
tsp-client's Introduction

tsp-client: An IETF Time-Stamp Protocol (TSP) (RFC 3161) client

tsp-client is a Python implementation of the RFC 3161 Time-Stamp Protocol (TSP).

TSP is used for point-in-time attestation and non-repudiation as part of various electronic signature and code signing schemes, including eIDAS XAdES (tsp-client is used by SignXML to implement XAdES).

Installation

pip install tsp-client

Synopsis

import hashlib

from tsp_client import TSPSigner, TSPVerifier

# Sign a message online by transmitting its digest to the timestamp authority
message = b"abc"
signer = TSPSigner()
signed = signer.sign(message)  # Returns raw bytes of the timestamp token; the signer verifies it before returning it

# Verify a presented timestamp token offline using the original message
verified = TSPVerifier().verify(signed, message=message)

# Or sign and verify using the message digest (digest algorithm may vary)
digest = hashlib.sha512(message).digest()

signed = signer.sign(message_digest=digest)
verified = TSPVerifier().verify(signed, message_digest=digest)

print(verified.tst_info)  # Parsed TSTInfo structure (the content encapsulated by the CMS SignedData)
print(verified.signed_attrs)  # Parsed signed attributes of the CMS SignerInfo
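What signer.sign() transmits to the TSA is an RFC 3161 TimeStampReq carrying the message imprint (digest algorithm plus digest), a random nonce and a certReq flag. The following is an added example, not tsp-client code: it hand-encodes that request in pure Python DER so the wire format is visible, and it also illustrates why the nonce matters for the plaintext-HTTP transport discussed under "Specifying a custom TSA" below (the TSA must echo the nonce in TSTInfo, which ties the token to this request and defeats replay of a stale token). The OIDs are the standard NIST SHA-2 arcs; everything else is this example's own helper code.

```python
"""Hand-encode an RFC 3161 TimeStampReq (added example, not tsp-client code)."""
import hashlib
import secrets
from typing import Optional

# Digest algorithm OIDs from the NIST SHA-2 arc 2.16.840.1.101.3.4.2.x
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
OID_SHA512 = "2.16.840.1.101.3.4.2.3"
DIGEST_LEN = {OID_SHA256: 32, OID_SHA512: 64}


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x80 | count, then big-endian length) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs share one octet, the rest are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_uint(n: int) -> bytes:
    """Non-negative INTEGER; sizing by bit_length()+8 adds a leading 0x00 whenever the high bit would be set."""
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_timestamp_request(message_digest: bytes, hash_oid: str,
                            nonce: Optional[int] = None, cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version INTEGER (1), messageImprint MessageImprint,
                                   nonce INTEGER OPTIONAL, certReq BOOLEAN DEFAULT FALSE }"""
    if len(message_digest) != DIGEST_LEN[hash_oid]:
        raise ValueError("digest length does not match the declared hash algorithm")
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }
    algorithm_id = der_tlv(0x30, der_oid(hash_oid) + b"\x05\x00")
    # MessageImprint ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, hashedMessage OCTET STRING }
    message_imprint = der_tlv(0x30, algorithm_id + der_tlv(0x04, message_digest))
    body = der_uint(1) + message_imprint
    if nonce is not None:
        body += der_uint(nonce)
    if cert_req:  # DER omits DEFAULT values, so certReq FALSE is simply absent
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body)


def new_nonce() -> int:
    # 64 random bits; the verifier must insist the token's TSTInfo.nonce equals this value
    return secrets.randbits(64)


if __name__ == "__main__":
    digest = hashlib.sha256(b"abc").digest()  # constructed sample message
    req = build_timestamp_request(digest, OID_SHA256, nonce=new_nonce())
    print(req.hex())  # POST this body as application/timestamp-query to the TSA URL
```

The response is a TimeStampResp whose status must be granted (0) or grantedWithMods (1) before the enclosed CMS SignedData is parsed; the verifier then recomputes the imprint, compares the nonce, and chains the signing certificate to the trust store, which is the work tsp-client's TSPVerifier does.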

Specifying a custom TSA

To provide a timestamped signature with non-repudiation verifiable via a chain of trust, TSP requires a TSA (time-stamp authority) server when generating timestamp tokens. TSA servers can be thought of as digital notaries. Verification of tokens can be done offline using your system's certificate authority (CA) trust store: the certificate that signed the token must chain to a root in that store.

By default, tsp-client uses the DigiCert TSA server when generating tokens. To use a different TSA, set the SigningSettings.tsp_server attribute and pass the settings to sign():

from tsp_client import TSPSigner, TSPVerifier, SigningSettings

message = b"abc"
signing_settings = SigningSettings(tsp_server="http://timestamp.identrust.com")
signer = TSPSigner()
signed = signer.sign(message, signing_settings=signing_settings)

There is currently no credible public TSA that offers HTTPS transport security and does not apply throttling. DigiCert provides a relatively high-throughput public TSA endpoint, but your message digests and tokens will be transmitted unencrypted over the network. As an alternative, Sectigo offers an HTTPS TSA (https://timestamp.sectigo.com) but applies throttling, so it is only suitable for low-throughput applications.

Plaintext transport does not weaken the token itself: the TSA signs it, and tsp-client checks the signature, the signing certificate's chain to your trust store, the message imprint and the nonce it sent before returning the bytes, so a tampered or replayed response is rejected. What HTTP does expose is metadata: anyone on the path learns which digests you timestamp and when, and can later link them to files you publish. Also note that any TSA whose certificate chains to your CA store is accepted by the verifier, so the contents of that store, not the tsp_server setting, decide which authorities you trust.

The European Union maintains a list of trusted TSAs as part of the eIDAS dashboard; however, this list only serves as a root of trust and does not link directly to the TSA endpoints of the listed providers.

Authors

  • Andrey Kislyuk

Bugs

Please report bugs, issues, feature requests, etc. on GitHub.

License

Copyright 2022-2023, Andrey Kislyuk and tsp-client contributors. Licensed under the terms of the Apache License, Version 2.0. Distribution of the LICENSE and NOTICE files with source copies of this package and derivative works is REQUIRED as specified by the Apache License.

tsp-client's People

Contributors

  • kislyuk
  • mcallistersean

Forkers

  • mcallistersean

tsp-client's Issues

Feature request: allow to pass digest instead of message

tsp-client takes a message and hashes it. This is inefficient for large files because they have to be held in memory. Python 3.11 added helper functions for efficient hashing of files: https://docs.python.org/3/library/hashlib.html#file-hashing. It would be nice if we were able to use them.

I propose to extend the interface of TSPSigner.sign() so that it takes either a message or a digest. That would allow users to pass a digest without breaking backwards compatibility.
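The README's synopsis shows the message_digest parameter this request asked for. The following is an added example, not code from the issue or from tsp-client: it streams a large file's digest without holding the file in memory (hashlib.file_digest on Python 3.11+, chunked reads otherwise) and then hands only the digest to TSPSigner.sign() and TSPVerifier.verify(). It assumes tsp-client's default digest algorithm is SHA-512, as the README's own digest example implies; the timestamp_file and verify_file_token helpers are this example's names and make network calls, so the self-test below exercises only the hashing.

```python
"""Digest a large file in a stream and timestamp only the digest (added example, not tsp-client code)."""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha512", chunk_size=1 << 20, force_fallback=False):
    """Hash a file without reading it into memory.

    hashlib.file_digest (Python 3.11+) does the buffered loop in C; the fallback
    reads fixed-size chunks so memory use stays at chunk_size regardless of file size.
    """
    with open(path, "rb") as fh:
        if hasattr(hashlib, "file_digest") and not force_fallback:
            return hashlib.file_digest(fh, algorithm).digest()
        h = hashlib.new(algorithm)
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
        return h.digest()


def timestamp_file(path):
    """Obtain an RFC 3161 token for a file by sending the TSA only its SHA-512 digest (network call).
    Assumes tsp-client's default digest algorithm is SHA-512, matching the README example."""
    from tsp_client import TSPSigner  # imported lazily so the hashing helper works without the package
    return TSPSigner().sign(message_digest=file_digest(path, "sha512"))


def verify_file_token(path, token):
    """Re-hash the file and verify a stored token offline against the digest (no network)."""
    from tsp_client import TSPVerifier
    return TSPVerifier().verify(token, message_digest=file_digest(path, "sha512"))


def demo():
    """Constructed sample: a 5 MiB file; returns the in-memory, fast-path and fallback digests."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "blob.bin"
        p.write_bytes(b"\x5a" * (5 * 1024 * 1024))
        in_memory = hashlib.sha512(p.read_bytes()).digest()
        return in_memory, file_digest(p), file_digest(p, force_fallback=True)


if __name__ == "__main__":
    full, fast, fallback = demo()
    print(full.hex(), full == fast == fallback)
```

Because the TSA only ever sees the digest, the same token verifies later against a re-hash of the file, so the token can be stored beside the artifact and checked on a machine that never contacts the TSA.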

test/test.py fails trying to verify

Running test.py fails with this output.

This is in a Linux Mint 20 system with python 3.8.

EE

ERROR: test_basic_tsp_client_operations (__main__.TestTSPClient)

Traceback (most recent call last):
  File "./test.py", line 36, in test_basic_tsp_client_operations
    signed = self.signer.sign(message)
  File "/lvm1/home/sl/work/work23/tsr/tsp-client/tsp_client/signer.py", line 65, in sign
    verify_result = self._verifier.verify(tst, nonce=nonce, message_digest=digest)
  File "/lvm1/home/sl/work/work23/tsr/tsp-client/tsp_client/verifier.py", line 173, in verify
    signing_cert = self._extract_signing_cert(signer_info, certificates=certificates)
  File "/lvm1/home/sl/work/work23/tsr/tsp-client/tsp_client/verifier.py", line 123, in _extract_signing_cert
    store = self._get_ca_store()
  File "/lvm1/home/sl/work/work23/tsr/tsp-client/tsp_client/verifier.py", line 98, in _get_ca_store
    store.load_locations(cafile=ca_pem_file, capath=ca_path)  # type: ignore
AttributeError: 'X509Store' object has no attribute 'load_locations'

======================================================================
ERROR: test_set_custom_tsa (__main__.TestTSPClient)

Traceback (most recent call last):
  File "./test.py", line 60, in test_set_custom_tsa
    signed = self.signer.sign(message, signing_settings=signing_settings)
  File "/lvm1/home/sl/work/work23/tsr/tsp-client/tsp_client/signer.py", line 65, in sign
    verify_result = self._verifier.verify(tst, nonce=nonce, message_digest=digest)
  File "/lvm1/home/sl/work/work23/tsr/tsp-client/tsp_client/verifier.py", line 173, in verify
    signing_cert = self._extract_signing_cert(signer_info, certificates=certificates)
  File "/lvm1/home/sl/work/work23/tsr/tsp-client/tsp_client/verifier.py", line 123, in _extract_signing_cert
    store = self._get_ca_store()
  File "/lvm1/home/sl/work/work23/tsr/tsp-client/tsp_client/verifier.py", line 98, in _get_ca_store
    store.load_locations(cafile=ca_pem_file, capath=ca_path)  # type: ignore
AttributeError: 'X509Store' object has no attribute 'load_locations'

----------------------------------------------------------------------
Ran 2 tests in 0.296s

FAILED (errors=2)
