Updated documentation.
Improved script verbosity. Locally added second TSA so that commits in this repository will contain two timestamps as an example.
This commit is contained in:
Matthias Bühlmann
11
README.md
11
README.md
@@ -85,13 +85,20 @@ The `issuer_hash` for both files corresponds to the ESSCertID or ESSCertIDv2 has
|
||||
|
||||
# How to validate timestamps:
|
||||
|
||||
Ultimately the responsibility of validating the timestamps lies with the party who wishes to proof/disprove that they are valid.
|
||||
This repository does come however with an implementation to do so. To use it, simply run `.git/hooks/validate.sh`
|
||||
Ultimately the responsibility (and criteria) for validating the timestamps lies with the party who wishes to proof/disprove that they are valid and the policy being used.
|
||||
This repository does come however with an [implementation](hooks/validate.sh) that validates the created timestamps according to the criteria listed below. To use it, simply run `.git/hooks/validate.sh`
|
||||
|
||||
`validate.sh` will iterate over the entire commit history of the current branch and for each *timestamp commit* will:
|
||||
- Check that the digest contained in the token matches the commit hash of the timestamped commit
|
||||
- Checks that the TSA certificate was valid at the time of timestamping, by using historic CRL data
|
||||
- Checks whether the TSA certificate or any intermediate certificate in the chain has been revoked and if so, whether the revocationCode matches the acceptable revocation reasons discussed in chapter 4 of the RFC3161 specification (https://tools.ietf.org/html/rfc3161)
|
||||
- A commit containing multiple timestamps will be considered valid if there is at least one valid timestamp token (a warning will be printed if there are additional timestamps that are considered invalid)
|
||||
|
||||
To perform these checks, the same trusted rootCAs from the `.git/hooks/trustanchors` folder are used.
|
||||
No other checks are performed. In particular, a timestamp-token is considered valid beyond the expiration date of its signing certificate if it hasn't been revoked due to a reason other than those specified in chapter 4.1 of the RFC3161 specification.
|
||||
The curent implementation of the validate.sh script also does not consider whether the hashing algorithms used in the timestamp-token or the keylength of the signing certificate are still considered secure.
|
||||
|
||||
The script exits with exit code 0 if all tests passed, and with exit code 1 otherwise.
|
||||
|
||||
# Author
|
||||
|
||||
|
||||
@@ -51,6 +51,7 @@ exit_trap() {
|
||||
trap "exit_trap" EXIT
|
||||
|
||||
OUT_STREAM=/dev/null
|
||||
#uncomment for verbose output
|
||||
#OUT_STREAM=/dev/stdout
|
||||
|
||||
#echo red text
|
||||
@@ -186,22 +187,32 @@ request_token() {
|
||||
local REQ_FILE="$TMP_DIR"/token_req.tsq
|
||||
if [ "$REQUEST_CERTS" = true ]; then
|
||||
if ! openssl ts -query -cert -digest "$DIGEST" -"$ALGO" -out "$REQ_FILE" &> "$OUT_STREAM"; then
|
||||
echo "Failed to create token query"
|
||||
echo "Error: Failed to create token query"
|
||||
return 1
|
||||
fi
|
||||
else
|
||||
if ! openssl ts -query -digest "$DIGEST" -"$ALGO" -out "$REQ_FILE" &> "$OUT_STREAM"; then
|
||||
echo "Failed to create token query"
|
||||
echo "Error: Failed to create token query"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
local RESPONSE_FILE="$TMP_DIR"/response.tsr
|
||||
if ! curl "$TSA_URL" -H "$CONTENT_TYPE" -H "$ACCEPT_TYPE" --data-binary @"$REQ_FILE" --output "$RESPONSE_FILE" &> "$OUT_STREAM"; then
|
||||
echo "Failed to get response from $TSA_URL"
|
||||
echo "Error: Failed to get response from $TSA_URL"
|
||||
return 1
|
||||
fi
|
||||
local RESPONSE_STATUS=$(openssl ts -reply -in "$RESPONSE_FILE" -text 2> "$OUT_STREAM" | awk '/Status: /{print; exit}' | sed 's/Status: //' | sed 's/\.//')
|
||||
if [ "$RESPONSE_STATUS" != "Granted" ]; then
|
||||
echo "Error: Token request was not granted."
|
||||
local STATUS_INFO=$(openssl ts -reply -in "$RESPONSE_FILE" -text 2> "$OUT_STREAM" | awk '/Status info:/{f=1} f {print} /Failure info: /{exit}')
|
||||
echo "$STATUS_INFO"
|
||||
echo "Note: If rejection reason is unrecognized or unsupported algorithm, then this tsa cannot be used for this repository, since it uses --object-format=$ALGO"
|
||||
echo "The token request was:"
|
||||
openssl ts -query -in "$REQ_FILE" -text 2> "$OUT_STREAM"
|
||||
return 1
|
||||
fi
|
||||
if ! openssl ts -reply -in "$RESPONSE_FILE" -token_out -out "$OUTPUT_FILE" &> "$OUT_STREAM"; then
|
||||
echo "Not a valid TSA response in file $RESPONSE_FILE"
|
||||
echo "Error: Not a valid TSA response in file $RESPONSE_FILE"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
|
||||
@@ -59,7 +59,10 @@ fi
|
||||
DUMMY_DIGEST=$(echo "0" | git hash-object --stdin)
|
||||
DUMMY_TOKEN="$TMP_DIR"/token.tst
|
||||
|
||||
request_token "$TSA_URL" "$DUMMY_DIGEST" false "$DUMMY_TOKEN"
|
||||
if ! request_token "$TSA_URL" "$DUMMY_DIGEST" false "$DUMMY_TOKEN"; then
|
||||
echo_error "Token request failed, thus the TSA $TSA_URL cannot be added to trusted TSAs."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
CERTIFICATES="$TMP_DIR"/certificates.pem
|
||||
build_certificate_chain_for_token "$DUMMY_TOKEN" "$DUMMY_DIGEST" "$TSA_URL" "$CERTIFICATES"
|
||||
|
||||
Reference in New Issue
Block a user