Create a dedicated timestamper which use the openssl cli and custom certificates #2
29
pythonProject/sign_individual_protected_CA.py
Normal file
29
pythonProject/sign_individual_protected_CA.py
Normal file
@ -0,0 +1,29 @@
|
||||
from sign import SignOrchestrator
|
||||
|
||||
"""
|
||||
This is a script to sign a file with the dummy assets
|
||||
|
||||
It is created mainly for testing purpose
|
||||
"""
|
||||
|
||||
orchestrator = SignOrchestrator('/run/user/1000/ca/cachet.p12',
|
||||
'/home/julien/dev/chill/sign-pdf-worker/ts-authority/vendee-tsa.conf',
|
||||
'xxxxxxxxxxxxxxxxxxx',
|
||||
'/run/user/1000/ca/tsa-chain.pem',
|
||||
pkcs12_password=b"xxxxxxxxxxxxxxxx")
|
||||
|
||||
with open('./assets/test.pdf', 'rb') as input:
|
||||
signed_content = orchestrator.sign(reason="first signer", signature_index=0,
|
||||
input_content=input.read(), box_place=(300, 600, 500, 660), on_page=0,
|
||||
signer_text="Mme Caroline Diallo")
|
||||
|
||||
with open('./assets/test_signed_0.pdf', 'wb') as output:
|
||||
output.write(signed_content.read())
|
||||
|
||||
with open('./assets/test_signed_0.pdf', 'rb') as input:
|
||||
signed_content = orchestrator.sign(reason="second signer", signature_index=1,
|
||||
input_content=input.read(), box_place=(100, 600, 300, 660), on_page=0,
|
||||
signer_text="M. Bah Mamadou")
|
||||
|
||||
with open('./assets/test_signed_1.pdf', 'wb') as output:
|
||||
output.write(signed_content.read())
|
@ -151,3 +151,17 @@ The OK response ensures that the original signed timestamp is correctly authoriz
|
||||
openssl ts -verify -data /etc/hosts -in /tmp/response.tsr -CAfile ca/root-ca.pem -untrusted ca/tsa.pem
|
||||
```
|
||||
|
||||
|
||||
# Préparation pour Vendée
|
||||
|
||||
## Extraire les infos
|
||||
|
||||
```bash
|
||||
openssl pkcs12 -info -in horodatage.p12 -legacy
|
||||
```
|
||||
|
||||
Ca demandera un mot de passe pour déchiffrer, et un autre mot de passe pour chiffrer la clé qui apparaitra.
|
||||
|
||||
- on recopie la clé et on fait un copier-coller dans /run/user/1000/ca/private/tsa.key
|
||||
- on recopie tous les certificats, on supprime les interligne, et on colle ça dans /run/user/1000/ca/tsa-chain.pem
|
||||
- on recopie le premier certificat, pour céer /run/user/1000/ca/tsa.crt
|
||||
|
46
ts-authority/vendee-tsa.conf
Normal file
46
ts-authority/vendee-tsa.conf
Normal file
@ -0,0 +1,46 @@
|
||||
#
|
||||
# rootca.conf
|
||||
#
|
||||
# See Ristic OpenSSL Cookbook URL above.
|
||||
|
||||
oid_section = new_oids
|
||||
|
||||
[ new_oids ]
|
||||
tsa_policy1 = 1.2.3.4.1
|
||||
tsa_policy2 = 1.2.3.4.5.6
|
||||
tsa_policy3 = 1.2.3.4.5.7
|
||||
|
||||
|
||||
[ tsa ]
|
||||
|
||||
default_tsa = tsa_config1
|
||||
|
||||
[ tsa_config1 ]
|
||||
dir = /run/user/1000/ca # TSA root directory, same as root-ca
|
||||
serial = $dir/tsa_serial # current serial number (mandatory)
|
||||
signer_cert = $dir/tsa.crt # signing certificate (optional)
|
||||
certs = $dir/tsa-chain.pem # certification chain (optional)
|
||||
signer_key = $dir/private/tsa.key # tsa private key (optional)
|
||||
default_policy = tsa_policy1
|
||||
signer_digest = sha256 # digest to use for signing (optional)
|
||||
other_policies = tsa_policy2,tsa_policy3 # other policies (optional)
|
||||
digests = sha256,sha384,sha512 # acceptable digests (mandatory)
|
||||
accuracy = secs:1,millisecs:500,microsecs:100 # accuracy optional
|
||||
ordering = yes # is ordering defined? (optional, default: no)
|
||||
tsa_name = yes # must tsa name be included in reply? (opt., default: no)
|
||||
ess_cert_id_chain = yes # must ess cert id change be incl? (opt., default: no)
|
||||
ess_cert_id_alg = sha256 # alg to compute cert. id (optional, default: sha1)
|
||||
|
||||
# added, was missing in the blog post
|
||||
crypto_device = builtin
|
||||
|
||||
# The tsa_ext extension is
|
||||
# used to create the tsa cert tsa.crt
|
||||
|
||||
[ tsa_ext ]
|
||||
|
||||
authorityKeyIdentifier = keyid:always
|
||||
basicConstraints = critical,CA:false
|
||||
extendedKeyUsage = critical,timeStamping
|
||||
keyUsage = critical,nonRepudiation
|
||||
subjectKeyIdentifier = hash
|
Loading…
Reference in New Issue
Block a user