sign-pdf-worker/ts-authority
Julien Fastré c8042a6f84
Integrate local OpenSSL TSA for timestamping
Replaced HTTPTimeStamper with LocalOpensslTimestamp for TSA operations using a local OpenSSL CLI. Updated related configurations and dependencies to support this change, enhancing the timestamping process's reliability and security.
2024-10-11 16:13:34 +02:00
..
.gitignore write readme to generate timestamps 2024-10-11 12:43:25 +02:00
README.md write readme to generate timestamps 2024-10-11 12:43:25 +02:00
rootca.conf Integrate local OpenSSL TSA for timestamping 2024-10-11 16:13:34 +02:00

Set up CA

Sources:

Create directory

# mkdir certs db private  ## should already be created
# chmod 700 private  ## should already be set
touch db/index
openssl rand -hex 16 > db/serial
echo 1001 >  db/crlnumber
echo 01 > tsa_serial

Create files for certificate authority

Create a new private key and root CA certificate request in one step:

openssl req -new -newkey rsa:2048 -config ./rootca.conf -out ca/root-ca.csr -keyout ca/private/root-ca.key

Dont forget the password youll need it again and again below.

Now self-sign the certificate request.

openssl ca -selfsign -config ./rootca.conf -in ca/root-ca.csr -out ca/root-ca.crt -extensions ca_ext

Check the certificate:

openssl x509 -text -in ca/root-ca.crt -noout

Create certificate for timestamp

To proceed, we first make a key and a certificate request for a non-CA certificate. We use the -subj option so we dont have to use a configuration file for this step. The Country (C=US) and Organization (O=Example Inc.) elements must match the root certificate.

openssl req -new \
    -newkey rsa:2048 \
    -subj "/C=US/O=Example Inc./OU=Engineering/CN=Example Inc. TSA Responder" \
    -keyout ca/private/tsa.key \
    -out ca/tsa.csr

You should use a different password for the tsa.key private key.

Then we generate a non-CA certificate using the -extension tsa_ext command line option which points to the required extendedKeyUsage in the configuration file.

openssl ca -config ./rootca.conf -in ca/tsa.csr -out ca/tsa.crt -extensions tsa_ext -days 365

Sign with the root-ca.key private key password, and commit to the database.

Examine the new TSA certificate as follows:

openssl x509 -in ca/tsa.crt -text -noout

Ensure that it has CA: false , keyUsage nonRepudiation, and extendedKeyUsage timeStamping.

Requests to the time stamp service usually require that the reply include the certificate chain of the service. We now create the certificate chain as follows:

First, extract just the PEM form of the x509 certificates for root-ca.crt and tsa.crt :

openssl x509 -in ca/root-ca.crt -outform PEM -out ca/root-ca.pem
openssl x509 -in ca/tsa.crt -outform PEM -out ca/tsa.pem

Next, concatenate the two bare certificates ensuring that the root certificate is last in the file:

cat ca/tsa.pem ca/root-ca.pem  > ca/tsa-chain.pem

You can verify this chain by just viewing the file:

cat ca/tsa-chain.pem

Generate a timestamp request

Ok! We are now ready to create a time stamp request. First, we prepare a query:

openssl ts -query -config ./rootca.conf -cert -data /etc/hosts -out /tmp/request.tsq 

View the request with

openssl ts -query -in /tmp/request.tsq -text

Note that since we did not request certificate checking (using the -cert option in the request command above), the text output of this command shows “Certificate required: no”. Also, note that we did not specify our own configuration file in the above example.

If you want to use a stronger digest algorithm, specify it on the command line (sha512 requested here):

openssl ts -query -config ./rootca.conf -data /etc/hosts -out /tmp/request.tsr -sha512

Generating a reply

We can now process a reply to the the request. Note that the openssl ts -reply sub-command does require a configuration file, including the all the tsa sections. In particular, it uses the tsa_policy1(2,3) options we added at the top of the file.

Here (and everywhere you utilize the services of the tsa.crt certificate), you must enter the password for the tsa certificate private key.

openssl ts -reply -config ./rootca.conf -queryfile /tmp/request.tsq -chain ca/tsa-chain.pem -out /tmp/response.tsr
openssl ts -reply -config ./rootca.conf -in /tmp/response.tsr -text

Verification

Openssl can also verify the received timestamp ensuring that the data file or data digest the query was based on still applies to the current version of the file.

openssl ts -verify -queryfile /tmp/request.tsq -in /tmp/response.tsr -CAfile ca/root-ca.pem -untrusted ca/tsa.pem

The OK response ensures that the original signed timestamp is correctly authorized by the root and tsa certificates (in PEM format).

openssl ts -verify -data /etc/hosts -in /tmp/response.tsr -CAfile ca/root-ca.pem -untrusted ca/tsa.pem