Discuss this help topic in SecureBlackbox Forum

Add elements for CMS signature archiving

'Signature archiving' is generally understood as converting the signature to a form in which it does not need external information sources for validation. In other words, an archived signature contains all the information needed to establish its validity without contacting CAs and their representatives (CRLs, OCSP responders, certificate directories). Often such signatures are additionally certified by a trusted third party by means of special archival timestamps made over the entire signature content.

While it is generally easier to archive signatures with the TElCAdESSignatureProcessor class, the TElSignedCMSMessage-based hierarchy might also be useful in certain circumstances.

The low-level signature archiving assumes that you have (or can obtain) the following information:

  1. The whole certificate chain for the signing certificate;
  2. OCSP responses and CRLs for all certificates in that chain, where applicable;
  3. Whole certificate chains for every timestamp and OCSP certificate involved;
  4. OCSP responses and CRLs for all such certificates.

To archive the signature, obtain a signature object (TElCMSSignature) first. It can be either a brand new CMS message and its signature, or an already existing signed message loaded into a TElSignedCMSMessage object.

Complete the following:

  1. Add all your certificates to the signature by adding all TElX509Certificate objects to the message's Certificates list;
  2. Add all CRLs you have to the TElSignedCMSMessage.CRLs storage;
  3. Add all your OCSP responses to the TElSignedCMSMessage.OCSPResponses collection.

Now save the updated signature with the message's Save() method.

Note that the above actions do not affect the integrity of the signature; they only extend it with the validation elements. The signature itself remains valid.
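The following C# snippet is an added example illustrating the three archiving steps above and the reload check a practitioner would want afterwards; it is not code from the SecureBlackbox documentation. It uses only the class and property names the topic mentions (TElSignedCMSMessage, TElX509Certificate, Certificates, CRLs, OCSPResponses, Save()). The namespaces, the Open() call, the exact Add() signatures on the three collections, the OCSPResponseCount property and the CRL/OCSP class names are assumptions and must be checked against the SecureBlackbox reference for your version.

```csharp
using System;
using System.IO;
using SBCMS;        // TElSignedCMSMessage (namespace assumed)
using SBX509;       // TElX509Certificate (namespace assumed)
using SBCRL;        // TElCertificateRevocationList (class and namespace assumed)
using SBOCSPClient; // TElOCSPResponse (class and namespace assumed)

// Added example, not part of the SecureBlackbox documentation.
static class CmsArchiver
{
    // Embeds the validation material into an existing signed CMS message and
    // writes the archived message to outputPath. The caller has already
    // collected the full chains, CRLs and OCSP responses listed in the topic.
    public static void Archive(string inputPath, string outputPath,
        TElX509Certificate[] chainCerts,
        TElCertificateRevocationList[] crls,
        TElOCSPResponse[] ocspResponses)
    {
        TElSignedCMSMessage msg = new TElSignedCMSMessage();

        using (FileStream fin = File.OpenRead(inputPath))
        {
            msg.Open(fin); // Open(Stream) is assumed
        }

        // Step 1: every certificate of every chain (signer, timestamp authority,
        // OCSP responder and their issuers) goes into the message's Certificates list.
        foreach (TElX509Certificate cert in chainCerts)
        {
            msg.Certificates.Add(cert, false); // Add(cert, copyPrivateKey) is assumed
        }

        // Step 2: all CRLs covering those certificates.
        foreach (TElCertificateRevocationList crl in crls)
        {
            msg.CRLs.Add(crl); // Add(crl) is assumed
        }

        // Step 3: all OCSP responses covering those certificates.
        foreach (TElOCSPResponse resp in ocspResponses)
        {
            msg.OCSPResponses.Add(resp); // Add(resp) is assumed
        }

        // Adding validation elements does not touch the signed content, so the
        // existing signature stays valid; Save() writes the extended message.
        using (FileStream fout = File.Create(outputPath))
        {
            msg.Save(fout); // Save(Stream) overload is assumed
        }
    }

    // Reloads the archived message and confirms that the embedded material is
    // at least as large as what was supplied, so that later validation can
    // proceed without contacting any CA, CRL distribution point or OCSP responder.
    public static bool IsSelfContained(string archivedPath,
        int expectedCerts, int expectedCrls, int expectedOcspResponses)
    {
        TElSignedCMSMessage msg = new TElSignedCMSMessage();
        using (FileStream fin = File.OpenRead(archivedPath))
        {
            msg.Open(fin); // Open(Stream) is assumed
        }
        // Count is assumed for the certificate and CRL storages;
        // OCSPResponseCount is assumed for the OCSP response collection.
        return msg.Certificates.Count >= expectedCerts
            && msg.CRLs.Count >= expectedCrls
            && msg.OCSPResponseCount >= expectedOcspResponses;
    }
}
```

Run IsSelfContained() on the saved file rather than trusting the in-memory object: it is the reloaded message that a future validator will see, and an archival timestamp, if one is applied afterwards, should be made over exactly that content.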
