mirror of
https://bitbucket.org/jsuto/piler.git
synced 2024-12-24 19:20:12 +01:00
Updated timestamp algorithm to use sha256
Signed-off-by: Janos SUTO <sj@acts.hu>
This commit is contained in:
parent
42b650f4f1
commit
740855769f
@ -2,6 +2,10 @@
|
|||||||
- Introduced the raw: search label
|
- Introduced the raw: search label
|
||||||
- Added Italian translation. Credits: Stefano Gatto
|
- Added Italian translation. Credits: Stefano Gatto
|
||||||
- timestamp signing sorts by 'id' column
|
- timestamp signing sorts by 'id' column
|
||||||
|
- timestamp hash value defaults to sha256
|
||||||
|
|
||||||
|
Be sure to apply util/db-upgrade.sql
|
||||||
|
|
||||||
|
|
||||||
1.3.12:
|
1.3.12:
|
||||||
-------
|
-------
|
||||||
|
@ -463,7 +463,7 @@ create table if not exists `timestamp` (
|
|||||||
`id` bigint unsigned not null auto_increment,
|
`id` bigint unsigned not null auto_increment,
|
||||||
`start_id` bigint default 0,
|
`start_id` bigint default 0,
|
||||||
`stop_id` bigint default 0,
|
`stop_id` bigint default 0,
|
||||||
`hash_value` char(40),
|
`hash_value` varchar(128),
|
||||||
`count` int default 0,
|
`count` int default 0,
|
||||||
`response_time` bigint default 0,
|
`response_time` bigint default 0,
|
||||||
`response_string` blob not null,
|
`response_string` blob not null,
|
||||||
|
1
util/db-upgrade.sql
Normal file
1
util/db-upgrade.sql
Normal file
@ -0,0 +1 @@
|
|||||||
|
alter table timestamp change column hash_value hash_value varchar(128) default null;
|
@ -12,11 +12,13 @@ ini_set("session.save_path", "/tmp");
|
|||||||
$webuidir = "";
|
$webuidir = "";
|
||||||
$verbose = 0;
|
$verbose = 0;
|
||||||
$mode = "unit";
|
$mode = "unit";
|
||||||
|
$algo = "sha256";
|
||||||
|
|
||||||
$opts = 'h::v';
|
$opts = 'h::v';
|
||||||
$lopts = array(
|
$lopts = array(
|
||||||
'webui:',
|
'webui:',
|
||||||
'mode:',
|
'mode:',
|
||||||
|
'algo:',
|
||||||
'verbose'
|
'verbose'
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -37,6 +39,10 @@ if ( $options = getopt( $opts, $lopts ) )
|
|||||||
$mode = $options['mode'];
|
$mode = $options['mode'];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( isset($options['algo']) ) {
|
||||||
|
$algo = $options['algo'];
|
||||||
|
}
|
||||||
|
|
||||||
if ( isset($options['h']) )
|
if ( isset($options['h']) )
|
||||||
{
|
{
|
||||||
display_help();
|
display_help();
|
||||||
@ -66,6 +72,7 @@ Registry::set('db', $db);
|
|||||||
Registry::set('DB_DRIVER', DB_DRIVER);
|
Registry::set('DB_DRIVER', DB_DRIVER);
|
||||||
|
|
||||||
define('MODE', $mode);
|
define('MODE', $mode);
|
||||||
|
define('ALGO', $algo);
|
||||||
|
|
||||||
|
|
||||||
$data = get_hash_values();
|
$data = get_hash_values();
|
||||||
@ -143,7 +150,7 @@ function get_hash_values() {
|
|||||||
START_ID => $start_id,
|
START_ID => $start_id,
|
||||||
STOP_ID => $stop_id,
|
STOP_ID => $stop_id,
|
||||||
COUNT => $count,
|
COUNT => $count,
|
||||||
HASH_VALUE => sha1($s)
|
HASH_VALUE => hash(ALGO, $s)
|
||||||
];
|
];
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -371,7 +371,14 @@ class ModelSearchMessage extends Model {
|
|||||||
$s .= $q['digest'];
|
$s .= $q['digest'];
|
||||||
}
|
}
|
||||||
|
|
||||||
$computed_hash = sha1($s);
|
$len = strlen($query->row['hash_value']);
|
||||||
|
if($len == 64)
|
||||||
|
$algo='sha256';
|
||||||
|
elseif($len == 128)
|
||||||
|
$algo='sha512';
|
||||||
|
else
|
||||||
|
$algo='sha1';
|
||||||
|
$computed_hash = hash($algo, $s);
|
||||||
|
|
||||||
if(MEMCACHED_ENABLED) {
|
if(MEMCACHED_ENABLED) {
|
||||||
$memcache->add($cache_key, $computed_hash, 0, MEMCACHED_TTL);
|
$memcache->add($cache_key, $computed_hash, 0, MEMCACHED_TTL);
|
||||||
|
@ -15,6 +15,11 @@
|
|||||||
* http://www.slproweb.com/products/Win32OpenSSL.html
|
* http://www.slproweb.com/products/Win32OpenSSL.html
|
||||||
* http://www.switch.ch/aai/support/howto/openssl-windows.html
|
* http://www.switch.ch/aai/support/howto/openssl-windows.html
|
||||||
*
|
*
|
||||||
|
* 2021-10-26 Frank Schmirler:
|
||||||
|
* - extract certificate chain from TSResponse and feed into ts -verify as -untrusted
|
||||||
|
* - unlink temporary files
|
||||||
|
* - support for sha256 and sha512 hashes
|
||||||
|
*
|
||||||
* @version 0.3
|
* @version 0.3
|
||||||
* @author David Müller
|
* @author David Müller
|
||||||
* @package trustedtimestamps
|
* @package trustedtimestamps
|
||||||
@ -25,16 +30,22 @@ class TrustedTimestamps
|
|||||||
/**
|
/**
|
||||||
* Creates a Timestamp Requestfile from a hash
|
* Creates a Timestamp Requestfile from a hash
|
||||||
*
|
*
|
||||||
* @param string $hash: The hashed data (sha1)
|
* @param string $hash: The hashed data (sha1, sha256 or sha512)
|
||||||
* @return string: path of the created timestamp-requestfile
|
* @return string: path of the created timestamp-requestfile
|
||||||
*/
|
*/
|
||||||
public static function createRequestfile ($hash)
|
public static function createRequestfile ($hash)
|
||||||
{
|
{
|
||||||
if (strlen($hash) !== 40)
|
if (strlen($hash) === 40)
|
||||||
|
$digest="-sha1";
|
||||||
|
elseif (strlen($hash) === 64)
|
||||||
|
$digest="-sha256";
|
||||||
|
elseif (strlen($hash) === 128)
|
||||||
|
$digest="-sha512";
|
||||||
|
else
|
||||||
throw new Exception("Invalid Hash.");
|
throw new Exception("Invalid Hash.");
|
||||||
|
|
||||||
$outfilepath = self::createTempFile();
|
$outfilepath = self::createTempFile();
|
||||||
$cmd = OPENSSL_BINARY . " ts -query -digest ".escapeshellarg($hash)." -cert -out ".escapeshellarg($outfilepath);
|
$cmd = OPENSSL_BINARY . " ts -query $digest -digest ".escapeshellarg($hash)." -cert -out ".escapeshellarg($outfilepath);
|
||||||
|
|
||||||
$retarray = array();
|
$retarray = array();
|
||||||
exec($cmd." 2>&1", $retarray, $retcode);
|
exec($cmd." 2>&1", $retarray, $retcode);
|
||||||
@ -106,6 +117,8 @@ class TrustedTimestamps
|
|||||||
$retarray = array();
|
$retarray = array();
|
||||||
exec($cmd." 2>&1", $retarray, $retcode);
|
exec($cmd." 2>&1", $retarray, $retcode);
|
||||||
|
|
||||||
|
unlink($responsefile);
|
||||||
|
|
||||||
if ($retcode !== 0)
|
if ($retcode !== 0)
|
||||||
throw new Exception("The reply failed: ".implode(", ", $retarray));
|
throw new Exception("The reply failed: ".implode(", ", $retarray));
|
||||||
|
|
||||||
@ -144,7 +157,7 @@ class TrustedTimestamps
|
|||||||
*/
|
*/
|
||||||
public static function validate ($hash, $base64_response_string, $response_time, $tsa_cert_file)
|
public static function validate ($hash, $base64_response_string, $response_time, $tsa_cert_file)
|
||||||
{
|
{
|
||||||
if (strlen($hash) !== 40)
|
if (strlen($hash) !== 40 && strlen($hash) !== 64 && strlen($hash) !== 128)
|
||||||
throw new Exception("Invalid Hash");
|
throw new Exception("Invalid Hash");
|
||||||
|
|
||||||
$binary_response_string = base64_decode($base64_response_string);
|
$binary_response_string = base64_decode($base64_response_string);
|
||||||
@ -160,11 +173,22 @@ class TrustedTimestamps
|
|||||||
|
|
||||||
$responsefile = self::createTempFile($binary_response_string);
|
$responsefile = self::createTempFile($binary_response_string);
|
||||||
|
|
||||||
$cmd = OPENSSL_BINARY . " ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file);
|
/*
|
||||||
|
* extract chain from response
|
||||||
|
* openssl ts -verify does not include them for verification despite of the man page stating otherwise
|
||||||
|
*/
|
||||||
|
$untrustedfile = self::createTempFile();
|
||||||
|
$cmd = OPENSSL_BINARY . " ts -reply -in ".escapeshellarg($responsefile)." -token_out | " . OPENSSL_BINARY . " pkcs7 -inform DER -print_certs -out ".escapeshellarg($untrustedfile);
|
||||||
|
shell_exec($cmd);
|
||||||
|
|
||||||
|
$cmd = OPENSSL_BINARY . " ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file)." -untrusted ".escapeshellarg($untrustedfile);
|
||||||
|
|
||||||
$retarray = array();
|
$retarray = array();
|
||||||
exec($cmd." 2>&1", $retarray, $retcode);
|
exec($cmd." 2>&1", $retarray, $retcode);
|
||||||
|
|
||||||
|
unlink($untrustedfile);
|
||||||
|
unlink($responsefile);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* just 2 "normal" cases:
|
* just 2 "normal" cases:
|
||||||
* 1) Everything okay -> retcode 0 + retarray[0] == "Verification: OK"
|
* 1) Everything okay -> retcode 0 + retarray[0] == "Verification: OK"
|
||||||
|
Loading…
Reference in New Issue
Block a user