JankariTechUG/GitTrustedTimestamps
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

Updated documentation.

Browse Source 
Improved script verbosity.
Locally added second TSA so that commits in this repository will contain
two timestamps as an example.
This commit is contained in:
Matthias Bühlmann
2021-02-16 19:54:19 +01:00
parent e3789a3e3e
commit 86c39dc7c4
3 changed files with 28 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@@ -85,13 +85,20 @@ The `issuer_hash` for both files corresponds to the ESSCertID or ESSCertIDv2 has
# How to validate timestamps: # How to validate timestamps:
Ultimately the responsibility of validating the timestamps lies with the party who wishes to proof/disprove that they are valid. Ultimately the responsibility (and criteria) for validating the timestamps lies with the party who wishes to proof/disprove that they are valid and the policy being used.
This repository does come however with an implementation to do so. To use it, simply run `.git/hooks/validate.sh` This repository does come however with an [implementation](hooks/validate.sh) that validates the created timestamps according to the criteria listed below. To use it, simply run `.git/hooks/validate.sh`
`validate.sh` will iterate over the entire commit history of the current branch and for each *timestamp commit* will: `validate.sh` will iterate over the entire commit history of the current branch and for each *timestamp commit* will:
- Check that the digest contained in the token matches the commit hash of the timestamped commit - Check that the digest contained in the token matches the commit hash of the timestamped commit
- Checks that the TSA certificate was valid at the time of timestamping, by using historic CRL data - Checks that the TSA certificate was valid at the time of timestamping, by using historic CRL data
- Checks whether the TSA certificate or any intermediate certificate in the chain has been revoked and if so, whether the revocationCode matches the acceptable revocation reasons discussed in chapter 4 of the RFC3161 specification (https://tools.ietf.org/html/rfc3161) - Checks whether the TSA certificate or any intermediate certificate in the chain has been revoked and if so, whether the revocationCode matches the acceptable revocation reasons discussed in chapter 4 of the RFC3161 specification (https://tools.ietf.org/html/rfc3161)
- A commit containing multiple timestamps will be considered valid if there is at least one valid timestamp token (a warning will be printed if there are additional timestamps that are considered invalid)
To perform these checks, the same trusted rootCAs from the `.git/hooks/trustanchors` folder are used.
No other checks are performed. In particular, a timestamp-token is considered valid beyond the expiration date of its signing certificate if it hasn't been revoked due to a reason other than those specified in chapter 4.1 of the RFC3161 specification.
The curent implementation of the validate.sh script also does not consider whether the hashing algorithms used in the timestamp-token or the keylength of the signing certificate are still considered secure.
The script exits with exit code 0 if all tests passed, and with exit code 1 otherwise.
# Author # Author

19
hooks/timestamping
View File

@@ -51,6 +51,7 @@ exit_trap() {
trap "exit_trap" EXIT trap "exit_trap" EXIT
OUT_STREAM=/dev/null OUT_STREAM=/dev/null
#uncomment for verbose output
#OUT_STREAM=/dev/stdout #OUT_STREAM=/dev/stdout
#echo red text #echo red text
@@ -186,22 +187,32 @@ request_token() {
local REQ_FILE="$TMP_DIR"/token_req.tsq local REQ_FILE="$TMP_DIR"/token_req.tsq
if [ "$REQUEST_CERTS" = true ]; then if [ "$REQUEST_CERTS" = true ]; then
if ! openssl ts -query -cert -digest "$DIGEST" -"$ALGO" -out "$REQ_FILE" &> "$OUT_STREAM"; then if ! openssl ts -query -cert -digest "$DIGEST" -"$ALGO" -out "$REQ_FILE" &> "$OUT_STREAM"; then
echo "Failed to create token query" echo "Error: Failed to create token query"
return 1 return 1
fi fi
else else
if ! openssl ts -query -digest "$DIGEST" -"$ALGO" -out "$REQ_FILE" &> "$OUT_STREAM"; then if ! openssl ts -query -digest "$DIGEST" -"$ALGO" -out "$REQ_FILE" &> "$OUT_STREAM"; then
echo "Failed to create token query" echo "Error: Failed to create token query"
return 1 return 1
fi fi
fi fi
local RESPONSE_FILE="$TMP_DIR"/response.tsr local RESPONSE_FILE="$TMP_DIR"/response.tsr
if ! curl "$TSA_URL" -H "$CONTENT_TYPE" -H "$ACCEPT_TYPE" --data-binary @"$REQ_FILE" --output "$RESPONSE_FILE" &> "$OUT_STREAM"; then if ! curl "$TSA_URL" -H "$CONTENT_TYPE" -H "$ACCEPT_TYPE" --data-binary @"$REQ_FILE" --output "$RESPONSE_FILE" &> "$OUT_STREAM"; then
echo "Failed to get response from $TSA_URL" echo "Error: Failed to get response from $TSA_URL"
return 1
fi
local RESPONSE_STATUS=$(openssl ts -reply -in "$RESPONSE_FILE" -text 2> "$OUT_STREAM" | awk '/Status: /{print; exit}' | sed 's/Status: //' | sed 's/\.//')
if [ "$RESPONSE_STATUS" != "Granted" ]; then
echo "Error: Token request was not granted."
local STATUS_INFO=$(openssl ts -reply -in "$RESPONSE_FILE" -text 2> "$OUT_STREAM" | awk '/Status info:/{f=1} f {print} /Failure info: /{exit}')
echo "$STATUS_INFO"
echo "Note: If rejection reason is unrecognized or unsupported algorithm, then this tsa cannot be used for this repository, since it uses --object-format=$ALGO"
echo "The token request was:"
openssl ts -query -in "$REQ_FILE" -text 2> "$OUT_STREAM"
return 1 return 1
fi fi
if ! openssl ts -reply -in "$RESPONSE_FILE" -token_out -out "$OUTPUT_FILE" &> "$OUT_STREAM"; then if ! openssl ts -reply -in "$RESPONSE_FILE" -token_out -out "$OUTPUT_FILE" &> "$OUT_STREAM"; then
echo "Not a valid TSA response in file $RESPONSE_FILE" echo "Error: Not a valid TSA response in file $RESPONSE_FILE"
return 1 return 1
fi fi
return 0 return 0

5
hooks/trust.sh
View File

@@ -59,7 +59,10 @@ fi
DUMMY_DIGEST=$(echo "0" | git hash-object --stdin) DUMMY_DIGEST=$(echo "0" | git hash-object --stdin)
DUMMY_TOKEN="$TMP_DIR"/token.tst DUMMY_TOKEN="$TMP_DIR"/token.tst
request_token "$TSA_URL" "$DUMMY_DIGEST" false "$DUMMY_TOKEN" if ! request_token "$TSA_URL" "$DUMMY_DIGEST" false "$DUMMY_TOKEN"; then
echo_error "Token request failed, thus the TSA $TSA_URL cannot be added to trusted TSAs."
exit 1
fi
CERTIFICATES="$TMP_DIR"/certificates.pem CERTIFICATES="$TMP_DIR"/certificates.pem
build_certificate_chain_for_token "$DUMMY_TOKEN" "$DUMMY_DIGEST" "$TSA_URL" "$CERTIFICATES" build_certificate_chain_for_token "$DUMMY_TOKEN" "$DUMMY_DIGEST" "$TSA_URL" "$CERTIFICATES"