
Is it possible to timestamp a PDF document offline using iText or any other component?

I've googled the standard solution utilizing iText and the TSAClient class, but it requires the TSA as an online service. We have a certificate from a TSA (including the private key) whose purpose is to create timestamp signatures, but I can't find any technical way to do it with iText.

Thanks for any guidance. Richmond

divanov
user3232054
  • Have you looked at PdfStamper? – epoch Jan 24 '14 at 13:00
  • You set up a time stamping server locally; then you can use it from your code as an online time stamp server. – mkl Jan 24 '14 at 13:26
  • Hi, I did look at PdfStamper, but all samples utilize the TSA as an online service (via the TSAClient class). We don't have any TSA server (either online or local); we only have a certificate (including the private key) from that server. – user3232054 Jan 24 '14 at 13:38
  • You can build your own TSP server and run it locally (even right in your application) or as mkl suggested, implement your own interface. To build TSP server (as well as perform the complete sequence of operations, including PDF signing and timestamping) you can use our SecureBlackbox library. – Eugene Mayevski 'Callback Jan 24 '14 at 16:20

1 Answer


I've googled the standard solution utilizing iText and the TSAClient class, but it requires the TSA as an online service.

TSAClient is not a final class but merely an interface:

```java
/**
 * Time Stamp Authority client (caller) interface.
 * <p>
 * Interface used by the PdfPKCS7 digital signature builder to call
 * Time Stamp Authority providing RFC 3161 compliant time stamp token.
 * @author Martin Brunecky, 07/17/2007
 * @since   2.1.6
 */
public interface TSAClient {
    /**
     * Get the time stamp token size estimate.
     * Implementation must return value large enough to accommodate the entire token
     * returned by getTimeStampToken() _prior_ to actual getTimeStampToken() call.
     * @return  an estimate of the token size
     */
    public int getTokenSizeEstimate();

    /**
     * Get RFC 3161 timeStampToken.
     * Method may return null indicating that timestamp should be skipped.
     * @param caller PdfPKCS7 - calling PdfPKCS7 instance (in case caller needs it)
     * @param imprint byte[] - data imprint to be time-stamped
     * @return byte[] - encoded, TSA signed data of the timeStampToken
     * @throws Exception - TSA request failed
     */
    public byte[] getTimeStampToken(PdfPKCS7 caller, byte[] imprint) throws Exception;

}
```

Thus, all you have to do is implement that interface to generate time stamps in any way you want. Even though the comments seem to imply some online service, you merely have to return some byte[] time stamp stamping the given byte[] imprint.

That being said, time stamping like that does not really merit the name. Can you guarantee the time stamps you intend to create to be correct within an acceptable error range?

Thus, you will hardly find an existing TSAClient implementation for that. But existing security libraries (like Bouncy Castle) should make creating time stamp request responses quite easy.

mkl
  • Thanks! It looks like a good direction! I understand your point that it is certainly not the typical usage of a timestamp. But we are totally ok that the timestamp would be based on the local time of the server doing the timestamping. I currently have no idea how to create a timestamp over the data in the "byte[] imprint" input parameter. I reviewed the SecureBlackbox and Bouncy Castle implementations and noticed only an "online" implementation using a standard online TSA. Can you please guide me how to timestamp the data in the imprint parameter? – user3232054 Jan 27 '14 at 07:43
  • I am not a BouncyCastle expert. Fundamentally you could take RFC 3161 and, according to the ASN.1 definitions in there, build a timestamp using the BC ASN.1 builder and wrapper classes. Most likely there already is some BC helper class doing that for you. You may want to ask a separate SO question along the lines of "How to build a RFC 3161 time stamp using Bouncy Castle". That being said, *we are totally ok that timestamp would be based on local time on server doing the timestamp* - **you** are totally ok, but do the PDFs remain in your organization? If not, **the recipients** may not be. – mkl Jan 27 '14 at 08:02
  • Thanks, I am well aware of the trust issue of timestamps created in this way. I will ask separately about RFC 3161. I found only an implementation of it by SecureBlackbox components, but they're quite expensive. – user3232054 Jan 27 '14 at 08:14
  • On the [BC main page](http://www.bouncycastle.org/) I read " **Generators** / Processors for TSP (RFC 3161 & RFC 5544)." The classes `org.bouncycastle.tsp.TimeStampResponseGenerator` and `org.bouncycastle.tsp.TimeStampTokenGenerator` look quite promising. – mkl Jan 27 '14 at 08:34
  • Hi, yes, I saw them; similar to them is CMSTimeStampedDataGenerator, which seems to do what I want. – user3232054 Jan 27 '14 at 10:02
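As an added example (not from the answer, from iText or from Bouncy Castle), this is one way to implement the TSAClient interface quoted above so that the token is signed locally with the Bouncy Castle TimeStampTokenGenerator mentioned in the comments. It assumes a recent bcpkix (1.47 or later), the older iText package `com.lowagie.text.pdf` for the quoted interface (adjust to your version), a TSA certificate carrying the critical id-kp-timeStamping extended key usage together with its private key, and a placeholder policy OID; the class name LocalTSAClient is hypothetical.

```java
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoGeneratorBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.tsp.*;
import com.lowagie.text.pdf.PdfPKCS7;   // iText 2.1.x package; adjust to your iText version
import com.lowagie.text.pdf.TSAClient;

/** TSAClient that signs RFC 3161 tokens locally with our own TSA certificate (no network). */
public class LocalTSAClient implements TSAClient {
    // Placeholder policy OID: use the policy your TSA certificate was actually issued for.
    private static final ASN1ObjectIdentifier TSA_POLICY = new ASN1ObjectIdentifier("1.2.3.4.5");
    private final TimeStampTokenGenerator tokenGen;
    private final SecureRandom rng = new SecureRandom();
    private final int tokenSizeEstimate;

    public LocalTSAClient(PrivateKey tsaKey, X509Certificate tsaCert) throws Exception {
        // The generator constructor rejects certificates lacking the critical id-kp-timeStamping EKU.
        tokenGen = new TimeStampTokenGenerator(
            new JcaSimpleSignerInfoGeneratorBuilder().build("SHA256withRSA", tsaKey, tsaCert),
            new JcaDigestCalculatorProviderBuilder().build()
                .get(new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256)), // ESSCertIDv2
            TSA_POLICY);
        tokenGen.addCertificates(new JcaCertStore(Collections.singletonList(tsaCert))); // embed cert
        tokenSizeEstimate = tsaCert.getEncoded().length + 2048; // cert plus slack for the CMS wrapper
    }

    public int getTokenSizeEstimate() { return tokenSizeEstimate; }

    public byte[] getTimeStampToken(PdfPKCS7 caller, byte[] imprint) throws Exception {
        // iText passes a raw digest; derive the imprint algorithm OID from its length.
        if (imprint.length != 20 && imprint.length != 32)
            throw new IllegalArgumentException("unsupported imprint length " + imprint.length);
        ASN1ObjectIdentifier digestAlg = imprint.length == 20 ? TSPAlgorithms.SHA1 : TSPAlgorithms.SHA256;
        TimeStampRequest request = new TimeStampRequestGenerator()
            .generate(digestAlg, imprint, new BigInteger(63, rng)); // random nonce
        // genTime is this machine's clock; the serial must be unique per issued token (RFC 3161).
        TimeStampToken token = tokenGen.generate(request, new BigInteger(63, rng), new Date());
        return token.getEncoded();
    }
}
```

Because genTime comes from the local clock, a verifier can only trust such a token as far as it trusts the machine and the key custodian, which is the point mkl raises above.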