TSA fixes

Signed-off-by: Janos SUTO <sj@acts.hu>
This commit is contained in:
Janos SUTO 2020-10-17 20:03:07 +02:00
parent 39fd0899b0
commit 4a131f3058
2 changed files with 55 additions and 48 deletions


@ -1,11 +1,11 @@
<?php <?php
define(COUNT, 'count'); define('COUNT', 'count');
define(HASH_VALUE, 'hash_value'); define('HASH_VALUE', 'hash_value');
define(RESPONSE_STRING, 'response_string'); define('RESPONSE_STRING', 'response_string');
define(RESPONSE_TIME, 'response_time'); define('RESPONSE_TIME', 'response_time');
define(START_ID, 'start_id'); define('START_ID', 'start_id');
define(STOP_ID, 'stop_id'); define('STOP_ID', 'stop_id');
ini_set("session.save_path", "/tmp"); ini_set("session.save_path", "/tmp");
@ -19,25 +19,25 @@ $lopts = array(
'mode:', 'mode:',
'verbose' 'verbose'
); );
if ( $options = getopt( $opts, $lopts ) ) if ( $options = getopt( $opts, $lopts ) )
{ {
if ( isset($options['webui']) ) if ( isset($options['webui']) )
{ {
$webuidir = $options['webui']; $webuidir = $options['webui'];
} else } else
{ {
echo "\nError: must provide path to WebUI directory\n\n"; echo "\nError: must provide path to WebUI directory\n\n";
display_help(); display_help();
exit; exit;
} }
if ( isset($options['mode']) && $options['mode'] == 'time') { if ( isset($options['mode']) && $options['mode'] == 'time') {
$mode = $options['mode']; $mode = $options['mode'];
} }
if ( isset($options['h']) ) if ( isset($options['h']) )
{ {
display_help(); display_help();
exit; exit;
@ -49,7 +49,7 @@ if ( $options = getopt( $opts, $lopts ) )
} }
} else { } else {
display_help(); display_help();
exit; exit;
} }
require_once($webuidir . "/config.php"); require_once($webuidir . "/config.php");
@ -136,12 +136,12 @@ function get_hash_values() {
if(MODE == 'time') { $stop_id = $start_id + $count - 1; } if(MODE == 'time') { $stop_id = $start_id + $count - 1; }
return array( return [
START_ID => $start_id, START_ID => $start_id,
STOP_ID => $stop_id, STOP_ID => $stop_id,
COUNT => $count, COUNT => $count,
HASH_VALUE => sha1($s) HASH_VALUE => sha1($s)
); ];
} }
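Review bot: In the option-parsing hunk, `$mode` is assigned only when `--mode` equals `'time'`; any other value passed to `--mode` is silently ignored and the script continues with whatever `$mode` held before (its default is outside this hunk), which hides typos in the argument. A rejecting branch would be clearer: `} elseif (isset($options['mode'])) { echo "\nError: unsupported mode\n\n"; display_help(); exit; }`, and the comparison should be strict, `$options['mode'] === 'time'`. As a point of style, the `return [...]` rewrite in `get_hash_values` leaves `$lopts = array(` in the same file on the old syntax; converting the remaining `array(` sites in one pass would keep the file consistent.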


@ -32,7 +32,7 @@ class TrustedTimestamps
{ {
if (strlen($hash) !== 40) if (strlen($hash) !== 40)
throw new Exception("Invalid Hash."); throw new Exception("Invalid Hash.");
$outfilepath = self::createTempFile(); $outfilepath = self::createTempFile();
$cmd = OPENSSL_BINARY . " ts -query -digest ".escapeshellarg($hash)." -cert -out ".escapeshellarg($outfilepath); $cmd = OPENSSL_BINARY . " ts -query -digest ".escapeshellarg($hash)." -cert -out ".escapeshellarg($outfilepath);
@ -41,7 +41,7 @@ class TrustedTimestamps
if ($retcode !== 0) if ($retcode !== 0)
throw new Exception("OpenSSL does not seem to be installed: ".implode(", ", $retarray)); throw new Exception("OpenSSL does not seem to be installed: ".implode(", ", $retarray));
if (count($retarray) > 0 && stripos($retarray[0], "openssl:Error") !== false) if (count($retarray) > 0 && stripos($retarray[0], "openssl:Error") !== false)
throw new Exception("There was an error with OpenSSL. Is version >= 0.99 installed?: ".implode(", ", $retarray)); throw new Exception("There was an error with OpenSSL. Is version >= 0.99 installed?: ".implode(", ", $retarray));
@ -72,14 +72,14 @@ class TrustedTimestamps
$binary_response_string = curl_exec($ch); $binary_response_string = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE); $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch); curl_close($ch);
if ($status != 200 || !strlen($binary_response_string)) if ($status != 200 || !strlen($binary_response_string))
throw new Exception("The request failed"); throw new Exception("The request failed");
$base64_response_string = base64_encode($binary_response_string); $base64_response_string = base64_encode($binary_response_string);
$response_time = self::getTimestampFromAnswer ($base64_response_string); $response_time = self::getTimestampFromAnswer ($base64_response_string);
return array("response_string" => $base64_response_string, return array("response_string" => $base64_response_string,
"response_time" => $response_time); "response_time" => $response_time);
} }
@ -97,13 +97,13 @@ class TrustedTimestamps
$responsefile = self::createTempFile($binary_response_string); $responsefile = self::createTempFile($binary_response_string);
$cmd = OPENSSL_BINARY . " ts -reply -in ".escapeshellarg($responsefile)." -text"; $cmd = OPENSSL_BINARY . " ts -reply -in ".escapeshellarg($responsefile)." -text";
$retarray = array(); $retarray = array();
exec($cmd." 2>&1", $retarray, $retcode); exec($cmd." 2>&1", $retarray, $retcode);
if ($retcode !== 0) if ($retcode !== 0)
throw new Exception("The reply failed: ".implode(", ", $retarray)); throw new Exception("The reply failed: ".implode(", ", $retarray));
$matches = array(); $matches = array();
$response_time = 0; $response_time = 0;
@ -119,13 +119,13 @@ class TrustedTimestamps
if (preg_match("~^Time\sstamp\:\s(.*)~", $retline, $matches)) if (preg_match("~^Time\sstamp\:\s(.*)~", $retline, $matches))
{ {
$response_time = strtotime($matches[1]); $response_time = strtotime($matches[1]);
break; break;
} }
} }
if (!$response_time) if (!$response_time)
throw new Exception("The Timestamp was not found"); throw new Exception("The Timestamp was not found");
return $response_time; return $response_time;
} }
@ -141,25 +141,25 @@ class TrustedTimestamps
{ {
if (strlen($hash) !== 40) if (strlen($hash) !== 40)
throw new Exception("Invalid Hash"); throw new Exception("Invalid Hash");
$binary_response_string = base64_decode($base64_response_string); $binary_response_string = base64_decode($base64_response_string);
if (!strlen($binary_response_string)) if (!strlen($binary_response_string))
throw new Exception("There was no response-string"); throw new Exception("There was no response-string");
if (!intval($response_time)) if (!intval($response_time))
throw new Exception("There is no valid response-time given"); throw new Exception("There is no valid response-time given");
if (!file_exists($tsa_cert_file)) if (!file_exists($tsa_cert_file))
throw new Exception("The TSA-Certificate could not be found"); throw new Exception("The TSA-Certificate could not be found");
$responsefile = self::createTempFile($binary_response_string); $responsefile = self::createTempFile($binary_response_string);
$cmd = OPENSSL_BINARY . " ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file); $cmd = OPENSSL_BINARY . " ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file);
$retarray = array(); $retarray = array();
exec($cmd." 2>&1", $retarray, $retcode); exec($cmd." 2>&1", $retarray, $retcode);
/* /*
* just 2 "normal" cases: * just 2 "normal" cases:
* 1) Everything okay -> retcode 0 + retarray[0] == "Verification: OK" * 1) Everything okay -> retcode 0 + retarray[0] == "Verification: OK"
@ -167,14 +167,23 @@ class TrustedTimestamps
* *
* every other case (Certificate not found / invalid / openssl is not installed / ts command not known) * every other case (Certificate not found / invalid / openssl is not installed / ts command not known)
* are being handled the same way -> retcode 1 + any retarray NOT containing "message imprint mismatch" * are being handled the same way -> retcode 1 + any retarray NOT containing "message imprint mismatch"
*
* For openssl 1.1.x it's 2 lines actually:
*
* Using configuration from /usr/lib/ssl/openssl.cnf
* Verification: OK
*
*/ */
if ($retcode === 0 && strtolower(trim($retarray[0])) == "verification: ok") if ($retcode === 0) {
{ foreach ($retarray as $line) {
if (self::getTimestampFromAnswer ($base64_response_string) != $response_time) if(strtolower(trim($line)) == "verification: ok") {
throw new Exception("The responsetime of the request was changed"); if (self::getTimestampFromAnswer ($base64_response_string) != $response_time)
throw new Exception("The responsetime of the request was changed");
return true;
return true;
}
}
} }
foreach ($retarray as $retline) foreach ($retarray as $retline)
@ -198,12 +207,10 @@ class TrustedTimestamps
if (!file_exists($tempfilename)) if (!file_exists($tempfilename))
throw new Exception("Tempfile could not be created"); throw new Exception("Tempfile could not be created");
if (!empty($str) && !file_put_contents($tempfilename, $str)) if (!empty($str) && !file_put_contents($tempfilename, $str))
throw new Exception("Could not write to tempfile"); throw new Exception("Could not write to tempfile");
return $tempfilename; return $tempfilename;
} }
} }
?>
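Review bot: The new `Verification: OK` loop compares the parsed answer time with `$response_time` using loose `!=`; the `intval($response_time)` guard earlier in the same method suggests `$response_time` may arrive as a string, so an explicit cast with strict comparison, `if (self::getTimestampFromAnswer($base64_response_string) !== (int) $response_time)`, states the intent and avoids PHP's string/number comparison rules. Scanning every output line for the OK verdict (to cope with the extra "Using configuration from ..." line the comment describes) is acceptable because it is gated on `$retcode === 0`, but a one-line comment such as `// exit code is authoritative; the text scan only locates the verdict line` would make that dependency explicit for the next reader. Minor style: `if(strtolower(...)` is missing the space after `if` that the surrounding code uses. The method continues past the hunk (the `foreach ($retarray as $retline)` that follows is outside it), so the fall-through behaviour when the exit code is 0 but no OK line is found could not be reviewed here.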