I am trying to get my content timestamped so I know when it was changed. First I used a shell script but I want to implement it in my python program. the shell script works fine for now but I can't get the python version to work for me.
This is the working shell version
openssl ts -query -data "$in_file" -sha1 -cert | curl -o "$out_file" -sSH 'Content-Type: application/timestamp-query' --data-binary @- "$ts_server"
openssl ts -verify -data "$in_file" -in "$out_file" -CAfile "/usr/lib/ssl/certs/Certum_Trusted_Network_CA.pem"
openssl ts -reply -in "$out_file" -text
cert = file('/usr/lib/ssl/certs/Certum_Trusted_Network_CA.pem').read()
rt = rfc3161.RemoteTimestamper('http://time.certum.pl/', certificate=cert)
data_to_sign = file('test_content').read()
>>> (False, 'Bad signature')
The problem lies in the library rfc3161 that I used. It seems like the author does not include check for TSA authority certificate so I had to make a change to the library.
The changed code is in
check_timestamp function. You have to change the code block for certificate loading with this one:
if certificate != "": try: certificate = X509.load_cert_der_string(encoder.encode(signed_data['certificates'])) except: raise AttributeError("missing certificate") else: try: certificate = X509.load_cert_string(certificate) except: certificate = X509.load_cert_der_string(certificate)
Now the verification is working as expected.