Insert Time-stamp into CMS Signed Data


Insert Time-stamp into CMS Signed Data

Harakiri
Hello,

RFC 3161 defines in "APPENDIX A - Signature Time-stamp
attribute using CMS" a way to include a timestamp
within a CMS object.

Since it has to be put into the unsigned attributes, I
believe a good example to implement this would be the
existing method of CMSSignedData.replaceSigners
because the description says

"You would probably only want to do this if you wanted
to change the unsigned attributes associated with a
signer".

Now, can anyone give me further information on how I
include the TimeStampToken.getEncoded() into the CMS?

I guess the field unauthenticatedAttributes in
SignerInfo is suitable - but what is the correct
syntax?

Could anyone explain this in more detail? Thanks



Re: Insert Time-stamp into CMS Signed Data

Karsten Ohme
Harakiri wrote:

> Hello,
>
> RFC 3161 defines in "APPENDIX A - Signature Time-stamp
> attribute using CMS" a way to include a timestamp
> within a CMS object.
>
> Since it has to be put into the unsigned attributes, I
> believe a good example to implement this would be the
> existing method of CMSSignedData.replaceSigners
> because the description says
>
> "You would probably only want to do this if you wanted
> to change the unsigned attributes associated with a
> signer".
>
> Now, can anyone give me further information on how I
> include the TimeStampToken.getEncoded() into the CMS?
>
> I guess the field unauthenticatedAttributes in
> SignerInfo is suitable - but what is the correct
> syntax?
>
> Could anyone explain this in more detail? Thanks

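CMSSignedDataGenerator gen = new CMSSignedDataGenerator();

// Unsigned attributes, keyed by attribute OID
// (the <...> entries are placeholders to fill in)
Hashtable attrs = new Hashtable();

attrs.put(<DERObjectIdentifier>, <DERObject>);

AttributeTable unsignedAttr = new AttributeTable(attrs);

// Pass the unsigned attribute table along when adding the signer
gen.addSigner(privKey, cert, CMSSignedGenerator.DIGEST_SHA1,
              signedAttr, unsignedAttr);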

Karsten




Re: Insert Time-stamp into CMS Signed Data

Harakiri
Thanks,

but this example is for when I create a timestamp prior
to signing - I actually want to add the timestamp after
the signing... because the timestamp should be
generated over the signed hash

Regards



Re: Insert Time-stamp into CMS Signed Data

Massimiliano_Ziccardi
In reply to this post by Harakiri

I did it this way:

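     // JDK and Bouncy Castle classes used below. CStreamHandler, TimeStampService,
     // TimeStamp, TimeStampException, CETSIFile and m_oTsData are not Bouncy Castle
     // names; their definitions are not part of this post.
     import java.io.*;
     import java.util.*;
     import org.bouncycastle.asn1.ASN1InputStream;
     import org.bouncycastle.asn1.DERObject;
     import org.bouncycastle.asn1.DERSet;
     import org.bouncycastle.asn1.cms.Attribute;
     import org.bouncycastle.asn1.cms.AttributeTable;
     import org.bouncycastle.cms.CMSException;
     import org.bouncycastle.cms.CMSSignedData;
     import org.bouncycastle.cms.SignerInformation;
     import org.bouncycastle.cms.SignerInformationStore;

     /**
      * Utility method. Adds the signature timestamp token to the produced P7M
      * @param fP7MFile The file to be opened to add the timestamp
      * @throws IOException On any I/O error
      * @throws TimeStampException On any Timestamp error
      */
     private void addSignatureTimestamp(File fP7MFile) throws IOException, TimeStampException
     {
          CStreamHandler h = new CStreamHandler();
          try
          {
               TimeStampService tss = new TimeStampService(m_oTsData.getHost(),
                         m_oTsData.getPort(), m_oTsData.getPolicyOID());

               // Parse the existing PKCS#7 / CMS SignedData from the file
               InputStream in = h.getBufferedInputStream(fP7MFile);
               CMSSignedData oSignedData;
               try
               {
                    oSignedData = new CMSSignedData(in);
                    in.close();
               }
               catch (CMSException e)
               {
                    throw new IOException(e.getMessage());
               }

               SignerInformationStore oOrigSignerInfoStore = oSignedData.getSignerInfos();
               SignerInformationStore oNewSignerInformationStore = null;

               // Insert a signature timestamp for every signature present in the PKCS#7
               List vNewSigners = new ArrayList();

               Collection ovSigners = oOrigSignerInfoStore.getSigners();
               for (Iterator iter = ovSigners.iterator(); iter.hasNext();)
               {
                    SignerInformation oSi = (SignerInformation) iter.next();

                    // Request a timestamp over this signer's signature value
                    TimeStamp signatureTs = tss.requestTimeStamp(
                              new ByteArrayInputStream(oSi.getSignature()));
                    Hashtable ht = new Hashtable();
                    DERObject derObj = new ASN1InputStream(
                              new ByteArrayInputStream(signatureTs.toDER())).readObject();
                    DERSet derSet = new DERSet(derObj);

                    // Wrap the token in an unsigned attribute, keyed by its OID
                    Attribute unsignAtt = new Attribute(CETSIFile.id_signatureTimeStampToken, derSet);
                    ht.put(CETSIFile.id_signatureTimeStampToken, unsignAtt);

                    AttributeTable unsignedAtts = new AttributeTable(ht);

                    // Build a new SignerInformation carrying the unsigned attribute table
                    vNewSigners.add(SignerInformation.replaceUnsignedAttributes(oSi, unsignedAtts));
               }

               oNewSignerInformationStore = new SignerInformationStore(vNewSigners);

               // Swap the signers in the SignedData and write the result back to the file
               CMSSignedData oNewSd = CMSSignedData.replaceSigners(oSignedData, oNewSignerInformationStore);
               h.getBufferedOutputStream(fP7MFile).write(oNewSd.getEncoded());
          }
          finally
          {
               h.closeAll();
          }
     }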



                                                                                                                                               
From:    Harakiri <harakiri_23@yahoo.com>
To:      [hidden email]
cc:
Subject: Re: [dev-crypto] Insert Time-stamp into CMS Signed Data
Date:    13/09/2006 21.36




Thanks,

but this example is for when I create a timestamp prior
to signing - I actually want to add the timestamp after
the signing... because the timestamp should be
generated over the signed hash

Regards

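A variant of the approach discussed in this thread, as an added example that is not code from any of the posters or from the Bouncy Castle project. It goes beyond the posts by using Bouncy Castle's own org.bouncycastle.tsp classes for the request and response, and by merging the token into any unsigned attributes a signer already carries instead of replacing them. The class name and the TsaTransport interface are hypothetical; the caller supplies the actual exchange with the time-stamping authority.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cms.*;
import org.bouncycastle.tsp.*;

public final class SignatureTimestamper {
    /** Hypothetical transport: sends a DER TimeStampReq to a TSA, returns the DER TimeStampResp. */
    public interface TsaTransport { byte[] exchange(byte[] derRequest) throws Exception; }

    public static CMSSignedData addTimestamps(CMSSignedData signed, TsaTransport tsa) throws Exception {
        List<SignerInformation> updated = new ArrayList<>();
        for (SignerInformation si : signed.getSignerInfos().getSigners()) {
            // RFC 3161 Appendix A: the message imprint is a hash of the SignerInfo signature value.
            byte[] imprint = MessageDigest.getInstance("SHA-256").digest(si.getSignature());
            TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
            reqGen.setCertReq(true); // ask the TSA to include its certificate in the token
            TimeStampRequest req = reqGen.generate(TSPAlgorithms.SHA256, imprint,
                    new BigInteger(64, new SecureRandom()));

            TimeStampResponse resp = new TimeStampResponse(tsa.exchange(req.getEncoded()));
            resp.validate(req); // throws TSPException if nonce, imprint or algorithm do not match
            TimeStampToken token = resp.getTimeStampToken();
            if (token == null) {
                throw new TSPException("TSA returned no token: " + resp.getStatusString());
            }

            // The attribute value is the token's ContentInfo.
            ASN1Encodable value = token.toCMSSignedData().toASN1Structure();
            // Keep unsigned attributes that are already present (null when there are none).
            AttributeTable existing = si.getUnsignedAttributes();
            AttributeTable base = existing != null ? existing : new AttributeTable(new ASN1EncodableVector());
            AttributeTable merged = base.add(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken, value);
            updated.add(SignerInformation.replaceUnsignedAttributes(si, merged));
        }
        return CMSSignedData.replaceSigners(signed, new SignerInformationStore(updated));
    }
}
```

resp.validate(req) only checks the response against the request; the token's own signature still has to be verified against the TSA certificate before the timestamp is relied on.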