On 07/03/2016 16:05, Anton Wuerfel wrote: > Hello, > > for an university project I am implementing RFC3161 time stamps into git. > when creating a TSQ it is possible to force the TSA server to include > its signing certificate in the TSR. However, I was wondering how to > extract this certificate at the client side, as neither 'openssl ts > -reply' nor 'openssl ts -verify' seemed to offer an appropriate > functionality. As the TSA field in TST_INFO is optional according to > RFC3161 and might be unspecified, it is not a reliable way to > determine the issuer of the timestamp signature. I would like to > display the issuers name to the user if verification of the timestamp > failed or the corresponding public key was not found in the user's > certificate store. > > Is there any built-in way to extract the issuer's certificate from a TSR? > > Regards, > Anton Wuerfel IMHO that extra copy of the TSA server cert inside the TSR is a complete and utter waste of bandwidth, not just for the TSA communication, but for all the places where the complete timestamp is subsequently carried around and/or stored (in this case, the ever-growing git repository). The obvious way to find this info is to not look inside the TSR structure, but to look at the surrounding SignedData (PKCS#7/CMS) structure. This is the same as for most other CMS signatures and includes signer identification and certificate chain in the usual way. Of cause, if a git repository contains many RFC3161 time stamps from the same TSAs, it may pay off to define the format as storing a (reversibly) transformed form where all the common stuff is in a separate part of the file format. The sizes are large enough that a method such as deflate/zip/gzip/zlib will have trouble eliminating the redundancy efficiently on its own, while larger size algorithms such as bzip2 or lzma should handle it nicely if the time stamps are stored close together. Another option, if the git format has a binary delta algorithm already is to store the timestamps as patches/deltas from prior timestamps, and letting the delta algorithm recognize the large sequences of identical bytes. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded
