The PDF Java Toolkit implementation of time stamping is based on the specification provided in the Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP), Request for Comments 3161 from the Internet Engineering Task Force (IETF).
The primary purpose of time stamping is to demonstrate that data in a PDF document was added at a specific date and time to that document. Timestamps do not determine the exact signing time.
Timestamping is supported for PKCS7 signature types, PKCS7-Detached and PKCS7-SHA1, but not for PKCS1 signatures.
Adding a timestamp during signing involves retrieving the timeStamp from a TimeStamping server, and adding it as an unsigned property of the PKCS7 signature. This is done in accordance with Appendix A of the RFC3161. The timeStamp is over the signature value only and is indirectly tied to the document.
For a sample of document timestamping, see TimeStampSignature.java.
To support timestamping during signing follow these steps:
- Implement the TimeStampProvider interface.
- Register your TimeStampProvider in SignatureOptions.
TimeStampProvider tsProvider = new MyTimeStampProvider();sigOptions.registerTimeStampProvider(tsProvider);
- Sign the document.
This is similar to all the other cases using the SignatureManager.sign(..) method.
sigMgr.sign(sigField, sigOptions, credentials, byteWriter);
During the signing process, the computed signature value is sent to the TimeStampProvider.setDataToTimestamp(dataToTimestamp) method.
Use TimeStampProvider.getTimeStampToken() to retrieve the hex encoded timestamptoken bytes. PDF Java Toolkit assumes that the timestamp request and response validation has happened prior to this.
The timestamp token is added as an unsigned attribute of the PKCS7 SignerInfo object using the OID string 1.2.840.1135220.127.116.11.2.14.
- Verify that the timestamp is present in the signed PDF document.
Open the signed PDF document in Acrobat, click on the Signature and view the properties. The summary should say Signature is timestamped.