Add RFC 3161 timestamp to existing PKCS #7/CMS signature in PHP

I have created a simple (and possibly buggy) library that would allow you to add an RFC 3161 timestamp to an existing PKCS #7 or CMS signature.

Note that it has been tested only on Ubuntu 16.04 and it depends on curl package installed with apt-get.

So with this library, for adding the timestamp you only need to do something like:

$updatedCms = CmsTimestamper::addTimestampToCms($originalCmsAsPem, "");

The library and a demonstration class can be found in

Finally, to verify the previous timestamp you could save the updated CMS and verify it with the following set of commands:

# Extract CMS signature value. See RFC 3161, "APPENDIX A".
$ openssl asn1parse -noout -in cms_updated_with_ts.pem -out cms_updated_with_ts.der && dd bs=1 skip=1164 count=256 if=cms_updated_with_ts.der > cms_signature.bin
# Extract TimeStampToken from CMS.
$ openssl asn1parse -noout -in cms_updated_with_ts.pem -offset 1445 -length 1931 -out tst.der
# Verify TimeStampToken against CMS signature value.
$ openssl ts -verify -data cms_signature.bin -in tst.der -token_in -CAfile Starfield_Class_2_Certification_Authority.crt
# Display timestamp details.
$ openssl ts -reply -token_in -in tst.der -text


Leave a Reply

Your email address will not be published. Required fields are marked *