Discuss this help topic in SecureBlackbox Forum

Add timestamp to the Authenticode signature

Contents of this article assumes you have are familiar with general Authenticode signing.

TElAuthenticodeManager allows to include timestamp into each Authenticode signature in the executable file. The process consists of the following steps:

  1. Create a request for a TSP service by calling the TElAuthenticodeSignature.StartTimestamp() method and pass the desired timestamp type. This can either be a "trusted timestamp" (a weird name applied by the Authenticode specification to a standard RFC 3161 timestamp), or a "legacy timestamp" (an older variant of the base64-encoded TSP protocol). byte[] tspRequest = signature.StartTimestamp(TSBAuthenticodeTimestampType.actTrusted); The method returns the request you have to send to a TSP service of the correspondent type. If an error occured, an exception is thrown.
  2. Send the request to the TSP service of your choise and get a reply from it. It's possible to use any transport for this.

    A sample code to send a "trusted" (RFC3161) timestamp request using TElHTTPSClient and TElHTTPTSPClient components:
    
    TElHTTPSClient httpClient = new TElHTTPSClient();
    TElHTTPTSPClient tspClient = new TElHTTPTSPClient();
    tspClient.HTTPClient = httpClient;
    
    tspClient.HashAlgorithm = signature.SignatureDigestAlgorithm;
    tspClient.RequestFormat = SBTSPClient.__Global.tsfRFC3161;
    tspClient.URL = "http://tsa.myserver.com";
    
    int serverResult = 0;
    int failureInfo = 0;
    byte[] tspReply = null;
    
    int err = tspClient.Timestamp(tspRequest, serverResult, failureInfo, tspReply);
    
    if (err != 0)
    {
        // handle the error
    }
    A sample code to send a "legacy" timestamp request using TElHTTPSClient component:
    
    TElHTTPSClient httpClient = new TElHTTPSClient();
    
    MemoryStream tempStream = new MemoryStream();
    httpClient.OutputStream = tempStream;
    
    int status = httpClient.Post("http://tsa.myserver.com", tspRequest);
    
    byte[] tspReply;
    
    if (status != 200)
    {
    	// handle the error
    }
    else
    {
    	tspReply = SBStreams.__Global.StreamReadAll(tempStream);
    }
    
  3. Call the TElAuthenticodeSignature.CompleteTimestamp() method and pass the received reply to it. The newly created timestamp becomes available using the TElAuthenticodeSignature.Timestamp property. signature.CompleteTimestamp(tspReply);

Note, that the timestamping server must support MS Authenticode timestamps. SecureBlackbox's TElCustomTSPServer does process MS Authenticode timestamping requests and produces MS Authenticode timestamping replies.

How To articles related to MS Authenticode

Discuss this help topic in SecureBlackbox Forum