CMS Signature Timestamp Token Validation

Validating the timestamp tokens found in the unauthenticated attributes of a PKCS#7 / CMS signature means confirming that the time at which the signature existed is backed by a trusted third-party Time Stamping Authority (TSA) — and that the timestamp has not been tampered with.

Background

In CMS/PKCS#7, you can attach timestamp tokens as unauthenticated attributes (i.e., outside the signed data). These tokens are usually issued by a Time Stamp Authority (TSA) using the RFC 3161 standard.

The unauthenticated attribute might contain an object like:

id-aa-timeStampToken OBJECT IDENTIFIER ::= 1.2.840.113549.1.9.16.2.14

Which wraps a ContentInfo structure containing the timestamp token (TST).

What Validation Involves

Validating a timestamp token includes several steps:

1. Extract the Timestamp Token
  • Locate the id-aa-timeStampToken attribute in the CMS unauthenticatedAttributes.
2. Verify the Token’s Signature
  • The timestamp token itself is a signed CMS message from the TSA.
  • You must verify its signature using the TSA’s certificate.
  • This ensures the token came from a trusted authority.
3. Verify Message Imprint Matches
  • The timestamp token includes a messageImprint (a hash).
  • You must ensure this hash matches the hash of the CMS signature value.
  • This confirms the timestamp applies to *that exact signature*.
4. Validate TSA Certificate
  • Check that the TSA certificate:
    • Is trusted (e.g., issued by a known CA)
    • Is not revoked
    • Was valid at the time the timestamp was issued
5. Check the Timestamp Date
  • Extract the genTime from the timestamp.
  • This gives you a verifiable, cryptographically signed time when the signature existed.

Why It's Important

  • Proves the signature existed at a specific time
  • Supports long-term validation even after the signing certificate expires
  • Helps ensure non-repudiation

Example using Chilkat

Android™ Classic ASP AutoIt C Python C++ C# DataFlex Delphi Visual FoxPro Go Java Node.js Objective-C Perl PHP PowerBuilder PowerShell PureBasic Ruby Swift Tcl Visual Basic 6.0 VB.NET VBScript Xojo

Summary

Validating a timestamp token in the unauthenticated attributes of a PKCS#7/CMS signature means verifying the TSA-issued token’s signature, confirming it applies to the actual signature, and trusting the TSA’s certificate — to cryptographically prove when the signature existed.