Commit c7235be6 authored by Ulf Möller's avatar Ulf Möller
Browse files

RFC 3161 compliant time stamp request creation, response generation 

and response verification.

Submitted by: Zoltan Glozik <zglozik@opentsa.org>
Reviewed by: Ulf Moeller
parent 1c17d91c

CHANGES

+4 −0
Original line number Diff line number Diff line
@@ -4,6 +4,10 @@ 


 Changes between 0.9.8a and 0.9.9  [xx XXX xxxx]



  *) Add RFC 3161 compliant time stamp request creation, response generation

     and response verification functionality.

     [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]



  *) Add initial support for TLS extensions, specifically for the server_name

     extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now

     have new members for a host name.  The SSL data structure has an

Makefile.org

+1 −1
Original line number Diff line number Diff line
@@ -116,7 +116,7 @@ SDIRS= \ 
	bn ec rsa dsa ecdsa dh ecdh dso engine \

	buffer bio stack lhash rand err \

	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \

	store pqueue

	store pqueue ts

# keep in mind that the above list is adjusted by ./Configure

# according to no-xxx arguments...

apps/Makefile

+4 −4
Original line number Diff line number Diff line
@@ -31,7 +31,7 @@ LIBSSL=-L.. -lssl 


PROGRAM= openssl



SCRIPTS=CA.sh CA.pl

SCRIPTS=CA.sh CA.pl tsget



EXE= $(PROGRAM)$(EXE_EXT)
@@ -39,7 +39,7 @@ E_EXE= verify asn1pars req dgst dh dhparam enc passwd gendh errstr \ 
	ca crl rsa rsautl dsa dsaparam ec ecparam \

	x509 genrsa gendsa s_server s_client speed \

	s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 \

	pkcs8 spkac smime rand engine ocsp prime

	pkcs8 spkac smime rand engine ocsp prime ts



PROGS= $(PROGRAM).c
@@ -56,7 +56,7 @@ E_OBJ= verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o er 
	x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \

	s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \

	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o \

	ocsp.o prime.o

	ocsp.o prime.o ts.o



E_SRC=	verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \

	pkcs7.c crl2p7.c crl.c \
@@ -64,7 +64,7 @@ E_SRC= verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca. 
	x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \

	s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \

	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c \

	ocsp.c prime.c

	ocsp.c prime.c ts.c



SRC=$(E_SRC)

apps/openssl-vms.cnf

+40 −2
Original line number Diff line number Diff line
@@ -21,12 +21,17 @@ oid_section = new_oids 


[ new_oids ]



# We can add new OIDs in here for use by 'ca' and 'req'.

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

# Add a simple OID like this:

# testoid1=1.2.3.4

# Or use config file substitution like this:

# testoid2=${testoid1}.5.6



# Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7



####################################################################

[ ca ]

default_ca	= CA_default		# The default ca section
@@ -188,7 +193,7 @@ nsComment = "OpenSSL Generated Certificate" 


# PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer:always

authorityKeyIdentifier=keyid,issuer



# This stuff is for subjectAltName and issuerAltname.

# Import the email address.
@@ -207,6 +212,9 @@ authorityKeyIdentifier=keyid,issuer:always 
#nsCaPolicyUrl

#nsSslServerName



# This is required for TSA certificates.

extendedKeyUsage = critical,timeStamping



[ v3_req ]



# Extensions to add to a certificate request
@@ -311,3 +319,33 @@ authorityKeyIdentifier=keyid,issuer:always 


# This really needs to be in place for it to be a proxy certificate.

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo



####################################################################

[ tsa ]



default_tsa = tsa_config1	# the default TSA section



[ tsa_config1 ]



# These are used by the TSA reply generation only.

dir		= sys\$disk:[.demoCA		# TSA root directory

serial		= $dir]tsaserial.	# The current serial number (mandatory)

crypto_device	= builtin		# OpenSSL engine to use for signing

signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate

					# (optional)

certs		= $dir.cacert.pem]	# Certificate chain to include in reply

					# (optional)

signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)



default_policy	= tsa_policy1		# Policy if request did not specify it

					# (optional)

other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)

digests		= md5, sha1		# Acceptable message digests (mandatory)

accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)

clock_precision_digits  = 0	# number of digits after dot. (optional)

ordering		= yes	# Is ordering defined for timestamps?

				# (optional, default: no)

tsa_name		= yes	# Must the TSA name be included in the reply?

				# (optional, default: no)

ess_cert_id_chain	= no	# Must the ESS cert id chain be included?

				# (optional, default: no)

apps/openssl.cnf

+39 −1
Original line number Diff line number Diff line
@@ -21,12 +21,17 @@ oid_section = new_oids 


[ new_oids ]



# We can add new OIDs in here for use by 'ca' and 'req'.

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

# Add a simple OID like this:

# testoid1=1.2.3.4

# Or use config file substitution like this:

# testoid2=${testoid1}.5.6



# Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7



####################################################################

[ ca ]

default_ca	= CA_default		# The default ca section
@@ -206,6 +211,9 @@ authorityKeyIdentifier=keyid,issuer 
#nsCaPolicyUrl

#nsSslServerName



# This is required for TSA certificates.

extendedKeyUsage = critical,timeStamping



[ v3_req ]



# Extensions to add to a certificate request
@@ -310,3 +318,33 @@ authorityKeyIdentifier=keyid,issuer:always 


# This really needs to be in place for it to be a proxy certificate.

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo



####################################################################

[ tsa ]



default_tsa = tsa_config1	# the default TSA section



[ tsa_config1 ]



# These are used by the TSA reply generation only.

dir		= ./demoCA		# TSA root directory

serial		= $dir/tsaserial	# The current serial number (mandatory)

crypto_device	= builtin		# OpenSSL engine to use for signing

signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate

					# (optional)

certs		= $dir/cacert.pem	# Certificate chain to include in reply

					# (optional)

signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)



default_policy	= tsa_policy1		# Policy if request did not specify it

					# (optional)

other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)

digests		= md5, sha1		# Acceptable message digests (mandatory)

accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)

clock_precision_digits  = 0	# number of digits after dot. (optional)

ordering		= yes	# Is ordering defined for timestamps?

				# (optional, default: no)

tsa_name		= yes	# Must the TSA name be included in the reply?

				# (optional, default: no)

ess_cert_id_chain	= no	# Must the ESS cert id chain be included?

				# (optional, default: no)