~~NOTOC~~
====== Scenario 8.3: Timestamp ======
**Category:** [[.:start|Digital Signatures]] \\
**Complexity:** ⭐⭐⭐ (Medium) \\
**Prerequisites:** Signature available, TSA access \\
**Estimated Time:** 10-15 Minutes
----
===== Description =====
This scenario describes **adding timestamps** to digital signatures (RFC 3161). Timestamps prove that a signature existed at a specific point in time and enable:
* **Long-term validation** - Signature remains valid after certificate expiration
* **Provability** - Exact signature time documented
* **Compliance** - Required for eIDAS qualified signatures
**Concept:**
* Signature hash is sent to Timestamp Authority (TSA)
* TSA signs the hash with time information
* Timestamp token is attached to the signature
----
===== Workflow =====
flowchart LR
SIG[Signature] --> HASH[Hash of Signature]
HASH --> REQ[TSA Request]
REQ -->|HTTP POST| TSA[Timestamp Authority]
TSA --> TOKEN[Timestamp Token]
TOKEN --> ATTACH[Attach to Signature]
ATTACH --> OUTPUT[Signature with Timestamp]
style TSA fill:#e8f5e9
style OUTPUT fill:#e3f2fd
----
===== Code Example: RFC 3161 Timestamp Request =====
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using var ctx = PqCryptoContext.Initialize();
// Load signature
var signature = File.ReadAllBytes("document.sig");
// Calculate hash of signature
var signatureHash = SHA256.HashData(signature);
// Create timestamp request (RFC 3161)
var tsRequest = new Rfc3161TimestampRequest(
messageHash: signatureHash,
hashAlgorithm: HashAlgorithmName.SHA256,
requestedPolicyId: null, // Default Policy
nonce: GenerateNonce(),
requestSignerCertificates: true
);
// Send request to TSA
using var http = new HttpClient();
var content = new ByteArrayContent(tsRequest.Encode());
content.Headers.ContentType = new MediaTypeHeaderValue("application/timestamp-query");
var response = await http.PostAsync("http://timestamp.digicert.com", content);
var tsResponseBytes = await response.Content.ReadAsByteArrayAsync();
// Parse response
var tsResponse = Rfc3161TimestampToken.Decode(tsResponseBytes, out int bytesConsumed);
// Validate
if (!tsResponse.VerifySignatureForHash(signatureHash, HashAlgorithmName.SHA256, out var signerCert, null))
{
throw new CryptographicException("Timestamp signature invalid");
}
// Save token
File.WriteAllBytes("document.sig.tst", tsResponse.AsSignedCms().Encode());
Console.WriteLine("Timestamp received:");
Console.WriteLine($" Time: {tsResponse.TokenInfo.Timestamp}");
Console.WriteLine($" TSA: {signerCert.Subject}");
Console.WriteLine($" Policy: {tsResponse.TokenInfo.PolicyId}");
----
===== Code Example: Add Timestamp to CMS Signature =====
public class TimestampService
{
private readonly string _tsaUrl;
private readonly HttpClient _http;
public TimestampService(string tsaUrl)
{
_tsaUrl = tsaUrl;
_http = new HttpClient { Timeout = TimeSpan.FromSeconds(30) };
}
public async Task AddTimestamp(SignedCms signedCms)
{
foreach (var signerInfo in signedCms.SignerInfos)
{
// Signature hash for timestamp
var signatureHash = SHA256.HashData(signerInfo.GetSignature());
// Timestamp request
var tsRequest = new Rfc3161TimestampRequest(
signatureHash,
HashAlgorithmName.SHA256,
requestedPolicyId: null,
nonce: GenerateNonce(),
requestSignerCertificates: true
);
// Send to TSA
var content = new ByteArrayContent(tsRequest.Encode());
content.Headers.ContentType = new MediaTypeHeaderValue("application/timestamp-query");
var response = await _http.PostAsync(_tsaUrl, content);
response.EnsureSuccessStatusCode();
var tsResponseBytes = await response.Content.ReadAsByteArrayAsync();
var tsToken = Rfc3161TimestampToken.Decode(tsResponseBytes, out _);
// Add as unsigned attribute
var timestampAttr = new AsnEncodedData(
new Oid("1.2.840.113549.1.9.16.2.14"), // id-aa-timeStampToken
tsToken.AsSignedCms().Encode()
);
signerInfo.AddUnsignedAttribute(timestampAttr);
}
return signedCms;
}
private byte[] GenerateNonce()
{
var nonce = new byte[8];
RandomNumberGenerator.Fill(nonce);
return nonce;
}
}
----
===== Validate Timestamp Token =====
public class TimestampValidator
{
public TimestampValidationResult Validate(
byte[] timestampToken,
byte[] originalSignature,
X509Certificate2Collection? trustedTsaCerts = null)
{
var result = new TimestampValidationResult();
try
{
var tsToken = Rfc3161TimestampToken.Decode(timestampToken, out _);
result.Timestamp = tsToken.TokenInfo.Timestamp;
result.PolicyId = tsToken.TokenInfo.PolicyId?.Value;
// Verify hash
var expectedHash = SHA256.HashData(originalSignature);
if (!tsToken.TokenInfo.GetMessageHash().ReadOnlySpan.SequenceEqual(expectedHash))
{
result.IsValid = false;
result.Error = "Hash does not match";
return result;
}
// Verify signature
if (!tsToken.VerifySignatureForHash(expectedHash, HashAlgorithmName.SHA256, out var tsaCert, trustedTsaCerts))
{
result.IsValid = false;
result.Error = "TSA signature invalid";
return result;
}
result.TsaCertificate = tsaCert;
// Validate TSA certificate chain
var chain = new X509Chain();
chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
if (trustedTsaCerts != null)
{
chain.ChainPolicy.CustomTrustStore.AddRange(trustedTsaCerts);
chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
}
result.IsValid = chain.Build(tsaCert);
if (!result.IsValid)
{
result.Error = "TSA certificate chain invalid";
}
}
catch (Exception ex)
{
result.IsValid = false;
result.Error = ex.Message;
}
return result;
}
}
public class TimestampValidationResult
{
public bool IsValid { get; set; }
public DateTimeOffset? Timestamp { get; set; }
public string? PolicyId { get; set; }
public X509Certificate2? TsaCertificate { get; set; }
public string? Error { get; set; }
}
----
===== Timestamp Authorities (TSAs) =====
^ Provider ^ URL ^ Qualified (eIDAS) ^
| DigiCert | http://timestamp.digicert.com | No |
| Sectigo | http://timestamp.sectigo.com | No |
| GlobalSign | http://timestamp.globalsign.com | No |
| D-TRUST | http://zeitstempel.2.1.3.bundesdruckerei.de | **Yes** |
| SwissSign | http://tsa.swisscom.com/tsa | **Yes** |
| Bundesdruckerei | http://ts.2.bundesdruckerei.de | **Yes** |
**eIDAS:** A qualified TSA is required for qualified electronic signatures.
----
===== Long-Term Archival (LTA) =====
public class LongTermArchive
{
public async Task ExtendValidation(
SignedCms signedCms,
string tsaUrl,
X509Certificate2Collection validationData)
{
// 1. Embed validation data (certificates, CRLs, OCSP)
AddValidationData(signedCms, validationData);
// 2. Add archive timestamp
var timestampService = new TimestampService(tsaUrl);
await timestampService.AddArchiveTimestamp(signedCms);
// This process can be repeated periodically
// to keep the signature validatable long-term
}
}
----
===== Industry-Specific Requirements =====
^ Application ^ Timestamp Required? ^ Qualified? ^
| **Code Signing** | Required | No |
| **eIDAS QES** | Required | Yes |
| **PDF/A Archival** | Recommended | Depending on requirements |
| **S/MIME** | Optional | No |
| **Healthcare** | Required | Depending on country |
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Prerequisite** | [[.:dokument_signieren|8.1 Sign Document]] | Create signature |
| **Prerequisite** | [[.:code_signieren|8.2 Sign Code]] | Code signature |
| **Next Step** | [[.:signatur_verifizieren|8.4 Verify Signature]] | Validation |
----
<< [[.:code_signieren|← 8.2 Sign Code]] | [[.:start|↑ Signatures Overview]] | [[.:signatur_verifizieren|8.4 Verify Signature →]] >>
{{tag>scenario signature timestamp tsa rfc3161 longterm}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//