I want to use the timestamp option -tsa of the java jarsigner tool. The timestamp service I have in mind requires authentication. For this purpose you get a personalized soft token to identify yourself at the timestamp server.
My question: Is this authentication supported by the jarsigner tool? In other words: does jarsigner support RFC 3161 (Time-Stamp Protocol) and RFC 2246 (Authentication)?
There is an option -tsacert of the jarsigner. The documentation states:
If "-tsacert alias" appears on the command line when signing a JAR file then a timestamp is generated for the signature. The alias identifies the TSA's public key certificate in the keystore that is currently in effect. The entry's certificate is examined for a Subject Information Access extension that contains a URL identifying the location of the TSA.
What I am confused by is the wording "a timestamp is generated for the signature". What does this mean? Also the wording "the alias identifies the TSA's public key certificate" is confusing: it seems that it is used to verify the timestamp (because it's a public key) not to identify the requester (because it is not a private key).
Moreover: The certificate with which I want to sign is not a soft token but is stored on a smart card. It cannot be exported to a keystore. Therefore I have to use the options -keystore NONE -storetype PKCS11. I think that for this reason the option -tsacert alias can't be used because it needs a real keystore which contains the soft token.
Signed Jarfile validity is bounded by the validity of the certificate used to sign.
Timestamping can only say when the jarfile was signed.
For signing the jarfile, pvtkey is a must. For timestamping, no key is required technically, just a hash of it.
Refer to the link below for more: https://www.digistamp.com/technical/how-a-digital-time-stamp-works/
Thank you.
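As an added example (not from the question, the answer, or the jarsigner tool), this Python builds and then decodes the RFC 3161 TimeStampReq a client sends over a signature value, to show what the TSA actually receives: a hash (messageImprint), a nonce and the certReq flag, with nothing that identifies the requester. The signature bytes are a constructed stand-in; sending the request over HTTP and verifying the TimeStampResp are outside this snippet.

```python
import hashlib

# DER-encoded contents of OID 2.16.840.1.101.3.4.2.1 (sha256), constructed constant
SHA256_OID = bytes.fromhex("608648016503040201")


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV (short or long length form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_int(value: int) -> bytes:
    """Positive DER INTEGER; a leading 0x00 is added when the top bit is set."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_walk(buf: bytes):
    """Yield (tag, content) for each TLV in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n


def build_timestamp_request(signature: bytes, nonce: int) -> bytes:
    """RFC 3161 TimeStampReq over SHA-256(signature): version, messageImprint,
    nonce, certReq. No requester key or certificate is part of the message."""
    alg_id = der(0x30, der(0x06, SHA256_OID) + der(0x05, b""))  # AlgorithmIdentifier
    imprint = der(0x30, alg_id + der(0x04, hashlib.sha256(signature).digest()))
    return der(0x30, der_int(1) + imprint + der_int(nonce) + der(0x01, b"\xff"))


def parse_timestamp_request(req: bytes) -> dict:
    """Decode the fields a TSA sees, to check what the request reveals."""
    fields = list(der_walk(next(der_walk(req))[1]))
    alg_id, digest = (c for _, c in der_walk(fields[1][1]))
    return {
        "version": int.from_bytes(fields[0][1], "big"),
        "sha256": next(der_walk(alg_id))[1] == SHA256_OID,
        "hash": digest,
        "nonce": int.from_bytes(fields[2][1], "big"),
        "cert_req": fields[3][1] == b"\xff",
    }
```

The hash in the request is the only link to the JAR signature; the TSA's own signing key is what makes the returned token verifiable, which is why jarsigner's -tsacert alias refers to the TSA's certificate rather than to a requester credential.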