Discuss this help topic in SecureBlackbox Forum

Add signature to CMS

Adding a signature to a CMS is a multi-stage process. Its complexity depends on exactly what you need to obtain on the output. A CMS signature is an elaborated data structure, and setting up its parameters might end up in quite a code.

First, add a signature to TElSignedCMSMessage with its AddSignature() method: int sigIndex = cms.AddSignature(); Obtain the signature object: TElCMSSignature sig = cms.get_Signatures(sigIndex); So far its is only an unsigned template. You have to fill it with necessary pieces of information and sign.

The properties you would normally set first are SigningTime, FingerprintAlgorithm, and DigestAlgorithm. You may also set some custom (signed or unsigned) attributes.

sig.SigningTime = DateTime.UtcNow;
sig.FingerprintAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
sig.DigestAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
Signature timestamps are added after the signature is actually finalized (signed).

The 'message digest' signed attribute is added automatically, you don't need to set it.

You can use the SigningOptions flags to tune up the process: sig.SigningOptions = sig.SigningOptions | SBCMS.Unit.csoUseGeneralizedTimeFormat | SBCMS.Unit.csoIncludeCertToMessage;

Finally, it is time to finalize the signature by calling its Sign() method. sig.Sign(cert, null); Note, to perform signing you need a certificate with the associated private key loaded into a TElX509Certificate object.

You may wish to include a complete chain of certificates to the signature. In this case, load your chain into TElMemoryCertStorage, and pass via the second parameter of the Sign() call: sig.Sign(cert, chain); Your new signature is complete now. You can save the updated CMS structure to a stream with its Save() method, or continue working with it. For instance, you can timestamp the signature you've just created or add another signature to the CMS message.

How To articles about Cryptographic Message Syntax (CMS)

Discuss this help topic in SecureBlackbox Forum