https://github.com/corpus-solutions/tsa-server
portable Time Stamp Server (over HTTP)
https://github.com/corpus-solutions/tsa-server
Last synced: 4 months ago
JSON representation
portable Time Stamp Server (over HTTP)
- Host: GitHub
- URL: https://github.com/corpus-solutions/tsa-server
- Owner: corpus-solutions
- License: apache-2.0
- Created: 2015-12-12T09:14:58.000Z (over 10 years ago)
- Default Branch: master
- Last Pushed: 2017-10-17T10:15:45.000Z (over 8 years ago)
- Last Synced: 2024-04-20T14:52:45.830Z (almost 2 years ago)
- Language: Groovy
- Homepage:
- Size: 9.77 KB
- Stars: 44
- Watchers: 9
- Forks: 5
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-systools - portable Time Stamp Server (over HTTP)
README
# portable Time Stamp Server (over HTTP)
This is server for Time-Stamp Protocol via HTTP server (https://tools.ietf.org/html/rfc3161 3.4.)
https://en.wikipedia.org/wiki/Trusted_timestamping
All operations are based on OpenSSL extension called ts. From version 0.9.8 it is a part of openssl binary so patching is not required anymore.
It is based on idea from Grzegorz Golec (http://gregs.eu/linux-time-stamp-server/), but his server received request from tcp connection. Java libraries uses only HTTP to send TSA request, so i wrote this http version of TSA server.
## USAGE:
* install groovy
* groovy ./server.groovy
* curl -X POST -H "Content-Type:application/timestamp-query" -d @mycertificatefile localhost:318 -v
* or call it from Java using class TSAClientBouncyCastle(itext).
## Requirements
* groovy (and java of cource)
* OpenSSL > 0.9.8
* CA or request for certificate
* certificate for TSA signing
## Installation:
You need ssl key and certificate that can be used for Timestamping.
This certificate must have attributes:
* keyUsage = nonRepudiation
* extendedKeyUsage = timeStamping, critical
Contant your certification authority to get this cert or for testing create self signed (see below)
Than configure openssl in openssl.cnf:
```sh
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = /etc/ssl/tsa # TSA root directory
serial = $dir/serial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsa.crt # The TSA signing certificate
signer_key = $dir/tsa.key # The TSA private key
certs = $dir/cacert.pem # Certificate chain to include in reply # (optional)
default_policy = tsa_policy1 # Policy if request did not specify it # (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps? # (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply? # (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included? # (optional, default: no)
```
tsa_policy1 must be defined in new_oids section like this:
```
oid_section = new_oids
[ new_oids ]
tsa_policy1=1.1.1.1
```
## openssl tutorial:
use the following command to generate tsa.key:
```
openssl genrsa -des3 -out tsa.key 4096
```
than create certificate request for certification authority:
```
openssl req -new -key tsa.key -out tsa.csr
```
If you don't have certificates and use fake self signed authority, or you use openssl on your own, generate your cert:
create a file extKey.cnf with the extendedKeyUsage inside
```
extendedKeyUsage = critical,timeStamping
```
Add use it when creating the request :
```
openssl x509 -req -days 730 -in tsa.csr -CA tsaroot.crt -CAkey tsaroot.key -out tsa.crt -extfile extKey.cnf
```