Hello,

I'm beginning with TSA and I'm wondering if it is possible to validate
a timestamp request against a unique (self-signed) certificate.

Now I can do :
$ openssl ts -verify -queryfile file.tsq -in file.tsr -CAfile demoCA/cacert.pem -untrusted demoCA/tsacert.pem

I added the 'cacert.pem' certificate to the trusted directory (hash symlink) but it didn't help:
$ openssl ts -verify -queryfile file.tsq -in file.tsr -CAfile demoCA/cacert.pem
signer certificate not found

Please, may someone tell me what I'm missing ?
Nicolas.

Here is my testing environment (on Debian wheezy):
============================================================================
#!/bin/bash

# Configuration
cp /etc/ssl/openssl.cnf .
sed -i -e 's/\# extendedKeyUsage/extendedKeyUsage/' openssl.cnf
mkdir demoCA
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
echo "0000000000000001" > demoCA/serial
echo "0000000000000001" > demoCA/tsaserial
export OPENSSL_CONF=$PWD/openssl.cnf

# CA Cert (no password for the script usage!)
openssl genrsa 1024 > demoCA/private/cakey.pem
openssl req -new -x509 -days 365 -key demoCA/private/cakey.pem > demoCA/newcerts/cacert.pem <<EOF
FR
France
Ulis
Me
R&D
CA-Me
nro...@me.fr
EOF
cp demoCA/newcerts/cacert.pem demoCA

# TSA Cert
openssl genrsa 1024 > demoCA/private/tsakey.pem
openssl req -new -key demoCA/private/tsakey.pem > tsacert.csr <<EOF
FR
France
Ulis
Me
R&D
CA-Me
nro...@me.fr


EOF
openssl ca -in tsacert.csr > demoCA/newcerts/tsacert.pem <<EOF
y
y
EOF
cp demoCA/newcerts/tsacert.pem demoCA

# Token query
cowsay "yƩ" > file.txt
openssl ts -query -data file.txt -policy tsa_policy1 > file.tsq
openssl ts -query -in file.tsq -text

# Token reply
openssl ts -reply -queryfile file.tsq -inkey demoCA/private/tsakey.pem -signer demoCA/tsacert.pem > file.tsr
openssl ts -reply -in file.tsr -text

# Token validation
openssl ts -verify -queryfile file.tsq -in file.tsr -CAfile demoCA/cacert.pem -untrusted demoCA/tsacert.pem
openssl ts -verify -data file.txt -in file.tsr -CAfile demoCA/cacert.pem -untrusted demoCA/tsacert.pem
============================================================================
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
