I want to use the -tsa timestamp parameter of the Java jarsigner tool. The timestamp service I have in mind requires authentication. To do this, you get a personalized soft token to identify yourself on the timestamp server.
My question is: is this authentication supported by the jarsigner tool? In other words: does jarsigner support RFC 3161 (Time-Stamp Protocol) and RFC 2246 (authentication)?
There is a -tsacert jarsigner option. The documentation states:
If "-tsacert alias" appears on the command line when signing the JAR file, then a time stamp is created for the signature. The alias identifies the TSA public key certificate in the keystore that is currently in effect. The entry's certificate is examined for a Subject Information Access extension that contains a URL identifying the location of the TSA.
What bothers me is the wording "a time stamp is created for the signature." What does it mean? In addition, the wording "alias identifies the TSA public key certificate" is confusing: it seems that it is used to check the time stamp (because it is a public key), not to identify the requester (since it is not a private key).
In addition: the certificate I want to sign with is not a soft token, but is stored on a smart card. It cannot be exported to the keystore. Therefore, I have to use the options -keystore NONE -storetype PKCS11. I think that for this reason the option -tsacert alias cannot be used, because it requires a real keystore containing a soft token.