OpenTSA
Introduction
The aim of the OpenTSA project is to develop an RFC 3161 compliant,
stable, secure, open source and free time stamping authority client and server
application. The following deliverables have already been produced:
- Time Stamp patch for OpenSSL: the time stamp request creation,
response generation and response verification functionality is
implemented as an extension to the latest stable version of
OpenSSL. The patch adds a new ts command to OpenSSL with
which the time stamping operations can be carried out. This patch and
the time stamp client have been merged into the official OpenSSL source
tree (the development branch then numbered openssl-0.9.9, which was
released as OpenSSL 1.0.0).
- Time Stamp client: a simple command-line driven TSA client (tsget) that
can be used for creating and sending time stamp requests over HTTP or
HTTPS to a TSA and for receiving and verifying the responses. The
utility is distributed with the OpenSSL Time Stamp patch.
- Time Stamp module for Apache (mod_tsa): an extension
module for the latest stable version of the Apache HTTP server. Using
the functionality of the OpenSSL Time Stamp patch this module functions as an
RFC 3161 compliant time stamp server over the HTTP and HTTPS transports;
issued time stamp tokens can be stored in a MySQL, FireBird or PostgreSQL
database.
Plans for the future:
- Support for Hardware Security Modules: engine (HSM) support has already
been added to both the patch and mod_tsa, and users have reported it to work
with NCipher devices. Testing with other HSMs is still needed, so let us know
if you can support the project with the donation of an HSM (even if you can
lend it only for a short period of time).
- Interoperability tests with other TSP implementations.
If you find this project useful we would be glad to hear about what
problems you could solve with the OpenTSA software, so please do not hesitate to
provide feedback to us.
This web site is going to be updated regularly with new releases when
they become available.
Status
- 23 Sep 2006 (new): New time stamp patch and mod_tsa releases. Support for
PostgreSQL added by Tatoku Ogaito. New test certificates have been created and
published here.
- 2 Sep 2006: I had to have my e-mail address changed due to the large
volumes of spam I have received. Please see this for
the new contact details.
- 25 Feb 2006: New Time Stamp patch release with minor fixes. See changelog
for details.
- 19 Feb 2006: New Time Stamp patch release with minor fixes.
- 12 Nov 2005: New Time Stamp patch release with updates to the new
openssl-0.9.8a release. New mod_tsa release that supports apache 2.0.x.
New test system has been set up with new certificates running on
ns.szikszi.hu, see below.
- 08 May 2005: New Time Stamp patch release with updates to the new
openssl-0.9.7g bug fix release. A new TSA test certificate has been issued
for the test TSA service running on info.szikszi.hu.
- 09 November 2004: New Time Stamp patch release with updates to the new
openssl-0.9.7e bug fix release. New mod_tsa release with support
for the FireBird database server, thanks to Clizio Merli for developing the
FireBird support.
- 04 August 2004: As you may have noticed there have been intermittent
network problems of the ISP hosting the OpenTSA web content and mailing lists,
I apologise for the inconvenience caused. From now on the content is hosted
at a new ISP, thanks to Danilo Antonelli for offering free web space.
The mailing lists are still out of service, but feel free to
contact me if you have any questions or feedback.
- 20 March 2004: New Time Stamp patch release with updates to the new
openssl-0.9.7d bug fix release.
- 1 February 2004: Link to the mailing list archive is added to
the lists section.
- 12 November 2003: New Time Stamp patch release with a CMS bug fix.
- 09 October 2003: New Time Stamp patch release with updates to the new
openssl-0.9.7c bug fix release.
- 23 August 2003: New mod_tsa release with engine (HSM) support, look at the
new TSACryptoDevice directive in the mod_tsa documentation.
- 8 August 2003: New Time Stamp patch release with more flexible client
API for time stamp verification and with support for OpenSSL engines. See
the new crypto_device option in ts(1). I would appreciate your
success/failure reports with different HSMs. Engine support will be added to
mod_tsa soon, too.
- 4 June 2003: Test TSA server is updated to the latest mod_tsa
version and the tsa_info.crt certificate is changed for
a new certificate having the critical flag of the extended key usage set.
- 15 May 2003: New Time Stamp patch and mod_tsa release for
openssl-0.9.7b, see the change log for modifications. Important change:
the latest time stamp client and mod_tsa will refuse to use a TSA certificate
whose extended key usage extension is not critical, as required by RFC 3161.
The test server running on info.szikszi.hu is configured with a certificate
containing non-critical extended key usage, so it cannot be used with
the latest release. A new test server will be set up with a correct certificate
soon, please check back next week.
- 22 February 2003: New Time Stamp patch and mod_tsa release updated to
the new OpenSSL release. Web-site has been moved to the new server of
the OpenTSA project.
- 25 January 2003: New Time Stamp patch for openssl-0.9.7. OpenTSA mailing
lists have been set up.
- 23 November 2002: New Time Stamp patch release with minor
modifications and new mod_tsa module with support for storing time stamp
tokens in a MySQL database.
- 06 November 2002: TSA service is up again.
- IMPORTANT: 05 November 2002: The test TSA service is temporarily
unavailable, because the server is being re-installed. It will probably be
available in a couple of days. Sorry.
- 20 October 2002: Public test TSA service is available.
- 08 October 2002: New release of Time Stamp patch: a new
tsget command was added that can send time stamp requests to a TSA.
Changelog information was added to the releases.
- 22 September 2002: New release of Time Stamp patch: bug fixes
(PKIFreeText encoding, Win32 build), new -digest command line parameter
and update to the latest openssl-0.9.6g release.
- 23 June 2002: First release of mod_tsa for Apache.
- 20 June 2002: New release of Time Stamp OpenSSL patch. Previous
versions regarded time stamp tokens with missing message digest algorithm
parameters invalid, this bug is fixed.
- 09 June 2002: New release of Time Stamp OpenSSL patch. Includes
bug fixes and support for handling time stamp tokens (ContentInfo)
beside time stamp responses (TimeStampResp).
- 10 May 2002: First alpha release of the Time Stamp OpenSSL patch
is released. Although it was developed and tested on SuSE Linux 7.2 and
OpenBSD 3.0 it should work on all UNIX platforms supported by OpenSSL.
Test TSA service
An RFC 3161 compliant public TSA service has been made available only for
testing the time stamping technology in general and the OpenTSA
implementation in particular. No measures were taken to ensure the
accuracy of the time source or the protection of the server and its
private keys; the generated time stamps therefore do not provide
sufficient evidence that the data existed before the date included in the
time stamp, and must not be relied on for anything but testing.
You may send any kind of packet to the access points specified below
(including malformed ones), but please do not execute performance
tests against it and do not connect to other open ports of the
server. If you cannot access the server or experience problems, please
report them to the project contact listed under Contact below.
The use of this service is subject to the disclaimer below.
Service access points
- http://ns.szikszi.hu:8080/tsa
- https://ns.szikszi.hu:8443/tsa
Profile
The service provides time stamps according to the following policy:
1.3.6.1.4.1.3029.54.11940.54. The text of the policy is "we sign
anything that arrives".
Accepted message digest algorithms: SHA-1, MD5. Both algorithms are
collision-broken today, so a time stamp over such an imprint can be claimed
for any second document that an attacker has prepared with the same digest;
this is acceptable for a test service, but not for evidentiary use.
Signature algorithm: sha1WithRSAEncryption.
If the certReq field is set to true in the time stamp request (the -cert
option of the ts -query command), the response will include the full
certificate chain.
Certificates
You really need just the Root CA certificate, the others are here
just for completeness.
- Root CA certificate for both SSL and TSA certificates: cacert.crt
- TSA certificate: tsa_ns.crt
- Server certificate for HTTPS: ns.crt
Examples
You can use the tsget utility (included in the time stamp patch) to
connect to the server.
Getting a time stamp over HTTP (assuming that file.tsq is a
valid time stamp request created with the ts -query command):
$ tsget -h http://ns.szikszi.hu:8080/tsa file.tsq
And over HTTPS (assuming that cacert.crt contains the root CA
of the SSL server certificate):
$ tsget -h https://ns.szikszi.hu:8443/tsa -C cacert.crt file.tsq
The result is written to file.tsr. tsget only transports the request and
the response; check the response afterwards with the -verify mode of the ts
command, against the original data or the .tsq file, with cacert.crt as the
trust anchor.
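The request, response and verification steps described above, plus the
critical extended key usage rule from the 15 May 2003 status entry, run end to
end offline. This is an added example written for this page, not OpenTSA code
and not the test server's configuration: it assumes an openssl binary that
carries the ts command (OpenSSL 1.0.0 or later), generates a throw-away root CA
and TSA certificate in place of cacert.crt and tsa_ns.crt, and uses
`openssl ts -reply` in place of the public service. The policy OID is the one
quoted in the Profile; the certificate subjects, file names, the other [tsa]
settings and the sample document are this example's own choices.

```sh
#!/bin/sh
# Added example (not OpenTSA's code): RFC 3161 round trip with `openssl ts`.
# A throw-away root CA and TSA certificate stand in for cacert.crt/tsa_ns.crt,
# and `openssl ts -reply` stands in for the public test server, so nothing
# leaves the machine and no real TSA key is involved.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)   # scratch directory; every file below lives here
cd "$WORK"

# One config file serves openssl req/x509 (extension sections) and
# openssl ts -reply (the [tsa] section documented in ts(1)).
cat > tsa.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

# RFC 3161 2.3: the TSA certificate's extendedKeyUsage MUST be critical and
# contain only id-kp-timeStamping; openssl ts refuses to sign or verify otherwise.
[ v3_tsa ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,timeStamping

# Same certificate with a non-critical EKU, like the pre-June-2003 test server.
[ v3_tsa_noncritical ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = timeStamping

[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
serial = ./tsaserial
signer_cert = ./tsa.crt
certs = ./cacert.crt
signer_key = ./tsa.key
signer_digest = sha256
default_policy = 1.3.6.1.4.1.3029.54.11940.54
digests = sha256, sha1
accuracy = secs:1, millisecs:500, microsecs:100
ordering = yes
tsa_name = yes
ess_cert_id_chain = no
EOF

make_certs() {
  openssl req -x509 -config tsa.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout ca.key -out cacert.crt -subj /CN=example-root -days 30
  openssl req -new -config tsa.cnf -newkey rsa:2048 -nodes \
    -keyout tsa.key -out tsa.csr -subj /CN=example-tsa
  openssl x509 -req -in tsa.csr -CA cacert.crt -CAkey ca.key -CAcreateserial \
    -extfile tsa.cnf -extensions v3_tsa -out tsa.crt -days 30
  openssl x509 -req -in tsa.csr -CA cacert.crt -CAkey ca.key -CAcreateserial \
    -extfile tsa.cnf -extensions v3_tsa_noncritical -out tsa_bad.crt -days 30
}

# Client side: hash the document locally (only the imprint is sent), ask for
# the signer certificate in the reply (-cert), keep the default random nonce.
make_query() {
  printf 'constructed sample document\n' > letter
  openssl ts -query -data letter -sha256 -cert -out letter.tsq
}

# Server side: what the TSA does with a posted .tsq (serial file is created
# on first use; the policy comes from default_policy).
make_reply() {
  openssl ts -reply -config tsa.cnf -queryfile letter.tsq -out letter.tsr
}

# Verify against the request (nonce and imprint) and against the raw data
# (re-hashed with the token's algorithm); 0 only when both succeed.
verify_reply() {
  openssl ts -verify -queryfile letter.tsq -in letter.tsr -CAfile cacert.crt >/dev/null &&
  openssl ts -verify -data letter -in letter.tsr -CAfile cacert.crt >/dev/null
}

# Policy OID recorded in the issued token.
token_policy() {
  openssl ts -reply -in letter.tsr -text | sed -n 's/^Policy OID: //p'
}

# 0 when openssl ts refuses to issue with the non-critical-EKU certificate.
noncritical_eku_refused() {
  ! openssl ts -reply -config tsa.cnf -queryfile letter.tsq \
      -signer tsa_bad.crt -inkey tsa.key -out bad.tsr 2>/dev/null
}

make_certs && make_query && make_reply && verify_reply
echo "policy: $(token_policy)"
noncritical_eku_refused && echo "non-critical EKU certificate refused, as RFC 3161 requires"
```

Against the real test service, make_reply is replaced by the tsget call from the
Examples (or the curl pipeline in the next section) and cacert.crt by the
published root; the two verify commands stay the same. The -queryfile form is
the stronger check, because the nonce ties the response to this request.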
Disclaimer
This service is provided by the OpenTSA project ``as is'' and any
expressed or implied warranties, including, but not limited to, the
implied warranties of merchantability and fitness for a particular
purpose are disclaimed. In no event shall the OpenTSA project or
its contributors be liable for any direct, indirect, incidental,
special, exemplary, or consequential damages (including, but
not limited to, procurement of substitute goods or services;
loss of use, data, or profits; or business interruption)
however caused and on any theory of liability, whether in contract,
strict liability, or tort (including negligence or otherwise)
arising in any way out of the use of this service, even if advised
of the possibility of such damage.
Time Stamp client (HTTP(S))
(This section is here for historical reasons. The tsget command can be
used as an HTTP(S) client instead.)
The Time Stamp OpenSSL patch can be used for creating a time stamp request
and verifying the response, however, it cannot transfer the request to a TSA
server. This can be done e.g. with the curl HTTP(S) client utility, if the TSA
supports the HTTP transport of RFC 3161 (section 3.4) and not just the raw
TCP socket transport (section 3.3).
Here is an example how to create a request, store it in a file (request.tsq),
send it to a TSA server (http://localhost:8080/tsa) with the
application/timestamp-query content type the RFC requires, and store
the time stamp response in a file (response.tsr).
$ openssl ts -query -data letter -cert | tee request.tsq | \
curl -s -S -H 'Content-Type: application/timestamp-query' \
--data-binary @- http://localhost:8080/tsa -o response.tsr
Download
Time Stamping Patch snapshots for OpenSSL
Patch | Installation | Manual | Change log | Required software
ts-20060923-0_9_8c-patch.gz (latest) | instructions | ts(1), tsget(1) | ChangeLog-20060923 | openssl-0.9.8c, Perl 5, libcurl (with perl binding)
ts-20060225-0_9_8a-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20060225 | openssl-0.9.8a, Perl 5, libcurl (with perl binding)
ts-20060219-0_9_8a-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20060219 | openssl-0.9.8a, Perl 5, libcurl (with perl binding)
ts-20051030-0_9_8a-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20051030 | openssl-0.9.8a, Perl 5, libcurl (with perl binding)
ts-20050508-0_9_7g-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20050508 | openssl-0.9.7g, Perl 5, libcurl (with perl binding)
ts-20041109-0_9_7e-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20041109 | openssl-0.9.7e, Perl 5, libcurl (with perl binding)
ts-20040320-0_9_7d-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20040320 | openssl-0.9.7d, Perl 5, libcurl (with perl binding)
ts-20031112-0_9_7c-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20031112 | openssl-0.9.7c, Perl 5, libcurl (with perl binding)
ts-20031008-0_9_7c-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20031008 | openssl-0.9.7c, Perl 5, libcurl (with perl binding)
ts-20030806-0_9_7b-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20030806 | openssl-0.9.7b, Perl 5, libcurl (with perl binding)
ts-20030515-0_9_7b-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20030515 | openssl-0.9.7b, Perl 5, libcurl (with perl binding)
ts-20030222-0_9_7a-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20030222 | openssl-0.9.7a, Perl 5, libcurl (with perl binding)
ts-20030125-0_9_7-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20030125 | openssl-0.9.7, Perl 5, libcurl (with perl binding)
ts-20021123-0_9_6g-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20021123 | openssl-engine-0.9.6g, Perl 5, libcurl (with perl binding)
ts-20021008-0_9_6g-patch.gz | instructions | ts(1), tsget(1) | ChangeLog-20021008 | openssl-engine-0.9.6g, Perl 5, libcurl (with perl binding)
ts-20020922-0_9_6g-patch.gz | instructions | ts(1) | ChangeLog-20020922 | openssl-engine-0.9.6g
ts-20020620-0_9_6d-patch.gz | instructions | ts(1) | ChangeLog-20020620 | openssl-engine-0.9.6d
ts-20020609-0_9_6d-patch.gz | instructions | ts(1) | ChangeLog-20020609 | openssl-engine-0.9.6d
ts-20020510-0_9_6d-patch.gz | instructions | ts(1) | ChangeLog-20020510 | openssl-engine-0.9.6d
mod_tsa module snapshots for Apache
License
The license for the patch kit is the same as that of OpenSSL, you can
find it here.
The license for mod_tsa is based on the OpenSSL license as well,
here it is.
Mailing lists
IMPORTANT: From 04th August 2004 the mailing lists are temporarily out of
service until an unspecified date. As soon as I have the networking
infrastructure I will enable the lists again.
The misc mailing list archive is available here: [2003], [2004].
Your e-mail address is handled confidentially; it is never going to
be disclosed to any 3rd parties.
Contact
If you have any problems, questions or feedback please write to
Zoltán Glózik.
Credit
- Thanks to Tatoku Ogaito for contributing PostgreSQL support to mod_tsa.
- Thanks to Dirk Datzert for contributing a patch for the Apache 2.0.x support.
- Thanks to László Kovács (SZIKSZI) for providing the necessary resources
for the test TSA service.
- Thanks to Danilo Antonelli (http://www.starmaster.org/) for the opentsa.org
domain and the free web space.
- Thanks to Clizio Merli for contributing the FireBird support for mod_tsa.
- This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit. (http://www.openssl.org/)
- This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com).
- This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Zoltan Glozik
$Id: index.html,v 1.57 2006/09/23 20:32:50 zglozik Exp $