[openssl-users] help with timestamping
Alex Samad
alex at samad.com.au
Tue May 3 04:20:22 UTC 2016
Got a bit further
=======
#!/bin/bash
rm -f /tmp/test.data* /tmp/sym.cer
cat > /tmp/test.data <<EOF
This is a test
A test
EOF
cat > /tmp/symINT.cer << EOF
# Signing cert public key
#Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
CN=Symantec SHA256 TimeStamping CA
#Subject: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
CN=Symantec SHA256 TimeStamping Signer - G1
-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIQVPN9oXFnUbxqjQrSdLKLEzANBgkqhkiG9w0BAQsFADB3
MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj
IFNIQTI1NiBUaW1lU3RhbXBpbmcgQ0EwHhcNMTYwMTEyMDAwMDAwWhcNMjcwNDEx
MjM1OTU5WjCBgDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBv
cmF0aW9uMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTEwLwYDVQQD
EyhTeW1hbnRlYyBTSEEyNTYgVGltZVN0YW1waW5nIFNpZ25lciAtIEcxMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn/vfjx+nz54+GsvraK3PJxzugVWp
hwhY5YFNCRTg7dDz1A8/IbYeDjTU8WgKb32Pidny6qfYJTikjDbK7ijPM/h1Pdid
z5LdVuP2sHlUZrVFgkNE0mqxqxeiw+XvAOon8yeIDoc89m68qez2uy5qdwYivfq4
f8MkB/c/u0yw/0PLk8oSqpUkAJCyKzai0t3Ss9GZMt3P9MxzFkmDfyTr7XhG0+5f
bEJlG2eN8CYaDl6HblqPoIJ+bp/NJt69Ye9EXkWLqJTTHAQyof+kp6KqdwHbKt4P
TJI2xmmsXISArSX17TDDaB0X2wpNmjR4WQGbawKFOOIncaIUVDBgkyBIIwIDAQAB
o4IBxzCCAcMwDAYDVR0TAQH/BAIwADBmBgNVHSAEXzBdMFsGC2CGSAGG+EUBBxcD
MEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUF
BwICMBkaF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMEAGA1UdHwQ5MDcwNaAzoDGG
L2h0dHA6Ly90cy1jcmwud3Muc3ltYW50ZWMuY29tL3NoYTI1Ni10c3MtY2EuY3Js
MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4GA1UdDwEB/wQEAwIHgDB3BggrBgEF
BQcBAQRrMGkwKgYIKwYBBQUHMAGGHmh0dHA6Ly90cy1vY3NwLndzLnN5bWFudGVj
LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL3RzLWFpYS53cy5zeW1hbnRlYy5jb20v
c2hhMjU2LXRzcy1jYS5jZXIwKAYDVR0RBCEwH6QdMBsxGTAXBgNVBAMTEFRpbWVT
dGFtcC0yMDQ4LTQwHQYDVR0OBBYEFO1rYM87WPg+Msy/pOir6OqiUEJ/MB8GA1Ud
IwQYMBaAFK9j1sqjToVy4Ke8QfMpojh/gHViMA0GCSqGSIb3DQEBCwUAA4IBAQCi
jV5dHe5O0pP9T+X0babwiUVVuwjKqyShFiTJTxfBn/TdAprCR8Cp3IiJd8GGhvHV
SZbz+x6Y1skdNSOImYpi4XWoTXinPewkgBWeaNQ6pMJM3HFslp2OHgwubFIBnlaQ
P6Jeks222kEaJIOheqNf/o07bznRP0FfVhwnDOV8BdhnNojlsMLDBKNaVrgSBI7U
nCRrG2a0vqAa4bXN7ONEpLE855LzWN3f6LFYS3BLzpAAzNyj0dJudRZURALvG1RE
Y+i1cMi5R5pbRcRudpoYsfcQM8gLUfVVjP0hHkGPTj6QXYAByLwkfoZoFBUUNDV0
SbeHUinWll6ioxbUsNN7
-----END CERTIFICATE-----
# CA for signing cert
#Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c)
2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal
Root Certification Authority
#Subject: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
CN=Symantec SHA256 TimeStamping CA
-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQewWx1EloUUT3yYnSnBmdEjANBgkqhkiG9w0BAQsFADCB
vTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTgwNgYDVQQDEy9W
ZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
Fw0xNjAxMTIwMDAwMDBaFw0zMTAxMTEyMzU5NTlaMHcxCzAJBgNVBAYTAlVTMR0w
GwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlvbjEfMB0GA1UECxMWU3ltYW50ZWMg
VHJ1c3QgTmV0d29yazEoMCYGA1UEAxMfU3ltYW50ZWMgU0hBMjU2IFRpbWVTdGFt
cGluZyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALtZnVlVT52M
cl0agaLrVfOwAa08cawyjwVrhponADKXak3JZBRLKbvC2Sm5Luxjs+HPPwtWkPhi
G37rpgfi3n9ebUA41JEG50F8eRzLy60bv9iVkfPw7mz4rZY5Ln/BJ7h4OcWEpe3t
r4eOzo3HberSmLU6Hx45ncP0mqj0hOHE0XxxxgYptD/kgw0mw3sIPk35CrczSf/K
O9T1sptL4YiZGvXA6TMU1t/HgNuR7v68kldyd/TNqMz+CfWTN76ViGrF3PSxS9TO
6AmRX7WEeTWKeKwZMo8jwTJBG1kOqT6xzPnWK++32OTVHW0ROpL2k8mc40juu1MO
1DaXhnjFoTcCAwEAAaOCAXcwggFzMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8E
CDAGAQH/AgEAMGYGA1UdIARfMF0wWwYLYIZIAYb4RQEHFwMwTDAjBggrBgEFBQcC
ARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMwJQYIKwYBBQUHAgIwGRoXaHR0cHM6
Ly9kLnN5bWNiLmNvbS9ycGEwLgYIKwYBBQUHAQEEIjAgMB4GCCsGAQUFBzABhhJo
dHRwOi8vcy5zeW1jZC5jb20wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3Muc3lt
Y2IuY29tL3VuaXZlcnNhbC1yb290LmNybDATBgNVHSUEDDAKBggrBgEFBQcDCDAo
BgNVHREEITAfpB0wGzEZMBcGA1UEAxMQVGltZVN0YW1wLTIwNDgtMzAdBgNVHQ4E
FgQUr2PWyqNOhXLgp7xB8ymiOH+AdWIwHwYDVR0jBBgwFoAUtnf6aUhHn1MS1cLq
BzJ2B9GXBxkwDQYJKoZIhvcNAQELBQADggEBAHXqsC3VNBlcMkX+DuHUT6Z4wW/X
6t3cT/OhyIGI96ePFeZAKa3mXfSi2VZkhHEwKt0eYRdmIFYGmBmNXXHy+Je8Cf0c
kUfJ4uiNA/vMkC/WCmxOM+zWtJPITJBjSDlAIcTd1m6JmDy1mJfoqQa3CcmPU1dB
kC/hHk1O3MoQeGxCbvC2xfhhXFL1TvZrjfdKer7zzf0D19n2A6gP41P3CnXsxnUu
qmaFBJm3+AZX4cYO9uiv2uybGB+queM6AL/OipTLAduexzi7D1Kr0eOUA2AKTaD+
J20UMvw/l0Dhv5mJ2+Q5FL3a5NPD6itas5VYVQR9x5rsIwONhSrS/66pYYE=
-----END CERTIFICATE-----
EOF
cat > /tmp/symCA.cer << EOF
#Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c)
2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal
Root Certification Authority
#Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c)
2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal
Root Certification Authority
-----BEGIN CERTIFICATE-----
MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCB
vTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTgwNgYDVQQDEy9W
ZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
Fw0wODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIG9MQswCQYDVQQGEwJVUzEX
MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0
IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWduLCBJbmMuIC0gRm9y
IGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVuaXZlcnNh
bCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1hajCMj1mCOkdeQmIN65lgZOIzF
9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQHnOgO+k1KxCHfKWGPMiJhgsWH
H26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCznmhcrewA3ekEzeOEz4vMQGn+H
LL729fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsLdUYI0crSK5XQz/u5QGtkjFdN
/BMReYTtXlT2NJ8IAfMQJQYXStrxHXpma5hgZqTZ79IugvHw7wnqRMkVauIDbjPT
rJ9VAMf2CGqUuV/c4DPxhGD5WycRtPwW8rtWaoAljQIDAQABo4GyMIGvMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMG0GCCsGAQUFBwEMBGEwX6FdoFsw
WTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgs
exkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMB0GA1Ud
DgQWBBS2d/ppSEefUxLVwuoHMnYH0ZcHGTANBgkqhkiG9w0BAQsFAAOCAQEASvj4
sAPmLGd75JR3Y8xuTPl9Dg3cyLk1uXBPY/ok+myDjEedO2Pzmvl2MpWRsXe8rJq+
seQxIcaBlVZaDrHC1LGmWazxY8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz
4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTxP/jgdFcrGJ2BtMQo2pSXpXDrrB2+
BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+PwGZsY6rp2aQW9IHR
lRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4mJO3
7M2CYfE45k+XmCpajQ==
-----END CERTIFICATE-----
EOF
/usr/bin/openssl ts -query -data /tmp/test.data -sha256 -out
/tmp/test.data.tsq -no_nonce
/usr/bin/curl -s -H Content-Type:application/timestamp-query
--data-binary @/tmp/test.data.tsq
http://sha256timestamp.ws.symantec.com/sha256/timestamp -o
/tmp/test.data.tsr
#/usr/bin/openssl ts -query -data /tmp/test.data -sha256 |
/usr/bin/curl -s -H Content-Type:application/timestamp-query
--data-binary @-
http://sha256timestamp.ws.symantec.com/sha256/timestamp >
/tmp/test.data.tsr
/usr/bin/openssl ts -reply -in /tmp/test.data.tsr -text >
/tmp/test.data.tsr.txt
#openssl ts -verify -data /tmp/test.data -in /tmp/test.data.tsr
#openssl ts -verify -data /tmp/test.data -in /tmp/test.data.tsr
-untrusted /tmp/symINT.cer
openssl ts -verify -data /tmp/test.data -in /tmp/test.data.tsr
-untrusted /tmp/symINT.cer -CAfile /tmp/symCA.cer
=======
results in this
Verification: FAILED
140328034314056:error:2F067065:time stamp
routines:TS_CHECK_SIGNING_CERTS:ess signing certificate
error:ts_rsp_verify.c:291:
which lead me to this
http://openssl.6102.n7.nabble.com/possible-Bug-in-OpenSSL-rfc-3161-TSA-service-tt43128.html#none
Not sure if there has been any work on this since then.
On 29 April 2016 at 11:25, Alex Samad <alex at samad.com.au> wrote:
> Okay I have the cert from sym
>
> -----BEGIN CERTIFICATE-----
> MIIFSzCCBDOgAwIBAgIQVPN9oXFnUbxqjQrSdLKLEzANBgkqhkiG9w0BAQsFADB3
> MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
> BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj
> IFNIQTI1NiBUaW1lU3RhbXBpbmcgQ0EwHhcNMTYwMTEyMDAwMDAwWhcNMjcwNDEx
> MjM1OTU5WjCBgDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBv
> cmF0aW9uMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTEwLwYDVQQD
> EyhTeW1hbnRlYyBTSEEyNTYgVGltZVN0YW1waW5nIFNpZ25lciAtIEcxMIIBIjAN
> BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn/vfjx+nz54+GsvraK3PJxzugVWp
> hwhY5YFNCRTg7dDz1A8/IbYeDjTU8WgKb32Pidny6qfYJTikjDbK7ijPM/h1Pdid
> z5LdVuP2sHlUZrVFgkNE0mqxqxeiw+XvAOon8yeIDoc89m68qez2uy5qdwYivfq4
> f8MkB/c/u0yw/0PLk8oSqpUkAJCyKzai0t3Ss9GZMt3P9MxzFkmDfyTr7XhG0+5f
> bEJlG2eN8CYaDl6HblqPoIJ+bp/NJt69Ye9EXkWLqJTTHAQyof+kp6KqdwHbKt4P
> TJI2xmmsXISArSX17TDDaB0X2wpNmjR4WQGbawKFOOIncaIUVDBgkyBIIwIDAQAB
> o4IBxzCCAcMwDAYDVR0TAQH/BAIwADBmBgNVHSAEXzBdMFsGC2CGSAGG+EUBBxcD
> MEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUF
> BwICMBkaF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMEAGA1UdHwQ5MDcwNaAzoDGG
> L2h0dHA6Ly90cy1jcmwud3Muc3ltYW50ZWMuY29tL3NoYTI1Ni10c3MtY2EuY3Js
> MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4GA1UdDwEB/wQEAwIHgDB3BggrBgEF
> BQcBAQRrMGkwKgYIKwYBBQUHMAGGHmh0dHA6Ly90cy1vY3NwLndzLnN5bWFudGVj
> LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL3RzLWFpYS53cy5zeW1hbnRlYy5jb20v
> c2hhMjU2LXRzcy1jYS5jZXIwKAYDVR0RBCEwH6QdMBsxGTAXBgNVBAMTEFRpbWVT
> dGFtcC0yMDQ4LTQwHQYDVR0OBBYEFO1rYM87WPg+Msy/pOir6OqiUEJ/MB8GA1Ud
> IwQYMBaAFK9j1sqjToVy4Ke8QfMpojh/gHViMA0GCSqGSIb3DQEBCwUAA4IBAQCi
> jV5dHe5O0pP9T+X0babwiUVVuwjKqyShFiTJTxfBn/TdAprCR8Cp3IiJd8GGhvHV
> SZbz+x6Y1skdNSOImYpi4XWoTXinPewkgBWeaNQ6pMJM3HFslp2OHgwubFIBnlaQ
> P6Jeks222kEaJIOheqNf/o07bznRP0FfVhwnDOV8BdhnNojlsMLDBKNaVrgSBI7U
> nCRrG2a0vqAa4bXN7ONEpLE855LzWN3f6LFYS3BLzpAAzNyj0dJudRZURALvG1RE
> Y+i1cMi5R5pbRcRudpoYsfcQM8gLUfVVjP0hHkGPTj6QXYAByLwkfoZoFBUUNDV0
> SbeHUinWll6ioxbUsNN7
> -----END CERTIFICATE-----
>
>
> openssl x509 -in newsym1.cer -noout -subject
> subject= /C=US/O=Symantec Corporation/OU=Symantec Trust
> Network/CN=Symantec SHA256 TimeStamping Signer - G1
>
>
> Still getting
>
> openssl ts -verify -data SHA.sha -in SHA.sha.tsr -CApath newsym1.cer
> Verification: FAILED
> 139630315571016:error:2107C080:PKCS7
> routines:PKCS7_get0_signers:signer certificate not
> found:pk7_smime.c:476:
>
>
>
>
>
> On 27 April 2016 at 14:53, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>> OK, It looks like this signing service is (quite unusually)
>> not providing the certificate in its message, which is quite
>> unusual.
>>
>> All it provides is some information /about/ that certificate,
>> specifically it provides the following info:
>>
>> The certificate was issued to C=US, O=Symantec Corporation,
>> OU=Symantec Trust Network,
>> CN=Symantec SHA256 TimeStamping Signer - G1
>>
>> The certificate was issued by C=US, O=Symantec Corporation,
>> OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping CA
>>
>> The certificate serial number (in hex) is
>> 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74 B2 8B 13
>>
>> The certificate fingerprint (SHA-256) is
>> 82 D5 56 DB DB 5D AD 5FA0 7B B6 07 26 A6 D8 6E
>> 73 0B 5B B7 29 88 5B B6DE 4F F2 75 29 02 2C FC
>>
>> Someone with knowledge of the Symantec/Verisign/Thawte/GeoTrust/
>> TrustCenter repository web site may be able to use this
>> information to download the missing certificates, but there
>> is no information in this file that would allow a computer
>> to do this.
>>
>> I wonder if changing some parameter in the timestamp request
>> would cause the Symantec server to return a more complete
>> timestamp token.
>>
>> Or maybe something else is failing.
>>
>>
>>
>> On 23/04/2016 00:54, Alex Samad wrote:
>>>
>>> Here is a dump.
>>>
>>> I can see the CN - but I could see that before.
>>>
>>> There is also a RSA - maybe a signature or maybe is the public key for the
>>> cert.
>>>
>>> I would expect to see some signed data (sha + symantec cert + time)
>>> and also the public cert ( and maybe the intermediaries..)
>>>
>>>
>>> <30 82 03 AB>
>>> 0 939: SEQUENCE {
>>> <30 03>
>>> 4 3: SEQUENCE {
>>> <02 01>
>>> 6 1: INTEGER 0
>>> : }
>>> <30 82 03 A2>
>>> 9 930: SEQUENCE {
>>> <06 09>
>>> 13 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
>>> : (PKCS #7)
>>> <A0 82 03 93>
>>> 24 915: [0] {
>>> <30 82 03 8F>
>>> 28 911: SEQUENCE {
>>> <02 01>
>>> 32 1: INTEGER 3
>>> <31 0D>
>>> 35 13: SET {
>>> <30 0B>
>>> 37 11: SEQUENCE {
>>> <06 09>
>>> 39 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
>>> : (NIST Algorithm)
>>> : }
>>> : }
>>> <30 82 01 1B>
>>> 50 283: SEQUENCE {
>>> <06 0B>
>>> 54 11: OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
>>> : (S/MIME Content Types)
>>> <A0 82 01 0A>
>>> 67 266: [0] {
>>> <04 82 01 06>
>>> 71 262: OCTET STRING, encapsulates {
>>> <30 82 01 02>
>>> 75 258: SEQUENCE {
>>> <02 01>
>>> 79 1: INTEGER 1
>>> <06 0B>
>>> 82 11: OBJECT IDENTIFIER '2 16 840 1 113733 1 7 23 3'
>>> <30 31>
>>> 95 49: SEQUENCE {
>>> <30 0D>
>>> 97 13: SEQUENCE {
>>> <06 09>
>>> 99 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3
>>> 4 2 1)
>>> : (NIST Algorithm)
>>> <05 00>
>>> 110 0: NULL
>>> : }
>>> <04 20>
>>> 112 32: OCTET STRING
>>> : 8C 6D 95 5B E0 CD 8B C9 .m.[....
>>> : DF 8C AB 57 45 C4 69 E6 ...WE.i.
>>> : 7A B9 CE CB 14 8F 55 25 z.....U%
>>> : 91 2E 57 37 3E 5C B8 D5
>>> : }
>>> <02 14>
>>> 146 20: INTEGER
>>> : 57 0B 9C 3A 11 CA 31 8E W..:..1.
>>> : 24 78 D3 68 0C 0F EF D9 $x.h....
>>> : 23 8E 06 AB #...
>>> <18 0F>
>>> 168 15: GeneralizedTime 19/04/2016 03:52:25 GMT
>>> <30 03>
>>> 185 3: SEQUENCE {
>>> <02 01>
>>> 187 1: INTEGER 30
>>> : }
>>> <02 08>
>>> 190 8: INTEGER 58 0E 59 D8 7F 39 6B 25
>>> <A0 81 86>
>>> 200 134: [0] {
>>> <A4 81 83>
>>> 203 131: [4] {
>>> <30 81 80>
>>> 206 128: SEQUENCE {
>>> <31 0B>
>>> 209 11: SET {
>>> <30 09>
>>> 211 9: SEQUENCE {
>>> <06 03>
>>> 213 3: OBJECT IDENTIFIER countryName (2 5 4 6)
>>> : (X.520 DN component)
>>> <13 02>
>>> 218 2: PrintableString 'US'
>>> : }
>>> : }
>>> <31 1D>
>>> 222 29: SET {
>>> <30 1B>
>>> 224 27: SEQUENCE {
>>> <06 03>
>>> 226 3: OBJECT IDENTIFIER organizationName (2 5
>>> 4 10)
>>> : (X.520 DN component)
>>> <13 14>
>>> 231 20: PrintableString 'Symantec Corporation'
>>> : }
>>> : }
>>> <31 1F>
>>> 253 31: SET {
>>> <30 1D>
>>> 255 29: SEQUENCE {
>>> <06 03>
>>> 257 3: OBJECT IDENTIFIER
>>> : organizationalUnitName (2 5 4 11)
>>> : (X.520 DN component)
>>> <13 16>
>>> 262 22: PrintableString 'Symantec Trust
>>> Network'
>>> : }
>>> : }
>>> <31 31>
>>> 286 49: SET {
>>> <30 2F>
>>> 288 47: SEQUENCE {
>>> <06 03>
>>> 290 3: OBJECT IDENTIFIER commonName (2 5 4 3)
>>> : (X.520 DN component)
>>> <13 28>
>>> 295 40: PrintableString 'Symantec SHA256
>>> TimeStamping Signer - G1'
>>> : }
>>> : }
>>> : }
>>> : }
>>> : }
>>> : }
>>> : }
>>> : }
>>> : }
>>> <31 82 02 5A>
>>> 337 602: SET {
>>> <30 82 02 56>
>>> 341 598: SEQUENCE {
>>> <02 01>
>>> 345 1: INTEGER 1
>>> <30 81 8B>
>>> 348 139: SEQUENCE {
>>> <30 77>
>>> 351 119: SEQUENCE {
>>> <31 0B>
>>> 353 11: SET {
>>> <30 09>
>>> 355 9: SEQUENCE {
>>> <06 03>
>>> 357 3: OBJECT IDENTIFIER countryName (2 5 4 6)
>>> : (X.520 DN component)
>>> <13 02>
>>> 362 2: PrintableString 'US'
>>> : }
>>> : }
>>> <31 1D>
>>> 366 29: SET {
>>> <30 1B>
>>> 368 27: SEQUENCE {
>>> <06 03>
>>> 370 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
>>> : (X.520 DN component)
>>> <13 14>
>>> 375 20: PrintableString 'Symantec Corporation'
>>> : }
>>> : }
>>> <31 1F>
>>> 397 31: SET {
>>> <30 1D>
>>> 399 29: SEQUENCE {
>>> <06 03>
>>> 401 3: OBJECT IDENTIFIER organizationalUnitName (2 5
>>> 4 11)
>>> : (X.520 DN component)
>>> <13 16>
>>> 406 22: PrintableString 'Symantec Trust Network'
>>> : }
>>> : }
>>> <31 28>
>>> 430 40: SET {
>>> <30 26>
>>> 432 38: SEQUENCE {
>>> <06 03>
>>> 434 3: OBJECT IDENTIFIER commonName (2 5 4 3)
>>> : (X.520 DN component)
>>> <13 1F>
>>> 439 31: PrintableString 'Symantec SHA256 TimeStamping
>>> CA'
>>> : }
>>> : }
>>> : }
>>> <02 10>
>>> 472 16: INTEGER 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74
>>> B2 8B 13
>>> : }
>>> <30 0B>
>>> 490 11: SEQUENCE {
>>> <06 09>
>>> 492 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
>>> : (NIST Algorithm)
>>> : }
>>> <A0 81 A4>
>>> 503 164: [0] {
>>> <30 1A>
>>> 506 26: SEQUENCE {
>>> <06 09>
>>> 508 9: OBJECT IDENTIFIER contentType (1 2 840 113549 1 9
>>> 3)
>>> : (PKCS #9)
>>> <31 0D>
>>> 519 13: SET {
>>> <06 0B>
>>> 521 11: OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9
>>> 16 1 4)
>>> : (S/MIME Content Types)
>>> : }
>>> : }
>>> <30 1C>
>>> 534 28: SEQUENCE {
>>> <06 09>
>>> 536 9: OBJECT IDENTIFIER signingTime (1 2 840 113549 1 9
>>> 5)
>>> : (PKCS #9)
>>> <31 0F>
>>> 547 15: SET {
>>> <17 0D>
>>> 549 13: UTCTime 19/04/2016 03:52:25 GMT
>>> : }
>>> : }
>>> <30 2F>
>>> 564 47: SEQUENCE {
>>> <06 09>
>>> 566 9: OBJECT IDENTIFIER messageDigest (1 2 840 113549 1
>>> 9 4)
>>> : (PKCS #9)
>>> <31 22>
>>> 577 34: SET {
>>> <04 20>
>>> 579 32: OCTET STRING
>>> : 98 1B CF E1 5D 96 79 D6 ....].y.
>>> : 47 53 3E 27 A1 0C 57 4E GS>'..WN
>>> : 62 48 8E 43 F8 B5 17 D4 bH.C....
>>> : 1C 8F 9A 86 ED D7 A6 B4
>>> : }
>>> : }
>>> <30 37>
>>> 613 55: SEQUENCE {
>>> <06 0B>
>>> 615 11: OBJECT IDENTIFIER
>>> : signingCertificateV2 (1 2 840 113549 1 9 16 2
>>> 47)
>>> : (S/MIME Authenticated Attributes)
>>> <31 28>
>>> 628 40: SET {
>>> <30 26>
>>> 630 38: SEQUENCE {
>>> <30 24>
>>> 632 36: SEQUENCE {
>>> <30 22>
>>> 634 34: SEQUENCE {
>>> <04 20>
>>> 636 32: OCTET STRING
>>> : 82 D5 56 DB DB 5D AD 5F ..V..]._
>>> : A0 7B B6 07 26 A6 D8 6E .{..&..n
>>> : 73 0B 5B B7 29 88 5B B6 s.[.).[.
>>> : DE 4F F2 75 29 02 2C FC
>>> : }
>>> : }
>>> : }
>>> : }
>>> : }
>>> : }
>>> <30 0B>
>>> 670 11: SEQUENCE {
>>> <06 09>
>>> 672 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1
>>> 1)
>>> : (PKCS #1)
>>> : }
>>> <04 82 01 00>
>>> 683 256: OCTET STRING
>>> : 77 60 BE 64 F1 4C 04 B9 w`.d.L..
>>> : 4D 64 39 59 DC 53 27 02 Md9Y.S'.
>>> : 06 1F 0C C7 31 EC 5B A2 ....1.[.
>>> : 79 FB CA A3 07 DE D3 E6 y.......
>>> : 88 CE 84 37 4C 20 EF DF ...7L ..
>>> : 9B BB D4 0B 6F DC 42 05 ....o.B.
>>> : DA 8D 22 EF 24 A8 46 68 ..".$.Fh
>>> : 79 DA CB B5 A9 CD F6 7E y......~
>>> : D5 B8 D4 DD B4 44 5F 40 .....D_@
>>> : 0A A2 59 C8 3B 2C 52 6F ..Y.;,Ro
>>> : BE 88 6C D3 A4 F6 3C B1 ..l...<.
>>> : 52 27 25 E3 E9 6F 4A 2B R'%..oJ+
>>> : C6 C4 CD EA 73 65 6C 04 ....sel.
>>> : 9A A4 79 4E A4 95 F4 F7 ..yN....
>>> : 1C C6 2E E8 D3 4B 01 8F .....K..
>>> : F2 0B 80 6C 28 67 3E 10 ...l(g>.
>>> : D7 76 1E C5 4E BF 87 37 .v..N..7
>>> : CB 99 51 81 74 5C 50 57 ..Q.t\PW
>>> : 80 3F 5D 3E 84 76 12 0A .?]>.v..
>>> : B0 A3 99 DF E5 3B A4 8F .....;..
>>> : DE 04 50 A8 E6 D0 00 6D ..P....m
>>> : 61 21 B1 A9 A9 D6 05 79 a!.....y
>>> : 0A 00 FA D5 1D A6 D6 F8 ........
>>> : 6A 22 07 E5 BC 01 C1 E0 j"......
>>> : 10 09 BD 92 09 B5 B7 29 .......)
>>> : 8B 6A 4D 28 C4 63 7A 4C .jM(.czL
>>> : 8E 7A AF 87 5D BE A4 BD .z..]...
>>> : C1 20 9A D0 82 57 03 21 . ...W.!
>>> : F3 E2 6F F5 44 22 F9 27 ..o.D".'
>>> : 41 9C 66 27 BB 52 39 E2 A.f'.R9.
>>> : 4B C8 2B 82 58 AC 0E AF K.+.X...
>>> : 8D AE A5 C7 A5 1A A3 5E
>>> : }
>>> : }
>>> : }
>>> : }
>>> : }
>>> : }
>>>
>>> On 19 April 2016 at 14:29, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>>>>
>>>> On 19/04/2016 05:55, Alex Samad wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> I have a SHA.sha file
>>>>>
>>>>> /usr/bin/openssl ts -query -data SHA.sha -sha256 | /usr/bin/curl -s -H
>>>>> Content-Type:application/timestamp-query --data-binary @-
>>>>> http://sha256timestamp.ws.symantec.com/sha256/timestamp > SHA.sha.tsr
>>>>>
>>>>> /usr/bin/openssl ts -reply -in SHA.sha.tsr -text > SHA.sha.ts.txt
>>>>>
>>>>>
>>>>> cat SHA.sha.ts.txt
>>>>> Status info:
>>>>> Status: Granted.
>>>>> Status description: unspecified
>>>>> Failure info: unspecified
>>>>>
>>>>> TST info:
>>>>> Version: 1
>>>>> Policy OID: 2.16.840.1.113733.1.7.23.3
>>>>> Hash Algorithm: sha256
>>>>> Message data:
>>>>> 0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6
>>>>> .m.[.......WE.i.
>>>>> 0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5
>>>>> z.....U%..W7>\..
>>>>> Serial number: 0x570B9C3A11CA318E2478D3680C0FEFD9238E06AB
>>>>> Time stamp: Apr 19 03:52:25 2016 GMT
>>>>> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
>>>>> Ordering: no
>>>>> Nonce: 0x580E59D87F396B25
>>>>> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>>> Network/CN=Symantec SHA256 TimeStamping Signer - G1
>>>>> Extensions:
>>>>>
>>>>>
>>>>> But when I go to verify it
>>>>>
>>>>> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>>>>> Verification: FAILED
>>>>> 140569777235784:error:2107C080:PKCS7
>>>>> routines:PKCS7_get0_signers:signer certificate not
>>>>> found:pk7_smime.c:476:
>>>>>
>>>>> is this because I didn't provide a cert to sign it with ?
>>>>
>>>> No, it is because it cannot find the certificate that Symantec
>>>> used to sign the response, specifically the certificate with
>>>> Subject name "/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>> Network/CN=Symantec SHA256 TimeStamping Signer - G1".
>>>>
>>>> I am kind of disappointed in how little detail is included in
>>>> the output from ts -reply -text, I expected it to output all
>>>> the fields, similar to what other openssl commands do when
>>>> passed the -text option.
>>>>
>>>> So I guess the next step would be to dump SHA.sha.tsr using
>>>> Peter Gutmann's dumpasn1.c program, something like
>>>>
>>>> openssl base64 -d -in SHA.sha.tsr -out SHA.sha.tsr.bin
>>>> dumpasn1 -v SHA.sha.tsr.bin
>>>>
>>>>
>>
>>
>> Enjoy
>>
>> Jakob
>> --
>> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
>> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
>> This public discussion message is non-binding and may contain errors.
>> WiseMo - Remote Service Management for PCs, Phones and Embedded
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
More information about the openssl-users
mailing list