Discuss this help topic in SecureBlackbox Forum

Add attributes to CMS

Besides the digital signature itself, a CMS signature structure may contain additional records called attributes. Attributes can be signed, i.e., included in the signature calculation and covered by the signature, or unsigned. Unsigned attributes are stored alongside the signature but not covered by it.

Signed attributes can only be adjusted on the signature creation stage. Unsigned attributes can be changed, added or removed from the existing signature without affecting its validity. Timestamps, countersignatures and validation elements are typically included as unsigned attributes.

Each attribute is identified by its own object identifier (OID). SecureBlackbox provides a built-in support for a number of common attributes such as Signing Time, Content Type, Signing Certificate, Signer Location and others. You can also add custom attributes by providing their OIDs and encoded values.

Most of the built-in attributes are defined as the descendants of the TElCMSProperty class and exposed as the read-only properties of the TElCMSSignature object. The Included and Signed fields of each attribute indicate whether it is included to the signature, and whether it should be included as signed. The default values of the Signed property of different attribute classes are set in accordance with standard guidelines and best attribute use practices.

Some attributes such as SigningTime, ContentType and MimeType are published as simple types (DateTime, byte[] and string). These may be altered directly.

Some attributes such as Signing Certificate, Signing Time, Content Type, and Message Digest are added automatically by the Sign() method (controlled by the SigningOptions flags).

The example below illustrates how to set signature attributes:

TElCMSSignature sig = cms.get_Signatures(0);

// Setting 'simple' attributes
sig.SigningTime = DateTime.UtcNow;
sig.ContentType = SBConstants.Unit.SB_OID_PKCS7_DATA;

// Setting 'standard' attributes
sig.SignerLocation.Included = true;
sig.SignerLocation.Signed = true;
sig.SignerLocation.CountryName.Value = "GB";
sig.SignerLocation.LocalityName.Value = "London";

sig.SignaturePolicy.Included = true;
sig.SignaturePolicy.Signed = true;
sig.SignaturePolicy.PolicyIdentifier = SBStrUtils.Unit.StrToOID("");
sig.SignaturePolicy.PolicyHash.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA1;
sig.SignaturePolicy.PolicyHash.HashValue = policyHash;

// Setting custom attribute
sig.CustomUnsignedAttributes.Count = 1;
sig.CustomUnsignedAttributes.set_Attributes(0, SBStrUtils.Unit.StrToOID(""));

How To articles about Cryptographic Message Syntax (CMS)

Discuss this help topic in SecureBlackbox Forum