Re: [openssl-users] help with timestamping

Mon, 18 Apr 2016 21:30:36 -0700 

On 19/04/2016 05:55, Alex Samad wrote:

Hi

I have a SHA.sha file

/usr/bin/openssl ts -query -data SHA.sha -sha256 | /usr/bin/curl -s -H
Content-Type:application/timestamp-query --data-binary @-
http://sha256timestamp.ws.symantec.com/sha256/timestamp > SHA.sha.tsr

/usr/bin/openssl ts -reply -in SHA.sha.tsr -text  > SHA.sha.ts.txt


cat SHA.sha.ts.txt
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 2.16.840.1.113733.1.7.23.3
Hash Algorithm: sha256
Message data:
     0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[.......WE.i.
     0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.....U%..W7>\..
Serial number: 0x570B9C3A11CA318E2478D3680C0FEFD9238E06AB
Time stamp: Apr 19 03:52:25 2016 GMT
Accuracy: 0x1E seconds, unspecified millis, unspecified micros
Ordering: no
Nonce: 0x580E59D87F396B25
TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust
Network/CN=Symantec SHA256 TimeStamping Signer - G1
Extensions:


But when I go to verify it

  openssl ts -verify -data SHA.sha -in SHA.sha.tsr
Verification: FAILED
140569777235784:error:2107C080:PKCS7
routines:PKCS7_get0_signers:signer certificate not
found:pk7_smime.c:476:

is this because I didn't provide a cert to sign it with ?

No, it is because it cannot find the certificate that Symantec
used to sign the response, specifically the certificate with
Subject name "/C=US/O=Symantec Corporation/OU=Symantec Trust
Network/CN=Symantec SHA256 TimeStamping Signer - G1".

I am kind of disappointed in how little detail is included in
the output from ts -reply -text, I expected it to output all
the fields, similar to what other openssl commands do when
passed the -text option.

So I guess the next step would be to dump SHA.sha.tsr using
Peter Gutmann's dumpasn1.c program, something like

openssl base64 -d -in SHA.sha.tsr -out SHA.sha.tsr.bin
dumpasn1 -v SHA.sha.tsr.bin


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to