Versions Compared

Old Version 3

changes.mady.by.user Ylva Andersson

Saved on

compared with

New Version 4

changes.mady.by.user Josefin Klang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This article describes all filters that can be used in a timestamp service in Nexus Timestamp Server. A filter can be in either filters.properties (for global timestamp service settings) or service.properties (defined for each timestamp service), but a good rule is that any filter with its own defined parameters should be in the service.properties because of bigger flexibility when using more than one timestamp service.

Except where otherwise noted, the filters are defined in or under the package "com.nexussafe.nano.filters".


Expand
titleAuditFilter

This is a pre-processing filter.

These parameters define the audit log.

ParameterDescriptionPossible valuesDefault value

logger.name

A unique name used for this logger.

String${service}

handler.type

Optional. A logging handler type.

timerolling

-

handler.pattern

Optional. A log file name pattern. Can be used to introduce per timestamp service audit logging.

String-

audittimestamprequest

Optional. Set to true if the timestamp request shall be logged.

true/falsefalse

audittimestampresponse

Optional. Set to true if the timestamp response shall be logged.

true/falsefalse

Example

Code Block
titleExample: AuditFilter
[filter.AuditManager]
class=com.nexussafe.nano.filters.AuditFilter
#logger.name=${service}
handler.type=timerolling
handler.pattern=${var}/logs/%ty-%<tm-%<td/${service}.audit.log
audittimestamprequest=true
audittimestampresponse=true



Expand
titleClockFilter

This is a pre-processing filter.

This filter injects the clock into the context.

Parameter Description Possible valuesDefault value

clock.type

The type of clock to inject.

virtual, realreal
clock.time

Applicable only if clock.type=virtual. The number of milliseconds past since the epoch (seconds since midnight 1 jan 1970).

Number-

Example

Code Block
titleExample: ClockFilter
[filter.RealClock]
class=com.nexussafe.nano.filters.ClockFilter



Expand
titleTransactionMonitorFilter

This is a pre-processing filter.

This filter injects the transaction identification into the context.

This filter takes no extra parameters.

Example

Code Block
titleExample:TransactionMonitorFIlter
[filter.TransactionMonitor]
class=com.nexussafe.nano.filters.TransactionMonitorFilter



Expand
titletimestamp.AccuracyFilter

This filter is optional.

Implements the type Accuracy as it is specified in the RFC3161 protocol, section 2.4.2.

Note

The AccuracyFilter must be placed after the GeneralizedTimeFilter in the filter chain.


Parameter Description Possible valuesDefault value
secondsNumber of seconds.Number0

milliseconds


Number of milliseconds between 1-999.

Number0

Example

Code Block
titleExample:timestamp.AccuracyFilter
[filter.Accuracy]
class=com.nexussafe.nano.filters.timestamp.AccuracyFilter
seconds=10
millis=45



Expand
titletimestamp.TimestampRespFilter

This filter is mandatory.

Creates the Timestamp response from a signed timestamp token.

This filter takes no extra parameters.

Example

Code Block
titleExample:timestamp.TimestampRespFilter
[filter.TimestampResponse]
class=com.nexussafe.nano.filters.timestamp.TimestampRespFilter



Expand
titletimestamp.GeneralizedTimeFilter

This filter is mandatory.

Add Generalized time to timestamp token as it is specified the RFC3161 protocol, section 2.4.2.

This filter takes no extra parameters.

Example


Code Block
titleExample:timestamp.GeneralizedTimeFilter
[filter.GeneralizedTime]
class=com.nexussafe.nano.filters.timestamp.GeneralizedTimeFilter



Expand
titletimestamp.MessageImprintFilter

This filter is mandatory.

Checks the MessageImprint from the timestamp request. 

Parameter Description Possible valuesDefault value
digestalgorithm

The digest algorithm used to hash the message.

SHA-1, SHA-256, SHA-512

SHA-256

Example

Code Block
titleExample: timestamp.MessageImprintFilter
[filter.MessageImprint]
digestalgorithm=SHA-256
class=com.nexussafe.nano.filters.timestamp.MessageImprintFilter



Expand
titletimestamp.NonceFilter

This filter is mandatory.

Copies the nonce, if exists in the timestamp request, to the timestamp response as it is specified the RFC3161 protocol, section 2.4.2.

This filter takes no extra parameters.

Example

Code Block
titleExample: timestamp.NonceFilter
[filter.Nonce]
class=com.nexussafe.nano.filters.timestamp.NonceFilter



Expand
titletimestamp.OrderingFilter

This filter is optional.

Add ordering to the timestamp response as it is specified the RFC3161 protocol, section 2.4.2.

Parameter Description Possible valuesDefault value

ordering

Ordering as defined in RFC3161.

true/false

false

Example

Code Block
titleExample: timestamp.OrderingFilter
[filter.Ordering]
class=com.nexussafe.nano.filters.timestamp.OrderingFilter
ordering=true



Expand
titletimestamp.SerialnumberFilter

This filter is mandatory.

Adds a generated serial number in the Timestamp response as it is specified the RFC3161 protocol, section 2.4.2.

This filter takes no extra parameters.

Example

Code Block
titleExample: timestamp.SerialnumberFilter
[filter.Serialnumber]
class=com.nexussafe.nano.filters.timestamp.SerialnumberFilter



Expand
titletimestamp.timestamp.SetTSANameFilter

This filter is optional.

Add GeneralName to timestamp token as it is specified the RFC3161 protocol, section 2.4.2. This filter uses the Global Service Settings.

Parameter Description Possible valuesDefault value

usesubject

Used to decide if the Subject shall be used for GeneralName in the Timestamp. Only one of this and the following parameters shall be set at the same time or non of them.

true/falsefalse

usesubjectaltname

Used to define the SubjectAltName to use for GeneralName in the Timestamp

0=OtherName,

1=Rfc822Name,

2=DnsName,

3=X400Address,

4=DirectoryName,

5=EdiPartyName,

6=Uri,

7=IpAddress,

8=RegisteredId

-1, means that SubjectAltName is not used.

tsaname

Used to define a static name as GeneralName in the Timestamp.

true/false-

Example

Code Block
titleExample: timestamp.SetTSANameFilter
[filter.SetTSAName]
class=com.nexussafe.nano.filters.timestamp.SetTSANameFilter
usesubject=true
#usesubjectaltname=-1
#tsaname=http://timestamping.nexusgroup.com/



Expand
titletimestamp.StorageFilter

This filter is optional and disabled by default as an embedded Derby database reduces performance..

Sets where to store the timestamp information. The information can be stored in a database per timestamp service or in the same database as other timestamp services.

Excerpt


Parameter Description Possible valuesDefault value

storage 

Set this parameter if information shall be stored in the same database as other timestamp services. A value of "system" corresponds to use the same database as other timestamp services else this parameter shall not be set.

String-

storage.database.jdbcDriver

The JDBC driver class.

String

-

storage.database.jdbcUrl

The JDBC URL or path to a file.

String-
storage.database.jdbcUserThe user accessing the database.String-
storage.database.jdbcPasswordThe users password.String

-


Examples

Code Block
titleExample: timestamp.StorageFilter - Same database as other services
[filter.StoreTimestampResponse]
class=com.nexussafe.nano.filters.timestamp.StorageFilter
storage=system


Code Block
titleExample: timestamp.StorageFilter - Own database for this service
# Derby (embedded mode) settings
[filter.StoreTimestampResponse]
class=com.nexussafe.nano.filters.timestamp.StorageFilter
storage.database.jdbcDriver=org.apache.derby.jdbc.EmbeddedDriver
storage.database.jdbcUrl=jdbc:derby:${var}/${Service}
storage.database.jdbcUser=app


Note

It is important to check the order of the filters. See an example when using an external database here: Filter chains used in Nexus Timestamp Server, section "Order of filters".



Expand
titletimestamp.TimestampTokenFilter

This filter is mandatory.

Handles the signing of a timestamp token. Will only sign if the signer certificate is valid and also validates the PrivateKeyUsagePeriod if present. This filter uses the Global Service Settings.

Parameter Description Possible valuesDefault value
digestThe digest algorithm used to hash the signature.SHA-1, SHA-256, SHA-512SHA-256
certIDHashAlgorithm

The hash algorithm used in the signer certificate to generate the identifier value. Uses ESSCertID according to  RFC3161 as default. If specified, it will use ESSCertIDv2 according to RFC 5816.

SHA-1, SHA-256, SHA-512 and more (ESSCertIDv2).SHA-1 (ESSCertID)

Example

Code Block
titleExample: timestamp.TimestampTokenFilter
[filter.TimestampToken]
class=com.nexussafe.nano.filters.timestamp.TimestampTokenFilter
digest=SHA-256
certIDHashAlgorithm=SHA-256



Expand
titletimestamp.TSAPolicyFilter

This filter is mandatory.

Verifies the policy, as it is specified the RFC3161 protocol, section 2.4.2. Used when creating the Timestamp response.

Parameter Description Possible valuesDefault value
policySpecifies the policy used to create a timestamp response.String-

Example

Code Block
titleExample: timestamp.TSAPolicyFilter
[filter.TSAPolicy]
class=com.nexussafe.nano.filters.timestamp.TSAPolicyFilter
policy=1.2.3.4.5.6.7



Expand
titletimestamp.TSTInfoFilter

This filter is mandatory.

Create the timestamp token.

This filter takes no extra parameters.

Example

Code Block
titleExample: timestamp.TSTInfoFilter
[filter.TSTInfo]
class=com.nexussafe.nano.filters.timestamp.TSTInfoFilter



Expand
titlentp.NTPFilter

This filter is optional.

Verifies local time against NTP servers and denies timestamps if local clock is out of sync. An NTP time is considered valid if the server replies within a specified time and if the the time passes the accuracy test (if enabled). The NTP filter will also forward its valid time results (see ntpMinValid) to the timestamp.AccuracyFilter.

Parameter Description Possible valuesDefault value
ntpUrl.<N>The NTP servers' URLs to compare against.String-
ntpMinValid

The minimum required NTP servers that has to pass in order for the timestamp to be considered valid. If set to 0, all NTP servers have to pass.Number0
ntpUpdateFreqSpecifies the time, in seconds, how frequently the NTP server times should be updated. If set to 0, the NTP server times are updated on demand (not recommended).Number30
ntpUpdateLogSpecifies which NTP server update status that should be logged during each update.Mask (passed, failed, none)passed | failed
ntpAccuracyThe accuracy, in milliseconds, to compare the NTP times against during each update. If set to 0 this accuracy check is disabled.Number1000
ntpTimeout Specifies the time out, in milliseconds, of an NTP request. If a server times out, it will be marked as failed during that sequence update (invalid).Number500

Example

Code Block
titleExample: ntp.NTPFilter
[filter.NTPTimeManager]
class=com.nexussafe.nano.filters.ntp.NTPFilter
ntpUrl.0=10.75.28.15
ntpUrl.1=10.75.28.16
ntpMinValid=2
ntpUpdateFreq=30
ntpUpdateLog=passed|failed
ntpAccuracy=1000
ntpTimeout=500



Expand
titlevalidation.CertificateVerificationFilter

This filter is optional.

Verifies a certificate towards a trusted store specified in the service.properties file. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter Description Possible valuesDefault value
truststorePath to the trusted store to verify towards.Path-
addissuers

The issuers found in the store should be added to the context so that they are available for filters executing after the certificate verification filter.true/falsefalse
checktimeIf set to false, disables the control of the certificate's validity time.true/falsetrue

Example

Code Block
titleExample: validation.CertificateVerificationFilter
[filter.CertificateVerifier]
class=com.nexussafe.nano.filters.validation.CertificateVerificationFilter
truststore=${ServiceDir}/certs
addissuers=true
checktime=true



Expand
titlevalidation.CrlValidationFilter

This filter is optional.

Validates a certificate using CRLs. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp ServerISO 8601 is a format for the representation of dates and times and intervals.

Parameter Description Possible valuesDefault value
validator.cache Name of the shared cache (defined in timestamp.properties).Path-
validator.cache.directoryWhere downloaded CRLs are stored.Path-
validator.cache.truststore Where trusted CRL issuers are stored.Path-
validator.cache.maxAgeDefines the maximum age in seconds. A value of -1 corresponds to unlimited.Number-1
validator.cache.provider.<N>.typeType of CRL provider.pullpull
validator.cache.provider.<N>.periodThe time the thread should wait until it tries to fetch a new CRL.ISO 8601 time expression, period.PT1H
validator.cache.provider.<N>.marginSpecifies how long before "nextUpdate" to issue a new fetch.ISO 8601 time expression, period.PT3S
validator.cache.provider.<N>.fetcher.<M>.urlURL to fetch CRL from, <M> is the sequence number of possible URLs for this thread.URL, no URL encoding needed.-

Example

Code Block
titleExample: validation.CrlValidationFilter
[filter.CrlValidator]
class=com.nexussafe.nano.filters.validation.CrlValidationFilter
validator.cache.directory=${ServiceDir}/crls
validator.cache.truststore=${ServiceDir}/certs
validator.cache.provider.1.type=pull
validator.cache.provider.1.period=PT30M
validator.cache.provider.1.margin=PT2S



Expand
titlevalidation.SimpleOcspValidationFilter

This filter is optional.

Validates a certificate using OCSP. Similar to “validation.OCSPValidationFilter” but simpler in the sense that it provides no configuration options for validation. It will use the default values for each “ocsp“-parameter listed under “validation.OCSPValidationFilter”, except for “propagateResponse” which is forced to “true”.

This filter expects a user certificate to be sent through the chain. This requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter Description Possible valuesDefault value
signer.passwordThe password for the key.String-
signer.storePath to p12 or jks. If a password is needed to decrypt a PKCS#12 file, it is passed after the filename, separated by a colon.Path-
signer.store.pinThe PKCS#12 file password.String-

signer.alias

The name of the key in the store. If there is only one key in the store, it can be omitted.

String

-

truststoreDirectory with trusted root certificates, or name of service wide or server wide shared trust store.Path, String-

responder.< N>.url

Responder url for responder N in a list of responders.

URL

-

Example

Code Block
titleExample: validation.SimpleOcspValidationFilter
[filter.SimpleOcspValidation]
class=com.nexussafe.nano.filters.validation.SimpleOcspValidationFilter
truststore=default store
signer.password=1234
signer.store=${ServiceDir}/keys/OCSP.p12
signer.store.pin=1234



Expand
titlevalidation.OCSPValidationFilter

This filter is optional.

Validates a certificate using OCSP. This filter expects a user certificate to be sent through the chain. Requires that you have TLSconnector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter Description Possible valuesDefault value
ocsp.signRequestSpecifies if requests to the OCSP server should be signed.true/falsetrue
ocsp.allowTrustedSignersIf true, enables “direct trust”, where an OCSP responder certificate is trusted if it is present in the trust store.true/falsefalse
ocsp.allowCriticalExtensionsSpecifies if OCSP responses with critical extensions should be accepted.true/falsefalse
ocsp.compareNonceSpecifies whether to compare the nonce from the OCSP request in the OCSP response or not.true/falsetrue
ocsp.responder.< N>.urlResponder url for responder N in a list of responders.URL-
propagateResponseEnables returning of the OCSP response to the application.true/falsefalse
ocsp.allowIndirectDelegationAllows the responder certificate to be a delegate of a certificate in the trust storetrue/falsefalse
ocsp.allowResponderRevocationCheck

If a responder is not in the trust store, or does not have the extension ocsp-nocheck in its responder certificate, enable this to allow checking the responder’s certificate for revocation.true/falsefalse
ocsp.responsemaxageSpecifies the maximum interval in seconds that the “thisUpdate” attribute might differ from the system time. If set to-1 nocheck is performed.Number, -1-1
ocsp.producedatskewSpecifies the maximum interval in seconds that the “producedAt” attribute timestamp is allowed to differ from system time. If set to -1 no check is performed.Number, -1-1
ocsp.nextupdateskewSpecifies the maximum interval in seconds that the “nextUpdate” attribute might differ from the system time.Number120
ocsp.dontCheckResponderRevocationDo not check the responder’s certificate for revocation, assume it is ok.true/falsefalse
ocsp.useNonce Use nonce in the OCSP revocation request.true/falsetrue
ocsp.signer.aliasThe name of the key in the store; if there is only one key in the store, it can be left blank.String-
ocsp.signer.password The password for thekey.String-
ocsp.signer.storePath to p12 or jks. If a password is needed to decrypt a PKCS#12 file, it is passed after the filename separated by a colon.Path-
ocsp.signer.store.pinThe PKCS#12 file password.String-
ocsp.truststoreDirectory with trusted root certificates, or name of service wide or server wide shared trust store.Path, String-
ocsp.algorithmIdAlgorithm for hashing issuer name and key in certificate ID.String SHA-1
ocsp.doPostIf false, attempt to use HTTP GET. Uses POST anyway if the OCSP request is longer than 255 bytes.true/falsetrue
ocsp.useAIADetermines whether to use authority access information (AIA) for validation if it is defined in the certificate. Otherwise uses only the OCSP validation list.true/falsetrue
ocsp.AIAFirstDetermines whether the request should be validated towards the AIA before the OCSP validation list.true/falsetrue

checkResponderExpiration

Determines whether to check if the signer certificate of the OCSP response from the responder has expired.

true/false

true

Example

Code Block
titleExample: validation.OCSPValidationFilter
[filter.OcspValidator]
class=com.nexussafe.nano.filters.validation.OcspValidationFilter
ocsp.truststore=default store
ocsp.compareNonce=true
ocsp.signRequest=true
ocsp.signer.password=1234
ocsp.signer.store=${ServiceDir}/keys/OCSP.p12
ocsp.signer.store.pin=1234



Expand
titlevalidation.RevocationValidationFilter

This filter is optional.

Validates certificates against revocation using OCSP, CRLs or a combination. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter Description Possible valuesDefault value
validator.typeThe validator type to use. first and roundrobin takes a list of validators to delegate to.first, roundrobin, ocsp, crl-
validator.validator.<N>.typeIf validator.type=first. Will try the validators in this list in order until a definite answer is received. If validator.type=roundrobin. Will query the validators in a round robin fashion.ocsp, crl-
validator.validator.<N>.<param>See the CrlValidationFilter or the ocsp parameter for the OcspValidationFilter (depending on type) for a specification of <param>s.--

Example

Code Block
titleExample: validation.RevocationValidationFilter
[filter.RevocationValidation]
class=com.nexussafe.nano.filters.validation.RevocationValidationFilter
validator.type=first
validator.validator.1.type=ocsp
validator.validator.1.signer.store=${ServiceDir}/keys/OCSP.p12
validator.validator.1.signer.store.pin=1234
validator.validator.1.signer.password=1234
validator.validator.1.responder.1.url=http://my.responder.com/...
validator.validator.1.truststore=default store
validator.validator.2.type=crl
validator.validator.2.cache.directory=${ServiceDir}/crls
validator.validator.2.cache.truststore=default store
validator.validator.2.cache.provider.1.type=pull
validator.validator.2.cache.provider.1.fetcher.1.url=ldap://...

Related information