Reputation: 1
I have an existing signed PDF and I would like to add a timestamp on this signature and, optionally, add revocation information (CRL/OCSP).
Does anyone know how I can do this in Java (preferably using the iTextpdf library)?
Thank you in advance!
Michaël
Upvotes: 0
Views: 2030
Reputation: 77606
I assume that you are referring to adding a "document security store" and "document-level timestamp" (RFC 3161) as defined in the PAdES-5 standard. This is explained in section 5.4 of my book.
This is an example of a method that can add both:
    public void addLtv(
            String src, String dest,
            OcspClient ocsp, CrlClient crl, TSAClient tsa)
            throws IOException, DocumentException, GeneralSecurityException {
        PdfReader r = new PdfReader(src);
        FileOutputStream fos = new FileOutputStream(dest);
        // Last argument 'true' = append mode, so the existing signed revisions are kept as they are
        PdfStamper stp = PdfStamper.createSignature(r, fos, '\0', null, true);
        LtvVerification v = stp.getLtvVerification();
        AcroFields fields = stp.getAcroFields();
        List<String> names = fields.getSignatureNames();
        String sigName = names.get(names.size() - 1);
        PdfPKCS7 pkcs7 = fields.verifySignature(sigName);
        if (pkcs7.isTsp())
            System.out.println("TIMESTAMP!");
        // Add revocation information (OCSP and CRL) for the whole chain of every signature
        for (String name : names) {
            v.addVerification(name, ocsp, crl,
                LtvVerification.CertificateOption.WHOLE_CHAIN,
                LtvVerification.Level.OCSP_CRL,
                LtvVerification.CertificateInclusion.NO);
        }
        // Add the document-level timestamp
        PdfSignatureAppearance sap = stp.getSignatureAppearance();
        LtvTimestamp.timestamp(sap, tsa, null);
    }
Note that this method writes "TIMESTAMP" to the System.out if the last signature that was added was a document-level timestamp.
Important: After answering this question, I saw the comment by mkl: Adding revocation information afterwards is only possible using mechanisms beyond the current PDF standard ISO 32000-1, e.g. PAdES part 4. My answer obviously assumes that you are talking about signatures applied using the PAdES standards. Maybe that wasn't clear in my first sentence starting with "I assume".
Upvotes: 3
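A way to check the file produced by the addLtv method in the answer above, as an added example that is not part of the original answer or of the iText project: it confirms that the signed bytes were only appended to, that the catalog now carries a document security store, and that the last signature is an intact document-level timestamp. It assumes iText 5 and BouncyCastle on the classpath; the class name LtvCheck and the two path arguments are hypothetical.

```java
import com.itextpdf.text.pdf.AcroFields;
import com.itextpdf.text.pdf.PdfArray;
import com.itextpdf.text.pdf.PdfDictionary;
import com.itextpdf.text.pdf.PdfName;
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.security.PdfPKCS7;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Added example: args[0] = original signed PDF, args[1] = output of addLtv().
public class LtvCheck {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        byte[] before = Files.readAllBytes(Paths.get(args[0]));
        byte[] after = Files.readAllBytes(Paths.get(args[1]));

        // 1. Append mode: the old file must be an unchanged prefix of the new one,
        //    otherwise the byte ranges of the existing signatures no longer match.
        if (after.length <= before.length
                || !Arrays.equals(before, Arrays.copyOf(after, before.length)))
            throw new IllegalStateException("signed revisions were rewritten");

        // 2. The document security store must be present in the catalog.
        PdfReader reader = new PdfReader(after);
        PdfDictionary dss = reader.getCatalog().getAsDict(PdfName.DSS);
        if (dss == null)
            throw new IllegalStateException("no /DSS entry in the catalog");
        for (PdfName key : new PdfName[] {PdfName.CERTS, PdfName.OCSPS, PdfName.CRLS}) {
            PdfArray entries = dss.getAsArray(key);
            System.out.println(key + ": " + (entries == null ? 0 : entries.size()));
        }

        // 3. Integrity of every signature (this does not validate the certificate chain).
        AcroFields fields = reader.getAcroFields();
        List<String> names = fields.getSignatureNames();
        for (String name : names) {
            PdfPKCS7 pkcs7 = fields.verifySignature(name);
            System.out.printf("%s: revision %d of %d, timestamp=%b, intact=%b%n",
                name, fields.getRevision(name), fields.getTotalRevisions(),
                pkcs7.isTsp(), pkcs7.verify());
        }
        // The last signature should be the document-level timestamp and cover the whole file.
        String last = names.get(names.size() - 1);
        if (!fields.verifySignature(last).isTsp() || !fields.signatureCoversWholeDocument(last))
            throw new IllegalStateException("last revision is not a covering timestamp");
        reader.close();
    }
}
```

An empty /OCSPs or /CRLs count means the corresponding client returned nothing for that chain, so the earlier signatures have no embedded revocation data to validate against later.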