
Signing jar with timestamp and authentication at the timestamp server

I want to use the timestamp option -tsa of the Java jarsigner tool. The timestamp service I have in mind requires authentication. For this purpose you get a personalized soft token to identify yourself at the timestamp server.

My question: Is this authentication supported by the jarsigner tool? In other words: does jarsigner support RFC 3161 (Time-Stamp Protocol) and RFC 2246 (Authentication)?

There is an option -tsacert of the jarsigner. The documentation states:

If "-tsacert alias" appears on the command line when signing a JAR file then a timestamp is generated for the signature. The alias identifies the TSA's public key certificate in the keystore that is currently in effect. The entry's certificate is examined for a Subject Information Access extension that contains a URL identifying the location of the TSA.

What I am confused by is the wording "a timestamp is generated for the signature". What does this mean? Also the wording "the alias identifies the TSA's public key certificate" is confusing: it seems that it is used to verify the timestamp (because it's a public key) not to identify the requester (because it is not a private key).

Moreover: The certificate with which I want to sign is not a soft token but is stored on a smart card. It cannot be exported to a keystore. Therefore I have to use the options -keystore NONE -storetype PKCS11. I think that for this reason the option -tsacert alias can't be used because it needs a real keystore which contains the soft token.

asked Nov 12 '22 10:11

Claude


1 Answer

Signed Jarfile validity is bounded by the validity of the certificate used to sign.

Timestamping can only say when the jarfile was signed.

For signing the jarfile, pvtkey is a must. For timestamping, no key is required technically, just a hash of it.

Refer to the link below for more: https://www.digistamp.com/technical/how-a-digital-time-stamp-works/

Thank you.

answered Nov 15 '22 06:11

Subhash
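
The answer's point that a timestamp needs only a hash, shown as an added example that is not part of the original answer: it hand-encodes an RFC 3161 TimeStampReq with SHA-256 and decodes it again, so every field sent to the TSA is visible (digest, nonce, certReq, and no key or requester identity). The sample bytes and all function names are assumptions made for the illustration.

```python
import hashlib

SHA256_OID = bytes.fromhex("608648016503040201")  # DER body of OID 2.16.840.1.101.3.4.2.1
SAMPLE_SIGNATURE = b"constructed sample signature bytes"  # constructed input, not a real JAR

def tlv(tag, body):
    """Encode one DER tag-length-value element (short or long length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_uint(value):
    """Encode a non-negative INTEGER; a leading zero byte keeps it positive."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_request(data, nonce):
    """TimeStampReq ::= SEQUENCE { version, messageImprint, nonce, certReq }."""
    alg = tlv(0x30, tlv(0x06, SHA256_OID) + tlv(0x05, b""))
    imprint = tlv(0x30, alg + tlv(0x04, hashlib.sha256(data).digest()))
    return tlv(0x30, der_uint(1) + imprint + der_uint(nonce) + tlv(0x01, b"\xff"))

def parse(der):
    """Decode DER into a list of (tag, value); constructed values become nested lists."""
    out, pos = [], 0
    while pos < len(der):
        if pos + 2 > len(der):
            raise ValueError("truncated header")
        tag, n, pos = der[pos], der[pos + 1], pos + 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(der[pos:pos + k], "big"), pos + k
        if pos + n > len(der):
            raise ValueError("truncated value")
        body = der[pos:pos + n]
        out.append((tag, parse(body) if tag & 0x20 else body))
        pos += n
    return out

def describe_request(der):
    """Return every field present in the request, keyed by its RFC 3161 name."""
    (_, fields), = parse(der)
    (_, version), (_, imprint), (_, nonce), (_, cert_req) = fields
    (_, alg), (_, digest) = imprint
    return {"version": version[0], "hash_oid": alg[0][1].hex(), "digest": digest.hex(),
            "nonce": int.from_bytes(nonce, "big"), "cert_req": cert_req != b"\x00"}
```

Calling describe_request(build_timestamp_request(SAMPLE_SIGNATURE, nonce)) returns the decoded fields as a dictionary.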