X-Git-Url: http://pere.pagekite.me/gitweb/homepage.git/blobdiff_plain/6150c7a64a43c3644a1f02db495c0d22651e2624..48242bda221d48f034db275c4758ac81cc92d31b:/blog/archive/2018/10/10.rss

diff --git a/blog/archive/2018/10/10.rss b/blog/archive/2018/10/10.rss
index c35ee7c49f..46e18aa3a2 100644
--- a/blog/archive/2018/10/10.rss
+++ b/blog/archive/2018/10/10.rss
@@ -6,6 +6,112 @@
                 <link>http://people.skolelinux.org/pere/blog/</link>
 
 	
+	<item>
+		<title>Fetching trusted timestamps using the rfc3161ng python module</title>
+		<link>http://people.skolelinux.org/pere/blog/Fetching_trusted_timestamps_using_the_rfc3161ng_python_module.html</link>        
+		<guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Fetching_trusted_timestamps_using_the_rfc3161ng_python_module.html</guid>
+                <pubDate>Mon, 8 Oct 2018 12:30:00 +0200</pubDate>
+		<description>&lt;p&gt;I have  earlier covered the basics of trusted timestamping using the
+&#39;openssl ts&#39; client.  See blog post for
+&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Public_Trusted_Timestamping_services_for_everyone.html&quot;&gt;2014&lt;/a&gt;,
+&lt;a href=&quot;http://people.skolelinux.org/pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html&quot;&gt;2016&lt;/a&gt;
+and
+&lt;a href=&quot;http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html&quot;&gt;2017&lt;/a&gt;
+for those stories.  But some times I want to integrate the timestamping
+in other code, and recently I needed to integrate it into Python.
+After searching a bit, I found
+&lt;a href=&quot;https://dev.entrouvert.org/projects/python-rfc3161&quot;&gt;the
+rfc3161 library&lt;/a&gt; which seemed like a good fit, but I soon
+discovered it only worked for python version 2, and I needed something
+that work with python version 3.  Luckily I next came across
+&lt;a href=&quot;https://github.com/trbs/rfc3161ng/&quot;&gt;the rfc3161ng library&lt;/a&gt;,
+a fork of the original rfc3161 library.  Not only is it working with
+python 3, it have fixed a few of the bugs in the original library, and
+it has an active maintainer.  I decided to wrap it up and make it
+&lt;a href=&quot;https://tracker.debian.org/pkg/python-rfc3161ng&quot;&gt;available in
+Debian&lt;/a&gt;, and a few days ago it entered Debian unstable and testing.&lt;/p&gt;
+
+&lt;p&gt;Using the library is fairly straight forward.  The only slightly
+problematic step is to fetch the required certificates to verify the
+timestamp.  For some services it is straight forward, while for others
+I have not yet figured out how to do it.  Here is a small standalone
+code example based on of the integration tests in the library code:&lt;/p&gt;
+
+&lt;pre&gt;
+#!/usr/bin/python3
+
+&quot;&quot;&quot;
+
+Python 3 script demonstrating how to use the rfc3161ng module to
+get trusted timestamps.
+
+The license of this code is the same as the license of the rfc3161ng
+library, ie MIT/BSD.
+
+&quot;&quot;&quot;
+
+import os
+import pyasn1.codec.der
+import rfc3161ng
+import subprocess
+import tempfile
+import urllib.request
+
+def store(f, data):
+    f.write(data)
+    f.flush()
+    f.seek(0)
+
+def fetch(url, f=None):
+    response = urllib.request.urlopen(url)
+    data = response.read()
+    if f:
+        store(f, data)
+    return data
+
+def main():
+    with tempfile.NamedTemporaryFile() as cert_f,\
+    	 tempfile.NamedTemporaryFile() as ca_f,\
+    	 tempfile.NamedTemporaryFile() as msg_f,\
+    	 tempfile.NamedTemporaryFile() as tsr_f:
+
+        # First fetch certificates used by service
+        certificate_data = fetch(&#39;https://freetsa.org/files/tsa.crt&#39;, cert_f)
+        ca_data_data = fetch(&#39;https://freetsa.org/files/cacert.pem&#39;, ca_f)
+
+        # Then timestamp the message
+        timestamper = \
+            rfc3161ng.RemoteTimestamper(&#39;http://freetsa.org/tsr&#39;,
+                                        certificate=certificate_data)
+        data = b&quot;Python forever!\n&quot;
+        tsr = timestamper(data=data, return_tsr=True)
+
+        # Finally, convert message and response to something &#39;openssl ts&#39; can verify
+        store(msg_f, data)
+        store(tsr_f, pyasn1.codec.der.encoder.encode(tsr))
+        args = [&quot;openssl&quot;, &quot;ts&quot;, &quot;-verify&quot;,
+                &quot;-data&quot;, msg_f.name,
+	        &quot;-in&quot;, tsr_f.name,
+		&quot;-CAfile&quot;, ca_f.name,
+                &quot;-untrusted&quot;, cert_f.name]
+        subprocess.check_call(args)
+
+if &#39;__main__&#39; == __name__:
+   main()
+&lt;/pre&gt;
+
+&lt;p&gt;The code fetches the required certificates, store them as temporary
+files, timestamp a simple message, store the message and timestamp to
+disk and ask &#39;openssl ts&#39; to verify the timestamp.  A timestamp is
+around 1.5 kiB in size, and should be fairly easy to store for future
+use.&lt;/p&gt;
+
+&lt;p&gt;As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+&lt;b&gt;&lt;a href=&quot;bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&quot;&gt;15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&lt;/a&gt;&lt;/b&gt;.&lt;/p&gt;
+</description>
+	</item>
+	
 	<item>
 		<title>Automatic Google Drive sync using grive in Debian</title>
 		<link>http://people.skolelinux.org/pere/blog/Automatic_Google_Drive_sync_using_grive_in_Debian.html</link>        
