時間戳記¶

use NextPDF\Security\TsaClient;
use NextPDF\Security\TsaConfig;

$tsa = TsaClient::create(
    config: TsaConfig::create(
        url: 'https://tsa.example.com/tsa',
        hashAlgorithm: 'SHA-256',
        timeout: 30,  // 秒
    ),
);

// 手動請求時間戳記（測試用）
$hash = hash('sha256', $documentContent, binary: true);
$timestampToken = $tsa->requestTimestamp(
    hashedMessage: $hash,
    nonce: random_bytes(8),  // 防重放攻擊
    requestCertificate: true, // 在回應中包含 TSA 憑證
);

// timestampToken 為 DER 編碼的 TimeStampToken（TSTInfo）

use NextPDF\Security\PadesOrchestrator;
use NextPDF\Security\SigningOptions;
use NextPDF\Security\SignatureLevel;

$orchestrator = PadesOrchestrator::create(tsa: $tsa);

$signedPdf = $orchestrator->sign(
    pdf: $pdfBytes,
    certificate: $cert,
    options: SigningOptions::create(
        level: SignatureLevel::PadesB_T,  // 自動請求時間戳記
    ),
);

use NextPDF\Security\DocumentTimestampOptions;

// 對整份 PDF 加蓋文件時間戳記（不含憑證簽章）
$timestampedPdf = $orchestrator->addDocumentTimestamp(
    pdf: $pdfBytes,
    options: DocumentTimestampOptions::create(
        fieldName: 'DocumentTimestamp',
        pageNumber: 1,
        position: Rectangle::fromXY(x: 100.0, y: 10.0, width: 70.0, height: 15.0),
    ),
);

use NextPDF\Security\TimestampValidator;

$validator = TimestampValidator::create();
$result = $validator->validateToken(
    token: $timestampToken,
    trustedRoots: TrustStore::fromFile('/path/to/trusted-roots.pem'),
);

if ($result->isValid()) {
    $genTime = $result->getGenerationTime();
    echo "Timestamp issued at: " . $genTime->format(DateTimeInterface::RFC3339);
}