diff --git a/pythonProject/sign_individual_protected_CA.py b/pythonProject/sign_individual_protected_CA.py
new file mode 100644
index 0000000..019d349
--- /dev/null
+++ b/pythonProject/sign_individual_protected_CA.py
@@ -0,0 +1,29 @@
+from sign import SignOrchestrator
+
+"""
+This is a script to sign a file with the dummy assets
+
+It is created mainly for testing purpose
+"""
+
+orchestrator = SignOrchestrator('/run/user/1000/ca/cachet.p12',
+ '/home/julien/dev/chill/sign-pdf-worker/ts-authority/vendee-tsa.conf',
+ 'xxxxxxxxxxxxxxxxxxx',
+ '/run/user/1000/ca/tsa-chain.pem',
+ pkcs12_password=b"xxxxxxxxxxxxxxxx")
+
+with open('./assets/test.pdf', 'rb') as input:
+ signed_content = orchestrator.sign(reason="first signer", signature_index=0,
+ input_content=input.read(), box_place=(300, 600, 500, 660), on_page=0,
+ signer_text="Mme Caroline Diallo")
+
+ with open('./assets/test_signed_0.pdf', 'wb') as output:
+ output.write(signed_content.read())
+
+with open('./assets/test_signed_0.pdf', 'rb') as input:
+ signed_content = orchestrator.sign(reason="second signer", signature_index=1,
+ input_content=input.read(), box_place=(100, 600, 300, 660), on_page=0,
+ signer_text="M. Bah Mamadou")
+
+ with open('./assets/test_signed_1.pdf', 'wb') as output:
+ output.write(signed_content.read())
diff --git a/ts-authority/README.md b/ts-authority/README.md
index 8da5311..7b8bdd0 100644
--- a/ts-authority/README.md
+++ b/ts-authority/README.md
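Review bot: The credentials handed to SignOrchestrator — the third positional argument `'xxxxxxxxxxxxxxxxxxx'` and `pkcs12_password=b"xxxxxxxxxxxxxxxx"` — are hard-coded in the script, so it only runs once someone pastes real secrets into it, at which point they are one commit away from the repository history. Read them from the environment instead, e.g. `pkcs12_password=os.environ["PKCS12_PASSWORD"].encode()` with `import os` at the top, and do the same for the third argument; what that argument is cannot be told from this hunk because SignOrchestrator's signature lives in sign.py. The absolute paths `/run/user/1000/ca/...` and `/home/julien/...` tie the script to one workstation, so a short comment or a constants block at the top marking them as local-test-only would help the next reader. Minor: `input` shadows the builtin in both `with` blocks, and the triple-quoted string placed after the import is not a module docstring (`__doc__` only picks up a string that is the first statement), so move it above the import.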
@@ -151,3 +151,17 @@ The OK response ensures that the original signed timestamp is correctly authoriz
 openssl ts -verify -data /etc/hosts -in /tmp/response.tsr -CAfile ca/root-ca.pem -untrusted ca/tsa.pem
 ```
+
+# Préparation pour Vendée
+
+## Extraire les infos
+
+```bash
+openssl pkcs12 -info -in horodatage.p12 -legacy
+```
+
+Ca demandera un mot de passe pour déchiffrer, et un autre mot de passe pour chiffrer la clé qui apparaitra.
+
+- on recopie la clé et on fait un copier-coller dans /run/user/1000/ca/private/tsa.key
+- on recopie tous les certificats, on supprime les interligne, et on colle ça dans /run/user/1000/ca/tsa-chain.pem
+- on recopie le premier certificat, pour céer /run/user/1000/ca/tsa.crt
diff --git a/ts-authority/vendee-tsa.conf b/ts-authority/vendee-tsa.conf
new file mode 100644
index 0000000..ed803ce
--- /dev/null
+++ b/ts-authority/vendee-tsa.conf
@@ -0,0 +1,46 @@
+#
+# rootca.conf
+#
+# See Ristic OpenSSL Cookbook URL above.
+
+oid_section = new_oids
+
+[ new_oids ]
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+
+
+[ tsa ]
+
+default_tsa = tsa_config1
+
+[ tsa_config1 ]
+dir = /run/user/1000/ca # TSA root directory, same as root-ca
+serial = $dir/tsa_serial # current serial number (mandatory)
+signer_cert = $dir/tsa.crt # signing certificate (optional)
+certs = $dir/tsa-chain.pem # certification chain (optional)
+signer_key = $dir/private/tsa.key # tsa private key (optional)
+default_policy = tsa_policy1
+signer_digest = sha256 # digest to use for signing (optional)
+other_policies = tsa_policy2,tsa_policy3 # other policies (optional)
+digests = sha256,sha384,sha512 # acceptable digests (mandatory)
+accuracy = secs:1,millisecs:500,microsecs:100 # accuracy optional
+ordering = yes # is ordering defined? (optional, default: no)
+tsa_name = yes # must tsa name be included in reply? (opt., default: no)
+ess_cert_id_chain = yes # must ess cert id change be incl? (opt., default: no)
+ess_cert_id_alg = sha256 # alg to compute cert. id (optional, default: sha1)
+
+# added, was missing in the blog post
+crypto_device = builtin
+
+# The tsa_ext extension is
+# used to create the tsa cert tsa.crt
+
+[ tsa_ext ]
+
+authorityKeyIdentifier = keyid:always
+basicConstraints = critical,CA:false
+extendedKeyUsage = critical,timeStamping
+keyUsage = critical,nonRepudiation
+subjectKeyIdentifier = hash
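Review bot: The header comment `# rootca.conf` / `# See Ristic OpenSSL Cookbook URL above.` is stale for this file — it is vendee-tsa.conf and there is no URL above it — so replace it with a line that names what the configuration is for, e.g. `# vendee-tsa.conf - OpenSSL ts(1) configuration for the Vendée timestamping signer; see ts-authority/README.md`. `signer_key = $dir/private/tsa.key` with `dir = /run/user/1000/ca` points at a key that the README hunk in this same commit describes pasting in as decrypted PEM under a per-user runtime directory, so a comment on that line stating that the key is stored unencrypted and that `private/` is expected to be owner-only would make the operational assumption explicit; whether that directory survives a reboot depends on the host and is not visible here. Also the trailing comment on `ess_cert_id_chain` reads `must ess cert id change be incl?`, a typo for `chain`.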