mirror of
https://bitbucket.org/jsuto/piler.git
synced 2024-12-24 18:50:12 +01:00
Updated timestamp algorithm to use sha256
Signed-off-by: Janos SUTO <sj@acts.hu>
This commit is contained in:
parent
42b650f4f1
commit
740855769f
@ -2,6 +2,10 @@
|
||||
- Introduced the raw: search label
|
||||
- Added Italian translation. Credits: Stefano Gatto
|
||||
- timestamp signing sorts by 'id' column
|
||||
- timestamp hash value defaults to sha256
|
||||
|
||||
Be sure to apply util/db-upgrade.sql
|
||||
|
||||
|
||||
1.3.12:
|
||||
-------
|
||||
|
@ -463,7 +463,7 @@ create table if not exists `timestamp` (
|
||||
`id` bigint unsigned not null auto_increment,
|
||||
`start_id` bigint default 0,
|
||||
`stop_id` bigint default 0,
|
||||
`hash_value` char(40),
|
||||
`hash_value` varchar(128),
|
||||
`count` int default 0,
|
||||
`response_time` bigint default 0,
|
||||
`response_string` blob not null,
|
||||
|
1
util/db-upgrade.sql
Normal file
1
util/db-upgrade.sql
Normal file
@ -0,0 +1 @@
|
||||
alter table timestamp change column hash_value hash_value varchar(128) default null;
|
@ -12,11 +12,13 @@ ini_set("session.save_path", "/tmp");
|
||||
$webuidir = "";
|
||||
$verbose = 0;
|
||||
$mode = "unit";
|
||||
$algo = "sha256";
|
||||
|
||||
$opts = 'h::v';
|
||||
$lopts = array(
|
||||
'webui:',
|
||||
'mode:',
|
||||
'algo:',
|
||||
'verbose'
|
||||
);
|
||||
|
||||
@ -37,6 +39,10 @@ if ( $options = getopt( $opts, $lopts ) )
|
||||
$mode = $options['mode'];
|
||||
}
|
||||
|
||||
if ( isset($options['algo']) ) {
|
||||
$algo = $options['algo'];
|
||||
}
|
||||
|
||||
if ( isset($options['h']) )
|
||||
{
|
||||
display_help();
|
||||
@ -66,6 +72,7 @@ Registry::set('db', $db);
|
||||
Registry::set('DB_DRIVER', DB_DRIVER);
|
||||
|
||||
define('MODE', $mode);
|
||||
define('ALGO', $algo);
|
||||
|
||||
|
||||
$data = get_hash_values();
|
||||
@ -143,7 +150,7 @@ function get_hash_values() {
|
||||
START_ID => $start_id,
|
||||
STOP_ID => $stop_id,
|
||||
COUNT => $count,
|
||||
HASH_VALUE => sha1($s)
|
||||
HASH_VALUE => hash(ALGO, $s)
|
||||
];
|
||||
|
||||
}
|
||||
|
@ -371,7 +371,14 @@ class ModelSearchMessage extends Model {
|
||||
$s .= $q['digest'];
|
||||
}
|
||||
|
||||
$computed_hash = sha1($s);
|
||||
$len = strlen($query->row['hash_value']);
|
||||
if($len == 64)
|
||||
$algo='sha256';
|
||||
elseif($len == 128)
|
||||
$algo='sha512';
|
||||
else
|
||||
$algo='sha1';
|
||||
$computed_hash = hash($algo, $s);
|
||||
|
||||
if(MEMCACHED_ENABLED) {
|
||||
$memcache->add($cache_key, $computed_hash, 0, MEMCACHED_TTL);
|
||||
|
@ -15,6 +15,11 @@
|
||||
* http://www.slproweb.com/products/Win32OpenSSL.html
|
||||
* http://www.switch.ch/aai/support/howto/openssl-windows.html
|
||||
*
|
||||
* 2021-10-26 Frank Schmirler:
|
||||
* - extract certificate chain from TSResponse and feed into ts -verify as -untrusted
|
||||
* - unlink temporary files
|
||||
* - support for sha256 and sha512 hashes
|
||||
*
|
||||
* @version 0.3
|
||||
* @author David Müller
|
||||
* @package trustedtimestamps
|
||||
@ -25,16 +30,22 @@ class TrustedTimestamps
|
||||
/**
|
||||
* Creates a Timestamp Requestfile from a hash
|
||||
*
|
||||
* @param string $hash: The hashed data (sha1)
|
||||
* @param string $hash: The hashed data (sha1, sha256 or sha512)
|
||||
* @return string: path of the created timestamp-requestfile
|
||||
*/
|
||||
public static function createRequestfile ($hash)
|
||||
{
|
||||
if (strlen($hash) !== 40)
|
||||
if (strlen($hash) === 40)
|
||||
$digest="-sha1";
|
||||
elseif (strlen($hash) === 64)
|
||||
$digest="-sha256";
|
||||
elseif (strlen($hash) === 128)
|
||||
$digest="-sha512";
|
||||
else
|
||||
throw new Exception("Invalid Hash.");
|
||||
|
||||
$outfilepath = self::createTempFile();
|
||||
$cmd = OPENSSL_BINARY . " ts -query -digest ".escapeshellarg($hash)." -cert -out ".escapeshellarg($outfilepath);
|
||||
$cmd = OPENSSL_BINARY . " ts -query $digest -digest ".escapeshellarg($hash)." -cert -out ".escapeshellarg($outfilepath);
|
||||
|
||||
$retarray = array();
|
||||
exec($cmd." 2>&1", $retarray, $retcode);
|
||||
@ -106,6 +117,8 @@ class TrustedTimestamps
|
||||
$retarray = array();
|
||||
exec($cmd." 2>&1", $retarray, $retcode);
|
||||
|
||||
unlink($responsefile);
|
||||
|
||||
if ($retcode !== 0)
|
||||
throw new Exception("The reply failed: ".implode(", ", $retarray));
|
||||
|
||||
@ -144,7 +157,7 @@ class TrustedTimestamps
|
||||
*/
|
||||
public static function validate ($hash, $base64_response_string, $response_time, $tsa_cert_file)
|
||||
{
|
||||
if (strlen($hash) !== 40)
|
||||
if (strlen($hash) !== 40 && strlen($hash) !== 64 && strlen($hash) !== 128)
|
||||
throw new Exception("Invalid Hash");
|
||||
|
||||
$binary_response_string = base64_decode($base64_response_string);
|
||||
@ -160,11 +173,22 @@ class TrustedTimestamps
|
||||
|
||||
$responsefile = self::createTempFile($binary_response_string);
|
||||
|
||||
$cmd = OPENSSL_BINARY . " ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file);
|
||||
/*
|
||||
* extract chain from response
|
||||
* openssl ts -verify does not include them for verification despite of the man page stating otherwise
|
||||
*/
|
||||
$untrustedfile = self::createTempFile();
|
||||
$cmd = OPENSSL_BINARY . " ts -reply -in ".escapeshellarg($responsefile)." -token_out | " . OPENSSL_BINARY . " pkcs7 -inform DER -print_certs -out ".escapeshellarg($untrustedfile);
|
||||
shell_exec($cmd);
|
||||
|
||||
$cmd = OPENSSL_BINARY . " ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file)." -untrusted ".escapeshellarg($untrustedfile);
|
||||
|
||||
$retarray = array();
|
||||
exec($cmd." 2>&1", $retarray, $retcode);
|
||||
|
||||
unlink($untrustedfile);
|
||||
unlink($responsefile);
|
||||
|
||||
/*
|
||||
* just 2 "normal" cases:
|
||||
* 1) Everything okay -> retcode 0 + retarray[0] == "Verification: OK"
|
||||
|
Loading…
Reference in New Issue
Block a user