Question
I'm trying to understand if and how I should validate a PAdES signature with an embedded timestamp. This embedded timestamp is obtained from a timestamp authority (TSA).
If the signature includes a CRL file or OCSP response, we should generally first validate that the chain of certificates from the signature is neither expired nor revoked at the date corresponding to this timestamp.
As the timestamp from a TSA is also signed, I'm trying to figure out if I should also validate the chain of certificates of this timestamp, and how to validate it?
With the Bouncy Castle API, it's quite easy to validate a timestamp through the following code:
TimeStampToken.validate(SignerInformationVerifier paramSignerInformationVerifier)
However, this method doesn't verify that the chain of certificates is neither expired nor revoked. Moreover, as the embedded timestamp does not contain any CRL file or OCSP response, it is not possible to validate the chain of certificates at the date the timestamp was embedded in the signature.
So how could we possibly validate a PAdES signature if we can't fully validate the chain of certificates of the TSA at the date corresponding to the embedded timestamp?
Source: https://stackoverflow.com/questions/16105496/should-i-validate-an-embedded-timestamp-in-a-pades-signature-when-doing-signatur
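The following is an added example, not the asker's code, showing what a verifier has to do beyond TimeStampToken.validate: check that the token's message imprint is the hash of this signature value, verify the token signature with the TSA certificate, and then run PKIX path validation on the TSA chain at the token's own genTime. It assumes Bouncy Castle (bcprov/bcpkix), caller-supplied trust anchors for TSAs, and an optional collection of CRLs; with none supplied, as in the question, only validity and chaining of the TSA chain can be checked.

```java
import java.security.*;
import java.security.cert.*;
import java.util.*;
import org.bouncycastle.asn1.cms.Attribute;
import org.bouncycastle.asn1.cms.ContentInfo;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.tsp.TimeStampToken;

/** Added example (not the asker's code): check one PAdES signer's signature-time-stamp and its TSA chain. */
public final class SignatureTimestampCheck {
    static { Security.addProvider(new BouncyCastleProvider()); }

    /** signer: the PDF signature's CMS SignerInformation; anchors: roots trusted for TSAs (caller-supplied);
     *  crls: CRLs for the TSA chain, empty = no revocation data (the asker's case). Returns the token's genTime. */
    public static Date verifySignatureTimestamp(SignerInformation signer, Set<TrustAnchor> anchors,
                                                Collection<X509CRL> crls) throws Exception {
        // 1. Extract the unsigned id-aa-signatureTimeStampToken attribute and parse the token.
        Attribute attr = signer.getUnsignedAttributes().get(PKCSObjectIdentifiers.id_aa_signatureTimeStampToken);
        if (attr == null) throw new IllegalStateException("signature carries no timestamp");
        TimeStampToken tst = new TimeStampToken(ContentInfo.getInstance(attr.getAttrValues().getObjectAt(0)));
        // 2. The token must stamp THIS signature: its message imprint is the hash of the signature value.
        DigestCalculator dc = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()
                .get(tst.getTimeStampInfo().getHashAlgorithm());
        dc.getOutputStream().write(signer.getSignature());
        if (!MessageDigest.isEqual(dc.getDigest(), tst.getTimeStampInfo().getMessageImprintDigest()))
            throw new SecurityException("timestamp imprint does not match the signature value");
        // 3. Verify the token signature with the TSA certificate carried in the token. This is all that
        //    TimeStampToken.validate checks; it says nothing about the TSA chain's validity or revocation.
        X509CertificateHolder tsaHolder = tst.getCertificates().getMatches(tst.getSID()).iterator().next();
        tst.validate(new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(tsaHolder));
        // 4. Build and validate the TSA chain with PKIX at the token's own genTime, not at "now".
        JcaX509CertificateConverter conv = new JcaX509CertificateConverter().setProvider("BC");
        List<Object> store = new ArrayList<>(crls);
        for (X509CertificateHolder h : tst.getCertificates().getMatches(null)) store.add(conv.getCertificate(h));
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(conv.getCertificate(tsaHolder));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(store)));
        params.setDate(tst.getTimeStampInfo().getGenTime());
        params.setRevocationEnabled(!crls.isEmpty()); // with no CRL/OCSP data only validity and chaining are checkable
        CertPathBuilder.getInstance("PKIX").build(params);   // throws CertPathBuilderException on any failure
        return tst.getTimeStampInfo().getGenTime();
    }
}
```

The returned genTime is the date at which the signer's own chain should then be checked against the CRL or OCSP data embedded in the signature. When the PDF carries a PAdES-LTV document security store, the CRLs stored there for the TSA chain can be passed in as `crls` so that step 4 also covers revocation.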