How to add unsignedAttrs to a custom signature?

When signing our digest of signedAttrs our Signature Provider returns a Timestamp Token (since they are also our Time Stamp Authority).

According to the RFC-5652 and RFC-3161 standards the TimeStamp token must be added as an Unsigned Attribute in the unsignedAttrs field of the SignerInfo.

How can we accomplish this?

You do not need to add generic unsigned attributes in order to embed a timestamp token. Please note that generally speaking, unsigned attributes can and should be inserted after signing.

With our SDK, it is done as follows (after a user-type signature has already been signed, the embedded timestamp is inserted into it):

TimestampingConfiguration tst_config(g_timestamping_URL);
VerificationOptions opts(VerificationOptions::e_compatibility_and_archiving);

/* It is necessary to add to the VerificationOptions a trusted root certificate corresponding to
the chain used by the timestamp authority to sign the timestamp token, in order for the timestamp
response to be verifiable during DocTimeStamp signing. */

/* By default, we only check online for revocation of certificates using the newer and lighter
OCSP protocol as opposed to CRL, due to lower resource usage and greater reliability. However,
it may be necessary to enable online CRL revocation checking in order to verify some timestamps
(i.e. those that do not have an OCSP responder URL for all non-trusted certificates). */

TimestampingResult result(certification_sig_field.GenerateContentsWithEmbeddedTimestamp(tst_config, opts));

if (!result.GetStatus())
{
    cout << "Embedded timestamping failed: " << result.GetString() << "\n";
    return false;
}

// On success, write the CMS that now carries the embedded timestamp into the document.
vector<UChar> cms_with_timestamp(result.GetData());
doc.SaveCustomSignature(cms_with_timestamp.data(), cms_with_timestamp.size(),
    certification_sig_field, in_outpath);

See here for a Guide also covering this.
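
To confirm that the saved CMS really carries the token where RFC 3161 Appendix A puts it, the DER can be walked down to the SignerInfo and its unsignedAttrs checked for the id-aa-timeStampToken attribute. The following is an added example, not SDK code or code from the original answer; `children`, `has_embedded_timestamp` and `kSampleCms` are hypothetical names, and the sample bytes are a constructed skeleton rather than a real signature.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>
using Bytes = std::vector<uint8_t>;
struct Node { uint8_t tag; size_t off, len; };   // off/len locate the value octets
// DER content octets of id-aa-timeStampToken, 1.2.840.113549.1.9.16.2.14 (RFC 3161 Appendix A)
static const uint8_t kTstOid[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0E};
// Split d[off, off+len) into its immediate TLVs; clears ok on truncated or oversized lengths.
std::vector<Node> children(const Bytes& d, size_t off, size_t len, bool& ok) {
    std::vector<Node> out;
    for (size_t p = off, end = off + len; p < end;) {
        if (end - p < 2) { ok = false; break; }
        uint8_t tag = d[p++]; size_t n = d[p++], k = n & 0x7F;
        if (n & 0x80) {                               // long form: k length octets follow
            if (k == 0 || k > 4 || end - p < k) { ok = false; break; }
            for (n = 0; k--;) n = (n << 8) | d[p++];
        }
        if (n > end - p) { ok = false; break; }
        out.push_back({tag, p, n}); p += n;
    }
    return out;
}

// True when a SignerInfo of this CMS SignedData has the timestamp token in unsignedAttrs.
bool has_embedded_timestamp(const Bytes& cms) {
    bool ok = true; Node cur{0, 0, cms.size()};
    // Follow the last child at each level: ContentInfo, [0] content, SignedData, signerInfos.
    for (uint8_t want : {0x30, 0xA0, 0x30, 0x31}) {
        auto kids = children(cms, cur.off, cur.len, ok);
        if (!ok || kids.empty() || kids.back().tag != want) return false;
        cur = kids.back();
    }
    for (const Node& si : children(cms, cur.off, cur.len, ok))         // each SignerInfo
        for (const Node& f : children(cms, si.off, si.len, ok)) {
            if (f.tag != 0xA1) continue;                                // unsignedAttrs [1] IMPLICIT
            for (const Node& a : children(cms, f.off, f.len, ok)) {     // each Attribute
                auto kv = children(cms, a.off, a.len, ok);              // attrType, attrValues
                if (ok && !kv.empty() && kv[0].tag == 0x06 && kv[0].len == sizeof kTstOid &&
                    !std::memcmp(&cms[kv[0].off], kTstOid, sizeof kTstOid)) return true;
            }
        }
    return false;
}

// Constructed toy CMS (not a real signature); fields the check does not need are stubbed.
const Bytes kSampleCms = {
    0x30,0x35, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02,  // ContentInfo, id-signedData
    0xA0,0x28, 0x30,0x26, 0x02,0x01,0x01, 0x31,0x00, 0x30,0x00,        // [0], SignedData, stub fields
    0x31,0x1D, 0x30,0x1B, 0x02,0x01,0x01, 0x04,0x01,0xAB,              // signerInfos, SignerInfo stub
    0xA1,0x13, 0x30,0x11, 0x06,0x0B,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x0E,
    0x31,0x02, 0x30,0x00};                     // attrValues: empty placeholder where the token goes
```

This only shows that the attribute is present in the right field. Whether the token is valid (its messageImprint is the hash of the SignerInfo signature value and the TSA chain is trusted) still has to be established by proper verification.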