8. Digital Signatures

Scenarios: 4
FFI Functions: ~30
Status: ⏳ Planned

This category covers the scenarios for creating and verifying digital signatures: document signing, code signing, and trusted timestamps, using ML-DSA as the post-quantum signature algorithm.


Scenarios

| ID | Scenario | Description | Complexity | Status |
|---|---|---|---|---|
| 8.1 | Sign Document | Sign PDF, XML, JSON | ⭐⭐⭐ | |
| 8.2 | Sign Code | Executables, DLLs, Packages | ⭐⭐⭐ | |
| 8.3 | Timestamp | Trusted Timestamp (RFC 3161) | ⭐⭐⭐⭐ | |
| 8.4 | Verify Signature | Validate signatures | ⭐⭐ | |

Signature Workflow

flowchart LR
    subgraph SIGN["✍️ Signing"]
        DOC[Document/Code]
        HASH[Calculate Hash]
        SIG[Create Signature]
    end
    subgraph VERIFY["✅ Verification"]
        VHASH[Calculate Hash]
        VSIG[Verify Signature]
        VCERT[Validate Certificate]
    end
    DOC --> HASH --> SIG
    DOC --> VHASH
    SIG --> VSIG
    VSIG --> VCERT
    style SIG fill:#e8f5e9
    style VCERT fill:#e3f2fd


Signature Algorithms

| Mode | Algorithm | Signature Length | Standard |
|---|---|---|---|
| PostQuantum | ML-DSA-65 | 3309 Bytes | NIST FIPS 204 |
| Hybrid | ECDSA P-384 + ML-DSA-65 | ~3400 Bytes | Composite Signatures |
| Classic | ECDSA P-384 | 96 Bytes | NIST FIPS 186-5 |

Recommendation: Use hybrid signatures for long-term archival. A hybrid signature is only forgeable if both component algorithms (ECDSA P-384 and ML-DSA-65) are broken, so it remains secure if either one falls.


Signature Formats

| Format | Application | Contains |
|---|---|---|
| CMS/PKCS#7 | General, E-Mail | Signature + Certificate + optional Timestamp |
| XML-DSig | SOAP, SAML | Signature in XML structure |
| JWS | REST APIs, JWT | JSON Web Signature |
| Authenticode | Windows PE | Code Signing for EXE/DLL |

Industry-Specific Requirements

| Industry | Signature Type | Requirements |
|---|---|---|
| Healthcare | Qualified Signature (QES) | eIDAS compliant, gematik |
| Automotive | Code Signing | UNECE R156, Secure Boot |
| Energy | Document + Timestamp | Audit requirements, NIS2 |
| Industry 4.0 | Firmware Signing | IEC 62443 |

Quick Start Code

Sign Document

using System.IO;
using WvdS.Security.Cryptography.Signatures.Extensions.PQ;

// Assumed to exist from earlier setup: an initialized crypto context `ctx`
// and the key password `password` (not shown in this snippet).

// Load signing key and the matching certificate
var signingKey = ctx.LoadPrivateKey("signing.key.pem", password);
var signingCert = ctx.LoadCertificate("signing.crt.pem");

// Sign document (CMS/PKCS#7), hybrid mode: ECDSA P-384 + ML-DSA-65
byte[] document = File.ReadAllBytes("vertrag.pdf");
var signature = ctx.SignData(
    data: document,
    privateKey: signingKey,
    certificate: signingCert,
    mode: CryptoMode.Hybrid,
    options: new SignatureOptions
    {
        IncludeCertificate = true,          // embed signer certificate in the CMS structure
        AddTimestamp = true,                // request an RFC 3161 timestamp token
        TimestampServer = "http://timestamp.example.com"
    }
);

// Detached signature: written next to the original document
File.WriteAllBytes("vertrag.pdf.p7s", signature);

Verify Signature

// Assumed to exist from earlier setup: an initialized crypto context `ctx`
// and a `trustStore` holding the trusted root/issuer certificates.

// Load detached signature and the signed document
byte[] signature = File.ReadAllBytes("vertrag.pdf.p7s");
byte[] document = File.ReadAllBytes("vertrag.pdf");

// Verify: recompute the hash, check the signature, validate the signer
// certificate against the trust store
var result = ctx.VerifySignature(
    data: document,
    signature: signature,
    trustStore: trustStore
);

if (result.IsValid)
{
    Console.WriteLine($"Signed by: {result.SignerCertificate.Subject}");
    Console.WriteLine($"Timestamp: {result.Timestamp}");
}
else
{
    // Treat any failure (bad signature, untrusted or expired certificate) as invalid
    Console.WriteLine("Signature verification failed");
}
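The same hash → verify signature → validate certificate chain from the workflow diagram, written in Go's standard library for the Classic mode (ECDSA P-384, SHA-384) as an added example; this is not the WvdS library's code. ML-DSA is not in Go's standard library, so only the classic half of a hybrid verify is shown; the self-signed signer certificate and the document are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SignDocument hashes the document with SHA-384 and returns a DER-encoded
// ECDSA P-384 signature (the "Calculate Hash -> Create Signature" steps).
func SignDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha512.Sum384(doc)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyDocument mirrors VerifySignature(data, signature, trustStore):
// recompute the hash, check the signature, then validate the signer
// certificate against the trust store. Any failure rejects the signature.
func VerifyDocument(doc, sig []byte, signer *x509.Certificate, roots *x509.CertPool) error {
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P384() {
		return errors.New("signer key is not ECDSA P-384")
	}
	h := sha512.Sum384(doc)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not match document")
	}
	_, err := signer.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err // non-nil if signer is untrusted, expired or lacks code-signing EKU
}

// newSelfSignedSigner builds a constructed self-signed code-signing certificate
// for the demo; in practice the signer cert is issued by a CA (category 3).
func newSelfSignedSigner() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-signer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}
```

Because the certificate is self-signed, adding it to the pool makes it the trust anchor; with an empty pool the same signature is rejected even though the bytes verify, which is the certificate-validation step doing its job.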

| Category | Relationship |
|---|---|
| 3. Issue Certificates | Code signing certificates |
| 5. Validation | Validate signature certificate |
| 9. Authentication | Signature as authentication method |



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: 2026/01/30 at 06:46 AM