[openssl-users] help with timestamping

Jakob Bohm jb-openssl at wisemo.com
Tue Apr 19 04:29:52 UTC 2016


On 19/04/2016 05:55, Alex Samad wrote:
> Hi
>
> I have a SHA.sha file
>
> /usr/bin/openssl ts -query -data SHA.sha -sha256 | /usr/bin/curl -s -H
> Content-Type:application/timestamp-query --data-binary @-
> http://sha256timestamp.ws.symantec.com/sha256/timestamp > SHA.sha.tsr
>
> /usr/bin/openssl ts -reply -in SHA.sha.tsr -text  > SHA.sha.ts.txt
>
>
> cat SHA.sha.ts.txt
> Status info:
> Status: Granted.
> Status description: unspecified
> Failure info: unspecified
>
> TST info:
> Version: 1
> Policy OID: 2.16.840.1.113733.1.7.23.3
> Hash Algorithm: sha256
> Message data:
>      0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[.......WE.i.
>      0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.....U%..W7>\..
> Serial number: 0x570B9C3A11CA318E2478D3680C0FEFD9238E06AB
> Time stamp: Apr 19 03:52:25 2016 GMT
> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
> Ordering: no
> Nonce: 0x580E59D87F396B25
> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust
> Network/CN=Symantec SHA256 TimeStamping Signer - G1
> Extensions:
>
>
> But when I go to verify it
>
>   openssl ts -verify -data SHA.sha -in SHA.sha.tsr
> Verification: FAILED
> 140569777235784:error:2107C080:PKCS7
> routines:PKCS7_get0_signers:signer certificate not
> found:pk7_smime.c:476:
>
> is this because I didn't provide a cert to sign it with ?
No, it is because it cannot find the certificate that Symantec
used to sign the response, specifically the certificate with
Subject name "/C=US/O=Symantec Corporation/OU=Symantec Trust
Network/CN=Symantec SHA256 TimeStamping Signer - G1".

I am kind of disappointed in how little detail is included in
the output from ts -reply -text, I expected it to output all
the fields, similar to what other openssl commands do when
passed the -text option.

So I guess the next step would be to dump SHA.sha.tsr using
Peter Gutmann's dumpasn1.c program, something like

openssl base64 -d -in SHA.sha.tsr -out SHA.sha.tsr.bin
dumpasn1 -v SHA.sha.tsr.bin


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



More information about the openssl-users mailing list