Discuss this help topic in SecureBlackbox Forum

Add timestamp to CMS signature

Signature timestamping is a technique which allows to certify the contents and creation time of an electronic signature with an independent trusted third party. Essentially, a timestamp is a regular electronic signature created by a dedicated trusted entity called timestamping authority (TSA), made over a value of another electronic signature (the one being timestamped), and containing its creation time. Timestamping authorities are expected to maintain accurate time records, and normally their authority to issue timestamps is delegated by some higher-level certification authority (CA).

The majority of TSAs can be contacted via a special timestamping protocol (TSP) defined in RFC 3161. The protocol records are normally sent over the HTTP(S) connection, yet, plain TCP transports are also used occasionally.

To timestamp a signature you will need to use one of TSP components included in SecureBlackbox. In most cases this is going to be TElHTTPTSPClient (intended to be used with HTTP(S)-capable TSAs). Occasionally, the TElSocketTSPClient (plain TCP) class will be used. This article deals with the former, more widely used, component. If you understand how to use TElHTTPTSPClient, cracking a much simpler TElSocketTSPClient would be a piece of cake.

Assume that you've created or loaded a CMS signature in a TElCMSSignature object. To timestamp this signature:

  1. Create an instance of TElHTTPTSPClient class: TElHTTPTSPClient tsp = new TElHTTPTSPClient();
  2. Create an HTTP transport object (TElHTTPSClient): TElHTTPSClient cli = new TElHTTPSClient();
  3. Attach the transport to the TSP component: tsp.HTTPClient = cli;
  4. Configure the TSP component by setting the TSA server's URL and the hash algorithm you want to use:
    tsp.URL = "http://tsa.authority.com"; // assign your TSA URL here
    tsp.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;
  5. (optional) If your TSA should be accessed via HTTPS protocol, configure the TLS side of the transport component. At least, you should handle the OnCertificateValidate event and perform proper certificate validation inside the handler.
  6. You're all set to timestamp the signature now: int idx = sig.AddTimestamp(tsp); The idx value returned by the call indicates the index of the new timestamp in the signature's Timestamps[] list.
You can add as many timestamps to the signature as you want. They all certify the signature independently of each other, and do not affect each other.

The same approach can be used to add content and archival timestamps to your signatures.

How To articles about Cryptographic Message Syntax (CMS)

Discuss this help topic in SecureBlackbox Forum