
I have a SOAP request which needs to be redesigned, because SoapUI can't handle binary responses properly. I decided to make it Java based. I found this really useful, but I am not sure how functions come on code snippets. I have

  • DigestValue
  • SignatureValue
  • X509Certificate

defined in the SOAP request and I am not sure how to transform this information to send a request to my tsendpoint. I tried TSAClientBouncyCastle too, but I am not sure why we need login credentials. I left those fields empty, but it finishes all the time with

TSAClientBouncyCastle@1f0e140b

message.

I call the TSAClientBouncyCastle class from Main with its constructor.

This is the main part; it should decode the data.

    // Get TSA response as a byte array
    InputStream inp = tsaConnection.getInputStream();
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    byte[] buffer = new byte[1024];
    int bytesRead = 0;
    while ((bytesRead = inp.read(buffer, 0, buffer.length)) >= 0) {
        baos.write(buffer, 0, bytesRead);
    }
    byte[] respBytes = baos.toByteArray();

    String encoding = tsaConnection.getContentEncoding();
    if (encoding != null && encoding.equalsIgnoreCase("base64")) {
        respBytes = Base64.decode(new String(respBytes));
    }
plaidshirt
  • I do not understand the relationship between the elements of your question. 1) SOAP requests do not require RFC3161 timestamps. 2) You want to verify a timestamp (question title). 3) But you are using a TSAClient to request a new timestamp. 4) Where does the error come from? What data are you timestamping? Show your code – pedrofb Jul 26 '17 at 09:55
  • @pedrofb : Sorry, yes, it is not so clear. I have a defined request, for which the answer in SoapUI is not human readable. The raw response also contains question marks and rectangles, so I think I cannot get ASCII based information with SoapUI. I have to get the value of PKIStatus. That is what I named as verification. I need a TSAClient with which I can maybe get ASCII information from the tsendpoint's response. – plaidshirt Jul 26 '17 at 12:04
  • A Time Stamp Authority (TSA) generates a proof that a datum existed before a particular time. It uses a protocol and format defined in RFC3161. If that is your intention, you cannot verify another message with a TSA. If you see strange characters it is because your messages are binary, not text. Probably the TSA is returning an error with content-type `application/timestamp-reply`. I still do not understand your use case. I cannot help you – pedrofb Jul 26 '17 at 12:26
  • @pedrofb : Yes, I know it is binary, that is why I tried to convert it in SoapUI. My use case is to check this value from the timestamping response: `status PKIStatusInfo`, as defined in the protocol. So verification stands for checking this value. That is why I try to get the response somehow in ASCII. – plaidshirt Jul 26 '17 at 12:37
  • You cannot convert a timestamp-reply to ASCII. In the code you linked you have an example to parse it with bouncycastle. `TimeStampResponse response = new TimeStampResponse(respBytes); response.getStatus()` Is this what you are looking for? – pedrofb Jul 26 '17 at 12:42
  • I think from the code yes, but I haven't seen any input yet. I am new to cryptography, so I try to get this status value somehow, that is why I try out different methods. What do you think, what is the easiest way to get PKIStatus? – plaidshirt Jul 26 '17 at 13:01
  • It is using bouncycastle to parse the response with the code I attached. I posted the details below – pedrofb Jul 26 '17 at 13:19
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/150196/discussion-between-pedrofb-and-plaidshirt). – pedrofb Jul 26 '17 at 13:40

1 Answer

A Time Stamp Authority (TSA) generates a proof that a datum existed before a particular time. It uses a protocol and format defined in RFC3161.

A time-stamping response is as follows (see RFC3161-section 2.4.2):

    TimeStampResp ::= SEQUENCE  {
      status                  PKIStatusInfo,
      timeStampToken          TimeStampToken     OPTIONAL  }

You can parse the response of content-type `application/timestamp-reply` with BouncyCastle to obtain PKIStatusInfo:

    TimeStampResponse response = new TimeStampResponse(tsaInputStream);
    int status = response.getStatus();

The possible values are:

    PKIStatus ::= INTEGER {
      granted                (0),
      -- when the PKIStatus contains the value zero a TimeStampToken, as
      -- requested, is present.
      grantedWithMods        (1),
      -- when the PKIStatus contains the value one a TimeStampToken,
      -- with modifications, is present.
      rejection              (2),
      waiting                (3),
      revocationWarning      (4),
      -- this message contains a warning that a revocation is
      -- imminent
      revocationNotification (5)
      -- notification that a revocation has occurred
    }
pedrofb
  • Thanks! The solution I linked in my question also uses this library, but I have no user credentials, only X509Data. – plaidshirt Jul 26 '17 at 13:37
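
An added example (not part of the original answer or of the code linked in the question) showing how the binary reply can be turned into readable status text with BouncyCastle's `TimeStampResponse`. The class name `TsaStatusCheck`, the helper `describe` and the seven-byte sample reply are constructed for illustration; it assumes the BouncyCastle `bcprov` and `bcpkix` jars are on the classpath.

```java
import org.bouncycastle.asn1.cmp.PKIFailureInfo;
import org.bouncycastle.tsp.TimeStampResponse;
import org.bouncycastle.tsp.TimeStampToken;

import java.util.Base64;

public class TsaStatusCheck {

    // PKIStatus names from RFC 3161 section 2.4.2, indexed by value.
    private static final String[] STATUS_NAMES = {
        "granted", "grantedWithMods", "rejection",
        "waiting", "revocationWarning", "revocationNotification"
    };

    /** Parses a raw TimeStampResp and returns a one-line text summary of its status. */
    static String describe(byte[] respBytes, String contentEncoding) throws Exception {
        // Some TSAs send the DER body base64-encoded (Content-Encoding: base64).
        if ("base64".equalsIgnoreCase(contentEncoding)) {
            respBytes = Base64.getMimeDecoder().decode(respBytes);
        }
        TimeStampResponse response = new TimeStampResponse(respBytes);
        int status = response.getStatus();
        String name = (status >= 0 && status < STATUS_NAMES.length)
                ? STATUS_NAMES[status] : "unknown";
        StringBuilder out = new StringBuilder("PKIStatus=" + status + " (" + name + ")");

        if (response.getStatusString() != null) {
            out.append(", statusString=").append(response.getStatusString());
        }
        PKIFailureInfo failInfo = response.getFailInfo();
        if (failInfo != null) {
            out.append(", failInfo=0x").append(Integer.toHexString(failInfo.intValue()));
        }
        // A token is only present for granted (0) and grantedWithMods (1).
        TimeStampToken token = response.getTimeStampToken();
        if (token != null) {
            out.append(", genTime=").append(token.getTimeStampInfo().getGenTime());
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: DER for TimeStampResp { status { rejection(2) } }, no token.
        byte[] rejected = {0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x02};
        System.out.println(describe(rejected, null));
    }
}
```

A status of 0 or 1 only says the TSA issued a token; checking that the token matches what was sent still requires `response.validate(request)` against the original `TimeStampRequest`.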