[openssl-users] help with timestamping
Alex Samad
alex at samad.com.au
Fri Apr 29 01:25:43 UTC 2016
Okay I have the cert from sym

openssl x509 -in newsym1.cer -noout -subject
subject= /C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1

Still getting

openssl ts -verify -data SHA.sha -in SHA.sha.tsr -CApath newsym1.cer
Verification: FAILED
139630315571016:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:

On 27 April 2016 at 14:53, Jakob Bohm <jb-openssl at wisemo.com> wrote:
> OK, it looks like this signing service is (quite unusually)
> not providing the certificate in its message, which is quite
> unusual.
>
> All it provides is some information /about/ that certificate,
> specifically it provides the following info:
>
> The certificate was issued to C=US, O=Symantec Corporation,
> OU=Symantec Trust Network,
> CN=Symantec SHA256 TimeStamping Signer - G1
>
> The certificate was issued by C=US, O=Symantec Corporation,
> OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping CA
>
> The certificate serial number (in hex) is
> 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74 B2 8B 13
>
> The certificate fingerprint (SHA-256) is
> 82 D5 56 DB DB 5D AD 5F A0 7B B6 07 26 A6 D8 6E
> 73 0B 5B B7 29 88 5B B6 DE 4F F2 75 29 02 2C FC
>
> Someone with knowledge of the Symantec/Verisign/Thawte/GeoTrust/
> TrustCenter repository web site may be able to use this
> information to download the missing certificates, but there
> is no information in this file that would allow a computer
> to do this.
>
> I wonder if changing some parameter in the timestamp request
> would cause the Symantec server to return a more complete
> timestamp token.
>
> Or maybe something else is failing.
>
>
>
> On 23/04/2016 00:54, Alex Samad wrote:
>>
>> Here is a dump.
>>
>> I can see the CN - but I could see that before.
>>
>> There is also an RSA - maybe a signature or maybe it is the public key for the
>> cert.
>>
>> I would expect to see some signed data (sha + symantec cert + time)
>> and also the public cert ( and maybe the intermediaries..)
>>
>>
>> <30 82 03 AB>
>> 0 939: SEQUENCE {
>> <30 03>
>> 4 3: SEQUENCE {
>> <02 01>
>> 6 1: INTEGER 0
>> : }
>> <30 82 03 A2>
>> 9 930: SEQUENCE {
>> <06 09>
>> 13 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
>> : (PKCS #7)
>> <A0 82 03 93>
>> 24 915: [0] {
>> <30 82 03 8F>
>> 28 911: SEQUENCE {
>> <02 01>
>> 32 1: INTEGER 3
>> <31 0D>
>> 35 13: SET {
>> <30 0B>
>> 37 11: SEQUENCE {
>> <06 09>
>> 39 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
>> : (NIST Algorithm)
>> : }
>> : }
>> <30 82 01 1B>
>> 50 283: SEQUENCE {
>> <06 0B>
>> 54 11: OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
>> : (S/MIME Content Types)
>> <A0 82 01 0A>
>> 67 266: [0] {
>> <04 82 01 06>
>> 71 262: OCTET STRING, encapsulates {
>> <30 82 01 02>
>> 75 258: SEQUENCE {
>> <02 01>
>> 79 1: INTEGER 1
>> <06 0B>
>> 82 11: OBJECT IDENTIFIER '2 16 840 1 113733 1 7 23 3'
>> <30 31>
>> 95 49: SEQUENCE {
>> <30 0D>
>> 97 13: SEQUENCE {
>> <06 09>
>> 99 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3
>> 4 2 1)
>> : (NIST Algorithm)
>> <05 00>
>> 110 0: NULL
>> : }
>> <04 20>
>> 112 32: OCTET STRING
>> : 8C 6D 95 5B E0 CD 8B C9 .m.[....
>> : DF 8C AB 57 45 C4 69 E6 ...WE.i.
>> : 7A B9 CE CB 14 8F 55 25 z.....U%
>> : 91 2E 57 37 3E 5C B8 D5
>> : }
>> <02 14>
>> 146 20: INTEGER
>> : 57 0B 9C 3A 11 CA 31 8E W..:..1.
>> : 24 78 D3 68 0C 0F EF D9 $x.h....
>> : 23 8E 06 AB #...
>> <18 0F>
>> 168 15: GeneralizedTime 19/04/2016 03:52:25 GMT
>> <30 03>
>> 185 3: SEQUENCE {
>> <02 01>
>> 187 1: INTEGER 30
>> : }
>> <02 08>
>> 190 8: INTEGER 58 0E 59 D8 7F 39 6B 25
>> <A0 81 86>
>> 200 134: [0] {
>> <A4 81 83>
>> 203 131: [4] {
>> <30 81 80>
>> 206 128: SEQUENCE {
>> <31 0B>
>> 209 11: SET {
>> <30 09>
>> 211 9: SEQUENCE {
>> <06 03>
>> 213 3: OBJECT IDENTIFIER countryName (2 5 4 6)
>> : (X.520 DN component)
>> <13 02>
>> 218 2: PrintableString 'US'
>> : }
>> : }
>> <31 1D>
>> 222 29: SET {
>> <30 1B>
>> 224 27: SEQUENCE {
>> <06 03>
>> 226 3: OBJECT IDENTIFIER organizationName (2 5
>> 4 10)
>> : (X.520 DN component)
>> <13 14>
>> 231 20: PrintableString 'Symantec Corporation'
>> : }
>> : }
>> <31 1F>
>> 253 31: SET {
>> <30 1D>
>> 255 29: SEQUENCE {
>> <06 03>
>> 257 3: OBJECT IDENTIFIER
>> : organizationalUnitName (2 5 4 11)
>> : (X.520 DN component)
>> <13 16>
>> 262 22: PrintableString 'Symantec Trust
>> Network'
>> : }
>> : }
>> <31 31>
>> 286 49: SET {
>> <30 2F>
>> 288 47: SEQUENCE {
>> <06 03>
>> 290 3: OBJECT IDENTIFIER commonName (2 5 4 3)
>> : (X.520 DN component)
>> <13 28>
>> 295 40: PrintableString 'Symantec SHA256
>> TimeStamping Signer - G1'
>> : }
>> : }
>> : }
>> : }
>> : }
>> : }
>> : }
>> : }
>> : }
>> <31 82 02 5A>
>> 337 602: SET {
>> <30 82 02 56>
>> 341 598: SEQUENCE {
>> <02 01>
>> 345 1: INTEGER 1
>> <30 81 8B>
>> 348 139: SEQUENCE {
>> <30 77>
>> 351 119: SEQUENCE {
>> <31 0B>
>> 353 11: SET {
>> <30 09>
>> 355 9: SEQUENCE {
>> <06 03>
>> 357 3: OBJECT IDENTIFIER countryName (2 5 4 6)
>> : (X.520 DN component)
>> <13 02>
>> 362 2: PrintableString 'US'
>> : }
>> : }
>> <31 1D>
>> 366 29: SET {
>> <30 1B>
>> 368 27: SEQUENCE {
>> <06 03>
>> 370 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
>> : (X.520 DN component)
>> <13 14>
>> 375 20: PrintableString 'Symantec Corporation'
>> : }
>> : }
>> <31 1F>
>> 397 31: SET {
>> <30 1D>
>> 399 29: SEQUENCE {
>> <06 03>
>> 401 3: OBJECT IDENTIFIER organizationalUnitName (2 5
>> 4 11)
>> : (X.520 DN component)
>> <13 16>
>> 406 22: PrintableString 'Symantec Trust Network'
>> : }
>> : }
>> <31 28>
>> 430 40: SET {
>> <30 26>
>> 432 38: SEQUENCE {
>> <06 03>
>> 434 3: OBJECT IDENTIFIER commonName (2 5 4 3)
>> : (X.520 DN component)
>> <13 1F>
>> 439 31: PrintableString 'Symantec SHA256 TimeStamping
>> CA'
>> : }
>> : }
>> : }
>> <02 10>
>> 472 16: INTEGER 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74
>> B2 8B 13
>> : }
>> <30 0B>
>> 490 11: SEQUENCE {
>> <06 09>
>> 492 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
>> : (NIST Algorithm)
>> : }
>> <A0 81 A4>
>> 503 164: [0] {
>> <30 1A>
>> 506 26: SEQUENCE {
>> <06 09>
>> 508 9: OBJECT IDENTIFIER contentType (1 2 840 113549 1 9
>> 3)
>> : (PKCS #9)
>> <31 0D>
>> 519 13: SET {
>> <06 0B>
>> 521 11: OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9
>> 16 1 4)
>> : (S/MIME Content Types)
>> : }
>> : }
>> <30 1C>
>> 534 28: SEQUENCE {
>> <06 09>
>> 536 9: OBJECT IDENTIFIER signingTime (1 2 840 113549 1 9
>> 5)
>> : (PKCS #9)
>> <31 0F>
>> 547 15: SET {
>> <17 0D>
>> 549 13: UTCTime 19/04/2016 03:52:25 GMT
>> : }
>> : }
>> <30 2F>
>> 564 47: SEQUENCE {
>> <06 09>
>> 566 9: OBJECT IDENTIFIER messageDigest (1 2 840 113549 1
>> 9 4)
>> : (PKCS #9)
>> <31 22>
>> 577 34: SET {
>> <04 20>
>> 579 32: OCTET STRING
>> : 98 1B CF E1 5D 96 79 D6 ....].y.
>> : 47 53 3E 27 A1 0C 57 4E GS>'..WN
>> : 62 48 8E 43 F8 B5 17 D4 bH.C....
>> : 1C 8F 9A 86 ED D7 A6 B4
>> : }
>> : }
>> <30 37>
>> 613 55: SEQUENCE {
>> <06 0B>
>> 615 11: OBJECT IDENTIFIER
>> : signingCertificateV2 (1 2 840 113549 1 9 16 2
>> 47)
>> : (S/MIME Authenticated Attributes)
>> <31 28>
>> 628 40: SET {
>> <30 26>
>> 630 38: SEQUENCE {
>> <30 24>
>> 632 36: SEQUENCE {
>> <30 22>
>> 634 34: SEQUENCE {
>> <04 20>
>> 636 32: OCTET STRING
>> : 82 D5 56 DB DB 5D AD 5F ..V..]._
>> : A0 7B B6 07 26 A6 D8 6E .{..&..n
>> : 73 0B 5B B7 29 88 5B B6 s.[.).[.
>> : DE 4F F2 75 29 02 2C FC
>> : }
>> : }
>> : }
>> : }
>> : }
>> : }
>> <30 0B>
>> 670 11: SEQUENCE {
>> <06 09>
>> 672 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1
>> 1)
>> : (PKCS #1)
>> : }
>> <04 82 01 00>
>> 683 256: OCTET STRING
>> : 77 60 BE 64 F1 4C 04 B9 w`.d.L..
>> : 4D 64 39 59 DC 53 27 02 Md9Y.S'.
>> : 06 1F 0C C7 31 EC 5B A2 ....1.[.
>> : 79 FB CA A3 07 DE D3 E6 y.......
>> : 88 CE 84 37 4C 20 EF DF ...7L ..
>> : 9B BB D4 0B 6F DC 42 05 ....o.B.
>> : DA 8D 22 EF 24 A8 46 68 ..".$.Fh
>> : 79 DA CB B5 A9 CD F6 7E y......~
>> : D5 B8 D4 DD B4 44 5F 40 .....D_@
>> : 0A A2 59 C8 3B 2C 52 6F ..Y.;,Ro
>> : BE 88 6C D3 A4 F6 3C B1 ..l...<.
>> : 52 27 25 E3 E9 6F 4A 2B R'%..oJ+
>> : C6 C4 CD EA 73 65 6C 04 ....sel.
>> : 9A A4 79 4E A4 95 F4 F7 ..yN....
>> : 1C C6 2E E8 D3 4B 01 8F .....K..
>> : F2 0B 80 6C 28 67 3E 10 ...l(g>.
>> : D7 76 1E C5 4E BF 87 37 .v..N..7
>> : CB 99 51 81 74 5C 50 57 ..Q.t\PW
>> : 80 3F 5D 3E 84 76 12 0A .?]>.v..
>> : B0 A3 99 DF E5 3B A4 8F .....;..
>> : DE 04 50 A8 E6 D0 00 6D ..P....m
>> : 61 21 B1 A9 A9 D6 05 79 a!.....y
>> : 0A 00 FA D5 1D A6 D6 F8 ........
>> : 6A 22 07 E5 BC 01 C1 E0 j"......
>> : 10 09 BD 92 09 B5 B7 29 .......)
>> : 8B 6A 4D 28 C4 63 7A 4C .jM(.czL
>> : 8E 7A AF 87 5D BE A4 BD .z..]...
>> : C1 20 9A D0 82 57 03 21 . ...W.!
>> : F3 E2 6F F5 44 22 F9 27 ..o.D".'
>> : 41 9C 66 27 BB 52 39 E2 A.f'.R9.
>> : 4B C8 2B 82 58 AC 0E AF K.+.X...
>> : 8D AE A5 C7 A5 1A A3 5E
>> : }
>> : }
>> : }
>> : }
>> : }
>> : }
>>
>> On 19 April 2016 at 14:29, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>>>
>>> On 19/04/2016 05:55, Alex Samad wrote:
>>>>
>>>> Hi
>>>>
>>>> I have a SHA.sha file
>>>>
>>>> /usr/bin/openssl ts -query -data SHA.sha -sha256 | /usr/bin/curl -s -H
>>>> Content-Type:application/timestamp-query --data-binary @-
>>>> http://sha256timestamp.ws.symantec.com/sha256/timestamp > SHA.sha.tsr
>>>>
>>>> /usr/bin/openssl ts -reply -in SHA.sha.tsr -text > SHA.sha.ts.txt
>>>>
>>>>
>>>> cat SHA.sha.ts.txt
>>>> Status info:
>>>> Status: Granted.
>>>> Status description: unspecified
>>>> Failure info: unspecified
>>>>
>>>> TST info:
>>>> Version: 1
>>>> Policy OID: 2.16.840.1.113733.1.7.23.3
>>>> Hash Algorithm: sha256
>>>> Message data:
>>>> 0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6
>>>> .m.[.......WE.i.
>>>> 0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5
>>>> z.....U%..W7>\..
>>>> Serial number: 0x570B9C3A11CA318E2478D3680C0FEFD9238E06AB
>>>> Time stamp: Apr 19 03:52:25 2016 GMT
>>>> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
>>>> Ordering: no
>>>> Nonce: 0x580E59D87F396B25
>>>> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>> Network/CN=Symantec SHA256 TimeStamping Signer - G1
>>>> Extensions:
>>>>
>>>>
>>>> But when I go to verify it
>>>>
>>>> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>>>> Verification: FAILED
>>>> 140569777235784:error:2107C080:PKCS7
>>>> routines:PKCS7_get0_signers:signer certificate not
>>>> found:pk7_smime.c:476:
>>>>
>>>> is this because I didn't provide a cert to sign it with ?
>>>
>>> No, it is because it cannot find the certificate that Symantec
>>> used to sign the response, specifically the certificate with
>>> Subject name "/C=US/O=Symantec Corporation/OU=Symantec Trust
>>> Network/CN=Symantec SHA256 TimeStamping Signer - G1".
>>>
>>> I am kind of disappointed in how little detail is included in
>>> the output from ts -reply -text, I expected it to output all
>>> the fields, similar to what other openssl commands do when
>>> passed the -text option.
>>>
>>> So I guess the next step would be to dump SHA.sha.tsr using
>>> Peter Gutmann's dumpasn1.c program, something like
>>>
>>> openssl base64 -d -in SHA.sha.tsr -out SHA.sha.tsr.bin
>>> dumpasn1 -v SHA.sha.tsr.bin
>>>
>>>
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
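
The check done by hand on the dumpasn1 output above, as an added Python example (not code from the thread or from OpenSSL): it reports whether a DER TimeStampResp embeds any certificates, and tests a candidate certificate against the signingCertificateV2 hash. The `der` and `sample_token` helpers and all sample bytes are constructed for illustration, and the hash is assumed to be SHA-256, the default when ESSCertIDv2 omits hashAlgorithm as in the dump.

```python
import hashlib

OID_SIGNING_CERT_V2 = bytes.fromhex("2a864886f70d010910022f")  # 1.2.840.113549.1.9.16.2.47

def read_tlv(buf, i):  # -> (tag, content_start, content_end) of the DER element at i
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                   # long-form length
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return tag, i, i + n

def inspect_token(resp):
    """Report whether a TimeStampResp embeds certificates and which cert signed it."""
    def kids(node):                                # child elements of a constructed node
        out, pos = [], node[1]
        while pos < node[2]:
            out.append(read_tlv(resp, pos))
            pos = out[-1][2]
        return out
    # TimeStampResp -> ContentInfo -> [0] wrapper -> SignedData
    signed_data = kids(kids(kids(read_tlv(resp, 0))[1])[1])[0]
    fields = kids(signed_data)
    signer = kids(kids(fields[-1])[0])             # first SignerInfo in the trailing SET
    serial = kids(signer[1])[1]                    # issuerAndSerialNumber.serialNumber
    info = {"embeds_certs": any(f[0] == 0xA0 for f in fields),  # [0] certificates present?
            "serial": resp[serial[1]:serial[2]].hex(), "cert_hash": None}
    for attr in kids(next(f for f in signer if f[0] == 0xA0)):  # signedAttrs
        oid, values = kids(attr)
        if resp[oid[1]:oid[2]] == OID_SIGNING_CERT_V2:
            ess = kids(kids(kids(values)[0])[0])[0]             # first ESSCertIDv2
            h = next(c for c in kids(ess) if c[0] == 0x04)      # certHash OCTET STRING
            info["cert_hash"] = resp[h[1]:h[2]].hex()
    return info

def is_signer_cert(cert_der, info):  # assumes SHA-256 certHash (see lead-in)
    return hashlib.sha256(cert_der).hexdigest() == info["cert_hash"]

def der(tag, *parts):  # minimal encoder (bodies < 256 bytes), only for the constructed sample
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])) + body

def sample_token(cert_der, embed):  # constructed skeleton with the dump's layout
    ess = der(0x30, der(0x30, der(0x30, der(0x04, hashlib.sha256(cert_der).digest()))))
    attrs = der(0xA0, der(0x30, der(0x06, OID_SIGNING_CERT_V2), der(0x31, ess)))
    signer = der(0x30, der(0x02, b"\x01"), der(0x30, der(0x30), der(0x02, b"\x12\x34")),
                 der(0x30), attrs, der(0x30), der(0x04, b"sig"))
    signed = der(0x30, der(0x02, b"\x03"), der(0x31), der(0x30),
                 der(0xA0, cert_der) if embed else b"", der(0x31, signer))
    return der(0x30, der(0x30, der(0x02, b"\x00")),
               der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")), der(0xA0, signed)))
```

When `embeds_certs` is false, `openssl ts -verify` needs the signer certificate passed with `-untrusted` and the issuing chain with `-CAfile`; `-CApath` expects a directory of hashed CA certificates, not a certificate file. Adding `-cert` to `openssl ts -query` asks the TSA to include its signing certificate in the reply.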