
org.bouncycastle.cms.CMSException: content-type attribute value does not match eContentType

I’m currently building a TimeStamp server using BouncyCastle. The server is working well, but on the client side, when I want to validate the received TimeStampResponse, I’m getting the following error:

org.bouncycastle.cms.CMSException: content-type attribute value does not match eContentType

On the server side, I’m including the content-type attribute like this:

    ASN1EncodableVector signedAttributes = new ASN1EncodableVector();
    signedAttributes.add(new Attribute(CMSAttributes.contentType, new DERSet(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1"))));
    signedAttributes.add(new Attribute(CMSAttributes.messageDigest, new DERSet(new DEROctetString(request.getMessageImprintDigest()))));
    signedAttributes.add(new Attribute(CMSAttributes.signingTime, new DERSet(new DERUTCTime(timeStampDate))));
    
    AttributeTable signedAttributesTable = new AttributeTable(signedAttributes);
    signedAttributesTable.toASN1EncodableVector();

    //Linking Attribute Table to the signBuilder (linked to JKS Certificate)
    DefaultSignedAttributeTableGenerator signedAttributeGenerator = new DefaultSignedAttributeTableGenerator(signedAttributesTable);
    signBuilder.setSignedAttributeGenerator(signedAttributeGenerator);
    signBuilder.setUnsignedAttributeGenerator(new SimpleAttributeTableGenerator(new AttributeTable(new Hashtable<String, String>())));
    ......

and on the client side:

    Collection<X509CertificateHolder> tstMatches = response.getTimeStampToken().getCertificates().getMatches(response.getTimeStampToken().getSID());
    X509CertificateHolder holder = tstMatches.iterator().next();
    java.security.cert.X509Certificate tstCert = new JcaX509CertificateConverter().getCertificate(holder);
    System.out.println("Cert Date exp: " + tstCert.getNotAfter());
    SignerInformationVerifier siv = new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(tstCert);
    AttributeTable att = response.getTimeStampToken().getSignedAttributes();
    System.out.println("Content-type: " + att.get(CMSAttributes.contentType).getAttrValues().getObjectAt(0));

    if (bytesToHex(response.getTimeStampToken().getTimeStampInfo().getMessageImprintDigest()).equals(bytesToHex(digest))) {
        System.out.println("TimeStamp is valid, imprint is identical");
    }

    try {
        response.getTimeStampToken().validate(siv);
    } catch (Exception e) {
        System.out.println("Still getting issue with Content Type: " + e.toString());
    }

It seems that I correctly include the content-type in my TimeStampToken (“1.2.840.113549.1.7.1”), but I don’t know where the eContentType is or where I can check it.

EDIT 1: Maybe I’m not clear in my answer… I’ll try to reformulate… How can I access the eContentType of a TimeStampToken?

What is BouncyCastle comparing?


Answer

After multiple readings, I’ve seen that adding the contentType attribute causes this kind of error; as I’m already building the TimeStampResponse based on the request, the content type is already taken into account.

It makes a conflict in the BouncyCastle library, so by removing the line:

        //signedAttributes.add(new Attribute(CMSAttributes.contentType, new DERSet(new ASN1ObjectIdentifier("1.2.840.113549.1.7.1"))));

everything works fine, my TimeStampResponse is validated correctly.

User contributions licensed under: CC BY-SA
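
Added example, not part of the question or the answer above: a client-side check that reads the eContentType the question asks about and compares it with the signed content-type attribute, which is the comparison behind the exception. RFC 5652 requires the two to be equal, and RFC 3161 fixes eContentType to id-ct-TSTInfo (1.2.840.113549.1.9.16.1.4), whereas 1.2.840.113549.1.7.1 is id-data. The class name, method name and the input file argument are assumptions.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.CMSAttributes;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.tsp.TimeStampResponse;
import org.bouncycastle.tsp.TimeStampToken;

// Hypothetical helper class, written for this page; not BouncyCastle's own code.
public class ContentTypeCheck {

    /** Returns null when the token is consistent, otherwise a description of the mismatch. */
    static String describeMismatch(TimeStampToken token) {
        // eContentType lives in SignedData.encapContentInfo, outside the signed attributes.
        String eContentType = token.toCMSSignedData().getSignedContentTypeOID();

        // A time-stamp token encapsulates a TSTInfo, so this must be id-ct-TSTInfo.
        if (!PKCSObjectIdentifiers.id_ct_TSTInfo.getId().equals(eContentType)) {
            return "eContentType is " + eContentType + ", expected id-ct-TSTInfo";
        }

        // The content-type signed attribute must be present, single-valued, and equal to it.
        Attribute attr = token.getSignedAttributes().get(CMSAttributes.contentType);
        if (attr == null) {
            return "content-type signed attribute is missing";
        }
        ASN1Set values = attr.getAttrValues();
        if (values.size() != 1) {
            return "content-type attribute has " + values.size() + " values, expected 1";
        }
        String signedType = ASN1ObjectIdentifier.getInstance(values.getObjectAt(0)).getId();
        return signedType.equals(eContentType)
                ? null
                : "content-type attribute " + signedType + " != eContentType " + eContentType;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to a DER-encoded TimeStampResponse saved by the client (assumed input).
        TimeStampResponse response = new TimeStampResponse(Files.readAllBytes(Paths.get(args[0])));
        TimeStampToken token = response.getTimeStampToken();
        if (token == null) {
            System.out.println("No token in response, status " + response.getStatus());
            return;
        }
        String problem = describeMismatch(token);
        System.out.println(problem == null ? "content-type matches eContentType" : problem);
    }
}
```

This check only explains a content-type mismatch; signature and certificate validation still go through `TimeStampToken.validate(...)` as in the question.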