Standard compliant mode for the RFC 3161 timestamper

ebourg · Feb 6, 2024 · b821003 · b821003
1 parent ed8ffb3
commit b821003
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/jsign-core/src/main/java/net/jsign/timestamp/RFC3161Timestamper.java b/jsign-core/src/main/java/net/jsign/timestamp/RFC3161Timestamper.java
@@ -23,13 +23,16 @@
 import org.bouncycastle.asn1.DERSet;
 import org.bouncycastle.asn1.cms.Attribute;
 import org.bouncycastle.asn1.tsp.TimeStampResp;
+import org.bouncycastle.cms.CMSException;
 import org.bouncycastle.cms.CMSSignedData;
 import org.bouncycastle.tsp.TimeStampRequest;
 import org.bouncycastle.tsp.TimeStampRequestGenerator;
 import org.bouncycastle.tsp.TimeStampResponse;
 
 import net.jsign.DigestAlgorithm;
-import net.jsign.asn1.authenticode.AuthenticodeObjectIdentifiers;
+
+import static net.jsign.asn1.authenticode.AuthenticodeObjectIdentifiers.*;
+import static org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers.*;
 
 /**
  * RFC 3161 timestamping.
@@ -40,10 +43,22 @@
  */
 public class RFC3161Timestamper extends Timestamper {
 
+    /**
+     * Tells if the timestamp should use the standard Signature Time-stamp attribute
+     * defined in RFC 3161 or the Authenticode specific attribute SPC_RFC3161_OBJID.
+     */
+    private boolean standardAttribute = false;
+
     public RFC3161Timestamper() {
         setURL("http://timestamp.sectigo.com");
     }
 
+    @Override
+    public CMSSignedData timestamp(DigestAlgorithm algo, CMSSignedData sigData) throws TimestampingException, IOException, CMSException {
+        standardAttribute = !SPC_INDIRECT_DATA_OBJID.equals(sigData.getSignedContent().getContentType());
+        return super.timestamp(algo, sigData);
+    }
+
     protected CMSSignedData timestamp(DigestAlgorithm algo, byte[] encryptedDigest) throws IOException, TimestampingException {
         TimeStampRequestGenerator reqgen = new TimeStampRequestGenerator();
         reqgen.setCertReq(true);
@@ -86,6 +101,6 @@ protected CMSSignedData timestamp(DigestAlgorithm algo, byte[] encryptedDigest)
 
     @Override
     protected Attribute getCounterSignature(CMSSignedData token) {
-        return new Attribute(AuthenticodeObjectIdentifiers.SPC_RFC3161_OBJID, new DERSet(token.toASN1Structure()));
+        return new Attribute(standardAttribute ? id_aa_signatureTimeStampToken : SPC_RFC3161_OBJID, new DERSet(token.toASN1Structure()));
     }
 }