The DSS framework allows an independent document timestamping (without a signature). These are standalone time assertions, i.e. that no augmentation to the level BASELINE-T nor a creation of a signature to this level occurs.
The following Document Signature Services support the standalone timestamping :
-
PAdESService- adds a timestamp to a PDF document; -
ASiCWithCAdESService- creates a timestamped ASiC container with provided documents.
DSS also provides a validation service for timestamped documents.
When timestamping a PDF document, a standalone timestamp can be used, creating a new revision. This algorithm ensures that no existing signature nor timestamp will not be broken, for example because of adding the timestamp to the existing CMS signature (as it can be done in CAdES or XAdES, for instance). The same timestamping procedure is used for timestamping a PDF document without embedded signatures.
The code below illustrates a time-stamping process for a PDF document.
link:../../../test/java/eu/europa/esig/dss/cookbook/example/timestamp/TimestampPDFTest.java[role=include]Standalone time assertions can be used in both ASiC-S and ASiC-E containers:
* In ASiC-S a timestamp is created on the original document or a ZIP-archive containing the original documents;
* In ASiC-E a timestamp is created on a Manifest file listing the multiple data objects included in the container.
A typical example illustrating a time-stamping process that encapsulates the provided documents and the generated time-stamp to an ASiC-E container can be found below
link:../../../test/java/eu/europa/esig/dss/cookbook/example/timestamp/TimestampWithContainerTest.java[role=include]In order to create an ASiC-S, just change the expected container property in the example above:
link:../../../test/java/eu/europa/esig/dss/cookbook/example/timestamp/TimestampWithContainerTest.java[role=include]It is also worth noting that time assertions can cover each other, i.e. that a timestamp can be added over previously created timestamps. In this case, the validation data for a timestamp is incorporated within the previous (last) time assertion and the digest of that timestamp is added to the new created ArchiveManifest XML file, which is covered by a new timestamp.
This is a procedure similar to the augmentation of ASiC with CAdES with multiple LTA levels. LTA timestamps are created in different time-assertion files instead of an archive-time-stamp attribute like it is the case in a CAdES signature.
This concept is illustrated in the following schema using the ASiC format as an example
As well as a single timestamp creation, DSS provides a validation service for timestamped documents. The timestamp validation process represents the one described in section "5.4 Time-stamp validation building block" of [R09]. The validation process is similar to the signature validation process. An appropriate validator will be selected automatically. In total, DSS supports timestamp-alone validation for the following file formats:
-
Detached CMS timestamp (
DetachedTimestampValidator) - a detached signed content must be provided (or its digest); -
PDF document (
PDFDocumentValidator); -
ASiC CAdES container with a timestamp (
ASiCWithCAdESTimestampValidator).
The validation process can be run with the following inputs:
link:../../../test/java/eu/europa/esig/dss/cookbook/example/timestamp/TimestampPDFTest.java[role=include]The produced reports use the same structure as for the signature validation reports.
You can find an example of a produced timestamp Detailed Report here.