Implement TimeStamping feature

[hidasw]

Also add some file for parsing asn.1 data, and logging (debug only).
should merged with main tcpdf.php but its not meet oop standar yet.
still use procedural style.

[CLAassistant]

All committers have signed the CLA.

[hidasw]

should before $this->applyTSA($signature)

[hidasw]

i''m increasing this size to provide enough space to place tsa response data. and sometimes need more, depend on tsa response data size.

[williamdes]

I think this file and function should be removed from this pull-request

[hidasw]

yes it for debug only

[williamdes]

can you do some code cleanup and formatting please ?
It's really hard to read

[hidasw]

I'll try to rewrite with more readable soon..

[williamdes]

can you indent this with spaces and move all this code into a protected function you would call here to fetch the signature ?
That would avoid adding that much code into this function

Also, I think you could keep the actual value of signature_max_length and only increase it (if the value < what you need) when calling the signature process ?
Would that keep other pdf documents the same as before (the ones without a signature)

[hidasw]

i think signature_max_length value have to be reserved before signing process, thats why it not set to 0. will padded by zero after signing. this value affect only signed file size to several kilobytes. Tried to lower this value around 14k and still done with apple tsa.
want move to object oriented but not at the moment. maybe to closed this pull request while i'll periodically update script.

[williamdes]

Please do not close this pull request
If you invite me on your repository I may clean up the implementation for you

[hidasw]

ok.

[williamdes]

Can I start pushing work or do you have more to push first?

[hidasw]

okay, up to you.
i'm currently improving asn.1 parser and have been stuck on recursion for last few days. cz i'm working alone.

[hidasw]

wait for awhile. i'm updating code to classes.

[williamdes]

okay, let me know

[hidasw]

I have done, please review and make some corrections if needed.
I've minimized the script, considering most of the general purpose asn.1 encoders/decoders use complex libraries.

[williamdes]

all this file seems quite old, what is it source ?
what is the license of this code ?

[hidasw]

no, it useless. just progress mark. i'm forget to remove some comment line.

[williamdes]

I think you should rename the function starting with asn1_ so it had less changes to collide with existing functions at the user level

Or prefix them with tcpdf_

[hidasw]

altough renaming that, the procedural style function too exposed indeed, plan to built a class for that but dont know how to do it. cause its so impractice when repeatedly write "new" or "$this->".

[williamdes]

use static

class Foo {
public static function doFoo() {}
}

Foo::doFoo();

Should be way easier

[hidasw]

I think so, but I need to simplify and compacting the script first.

[williamdes]

@nicolaasuni what minimal set of changes would be accepted ?

Some of it could go into a new library ?
Would everything be accepted ?

[parallels999]

https://github.com/dealfonso/sapp/blob/main/pdfsign.php

[hidasw]

https://github.com/dealfonso/sapp/blob/main/pdfsign.php

but it for signing, which already implemented here

[nicolaasuni]

@williamdes Wouldn't be possible to use the default openssl_* PHP functions (as in the current version) instead or re-implementing the cryptography function from scratch?
I will look into port this functionality into tc-lib-pdf but I am not keen on rewriting crypto libs.

[williamdes]

Thanks for the feedback, @hidasw what do you think ?

[hidasw]

We using openssl for cryptographic functions (encrypt/decrypt). For ocsp/ts/crl operations, php openssl does not have those functions natively, even for asn.1 parsing. So it requires its own independent function or using a library like phpseclib.

[williamdes]

Can you at least copy the functions from phpseclib so we can know they are safely implemented ?

[hidasw]

@williamdes
Unfortunately in phpseclib there is no function for ocsp, ts and crl. There is asn.1 function but it looks too complicated with namespace and many files included. You can compare with my script.
If you are looking for a library for ocsp, crl and ts functions, it is definitely related to the asn.1 function contained in the library. It will be difficult to separate them.

[williamdes]

This documentation is misleading since the function already existed in prior versions
could you update this to reflect that it already existed ?

[hidasw]

probably remove the previous comment, right?

[williamdes]

thanks, that's better

[williamdes]

Very nice !
When I find time I will do some polishing of the code indentation

[evamtinez]

Hi @hidasw,

I have noticed that the code does not validate the TSA URL at any point, and passing an invalid URL does not display any error. It simply does not apply the timestamp to the signature. I wanted to ask if this is a functionality planned to be added to the pull request.

Thanks

[hidasw]

@evamtinez
Last time I checked the script was running fine on php 7.4. I haven't had time to test thoroughly on php 8 or php 5.4.
What version of PHP are you currently using?
For the display error problem, I can't display it in the output buffer because it will go into the PDF file (currently I haven't used the error handler in TCPDF).
To view the log, it is in the '../signature.log' file in the TCPDF directory. Can be set in the tcpdf_cmssignature class by setting $writeLog which is true by default.
To really make sure that there are no unhandled error notifications in the PDF file, please open the PDF file in a text editor and make sure there are no PHP error notifications in the PDF file.

[evamtinez]

@evamtinez Last time I checked the script was running fine on php 7.4. I haven't had time to test thoroughly on php 8 or php 5.4. What version of PHP are you currently using? For the display error problem, I can't display it in the output buffer because it will go into the PDF file (currently I haven't used the error handler in TCPDF). To view the log, it is in the '../signature.log' file in the TCPDF directory. Can be set in the tcpdf_cmssignature class by setting $writeLog which is true by default. To really make sure that there are no unhandled error notifications in the PDF file, please open the PDF file in a text editor and make sure there are no PHP error notifications in the PDF file.

I'm using PHP 7.2.

I can see the log file correctly, but it would be helpful to get an error if the timestamp is invalid. For instance, if I set a timestamp to something like tsa.example.org (which doesn’t exist), the document appears to be signed correctly, and the process returns OK, but the PDF file doesn’t have the timestamp.

I’m handling this error in the class I'm using in my project, but I'm unsure if it needs to be directly integrated into the TCPDF library. In my implementation, before setting the timestamp, I call a validation function to check if the TSA is valid. However, this validation could be directly implemented in the setTimestamp function. What do you think?

Thanks

[hidasw]

@evamtinez
Generally tsa is optional, so it's probably better to ignore it if it fails than to abort the entire signature.

I think so.
Since first PR, I thought about providing an option to cancel the process if timestamp or LTV validation fails. But maybe this does not cancel the signature field/signature appearance that has been called, so it will provide null data in the signature which makes the signature invalid. I haven't tried it yet, maybe someday.

As a note, for the current version, if the validation process fails on one of certificate chains, then this certificate chain up to the root CA is not embedded in the pdf. (to be fixed in the next update).
Thank's for suggestion.

[evamtinez]

Hi @hidasw ,

The signature time is not being created properly because in this line you are passing a date in the format 'ymdHis' as the second parameter of the date() function instead of a timestamp.

I found this bug while working on a project that uses PHP 7.2.

Feel free to ask if you need any further assistance!

[hidasw]

plan to use strtotime or date class, but need to manage while converting 4 digits year to 2 digits. if year is 70, some app treat it as 1970 and other as 2070. also for time zone difference.

[rsvitak]

I am testing this fork and after I added the curl_setopt($ch, CURLOPT_USERPWD, 'username:password'); in the sendReq function (tcpdf_cmssignature.php) it successfuly requested the specified TSA, but I don't think the TSR was added correctly (I am testing the final pdf file with pdfsig utility though).

However, I would like to ask you if you have idea how to add ONLY the the timestamp signature, not the ID signiture /certificate?

[hidasw]

whats the mean "but I don't think the TSR was added correctly", is there a problem with tsresponse?
About timestamp only, I see that Adobe reader can do it, but I have never tried with php script. I also don't understand what the timestamp is for without a digital signature.

[rsvitak]

I am sorry for the late reply, I am struggling with this topic. Everything about PDF format and cryptography is new to me. What I am looking for perfectly demonstrates this: https://stackoverflow.com/questions/65807104/can-you-add-a-timestamped-no-tamper-proof-to-a-pdf-without-signing-it

My situation is: I have a working TSA, I am able to create a valid TSQ of a whole PDF file, send it to the TSA and I receive the valid TSR. As I am generating my PDF files in PHP (currently with DomPdf, but I believe I can switch to TCPDF) I am trying to get to the state the TSR is embedded into the PDF.

Currently I am able to embed the timestamp into the signiture, but as I have only a self generated certificate the acrobat says the validity of the signiture is unknown.

Therefore my question is how to embed ONLY the RFC3161, i.e. /Type /DocTimeStamp object into the PDF.

I do appologize for chaotic and unprecise expressions but hopefully it's understandable what I mean.

[rsvitak]

I was able to get access to an Adobe Acrobat, configure time stamp authority and sign a PDF document only with the DTS. Here is a screenshot how it's then displayed in Acrobat. This is what I need to achieve with TCPDF:

[rsvitak]

I was finally ably to achieve the same result as when adding the TSA timestamp to the document by modifying (locally) this fork.

I made a dirty solution - added support to "special" signiture certificate (signature_data['signcert']) "DTS-ONLY" which turns the signing procedure to adding just the TSR response into the /Type /DocTimeStamp PDF section.

I modified these files:
tcpdf.php:

7660c7660
<               if ($this->sign) {
---
>               if ($this->sign || !empty($this->signature_data_tsa)) {
13415a13416,13423
>               if ($this->signature_data['signcert']==='DTS-ONLY') {
>                       $out .= '<<'."\n".'/Filter /Adobe.PPKLite'."\n";
>                       $out .= '/SubFilter /ETSI.RFC3161'."\n";
>                       $out .= TCPDF_STATIC::$byterange_string."\n";
>                       $out .= '/Contents<'.str_repeat('0', $this->signature_max_length).'>'."\n";
>                       $out .= '/Type /DocTimeStamp'."\n";
>                       $out .= '/V 0'."\n";
>               } else {
13475a13484
>       }

include/tcpdf_cmssignature.php:

77a78
>     curl_setopt($ch, CURLOPT_USERPWD, $this->signature_data_tsa['username'].':'.$this->signature_data_tsa['password']);
425a429,430
> 
>     if ($this->signature_data['signcert']!=='DTS-ONLY') {
580a586,596
>    
>     } else {
>       $this->log .= ("info: DTS-ONLY starts ...\n");
>       if ($TSTInfo=self::createTimestamp($binaryData, $hashAlgorithm)) {
>          $this->log .= ("info: DTS-ONLY SUCCESS.\n");
>       } else {
>          $this->log .= ("info: DTS-ONLY FAILED!\n");
>       }
>       $pkcs7ContentInfo=$TSTInfo;
>     }
> 

I am signing my documents with this simple code now:

$pdf=new TCPDF();
$pdf->setSignature('DTS-ONLY', file_get_contents('postsignum_tsa_tsu1.pem'), '', '', 1, []);
$pdf->setTimeStamp(TSA_URL, TSA_USERNAME, TSA_PASSWORD);
$pdf->loadHtml($html);
$pdf->setSignatureAppearance(20,10,50,15);
$output=$pdf->Output($filename,'S');

I get results like this which is exactly what I wanted to achieve:

[KruzstofWren]

I was finally ably to achieve the same result as when adding the TSA timestamp to the document by modifying (locally) this fork.

I made a dirty solution - added support to "special" signiture certificate (signature_data['signcert']) "DTS-ONLY" which turns the signing procedure to adding just the TSR response into the /Type /DocTimeStamp PDF section.

I modified these files: tcpdf.php:

7660c7660
<               if ($this->sign) {
---
>               if ($this->sign || !empty($this->signature_data_tsa)) {
13415a13416,13423
>               if ($this->signature_data['signcert']==='DTS-ONLY') {
>                       $out .= '<<'."\n".'/Filter /Adobe.PPKLite'."\n";
>                       $out .= '/SubFilter /ETSI.RFC3161'."\n";
>                       $out .= TCPDF_STATIC::$byterange_string."\n";
>                       $out .= '/Contents<'.str_repeat('0', $this->signature_max_length).'>'."\n";
>                       $out .= '/Type /DocTimeStamp'."\n";
>                       $out .= '/V 0'."\n";
>               } else {
13475a13484
>       }

include/tcpdf_cmssignature.php:

425a429,430
> 
>     if ($this->signature_data['signcert']!=='DTS-ONLY') {
580a586,596
>    
>     } else {
>       $this->log .= ("info: DTS-ONLY starts ...\n");
>       if ($TSTInfo=self::createTimestamp($binaryData, $hashAlgorithm)) {
>          $this->log .= ("info: DTS-ONLY SUCCESS.\n");
>       } else {
>          $this->log .= ("info: DTS-ONLY FAILED!\n");
>       }
>       $pkcs7ContentInfo=$TSTInfo;
>     }
> 

I am signing my documents with this simple code now:

$pdf=new TCPDF();
$pdf->setSignature('DTS-ONLY', file_get_contents('postsignum_tsa_tsu1.pem'), '', '', 1, []);
$pdf->setTimeStamp(TSA_URL, TSA_USERNAME, TSA_PASSWORD);
$pdf->loadHtml($html);
$pdf->setSignatureAppearance(20,10,50,15);
$output=$pdf->Output($filename,'S');

I get results like this which is exactly what I wanted to achieve:

Please, can I ask @rsvitak i see you use postsignum TSA. Please can you help me with URL to create on this. I cant go throw autenticatin process. Many thx...
$pdf->setTimeStamp('https://tsa.postsignum.cz:444/TSS/HttpTspServer/', TSA_USERNAME, TSA_PASSWORD);
??
Many thx

[rsvitak]

@KruzstofWren I had to update the list of changes I made to the @hidasw code in my comment above, thank you for tour post. This is neccessary to add to the sendReq function in the include/tcpdf_cmssignature.pdf to make the code send the autentication data to the server:
curl_setopt($ch, CURLOPT_USERPWD, $this->signature_data_tsa['username'].':'.$this->signature_data_tsa['password']);

[hidasw]

@rsvitak
Good news, you can add support for timestamp only.
I don't know much about pdf structure.
Maybe in the future it would be nice to add an option for timestamp only.

[KruzstofWren]

@KruzstofWren I had to update the list of changes I made to the @hidasw code in my comment above, thank you for tour post. This is neccessary to add to the sendReq function in the include/tcpdf_cmssignature.pdf to make the code send the autentication data to the server: curl_setopt($ch, CURLOPT_USERPWD, $this->signature_data_tsa['username'].':'.$this->signature_data_tsa['password']);

Many thx for reaction. But still, in logs i have this fail...

info : Timestamping process start...info: sending TSA query to "https://tsa.postsignum.cz:444/TSS/HttpTspServer/"...
info : TSA query OK
info : Parsing Timestamp response...FAILED!

Something more i need edit?

[hidasw]

@KruzstofWren I had to update the list of changes I made to the @hidasw code in my comment above, thank you for tour post. This is neccessary to add to the sendReq function in the include/tcpdf_cmssignature.pdf to make the code send the autentication data to the server: curl_setopt($ch, CURLOPT_USERPWD, $this->signature_data_tsa['username'].':'.$this->signature_data_tsa['password']);

Many thx for reaction. But still, in logs i have this fail...

info : Timestamping process start...info: sending TSA query to "https://tsa.postsignum.cz:444/TSS/HttpTspServer/"... info : TSA query OK info : Parsing Timestamp response...FAILED!

Something more i need edit?

I can't test it since tsa uses authentication.
But I can analyze it if I get the tsa response.
You can save the response to a file.
In the sendReq() function before return:

  $h = fopen('tsaResp.der','w');
  fwrite($h, $body);
  fclose($h);

parse the response with openssl:
openssl asn1parse -i -inform der -in tsaResp.der

Let me know whats wrong.

[rsvitak]

I have stored my modifications to https://github.com/rsvitak/TCPDF to avoid missunderstandings with description of my modifications in my post #617 (comment).

[KruzstofWren]

@KruzstofWren I had to update the list of changes I made to the @hidasw code in my comment above, thank you for tour post. This is neccessary to add to the sendReq function in the include/tcpdf_cmssignature.pdf to make the code send the autentication data to the server: curl_setopt($ch, CURLOPT_USERPWD, $this->signature_data_tsa['username'].':'.$this->signature_data_tsa['password']);

Many thx for reaction. But still, in logs i have this fail...
info : Timestamping process start...info: sending TSA query to "https://tsa.postsignum.cz:444/TSS/HttpTspServer/"... info : TSA query OK info : Parsing Timestamp response...FAILED!
Something more i need edit?

I can't test it since tsa uses authentication. But I can analyze it if I get the tsa response. You can save the response to a file. In the sendReq() function before return:

  $h = fopen('tsaResp.der','w');
  fwrite($h, $body);
  fclose($h);

parse the response with openssl: openssl asn1parse -i -inform der -in tsaResp.der

Let me know whats wrong.

All is working great now. Only mistake is on my side....right URL for https://www.postsignum.cz is: https://www3.postsignum.cz/TSS/TSS_user/
Many thx to all, your are the best!

[KruzstofWren]

If i may, last question. Do you think is much diference bettwen SIGN or CERTIFICATE document? Images are down ... I dont see any diference. Both document have timestamp...

[rsvitak]

@KruzstofWren I am not very sure in this topic, but the difference could be in the authority that proves the "stamp"? Maybe if you could paste the "TCPDF" commands used to create the documents, or if you can provide the final PDF files, it would be easier to tell more...

[KruzstofWren]

@KruzstofWren I am not very sure in this topic, but the difference could be in the authority that proves the "stamp"? Maybe if you could paste the "TCPDF" commands used to create the documents, or if you can provide the final PDF files, it would be easier to tell more...

This two type of commands

$pdf->setTimeStamp('https://www3.postsignum.cz/TSS/TSS_user/', USER, PASS);
VS
$pdf->setTimeStamp('DTS-ONLY', USER, PASS);

And final PDF are diferent with show type of certification.... SIGN or CERTIFICATE in pannel of certification in Adobe Reader

VS