FreeTSA & Digitorus' Timestamp SDK
I wrote recently about some exploration of Timestamping with OriginStamp. Since writing that post, I had some supportive feedback from the helpful folks at OriginStamp and plan to continue exploring that solution.
Meanwhile, OriginStamp exposed me to timestamping and trusted timestamping and I discovered freeTSA.org.
What’s the point? These services provide authoritative proof of the existence of a digital asset before some point in time; OriginStamp provides a richer service and uses multiple timestamp authorities including Bitcoin, Ethereum and rather interestingly a German Newspaper’s Trusted Timestamp.
So, a quick detour today with Golang and FreeTSA and its trusted timestamping service.
NB RFC 3161: Internet X.509 PKI Time-Stamp Protocol (TSP)
NB OpenSSL includes a Timestamping Authority Tool (openssl ts)
Bash
FreeTSA provides a command-line example.
Here’s my spin on it (with minimal tweaks) that uses a simple string rather than a file to mirror my OriginStamp examples:
# The message to Timestamp
MESG="Frederik Jack is a bubbly Border Collie"
# Filename for Timestamp Request (/tmp/${FILE}.tsq) and Response (/tmp/${FILE}.tsr)
FILE="file"
# Create a Timestamp Request and persist it
# Quote the message so the whole string is hashed, not just its first word
DIGEST=$(\
printf '%s' "${MESG}" \
| sha256sum \
| head --bytes 64)
openssl ts -query \
-digest ${DIGEST} \
-sha256 \
-no_nonce \
-cert \
-out /tmp/${FILE}.tsq
# Submit the Request to FreeTSA and persist the Response
curl \
--silent \
--header "Content-Type: application/timestamp-query" \
--data-binary "@/tmp/${FILE}.tsq" \
https://freetsa.org/tsr \
> /tmp/${FILE}.tsr
# Download the FreeTSA certs to /tmp
wget \
--output-document=/tmp/tsa.crt \
https://freetsa.org/files/tsa.crt
wget \
--output-document=/tmp/cacert.pem \
https://freetsa.org/files/cacert.pem
# Validate that the certs' hashes match the published hashes
GOT=$(openssl x509 -noout -modulus -in /tmp/tsa.crt \
| sha256sum \
| head --bytes 64)
WANT="899ba3d9f777e2a74bdd34302bc06cb3f7a46ac1f565ee128f79fd5dab99d68b"
if [ "${GOT}" != "${WANT}" ]
then
echo "hashes don't match!"
exit 1
fi
GOT=$(openssl x509 -noout -modulus -in /tmp/cacert.pem \
| sha256sum \
| head --bytes 64)
WANT="a4b1a0a81aef68be1cc985d0f83bd6539cfe84174587f900e15ffe3f65433056"
if [ "${GOT}" != "${WANT}" ]
then
echo "hashes don't match!"
exit 1
fi
# Use OpenSSL Timestamp tool to verify the Request|Response
openssl ts -verify \
-in /tmp/${FILE}.tsr \
-queryfile /tmp/${FILE}.tsq \
-CAfile /tmp/cacert.pem \
-untrusted /tmp/tsa.crt
# Tidy
rm /tmp/${FILE}.ts? /tmp/cacert.pem /tmp/tsa.crt
You’re looking for “Verification: OK”
Golang
I was surprised to find only a couple of Golang implementations of the RFC.
Digitorus’ SDK appears (!?) legit and I used that.
See: https://github.com/DazWilkin/FreeTSA
The Digitorus Timestamp SDK makes it trivial to create Timestamp Requests:
tsq, err := timestamp.CreateRequest(
	strings.NewReader(*mesg),
	&timestamp.RequestOptions{
		Hash: crypto.SHA256,
	},
)
Which may then be POSTed to the FreeTSA service to generate a DER-encoded Response (resp), that may be parsed back into a Timestamp struct:
ts, err := timestamp.ParseResponse(tsr)
You may test this implementation:
# The message to Timestamp
MESG="Frederik Jack is a bubbly Border Collie"
# Filename for Timestamp Request and Response
FILE="file"
# Create a Timestamp Request and persist it
# Submit it to FreeTSA and persist the Response
go run github.com/DazWilkin/FreeTSA \
--mesg="${MESG}" \
--file=${FILE}
# Download the FreeTSA certs to /tmp
wget \
--output-document=/tmp/tsa.crt \
https://freetsa.org/files/tsa.crt
wget \
--output-document=/tmp/cacert.pem \
https://freetsa.org/files/cacert.pem
# Use OpenSSL Timestamp tool to verify the Request|Response
openssl ts -verify \
-in /tmp/${FILE}.tsr \
-queryfile /tmp/${FILE}.tsq \
-CAfile /tmp/cacert.pem \
-untrusted /tmp/tsa.crt
# Tidy
rm /tmp/${FILE}.ts? /tmp/cacert.pem /tmp/tsa.crt
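For reference, the Timestamp Request created in both sections is a small DER structure (TimeStampReq in RFC 3161). The following is an added example, not code from the original post or from the Digitorus SDK: it builds and parses that structure with only Go's standard library. The type and function names are hypothetical and the optional extensions field is left out.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// SHA-256 algorithm OID (2.16.840.1.101.3.4.2.1).
var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}

// Hypothetical type names; the fields follow TimeStampReq in RFC 3161, section 2.4.1.
type messageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}

type timeStampReq struct {
	Version        int
	MessageImprint messageImprint
	ReqPolicy      asn1.ObjectIdentifier `asn1:"optional"`
	Nonce          *big.Int              `asn1:"optional"`
	CertReq        bool                  `asn1:"optional"`
}

// buildRequest hashes msg with SHA-256 and DER-encodes a version 1 request.
// A nil nonce corresponds to -no_nonce; certReq=true corresponds to -cert.
func buildRequest(msg []byte, nonce *big.Int, certReq bool) ([]byte, error) {
	sum := sha256.Sum256(msg)
	alg := pkix.AlgorithmIdentifier{Algorithm: oidSHA256, Parameters: asn1.NullRawValue}
	return asn1.Marshal(timeStampReq{Version: 1, MessageImprint: messageImprint{alg, sum[:]}, Nonce: nonce, CertReq: certReq})
}

// parseRequest decodes a DER-encoded request and rejects trailing bytes.
func parseRequest(der []byte) (timeStampReq, error) {
	var req timeStampReq
	rest, err := asn1.Unmarshal(der, &req)
	if err == nil && len(rest) != 0 {
		err = errors.New("trailing data after TimeStampReq")
	}
	return req, err
}

func main() {
	der, err := buildRequest([]byte("Frederik Jack is a bubbly Border Collie"), nil, true)
	fmt.Printf("%d bytes, err=%v\n%x\n", len(der), err, der)
}
```

Passing a random nonce instead of nil lets the client check that a response was issued for this particular request, since RFC 3161 requires the TSA to return the same nonce value.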
That’s all!