bashclub/piler
1
0
Fork 0
mirror of https://bitbucket.org/jsuto/piler.git synced 2024-11-08 01:41:59 +01:00
Code Issues Packages Projects Releases Wiki Activity

Updated timestamp algorithm to use sha256

Browse Source 
Signed-off-by: Janos SUTO <sj@acts.hu>
This commit is contained in:
Janos SUTO 2021-12-09 11:20:18 +01:00
parent 42b650f4f1
commit 740855769f
6 changed files with 51 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
RELEASE_NOTES
View File

@ -2,6 +2,10 @@
- Introduced the raw: search label - Introduced the raw: search label
- Added Italian translation. Credits: Stefano Gatto - Added Italian translation. Credits: Stefano Gatto
- timestamp signing sorts by 'id' column - timestamp signing sorts by 'id' column
- timestamp hash value defaults to sha256
Be sure to apply util/db-upgrade.sql
1.3.12: 1.3.12:
------- -------

2
util/db-mysql.sql
View File

@ -463,7 +463,7 @@ create table if not exists `timestamp` (
`id` bigint unsigned not null auto_increment, `id` bigint unsigned not null auto_increment,
`start_id` bigint default 0, `start_id` bigint default 0,
`stop_id` bigint default 0, `stop_id` bigint default 0,
`hash_value` char(40), `hash_value` varchar(128),
`count` int default 0, `count` int default 0,
`response_time` bigint default 0, `response_time` bigint default 0,
`response_string` blob not null, `response_string` blob not null,

1
util/db-upgrade.sql Normal file
View File

@ -0,0 +1 @@
alter table timestamp change column hash_value hash_value varchar(128) default null;

9
util/sign.php
View File

@ -12,11 +12,13 @@ ini_set("session.save_path", "/tmp");
$webuidir = ""; $webuidir = "";
$verbose = 0; $verbose = 0;
$mode = "unit"; $mode = "unit";
$algo = "sha256";
$opts = 'h::v'; $opts = 'h::v';
$lopts = array( $lopts = array(
'webui:', 'webui:',
'mode:', 'mode:',
'algo:',
'verbose' 'verbose'
); );
@ -37,6 +39,10 @@ if ( $options = getopt( $opts, $lopts ) )
$mode = $options['mode']; $mode = $options['mode'];
} }
if ( isset($options['algo']) ) {
$algo = $options['algo'];
}
if ( isset($options['h']) ) if ( isset($options['h']) )
{ {
display_help(); display_help();
@ -66,6 +72,7 @@ Registry::set('db', $db);
Registry::set('DB_DRIVER', DB_DRIVER); Registry::set('DB_DRIVER', DB_DRIVER);
define('MODE', $mode); define('MODE', $mode);
define('ALGO', $algo);
$data = get_hash_values(); $data = get_hash_values();
@ -143,7 +150,7 @@ function get_hash_values() {
START_ID => $start_id, START_ID => $start_id,
STOP_ID => $stop_id, STOP_ID => $stop_id,
COUNT => $count, COUNT => $count,
HASH_VALUE => sha1($s) HASH_VALUE => hash(ALGO, $s)
]; ];
} }

9
webui/model/search/message.php
View File

@ -371,7 +371,14 @@ class ModelSearchMessage extends Model {
$s .= $q['digest']; $s .= $q['digest'];
} }
$computed_hash = sha1($s); $len = strlen($query->row['hash_value']);
if($len == 64)
$algo='sha256';
elseif($len == 128)
$algo='sha512';
else
$algo='sha1';
$computed_hash = hash($algo, $s);
if(MEMCACHED_ENABLED) { if(MEMCACHED_ENABLED) {
$memcache->add($cache_key, $computed_hash, 0, MEMCACHED_TTL); $memcache->add($cache_key, $computed_hash, 0, MEMCACHED_TTL);

34
webui/system/helper/TrustedTimestamps.php
View File

@ -15,6 +15,11 @@
* http://www.slproweb.com/products/Win32OpenSSL.html * http://www.slproweb.com/products/Win32OpenSSL.html
* http://www.switch.ch/aai/support/howto/openssl-windows.html * http://www.switch.ch/aai/support/howto/openssl-windows.html
* *
* 2021-10-26 Frank Schmirler:
* - extract certificate chain from TSResponse and feed into ts -verify as -untrusted
* - unlink temporary files
* - support for sha256 and sha512 hashes
*
* @version 0.3 * @version 0.3
* @author David Müller * @author David Müller
* @package trustedtimestamps * @package trustedtimestamps
@ -25,16 +30,22 @@ class TrustedTimestamps
/** /**
* Creates a Timestamp Requestfile from a hash * Creates a Timestamp Requestfile from a hash
* *
* @param string $hash: The hashed data (sha1) * @param string $hash: The hashed data (sha1, sha256 or sha512)
* @return string: path of the created timestamp-requestfile * @return string: path of the created timestamp-requestfile
*/ */
public static function createRequestfile ($hash) public static function createRequestfile ($hash)
{ {
if (strlen($hash) !== 40) if (strlen($hash) === 40)
$digest="-sha1";
elseif (strlen($hash) === 64)
$digest="-sha256";
elseif (strlen($hash) === 128)
$digest="-sha512";
else
throw new Exception("Invalid Hash."); throw new Exception("Invalid Hash.");
$outfilepath = self::createTempFile(); $outfilepath = self::createTempFile();
$cmd = OPENSSL_BINARY . " ts -query -digest ".escapeshellarg($hash)." -cert -out ".escapeshellarg($outfilepath); $cmd = OPENSSL_BINARY . " ts -query $digest -digest ".escapeshellarg($hash)." -cert -out ".escapeshellarg($outfilepath);
$retarray = array(); $retarray = array();
exec($cmd." 2>&1", $retarray, $retcode); exec($cmd." 2>&1", $retarray, $retcode);
@ -106,6 +117,8 @@ class TrustedTimestamps
$retarray = array(); $retarray = array();
exec($cmd." 2>&1", $retarray, $retcode); exec($cmd." 2>&1", $retarray, $retcode);
unlink($responsefile);
if ($retcode !== 0) if ($retcode !== 0)
throw new Exception("The reply failed: ".implode(", ", $retarray)); throw new Exception("The reply failed: ".implode(", ", $retarray));
@ -144,7 +157,7 @@ class TrustedTimestamps
*/ */
public static function validate ($hash, $base64_response_string, $response_time, $tsa_cert_file) public static function validate ($hash, $base64_response_string, $response_time, $tsa_cert_file)
{ {
if (strlen($hash) !== 40) if (strlen($hash) !== 40 && strlen($hash) !== 64 && strlen($hash) !== 128)
throw new Exception("Invalid Hash"); throw new Exception("Invalid Hash");
$binary_response_string = base64_decode($base64_response_string); $binary_response_string = base64_decode($base64_response_string);
@ -160,11 +173,22 @@ class TrustedTimestamps
$responsefile = self::createTempFile($binary_response_string); $responsefile = self::createTempFile($binary_response_string);
$cmd = OPENSSL_BINARY . " ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file); /*
* extract chain from response
* openssl ts -verify does not include them for verification despite of the man page stating otherwise
*/
$untrustedfile = self::createTempFile();
$cmd = OPENSSL_BINARY . " ts -reply -in ".escapeshellarg($responsefile)." -token_out | " . OPENSSL_BINARY . " pkcs7 -inform DER -print_certs -out ".escapeshellarg($untrustedfile);
shell_exec($cmd);
$cmd = OPENSSL_BINARY . " ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file)." -untrusted ".escapeshellarg($untrustedfile);
$retarray = array(); $retarray = array();
exec($cmd." 2>&1", $retarray, $retcode); exec($cmd." 2>&1", $retarray, $retcode);
unlink($untrustedfile);
unlink($responsefile);
/* /*
* just 2 "normal" cases: * just 2 "normal" cases:
* 1) Everything okay -> retcode 0 + retarray[0] == "Verification: OK" * 1) Everything okay -> retcode 0 + retarray[0] == "Verification: OK"