"cms signature - what is the difference time stamp & counter signature" Code Answer


The time stamp's goal is to prove that the signature was created before a given time, so with a time stamp you must sign the digital signature and the current time. The time stamp must be added to the CMS signature as an unsigned attribute. Besides, SignatureTimeStampToken is a signature itself.

To add a time stamp to CMS you can use a signature time-stamp attribute, which has the 1.2.840.113549.1.9.16.2.14 object identifier and has the following ASN.1 type (the information below is all extracted from the CMS and TSP RFCs):

    SignatureTimeStampToken ::= TimeStampToken

    TimeStampToken ::= ContentInfo
      -- contentType is id-signedData ([CMS])
      -- content is SignedData ([CMS])

    SignedData ::= SEQUENCE {
        version CMSVersion,
        digestAlgorithms DigestAlgorithmIdentifiers,
        encapContentInfo EncapsulatedContentInfo,
        certificates [0] IMPLICIT CertificateSet OPTIONAL,
        crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
        signerInfos SignerInfos }

In TimeStampToken the fields of type EncapsulatedContentInfo of the SignedData construct have the following meanings:

eContentType is an object identifier that uniquely specifies the content type. For a time-stamp token it is defined as:

    id-ct-TSTInfo  OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 4}

eContent is the content itself, carried as an OCTET STRING. The eContent SHALL be the DER-encoded value of TSTInfo.

The time-stamp token MUST NOT contain any signatures other than the signature of the TSA. The certificate identifier (ESSCertID) of the TSA certificate MUST be included as a signerInfo attribute inside a SigningCertificate attribute.

    TSTInfo ::= SEQUENCE  {
       version                      INTEGER  { v1(1) },
       policy                       TSAPolicyId,
       messageImprint               MessageImprint,
             -- MUST have the same value as the similar field in
             -- TimeStampReq
       serialNumber                 INTEGER,
            -- Time-Stamping users MUST be ready to accommodate integers
            -- up to 160 bits.
       genTime                      GeneralizedTime,
       accuracy                     Accuracy                 OPTIONAL,
       ordering                     BOOLEAN             DEFAULT FALSE,
       nonce                        INTEGER                  OPTIONAL,
             -- MUST be present if the similar field was present
             -- in TimeStampReq.  In that case it MUST have the same value.
       tsa                          [0] GeneralName          OPTIONAL,
       extensions                   [1] IMPLICIT Extensions   OPTIONAL  }

Hope this helps,

By mtak on July 7 2022
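The following is an added example, not part of the answer above and not code from any RFC or library. It shows in working code what the TSTInfo structure and the "time stamp of a signature" relationship mean: a minimal DER encoder builds a TSTInfo (version, policy, messageImprint, serialNumber, genTime) whose messageImprint is the SHA-256 hash of a signature value, and a minimal DER parser reads it back and checks that the token really binds that particular signature before trusting its genTime (RFC 3161 requires the messageImprint of a signature time-stamp to be the hash of the SignerInfo signature field). The TSA policy OID and the signature value are constructed placeholders; the hand-rolled DER codec handles only the tags this structure needs and is not a general ASN.1 library. The attribute OID and id-ct-TSTInfo come from the answer; the id-sha256 OID is the standard one.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# OIDs quoted in the answer above (RFC 5652 / RFC 3161), plus the standard id-sha256
OID_SIGNATURE_TIMESTAMP_ATTR = "1.2.840.113549.1.9.16.2.14"  # id-aa-signatureTimeStampToken
OID_CT_TSTINFO = "1.2.840.113549.1.9.16.1.4"                 # id-ct-TSTInfo
OID_SHA256 = "2.16.840.1.101.3.4.2.1"                        # id-sha256
POLICY_OID = "1.2.3.4"  # placeholder TSA policy OID, constructed for this example only


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag: int, body: bytes) -> bytes:
    """One TLV element."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_int(n: int) -> bytes:
    """Non-negative INTEGER; the extra byte keeps a leading zero when the high bit is set."""
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def der_gentime(dt: datetime) -> bytes:
    """GeneralizedTime in the YYYYMMDDHHMMSSZ form used by RFC 3161."""
    return der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def build_tstinfo(signature: bytes, serial: int, gen_time: datetime) -> bytes:
    """Minimal DER TSTInfo: version, policy, messageImprint, serialNumber, genTime.
    The imprint hashes the signature value, which is what binds the token to one signature."""
    digest = hashlib.sha256(signature).digest()
    alg_id = der(0x30, der_oid(OID_SHA256) + der(0x05, b""))   # AlgorithmIdentifier with NULL params
    message_imprint = der(0x30, alg_id + der(0x04, digest))     # MessageImprint
    return der(0x30, der_int(1) + der_oid(POLICY_OID) + message_imprint
               + der_int(serial) + der_gentime(gen_time))


def parse_tlv(buf: bytes, off: int = 0):
    """Return (tag, body, next_offset) for the DER element starting at buf[off]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def children(body: bytes):
    """Iterate over the (tag, body) pairs inside a constructed element."""
    off = 0
    while off < len(body):
        tag, val, off = parse_tlv(body, off)
        yield tag, val


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_tstinfo(der_bytes: bytes) -> dict:
    """Read the mandatory TSTInfo fields back out of DER."""
    tag, body, _ = parse_tlv(der_bytes)
    if tag != 0x30:
        raise ValueError("TSTInfo must be a SEQUENCE")
    fields = list(children(body))
    (_, version), (_, policy), (_, imprint), (_, serial), (_, gentime) = fields[:5]
    (_, alg_id), (_, digest) = list(children(imprint))
    alg_oid = next(children(alg_id))[1]
    return {
        "version": int.from_bytes(version, "big"),
        "policy": decode_oid(policy),
        "hash_alg": decode_oid(alg_oid),
        "imprint": digest,
        "serial": int.from_bytes(serial, "big"),
        "gen_time": datetime.strptime(gentime.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc),
    }


def timestamp_covers_signature(tstinfo_der: bytes, signature: bytes):
    """Return genTime only if the token's messageImprint is the hash of this signature value.
    A token whose imprint does not match proves nothing about this signature's age."""
    info = parse_tstinfo(tstinfo_der)
    if info["hash_alg"] != OID_SHA256:
        return None
    if not hmac.compare_digest(info["imprint"], hashlib.sha256(signature).digest()):
        return None
    return info["gen_time"]


# Constructed sample input: a stand-in for SignerInfo.signature and a fixed genTime
SIGNATURE_VALUE = bytes(range(64))
GEN_TIME = datetime(2022, 7, 7, 12, 0, 0, tzinfo=timezone.utc)
TOKEN = build_tstinfo(SIGNATURE_VALUE, serial=1234, gen_time=GEN_TIME)

if __name__ == "__main__":
    print(parse_tstinfo(TOKEN))
    print("covers signature:", timestamp_covers_signature(TOKEN, SIGNATURE_VALUE))
    print("covers altered signature:", timestamp_covers_signature(TOKEN, SIGNATURE_VALUE + b"x"))
```

In a real verifier the TSTInfo bytes come from the eContent of the SignedData carried in the 1.2.840.113549.1.9.16.2.14 unsigned attribute, and the TSA's own signature over that SignedData (plus its certificate chain) must be validated before the genTime is believed; the imprint check above is the step that ties the validated token to the specific signature being dated.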
