
Commit 2e8168b

committed
Time-Stamp Protocol (RFC 3161)
Implementation in wolfCrypt. OpenSSL compatibility layer in wolfSSL. Added tests, certificates, examples.
1 parent 18c9684 commit 2e8168b

73 files changed

Lines changed: 18261 additions & 27 deletions


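--- a/.github/workflows/no-malloc.yml
+++ b/.github/workflows/no-malloc.yml
@@ -74,6 +74,14 @@ jobs:
 "--enable-curve448", "--enable-mlkem", "--enable-staticmemory",
 "CFLAGS=-DWOLFSSL_NO_MALLOC -pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"],
 "check": false,
+"run": [["./wolfcrypt/test/testwolfcrypt"]]},
+{"name": "tps-staticmemory", "minutes": 0.8,
+"configure": ["--enable-ecc", "--enable-rsa", "--enable-keygen",
+"--enable-ed25519", "--enable-curve25519", "--enable-ed448",
+"--enable-curve448", "--enable-mlkem", "--enable-tsp",
+"--enable-staticmemory",
+"CFLAGS=-DWOLFSSL_NO_MALLOC -pedantic -Wdeclaration-after-statement -Wnull-dereference -DTEST_LIBWOLFSSL_SOURCES_INCLUSION_SEQUENCE"],
+"check": false,
 "run": [["./wolfcrypt/test/testwolfcrypt"]]}
 ]
 EOF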
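Review bot: The new matrix entry is named `tps-staticmemory`, which looks like a transposition of `tsp`, the spelling used by `--enable-tsp` in the same entry. Renaming it to `{"name": "tsp-staticmemory", "minutes": 0.8,` keeps the job findable when someone filters CI results for the Time-Stamp Protocol builds. The surrounding job list starts outside the hunk.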

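--- a/.github/workflows/os-check.yml
+++ b/.github/workflows/os-check.yml
@@ -306,6 +306,37 @@ jobs:
 {"name": "pkcs7", "minutes": 1.3,
 "comment": "PKCS#7 without RSA-PSS",
 "configure": ["--enable-pkcs7"]},
+{"name": "tsp", "minutes": 1.3,
+"comment": "Time-Stamp Protocol",
+"configure": ["--enable-tsp"]},
+{"name": "tsp-openssl", "minutes": 1.3,
+"comment": "Time-Stamp Protocol with OpenSSL compat",
+"configure": ["--enable-tsp", "--enable-opensslall"]},
+{"name": "tsp-no-ecc", "minutes": 1.3,
+"comment": "Time-Stamp Protocol without ECC",
+"configure": ["--enable-tsp", "--disable-ecc"]},
+{"name": "tsp-no-rsa", "minutes": 1.3,
+"comment": "Time-Stamp Protocol without RSA",
+"configure": ["--enable-tsp", "--disable-rsa"]},
+{"name": "tsp-smallstack", "minutes": 1.3,
+"comment": "Time-Stamp Protocol Small Stack",
+"configure": ["--enable-tsp", "CPPFLAGS=-DWOLFSSL_SMALL_STACK"]},
+{"name": "tsp-min-hash-str", "minutes": 1.3,
+"comment": "Time-Stamp Protocol Minimum 128-bit hash strength",
+"configure": ["--enable-tsp",
+"CPPFLAGS=-DWC_TSP_MIN_HASH_STRENGTH_BITS=128"]},
+{"name": "tsp-requester", "minutes": 1.3,
+"comment": "Time-Stamp Protocol Requester",
+"configure": ["--enable-tsp", "--enable-opensslall",
+"CPPFLAGS=-DWOLFSSL_TSP_REQUESTER"]},
+{"name": "tsp-responder", "minutes": 1.3,
+"comment": "Time-Stamp Protocol Responder",
+"configure": ["--enable-tsp", "--enable-opensslall",
+"CPPFLAGS=-DWOLFSSL_TSP_RESPONDER"]},
+{"name": "tsp-verifier", "minutes": 1.3,
+"comment": "Time-Stamp Protocol Verifier",
+"configure": ["--enable-tsp", "--enable-opensslall",
+"CPPFLAGS=-DWOLFSSL_TSP_VERIFIER"]},
 {"name": "no-tls-cryptocb-aesgcm-setkey-free", "minutes": 1.3,
 "configure": ["--disable-tls", "--enable-cryptocb", "--enable-aesgcm",
 "CPPFLAGS=-DWOLF_CRYPTO_CB_AES_SETKEY -DWOLF_CRYPTO_CB_FREE"]},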
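Review bot: The `tsp-requester`, `tsp-responder` and `tsp-verifier` entries all pass `--enable-opensslall`, so the three role macros are only ever compiled together with the compatibility layer. If `WOLFSSL_TSP_REQUESTER`, `WOLFSSL_TSP_RESPONDER` and `WOLFSSL_TSP_VERIFIER` are also meant to work on a wolfCrypt-only build, one entry without it, for example `"configure": ["--enable-tsp", "CPPFLAGS=-DWOLFSSL_TSP_VERIFIER"]`, would catch a role-restricted configuration that no longer compiles. What the macros gate is not visible in this section, so this is a coverage question rather than a confirmed gap.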

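--- a/.gitignore
+++ b/.gitignore
@@ -72,6 +72,9 @@ examples/sctp/sctp-client-dtls
 examples/asn1/asn1
 examples/pem/pem
 examples/ocsp_responder/ocsp_responder
+examples/tsp/tsp_query
+examples/tsp/tsp_reply
+examples/tsp/tsp_verify
 server_ready
 snifftest
 output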

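--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2021,6 +2021,9 @@ endif()
 set(WOLFSSL_PKCS7_HELP_STRING "Enable PKCS7 (default: disabled)")
 add_option(WOLFSSL_PKCS7 ${WOLFSSL_PKCS7_HELP_STRING} "no" "yes;no")
 
+set(WOLFSSL_TSP_HELP_STRING "Enable RFC 3161 Time-Stamp Protocol (default: disabled)")
+add_option(WOLFSSL_TSP ${WOLFSSL_TSP_HELP_STRING} "no" "yes;no")
+
 set(WOLFSSL_TPM_HELP_STRING "Enable wolfTPM options (default: disabled)")
 add_option(WOLFSSL_TPM ${WOLFSSL_TPM_HELP_STRING} "no" "yes;no")
 
@@ -2412,6 +2415,12 @@ if(WOLFSSL_AESCFB)
 endif()
 
 
+if(WOLFSSL_TSP)
+list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_TSP")
+# Requires PKCS7 for time-stamp token creation and verification
+override_cache(WOLFSSL_PKCS7 "yes")
+endif()
+
 if(WOLFSSL_PKCS7)
 list(APPEND WOLFSSL_DEFINITIONS "-DHAVE_PKCS7")
 override_cache(WOLFSSL_AESKEYWRAP "yes")
@@ -2965,6 +2974,8 @@ if(WOLFSSL_EXAMPLES)
 tests/api/test_asn.c
 tests/api/test_pkcs7.c
 tests/api/test_pkcs12.c
+tests/api/test_tsp.c
+tests/api/test_ossl_tsp.c
 tests/api/test_pwdbased.c
 tests/api/test_ossl_asn1.c
 tests/api/test_ossl_bio.c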
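Review bot: In the second hunk, `override_cache(WOLFSSL_PKCS7 "yes")` switches PKCS7 on even when the user configured it off, and the `if(WOLFSSL_PKCS7)` block right after it goes on to force `WOLFSSL_AESKEYWRAP` (that block continues outside the hunk). Enabling `WOLFSSL_TSP` therefore compiles in more parsing code than the option name suggests. Unless `override_cache` already logs the change (its definition is not visible here), a line such as `message(STATUS "WOLFSSL_TSP enabled: forcing WOLFSSL_PKCS7=yes")` inside the new block would show it at configure time. The help string could likewise read `"Enable RFC 3161 Time-Stamp Protocol, requires PKCS7 (default: disabled)"`.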

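--- a/IDE/INTIME-RTOS/libwolfssl.vcxproj
+++ b/IDE/INTIME-RTOS/libwolfssl.vcxproj
@@ -87,6 +87,7 @@
 <ClCompile Include="..\..\wolfcrypt\src\sp_x86_64.c" />
 <ClCompile Include="..\..\wolfcrypt\src\srp.c" />
 <ClCompile Include="..\..\wolfcrypt\src\tfm.c" />
+<ClCompile Include="..\..\wolfcrypt\src\tsp.c" />
 <ClCompile Include="..\..\wolfcrypt\src\wc_encrypt.c" />
 <ClCompile Include="..\..\wolfcrypt\src\wc_port.c" />
 <ClCompile Include="..\..\wolfcrypt\src\wolfevent.c" />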

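--- a/IDE/INTIME-RTOS/wolfssl-lib.vcxproj
+++ b/IDE/INTIME-RTOS/wolfssl-lib.vcxproj
@@ -185,6 +185,7 @@
 <ClCompile Include="..\..\wolfcrypt\src\signature.c" />
 <ClCompile Include="..\..\wolfcrypt\src\srp.c" />
 <ClCompile Include="..\..\wolfcrypt\src\tfm.c" />
+<ClCompile Include="..\..\wolfcrypt\src\tsp.c" />
 <ClCompile Include="..\..\wolfcrypt\src\wc_encrypt.c" />
 <ClCompile Include="..\..\wolfcrypt\src\wc_port.c" />
 <ClCompile Include="..\..\wolfcrypt\src\wc_slhdsa.c" />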

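--- a/IDE/WIN10/wolfssl-fips.vcxproj
+++ b/IDE/WIN10/wolfssl-fips.vcxproj
@@ -285,6 +285,7 @@
 <ClCompile Include="..\..\wolfcrypt\src\integer.c" />
 <ClCompile Include="..\..\wolfcrypt\src\pkcs7.c" />
 <ClCompile Include="..\..\wolfcrypt\src\tfm.c" />
+<ClCompile Include="..\..\wolfcrypt\src\tsp.c" />
 <ClCompile Include="..\..\src\internal.c" />
 <ClCompile Include="..\..\src\wolfio.c" />
 <ClCompile Include="..\..\wolfcrypt\src\kdf.c" />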

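--- a/certs/include.am
+++ b/certs/include.am
@@ -37,6 +37,14 @@ EXTRA_DIST += \
 certs/client-ca-cert.pem \
 certs/dh2048.pem \
 certs/server-cert.pem \
+certs/tsa-bad-ku-cert.pem \
+certs/tsa-extra-eku-cert.pem \
+certs/tsa-chain-cert.pem \
+certs/tsa-chain-key.pem \
+certs/tsa-cert.pem \
+certs/tsa-ecc-cert.pem \
+certs/tsa-ecc-key.pem \
+certs/tsa-key.pem \
 certs/server-ecc.pem \
 certs/server-ecc-self.pem \
 certs/server-ecc-comp.pem \
@@ -119,6 +127,14 @@ EXTRA_DIST += \
 certs/ecc-keyPub.der \
 certs/server-key.der \
 certs/server-cert.der \
+certs/tsa-key.der \
+certs/tsa-cert.der \
+certs/tsa-ecc-key.der \
+certs/tsa-ecc-cert.der \
+certs/tsa-bad-ku-cert.der \
+certs/tsa-extra-eku-cert.der \
+certs/tsa-chain-cert.der \
+certs/tsa-chain-key.der \
 certs/server-ecc-comp.der \
 certs/server-ecc.der \
 certs/server-ecc-self.der \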

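--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -39,6 +39,17 @@
 # aia/multi-aia-cert.pem
 # aia/overflow-aia-cert.pem
 # sia/timestamping-sia-cert.pem
+# tsa-cert.pem
+# tsa-cert.der
+# tsa-ecc-cert.pem
+# tsa-ecc-cert.der
+# tsa-bad-ku-cert.pem
+# tsa-bad-ku-cert.der
+# tsa-extra-eku-cert.pem
+# tsa-extra-eku-cert.der
+# tsa-chain-cert.pem
+# tsa-chain-cert.der
+# intermediate/ca-int-cert.der
 # updates the following crls:
 # crl/cliCrl.pem
 # crl/crl.pem
@@ -216,6 +227,118 @@ run_renewcerts(){
 echo "End of section"
 echo "---------------------------------------------------------------------"
 
+############################################################
+######## update the self-signed (2048-bit) tsa-cert.pem ###
+############################################################
+echo "Updating 2048-bit tsa-cert.pem"
+echo ""
+openssl req -new -key tsa-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-cert.csr
+check_result $? "Step 1"
+
+openssl x509 -req -in tsa-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_cert -signkey tsa-key.pem -out tsa-cert.pem
+check_result $? "Step 2"
+rm tsa-cert.csr
+
+openssl x509 -in tsa-cert.pem -text > tmp.pem
+check_result $? "Step 3"
+mv tmp.pem tsa-cert.pem
+
+openssl x509 -in tsa-cert.pem -outform der -out tsa-cert.der
+check_result $? "Step 4"
+echo "End of section"
+echo "---------------------------------------------------------------------"
+
+############################################################
+## update the intermediate-issued tsa-chain-cert.pem ######
+############################################################
+echo "Updating 2048-bit tsa-chain-cert.pem"
+echo ""
+openssl req -new -key tsa-chain-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-chain-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-chain-cert.csr
+check_result $? "Step 1"
+
+openssl x509 -req -in tsa-chain-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_cert -CA intermediate/ca-int-cert.pem -CAkey intermediate/ca-int-key.pem -CAcreateserial -out tsa-chain-cert.pem
+check_result $? "Step 2"
+rm tsa-chain-cert.csr
+rm -f intermediate/ca-int-cert.srl
+
+openssl x509 -in tsa-chain-cert.pem -text > tmp.pem
+check_result $? "Step 3"
+mv tmp.pem tsa-chain-cert.pem
+
+openssl x509 -in tsa-chain-cert.pem -outform der -out tsa-chain-cert.der
+check_result $? "Step 4"
+
+# DER of the issuing intermediate CA - consumed as a cert buffer
+# (certs_test.h) for the TSA chain verification test. Derived from the
+# existing PEM; not removed.
+openssl x509 -in intermediate/ca-int-cert.pem -outform der -out intermediate/ca-int-cert.der
+check_result $? "Step 5"
+echo "End of section"
+echo "---------------------------------------------------------------------"
+
+############################################################
+########## update the self-signed tsa-ecc-cert.pem ########
+############################################################
+echo "Updating tsa-ecc-cert.pem"
+echo ""
+openssl req -new -key tsa-ecc-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-ECC/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-ecc-cert.csr
+check_result $? "Step 1"
+
+openssl x509 -req -in tsa-ecc-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_cert -signkey tsa-ecc-key.pem -out tsa-ecc-cert.pem
+check_result $? "Step 2"
+rm tsa-ecc-cert.csr
+
+openssl x509 -in tsa-ecc-cert.pem -text > tmp.pem
+check_result $? "Step 3"
+mv tmp.pem tsa-ecc-cert.pem
+
+openssl x509 -in tsa-ecc-cert.pem -outform der -out tsa-ecc-cert.der
+check_result $? "Step 4"
+echo "End of section"
+echo "---------------------------------------------------------------------"
+
+############################################################
+## update the self-signed (2048-bit) tsa-bad-ku-cert.pem ##
+############################################################
+echo "Updating 2048-bit tsa-bad-ku-cert.pem"
+echo ""
+openssl req -new -key tsa-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-bad-ku-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-bad-ku-cert.csr
+check_result $? "Step 1"
+
+openssl x509 -req -in tsa-bad-ku-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_bad_ku_cert -signkey tsa-key.pem -out tsa-bad-ku-cert.pem
+check_result $? "Step 2"
+rm tsa-bad-ku-cert.csr
+
+openssl x509 -in tsa-bad-ku-cert.pem -text > tmp.pem
+check_result $? "Step 3"
+mv tmp.pem tsa-bad-ku-cert.pem
+
+openssl x509 -in tsa-bad-ku-cert.pem -outform der -out tsa-bad-ku-cert.der
+check_result $? "Step 4"
+echo "End of section"
+echo "---------------------------------------------------------------------"
+
+###############################################################
+## update the self-signed (2048-bit) tsa-extra-eku-cert.pem ##
+###############################################################
+echo "Updating 2048-bit tsa-extra-eku-cert.pem"
+echo ""
+openssl req -new -key tsa-key.pem -config ./renewcerts/wolfssl.cnf -nodes -subj "/C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=TSA-extra-eku-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com" -out tsa-extra-eku-cert.csr
+check_result $? "Step 1"
+
+openssl x509 -req -in tsa-extra-eku-cert.csr -days 1000 -extfile ./renewcerts/wolfssl.cnf -extensions tsa_extra_eku_cert -signkey tsa-key.pem -out tsa-extra-eku-cert.pem
+check_result $? "Step 2"
+rm tsa-extra-eku-cert.csr
+
+openssl x509 -in tsa-extra-eku-cert.pem -text > tmp.pem
+check_result $? "Step 3"
+mv tmp.pem tsa-extra-eku-cert.pem
+
+openssl x509 -in tsa-extra-eku-cert.pem -outform der -out tsa-extra-eku-cert.der
+check_result $? "Step 4"
+echo "End of section"
+echo "---------------------------------------------------------------------"
+
 ############################################################
 #### update the self-signed (1024-bit) client-cert.pem #####
 ############################################################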
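Review bot: The tsa-bad-ku and tsa-extra-eku sections in the second hunk sign with `tsa-key.pem`, the same key used for the valid `tsa-cert.pem`. All three certificates therefore carry the same public key and, with `subjectKeyIdentifier = hash`, the same key identifier. If that is deliberate, say so where the key is reused, e.g. `# Reuses tsa-key.pem on purpose: same key and SKI as tsa-cert.pem, only the extensions differ`. Otherwise a test that looks up the signer by key identifier could match the valid certificate and pass or fail for the wrong reason; how the tests pick the signer is not visible here. The enclosing `run_renewcerts` function starts and ends outside the hunk.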

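--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -452,3 +452,30 @@ DNS.1 = www.example.org
 URI.1 = https://www.wolfssl.com/
 otherName.2 = 2.16.840.1.101.3.6.6;FORMAT:HEX,OCT:D1:38:10:D8:28:AF:2C:10:84:35:15:A1:68:58:28:AF:02:10:86:A2:84:E7:39:C3:EB
 
+
+# TSA certificate extensions - RFC 3161 time-stamping only
+[ tsa_cert ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:false
+subjectAltName = DNS:tsa.wolfssl.com
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, timeStamping
+
+# TSA certificate extensions with wrong key usage - for failure testing
+[ tsa_bad_ku_cert ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:false
+keyUsage = critical, keyEncipherment
+extendedKeyUsage = critical, timeStamping
+
+# TSA certificate extensions with an extra (non-timeStamping) extended key
+# usage - for failure testing. The extra purpose is an unrecognized OID so the
+# time-stamping bit is still the only one set; rejection relies on the count.
+[ tsa_extra_eku_cert ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:false
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, timeStamping, 1.3.6.1.4.1.99999.1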
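Review bot: `[ tsa_bad_ku_cert ]` and `[ tsa_extra_eku_cert ]` leave out the `subjectAltName = DNS:tsa.wolfssl.com` line that `[ tsa_cert ]` has, so each negative-test certificate differs from the valid one in two properties rather than one. Adding `subjectAltName = DNS:tsa.wolfssl.com` to both sections would make the wrong key usage, or the extra EKU OID, the only difference a verifier could be rejecting. That keeps the failure tests tied to the check they are meant to exercise.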
