[openssl-users] Question about timestamps

Jakob Bohm jb-openssl at wisemo.com
Fri Apr 8 05:49:57 UTC 2016


On 08/04/2016 07:39, Alex Samad wrote:
> Hi
>
> I am trying to use a rfc3161 timestamp service to record timestamps.
>
>
> Basically I have a sha of some files and I would like to sign the file.
>
> basically I am using something like this
>
> # Generate Query and send
> $OPENSSL ts -query -data "$FL" -sha256 | $CURL -s -H
> "Content-Type:application/timestamp-query" --data-binary "@-" $TSA >
> "${FL}.tsr"
>
> $OPENSSL ts -reply -in "${FL}.tsr" -text > "${FL}.ts.txt"
>
>
> where FL = is file.
>
> What I want to be able to do is verify the .tsr file
>
> testing that with
>
> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>
>
> where SHA.sha is the original FL
>
> but I get
>
> Verification: FAILED
> 140221656393544:error:2107C080:PKCS7
> routines:PKCS7_get0_signers:signer certificate not
> found:pk7_smime.c:476:
>
> from the text output
>   cat *.txt
> Status info:
> Status: Granted.
> Status description: unspecified
> Failure info: unspecified
>
> TST info:
> Version: 1
> Policy OID: 2.16.840.1.113733.1.7.23.3
> Hash Algorithm: sha256
> Message data:
>      0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[.......WE.i.
>      0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.....U%..W7>\..
> Serial number: 0xBEAF663E1CD2F0D029C1A641AD2F9137A5F097C9
> Time stamp: Apr  8 04:58:08 2016 GMT
> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
> Ordering: no
> Nonce: 0x8E67A9941BCB2570
> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust
> Network/CN=Symantec SHA256 TimeStamping Signer - G1
> Extensions:
I think this certificate is the end entity certificate
for the Symantec time stamping server that responded to
your request.

If you dump the full contents of the TSR it should include
that certificate somewhere, plus a chain leading to a
public root which is hopefully in your list of trusted
certificates or at least available via some other secure
method.

>
>
>
> I am guessing my problem is the above certificate is not in the ssl
> path. and currently I am unable to find it on the symantec site.
>
> Am I doing the right think ?
> I have also looked at global sign and similar issue, find the cert
>
> what am i missing


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



More information about the openssl-users mailing list