VRI for Signature TimeStamp

I have a question about how to create the VRI entry for a time-stamp inside a PAdES signature.

Assume there is a PDF document with a signature, and this signature has an embedded time-stamp.

Example:

/Sig
[...]
/Contents <1234567890ABCDEF[...]>
[...]
/Type /DSS
/VRI <<
     /Hash1 object1
     /Hash2 object2
>>
[...]

Hash1 is easy to compute: it is the hash of the whole signature, including the time-stamp (1234567890ABCDEF[...]).

But Hash2... what should it be computed over? The ETSI document (PAdES LTV Profile - Part 4 - V1.1.2, page 12) says:

For a Time-stamp's signature it is the bytes of the Time-stamp itself since the Time-stamp token is a signed data object

But I must say that does not help much. Is it the timeStampToken? Only its content? What is "the Time-stamp itself"?

Does anyone know of a document clarifying this? Or a reference implementation?

The definition you quote

For a Time-stamp's signature it is the bytes of the Time-stamp itself since the Time-stamp token is a signed data object

is from the ETSI TS which first defined the PAdES LTV structures.

Meanwhile that TS has been superseded by ETSI EN 319 142-1, in which the definition has been rephrased as:

For document signatures or document time-stamp signatures the bytes that are hashed shall be those of the complete hexadecimal string in the entry with the key Contents of the associated Signature Dictionary containing the signature's DER-encoded binary data object (e.g. PKCS#7, CMS or CAdES objects).

Thus, for document time-stamps you simply proceed as for regular signatures.

By the way, the same norm states:

The VRI dictionary should not be used. The inclusion of VRI dictionary entries is optional. All validation material referenced in VRI entries is also referenced in DSS entries

So you may not need those entries at all.

I just realized that you said

there is a pdf document with a Signature and this signature has an embed timestamp.

Admittedly, embedded time-stamps are not covered by the quote above. But actually a time-stamp token is a ContentInfo object wrapping a SignedData object, just like a regular CMS signature container. Thus, the time-stamp token is the object to hash.
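A worked example, added here and not part of the original thread, of computing VRI keys the way the answer describes: upper-case hex SHA-1 over the DER bytes of the signed object, and for the embedded signature time-stamp, over the whole TimeStampToken TLV found in the SignerInfo's unsigned signatureTimeStampToken attribute. The minimal DER walker and the CMS-like sample container (`sample_cms`) are constructed for this example; only the two OIDs are standard values.

```python
import hashlib

OID_SIG_TST = bytes.fromhex("2A864886F70D010910020E")  # 1.2.840.113549.1.9.16.2.14 id-aa-signatureTimeStampToken
OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")  # 1.2.840.113549.1.7.2 id-signedData

def der_read(buf, pos):
    # One DER TLV at pos -> (tag, value_start, value_end); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_encode(tag, content):
    # Short-form-length TLV encoder (content < 128 bytes), only used to build the sample below
    return bytes([tag, len(content)]) + content

def find_attribute(buf, oid, pos=0, end=None):
    # Depth-first search for Attribute ::= SEQUENCE { type OID, values SET OF ANY };
    # returns the complete DER TLV of the first value, or None if absent
    end = len(buf) if end is None else end
    while pos < end:
        tag, vstart, vend = der_read(buf, pos)
        if tag == 0x30 and vend - vstart >= 2:
            t_oid, o_start, o_end = der_read(buf, vstart)
            if t_oid == 0x06 and buf[o_start:o_end] == oid and o_end + 2 <= vend:
                t_set, s_start, s_end = der_read(buf, o_end)
                if t_set == 0x31 and s_end - s_start >= 2:
                    return buf[s_start:der_read(buf, s_start)[2]]
        if tag & 0x20:                       # constructed: descend into children
            hit = find_attribute(buf, oid, vstart, vend)
            if hit is not None:
                return hit
        pos = vend
    return None

def vri_key(signed_object_der):
    # VRI key = upper-case hex SHA-1 of the DER bytes of the signed object
    return hashlib.sha1(signed_object_der).hexdigest().upper()

def timestamp_vri_key(cms_der):
    # Key for the embedded signature time-stamp: hash the whole TimeStampToken TLV
    token = find_attribute(cms_der, OID_SIG_TST)
    return None if token is None else vri_key(token)

def sample_cms():
    # Constructed stand-in for a CMS container whose SignerInfo carries a time-stamp in unsignedAttrs
    token = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, b"\x30\x00"))
    attr = der_encode(0x30, der_encode(0x06, OID_SIG_TST) + der_encode(0x31, token))
    signer = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0xA1, attr))
    sd = der_encode(0x30, der_encode(0x02, b"\x01") + der_encode(0x31, signer))
    return der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, sd)), token
```

For a real signature, `vri_key` is applied to the DER bytes of the /Contents value and `timestamp_vri_key` to the same CMS blob, which yields the key for the time-stamp's own VRI entry.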