Hello kapetr,

I have successfully time-stamped with TSA server
"https://www.postsignum.cz/DEMOTSA/TSS_user/" (u: demoTSA, p: demoTSA2010),
using 2 Time-stamp clients:
1. Adobe Reader 10.1.3
2. Serbian Post Time-stamp client:
http://www.ca.posta.rs/download/Time-Stamp%20klijent%20aplikacija%20Poste%20v1.2.zip

PostSignum TSA server is Thales (nCipher). Thales (nCipher) time stamp
server can be configured to choose three locations where TAC (Time Attribute
Certificate) V2 attribute certificate will be stored:

1. CertificateChoices1 with ESSCertID (compatibility mode)

The Time Attribute Certificate is encoded in the CHOICE [1] field in the
CertificateChoices and the SHA-1 hash of the TAC is stored in the ESSCertID.

2. CertificateChoices2 with ESSCertID (RFC3369 & 3852)

This option puts the Time Attribute certificate into the CHOICE [2] field in
the CertificateChoices and sets the CMS version of the Time Stamp Token to 4
(because a V2 attribute certificate is present).

Note: Adobe Acrobat time-stamping support rejects CMS V4 as a bad version
number. If you are using Adobe Acrobat time-stamping, Thales recommend
continuing to use an older option that is Acrobat-compatible until a fix
from Adobe is made available.

3. SignerAttribute (RFC3126 & ETSI)

This option puts the entire TAC into a signed attribute. In this case, the
hash of the TAC is not included in the ESSCertID because it would be
redundant and RFC3126 requires it not to be present. This option also adds
the SigningTime signed attribute (redundant but required by the RFC) and the
SignaturePolicyId signed attribute. The policy is NULL because a time-stamp
token already must include a PolicyID in the TSTInfo.

My conclusion is that the PostSignum TSA server is configured with the first of
the above options, "1. CertificateChoices1 with ESSCertID (compatibility
mode)". When the Thales (nCipher) time-stamp server is configured that way,
OpenSSL is unable to read the TSA response. For example:
-----------------------------------------------------------
C:\Program Files\OpenSSL-Win32\bin>openssl ts -reply -in postsignum-Response.tsr -text
Using configuration from C:\Program Files\OpenSSL-Win32\bin\openssl.cfg
608:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1320:
608:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:382:Type=X509
608:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:712:Field=cert, Type=PKCS7_SIGNED
608:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:752:
608:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:580:Field=d.sign, Type=PKCS7
608:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:752:Field=token, Type=TS_RESP

C:\Program Files\OpenSSL-Win32\bin>
-----------------------------------------------------------

The administrator of the PostSignum TSA can solve the problem with OpenSSL in 2
ways:
1. Configure TAC as "3. SignerAttribute (RFC3126 & ETSI)", or
2. Exclude the TAC from the certificate list. He can use this option to support
time-stamp client software that cannot decode the TAC. This option is
required if you must support SUN jarsigner. SUN Jarsigner cannot decode the
TAC and cannot support time-stamp tokens that include the TAC in the
certificate list.

Useful link:
http://www.ietf.org/mail-archive/web/pkix/current/msg14787.html

Dragan
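Added example (not from the post above and not OpenSSL's own code): a small Python checker that walks the certificates SET of a CMS SignedData and labels each entry by its CertificateChoices tag, which is the layer where a TAC placed in CHOICE [1] trips OpenSSL's X509-only decoding of the cert field. The CertificateSet bytes are constructed, and the function names are assumptions.

```python
"""Label the entries of a CMS CertificateSet by their CertificateChoices tag.
RFC 5652 CertificateChoices: certificate = Certificate (SEQUENCE, tag 0x30),
v1AttrCert = [1] IMPLICIT (0xA1), v2AttrCert = [2] IMPLICIT (0xA2), other = [3] (0xA3).
A parser that accepts only Certificate entries in the cert field reports "wrong tag"
on a [1]/[2] entry, as OpenSSL does in the output quoted in the post.
"""

def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not supported")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:end], end

CHOICE_NAMES = {0x30: "certificate", 0xA0: "extendedCertificate",
                0xA1: "v1AttrCert", 0xA2: "v2AttrCert", 0xA3: "other"}

def classify_certificate_set(cert_set):
    """cert_set: contents octets of 'certificates [0] IMPLICIT CertificateSet'."""
    labels, pos = [], 0
    while pos < len(cert_set):
        tag, _, pos = read_tlv(cert_set, pos)
        labels.append(CHOICE_NAMES.get(tag, "unknown(0x%02X)" % tag))
    return labels

def openssl_pkcs7_compatible(cert_set):
    """OpenSSL's PKCS7_SIGNED decodes 'cert' as a set of X509 only (Field=cert,
    Type=PKCS7_SIGNED / Type=X509 in the errors), so any non-Certificate entry fails."""
    return all(label == "certificate" for label in classify_certificate_set(cert_set))

def der(tag, content):
    """Minimal DER encoder (short and long form lengths) for the constructed sample."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed sample: placeholder Certificate, then a v1AttrCert ([1] IMPLICIT) entry.
SAMPLE_CERT_SET = der(0x30, b"\x02\x01\x01") + der(0xA1, b"\x02\x01\x02" * 60)
```

Running classify_certificate_set on the certificates SET extracted from a real .tsr (e.g. with an ASN.1 dumper) tells you which of the three Thales layouts the server uses before you touch the OpenSSL side.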



--
View this message in context: 
http://openssl.6102.n7.nabble.com/possible-Bug-in-OpenSSL-rfc-3161-TSA-service-tp43128p44380.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org