-
-
Save Manouchehri/fd754e402d98430243455713efada710 to your computer and use it in GitHub Desktop.
https://rfc3161.ai.moda | |
https://rfc3161.ai.moda/adobe | |
https://rfc3161.ai.moda/microsoft | |
https://rfc3161.ai.moda/apple | |
https://rfc3161.ai.moda/any | |
http://rfc3161.ai.moda | |
http://timestamp.digicert.com | |
http://timestamp.globalsign.com/tsa/r6advanced1 | |
http://rfc3161timestamp.globalsign.com/advanced | |
http://timestamp.sectigo.com | |
http://timestamp.apple.com/ts01 | |
http://tsa.mesign.com | |
http://time.certum.pl | |
https://freetsa.org | |
http://tsa.startssl.com/rfc3161 | |
http://dse200.ncipher.com/TSS/HttpTspServer | |
http://zeitstempel.dfn.de | |
https://ca.signfiles.com/tsa/get.aspx | |
http://services.globaltrustfinder.com/adss/tsa | |
https://tsp.iaik.tugraz.at/tsp/TspRequest | |
http://timestamp.entrust.net/TSS/RFC3161sha2TS | |
http://timestamp.acs.microsoft.com |
Would it be possible to have a list with links to root certificates of all active CAs used for https://rfc3161.ai.moda/[*] so we could download them?
I've exposed https://rfc3161.ai.moda/servers.json for now, does that work or still not quite?
We switched to the Azure Code Signing timestamp server: http://timestamp.acs.microsoft.com
Thanks, I've added that one for Windows signing on https://rfc3161.ai.moda!
Would it be possible to have a list with links to root certificates of all active CAs used for https://rfc3161.ai.moda/[*] so we could download them?
I've exposed https://rfc3161.ai.moda/servers.json for now, does that work or still not quite?
I mean list of URLs to all CAs root certificates so we can download them and put to trusted list.
I can find one for ssl.com for example: https://www.ssl.com/how-to/install-ssl-com-ca-root-certificates/#ftoc-heading-4
But where can I find CA root certificate for TSA http://timestamp.acs.microsoft.com
The thing is we cannot make proper TSA request without having it's CA root certificate in local trusted list.
When the TSA can be done with any server from the list https://rfc3161.ai.moda/servers.json (thanks, that's quite nice), we need to have all root certificates in one place.
Hello! What can these servers be used for? Are they suitable for productive systems?
I am currently looking for a solution to sign log entries with some kind of trusted timestamp.
@Pique7 You can use them for anything, many folks are using https://rfc3161.ai.moda
in production. We serve a few million requests per month now I think, with higher uptime than the majority of any single RFC3161 server (since we have automatic failovers).
How can i verify the timestamp? I get a response from a random server. But i also would like to verify this response locally. But for that i need CA and intermediate files i think. Could u also expose those/add them to the server list? I assume your backend has them in order to verify the response. Bonus for a example command :)
@chimmmpie I have made a script that extracts the .cer / .crt from a timestamping service
#!/usr/bin/env bash
set -o errexit
set -o nounset
set -o pipefail
# Check that we have the name of the TSA service as a first arg and the URL as a second arg
if [ "$#" -ne 2 ]; then
echo "Illegal number of parameters"
echo "Usage: $0 <TSA_URL> <TSA_NAME>"
exit 1
fi
TSA_URL=$1
TSA_NAME=$2
echo "==> We are trying to get the TSA certificate from the following service : $TSA_NAME ($TSA_URL)"
echo "==> Sending a signature request..."
openssl rand 256 | openssl ts -query -data - -cert -sha256 | curl -s -S --data-binary @- "$TSA_URL" --header "Content-Type: application/timestamp-query" -o - -v > "$TSA_NAME.reply.tsr"
echo "==> Verifying the response..."
openssl ts -reply -text -in "$TSA_NAME.reply.tsr" || (echo "==> Verification failed :" && cat "$TSA_NAME.reply.tsr" && rm "$TSA_NAME.reply.tsr" && exit 1)
echo "==> Extracting the token..."
openssl ts -reply -in "$TSA_NAME.reply.tsr" -token_out -out "$TSA_NAME.token.tk"
echo "==> Extracting the TSA certificate..."
openssl pkcs7 -inform DER -in "$TSA_NAME.token.tk" -print_certs -outform PEM -out "$TSA_NAME.cer"
echo "==> Extracting the TSA certificate as a .crt..."
openssl x509 -inform PEM -in "$TSA_NAME.cer" -out "$TSA_NAME.crt"
rm "$TSA_NAME.reply.tsr" "$TSA_NAME.token.tk"
Call it like ./request_crt.sh http://timestamp.acs.microsoft.com/ microsoft
to get everything in microsoft.crt
I have made a script that extracts the .cer / .crt from a timestamping service
Thanks, that is great!
Would it be possible to make version of the script that downloads all certs for servers provided by https://rfc3161.ai.moda/servers.json?
@chimmmpie I have made a script that extracts the .cer / .crt from a timestamping service
That looks interesting. But it would suggest to me that the cert is already in the response? Or does anyone think that some of the openssl commands will fetch it in the background?
The -cert
part in openssl ts -query -data - -cert -sha256
asks the TSA to return its cert as well
@Pique7 You can use them for anything, many folks are using
https://rfc3161.ai.moda
in production. We serve a few million requests per month now I think, with higher uptime than the majority of any single RFC3161 server (since we have automatic failovers).
Thanks for your reply. Now I have another question:
The TSA certificate of my current test response has a validity of 10 years. I thinks that's a lot. But what can I do when the TSA certificate expires? Sorry if this question is too stupid or off-topic/misplaced.
The signature should still be considered valid (in my opinion), since it was signed within the original lifetime of the CA. It just can’t (or rather shouldn’t) be used for new signatures.
You shouldn’t have to do anything. All of the upstream servers for rfc3161.ai.moda should rollover to using a new certificates long before the current ones expire.
I you want to see the CA that was used in the response for your request, you can use asn1parse. Example:
openssl rand 512 | openssl ts -query -data - -cert -sha512 | curl -s -S --data-binary @- https://rfc3161.ai.moda -o - -v | openssl asn1parse -in /dev/stdin -inform DER -dump
Thanks for tip.
But once again: we are not able to generate a time stamp unless we have CA root certificate in the local "trusted" list.
Would it be possible to provide a list (URLs) of all available timestamping CA root certificates?
@vasekkral Sure. Note, these certificates do change over time.
#!/usr/bin/env bash
# Available cryptographic hash algorithms for timestamp requests
# These algorithms are tried sequentially until a successful response is received
hash_algorithms=(
"sha512" "blake2b512" "blake2s256" "md4" "md5" "md5-sha1" "mdc2" "ripemd"
"ripemd160" "rmd160" "sha1" "sha224" "sha256" "sha3-224" "sha3-256"
"sha3-384" "sha3-512" "sha384" "sha512-224" "sha512-256" "shake128"
"shake256" "sm3" "ssl3-md5" "ssl3-sha1" "whirlpool"
)
# Attempts to obtain a timestamp token from a TSA server using specified parameters
# Returns 0 on success, 1 on failure
try_timestamp_request() {
local url="$1" # TSA server endpoint
local hash_algo="$2" # Cryptographic hash algorithm
local tmp_query="$3" # Path to store the timestamp request
local tmp_reply="$4" # Path to store the server's response
local tmp_token="$5" # Path to store the extracted timestamp token
# Process flow:
# 1. Generate random data as input
# 2. Create a timestamp query using the specified hash algorithm
# 3. Send the query to the TSA server
# 4. Extract the timestamp token from the response
if openssl rand 512 | \
openssl ts -query -data - -cert -"$hash_algo" > "$tmp_query" 2>/dev/null && \
curl -H "Content-Type: application/timestamp-query" \
-H "Accept: application/timestamp-reply" \
-s -S --data-binary @"$tmp_query" "$url" -o "$tmp_reply" && \
openssl ts -reply -in "$tmp_reply" -token_out -out "$tmp_token" 2>/dev/null; then
return 0 # All operations completed successfully
else
return 1 # One or more operations failed
fi
}
# Main processing loop: Retrieve and process TSA server information
curl -s https://rfc3161.ai.moda/servers.json | \
jq -r '.[] | {name: .name, url: .url} | @json' | \
while read -r line; do
# Extract server details from JSON response
name=$(echo "$line" | jq -r '.name') # Server's friendly name
url=$(echo "$line" | jq -r '.url') # Server's API endpoint
# Create filesystem-safe server name by removing special characters
safe_name=$(echo "$name" | tr -c '[:alnum:]' '_' | tr -s '_' | sed 's/^_//;s/_$//')
# Create temporary storage for request/response data
tmp_query=$(mktemp)
tmp_reply=$(mktemp)
tmp_token=$(mktemp)
success=false # Tracks if any attempt succeeded
successful_hash="" # Records which hash algorithm worked
# Try each hash algorithm until successful
for hash_algo in "${hash_algorithms[@]}"; do
echo "Trying $hash_algo for $name..."
if try_timestamp_request "$url" "$hash_algo" "$tmp_query" "$tmp_reply" "$tmp_token"; then
success=true
successful_hash="$hash_algo"
break
fi
done
if [ "$success" = true ]; then
# Extract and save the CA certificate from the successful response
if openssl pkcs7 -inform DER -in "$tmp_token" -print_certs -outform PEM -out "${safe_name}.pem" 2>/dev/null; then
echo "Successfully extracted CA certificate for: $name (using $successful_hash)"
echo "$name,$url,$successful_hash" >> successful_servers.log
else
echo "$url" >> failed_ca_certs.log
echo "Failed to extract CA certificate for: $name"
fi
else
echo "$url" >> failed_ca_certs.log
echo "Failed to get timestamp response from: $name (tried all hash algorithms)"
fi
# Cleanup temporary files to prevent disk space issues
rm -f "$tmp_query" "$tmp_reply" "$tmp_token"
done
This will dump the full certificate chain for all of the CAs. e.g. this is what my folder looks like after running the script:
APED.pem Entrust.pem QuoVadis_China.pem
Adacom.pem FreeTSA.pem QuoVadis_EU.pem
Aloaha.pem GlobalSign.pem SDA_GOV_GE.pem
Apple.pem IdenTrust.pem SEP_Bulgaria.pem
Azure.pem Instituto_dos_Registos_e_do_Notariado_I_P.pem SSL_com.pem
BalTstamp.pem Izenpe.pem Sectigo.pem
Belgium_Federal_Goverment.pem Lex_Persona.pem SwissSign.pem
CNBS.pem Mahidol_University.pem Swiss_Goverment.pem
CatCert.pem MeSign.pem TSA_SINPE.pem
Certum.pem Netlock.pem successful_servers.log
Digicert.pem QuoVadis.pem
We switched to the Azure Code Signing timestamp server: http://timestamp.acs.microsoft.com