Discuss this help topic in SecureBlackbox Forum

Archive CAdES signature

In the CAdES context, archiving means making the signature verifiable offline. Essentially, a CAdES-A (archival) signature contains all validation information and doesn't need external sources for verification. The process of archiving consists of a thorough validation of the signature, during which all relevant validation information (main and subordinate certificate chains, revocation elements, timestamps, etc.) is collected and added to the signature blob. A signature created this way remains verifiable independently of any external services for as long as the certificates involved in its creation are valid.

Archival signatures must be updated from time to time, following the expiration of the certificates used to create them. This is done by including an extra timestamp from a trusted third party that confirms the authenticity of the content at the moment of updating. All validation elements required to validate the new TSA response (the 'archival timestamp') are also added to the signature at this point.

When the certificate used for the latest archival timestamp is about to expire, another archival timestamp is added, and so on.

This means that an archived signature grows with time, as more and more validation timestamps and elements are added. To verify an archival signature, the original signature should be verified first. Then the verifier should check that the chain of appended archival timestamps is intact, each timestamp correctly certifying those before it. Finally, the last timestamp is validated 'at the current moment', which may imply contacting online revocation sources.

The step-by-step instructions below explain how to archive a CAdES signature (either already archived or not) with SecureBlackbox:

  1. Load the CMS blob into a TElSignedCMSMessage object and get the required signature object: TElCMSSignature sig = cms.get_Signatures(0);
  2. Create a TElCAdESSignatureProcessor object passing the signature object to its constructor: TElCAdESSignatureProcessor processor = new TElCAdESSignatureProcessor(sig);
  3. Call the processor's Archive(), ArchiveBaseline() or ArchiveExtended() method. The choice of method depends on the signature profile you need to be compliant with: standard, Baseline or Extended, respectively. If you are unsure which profile to choose, use Archive().
    Note that all three methods require a properly configured TSP client component as a parameter: processor.Archive(tspClient);
  4. Save the updated CMS using the TElSignedCMSMessage.Save() call.
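The four steps put together as one Java method, added here as an example (not code from the SecureBlackbox help). The package names, the TSP client setters (set_HTTPClient, set_URL) and get_SignatureCount are assumptions to check against your edition's reference; loading the blob (step 1) and saving it (step 4) stay with the caller.

```java
import SecureBlackbox.PKI.TElSignedCMSMessage;        // assumed package layout
import SecureBlackbox.PKI.TElCMSSignature;
import SecureBlackbox.PKI.TElCAdESSignatureProcessor;
import SecureBlackbox.PKI.TElHTTPTSPClient;
import SecureBlackbox.HTTPClient.TElHTTPSClient;

public class CadesArchiver {
    /** CAdES profile the archived signature must stay compliant with (step 3). */
    public enum Profile { STANDARD, BASELINE, EXTENDED }

    /**
     * Archives every signature in an already-loaded CMS message (steps 2 and 3).
     * Works for both plain and previously archived signatures: a new archival
     * timestamp and its validation data are appended either way.
     */
    public static void archiveAll(TElSignedCMSMessage cms, String tsaUrl, Profile profile) {
        // Step 3 prerequisite: a configured TSP client. Assumed API: the TSP client
        // takes an HTTP transport and the TSA URL through set_* setters.
        TElHTTPSClient http = new TElHTTPSClient();
        TElHTTPTSPClient tspClient = new TElHTTPTSPClient();
        tspClient.set_HTTPClient(http);
        tspClient.set_URL(tsaUrl);

        for (int i = 0; i < cms.get_SignatureCount(); i++) {     // assumed counter getter
            TElCMSSignature sig = cms.get_Signatures(i);           // step 1 (from the page)
            TElCAdESSignatureProcessor processor = new TElCAdESSignatureProcessor(sig); // step 2
            switch (profile) {                                     // step 3
                case BASELINE: processor.ArchiveBaseline(tspClient); break;
                case EXTENDED: processor.ArchiveExtended(tspClient); break;
                default:       processor.Archive(tspClient);       // unsure which profile: use this
            }
        }
        // Step 4: the caller persists the updated blob with cms.Save(...).
    }
}
```

Archiving validates each signature as part of the call, so the TSP client and the revocation sources it relies on must be reachable when this runs.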
