Got a bit further

=======
#!/bin/bash

rm -f /tmp/test.data* /tmp/sym.cer

cat > /tmp/test.data <<EOF
This is a test
A test
EOF

cat > /tmp/symINT.cer << EOF
# Signing cert public key
#Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping CA
#Subject: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping Signer - G1
-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIQVPN9oXFnUbxqjQrSdLKLEzANBgkqhkiG9w0BAQsFADB3
MQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAd
BgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxKDAmBgNVBAMTH1N5bWFudGVj
IFNIQTI1NiBUaW1lU3RhbXBpbmcgQ0EwHhcNMTYwMTEyMDAwMDAwWhcNMjcwNDEx
MjM1OTU5WjCBgDELMAkGA1UEBhMCVVMxHTAbBgNVBAoTFFN5bWFudGVjIENvcnBv
cmF0aW9uMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3b3JrMTEwLwYDVQQD
EyhTeW1hbnRlYyBTSEEyNTYgVGltZVN0YW1waW5nIFNpZ25lciAtIEcxMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn/vfjx+nz54+GsvraK3PJxzugVWp
hwhY5YFNCRTg7dDz1A8/IbYeDjTU8WgKb32Pidny6qfYJTikjDbK7ijPM/h1Pdid
z5LdVuP2sHlUZrVFgkNE0mqxqxeiw+XvAOon8yeIDoc89m68qez2uy5qdwYivfq4
f8MkB/c/u0yw/0PLk8oSqpUkAJCyKzai0t3Ss9GZMt3P9MxzFkmDfyTr7XhG0+5f
bEJlG2eN8CYaDl6HblqPoIJ+bp/NJt69Ye9EXkWLqJTTHAQyof+kp6KqdwHbKt4P
TJI2xmmsXISArSX17TDDaB0X2wpNmjR4WQGbawKFOOIncaIUVDBgkyBIIwIDAQAB
o4IBxzCCAcMwDAYDVR0TAQH/BAIwADBmBgNVHSAEXzBdMFsGC2CGSAGG+EUBBxcD
MEwwIwYIKwYBBQUHAgEWF2h0dHBzOi8vZC5zeW1jYi5jb20vY3BzMCUGCCsGAQUF
BwICMBkaF2h0dHBzOi8vZC5zeW1jYi5jb20vcnBhMEAGA1UdHwQ5MDcwNaAzoDGG
L2h0dHA6Ly90cy1jcmwud3Muc3ltYW50ZWMuY29tL3NoYTI1Ni10c3MtY2EuY3Js
MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMA4GA1UdDwEB/wQEAwIHgDB3BggrBgEF
BQcBAQRrMGkwKgYIKwYBBQUHMAGGHmh0dHA6Ly90cy1vY3NwLndzLnN5bWFudGVj
LmNvbTA7BggrBgEFBQcwAoYvaHR0cDovL3RzLWFpYS53cy5zeW1hbnRlYy5jb20v
c2hhMjU2LXRzcy1jYS5jZXIwKAYDVR0RBCEwH6QdMBsxGTAXBgNVBAMTEFRpbWVT
dGFtcC0yMDQ4LTQwHQYDVR0OBBYEFO1rYM87WPg+Msy/pOir6OqiUEJ/MB8GA1Ud
IwQYMBaAFK9j1sqjToVy4Ke8QfMpojh/gHViMA0GCSqGSIb3DQEBCwUAA4IBAQCi
jV5dHe5O0pP9T+X0babwiUVVuwjKqyShFiTJTxfBn/TdAprCR8Cp3IiJd8GGhvHV
SZbz+x6Y1skdNSOImYpi4XWoTXinPewkgBWeaNQ6pMJM3HFslp2OHgwubFIBnlaQ
P6Jeks222kEaJIOheqNf/o07bznRP0FfVhwnDOV8BdhnNojlsMLDBKNaVrgSBI7U
nCRrG2a0vqAa4bXN7ONEpLE855LzWN3f6LFYS3BLzpAAzNyj0dJudRZURALvG1RE
Y+i1cMi5R5pbRcRudpoYsfcQM8gLUfVVjP0hHkGPTj6QXYAByLwkfoZoFBUUNDV0
SbeHUinWll6ioxbUsNN7
-----END CERTIFICATE-----

# CA for signing cert
#Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority
#Subject: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping CA
-----BEGIN CERTIFICATE-----
MIIFODCCBCCgAwIBAgIQewWx1EloUUT3yYnSnBmdEjANBgkqhkiG9w0BAQsFADCB
vTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTgwNgYDVQQDEy9W
ZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
Fw0xNjAxMTIwMDAwMDBaFw0zMTAxMTEyMzU5NTlaMHcxCzAJBgNVBAYTAlVTMR0w
GwYDVQQKExRTeW1hbnRlYyBDb3Jwb3JhdGlvbjEfMB0GA1UECxMWU3ltYW50ZWMg
VHJ1c3QgTmV0d29yazEoMCYGA1UEAxMfU3ltYW50ZWMgU0hBMjU2IFRpbWVTdGFt
cGluZyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALtZnVlVT52M
cl0agaLrVfOwAa08cawyjwVrhponADKXak3JZBRLKbvC2Sm5Luxjs+HPPwtWkPhi
G37rpgfi3n9ebUA41JEG50F8eRzLy60bv9iVkfPw7mz4rZY5Ln/BJ7h4OcWEpe3t
r4eOzo3HberSmLU6Hx45ncP0mqj0hOHE0XxxxgYptD/kgw0mw3sIPk35CrczSf/K
O9T1sptL4YiZGvXA6TMU1t/HgNuR7v68kldyd/TNqMz+CfWTN76ViGrF3PSxS9TO
6AmRX7WEeTWKeKwZMo8jwTJBG1kOqT6xzPnWK++32OTVHW0ROpL2k8mc40juu1MO
1DaXhnjFoTcCAwEAAaOCAXcwggFzMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8E
CDAGAQH/AgEAMGYGA1UdIARfMF0wWwYLYIZIAYb4RQEHFwMwTDAjBggrBgEFBQcC
ARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMwJQYIKwYBBQUHAgIwGRoXaHR0cHM6
Ly9kLnN5bWNiLmNvbS9ycGEwLgYIKwYBBQUHAQEEIjAgMB4GCCsGAQUFBzABhhJo
dHRwOi8vcy5zeW1jZC5jb20wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL3Muc3lt
Y2IuY29tL3VuaXZlcnNhbC1yb290LmNybDATBgNVHSUEDDAKBggrBgEFBQcDCDAo
BgNVHREEITAfpB0wGzEZMBcGA1UEAxMQVGltZVN0YW1wLTIwNDgtMzAdBgNVHQ4E
FgQUr2PWyqNOhXLgp7xB8ymiOH+AdWIwHwYDVR0jBBgwFoAUtnf6aUhHn1MS1cLq
BzJ2B9GXBxkwDQYJKoZIhvcNAQELBQADggEBAHXqsC3VNBlcMkX+DuHUT6Z4wW/X
6t3cT/OhyIGI96ePFeZAKa3mXfSi2VZkhHEwKt0eYRdmIFYGmBmNXXHy+Je8Cf0c
kUfJ4uiNA/vMkC/WCmxOM+zWtJPITJBjSDlAIcTd1m6JmDy1mJfoqQa3CcmPU1dB
kC/hHk1O3MoQeGxCbvC2xfhhXFL1TvZrjfdKer7zzf0D19n2A6gP41P3CnXsxnUu
qmaFBJm3+AZX4cYO9uiv2uybGB+queM6AL/OipTLAduexzi7D1Kr0eOUA2AKTaD+
J20UMvw/l0Dhv5mJ2+Q5FL3a5NPD6itas5VYVQR9x5rsIwONhSrS/66pYYE=
-----END CERTIFICATE-----
EOF

cat > /tmp/symCA.cer << EOF
#Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority
#Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority
-----BEGIN CERTIFICATE-----
MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCB
vTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTgwNgYDVQQDEy9W
ZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe
Fw0wODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIG9MQswCQYDVQQGEwJVUzEX
MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0
IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWduLCBJbmMuIC0gRm9y
IGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVuaXZlcnNh
bCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1hajCMj1mCOkdeQmIN65lgZOIzF
9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQHnOgO+k1KxCHfKWGPMiJhgsWH
H26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCznmhcrewA3ekEzeOEz4vMQGn+H
LL729fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsLdUYI0crSK5XQz/u5QGtkjFdN
/BMReYTtXlT2NJ8IAfMQJQYXStrxHXpma5hgZqTZ79IugvHw7wnqRMkVauIDbjPT
rJ9VAMf2CGqUuV/c4DPxhGD5WycRtPwW8rtWaoAljQIDAQABo4GyMIGvMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMG0GCCsGAQUFBwEMBGEwX6FdoFsw
WTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgs
exkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMB0GA1Ud
DgQWBBS2d/ppSEefUxLVwuoHMnYH0ZcHGTANBgkqhkiG9w0BAQsFAAOCAQEASvj4
sAPmLGd75JR3Y8xuTPl9Dg3cyLk1uXBPY/ok+myDjEedO2Pzmvl2MpWRsXe8rJq+
seQxIcaBlVZaDrHC1LGmWazxY8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz
4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTxP/jgdFcrGJ2BtMQo2pSXpXDrrB2+
BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+PwGZsY6rp2aQW9IHR
lRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4mJO3
7M2CYfE45k+XmCpajQ==
-----END CERTIFICATE-----
EOF

/usr/bin/openssl ts -query -data /tmp/test.data -sha256 -out /tmp/test.data.tsq -no_nonce
/usr/bin/curl -s -H Content-Type:application/timestamp-query --data-binary @/tmp/test.data.tsq http://sha256timestamp.ws.symantec.com/sha256/timestamp -o /tmp/test.data.tsr
#/usr/bin/openssl ts -query -data /tmp/test.data -sha256 | /usr/bin/curl -s -H Content-Type:application/timestamp-query --data-binary @- http://sha256timestamp.ws.symantec.com/sha256/timestamp > /tmp/test.data.tsr

/usr/bin/openssl ts -reply -in /tmp/test.data.tsr -text > /tmp/test.data.tsr.txt

#openssl ts -verify -data /tmp/test.data -in /tmp/test.data.tsr
#openssl ts -verify -data /tmp/test.data -in /tmp/test.data.tsr -untrusted /tmp/symINT.cer
openssl ts -verify -data /tmp/test.data -in /tmp/test.data.tsr -untrusted /tmp/symINT.cer -CAfile /tmp/symCA.cer
=======

results in this

Verification: FAILED
140328034314056:error:2F067065:time stamp routines:TS_CHECK_SIGNING_CERTS:ess signing certificate error:ts_rsp_verify.c:291:

which led me to this
http://openssl.6102.n7.nabble.com/possible-Bug-in-OpenSSL-rfc-3161-TSA-service-tt43128.html#none

Not sure if there has been any work on this since then.

On 29 April 2016 at 11:25, Alex Samad <alex at samad.com.au> wrote:
> Okay I have the cert from sym
>
> openssl x509 -in newsym1.cer -noout -subject
> subject= /C=US/O=Symantec Corporation/OU=Symantec Trust
> Network/CN=Symantec SHA256 TimeStamping Signer - G1
>
>
> Still getting
>
> openssl ts -verify -data SHA.sha -in SHA.sha.tsr -CApath newsym1.cer
> Verification: FAILED
> 139630315571016:error:2107C080:PKCS7
> routines:PKCS7_get0_signers:signer certificate not
> found:pk7_smime.c:476:
>
>
> On 27 April 2016 at 14:53, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>> OK, It looks like this signing service is (quite unusually)
>> not providing the certificate in its message, which is quite
>> unusual.
>>
>> All it provides is some information /about/ that certificate,
>> specifically it provides the following info:
>>
>> The certificate was issued to C=US, O=Symantec Corporation,
>> OU=Symantec Trust Network,
>> CN=Symantec SHA256 TimeStamping Signer - G1
>>
>> The certificate was issued by C=US, O=Symantec Corporation,
>> OU=Symantec Trust Network, CN=Symantec SHA256 TimeStamping CA
>>
>> The certificate serial number (in hex) is
>> 54 F3 7D A1 71 67 51 BC 6A 8D 0A D2 74 B2 8B 13
>>
>> The certificate fingerprint (SHA-256) is
>> 82 D5 56 DB DB 5D AD 5F A0 7B B6 07 26 A6 D8 6E
>> 73 0B 5B B7 29 88 5B B6 DE 4F F2 75 29 02 2C FC
>>
>> Someone with knowledge of the Symantec/Verisign/Thawte/GeoTrust/
>> TrustCenter repository web site may be able to use this
>> information to download the missing certificates, but there
>> is no information in this file that would allow a computer
>> to do this.
>>
>> I wonder if changing some parameter in the timestamp request
>> would cause the Symantec server to return a more complete
>> timestamp token.
>>
>> Or maybe something else is failing.
>>
>>
>> On 23/04/2016 00:54, Alex Samad wrote:
>>>
>>> Here is a dump.
>>>
>>> I can see the CN - but I could see that before.
>>>
>>> There is also a RSA - maybe a signature or maybe is the public key for the
>>> cert.
>>>
>>> I would expect to see some signed data (sha + symantec cert + time)
>>> and also the public cert ( and maybe the intermediaries..)
>>>
>>>
>>> On 19 April 2016 at 14:29, Jakob Bohm <jb-openssl at wisemo.com> wrote:
>>>>
>>>> On 19/04/2016 05:55, Alex Samad wrote:
>>>>>
>>>>> Hi
>>>>>
>>>>> I have a SHA.sha file
>>>>>
>>>>> /usr/bin/openssl ts -query -data SHA.sha -sha256 | /usr/bin/curl -s -H
>>>>> Content-Type:application/timestamp-query --data-binary @-
>>>>> http://sha256timestamp.ws.symantec.com/sha256/timestamp > SHA.sha.tsr
>>>>>
>>>>> /usr/bin/openssl ts -reply -in SHA.sha.tsr -text > SHA.sha.ts.txt
>>>>>
>>>>>
>>>>> cat SHA.sha.ts.txt
>>>>> Status info:
>>>>> Status: Granted.
>>>>> Status description: unspecified
>>>>> Failure info: unspecified
>>>>>
>>>>> TST info:
>>>>> Version: 1
>>>>> Policy OID: 2.16.840.1.113733.1.7.23.3
>>>>> Hash Algorithm: sha256
>>>>> Message data:
>>>>>     0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6
>>>>> .m.[.......WE.i.
>>>>>     0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5
>>>>> z.....U%..W7>\..
>>>>> Serial number: 0x570B9C3A11CA318E2478D3680C0FEFD9238E06AB
>>>>> Time stamp: Apr 19 03:52:25 2016 GMT
>>>>> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
>>>>> Ordering: no
>>>>> Nonce: 0x580E59D87F396B25
>>>>> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>>> Network/CN=Symantec SHA256 TimeStamping Signer - G1
>>>>> Extensions:
>>>>>
>>>>>
>>>>> But when I go to verify it
>>>>>
>>>>> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>>>>> Verification: FAILED
>>>>> 140569777235784:error:2107C080:PKCS7
>>>>> routines:PKCS7_get0_signers:signer certificate not
>>>>> found:pk7_smime.c:476:
>>>>>
>>>>> is this because I didn't provide a cert to sign it with ?
>>>>
>>>> No, it is because it cannot find the certificate that Symantec
>>>> used to sign the response, specifically the certificate with
>>>> Subject name "/C=US/O=Symantec Corporation/OU=Symantec Trust
>>>> Network/CN=Symantec SHA256 TimeStamping Signer - G1".
>>>>
>>>> I am kind of disappointed in how little detail is included in
>>>> the output from ts -reply -text, I expected it to output all
>>>> the fields, similar to what other openssl commands do when
>>>> passed the -text option.
>>>>
>>>> So I guess the next step would be to dump SHA.sha.tsr using
>>>> Peter Gutmann's dumpasn1.c program, something like
>>>>
>>>>     openssl base64 -d -in SHA.sha.tsr -out SHA.sha.tsr.bin
>>>>     dumpasn1 -v SHA.sha.tsr.bin
>>>>
>>>>
>>
>>
>> Enjoy
>>
>> Jakob
>> --
>> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
>> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
>> This public discussion message is non-binding and may contain errors.
>> WiseMo - Remote Service Management for PCs, Phones and Embedded
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
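
Added example, not part of the original thread and not OpenSSL code: the reading Jakob did by hand (the token carries no certificate, only a SHA-256 fingerprint of the signer's certificate in its signingCertificateV2 attribute), done programmatically. Function names are hypothetical, the sample reply is a constructed stand-in with dummy content and signature, and the ESSCertIDv2 hash is assumed to use the default SHA-256.

```python
import hashlib

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")          # 1.2.840.113549.1.7.2
OID_SIGNING_CERT_V2 = bytes.fromhex("2a864886f70d010910022f")  # 1.2.840.113549.1.9.16.2.47

def tlvs(buf):
    """Split DER bytes into (tag, value) pairs; single-byte tags, definite lengths."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated DER header")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                       # long form: low 7 bits count the length bytes
            n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
        if i + n > len(buf):
            raise ValueError("truncated DER value")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def inspect_reply(tsr):
    """Return (certs_embedded, [ESSCertIDv2 certHash, ...]) for a DER TimeStampResp."""
    resp = tlvs(tlvs(tsr)[0][1])           # PKIStatusInfo, then the optional token
    if len(resp) < 2:
        raise ValueError("reply carries no timeStampToken")
    ctype, content = tlvs(resp[1][1])      # ContentInfo: OID, [0] EXPLICIT SignedData
    if ctype[1] != OID_SIGNED_DATA:
        raise ValueError("token is not PKCS#7 signedData")
    signed_data = tlvs(tlvs(content[1])[0][1])
    certs_embedded = any(tag == 0xA0 for tag, _ in signed_data)   # certificates [0]
    hashes = []
    for _, signer_info in tlvs(signed_data[-1][1]):               # signerInfos SET
        for attrs in (v for t, v in tlvs(signer_info) if t == 0xA0):   # signedAttrs [0]
            for _, attr in tlvs(attrs):
                oid, values = tlvs(attr)
                if oid[1] == OID_SIGNING_CERT_V2:
                    for _, ess in tlvs(tlvs(tlvs(values[1])[0][1])[0][1]):  # each ESSCertIDv2
                        hashes += [v for t, v in tlvs(ess) if t == 0x04]    # certHash
    return certs_embedded, hashes

def advice(tsr, candidate_cert_der):   # what `openssl ts -verify` still needs for this reply
    certs_embedded, hashes = inspect_reply(tsr)
    if certs_embedded:
        return "signer certificate is in the token"
    known = hashlib.sha256(candidate_cert_der).digest() in hashes
    return "pass candidate with -untrusted" if known else "candidate is not the signer"

def der(tag, *parts):   # TLV encoder, used only to build the constructed sample
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + head + body

def sample_reply(signer_cert_der, embed):
    """Constructed stand-in for a TSA reply: correct nesting, dummy content and signature."""
    scv2 = der(0x30, der(0x30, der(0x30, der(0x04, hashlib.sha256(signer_cert_der).digest()))))
    attrs = der(0xA0, der(0x30, der(0x06, OID_SIGNING_CERT_V2), der(0x31, scv2)))
    signer = der(0x30, der(0x02, b"\x01"), der(0x30), attrs, der(0x04, bytes(256)))
    certs = [der(0xA0, signer_cert_der)] if embed else []
    fields = [der(0x02, b"\x03"), der(0x31), der(0x30), *certs, der(0x31, signer)]
    token = der(0x30, der(0x06, OID_SIGNED_DATA), der(0xA0, der(0x30, *fields)))
    return der(0x30, der(0x30, der(0x02, b"\x00")), token)

# Constructed stand-ins for two certificates (arbitrary bytes, not real X.509).
CERT_A, CERT_B = der(0x30, b"constructed cert A"), der(0x30, b"constructed cert B")
```

For a real reply, feed it the bytes of the `.tsr` file and the DER form of the candidate certificate.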