CMS Signature - What is the difference between Time Stamp & Counter Signature?


Question

I am trying to time stamp a digital signature (with a local TimeStamp certificate) in C# with BouncyCastle. My understanding of TimeStamp is that it is to sign the current time. Not sure if it should be current time + original signature content? Please help on this also.

My main confusion is whether the generated TimeStamp should be added to the Signed/Unsigned attributes of the original signature, or whether it will be added as a CounterSignature?

Answer

A time stamp's goal is to prove that the signature was created before a given time, so with a time stamp you must sign the digital signature and the current time. The time stamp must be added to the CMS signature as an unsigned attribute. Besides, the SignatureTimeStampToken is itself a signature.

To add a time stamp to CMS you can use the Signature time-stamp attribute, which has object identifier 1.2.840.113549.1.9.16.2.14 and the following ASN.1 type (the information below is all extracted from the CMS and TSP RFCs):

SignatureTimeStampToken ::= TimeStampToken

TimeStampToken ::= ContentInfo
 -- contentType is id-signedData ([CMS])
 -- content is SignedData ([CMS])

SignedData ::= SEQUENCE {
    version CMSVersion,
    digestAlgorithms DigestAlgorithmIdentifiers,
    encapContentInfo EncapsulatedContentInfo,
    certificates [0] IMPLICIT CertificateSet OPTIONAL,
    crls [1] IMPLICIT RevocationInfoChoices OPTIONAL,
    signerInfos SignerInfos }

In a TimeStampToken the fields of the EncapsulatedContentInfo type of the SignedData construct have the following meanings:

eContentType is an object identifier that uniquely specifies the content type. For a time-stamp token it is defined as:

    id-ct-TSTInfo  OBJECT IDENTIFIER ::= { iso(1) member-body(2)
    us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 4}

eContent is the content itself, carried as an octet string. The eContent SHALL be the DER-encoded value of TSTInfo.

The time-stamp token MUST NOT contain any signatures other than the signature of the TSA. The certificate identifier (ESSCertID) of the TSA certificate MUST be included as a signerInfo attribute inside a SigningCertificate attribute.

    TSTInfo ::= SEQUENCE  {
       version                      INTEGER  { v1(1) },
       policy                       TSAPolicyId,
       messageImprint               MessageImprint,
             -- MUST have the same value as the similar field in
             -- TimeStampReq
       serialNumber                 INTEGER,
            -- Time-Stamping users MUST be ready to accommodate integers
            -- up to 160 bits.
       genTime                      GeneralizedTime,
       accuracy                     Accuracy                 OPTIONAL,
       ordering                     BOOLEAN             DEFAULT FALSE,
       nonce                        INTEGER                  OPTIONAL,
             -- MUST be present if the similar field was present
             -- in TimeStampReq.  In that case it MUST have the same value.
       tsa                          [0] GeneralName          OPTIONAL,
       extensions                   [1] IMPLICIT Extensions   OPTIONAL  }

Hope this helps,
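As an added worked example (not part of the original question or answer, and not BouncyCastle code), the following stdlib-only Python builds the structures the answer lists and checks the binding they create. It encodes a TSTInfo whose messageImprint is the SHA-256 of a signature value, wraps it in a TimeStampToken and then in an unsigned attribute with OID 1.2.840.113549.1.9.16.2.14, and contrasts that with a countersignature attribute (OID 1.2.840.113549.1.9.6, whose value is a SignerInfo rather than a token). The check walks the attribute down to TSTInfo and verifies messageImprint against the signature value; it does not verify the TSA's own signature or certificate. The TSA policy OID, serial number, signature bytes and the empty digestAlgorithms/signerInfos sets in the token are constructed placeholders, not values from any real TSA.

```python
"""Signature time-stamp as an unsigned CMS attribute (RFC 3161 / RFC 5652), stdlib only."""
import hashlib
from datetime import datetime, timezone

def tlv(tag, body):
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def der_int(n):  # non-negative integers only
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def children(body):  # split a constructed DER body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out

OID_SHA256      = "2.16.840.1.101.3.4.2.1"
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_CT_TSTINFO  = "1.2.840.113549.1.9.16.1.4"   # id-ct-TSTInfo
OID_SIG_TST     = "1.2.840.113549.1.9.16.2.14"  # id-aa-signatureTimeStampToken
OID_COUNTERSIG  = "1.2.840.113549.1.9.6"        # id-countersignature (PKCS#9)
POLICY_OID      = "1.2.3.4.5"                   # placeholder TSA policy, not a real one

def message_imprint(signature_value):
    """MessageImprint = hash of the signatureValue; this is what binds the token to the signature."""
    alg = tlv(0x30, der_oid(OID_SHA256) + b"\x05\x00")
    return tlv(0x30, alg + tlv(0x04, hashlib.sha256(signature_value).digest()))

def tst_info(signature_value, serial, gen_time):
    """TSTInfo with its mandatory fields: version, policy, messageImprint, serialNumber, genTime."""
    gen = tlv(0x18, gen_time.strftime("%Y%m%d%H%M%SZ").encode())
    return tlv(0x30, der_int(1) + der_oid(POLICY_OID) + message_imprint(signature_value)
               + der_int(serial) + gen)

def time_stamp_token(tstinfo):
    """TimeStampToken ::= ContentInfo { id-signedData, [0] SignedData }; eContentType is id-ct-TSTInfo.
    digestAlgorithms and signerInfos are empty SETs here (placeholder: no TSA key in this example)."""
    encap = tlv(0x30, der_oid(OID_CT_TSTINFO) + tlv(0xA0, tlv(0x04, tstinfo)))
    signed = tlv(0x30, der_int(3) + tlv(0x31, b"") + encap + tlv(0x31, b""))
    return tlv(0x30, der_oid(OID_SIGNED_DATA) + tlv(0xA0, signed))

def unsigned_attribute(oid, value):
    """Attribute ::= SEQUENCE { attrType OID, attrValues SET OF ANY }, as placed in SignerInfo.unsignedAttrs."""
    return tlv(0x30, der_oid(oid) + tlv(0x31, value))

def check_signature_timestamp(signature_value, unsigned_attrs):
    """Find id-aa-signatureTimeStampToken and verify its imprint binds this signatureValue.
    Returns genTime, or None if absent.  The TSA's own signature/certificate is NOT checked here."""
    for attr in unsigned_attrs:
        (_, attr_body), = children(attr)
        (_, oid_body), (_, values) = children(attr_body)
        if tlv(0x06, oid_body) != der_oid(OID_SIG_TST):
            continue  # e.g. a countersignature: different OID and holds a SignerInfo, not a token
        (_, content_info), = children(values)
        (_, _ct_body), (_, explicit) = children(content_info)   # [0] EXPLICIT SignedData
        (_, signed_body), = children(explicit)
        _, encap_body = children(signed_body)[2]  # version, digestAlgorithms, encapContentInfo, ...
        (_, ect_body), (_, econtent) = children(encap_body)
        if tlv(0x06, ect_body) != der_oid(OID_CT_TSTINFO):
            raise ValueError("eContentType is not id-ct-TSTInfo")
        (_, octets), = children(econtent)           # eContent [0] EXPLICIT OCTET STRING
        (_, tstinfo_body), = children(octets)       # the OCTET STRING holds DER TSTInfo
        fields = children(tstinfo_body)
        (_, alg_body), (_, digest) = children(fields[2][1])  # messageImprint
        if tlv(0x06, children(alg_body)[0][1]) != der_oid(OID_SHA256):
            raise ValueError("unexpected messageImprint hash algorithm")
        if digest != hashlib.sha256(signature_value).digest():
            raise ValueError("messageImprint does not match this signatureValue")
        return fields[4][1].decode()  # genTime
    return None

def demo(signature_value=bytes(range(70))):
    """Constructed data: a fake 70-byte signatureValue and one unsigned attribute of each kind."""
    gen_time = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    ts_attr = unsigned_attribute(OID_SIG_TST, time_stamp_token(tst_info(signature_value, 0x1234, gen_time)))
    cs_attr = unsigned_attribute(OID_COUNTERSIG, tlv(0x30, b""))  # placeholder SignerInfo body
    try:
        check_signature_timestamp(signature_value + b"\x00", [ts_attr])
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {"gen_time": check_signature_timestamp(signature_value, [cs_attr, ts_attr]),
            "countersig_only": check_signature_timestamp(signature_value, [cs_attr]),
            "tampered_rejected": tampered_rejected}
```

Run it with `python -c "import tst_example as m; print(m.demo())"` (module name assumed). The two things the question asked about are visible in the bytes: the value hashed into the TimeStampRequest's messageImprint is the SignerInfo's signatureValue, not the signed content, and the token the TSA returns goes verbatim into that same SignerInfo's unsignedAttrs under id-aa-signatureTimeStampToken. A countersignature also lives in unsignedAttrs and also covers the original signatureValue (its message-digest attribute is the hash of that value, RFC 5652 section 11.4), but its attribute value is an ordinary SignerInfo under id-countersignature, so a verifier that only looks for the time-stamp OID, as above, correctly ignores it. In production, after this imprint check you still have to verify the TSA's SignerInfo and chain the TSA certificate named by the SigningCertificate attribute.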
