This article won’t be pariculary interesting for the most readers. My aim is to help the billions of developers that are confused about dealing with trusted timestamping<\/b>. If you don’t know what Trusted Timestamps are, carry on.<\/p>\nExplanation of the concept behind Trusted Timestamps<\/h2>\n
I can’t put it better as Wikipedia (Trusted timestamping<\/a>) does:<\/p>\n \nTrusted timestamping is the process of securely keeping track of the creation and modification time of a document. Security here means that no one \u2014 not even the owner of the document \u2014 should be able to change it once it has been recorded provided that the timestamper’s integrity is never compromised.\n<\/p><\/blockquote>\n The workflow is as follows:<\/p>\n Trusted Timestamping is particulary interesting for applications which deal with very critical data. You can’t simply store a hash in your database when the attacker might have access to all your systems and comes from within your company (e.g. the admin itself). He would be able to simply manipulate the hashed data and overwrite the old hash in your database. Another point is to prove in court that there has no manipulation happened – definitely necessary when dealing with money.<\/p>\n As mentioned above, this requires the openssl ts-command which is availible in openssl versions newer than 0.99 (check with command openssl version<\/i>).<\/p>\n Furthermore CURL is required. Ah, and you have to be able to use the exec<\/a>-function of PHP, which might be disabled at some shared hosts.<\/p>\n We’ll be creating a Trusted Timestamp-Class that is able to handle anything from creating requestfiles over signing them at the TSA to verifying the integrity. Let’s start.<\/p>\n You throw a hash in and the method returns the path to the newly created Timestamp Requestfile. If you’re curious what the 2>&1<\/i> appendix to the executed command is for: This redirects the error-stream STDERR to STDOUT, so exec<\/a> will be able to also return the error description if something goes wrong.<\/p>\n Now that we’ve created our Requestfile, we want to send it to the TSA in order to get our Timestamp-Response binary certificate signed string. For that, we use CURL to transmit our Requestfile. After we get our response, we base64-encode<\/a> it because handling with binary strings can be a pain in the ass, especially when you want to write it to the database. We return the base64-encoded responsestring and the extracted unix timestamp (will be shown in the next method).<\/p>\n We want to be sure that an attacker can’t simply make a new TSA request to sign his manipulated data and delete the old TSA request with the real data. So we have to pull the exact unix timestamp from the Timestamp Response, when our Request has been signed.<\/p>\n Wohow, that’s a lot of code. But what’s happening isn’t very complicated. We do some verification of our parameters and then mess around with return-codes from the openssl ts-command to see if our hash is still valid when checking against our Timestamp Response. We also check, if the unix timestamp of signing is still the same. It’s important to mention that we need the certificate chain<\/b> (usually pem-format) of the TSA. Our method expects the path to the certificate-file in the last parameter. The certificate chain for the DFN-Service<\/a> can be found here.<\/p>\n Umm… nothing spectacular.<\/p>\n The code should speak for itself.<\/p>\n Okay, okay… There you are, the complete class:<\/p>\n I hope you will find any use in this, don’t hesitate to ask if something is not clear to you.<\/p>\n This class is released under the MIT License<\/a>.<\/p>\n The guys at the DFN gave me the allowance to use their service as an example for my blogpost. The service is free. You’ll find further information to the DFN service at this point<\/a>. Please also respect the DFN Charter<\/a> (Google Translator is your friend).<\/p>\n","protected":false},"excerpt":{"rendered":" This article won’t be pariculary interesting for the most readers. My aim is to help the billions of developers that are confused about dealing with trusted timestamping. If you don’t know what Trusted Timestamps are, carry on. Explanation of the … Weiterlesen \n
Why has this to be so complicated?<\/h2>\n
Preconditions<\/h2>\n
\n
Let’s go!<\/h2>\n
Create the Requestfile<\/h3>\n
\r\n\r\npublic static function createRequestfile ($hash)\r\n{\r\n\tif (strlen($hash) !== 40)\r\n\t\tthrow new Exception("Invalid hash.");\r\n\t\t\r\n\t$outfilepath = self::createTempFile();\r\n\t$cmd = "openssl ts -query -digest ".escapeshellarg($hash)." -cert -out ".escapeshellarg($outfilepath);\r\n\r\n\t$retarray = array();\r\n\texec($cmd." 2>&1", $retarray, $retcode);\r\n\t\r\n\tif ($retcode !== 0)\r\n\t\tthrow new Exception("OpenSSL does not seem to be installed: ".implode(", ", $retarray));\r\n\t\r\n\tif (stripos($retarray[0], "openssl:Error") !== false)\r\n\t\tthrow new Exception("There was an error with OpenSSL. Is version >= 0.99 installed?: ".implode(", ", $retarray));\r\n\r\n\treturn $outfilepath;\r\n}\r\n<\/pre>\nSign Requestfile<\/h3>\n
\r\npublic static function signRequestfile ($requestfile_path, $tsa_url)\r\n{\r\n\tif (!file_exists($requestfile_path))\r\n\t\tthrow new Exception("The Requestfile was not found");\r\n\r\n\t$ch = curl_init();\r\n\tcurl_setopt($ch, CURLOPT_URL, $tsa_url);\r\n\tcurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\r\n\tcurl_setopt($ch, CURLOPT_TIMEOUT, 10);\r\n\tcurl_setopt($ch, CURLOPT_POST, 1);\r\n\tcurl_setopt($ch, CURLOPT_BINARYTRANSFER, 1);\r\n\tcurl_setopt($ch, CURLOPT_POSTFIELDS, file_get_contents($requestfile_path));\r\n\tcurl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application\/timestamp-query'));\r\n\tcurl_setopt($ch, CURLOPT_USERAGENT, "Mozilla\/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); \r\n\t$binary_response_string = curl_exec($ch);\r\n\t$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);\r\n\tcurl_close($ch);\r\n\t\r\n\tif ($status != 200 || !strlen($binary_response_string))\r\n\t\tthrow new Exception("The request failed");\r\n\t\r\n\t$base64_response_string = base64_encode($binary_response_string);\r\n\t\r\n\t$response_time = self::getTimestampFromAnswer ($base64_response_string);\r\n\t\r\n\treturn array("response_string" => $base64_response_string,\r\n\t\t\t\t "response_time" => $response_time);\r\n}\r\n<\/pre>\nGet the Unix-Timestamp from the Timestamp Response<\/h3>\n
\r\npublic static function getTimestampFromAnswer ($base64_response_string)\r\n{\r\n\t$binary_response_string = base64_decode($base64_response_string);\r\n\r\n\t$responsefile = self::createTempFile($binary_response_string);\r\n\r\n\t$cmd = "openssl ts -reply -in ".escapeshellarg($responsefile)." -text";\r\n\t\r\n\t$retarray = array();\r\n\texec($cmd." 2>&1", $retarray, $retcode);\r\n\t\r\n\tif ($retcode !== 0)\r\n\t\tthrow new Exception("The reply failed: ".implode(", ", $retarray));\r\n\t\r\n\t$matches = array();\r\n\t$response_time = 0;\r\n\r\n\t\/*\r\n\t * Format of answer:\r\n\t * \r\n\t * Foobar: some stuff\r\n\t * Time stamp: 21.08.2010 blabla GMT\r\n\t * Somestuff: Yayayayaya\r\n\t *\/\r\n\tforeach ($retarray as $retline)\r\n\t{\r\n\t\tif (preg_match("~^Time\\sstamp\\:\\s(.*)~", $retline, $matches))\r\n\t\t{\r\n\t\t\t$response_time = strtotime($matches[1]);\r\n\t\t\tbreak;\t\t\r\n\t\t}\r\n\t}\r\n\r\n\tif (!$response_time)\r\n\t\tthrow new Exception("The Timestamp was not found");\t\r\n\t\t\r\n\treturn $response_time;\r\n}\r\n<\/pre>\nThe Validation<\/h3>\n
\r\npublic static function validate ($hash, $base64_response_string, $response_time, $tsa_cert_file)\r\n{\r\n\tif (strlen($hash) !== 40)\r\n\t\tthrow new Exception("Invalid Hash");\r\n\t\r\n\t$binary_response_string = base64_decode($base64_response_string);\r\n\t\r\n\tif (!strlen($binary_response_string))\r\n\t\tthrow new Exception("There was no response-string");\t\r\n\t\t\r\n\tif (!intval($response_time))\r\n\t\tthrow new Exception("There is no valid response-time given");\r\n\t\r\n\tif (!file_exists($tsa_cert_file))\r\n\t\tthrow new Exception("The TSA-Certificate could not be found");\r\n\t\r\n\t$responsefile = self::createTempFile($binary_response_string);\r\n\r\n\t$cmd = "openssl ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file);\r\n\t\r\n\t$retarray = array();\r\n\texec($cmd." 2>&1", $retarray, $retcode);\r\n\t\r\n\t\/*\r\n\t * just 2 "normal" cases: \r\n\t * \t1) Everything okay -> retcode 0 + retarray[0] == "Verification: OK"\r\n\t * 2) Hash is wrong -> retcode 1 + strpos(retarray[somewhere], "message imprint mismatch") !== false\r\n\t * \r\n\t * every other case (Certificate not found \/ invalid \/ openssl is not installed \/ ts command not known)\r\n\t * are being handled the same way -> retcode 1 + any retarray NOT containing "message imprint mismatch"\r\n\t *\/\r\n\t\r\n\tif ($retcode === 0 && strtolower(trim($retarray[0])) == "verification: ok")\r\n\t{\r\n\t\tif (self::getTimestampFromAnswer ($base64_response_string) != $response_time)\r\n\t\t\tthrow new Exception("The responsetime of the request was changed");\r\n\t\t\r\n\t\treturn true;\r\n\t}\r\n\r\n\tforeach ($retarray as $retline)\r\n\t{\r\n\t\tif (stripos($retline, "message imprint mismatch") !== false)\r\n\t\t\treturn false;\r\n\t}\r\n\r\n\tthrow new Exception("Systemcommand failed: ".implode(", ", $retarray));\r\n}\r\n<\/pre>\nOur Helper-Function to create a tempfile<\/h3>\n
\r\npublic static function createTempFile ($str = "")\r\n{\r\n\t$tempfilename = tempnam(sys_get_temp_dir(), rand());\r\n\r\n\tif (!file_exists($tempfilename))\r\n\t\tthrow new Exception("Tempfile could not be created");\r\n\t\t\r\n\tif (!empty($str) && !file_put_contents($tempfilename, $str))\r\n\t\tthrow new Exception("Could not write to tempfile");\r\n\r\n\treturn $tempfilename;\r\n}\r\n<\/pre>\nHow do I use this class?<\/h2>\n
\r\nrequire_once "TrustedTimestamps.php";\r\n\r\n$my_hash = sha1("Some Data for testing");\r\n\r\n$requestfile_path = TrustedTimestamps::createRequestfile($my_hash);\r\n\r\n$response = TrustedTimestamps::signRequestfile($requestfile_path, "http:\/\/zeitstempel.dfn.de");\r\nprint_r($response);\r\n\/*\r\nArray\r\n(\r\n [response_string] => Shitload of text (base64-encoded Timestamp-Response of the TSA)\r\n [response_time] => 1299098823\r\n)\r\n*\/\r\n\r\necho TrustedTimestamps::getTimestampFromAnswer($response['response_string']); \/\/1299098823\r\n\r\n$tsa_cert_chain_file = "chain.txt"; \/\/from https:\/\/pki.pca.dfn.de\/global-services-ca\/pub\/cacert\/chain.txt\r\n\r\n$validate = TrustedTimestamps::validate($my_hash, $response['response_string'], $response['response_time'], $tsa_cert_chain_file); \r\nvar_dump($validate); \/\/bool(true)\r\n\r\n\/\/now with an incorrect hash. Same goes for a manipulated response string or response time\r\n$validate = TrustedTimestamps::validate(sha1("im not the right hash"), $response['response_string'], $response['response_time'], $tsa_cert_chain_file);\r\nvar_dump($validate); \/\/bool(false)\r\n<\/pre>\nI don’t want to copy and paste all your little code samples!<\/h2>\n
\r\n<?php\r\n\/**\r\n * TrustedTimestamps.php - Creates Timestamp Requestfiles, processes the request at a Timestamp Authority (TSA) after RFC 3161\r\n *\r\n * Released under the MIT license (opensource.org\/licenses\/MIT) Copyright (c) 2015 David M\u00fcller\r\n *\r\n * bases on OpenSSL and RFC 3161: http:\/\/www.ietf.org\/rfc\/rfc3161.txt\r\n *\r\n * WARNING: \r\n * \tneeds openssl ts, which is availible in OpenSSL versions >= 0.99\r\n * \tThis is currently (2011-03-02) not the case in Debian\r\n * \t(see http:\/\/stackoverflow.com\/questions\/5043393\/openssl-ts-command-not-working-trusted-timestamps)\r\n * \t-> Possibility: Debian Experimentals -> http:\/\/wiki.debian.org\/DebianExperimental\r\n * \r\n * For OpenSSL on Windows, see\r\n * \thttp:\/\/www.slproweb.com\/products\/Win32OpenSSL.html\r\n * \thttp:\/\/www.switch.ch\/aai\/support\/howto\/openssl-windows.html\r\n * \r\n * @version 0.3\r\n * @author David M\u00fcller\r\n * @package trustedtimestamps\r\n*\/\r\n\r\nclass TrustedTimestamps\r\n{\r\n \/**\r\n * Creates a Timestamp Requestfile from a hash\r\n *\r\n * @param string $hash: The hashed data (sha1)\r\n * @return string: path of the created timestamp-requestfile\r\n *\/\r\n\tpublic static function createRequestfile ($hash)\r\n\t{\r\n\t\tif (strlen($hash) !== 40)\r\n\t\t\tthrow new Exception("Invalid Hash.");\r\n\t\t\t\r\n\t\t$outfilepath = self::createTempFile();\r\n\t\t$cmd = "openssl ts -query -digest ".escapeshellarg($hash)." -cert -out ".escapeshellarg($outfilepath);\r\n\r\n\t\t$retarray = array();\r\n\t\texec($cmd." 2>&1", $retarray, $retcode);\r\n\t\t\r\n\t\tif ($retcode !== 0)\r\n\t\t\tthrow new Exception("OpenSSL does not seem to be installed: ".implode(", ", $retarray));\r\n\t\t\r\n\t\tif (stripos($retarray[0], "openssl:Error") !== false)\r\n\t\t\tthrow new Exception("There was an error with OpenSSL. Is version >= 0.99 installed?: ".implode(", ", $retarray));\r\n\r\n\t\treturn $outfilepath;\r\n\t}\r\n\r\n \/**\r\n * Signs a timestamp requestfile at a TSA using CURL\r\n *\r\n * @param string $requestfile_path: The path to the Timestamp Requestfile as created by createRequestfile\r\n * @param string $tsa_url: URL of a TSA such as http:\/\/zeitstempel.dfn.de\r\n * @return array of response_string with the unix-timetamp of the timestamp response and the base64-encoded response_string\r\n *\/\r\n\tpublic static function signRequestfile ($requestfile_path, $tsa_url)\r\n\t{\r\n\t\tif (!file_exists($requestfile_path))\r\n\t\t\tthrow new Exception("The Requestfile was not found");\r\n\r\n\t\t$ch = curl_init();\r\n\t\tcurl_setopt($ch, CURLOPT_URL, $tsa_url);\r\n\t\tcurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\r\n\t\tcurl_setopt($ch, CURLOPT_TIMEOUT, 10);\r\n\t\tcurl_setopt($ch, CURLOPT_POST, 1);\r\n\t\tcurl_setopt($ch, CURLOPT_BINARYTRANSFER, 1);\r\n\t\tcurl_setopt($ch, CURLOPT_POSTFIELDS, file_get_contents($requestfile_path));\r\n\t\tcurl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application\/timestamp-query'));\r\n\t\tcurl_setopt($ch, CURLOPT_USERAGENT, "Mozilla\/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); \r\n\t\t$binary_response_string = curl_exec($ch);\r\n\t\t$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);\r\n\t\tcurl_close($ch);\r\n\t\t\r\n\t\tif ($status != 200 || !strlen($binary_response_string))\r\n\t\t\tthrow new Exception("The request failed");\r\n\t\t\r\n\t\t$base64_response_string = base64_encode($binary_response_string);\r\n\t\t\r\n\t\t$response_time = self::getTimestampFromAnswer ($base64_response_string);\r\n\t\t\r\n\t\treturn array("response_string" => $base64_response_string,\r\n\t\t\t\t\t "response_time" => $response_time);\r\n\t}\r\n\r\n \/**\r\n * Extracts the unix timestamp from the base64-encoded response string as returned by signRequestfile\r\n *\r\n * @param string $base64_response_string: Response string as returned by signRequestfile\r\n * @return int: unix timestamp\r\n *\/\r\n\tpublic static function getTimestampFromAnswer ($base64_response_string)\r\n\t{\r\n\t\t$binary_response_string = base64_decode($base64_response_string);\r\n\r\n\t\t$responsefile = self::createTempFile($binary_response_string);\r\n\r\n\t\t$cmd = "openssl ts -reply -in ".escapeshellarg($responsefile)." -text";\r\n\t\t\r\n\t\t$retarray = array();\r\n\t\texec($cmd." 2>&1", $retarray, $retcode);\r\n\t\t\r\n\t\tif ($retcode !== 0)\r\n\t\t\tthrow new Exception("The reply failed: ".implode(", ", $retarray));\r\n\t\t\r\n\t\t$matches = array();\r\n\t\t$response_time = 0;\r\n\r\n\t\t\/*\r\n\t\t * Format of answer:\r\n\t\t * \r\n\t\t * Foobar: some stuff\r\n\t\t * Time stamp: 21.08.2010 blabla GMT\r\n\t\t * Somestuff: Yayayayaya\r\n\t\t *\/\r\n\t\tforeach ($retarray as $retline)\r\n\t\t{\r\n\t\t\tif (preg_match("~^Time\\sstamp\\:\\s(.*)~", $retline, $matches))\r\n\t\t\t{\r\n\t\t\t\t$response_time = strtotime($matches[1]);\r\n\t\t\t\tbreak;\t\t\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tif (!$response_time)\r\n\t\t\tthrow new Exception("The Timestamp was not found");\t\r\n\t\t\t\r\n\t\treturn $response_time;\r\n\t}\r\n\r\n \/**\r\n *\r\n * @param string $hash: sha1 hash of the data which should be checked\r\n * @param string $base64_response_string: The response string as returned by signRequestfile\r\n * @param int $response_time: The response time, which should be checked\r\n * @param string $tsa_cert_file: The path to the TSAs certificate chain (e.g. https:\/\/pki.pca.dfn.de\/global-services-ca\/pub\/cacert\/chain.txt)\r\n * @return <type>\r\n *\/\r\n\tpublic static function validate ($hash, $base64_response_string, $response_time, $tsa_cert_file)\r\n\t{\r\n\t\tif (strlen($hash) !== 40)\r\n\t\t\tthrow new Exception("Invalid Hash");\r\n\t\t\r\n\t\t$binary_response_string = base64_decode($base64_response_string);\r\n\t\t\r\n\t\tif (!strlen($binary_response_string))\r\n\t\t\tthrow new Exception("There was no response-string");\t\r\n\t\t\t\r\n\t\tif (!intval($response_time))\r\n\t\t\tthrow new Exception("There is no valid response-time given");\r\n\t\t\r\n\t\tif (!file_exists($tsa_cert_file))\r\n\t\t\tthrow new Exception("The TSA-Certificate could not be found");\r\n\t\t\r\n\t\t$responsefile = self::createTempFile($binary_response_string);\r\n\r\n\t\t$cmd = "openssl ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file);\r\n\t\t\r\n\t\t$retarray = array();\r\n\t\texec($cmd." 2>&1", $retarray, $retcode);\r\n\t\t\r\n\t\t\/*\r\n\t\t * just 2 "normal" cases: \r\n\t\t * \t1) Everything okay -> retcode 0 + retarray[0] == "Verification: OK"\r\n\t\t * 2) Hash is wrong -> retcode 1 + strpos(retarray[somewhere], "message imprint mismatch") !== false\r\n\t\t * \r\n\t\t * every other case (Certificate not found \/ invalid \/ openssl is not installed \/ ts command not known)\r\n\t\t * are being handled the same way -> retcode 1 + any retarray NOT containing "message imprint mismatch"\r\n\t\t *\/\r\n\t\t\r\n\t\tif ($retcode === 0 && strtolower(trim($retarray[0])) == "verification: ok")\r\n\t\t{\r\n\t\t\tif (self::getTimestampFromAnswer ($base64_response_string) != $response_time)\r\n\t\t\t\tthrow new Exception("The responsetime of the request was changed");\r\n\t\t\t\r\n\t\t\treturn true;\r\n\t\t}\r\n\r\n\t\tforeach ($retarray as $retline)\r\n\t\t{\r\n\t\t\tif (stripos($retline, "message imprint mismatch") !== false)\r\n\t\t\t\treturn false;\r\n\t\t}\r\n\r\n\t\tthrow new Exception("Systemcommand failed: ".implode(", ", $retarray));\r\n\t}\r\n\r\n \/**\r\n * Create a tempfile in the systems temp path\r\n *\r\n * @param string $str: Content which should be written to the newly created tempfile\r\n * @return string: filepath of the created tempfile\r\n *\/\r\n\tpublic static function createTempFile ($str = "")\r\n\t{\r\n\t\t$tempfilename = tempnam(sys_get_temp_dir(), rand());\r\n\r\n\t\tif (!file_exists($tempfilename))\r\n\t\t\tthrow new Exception("Tempfile could not be created");\r\n\t\t\t\r\n\t\tif (!empty($str) && !file_put_contents($tempfilename, $str))\r\n\t\t\tthrow new Exception("Could not write to tempfile");\r\n\r\n\t\treturn $tempfilename;\r\n\t}\r\n}\r\n<\/pre>\nLicense<\/h2>\n
Credits: Thanks to the DFN!<\/h2>\n