Time Stamp Protocol Module

Parse and return responses to RFC3161 Time Stamp Protocol requests.

What does it do?

This module implements a Time Stamp Protocol (RFC 3161) endpoint, i.e. a Time Stamping Authority (TSA): it signs a client-supplied hash together with the current time, giving the client a token it can later present as proof that the datum existed at or before that time.

Based on configuration, an incoming POST request with a content type of application/timestamp-query is received, the message imprint it carries (the hash the client supplies; the datum itself never leaves the client) is signed together with the time and a serial number, and the response is returned with a content type of application/timestamp-reply.

Module Integration

The mod_timestamp module is a frontend module and does nothing useful until it has been combined with one or more of the backend modules listed below. mod_timestamp uses the following hooks to make a serial number and to obtain the time; a suitable backend module must be configured to implement each hook.

All frontend modules run within a standard Apache httpd request, so standard httpd functionality (authentication, authorisation, TLS, logging and request limits) applies to timestamp requests exactly as it does to any other request.

Make Serial Hook

This hook generates the serial number to be included in the timestamp response. The hook is mandatory, and the request will be rejected if left unconfigured.

mod_ca_simple Allows a serial number to be generated at random.
mod_ca_disk Allows a serial number to be assigned from a counter stored on disk.

Get Time Hook

This hook returns the time to be used when generating the timestamp. The hook is mandatory, and the request will be rejected if left unconfigured.

mod_ca_simple Returns the system time provided by the underlying operating system. Every token this server issues asserts that time, so the host clock must be kept disciplined (e.g. by NTP) and its drift monitored.

Examples

Basic Example

The simplest case: generate a timestamp for anybody who wants one. Note that this signs every well-formed query that reaches the URL; the logged-in example below restricts that.

LoadModule ca_module /usr/local/libexec/apache-modules/mod_ca.so
LoadModule ca_simple_module /usr/local/libexec/apache-modules/mod_ca_simple.so
LoadModule timestamp_module /usr/local/libexec/apache-modules/mod_timestamp.so

# backend configuration:
<IfModule mod_ca_simple.c>
  # use system clock as the time source
  CASimpleTime on
  # assign a random serial number
  CASimpleSerialRandom on
</IfModule>

# frontend configuration:
<IfModule mod_timestamp.c>
  <Location /timestamp>
    SetHandler timestamp
    # sign with this certificate...
    TimestampSigningCertificate /etc/pki/ssl/timestamp.cert
    # ...and private key
    TimestampSigningKey /etc/pki/ssl/timestamp.key
    # use a sha256 digest
    TimestampDigest SHA256
    # set the policy to an oid of your choice
    TimestampDefaultPolicy 1.2.3.4

    # Allow anyone to get a signed timestamp
    require all granted
  </Location>
</IfModule>


Note that it is essential that the timestamp server certificate (as set with TimestampSigningCertificate) carries an Extended Key Usage extension that is marked critical and contains only the timeStamping purpose. RFC 3161 requires this, and verifiers such as openssl ts -verify reject tokens signed by a certificate without it.

These can be set with openssl (e.g. when testing) as follows:


# Generate an unencrypted keypair and a request.
# 2048-bit RSA: 1024-bit keys are no longer considered safe.
# -nodes leaves the key unencrypted, so restrict the file to the httpd user.
#
openssl req -newkey rsa:2048 -nodes \
   -subj   "/C=NL/ST=Zuid-Holland/L=Leiden/O=TimeServices/CN=Churchtower" \
   -keyout /etc/pki/ssl/timestamp.key \
   -out    /tmp/timestamp.csr

# Create a config file carrying the required extension:
# critical, with timeStamping as the only purpose.
#
echo extendedKeyUsage=critical,timeStamping > ts.cnf

# Self-sign the request, adding the required timestamp key usage.
# The output path matches TimestampSigningCertificate in the
# configuration above.
#
openssl x509 -req -days 365 \
    -in      /tmp/timestamp.csr \
    -signkey /etc/pki/ssl/timestamp.key \
    -out     /etc/pki/ssl/timestamp.cert -extfile ts.cnf

# Check that the extension is present and critical
# (-ext needs OpenSSL 1.1.1 or later; otherwise use -text).
#
openssl x509 -in /etc/pki/ssl/timestamp.cert -noout -ext extendedKeyUsage

# And delete the request - it is no longer needed.
rm /tmp/timestamp.csr

Logged In Example

A more typical scenario: generate a timestamp for a logged-in user.

In this example it is assumed that Apache configuration exists that authenticates the user against a database, a directory, a token, or a certificate.

# backend configuration:
<IfModule mod_ca_simple.c>
  # use system clock as the time source
  CASimpleTime on
  # assign a random serial number
  CASimpleSerialRandom on
</IfModule>

# frontend configuration:
<IfModule mod_timestamp.c>
  <Location /timestamp>
    SetHandler timestamp
    # standard Apache authorisation
    Require valid-user
    # sign with this certificate...
    TimestampSigningCertificate /etc/pki/ssl/timestamp.cert
    # ...and private key
    TimestampSigningKey /etc/pki/ssl/timestamp.key
    # use a sha256 digest
    TimestampDigest SHA256
    # set the policy to an oid of your choice
    TimestampDefaultPolicy 1.2.3.4
  </Location>
</IfModule>


Client implementations of RFC 3161 exist for most languages, and some applications have one built in; in that case the URI to enter for the above examples would be https://fqdn.com/timestamp.

It is also possible to use the ts utility built into OpenSSL; an example is shown below, where a file called my-novel.doc is timestamped (any binary file will do).

  1. First create a timestamp query for the file. What actually gets sent, and signed by the server, is the SHA-256 digest of the file (-sha256), not the file itself. The -cert flag asks the server to include its signing certificate in the reply, which the verification step below relies on, and -no_nonce omits the random nonce that would otherwise tie the reply to this particular request.
    
    openssl ts -query -data my-novel.doc -cert -sha256 -no_nonce -out request.tsq
    
  2. Then offer this to the signing server (assumed here to run on localhost) as an HTTP POST request with the right content type. The reply is a signed receipt in binary (DER) format.
    
    curl -H Content-Type:application/timestamp-query --data-binary @request.tsq http://127.0.0.1/timestamp > reply.tsr
    
  3. You can now dump the contents of this reply:
    
    openssl ts -reply -text -in reply.tsr
    openssl asn1parse -inform DER -in reply.tsr
    

    or, better, verify it against the timestamp certificate (or, with the chain, against one of the higher CA certificates as the root):

    
    openssl ts -verify -in reply.tsr -data my-novel.doc -CAfile /etc/pki/ssl/timestamp.cert
    

    Note: as we did not set a nonce in step 1, we do not get one back. With a nonce, verifying with -queryfile request.tsq instead of -data makes openssl also check that the nonce in the token matches the one in the request, which rules out being handed an old token for the same data. In this particular case we get a random serial number set by the time server, because CASimpleSerialRandom is on in the server configuration.

    Here we simply use the certificate set in the configuration file of the signing time server (by TimestampSigningCertificate) to verify, so there are no chain issues. With a certificate issued by a CA, pass the CA certificates to -CAfile instead; if the reply does not carry the TSA certificate (no -cert in step 1), supply it with -untrusted.
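The request and reply bytes exchanged in the steps above can also be produced and inspected without the ts utility. The following is an added example, not part of mod_timestamp or of this page's original text: using only the Python standard library, it builds the same TimeStampReq that openssl ts -query -sha256 -cert sends (optionally with a nonce), suitable for posting with the curl line above, then parses a TimeStampResp and performs the client-side checks a verifier must not skip: that the status is granted, that the message imprint inside the token is the digest we sent, and that the nonce, when we used one, is echoed back. The CMS signature itself is not verified here; that remains the job of openssl ts -verify. The document bytes, nonce, serial number and policy OID 1.2.3.4 in sample_response are constructed values, and that sample carries an empty signerInfos, so it exists only to exercise the parser offline.

```python
# Added example, not mod_timestamp's own code: RFC 3161 client helpers using only the Python stdlib.
import hashlib
def _length(n):  # DER length octets (short or long form)
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body
def der_int(n):  # non-negative INTEGER, minimal two's-complement encoding
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:  # base-128 groups, high bit set on all but the last
        out += [0x80 | (a >> (7 * k)) & 0x7F for k in range((a.bit_length() - 1) // 7, 0, -1)]
        out.append(a & 0x7F)
    return tlv(0x06, bytes(out))

def read_tlv(buf, pos=0):  # -> (tag, value, position just after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def children(body):  # (tag, value) pairs inside a constructed element's body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

SHA256_OID = "2.16.840.1.101.3.4.2.1"
ID_CT_TSTINFO = "1.2.840.113549.1.9.16.1.4"
FAIL_BITS = {0: "badAlg", 2: "badRequest", 5: "badDataFormat", 14: "timeNotAvailable", 15: "unacceptedPolicy",
             16: "unacceptedExtension", 17: "addInfoNotAvailable", 25: "systemFailure"}

def message_imprint(digest):
    alg = tlv(0x30, der_oid(SHA256_OID) + b"\x05\x00")  # NULL parameters, as openssl ts emits
    return tlv(0x30, alg + tlv(0x04, digest))
def build_request(data, cert_req=True, nonce=None):
    """TimeStampReq ::= SEQUENCE { version 1, messageImprint, nonce OPTIONAL, certReq }"""
    body = der_int(1) + message_imprint(hashlib.sha256(data).digest())
    if nonce is not None:
        body += der_int(nonce)
    if cert_req:  # ask the TSA to include its certificate (openssl ts -query -cert)
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body)

def parse_response(resp):
    """TimeStampResp -> (PKIStatus, failInfo names, TimeStampToken DER or None)."""
    parts = children(read_tlv(resp)[1])
    status_info = children(parts[0][1])
    status, reasons = int.from_bytes(status_info[0][1], "big"), []
    for tag, val in status_info[1:]:
        if tag == 0x03:  # failInfo BIT STRING; first byte counts unused trailing bits
            unused, bits = val[0], val[1:]
            for i in range(len(bits) * 8 - unused):
                if bits[i // 8] >> (7 - i % 8) & 1:
                    reasons.append(FAIL_BITS.get(i, f"bit{i}"))
    token = tlv(*parts[1]) if len(parts) > 1 else None
    return status, reasons, token

def tst_info(token):
    """ContentInfo -> [0] SignedData -> encapContentInfo -> [0] OCTET STRING -> TSTInfo fields."""
    content_info = children(read_tlv(token)[1])
    signed_data = children(read_tlv(content_info[1][1])[1])
    encap = children(signed_data[2][1])
    if encap[0][1] != der_oid(ID_CT_TSTINFO)[2:]:
        raise ValueError("encapsulated content is not id-ct-TSTInfo")
    fields = children(read_tlv(read_tlv(encap[1][1])[1])[1])
    info = {"digest": children(fields[2][1])[1][1], "serial": int.from_bytes(fields[3][1], "big"),
            "gen_time": fields[4][1].decode(), "nonce": None}
    for tag, val in fields[5:]:  # accuracy, ordering, nonce, tsa are OPTIONAL; only nonce is an INTEGER
        if tag == 0x02:
            info["nonce"] = int.from_bytes(val, "big")
    return info

def check_reply(resp, data, nonce=None):  # structural checks only; the CMS signature still needs openssl ts -verify
    status, reasons, token = parse_response(resp)
    if status not in (0, 1) or token is None:  # 0 granted, 1 grantedWithMods
        return False, f"request not granted: status={status} failInfo={reasons}"
    info = tst_info(token)
    if info["digest"] != hashlib.sha256(data).digest():
        return False, "token imprint does not match the data we hashed"
    if nonce is not None and info["nonce"] != nonce:
        return False, "nonce mismatch: token is not the answer to this request"
    return True, info

def sample_response(data, nonce, serial=0x1234, granted=True):
    """Constructed TimeStampResp for offline use (empty signerInfos, so it carries no signature)."""
    if not granted:  # PKIStatus rejection(2) with failInfo badRequest (bit 2)
        return tlv(0x30, tlv(0x30, der_int(2) + tlv(0x03, b"\x05\x20")))
    tst = tlv(0x30, der_int(1) + der_oid("1.2.3.4") + message_imprint(hashlib.sha256(data).digest())
              + der_int(serial) + tlv(0x18, b"20240101120000Z") + der_int(nonce))
    encap = tlv(0x30, der_oid(ID_CT_TSTINFO) + tlv(0xA0, tlv(0x04, tst)))
    signed = tlv(0x30, der_int(3) + tlv(0x31, b"") + encap + tlv(0x31, b""))
    return tlv(0x30, tlv(0x30, der_int(0)) + tlv(0x30, der_oid("1.2.840.113549.1.7.2") + tlv(0xA0, signed)))
```

Writing build_request(open("my-novel.doc", "rb").read()) to request.tsq gives a file the curl line above can post unchanged, and check_reply(open("reply.tsr", "rb").read(), data, nonce) applies the structural checks to the real answer. The nonce and the serial number serve different parties: the nonce proves to the client that this token answers this request (the serial, chosen by the server's make serial hook, is merely unique), which is why a client that cares about replay should send one rather than -no_nonce.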

Handler Reference

The following parameters to the SetHandler directive are supported.

timestamp Handler

After calling the make serial hook and the get time hook, return the time-stamped response.

SetHandler timestamp

Directive Reference

TimestampSigningCertificate Directive

Description Set to the name of the signing certificate.
Syntax TimestampSigningCertificate filename
Default none
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the name of the signing certificate.

TimestampSigningKey Directive

Description Set to the name of the signing key.
Syntax TimestampSigningKey filename
Default none
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the name of the signing key.

TimestampCertificateChain Directive

Description Set to the name of a file containing the rest of the certificate chain.
Syntax TimestampCertificateChain filename
Default none
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the name of a file containing the rest of the certificate chain.

TimestampSize Directive

Description Set to the maximum size of the timestamp request from the client.
Syntax TimestampSize bytes
Default TimestampSize 131072
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the maximum size of the timestamp request from the client. This value cannot be smaller than 4096 bytes.

TimestampLocation Directive

Description Set the URL location of the WADL returned by the OPTIONS method.
Syntax TimestampLocation url
Default TimestampLocation [current-URL]
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the URL location of the WADL returned by the OPTIONS method.

TimestampPolicy Directive

Description Add the given policy to the timestamp.
Syntax TimestampPolicy oid
Default None
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Add the given policy to the timestamp.

TimestampDefaultPolicy Directive

Description Set the given policy as the default timestamp policy.
Syntax TimestampDefaultPolicy oid
Default None
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the given policy as the default timestamp policy.

TimestampDigest Directive

Description Add the given digest to the timestamp.
Syntax TimestampDigest digest
Default None
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Add the given digest to the timestamp.

TimestampIncludeChain Directive

Description Indicate whether the certificate chain should be included.
Syntax TimestampIncludeChain flag
Default TimestampIncludeChain off
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Indicate whether the certificate chain should be included in the ESS signing certificate attribute within the response.

TimestampOrdering Directive

Description Set ordering to true in the response.
Syntax TimestampOrdering flag
Default TimestampOrdering off
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the ordering field of the TSTInfo to TRUE in the response. RFC 3161 defines this to mean that every token issued by this TSA can be ordered by its genTime alone, regardless of the stated accuracy, so enable it only if the configured time source actually guarantees that.

TimestampTsaName Directive

Description Set to include the TSA name in the response.
Syntax TimestampTsaName flag
Default TimestampTsaName off
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to include the TSA name in the response.

TimestampClockPrecisionDigits Directive

Description Set the number of clock precision digits.
Syntax TimestampClockPrecisionDigits number
Default None
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_timestamp
Compatibility Introduced in mod_timestamp 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the number of decimal digits of fractional seconds carried in the genTime field of the response; 0 means whole seconds. Choose a value no finer than the real precision of the configured time source.