I have earlier covered the basics of trusted timestamping using the 'openssl ts' client. See blog post for 2014, 2016 and 2017 for those stories. But some times I want to integrate the timestamping in other code, and recently I needed to integrate it into Python. After searching a bit, I found the rfc3161 library which seemed like a good fit, but I soon discovered it only worked for python version 2, and I needed something that work with python version 3. Luckily I next came across the rfc3161ng library, a fork of the original rfc3161 library. Not only is it working with python 3, it have fixed a few of the bugs in the original library, and it has an active maintainer. I decided to wrap it up and make it available in Debian, and a few days ago it entered Debian unstable and testing.
Using the library is fairly straight forward. The only slightly problematic step is to fetch the required certificates to verify the timestamp. For some services it is straight forward, while for others I have not yet figured out how to do it. Here is a small standalone code example based on of the integration tests in the library code:
#!/usr/bin/python3
"""
Python 3 script demonstrating how to use the rfc3161ng module to
get trusted timestamps.
The license of this code is the same as the license of the rfc3161ng
library, ie MIT/BSD.
"""
import os
import pyasn1.codec.der
import rfc3161ng
import subprocess
import tempfile
import urllib.request
def store(f, data):
f.write(data)
f.flush()
f.seek(0)
def fetch(url, f=None):
response = urllib.request.urlopen(url)
data = response.read()
if f:
store(f, data)
return data
def main():
with tempfile.NamedTemporaryFile() as cert_f,\
tempfile.NamedTemporaryFile() as ca_f,\
tempfile.NamedTemporaryFile() as msg_f,\
tempfile.NamedTemporaryFile() as tsr_f:
# First fetch certificates used by service
certificate_data = fetch('https://freetsa.org/files/tsa.crt', cert_f)
ca_data_data = fetch('https://freetsa.org/files/cacert.pem', ca_f)
# Then timestamp the message
timestamper = \
rfc3161ng.RemoteTimestamper('http://freetsa.org/tsr',
certificate=certificate_data)
data = b"Python forever!\n"
tsr = timestamper(data=data, return_tsr=True)
# Finally, convert message and response to something 'openssl ts' can verify
store(msg_f, data)
store(tsr_f, pyasn1.codec.der.encoder.encode(tsr))
args = ["openssl", "ts", "-verify",
"-data", msg_f.name,
"-in", tsr_f.name,
"-CAfile", ca_f.name,
"-untrusted", cert_f.name]
subprocess.check_call(args)
if '__main__' == __name__:
main()
The code fetches the required certificates, store them as temporary files, timestamp a simple message, store the message and timestamp to disk and ask 'openssl ts' to verify the timestamp. A timestamp is around 1.5 kiB in size, and should be fairly easy to store for future use.
As usual, if you use Bitcoin and want to show your support of my activities, please send Bitcoin donations to my address 15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b.