Home/ Questions/Q 6649409
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T00:46:14+00:00

I’m trying to understand java APIs for digital signatures. I should use custom cryptoprovider

  • 0

I’m trying to understand java APIs for digital signatures.
I should use custom cryptoprovider to compose digital signature. I know how to sign document and get detached signature using this CSP, now I need to add timestamp and certificate status to this signature(to make signature valid for government authorities). These thing are done using TSP and OCSP.
The question:

  1. where should get TSP client?
  2. am I right that it is sufficient to use built in java OCSP support
    for verifing certificate?
  3. does tsp and verification info somehow connected with CMS?
  4. the last and the most interesting: what should I do with timestamp
    info and cert verification info: would it be detached files or they
    are parts of signature??
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    where should get TSP client?

    To use CMS, TSP and OCSP you might want to check out Bouncy Castle. They have support for all of those in the main package as well as the supplementary CMS and TSP packages.

    am I right that it is sufficient to use built in java OCSP support for verifing certificate?

    Although the standard PKIX certificate validation mechanism supports OCSP it might make sense to integrate e.g. the Bouncy Castle OCSP code in the form of a custom PKIXCertPathChecker. You can either add it on top of the existing validation or make it a full-fledged replacement, instructions can be found here. We had problems using the built-in OCSP support when connecting through a proxy, so we replaced the default using this technique in the past.

    does tsp and verification info somehow connected with CMS?

    The timestamp response that the TSP server sends you is nothing more than another CMS SignedData, so in itself again a kind of signature. What you typically do in order to avoid myriads of separate files is using the unsigned properties feature of CMS to include your timestamp within the original signature itself. You simply add the timestamp as an unsigned signature property in the usignedAttrs field of SignerInfo, therefore minimizing the separate files to exactly one, the signature itself which embeds all additional information within the signedAttrs and unsignedAttrs fields.

    the last and the most interesting: what should I do with timestamp info and cert verification info: would it be detached files or they are parts of signature??

    Timestamps I have already described; the validation info such as CRLs and OCSP responses can be embedded within the “crls” field of SignedData. You can add these whenever you want without breaking the actual signature – these contents as well as the unsigned properties will not be taken into account for either generating or verifying the signature.

    If you embed the information using just the CMS (RFC 5652) means you will end up with a fairly proprietary scheme. Depending on your needs, this might already be good enough. If you should need something more interoperable, however, you might want to look into CAdES (ETSI TS 101 733), a free ETSI standard that can be downloaded at http://pda.etsi.org. That standard provides more information on how to properly embed additional signature data such as timestamps and revocation information.

    • 0