This is a an implementation of NTS in Python 3.
This code is based on Daniel Franke's hackathon code which implemented parts of the NTS protocol: "Quick and dirty implementation of Network Time Security for the IETF 101 hackathon" which are in the Public domain.
Christer Weinigel email@example.com made some fixes to the implementation and added a NTSKE server, a NTS/UDP server and a NTS/UDP client.
Debian 10 or Ubuntu 18.04. Debian 9 and Ubuntu 16.04 do not work due to the openssl libraries being too old.
Install the following packages:
apt-get install git gcc binutils cmake libssl-dev python3-cffi
The NTS server and client need a modified version of Python 3 to work. The reason for this is that the NTS protocol uses the key exporter functions of OpenSSL and those are not supported in the stock OpenSSL wrapper in Python 3.
Install some pacages needed to build Python 3:
apt-get install git build-essential cmake pkg-config libssl-dev libffi-dev libz-dev wget
Clone the modified Python 3 repository:
git clone -b export_keying_material-3.7.4 https://github.com/Netnod/cpython.git
LDFLAGS=-Wl,-rpath,$PREFIX/lib ./configure --prefix=/opt/python-nts
mkdir -p /opt/python-nts/ssl
ln -sf /etc/ssl/ca-certificates.crt /opt/python-nts/ssl/cert.pem
ln -sf /etc/ssl/certs /opt/python-nts/ssl/certs
/opt/python-nts/bin/python3 -m pip install cffi
Clone the repository:
git clone --recursive https://github.com/Netnod/nts-poc-python.git
Testing the Python implementation
I've tested this implementation on Ubuntu 18.04. The scripts require Python 3.6, even though they are written to be compatible with Python 2.7. I haven't figured out why Python 2.7 doesn't work yet.
Warning: don't remove the assert sys.version_info == 3 from the files. It might seem like it's working, but the SSL.Connection will return corrupt data with some NTS servers.
Change directory to the top of the nts-poc-python tree:
cd nts-poc-python ./build.sh
To start the NTSKE server, open a terminal and run:
The server uses server.ini for its configuration. The default is for the NTSKE server to listen on TCP port 4446. The master keys are stored in the directory "server_keys". If no master key exists, the NTSKE server will create a new master key.
To start the NTP/UDP server, open a terminal and run:
The server uses the file "server.ini" for its configuration. The default is for the NTSKE server to listen on TCP port 4123.
Run the NTSKE client to talk to the NTSKE server and save the results to the file "client.ini" and not perform certicate verification (-v).
/opt/python-nts/bin/python3 ntske_client.py -v localhost 4446
Run the NTS client to talk to the NTS server and get a timestamped packet back.
If you want to talk to a different NTS server than the one specified in client.ini you can specify the NTS server on the command line:
python ntsts_client.py host port
If you want to rotate the master key, run server_helper.py:
This will create a new key in the server_keys directory which will be read by ntske-server.py or nts-server.py on the next request.