signserver-develop

[SignServer-develop] TimeStamp ACCEPTEDPOLICIES

[Martin R. <mar...@gm...>]

Dear all,

according to
http://www.signserver.org/manual/complete.en.html#Time-stamp%20Signer it is
possible to set/limit timestamping policies by modifiying ACCEPTEDPOLICIES property.

If this property is null does it mean that TimeStampReq (TSR) cannot include
policy (reqPolicy)?

I've tested the beahviour with signserver-ce-3.6.2 and the result was following.
If I crafted a TSR without reqPolicy a tiemstamp was issued with
DEFAULTTSAPOLICYOID. If I crafted a TSR with a dummy policy (1.2.3) the
timestamp was denied with following error message:
"request contains unknown policy."

following debug message is logged:
"11:15:50,908 DEBUG [org.signserver.module.tsa.TimeStampSigner]
(http--0.0.0.0-8080-1) Time stamp response status: 2: request contains unknown
policy."

I guess it is because private method makeSetOfProperty of TimeStampSigner class
creates an empty set if ACCEPTEDPOLICIES are null. Therefore validation method
(validate method of TimeStampRequest class) fails.

Is this expected beahviour?


Thank you for the clarification, kind regards

Martin Rublik

Re: [SignServer-develop] TimeStamp ACCEPTEDPOLICIES

[Markus K. <ma...@pr...>]

On 08/24/2015 11:34 AM, Martin Rublik wrote:
> Dear all,

Hi Martin,

> 
> according to
> http://www.signserver.org/manual/complete.en.html#Time-stamp%20Signer it is
> possible to set/limit timestamping policies by modifiying ACCEPTEDPOLICIES property.
> 
> If this property is null does it mean that TimeStampReq (TSR) cannot include
> policy (reqPolicy)?

Yes, I think that would be the case as no policy is then allowed to be
requested.

> 
> I've tested the beahviour with signserver-ce-3.6.2 and the result was following.
> If I crafted a TSR without reqPolicy a tiemstamp was issued with
> DEFAULTTSAPOLICYOID. If I crafted a TSR with a dummy policy (1.2.3) the
> timestamp was denied with following error message:
> "request contains unknown policy."
> 
> following debug message is logged:
> "11:15:50,908 DEBUG [org.signserver.module.tsa.TimeStampSigner]
> (http--0.0.0.0-8080-1) Time stamp response status: 2: request contains unknown
> policy."
> 
> I guess it is because private method makeSetOfProperty of TimeStampSigner class
> creates an empty set if ACCEPTEDPOLICIES are null. Therefore validation method
> (validate method of TimeStampRequest class) fails.
> 
> Is this expected beahviour?

Yes, I think this is the expected behaviour. The rational is that you
would only sign the time-stamp according to the policies you have
decided to support. If a request comes in with a policy that you have
not listed as a policy that you support (and thus claim to fulfil), then
the request is rejected. If the request contains a policy OID then this
must be the policy used in the token as explained in RFC#3161:

"The policy field MUST indicate the TSA's policy under which the
   response was produced.  If a similar field was present in the
   TimeStampReq, then it MUST have the same value, otherwise an error
   (unacceptedPolicy) MUST be returned. "


Let me know if you think I missed something.

Cheers,
Markus

> 
> 
> Thank you for the clarification, kind regards
> 
> Martin Rublik
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
> 



-- 
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB

Lundagatan 16
SE-171 63 Solna
Sweden

Phone: +46 70 424 94 85
Email: mar...@pr...

https://www.primekey.se

Re: [SignServer-develop] TimeStamp ACCEPTEDPOLICIES

[Martin R. <mar...@gm...>]

On 27. 8. 2015 16:06, Markus Kilås wrote:
> Yes, I think this is the expected behaviour. The rational is that you
> would only sign the time-stamp according to the policies you have
> decided to support. If a request comes in with a policy that you have
> not listed as a policy that you support (and thus claim to fulfil), then
> the request is rejected. If the request contains a policy OID then this
> must be the policy used in the token as explained in RFC#3161:
> 
> "The policy field MUST indicate the TSA's policy under which the
>    response was produced.  If a similar field was present in the
>    TimeStampReq, then it MUST have the same value, otherwise an error
>    (unacceptedPolicy) MUST be returned. "
> 
> 
> Let me know if you think I missed something.
> 
> Cheers,
> Markus


Hi,

thank you for your response, I think this is correct behaviour.

I was just a little confused. The confusion was because if ACCEPTEDPOLICIES are
null then even requests that contain DEFAULTTSAPOLICYOID are rejected.

Perhaps more explicit text would be fine in documentation:

ACCEPTEDPOLICIES = A ';' separated string containing accepted policies, can be
null if it shouldn't be used. When not used, time stamp request MUST NOT include
a policy identifier. (OPTIONAL, Recommended)

Thanks

Martin

Re: [SignServer-develop] TimeStamp ACCEPTEDPOLICIES

[Markus K. <ma...@pr...>]

On 08/27/2015 02:37 PM, Martin Rublik wrote:
> On 27. 8. 2015 16:06, Markus Kilås wrote:
>> Yes, I think this is the expected behaviour. The rational is that you
>> would only sign the time-stamp according to the policies you have
>> decided to support. If a request comes in with a policy that you have
>> not listed as a policy that you support (and thus claim to fulfil), then
>> the request is rejected. If the request contains a policy OID then this
>> must be the policy used in the token as explained in RFC#3161:
>>
>> "The policy field MUST indicate the TSA's policy under which the
>>    response was produced.  If a similar field was present in the
>>    TimeStampReq, then it MUST have the same value, otherwise an error
>>    (unacceptedPolicy) MUST be returned. "
>>
>>
>> Let me know if you think I missed something.
>>
>> Cheers,
>> Markus
> 
> 
> Hi,
> 
> thank you for your response, I think this is correct behaviour.
> 
> I was just a little confused. The confusion was because if ACCEPTEDPOLICIES are
> null then even requests that contain DEFAULTTSAPOLICYOID are rejected.
> 
> Perhaps more explicit text would be fine in documentation:
> 
> ACCEPTEDPOLICIES = A ';' separated string containing accepted policies, can be
> null if it shouldn't be used. When not used, time stamp request MUST NOT include
> a policy identifier. (OPTIONAL, Recommended)
> 
> Thanks
> 
> Martin
> 

Thanks Martin,

I updated the documentation with the following explanation:

A ';' separated string containing accepted policies. Note that only
policies listed in this property are allowed to be requested. If the
property does not contain any policies then no policy can be requested.
Requests not including any policy would use the default policy
regardless of this property but requests explicitly requesting the
default policy would still not be allowed unless it is listed in this
property. (OPTIONAL, Recommended)


Cheers,
Markus
PrimeKey Solutions

Re: [SignServer-develop] TimeStamp ACCEPTEDPOLICIES

[Martin R. <mar...@gm...>]

> Thanks Martin,
> 
> I updated the documentation with the following explanation:
> 
> A ';' separated string containing accepted policies. Note that only
> policies listed in this property are allowed to be requested. If the
> property does not contain any policies then no policy can be requested.
> Requests not including any policy would use the default policy
> regardless of this property but requests explicitly requesting the
> default policy would still not be allowed unless it is listed in this
> property. (OPTIONAL, Recommended)
> 

Great,

Thank you.

Martin