Documentation on usage

[pjrobertson]

Congrats on reaching 1.0!

I realise this client is fairly new, but it'd be great to have some simple docs on usage in the README. So far I only have the tests to go on. A simple explanation on how to build a TSQ, send to server, verify certs + timestamping cert would be much appreciated!

This is about as far as I've got from trying to decipher the unit tests...

import requests
from rfc3161_client.base import HashAlgorithm, TimestampRequestBuilder, TimeStampRequest
from rfc3161_client.verify import VerifierBuilder


tsr: TimeStampRequest = TimestampRequestBuilder(
    data="my message",
    hash_algorithm=HashAlgorithm.SHA256,
    nonce=True,
    cert_req=True,
).build()

headers = {"Content-Type": "application/timestamp-query", "Accept": "application/timestamp-reply"}

res = requests.post("http://timestamp.digicert.com", headers=headers, data=tsr.dump())

verifier = VerifierBuilder().build()
...

[woodruffw]

Thanks @pjrobertson! Yeah, docs are something we certainly need to improve here.

It's a bit context sensitive, but here's an example of using the VerifierBuilder API in another codebase that might help out a bit: https://github.com/sigstore/sigstore-python/blob/99948d5b80525a5a104e904ffea58169dc6e0629/sigstore/verify/verifier.py#L121-L165

And as for the signing/TSQ side:

https://github.com/sigstore/sigstore-python/blob/99948d5b80525a5a104e904ffea58169dc6e0629/sigstore/_internal/timestamp.py#L84-L121

I hope those two links help! If you run into any issues/problems, I'd be happy to help more as well.

[pjrobertson]

Thanks, very helpful! I'll use those two links as a reference and see how it goes - will let you know if I have more questions.

[pjrobertson]

So I think I'm getting there, here's how far I've got so far:

import requests
from rfc3161_client import (
    TimestampRequestBuilder,
    TimeStampResponse,
    decode_timestamp_response,
)
from rfc3161_client.base import HashAlgorithm

def sign_data(self, tsa_url: str, bytes_data: bytes) -> TimeStampResponse:
    # see https://github.com/sigstore/sigstore-python/blob/99948d5b80525a5a104e904ffea58169dc6e0629/sigstore/_internal/timestamp.py#L84-L121

    timestamp_request = (
            TimestampRequestBuilder().data(bytes_data).nonce(nonce=True).build()
        )

    try:
        response = self.session.post(tsa_url, data=timestamp_request.as_bytes(), timeout=10)
        response.raise_for_status()
    except requests.RequestException as e:
        logger.error(f"Error while sending request to {tsa_url=}: {e}")
        raise

    # Check that we can parse the response but do not *verify* it
    try:
        timestamp_response = decode_timestamp_response(response.content)
    except ValueError as e:
        logger.error(f"Invalid timestamp response from server {tsa_url}: {e}")
        raise

    return timestamp_response


sign_data(tsa_url="http://timestamp.digicert.com", byte_data=b"message")

This is currently throwing the following error on decode_timestamp_response

*** ValueError: ASN.1 parse error: ParseError { kind: InvalidSetOrdering, location: ["RawTimeStampResp::time_stamp_token", "TimeStampToken::content", "SignedData::certificates", 1] }

Is it possible that the decoding only works for the sigstore tsa servers?

[woodruffw]

Is it possible that the decoding only works for the sigstore tsa servers?

Decoding should work for any TSA that's RFC 3161 compliant -- there are unfortunately a lot of non-compliant TSAs out there, including DigiCert's.

We have a matrix of TSAs we've tested against here: #46

In your specific case, it looks like DigiCert is returning an ASN.1 SET ordering that's invalid in DER, which means that they aren't RFC 3161 compliant (since RFC 3161 requires DER, not a BER encoding). That in turn means we can't parse the responses it gives us, since rust-asn1 is intentionally very strict about rejecting invalid DER.

[woodruffw]

To expound a bit: it looks like the TimeStampResp contains a SignedData whose certificates field is not ordered correctly. DER says that SET OF must be ordered by serialized value, but a common error that applications make is serializing in order of occurrence, i.e. serializing whatever order of elements was passed to them.

[pjrobertson]

Thanks for all the help so far - sorry, I'm only just getting to this now. I've also come across pyca/cryptography#12124 which I see you have been commenting on. I've got the timestamping request/response all working, now I'm just stuck on the verifying part using cryptography and the root certs. Here's what I have so far, but none of the certs seem to be valid (perhaps because of what's mentioned about supporting additional x509 extensions)?. They're all throwing Error while verifying certificates: Unable to verify certificate

    def verify_signed(self, timestamp_response: TimeStampResponse, signature: bytes) ->  None:
        """
        Verify a Signed Timestamp using the build in trusted roots (does this work, or do we need the TSA root?)
        """

        trusted_root_path = self.cert_authorities or certifi.where()
        cert_authorities = []

        with open(trusted_root_path, 'rb') as f:
            cert_authorities = x509.load_pem_x509_certificates(f.read())

        if not cert_authorities:
            raise ValueError(f"No trusted roots found in {trusted_root_path}.")
        

        for certificate in cert_authorities:
            builder = VerifierBuilder()
            builder.add_root_certificate(certificate)

            verifier = builder.build()
            try:
                verifier.verify(timestamp_response, signature)
                return certificate
            except Rfc3161VerificationError as e:
                logger.debug(f"Unable to verify Timestamp with CA {certificate.subject}: {e}")
                continue
        
        return False

Can you point me to how you got this working in sigstore - I see you have your own TSA certs that you are verifying against. Is it only possible to verify with these, and not with a root certificate bundle?

Once this is all working, I'll write up some docs which will hopefully help others!

[woodruffw]

Here's what I have so far, but none of the certs seem to be valid (perhaps because of what's mentioned about supporting additional x509 extensions)?. They're all throwing Error while verifying certificates: Unable to verify certificate

Hmm, could you share the chain/trust root you're attempting to verify with? This library currently uses rust-openssl to do the chain building/path validation and not PyCA Cryptography's APIs, in part because we haven't moved over to the newly stabilized policy APIs yet. Given that, there's a decent chance that OpenSSL's verification APIs (or the way we've configured them) might be unhappy with something about your intermediates or roots.

[pjrobertson]

So right now I'm using the root from certifi.where() which is this: https://github.com/certifi/python-certifi/blob/master/certifi/cacert.pem

Here's a complete code example that you can run, it timestamps 'message' with the server 'http://timestamp.identrust.com'

import requests
from rfc3161_client import (
    TimestampRequestBuilder,
    TimeStampResponse,
    decode_timestamp_response,
    VerifierBuilder
)
from rfc3161_client import VerificationError as Rfc3161VerificationError
from cryptography import x509
import certifi

def verify_signed(timestamp_response: TimeStampResponse, signature: bytes) ->  None:
    """
    Verify a Signed Timestamp using the TSA provided by the Trusted Root.
    """

    trusted_root_path = certifi.where()
    cert_authorities = []

    with open(trusted_root_path, 'rb') as f:
        cert_authorities = x509.load_pem_x509_certificates(f.read())

    if not cert_authorities:
        raise ValueError(f"No trusted roots found in {trusted_root_path}.")
    

    for certificate in cert_authorities:
        builder = VerifierBuilder()
        builder.add_root_certificate(certificate)

        verifier = builder.build()
        try:
            verifier.verify(timestamp_response, signature)
            return certificate
        except Rfc3161VerificationError as e:
            print(f"Unable to verify Timestamp with CA {certificate.subject}: {e}")
            continue
    
    return False

def sign_data(tsa_url: str, bytes_data: bytes) -> TimeStampResponse:
    # see https://github.com/sigstore/sigstore-python/blob/99948d5b80525a5a104e904ffea58169dc6e0629/sigstore/_internal/timestamp.py#L84-L121

    session = requests.Session()
    session.headers.update({
        "Content-Type": "application/timestamp-query",
        "User-Agent": f"My TSP Client",
        "Accept": "application/timestamp-reply",
    })

    timestamp_request = (
            TimestampRequestBuilder().data(bytes_data).nonce(nonce=True).build()
        )
    try:
        response = session.post(tsa_url, data=timestamp_request.as_bytes(), timeout=10)
        response.raise_for_status()
    except requests.RequestException as e:
        raise

    # Check that we can parse the response but do not *verify* it
    try:
        timestamp_response = decode_timestamp_response(response.content)
    except ValueError as e:
        raise
    return timestamp_response


if __name__ == "__main__":
    message = b"my message"
    timestamp_response = sign_data(tsa_url="http://timestamp.identrust.com", bytes_data=message)
    verify_signed(timestamp_response, message)

[woodruffw]

So right now I'm using the root from certifi.where() which is this: certifi/python-certifi@master/certifi/cacert.pem

I think that won't work: certifi provides a trust root for the Web PKI, but the TSA ecosystem is a completely different PKI with no (or very few) common roots.

Since you're timestamping against IdenTrust, you probably need to use their CAs explicitly. They seem to be listed here: https://www.identrust.com/support/downloads (search for "Timestamp" to see all of them, including roots and intermediates).

(To my knowledge, there's unfortunately no "standard" trust root for timestamping, since it's a much smaller and more fragmented ecosystem than the Web PKI.)

[pjrobertson]

So I'm looking into this further, and the certs returned by the TSA do seem to have a valid trust chain back to a root cert. Here's the chain for the Identrust server - the 'IdenTrust Commercial Root CA 1' Root Cert is a built-in system cert/part of certifi. Here they are:

So on closer inspection, the failure is because the leaf cert does not have the the 'critical' key set on it for oid 2.5.29.37. That means verify.py:222 fails with The certificate does not contain the critical EKU extension see code.

Here's what the extension looks like: <Extension(oid=<ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>, critical=False, value=<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.8, name=timeStamping)>])>)>

I think it should be possible to verify against the certificates even if critical=False, because there are cases where certs are used for other purposes. The explanation of oid 2.5.29.37 seems to say this is ok.

Would it be possible to alter the code allow you to pass a critical_only flag to builder.verify() to enable or disable critical checking?

Here's that intermediate cert as a reference:

[woodruffw]

Sorry for the delay here @pjrobertson. Looks like you're right about the CA chaining -- I'm surprised the Web CA and TSA share a common root here (more precisely, I'm surprised CABF allows this!), but that does indeed make this a non-trust-root issue.

If I'm following this right, this is indeed a bug on our side, but not exactly the thing you've changed in #119 -- we currently check that all "leaf" certs contain a critical EKU, but this is what RFC 3161 says:

2.3. Identification of the TSA

The TSA MUST sign each time-stamp message with a key reserved
specifically for that purpose. A TSA MAY have distinct private keys,
e.g., to accommodate different policies, different algorithms,
different private key sizes or to increase the performance. The
corresponding certificate MUST contain only one instance of the
extended key usage field extension as defined in [RFC2459] Section
4.2.1.13 with KeyPurposeID having value:

id-kp-timeStamping. This extension MUST be critical.

Source: https://www.ietf.org/rfc/rfc3161.txt

In other words: we should enforce the critical EKU on the TSA cert, but not on TrustID Timestamping CA 3 or any other intermediate CA members of the response chain. If I'm looking at the TrustID chain correctly, this should be fine -- TrustID Timestamp Authority certificate does have a critical EKU, it's just the other chain members that don't (and this is fine).

(Separately, I noticed that there's another bug in our verification: we assert a critical EKU, but we don't actually check that the EKU contains id-kp-timeStamping. We should be doing that! CC @DarkaMaul)

TL;DR: This is indeed a bug, but we can't drop the critical EKU requirement on TSAs entirely since it's a hard requirement of RFC 3161. However, we can fix this in a way that should fix your particular use case 🙂