OpenSSL to request and verify time stamps


OpenSSL is an open-source tool that is popular with Internet software developers. It includes a command line tool that can be used to retrieve and verify DigiStamp timestamps.


You can download OpenSSL for Unix systems here. For Windows you will need to choose a pre-compiled version, which you can find using a search like this.

Details: OpenSSL is used by software developers and is officially distributed in C source code format. On Unix systems a C compiler is commonly available; in other cases it is more difficult to get OpenSSL running. If you are just using the command line portion of the tool, a pre-compiled version is likely adequate.


In summary, this is the command to verify an e-TimeStamp using OpenSSL:

openssl ts -verify -data "your original timestamped file" -in "timestamp.p7s" -token_in -CAfile com.digistamp.bundle.pem 

The response you should see from the OpenSSL command is "Verification: OK". In the example, the file "com.digistamp.bundle.pem" contains DigiStamp's Root CA certificates, which you download from here as part of the one-time installation of OpenSSL.

 

Below are more details and examples of using the OpenSSL libraries to request a standard RFC3161 time stamp from DigiStamp TSA servers.


If you are using PHP to retrieve timestamps then you could use the examples below or this API Toolkit.

  • Create a time stamp request 

The output is a time stamp request that contains the SHA-256 hash value of your data, ready to be sent to DigiStamp.

openssl ts -query -data "YOUR FILE" -cert -sha256 -no_nonce -out request.tsq

  • Transmit the request to DigiStamp 

The curl program transmits your request to the DigiStamp TSA servers.

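Example of sending a request to the test servers. This test URL uses plain HTTP, so the account name and password embedded in it travel unencrypted: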

cat request.tsq | curl -s -S -H 'Content-Type: application/timestamp-query' --data-binary @- http://ACCT:PASSWORD@tsatest.digistamp.com -o response.tsr

 

Example of sending a request to DigiStamp production servers using an SSL connection:

cat request.tsq | curl -s -S -H 'Content-Type: application/timestamp-query' --data-binary @- https://ACCT:PASSWORD@tsa.digistamp.com -o response.tsr

 

The timestamp returned to you should be approximately 2800 bytes. If an error occurred, the output file will contain information to help you debug. To debug, open the file response.tsr with a text editor; it will contain text and other data, for example "account not verified" if there was a password problem. If the token generation was successful, the response file consists of a response status (TimeStampResp) and the time stamp token itself (ContentInfo).

  • Retrieve root certificate 

The public key used to verify the digital signature is normally bundled in the timestamp file. The missing part is the "Root CA" certificate. We use the Root CA certificate to tell OpenSSL to trust timestamp certificates from DigiStamp. This download is commonly done just one time. 

 

Retrieve the DigiStamp CA certificates for the TEST environment here:

https://www.digistamp.com/pubkeys/com.digistamp.bundle.test.pem 

 

For Production:

https://www.digistamp.com/pubkeys/com.digistamp.bundle.pem  

 

More information about certificates and details about the DigiStamp public key repository here.

  • Verify the time stamp 

There are two versions of the verify function.

The first way to verify the timestamp is to recalculate the hash value of your file and then verify the time stamp. This confirms that the time stamp has a valid signature from DigiStamp and that your input file has not changed. The verification is done locally and independently on your machine; there is no need to access DigiStamp servers.

openssl ts -verify -in response.tsr -data "your original timestamped file" -CAfile com.digistamp.bundle.pem

The second method can be done immediately after receiving the response and does not require that your input data file be hashed again. Instead, the hash value is taken from the time stamp request that was created in step 1. The time stamp request is not normally saved after this step. Your original data and the timestamp (named "response.tsr" in the example) need to be saved.


openssl ts -verify -in response.tsr -queryfile request.tsq -CAfile com.digistamp.bundle.pem

The above examples are for the DigiStamp Production environment. For testing you would use: -CAfile com.digistamp.bundle.test.pem

 

To see the protected time, use this command and check the field labeled "Time Stamp".

openssl ts -reply -in response.tsr -text

or

openssl ts -reply -in "timestamp.p7s" -token_in -text
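
The request, transmit and verify steps above combined into one script, as an added example that is not DigiStamp's own code. It checks the response status before verifying, so an error body such as "account not verified" is caught early. The variables TSA_URL, TSA_USER and CA_BUNDLE and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not DigiStamp's code. Assumed variables (not from the page):
#   TSA_URL   e.g. https://tsa.digistamp.com
#   TSA_USER  "ACCT:PASSWORD"
#   CA_BUNDLE path to com.digistamp.bundle.pem

# Print the status text of a TimeStampResp ("Granted", "Rejected", ...).
# Fails when the file is not a DER response, e.g. an error text body.
ts_status() {
    s=$(openssl ts -reply -in "$1" -text 2>/dev/null |
        sed -n 's/^Status: \(.*\)\.$/\1/p')
    [ -n "$s" ] && printf '%s\n' "$s"
}

# Request, transmit and verify for file $1; writes $1.tsq and $1.tsr.
stamp_file() {
    f=$1
    openssl ts -query -data "$f" -cert -sha256 -no_nonce -out "$f.tsq" || return 1
    # Credentials are passed as a curl config on stdin, not in argv or the URL.
    printf 'user = "%s"\n' "$TSA_USER" |
        curl -s -S -K - -H 'Content-Type: application/timestamp-query' \
            --data-binary "@$f.tsq" -o "$f.tsr" "$TSA_URL" || return 1
    # Inspect the reply before trusting it: an HTTP error body is not a token.
    status=$(ts_status "$f.tsr") || {
        echo "not a timestamp response, inspect $f.tsr" >&2; return 2; }
    case $status in
        Granted*) ;;   # "Granted" or "Granted with modifications"
        *) echo "TSA status: $status" >&2; return 3 ;;
    esac
    # Verify against the saved request, then against the file itself.
    openssl ts -verify -in "$f.tsr" -queryfile "$f.tsq" -CAfile "$CA_BUNDLE" &&
        openssl ts -verify -in "$f.tsr" -data "$f" -CAfile "$CA_BUNDLE"
}

# Constructed sample: minimal DER TimeStampResp, status 2 (rejection), no token.
write_rejected_sample() {
    printf '\060\005\060\003\002\001\002' > "$1"
}
```

After sourcing the file, call stamp_file "YOUR FILE" with the three variables set; keep the original file and the .tsr output together.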

  • Additional notes 

We offer a free web-based viewing tool that will allow you to see the time in the timestamps.

 

To see our complete set of solutions click here. You can easily purchase some e-TimeStamps or contact us for a quote.