Discuss this help topic in SecureBlackbox Forum


Archiving a CAdES signature

Within the context of CAdES signatures, archiving normally means making the signature verifiable offline, or, more precisely, without having access to any external sources of validation information. Essentially, the process of archiving consists of a thorough validation of the signature, during which all the needed validation information (the main and subordinate certificate chains, revocation elements, timestamps) is collected and added to the signature blob. A signature created in this way remains verifiable independently of any external services as long as the certificates involved in its creation are valid.

Archived signatures must be updated from time to time, following the expiration of the certificates that were used to create them. This is done by including an extra timestamp from a trusted third party that confirms the authenticity of the content at the moment of updating. All the validation elements needed to validate the new TSA response (which is called the 'archival timestamp') are also added to the signature at this stage. When the certificate the last archival timestamp was made with is about to expire, another archival timestamp is added, and so on. This means that an archived signature grows with time, as more and more validation timestamps and elements are added to it.

When verifying the signature, the verifier validates the original signature first, and then checks that the archival timestamps made later form a chain in which each one correctly certifies the one before it. The last timestamp is validated 'at the current moment', which means that the validation may involve contacting online revocation sources.

To archive a CAdES signature (whether already archived or not), do the following:

1. Load the CMS blob into a TElSignedCMSMessage object and get the TElCMSSignature object corresponding to the signature:

   TElCMSSignature sig = cms.get_Signatures(0);

2. Create a TElCAdESSignatureProcessor object, passing the signature object to its constructor:

   TElCAdESSignatureProcessor processor = new TElCAdESSignatureProcessor(sig);

3. Call the processor's Archive(), ArchiveBaseline() or ArchiveExtended() method. Which method to use depends on the signature profile you need to comply with: standard, Baseline or Extended. Your guidance will normally state which of these sub-standards your signatures must comply with. If it doesn't, or you are unsure, use Archive(). All three methods require a properly configured TSP client component to be provided. Please see how to configure the TSP client here.

   processor.Archive(tspClient);

4. Save the updated CMS with a TElSignedCMSMessage.Save() call.
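The four steps above combined into one routine that archives every signature in a CMS file, as an added example rather than SecureBlackbox's own sample code. It assumes the TSP client is already configured as described in the TSP client topic, and that the Load(Stream), Save(Stream) and SignatureCount members and the SBCMS, SBCAdES and SBTSPClient namespaces exist as named here; only get_Signatures(), the processor constructor and the three Archive methods are taken from this page.

```csharp
using System;
using System.IO;
using SBCMS;        // TElSignedCMSMessage, TElCMSSignature (namespace assumed)
using SBCAdES;      // TElCAdESSignatureProcessor (namespace assumed)
using SBTSPClient;  // TElCustomTSPClient base class (namespace assumed)

public static class CAdESArchiver
{
    // Which CAdES sub-standard the archived signature must conform to.
    public enum ArchiveProfile { Standard, Baseline, Extended }

    // Loads a CMS blob, archives each signature it contains with the chosen
    // profile, writes the grown blob to outputPath and returns the number of
    // signatures processed. tspClient must be fully configured beforehand.
    public static int ArchiveAll(string inputPath, string outputPath,
                                 TElCustomTSPClient tspClient, ArchiveProfile profile)
    {
        if (tspClient == null)
            throw new ArgumentNullException("tspClient", "a configured TSP client is required");

        TElSignedCMSMessage cms = new TElSignedCMSMessage();
        using (FileStream fin = File.OpenRead(inputPath))
        {
            cms.Load(fin);                       // assumed: Load(Stream) overload
        }

        int archived = 0;
        for (int i = 0; i < cms.SignatureCount; i++)   // assumed: SignatureCount property
        {
            TElCMSSignature sig = cms.get_Signatures(i);
            TElCAdESSignatureProcessor processor = new TElCAdESSignatureProcessor(sig);

            // Archiving validates the signature, embeds chains, revocation data and
            // timestamps, and appends an archival timestamp obtained from tspClient.
            switch (profile)
            {
                case ArchiveProfile.Baseline: processor.ArchiveBaseline(tspClient); break;
                case ArchiveProfile.Extended: processor.ArchiveExtended(tspClient); break;
                default:                      processor.Archive(tspClient);         break;
            }
            archived++;
        }

        using (FileStream fout = File.Create(outputPath))
        {
            cms.Save(fout);                      // assumed: Save(Stream) overload
        }
        return archived;
    }
}
```

Run it again on the output file when the certificate behind the latest archival timestamp approaches expiry; each run adds a further archival timestamp to the chain.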
