Menu
▾
▴
Re: [SignServer-develop] TimeStamp ACCEPTEDPOLICIES
|
From: Markus K. <ma...@pr...> - 2015-08-27 14:07:04
|
On 08/24/2015 11:34 AM, Martin Rublik wrote: > Dear all, Hi Martin, > > according to > http://www.signserver.org/manual/complete.en.html#Time-stamp%20Signer it is > possible to set/limit timestamping policies by modifiying ACCEPTEDPOLICIES property. > > If this property is null does it mean that TimeStampReq (TSR) cannot include > policy (reqPolicy)? Yes, I think that would be the case as no policy is then allowed to be requested. > > I've tested the beahviour with signserver-ce-3.6.2 and the result was following. > If I crafted a TSR without reqPolicy a tiemstamp was issued with > DEFAULTTSAPOLICYOID. If I crafted a TSR with a dummy policy (1.2.3) the > timestamp was denied with following error message: > "request contains unknown policy." > > following debug message is logged: > "11:15:50,908 DEBUG [org.signserver.module.tsa.TimeStampSigner] > (http--0.0.0.0-8080-1) Time stamp response status: 2: request contains unknown > policy." > > I guess it is because private method makeSetOfProperty of TimeStampSigner class > creates an empty set if ACCEPTEDPOLICIES are null. Therefore validation method > (validate method of TimeStampRequest class) fails. > > Is this expected beahviour? Yes, I think this is the expected behaviour. The rational is that you would only sign the time-stamp according to the policies you have decided to support. If a request comes in with a policy that you have not listed as a policy that you support (and thus claim to fulfil), then the request is rejected. If the request contains a policy OID then this must be the policy used in the token as explained in RFC#3161: "The policy field MUST indicate the TSA's policy under which the response was produced. If a similar field was present in the TimeStampReq, then it MUST have the same value, otherwise an error (unacceptedPolicy) MUST be returned. " Let me know if you think I missed something. Cheers, Markus > > > Thank you for the clarification, kind regards > > Martin Rublik > > ------------------------------------------------------------------------------ > _______________________________________________ > SignServer-develop mailing list > Sig...@li... > https://lists.sourceforge.net/lists/listinfo/signserver-develop > -- Kind regards, Markus Kilås PKI Specialist PrimeKey Solutions AB Lundagatan 16 SE-171 63 Solna Sweden Phone: +46 70 424 94 85 Email: mar...@pr... https://www.primekey.se |
