I want to use the timestamp option -tsa of the Java jarsigner tool. The timestamp service I have in mind requires authentication. For this purpose you get a personalized soft token to identify yourself at the timestamp server.
My question: Is this authentication supported by the jarsigner tool? In other words: does jarsigner support RFC 3161 (Time-Stamp Protocol) and RFC 2246 (Authentication)?
There is an option -tsacert of the jarsigner. The documentation states:
If "-tsacert alias" appears on the command line when signing a JAR file then a timestamp is generated for the signature. The alias identifies the TSA's public key certificate in the keystore that is currently in effect. The entry's certificate is examined for a Subject Information Access extension that contains a URL identifying the location of the TSA.
What I am confused by is the wording "a timestamp is generated for the signature". What does this mean? Also the wording "the alias identifies the TSA's public key certificate" is confusing: it seems that it is used to verify the timestamp (because it's a public key) not to identify the requester (because it is not a private key).
Moreover: The certificate with which I want to sign is not a soft token but is stored on a smart card. It cannot be exported to a keystore. Therefore I have to use the options -keystore NONE -storetype PKCS11. I think that for this reason the option -tsacert alias can't be used because it needs a real keystore which contains the soft token.
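
The documentation sentence quoted in the question describes a lookup in the certificate's Subject Information Access extension. The following added example (not part of the original post and not jarsigner's own code) parses that extension value and returns the TSA URL, assuming the location is stored as a URI under the id-ad-timeStamping access method of RFC 5280; the function names and the sample hostnames are constructed for illustration.

```python
# Added example, not from the post; the sample URLs at the bottom are constructed.
AD_TIMESTAMPING = "1.3.6.1.5.5.7.48.3"    # id-ad-timeStamping (RFC 5280)

def read_tlv(buf, pos):                    # -> (tag, value, next_pos) of the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):                      # OID content bytes -> dotted notation
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty or unterminated OID")
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def tsa_urls(sia_der):
    """URIs whose accessMethod is id-ad-timeStamping, from the inner
    SubjectInfoAccessSyntax of extension 1.3.6.1.5.5.7.1.11 (no OCTET STRING wrapper)."""
    tag, seq, _ = read_tlv(sia_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF AccessDescription")
    urls, pos = [], 0
    while pos < len(seq):
        _, desc, pos = read_tlv(seq, pos)        # one AccessDescription
        mtag, method, nxt = read_tlv(desc, 0)    # accessMethod (OID)
        ltag, loc, _ = read_tlv(desc, nxt)       # accessLocation; 0x86 = GeneralName URI
        if mtag == 0x06 and ltag == 0x86 and decode_oid(method) == AD_TIMESTAMPING:
            urls.append(loc.decode("ascii"))
    return urls

def _tlv(tag, body):                             # builds constructed sample data; short lengths only
    return bytes([tag, len(body)]) + body
def _entry(last_arc, url):
    oid = bytes.fromhex("2b060105050730") + bytes([last_arc])   # 1.3.6.1.5.5.7.48.<arc>
    return _tlv(0x30, _tlv(0x06, oid) + _tlv(0x86, url.encode()))
SAMPLE_SIA = _tlv(0x30, _entry(5, "http://repo.example.test/") + _entry(3, "http://tsa.example.test/tsp"))
```

Only the certificate's public extension data is read here; no private key is involved in locating the TSA.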