It's a pure-php RFC3161 Client (query, reply, no verify). Targeting minimal dependencies: only curl, hash extensions needed. It does not shell out to openssl. The ASN.1/DER Encoding is "hand-crafted".

This only supports SHA512 hashes in the Query.

This client is supplied the end-point on creation, it creates the hash and query and then requests the reply. Both of those string-data (tsq, tsr) should be saved along w/the content that would be verifed.

$url = 'https://freetsa.org/tsr'; // Pick One
$tac = new \Edoceo\Radix\RFC3161($url);
$tsq = $tac->query($file);
$tsr = $tac->reply();

The files can be manually examined using the openssl too.

# View Query:
openssl ts -query -in tsa-query.der -text
# View Reply:
openssl ts -reply -in tsa-reply.der -text

This library does not support verification, it's better left to an external/independent tool. Generally, the person doing the verification is different than the person doing the assertion.

openssl ts -verify \
	-queryfile tsa-query.der -in tsa-reply.der \
	-CAfile tsa-root.pem -untrusted tsa-cert.pem

There are loads of them, this gist is pretty complete.

• url: http://timestamp.apple.com/ts01
• docs: ?

You'll need to fetch the certificates from Apple Certificate Authority. Once downloaded, they should be converted

wget https://www.apple.com/appleca/AppleIncRootCertificate.cer
openssl x509 -inform der -in AppleIncRootCertificate.cer -out AppleIncRootCertificate.pem
wget https://www.apple.com/certificateauthority/AppleTimestampCA.cer
openssl x509 -in AppleTimestampCA.cer -out AppleTimestampCA.pem

• url: http://timestamp.digicert.com/
• docs: https://knowledge.digicert.com/solution/SO912.html

This system requires an account with DigiStamp.

• url: https://tsa.digistamp.com
• docs: https://www.digistamp.com/support/repository-of-timestamp-public-key-certificates

Delivers what it says on the tin; not as widely trusted as others (yet)

• url: https://freetsa.org/tsr