Scenarij 8.3: Vremenska oznaka (Timestamp)
Kategorija: Digitalni potpisi
Složenost: ⭐⭐⭐ (Srednja)
Preduvjeti: Postojeći potpis, pristup TSA
Procijenjeno vrijeme: 10-15 minuta
Opis
Ovaj scenarij opisuje dodavanje vremenskih oznaka digitalnim potpisima (RFC 3161). Vremenske oznake dokazuju da je potpis postojao u određenom trenutku i omogućuju:
- Dugoročnu validaciju - Potpis ostaje valjan nakon isteka certifikata
- Dokazivost - Egzaktan trenutak potpisa je dokumentiran
- Usklađenost - Obavezno za eIDAS kvalificirane potpise
Koncept:
- Hash potpisa se šalje Timestamp Authority (TSA)
- TSA potpisuje hash s vremenskom oznakom
- Timestamp-Token se prilaže potpisu
Tijek rada
flowchart LR
SIG[Potpis] --> HASH[Hash potpisa]
HASH --> REQ[TSA Zahtjev]
REQ -->|HTTP POST| TSA[Timestamp Authority]
TSA --> TOKEN[Timestamp Token]
TOKEN --> ATTACH[Prilaganje potpisu]
ATTACH --> OUTPUT[Potpis s vremenskom oznakom]
style TSA fill:#e8f5e9
style OUTPUT fill:#e3f2fd
Primjer koda: RFC 3161 Timestamp Request
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ; using System.Security.Cryptography; using System.Security.Cryptography.Pkcs; using var ctx = PqCryptoContext.Initialize(); // Učitavanje potpisa var signature = File.ReadAllBytes("document.sig"); // Izračun hasha potpisa var signatureHash = SHA256.HashData(signature); // Kreiranje Timestamp Requesta (RFC 3161) var tsRequest = new Rfc3161TimestampRequest( messageHash: signatureHash, hashAlgorithm: HashAlgorithmName.SHA256, requestedPolicyId: null, // Default Policy nonce: GenerateNonce(), requestSignerCertificates: true ); // Slanje zahtjeva TSA-i using var http = new HttpClient(); var content = new ByteArrayContent(tsRequest.Encode()); content.Headers.ContentType = new MediaTypeHeaderValue("application/timestamp-query"); var response = await http.PostAsync("http://timestamp.digicert.com", content); var tsResponseBytes = await response.Content.ReadAsByteArrayAsync(); // Parsiranje odgovora var tsResponse = Rfc3161TimestampToken.Decode(tsResponseBytes, out int bytesConsumed); // Validacija if (!tsResponse.VerifySignatureForHash(signatureHash, HashAlgorithmName.SHA256, out var signerCert, null)) { throw new CryptographicException("Timestamp potpis nije valjan"); } // Spremanje tokena File.WriteAllBytes("document.sig.tst", tsResponse.AsSignedCms().Encode()); Console.WriteLine("Vremenska oznaka primljena:"); Console.WriteLine($" Vrijeme: {tsResponse.TokenInfo.Timestamp}"); Console.WriteLine($" TSA: {signerCert.Subject}"); Console.WriteLine($" Policy: {tsResponse.TokenInfo.PolicyId}");
Primjer koda: Dodavanje vremenske oznake CMS potpisu
public class TimestampService { private readonly string _tsaUrl; private readonly HttpClient _http; public TimestampService(string tsaUrl) { _tsaUrl = tsaUrl; _http = new HttpClient { Timeout = TimeSpan.FromSeconds(30) }; } public async Task<SignedCms> AddTimestamp(SignedCms signedCms) { foreach (var signerInfo in signedCms.SignerInfos) { // Hash potpisa za vremensku oznaku var signatureHash = SHA256.HashData(signerInfo.GetSignature()); // Timestamp Request var tsRequest = new Rfc3161TimestampRequest( signatureHash, HashAlgorithmName.SHA256, requestedPolicyId: null, nonce: GenerateNonce(), requestSignerCertificates: true ); // Slanje TSA-i var content = new ByteArrayContent(tsRequest.Encode()); content.Headers.ContentType = new MediaTypeHeaderValue("application/timestamp-query"); var response = await _http.PostAsync(_tsaUrl, content); response.EnsureSuccessStatusCode(); var tsResponseBytes = await response.Content.ReadAsByteArrayAsync(); var tsToken = Rfc3161TimestampToken.Decode(tsResponseBytes, out _); // Dodavanje kao Unsigned Attribute var timestampAttr = new AsnEncodedData( new Oid("1.2.840.113549.1.9.16.2.14"), // id-aa-timeStampToken tsToken.AsSignedCms().Encode() ); signerInfo.AddUnsignedAttribute(timestampAttr); } return signedCms; } private byte[] GenerateNonce() { var nonce = new byte[8]; RandomNumberGenerator.Fill(nonce); return nonce; } }
Validacija Timestamp-Tokena
public class TimestampValidator { public TimestampValidationResult Validate( byte[] timestampToken, byte[] originalSignature, X509Certificate2Collection? trustedTsaCerts = null) { var result = new TimestampValidationResult(); try { var tsToken = Rfc3161TimestampToken.Decode(timestampToken, out _); result.Timestamp = tsToken.TokenInfo.Timestamp; result.PolicyId = tsToken.TokenInfo.PolicyId?.Value; // Provjera hasha var expectedHash = SHA256.HashData(originalSignature); if (!tsToken.TokenInfo.GetMessageHash().ReadOnlySpan.SequenceEqual(expectedHash)) { result.IsValid = false; result.Error = "Hash se ne podudara"; return result; } // Provjera potpisa if (!tsToken.VerifySignatureForHash(expectedHash, HashAlgorithmName.SHA256, out var tsaCert, trustedTsaCerts)) { result.IsValid = false; result.Error = "TSA potpis nije valjan"; return result; } result.TsaCertificate = tsaCert; // Provjera TSA lanca certifikata var chain = new X509Chain(); chain.ChainPolicy.RevocationMode = X509RevocationMode.Online; if (trustedTsaCerts != null) { chain.ChainPolicy.CustomTrustStore.AddRange(trustedTsaCerts); chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; } result.IsValid = chain.Build(tsaCert); if (!result.IsValid) { result.Error = "TSA lanac certifikata nije valjan"; } } catch (Exception ex) { result.IsValid = false; result.Error = ex.Message; } return result; } } public class TimestampValidationResult { public bool IsValid { get; set; } public DateTimeOffset? Timestamp { get; set; } public string? PolicyId { get; set; } public X509Certificate2? TsaCertificate { get; set; } public string? Error { get; set; } }
Timestamp Authorities (TSAs)
| Pružatelj | URL | Kvalificirani (eIDAS) |
|---|---|---|
| DigiCert | http://timestamp.digicert.com | Ne |
| Sectigo | http://timestamp.sectigo.com | Ne |
| GlobalSign | http://timestamp.globalsign.com | Ne |
| D-TRUST | http://zeitstempel.2.1.3.bundesdruckerei.de | Da |
| SwissSign | http://tsa.swisscom.com/tsa | Da |
| Bundesdruckerei | http://ts.2.bundesdruckerei.de | Da |
eIDAS: Za kvalificirane elektroničke potpise potreban je kvalificirani TSA.
Dugoročno arhiviranje (LTA)
public class LongTermArchive { public async Task ExtendValidation( SignedCms signedCms, string tsaUrl, X509Certificate2Collection validationData) { // 1. Ugrađivanje validacijskih podataka (Certifikati, CRL-ovi, OCSP) AddValidationData(signedCms, validationData); // 2. Dodavanje Archive Timestampa var timestampService = new TimestampService(tsaUrl); await timestampService.AddArchiveTimestamp(signedCms); // Ovaj proces se može periodički ponavljati // kako bi potpis ostao dugoročno validiran } }
Zahtjevi specifični za industriju
| Primjena | Vremenska oznaka obavezna? | Kvalificirana? |
|---|---|---|
| Code Signing | Obavezno | Ne |
| eIDAS QES | Obavezno | Da |
| PDF/A-Arhiviranje | Preporučeno | Ovisno o zahtjevima |
| S/MIME | Opcionalno | Ne |
| Zdravstvo | Obavezno | Ovisno o zemlji |
Povezani scenariji
| Povezanost | Scenarij | Opis |
|---|---|---|
| Preduvjet | 8.1 Potpisivanje dokumenata | Kreiranje potpisa |
| Preduvjet | 8.2 Potpisivanje koda | Code-Signature |
| Sljedeći korak | 8.4 Verifikacija potpisa | Validacija |
« ← 8.2 Potpisivanje koda | ↑ Pregled potpisa | 8.4 Verifikacija potpisa → »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: 30.01.2026. u 00:34
