[openssl-users] help with timestamping

Jakob Bohm jb-openssl at wisemo.com
Wed Apr 27 04:53:34 UTC 2016


OK, it looks like this signing service is (quite unusually)
not providing the certificate in its message, which is quite
unusual.

All it provides is some information /about/ that certificate,
specifically it provides the following info:

The certificate was issued to C=US, O=Symantec Corporation,
OU=Symantec Trust Network,
CN=Symantec SHA256 TimeStamping Signer - G1

The certificate was issued by C=US, O=Symantec Corporation,
OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping CA

The certificate serial number (in hex) is
54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74 B2 8B 13

The certificate fingerprint (SHA-256) is
82 D5 56 DB DB 5D AD 5F A0 7B B6 07 26 A6 D8 6E
73 0B 5B B7 29 88 5B B6 DE 4F F2 75 29 02 2C FC

Someone with knowledge of the Symantec/Verisign/Thawte/GeoTrust/
TrustCenter repository web site may be able to use this
information to download the missing certificates, but there
is no information in this file that would allow a computer
to do this.

I wonder if changing some parameter in the timestamp request
would cause the Symantec server to return a more complete
timestamp token.

Or maybe something else is failing.


On 23/04/2016 00:54, Alex Samad wrote:
> Here is a dump.
>
> I can see the CN - but I could see that before.
>
> There is also an RSA - maybe a signature or maybe it is the public key for the cert.
>
> I would expect to see some signed data (sha + symantec cert + time)
> and also the public cert (and maybe the intermediaries..)
>
>
>      <30 82 03 AB>
>    0 939: SEQUENCE {
>      <30 03>
>    4   3:   SEQUENCE {
>      <02 01>
>    6   1:     INTEGER 0
>         :     }
>      <30 82 03 A2>
>    9 930:   SEQUENCE {
>      <06 09>
>   13   9:     OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
>         :       (PKCS #7)
>      <A0 82 03 93>
>   24 915:     [0] {
>      <30 82 03 8F>
>   28 911:       SEQUENCE {
>      <02 01>
>   32   1:         INTEGER 3
>      <31 0D>
>   35  13:         SET {
>      <30 0B>
>   37  11:           SEQUENCE {
>      <06 09>
>   39   9:             OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
>         :               (NIST Algorithm)
>         :             }
>         :           }
>      <30 82 01 1B>
>   50 283:         SEQUENCE {
>      <06 0B>
>   54  11:           OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
>         :             (S/MIME Content Types)
>      <A0 82 01 0A>
>   67 266:           [0] {
>      <04 82 01 06>
>   71 262:             OCTET STRING, encapsulates {
>      <30 82 01 02>
>   75 258:               SEQUENCE {
>      <02 01>
>   79   1:                 INTEGER 1
>      <06 0B>
>   82  11:                 OBJECT IDENTIFIER '2 16 840 1 113733 1 7 23 3'
>      <30 31>
>   95  49:                 SEQUENCE {
>      <30 0D>
>   97  13:                   SEQUENCE {
>      <06 09>
>   99   9:                     OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
>         :                       (NIST Algorithm)
>      <05 00>
> 110   0:                     NULL
>         :                     }
>      <04 20>
> 112  32:                   OCTET STRING
>         :                     8C 6D 95 5B E0 CD 8B C9    .m.[....
>         :                     DF 8C AB 57 45 C4 69 E6    ...WE.i.
>         :                     7A B9 CE CB 14 8F 55 25    z.....U%
>         :                     91 2E 57 37 3E 5C B8 D5
>         :                   }
>      <02 14>
> 146  20:                 INTEGER
>         :                   57 0B 9C 3A 11 CA 31 8E    W..:..1.
>         :                   24 78 D3 68 0C 0F EF D9    $x.h....
>         :                   23 8E 06 AB                #...
>      <18 0F>
> 168  15:                 GeneralizedTime 19/04/2016 03:52:25 GMT
>      <30 03>
> 185   3:                 SEQUENCE {
>      <02 01>
> 187   1:                   INTEGER 30
>         :                   }
>      <02 08>
> 190   8:                 INTEGER 58 0E 59 D8 7F 39 6B 25
>      <A0 81 86>
> 200 134:                 [0] {
>      <A4 81 83>
> 203 131:                   [4] {
>      <30 81 80>
> 206 128:                     SEQUENCE {
>      <31 0B>
> 209  11:                       SET {
>      <30 09>
> 211   9:                         SEQUENCE {
>      <06 03>
> 213   3:                           OBJECT IDENTIFIER countryName (2 5 4 6)
>         :                             (X.520 DN component)
>      <13 02>
> 218   2:                           PrintableString 'US'
>         :                           }
>         :                         }
>      <31 1D>
> 222  29:                       SET {
>      <30 1B>
> 224  27:                         SEQUENCE {
>      <06 03>
> 226   3:                           OBJECT IDENTIFIER organizationName (2 5 4 10)
>         :                             (X.520 DN component)
>      <13 14>
> 231  20:                           PrintableString 'Symantec Corporation'
>         :                           }
>         :                         }
>      <31 1F>
> 253  31:                       SET {
>      <30 1D>
> 255  29:                         SEQUENCE {
>      <06 03>
> 257   3:                           OBJECT IDENTIFIER
>         :                             organizationalUnitName (2 5 4 11)
>         :                             (X.520 DN component)
>      <13 16>
> 262  22:                           PrintableString 'Symantec Trust Network'
>         :                           }
>         :                         }
>      <31 31>
> 286  49:                       SET {
>      <30 2F>
> 288  47:                         SEQUENCE {
>      <06 03>
> 290   3:                           OBJECT IDENTIFIER commonName (2 5 4 3)
>         :                             (X.520 DN component)
>      <13 28>
> 295  40:                           PrintableString 'Symantec SHA256 TimeStamping Signer - G1'
>         :                           }
>         :                         }
>         :                       }
>         :                     }
>         :                   }
>         :                 }
>         :               }
>         :             }
>         :           }
>      <31 82 02 5A>
> 337 602:         SET {
>      <30 82 02 56>
> 341 598:           SEQUENCE {
>      <02 01>
> 345   1:             INTEGER 1
>      <30 81 8B>
> 348 139:             SEQUENCE {
>      <30 77>
> 351 119:               SEQUENCE {
>      <31 0B>
> 353  11:                 SET {
>      <30 09>
> 355   9:                   SEQUENCE {
>      <06 03>
> 357   3:                     OBJECT IDENTIFIER countryName (2 5 4 6)
>         :                       (X.520 DN component)
>      <13 02>
> 362   2:                     PrintableString 'US'
>         :                     }
>         :                   }
>      <31 1D>
> 366  29:                 SET {
>      <30 1B>
> 368  27:                   SEQUENCE {
>      <06 03>
> 370   3:                     OBJECT IDENTIFIER organizationName (2 5 4 10)
>         :                       (X.520 DN component)
>      <13 14>
> 375  20:                     PrintableString 'Symantec Corporation'
>         :                     }
>         :                   }
>      <31 1F>
> 397  31:                 SET {
>      <30 1D>
> 399  29:                   SEQUENCE {
>      <06 03>
> 401   3:                     OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
>         :                       (X.520 DN component)
>      <13 16>
> 406  22:                     PrintableString 'Symantec Trust Network'
>         :                     }
>         :                   }
>      <31 28>
> 430  40:                 SET {
>      <30 26>
> 432  38:                   SEQUENCE {
>      <06 03>
> 434   3:                     OBJECT IDENTIFIER commonName (2 5 4 3)
>         :                       (X.520 DN component)
>      <13 1F>
> 439  31:                     PrintableString 'Symantec SHA256 TimeStamping CA'
>         :                     }
>         :                   }
>         :                 }
>      <02 10>
> 472  16:               INTEGER 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74 B2 8B 13
>         :               }
>      <30 0B>
> 490  11:             SEQUENCE {
>      <06 09>
> 492   9:               OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
>         :                 (NIST Algorithm)
>         :               }
>      <A0 81 A4>
> 503 164:             [0] {
>      <30 1A>
> 506  26:               SEQUENCE {
>      <06 09>
> 508   9:                 OBJECT IDENTIFIER contentType (1 2 840 113549 1 9 3)
>         :                   (PKCS #9)
>      <31 0D>
> 519  13:                 SET {
>      <06 0B>
> 521  11:                   OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
>         :                     (S/MIME Content Types)
>         :                   }
>         :                 }
>      <30 1C>
> 534  28:               SEQUENCE {
>      <06 09>
> 536   9:                 OBJECT IDENTIFIER signingTime (1 2 840 113549 1 9 5)
>         :                   (PKCS #9)
>      <31 0F>
> 547  15:                 SET {
>      <17 0D>
> 549  13:                   UTCTime 19/04/2016 03:52:25 GMT
>         :                   }
>         :                 }
>      <30 2F>
> 564  47:               SEQUENCE {
>      <06 09>
> 566   9:                 OBJECT IDENTIFIER messageDigest (1 2 840 113549 1 9 4)
>         :                   (PKCS #9)
>      <31 22>
> 577  34:                 SET {
>      <04 20>
> 579  32:                   OCTET STRING
>         :                     98 1B CF E1 5D 96 79 D6    ....].y.
>         :                     47 53 3E 27 A1 0C 57 4E    GS>'..WN
>         :                     62 48 8E 43 F8 B5 17 D4    bH.C....
>         :                     1C 8F 9A 86 ED D7 A6 B4
>         :                   }
>         :                 }
>      <30 37>
> 613  55:               SEQUENCE {
>      <06 0B>
> 615  11:                 OBJECT IDENTIFIER
>         :                   signingCertificateV2 (1 2 840 113549 1 9 16 2 47)
>         :                   (S/MIME Authenticated Attributes)
>      <31 28>
> 628  40:                 SET {
>      <30 26>
> 630  38:                   SEQUENCE {
>      <30 24>
> 632  36:                     SEQUENCE {
>      <30 22>
> 634  34:                       SEQUENCE {
>      <04 20>
> 636  32:                         OCTET STRING
>         :                           82 D5 56 DB DB 5D AD 5F    ..V..]._
>         :                           A0 7B B6 07 26 A6 D8 6E    .{..&..n
>         :                           73 0B 5B B7 29 88 5B B6    s.[.).[.
>         :                           DE 4F F2 75 29 02 2C FC
>         :                         }
>         :                       }
>         :                     }
>         :                   }
>         :                 }
>         :               }
>      <30 0B>
> 670  11:             SEQUENCE {
>      <06 09>
> 672   9:               OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
>         :                 (PKCS #1)
>         :               }
>      <04 82 01 00>
> 683 256:             OCTET STRING
>         :               77 60 BE 64 F1 4C 04 B9    w`.d.L..
>         :               4D 64 39 59 DC 53 27 02    Md9Y.S'.
>         :               06 1F 0C C7 31 EC 5B A2    ....1.[.
>         :               79 FB CA A3 07 DE D3 E6    y.......
>         :               88 CE 84 37 4C 20 EF DF    ...7L ..
>         :               9B BB D4 0B 6F DC 42 05    ....o.B.
>         :               DA 8D 22 EF 24 A8 46 68    ..".$.Fh
>         :               79 DA CB B5 A9 CD F6 7E    y......~
>         :               D5 B8 D4 DD B4 44 5F 40    .....D_@
>         :               0A A2 59 C8 3B 2C 52 6F    ..Y.;,Ro
>         :               BE 88 6C D3 A4 F6 3C B1    ..l...<.
>         :               52 27 25 E3 E9 6F 4A 2B    R'%..oJ+
>         :               C6 C4 CD EA 73 65 6C 04    ....sel.
>         :               9A A4 79 4E A4 95 F4 F7    ..yN....
>         :               1C C6 2E E8 D3 4B 01 8F    .....K..
>         :               F2 0B 80 6C 28 67 3E 10    ...l(g>.
>         :               D7 76 1E C5 4E BF 87 37    .v..N..7
>         :               CB 99 51 81 74 5C 50 57    ..Q.t\PW
>         :               80 3F 5D 3E 84 76 12 0A    .?]>.v..
>         :               B0 A3 99 DF E5 3B A4 8F    .....;..
>         :               DE 04 50 A8 E6 D0 00 6D    ..P....m
>         :               61 21 B1 A9 A9 D6 05 79    a!.....y
>         :               0A 00 FA D5 1D A6 D6 F8    ........
>         :               6A 22 07 E5 BC 01 C1 E0    j"......
>         :               10 09 BD 92 09 B5 B7 29    .......)
>         :               8B 6A 4D 28 C4 63 7A 4C    .jM(.czL
>         :               8E 7A AF 87 5D BE A4 BD    .z..]...
>         :               C1 20 9A D0 82 57 03 21    . ...W.!
>         :               F3 E2 6F F5 44 22 F9 27    ..o.D".'
>         :               41 9C 66 27 BB 52 39 E2    A.f'.R9.
>         :               4B C8 2B 82 58 AC 0E AF    K.+.X...
>         :               8D AE A5 C7 A5 1A A3 5E
>         :             }
>         :           }
>         :         }
>         :       }
>         :     }
>         :   }
>
> On 19 April 2016 at 14:29, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>> On 19/04/2016 05:55, Alex Samad wrote:
>>> Hi
>>>
>>> I have a SHA.sha file
>>>
>>> /usr/bin/openssl ts -query -data SHA.sha -sha256 | /usr/bin/curl -s -H \
>>> Content-Type:application/timestamp-query --data-binary @- \
>>> http://sha256timestamp.ws.symantec.com/sha256/timestamp > SHA.sha.tsr
>>>
>>> /usr/bin/openssl ts -reply -in SHA.sha.tsr -text  > SHA.sha.ts.txt
>>>
>>>
>>> cat SHA.sha.ts.txt
>>> Status info:
>>> Status: Granted.
>>> Status description: unspecified
>>> Failure info: unspecified
>>>
>>> TST info:
>>> Version: 1
>>> Policy OID: 2.16.840.1.113733.1.7.23.3
>>> Hash Algorithm: sha256
>>> Message data:
>>>       0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[.......WE.i.
>>>       0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.....U%..W7>\..
>>> Serial number: 0x570B9C3A11CA318E2478D3680C0FEFD9238E06AB
>>> Time stamp: Apr 19 03:52:25 2016 GMT
>>> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
>>> Ordering: no
>>> Nonce: 0x580E59D87F396B25
>>> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1
>>> Extensions:
>>>
>>>
>>> But when I go to verify it
>>>
>>>    openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>>> Verification: FAILED
>>> 140569777235784:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:
>>>
>>> Is this because I didn't provide a cert to sign it with?
>> No, it is because it cannot find the certificate that Symantec
>> used to sign the response, specifically the certificate with
>> Subject name "/C=US/O=Symantec Corporation/OU=Symantec Trust
>> Network/CN=Symantec SHA256 TimeStamping Signer - G1".
>>
>> I am kind of disappointed in how little detail is included in
>> the output from ts -reply -text, I expected it to output all
>> the fields, similar to what other openssl commands do when
>> passed the -text option.
>>
>> So I guess the next step would be to dump SHA.sha.tsr using
>> Peter Gutmann's dumpasn1.c program, something like
>>
>> openssl base64 -d -in SHA.sha.tsr -out SHA.sha.tsr.bin
>> dumpasn1 -v SHA.sha.tsr.bin
>>
>>


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
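
To check for the gap described in this message, the sketch below (an added example, not code from the thread or from OpenSSL) walks the DER of a timestamp response to see whether the SignedData carries the optional certificates field, and compares a separately obtained certificate against the SHA-256 value pinned in signingCertificateV2. The function names and the sample response are constructed for illustration.

```python
import hashlib
import hmac

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next (first & 0x7F) bytes
        n = first & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) elements between start and end."""
    out = []
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        out.append((tag, vs, ve))
        start = ve
    return out

def token_has_certificates(resp):
    """True if the SignedData in a TimeStampResp has the optional [0] certificates."""
    _, s, e = read_tlv(resp, 0)                     # TimeStampResp
    parts = children(resp, s, e)                    # status, timeStampToken
    if len(parts) < 2:
        raise ValueError("response carries no timeStampToken")
    _oid, wrapper = children(resp, parts[1][1], parts[1][2])[:2]
    _, s, e = read_tlv(resp, wrapper[1])            # SignedData SEQUENCE
    # version, digestAlgorithms, encapContentInfo, then [0] certs?, [1] crls?
    return any(tag == 0xA0 for tag, _, _ in children(resp, s, e)[3:])

def cert_matches_pin(cert_der, pinned_sha256_hex):
    """Compare a candidate certificate with the signingCertificateV2 hash."""
    digest = hashlib.sha256(cert_der).digest()
    return hmac.compare_digest(digest, bytes.fromhex(pinned_sha256_hex))

def _der(tag, body=b""):                            # sample builder, short lengths only
    return bytes([tag, len(body)]) + body

def sample_response(with_certs):
    """Constructed skeleton of a TimeStampResp, not a real token."""
    certs = _der(0xA0, _der(0x30, b"placeholder")) if with_certs else b""
    sd = _der(0x02, b"\x03") + _der(0x31) + _der(0x30) + certs + _der(0x31)
    oid = _der(0x06, bytes.fromhex("2a864886f70d010702"))   # signedData
    token = _der(0x30, oid + _der(0xA0, _der(0x30, sd)))
    return _der(0x30, _der(0x30, _der(0x02, b"\x00")) + token)
```

RFC 3161's certReq flag, which `openssl ts -query -cert` sets, asks the TSA to include its signing certificate in the token. A certificate fetched separately should pass `cert_matches_pin` before it is handed to `openssl ts -verify` with `-untrusted`.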


