How to add timestamping signature to System.IO.Packaging.Package?

396 views Asked by At

There is a way to create packages, add some parts and sign it with a X509Certificate.

I would also like to add a timestamping signature to the package.

If the certificate expires or gets revoked the signature should remain valid if the package parts have been timestamped before the expiration/revokation.

P.S. I'm using the System.IO.Packaging.Package class defined in the WindowsBase.dll assembly.

2

There are 2 answers

1
Michael Damatov On BEST ANSWER

The following solution works it you're both the creator and the consumer of the package:

  1. Use a secure Internet server to get the trusted timestamp.
  2. Redefine the certificate chain policy to include the timestamp validation in the certificate chain.
0
Daniel Fisher  lennybacon On

Digital signatures in System.IO.Packaging rely on XMLDSIG. Tusted Timestamping (or secure timestamping) in terms of RFC 3161 was added on top with XML Advanced Electronic Signatures (XAdES) and the XAdES-T Profile. Microsoft Office documents use System.IO.Packaging as their format and so the Microsoft Documentation (MS-OFFCRYPTO) mentions XAdES-T as the form used.

Unfortunately there is no built in support in the .NET Framework itself. While Microsoft Office has the ability to utilize trusted time stamps for digital signatures.

Microsoft France published a library to support the standards in 2012 but it went offline and is not maintained anymore. But there is a snapshot of the sources on Github.

There are also a few other libraries your might consider helpful