Digital Signature Timestamping and Revocation information in PDF OID
We already have a complete Electronic Signature PKI setup. We issue user end certificates in conformance with CCA India, and these certificates are further used for electronic signature. After issuance of the electronic signature CMS response, a PDF utility stamps this response into the PDF for digital signing of the document.
Now, for a new change request from CCA, we need to build the 1.2.840.113583.1.1.8 OID with CRL and OCSP, and digital signature timestamping, with the Bouncy Castle API in Java.
Below is the change description:
In the case of PKCS7 signature format, all issuer certificates up to root CA certificate and CRLs/OCSP responses of each issuer certificates should be included in the response. In case, the number CRL entries are more than 5, only OCSP responses are allowed. The signature should also be time stamped using the timestamping services of CA. The revocation information should be included under pdfRevocationInfoArchival (1.2.840.113583.1.1.8)
We are using the Bouncy Castle API for building certificates and signing them in the HSM, but for this change request we are not able to understand where this timestamp change will be integrated. CCA wants the signature issuer to timestamp the signature and embed it in the CMS response. But this can be done on the client side also, because signing of the hash happens first, and then the signature hash is timestamped and embedded in the response. Is this the correct approach?
Any help would be appreciated.
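
An added example, not part of the original post: one way to build the two attributes from the change description with Bouncy Castle, with the revocation archive (1.2.840.113583.1.1.8) as a signed attribute and the timestamp token as an unsigned attribute over the SignerInfo signature value. The class and method names are hypothetical, and reading "more than 5 CRL entries" as revoked-certificate entries within one CRL is an assumption.

```java
import java.security.MessageDigest;
import java.security.cert.X509CRL;
import java.util.List;
import org.bouncycastle.asn1.*;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.AttributeTable;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.tsp.*;

public final class PdfRevocationAndTimestamp {          // hypothetical class name
    static final ASN1ObjectIdentifier ADBE_REVOCATION =
            new ASN1ObjectIdentifier("1.2.840.113583.1.1.8");

    // RevocationInfoArchival ::= SEQUENCE {
    //     crl  [0] EXPLICIT SEQUENCE OF CRL OPTIONAL,
    //     ocsp [1] EXPLICIT SEQUENCE OF OCSPResponse OPTIONAL }
    // It is a SIGNED attribute, so it must exist before the HSM signs.
    static Attribute revocationAttribute(List<X509CRL> crls, List<byte[]> ocspResponses)
            throws Exception {
        ASN1EncodableVector crlVec = new ASN1EncodableVector();
        for (X509CRL crl : crls) {
            // Assumption: the "more than 5" rule counts revoked entries in one CRL.
            int n = crl.getRevokedCertificates() == null ? 0 : crl.getRevokedCertificates().size();
            if (n <= 5) crlVec.add(ASN1Primitive.fromByteArray(crl.getEncoded()));
        }
        ASN1EncodableVector ocspVec = new ASN1EncodableVector();
        for (byte[] der : ocspResponses) ocspVec.add(ASN1Primitive.fromByteArray(der));
        ASN1EncodableVector archival = new ASN1EncodableVector();
        if (crlVec.size() > 0) archival.add(new DERTaggedObject(true, 0, new DERSequence(crlVec)));
        if (ocspVec.size() > 0) archival.add(new DERTaggedObject(true, 1, new DERSequence(ocspVec)));
        if (archival.size() == 0) throw new IllegalStateException("no usable revocation data");
        return new Attribute(ADBE_REVOCATION, new DERSet(new DERSequence(archival)));
    }

    // Request for the TSA: the message imprint is the hash of the signature value.
    static TimeStampRequest timestampRequest(SignerInformation signer) throws Exception {
        byte[] imprint = MessageDigest.getInstance("SHA-256").digest(signer.getSignature());
        TimeStampRequestGenerator gen = new TimeStampRequestGenerator();
        gen.setCertReq(true);                            // ask the TSA to include its certificate
        return gen.generate(TSPAlgorithms.SHA256, imprint);
    }

    // The token is an UNSIGNED attribute, so it is attached after signing.
    static SignerInformation attachTimestamp(SignerInformation signer, TimeStampToken token)
            throws Exception {
        ASN1EncodableVector unsigned = new ASN1EncodableVector();
        unsigned.add(new Attribute(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken,
                new DERSet(ASN1Primitive.fromByteArray(token.getEncoded()))));
        return SignerInformation.replaceUnsignedAttributes(signer, new AttributeTable(unsigned));
    }
}
```

The attribute from `revocationAttribute` has to be in the signed-attribute table handed to the signer (for example through `DefaultSignedAttributeTableGenerator`) before the signature is computed. `replaceUnsignedAttributes` discards any unsigned attributes already present on the signer.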