Description of filters in Nexus Timestamp Server
This article includes updates for Nexus Timestamp Server 2.3.0.
This article describes all filters that can be used in a timestamp service in Nexus Timestamp Server. A filter can be in either filters.properties (for global timestamp service settings) or service.properties (defined for each timestamp service), but a good rule is that any filter with its own defined parameters should be in the service.properties because of bigger flexibility when using more than one timestamp service.
Except where otherwise noted, the filters are defined in or under the package "com.nexussafe.nano.filters
".
AuditFilter
This is a pre-processing filter.
These parameters define the audit log.
Parameter | Description | Possible values | Default value |
---|---|---|---|
A unique name used for this logger. | String | ${service} | |
handler.type | Optional. A logging handler type. | timerolling | - |
handler.pattern | Optional. A log file name pattern. Can be used to introduce per timestamp service audit logging. | String | - |
audittimestamprequest | Optional. Set to true if the timestamp request shall be logged. | true/false | false |
audittimestampresponse | Optional. Set to true if the timestamp response shall be logged. | true/false | false |
audittimestampclientip | Optional. Set to true if the client IP address shall be logged. | true/false | false |
Example: AuditFilter
[filter.AuditManager]
class=com.nexussafe.nano.filters.AuditFilter
#logger.name=${service}
handler.type=timerolling
handler.pattern=${var}/logs/%ty-%<tm-%<td/${service}.audit.log
audittimestamprequest=true
audittimestampresponse=true
audittimestampclientip=true
ClockFilter
This is a pre-processing filter.
This filter injects the clock into the context.
Parameter | Description | Possible values | Default value |
---|---|---|---|
clock.type | The type of clock to inject. | virtual, real | real |
clock.time | Applicable only if clock.type=virtual. The number of milliseconds past since the epoch (seconds since midnight 1 jan 1970). | Number | - |
Example: ClockFilter
[filter.RealClock]
class=com.nexussafe.nano.filters.ClockFilter
TransactionMonitorFilter
This is a pre-processing filter.
This filter injects the transaction identification into the context.
This filter takes no extra parameters.
Example:TransactionMonitorFIlter
[filter.TransactionMonitor]
class=com.nexussafe.nano.filters.TransactionMonitorFilter
timestamp.AccuracyFilter
This filter is optional.
Implements the type Accuracy as it is specified in the RFC3161 protocol, section 2.4.2.
The AccuracyFilter must be placed after the GeneralizedTimeFilter in the filter chain.
Parameter | Description | Possible values | Default value |
---|---|---|---|
seconds | Number of seconds. | Number | 0 |
milliseconds | Number of milliseconds between 1-999. | Number | 0 |
Example:timestamp.AccuracyFilter
[filter.Accuracy]
class=com.nexussafe.nano.filters.timestamp.AccuracyFilter
seconds=10
millis=45
timestamp.TimestampRespFilter
This filter is mandatory.
Creates the Timestamp response from a signed timestamp token.
This filter takes no extra parameters.
Example:timestamp.TimestampRespFilter
[filter.TimestampResponse]
class=com.nexussafe.nano.filters.timestamp.TimestampRespFilter
timestamp.GeneralizedTimeFilter
This filter is mandatory.
Add Generalized time to timestamp token as it is specified the RFC3161 protocol, section 2.4.2.
This filter takes no extra parameters.
Example:timestamp.GeneralizedTimeFilter
[filter.GeneralizedTime]
class=com.nexussafe.nano.filters.timestamp.GeneralizedTimeFilter
timestamp.MessageImprintFilter
This filter is mandatory.
Checks the MessageImprint from the timestamp request.
Parameter | Description | Possible values | Default value |
---|---|---|---|
digestalgorithm | The digest algorithm used to hash the message. | SHA-1, SHA-256, SHA-512 | SHA-256 |
Example: timestamp.MessageImprintFilter
[filter.MessageImprint]
digestalgorithm=SHA-256
class=com.nexussafe.nano.filters.timestamp.MessageImprintFilter
timestamp.NonceFilter
This filter is mandatory.
Copies the nonce, if exists in the timestamp request, to the timestamp response as it is specified the RFC3161 protocol, section 2.4.2.
This filter takes no extra parameters.
Example: timestamp.NonceFilter
[filter.Nonce]
class=com.nexussafe.nano.filters.timestamp.NonceFilter
timestamp.OrderingFilter
This filter is optional.
Add ordering to the timestamp response as it is specified the RFC3161 protocol, section 2.4.2.
Parameter | Description | Possible values | Default value |
---|---|---|---|
ordering | Ordering as defined in RFC3161. | true/false | false |
Example: timestamp.OrderingFilter
[filter.Ordering]
class=com.nexussafe.nano.filters.timestamp.OrderingFilter
ordering=true
timestamp.SerialnumberFilter
This filter is mandatory.
Adds a generated serial number in the Timestamp response as it is specified the RFC3161 protocol, section 2.4.2.
This filter takes no extra parameters.
Example: timestamp.SerialnumberFilter
[filter.Serialnumber]
class=com.nexussafe.nano.filters.timestamp.SerialnumberFilter
timestamp.timestamp.SetTSANameFilter
This filter is optional.
Add GeneralName to timestamp token as it is specified the RFC3161 protocol, section 2.4.2. This filter uses the Global Service Settings.
Parameter | Description | Possible values | Default value |
---|---|---|---|
usesubject | Used to decide if the Subject shall be used for GeneralName in the Timestamp. Only one of this and the following parameters shall be set at the same time or non of them. | true/false | false |
usesubjectaltname | Used to define the SubjectAltName to use for GeneralName in the Timestamp | 0=OtherName, 1=Rfc822Name, 2=DnsName, 3=X400Address, 4=DirectoryName, 5=EdiPartyName, 6=Uri, 7=IpAddress, 8=RegisteredId | -1, means that SubjectAltName is not used. |
tsaname | Used to define a static name as GeneralName in the Timestamp. | true/false | - |
Example: timestamp.SetTSANameFilter
[filter.SetTSAName]
class=com.nexussafe.nano.filters.timestamp.SetTSANameFilter
usesubject=true
#usesubjectaltname=-1
#tsaname=http://timestamping.nexusgroup.com/
timestamp.StorageFilter
This filter is optional and disabled by default.
Sets where to store the timestamp information. The information can be stored in a database per timestamp service or in the same database as other timestamp services.
Parameter | Description | Possible values | Default value |
---|---|---|---|
storage | Set this parameter if information shall be stored in the same database as other timestamp services. A value of "system" corresponds to use the same database as other timestamp services else this parameter shall not be set. | String | - |
storage.database.jdbcDriver | The JDBC driver class. | String | - |
storage.database.jdbcUrl | The JDBC URL or path to a file. | String | - |
storage.database.jdbcUser | The user accessing the database. | String | - |
storage.database.jdbcPassword | The users password. | String | - |
Example: timestamp.StorageFilter - Same database as other services
[filter.StoreTimestampResponse]
class=com.nexussafe.nano.filters.timestamp.StorageFilter
storage=system
Example: timestamp.StorageFilter - Own database for this service
# PostgreSQL settings
[filter.StoreTimestampResponse]
class=com.nexussafe.nano.filters.timestamp.StorageFilter
storage.database.jdbcDriver=org.postgresql.Driver
storage.database.jdbcUrl=jdbc:postgresql://localhost:5432/timestamp
storage.database.jdbcUser=postgres
storage.database.jdbcPassword=postgres
It is important to check the order of the filters. See an example when using an external database here: Filter chains used in Nexus Timestamp Server, section "Order of filters".
timestamp.TimestampTokenFilter/AcTimestampTokenFilter
This filter is mandatory.
Handles the signing of a timestamp token. This filter is responsible for signing the timestamp token. It needs a keystore with the TSA signing key. This filter uses the Global Service Settings.
Parameter | Description | Possible values | Default value |
---|---|---|---|
digest | The digest algorithm used to hash the signature. | SHA-1, SHA-256, SHA-512 | SHA-256 |
certIDHashAlgorithm | The hash algorithm used in the signer certificate to generate the identifier value. Uses ESSCertID according to RFC3161 as default. If specified, it will use ESSCertIDv2 according to RFC 5816. | SHA-1, SHA-256, SHA-512 and more (ESSCertIDv2). | SHA-1 (ESSCertID) |
Example: timestamp.TimestampTokenFilter
Corresponds to timestamp request
[filter.TimestampToken]
class=com.nexussafe.nano.filters.timestamp.TimestampTokenFilter
digest=SHA-256
certIDHashAlgorithm=SHA-256
Example: timestamp.AcTimestampTokenFilter
Corresponds to authenticode timestamp request
[filter.AcTimestampToken]
class=com.nexussafe.nano.filters.timestamp.AcTimestampTokenFilter
digest=SHA-256
certIDHashAlgorithm=SHA-1
timestamp.TSAPolicyFilter
This filter is mandatory.
Verifies the policy, as it is specified the RFC3161 protocol, section 2.4.2. Used when creating the Timestamp response.
Parameter | Description | Possible values | Default value |
---|---|---|---|
policy | Specifies the policy used to create a timestamp response. | String | - |
Example: timestamp.TSAPolicyFilter
[filter.TSAPolicy]
class=com.nexussafe.nano.filters.timestamp.TSAPolicyFilter
policy=1.2.3.4.5.6.7
timestamp.TSTInfoFilter
This filter is mandatory.
Create the timestamp token.
This filter takes no extra parameters.
Example: timestamp.TSTInfoFilter
[filter.TSTInfo]
class=com.nexussafe.nano.filters.timestamp.TSTInfoFilter
ntp.NTPFilter
This filter is optional.
Verifies local time against NTP servers and denies timestamps if local clock is out of sync. An NTP time is considered valid if the server replies within a specified time and if the the time passes the accuracy test (if enabled). The NTP filter will also forward its valid time results (see ntpMinValid) to the timestamp.AccuracyFilter.
Parameter | Description | Possible values | Default value |
---|---|---|---|
ntpUrl.<N> | The NTP servers' URLs to compare against. | String | - |
ntpMinValid | The minimum required NTP servers that has to pass in order for the timestamp to be considered valid. If set to 0, all NTP servers have to pass. | Number | 0 |
ntpUpdateFreq | Specifies the time, in seconds, how frequently the NTP server times should be updated. If set to 0, the NTP server times are updated on demand (not recommended). | Number | 30 |
ntpUpdateLog | Specifies which NTP server update status that should be logged during each update. | Mask (passed, failed, none) | passed | failed |
ntpAccuracy | The accuracy, in milliseconds, to compare the NTP times against during each update. If set to 0 this accuracy check is disabled. | Number | 1000 |
ntpTimeout | Specifies the time out, in milliseconds, of an NTP request. If a server times out, it will be marked as failed during that sequence update (invalid). | Number | 500 |
Example: ntp.NTPFilter
[filter.NTPTimeManager]
class=com.nexussafe.nano.filters.ntp.NTPFilter
ntpUrl.0=10.75.28.15
ntpUrl.1=10.75.28.16
ntpMinValid=2
ntpUpdateFreq=30
ntpUpdateLog=passed|failed
ntpAccuracy=1000
ntpTimeout=500
validation.CertificateVerificationFilter
This filter is optional.
Verifies a certificate towards a trusted store specified in the service.properties file. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.
Parameter | Description | Possible values | Default value |
---|---|---|---|
truststore | Path to the trusted store to verify towards. | Path | - |
addissuers | The issuers found in the store should be added to the context so that they are available for filters executing after the certificate verification filter. | true/false | false |
checktime | If set to false, disables the control of the certificate's validity time. | true/false | true |
Example: validation.CertificateVerificationFilter
[filter.CertificateVerifier]
class=com.nexussafe.nano.filters.validation.CertificateVerificationFilter
truststore=${ServiceDir}/certs
addissuers=true
checktime=true
validation.CrlValidationFilter
This filter is optional.
Validates a certificate using CRLs. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server. ISO 8601 is a format for the representation of dates and times and intervals.
Parameter | Description | Possible values | Default value |
---|---|---|---|
validator.cache | Name of the shared cache (defined in timestamp.properties). | Path | - |
validator.cache.directory | Where downloaded CRLs are stored. | Path | - |
validator.cache.truststore | Where trusted CRL issuers are stored. | Path | - |
validator.cache.maxAge | Defines the maximum age in seconds. A value of -1 corresponds to unlimited. | Number | -1 |
validator.cache.provider.<N>.type | Type of CRL provider. | pull | pull |
validator.cache.provider.<N>.period | The time the thread should wait until it tries to fetch a new CRL. | ISO 8601 time expression, period. | PT1H |
validator.cache.provider.<N>.margin | Specifies how long before "nextUpdate" to issue a new fetch. | ISO 8601 time expression, period. | PT3S |
validator.cache.provider.<N>.fetcher.<M>.url | URL to fetch CRL from, <M> is the sequence number of possible URLs for this thread. | URL, no URL encoding needed. | - |
Example: validation.CrlValidationFilter
[filter.CrlValidator]
class=com.nexussafe.nano.filters.validation.CrlValidationFilter
validator.cache.directory=${ServiceDir}/crls
validator.cache.truststore=${ServiceDir}/certs
validator.cache.provider.1.type=pull
validator.cache.provider.1.period=PT30M
validator.cache.provider.1.margin=PT2S
validation.SimpleOcspValidationFilter
This filter is optional.
Validates a certificate using OCSP. Similar to “validation.OCSPValidationFilter” but simpler in the sense that it provides no configuration options for validation. It will use the default values for each “ocsp“-parameter listed under “validation.OCSPValidationFilter”, except for “propagateResponse” which is forced to “true”.
This filter expects a user certificate to be sent through the chain. This requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.
Parameter | Description | Possible values | Default value |
---|---|---|---|
signer.password | The password for the key. | String | - |
signer.store | Path to p12 or jks. If a password is needed to decrypt a PKCS#12 file, it is passed after the filename, separated by a colon. | Path | - |
signer.store.pin | The PKCS#12 file password. | String | - |
signer.alias | The name of the key in the store. If there is only one key in the store, it can be omitted. | String | - |
truststore | Directory with trusted root certificates, or name of service wide or server wide shared trust store. | Path, String | - |
responder.< N>.url | Responder url for responder N in a list of responders. | URL | - |
Example: validation.SimpleOcspValidationFilter
[filter.SimpleOcspValidation]
class=com.nexussafe.nano.filters.validation.SimpleOcspValidationFilter
truststore=default store
signer.password=1234
signer.store=${ServiceDir}/keys/OCSP.p12
signer.store.pin=1234
ocsp.responder.1.url=http://localhost:8080/basic
validation.OCSPValidationFilter
This filter is optional.
Validates a certificate using OCSP. This filter expects a user certificate to be sent through the chain. Requires that you have TLSconnector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.
Parameter | Description | Possible values | Default value |
---|---|---|---|
ocsp.signRequest | Specifies if requests to the OCSP server should be signed. | true/false | true |
ocsp.allowTrustedSigners | If true, enables “direct trust”, where an OCSP responder certificate is trusted if it is present in the trust store. | true/false | false |
ocsp.allowCriticalExtensions | Specifies if OCSP responses with critical extensions should be accepted. | true/false | false |
ocsp.compareNonce | Specifies whether to compare the nonce from the OCSP request in the OCSP response or not. | true/false | true |
ocsp.responder.< N>.url | Responder URL for responder N in a list of responders. If URL has scheme https, the ocsp.ssl parameters need to be configured. | URL | - |
propagateResponse | Enables returning of the OCSP response to the application. | true/false | false |
ocsp.allowIndirectDelegation | Allows the responder certificate to be a delegate of a certificate in the trust store | true/false | false |
ocsp.allowResponderRevocationCheck | If a responder is not in the trust store, or does not have the extension ocsp-nocheck in its responder certificate, enable this to allow checking the responder’s certificate for revocation. | true/false | false |
ocsp.responsemaxage | Specifies the maximum interval in seconds that the “thisUpdate” attribute might differ from the system time. If set to-1 nocheck is performed. | Number, -1 | -1 |
ocsp.producedatskew | Specifies the maximum interval in seconds that the “producedAt” attribute timestamp is allowed to differ from system time. If set to -1 no check is performed. | Number, -1 | -1 |
ocsp.nextupdateskew | Specifies the maximum interval in seconds that the “nextUpdate” attribute might differ from the system time. | Number | 120 |
ocsp.dontCheckResponderRevocation | Do not check the responder’s certificate for revocation, assume it is ok. | true/false | false |
ocsp.useNonce | Use nonce in the OCSP revocation request. | true/false | true |
ocsp.signer.alias | The name of the key in the store; if there is only one key in the store, it can be left blank. | String | - |
ocsp.signer.password | The password for thekey. | String | - |
ocsp.signer.store | Path to p12 or jks. If a password is needed to decrypt a PKCS#12 file, it is passed after the filename separated by a colon. | Path | - |
ocsp.signer.store.pin | The PKCS#12 file password. | String | - |
ocsp.truststore | Name of service wide or server wide shared trust store. | String | - |
ocsp.doPost | If false, attempt to use HTTP GET. Uses POST anyway if the OCSP request is longer than 255 bytes. | true/false | true |
ocsp.useAIA | Determines whether to use authority access information (AIA) for validation if it is defined in the certificate. Otherwise uses only the OCSP validation list. | true/false | true |
ocsp.AIAFirst | Determines whether the request should be validated towards the AIA before the OCSP validation list. | true/false | true |
checkResponderExpiration | Determines whether to check if the signer certificate of the OCSP response from the responder has expired. | true/false | true |
ocsp.ssl.trust | Directory with trusted root certificates for the TLS handshake. | Path | - |
ocsp.ssl.keys | Path to PKCS#12 file which holds the client key and certificate chain for the TLS handshake. | Path | - |
ocsp.ssl.pin | The PKCS#12 file password. | String | - |
ocsp.verifyHostname | Toggle hostname verification in the TLS handshake. | true/false | true |
ocsp.socketTimeout | Determines the socket timeout value (seconds) for the connections. | Number | 10 |
ocsp.connectTimeout | Determines the timeout (seconds) until a new connection is fully established. | Number | 10 |
ocsp.validateAfterInactivity | Defines period of inactivity (seconds) after which persistent connections must be re-validated prior to being leased to the consumer. | Number | 10 |
ocsp.timeToLive | Defines the total span of time (seconds) connections can be kept alive or execute requests. | Number | 60 |
ocsp.maxTotalConnections | Defines the maximum number of connections that can be open simultaneously. | Number | 30 |
ocsp.maxTotalConnectionsPerRoute | Defines the maximum number of connections per route in the connection pool. | Number | 15 |
Example: validation.OCSPValidationFilter
[filter.OcspValidator]
class=com.nexussafe.nano.filters.validation.OcspValidationFilter
ocsp.truststore=default store
ocsp.compareNonce=true
ocsp.signRequest=true
ocsp.signer.password=1234
ocsp.signer.store=${ServiceDir}/keys/OCSP.p12
ocsp.signer.store.pin=1234
ocsp.responder.1.url=http://localhost:8080/basic
validation.RevocationValidationFilter
This filter is optional.
Validates certificates against revocation using OCSP, CRLs or a combination. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.
Parameter | Description | Possible values | Default value |
---|---|---|---|
validator.type | The validator type to use. first and roundrobin takes a list of validators to delegate to. | first, roundrobin, ocsp, crl | - |
validator.validator.<N>.type | If validator.type=first. Will try the validators in this list in order until a definite answer is received. If validator.type=roundrobin. Will query the validators in a round robin fashion. | ocsp, crl | - |
validator.validator.<N>.<param> | See the CrlValidationFilter or the ocsp parameter for the OcspValidationFilter (depending on type) for a specification of <param>s. | - | - |
Example: validation.RevocationValidationFilter
[filter.RevocationValidation]
class=com.nexussafe.nano.filters.validation.RevocationValidationFilter
validator.type=first
validator.validator.1.type=ocsp
validator.validator.1.signer.store=${ServiceDir}/keys/OCSP.p12
validator.validator.1.signer.store.pin=1234
validator.validator.1.signer.password=1234
validator.validator.1.responder.1.url=http://my.responder.com/...
validator.validator.1.truststore=default store
validator.validator.2.type=crl
validator.validator.2.cache.directory=${ServiceDir}/crls
validator.validator.2.cache.truststore=default store
validator.validator.2.cache.provider.1.type=pull
validator.validator.2.cache.provider.1.fetcher.1.url=ldap://...