blog/data/2018-10-08-debian-python-trusted-timestamp.txt

   1 Title: Fetching trusted timestamps using the rfc3161ng python module
   2 Tags: english, sikkerhet, noark5
   3 Date: 2018-10-08 12:30
   4
   5 <p>I have  earlier covered the basics of trusted timestamping using the
   6 'openssl ts' client.  See blog post for
   7 <a href="http://www.hungry.com/~pere/blog/Public_Trusted_Timestamping_services_for_everyone.html">2014</a>,
   8 <a href="http://www.hungry.com/~pere/blog/syslog_trusted_timestamp___chain_of_trusted_timestamps_for_your_syslog.html">2016</a>
   9 and
  10 <a href="http://www.hungry.com/~pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html">2017</a>
  11 for those stories.  But some times I want to integrate the timestamping
  12 in other code, and recently I needed to integrate it into Python.
  13 After searching a bit, I found
  14 <a href="https://dev.entrouvert.org/projects/python-rfc3161">the
  15 rfc3161 library</a> which seemed like a good fit, but I soon
  16 discovered it only worked for python version 2, and I needed something
  17 that work with python version 3.  Luckily I next came across
  18 <a href="https://github.com/trbs/rfc3161ng/">the rfc3161ng library</a>,
  19 a fork of the original rfc3161 library.  Not only is it working with
  20 python 3, it have fixed a few of the bugs in the original library, and
  21 it has an active maintainer.  I decided to wrap it up and make it
  22 <a href="https://tracker.debian.org/pkg/python-rfc3161ng">available in
  23 Debian</a>, and a few days ago it entered Debian unstable and testing.</p>
  24
  25 <p>Using the library is fairly straight forward.  The only slightly
  26 problematic step is to fetch the required certificates to verify the
  27 timestamp.  For some services it is straight forward, while for others
  28 I have not yet figured out how to do it.  Here is a small standalone
  29 code example based on of the integration tests in the library code:</p>
  30
  31 <pre>
  32 #!/usr/bin/python3
  33
  34 """
  35
  36 Python 3 script demonstrating how to use the rfc3161ng module to
  37 get trusted timestamps.
  38
  39 The license of this code is the same as the license of the rfc3161ng
  40 library, ie MIT/BSD.
  41
  42 """
  43
  44 import os
  45 import pyasn1.codec.der
  46 import rfc3161ng
  47 import subprocess
  48 import tempfile
  49 import urllib.request
  50
  51 def store(f, data):
  52     f.write(data)
  53     f.flush()
  54     f.seek(0)
  55
  56 def fetch(url, f=None):
  57     response = urllib.request.urlopen(url)
  58     data = response.read()
  59     if f:
  60         store(f, data)
  61     return data
  62
  63 def main():
  64     with tempfile.NamedTemporaryFile() as cert_f,\
  65          tempfile.NamedTemporaryFile() as ca_f,\
  66          tempfile.NamedTemporaryFile() as msg_f,\
  67          tempfile.NamedTemporaryFile() as tsr_f:
  68
  69         # First fetch certificates used by service
  70         certificate_data = fetch('https://freetsa.org/files/tsa.crt', cert_f)
  71         ca_data_data = fetch('https://freetsa.org/files/cacert.pem', ca_f)
  72
  73         # Then timestamp the message
  74         timestamper = \
  75             rfc3161ng.RemoteTimestamper('http://freetsa.org/tsr',
  76                                         certificate=certificate_data)
  77         data = b"Python forever!\n"
  78         tsr = timestamper(data=data, return_tsr=True)
  79
  80         # Finally, convert message and response to something 'openssl ts' can verify
  81         store(msg_f, data)
  82         store(tsr_f, pyasn1.codec.der.encoder.encode(tsr))
  83         args = ["openssl", "ts", "-verify",
  84                 "-data", msg_f.name,
  85                 "-in", tsr_f.name,
  86                 "-CAfile", ca_f.name,
  87                 "-untrusted", cert_f.name]
  88         subprocess.check_call(args)
  89
  90 if '__main__' == __name__:
  91    main()
  92 </pre>
  93
  94 <p>The code fetches the required certificates, store them as temporary
  95 files, timestamp a simple message, store the message and timestamp to
  96 disk and ask 'openssl ts' to verify the timestamp.  A timestamp is
  97 around 1.5 kiB in size, and should be fairly easy to store for future
  98 use.</p>
  99
 100 <p>As usual, if you use Bitcoin and want to show your support of my
 101 activities, please send Bitcoin donations to my address
 102 <b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>