OK, it looks like this signing service is (quite unusually)
not providing the certificate in its message, which is quite
unusual.
All it provides is some information /about/ that certificate,
specifically it provides the following info:
The certificate was issued to C=US, O=Symantec Corporation,
OU=Symantec Trust Network,
CN=Symantec SHA256 TimeStamping Signer - G1
The certificate was issued by C=US, O=Symantec Corporation,
OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping CA
The certificate serial number (in hex) is
54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74 B2 8B 13
The certificate fingerprint (SHA-256) is
82 D5 56 DB DB 5D AD 5F A0 7B B6 07 26 A6 D8 6E
73 0B 5B B7 29 88 5B B6 DE 4F F2 75 29 02 2C FC
Someone with knowledge of the Symantec/Verisign/Thawte/GeoTrust/
TrustCenter repository web site may be able to use this
information to download the missing certificates, but there
is no information in this file that would allow a computer
to do this.
I wonder if changing some parameter in the timestamp request
would cause the Symantec server to return a more complete
timestamp token.
Or maybe something else is failing.
On 23/04/2016 00:54, Alex Samad wrote:
Here is a dump.
I can see the CN - but I could see that before.
There is also an RSA - maybe a signature or maybe it is the public key for the cert.
I would expect to see some signed data (sha + Symantec cert + time)
and also the public cert (and maybe the intermediaries...)
<30 82 03 AB>
0 939: SEQUENCE {
<30 03>
4 3: SEQUENCE {
<02 01>
6 1: INTEGER 0
: }
<30 82 03 A2>
9 930: SEQUENCE {
<06 09>
13 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
: (PKCS #7)
<A0 82 03 93>
24 915: [0] {
<30 82 03 8F>
28 911: SEQUENCE {
<02 01>
32 1: INTEGER 3
<31 0D>
35 13: SET {
<30 0B>
37 11: SEQUENCE {
<06 09>
39 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
: (NIST Algorithm)
: }
: }
<30 82 01 1B>
50 283: SEQUENCE {
<06 0B>
54 11: OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
: (S/MIME Content Types)
<A0 82 01 0A>
67 266: [0] {
<04 82 01 06>
71 262: OCTET STRING, encapsulates {
<30 82 01 02>
75 258: SEQUENCE {
<02 01>
79 1: INTEGER 1
<06 0B>
82 11: OBJECT IDENTIFIER '2 16 840 1 113733 1 7 23 3'
<30 31>
95 49: SEQUENCE {
<30 0D>
97 13: SEQUENCE {
<06 09>
99 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
: (NIST Algorithm)
<05 00>
110 0: NULL
: }
<04 20>
112 32: OCTET STRING
: 8C 6D 95 5B E0 CD 8B C9 .m.[....
: DF 8C AB 57 45 C4 69 E6 ...WE.i.
: 7A B9 CE CB 14 8F 55 25 z.....U%
: 91 2E 57 37 3E 5C B8 D5
: }
<02 14>
146 20: INTEGER
: 57 0B 9C 3A 11 CA 31 8E W..:..1.
: 24 78 D3 68 0C 0F EF D9 $x.h....
: 23 8E 06 AB #...
<18 0F>
168 15: GeneralizedTime 19/04/2016 03:52:25 GMT
<30 03>
185 3: SEQUENCE {
<02 01>
187 1: INTEGER 30
: }
<02 08>
190 8: INTEGER 58 0E 59 D8 7F 39 6B 25
<A0 81 86>
200 134: [0] {
<A4 81 83>
203 131: [4] {
<30 81 80>
206 128: SEQUENCE {
<31 0B>
209 11: SET {
<30 09>
211 9: SEQUENCE {
<06 03>
213 3: OBJECT IDENTIFIER countryName (2 5 4 6)
: (X.520 DN component)
<13 02>
218 2: PrintableString 'US'
: }
: }
<31 1D>
222 29: SET {
<30 1B>
224 27: SEQUENCE {
<06 03>
226 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
: (X.520 DN component)
<13 14>
231 20: PrintableString 'Symantec Corporation'
: }
: }
<31 1F>
253 31: SET {
<30 1D>
255 29: SEQUENCE {
<06 03>
257 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11)
: (X.520 DN component)
<13 16>
262 22: PrintableString 'Symantec Trust Network'
: }
: }
<31 31>
286 49: SET {
<30 2F>
288 47: SEQUENCE {
<06 03>
290 3: OBJECT IDENTIFIER commonName (2 5 4 3)
: (X.520 DN component)
<13 28>
295 40: PrintableString 'Symantec SHA256 TimeStamping Signer - G1'
: }
: }
: }
: }
: }
: }
: }
: }
: }
<31 82 02 5A>
337 602: SET {
<30 82 02 56>
341 598: SEQUENCE {
<02 01>
345 1: INTEGER 1
<30 81 8B>
348 139: SEQUENCE {
<30 77>
351 119: SEQUENCE {
<31 0B>
353 11: SET {
<30 09>
355 9: SEQUENCE {
<06 03>
357 3: OBJECT IDENTIFIER countryName (2 5 4 6)
: (X.520 DN component)
<13 02>
362 2: PrintableString 'US'
: }
: }
<31 1D>
366 29: SET {
<30 1B>
368 27: SEQUENCE {
<06 03>
370 3: OBJECT IDENTIFIER organizationName (2 5 4 10)
: (X.520 DN component)
<13 14>
375 20: PrintableString 'Symantec Corporation'
: }
: }
<31 1F>
397 31: SET {
<30 1D>
399 29: SEQUENCE {
<06 03>
401 3: OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
: (X.520 DN component)
<13 16>
406 22: PrintableString 'Symantec Trust Network'
: }
: }
<31 28>
430 40: SET {
<30 26>
432 38: SEQUENCE {
<06 03>
434 3: OBJECT IDENTIFIER commonName (2 5 4 3)
: (X.520 DN component)
<13 1F>
439 31: PrintableString 'Symantec SHA256 TimeStamping CA'
: }
: }
: }
<02 10>
472 16: INTEGER 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74 B2 8B 13
: }
<30 0B>
490 11: SEQUENCE {
<06 09>
492 9: OBJECT IDENTIFIER sha-256 (2 16 840 1 101 3 4 2 1)
: (NIST Algorithm)
: }
<A0 81 A4>
503 164: [0] {
<30 1A>
506 26: SEQUENCE {
<06 09>
508 9: OBJECT IDENTIFIER contentType (1 2 840 113549 1 9 3)
: (PKCS #9)
<31 0D>
519 13: SET {
<06 0B>
521 11: OBJECT IDENTIFIER tSTInfo (1 2 840 113549 1 9 16 1 4)
: (S/MIME Content Types)
: }
: }
<30 1C>
534 28: SEQUENCE {
<06 09>
536 9: OBJECT IDENTIFIER signingTime (1 2 840 113549 1 9 5)
: (PKCS #9)
<31 0F>
547 15: SET {
<17 0D>
549 13: UTCTime 19/04/2016 03:52:25 GMT
: }
: }
<30 2F>
564 47: SEQUENCE {
<06 09>
566 9: OBJECT IDENTIFIER messageDigest (1 2 840 113549 1 9 4)
: (PKCS #9)
<31 22>
577 34: SET {
<04 20>
579 32: OCTET STRING
: 98 1B CF E1 5D 96 79 D6 ....].y.
: 47 53 3E 27 A1 0C 57 4E GS>'..WN
: 62 48 8E 43 F8 B5 17 D4 bH.C....
: 1C 8F 9A 86 ED D7 A6 B4
: }
: }
<30 37>
613 55: SEQUENCE {
<06 0B>
615 11: OBJECT IDENTIFIER
: signingCertificateV2 (1 2 840 113549 1 9 16 2 47)
: (S/MIME Authenticated Attributes)
<31 28>
628 40: SET {
<30 26>
630 38: SEQUENCE {
<30 24>
632 36: SEQUENCE {
<30 22>
634 34: SEQUENCE {
<04 20>
636 32: OCTET STRING
: 82 D5 56 DB DB 5D AD 5F ..V..]._
: A0 7B B6 07 26 A6 D8 6E .{..&..n
: 73 0B 5B B7 29 88 5B B6 s.[.).[.
: DE 4F F2 75 29 02 2C FC
: }
: }
: }
: }
: }
: }
<30 0B>
670 11: SEQUENCE {
<06 09>
672 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
: (PKCS #1)
: }
<04 82 01 00>
683 256: OCTET STRING
: 77 60 BE 64 F1 4C 04 B9 w`.d.L..
: 4D 64 39 59 DC 53 27 02 Md9Y.S'.
: 06 1F 0C C7 31 EC 5B A2 ....1.[.
: 79 FB CA A3 07 DE D3 E6 y.......
: 88 CE 84 37 4C 20 EF DF ...7L ..
: 9B BB D4 0B 6F DC 42 05 ....o.B.
: DA 8D 22 EF 24 A8 46 68 ..".$.Fh
: 79 DA CB B5 A9 CD F6 7E y......~
: D5 B8 D4 DD B4 44 5F 40 .....D_@
: 0A A2 59 C8 3B 2C 52 6F ..Y.;,Ro
: BE 88 6C D3 A4 F6 3C B1 ..l...<.
: 52 27 25 E3 E9 6F 4A 2B R'%..oJ+
: C6 C4 CD EA 73 65 6C 04 ....sel.
: 9A A4 79 4E A4 95 F4 F7 ..yN....
: 1C C6 2E E8 D3 4B 01 8F .....K..
: F2 0B 80 6C 28 67 3E 10 ...l(g>.
: D7 76 1E C5 4E BF 87 37 .v..N..7
: CB 99 51 81 74 5C 50 57 ..Q.t\PW
: 80 3F 5D 3E 84 76 12 0A .?]>.v..
: B0 A3 99 DF E5 3B A4 8F .....;..
: DE 04 50 A8 E6 D0 00 6D ..P....m
: 61 21 B1 A9 A9 D6 05 79 a!.....y
: 0A 00 FA D5 1D A6 D6 F8 ........
: 6A 22 07 E5 BC 01 C1 E0 j"......
: 10 09 BD 92 09 B5 B7 29 .......)
: 8B 6A 4D 28 C4 63 7A 4C .jM(.czL
: 8E 7A AF 87 5D BE A4 BD .z..]...
: C1 20 9A D0 82 57 03 21 . ...W.!
: F3 E2 6F F5 44 22 F9 27 ..o.D".'
: 41 9C 66 27 BB 52 39 E2 A.f'.R9.
: 4B C8 2B 82 58 AC 0E AF K.+.X...
: 8D AE A5 C7 A5 1A A3 5E
: }
: }
: }
: }
: }
: }
On 19 April 2016 at 14:29, Jakob Bohm <jb-open...@wisemo.com> wrote:
On 19/04/2016 05:55, Alex Samad wrote:
Hi
I have a SHA.sha file
/usr/bin/openssl ts -query -data SHA.sha -sha256 | /usr/bin/curl -s -H \
Content-Type:application/timestamp-query --data-binary @- \
http://sha256timestamp.ws.symantec.com/sha256/timestamp > SHA.sha.tsr
/usr/bin/openssl ts -reply -in SHA.sha.tsr -text > SHA.sha.ts.txt
cat SHA.sha.ts.txt
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified
TST info:
Version: 1
Policy OID: 2.16.840.1.113733.1.7.23.3
Hash Algorithm: sha256
Message data:
0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[.......WE.i.
0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.....U%..W7>\..
Serial number: 0x570B9C3A11CA318E2478D3680C0FEFD9238E06AB
Time stamp: Apr 19 03:52:25 2016 GMT
Accuracy: 0x1E seconds, unspecified millis, unspecified micros
Ordering: no
Nonce: 0x580E59D87F396B25
TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1
Extensions:
But when I go to verify it
openssl ts -verify -data SHA.sha -in SHA.sha.tsr
Verification: FAILED
140569777235784:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:
Is this because I didn't provide a cert to sign it with?
No, it is because it cannot find the certificate that Symantec
used to sign the response, specifically the certificate with
Subject name "/C=US/O=Symantec Corporation/OU=Symantec Trust
Network/CN=Symantec SHA256 TimeStamping Signer - G1".
I am kind of disappointed in how little detail is included in
the output from ts -reply -text, I expected it to output all
the fields, similar to what other openssl commands do when
passed the -text option.
So I guess the next step would be to dump SHA.sha.tsr using
Peter Gutmann's dumpasn1.c program, something like
openssl base64 -d -in SHA.sha.tsr -out SHA.sha.tsr.bin
dumpasn1 -v SHA.sha.tsr.bin
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
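
Added example (not part of the thread, not OpenSSL code): in the dump above, signerInfos (offset 337) follows the encapsulated tSTInfo (offset 50) directly, so the optional SignedData certificates [0] field is absent. The Python sketch below makes that check on a TimeStampResp and pulls out the signer's serial number. The function names are hypothetical, the sample responses are constructed skeletons rather than real tokens, and the SignerInfo is assumed to identify the signer by issuerAndSerialNumber as in the dump.

```python
def tlv(buf, pos=0):
    """Parse one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = tlv(content, pos)
        out.append((tag, val))
    return out

def inspect_response(resp_der):
    """Return (has_certificates, signer_serial_hex) for a TimeStampResp."""
    fields = children(tlv(resp_der)[1])             # status, timeStampToken
    if len(fields) < 2:
        raise ValueError("response carries no timeStampToken")
    content_info = children(fields[1][1])           # contentType, [0] content
    signed_data = children(children(content_info[1][1])[0][1])
    # version, digestAlgorithms, encapContentInfo, [0] certificates?, [1] crls?, signerInfos
    has_certs = any(tag == 0xA0 for tag, _ in signed_data[3:-1])
    signer_info = children(children(signed_data[-1][1])[0][1])
    serial = children(signer_info[1][1])[1][1]      # issuerAndSerialNumber -> serialNumber
    return has_certs, serial.hex().upper()

def enc(tag, *parts):
    """DER-encode one element; used only to build the constructed samples."""
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

SERIAL = bytes.fromhex("54F37DA1716751BC6A8D0AD274B28B13")  # signer serial quoted in the thread
OID_SIGNED_DATA = bytes.fromhex("06092A864886F70D010702")   # encoded signedData OID

def sample_response(with_certs):
    """Constructed skeleton of a TimeStampResp; not a real Symantec token."""
    signer = enc(0x30, enc(0x02, b"\x01"), enc(0x30, enc(0x30), enc(0x02, SERIAL)))
    certs = enc(0xA0, enc(0x30, bytes(300))) if with_certs else b""
    signed = enc(0x30, enc(0x02, b"\x03"), enc(0x31), enc(0x30), certs, enc(0x31, signer))
    return enc(0x30, enc(0x30, enc(0x02, b"\x00")), enc(0x30, OID_SIGNED_DATA, enc(0xA0, signed)))
```

On a real reply, pass the raw bytes of SHA.sha.tsr to `inspect_response`. The request parameter that governs this is the RFC 3161 certReq flag, which `openssl ts -query` sets when given the `-cert` option.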