openSSL verify RFC 3161 TimeStampResp signed with self-signed certificate

北城以北 提交于 2019-12-08 18:09:31

First, this isn't really a programming or development question, and probalby belongs instead on superuser, unix.SX, or maybe security.SX .

Second, it works for me (verifies okay) if I reconstruct the situation you describe with 'obvious' defaults for the information you omitted or redacted, on all recent releases (1.0.0-2,1.1.0). All I can suggest is, look carefully at exactly what's in your certs. One obvious possibility: did you make the TSA name (cert Subject) the same as the CA name? That makes chaining fail, resulting in the type of verify error you got.

Third, there is no option in openssl ts -verify to do other than the normal verification sequence. But a successful TimeStampResp is just a SEQUENCE containing a simple header (a sub-SEQUENCE containing INTEGER 0) and a CMS SignedData which is the Timestamp Token. You can extract the CMS SignedData part -- manually with openssl asn1parse -inform d to find its offset which is usually 9 and then adding -strparse 9 -out signedtst or just something simple like tail -c +10 <tsresp >signedtst (added) or more easily with an option I somehow missed before: openssl ts -reply -in response -token_out -out signedtst -- then use

 openssl cms -verify -noverify -certfile signercert -inform der -in signedtst -binary -out tstinfo

(yes -verify -noverify!) to verify the signature on the signed data by the cert (i.e. by the TSA) but not verify the cert itself (against a chain ending in the truststore, and the required ExtKeyUsage, plus OpenSSL's -purpose timestampsign also constrains KeyUsage although I don't see this in the standard) and also extract the signed body which you can then manually parse with

openssl asn1parse -inform der -in tstinfo [-i]

although that's not as convenient as having it labelled and formatted for you.

ADDED: There are some added options in 1.1.0 that I apparently missed; see https://stackoverflow.com/a/52134401/2868801

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!