I am trying to TimeStamp a Digital Signature (with a local TimeStamp certificate) in C# with BouncyCastle. My understanding about TimeStamp is that it is to sign the current time. I am not sure if it should be the current time + original signature content? Please help on this also.
My main confusion is whether the generated TimeStamp should be added to the Signed/Unsigned attributes of the original signature, or whether it will be added as a CounterSignature?
A time stamp's goal is to prove that a signature was created before a given time, so with a time stamp you must sign the digital signature and the current time. The time stamp must be added to the CMS signature as an unsigned attribute. Besides, SignatureTimeStampToken is a signature itself.
To add a time stamp to CMS you can use the Signature time-stamp attribute, which has the object identifier 1.2.840.113549.1.9.16.2.14 and the following ASN.1 type (the information below is all extracted from the CMS and TSP RFCs):
SignatureTimeStampToken ::= TimeStampToken
TimeStampToken ::= ContentInfo
-- contentType is id-signedData ([CMS])
-- content is SignedData ([CMS])
SignedData ::= SEQUENCE {
version CMSVersion,
digestAlgorithms DigestAlgorithmIdentifiers,
encapContentInfo EncapsulatedContentInfo,
certificates [0] IMPLICIT CertificateSet OPTIONAL,
crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
signerInfos SignerInfos }
In TimeStampToken the fields of type EncapsulatedContentInfo of the SignedData construct have the following meanings:
eContentType is an object identifier that uniquely specifies the content type. For a time-stamp token it is defined as:
id-ct-TSTInfo OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 4}
eContent is the content itself, carried as an octet string. The eContent SHALL be the DER-encoded value of TSTInfo.
The time-stamp token MUST NOT contain any signatures other than the signature of the TSA. The certificate identifier (ESSCertID) of the TSA certificate MUST be included as a signerInfo attribute inside a SigningCertificate attribute.
TSTInfo ::= SEQUENCE {
version INTEGER { v1(1) },
policy TSAPolicyId,
messageImprint MessageImprint,
-- MUST have the same value as the similar field in
-- TimeStampReq
serialNumber INTEGER,
-- Time-Stamping users MUST be ready to accommodate integers
-- up to 160 bits.
genTime GeneralizedTime,
accuracy Accuracy OPTIONAL,
ordering BOOLEAN DEFAULT FALSE,
nonce INTEGER OPTIONAL,
-- MUST be present if the similar field was present
-- in TimeStampReq. In that case it MUST have the same value.
tsa [0] GeneralName OPTIONAL,
extensions [1] IMPLICIT Extensions OPTIONAL }
Hope this helps,
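As an added example (not part of the question or the answer above), the following C# shows both halves of what the answer describes with BouncyCastle: the messageImprint is computed over the SignerInfo's signature value, a local TSA issues the token, the token is stored under id-aa-signatureTimeStampToken as an unsigned attribute, and a verifier checks that the token really covers that signature. It assumes the BouncyCastle C# 1.8.x API; tsaKey, tsaCert and tsaPolicyOid are placeholders for your local TSA material.

```csharp
using System;
using System.Collections;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Cms;
using Org.BouncyCastle.Cms;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Tsp;
using Org.BouncyCastle.X509;

public static class SignatureTimeStamping
{
    // Adds id-aa-signatureTimeStampToken (1.2.840.113549.1.9.16.2.14) to every SignerInfo as an
    // UNSIGNED attribute; the TSA signs hash(signature value) plus the time, not the content.
    public static CmsSignedData AddSignatureTimeStamps(CmsSignedData signedData,
        AsymmetricKeyParameter tsaKey, X509Certificate tsaCert, string tsaPolicyOid)
    {
        // Local TSA: tsaCert must carry the critical id-kp-timeStamping EKU or BC rejects it.
        var tokenGen = new TimeStampTokenGenerator(tsaKey, tsaCert, TspAlgorithms.Sha256, tsaPolicyOid);
        var respGen = new TimeStampResponseGenerator(tokenGen, TspAlgorithms.Allowed);
        var updated = new ArrayList();
        foreach (SignerInformation signer in signedData.GetSignerInfos().GetSigners())
        {
            // messageImprint = SHA-256 over this SignerInfo's signature value
            byte[] imprint = DigestUtilities.CalculateDigest("SHA-256", signer.GetSignature());
            BigInteger nonce = BigInteger.ValueOf(DateTime.UtcNow.Ticks);  // demo nonce and serial
            TimeStampRequest req = new TimeStampRequestGenerator().Generate(TspAlgorithms.Sha256, imprint, nonce);
            TimeStampResponse resp = respGen.Generate(req, nonce, DateTime.UtcNow);
            resp.Validate(req);  // status, nonce and messageImprint must round-trip
            var attr = new Org.BouncyCastle.Asn1.Cms.Attribute(
                Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.IdAASignatureTimeStampToken,
                new DerSet(Asn1Object.FromByteArray(resp.TimeStampToken.GetEncoded())));
            IDictionary attrs = signer.UnsignedAttributes == null
                ? new Hashtable() : signer.UnsignedAttributes.ToDictionary();
            attrs[attr.AttrType] = attr;
            updated.Add(SignerInformation.ReplaceUnsignedAttributes(signer, new AttributeTable(attrs)));
        }
        return CmsSignedData.ReplaceSigners(signedData, new SignerInformationStore(updated));
    }

    // Verifier side: the token must be TSA-valid and its messageImprint must equal hash(signature).
    public static bool TimeStampCoversSignature(SignerInformation signer, X509Certificate tsaCert)
    {
        Asn1Encodable val = signer.UnsignedAttributes[Org.BouncyCastle.Asn1.Pkcs.PkcsObjectIdentifiers.IdAASignatureTimeStampToken].AttrValues[0];
        var token = new TimeStampToken(ContentInfo.GetInstance(val));
        token.Validate(tsaCert);  // TSA signature plus ESSCertID binding; throws on failure
        byte[] expected = DigestUtilities.CalculateDigest("SHA-256", signer.GetSignature());
        return Org.BouncyCastle.Utilities.Arrays.AreEqual(expected, token.TimeStampInfo.GetMessageImprintDigest());
    }
}
```

Because the attribute is unsigned, the original signature value is unchanged; a verifier that only checks the CMS signature will ignore the token, so the imprint comparison in TimeStampCoversSignature is what actually binds the time to that signature.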