Compare commits

...

4 Commits

Author SHA1 Message Date
34857ae4b0 Allow the signature_index to be None
When the signature_index is not set, the name's sinature zone is generated from a random int.
2024-10-15 07:47:58 +02:00
89cb05fce1 Add openssl to Dockerfile
This change adds the openssl CLI to the Dockerfile to ensure necessary cryptographic functionalities are available. It helps in maintaining secure communications and other operations that depend on openssl.
2024-10-11 16:19:32 +02:00
3716c3ce78 create a new script dedicated for signing for vendee certificates 2024-10-11 16:13:34 +02:00
c8042a6f84 Integrate local OpenSSL TSA for timestamping
Replaced HTTPTimeStamper with LocalOpensslTimestamp for TSA operations using a local OpenSSL CLI. Updated related configurations and dependencies to support this change, enhancing the timestamping process's reliability and security.
2024-10-11 16:13:34 +02:00
9 changed files with 187 additions and 17 deletions

View File

@@ -4,6 +4,9 @@ FROM python:3.10-alpine
# Set working directory
WORKDIR /app
# add required clis
RUN apk add --no-cache openssl
# Copy requirements.txt to the Docker container
COPY requirements.txt .

View File

@@ -1,4 +1,5 @@
import io
from random import randint
from typing import Optional
from pyhanko import stamp
@@ -7,11 +8,15 @@ from pyhanko.sign import signers, timestamps, fields
from pyhanko_certvalidator import ValidationContext
from typing_extensions import Buffer
from pythonProject.timestamp import LocalOpensslTimestamp
class SignOrchestrator:
"""Orchestrate the signature on document"""
def __init__(self, pkcs12_path: str, timestamp_url: str, pkcs12_password: Optional[bytes] = None):
def __init__(self, pkcs12_path: str,
tsa_config_path: str, tsa_password: str, tsa_cert_chain: str,
pkcs12_password: Optional[bytes] = None):
# Load signer key material from PKCS#12 file
# This assumes that any relevant intermediate certs are also included
# in the PKCS#12 file.
@@ -20,9 +25,7 @@ class SignOrchestrator:
)
# Set up a timestamping client to fetch timestamps tokens
self.timestamper = timestamps.HTTPTimeStamper(
url=timestamp_url,
)
self.timestamper = LocalOpensslTimestamp(tsa_config_path, tsa_password, tsa_cert_chain)
self.stamp_style = stamp.TextStampStyle(
stamp_text="Signé par:\n%(signer_text)s\nLe %(ts)s",
@@ -47,8 +50,8 @@ class SignOrchestrator:
reason=reason,
)
def sign(self, reason: str, signature_index: int, input_content: Buffer, on_page: int, box_place: (int, int, int, int), signer_text: str) -> io.BytesIO:
field_name = 'Signature' + str(signature_index)
def sign(self, reason: str, signature_index: int|None, input_content: Buffer, on_page: int, box_place: (int, int, int, int), signer_text: str) -> io.BytesIO:
field_name = 'Signature' + str(signature_index) if signature_index is not None else 'Signature'+ str(randint(1000, 99999999999))
signature_meta = self._make_signature_metadata(reason, field_name)
pdf_signer = signers.PdfSigner(

View File

@@ -1,9 +1,19 @@
from sign import SignOrchestrator
orchestrator = SignOrchestrator('./assets/dummy.p12','http://freetsa.org/tsr', pkcs12_password=None)
"""
This is a script to sign a file with the dummy assets
It is created mainly for testing purpose
"""
orchestrator = SignOrchestrator('./assets/dummy.p12',
'/home/julien/dev/chill/sign-pdf-worker/ts-authority/rootca.conf',
'5678',
'/home/julien/dev/chill/sign-pdf-worker/ts-authority/ca/tsa-chain.pem',
pkcs12_password=None)
with open('./assets/test.pdf', 'rb') as input:
signed_content = orchestrator.sign(reason="first signer", signature_index=0,
signed_content = orchestrator.sign(reason="first signer", signature_index=None,
input_content=input.read(), box_place=(300, 600, 500, 660), on_page=0,
signer_text="Mme Caroline Diallo")
@@ -11,9 +21,9 @@ with open('./assets/test.pdf', 'rb') as input:
output.write(signed_content.read())
with open('./assets/test_signed_0.pdf', 'rb') as input:
signed_content = orchestrator.sign(reason="second signer", signature_index=1,
input_content=input.read(), box_place=(100, 600, 300, 660), on_page=0,
signer_text="M. Bah Mamadou")
signed_content = orchestrator.sign(reason="second signer", signature_index=None,
input_content=input.read(), box_place=(100, 600, 300, 660), on_page=0,
signer_text="M. Bah Mamadou")
with open('./assets/test_signed_1.pdf', 'wb') as output:
output.write(signed_content.read())
with open('./assets/test_signed_1.pdf', 'wb') as output:
output.write(signed_content.read())

View File

@@ -0,0 +1,29 @@
from sign import SignOrchestrator
"""
This is a script to sign a file with the dummy assets
It is created mainly for testing purpose
"""
orchestrator = SignOrchestrator('/run/user/1000/ca/cachet.p12',
'/home/julien/dev/chill/sign-pdf-worker/ts-authority/vendee-tsa.conf',
'xxxxxxxxxxxxxxxxxxx',
'/run/user/1000/ca/tsa-chain.pem',
pkcs12_password=b"xxxxxxxxxxxxxxxx")
with open('./assets/test.pdf', 'rb') as input:
signed_content = orchestrator.sign(reason="first signer", signature_index=0,
input_content=input.read(), box_place=(300, 600, 500, 660), on_page=0,
signer_text="Mme Caroline Diallo")
with open('./assets/test_signed_0.pdf', 'wb') as output:
output.write(signed_content.read())
with open('./assets/test_signed_0.pdf', 'rb') as input:
signed_content = orchestrator.sign(reason="second signer", signature_index=1,
input_content=input.read(), box_place=(100, 600, 300, 660), on_page=0,
signer_text="M. Bah Mamadou")
with open('./assets/test_signed_1.pdf', 'wb') as output:
output.write(signed_content.read())

View File

@@ -0,0 +1,64 @@
import logging
import os
from asn1crypto import tsp
from asn1crypto.tsp import TimeStampResp
from pyhanko.sign.timestamps import TimeStamper
import subprocess
LOGGER = logging.getLogger(__name__)
LOGGER.setLevel(os.environ.get('LOG_LEVEL', logging.DEBUG))
class LocalOpensslTimestamp(TimeStamper):
"""
Apply a timestamp using a local openssl cli.
The class provides methods to request a timestamp response from a local OpenSSL TSA cli.
"""
def __init__(self, path_config: str, password: str, path_chain: str):
super().__init__()
self.path_conf = path_config
self.password = password
self.path_chain = path_chain
def request_tsa_response(self, req: tsp.TimeStampReq) -> tsp.TimeStampResp:
with open('/tmp/request.tsq', 'wb') as request:
request.write(req.dump())
cmd = [
'openssl', 'ts', '-reply',
'-config', self.path_conf,
'-queryfile', '/tmp/request.tsq',
'-chain', self.path_chain,
'-out', '/tmp/response.tsr',
'-passin', f'pass:{self.password}'
]
try:
subprocess.run(cmd, capture_output=True, check=True, timeout=10)
except subprocess.CalledProcessError as e:
LOGGER.error("Could not generate a timestamp")
LOGGER.error(f"response code: {e.returncode}")
LOGGER.error(f"stderr: {e.stderr}")
LOGGER.error(f"stdout: {e.stdout}")
LOGGER.error(f"error: {e.output}")
raise Exception("could not generate a timestamp")
except subprocess.TimeoutExpired as e:
LOGGER.error("timeout expired")
LOGGER.error(f"stderr: {e.stderr}")
LOGGER.error(f"stdout: {e.stdout}")
LOGGER.error(f"error: {e.output}")
raise e
with open('/tmp/response.tsr', mode='rb') as f:
tsp = TimeStampResp.load(f.read())
os.unlink('/tmp/response.tsr')
return tsp
async def async_request_tsa_response(self, req: tsp.TimeStampReq) -> tsp.TimeStampResp:
return self.request_tsa_response(req)

View File

@@ -19,13 +19,14 @@ for v in ['AMQP_URL', 'PKCS12_PATH', 'TIMESTAMP_URL', 'QUEUE_IN', 'EXCHANGE_OUT'
DSN = os.environ.get('AMQP_URL')
PKCS12_PATH = os.environ.get('PKCS12_PATH')
TIMESTAMP_URL = os.environ.get('TIMESTAMP_URL')
QUEUE_IN = os.environ.get('QUEUE_IN')
EXCHANGE_OUT = os.environ.get('EXCHANGE_OUT')
OUT_ROUTING_KEY = os.environ.get('OUT_ROUTING_KEY')
TSA_CONFIG_PATH = os.environ.get('TSA_CONFIG_PATH')
TSA_CERT_CHAIN = os.environ.get('TSA_CERT_CHAIN')
TSA_KEY_PASSWORD = os.environ.get('TSA_KEY_PASSWORD')
orchestrator = sign.SignOrchestrator(PKCS12_PATH, TIMESTAMP_URL, pkcs12_password=os.environ.get('PKCS12_PASSWORD', None))
orchestrator = sign.SignOrchestrator(PKCS12_PATH, TSA_CONFIG_PATH, TSA_KEY_PASSWORD, TSA_CERT_CHAIN, pkcs12_password=os.environ.get('PKCS12_PASSWORD', None))
parameters = pika.URLParameters(DSN)
connection = pika.BlockingConnection(parameters)

View File

@@ -151,3 +151,17 @@ The OK response ensures that the original signed timestamp is correctly authoriz
openssl ts -verify -data /etc/hosts -in /tmp/response.tsr -CAfile ca/root-ca.pem -untrusted ca/tsa.pem
```
# Préparation pour Vendée
## Extraire les infos
```bash
openssl pkcs12 -info -in horodatage.p12 -legacy
```
Ca demandera un mot de passe pour déchiffrer, et un autre mot de passe pour chiffrer la clé qui apparaitra.
- on recopie la clé et on fait un copier-coller dans /run/user/1000/ca/private/tsa.key
- on recopie tous les certificats, on supprime les interligne, et on colle ça dans /run/user/1000/ca/tsa-chain.pem
- on recopie le premier certificat, pour céer /run/user/1000/ca/tsa.crt

View File

@@ -138,7 +138,7 @@ subjectKeyIdentifier = hash
default_tsa = tsa_config1
[ tsa_config1 ]
dir = . # TSA root directory, same as root-ca
dir = /home/julien/dev/chill/sign-pdf-worker/ts-authority # TSA root directory, same as root-ca
serial = $dir/ca/tsa_serial # current serial number (mandatory)
signer_cert = $dir/ca/tsa.crt # signing certificate (optional)
certs = $dir/ca/tsa-chain.pem # certification chain (optional)

View File

@@ -0,0 +1,46 @@
#
# rootca.conf
#
# See Ristic OpenSSL Cookbook URL above.
oid_section = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = /run/user/1000/ca # TSA root directory, same as root-ca
serial = $dir/tsa_serial # current serial number (mandatory)
signer_cert = $dir/tsa.crt # signing certificate (optional)
certs = $dir/tsa-chain.pem # certification chain (optional)
signer_key = $dir/private/tsa.key # tsa private key (optional)
default_policy = tsa_policy1
signer_digest = sha256 # digest to use for signing (optional)
other_policies = tsa_policy2,tsa_policy3 # other policies (optional)
digests = sha256,sha384,sha512 # acceptable digests (mandatory)
accuracy = secs:1,millisecs:500,microsecs:100 # accuracy optional
ordering = yes # is ordering defined? (optional, default: no)
tsa_name = yes # must tsa name be included in reply? (opt., default: no)
ess_cert_id_chain = yes # must ess cert id change be incl? (opt., default: no)
ess_cert_id_alg = sha256 # alg to compute cert. id (optional, default: sha1)
# added, was missing in the blog post
crypto_device = builtin
# The tsa_ext extension is
# used to create the tsa cert tsa.crt
[ tsa_ext ]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = critical,timeStamping
keyUsage = critical,nonRepudiation
subjectKeyIdentifier = hash