There is a way to create packages, add some parts and sign it with an X509Certificate.

I would also like to add a timestamping signature to the package.

If the certificate expires or gets revoked the signature should remain valid if the package parts have been timestamped before the expiration/revocation.

P.S. I'm using the System.IO.Packaging.Package class defined in the WindowsBase.dll assembly.

Michael Damatov

2 Answers

The following solution works if you're both the creator and the consumer of the package:

  1. Use a secure Internet server to get the trusted timestamp.
  2. Redefine the certificate chain policy to include the timestamp validation in the certificate chain.
Michael Damatov

I have a trusted timestamp, but am trying to understand how to include that when signing. However, I would not be the consumer of the package... Can you elaborate on the 2nd step? – Joel Briggs Oct 02 '14 at 14:56

Digital signatures in System.IO.Packaging rely on XMLDSIG. Trusted timestamping (or secure timestamping) in terms of RFC 3161 was added on top with XML Advanced Electronic Signatures (XAdES) and the XAdES-T profile. Microsoft Office documents use System.IO.Packaging as their format, and so the Microsoft documentation (MS-OFFCRYPTO) mentions XAdES-T as the form used.

Unfortunately there is no built-in support in the .NET Framework itself, while Microsoft Office has the ability to utilize trusted timestamps for digital signatures.

Microsoft France published a library to support the standards in 2012, but it went offline and is not maintained anymore. There is, however, a snapshot of the sources on GitHub.

There are also a few other libraries you might consider helpful

Daniel Fisher lennybacon
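Step 2 of the first answer (evaluating the certificate chain at the timestamped instant instead of "now") can be expressed against the same WindowsBase API. This is an added illustration, not code from either answer; it assumes the caller has already validated the RFC 3161 token (TSA signature, message imprint over the XMLDSIG SignatureValue) and extracted its genTime as `trustedTimeUtc`.

```csharp
using System;
using System.IO;
using System.IO.Packaging;
using System.Security.Cryptography.X509Certificates;

static class TimestampedPackageVerifier
{
    // Returns true when the package signature is intact and the signer's
    // certificate chained correctly at trustedTimeUtc (a validated RFC 3161
    // genTime, Kind = Utc), even if the certificate has since expired.
    public static bool VerifyAtTrustedTime(string packagePath, DateTime trustedTimeUtc)
    {
        using (Package package = Package.Open(packagePath, FileMode.Open, FileAccess.Read))
        {
            var manager = new PackageDigitalSignatureManager(package);
            if (!manager.IsSigned)
                return false;

            // 1. Content integrity: every XMLDSIG reference and the SignatureValue
            //    must still match the parts in the package.
            if (manager.VerifySignatures(exitOnFailure: true) != VerifyResult.Success)
                return false;

            // 2. Certificate validity evaluated at the timestamped instant rather than
            //    DateTime.Now, which is what PackageDigitalSignatureManager.VerifyCertificate
            //    would use.
            foreach (PackageDigitalSignature signature in manager.Signatures)
            {
                var signer = new X509Certificate2(signature.Signer);
                var chain = new X509Chain();
                chain.ChainPolicy.VerificationTime = trustedTimeUtc;
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;

                // Fails if the certificate was expired, not yet valid, revoked before
                // trustedTimeUtc, or does not chain to a trusted root.
                if (!chain.Build(signer))
                    return false;
            }
            return true;
        }
    }
}
```

Caveat: a past VerificationTime only gives a faithful revocation answer if the CRL/OCSP data consulted still covers that instant; CAs may drop expired certificates from their CRLs, which is why the long-term XAdES profiles archive the revocation data alongside the timestamp.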