~~NOTOC~~
====== 8. Digital Signatures ======

<WRAP round info>
**Scenarios:** 4 \\
**FFI Functions:** ~30 \\
**Status:** ⏳ Planned
</WRAP>

This category covers all scenarios for creating and verifying digital signatures. Document signing, code signing, and timestamps with ML-DSA.

----

===== Scenarios =====

^  ID  ^  Scenario  ^  Description  ^  Complexity  ^  Status  ^
| [[.:dokument_signieren|8.1]] | Sign Document | Sign PDF, XML, JSON | ⭐⭐⭐ | ⏳ |
| [[.:code_signieren|8.2]] | Sign Code | Executables, DLLs, Packages | ⭐⭐⭐ | ⏳ |
| [[.:timestamp|8.3]] | Timestamp | Trusted Timestamp (RFC 3161) | ⭐⭐⭐⭐ | ⏳ |
| [[.:signatur_verifizieren|8.4]] | Verify Signature | Validate signatures | ⭐⭐ | ⏳ |

----

===== Signature Workflow =====

<mermaid>
flowchart LR
    subgraph SIGN["✍️ Signing"]
        DOC[Document/Code]
        HASH[Calculate Hash]
        SIG[Create Signature]
    end

    subgraph VERIFY["✅ Verification"]
        VHASH[Calculate Hash]
        VSIG[Verify Signature]
        VCERT[Validate Certificate]
    end

    DOC --> HASH --> SIG
    DOC --> VHASH
    SIG --> VSIG
    VSIG --> VCERT

    style SIG fill:#e8f5e9
    style VCERT fill:#e3f2fd
</mermaid>

----

===== Signature Algorithms =====

^  Mode  ^  Algorithm  ^  Signature Length  ^  Standard  ^
| **PostQuantum** | ML-DSA-65 | 3309 Bytes | NIST FIPS 204 |
| **Hybrid** | ECDSA P-384 + ML-DSA-65 | ~3400 Bytes | Composite Signatures |
| **Classic** | ECDSA P-384 | 96 Bytes | NIST FIPS 186-5 |

<WRAP round tip>
**Recommendation:** Use hybrid signatures for long-term archival. Both signatures must be broken.
</WRAP>

----

===== Signature Formats =====

^  Format  ^  Application  ^  Contains  ^
| **CMS/PKCS#7** | General, E-Mail | Signature + Certificate + optional Timestamp |
| **XML-DSig** | SOAP, SAML | Signature in XML structure |
| **JWS** | REST APIs, JWT | JSON Web Signature |
| **Authenticode** | Windows PE | Code Signing for EXE/DLL |

----

===== Industry-Specific Requirements =====

^  Industry  ^  Signature Type  ^  Requirements  ^
| **Healthcare** | Qualified Signature (QES) | eIDAS compliant, gematik |
| **Automotive** | Code Signing | UNECE R156, Secure Boot |
| **Energy** | Document + Timestamp | Audit requirements, NIS2 |
| **Industry 4.0** | Firmware Signing | IEC 62443 |

----

===== Quick Start Code =====

==== Sign Document ====

<code csharp>
using WvdS.Security.Cryptography.Signatures.Extensions.PQ;

// Load signing key
var signingKey = ctx.LoadPrivateKey("signing.key.pem", password);
var signingCert = ctx.LoadCertificate("signing.crt.pem");

// Sign document (CMS/PKCS#7)
byte[] document = File.ReadAllBytes("vertrag.pdf");
var signature = ctx.SignData(
    data: document,
    privateKey: signingKey,
    certificate: signingCert,
    mode: CryptoMode.Hybrid,
    options: new SignatureOptions
    {
        IncludeCertificate = true,
        AddTimestamp = true,
        TimestampServer = "http://timestamp.example.com"
    }
);

File.WriteAllBytes("vertrag.pdf.p7s", signature);
</code>

==== Verify Signature ====

<code csharp>
// Load signature
byte[] signature = File.ReadAllBytes("vertrag.pdf.p7s");
byte[] document = File.ReadAllBytes("vertrag.pdf");

// Verify
var result = ctx.VerifySignature(
    data: document,
    signature: signature,
    trustStore: trustStore
);

if (result.IsValid)
{
    Console.WriteLine($"Signed by: {result.SignerCertificate.Subject}");
    Console.WriteLine($"Timestamp: {result.Timestamp}");
}
</code>

----

===== Related Categories =====

^  Category  ^  Relationship  ^
| [[.:zertifikate:start|3. Issue Certificates]] | Code signing certificates |
| [[.:validierung:start|5. Validation]] | Validate signature certificate |
| [[.:authentifizierung:start|9. Authentication]] | Signature as authentication method |

----

<< [[en:int:pqcrypt:szenarien:verschluesselung:start|← 7. Encryption]] | [[en:int:pqcrypt:szenarien:start|↑ Scenarios]] | [[.:authentifizierung:start|9. Authentication →]] >>

----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>category signatures signing cms timestamp}}