Discuss this help topic in SecureBlackbox Forum

Countersign CMS signature

'Countersigning a signature' means 'signing an existing signature'. A countersignature is always created over an existing signature and is used whenever a third party wants to certify the integrity of the original signature, or the information contained in it. In the CMS structure, a countersignature is stored as an unsigned attribute (so you can add or remove countersignatures without affecting the integrity of the signature). Format-wise, a countersignature is a valid CMS signature itself, therefore it may contain its own countersignatures, effectively forming a signature tree.

To add a countersignature:

  1. Get the original signature (it should be finalised/signed) as a TElCMSSignature object.
  2. Add a countersignature placeholder by calling the AddCountersignature() method of the signature object. Remember to get the index of the new countersignature: int idx = sig.AddCountersignature();
  3. Get the countersignature object: TElCMSSignature csig = sig.get_Countersignatures(idx);
  4. Set up the properties of the countersignature as needed. Remember not to set the content-type field, it is illegal for countersignatures to have their own content types!
    csig.SigningTime = DateTime.UtcNow;
    csig.DigestAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
  5. Complete the countersignature by signing it, just as you do with normal signatures: csig.Sign(cert, null);
  6. Save the modified CMS.

How To articles about Cryptographic Message Syntax (CMS)

Discuss this help topic in SecureBlackbox Forum