Description of filters in Nexus Timestamp Server

This article includes updates for Nexus Timestamp Server 2.3.0.

This article describes all filters that can be used in a timestamp service in Nexus Timestamp Server. A filter can be in either filters.properties (for global timestamp service settings) or service.properties (defined for each timestamp service), but a good rule is that any filter with its own defined parameters should be in the service.properties because of bigger flexibility when using more than one timestamp service.

Except where otherwise noted, the filters are defined in or under the package "com.nexussafe.nano.filters".

AuditFilter

This is a pre-processing filter.

These parameters define the audit log.

Parameter	Description	Possible values	Default value
logger.name	A unique name used for this logger.	String	${service}
handler.type	Optional. A logging handler type.	timerolling	-
handler.pattern	Optional. A log file name pattern. Can be used to introduce per timestamp service audit logging.	String	-
audittimestamprequest	Optional. Set to true if the timestamp request shall be logged.	true/false	false
audittimestampresponse	Optional. Set to true if the timestamp response shall be logged.	true/false	false
audittimestampclientip	Optional. Set to true if the client IP address shall be logged.	true/false	false

Example: AuditFilter

CODE

[filter.AuditManager]
class=com.nexussafe.nano.filters.AuditFilter
#logger.name=${service}
handler.type=timerolling
handler.pattern=${var}/logs/%ty-%<tm-%<td/${service}.audit.log
audittimestamprequest=true
audittimestampresponse=true
audittimestampclientip=true

ClockFilter

This is a pre-processing filter.

This filter injects the clock into the context.

Parameter	Description	Possible values	Default value
clock.type	The type of clock to inject.	virtual, real	real
clock.time	Applicable only if clock.type=virtual. The number of milliseconds past since the epoch (seconds since midnight 1 jan 1970).	Number	-

Example: ClockFilter

CODE

[filter.RealClock]
class=com.nexussafe.nano.filters.ClockFilter

TransactionMonitorFilter

This is a pre-processing filter.

This filter injects the transaction identification into the context.

This filter takes no extra parameters.

Example:TransactionMonitorFIlter

CODE

[filter.TransactionMonitor]
class=com.nexussafe.nano.filters.TransactionMonitorFilter

timestamp.AccuracyFilter

This filter is optional.

Implements the type Accuracy as it is specified in the RFC3161 protocol, section 2.4.2.

The AccuracyFilter must be placed after the GeneralizedTimeFilter in the filter chain.

Parameter

Description

Possible values

Default value

seconds

Number of seconds.

Number

0

milliseconds

Number of milliseconds between 1-999.

Number

0

Example:timestamp.AccuracyFilter

CODE

[filter.Accuracy]
class=com.nexussafe.nano.filters.timestamp.AccuracyFilter
seconds=10
millis=45

timestamp.TimestampRespFilter

This filter is mandatory.

Creates the Timestamp response from a signed timestamp token.

This filter takes no extra parameters.

Example:timestamp.TimestampRespFilter

CODE

[filter.TimestampResponse]
class=com.nexussafe.nano.filters.timestamp.TimestampRespFilter

timestamp.GeneralizedTimeFilter

This filter is mandatory.

Add Generalized time to timestamp token as it is specified the RFC3161 protocol, section 2.4.2.

This filter takes no extra parameters.

Example:timestamp.GeneralizedTimeFilter

CODE

[filter.GeneralizedTime]
class=com.nexussafe.nano.filters.timestamp.GeneralizedTimeFilter

timestamp.MessageImprintFilter

This filter is mandatory.

Checks the MessageImprint from the timestamp request.

Parameter	Description	Possible values	Default value
digestalgorithm	The digest algorithm used to hash the message.	SHA-1, SHA-256, SHA-512	SHA-256

Example: timestamp.MessageImprintFilter

CODE

[filter.MessageImprint]
digestalgorithm=SHA-256
class=com.nexussafe.nano.filters.timestamp.MessageImprintFilter

timestamp.NonceFilter

This filter is mandatory.

Copies the nonce, if exists in the timestamp request, to the timestamp response as it is specified the RFC3161 protocol, section 2.4.2.

This filter takes no extra parameters.

Example: timestamp.NonceFilter

CODE

[filter.Nonce]
class=com.nexussafe.nano.filters.timestamp.NonceFilter

timestamp.OrderingFilter

This filter is optional.

Add ordering to the timestamp response as it is specified the RFC3161 protocol, section 2.4.2.

Parameter	Description	Possible values	Default value
ordering	Ordering as defined in RFC3161.	true/false	false

Example: timestamp.OrderingFilter

CODE

[filter.Ordering]
class=com.nexussafe.nano.filters.timestamp.OrderingFilter
ordering=true

timestamp.SerialnumberFilter

This filter is mandatory.

Adds a generated serial number in the Timestamp response as it is specified the RFC3161 protocol, section 2.4.2.

This filter takes no extra parameters.

Example: timestamp.SerialnumberFilter

CODE

[filter.Serialnumber]
class=com.nexussafe.nano.filters.timestamp.SerialnumberFilter

timestamp.timestamp.SetTSANameFilter

This filter is optional.

Add GeneralName to timestamp token as it is specified the RFC3161 protocol, section 2.4.2. This filter uses the Global Service Settings.

Parameter

Description

Possible values

Default value

usesubject

Used to decide if the Subject shall be used for GeneralName in the Timestamp. Only one of this and the following parameters shall be set at the same time or non of them.

true/false

false

usesubjectaltname

Used to define the SubjectAltName to use for GeneralName in the Timestamp

0=OtherName,

1=Rfc822Name,

2=DnsName,

3=X400Address,

4=DirectoryName,

5=EdiPartyName,

6=Uri,

7=IpAddress,

8=RegisteredId

-1, means that SubjectAltName is not used.

tsaname

Used to define a static name as GeneralName in the Timestamp.

true/false

-

Example: timestamp.SetTSANameFilter

CODE

[filter.SetTSAName]
class=com.nexussafe.nano.filters.timestamp.SetTSANameFilter
usesubject=true
#usesubjectaltname=-1
#tsaname=http://timestamping.nexusgroup.com/

timestamp.StorageFilter

This filter is optional and disabled by default.

Sets where to store the timestamp information. The information can be stored in a database per timestamp service or in the same database as other timestamp services.

Parameter	Description	Possible values	Default value
storage	Set this parameter if information shall be stored in the same database as other timestamp services. A value of "system" corresponds to use the same database as other timestamp services else this parameter shall not be set.	String	-
storage.database.jdbcDriver	The JDBC driver class.	String	-
storage.database.jdbcUrl	The JDBC URL or path to a file.	String	-
storage.database.jdbcUser	The user accessing the database.	String	-
storage.database.jdbcPassword	The users password.	String	-

Example: timestamp.StorageFilter - Same database as other services

CODE

[filter.StoreTimestampResponse]
class=com.nexussafe.nano.filters.timestamp.StorageFilter
storage=system

Example: timestamp.StorageFilter - Own database for this service

CODE

# PostgreSQL settings
[filter.StoreTimestampResponse]
class=com.nexussafe.nano.filters.timestamp.StorageFilter
storage.database.jdbcDriver=org.postgresql.Driver
storage.database.jdbcUrl=jdbc:postgresql://localhost:5432/timestamp
storage.database.jdbcUser=postgres
storage.database.jdbcPassword=postgres

It is important to check the order of the filters. See an example when using an external database here: Filter chains used in Nexus Timestamp Server, section "Order of filters".

timestamp.TimestampTokenFilter/AcTimestampTokenFilter

This filter is mandatory.

Handles the signing of a timestamp token. This filter is responsible for signing the timestamp token. It needs a keystore with the TSA signing key. This filter uses the Global Service Settings.

Parameter	Description	Possible values	Default value
digest	The digest algorithm used to hash the signature.	SHA-1, SHA-256, SHA-512	SHA-256
certIDHashAlgorithm	The hash algorithm used in the signer certificate to generate the identifier value. Uses ESSCertID according to RFC3161 as default. If specified, it will use ESSCertIDv2 according to RFC 5816.	SHA-1, SHA-256, SHA-512 and more (ESSCertIDv2).	SHA-1 (ESSCertID)

Example: timestamp.TimestampTokenFilter

Corresponds to timestamp request

CODE

[filter.TimestampToken]
class=com.nexussafe.nano.filters.timestamp.TimestampTokenFilter
digest=SHA-256
certIDHashAlgorithm=SHA-256

Example: timestamp.AcTimestampTokenFilter

Corresponds to authenticode timestamp request

CODE

[filter.AcTimestampToken]
class=com.nexussafe.nano.filters.timestamp.AcTimestampTokenFilter
digest=SHA-256
certIDHashAlgorithm=SHA-1

timestamp.TSAPolicyFilter

This filter is mandatory.

Verifies the policy, as it is specified the RFC3161 protocol, section 2.4.2. Used when creating the Timestamp response.

Parameter	Description	Possible values	Default value
policy	Specifies the policy used to create a timestamp response.	String	-

Example: timestamp.TSAPolicyFilter

CODE

[filter.TSAPolicy]
class=com.nexussafe.nano.filters.timestamp.TSAPolicyFilter
policy=1.2.3.4.5.6.7

timestamp.TSTInfoFilter

This filter is mandatory.

Create the timestamp token.

This filter takes no extra parameters.

Example: timestamp.TSTInfoFilter

CODE

[filter.TSTInfo]
class=com.nexussafe.nano.filters.timestamp.TSTInfoFilter

ntp.NTPFilter

This filter is optional.

Verifies local time against NTP servers and denies timestamps if local clock is out of sync. An NTP time is considered valid if the server replies within a specified time and if the the time passes the accuracy test (if enabled). The NTP filter will also forward its valid time results (see ntpMinValid) to the timestamp.AccuracyFilter.

Parameter	Description	Possible values	Default value
ntpUrl.<N>	The NTP servers' URLs to compare against.	String	-
ntpMinValid	The minimum required NTP servers that has to pass in order for the timestamp to be considered valid. If set to 0, all NTP servers have to pass.	Number	0
ntpUpdateFreq	Specifies the time, in seconds, how frequently the NTP server times should be updated. If set to 0, the NTP server times are updated on demand (not recommended).	Number	30
ntpUpdateLog	Specifies which NTP server update status that should be logged during each update.	Mask (passed, failed, none)	passed \| failed
ntpAccuracy	The accuracy, in milliseconds, to compare the NTP times against during each update. If set to 0 this accuracy check is disabled.	Number	1000
ntpTimeout	Specifies the time out, in milliseconds, of an NTP request. If a server times out, it will be marked as failed during that sequence update (invalid).	Number	500

Example: ntp.NTPFilter

CODE

[filter.NTPTimeManager]
class=com.nexussafe.nano.filters.ntp.NTPFilter
ntpUrl.0=10.75.28.15
ntpUrl.1=10.75.28.16
ntpMinValid=2
ntpUpdateFreq=30
ntpUpdateLog=passed|failed
ntpAccuracy=1000
ntpTimeout=500

validation.CertificateVerificationFilter

This filter is optional.

Verifies a certificate towards a trusted store specified in the service.properties file. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter	Description	Possible values	Default value
truststore	Path to the trusted store to verify towards.	Path	-
addissuers	The issuers found in the store should be added to the context so that they are available for filters executing after the certificate verification filter.	true/false	false
checktime	If set to false, disables the control of the certificate's validity time.	true/false	true

Example: validation.CertificateVerificationFilter

CODE

[filter.CertificateVerifier]
class=com.nexussafe.nano.filters.validation.CertificateVerificationFilter
truststore=${ServiceDir}/certs
addissuers=true
checktime=true

validation.CrlValidationFilter

This filter is optional.

Validates a certificate using CRLs. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server. ISO 8601 is a format for the representation of dates and times and intervals.

Parameter	Description	Possible values	Default value
validator.cache	Name of the shared cache (defined in timestamp.properties).	Path	-
validator.cache.directory	Where downloaded CRLs are stored.	Path	-
validator.cache.truststore	Where trusted CRL issuers are stored.	Path	-
validator.cache.maxAge	Defines the maximum age in seconds. A value of -1 corresponds to unlimited.	Number	-1
validator.cache.provider.<N>.type	Type of CRL provider.	pull	pull
validator.cache.provider.<N>.period	The time the thread should wait until it tries to fetch a new CRL.	ISO 8601 time expression, period.	PT1H
validator.cache.provider.<N>.margin	Specifies how long before "nextUpdate" to issue a new fetch.	ISO 8601 time expression, period.	PT3S
validator.cache.provider.<N>.fetcher.<M>.url	URL to fetch CRL from, <M> is the sequence number of possible URLs for this thread.	URL, no URL encoding needed.	-

Example: validation.CrlValidationFilter

CODE

[filter.CrlValidator]
class=com.nexussafe.nano.filters.validation.CrlValidationFilter
validator.cache.directory=${ServiceDir}/crls
validator.cache.truststore=${ServiceDir}/certs
validator.cache.provider.1.type=pull
validator.cache.provider.1.period=PT30M
validator.cache.provider.1.margin=PT2S

validation.SimpleOcspValidationFilter

This filter is optional.

Validates a certificate using OCSP. Similar to “validation.OCSPValidationFilter” but simpler in the sense that it provides no configuration options for validation. It will use the default values for each “ocsp“-parameter listed under “validation.OCSPValidationFilter”, except for “propagateResponse” which is forced to “true”.

This filter expects a user certificate to be sent through the chain. This requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter	Description	Possible values	Default value
signer.password	The password for the key.	String	-
signer.store	Path to p12 or jks. If a password is needed to decrypt a PKCS#12 file, it is passed after the filename, separated by a colon.	Path	-
signer.store.pin	The PKCS#12 file password.	String	-
signer.alias	The name of the key in the store. If there is only one key in the store, it can be omitted.	String	-
truststore	Directory with trusted root certificates, or name of service wide or server wide shared trust store.	Path, String	-
responder.< N>.url	Responder url for responder N in a list of responders.	URL	-

Example: validation.SimpleOcspValidationFilter

CODE

[filter.SimpleOcspValidation]
class=com.nexussafe.nano.filters.validation.SimpleOcspValidationFilter
truststore=default store
signer.password=1234
signer.store=${ServiceDir}/keys/OCSP.p12
signer.store.pin=1234
ocsp.responder.1.url=http://localhost:8080/basic

validation.OCSPValidationFilter

This filter is optional.

Validates a certificate using OCSP. This filter expects a user certificate to be sent through the chain. Requires that you have TLSconnector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter	Description	Possible values	Default value
ocsp.signRequest	Specifies if requests to the OCSP server should be signed.	true/false	true
ocsp.allowTrustedSigners	If true, enables “direct trust”, where an OCSP responder certificate is trusted if it is present in the trust store.	true/false	false
ocsp.allowCriticalExtensions	Specifies if OCSP responses with critical extensions should be accepted.	true/false	false
ocsp.compareNonce	Specifies whether to compare the nonce from the OCSP request in the OCSP response or not.	true/false	true
ocsp.responder.< N>.url	Responder URL for responder N in a list of responders. If URL has scheme https, the ocsp.ssl parameters need to be configured.	URL	-
propagateResponse	Enables returning of the OCSP response to the application.	true/false	false
ocsp.allowIndirectDelegation	Allows the responder certificate to be a delegate of a certificate in the trust store	true/false	false
ocsp.allowResponderRevocationCheck	If a responder is not in the trust store, or does not have the extension ocsp-nocheck in its responder certificate, enable this to allow checking the responder’s certificate for revocation.	true/false	false
ocsp.responsemaxage	Specifies the maximum interval in seconds that the “thisUpdate” attribute might differ from the system time. If set to-1 nocheck is performed.	Number, -1	-1
ocsp.producedatskew	Specifies the maximum interval in seconds that the “producedAt” attribute timestamp is allowed to differ from system time. If set to -1 no check is performed.	Number, -1	-1
ocsp.nextupdateskew	Specifies the maximum interval in seconds that the “nextUpdate” attribute might differ from the system time.	Number	120
ocsp.dontCheckResponderRevocation	Do not check the responder’s certificate for revocation, assume it is ok.	true/false	false
ocsp.useNonce	Use nonce in the OCSP revocation request.	true/false	true
ocsp.signer.alias	The name of the key in the store; if there is only one key in the store, it can be left blank.	String	-
ocsp.signer.password	The password for thekey.	String	-
ocsp.signer.store	Path to p12 or jks. If a password is needed to decrypt a PKCS#12 file, it is passed after the filename separated by a colon.	Path	-
ocsp.signer.store.pin	The PKCS#12 file password.	String	-
ocsp.truststore	Name of service wide or server wide shared trust store.	String	-
ocsp.doPost	If false, attempt to use HTTP GET. Uses POST anyway if the OCSP request is longer than 255 bytes.	true/false	true
ocsp.useAIA	Determines whether to use authority access information (AIA) for validation if it is defined in the certificate. Otherwise uses only the OCSP validation list.	true/false	true
ocsp.AIAFirst	Determines whether the request should be validated towards the AIA before the OCSP validation list.	true/false	true
checkResponderExpiration	Determines whether to check if the signer certificate of the OCSP response from the responder has expired.	true/false	true
ocsp.ssl.trust	Directory with trusted root certificates for the TLS handshake.	Path	-
ocsp.ssl.keys	Path to PKCS#12 file which holds the client key and certificate chain for the TLS handshake.	Path	-
ocsp.ssl.pin	The PKCS#12 file password.	String	-
ocsp.verifyHostname	Toggle hostname verification in the TLS handshake.	true/false	true
ocsp.socketTimeout	Determines the socket timeout value (seconds) for the connections.	Number	10
ocsp.connectTimeout	Determines the timeout (seconds) until a new connection is fully established.	Number	10
ocsp.validateAfterInactivity	Defines period of inactivity (seconds) after which persistent connections must be re-validated prior to being leased to the consumer.	Number	10
ocsp.timeToLive	Defines the total span of time (seconds) connections can be kept alive or execute requests.	Number	60
ocsp.maxTotalConnections	Defines the maximum number of connections that can be open simultaneously.	Number	30
ocsp.maxTotalConnectionsPerRoute	Defines the maximum number of connections per route in the connection pool.	Number	15

Example: validation.OCSPValidationFilter

CODE

[filter.OcspValidator]
class=com.nexussafe.nano.filters.validation.OcspValidationFilter
ocsp.truststore=default store
ocsp.compareNonce=true
ocsp.signRequest=true
ocsp.signer.password=1234
ocsp.signer.store=${ServiceDir}/keys/OCSP.p12
ocsp.signer.store.pin=1234
ocsp.responder.1.url=http://localhost:8080/basic

validation.RevocationValidationFilter

This filter is optional.

Validates certificates against revocation using OCSP, CRLs or a combination. This filter expects a user certificate to be sent through the chain. Requires that you have TLS connector with client authentication enabled, see heading "Define TLS connector to manage client authentication" in Define connectors in Nexus Timestamp Server.

Parameter	Description	Possible values	Default value
validator.type	The validator type to use. first and roundrobin takes a list of validators to delegate to.	first, roundrobin, ocsp, crl	-
validator.validator.<N>.type	If validator.type=first. Will try the validators in this list in order until a definite answer is received. If validator.type=roundrobin. Will query the validators in a round robin fashion.	ocsp, crl	-
validator.validator.<N>.<param>	See the CrlValidationFilter or the ocsp parameter for the OcspValidationFilter (depending on type) for a specification of <param>s.	-	-

Example: validation.RevocationValidationFilter

CODE

[filter.RevocationValidation]
class=com.nexussafe.nano.filters.validation.RevocationValidationFilter
validator.type=first
validator.validator.1.type=ocsp
validator.validator.1.signer.store=${ServiceDir}/keys/OCSP.p12
validator.validator.1.signer.store.pin=1234
validator.validator.1.signer.password=1234
validator.validator.1.responder.1.url=http://my.responder.com/...
validator.validator.1.truststore=default store
validator.validator.2.type=crl
validator.validator.2.cache.directory=${ServiceDir}/crls
validator.validator.2.cache.truststore=default store
validator.validator.2.cache.provider.1.type=pull
validator.validator.2.cache.provider.1.fetcher.1.url=ldap://...