Authoritative timestamping: Some silly games

This post was written by eli on March 30, 2012
Posted Under: crypto,Linux,Software

Ever wanted to prove you knew something before everyone else? Here’s the way: You write it down in a file, and timestamp it. Then, when you want to prove you were there first, you’ll show the original file, the signed timestamp, and then everyone knows you’re a hopeless geek.

But this can help a bit if something goes wrong with timestamp servers used to sign software.

Anyhow, I have to admit I know very little about this issue. In particular, I have no idea how to dissect the timestamp file (tsr). Ideas are welcome as comments below.

You may need to install a certain package (or several):

# yum install openssl-perl

And this can never hurt:

$ man ts

Now suppose that the file containing our genius knowledge is in thefile.txt.

$ openssl ts -query -data thefile.txt -cert -out request.tsq

This created the request to be sent to the timestamp server. The important part is that the hash of thefile.txt is in there, so the timestamping is specific to the file.

Now read the manual a bit again…

$ man tsget

and go timestamping!

$ /etc/pki/tls/misc/tsget -h http://tsa.starfieldtech.com -o timestamp.tsr request.tsq

Pardon my weird path. This is how yum installed it.

The server mentioned above is GoDaddy’s official timestamp server, so the reply stored in timestamp.tsr is a real proof. If you want to use this in court, expect to pay a lot to experts and hope the judge doesn’t kick you out before you’re done with all the technicalities. But hey, that’s a watertight proof you paid nothing to get (and it’s probably worth about as much).

It would be wonderful to know what’s actually in that timestamp. I know for a fact that the file’s hash has to be there, as well as the digital signature of the issuer of the time stamp. Lacking a better tool to peek inside, I just went:

$ strings -n 10 timestamp.tsr
20120330152409Z
Starfield Technologies, Inc.1200
)Starfield Class 2 Certification Authority0
110503070000Z
160503070000Z0
Scottsdale1%0#
Starfield Technologies, Inc.1301
*http://certs.starfieldtech.com/repository/1&0$
Starfield Timestamp Authority0

http://ocsp.starfieldtech.com/08

'http://crl.starfieldtech.com/sfroot.crl0S
+https://certs.starfieldtech.com/repository/0
Starfield Technologies, Inc.1200
)Starfield Class 2 Certification Authority
120330152409Z0

So there are some clues here. A dissector to cleartext would be nice, though. Ideas, anyone?
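An added example, not part of the original post: a minimal DER walker in Python that pulls the hash out of a timestamp request such as request.tsq and checks that it really is the digest of the file. The field order (version, then messageImprint) follows RFC 3161's TimeStampReq; the function names are this example's own, and the sample request is constructed inline (SHA-256, certificate requested as with -cert, no nonce).

```python
import hashlib

# DER bodies of digest-algorithm OIDs -> hashlib names
DIGEST_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",
               bytes.fromhex("608648016503040201"): "sha256"}

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the body of a constructed element into (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def message_imprint(tsq):
    """Return (hash_name, digest) from a DER-encoded TimeStampReq."""
    tag, body, _ = read_tlv(tsq)
    if tag != 0x30:
        raise ValueError("TimeStampReq must be a SEQUENCE")
    _version, imprint = children(body)[:2]     # INTEGER, MessageImprint
    alg_id, hashed = children(imprint[1])[:2]  # AlgorithmIdentifier, OCTET STRING
    oid = children(alg_id[1])[0][1]
    return DIGEST_OIDS[oid], hashed[1]         # KeyError on an unlisted digest OID

def request_matches(tsq, data):
    """True if the request's imprint is the digest of data."""
    name, digest = message_imprint(tsq)
    return hashlib.new(name, data).digest() == digest

def der(tag, body):  # sample builder, short-form lengths only
    return bytes([tag, len(body)]) + body

# Constructed sample: SHA-256 request with certReq TRUE, no nonce
SAMPLE_DATA = b"constructed sample text\n"
ALG = der(0x30, der(0x06, bytes.fromhex("608648016503040201")) + der(0x05, b""))
IMPRINT = der(0x30, ALG + der(0x04, hashlib.sha256(SAMPLE_DATA).digest()))
SAMPLE_TSQ = der(0x30, der(0x02, b"\x01") + IMPRINT + der(0x01, b"\xff"))
```

For a real request, pass the bytes of request.tsq and of thefile.txt to request_matches(); any change to the file makes it return False.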

Reader Comments

Most file formats used by PKI are based on ASN.1-DER. Use `openssl asn1parse -inform der` or Gutmann’s `dumpasn1` to examine certificates, timestamp requests, etc.

#1 
Written By Mantas on April 6th, 2016 @ 18:05

Thanks, that worked. More precisely, I went

openssl asn1parse -inform der < timestamp.tsr

and got a lot of mumbo-jumbo that seems to have a meaning. :)

#2 
Written By eli on April 6th, 2016 @ 18:45
