Offline PDF timestamping using iText
is it possible to timestamp PDF document offline using iText or any other component?

I've googled standard solution utilizing iText and TSAClient class but it requires TSA as online service. We have certificate from TSA (including private key) whose purpose is to create timestamp signatures but I can't find any technical way how to do it with iText.

Thanks for any guidance. Richmond

Mawson answered 24/1, 2014 at 12:56 Comment(5)
have you looked at PdfStamper? (Estoppel)
You set up a time stamping server locally; then you can use it from your code as an online time stamp server. (Wieldy)
Hi, I did look at PdfStamper but all samples utilize TSA as online service (via TSAClient class). We don't have any TSA server (either online or local), we only have a certificate (including private key) from that server. (Mawson)
You can build your own TSP server and run it locally (even right in your application) or, as mkl suggested, implement your own interface. To build a TSP server (as well as perform the complete sequence of operations, including PDF signing and timestamping) you can use our SecureBlackbox library. (Vanhorn)
While this is possible on a technical level, it is not a good idea. The TSA is supposed to act as an impartial third party. If you are your own TSA you just state that "I approve that I did not lie". (Telencephalon)
I've googled standard solution utilizing iText and TSAClient class but it requires TSA as online service.

TSAClient is not a final class but merely an interface:

/**
 * Time Stamp Authority client (caller) interface.
 * <p>
 * Interface used by the PdfPKCS7 digital signature builder to call
 * Time Stamp Authority providing RFC 3161 compliant time stamp token.
 * @author Martin Brunecky, 07/17/2007
 * @since   2.1.6
 */
public interface TSAClient {
    /**
     * Get the time stamp token size estimate.
     * Implementation must return value large enough to accomodate the entire token
     * returned by getTimeStampToken() _prior_ to actual getTimeStampToken() call.
     * @return  an estimate of the token size
     */
    public int getTokenSizeEstimate();

    /**
     * Get RFC 3161 timeStampToken.
     * Method may return null indicating that timestamp should be skipped.
     * @param caller PdfPKCS7 - calling PdfPKCS7 instance (in case caller needs it)
     * @param imprint byte[] - data imprint to be time-stamped
     * @return byte[] - encoded, TSA signed data of the timeStampToken
     * @throws Exception - TSA request failed
     */
    public byte[] getTimeStampToken(PdfPKCS7 caller, byte[] imprint) throws Exception;

}

Thus, all you have to do is implement that interface to generate time stamps in any way you want. Even though the comments seem to imply some online service, you merely have to return some byte[] time stamp stamping the given byte[] imprint.

That being said, time stamping like that does not really merit the name. Can you guarantee the time stamps you intend to create to be correct within an acceptable error range?

Thus, you hardly will find an existing TSAClient implementation for that. But existing security libraries (like Bouncy Castle) should make creating time stamp request responses quite easy.

Wieldy answered 24/1, 2014 at 15:26 Comment(5)
Thanks! It looks like a good direction! I understand your point that it is certainly not typical usage of a timestamp. But we are totally ok that the timestamp would be based on local time on the server doing the timestamp. I have currently no idea how to create a timestamp over the data in the "byte[] imprint" input parameter. I reviewed SecureBlackbox and Bouncy Castle implementations and noticed only "online" implementations using a standard online TSA. Can you please guide me how to timestamp the data in the imprint parameter? (Mawson)
I am not a BouncyCastle expert. Fundamentally you could take RFC 3161 and according to the ASN.1 definitions in there build a timestamp using the BC ASN.1 builder and wrapper classes. Most likely there already is some BC helper class doing that for you. You may want to ask a separate SO question along the lines of "How to build a RFC 3161 time stamp using Bouncy Castle". That being said, "we are totally ok that timestamp would be based on local time on server doing the timestamp" - you are totally ok, but do the PDFs remain in your organization? If not, the recipients may not be. (Wieldy)
Thanks, I am well aware of the trust issue of timestamps created this way. I will ask separately about RFC 3161. I found only an implementation of it by SecureBlackbox components but they're quite expensive. (Mawson)
On the BC main page I read "Generators / Processors for TSP (RFC 3161 & RFC 5544)." The classes org.bouncycastle.tsp.TimeStampResponseGenerator and org.bouncycastle.tsp.TimeStampTokenGenerator look quite promising. (Wieldy)
Hi, yes, saw them; similar to them is CMSTimeStampedDataGenerator, which seems to do what I want. (Mawson)
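An added example, not code from the answer, from iText or from Bouncy Castle: a TSAClient implementation with the iText 2.1.x interface shape quoted above that answers the RFC 3161 request itself, using the org.bouncycastle.tsp classes named in the comments, so no network TSA is involved. Assumptions: the iText package com.lowagie.text.pdf, a Bouncy Castle release in which the TSPAlgorithms constants are ASN1ObjectIdentifier (1.50 or later), an RSA TSA key, the placeholder policy OID and the 4096-byte size estimate.

```java
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.tsp.*;
import com.lowagie.text.pdf.PdfPKCS7;   // iText 2.1.x package (assumption)
import com.lowagie.text.pdf.TSAClient;

/** TSAClient that builds the RFC 3161 token locally from the TSA key and certificate; no network. */
public class LocalTSAClient implements TSAClient {
    // Placeholder policy OID (assumption); a real deployment states its own TSA policy.
    private static final ASN1ObjectIdentifier POLICY = new ASN1ObjectIdentifier("1.2.3.4.1");
    private final TimeStampResponseGenerator responseGen;
    private final SecureRandom random = new SecureRandom();

    public LocalTSAClient(PrivateKey tsaKey, X509Certificate tsaCert) throws Exception {
        var digests = new JcaDigestCalculatorProviderBuilder().build();
        // BC checks that tsaCert carries a critical ExtendedKeyUsage of id-kp-timeStamping
        // and adds the ESSCertID of tsaCert that RFC 3161 requires in the signed attributes.
        TimeStampTokenGenerator tokenGen = new TimeStampTokenGenerator(
                new JcaSignerInfoGeneratorBuilder(digests).build(
                        new JcaContentSignerBuilder("SHA256withRSA").build(tsaKey), tsaCert),
                digests.get(new AlgorithmIdentifier(TSPAlgorithms.SHA256)), POLICY);
        tokenGen.addCertificates(new JcaCertStore(Collections.singletonList(tsaCert)));
        responseGen = new TimeStampResponseGenerator(tokenGen, TSPAlgorithms.ALLOWED);
    }

    public int getTokenSizeEstimate() { return 4096; } // space iText reserves for the token

    public byte[] getTimeStampToken(PdfPKCS7 caller, byte[] imprint) throws Exception {
        // The request's digest OID must match the imprint length, or BC rejects the request.
        ASN1ObjectIdentifier alg = imprint.length == 20 ? TSPAlgorithms.SHA1
                : imprint.length == 32 ? TSPAlgorithms.SHA256 : null;
        if (alg == null) throw new TSPException("unsupported imprint length " + imprint.length);
        TimeStampRequestGenerator reqGen = new TimeStampRequestGenerator();
        reqGen.setCertReq(true); // certificates are only embedded in the token when requested
        TimeStampRequest request = reqGen.generate(alg, imprint, new BigInteger(64, random));
        // genTime is the local clock: verifiers trust it exactly as far as they trust this key.
        TimeStampResponse response = responseGen.generate(request, new BigInteger(64, random), new Date());
        if (response.getTimeStampToken() == null)
            throw new TSPException("request rejected: " + response.getStatusString());
        response.validate(request); // nonce, imprint and digest algorithm round-trip check
        return response.getTimeStampToken().getEncoded();
    }
}
```

Pass an instance wherever the iText signing code expects a TSAClient; the serial number is drawn from SecureRandom here, whereas a real TSA must guarantee uniqueness across restarts.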
