Time stamp
Within the DFN-PKI a time stamp service can be used.
The DFN time stamp service lets a trusted authority (here the DFN-PKI) certify the state of a file at a certain point in time.
The DFN time stamp service can be used for non-commercial purposes within the framework of the DFN statutes.
A separate certificate is not necessary.
The time stamp server can be reached via the URL http://zeitstempel.dfn.de. Opening this URL in a browser is not possible (warning). Programs such as Adobe Acrobat or openssl (from version 1.0, see below), as well as components from Microsoft or Java, can be used. In addition, the BouncyCastle libraries are available for Java and C#, and BouncyCastlePP is a port of BouncyCastle for C++.
According to information from DFN, openssl (>= 1.1.xx) should work. If necessary, you have to build openssl yourself.
Build openssl yourself

    cd ~
    git clone https://github.com/openssl/openssl.git
    cd openssl
    ./Configure linux-x86_64
    # reconfigure with the private install prefix
    ./config --prefix=${HOME}/opt/openssl --openssldir=${HOME}/opt/openssl
    make
    make test
    # install into the prefix so that ${HOME}/opt/openssl/bin/openssl exists
    make install
    export OPENSSL=${HOME}/opt/openssl
    export C_INCLUDE_PATH=$OPENSSL/include
    export LIBRARY_PATH=$OPENSSL/lib
    export LD_LIBRARY_PATH=$LIBRARY_PATH:$LD_LIBRARY_PATH
    export OPENSSL_PREFIX=${OPENSSL}
    echo ${OPENSSL}
    echo ${C_INCLUDE_PATH}
    echo ${LD_LIBRARY_PATH}
    echo ${OPENSSL_PREFIX}
    ${HOME}/opt/openssl/bin/openssl
    OpenSSL> version
    OpenSSL 1.1.1-pre5-dev xx XXX xxxx
    OpenSSL>

    # use the self-built binary if it exists, otherwise the system openssl
    # (set in the current shell; an export inside ( ... ) would be lost)
    if [[ -f ${HOME}/opt/openssl/bin/openssl ]]; then
        export MYOPENSSL="${HOME}/opt/openssl/bin/openssl"
    else
        export MYOPENSSL="openssl"
    fi
Generate example code

    # printf with single quotes writes a valid "#!" line (no stray backslash)
    printf '%s\n' '#!/usr/bin/env bash' '' '#© by ra@rwth-aachen.de' '' " echo 'hello dfn timestamp world'" '' '#########' '# EOF' > dfn-timestamp-test.sh
    chmod 750 dfn-timestamp-test.sh
    ./dfn-timestamp-test.sh
    hello dfn timestamp world
Generate "timestamp request"

    ${MYOPENSSL} ts -query -data dfn-timestamp-test.sh -cert -sha256 -no_nonce -out dfn-timestamp-test.tsq
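Send the "timestamp request" to the timestamp server

    # the request goes over plain HTTP (-k has no effect here); the response
    # is only trusted after the signature verification in the next step
    curl -s -S -k -H "Content-Type: application/timestamp-query" --data-binary @dfn-timestamp-test.tsq "http://zeitstempel.dfn.de" -o dfn-timestamp-test.tsr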
Verification of time stamp

    wget https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
    # verify the response against the original file
    ${MYOPENSSL} ts -verify -in dfn-timestamp-test.tsr -data dfn-timestamp-test.sh -CAfile chain.txt
    # verify the response against the request that was sent
    ${MYOPENSSL} ts -verify -queryfile dfn-timestamp-test.tsq -in dfn-timestamp-test.tsr -CAfile chain.txt
Verification of "timestamp response"

    openssl ts -reply -in dfn-timestamp-test.tsr -text
    Status info:
    Status: Granted.
    Status description: Operation Okay
    Failure info: unspecified

    TST info:
    Version: 1
    Policy OID: 1.3.6.1.4.1.22177.300.22.1
    Hash Algorithm: sha256
    Message data:
        0000 - 79 ae 3e 21 6f 52 92 ea-f0 00 78 73 fe 95 06 2b   y.>!oR....xs...+
        0010 - ce 0c 26 29 89 8f e2 62-dd 9c 06 a5 3a 1f b9 dc   ..&)...b....:...
    Serial number: 0x840AA89C8C03C5373E2680B1A2F61CBE132EBBF1
    Time stamp: Nov 30 08:50:24 2016 GMT
    Accuracy: unspecified
    Ordering: no
    Nonce: unspecified
    TSA: unspecified
    Extensions:
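To show what the request file produced by the `ts -query` step carries, here is an added example (not part of the original page or of DFN's tooling): a Python sketch that builds an RFC 3161 TimeStampReq by hand for SHA-256, with certReq set as `-cert` does and an optional nonce, the field that `-no_nonce` leaves out. The function names `der`, `der_uint` and `build_tsq` are hypothetical, and the sample input is constructed.

```python
import hashlib
import secrets

# AlgorithmIdentifier for SHA-256: OID 2.16.840.1.101.3.4.2.1 plus NULL parameters
SHA256_ALGID = bytes.fromhex("300d06096086480165030402010500")


def der(tag, content):
    """Encode one DER tag-length-value element."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_uint(value):
    """Encode a non-negative INTEGER; the extra bit keeps the sign bit clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_tsq(data, cert_req=True, nonce=None):
    """Build a TimeStampReq (RFC 3161, section 2.4.1) over SHA-256 of data."""
    digest = hashlib.sha256(data).digest()
    body = der_uint(1)                                       # version v1
    body += der(0x30, SHA256_ALGID + der(0x04, digest))      # messageImprint
    if nonce is not None:
        body += der_uint(nonce)                              # omitted by -no_nonce
    if cert_req:
        body += der(0x01, b"\xff")                           # certReq TRUE, as -cert
    return der(0x30, body)


if __name__ == "__main__":
    sample = b"echo 'hello dfn timestamp world'\n"   # constructed sample input
    tsq = build_tsq(sample)
    print(len(tsq), "bytes:", tsq.hex())
    # Only the 32-byte digest appears in the request, never the file content.
    print("digest sent:", tsq[24:56].hex())
    # Same request with a random 64-bit nonce, which the TSA must echo back.
    print(build_tsq(sample, nonce=secrets.randbits(64)).hex())
```

Without a nonce, the response cannot be tied to one particular request; it is bound only to the file's hash and the time the TSA signed it.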
Further information:
- RFC 3161 - "Internet X.509 Public Key Infrastructure Time-Stamp Protocol"
- Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
- Bundesdruckerei: "D-TRUST timestamp - confirm receipt times for electronic documents in a legally compliant manner" (in German)
- Ruhr-Uni-Bochum: "Cryptography with Bouncy Castle"
- Wikipedia: Comparison of cryptography libraries
- Microsoft: CryptRetrieveTimeStamp function
- BSI: "Electronic signatures, seals and timestamps."
- eIDAS Regulation on Electronic Identification and Trust Services
- DFN-PKI
- Questions and answers on code signing with certificates from the DFN-PKI
- FAQ timestamp service
- Time stamp service of DFN-PKI now with SHA-2 signatures