Discuss this help topic in SecureBlackbox Forum

Using timestamping services with CAdES components

Timestamping services form a principal component of the CAdES framework. Besides doing their main job of signature time certification, they are also used to create the so-called archival signatures. In this sense timestamping services act as trusted third parties rather than basic time service suppliers.

Most TSAs can be contacted via the dedicated timestamping protocol (TSP) defined by RFC 3161. The protocol records are normally sent over an HTTP(S) connection, yet, plain TCP transports are also used occasionally.

To add a timestamp of any kind to a signature you need to use one of the TSP components provided by SecureBlackbox. Normally this is going to be TElHTTPTSPClient used with HTTP(S)-capable TSAs. In some cases, TElSocketTSPClient for plain TCP connections.

The example below illustrates timestamping using TElHTTPTSPClient. However, if you understand use of TElHTTPTSPClient component, cracking a much simpler TElSocketTSPClient is a piece of cake.

Assume you have a CMS, a signature in it, and you need to add a timestamp of some kind (signature timestamp, content timestamp, or archival timestamp). First of all, create and set up the timestamping objects:

  1. Create an instance of TElHTTPTSPClient class: TElHTTPTSPClient tsp = new TElHTTPTSPClient();
  2. Create an HTTP transport object (TElHTTPSClient): TElHTTPSClient cli = new TElHTTPSClient();
  3. Attach the transport to the TSP component: tsp.HTTPClient = cli;
  4. Configure the TSP component by setting the TSA server URL and the hash algorithm you want to use:
    tsp.URL = "http://tsa.authority.com"; // assign your TSA URL here
    tsp.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
  5. You might need to provide user credentials if your timestamping service requires authorization:
    cli.RequestParameters.Username = "user";
    cli.RequestParameters.Password = "password";
  6. (optional) If your TSA should be accessed via HTTPS protocol, configure the TLS side of the transport component. At least you should handle the OnCertificateValidate event and perform proper certificate validation inside the handler.
Your timestamping components are now ready and you can use them to create or upgrade signatures: processor.CreateT(cert, tsp); or processor.UpgradeToT(tsp); When two timestamps are needed (signature and archival, for instance), you can use the same object twice: processor.UpgradeToBaselineLTA(tsp, tsp);

How To articles about CAdES

Discuss this help topic in SecureBlackbox Forum