[openssl-users] Question about timestamps

Jakob Bohm jb-openssl at wisemo.com
Fri Apr 8 06:26:21 UTC 2016


Try something like

$OPENSSL ts -reply -in ${FL}.tsr -text -noout

(Not sure if it accepts the -noout option or not).

On 08/04/2016 08:01, Alex Samad wrote:
> Okay, how do I dump the intermediaries then?
>
>
>
> On 8 April 2016 at 15:49, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>> On 08/04/2016 07:39, Alex Samad wrote:
>>> Hi
>>>
>>> I am trying to use an RFC 3161 timestamp service to record timestamps.
>>>
>>>
>>> Basically I have a sha of some files and I would like to sign the file.
>>>
>>> Basically I am using something like this:
>>>
>>> # Generate Query and send
>>> $OPENSSL ts -query -data "$FL" -sha256 | $CURL -s -H "Content-Type:application/timestamp-query" --data-binary "@-" $TSA > "${FL}.tsr"
>>>
>>> $OPENSSL ts -reply -in "${FL}.tsr" -text > "${FL}.ts.txt"
>>>
>>>
>>> where FL is the file.
>>>
>>> What I want to be able to do is verify the .tsr file
>>>
>>> testing that with
>>>
>>> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>>>
>>>
>>> where SHA.sha is the original FL
>>>
>>> but I get
>>>
>>> Verification: FAILED
>>> 140221656393544:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:
>>>
>>> from the text output
>>>    cat *.txt
>>> Status info:
>>> Status: Granted.
>>> Status description: unspecified
>>> Failure info: unspecified
>>>
>>> TST info:
>>> Version: 1
>>> Policy OID: 2.16.840.1.113733.1.7.23.3
>>> Hash Algorithm: sha256
>>> Message data:
>>>       0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[.......WE.i.
>>>       0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.....U%..W7>\..
>>> Serial number: 0xBEAF663E1CD2F0D029C1A641AD2F9137A5F097C9
>>> Time stamp: Apr  8 04:58:08 2016 GMT
>>> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
>>> Ordering: no
>>> Nonce: 0x8E67A9941BCB2570
>>> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1
>>> Extensions:
>> I think this certificate is the end entity certificate
>> for the Symantec time stamping server that responded to
>> your request.
>>
>> If you dump the full contents of the TSR it should include
>> that certificate somewhere, plus a chain leading to a
>> public root which is hopefully in your list of trusted
>> certificates or at least available via some other secure
>> method.
>>

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
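
Added example, not part of the original thread or of OpenSSL: a small DER walker that reports how many certificates an RFC 3161 reply (.tsr) carries in its CMS SignedData, which is the thing to check when dumping the TSR as suggested above. The function names are hypothetical and the sample replies are constructed skeletons with filler bytes, not real TSA output.

```python
# Added example. Sample replies are constructed skeletons, not real TSA output.
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")      # OID 1.2.840.113549.1.7.2
TST_INFO = bytes.fromhex("2a864886f70d0109100104")     # OID 1.2.840.113549.1.9.16.1.4

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed element's contents into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def tsr_embedded_certs(tsr):
    """Count certificates carried in a TimeStampResp; None if it has no token."""
    fields = children(read_tlv(tsr, 0)[1])              # PKIStatusInfo, ContentInfo?
    if len(fields) < 2:
        return None                                     # status only, no token
    ctype, content = children(fields[1][1])[:2]         # contentType, [0] EXPLICIT
    if ctype != (0x06, SIGNED_DATA):
        raise ValueError("token is not CMS SignedData")
    signed_data = children(children(content[1])[0][1])
    # version, digestAlgorithms, encapContentInfo, then optional [0] certificates
    for tag, val in signed_data[3:]:
        if tag == 0xA0:
            return len(children(val))
    return 0                                            # no certificates field present

def tlv(tag, body=b""):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_tsr(ncerts):
    """Constructed reply skeleton; certificate bodies are filler bytes."""
    sd = tlv(0x02, b"\x03") + tlv(0x31) + tlv(0x30, tlv(0x06, TST_INFO))
    if ncerts:
        sd += tlv(0xA0, b"".join(tlv(0x30, bytes(90)) for _ in range(ncerts)))
    sd += tlv(0x31)                                     # signerInfos left empty
    token = tlv(0x30, tlv(0x06, SIGNED_DATA) + tlv(0xA0, tlv(0x30, sd)))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x00")) + token)
```

On a real reply, call `tsr_embedded_certs(open("SHA.sha.tsr", "rb").read())`. A result of 0 means the token carries no certificates, so the verifier has to be given the TSA certificate separately (`openssl ts -verify` takes `-untrusted` and `-CAfile`), or the request has to ask for it with `openssl ts -query -cert`.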


