There are two validate methods in the TimeStampToken class (bctsp-jdk16-1.46.jar); one of them is deprecated.
The deprecated method takes an X509Certificate as its argument, and that's quite easy to create.
```java
InputStream inPFX = getClass().getClassLoader().getResourceAsStream("tsp.cer");
CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
X509Certificate cert = (X509Certificate) cf.generateCertificate(inPFX);
// The validate method just takes the X509Certificate object
token.validate(cert, "BC");
```
The new method uses a SignerInformationVerifier object. I found a way to create a SignerInformationVerifier (not sure it's the right way), but I still need an X509CertificateHolder object.
- How do I create the X509CertificateHolder from a file on the filesystem (*.cer file)?
- Is this the correct way to create a SignerInformationVerifier to validate the TimeStampToken?
My current code looks like this:
```java
TimeStampToken token = new TimeStampToken(new CMSSignedData(response));
X509CertificateHolder x509ch = // HOW TO DO THIS?
// create the SignerInformationVerifier object
DigestAlgorithmIdentifierFinder daif = new DefaultDigestAlgorithmIdentifierFinder();
DigestCalculatorProvider dcp = new BcDigestCalculatorProvider();
SignerInformationVerifier siv = new BcRSASignerInfoVerifierBuilder(daif, dcp).build(x509ch);
// use the new validate method
token.validate(siv);
```
Try this
Take a look at the "Verifying a SignerInformation object" section of the BC Version 2 APIs documentation for additional information about signature verification with the BC API.
You are creating the SignerInformationVerifier in the right way; in the attached sample code you can find another way to create the SignerInformationVerifier for a JCA/JCE provider based solution.
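
An added example, not code from the original question or answer: one way to build the X509CertificateHolder from a *.cer file and validate the token through the JCA/JCE-based JcaSimpleSignerInfoVerifierBuilder. It goes one step beyond the question by also comparing the token's message imprint with the digest that was submitted. The class and method names (TimeStampCheck, loadHolder, verify) and the parameters are hypothetical, and it assumes a Bouncy Castle release that ships the org.bouncycastle.cms.jcajce package and a DER-encoded token in tokenBytes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformationVerifier;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.tsp.TimeStampToken;

// Hypothetical helper class for illustration; not part of Bouncy Castle.
public class TimeStampCheck {

    // Load a *.cer file (DER or PEM) and wrap it in an X509CertificateHolder.
    static X509CertificateHolder loadHolder(String path) throws Exception {
        InputStream in = new FileInputStream(path);
        try {
            // CertificateFactory accepts both encodings; the holder constructor needs DER bytes.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            return new X509CertificateHolder(cert.getEncoded());
        } finally {
            in.close();
        }
    }

    // Throws if the signature or TSA certificate checks fail; returns false on an imprint mismatch.
    static boolean verify(byte[] tokenBytes, String tsaCertPath, byte[] expectedDigest) throws Exception {
        if (Security.getProvider("BC") == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        TimeStampToken token = new TimeStampToken(new CMSSignedData(tokenBytes));
        SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder()
                .setProvider("BC")
                .build(loadHolder(tsaCertPath));
        token.validate(siv); // signature, signing-certificate attribute, validity at genTime
        // Constant-time comparison of the stamped digest with the one that was submitted.
        byte[] imprint = token.getTimeStampInfo().getMessageImprintDigest();
        return MessageDigest.isEqual(imprint, expectedDigest);
    }
}
```

validate() checks the token against the certificate it is given but does not build a trust chain, so the *.cer file has to come from a source you already trust or be path-validated separately.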