A time-stamp signer in SignServer acquires the current time through its configured TimeSource. The SignServer TimeSource implementation is responsible for returning the time (if available). The time-stamp signer calls the TimeSource for every request to get the current time.
If the current time cannot be acquired from the TimeSource, the time-stamp signer will not issue the time-stamp token and instead respond to the signing request with the failure message: "Time source is not available".
Time source implementations
The following time source implementations are available in SignServer:
- LocalComputerTimeSource: Time received from the local operating system.
- StatusReadingLocalComputerTimeSource: Time received from the local operating system with the additional condition that the time is considered to be in sync with a reliable time source (according to ETSI EN 319 421 - V1.1.1 (2016-03).
Local computer time source
The default implementation is called the LocalComputerTimeSource which gets the time from the operating system. Using this TimeSource the time is always available, however it relies on the time as configured on the local server which might not be synchronized with a reliable time source. This TimeSource will not detect if the time jumps or drifts out of synchronization.
Status reading local computer time source
The TimeSource implementation StatusReadingLocalComputerTimeSource also gets the time from the operating system but only if the time is considered to be in sync with a reliable time source.
In SignServer, the StatusRepository component contains a set of pre-defined named properties. Each property can have a value and an optional expiration time. The value of status properties (and their expiration) can be updated by external applications and/or scripts using the command line interface, or by calling a special worker. Signers can query the StatusRepository for the value of a property that has not yet expired.
The TimeSource will query a property called TIMESOURCE0_INSYNC and if enabled and not expired, the time source will consider the time to be in sync with a reliable time source.
It is the responsibility of an external application and/or service (such as the SignServer TimeMonitor) to monitor the status of the local time and update the status property accordingly. By setting the status to in sync, the external application asserts that it has checked that the local time was synchronized with some configured accuracy with a reliable time source at the time the property was updated. By also setting an expiration time on the value, the application can indicate a maximum time the assertion is valid, and the application is expected to update the value before that. This assures that if the monitoring application fails for any reason, the value will expire and no more time-stamp tokens are issued until it is back.
It is assumed that the monitoring application performs its checks of the local time and updates the status properties often as this has a direct impact on the number of time-stamp tokens that could be incorrectly issued after a loss of time synchronization has happened.