Tcl
Tcl
RFC3161 Timestamp Client - Fetch from Timestamp Authority (TSA) and Verify
See more HTTP Examples
Sends an RFC 3161 timestamp request to a TSA (Timestamp Authority) server and validates the timestamp token response.Chilkat Tcl Downloads
load ./chilkat.dll
set success 0
# This requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.
# First sha-256 hash the data that is to be timestamped.
# In this example, the data is the string "Hello World"
set crypt [new_CkCrypt2]
CkCrypt2_put_HashAlgorithm $crypt "sha256"
CkCrypt2_put_EncodingMode $crypt "base64"
set base64Hash [CkCrypt2_hashStringENC $crypt "Hello World"]
set http [new_CkHttp]
set requestToken [new_CkBinData]
set optionalPolicyOid ""
set addNonce 0
set requestTsaCert 1
# Create a time-stamp request token
set success [CkHttp_CreateTimestampRequest $http "sha256" $base64Hash $optionalPolicyOid $addNonce $requestTsaCert $requestToken]
if {$success == 0} then {
puts [CkHttp_lastErrorText $http]
delete_CkCrypt2 $crypt
delete_CkHttp $http
delete_CkBinData $requestToken
exit
}
# Send the time-stamp request token to the TSA.
# This is the equivalent of the following CURL command:
# curl -H "Content-Type: application/timestamp-query" --data-binary '@file.tsq' https://freetsa.org/tsr > file.tsr
set tsaUrl "https://freetsa.org/tsr"
# Another timestamp server you could try is: http://timestamp.digicert.com
set tsaUrl "http://timestamp.digicert.com"
set resp [new_CkHttpResponse]
set success [CkHttp_HttpBd $http "POST" $tsaUrl $requestToken "application/timestamp-query" $resp]
if {$success == 0} then {
puts [CkHttp_lastErrorText $http]
delete_CkCrypt2 $crypt
delete_CkHttp $http
delete_CkBinData $requestToken
delete_CkHttpResponse $resp
exit
}
# Get the timestamp reply from the HTTP response object.
set timestampReply [new_CkBinData]
CkHttpResponse_GetBodyBd $resp $timestampReply
# Show the base64 encoded timestamp reply.
puts [CkBinData_getEncoded $timestampReply base64]
# Let's verify the timestamp reply against the TSA's cert, which we've previously downloaded.
# See https://freetsa.org/index_en.php
set tsaCert [new_CkCert]
set success [CkCert_LoadFromFile $tsaCert "qa_data/certs/freetsa.org.cer"]
if {$success == 0} then {
puts [CkCert_lastErrorText $tsaCert]
delete_CkCrypt2 $crypt
delete_CkHttp $http
delete_CkBinData $requestToken
delete_CkHttpResponse $resp
delete_CkBinData $timestampReply
delete_CkCert $tsaCert
exit
}
# The VerifyTimestampReply method will return one of the following values:
# -1: The timestampReply does not contain a valid timestamp reply.
# -2: The timestampReply is a valid timestamp reply, but failed verification using the public key of the tsaCert.
# 0: Granted and verified.
# 1: Granted and verified, with mods (see RFC 3161)
# 2: Rejected.
# 3: Waiting.
# 4: Revocation Warning
# 5: Revocation Notification
set pkiStatus [CkHttp_VerifyTimestampReply $http $timestampReply $tsaCert]
if {$pkiStatus < 0} then {
puts [CkHttp_lastErrorText $http]
delete_CkCrypt2 $crypt
delete_CkHttp $http
delete_CkBinData $requestToken
delete_CkHttpResponse $resp
delete_CkBinData $timestampReply
delete_CkCert $tsaCert
exit
}
puts "pkiStatus = $pkiStatus"
set json [new_CkJsonObject]
CkHttp_GetLastJsonData $http $json
CkJsonObject_put_EmitCompact $json 0
puts [CkJsonObject_emit $json]
# The JSON looks like the following.
# Use this online tool to generate parsing code from sample JSON:
# Generate Parsing Code from JSON
# {
# "timestampReply": {
# "pkiStatus": {
# "value": 0,
# "meaning": "granted"
# }
# },
# "pkcs7": {
# "verify": {
# "digestAlgorithms": [
# "sha256"
# ],
# "signerInfo": [
# {
# "cert": {
# "serialNumber": "04CD3F8568AE76C61BB0FE7160CCA76D",
# "issuerCN": "DigiCert SHA2 Assured ID Timestamping CA",
# "digestAlgOid": "2.16.840.1.101.3.4.2.1",
# "digestAlgName": "SHA256"
# },
# "contentType": "1.2.840.113549.1.9.16.1.4",
# "signingTime": "200405023019Z",
# "messageDigest": "f14zOsdnN9vyyV3HjjBiLzNDi1PF28hAFMODxNkNRZs=",
# "signingAlgOid": "1.2.840.113549.1.1.1",
# "signingAlgName": "RSA-PKCSV-1_5",
# "authAttr": {
# "1.2.840.113549.1.9.3": {
# "name": "contentType",
# "oid": "1.2.840.113549.1.9.16.1.4"
# },
# "1.2.840.113549.1.9.5": {
# "name": "signingTime",
# "utctime": "200405023019Z"
# },
# "1.2.840.113549.1.9.16.2.12": {
# "name": "signingCertificate",
# "der": "MBowGDAWBBQDJb1QXtqWMC3CL0+gHkwovig0xQ=="
# },
# "1.2.840.113549.1.9.4": {
# "name": "messageDigest",
# "digest": "f14zOsdnN9vyyV3HjjBiLzNDi1PF28hAFMODxNkNRZs="
# }
# }
# }
# ]
# }
# }
# }
set signingTime [new_CkDtObj]
set authAttrSigningTimeUtctime [new_CkDtObj]
set timestampReplyPkiStatusValue [CkJsonObject_IntOf $json "timestampReply.pkiStatus.value"]
set timestampReplyPkiStatusMeaning [CkJsonObject_stringOf $json "timestampReply.pkiStatus.meaning"]
set i 0
set count_i [CkJsonObject_SizeOfArray $json "pkcs7.verify.digestAlgorithms"]
while {$i < $count_i} {
CkJsonObject_put_I $json $i
set strVal [CkJsonObject_stringOf $json "pkcs7.verify.digestAlgorithms[i]"]
set i [expr $i + 1]
}
set i 0
set count_i [CkJsonObject_SizeOfArray $json "pkcs7.verify.signerInfo"]
while {$i < $count_i} {
CkJsonObject_put_I $json $i
set certSerialNumber [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].cert.serialNumber"]
set certIssuerCN [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].cert.issuerCN"]
set certDigestAlgOid [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].cert.digestAlgOid"]
set certDigestAlgName [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].cert.digestAlgName"]
set contentType [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].contentType"]
CkJsonObject_DtOf $json "pkcs7.verify.signerInfo[i].signingTime" 0 $signingTime
set messageDigest [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].messageDigest"]
set signingAlgOid [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].signingAlgOid"]
set signingAlgName [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].signingAlgName"]
set authAttrContentTypeName [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.3\".name"]
set authAttrContentTypeOid [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.3\".oid"]
set authAttrSigningTimeName [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.5\".name"]
CkJsonObject_DtOf $json "pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.5\".utctime" 0 $authAttrSigningTimeUtctime
set authAttrSigningCertificateName [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.16.2.12\".name"]
set authAttrSigningCertificateDer [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.16.2.12\".der"]
set authAttrMessageDigestName [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.4\".name"]
set authAttrMessageDigestDigest [CkJsonObject_stringOf $json "pkcs7.verify.signerInfo[i].authAttr.\"1.2.840.113549.1.9.4\".digest"]
set i [expr $i + 1]
}
delete_CkCrypt2 $crypt
delete_CkHttp $http
delete_CkBinData $requestToken
delete_CkHttpResponse $resp
delete_CkBinData $timestampReply
delete_CkCert $tsaCert
delete_CkJsonObject $json
delete_CkDtObj $signingTime
delete_CkDtObj $authAttrSigningTimeUtctime