| RFC 3161 TSA URL |
|---|
| https://rfc3161.ai.moda |
| https://rfc3161.ai.moda/adobe |
| https://rfc3161.ai.moda/microsoft |
| https://rfc3161.ai.moda/apple |
| https://rfc3161.ai.moda/any |
| http://rfc3161.ai.moda |
| http://timestamp.digicert.com |
| http://timestamp.globalsign.com/tsa/r6advanced1 |
| http://rfc3161timestamp.globalsign.com/advanced |
| http://timestamp.sectigo.com |
| http://timestamp.apple.com/ts01 |
| http://tsa.mesign.com |
| http://time.certum.pl |
| https://freetsa.org |
| http://tsa.startssl.com/rfc3161 |
| http://dse200.ncipher.com/TSS/HttpTspServer |
| http://zeitstempel.dfn.de |
| https://ca.signfiles.com/tsa/get.aspx |
| http://services.globaltrustfinder.com/adss/tsa |
| https://tsp.iaik.tugraz.at/tsp/TspRequest |
| http://timestamp.entrust.net/TSS/RFC3161sha2TS |
| http://timestamp.acs.microsoft.com |
Hi, @Manouchehri. I wonder if there is any document describing the differences between each suffix of https://rfc3161.ai.moda/[*]?
That would be really great as I am wondering what are the differences too!
The https://rfc3161.ai.moda/[*] load balancer sounds really great. Unfortunately we are not able to use it as our custom (time)stamping service needs to have list of all used TSA CAs root certificates to consider them trusted.
Would it be possible to have a list with links to root certificates of all active CAs used for https://rfc3161.ai.moda/[*] so we could download them?
maybe it will be useful to someone:
```bash
#!/bin/bash
#
# tests TSA servers
#
# copyright: public domain / MIT
#
# 1. creates a random hash and nonce
# 2. creates a .tsq file and sends it to the server
# 3. collects the certificates from the response and saves them to a .p7b file
# 4. saves the validity period of the certificates in the chain
# 5. saves the HTTP address from which any missing certificates can be downloaded
#
# RUN:
# ./tsa_batch.sh
#

# random "message imprint": 32 bytes = 64 hex chars, the length of a sha256 digest
hashedMessage_rand () {
	openssl rand -hex 32
}
# digest lengths in hex chars if you change algorithmIdentifier:
# md5 32, sha1 40, sha224 56, sha256 64, sha384 96, sha512 128
#
# to timestamp a fixed hash instead of a random one, set:
#hashedMessage="00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
# and change
# parameter.1 = FORMAT:HEX,OCTETSTRING:$(hashedMessage_rand)
# to:
# parameter.1 = FORMAT:HEX,OCTETSTRING:${hashedMessage}

# sha1/sha256/sha384/sha512
algorithmIdentifier="sha256"

# ~128 bits of entropy; the leading digit 1-7 keeps the ASN.1 INTEGER positive
nonce_32 () {
	echo "$(shuf -i 1-7 -n 1)$(openssl rand -hex 20)" | cut -c1-32
}

# openssl asn1parse -genconf template for a TimeStampReq (RFC 3161, section 2.4.1):
# version, messageImprint, [reqPolicy], nonce, certReq
asn1parse_timestamp_request () {
	cat <<EOF
asn1 = SEQUENCE:TimeStampReq
[ TimeStampReq ]
parameter.0 = INTEGER:1
parameter.1 = SEQUENCE:messageImprint
#parameter.2 = OID:1.2.3.4
parameter.3 = INTEGER:0x$(nonce_32)
parameter.4 = BOOLEAN:TRUE
[ messageImprint ]
parameter.0 = SEQUENCE:hashAlgorithm
parameter.1 = FORMAT:HEX,OCTETSTRING:$(hashedMessage_rand)
[ hashAlgorithm ]
parameter.0 = OID:${algorithmIdentifier}
parameter.1 = NULL
EOF
}

# generate_tsr NAME URL
# NAME is the prefix of all output files, so it must be unique per server
generate_tsr () {
	local ts_name="$1"
	local tsr_server="$2"
	local tsq="${ts_name}_timestamp_query.tsq"
	local tsr="${ts_name}_timestamp_response.tsr"
	local validity="${ts_name}_chain_validity.txt"
	# build the DER query, dump it, POST it, dump the response, then pull the
	# certificate chain out of the token (curl -f: do not keep an HTTP error page as .tsr)
	asn1parse_timestamp_request | openssl asn1parse -genconf /dev/stdin -noout -out "${tsq}" && \
	openssl ts -query -config /dev/null -text -in "${tsq}" > "${tsq}.txt" && \
	curl "${tsr_server}" -H 'Content-Type: application/timestamp-query' -f -s -S --data-binary "@${tsq}" -o "${tsr}" && \
	openssl ts -reply -config /dev/null -text -in "${tsr}" > "${tsr}.txt" && \
	openssl ts -reply -config /dev/null -token_out -in "${tsr}" | openssl pkcs7 -inform DER -print_certs -text | grep -C1 "Not After" > "${validity}" && \
	openssl ts -reply -config /dev/null -token_out -in "${tsr}" | openssl pkcs7 -inform DER -print_certs | awk '/^-----BEGIN CERTIFICATE-----/{s=1}s{print}/^-----END CERTIFICATE-----/{s=0}' | openssl crl2pkcs7 -inform PEM -outform DER -nocrl -certfile /dev/stdin -out "${ts_name}_chain.p7b" && \
	echo "====" >> "${validity}" && \
	openssl ts -reply -config /dev/null -token_out -in "${tsr}" | openssl pkcs7 -inform DER -print_certs -text | grep -C0 "CA Issuers" >> "${validity}"
	echo "DONE :: ${tsr_server}"
	echo "-------"
	#dumpasn1 -apz "${tsr}" | awk '{ sub(/[ \t]+$/, ""); print }' > "${tsr}.dumpasn1.txt"
}

# https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710
generate_tsr digicert "http://timestamp.digicert.com"
generate_tsr globalsign "http://aatl-timestamp.globalsign.com/tsa/aohfewat2389535fnasgnlg5m23"
generate_tsr sectigo "https://timestamp.sectigo.com"
generate_tsr sectigo_2 "https://timestamp.sectigo.com/qualified"
generate_tsr entrust "http://timestamp.entrust.net/TSS/RFC3161sha2TS"
generate_tsr swisssign "http://tsa.swisssign.net"
generate_tsr quovadisglobal "http://ts.quovadisglobal.com/ch"
generate_tsr quovadisglobal_2 "http://ts.quovadisglobal.com/eu"
generate_tsr ssl_com "http://ts.ssl.com"
generate_tsr identrust "http://timestamp.identrust.com"
generate_tsr belgium "http://tsa.belgium.be/connect"
generate_tsr cartaodecidadao "http://ts.cartaodecidadao.pt/tsa/server"
generate_tsr accv_es "http://tss.accv.es:8318/tsa"
generate_tsr baltstamp "http://tsa.baltstamp.lt"
generate_tsr aped_gr "https://timestamp.aped.gov.gr/qtss"
generate_tsr sep_bg "http://tsa.sep.bg"
generate_tsr izenpe "http://tsa.izenpe.com"
generate_tsr certum "http://time.certum.pl"
generate_tsr symantec "http://sha256timestamp.ws.symantec.com/sha256/timestamp"
# distinct name so the "globalsign" files above are not overwritten
generate_tsr globalsign_3 "http://rfc3161timestamp.globalsign.com/advanced"
generate_tsr globalsign_2 "http://timestamp.globalsign.com/tsa/r6advanced1"
generate_tsr apple "http://timestamp.apple.com/ts01"
generate_tsr trustwave "http://timestamp.ssl.trustwave.com"
generate_tsr freetsa "https://freetsa.org/tsr"
generate_tsr zeitstempel "http://zeitstempel.dfn.de"
generate_tsr catcert_cat "http://psis.catcert.cat/psis/catcert/tsp"
generate_tsr codegic "http://pki.codegic.com/codegic-service/timestamp"
#generate_tsr mesign "https://tsa.mesign.com"
generate_tsr wotrus "https://tsa.wotrus.com"
generate_tsr lex_persona "http://tsa.lex-persona.com/tsa"
generate_tsr cesnet "https://tsa.cesnet.cz:5817/tsa"
generate_tsr cesnet_2 "https://tsa.cesnet.cz:3162/tsa"
generate_tsr signfiles "http://ca.signfiles.com/TSAServer.aspx"
#generate_tsr signfiles_2 "https://ca.signfiles.com/tsa/get.aspx"
generate_tsr aloahacoin "http://aloahacoin.chain-provider.com/tsa.aspx"
generate_tsr sinpe_cr "http://tsa.sinpe.fi.cr/tsaHttp/"
generate_tsr mahidol_th "https://tsa.mahidol.ac.th/tsa/get.aspx"
generate_tsr cra_ge "http://tsa.cra.ge/signserver/tsa?workerName=qtsa"
generate_tsr gob_hn "http://tss.cnbs.gob.hn/TSS/HttpTspServer"
generate_tsr mconnect "https://time.mconnect.mc"
generate_tsr tugraz_at "https://tsp.iaik.tugraz.at/tsp/TspRequest"
#generate_tsr safecreative "http://tsa.safecreative.org"
#generate_tsr comodoca "http://timestamp.comodoca.com/rfc3161"
generate_tsr nowina_lu "http://dss.nowina.lu/pki-factory/tsa/good-tsa"
#
# other
#
# Digidoc4_Client
#generate_tsr sk_ee "http://tsa.sk.ee/"
# EOF
```
If you choose one between the Adobe: European Union Trusted Lists, and Adobe Approved Trust List, which is more widely accepted? I'm assuming the EU has a higher level of trust and works everywhere?
Symantec's timestamp server appears to be defunct. See this.
We switched to the Azure Code Signing timestamp server: http://timestamp.acs.microsoft.com
> Would it be possible to have a list with links to root certificates of all active CAs used for https://rfc3161.ai.moda/[*] so we could download them?

I've exposed https://rfc3161.ai.moda/servers.json for now, does that work or still not quite?

> We switched to the Azure Code Signing timestamp server: http://timestamp.acs.microsoft.com

Thanks, I've added that one for Windows signing on https://rfc3161.ai.moda!

> Would it be possible to have a list with links to root certificates of all active CAs used for https://rfc3161.ai.moda/[*] so we could download them?

> I've exposed https://rfc3161.ai.moda/servers.json for now, does that work or still not quite?
I mean list of URLs to all CAs root certificates so we can download them and put to trusted list.
I can find one for ssl.com for example: https://www.ssl.com/how-to/install-ssl-com-ca-root-certificates/#ftoc-heading-4
But where can I find the CA root certificate for the TSA http://timestamp.acs.microsoft.com?
The thing is we cannot make a proper TSA request without having its CA root certificate in the local trusted list.
When the TSA can be done with any server from the list https://rfc3161.ai.moda/servers.json (thanks, that's quite nice), we need to have all root certificates in one place.
Hello! What can these servers be used for? Are they suitable for productive systems?
I am currently looking for a solution to sign log entries with some kind of trusted timestamp.
@Pique7 You can use them for anything, many folks are using https://rfc3161.ai.moda in production. We serve a few million requests per month now I think, with higher uptime than the majority of any single RFC3161 server (since we have automatic failovers).
How can I verify the timestamp? I get a response from a random server. But I also would like to verify this response locally. But for that I need the CA and intermediate files, I think. Could you also expose those/add them to the server list? I assume your backend has them in order to verify the response. Bonus for an example command :)
Hi @JohnPlanetary , thank you for this feedback.
I don't want to take over this excellent gist about RFC3161 TSAs (thank you @Manouchehri ) with a discussion of TimestampIt!, therefore I've started a new gist to respond: https://gist.github.com/rschultheis/ea3b17017f520b4b3dcca270fc8dd1b6.
I'd love to keep the discussion going over there, but to quickly respond to one point:
This is what the TimestampIt! verification key replica repos are for: https://github.com/timestampit/keychain/. More info in my new gist 💚