试试这个

TimeStampToken token = new TimeStampToken(new CMSSignedData(response));

InputStream in = new FileInputStream("tsp.cer");
CertificateFactory factory = CertificateFactory.getInstance("X.509");

X509Certificate cert = (X509Certificate) factory.generateCertificate(in);

//RSA Signature processing with BC
X509CertificateHolder holder = new X509CertificateHolder(cert.getEncoded());
SignerInformationVerifier siv = new BcRSASignerInfoVerifierBuilder(new DefaultDigestAlgorithmIdentifierFinder(), new BcDigestCalculatorProvider()).build(holder);

//Signature processing with JCA and other provider
//X509CertificateHolder holderJca = new JcaX509CertificateHolder(cert);
//SignerInformationVerifier sivJca = new JcaSimpleSignerInfoVerifierBuilder().setProvider("anotherprovider").build(holderJca);

token.validate(siv);

查看BC Version 2 APIs文档的验证SignerInformation对象部分，了解有关使用BC API进行签名验证的更多信息

您正在以正确的方式创建SignerInformationVerifier，您可以在示例代码中找到另一种为基于JCA/JCE提供程序的解决方案创建SignerInformationVerifier的方法