Use the timestamp for signing
Setting up a TSP server

Note: the TSP server components included in SecureBlackbox only implement the TSP (RFC3161) functionality and require external HTTP(S) server components for HTTP request processing. The functionality offered by HTTPBlackbox, or any other compatible HTTP implementation that lets you pass dedicated TSP requests to an external handler, will do.

Implementing the TSP server requires a preparatory stage dedicated to setting up the HTTP server. Your server should be able to handle POST requests with the 'application/timestamp-query' content type, forward them to the request handler, receive the result from the handler and send it back in the HTTP response with the 'application/timestamp-reply' content type.

Implementing the TSP request handler involves the steps given below. It expects a properly formed TSP request on input (received from the HTTP server) and returns the corresponding TSP response.

1. Create a TElFileTSPServer object:

    TElFileTSPServer tspServer = new TElFileTSPServer();

2. Each TSP server must have a signing certificate, which it uses to sign the responses. Load the certificate (and, optionally, the rest of its chain) into a TElMemoryCertStorage object and assign the storage object to the Certificates property of the server. The TSP signing certificate must include the associated private key. The key may be non-exportable, e.g. if it is located on a hardware device.

    TElMemoryCertStorage signingCerts = new TElMemoryCertStorage();
    signingCerts.Add(signingCert, true);
    signingCerts.Add(caCert, true);
    tspServer.Certificates = signingCerts;

3. Load the received request into the server object:

    tspServer.LoadRequestFromStream(request);

4. Configure the response parameters:

    tspServer.TSPInfo.Time = DateTime.UtcNow;
    tspServer.TSPInfo.TSAName.NameType = TSBGeneralName.gnDirectoryName;
    tspServer.TSPInfo.TSAName.DirectoryName.Assign(signingCert.SubjectRDN);
    tspServer.TSPInfo.TSANameSet = true;

5. Decide on the server result and the failure information flag, then call SaveReplyToStream() to sign the time and serialize the signature to an RFC3161-compliant timestamp:

    // possible values: psGranted, psGrantedWithMods, psRejection, psWaiting, psRevocationWarning,
    // psRevocationNotification, psKeyUpdateWarning
    int serverResult = SBPKICommon.Unit.psGranted;
    // possible values: SBPKICommon.Unit.pfiBadAlg, pfiBadMessageCheck, pfiBadRequest, pfiBadTime, pfiBadCertId,
    // pfiBadDataFormat, pfiWrongAuthority, pfiIncorrectData, pfiMissingTimeStamp, pfiBadPOP
    int failureInfo = 0; // ignored if serverResult is psGranted or psGrantedWithMods
    bool res = tspServer.SaveReplyToStream(serverResult, failureInfo, destStream);

If res is true, the signing was successful. Pass the contents of destStream back to the HTTP server so that it can forward them to the connected client with the 'application/timestamp-reply' content type.

Note: as you can see from the above, you need a dedicated TElFileTSPServer object for every incoming request. In small environments, creating an individual TElFileTSPServer object for every new request may be fine; in more heavily loaded environments you might need some form of object pooling.
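The steps above assembled into one per-request handler, together with the HTTP front end the note says you must supply, as an added example that is not SecureBlackbox's own sample code. It assumes the SecureBlackbox namespaces are imported, that signingCert and caCert are TElX509Certificate objects, that LoadRequestFromStream throws on a malformed request (answered here with a signed psRejection/pfiBadDataFormat reply), and it uses the .NET HttpListener class for the HTTP side.

```csharp
using System;
using System.IO;
using System.Net;
// SecureBlackbox namespaces (TElFileTSPServer, TElMemoryCertStorage, SBPKICommon) are assumed to be imported.

// Handles one TSP request with a fresh TElFileTSPServer, as the text requires for every request.
// signingCert/caCert are assumed to be TElX509Certificate objects; signingCert carries its private key.
static byte[] HandleTspRequest(byte[] requestBytes, TElX509Certificate signingCert, TElX509Certificate caCert) {
    var tspServer = new TElFileTSPServer();
    var certs = new TElMemoryCertStorage();
    certs.Add(signingCert, true);
    certs.Add(caCert, true);
    tspServer.Certificates = certs;
    int result = SBPKICommon.Unit.psGranted;
    int failureInfo = 0; // ignored when result is psGranted or psGrantedWithMods
    try {
        tspServer.LoadRequestFromStream(new MemoryStream(requestBytes));
        tspServer.TSPInfo.Time = DateTime.UtcNow;
        tspServer.TSPInfo.TSAName.NameType = TSBGeneralName.gnDirectoryName;
        tspServer.TSPInfo.TSAName.DirectoryName.Assign(signingCert.SubjectRDN);
        tspServer.TSPInfo.TSANameSet = true;
    } catch (Exception) { // assumption: a malformed request raises here; answer with a signed rejection
        result = SBPKICommon.Unit.psRejection;
        failureInfo = SBPKICommon.Unit.pfiBadDataFormat;
    }
    using (var reply = new MemoryStream()) {
        if (!tspServer.SaveReplyToStream(result, failureInfo, reply))
            throw new InvalidOperationException("TSP reply signing failed");
        return reply.ToArray();
    }
}

// HTTP front end on .NET HttpListener: accept only POST with application/timestamp-query,
// hand the body to the handler and return its output as application/timestamp-reply.
static void ServeOne(HttpListener listener, TElX509Certificate signingCert, TElX509Certificate caCert) {
    HttpListenerContext ctx = listener.GetContext();
    string contentType = ctx.Request.ContentType ?? "";
    if (ctx.Request.HttpMethod != "POST" || !contentType.StartsWith("application/timestamp-query")) {
        ctx.Response.StatusCode = 415; // Unsupported Media Type
        ctx.Response.Close();
        return;
    }
    byte[] body;
    using (var ms = new MemoryStream()) { ctx.Request.InputStream.CopyTo(ms); body = ms.ToArray(); }
    byte[] reply = HandleTspRequest(body, signingCert, caCert);
    ctx.Response.ContentType = "application/timestamp-reply";
    ctx.Response.ContentLength64 = reply.Length;
    ctx.Response.OutputStream.Write(reply, 0, reply.Length);
    ctx.Response.Close();
}
```

Call ServeOne in a loop (or from a worker per accepted context) after listener.Start(); the handler creates and discards its TElFileTSPServer on each call, which is the place to introduce pooling for heavier loads.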