Discuss this help topic in SecureBlackbox Forum

Configure TSP server

The TSP server components included in SecureBlackbox implement only the TSP (RFC 3161) functionality itself. To process HTTP requests they rely on external HTTP(S) components: either HTTPBlackbox or any other HTTP implementation that lets you hand the raw body of a TSP request over to your own handler will do.

Before wiring up the TSP server, the HTTP server component has to be set up and configured. Your server should be able to: (1) accept POST requests whose content type is 'application/timestamp-query'; (2) forward the request body to the TSP request handler; (3) receive the result from the handler; (4) send it back as the HTTP response body with the 'application/timestamp-reply' content type. Anything else (other methods, other content types, oversized bodies) is best rejected at the HTTP layer before it reaches the handler.

The TSP request handler expects a properly formed TSP request as input (received from the HTTP server) and returns the corresponding TSP response.

  1. Create a TElFileTSPServer object: TElFileTSPServer tspServer = new TElFileTSPServer();
  2. Each TSP server must have a signing certificate that is used to sign the responses. Load the certificate (and, optionally, the rest of its chain) into a TElMemoryCertStorage and assign the storage object to the server's Certificates property. The TSP signing certificate must include the associated private key; the key may be non-exportable, for instance located on a hardware device, which is the preferable setup for a production TSA. Per RFC 3161 the TSA certificate must carry a critical extended key usage extension containing id-kp-timeStamping, or clients will refuse the tokens it produces.
    
    TElMemoryCertStorage signingCerts = new TElMemoryCertStorage();
    signingCerts.Add(signingCert, true);
    signingCerts.Add(caCert, true);
    tspServer.Certificates = signingCerts;
    
  3. Load the received request into the server object: tspServer.LoadRequestFromStream(request);
  4. Configure response parameters:
    
    tspServer.TSPInfo.Time = DateTime.UtcNow;
    tspServer.TSPInfo.TSAName.NameType = TSBGeneralName.gnDirectoryName;
    tspServer.TSPInfo.TSAName.DirectoryName.Assign(signingCert.SubjectRDN);
    tspServer.TSPInfo.TSANameSet = true;
    
  5. Decide on the server result and the failure information flag, then call SaveReplyToStream() to sign the time-stamp and serialize it as an RFC 3161-compliant response:
    
    // possible values: psGranted, psGrantedWithMods, psRejection, psWaiting, psRevocationWarning, psRevocationNotification, psKeyUpdateWarning
    int serverResult = SBPKICommon.Unit.psGranted;
    
    // possible values: SBPKICommon.Unit.pfiBadAlg, pfiBadMessageCheck, pfiBadRequest, pfiBadTime, pfiBadCertId, pfiBadDataFormat,
    // pfiWrongAuthority, pfiIncorrectData, pfiMissingTimeStamp, pfiBadPOP
    int failureInfo = 0; // is ignored if serverResult is psGranted or psGrantedWithMods
    
    bool res = tspServer.SaveReplyToStream(serverResult, failureInfo, destStream);
    
    If res is true, signing has succeeded. Pass the contents of destStream back to the HTTP server, which forwards it to the connected client with the 'application/timestamp-reply' content type.

As the description above shows, the request is loaded into the TElFileTSPServer object itself, so every request in flight needs its own object; one instance must never be used by two requests concurrently. For small environments, creating an individual TElFileTSPServer object for every new request is fine. Heavily loaded environments, however, may need some sort of object pooling.
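The following is an added example, not code from the SecureBlackbox documentation or the library itself. It puts the HTTP duties listed above and the five TSP steps together in one HttpListener front end, with a small pool of TElFileTSPServer objects so that heavy load does not allocate a server per request. Only the members shown on this page are relied upon; the namespace names (SBTSPServer, SBX509, SBCustomCertStorage, SBPKICommon), the TElX509Certificate.LoadFromBufferPFX(byte[], string) loader and the assumption that LoadRequestFromStream throws on a malformed request are my own and should be checked against the SecureBlackbox edition you use.

```csharp
// Added example (not SecureBlackbox's own code). Namespaces and LoadFromBufferPFX are assumptions.
using System;
using System.Collections.Concurrent;
using System.IO;
using System.Net;
using System.Threading;
using SBCustomCertStorage;   // TElMemoryCertStorage (assumed namespace)
using SBPKICommon;           // TSBGeneralName, Unit   (assumed namespace)
using SBTSPServer;           // TElFileTSPServer       (assumed namespace)
using SBX509;                // TElX509Certificate     (assumed namespace)

public sealed class TspHttpFrontEnd
{
    private const int MaxRequestBytes = 64 * 1024;   // a TimeStampReq is a few hundred bytes; cap abuse
    private readonly TElX509Certificate signingCert;
    private readonly TElMemoryCertStorage certs;
    // A request is loaded into the server object, so an object serves one request at a time and is
    // returned to the pool afterwards instead of being discarded.
    private readonly ConcurrentBag<TElFileTSPServer> pool = new ConcurrentBag<TElFileTSPServer>();

    public TspHttpFrontEnd(string pfxPath, string pfxPassword)
    {
        signingCert = new TElX509Certificate();
        // Assumed loader name. The certificate must carry its private key (HSM-backed in production).
        signingCert.LoadFromBufferPFX(File.ReadAllBytes(pfxPath), pfxPassword);
        certs = new TElMemoryCertStorage();
        certs.Add(signingCert, true);
    }

    // Core handler: DER TimeStampReq in, DER TimeStampResp out. Failures propagate to the HTTP layer.
    public byte[] Handle(byte[] request)
    {
        TElFileTSPServer server;
        if (!pool.TryTake(out server))
        {
            server = new TElFileTSPServer();
            server.Certificates = certs;
        }
        try
        {
            using (var inStream = new MemoryStream(request, false))
            using (var outStream = new MemoryStream())
            {
                server.LoadRequestFromStream(inStream);      // assumed to throw on malformed input
                server.TSPInfo.Time = DateTime.UtcNow;        // the token's genTime is GeneralizedTime in UTC
                server.TSPInfo.TSAName.NameType = TSBGeneralName.gnDirectoryName;
                server.TSPInfo.TSAName.DirectoryName.Assign(signingCert.SubjectRDN);
                server.TSPInfo.TSANameSet = true;
                int failureInfo = 0;                           // ignored when the status is psGranted
                if (!server.SaveReplyToStream(SBPKICommon.Unit.psGranted, failureInfo, outStream))
                    throw new InvalidOperationException("time-stamp signing failed");
                return outStream.ToArray();
            }
        }
        finally
        {
            pool.Add(server);
        }
    }

    // One HTTP exchange; every check runs before the body reaches the TSP code.
    private void Process(HttpListenerContext ctx)
    {
        HttpListenerRequest req = ctx.Request;
        HttpListenerResponse resp = ctx.Response;
        try
        {
            if (req.HttpMethod != "POST") { resp.StatusCode = 405; return; }
            string mediaType = (req.ContentType ?? "").Split(';')[0].Trim();
            if (!string.Equals(mediaType, "application/timestamp-query", StringComparison.OrdinalIgnoreCase))
            { resp.StatusCode = 415; return; }
            // Chunked bodies report -1 and are rejected too: a TSP request is tiny and has a known length.
            if (req.ContentLength64 <= 0 || req.ContentLength64 > MaxRequestBytes)
            { resp.StatusCode = 413; return; }
            byte[] body = new byte[req.ContentLength64];
            int read = 0;
            while (read < body.Length)
            {
                int n = req.InputStream.Read(body, read, body.Length - read);
                if (n <= 0) break;
                read += n;
            }
            if (read != body.Length) { resp.StatusCode = 400; return; }
            byte[] reply = Handle(body);
            resp.ContentType = "application/timestamp-reply";
            resp.ContentLength64 = reply.Length;
            resp.OutputStream.Write(reply, 0, reply.Length);
        }
        catch (Exception)
        {
            resp.StatusCode = 500;   // parse or signing error; never echo details back to the client
        }
        finally
        {
            resp.Close();
        }
    }

    public void Serve(string prefix)
    {
        var listener = new HttpListener();
        listener.Prefixes.Add(prefix);
        listener.Start();
        while (listener.IsListening)
        {
            HttpListenerContext ctx = listener.GetContext();
            ThreadPool.QueueUserWorkItem(_ => Process(ctx));
        }
    }

    public static void Main(string[] args)
    {
        // Usage: TspHttpFrontEnd tsa.pfx <password> [http://localhost:8080/tsa/]
        new TspHttpFrontEnd(args[0], args[1]).Serve(args.Length > 2 ? args[2] : "http://localhost:8080/tsa/");
    }
}
```

The pool is correct only because each rented object is used by a single thread until it is returned; handing the same TElFileTSPServer to two concurrent requests would mix their request state. The response carries its own signature, so the HTTP transport does not need to be authenticated for token integrity, but TLS is still the usual choice to keep the request hashes private in transit.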
