We are trying to embed a timestamp signature as an unsigned attribute in CMS format, but after stamping the signature in the PDF, the PDF viewer gives the message "the signature includes an embedded timestamp but it is invalid".
We have used an internal (self-signed) TSA service and the Bouncy Castle API for crypto and signing operations, but we don't know what is happening with the timestamp. Does anyone know what I am doing wrong?
I have also added the Java code base and a signed PDF sample (hello_signed.pdf) for reference.
Any help would be appreciated.
There is an issue in the TSTInfo structure: its tsa member is
C = IN,S = MH,L = NSDL,O = NSDL,OU = NSDL,CN = NSDL,E = nsdl@nsdl.co.in
but your TSA certificate has the inverse subject
E = nsdl@nsdl.co.in,CN = NSDL,OU = NSDL,O = NSDL,L = NSDL,S = MH,C = IN
According to RFC 3161, the purpose of the tsa field is to give a hint in identifying the name of the TSA. If present, it MUST correspond to one of the subject names included in the certificate that is to be used to verify the token.
Thus, an attentive validator cannot use the certificate you supplied for verifying the time stamp.
I don't know whether that's the only issue but it's definitively a show-stopper.
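A way to test for this mismatch before embedding a token, as an added example (not part of the original answer or of the asker's code). The class name `TsaNameCheck` and its `Result` values are hypothetical; the sample names in `main` are constructed from the two strings quoted above, assuming each is displayed in its encoded order. The comparison is byte-exact, which is an assumption stricter than general certificate name matching but makes RDN order significant.

```java
import java.io.IOException;
import java.util.Arrays;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.tsp.TimeStampToken;

public final class TsaNameCheck {
    enum Result { NO_TSA_FIELD, NOT_A_DIRECTORY_NAME, MATCH, REVERSED_RDN_ORDER, MISMATCH }

    /** Compare TSTInfo.tsa of a real token with the certificate meant to verify it. */
    static Result check(TimeStampToken token, X509CertificateHolder tsaCert) throws IOException {
        GeneralName tsa = token.getTimeStampInfo().getTsa();
        if (tsa == null) return Result.NO_TSA_FIELD; // the field is optional in RFC 3161
        if (tsa.getTagNo() != GeneralName.directoryName) return Result.NOT_A_DIRECTORY_NAME;
        return compare(X500Name.getInstance(tsa.getName()), tsaCert.getSubject());
    }

    /** Byte-exact comparison of the DER encodings, so the order of the RDNs matters. */
    static Result compare(X500Name tsa, X500Name subject) throws IOException {
        if (Arrays.equals(tsa.getEncoded(), subject.getEncoded())) return Result.MATCH;
        RDN[] rdns = tsa.getRDNs();
        RDN[] reversed = new RDN[rdns.length];
        for (int i = 0; i < rdns.length; i++) reversed[i] = rdns[rdns.length - 1 - i];
        boolean rev = Arrays.equals(new X500Name(reversed).getEncoded(), subject.getEncoded());
        return rev ? Result.REVERSED_RDN_ORDER : Result.MISMATCH;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: the tsa name and the certificate subject quoted above,
        // built RDN by RDN in the order each one is displayed.
        X500Name tsa = new X500NameBuilder(BCStyle.INSTANCE)
            .addRDN(BCStyle.C, "IN").addRDN(BCStyle.ST, "MH").addRDN(BCStyle.L, "NSDL")
            .addRDN(BCStyle.O, "NSDL").addRDN(BCStyle.OU, "NSDL").addRDN(BCStyle.CN, "NSDL")
            .addRDN(BCStyle.E, "nsdl@nsdl.co.in").build();
        X500Name subject = new X500NameBuilder(BCStyle.INSTANCE)
            .addRDN(BCStyle.E, "nsdl@nsdl.co.in").addRDN(BCStyle.CN, "NSDL")
            .addRDN(BCStyle.OU, "NSDL").addRDN(BCStyle.O, "NSDL").addRDN(BCStyle.L, "NSDL")
            .addRDN(BCStyle.ST, "MH").addRDN(BCStyle.C, "IN").build();
        System.out.println(compare(tsa, subject));
    }
}
```

For a real token, call `check` with the `TimeStampToken` returned by the TSA and the `X509CertificateHolder` of the TSA certificate; any result other than `MATCH` or `NO_TSA_FIELD` means the name should be fixed on the TSA side before the token is embedded.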