Authoritative timestamping: Some silly games
Ever wanted to prove you knew something before everyone else? Here’s the way: You write it down in a file, and timestamp it. Then, when you want to prove you were there first, you’ll show the original file, the signed timestamp, and then everyone knows you’re a hopeless geek.
But this can help a bit if something goes wrong with timestamp servers used to sign software.
Anyhow, I have to admit I know very little about this issue. In particular, I have no idea how to dissect the timestamp file (tsr). Ideas are welcome as comments below.
You may need to install a certain package (or several):
# yum install openssl-perl
And this can never hurt:
$ man ts
Now suppose that the file containing our genius knowledge is in thefile.txt.
$ openssl ts -query -data thefile.txt -cert -out request.tsq
This created the request to be sent to the timestamp server. The important part is that the hash of thefile.txt is in there, so the timestamping is specific to the file.
Now read the manual a bit again…
$ man tsget
and go timestamping!
$ /etc/pki/tls/misc/tsget -h http://tsa.starfieldtech.com -o timestamp.tsr request.tsq
Pardon my weird path. This is how yum installed it.
The server mentioned above is GoDaddy’s official timestamp server, so the reply stored in timestamp.tsr is a real proof. If you want to use this in court, expect to pay a lot to experts and hope the judge doesn’t kick you out before you’re done with all the technicalities. But hey, that’s a watertight proof you paid nothing to get (and it’s probably worth about as much).
It would be wonderful to know what’s actually in that timestamp. I know for a fact that the file’s hash has to be there, as well as the digital signature of the issuer of the time stamp. Lacking a better tool to peek inside, I just went:
$ strings -n 10 timestamp.tsr
20120330152409Z
Starfield Technologies, Inc.1200
)Starfield Class 2 Certification Authority0
110503070000Z
160503070000Z0
Scottsdale1%0#
Starfield Technologies, Inc.1301
*http://certs.starfieldtech.com/repository/1&0$
Starfield Timestamp Authority0
http://ocsp.starfieldtech.com/08
'http://crl.starfieldtech.com/sfroot.crl0S
+https://certs.starfieldtech.com/repository/0
Starfield Technologies, Inc.1200
)Starfield Class 2 Certification Authority
120330152409Z0
So there are some clues here. A dissector to cleartext would be nice, though. Ideas, anyone?
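The request file from earlier is ASN.1 DER, so a small tag-length-value walker is enough to pull the hash out of it and confirm that the request is bound to one specific file. This is an added example, not code from the original post; it handles SHA-256 requests only, and the function names and the sample request built by build_sample_tsq are constructed for illustration.

```python
import hashlib

SHA256_OID = bytes.fromhex("608648016503040201")  # DER body of 2.16.840.1.101.3.4.2.1

def read_tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out

def message_imprint(tsq):
    """Return (hash OID body, digest) from a DER TimeStampReq (RFC 3161)."""
    tag, body, end = read_tlv(tsq)
    fields = children(body) if tag == 0x30 and end == len(tsq) else []
    if [t for t, _ in fields[:2]] != [0x02, 0x30]:  # version, messageImprint
        raise ValueError("not a TimeStampReq")
    imprint = children(fields[1][1])
    alg = children(imprint[0][1]) if [t for t, _ in imprint] == [0x30, 0x04] else []
    if not alg or alg[0][0] != 0x06:
        raise ValueError("malformed messageImprint")
    return alg[0][1], imprint[1][1]

def request_matches(tsq, data):
    """True if the request carries the SHA-256 digest of data."""
    oid, digest = message_imprint(tsq)
    return oid == SHA256_OID and digest == hashlib.sha256(data).digest()

def build_sample_tsq(data):
    """Constructed sample request (short-form lengths only), certReq TRUE."""
    def der(tag, content):
        return bytes([tag, len(content)]) + content
    alg = der(0x30, der(0x06, SHA256_OID) + der(0x05, b""))
    imprint = der(0x30, alg + der(0x04, hashlib.sha256(data).digest()))
    return der(0x30, der(0x02, b"\x01") + imprint + der(0x01, b"\xff"))
```

To check a real request, pass the bytes of request.tsq and thefile.txt to request_matches. If your OpenSSL's ts -query does not default to SHA-256, create the request with -sha256.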
Reader Comments
Most file formats used by PKI are based on ASN.1-DER. Use `openssl asn1parse -inform der` or Gutmann’s `dumpasn1` to examine certificates, timestamp requests, etc.
Thanks, that worked. More precisely, I went
openssl asn1parse -inform der < timestamp.tsr
and got a lot of mumbo-jumbo that seems to have a meaning. :)