This article describes all filters that can be used in a timestamp service in Nexus Timestamp Server. A filter can be in either filters.properties (for global timestamp service settings) or service.properties (defined for each timestamp service), but a good rule is that any filter with its own defined parameters should be in the service.properties because of bigger flexibility when using more than one timestamp service.
Except where otherwise noted, the filters are defined in or under the package "com.nexussafe.nano.filters".
AuditFilter
This is a pre-processing filter.
These parameters define the audit log.
| Parameter | Description | Possible values | Default value |
|---|
logger.name | A unique name used for this logger. | String | ${service} |
handler.type | Optional. A logging handler type. | timerolling | - |
handler.pattern | Optional. A log file name pattern. Can be used to introduce per timestamp service audit logging. | String | - |
audittimestamprequest | Optional. Set to true if the timestamp request shall be logged. | true/false | false |
audittimestampresponse | Optional. Set to true if the timestamp response shall be logged. | true/false | false |
Example
Example: AuditFilter
CODE
[filter.AuditManager]
class=com.nexussafe.nano.filters.AuditFilter
#logger.name=${service}
handler.type=timerolling
handler.pattern=${var}/logs/%ty-%<tm-%<td/${service}.audit.log
audittimestamprequest=true
audittimestampresponse=true
ClockFilter
This is a pre-processing filter.
This filter injects the clock into the context.
| Parameter | Description | Possible values | Default value |
|---|
clock.type | The type of clock to inject. | virtual, real | real |
| clock.time | Applicable only if clock.type=virtual. The number of milliseconds past since the epoch (seconds since midnight 1 jan 1970). | Number | - |
Example
Example: ClockFilter
CODE
[filter.RealClock]
class=com.nexussafe.nano.filters.ClockFilter
TransactionMonitorFilter
This is a pre-processing filter.
This filter injects the transaction identification into the context.
This filter takes no extra parameters.
Example
Example:TransactionMonitorFIlter
CODE
[filter.TransactionMonitor]
class=com.nexussafe.nano.filters.TransactionMonitorFilter
timestamp.AccuracyFilter
This filter is optional.
Implements the type Accuracy as it is specified in the RFC3161 protocol, section 2.4.2.
The AccuracyFilter must be placed after the GeneralizedTimeFilter in the filter chain.
| Parameter | Description | Possible values | Default value |
|---|
| seconds | Number of seconds. | Number | 0 |
milliseconds
| Number of milliseconds between 1-999. | Number | 0 |
Example
Example:timestamp.AccuracyFilter
CODE
[filter.Accuracy]
class=com.nexussafe.nano.filters.timestamp.AccuracyFilter
seconds=10
millis=45
timestamp.TimestampRespFilter
This filter is mandatory.
Creates the Timestamp response from a signed timestamp token.
This filter takes no extra parameters.
Example
Example:timestamp.TimestampRespFilter
CODE
[filter.TimestampResponse]
class=com.nexussafe.nano.filters.timestamp.TimestampRespFilter
timestamp.GeneralizedTimeFilter
This filter is mandatory.
Add Generalized time to timestamp token as it is specified the RFC3161 protocol, section 2.4.2.
This filter takes no extra parameters.
Example
Example:timestamp.GeneralizedTimeFilter
CODE
[filter.GeneralizedTime]
class=com.nexussafe.nano.filters.timestamp.GeneralizedTimeFilter
timestamp.MessageImprintFilter
This filter is mandatory.
Checks the MessageImprint from the timestamp request.
| Parameter | Description | Possible values | Default value |
|---|
| digestalgorithm | The digest algorithm used to hash the message. | SHA-1, SHA-256, SHA-512 | SHA-256 |
Example
Example: timestamp.MessageImprintFilter
CODE
[filter.MessageImprint]
digestalgorithm=SHA-256
class=com.nexussafe.nano.filters.timestamp.MessageImprintFilter
timestamp.NonceFilter
This filter is mandatory.
Copies the nonce, if exists in the timestamp request, to the timestamp response as it is specified the RFC3161 protocol, section 2.4.2.
This filter takes no extra parameters.
Example
Example: timestamp.NonceFilter
CODE
[filter.Nonce]
class=com.nexussafe.nano.filters.timestamp.NonceFilter
timestamp.OrderingFilter
This filter is optional.
Add ordering to the timestamp response as it is specified the RFC3161 protocol, section 2.4.2.
| Parameter | Description | Possible values | Default value |
|---|
ordering | Ordering as defined in RFC3161. | true/false | false |
Example
Example: timestamp.OrderingFilter
CODE
[filter.Ordering]
class=com.nexussafe.nano.filters.timestamp.OrderingFilter
ordering=true
timestamp.SerialnumberFilter
This filter is mandatory.
Adds a generated serial number in the Timestamp response as it is specified the RFC3161 protocol, section 2.4.2.
This filter takes no extra parameters.
Example
Example: timestamp.SerialnumberFilter
CODE
[filter.Serialnumber]
class=com.nexussafe.nano.filters.timestamp.SerialnumberFilter
timestamp.timestamp.SetTSANameFilter
This filter is optional.
Add GeneralName to timestamp token as it is specified the RFC3161 protocol, section 2.4.2. This filter uses the Global Service Settings.
| Parameter | Description | Possible values | Default value |
|---|
usesubject | Used to decide if the Subject shall be used for GeneralName in the Timestamp. Only one of this and the following parameters shall be set at the same time or non of them. | true/false | false |
usesubjectaltname | Used to define the SubjectAltName to use for GeneralName in the Timestamp | 0=OtherName, 1=Rfc822Name, 2=DnsName, 3=X400Address, 4=DirectoryName, 5=EdiPartyName, 6=Uri, 7=IpAddress, 8=RegisteredId | -1, means that SubjectAltName is not used. |
tsaname | Used to define a static name as GeneralName in the Timestamp. | true/false | - |
Example
Example: timestamp.SetTSANameFilter
CODE
[filter.SetTSAName]
class=com.nexussafe.nano.filters.timestamp.SetTSANameFilter
usesubject=true
#usesubjectaltname=-1
#tsaname=http://timestamping.nexusgroup.com/
timestamp.StorageFilter
This filter is optional and disabled by default as an embedded Derby database reduces performance..
Sets where to store the timestamp information. The information can be stored in a database per timestamp service or in the same database as other timestamp services.
| Parameter | Description | Possible values | Default value |
|---|
storage | Set this parameter if information shall be stored in the same database as other timestamp services. A value of "system" corresponds to use the same database as other timestamp services else this parameter shall not be set. | String | - |
storage.database.jdbcDriver | The JDBC driver class. | String | - |
storage.database.jdbcUrl | The JDBC URL or path to a file. | String | - |
| storage.database.jdbcUser | The user accessing the database. | String | - |
| storage.database.jdbcPassword | The users password. | String | - |
Examples
Example: timestamp.StorageFilter - Same database as other services
CODE
[filter.StoreTimestampResponse]
class=com.nexussafe.nano.filters.timestamp.StorageFilter
storage=system
Example: timestamp.StorageFilter - Own database for this service
CODE
# Derby (embedded mode) settings
[filter.StoreTimestampResponse]
class=com.nexussafe.nano.filters.timestamp.StorageFilter
storage.database.jdbcDriver=org.apache.derby.jdbc.EmbeddedDriver
storage.database.jdbcUrl=jdbc:derby:${var}/${Service}
storage.database.jdbcUser=app
timestamp.TimestampTokenFilter
This filter is mandatory.
Handles the signing of a timestamp token. Will only sign if the signer certificate is valid and also validates the PrivateKeyUsagePeriod if present. This filter uses the Global Service Settings.
| Parameter | Description | Possible values | Default value |
|---|
| digest | The digest algorithm used to hash the signature. | SHA-1, SHA-256, SHA-512 | SHA-256 |
| certIDHashAlgorithm | The hash algorithm used in the signer certificate to generate the identifier value. Uses ESSCertID according to RFC3161 as default. If specified, it will use ESSCertIDv2 according to RFC 5816. | SHA-1, SHA-256, SHA-512 and more (ESSCertIDv2). | SHA-1 (ESSCertID) |
Example
Example: timestamp.TimestampTokenFilter
CODE
[filter.TimestampToken]
class=com.nexussafe.nano.filters.timestamp.TimestampTokenFilter
digest=SHA-256
certIDHashAlgorithm=SHA-256
timestamp.TSAPolicyFilter
This filter is mandatory.
Verifies the policy, as it is specified the RFC3161 protocol, section 2.4.2. Used when creating the Timestamp response.
| Parameter | Description | Possible values | Default value |
|---|
| policy | Specifies the policy used to create a timestamp response. | String | - |
Example
Example: timestamp.TSAPolicyFilter
CODE
[filter.TSAPolicy]
class=com.nexussafe.nano.filters.timestamp.TSAPolicyFilter
policy=1.2.3.4.5.6.7
timestamp.TSTInfoFilter
This filter is mandatory.
Create the timestamp token.
This filter takes no extra parameters.
Example
Example: timestamp.TSTInfoFilter
CODE
[filter.TSTInfo]
class=com.nexussafe.nano.filters.timestamp.TSTInfoFilter
ntp.NTPFilter
This filter is optional.
Verifies local time against NTP servers and denies timestamps if local clock is out of sync. An NTP time is considered valid if the server replies within a specified time and if the the time passes the accuracy test (if enabled). The NTP filter will also forward its valid time results (see ntpMinValid) to the timestamp.AccuracyFilter.
| Parameter | Description | Possible values | Default value |
|---|
| ntpUrl.<N> | The NTP servers' URLs to compare against. | String | - |
ntpMinValid
| The minimum required NTP servers that has to pass in order for the timestamp to be considered valid. If set to 0, all NTP servers have to pass. | Number | 0 |
| ntpUpdateFreq | Specifies the time, in seconds, how frequently the NTP server times should be updated. If set to 0, the NTP server times are updated on demand (not recommended). | Number | 30 |
| ntpUpdateLog | Specifies which NTP server update status that should be logged during each update. | Mask (passed, failed, none) | passed | failed |
| ntpAccuracy | The accuracy, in milliseconds, to compare the NTP times against during each update. If set to 0 this accuracy check is disabled. | Number | 1000 |
| ntpTimeout | Specifies the time out, in milliseconds, of an NTP request. If a server times out, it will be marked as failed during that sequence update (invalid). | Number | 500 |
Example
Example: ntp.NTPFilter
CODE
[filter.NTPTimeManager]
class=com.nexussafe.nano.filters.ntp.NTPFilter
ntpUrl.0=10.75.28.15
ntpUrl.1=10.75.28.16
ntpMinValid=2
ntpUpdateFreq=30
ntpUpdateLog=passed|failed
ntpAccuracy=1000
ntpTimeout=500
validation.CertificateVerificationFilter
This filter is optional.
Verifies a certificate towards a trusted store specified in the service.properties file. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.
| Parameter | Description | Possible values | Default value |
|---|
| truststore | Path to the trusted store to verify towards. | Path | - |
addissuers
| The issuers found in the store should be added to the context so that they are available for filters executing after the certificate verification filter. | true/false | false |
| checktime | If set to false, disables the control of the certificate's validity time. | true/false | true |
Example
Example: validation.CertificateVerificationFilter
CODE
[filter.CertificateVerifier]
class=com.nexussafe.nano.filters.validation.CertificateVerificationFilter
truststore=${ServiceDir}/certs
addissuers=true
checktime=true
validation.CrlValidationFilter
This filter is optional.
Validates a certificate using CRLs. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server. ISO 8601 is a format for the representation of dates and times and intervals.
| Parameter | Description | Possible values | Default value |
|---|
| validator.cache | Name of the shared cache (defined in timestamp.properties). | Path | - |
| validator.cache.directory | Where downloaded CRLs are stored. | Path | - |
| validator.cache.truststore | Where trusted CRL issuers are stored. | Path | - |
| validator.cache.maxAge | Defines the maximum age in seconds. A value of -1 corresponds to unlimited. | Number | -1 |
| validator.cache.provider.<N>.type | Type of CRL provider. | pull | pull |
| validator.cache.provider.<N>.period | The time the thread should wait until it tries to fetch a new CRL. | ISO 8601 time expression, period. | PT1H |
| validator.cache.provider.<N>.margin | Specifies how long before "nextUpdate" to issue a new fetch. | ISO 8601 time expression, period. | PT3S |
| validator.cache.provider.<N>.fetcher.<M>.url | URL to fetch CRL from, <M> is the sequence number of possible URLs for this thread. | URL, no URL encoding needed. | - |
Example
Example: validation.CrlValidationFilter
CODE
[filter.CrlValidator]
class=com.nexussafe.nano.filters.validation.CrlValidationFilter
validator.cache.directory=${ServiceDir}/crls
validator.cache.truststore=${ServiceDir}/certs
validator.cache.provider.1.type=pull
validator.cache.provider.1.period=PT30M
validator.cache.provider.1.margin=PT2S
validation.SimpleOcspValidationFilter
This filter is optional.
Validates a certificate using OCSP. Similar to “validation.OCSPValidationFilter” but simpler in the sense that it provides no configuration options for validation. It will use the default values for each “ocsp“-parameter listed under “validation.OCSPValidationFilter”, except for “propagateResponse” which is forced to “true”.
This filter expects a user certificate to be sent through the chain. This requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.
| Parameter | Description | Possible values | Default value |
|---|
| signer.password | The password for the key. | String | - |
| signer.store | Path to p12 or jks. If a password is needed to decrypt a PKCS#12 file, it is passed after the filename, separated by a colon. | Path | - |
| signer.store.pin | The PKCS#12 file password. | String | - |
signer.alias | The name of the key in the store. If there is only one key in the store, it can be omitted. | String | - |
| truststore | Directory with trusted root certificates, or name of service wide or server wide shared trust store. | Path, String | - |
responder.< N>.url | Responder url for responder N in a list of responders. | URL | - |
Example
Example: validation.SimpleOcspValidationFilter
CODE
[filter.SimpleOcspValidation]
class=com.nexussafe.nano.filters.validation.SimpleOcspValidationFilter
truststore=default store
signer.password=1234
signer.store=${ServiceDir}/keys/OCSP.p12
signer.store.pin=1234
validation.OCSPValidationFilter
This filter is optional.
Validates a certificate using OCSP. This filter expects a user certificate to be sent through the chain. Requires that you have TLSconnector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.
| Parameter | Description | Possible values | Default value |
|---|
| ocsp.signRequest | Specifies if requests to the OCSP server should be signed. | true/false | true |
| ocsp.allowTrustedSigners | If true, enables “direct trust”, where an OCSP responder certificate is trusted if it is present in the trust store. | true/false | false |
| ocsp.allowCriticalExtensions | Specifies if OCSP responses with critical extensions should be accepted. | true/false | false |
| ocsp.compareNonce | Specifies whether to compare the nonce from the OCSP request in the OCSP response or not. | true/false | true |
| ocsp.responder.< N>.url | Responder url for responder N in a list of responders. | URL | - |
| propagateResponse | Enables returning of the OCSP response to the application. | true/false | false |
| ocsp.allowIndirectDelegation | Allows the responder certificate to be a delegate of a certificate in the trust store | true/false | false |
ocsp.allowResponderRevocationCheck
| If a responder is not in the trust store, or does not have the extension ocsp-nocheck in its responder certificate, enable this to allow checking the responder’s certificate for revocation. | true/false | false |
| ocsp.responsemaxage | Specifies the maximum interval in seconds that the “thisUpdate” attribute might differ from the system time. If set to-1 nocheck is performed. | Number, -1 | -1 |
| ocsp.producedatskew | Specifies the maximum interval in seconds that the “producedAt” attribute timestamp is allowed to differ from system time. If set to -1 no check is performed. | Number, -1 | -1 |
| ocsp.nextupdateskew | Specifies the maximum interval in seconds that the “nextUpdate” attribute might differ from the system time. | Number | 120 |
| ocsp.dontCheckResponderRevocation | Do not check the responder’s certificate for revocation, assume it is ok. | true/false | false |
| ocsp.useNonce | Use nonce in the OCSP revocation request. | true/false | true |
| ocsp.signer.alias | The name of the key in the store; if there is only one key in the store, it can be left blank. | String | - |
| ocsp.signer.password | The password for thekey. | String | - |
| ocsp.signer.store | Path to p12 or jks. If a password is needed to decrypt a PKCS#12 file, it is passed after the filename separated by a colon. | Path | - |
| ocsp.signer.store.pin | The PKCS#12 file password. | String | - |
| ocsp.truststore | Directory with trusted root certificates, or name of service wide or server wide shared trust store. | Path, String | - |
| ocsp.algorithmId | Algorithm for hashing issuer name and key in certificate ID. | String | SHA-1 |
| ocsp.doPost | If false, attempt to use HTTP GET. Uses POST anyway if the OCSP request is longer than 255 bytes. | true/false | true |
| ocsp.useAIA | Determines whether to use authority access information (AIA) for validation if it is defined in the certificate. Otherwise uses only the OCSP validation list. | true/false | true |
| ocsp.AIAFirst | Determines whether the request should be validated towards the AIA before the OCSP validation list. | true/false | true |
checkResponderExpiration | Determines whether to check if the signer certificate of the OCSP response from the responder has expired. | true/false | true |
Example
Example: validation.OCSPValidationFilter
CODE
[filter.OcspValidator]
class=com.nexussafe.nano.filters.validation.OcspValidationFilter
ocsp.truststore=default store
ocsp.compareNonce=true
ocsp.signRequest=true
ocsp.signer.password=1234
ocsp.signer.store=${ServiceDir}/keys/OCSP.p12
ocsp.signer.store.pin=1234
validation.RevocationValidationFilter
This filter is optional.
Validates certificates against revocation using OCSP, CRLs or a combination. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.
| Parameter | Description | Possible values | Default value |
|---|
| validator.type | The validator type to use. first and roundrobin takes a list of validators to delegate to. | first, roundrobin, ocsp, crl | - |
| validator.validator.<N>.type | If validator.type=first. Will try the validators in this list in order until a definite answer is received. If validator.type=roundrobin. Will query the validators in a round robin fashion. | ocsp, crl | - |
| validator.validator.<N>.<param> | See the CrlValidationFilter or the ocsp parameter for the OcspValidationFilter (depending on type) for a specification of <param>s. | - | - |
Example
Example: validation.RevocationValidationFilter
CODE
[filter.RevocationValidation]
class=com.nexussafe.nano.filters.validation.RevocationValidationFilter
validator.type=first
validator.validator.1.type=ocsp
validator.validator.1.signer.store=${ServiceDir}/keys/OCSP.p12
validator.validator.1.signer.store.pin=1234
validator.validator.1.signer.password=1234
validator.validator.1.responder.1.url=http://my.responder.com/...
validator.validator.1.truststore=default store
validator.validator.2.type=crl
validator.validator.2.cache.directory=${ServiceDir}/crls
validator.validator.2.cache.truststore=default store
validator.validator.2.cache.provider.1.type=pull
validator.validator.2.cache.provider.1.fetcher.1.url=ldap://...
