OpenSolaris, Solaris) can run it through, e.g., Wine, a free implementation of the Windows API on Unix (https://www.winehq.org/), or in a Windows virtual machine under VirtualBox (https://www.virtualbox.org/).

The QES application can also be used from the command line.

Command line usage: QES??.exe [inputFile]...[inputFile] [operation] [operationOutputOrInputFile] [operation] [operationOutputOrInputFile] [inputFile]...[inputFile] (where QES??.exe stands for QES.exe or QES64.exe)

The values of command line are processed according to the value of [operation]:

[-i] Install the QES application as the current user's default application for opening (file association of) ASiC files (*.asice, *.asics, *.sce, *.scs), *.zep files and *.p7m files.
[-u] Uninstall the QES application as the current user's default application for opening (file association of) ASiC files (*.asice, *.asics, *.sce, *.scs), *.zep files and *.p7m files.

[-v] Validation of the PDF [-p] or ASiC [-a] file, where the DSId [-DSId] is used to select a signature or a timestamp. The validation report is created and displayed in the QES application.

[-vf] Validation as described for [-v], with the validation report written to the file specified in operationOutputOrInputFile. The report is stored without being displayed, and the QES application closes after it has been created.

[-vfu] Validation as described for [-vf]; in addition, the CRL or OCSP responses used are stored in the PDF or ASiC (update). The QES application closes after the PDF or ASiC has been updated.

["*.QCFG"] If QES.EXE is given a single parameter, the name of a "*.QCFG" file (a renamed ZIP), the file is processed as follows:

- The root directory of "*.QCFG" can contain any files (*.*), containers (*.zip, *.pdf, *.asice, *.asics, *.scs, *.sce), signatures (*.p7s, *.p7m, *.pdf, *.xml), timestamps (*.tst) or one or more files with the identifier of the signature of a document (*.DSId).

- The directory "META-INF" may be included; it contains the configuration file "*.cfg", which has the same structure as defined for the switch [-c], except that the x of each "FILE=x" line holds only the file name (without path) of a file stored in the root directory of "*.QCFG".
- If the "META-INF" directory of "*.QCFG" contains a configuration file "*.cfg", the signature or timestamp is created and stored in the "*.QCFG" ZIP file.
- If no configuration file "*.cfg" is included in "META-INF", the first identifier of the signature of a document (*.DSId) is used to select the protected documents in the ASiC or PDF container, e.g. so that users can later export or view them.
- If errors arise while "*.QCFG" is processed, the size of the "*.QCFG" file is set to zero when the application exits; otherwise the content of the "*.QCFG" file is updated. A calling system should therefore treat a zero-length "*.QCFG" as a failed run.

[-a] The ASiC file is specified in operationOutputOrInputFile, e.g. when the application signs the input files into it or when it is used to view the list of documents stored in the ASiC.

[-p] The PDF file is specified in operationOutputOrInputFile, e.g. when the application is used to view the list of protected documents stored in the PDF file.

[-DSId] The DSId file is specified in operationOutputOrInputFile. The DSId selects a signature or timestamp, and thereby the signed or timestamped documents, when the application is used to view documents stored in an ASiC or PDF container.

[-r] Wildcards are expanded recursively when searching for input files.

[-c] A UTF-8 configuration file (*.txt) is specified in operationOutputOrInputFile. The user or a document management system creates the configuration file as defined in ISO 14533-4 for the PreservationIntegrityList.

The configuration file is used to download files and to upload the signatures of the signed files. It consists of one or more pairs of locations, each a local file path or an http/https address of a remote file. The first location of a pair is the signed document, the second is the signature of that document; this is how documents are exchanged with, e.g., a document management system.

The text of the PreservationIntegrityList consists of three kinds of consecutive text lines, each terminated by a single EOL marker: the mandatory "FILE=x", the mandatory "HASH=x" and the optional "NOTICE=x". In a "HASH=x" line, x is a Base64-encoded (IETF RFC 4648) DId. In a "NOTICE=x" line, x is a MIME Content-Type as defined in IETF RFC 2045.

If the "HASH=x" line of the signature file carries a value, the signature file is downloaded and used, e.g. for the creation of a parallel signature; otherwise x is an empty string and a new signature file is created.

If http/https is used, the file name is taken from the path of the http address or from the file name attribute of an http Content-Disposition header (where the "=?utf-8?b? ... ?=" encoding of the file name can be used); failing that, a temporary file name is created according to the Content-Type given in "NOTICE=x" or in the Content-Type of the received http header.

The format of the signature is selected according to the Content-Type specified in "NOTICE=x" of the signature file "FILE=x":

  • ASiC-S "NOTICE=Content-Type: application/vnd.etsi.asic-s+zip"

  • ASiC-E "NOTICE=Content-Type: application/vnd.etsi.asic-e+zip"

  • CMS AdES external "NOTICE=Content-Type: application/pkcs7-signature"

  • CMS AdES internal "NOTICE=Content-Type: application/pkcs7-mime"

  • PDF AdES "NOTICE=Content-Type: application/pdf"

  • XML AdES enveloped "NOTICE=Content-Type: application/xml"

  • Document timestamp "NOTICE=Content-Type: application/vnd.etsi.timestamp-token"; the kind of timestamp then depends on the extension of the signature file "FILE=x":

The timestamp is an ASiC timestamp if the signature file extension is one of the ASiC extensions.

The timestamp is a PDF document timestamp if the signature file extension is ".pdf".

In all other cases the timestamp is a document timestamp stored in "*.tst".

If a document management system is used, the fields DocMngSysWebURL (http address of the document management system) and DocMngURLErrorPut of the "QES.INI" file must be specified. The directory specified in DocMngSysDirectory holds the history of exchanged files, stored in separate directories, which can be deleted, e.g. by the document management system or by users.

For each new signature or document timestamp, its identifier is created in a file (*.DSId). If an http/https address is used for the signature file upload, a new parameter "&DSId=base64" is appended if the address already contains parameters. If the signature file location in the configuration file is a file path (not an http address), the DSId is uploaded under the signature file name with the additional extension ".DSId".
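As an added example (not code from the QES distribution), the following Python script implements the PreservationIntegrityList grammar described above: it reads the FILE=/HASH=/NOTICE= records strictly in that order, checks that HASH= is Base64, pairs the records as (document, signature), and selects the output format from the signature record's Content-Type, including the file-extension rule for timestamp tokens. The sample configuration, its HASH= values and the dms.example host are constructed for the demonstration.

```python
"""Parse a QES PreservationIntegrityList configuration file and pick the output format.

Added example, not part of QES.  The line grammar and the Content-Type -> format mapping
follow the page; the sample cfg, its HASH= values and the dms.example host are constructed.
"""
import base64
import binascii
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

ASIC_EXTENSIONS = {".asice", ".asics", ".sce", ".scs"}
TIMESTAMP_TYPE = "application/vnd.etsi.timestamp-token"
SIGNATURE_FORMATS = {
    "application/vnd.etsi.asic-s+zip": "ASiC-S",
    "application/vnd.etsi.asic-e+zip": "ASiC-E",
    "application/pkcs7-signature": "CMS AdES external (*.p7s)",
    "application/pkcs7-mime": "CMS AdES internal (*.p7m)",
    "application/pdf": "PDF AdES",
    "application/xml": "XML AdES enveloped",
}


@dataclass
class Entry:
    """One FILE= / HASH= / optional NOTICE= record."""
    file: str                     # local path or http/https URL
    hash_b64: str                 # Base64 DId; empty for a signature that does not exist yet
    notice: Optional[str] = None  # "Content-Type: type/subtype[; params]" (RFC 2045)

    @property
    def content_type(self) -> Optional[str]:
        if self.notice is None:
            return None
        value = self.notice.split(":", 1)[1] if ":" in self.notice else self.notice
        return value.split(";", 1)[0].strip().lower()

    @property
    def name(self) -> str:
        # For http/https locations the page takes the file name from the URL path.
        path = urlparse(self.file).path if "://" in self.file else self.file
        return os.path.basename(path)


def parse_pil(text: str) -> List[Entry]:
    """Strict reader: every record is FILE=, then HASH=, then an optional NOTICE= line."""
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    while lines and lines[-1] == "":          # tolerate the final EOL, nothing else
        lines.pop()
    entries: List[Entry] = []
    i = 0
    while i < len(lines):
        if not lines[i].startswith("FILE="):
            raise ValueError(f"line {i + 1}: expected FILE=, got {lines[i]!r}")
        file = lines[i][len("FILE="):]
        i += 1
        if i >= len(lines) or not lines[i].startswith("HASH="):
            raise ValueError(f"FILE={file}: mandatory HASH= line is missing")
        hash_b64 = lines[i][len("HASH="):]
        i += 1
        notice = None
        if i < len(lines) and lines[i].startswith("NOTICE="):
            notice = lines[i][len("NOTICE="):]
            i += 1
        try:
            base64.b64decode(hash_b64, validate=True)  # empty string decodes to b""
        except binascii.Error as exc:
            raise ValueError(f"FILE={file}: HASH= is not valid Base64") from exc
        entries.append(Entry(file, hash_b64, notice))
    if len(entries) % 2:
        raise ValueError("records must come in (document, signature) pairs")
    return entries


def pair_entries(entries: List[Entry]) -> List[Tuple[Entry, Entry]]:
    """First record of each pair is the signed document, the second its signature file."""
    return list(zip(entries[0::2], entries[1::2]))


def output_format(signature: Entry) -> str:
    """Signature/timestamp format selected from the signature record's NOTICE= Content-Type."""
    ctype = signature.content_type
    if ctype is None:
        raise ValueError(f"{signature.file}: signature record needs NOTICE=Content-Type")
    if ctype == TIMESTAMP_TYPE:               # kind of timestamp follows the file extension
        ext = os.path.splitext(signature.name)[1].lower()
        if ext in ASIC_EXTENSIONS:
            return "ASiC timestamp"
        if ext == ".pdf":
            return "PDF document timestamp"
        return "document timestamp (*.tst)"
    if ctype in SIGNATURE_FORMATS:
        return SIGNATURE_FORMATS[ctype]
    raise ValueError(f"{signature.file}: unsupported signature Content-Type {ctype!r}")


# Constructed sample: a PDF signed in place, a PNG with a detached CMS signature to be
# uploaded to a DMS URL, and an XML file to be time-stamped into an ASiC container.
SAMPLE_DID = base64.b64encode(bytes(range(32))).decode()   # placeholder DId, not a real one
SAMPLE_CFG = (
    f"FILE=contract.pdf\nHASH={SAMPLE_DID}\nNOTICE=Content-Type: application/pdf\n"
    "FILE=contract.pdf\nHASH=\nNOTICE=Content-Type: application/pdf\n"
    f"FILE=https://dms.example/files/figure.png\nHASH={SAMPLE_DID}\nNOTICE=Content-Type: image/png\n"
    "FILE=https://dms.example/upload/figure.png.p7s?token=abc\nHASH=\n"
    "NOTICE=Content-Type: application/pkcs7-signature\n"
    f"FILE=report.xml\nHASH={SAMPLE_DID}\n"
    "FILE=report.asice\nHASH=\nNOTICE=Content-Type: application/vnd.etsi.timestamp-token\n"
)

if __name__ == "__main__":
    for doc, sig in pair_entries(parse_pil(SAMPLE_CFG)):
        print(f"{doc.name:12} -> {sig.name:16} {output_format(sig)}")
```

The reader rejects blank lines and out-of-order records rather than guessing, because a document management system that emits a malformed list should fail loudly before anything is downloaded or uploaded; a signature record with an empty HASH= is the normal case for a signature that QES is about to create.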

[-w] The QES application can also be started in "Web Signer" mode, either by clicking the "Run Web Signer" button or from the command line with the "-w" parameter, e.g. "QES.EXE -W" at computer startup. A system that needs a signature or validation, e.g. a web page in the browser, connects to QES at the address https://localhost:8080 and sends via HTTP POST a "*.QCFG" file (a renamed ZIP) containing the documents to be signed and the directory "META-INF" with the configuration file "*.cfg" (UTF-8 text). The "*.cfg" file contains a list of pairs: the name of a document to be signed and the name of the file, with the type of signature, in which the signature will be stored.

On receiving the HTTP POST request, the QES application running as Web Signer displays the signing/validation request. When the "Add Signature..." button is pressed, it returns the signed files in the "*.QCFG" file as the response to the POST; for validation, the received "*.QCFG" file is returned after the QES application is closed. The web browser thus receives the "*.QCFG" file with the result of signing as the return value of the HTTP POST. When calling for validation (PDF and ASiC formats only), e.g. by resending the "*.QCFG" file after signing, only one file (*.DSId) identifying the signature to be validated should remain in the QCFG; if the QCFG contains several (*.DSId) files, only one of them is used. See clause 3.3 of ISO 14533-4:2019(en), Processes, data elements and documents in commerce, industry and administration - Long term signature profiles - Part 4: Attributes pointing to (external) proof of existence objects used in long term signature formats (PoEAttributes).

If signing or validation terminates prematurely, QES reports this in the HTTP status of the POST response. The requesting system therefore receives either a "*.QCFG" containing the signed files or, in case of an error, a zero-size "*.QCFG" file and one of the following HTTP statuses:

404: 'Not Found' - the file could not be sent

408: 'Request Time-out' - the signer did not sign within the specified time (10 min)

412: 'Precondition Failed' - the signing did not take place, either because of a mistake by the signer or because the application was closed without signing.
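The following Python client is an added example, not part of QES, covering both the "*.QCFG" layout described under ["*.QCFG"] and the Web Signer exchange above: it assembles a QCFG (documents in the ZIP root, the cfg under META-INF), checks the constraints the page states for it, POSTs it to https://localhost:8080 and maps the answer onto the outcomes listed above. The cfg file name sign.cfg, the application/zip request Content-Type, HTTP 200 for a successful answer, the client's trust in the Web Signer's TLS certificate and the sample document are assumptions or constructed for the demo.

```python
"""Build a *.QCFG request for the QES Web Signer and interpret its HTTP answer.

Added example, not QES's own code.  The address https://localhost:8080, the META-INF/*.cfg
layout, the zero-size-on-error rule and the 404/408/412 statuses come from the page; the
cfg name "sign.cfg", the application/zip request Content-Type, HTTP 200 on success and the
sample document are assumptions or constructed for this demo.
"""
import base64
import io
import zipfile
from typing import Dict, Iterable, List, Tuple
from urllib.error import HTTPError
from urllib.request import Request, urlopen

WEB_SIGNER_URL = "https://localhost:8080"
CFG_NAME = "META-INF/sign.cfg"        # any *.cfg under META-INF; this name is an assumption
SIGNER_TIMEOUT_S = 10 * 60            # the Web Signer answers 408 after 10 minutes

ERROR_STATUS = {                      # each error answer comes with a zero-size *.QCFG body
    404: "Not Found: the file could not be sent",
    408: "Request Time-out: the signer did not sign within 10 min",
    412: "Precondition Failed: signing did not take place",
}


def make_cfg(pairs: Iterable[Tuple[str, str, str, str, str]]) -> str:
    """pairs = (document, document DId base64, document Content-Type,
                signature file, signature Content-Type).
    Names are bare file names because they refer to the QCFG root; HASH= of a new signature
    is empty, as the page specifies."""
    lines: List[str] = []
    for doc, doc_did, doc_ct, sig, sig_ct in pairs:
        lines += [f"FILE={doc}", f"HASH={doc_did}", f"NOTICE=Content-Type: {doc_ct}",
                  f"FILE={sig}", "HASH=", f"NOTICE=Content-Type: {sig_ct}"]
    return "\n".join(lines) + "\n"


def build_qcfg(documents: Dict[str, bytes], cfg: str) -> bytes:
    """Documents in the ZIP root, configuration under META-INF/; a QCFG is a renamed ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in documents.items():
            zf.writestr(name, data)
        zf.writestr(CFG_NAME, cfg.encode("utf-8"))
    return buf.getvalue()


def check_qcfg(qcfg: bytes) -> List[str]:
    """Problems that would make QES reject or misread the request; an empty list means OK."""
    problems: List[str] = []
    with zipfile.ZipFile(io.BytesIO(qcfg)) as zf:
        names = zf.namelist()
        root = {n for n in names if "/" not in n}
        cfgs = [n for n in names if n.startswith("META-INF/") and n.lower().endswith(".cfg")]
        if len(cfgs) != 1:
            return [f"expected one META-INF/*.cfg, found {len(cfgs)}"]
        files = [ln[5:] for ln in zf.read(cfgs[0]).decode("utf-8").splitlines()
                 if ln.startswith("FILE=")]
        for idx, name in enumerate(files):
            if "/" in name or "\\" in name:
                problems.append(f"FILE={name}: only a bare file name is allowed in a QCFG")
            elif idx % 2 == 0 and name not in root:     # even index = document of a pair
                problems.append(f"FILE={name}: document is not in the QCFG root")
    return problems


def interpret_response(status: int, body: bytes) -> str:
    """Map the Web Signer's answer onto the outcomes the page describes."""
    if status == 200 and body:             # success status assumed; the page lists only errors
        return "signed"
    if status in ERROR_STATUS and not body:
        return ERROR_STATUS[status]
    return f"unexpected answer: HTTP {status}, {len(body)} bytes"


def sign_via_web_signer(qcfg: bytes, url: str = WEB_SIGNER_URL) -> Tuple[int, bytes]:
    """POST the QCFG and return (status, body).  Needs a running Web Signer whose TLS
    certificate this client trusts; the client timeout must outlast the signer's 10 minutes."""
    req = Request(url, data=qcfg, method="POST", headers={"Content-Type": "application/zip"})
    try:
        with urlopen(req, timeout=SIGNER_TIMEOUT_S + 30) as resp:
            return resp.status, resp.read()
    except HTTPError as err:              # 404/408/412 arrive here, with their empty body
        return err.code, err.read()


# Constructed sample request: one PDF, to be signed with a detached CMS signature.
SAMPLE_DOC = b"%PDF-1.7\n% constructed placeholder, not a real PDF\n"
SAMPLE_DID = base64.b64encode(bytes(32)).decode()           # placeholder DId, not a real one
SAMPLE_PAIRS = [("contract.pdf", SAMPLE_DID, "application/pdf",
                 "contract.pdf.p7s", "application/pkcs7-signature")]

if __name__ == "__main__":
    request = build_qcfg({"contract.pdf": SAMPLE_DOC}, make_cfg(SAMPLE_PAIRS))
    print("request problems:", check_qcfg(request) or "none")
    # status, body = sign_via_web_signer(request); print(interpret_response(status, body))
```

Two points a caller should take from the page: the client's own HTTP timeout must exceed the signer's ten minutes, or the caller times out before the 408 can ever arrive; and success is recognised by a non-empty body, since an error leaves a zero-size QCFG behind regardless of how the status is reported.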

[-e] Output file/directory is specified in operationOutputOrInputFile (not yet implemented). Exports the signed or timestamped document(s) of the identified signature or timestamp to the file. If operationOutputOrInputFile is an ASiC file, the documents are exported into that ASiC file.

Wildcards (*?) and directories are allowed in inputFile.

The application can also read the input files from the "QES??List.txt" file, where each line contains one input file.

Additional conditions can be modified in the saved settings file "QES??.INI"; see the application section of the "QES??.INI" file:

isASiCAsZip=(0/1) - the newly created ASiC gets the file extension "*.ZIP" instead of "*.ASICE", which simplifies practical handling of the container when QES is used as a ZIP packaging application with additional protection.

isDSIdForNew=(0/1) - a DSId file is created for each new signature or timestamp, as "*.p7s.DSId", "*.tst.DSId" or "*.ASiCxx.DSId" in the same directory.

isFileTmpPDF=(0/1) - temporary files are used instead of memory; this slows the application down.

SelectedUserCert= - selected signer certificate

PKCS11dll= PKCS#11 driver DLL of your smart card, e.g. C:\Program Files (x86)\EAC MW klient\pkcs11_x86.dll

FileKeys= path of a soft-token file, e.g. PKCS#12 (*.p12, *.pfx) or another private key store (*.pem, *.p15, ...)

OffLineTSLDirectory= directory where trusted lists and other validation data, e.g. CRLs or OCSP responses, are stored

cvPredefinedPDFSignatureSize= 24000 - space reserved for the signature in the PDF; if it is too small for the signature to be created, the application shows a message recommending the size to use on the next try (based on the certificate or timestamp size used in the unsuccessful try)

isLog=(0/1) enables the logs

isPSS=(0/1) enables the RSA PSS signature creation

isContentTS=(0/1) content timestamp will be included

isPlugTestRe=(0/1) enables the validation report format of the ETSI PlugTest 

closeOnSigOrTS=(0/1) the application is closed after signing or timestamping

TSAOID= Optional TSA Policy OID

DocMngSysDirectory= directory used for storing documents exchanged with the document management system, e.g. Fabasoft

DocMngSysWebURL= http address of the document management system

DocMngURLErrorPut= http address of the document management system to which an error message string is uploaded with an http/https PUT when the application is used with the /c parameter, e.g. "QES.EXE /c cfg.txt", and closes with an error or without successfully creating the signatures or timestamps of the files specified in, e.g., cfg.txt

ClientCertStorageTLSPassword= password to the private key stored in ClientCertStorageTLSFile, used when the server requests SSL/TLS client authentication; as the password is kept in the settings file, restrict access to "QES??.INI" to the user running QES
ClientCertStorageTLSFile= the private key and client certificate store used when the server requests SSL/TLS client authentication
DeleteDMSDirOnExit=(0/1) the content of DocMngSysDirectory is deleted on exiting the application
CheckBoxOnline=(0/1) the application is connected to the network (internet)

CheckBoxProxyURL=(0/1) Http proxy is used

EditProxyURL.Text= proxy address, e.g. 10.0.250.5

EditProxyPort.Text= proxy port, e.g. 8080

EditProxUName.Text= proxy user name

EditProxUPasswd.Text= proxy password (kept in the settings file; restrict access to "QES??.INI" accordingly)

EditProxyURLNotUsed.Text= addresses used directly without proxy, e.g. ep.nbusr.sk,127.0.0.1

ComboBoxProxAuthType.Text= type of proxy authentication, e.g. NoAuthentication

EditTLURL.Text= address of the frequently used trusted list (TL), e.g. https://ep.nbu.gov.sk/kca/tsl/tsl.xml. Other TLs are reached through URLs stored in this TL: together with its signer certificate it points to the EC TL (the EU list of trusted lists), and the EC TL contains the URL and signer certificate of every other TL.

EditDId1.Text= Document identifier (DId) of TL signer certificate (base64 encoded)

EditDId2.Text= Document identifier (DId) of TL signer certificate (base64 encoded)

EditDId3.Text= Document identifier (DId) of TL signer certificate (base64 encoded)

EditDId4.Text= sequence of Document identifiers (DId) of TL signer certificate (base64 encoded) separated by "{DId-"

LICENCE

LICENCE for the QES program, which locks (secures) files to prevent their modification (electronic signing program)

FREEWARE software, Free QES

Licence agreement with the user of the program

1. This program can be used for free for signing/viewing/verifying purposes.

2. Since this program is provided free of charge under this Licence, there is no warranty, to the extent permitted by law. Copyright holders or other parties provide the program "as is" without any warranty, either express or implied, including but not limited to warranties of merchantability and fitness for a particular purpose, unless otherwise stated in writing. The entire risk as to the quality and performance of the program is with the user. Should the program prove defective, the user bears the cost of all necessary servicing, repair or correction.

3. In no event, unless required by applicable law or agreed in writing, will any copyright holder, or any other party who may modify or distribute the program in compliance with the previous provisions, be liable for damages, including any general, special, incidental or consequential damages arising out of the use or inability to use the program (including but not limited to loss or corruption of data, losses sustained by the user or by third parties, or a failure of the program to operate with other programs), even if the copyright holder or other party has been advised of the possibility of such damages.

4. This program must not be reverse engineered (decompiled or disassembled back to source code or assembler).

Copyright (c) Ing. Peter Rybár

National Security Authority

Author of the program: Peter Rybar BXSoft.info@gmail.com

© 2023 QES application - BX Soft