{"id":21991082,"url":"https://github.com/dnl50/tsa","last_synced_at":"2025-04-30T13:49:53.628Z","repository":{"id":44899382,"uuid":"420442323","full_name":"dnl50/tsa","owner":"dnl50","description":"Java implementation of a RFC3161 Time Stamp Authority ","archived":false,"fork":false,"pushed_at":"2024-12-21T15:22:50.000Z","size":1095,"stargazers_count":25,"open_issues_count":1,"forks_count":3,"subscribers_count":1,"default_branch":"develop","last_synced_at":"2025-04-25T03:01:32.630Z","etag":null,"topics":["bouncycastle","graalvm-native-image","quarkus","rfc3161","rfc5816","sveltekit","time-stamp"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dnl50.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-23T14:57:12.000Z","updated_at":"2025-04-18T22:24:59.000Z","dependencies_parsed_at":"2023-12-28T12:55:22.300Z","dependency_job_id":"d74fceec-5ab0-460b-a0e9-d286c0582db4","html_url":"https://github.com/dnl50/tsa","commit_stats":null,"previous_names":["dnl50/tsa","dnl50/tsa-server"],"tags_count":26,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dnl50%2Ftsa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dnl50%2Ftsa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dnl50%2Ftsa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dnl50%2Ftsa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dnl50
","download_url":"https://codeload.github.com/dnl50/tsa/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251714680,"owners_count":21631770,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bouncycastle","graalvm-native-image","quarkus","rfc3161","rfc5816","sveltekit","time-stamp"],"created_at":"2024-11-29T20:06:38.848Z","updated_at":"2025-04-30T13:49:53.621Z","avatar_url":"https://github.com/dnl50.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Time Stamp Authority\n\nThis is a Java implementation of a Time Stamp Authority using the Time-Stamp Protocol (_TSP_) as defined\nin [RFC 3161](https://tools.ietf.org/html/rfc3161) and [RFC 5816](https://tools.ietf.org/html/rfc5816).\nIt uses [Bouncy Castle](https://www.bouncycastle.org/java.html) and [Quarkus](https://quarkus.io) under the hood.\n\nThe application utilizes GraalVM's Native Image technology, which leads to a very small memory footprint of about\n10 MB and a near instant startup in about 50 milliseconds.\n\n## Docker Images\n\nDocker images are automatically published to [Docker Hub](https://hub.docker.com/r/dnl50/tsa-server).\n\nBy default, the embedded H2 database writes its data to the `/work/data/tsa.mv.db` file. 
Mounting a directory or a named\nvolume at `/work/data` makes the DB data persistent.\n\nThe keystore containing the certificate and private key used to sign requests is loaded\nfrom `/work/keystore.p12` by default.\n\nThere are two Docker Image variants: _Native_ and _JVM_.\nNative Images (e.g. `dnl50/tsa-server:3.1.0`) are only available for `x86-64`. The JVM variant\n(e.g. `dnl50/tsa-server:3.1.0-jvm`) is available for `x86-64` and `arm64`.\n\n## Features\n\n### Time Stamping\n\nThe main purpose of this application is to sign TSP requests using\nthe [HTTP Protocol](https://datatracker.ietf.org/doc/html/rfc3161.html#section-3.4). The application therefore offers an\nHTTP endpoint under `/sign` which accepts `POST` requests with the content type `application/timestamp-query`. The\nASN.1 DER-encoded Timestamp Request must be supplied in the request body.\n\nThe following OpenSSL commands can be used to send a timestamp request for an existing file:\n\n```bash\n# create a timestamp request\nopenssl ts -query -data /path/to/file -sha512 -cert -out request.tsq\n\n# send the request using cURL\ncurl -X POST --data-binary @request.tsq --header \"Content-Type: application/timestamp-query\" http://localhost:8080/sign -o response.tsr\n```\n\n### Web UI\n\n⚠️ The Web UI is yet to be reimplemented after the migration to Quarkus ⚠️\n\n### REST API\n\nThe available REST endpoints are documented in an OpenAPI specification which can be downloaded from\nthe [release page](https://github.com/dnl50/tsa/releases).\n\n### WebSocket Endpoint\n\nThe application exposes a WebSocket endpoint under `/history/responses`. The JSON representation of every TSP\nresponse is broadcast there.\n\n## Configuration\n\nAll parameters mentioned below can be configured in a variety of ways. 
Please refer to\nthe [Quarkus Documentation](https://quarkus.io/guides/config-reference#configuration-sources) for more information.\n\n| Parameter Name                 | Mandatory | Default Value | Description |\n|--------------------------------|-----------|---------------|-------------|\n| `tsa.ess-cert-id-algorithm`    | No        | SHA256        | The hash algorithm which is used to calculate the TSA's certificate identifier (ESSCertIDv2). |\n| `tsa.signing-digest-algorithm` | No        | SHA256        | The hash algorithm which is used to calculate the TSP request's digest, which will be signed by the TSA. |\n| `tsa.accepted-hash-algorithms` | No        | SHA256,SHA512 | Comma-separated list of hash algorithm names/OIDs which are accepted by the Time Stamp Authority. |\n| `tsa.policy-oid`               | No        | 1.2           | The OID of the policy under which the TSP responses are produced. |\n| `tsa.keystore.path`            | Yes       |               | The path of the PKCS#12 archive containing the certificate and private key used to sign TSP requests. Prefixing the path with `classpath:` will result in the PKCS#12 archive being loaded from the classpath (not supported in native image). |\n| `tsa.keystore.password`        | No        |               | The password of the PKCS#12 archive. |\n| `tsa.include-tsa-name`         | No        | true          | Specifies whether the [`tsa` field in the `TSTInfo`](https://datatracker.ietf.org/doc/html/rfc3161#autoid-8) should include the subject of the certificate. |\n\n### Logging\n\nBy default, all log messages will be printed to STDOUT. 
Please refer to\nthe [Quarkus Documentation](https://quarkus.io/guides/logging) for further information on how to configure the log\noutput.\n\n## Issuing a signing certificate\n\nThe signing certificate used by the Time Stamp Authority must be an RSA, DSA or EC certificate with\nan [Extended Key Usage](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12) extension marked as _critical_.\nThe only `KeyPurposeId` present in the sequence must be `id-kp-timeStamping` (OID `1.3.6.1.5.5.7.3.8`).\n\n### Issuing a CA and TSA certificate with OpenSSL\n\n\u003e You should use a certificate issued by a trusted third party for production use\n\nTo issue a signing certificate using a custom CA, you can use the following commands:\n\nFirst, create a file named `tsa-x509-extensions.cnf` with the following content:\n\n```\n[v3_ca]\nbasicConstraints = CA:TRUE\nkeyUsage = digitalSignature, keyCertSign\n\n[usr_timestamping]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, nonRepudiation\nextendedKeyUsage = critical, timeStamping\n```\n\nThis file contains the extension profiles which are used later.\n\nThen create a new private key for the CA:\n\n```bash\nopenssl ecparam -genkey -name secp384r1 -out ca.privkey\n```\n\nAfter that, create a CSR (_Certificate Signing Request_) for the CA certificate\n\n```bash\nopenssl req -new -key ca.privkey -out cacertreq.pem\n```\n\nand sign it with the CA's private key created before\n\n```bash\nopenssl x509 -req -in cacertreq.pem -extfile tsa-x509-extensions.cnf -extensions v3_ca -key ca.privkey -out cacert.pem\n```\n\nAfter that you can create a new private key which will be used by the TSA to sign the timestamp requests:\n\n```bash\nopenssl ecparam -genkey -name secp384r1 -out tsa.privkey\n```\n\nThen create a CSR for it\n\n```bash\nopenssl req -new -key tsa.privkey -out tsacertreq.pem\n```\n\nand issue a certificate using the CA certificate and private key created before:\n\n```bash\nopenssl x509 -req -in tsacertreq.pem 
-extfile tsa-x509-extensions.cnf -extensions usr_timestamping -CA cacert.pem -CAkey ca.privkey -CAcreateserial -out tsacert.pem\n```\n\nThe TSA certificate and private key can then be put into a PKCS#12 keystore which can be used by the application:\n\n```bash\nopenssl pkcs12 -export -CAfile cacert.pem -chain -in tsacert.pem -inkey tsa.privkey -out tsa-keystore.p12\n```\n\n## Development\n\n### Running in development mode\n\nIn normal operation, no signing certificate is configured by default since you probably want to use your own or your\norganization's key pair and not a self-signed key pair I issued to use in integration tests. Configuring a file system\npath to a valid certificate for development is error-prone though. That's what the development mode is for. It is\nautomatically enabled when running Quarkus using the `quarkusDev` Gradle Task. The dev mode has the following effects:\n\n* application data is written into an in-memory database which is discarded on application shutdown\n* a self-signed EC certificate is used for signing TSP requests\n\n### Using the code formatter\n\nThe source code is formatted using the Eclipse Code Formatter. The formatter config file is located\nunder `/eclipse-formatter.xml`. A custom import order configuration file is located under `/spotless.importorder`. The\ncode can also be formatted using the [Spotless Gradle Plugin](https://github.com/diffplug/spotless). Just execute\nthe `spotlessApply` Gradle Task and you are good to go!\n\n## License\n\nThis project is licensed under the terms of the MIT license.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdnl50%2Ftsa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdnl50%2Ftsa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdnl50%2Ftsa/lists"}