I have created a simple (and possibly buggy) library that would allow you to add an RFC 3161 timestamp to an existing PKCS #7 or CMS signature.
Note that it has been tested only on Ubuntu 16.04 and it depends on
curl package installed with
So with this library, for adding the timestamp you only need to do something like:
<?php $updatedCms = CmsTimestamper::addTimestampToCms($originalCmsAsPem, "http://tsa.starfieldtech.com");
The library and a demonstration class can be found in https://github.com/hablutzel1/phpcmstimestamper.
Finally, to verify the previous timestamp you could save the updated CMS and verify it with the following set of commands:
# Extract CMS signature value. See RFC 3161, "APPENDIX A". $ openssl asn1parse -noout -in cms_updated_with_ts.pem -out cms_updated_with_ts.der && dd bs=1 skip=1164 count=256 if=cms_updated_with_ts.der > cms_signature.bin # Extract TimeStampToken from CMS. $ openssl asn1parse -noout -in cms_updated_with_ts.pem -offset 1445 -length 1931 -out tst.der # Verify TimeStampToken against CMS signature value. $ openssl ts -verify -data cms_signature.bin -in tst.der -token_in -CAfile Starfield_Class_2_Certification_Authority.crt # Display timestamp details. $ openssl ts -reply -token_in -in tst.der -text