3. Timestamp Tokens per RFC 3161: COSE Header Parameters
この節では COSE timestamp token header parameters の RFC テキストを保持し, CTT and TTC modes, TimeStampToken handling, MessageImprint computation, COSE_Sign and COSE_Sign1 examples, IANA registrations, security considerations を扱う.
RFC 原文
3. Timestamp Tokens per RFC 3161: COSE Header Parameters
The two modes described in Sections 2.2 and 2.1 use different inputs
into the timestamping machinery and consequently create different
kinds of bindings between COSE and TST. To clearly separate their
semantics, two different COSE header parameters are defined as
described in the following subsections.
3.1. 3161-ctt
The 3161-ctt COSE _unprotected_ header parameter MUST be used for the
mode described in Section 2.1.
The 3161-ctt unprotected header parameter contains a DER-encoded TST
[RFC3161] wrapped in a CBOR byte string (Major type 2).
The MessageImprint sent in the request to the TSA MUST be
* the hash of the CBOR-encoded signature field of the COSE_Sign1
message, or
* the hash of the CBOR-encoded signatures field of the COSE_Sign
message.
In either case, to minimize dependencies, the hash algorithm SHOULD
be the same as the algorithm used for signing the COSE message. This
may not be possible if the timestamp token has been obtained outside
the processing context in which the COSE object is assembled.
Refer to Sections 3.1.1 and 3.1.2 for concrete examples of
MessageImprint computation.
3.1.1. MessageImprint Computation for COSE_Sign1
The following illustrates how MessageImprint is computed using a
sample COSE_Sign1 message.
Given the COSE_Sign1 message
18(
[
/ protected h'a10126' / << {
/ alg / 1:-7 / ECDSA 256 /
} >>,
/ unprotected / {
/ kid / 4:'11'
},
/ payload / 'This is the content.',
/ signature / h'8eb33e4ca31d1c465ab05aac34cc6b23d58fef5c083106c4
d25a91aef0b0117e2af9a291aa32e14ab834dc56ed2a223444547e01f11d3b0916e5
a4c345cacb36'
]
)
the bstr-wrapped signature
58 40 # bytes(64)
8eb33e4ca31d1c465ab05aac34cc6b23
d58fef5c083106c4d25a91aef0b0117e
2af9a291aa32e14ab834dc56ed2a2234
44547e01f11d3b0916e5a4c345cacb36
(including the heading bytes 0x5840) is used as input for computing
the MessageImprint.
When using SHA-256, the resulting MessageImprint is
SEQUENCE {
SEQUENCE {
OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
NULL
}
OCTET STRING
44 C2 41 9D 13 1D 53 D5 55 84 B5 DD 33 B7 88 C2
4E 55 1C 6D 44 B1 AF C8 B2 B8 5E 69 54 76 3B 4E
}
3.1.2. MessageImprint Computation for COSE_Sign
The following illustrates how MessageImprint is computed using a
sample COSE_Sign message.
Given the COSE_Sign message
98(
[
/ protected / h'',
/ unprotected / {},
/ payload / 'This is the content.',
/ signatures / [
[
/ protected h'a10126' / << {
/ alg / 1:-7 / ECDSA 256 /
} >>,
/ unprotected / {
/ kid / 4:'11'
},
/ signature / h'e2aeafd40d69d19dfe6e52077c5d7ff4e408282cbefb
5d06cbf414af2e19d982ac45ac98b8544c908b4507de1e90b717c3d34816fe926a2b
98f53afd2fa0f30a'
]
]
]
)
the signatures array
81 # array(1)
83 # array(3)
43 # bytes(3)
a10126
a1 # map(1)
04 # unsigned(4)
42 # bytes(2)
3131 # "11"
58 40 # bytes(64)
e2aeafd40d69d19dfe6e52077c5d7ff4
e408282cbefb5d06cbf414af2e19d982
ac45ac98b8544c908b4507de1e90b717
c3d34816fe926a2b98f53afd2fa0f30a
is used as input for computing the MessageImprint.
When using SHA-256, the resulting MessageImprint is
SEQUENCE {
SEQUENCE {
OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
NULL
}
OCTET STRING
80 3F AD A2 91 2D 6B 7A 83 3A 27 BD 96 1C C0 5B
C1 CC 16 47 59 B1 C5 6F 7A A7 71 E4 E2 15 26 F7
}
3.2. 3161-ttc
The 3161-ttc COSE _protected_ header parameter MUST be used for the
mode described in Section 2.2.
The 3161-ttc protected header parameter contains a DER-encoded TST
[RFC3161] wrapped in a CBOR byte string (Major type 2).
The MessageImprint sent to the TSA (Section 2.4 of [RFC3161]) MUST be
the hash of the payload of the COSE Signed Message. This does not
include the bstr wrapping -- only the payload bytes. (For an
example, see Appendix A.1.)
To minimize dependencies, the hash algorithm used for signing the
COSE message SHOULD be the same as the algorithm used in the
MessageImprint [RFC3161]. However, this may not be possible if the
timestamp requester and the COSE message signer are different
entities.