Can you add a timestamped no-tamper-proof to a PDF without “signing” it?

0
votes

When signing a PDF using digital signature, one can use a trusted timestamping service to add a time-stamp token that is signed by the timestamping authority. When viewing the signature of the PDF then, it will say that it contains a signed timestamp and that it has not been tampered with since that time (if it hasn't).

Technically what happens isn that the hash of the pdf content gets sent to the TSA (RCF3161), that hash is put into a structure together with the current timestamp (as determined by the timestamping authority) plus some metadata and that is then signed and sent back. This then provides proof that a PDF has not been changed since this point in time.

Technically it should be possible therefore to create such a timestamp proof without signing the document itself with an additional signature. Is that somehow supported though by the PDF standard (and also in terms of Acrobat Reader then being able to show this timestamp somehow)?

Of course I could just do it manually, take the SHA-256 hash of the file's binary representation, send it to the TSA service and store the received token in an external file, but preferrably I'd like to embedd the no-tamper proof into the PDF and such that Acrobat Reader can display it.

Is this possible? If so, how?

1
pdftimestampdigital-signatureacrobatrfc3161
Technically it's no problem. That's called document timestamps. See ISO 32000-2:2017 section 12.8.5 "Document timestamp (DTS) dictionary".mkl
Thank you, this indeed looks like what I'm looking for! Is this compatible with PDF/A? Is there a way to create those with Acrobat Reader? optimally I'd like to have a cli tool or be able to do it through some library - but first I want to test how they are displayed later in Acrobat Readermatthias_buehlmann

1 Answers

4
votes

You can embed pure RFC 3161 time stamps in a PDF. This construct is called a document timestamp.

This structure has been originally specified in ETSI TS 102 778-4 (Annex A.2) in 2009 as a means to purely timestamp a previously signed PDF with some validation related information added in revisions after the signed one. As PAdES developed, this specification finally found its way into ETSI EN 319 142-1 (section 5.4.3).

While ETSI could only specify the structure as extension to ISO 32000-1 (PDF 1.7), the responsible ISO committee added it to the core ISO 32000-2 (PDF 2) in 2017.

Concerning your questions in comments:

Is this compatible with PDF/A?

I think they are not compatible with PDF/A-1, PDF/A-2, and PDF/A-3. As PDF/A-4 is based on ISO 32000-2, though, I assume it will be compatible. (I have not yet had a look at ISO 19005-4...)

Is there a way to create those with Acrobat Reader?

It should be possible with some Adobe Acrobat version. It is (currently) not possible with the base Adobe Acrobat Reader version. Probably, though, Adobe Acrobat Reader with some of its fee-based, built-in tools can create them.

optimally I'd like to have a cli tool or be able to do it through some library

Any not outdated general PDF signing library should support the creation of document time stamps.

but first I want to test how they are displayed later in Acrobat Reader

Like this:

https://kb.itextpdf.com/home/it7kb/faq/how-to-enable-ltv-for-a-timestamp-signature

The first entry is a Signature with an embedded signature timestamp, the second entry is a document time stamp.