Signing and timestamping at the same time VS signing and timestamping later


I'm building a digital signature module that must conform to EU digital signature directives.

I'm starting from an old but well-working Java module to sign documents in CAdES format. Also, the application is made up of a client (desktop JAR executable) and a server part. The client has been developed only to interact with a smart card that is connected to a USB reader; the rest happens on the web server.

Current signing clients support two ways of signing and timestamping a file: I can use the "Sign and timestamp" function or I can first sign a document and then timestamp it.

From the legal point of view, both produce the same result.

My question is: from the technical point of view, is it correct to state that when I sign a document with CAdES (RFC 5126, 140 pages that I haven't been able to read in full) the output file is the same both when I use a combined "sign and timestamp" function and when I use the two functions in sequence?

Let me rephrase: is it not possible according to the standard to have an enclosure that both represents a digital signature and a timestamp? Does the standard require to timestamp the signed document or vice versa?

What I want to achieve is to sign the document on the client side (using the smart card) and then timestamp the file on the server (without touching the old client code), producing the same exact result as if I were signing and timestamping a file on the client.
