验证RFC 3161可信时间戳

Question

在我的构建过程中,我想要包含符合RFC-3161标准的TSA的时间戳.在运行时,代码将验证此时间戳​​,最好不需要第三方库的帮助.(这是一个.NET应用程序,所以我可以随时使用标准的哈希和非对称加密功能.)

RFC 3161依赖于ASN.1和X.690以及诸如此类的东西,实现起来并不简单,所以至少现在,我正在使用Bouncy Castle来生成TimeStampReq(请求)并解析TimeStampResp(响应).我只是无法弄清楚如何验证响应.

到目前为止,我已经弄清楚如何提取签名本身,公共证书,创建时间戳的时间,以及我发送的消息imprint摘要和nonce(用于构建时验证).我无法弄清楚的是如何将这些数据放在一起以生成散列和签名的数据.

这是我正在做什么以及我想做什么的粗略概念.这是测试代码,所以我采取了一些快捷方式.一旦我得到了有效的东西,我将不得不清理一些事情并以正确的方式完成它们.

构建时生成时间戳:

// a lot of fully-qualified type names here to make sure it's clear what I'm using

static void WriteTimestampToBuild(){
    var dataToTimestamp = Encoding.UTF8.GetBytes("The rain in Spain falls mainly on the plain");
    var hashToTimestamp = new System.Security.Cryptography.SHA1Cng().ComputeHash(dataToTimestamp);
    var nonce = GetRandomNonce();
    var tsr = GetTimestamp(hashToTimestamp, nonce, "http://some.rfc3161-compliant.server");

    var tst = tsr.TimeStampToken;
    var tsi = tst.TimeStampInfo;

    ValidateNonceAndHash(tsi, hashToTimestamp, nonce);

    var cms = tst.ToCmsSignedData();

    var signer =
        cms.GetSignerInfos().GetSigners()
        .Cast<Org.BouncyCastle.Cms.SignerInformation>().First();
        // TODO: handle multiple signers?

    var signature = signer.GetSignature();

    var cert =
        tst.GetCertificates("Collection").GetMatches(signer.SignerID)
        .Cast<Org.BouncyCastle.X509.X509Certificate>().First();
        // TODO: handle multiple certs (for one or multiple signers)?

    ValidateCert(cert);

    var timeString = tsi.TstInfo.GenTime.TimeString;
    var time = tsi.GenTime; // not sure which is more useful
    // TODO: Do I care about tsi.TstInfo.Accuracy or tsi.GenTimeAccuracy?

    var serialNumber = tsi.SerialNumber.ToByteArray(); // do I care?

    WriteToBuild(cert.GetEncoded(), signature, timeString/*or time*/, serialNumber);
    // TODO: Do I need to store any more values?
}

static Org.BouncyCastle.Math.BigInteger GetRandomNonce(){
    var rng = System.Security.Cryptography.RandomNumberGenerator.Create();
    var bytes = new byte[10]; // TODO: make it a random length within a range
    rng.GetBytes(bytes);
    return new Org.BouncyCastle.Math.BigInteger(bytes);
}

static Org.BouncyCastle.Tsp.TimeStampResponse GetTimestamp(byte[] hash, Org.BouncyCastle.Math.BigInteger nonce, string url){
    var reqgen = new Org.BouncyCastle.Tsp.TimeStampRequestGenerator();
    reqgen.SetCertReq(true);
    var tsrequest = reqgen.Generate(Org.BouncyCastle.Tsp.TspAlgorithms.Sha1, hash, nonce);
    var data = tsrequest.GetEncoded();

    var webreq = WebRequest.CreateHttp(url);
    webreq.Method = "POST";
    webreq.ContentType = "application/timestamp-query";
    webreq.ContentLength = data.Length;
    using(var reqStream = webreq.GetRequestStream())
        reqStream.Write(data, 0, data.Length);
    using(var respStream = webreq.GetResponse().GetResponseStream())
        return new Org.BouncyCastle.Tsp.TimeStampResponse(respStream);
}

static void ValidateNonceAndHash(Org.BouncyCastle.Tsp.TimeStampTokenInfo tsi, byte[] hashToTimestamp, Org.BouncyCastle.Math.BigInteger nonce){
    if(tsi.Nonce != nonce)
        throw new Exception("Nonce doesn't match.  Man-in-the-middle attack?");

    var messageImprintDigest = tsi.GetMessageImprintDigest();

    var hashMismatch =
        messageImprintDigest.Length != hashToTimestamp.Length ||
        Enumerable.Range(0, messageImprintDigest.Length).Any(i=>
            messageImprintDigest[i] != hashToTimestamp[i]
        );

    if(hashMismatch)
        throw new Exception("Message imprint doesn't match.  Man-in-the-middle attack?");
}

static void ValidateCert(Org.BouncyCastle.X509.X509Certificate cert){
    // not shown, but basic X509Chain validation; throw exception on failure
    // TODO: Validate certificate subject and policy
}

static void WriteToBuild(byte[] cert, byte[] signature, string time/*or DateTime time*/, byte[] serialNumber){
    // not shown
}

运行时的时间戳验证(客户端站点):

// a lot of fully-qualified type names here to make sure it's clear what I'm using

static void VerifyTimestamp(){
    var timestampedData = Encoding.UTF8.GetBytes("The rain in Spain falls mainly on the plain");
    var timestampedHash = new System.Security.Cryptography.SHA1Cng().ComputeHash(timestampedData);

    byte[] certContents;
    byte[] signature;
    string time; // or DateTime time
    byte[] serialNumber;

    GetDataStoredDuringBuild(out certContents, out signature, out time, out serialNumber);

    var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(certContents);

    ValidateCert(cert);

    var signedData = MagicallyCombineThisStuff(timestampedHash, time, serialNumber);
    // TODO: What other stuff do I need to magically combine?

    VerifySignature(signedData, signature, cert);

    // not shown: Use time from timestamp to validate cert for other signed data
}

static void GetDataStoredDuringBuild(out byte[] certContents, out byte[] signature, out string/*or DateTime*/ time, out byte[] serialNumber){
    // not shown
}

static void ValidateCert(System.Security.Cryptography.X509Certificates.X509Certificate2 cert){
    // not shown, but basic X509Chain validation; throw exception on failure
}

static byte[] MagicallyCombineThisStuff(byte[] timestampedhash, string/*or DateTime*/ time, byte[] serialNumber){
    // HELP!
}

static void VerifySignature(byte[] signedData, byte[] signature, System.Security.Cryptography.X509Certificates.X509Certificate2 cert){
    var key = (RSACryptoServiceProvider)cert.PublicKey.Key;
    // TODO: Handle DSA keys, too
    var okay = key.VerifyData(signedData, CryptoConfig.MapNameToOID("SHA1"), signature);
    // TODO: Make sure to use the same hash algorithm as the TSA
    if(!okay)
        throw new Exception("Timestamp doesn't match!  Don't trust this!");
}

正如你可能猜到的那样,我认为我被卡住了就是这个MagicallyCombineThisStuff功能.

Answer 1

我终于弄明白了.它应该不足为奇,但答案是令人作呕的复杂和间接的.

这个难题的缺失部分在RFC 5652中.在我阅读(嗯,浏览过)该文档之前,我并不真正了解TimeStampResp结构.

让我简要描述TimeStampReq和TimeStampResp结构.该请求的有趣领域是:

• "消息印记",它是要加时间戳的数据的哈希值
• 用于创建消息印记的哈希算法的OID
• 可选的"nonce",它是客户端选择的标识符,用于验证响应是否专门为此请求生成.这实际上只是一个盐,用于避免重放攻击和检测错误.

响应的内容是CMS SignedData结构.这个结构中的领域包括:

• 用于签署响应的证书
• 包含TSTInfo结构的EncapsulatedContentInfo成员.重要的是,这种结构包含:
  • 在请求中发送的消息印记
  • 请求中发送的nonce
  • TSA认证的时间
• 一组SignerInfo结构,通常只有一个结构.对于每个SignerInfo,结构中的有趣字段是:
  • 一系列"签名属性".该序列的DER编码BLOB是实际签名的.这些属性包括:
    • TSA认证的时间(再次)
    • TSTInfo结构的DER编码BLOB的散列
  • 发行者和序列号或主题密钥标识符,用于从SignedData结构中找到的证书集中标识签名者的证书
  • 签名本身

验证时间戳的基本过程如下:

• 读取带时间戳的数据,并使用时间戳请求中使用的相同散列算法重新计算消息印记.
• 读取时间戳请求中使用的随机数,该时间戳必须与时间戳一起存储以用于此目的.
• 读取并解析TimeStampResp结构.
• 验证TSTInfo结构是否包含正确的消息印记和随机数.
• 从TimeStampResp中,读取证书.
• 对于每个SignerInfo:
  • 找到该签名者的证书(应该只有一个).
  • 验证证书.
  • 使用该证书,验证签名者的签名.
  • 验证签名的属性是否包含TSTInfo结构的正确哈希

如果一切正常,那么我们知道所有签名的属性都是有效的,因为它们已经签名,并且由于这些属性包含TSTInfo结构的散列,那么我们也知道这也没关系.因此,我们验证了自TSA给出的时间以来,带时间戳的数据没有变化.

因为签名数据是DER编码的BLOB(其中包含不同的DER编码BLOB的散列,其中包含验证者实际关心的信息),所以在客户端(验证者)上无法理解X的某种库.690编码和ASN.1类型.因此,我承认在客户端以及构建过程中包括Bouncy Castle,因为我没有时间自己实施这些标准.

我添加和验证时间戳的代码类似于以下内容:

构建时生成时间戳:

// a lot of fully-qualified type names here to make sure it's clear what I'm using

static void WriteTimestampToBuild(){
    var dataToTimestamp = ... // see OP
    var hashToTimestamp = ... // see OP
    var nonce = ... // see OP
    var tsq = GetTimestampRequest(hashToTimestamp, nonce);
    var tsr = GetTimestampResponse(tsq, "http://some.rfc3161-compliant.server");

    ValidateTimestamp(tsq, tsr);
    WriteToBuild("tsq-hashalg", Encoding.UTF8.GetBytes("SHA1"));
    WriteToBuild("nonce", nonce.ToByteArray());
    WriteToBuild("timestamp", tsr.GetEncoded());
}

static Org.BouncyCastle.Tsp.TimeStampRequest GetTimestampRequest(byte[] hash, Org.BouncyCastle.Math.BigInteger nonce){
    var reqgen = new TimeStampRequestGenerator();
    reqgen.SetCertReq(true);
    return reqgen.Generate(TspAlgorithms.Sha1/*assumption*/, hash, nonce);
}
static void GetTimestampResponse(Org.BouncyCastle.Tsp.TimeStampRequest tsq, string url){
    // similar to OP
}

static void ValidateTimestamp(Org.BouncyCastle.Tsp.TimeStampRequest tsq, Org.BouncyCastle.Tsp.TimeStampResponse tsr){
    // same as client code, see below
}

static void WriteToBuild(string key, byte[] value){
    // not shown
}

运行时的时间戳验证(客户端站点):

/* Just like in the OP, I've used fully-qualified names here to avoid confusion.
 * In my real code, I'm not doing that, for readability's sake.
 */

static DateTime GetTimestamp(){
    var timestampedData = ReadFromBuild("timestamped-data");
    var hashAlg         = Encoding.UTF8.GetString(ReadFromBuild("tsq-hashalg"));
    var timestampedHash = System.Security.Cryptography.HashAlgorithm.Create(hashAlg).ComputeHash(timestampedData);
    var nonce           = new Org.BouncyCastle.Math.BigInteger(ReadFromBuild("nonce"));
    var tsq             = new Org.BouncyCastle.Tsp.TimeStampRequestGenerator().Generate(System.Security.Cryptography.CryptoConfig.MapNameToOID(hashAlg), timestampedHash, nonce);
    var tsr             = new Org.BouncyCastle.Tsp.TimeStampResponse(ReadFromBuild("timestamp"));

    ValidateTimestamp(tsq, tsr);

    // if we got here, the timestamp is okay, so we can trust the time it alleges
    return tsr.TimeStampToken.TimeStampInfo.GenTime;
}


static void ValidateTimestamp(Org.BouncyCastle.Tsp.TimeStampRequest tsq, Org.BouncyCastle.Tsp.TimeStampResponse tsr){
    /* This compares the nonce and message imprint and whatnot in the TSTInfo.
     * It throws an exception if they don't match.  This doesn't validate the
     * certs or signatures, though.  We still have to do that in order to trust
     * this data.
     */
    tsr.Validate(tsq);

    var tst       = tsr.TimeStampToken;
    var timestamp = tst.TimeStampInfo.GenTime;
    var signers   = tst.ToCmsSignedData().GetSignerInfos().GetSigners().Cast<Org.BouncyCastle.Cms.SignerInformation>();
    var certs     = tst.GetCertificates("Collection");
    foreach(var signer in signers){
        var signerCerts = certs.GetMatches(signer.SignerID).Cast<Org.BouncyCastle.X509.X509Certificate>().ToList();
        if(signerCerts.Count != 1)
            throw new Exception("Expected exactly one certificate for each signer in the timestamp");

        if(!signerCerts[0].IsValid(timestamp)){
            /* IsValid only checks whether the given time is within the certificate's
             * validity period.  It doesn't verify that it's a valid certificate or
             * that it hasn't been revoked.  It would probably be better to do that
             * kind of thing, just like I'm doing for the signing certificate itself.
             * What's more, I'm not sure it's a good idea to trust the timestamp given
             * by the TSA to verify the validity of the TSA's certificate.  If the
             * TSA's certificate is compromised, then an unauthorized third party could
             * generate a TimeStampResp with any timestamp they wanted.  But this is a
             * chicken-and-egg scenario that my brain is now too tired to keep thinking
             * about.
             */
            throw new Exception("The timestamp authority's certificate is expired or not yet valid.");
        }
        if(!signer.Verify(signerCerts[0])){ // might throw an exception, might not ... depends on what's wrong
            /* I'm pretty sure that signer.Verify verifies the signature and that the
             * signed attributes contains a hash of the TSTInfo.  It also does some
             * stuff that I didn't identify in my list above.
             * Some verification errors cause it to throw an exception, some just
             * cause it to return false.  If it throws an exception, that's great,
             * because that's what I'm counting on.  If it returns false, let's
             * throw an exception of our own.
             */
            throw new Exception("Invalid signature");
        }
    }
}

static byte[] ReadFromBuild(string key){
    // not shown
}