EldoS | Feel safer!

Software components for data protection, secure storage and transfer

How to create a detached PAdES LTV Signature

Also by EldoS: CallbackProcess
A component to control process creation and termination in Windows and .NET applications.
Posted: 07/13/2011 05:33:42
by Milan Kovarik (Basic support level)
Joined: 07/13/2011
Posts: 9


How is possible to create (and verify) a detached PAdES LTV signature please?

We need to create and verify a standalone time stamp.

Thank you,

Milan Kovarik
Posted: 07/13/2011 06:24:20
by Ken Ivanov (EldoS Corp.)

Thank you for contacting us.

Could you please elaborate, from what do you expect this signature to be detached?
Posted: 07/13/2011 06:59:42
by Milan Kovarik (Basic support level)
Joined: 07/13/2011
Posts: 9

Thank you for the promt reply.

Our customer get PDF attachments. Some of them are locked against signing. So we want to sign these attachments by a detached timestamp signature (following PAdES LTV to legally ensure the date we get it) in another p7s file.
Posted: 07/13/2011 07:14:09
by Ken Ivanov (EldoS Corp.)

Thank you for the explanation.

PAdES does not support detached signatures (PAdES signature is always assumed to be included to a PDF document). Therefore, if you are unable to modify the documents, PAdES is not an option. Instead, please consider using CAdES signatures, which offer the same archival capabilities as PAdES-LTV.

SecureBlackbox offers CAdES functionality in two forms: as a set of lower-level CMS classes (TElSignedCMSMessage, TElCMSSignature etc.), and a higher-level TElCAdESSignatureProcessor class which is easier to deal with, but gives less flexibility.
Posted: 07/13/2011 08:45:29
by Milan Kovarik (Basic support level)
Joined: 07/13/2011
Posts: 9

Thank you for you fast answer.

I'm still struggle with a way how to make a signature without using my certificate - only with the time stamp signature provided by TSP authority... It was the reason why we wanted to use PAdES.

If CAdES is able to do it - please can you explain me how? I found an example with CAdES in provided examples - CMSManager, but there is always needed to have own certificate.

My goal:
Get the SHA2 hash from the file
Send hash to TSP provider
Get the response according to RFC 3161
Use this response to create a valid signature without using own certificate
Verify result
Posted: 07/13/2011 08:59:06
by Ken Ivanov (EldoS Corp.)

Do you need to comply to some digital signature standard, or you are free in choosing the standard to use in your product? If the latter is the case, why not to store timestamps received from a TSA along with the documents timestamped in this way? You will always be able to process timestamps with TElClientTSPInfo class shipped with SecureBlackbox, and validate the TSA chain with TElX509CertificateValidator class.
Posted: 07/13/2011 09:02:12
by Eugene Mayevski (EldoS Corp.)

FYI: We have a suggestion in the wishlist for supporting a standard of timestamping generic data.

Sincerely yours
Eugene Mayevski
Posted: 07/13/2011 09:42:41
by Milan Kovarik (Basic support level)
Joined: 07/13/2011
Posts: 9

We are free in choosing, so we can store it away.

Now I store the TSP response in file, but can't open it by TElClientTSPInfo. There is only one suitable method for this ParseCMS(..) and it returns me -1

I provided it as attachmnent.

[ Download ]
Posted: 07/13/2011 10:06:41
by Ken Ivanov (EldoS Corp.)

The attached document is of TimeStampResp type. Basically, it's simply a TSP CMS, enveloped into an outer SEQUENCE:

TimeStampResp ::= SEQUENCE {
status PKIStatusInfo,
timeStampToken TimeStampToken OPTIONAL }

The exact way of working out this situation depends on the method in which you get timestamps from the TSA (though the idea is pretty straightforward - you need to unenvelope the timeStampToken before passing it to TElClientTSPInfo). Do you use SBB classes to read timestamps, or some third-party components are used?
Posted: 07/13/2011 10:48:23
by Milan Kovarik (Basic support level)
Joined: 07/13/2011
Posts: 9

Thank you very much - I have used 3rd party component to communicate with TSP provider and it seems that there is a problem with SHA2 hash computing. I rewrite it now to use TElHTTPSClient and it seems to work :)

Last question - how can I recognize that the integration is not corrupted? -

May I use following code?
TElSignedCMSMessage message = new TElSignedCMSMessage();         
message.Open(cms, data, 0, 0);
var valRes = message.get_Signatures(0).Validate();

Best regards,

Milan Kovarik
Also by EldoS: CallbackRegistry
A component to monitor and control Windows registry access and create virtual registry keys.



Topic viewed 4012 times

Number of guests: 1, registered members: 0, in total hidden: 0


Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!