Discuss this help topic in SecureBlackbox Forum

Obtain timestamp

This article explains how to contact an RFC3161-compliant TSA and obtain a timestamp for the given data. This is the lowest level of data timestamping where you interact directly with a TSA by sending it a hash of data and retrieving a timestamp CMS blob. If you need to create a timestamped CMS signature or add a timestamp to the existing CMS signature, please consult this article instead. How to create a higher-level RFC5544-timestamped document is explained here.

SecureBlackbox provides three components capable of talking RFC3161, all being the descendants of TElCustomTSPClient class: TElHTTPTSPClient, TElFileTSPClient, and TElSocketTSPClient. Each component is capable of communicating to the TSA via the specific protocol. TElHTTPTSPClient is intended to be used over HTTP or HTTPS; TElSocketTSPClient works with TSAs providing plain TCP access; TElFileTSPClient can be used with any other kind of transport (it allows users to direct requests wherever they need).

Code snippets below illustrate how to use TElHTTPTSPClient because HTTP(S) transport is most widely used by TSA services. The sibling components are supposed to be used in a very similar manner; the only differences will be specific to configuring the particular transport.

  1. Choose digest algorithm and compute the hash over the data to be timestamped. You can use TElHashFunction class: byte[] hash = TElHashFunction.Hash(SBConstants.Unit.SB_ALGORITHM_DGST_SHA256, Encoding.UTF8.GetBytes("timestamped message"));
  2. Create an instance of the timestamping component and set it up:
    TElHTTPTSPClient tspClient = new TElHTTPTSPClient();
    // when using HTTP-based TSP client we need to create a TElHTTPSClient component and set it up:
    TElHTTPSClient httpClient = new TElHTTPSClient();
    tspClient.HTTPClient = httpClient;
    tspClient.URL = "http://www.mytsa.com/tsa";
    Note: you have to handle the HTTPS client's OnCertificateValidate event if your TSA is accessed via HTTPS.
  3. Configure the TSP client. At least the HashAlgorithm property should be set to reflect the hash algorithm used on the first step (it is often referred to as 'message imprint'): tspClient.HashAlgorithm = SBConstants.Unit.SB_ALGORITHM_DGST_SHA256; Occasionally, you might need to set RequestFormat to TSBTSPRequestFormat.tsfCMS. It forces the TSP client to compose the request in CMS format rather than in plain RFC3161. This feature is useful to deal with some exotic responders that only work with CMS requests. You also need to load your signing certificate into certificate storage and assign it to the TSP client's CertStorage property in this case.
  4. Pass the hash obtained on the first step to the TSP client's Timestamp() method. Don't forget to allocate several variables to collect the output:
    int serverResult = 0;
    int failureInfo = 0;
    byte[] replyCms = null;
    int res = tspClient.Timestamp(hash, ref serverResult, ref failureInfo, ref replyCms);
    If the request executes successfully (res is 0), serverResult will indicate the status response returned by the service. If serverResult is psGranted or psGrantedWithMods, the replyCms will contain the timestamp CMS. You can also access the details of the returned timestamp (such as date/time, TSA credentials and the CMS itself) via the TSP client's TSPInfo property.

How To articles about TSP (Timestamping Protocol)

Discuss this help topic in SecureBlackbox Forum