dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Add Custom TSA During Digital XML Signature #42523

Open AbrarJahin opened 4 years ago

AbrarJahin commented 4 years ago

Request to add a custom TSA for storing the signing time during XML signature using System.Security.Cryptography.Xml.SignedXml

Hi, I would like to sign an XML document. I see that the signature time is taken from the system time. My concern is: if the system time is not accurate, what would happen? In that case, the time should come from a trusted TSA, and the TSA should be customisable. There should also be a TSA URL checker so that we can find out from code whether the TSA is reachable from the current network or not. This functionality should be optional, because otherwise internet access would be needed every time we need to sign a file. By default, the time should be taken from the local system, but if a TSA URL is given, then the time should be taken from the TSA.

Proposed API

I would like to create a signed XML the current way, but would like to have a way to add a TSA URL during signing, like this:

```csharp
// ...
// ...
SignedXml signedXml = new SignedXml(xmlDocument);
signedXml.SigningKey = certificate.PrivateKey;
Reference reference = new Reference();
// TsaUri is the proposed new property; it does not exist on Reference today.
//reference.TsaUri = "http://ca.signfiles.com/TSAServer.aspx";
reference.TsaUri = "http://timestamp.globalsign.com/scripts/timstamp.dll";
//reference.TsaUri = "https://timestamp.geotrust.com/tsa";
reference.Uri = "";
reference.Id = Base64EncodedCurrentTime(); // caller's own helper, not shown here
//reference.TransformChain = ;
XmlDsigEnvelopedSignatureTransform env = new XmlDsigEnvelopedSignatureTransform(true);
reference.AddTransform(env);
signedXml.AddReference(reference);
// ...
// ...
```

In this example, reference.TsaUri is used for signing the document.

Usage Examples

```csharp
// ...
// ...
Reference reference = new Reference();
reference.TsaUri = "http://timestamp.globalsign.com/scripts/timstamp.dll"; // proposed property
// ...
// ...
```

Alternative Designs

Risks

Setting a TSA should be optional; in the default case (if no TSA URL is given), the time can be taken from the local PC. Otherwise, in a completely local situation (where no server is available), signing may not be possible.

ghost commented 4 years ago

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @jeffhandley See info in area-owners.md if you want to be subscribed.

krwq commented 4 years ago

Would it make sense to allow the user to manually provide a timestamp instead? The user can take the time from a timestamp server or another source themselves. Also, we wouldn't couple networking into SignedXml.
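As an added illustration of the direction suggested in the comment above (the caller obtains the time externally and SignedXml stays free of networking), the following C# is an example written for this page, not code from the dotnet/runtime issue or from the SignedXml API. It uses the RFC 3161 types that already exist in System.Security.Cryptography.Pkcs to timestamp the SignatureValue, validates the returned token, and attaches it to the Signature as an unreferenced ds:Object. The TSA URL (tsa.example), the EncapsulatedTimeStamp element and its namespace, and the Object Id are assumptions chosen for the example.

```csharp
// Added example (not from the dotnet/runtime issue or the SignedXml API): the caller
// requests an RFC 3161 timestamp over the SignatureValue and attaches it to the
// Signature. Assumptions: TsaUrl, the "EncapsulatedTimeStamp" element/namespace and
// the Object Id are invented for this example.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Threading.Tasks;
using System.Xml;

static class XmlSignatureTimestamping
{
    const string TsaUrl = "https://tsa.example/tsr";        // assumption: placeholder TSA
    const string TsNs = "urn:example:timestamp";            // assumption: example namespace
    const string TsElement = "EncapsulatedTimeStamp";       // assumption: example element name
    const string TimeStampingEku = "1.3.6.1.5.5.7.3.8";     // id-kp-timeStamping (RFC 3161 2.3)

    // 1. Sign with SignedXml exactly as today; no networking here.
    public static SignedXml SignEnveloped(XmlDocument doc, X509Certificate2 cert)
    {
        var signedXml = new SignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        var reference = new Reference { Uri = "" };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.KeyInfo = new KeyInfo();
        signedXml.KeyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.ComputeSignature();
        return signedXml;
    }

    // 2. Timestamp request over the signature bytes; the random nonce ties the reply to it.
    public static Rfc3161TimestampRequest BuildRequest(SignedXml signedXml) =>
        Rfc3161TimestampRequest.CreateFromData(
            signedXml.SignatureValue!, HashAlgorithmName.SHA256,
            nonce: new ReadOnlyMemory<byte>(RandomNumberGenerator.GetBytes(16)),
            requestSignerCertificates: true);

    // 3. Transport (RFC 3161 section 3.4). ProcessResponse throws unless the status is
    //    granted and the token matches the request's imprint, hash algorithm and nonce.
    public static async Task<Rfc3161TimestampToken> RequestTokenAsync(
        Rfc3161TimestampRequest request, Uri tsaUrl, HttpClient http)
    {
        using var content = new ByteArrayContent(request.Encode());
        content.Headers.ContentType = new MediaTypeHeaderValue("application/timestamp-query");
        using HttpResponseMessage response = await http.PostAsync(tsaUrl, content);
        response.EnsureSuccessStatusCode();
        return request.ProcessResponse(await response.Content.ReadAsByteArrayAsync(), out _);
    }

    // 4. Trust the token's time only after checking its signature and imprint against our
    //    SignatureValue, and that the TSA certificate chains to a trusted root with the
    //    timeStamping EKU (VerifySignatureForData does not build the chain).
    public static DateTimeOffset ValidateToken(Rfc3161TimestampToken token, byte[] signatureValue)
    {
        if (!token.VerifySignatureForData(signatureValue, out X509Certificate2? tsaCert) || tsaCert is null)
            throw new CryptographicException("Timestamp token does not cover this signature value.");
        using var chain = new X509Chain();
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid(TimeStampingEku));
        chain.ChainPolicy.VerificationTime = token.TokenInfo.Timestamp.UtcDateTime;
        if (!chain.Build(tsaCert))
            throw new CryptographicException("TSA certificate is not trusted.");
        return token.TokenInfo.Timestamp;
    }

    // 5. Attach the DER token as an unreferenced <Object>; it is not covered by SignedInfo,
    //    so adding it after ComputeSignature leaves the signature valid.
    public static void AttachToken(SignedXml signedXml, Rfc3161TimestampToken token)
    {
        var holder = new XmlDocument();
        XmlElement el = holder.CreateElement("ts", TsElement, TsNs);
        el.InnerText = Convert.ToBase64String(token.AsSignedCms().Encode());
        signedXml.AddObject(new DataObject("SignatureTimeStamp", null, null, el));
    }

    // 6. Verifier side: check the XML signature, then recover and validate the token.
    //    The returned time is the TSA's, not whatever the signer's clock said.
    public static DateTimeOffset VerifySignedDocument(XmlDocument doc)
    {
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)[0]!);
        if (!signedXml.CheckSignature())
            throw new CryptographicException("XML signature is invalid.");
        XmlNode tsNode = doc.GetElementsByTagName(TsElement, TsNs).Item(0)
            ?? throw new CryptographicException("No timestamp token present.");
        byte[] der = Convert.FromBase64String(tsNode.InnerText);
        if (!Rfc3161TimestampToken.TryDecode(der, out Rfc3161TimestampToken? token, out _) || token is null)
            throw new CryptographicException("Malformed timestamp token.");
        return ValidateToken(token, signedXml.SignatureValue!);
    }

    public static async Task Main()
    {
        // Constructed input: a throwaway self-signed signing certificate and a small document.
        using RSA rsa = RSA.Create(2048);
        var csr = new CertificateRequest("CN=example signer", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = csr.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddYears(1));
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Contract><Amount>100</Amount></Contract>");

        SignedXml signedXml = SignEnveloped(doc, cert);
        using var http = new HttpClient();
        Rfc3161TimestampToken token = await RequestTokenAsync(BuildRequest(signedXml), new Uri(TsaUrl), http);
        ValidateToken(token, signedXml.SignatureValue!);
        AttachToken(signedXml, token);
        doc.DocumentElement!.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        Console.WriteLine($"Signed at (per TSA): {VerifySignedDocument(doc):O}");
    }
}
```

The token binds the TSA's time to the hash of the SignatureValue, so it proves the signature existed at that time regardless of the signer's local clock; that is also why the verifier reads the time from the token rather than from any Id or attribute the signer wrote. The only network call is the POST in step 3, and the same request/response bytes could be carried by any other transport on an isolated network, which is what an intranet-only TSA would need. A production verifier would also build the chain for the signing certificate with VerificationTime set to the token time, since the point of a timestamp is to keep a signature verifiable after the signing certificate expires.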

AbrarJahin commented 4 years ago

It makes sense, because not all time servers are allowed in all networks (some secured networks). Currently, the time comes from the local PC, which is problematic because the local PC time can be modified easily. If it comes from a TSA, that would surely be better than this if the app is running on a user's PC; for a server it doesn't matter as much.

If we would like to develop an application for some secured networks, such as national security, then the time should come from a TSA or some server, and not all servers are accessible in all nationally secured infrastructures. I am trying to develop an app for this type of case, where the government is willing to set up a local TSA for secured networks or intranets.

AbrarJahin commented 4 years ago

@krwq, I would like to contribute to developing this library for this case, as I am actively working in this field and it is an open-source project. Is this possible? If yes, can you please tell me how I can contribute? Thanks

krwq commented 4 years ago

@AbrarJahin really nice to hear this! A couple of ways you can help:

make sure that if you find any security bugs you do not write about them directly on GitHub, and instead write to secure@microsoft.com (and there might be a bounty for good finds if you go this way 😄)