
Timestamp

Timestamping is the process of securely keeping track of the creation and modification times of documents. It is used to demonstrate the existence of some information before a certain date, making it impossible for the owner of such information to modify it without compromising the timestamp applied.

1. Timestamp Information

The user can request that all the evidences (documents, photos, videos, etc.) collected during the validation process be timestamped. There are 3 Timestamp Authorities available (see the API definition; as noted there, this action should be done right before confirming the validation).

Danger

It is important to note that the "standard" TSA does not provide any service level agreement (SLA) and its availability is not guaranteed. For these reasons, it should only be used in testing and pre-production environments.

Once this process is done, the user can request all the evidences together with the timestamp files: a timestamp request (.tsq file) and a timestamp response (.tsr file), which can be used to verify the integrity of the evidences in the future.

If the timestamp feature was used in the IDV process, the user can retrieve information about the timestamp, such as when the evidences were signed, the algorithm used, or extra information about the TSA.

To retrieve this information, run the following command (Linux users):

openssl ts -reply -in TimestampResponse-{TSA}.tsr -text

where {TSA} is the Timestamp Authority used in the process.

Timestamp Verification

The user can also verify that the evidences have not been altered after the date the timestamp vouches for.

There are two possible checks:

  • Verification with the timestamp request and timestamp response files (.tsq and .tsr) returned by Veridas' Digital Onboarding service.
  • Generate a timestamp request from the evidences and verify it with the timestamp response returned by Veridas' Digital Onboarding service.

1. Verification with the timestamp request and timestamp response files (.tsq and .tsr) returned by Veridas' Digital Onboarding service

Depending on the Timestamp Authority used, follow the steps below:

Standard TSA

  1. Download the TSA certificates

    https://freetsa.org/files/tsa.crt

    https://freetsa.org/files/cacert.pem

  2. Verify the integrity of the process (Linux users)

    openssl ts -verify -in TimestampResponse-standard.tsr -queryfile TimestampRequest-standard.tsq -CAfile cacert.pem -untrusted tsa.crt
    

Izenpe TSA

  1. Download the TSA certificates

    https://www.izenpe.eus/contenidos/informacion/cas_izenpe/es_cas/adjuntos/IZENPE_ROOT_QC.crt

    https://www.izenpe.eus/contenidos/informacion/cas_izenpe/es_cas/adjuntos/SUBCA_QC_TSA.crt

    https://www.izenpe.eus/contenidos/informacion/cas_izenpe/es_cas/adjuntos/TSA_timestamp_signing_4.crt

  2. Convert certificates (Linux users)

    openssl x509 -inform der -in IZENPE_ROOT_QC.crt -out izenpe1.pem
    
    openssl x509 -inform der -in SUBCA_QC_TSA.crt -out izenpe2.pem
    
  3. Concatenate certificates (Linux users)

    cat izenpe1.pem izenpe2.pem > izenpe.pem
    
  4. Verify the integrity of the process (Linux users)

    openssl ts -verify -in TimestampResponse-izenpe.tsr -queryfile TimestampRequest-izenpe.tsq -CAfile izenpe.pem -untrusted TSA_timestamp_signing_4.crt
    

FNMT TSA

  1. Download the TSA certificates

    https://www.sede.fnmt.gob.es/documents/10445900/10526749/AC_Raiz_FNMT-RCM_SHA256.cer

    https://www.sede.fnmt.gob.es/documents/10445900/10526749/AC_Unidades_Sellado_Tiempo.cer

  2. Convert certificates (Linux users)

    openssl x509 -inform der -in AC_Raiz_FNMT-RCM_SHA256.cer -out fnmt.pem
    
    openssl x509 -inform der -in AC_Unidades_Sellado_Tiempo.cer -out fnmt.crt
    
  3. Verify the integrity of the process (Linux users)

    openssl ts -verify -in TimestampResponse-fnmt.tsr -queryfile TimestampRequest-fnmt.tsq -CAfile fnmt.pem -untrusted fnmt.crt
    

2. Generate a timestamp request from the evidences and verify it with the timestamp response returned by Veridas' Digital Onboarding service

The logic we follow to generate a timestamp for the evidences is the following:

  1. We generate a hash (SHA-512) of the content of each one of the evidences.
  2. These hashes are sorted and concatenated into a file.
  3. With this last file we generate a timestamp request (.tsq file) that is sent to one of the available TSAs (timestamp authorities).

So, it can easily be proved that a .tsr belongs to a set of validation evidences by generating a new .tsq file from those evidences and verifying it against the .tsr returned by Veridas' Digital Onboarding service. If this verification succeeds, it can be affirmed that these evidences were used to generate the .tsr.

To generate a new .tsq file, we provide a Python script that does this task:

generate_tsq.py

import os
import hashlib
import sys
import subprocess


def compute_hash(path, size=131072):
    """Return the SHA-512 hex digest of one evidence file, read in chunks."""
    sha512 = hashlib.sha512()
    with open(path, 'rb') as file_:
        while True:
            data = file_.read(size)
            if not data:
                break
            sha512.update(data)
    return sha512.hexdigest()


def hash_extracted_data(dir_name):
    """Hash every evidence file in the folder and return the digests sorted."""
    hashed_evidences = []
    with os.scandir(dir_name) as files:
        for file_ in files:
            if file_.is_file():  # skip subdirectories, which cannot be hashed
                hashed_evidences.append(compute_hash(file_.path))

    if len(hashed_evidences) > 0:
        return sorted(hashed_evidences)

    return None


def save_hashes_into_file(hashed_evidences):
    """Concatenate the sorted hex digests (no separators) and write them as text."""
    final_hash = ''.join(hashed_evidences)

    with open('final_hash.txt', 'w') as file_:
        file_.write(final_hash)


def generate_tsq():
    """Build the timestamp request over final_hash.txt with openssl
    (SHA-512 imprint, no nonce, TSA certificate requested)."""
    ssl_command = 'openssl ts -query -data final_hash.txt -no_nonce -sha512 -cert -out file.tsq'
    subprocess.check_output(
        ssl_command.split(' '),
        stderr=subprocess.DEVNULL
    )


def main():
    if len(sys.argv) != 2:
        sys.exit('Usage: python generate_tsq.py evidence_folder')
    evidence_folder = sys.argv[1]  # path to the unzipped evidences
    hashes = hash_extracted_data(evidence_folder)
    if hashes is None:
        sys.exit('No evidence files found in %s' % evidence_folder)
    save_hashes_into_file(hashes)
    generate_tsq()


if __name__ == '__main__':
    main()

Usage: python generate_tsq.py evidence_folder
where evidence_folder is the path to the folder with all the unzipped evidences.
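The script above relies on openssl to encode file.tsq. As an added example (not Veridas' code), the following pure-Python block reproduces the same message imprint from an evidence folder and encodes and decodes the RFC 3161 TimeStampReq itself, so you can confirm what file.tsq contains (hash OID and imprint) without shelling out to openssl. It assumes a constructed two-file evidence folder created in demo(), and its short-form DER helpers cover a TimeStampReq but not a full .tsr.

```python
import hashlib
import os
import tempfile

SHA512_OID = bytes.fromhex("608648016503040203")  # id-sha512 (2.16.840.1.101.3.4.2.3)

def der(tag, body):
    """DER TLV with a short-form length; enough for a TimeStampReq (< 128 bytes)."""
    if len(body) >= 0x80:
        raise ValueError("long-form DER length not supported here")
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Decode one short-form DER TLV at pos; return (tag, value, next position)."""
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def evidence_imprint(dir_name):
    """Page steps 1-3: SHA-512 each file, sort and concatenate the hex digests as
    text, then SHA-512 that text (what `openssl ts -query -data final_hash.txt` hashes)."""
    digests = []
    for entry in os.scandir(dir_name):
        if entry.is_file():
            with open(entry.path, "rb") as f:
                digests.append(hashlib.sha512(f.read()).hexdigest())
    if not digests:
        raise ValueError("no evidence files in %s" % dir_name)
    return hashlib.sha512("".join(sorted(digests)).encode("ascii")).digest()

def build_tsq(imprint):
    """TimeStampReq ::= SEQUENCE { version 1, messageImprint, certReq TRUE }, no nonce."""
    alg_id = der(0x30, der(0x06, SHA512_OID) + der(0x05, b""))
    message_imprint = der(0x30, alg_id + der(0x04, imprint))
    return der(0x30, der(0x02, b"\x01") + message_imprint + der(0x01, b"\xff"))

def tsq_imprint(tsq):
    """Return (hash OID, hashedMessage) from a DER TimeStampReq such as file.tsq."""
    _, req, _ = read_tlv(tsq)
    _, _, pos = read_tlv(req)                     # INTEGER version, skipped
    _, message_imprint, _ = read_tlv(req, pos)    # SEQUENCE messageImprint
    _, alg_id, pos = read_tlv(message_imprint)    # AlgorithmIdentifier
    return read_tlv(alg_id)[1], read_tlv(message_imprint, pos)[1]  # (OID, hashedMessage)

def demo():
    # Constructed evidence set: two stand-in files instead of the real unzipped evidences.
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("selfie.jpg", b"constructed photo"), ("id.jpg", b"constructed id")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        imprint = evidence_imprint(d)
    oid, hashed = tsq_imprint(build_tsq(imprint))
    return oid == SHA512_OID and hashed == imprint
```

Running `tsq_imprint(open("file.tsq", "rb").read())` on the script's output gives the same pair as `build_tsq(evidence_imprint(evidence_folder))`, which is the value the .tsr must have signed.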

Now, to verify the timestamp, use the following command. It checks both that the message imprint in file.tsq matches the one signed in the .tsr and that the TSA signature chains to the certificates provided:

openssl ts -verify -in TimestampResponse-{TSA}.tsr -queryfile file.tsq -CAfile {TSA}.pem -untrusted {TSA}.crt

where:

  • {TSA} is the Timestamp Authority used in the process.
  • TimestampResponse-{TSA}.tsr is the timestamp response obtained from the timestamp.zip file returned by Veridas' Digital Onboarding service.
  • file.tsq is the timestamp request obtained from the Python script.
  • {TSA}.pem and {TSA}.crt are the certificates that can be obtained in the first check.