[openssl-users] help with timestamping
Jakob Bohm
jb-openssl at wisemo.com
Wed Apr 27 04:53:34 UTC 2016
OK, It looks like this signing service is (quite unusually)
not providing the certificate in its message, which is quite
unusual.
All it provides is some information /about/ that certificate,
specifically it provides the following info:
The certificate was issued to C=US, O=Symantec Corporation,
OU=Symantec Trust Network,
CN=Symantec SHA256 TimeStamping Signer - G1
The certificate was issued by C=US, O=Symantec Corporation,
OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping CA
The certificate serial number (in hex) is
54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74 B2 8B 13
The certificate fingerprint (SHA-256) is
82 D5 56 DB DB 5D AD 5FA0 7B B6 07 26 A6 D8 6E
73 0B 5B B7 29 88 5B B6DE 4F F2 75 29 02 2C FC
Someone with knowledge of the Symantec/Verisign/Thawte/GeoTrust/
TrustCenter repository web site may be able to use this
information to download the missing certificates, but there
is no information in this file that would allow a computer
to do this.
I wonder if changing some parameter in the timestamp request
would cause the Symantec server to return a more complete
timestamp token.
Or maybe something else is failing.
On 23/04/2016 00:54, Alex Samad wrote:
> Here is a dump.
>
> I can see the CN - but I could see that before.
>
> There is also a RSA - maybe a signature or maybe is the public key for the cert.
>
> I would expect to see some signed data (sha + symantec cert + time)
> and also the public cert ( and maybe the intermediaries..)
>
>
> <30 82 03 AB>
> 0 939: SEQUENCE {
> <30 03>
> 4 3: SEQUENCE {
> <02 01>
> 6 1: INTEGER 0
> : }
> <30 82 03 A2>
> 9 930: SEQUENCE {
> <06 09>
> 13 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
> : (PKCS #7)
> <A0 82 03 93>
> 24 915: [0] {
> <30 82 03 8F>
> 28 911: SEQUENCE {
> <02 01>
> 32 1: INTEGER 3
> <31 0D>
> 35 13: SET {
> <30 0B>
> 37 11: SEQUENCE {
> <06 09>
> 39 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
> : (NIST Algorithm)
> : }
> : }
> <30 82 01 1B>
> 50 283: SEQUENCE {
> <06 0B>
> 54 11: OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
> : (S/MIME Content Types)
> <A0 82 01 0A>
> 67 266: [0] {
> <04 82 01 06>
> 71 262: OCTET STRING, encapsulates {
> <30 82 01 02>
> 75 258: SEQUENCE {
> <02 01>
> 79 1: INTEGER 1
> <06 0B>
> 82 11: OBJECT IDENTIFIER '2 16 840 1 113733 1 7 23 3'
> <30 31>
> 95 49: SEQUENCE {
> <30 0D>
> 97 13: SEQUENCE {
> <06 09>
> 99 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
> : (NIST Algorithm)
> <05 00>
> 110 0: NULL
> : }
> <04 20>
> 112 32: OCTET STRING
> : 8C 6D 95 5B E0 CD 8B C9 .m.[....
> : DF 8C AB 57 45 C4 69 E6 ...WE.i.
> : 7A B9 CE CB 14 8F 55 25 z.....U%
> : 91 2E 57 37 3E 5C B8 D5
> : }
> <02 14>
> 146 20: INTEGER
> : 57 0B 9C 3A 11 CA 31 8E W..:..1.
> : 24 78 D3 68 0C 0F EF D9 $x.h....
> : 23 8E 06 AB #...
> <18 0F>
> 168 15: GeneralizedTime 19/04/2016 03:52:25 GMT
> <30 03>
> 185 3: SEQUENCE {
> <02 01>
> 187 1: INTEGER 30
> : }
> <02 08>
> 190 8: INTEGER 58 0E 59 D8 7F 39 6B 25
> <A0 81 86>
> 200 134: [0] {
> <A4 81 83>
> 203 131: [4] {
> <30 81 80>
> 206 128: SEQUENCE {
> <31 0B>
> 209 11: SET {
> <30 09>
> 211 9: SEQUENCE {
> <06 03>
> 213 3: OBJECT IDENTIFIER countryName (2 5 4 6)
> : (X.520 DN component)
> <13 02>
> 218 2: PrintableString 'US'
> : }
> : }
> <31 1D>
> 222 29: SET {
> <30 1B>
> 224 27: SEQUENCE {
> <06 03>
> 226 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
> : (X.520 DN component)
> <13 14>
> 231 20: PrintableString 'Symantec Corporation'
> : }
> : }
> <31 1F>
> 253 31: SET {
> <30 1D>
> 255 29: SEQUENCE {
> <06 03>
> 257 3: OBJECT IDENTIFIER
> : organizationalUnitName (2 5 4 11)
> : (X.520 DN component)
> <13 16>
> 262 22: PrintableString 'Symantec Trust Network'
> : }
> : }
> <31 31>
> 286 49: SET {
> <30 2F>
> 288 47: SEQUENCE {
> <06 03>
> 290 3: OBJECT IDENTIFIER commonName (2 5 4 3)
> : (X.520 DN component)
> <13 28>
> 295 40: PrintableString 'Symantec SHA256
> TimeStamping Signer - G1'
> : }
> : }
> : }
> : }
> : }
> : }
> : }
> : }
> : }
> <31 82 02 5A>
> 337 602: SET {
> <30 82 02 56>
> 341 598: SEQUENCE {
> <02 01>
> 345 1: INTEGER 1
> <30 81 8B>
> 348 139: SEQUENCE {
> <30 77>
> 351 119: SEQUENCE {
> <31 0B>
> 353 11: SET {
> <30 09>
> 355 9: SEQUENCE {
> <06 03>
> 357 3: OBJECT IDENTIFIER countryName (2 5 4 6)
> : (X.520 DN component)
> <13 02>
> 362 2: PrintableString 'US'
> : }
> : }
> <31 1D>
> 366 29: SET {
> <30 1B>
> 368 27: SEQUENCE {
> <06 03>
> 370 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
> : (X.520 DN component)
> <13 14>
> 375 20: PrintableString 'Symantec Corporation'
> : }
> : }
> <31 1F>
> 397 31: SET {
> <30 1D>
> 399 29: SEQUENCE {
> <06 03>
> 401 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
> : (X.520 DN component)
> <13 16>
> 406 22: PrintableString 'Symantec Trust Network'
> : }
> : }
> <31 28>
> 430 40: SET {
> <30 26>
> 432 38: SEQUENCE {
> <06 03>
> 434 3: OBJECT IDENTIFIER commonName (2 5 4 3)
> : (X.520 DN component)
> <13 1F>
> 439 31: PrintableString 'Symantec SHA256 TimeStamping CA'
> : }
> : }
> : }
> <02 10>
> 472 16: INTEGER 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74
> B2 8B 13
> : }
> <30 0B>
> 490 11: SEQUENCE {
> <06 09>
> 492 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
> : (NIST Algorithm)
> : }
> <A0 81 A4>
> 503 164: [0] {
> <30 1A>
> 506 26: SEQUENCE {
> <06 09>
> 508 9: OBJECT IDENTIFIER contentType (1 2 840 113549 1 9 3)
> : (PKCS #9)
> <31 0D>
> 519 13: SET {
> <06 0B>
> 521 11: OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
> : (S/MIME Content Types)
> : }
> : }
> <30 1C>
> 534 28: SEQUENCE {
> <06 09>
> 536 9: OBJECT IDENTIFIER signingTime (1 2 840 113549 1 9 5)
> : (PKCS #9)
> <31 0F>
> 547 15: SET {
> <17 0D>
> 549 13: UTCTime 19/04/2016 03:52:25 GMT
> : }
> : }
> <30 2F>
> 564 47: SEQUENCE {
> <06 09>
> 566 9: OBJECT IDENTIFIER messageDigest (1 2 840 113549 1 9 4)
> : (PKCS #9)
> <31 22>
> 577 34: SET {
> <04 20>
> 579 32: OCTET STRING
> : 98 1B CF E1 5D 96 79 D6 ....].y.
> : 47 53 3E 27 A1 0C 57 4E GS>'..WN
> : 62 48 8E 43 F8 B5 17 D4 bH.C....
> : 1C 8F 9A 86 ED D7 A6 B4
> : }
> : }
> <30 37>
> 613 55: SEQUENCE {
> <06 0B>
> 615 11: OBJECT IDENTIFIER
> : signingCertificateV2 (1 2 840 113549 1 9 16 2 47)
> : (S/MIME Authenticated Attributes)
> <31 28>
> 628 40: SET {
> <30 26>
> 630 38: SEQUENCE {
> <30 24>
> 632 36: SEQUENCE {
> <30 22>
> 634 34: SEQUENCE {
> <04 20>
> 636 32: OCTET STRING
> : 82 D5 56 DB DB 5D AD 5F ..V..]._
> : A0 7B B6 07 26 A6 D8 6E .{..&..n
> : 73 0B 5B B7 29 88 5B B6 s.[.).[.
> : DE 4F F2 75 29 02 2C FC
> : }
> : }
> : }
> : }
> : }
> : }
> <30 0B>
> 670 11: SEQUENCE {
> <06 09>
> 672 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
> : (PKCS #1)
> : }
> <04 82 01 00>
> 683 256: OCTET STRING
> : 77 60 BE 64 F1 4C 04 B9 w`.d.L..
> : 4D 64 39 59 DC 53 27 02 Md9Y.S'.
> : 06 1F 0C C7 31 EC 5B A2 ....1.[.
> : 79 FB CA A3 07 DE D3 E6 y.......
> : 88 CE 84 37 4C 20 EF DF ...7L ..
> : 9B BB D4 0B 6F DC 42 05 ....o.B.
> : DA 8D 22 EF 24 A8 46 68 ..".$.Fh
> : 79 DA CB B5 A9 CD F6 7E y......~
> : D5 B8 D4 DD B4 44 5F 40 .....D_@
> : 0A A2 59 C8 3B 2C 52 6F ..Y.;,Ro
> : BE 88 6C D3 A4 F6 3C B1 ..l...<.
> : 52 27 25 E3 E9 6F 4A 2B R'%..oJ+
> : C6 C4 CD EA 73 65 6C 04 ....sel.
> : 9A A4 79 4E A4 95 F4 F7 ..yN....
> : 1C C6 2E E8 D3 4B 01 8F .....K..
> : F2 0B 80 6C 28 67 3E 10 ...l(g>.
> : D7 76 1E C5 4E BF 87 37 .v..N..7
> : CB 99 51 81 74 5C 50 57 ..Q.t\PW
> : 80 3F 5D 3E 84 76 12 0A .?]>.v..
> : B0 A3 99 DF E5 3B A4 8F .....;..
> : DE 04 50 A8 E6 D0 00 6D ..P....m
> : 61 21 B1 A9 A9 D6 05 79 a!.....y
> : 0A 00 FA D5 1D A6 D6 F8 ........
> : 6A 22 07 E5 BC 01 C1 E0 j"......
> : 10 09 BD 92 09 B5 B7 29 .......)
> : 8B 6A 4D 28 C4 63 7A 4C .jM(.czL
> : 8E 7A AF 87 5D BE A4 BD .z..]...
> : C1 20 9A D0 82 57 03 21 . ...W.!
> : F3 E2 6F F5 44 22 F9 27 ..o.D".'
> : 41 9C 66 27 BB 52 39 E2 A.f'.R9.
> : 4B C8 2B 82 58 AC 0E AF K.+.X...
> : 8D AE A5 C7 A5 1A A3 5E
> : }
> : }
> : }
> : }
> : }
> : }
>
> On 19 April 2016 at 14:29, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>> On 19/04/2016 05:55, Alex Samad wrote:
>>> Hi
>>>
>>> I have a SHA.sha file
>>>
>>> /usr/bin/openssl ts -query -data SHA.sha -sha256 | /usr/bin/curl -s -H
>>> Content-Type:application/timestamp-query --data-binary @-
>>> http://sha256timestamp.ws.symantec.com/sha256/timestamp > SHA.sha.tsr
>>>
>>> /usr/bin/openssl ts -reply -in SHA.sha.tsr -text > SHA.sha.ts.txt
>>>
>>>
>>> cat SHA.sha.ts.txt
>>> Status info:
>>> Status: Granted.
>>> Status description: unspecified
>>> Failure info: unspecified
>>>
>>> TST info:
>>> Version: 1
>>> Policy OID: 2.16.840.1.113733.1.7.23.3
>>> Hash Algorithm: sha256
>>> Message data:
>>> 0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6
>>> .m.[.......WE.i.
>>> 0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5
>>> z.....U%..W7>\..
>>> Serial number: 0x570B9C3A11CA318E2478D3680C0FEFD9238E06AB
>>> Time stamp: Apr 19 03:52:25 2016 GMT
>>> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
>>> Ordering: no
>>> Nonce: 0x580E59D87F396B25
>>> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>> Network/CN=Symantec SHA256 TimeStamping Signer - G1
>>> Extensions:
>>>
>>>
>>> But when I go to verify it
>>>
>>> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>>> Verification: FAILED
>>> 140569777235784:error:2107C080:PKCS7
>>> routines:PKCS7_get0_signers:signer certificate not
>>> found:pk7_smime.c:476:
>>>
>>> is this because I didn't provide a cert to sign it with ?
>> No, it is because it cannot find the certificate that Symantec
>> used to sign the response, specifically the certificate with
>> Subject name "/C=US/O=Symantec Corporation/OU=Symantec Trust
>> Network/CN=Symantec SHA256 TimeStamping Signer - G1".
>>
>> I am kind of disappointed in how little detail is included in
>> the output from ts -reply -text, I expected it to output all
>> the fields, similar to what other openssl commands do when
>> passed the -text option.
>>
>> So I guess the next step would be to dump SHA.sha.tsr using
>> Peter Gutmann's dumpasn1.c program, something like
>>
>> openssl base64 -d -in SHA.sha.tsr -out SHA.sha.tsr.bin
>> dumpasn1 -v SHA.sha.tsr.bin
>>
>>
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list