Default Validation Policy
The following is a default validation policy for AdES Validator. It can be overwritten by custom validation policy using the VALIDATION_POLICY
property of the AdES Validator
<ConstraintsParameters Name="QES AdESQC TL based" xmlns="http://dss.esig.europa.eu/validation/policy">
<Description>Validate electronic signatures and indicates whether they are Advanced electronic Signatures (AdES), AdES supported by a Qualified Certificate (AdES/QC) or a
Qualified electronic Signature (QES). All certificates and their related chains supporting the signatures are validated against the EU Member State Trusted Lists (this includes
signer's certificate and certificates used to validate certificate validity status services - CRLs, OCSP, and time-stamps).
</Description>
<ContainerConstraints>
<AcceptableContainerTypes Level="FAIL">
<Id>ASiC-S</Id>
<Id>ASiC-E</Id>
</AcceptableContainerTypes>
<!-- <ZipCommentPresent Level="WARN" /> -->
<!-- <AcceptableZipComment Level="WARN"> -->
<!-- <Id>mimetype=application/vnd.etsi.asic-s+zip</Id> -->
<!-- <Id>mimetype=application/vnd.etsi.asic-e+zip</Id> -->
<!-- </AcceptableZipComment> -->
<MimeTypeFilePresent Level="FAIL" />
<AcceptableMimeTypeFileContent Level="WARN">
<Id>application/vnd.etsi.asic-s+zip</Id>
<Id>application/vnd.etsi.asic-e+zip</Id>
</AcceptableMimeTypeFileContent>
<ManifestFilePresent Level="FAIL" />
<SignedFilesPresent Level="FAIL" />
<AllFilesSigned Level="WARN" />
</ContainerConstraints>
<SignatureConstraints>
<StructuralValidation Level="WARN" />
<AcceptablePolicies Level="FAIL">
<Id>ANY_POLICY</Id>
<Id>NO_POLICY</Id>
</AcceptablePolicies>
<PolicyAvailable Level="FAIL" />
<PolicyHashMatch Level="FAIL" />
<AcceptableFormats Level="FAIL">
<Id>*</Id>
</AcceptableFormats>
<BasicSignatureConstraints>
<ReferenceDataExistence Level="FAIL" />
<ReferenceDataIntact Level="FAIL" />
<ManifestEntryObjectExistence Level="WARN" />
<SignatureIntact Level="FAIL" />
<SignatureDuplicated Level="FAIL" />
<ProspectiveCertificateChain Level="FAIL" />
<SignerInformationStore Level="FAIL" />
<PdfPageDifference Level="FAIL" />
<PdfAnnotationOverlap Level="WARN" />
<PdfVisualDifference Level="WARN" />
<!-- <TrustedServiceTypeIdentifier Level="WARN"> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</Id> -->
<!-- </TrustedServiceTypeIdentifier> -->
<!-- <TrustedServiceStatus Level="FAIL"> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/undersupervision</Id> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/accredited</Id> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/supervisionincessation</Id> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</Id> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</Id> -->
<!-- </TrustedServiceStatus> -->
<SigningCertificate>
<Recognition Level="FAIL" />
<Signature Level="FAIL" />
<NotExpired Level="FAIL" />
<AuthorityInfoAccessPresent Level="WARN" />
<RevocationInfoAccessPresent Level="WARN" />
<RevocationDataAvailable Level="FAIL" />
<RevocationDataNextUpdatePresent Level="WARN" />
<RevocationDataFreshness Level="FAIL" />
<KeyUsage Level="WARN">
<Id>nonRepudiation</Id>
</KeyUsage>
<SerialNumberPresent Level="WARN" />
<NotRevoked Level="FAIL" />
<NotOnHold Level="FAIL" />
<NotSelfSigned Level="WARN" />
<!-- <Qualification Level="WARN" /> -->
<!-- <SupportedByQSCD Level="WARN" /> -->
<!-- <IssuedToNaturalPerson Level="INFORM" /> -->
<!-- <IssuedToLegalPerson Level="INFORM" /> -->
<UsePseudonym Level="INFORM" />
<Cryptographic />
</SigningCertificate>
<CACertificate>
<Signature Level="FAIL" />
<NotExpired Level="FAIL" />
<RevocationDataAvailable Level="FAIL" />
<RevocationDataNextUpdatePresent Level="WARN" />
<RevocationDataFreshness Level="FAIL" />
<NotRevoked Level="FAIL" />
<NotOnHold Level="FAIL" />
<Cryptographic />
</CACertificate>
<Cryptographic />
</BasicSignatureConstraints>
<SignedAttributes>
<SigningCertificatePresent Level="FAIL" />
<UnicitySigningCertificate Level="WARN" />
<SigningCertificateRefersCertificateChain Level="WARN" />
<CertDigestPresent Level="FAIL" />
<CertDigestMatch Level="FAIL" />
<IssuerSerialMatch Level="WARN" />
<SigningTime Level="FAIL" />
<MessageDigestOrSignedPropertiesPresent Level="FAIL" />
<!-- <ContentType Level="FAIL" value="1.2.840.113549.1.7.1" />
<ContentHints Level="FAIL" value="*" />
<CommitmentTypeIndication Level="FAIL">
<Id>1.2.840.113549.1.9.16.6.1</Id>
<Id>1.2.840.113549.1.9.16.6.4</Id>
<Id>1.2.840.113549.1.9.16.6.5</Id>
<Id>1.2.840.113549.1.9.16.6.6</Id>
</CommitmentTypeIndication>
<SignerLocation Level="FAIL" />
<ContentTimeStamp Level="FAIL" /> -->
</SignedAttributes>
<UnsignedAttributes>
<!-- <CounterSignature Level="IGNORE" /> check presence -->
</UnsignedAttributes>
</SignatureConstraints>
<CounterSignatureConstraints>
<BasicSignatureConstraints>
<ReferenceDataExistence Level="FAIL" />
<ReferenceDataIntact Level="FAIL" />
<SignatureIntact Level="FAIL" />
<SignatureDuplicated Level="FAIL" />
<ProspectiveCertificateChain Level="FAIL" />
<!-- <TrustedServiceTypeIdentifier Level="WARN"> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</Id> -->
<!-- </TrustedServiceTypeIdentifier> -->
<!-- <TrustedServiceStatus Level="FAIL"> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/undersupervision</Id> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/accredited</Id> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/supervisionincessation</Id> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</Id> -->
<!-- <Id>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</Id> -->
<!-- </TrustedServiceStatus> -->
<SigningCertificate>
<Recognition Level="FAIL" />
<Signature Level="FAIL" />
<NotExpired Level="FAIL" />
<AuthorityInfoAccessPresent Level="WARN" />
<RevocationInfoAccessPresent Level="WARN" />
<RevocationDataAvailable Level="FAIL" />
<RevocationDataNextUpdatePresent Level="WARN" />
<RevocationDataFreshness Level="FAIL" />
<KeyUsage Level="WARN">
<Id>nonRepudiation</Id>
</KeyUsage>
<SerialNumberPresent Level="WARN" />
<NotRevoked Level="FAIL" />
<NotOnHold Level="FAIL" />
<NotSelfSigned Level="WARN" />
<!-- <Qualification Level="WARN" /> -->
<!-- <SupportedByQSCD Level="WARN" /> -->
<!-- <IssuedToNaturalPerson Level="INFORM" /> -->
<!-- <IssuedToLegalPerson Level="INFORM" /> -->
<UsePseudonym Level="INFORM" />
<Cryptographic />
</SigningCertificate>
<CACertificate>
<Signature Level="FAIL" />
<NotExpired Level="FAIL" />
<RevocationDataAvailable Level="FAIL" />
<RevocationDataNextUpdatePresent Level="WARN" />
<RevocationDataFreshness Level="FAIL" />
<NotRevoked Level="FAIL" />
<NotOnHold Level="FAIL" />
<Cryptographic />
</CACertificate>
<Cryptographic />
</BasicSignatureConstraints>
<SignedAttributes>
<SigningCertificatePresent Level="FAIL" />
<CertDigestPresent Level="FAIL" />
<CertDigestMatch Level="FAIL" />
<IssuerSerialMatch Level="WARN" />
<SigningTime Level="FAIL" />
<MessageDigestOrSignedPropertiesPresent Level="FAIL" />
<!-- <ContentType Level="FAIL" value="1.2.840.113549.1.7.1" />
<ContentHints Level="FAIL" value="*" />
<CommitmentTypeIndication Level="FAIL">
<Id>1.2.840.113549.1.9.16.6.1</Id>
<Id>1.2.840.113549.1.9.16.6.4</Id>
<Id>1.2.840.113549.1.9.16.6.5</Id>
<Id>1.2.840.113549.1.9.16.6.6</Id>
</CommitmentTypeIndication>
<SignerLocation Level="FAIL" />
<ContentTimeStamp Level="FAIL" /> -->
</SignedAttributes>
</CounterSignatureConstraints>
<Timestamp>
<TimestampDelay Level="IGNORE" Unit="DAYS" Value="0" />
<RevocationTimeAgainstBestSignatureTime Level="FAIL" />
<BestSignatureTimeBeforeExpirationDateOfSigningCertificate Level="FAIL" />
<Coherence Level="WARN" />
<BasicSignatureConstraints>
<ReferenceDataExistence Level="FAIL" />
<ReferenceDataIntact Level="FAIL" />
<SignatureIntact Level="FAIL" />
<ProspectiveCertificateChain Level="FAIL" />
<SigningCertificate>
<Recognition Level="FAIL" />
<Signature Level="FAIL" />
<NotExpired Level="FAIL" />
<RevocationDataAvailable Level="FAIL" />
<RevocationDataNextUpdatePresent Level="WARN" />
<RevocationDataFreshness Level="FAIL" />
<ExtendedKeyUsage Level="WARN">
<Id>timeStamping</Id>
</ExtendedKeyUsage>
<NotRevoked Level="FAIL" />
<NotOnHold Level="FAIL" />
<NotSelfSigned Level="WARN" />
<Cryptographic />
</SigningCertificate>
<CACertificate>
<Signature Level="FAIL" />
<NotExpired Level="FAIL" />
<RevocationDataAvailable Level="WARN" />
<RevocationDataNextUpdatePresent Level="WARN" />
<RevocationDataFreshness Level="FAIL" />
<NotRevoked Level="FAIL" />
<NotOnHold Level="FAIL" />
<Cryptographic />
</CACertificate>
<Cryptographic />
</BasicSignatureConstraints>
<SignedAttributes>
<SigningCertificatePresent Level="WARN" />
<!-- <UnicitySigningCertificate Level="WARN" /> RFC 5816 -->
<CertDigestPresent Level="WARN" />
<AllCertDigestsMatch Level="WARN" />
<IssuerSerialMatch Level="WARN" />
</SignedAttributes>
</Timestamp>
<Revocation>
<RevocationFreshness Level="IGNORE" Unit="DAYS" Value="0" />
<UnknownStatus Level="FAIL" />
<SelfIssuedOCSP Level="WARN" />
<BasicSignatureConstraints>
<ReferenceDataExistence Level="FAIL" />
<ReferenceDataIntact Level="FAIL" />
<SignatureIntact Level="FAIL" />
<ProspectiveCertificateChain Level="FAIL" />
<SigningCertificate>
<Recognition Level="FAIL" />
<Signature Level="FAIL" />
<NotExpired Level="FAIL" />
<RevocationDataAvailable Level="FAIL" />
<RevocationDataNextUpdatePresent Level="WARN" />
<RevocationDataFreshness Level="FAIL" />
<NotRevoked Level="FAIL" />
<NotOnHold Level="FAIL" />
<Cryptographic />
</SigningCertificate>
<CACertificate>
<Signature Level="FAIL" />
<NotExpired Level="FAIL" />
<RevocationDataAvailable Level="WARN" />
<RevocationDataNextUpdatePresent Level="WARN" />
<RevocationDataFreshness Level="FAIL" />
<NotRevoked Level="FAIL" />
<NotOnHold Level="FAIL" />
<Cryptographic />
</CACertificate>
<Cryptographic />
</BasicSignatureConstraints>
</Revocation>
<Cryptographic Level="FAIL">
<AcceptableEncryptionAlgo>
<Algo>RSA</Algo>
<Algo>DSA</Algo>
<Algo>ECDSA</Algo>
<Algo>PLAIN-ECDSA</Algo>
<!-- <Algo>Ed25519</Algo> Not referenced in ETSI/SOGIS -->
</AcceptableEncryptionAlgo>
<MiniPublicKeySize>
<Algo Size="160">DSA</Algo>
<Algo Size="1024">RSA</Algo>
<Algo Size="160">ECDSA</Algo>
<Algo Size="160">PLAIN-ECDSA</Algo>
<!-- <Algo Size="24">Ed25519</Algo> Not referenced in ETSI/SOGIS -->
</MiniPublicKeySize>
<AcceptableDigestAlgo>
<Algo>MD2</Algo>
<Algo>MD5</Algo>
<Algo>SHA1</Algo>
<Algo>SHA224</Algo>
<Algo>SHA256</Algo>
<Algo>SHA384</Algo>
<Algo>SHA512</Algo>
<Algo>SHA3-224</Algo>
<Algo>SHA3-256</Algo>
<Algo>SHA3-384</Algo>
<Algo>SHA3-512</Algo>
<Algo>RIPEMD160</Algo>
<Algo>WHIRLPOOL</Algo>
</AcceptableDigestAlgo>
<AlgoExpirationDate Format="yyyy">
<!-- Digest algorithms -->
<Algo Date="2005">MD2</Algo> <!-- The same as for MD5 -->
<Algo Date="2005">MD5</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
<Algo Date="2009">SHA1</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.0.0 -->
<Algo Date="2023">SHA224</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026">SHA256</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026">SHA384</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026">SHA512</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026">SHA3-224</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026">SHA3-256</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026">SHA3-384</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026">SHA3-512</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2011">RIPEMD160</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.0.0 -->
<Algo Date="2015">WHIRLPOOL</Algo> <!-- ETSI 119 312 V1.1.1 -->
<!-- end Digest algorithms -->
<!-- Encryption algorithms -->
<Algo Date="2013" Size="160">DSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
<Algo Date="2013" Size="192">DSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
<Algo Date="2023" Size="224">DSA</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026" Size="256">DSA</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2009" Size="1024">RSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.0.0 -->
<Algo Date="2016" Size="1536">RSA</Algo> <!-- ETSI 119 312 V1.1.1 -->
<Algo Date="2023" Size="1900">RSA</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026" Size="3000">RSA</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2013" Size="160">ECDSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
<Algo Date="2013" Size="192">ECDSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
<Algo Date="2016" Size="224">ECDSA</Algo> <!-- ETSI 119 312 V1.1.1 -->
<Algo Date="2026" Size="256">ECDSA</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026" Size="384">ECDSA</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026" Size="512">ECDSA</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2013" Size="160">PLAIN-ECDSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
<Algo Date="2013" Size="192">PLAIN-ECDSA</Algo> <!-- ETSI TS 102 176-1 (Historical) V2.1.1 -->
<Algo Date="2016" Size="224">PLAIN-ECDSA</Algo> <!-- ETSI 119 312 V1.1.1 -->
<Algo Date="2026" Size="256">PLAIN-ECDSA</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026" Size="384">PLAIN-ECDSA</Algo> <!-- ETSI 119 312 V1.3.1 -->
<Algo Date="2026" Size="512">PLAIN-ECDSA</Algo> <!-- ETSI 119 312 V1.3.1 -->
<!-- <Algo Date="2026" Size="32">Ed25519</Algo> Not referenced in ETSI/SOGIS -->
<!-- end Encryption algorithms -->
</AlgoExpirationDate>
</Cryptographic>
<Model Value="SHELL" />
<!-- eIDAS REGL 910/EU/2014 -->
<eIDAS>
<TLFreshness Level="WARN" Unit="HOURS" Value="6" />
<TLNotExpired Level="WARN" />
<TLWellSigned Level="WARN" />
<TLVersion Level="FAIL" value="5" />
</eIDAS>
</ConstraintsParameters>