Discuss this help topic in SecureBlackbox Forum

Use the timestamp for signing

Obtaining a timestamp over data

This article explains how to contact an RFC3161-compliant TSA and obtain a timestamp for given data. This is the lowest level of data timestamping, where you interact directly with a TSA by sending it a hash of the data and retrieving a timestamp CMS blob. If you need to create a timestamped CMS signature, or to add a timestamp to an existing CMS signature, please see this article instead. If you need to create a higher-level RFC5544-timestamped document, please see this article.

SecureBlackbox comes with three components capable of talking RFC3161, all of them descendants of the TElCustomTSPClient class: TElHTTPTSPClient, TElFileTSPClient and TElSocketTSPClient. Each descendant communicates with the TSA via a dedicated protocol. TElHTTPTSPClient is intended to be used with TSAs accessible via HTTP or HTTPS, TElSocketTSPClient works with TSAs providing plain TCP access, and TElFileTSPClient can be used with any other kind of transport, as it allows the component user to get in the middle of the process and direct the request wherever they need.

We are going to illustrate the use of TElHTTPTSPClient here, as HTTP(S) is the most widely used transport for TSA services. The sibling components are used in a very similar manner; the only differences are specific to setting up the parameters of the particular transport.

1. At this preparation stage you should decide which digest algorithm to use and calculate a hash over the data to be timestamped. You can use the TElHashFunction class to calculate the hash:

    // message imprint: the TSA only ever sees this hash, never the data itself
    byte[] hash = TElHashFunction.Hash(SBConstants.Unit.SB_ALGORITHM_DGST_SHA256,
                                       Encoding.UTF8.GetBytes("timestamped message"));

2. Create an instance of the proper timestamping component and set it up:

    TElHTTPTSPClient tspClient = new TElHTTPTSPClient();
    // if using the HTTP-based TSP client, we need to create a TElHTTPSClient component and set it up:
    TElHTTPSClient httpClient = new TElHTTPSClient();
    tspClient.HTTPClient = httpClient;
    tspClient.URL = "http://www.mytsa.com/tsa";

Note: you will need to handle the TElHTTPSClient.OnCertificateValidate event if your TSA is to be accessed via HTTPS.

3. Configure the TSP client. At least the HashAlgorithm property should be assigned to reflect the hash algorithm that you used to calculate the hash over your data (often referred to as the 'message imprint'):

    tspClient.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;

In certain cases, quite rare though, you might need to set RequestFormat to TSBTSPRequestFormat.tsfCMS to make the component compose the request in CMS format rather than in plain RFC3161. This is because some exotic responders only work with CMS requests. In this case you will also need to put your signing certificate into a certificate storage and assign it to the CertStorage property.

4. Pass the hash obtained at stage 1 to the TSP client's Timestamp() method. You will also need to allocate several variables to receive the output:

    int serverResult = 0;
    int failureInfo = 0;
    byte[] replyCms = null;
    int res = tspClient.Timestamp(hash, ref serverResult, ref failureInfo, ref replyCms);

If the request executes successfully (check that res is 0), serverResult will indicate the status returned by the service (one of the psGranted, psGrantedWithMods, psRejection, psWaiting, psRevocationWarning, psRevocationNotification or psKeyUpdateWarning flags). If serverResult is psGranted or psGrantedWithMods, replyCms will contain the timestamp CMS. You can also access the details of the returned timestamp (such as date/time, TSA credentials and the CMS itself) via the TSP client's TSPInfo property.
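The four steps above put together into one routine, as an added example that is not part of the original article or of the SecureBlackbox product code. It assumes the component, property and method names shown in the article; the namespace imports (SBHashFunction, SBHTTPSClient, SBTSPClient) are assumed to match the SecureBlackbox .NET assemblies, the TSA URL is a placeholder, and the request is sent over plain HTTP so that no OnCertificateValidate handler is needed. Rather than relying on the psGranted/psGrantedWithMods constants, it compares serverResult against the numeric PKIStatus values defined in RFC 3161 (granted = 0, grantedWithMods = 1), so that an unexpected status or an empty token is treated as a failure instead of being written out as a timestamp.

```csharp
using System;
using System.IO;
using System.Text;
using SBHashFunction;   // TElHashFunction (assumed namespace)
using SBHTTPSClient;    // TElHTTPSClient (assumed namespace)
using SBTSPClient;      // TElHTTPTSPClient (assumed namespace)

public static class TimestampDemo
{
    // PKIStatus values from RFC 3161, section 2.4.2. These correspond to the
    // psGranted and psGrantedWithMods flags mentioned in the article.
    private const int PkiStatusGranted = 0;
    private const int PkiStatusGrantedWithMods = 1;

    // Returns the timestamp token (CMS blob) for the given data, or throws
    // with a diagnostic message if the request or the TSA's answer failed.
    public static byte[] TimestampData(byte[] data, string tsaUrl)
    {
        // Step 1: message imprint. The TSA only ever sees this hash.
        byte[] hash = TElHashFunction.Hash(SBConstants.Unit.SB_ALGORITHM_DGST_SHA256, data);

        // Step 2: transport and client. A plain-HTTP endpoint is assumed here; an
        // https:// URL additionally requires handling httpClient.OnCertificateValidate.
        TElHTTPSClient httpClient = new TElHTTPSClient();
        TElHTTPTSPClient tspClient = new TElHTTPTSPClient();
        tspClient.HTTPClient = httpClient;
        tspClient.URL = tsaUrl;

        // Step 3: the algorithm identifier sent in the request must match the one
        // used for the imprint, otherwise the token will not verify against the data.
        tspClient.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256;

        // Step 4: send the request and collect the outputs.
        int serverResult = 0;
        int failureInfo = 0;
        byte[] replyCms = null;
        int res = tspClient.Timestamp(hash, ref serverResult, ref failureInfo, ref replyCms);

        // A non-zero res means the component itself failed (transport, parsing, ...);
        // serverResult and replyCms are meaningless in that case.
        if (res != 0)
            throw new InvalidOperationException("TSP request failed, component error code " + res);

        // Only granted / grantedWithMods carry a usable token; every other status
        // (rejection, waiting, revocation warnings, ...) is reported, not silently accepted.
        bool granted = serverResult == PkiStatusGranted || serverResult == PkiStatusGrantedWithMods;
        if (!granted)
            throw new InvalidOperationException(
                "TSA did not grant the timestamp: status " + serverResult +
                ", failureInfo 0x" + failureInfo.ToString("X"));

        if (replyCms == null || replyCms.Length == 0)
            throw new InvalidOperationException("TSA reported success but returned no token");

        return replyCms;
    }

    public static void Main(string[] args)
    {
        // Constructed sample input and a placeholder TSA URL; substitute your own.
        byte[] data = Encoding.UTF8.GetBytes("timestamped message");
        byte[] token = TimestampData(data, "http://www.mytsa.com/tsa");
        File.WriteAllBytes("timestamp.tst", token);
        Console.WriteLine("Received " + token.Length + " bytes of timestamp CMS");
    }
}
```

The token returned here is only as trustworthy as the TSA that signed it: before relying on it, verify the token's signature against a TSA certificate you trust and confirm that the message imprint inside it equals the hash you sent, since a granted status by itself proves neither.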
