[openssl-users] help with timestamping

Alex Samad alex at samad.com.au
Tue May 3 04:20:22 UTC 2016


Got a bit further


=======
#!/bin/bash


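# Start from a clean slate by removing artifacts of a previous run.
# The original list named only /tmp/sym.cer (presumably a leftover name), while
# the script actually writes /tmp/symINT.cer and /tmp/symCA.cer; all three are
# removed here so a stale certificate bundle cannot survive into this run.
# NOTE(review): every file uses a fixed, predictable name in /tmp. On a
# multi-user host prefer a private directory from `mktemp -d`, so another local
# user cannot pre-create or swap these paths.
rm -f -- /tmp/test.data* /tmp/sym.cer /tmp/symINT.cer /tmp/symCA.cer


# Sample payload to be timestamped. The quoted delimiter keeps the body
# literal (no parameter or command expansion).
cat > /tmp/test.data <<'EOF'
This is a test
A test
EOF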







# Write the bundle later passed to `openssl ts -verify -untrusted`: the TSA
# signing certificate followed by the CA certificate that issued it.
# Everything up to the closing EOF is file content, including the '#' lines
# and the wrapped "CN=..." lines; they sit outside the BEGIN/END markers and
# are expected to be skipped by the PEM parser (confirm on your build).
# The heredoc delimiter is unquoted, so the shell would expand '$' or
# backticks in the body; none occur in the text shown here.
# NOTE(review): in this copy of the listing the second certificate has no
# body (BEGIN and END share one line around a placeholder), so the file as
# shown would not yield a usable issuing-CA certificate.
cat > /tmp/symINT.cer << EOF
# Signing cert public key
#Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
CN=Symantec SHA256 TimeStamping CA
#Subject: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
CN=Symantec SHA256 TimeStamping Signer - G1
-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIQVPN9oXFnUbxqjQrSdLKLEzANBgkqhkiG9w0BAQsFADB3
MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj
IFNIQTI1NiBUaW1lU3RhbXBpbmcgQ0EwHhcNMTYwMTEyMDAwMDAwWhcNMjcwNDEx
MjM1OTU5WjCBgDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBv
cmF0aW9uMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTEwLwYDVQQD
EyhTeW1hbnRlYyBTSEEyNTYgVGltZVN0YW1waW5nIFNpZ25lciAtIEcxMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn/vfjx+nz54+GsvraK3PJxzugVWp
hwhY5YFNCRTg7dDz1A8/IbYeDjTU8WgKb32Pidny6qfYJTikjDbK7ijPM/h1Pdid
z5LdVuP2sHlUZrVFgkNE0mqxqxeiw+XvAOon8yeIDoc89m68qez2uy5qdwYivfq4
f8MkB/c/u0yw/0PLk8oSqpUkAJCyKzai0t3Ss9GZMt3P9MxzFkmDfyTr7XhG0+5f
bEJlG2eN8CYaDl6HblqPoIJ+bp/NJt69Ye9EXkWLqJTTHAQyof+kp6KqdwHbKt4P
TJI2xmmsXISArSX17TDDaB0X2wpNmjR4WQGbawKFOOIncaIUVDBgkyBIIwIDAQAB
o4IBxzCCAcMwDAYDVR0TAQH/BAIwADBmBgNVHSAEXzBdMFsGC2CGSAGG+EUBBxcD
MEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUF
BwICMBkaF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMEAGA1UdHwQ5MDcwNaAzoDGG
L2h0dHA6Ly90cy1jcmwud3Muc3ltYW50ZWMuY29tL3NoYTI1Ni10c3MtY2EuY3Js
MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4GA1UdDwEB/wQEAwIHgDB3BggrBgEF
BQcBAQRrMGkwKgYIKwYBBQUHMAGGHmh0dHA6Ly90cy1vY3NwLndzLnN5bWFudGVj
LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL3RzLWFpYS53cy5zeW1hbnRlYy5jb20v
c2hhMjU2LXRzcy1jYS5jZXIwKAYDVR0RBCEwH6QdMBsxGTAXBgNVBAMTEFRpbWVT
dGFtcC0yMDQ4LTQwHQYDVR0OBBYEFO1rYM87WPg+Msy/pOir6OqiUEJ/MB8GA1Ud
IwQYMBaAFK9j1sqjToVy4Ke8QfMpojh/gHViMA0GCSqGSIb3DQEBCwUAA4IBAQCi
jV5dHe5O0pP9T+X0babwiUVVuwjKqyShFiTJTxfBn/TdAprCR8Cp3IiJd8GGhvHV
SZbz+x6Y1skdNSOImYpi4XWoTXinPewkgBWeaNQ6pMJM3HFslp2OHgwubFIBnlaQ
P6Jeks222kEaJIOheqNf/o07bznRP0FfVhwnDOV8BdhnNojlsMLDBKNaVrgSBI7U
nCRrG2a0vqAa4bXN7ONEpLE855LzWN3f6LFYS3BLzpAAzNyj0dJudRZURALvG1RE
Y+i1cMi5R5pbRcRudpoYsfcQM8gLUfVVjP0hHkGPTj6QXYAByLwkfoZoFBUUNDV0
SbeHUinWll6ioxbUsNN7
-----END CERTIFICATE-----
# CA for signing cert
#Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c)
2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal
Root Certification Authority
#Subject: C=US, O=Symantec Corporation, OU=Symantec Trust Network,
CN=Symantec SHA256 TimeStamping CA
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

EOF



# Write the trust anchor later passed to `openssl ts -verify -CAfile`.
# The Issuer and Subject header lines name the same entity (VeriSign
# Universal Root Certification Authority), i.e. this is a self-signed root.
# NOTE(review): -CAfile is what the whole verification result rests on. A
# root certificate pasted from a mail message should be compared against a
# fingerprint obtained through an independent channel before it is trusted.
# The unquoted heredoc delimiter allows shell expansion in the body; the text
# shown contains no '$' or backticks.
cat > /tmp/symCA.cer << EOF
#Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c)
2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal
Root Certification Authority
#Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c)
2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal
Root Certification Authority
-----BEGIN CERTIFICATE-----
MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCB
vTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTgwNgYDVQQDEy9W
ZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
Fw0wODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIG9MQswCQYDVQQGEwJVUzEX
MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0
IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWduLCBJbmMuIC0gRm9y
IGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVuaXZlcnNh
bCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1hajCMj1mCOkdeQmIN65lgZOIzF
9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQHnOgO+k1KxCHfKWGPMiJhgsWH
H26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCznmhcrewA3ekEzeOEz4vMQGn+H
LL729fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsLdUYI0crSK5XQz/u5QGtkjFdN
/BMReYTtXlT2NJ8IAfMQJQYXStrxHXpma5hgZqTZ79IugvHw7wnqRMkVauIDbjPT
rJ9VAMf2CGqUuV/c4DPxhGD5WycRtPwW8rtWaoAljQIDAQABo4GyMIGvMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMG0GCCsGAQUFBwEMBGEwX6FdoFsw
WTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgs
exkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMB0GA1Ud
DgQWBBS2d/ppSEefUxLVwuoHMnYH0ZcHGTANBgkqhkiG9w0BAQsFAAOCAQEASvj4
sAPmLGd75JR3Y8xuTPl9Dg3cyLk1uXBPY/ok+myDjEedO2Pzmvl2MpWRsXe8rJq+
seQxIcaBlVZaDrHC1LGmWazxY8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz
4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTxP/jgdFcrGJ2BtMQo2pSXpXDrrB2+
BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+PwGZsY6rp2aQW9IHR
lRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4mJO3
7M2CYfE45k+XmCpajQ==
-----END CERTIFICATE-----
EOF


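# Build an RFC 3161 timestamp query over the test file (SHA-256 digest).
# The mail client wrapped the original commands mid-line, which left options
# without their arguments; they are rejoined here with explicit continuations.
# NOTE(review): -no_nonce omits the nonce, so a reply cannot be tied to this
# particular request. Fine while debugging; drop the flag for real use so a
# replayed response is detectable.
# NOTE(review): adding -cert to the query asks the TSA to include its signing
# certificate in the reply, which may remove the need for a hand-built bundle.
/usr/bin/openssl ts -query -data /tmp/test.data -sha256 \
  -out /tmp/test.data.tsq -no_nonce || exit 1


# Submit the query to the TSA. The transport is plain HTTP, so the reply is
# trustworthy only after the `ts -verify` step below succeeds.
# -f stops an HTTP error page from being saved as the .tsr; -S reports errors.
/usr/bin/curl -sS -f -H 'Content-Type:application/timestamp-query' \
  --data-binary @/tmp/test.data.tsq \
  -o /tmp/test.data.tsr \
  http://sha256timestamp.ws.symantec.com/sha256/timestamp || exit 1


# Alternative kept from the original (query piped straight into curl):
#/usr/bin/openssl ts -query -data /tmp/test.data -sha256 |
#  /usr/bin/curl -s -H Content-Type:application/timestamp-query \
#  --data-binary @- \
#  http://sha256timestamp.ws.symantec.com/sha256/timestamp > /tmp/test.data.tsr

# Human-readable dump of the reply (status and TST info) for inspection.
/usr/bin/openssl ts -reply -in /tmp/test.data.tsr -text \
  > /tmp/test.data.tsr.txt

# Earlier attempts, kept for reference:
#openssl ts -verify -data /tmp/test.data -in /tmp/test.data.tsr
#openssl ts -verify -data /tmp/test.data -in /tmp/test.data.tsr -untrusted /tmp/symINT.cer

# Verify the token against the data: -CAfile is the trust anchor, -untrusted
# supplies the signer and intermediate certificates used to build the chain.
# The same /usr/bin/openssl as above is used so that the query and the
# verification do not run on different builds.
# NOTE(review): the reply dumped later in this thread carries a
# signingCertificateV2 attribute. An OpenSSL build whose TS verifier only
# handles the older SHA-1 signingCertificate attribute would likely fail here
# with "ess signing certificate error"; check the version in use rather than
# treating the token as verified.
/usr/bin/openssl ts -verify -data /tmp/test.data -in /tmp/test.data.tsr \
  -untrusted /tmp/symINT.cer -CAfile /tmp/symCA.cer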

=======


results in this
Verification: FAILED
140328034314056:error:2F067065:time stamp
routines:TS_CHECK_SIGNING_CERTS:ess signing certificate
error:ts_rsp_verify.c:291:


which led me to this
http://openssl.6102.n7.nabble.com/possible-Bug-in-OpenSSL-rfc-3161-TSA-service-tt43128.html#none

Not sure if there has been any work on this since then.


On 29 April 2016 at 11:25, Alex Samad <alex at samad.com.au> wrote:
> Okay I have the cert from sym
>
> -----BEGIN CERTIFICATE-----
> MIIFSzCCBDOgAwIBAgIQVPN9oXFnUbxqjQrSdLKLEzANBgkqhkiG9w0BAQsFADB3
> MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
> BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj
> IFNIQTI1NiBUaW1lU3RhbXBpbmcgQ0EwHhcNMTYwMTEyMDAwMDAwWhcNMjcwNDEx
> MjM1OTU5WjCBgDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBv
> cmF0aW9uMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTEwLwYDVQQD
> EyhTeW1hbnRlYyBTSEEyNTYgVGltZVN0YW1waW5nIFNpZ25lciAtIEcxMIIBIjAN
> BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn/vfjx+nz54+GsvraK3PJxzugVWp
> hwhY5YFNCRTg7dDz1A8/IbYeDjTU8WgKb32Pidny6qfYJTikjDbK7ijPM/h1Pdid
> z5LdVuP2sHlUZrVFgkNE0mqxqxeiw+XvAOon8yeIDoc89m68qez2uy5qdwYivfq4
> f8MkB/c/u0yw/0PLk8oSqpUkAJCyKzai0t3Ss9GZMt3P9MxzFkmDfyTr7XhG0+5f
> bEJlG2eN8CYaDl6HblqPoIJ+bp/NJt69Ye9EXkWLqJTTHAQyof+kp6KqdwHbKt4P
> TJI2xmmsXISArSX17TDDaB0X2wpNmjR4WQGbawKFOOIncaIUVDBgkyBIIwIDAQAB
> o4IBxzCCAcMwDAYDVR0TAQH/BAIwADBmBgNVHSAEXzBdMFsGC2CGSAGG+EUBBxcD
> MEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUF
> BwICMBkaF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMEAGA1UdHwQ5MDcwNaAzoDGG
> L2h0dHA6Ly90cy1jcmwud3Muc3ltYW50ZWMuY29tL3NoYTI1Ni10c3MtY2EuY3Js
> MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4GA1UdDwEB/wQEAwIHgDB3BggrBgEF
> BQcBAQRrMGkwKgYIKwYBBQUHMAGGHmh0dHA6Ly90cy1vY3NwLndzLnN5bWFudGVj
> LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL3RzLWFpYS53cy5zeW1hbnRlYy5jb20v
> c2hhMjU2LXRzcy1jYS5jZXIwKAYDVR0RBCEwH6QdMBsxGTAXBgNVBAMTEFRpbWVT
> dGFtcC0yMDQ4LTQwHQYDVR0OBBYEFO1rYM87WPg+Msy/pOir6OqiUEJ/MB8GA1Ud
> IwQYMBaAFK9j1sqjToVy4Ke8QfMpojh/gHViMA0GCSqGSIb3DQEBCwUAA4IBAQCi
> jV5dHe5O0pP9T+X0babwiUVVuwjKqyShFiTJTxfBn/TdAprCR8Cp3IiJd8GGhvHV
> SZbz+x6Y1skdNSOImYpi4XWoTXinPewkgBWeaNQ6pMJM3HFslp2OHgwubFIBnlaQ
> P6Jeks222kEaJIOheqNf/o07bznRP0FfVhwnDOV8BdhnNojlsMLDBKNaVrgSBI7U
> nCRrG2a0vqAa4bXN7ONEpLE855LzWN3f6LFYS3BLzpAAzNyj0dJudRZURALvG1RE
> Y+i1cMi5R5pbRcRudpoYsfcQM8gLUfVVjP0hHkGPTj6QXYAByLwkfoZoFBUUNDV0
> SbeHUinWll6ioxbUsNN7
> -----END CERTIFICATE-----
>
>
> openssl x509 -in newsym1.cer -noout -subject
> subject= /C=US/O=Symantec Corporation/OU=Symantec Trust
> Network/CN=Symantec SHA256 TimeStamping Signer - G1
>
>
> Still getting
>
>  openssl ts -verify -data SHA.sha -in SHA.sha.tsr  -CApath newsym1.cer
> Verification: FAILED
> 139630315571016:error:2107C080:PKCS7
> routines:PKCS7_get0_signers:signer certificate not
> found:pk7_smime.c:476:
>
>
>
>
>
> On 27 April 2016 at 14:53, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>> OK, It looks like this signing service is (quite unusually)
>> not providing the certificate in its message, which is quite
>> unusual.
>>
>> All it provides is some information /about/ that certificate,
>> specifically it provides the following info:
>>
>> The certificate was issued to C=US, O=Symantec Corporation,
>> OU=Symantec Trust Network,
>> CN=Symantec SHA256 TimeStamping Signer - G1
>>
>> The certificate was issued by C=US, O=Symantec Corporation,
>> OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping CA
>>
>> The certificate serial number (in hex) is
>> 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74 B2 8B 13
>>
>> The certificate fingerprint (SHA-256) is
>> 82 D5 56 DB DB 5D AD 5F A0 7B B6 07 26 A6 D8 6E
>> 73 0B 5B B7 29 88 5B B6 DE 4F F2 75 29 02 2C FC
>>
>> Someone with knowledge of the Symantec/Verisign/Thawte/GeoTrust/
>> TrustCenter repository web site may be able to use this
>> information to download the missing certificates, but there
>> is no information in this file that would allow a computer
>> to do this.
>>
>> I wonder if changing some parameter in the timestamp request
>> would cause the Symantec server to return a more complete
>> timestamp token.
>>
>> Or maybe something else is failing.
>>
>>
>>
>> On 23/04/2016 00:54, Alex Samad wrote:
>>>
>>> Here is a dump.
>>>
>>> I can see the CN - but I could see that before.
>>>
>>> There is also a RSA - maybe a signature or maybe is the public key for the
>>> cert.
>>>
>>> I would expect to see some signed data (sha + symantec cert + time)
>>> and also the public cert ( and maybe the intermediaries..)
>>>
>>>
>>>      <30 82 03 AB>
>>>    0 939: SEQUENCE {
>>>      <30 03>
>>>    4   3:   SEQUENCE {
>>>      <02 01>
>>>    6   1:     INTEGER 0
>>>         :     }
>>>      <30 82 03 A2>
>>>    9 930:   SEQUENCE {
>>>      <06 09>
>>>   13   9:     OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
>>>         :       (PKCS #7)
>>>      <A0 82 03 93>
>>>   24 915:     [0] {
>>>      <30 82 03 8F>
>>>   28 911:       SEQUENCE {
>>>      <02 01>
>>>   32   1:         INTEGER 3
>>>      <31 0D>
>>>   35  13:         SET {
>>>      <30 0B>
>>>   37  11:           SEQUENCE {
>>>      <06 09>
>>>   39   9:             OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
>>>         :               (NIST Algorithm)
>>>         :             }
>>>         :           }
>>>      <30 82 01 1B>
>>>   50 283:         SEQUENCE {
>>>      <06 0B>
>>>   54  11:           OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
>>>         :             (S/MIME Content Types)
>>>      <A0 82 01 0A>
>>>   67 266:           [0] {
>>>      <04 82 01 06>
>>>   71 262:             OCTET STRING, encapsulates {
>>>      <30 82 01 02>
>>>   75 258:               SEQUENCE {
>>>      <02 01>
>>>   79   1:                 INTEGER 1
>>>      <06 0B>
>>>   82  11:                 OBJECT IDENTIFIER '2 16 840 1 113733 1 7 23 3'
>>>      <30 31>
>>>   95  49:                 SEQUENCE {
>>>      <30 0D>
>>>   97  13:                   SEQUENCE {
>>>      <06 09>
>>>   99   9:                     OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3
>>> 4 2 1)
>>>         :                       (NIST Algorithm)
>>>      <05 00>
>>> 110   0:                     NULL
>>>         :                     }
>>>      <04 20>
>>> 112  32:                   OCTET STRING
>>>         :                     8C 6D 95 5B E0 CD 8B C9    .m.[....
>>>         :                     DF 8C AB 57 45 C4 69 E6    ...WE.i.
>>>         :                     7A B9 CE CB 14 8F 55 25    z.....U%
>>>         :                     91 2E 57 37 3E 5C B8 D5
>>>         :                   }
>>>      <02 14>
>>> 146  20:                 INTEGER
>>>         :                   57 0B 9C 3A 11 CA 31 8E    W..:..1.
>>>         :                   24 78 D3 68 0C 0F EF D9    $x.h....
>>>         :                   23 8E 06 AB                #...
>>>      <18 0F>
>>> 168  15:                 GeneralizedTime 19/04/2016 03:52:25 GMT
>>>      <30 03>
>>> 185   3:                 SEQUENCE {
>>>      <02 01>
>>> 187   1:                   INTEGER 30
>>>         :                   }
>>>      <02 08>
>>> 190   8:                 INTEGER 58 0E 59 D8 7F 39 6B 25
>>>      <A0 81 86>
>>> 200 134:                 [0] {
>>>      <A4 81 83>
>>> 203 131:                   [4] {
>>>      <30 81 80>
>>> 206 128:                     SEQUENCE {
>>>      <31 0B>
>>> 209  11:                       SET {
>>>      <30 09>
>>> 211   9:                         SEQUENCE {
>>>      <06 03>
>>> 213   3:                           OBJECT IDENTIFIER countryName (2 5 4 6)
>>>         :                             (X.520 DN component)
>>>      <13 02>
>>> 218   2:                           PrintableString 'US'
>>>         :                           }
>>>         :                         }
>>>      <31 1D>
>>> 222  29:                       SET {
>>>      <30 1B>
>>> 224  27:                         SEQUENCE {
>>>      <06 03>
>>> 226   3:                           OBJECT IDENTIFIER organizationName (2 5
>>> 4 10)
>>>         :                             (X.520 DN component)
>>>      <13 14>
>>> 231  20:                           PrintableString 'Symantec Corporation'
>>>         :                           }
>>>         :                         }
>>>      <31 1F>
>>> 253  31:                       SET {
>>>      <30 1D>
>>> 255  29:                         SEQUENCE {
>>>      <06 03>
>>> 257   3:                           OBJECT IDENTIFIER
>>>         :                             organizationalUnitName (2 5 4 11)
>>>         :                             (X.520 DN component)
>>>      <13 16>
>>> 262  22:                           PrintableString 'Symantec Trust
>>> Network'
>>>         :                           }
>>>         :                         }
>>>      <31 31>
>>> 286  49:                       SET {
>>>      <30 2F>
>>> 288  47:                         SEQUENCE {
>>>      <06 03>
>>> 290   3:                           OBJECT IDENTIFIER commonName (2 5 4 3)
>>>         :                             (X.520 DN component)
>>>      <13 28>
>>> 295  40:                           PrintableString 'Symantec SHA256
>>> TimeStamping Signer - G1'
>>>         :                           }
>>>         :                         }
>>>         :                       }
>>>         :                     }
>>>         :                   }
>>>         :                 }
>>>         :               }
>>>         :             }
>>>         :           }
>>>      <31 82 02 5A>
>>> 337 602:         SET {
>>>      <30 82 02 56>
>>> 341 598:           SEQUENCE {
>>>      <02 01>
>>> 345   1:             INTEGER 1
>>>      <30 81 8B>
>>> 348 139:             SEQUENCE {
>>>      <30 77>
>>> 351 119:               SEQUENCE {
>>>      <31 0B>
>>> 353  11:                 SET {
>>>      <30 09>
>>> 355   9:                   SEQUENCE {
>>>      <06 03>
>>> 357   3:                     OBJECT IDENTIFIER countryName (2 5 4 6)
>>>         :                       (X.520 DN component)
>>>      <13 02>
>>> 362   2:                     PrintableString 'US'
>>>         :                     }
>>>         :                   }
>>>      <31 1D>
>>> 366  29:                 SET {
>>>      <30 1B>
>>> 368  27:                   SEQUENCE {
>>>      <06 03>
>>> 370   3:                     OBJECT IDENTIFIER organizationName (2 5 4 10)
>>>         :                       (X.520 DN component)
>>>      <13 14>
>>> 375  20:                     PrintableString 'Symantec Corporation'
>>>         :                     }
>>>         :                   }
>>>      <31 1F>
>>> 397  31:                 SET {
>>>      <30 1D>
>>> 399  29:                   SEQUENCE {
>>>      <06 03>
>>> 401   3:                     OBJECT IDENTIFIER organizationalUnitName (2 5
>>> 4 11)
>>>         :                       (X.520 DN component)
>>>      <13 16>
>>> 406  22:                     PrintableString 'Symantec Trust Network'
>>>         :                     }
>>>         :                   }
>>>      <31 28>
>>> 430  40:                 SET {
>>>      <30 26>
>>> 432  38:                   SEQUENCE {
>>>      <06 03>
>>> 434   3:                     OBJECT IDENTIFIER commonName (2 5 4 3)
>>>         :                       (X.520 DN component)
>>>      <13 1F>
>>> 439  31:                     PrintableString 'Symantec SHA256 TimeStamping
>>> CA'
>>>         :                     }
>>>         :                   }
>>>         :                 }
>>>      <02 10>
>>> 472  16:               INTEGER 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74
>>> B2 8B 13
>>>         :               }
>>>      <30 0B>
>>> 490  11:             SEQUENCE {
>>>      <06 09>
>>> 492   9:               OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
>>>         :                 (NIST Algorithm)
>>>         :               }
>>>      <A0 81 A4>
>>> 503 164:             [0] {
>>>      <30 1A>
>>> 506  26:               SEQUENCE {
>>>      <06 09>
>>> 508   9:                 OBJECT IDENTIFIER contentType (1 2 840 113549 1 9
>>> 3)
>>>         :                   (PKCS #9)
>>>      <31 0D>
>>> 519  13:                 SET {
>>>      <06 0B>
>>> 521  11:                   OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9
>>> 16 1 4)
>>>         :                     (S/MIME Content Types)
>>>         :                   }
>>>         :                 }
>>>      <30 1C>
>>> 534  28:               SEQUENCE {
>>>      <06 09>
>>> 536   9:                 OBJECT IDENTIFIER signingTime (1 2 840 113549 1 9
>>> 5)
>>>         :                   (PKCS #9)
>>>      <31 0F>
>>> 547  15:                 SET {
>>>      <17 0D>
>>> 549  13:                   UTCTime 19/04/2016 03:52:25 GMT
>>>         :                   }
>>>         :                 }
>>>      <30 2F>
>>> 564  47:               SEQUENCE {
>>>      <06 09>
>>> 566   9:                 OBJECT IDENTIFIER messageDigest (1 2 840 113549 1
>>> 9 4)
>>>         :                   (PKCS #9)
>>>      <31 22>
>>> 577  34:                 SET {
>>>      <04 20>
>>> 579  32:                   OCTET STRING
>>>         :                     98 1B CF E1 5D 96 79 D6    ....].y.
>>>         :                     47 53 3E 27 A1 0C 57 4E    GS>'..WN
>>>         :                     62 48 8E 43 F8 B5 17 D4    bH.C....
>>>         :                     1C 8F 9A 86 ED D7 A6 B4
>>>         :                   }
>>>         :                 }
>>>      <30 37>
>>> 613  55:               SEQUENCE {
>>>      <06 0B>
>>> 615  11:                 OBJECT IDENTIFIER
>>>         :                   signingCertificateV2 (1 2 840 113549 1 9 16 2
>>> 47)
>>>         :                   (S/MIME Authenticated Attributes)
>>>      <31 28>
>>> 628  40:                 SET {
>>>      <30 26>
>>> 630  38:                   SEQUENCE {
>>>      <30 24>
>>> 632  36:                     SEQUENCE {
>>>      <30 22>
>>> 634  34:                       SEQUENCE {
>>>      <04 20>
>>> 636  32:                         OCTET STRING
>>>         :                           82 D5 56 DB DB 5D AD 5F    ..V..]._
>>>         :                           A0 7B B6 07 26 A6 D8 6E    .{..&..n
>>>         :                           73 0B 5B B7 29 88 5B B6    s.[.).[.
>>>         :                           DE 4F F2 75 29 02 2C FC
>>>         :                         }
>>>         :                       }
>>>         :                     }
>>>         :                   }
>>>         :                 }
>>>         :               }
>>>      <30 0B>
>>> 670  11:             SEQUENCE {
>>>      <06 09>
>>> 672   9:               OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1
>>> 1)
>>>         :                 (PKCS #1)
>>>         :               }
>>>      <04 82 01 00>
>>> 683 256:             OCTET STRING
>>>         :               77 60 BE 64 F1 4C 04 B9    w`.d.L..
>>>         :               4D 64 39 59 DC 53 27 02    Md9Y.S'.
>>>         :               06 1F 0C C7 31 EC 5B A2    ....1.[.
>>>         :               79 FB CA A3 07 DE D3 E6    y.......
>>>         :               88 CE 84 37 4C 20 EF DF    ...7L ..
>>>         :               9B BB D4 0B 6F DC 42 05    ....o.B.
>>>         :               DA 8D 22 EF 24 A8 46 68    ..".$.Fh
>>>         :               79 DA CB B5 A9 CD F6 7E    y......~
>>>         :               D5 B8 D4 DD B4 44 5F 40    .....D_@
>>>         :               0A A2 59 C8 3B 2C 52 6F    ..Y.;,Ro
>>>         :               BE 88 6C D3 A4 F6 3C B1    ..l...<.
>>>         :               52 27 25 E3 E9 6F 4A 2B    R'%..oJ+
>>>         :               C6 C4 CD EA 73 65 6C 04    ....sel.
>>>         :               9A A4 79 4E A4 95 F4 F7    ..yN....
>>>         :               1C C6 2E E8 D3 4B 01 8F    .....K..
>>>         :               F2 0B 80 6C 28 67 3E 10    ...l(g>.
>>>         :               D7 76 1E C5 4E BF 87 37    .v..N..7
>>>         :               CB 99 51 81 74 5C 50 57    ..Q.t\PW
>>>         :               80 3F 5D 3E 84 76 12 0A    .?]>.v..
>>>         :               B0 A3 99 DF E5 3B A4 8F    .....;..
>>>         :               DE 04 50 A8 E6 D0 00 6D    ..P....m
>>>         :               61 21 B1 A9 A9 D6 05 79    a!.....y
>>>         :               0A 00 FA D5 1D A6 D6 F8    ........
>>>         :               6A 22 07 E5 BC 01 C1 E0    j"......
>>>         :               10 09 BD 92 09 B5 B7 29    .......)
>>>         :               8B 6A 4D 28 C4 63 7A 4C    .jM(.czL
>>>         :               8E 7A AF 87 5D BE A4 BD    .z..]...
>>>         :               C1 20 9A D0 82 57 03 21    . ...W.!
>>>         :               F3 E2 6F F5 44 22 F9 27    ..o.D".'
>>>         :               41 9C 66 27 BB 52 39 E2    A.f'.R9.
>>>         :               4B C8 2B 82 58 AC 0E AF    K.+.X...
>>>         :               8D AE A5 C7 A5 1A A3 5E
>>>         :             }
>>>         :           }
>>>         :         }
>>>         :       }
>>>         :     }
>>>         :   }
>>>
>>> On 19 April 2016 at 14:29, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>>>>
>>>> On 19/04/2016 05:55, Alex Samad wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> I have a SHA.sha file
>>>>>
>>>>> /usr/bin/openssl ts -query -data SHA.sha -sha256 | /usr/bin/curl -s -H
>>>>> Content-Type:application/timestamp-query --data-binary @-
>>>>> http://sha256timestamp.ws.symantec.com/sha256/timestamp > SHA.sha.tsr
>>>>>
>>>>> /usr/bin/openssl ts -reply -in SHA.sha.tsr -text  > SHA.sha.ts.txt
>>>>>
>>>>>
>>>>> cat SHA.sha.ts.txt
>>>>> Status info:
>>>>> Status: Granted.
>>>>> Status description: unspecified
>>>>> Failure info: unspecified
>>>>>
>>>>> TST info:
>>>>> Version: 1
>>>>> Policy OID: 2.16.840.1.113733.1.7.23.3
>>>>> Hash Algorithm: sha256
>>>>> Message data:
>>>>>       0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6
>>>>> .m.[.......WE.i.
>>>>>       0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5
>>>>> z.....U%..W7>\..
>>>>> Serial number: 0x570B9C3A11CA318E2478D3680C0FEFD9238E06AB
>>>>> Time stamp: Apr 19 03:52:25 2016 GMT
>>>>> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
>>>>> Ordering: no
>>>>> Nonce: 0x580E59D87F396B25
>>>>> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>>> Network/CN=Symantec SHA256 TimeStamping Signer - G1
>>>>> Extensions:
>>>>>
>>>>>
>>>>> But when I go to verify it
>>>>>
>>>>>    openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>>>>> Verification: FAILED
>>>>> 140569777235784:error:2107C080:PKCS7
>>>>> routines:PKCS7_get0_signers:signer certificate not
>>>>> found:pk7_smime.c:476:
>>>>>
>>>>> is this because I didn't provide a cert to sign it with ?
>>>>
>>>> No, it is because it cannot find the certificate that Symantec
>>>> used to sign the response, specifically the certificate with
>>>> Subject name "/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>> Network/CN=Symantec SHA256 TimeStamping Signer - G1".
>>>>
>>>> I am kind of disappointed in how little detail is included in
>>>> the output from ts -reply -text, I expected it to output all
>>>> the fields, similar to what other openssl commands do when
>>>> passed the -text option.
>>>>
>>>> So I guess the next step would be to dump SHA.sha.tsr using
>>>> Peter Gutmann's dumpasn1.c program, something like
>>>>
>>>> openssl base64 -d -in SHA.sha.tsr -out SHA.sha.tsr.bin
>>>> dumpasn1 -v SHA.sha.tsr.bin
>>>>
>>>>
>>
>>
>> Enjoy
>>
>> Jakob
>> --
>> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
>> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
>> This public discussion message is non-binding and may contain errors.
>> WiseMo - Remote Service Management for PCs, Phones and Embedded
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

