
Openssl verify Symantec timestamp


typ...@gmail.com

Jul 26, 2016, 11:33:01 AM
Hello,

I don't understand why OpenSSL fails to verify a Symantec-issued timestamp.

Here is the procedure:
1. Create a dummy test file (i.e. a text file containing only a few text characters)
2. Run a timestamp request: /usr/local/bin/openssl ts -query -data "test.txt" -sha256 -cert | curl -o "test.txt.tsr" -sSH 'Content-Type: application/timestamp-query' --data-binary @- "http://sha256timestamp.ws.symantec.com/sha256/timestamp"
3. Check the timestamp: openssl ts -reply -in test.txt.tsr -text
Here, we can see that the timestamp is properly issued:
--------------------------------------------------
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 2.16.840.1.113733.1.7.23.3
Hash Algorithm: sha256
Message data:
0000 - e2 ae 3d b6 45 60 82 84-4b a2 39 72 dc 32 71 e9 ..=.E`..K.9r.2q.
0010 - 15 5d e9 20 3b 56 49 de-76 3f 6b 1b 22 78 97 06 .]. ;VI.v?k."x..
Serial number: 0xE473292F026EB26003ABBEC11DD47AA87D7E7B40
Time stamp: Jul 26 14:51:21 2016 GMT
Accuracy: 0x1E seconds, unspecified millis, unspecified micros
Ordering: no
Nonce: 0x1E9132A8C55D7643
TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1
Extensions:
--------------------------------------------------
4. Let's verify the timestamp (what will be done in court, so the ultimate purpose of all the stuff):
openssl ts -verify -data test.txt -in test.txt.tsr -CAfile ./cert.pem
And this is the result:
--------------------------------------------------
Verification: FAILED
4415378440:error:2F06D064:time stamp routines:TS_VERIFY_CERT:certificate verify error:ts_rsp_verify.c:264:Verify error:unable to get local issuer certificate
--------------------------------------------------
According to several searches, this means that the certificate "cert.pem" is not the proper one, I mean the root certificate of the time stamping authority.
5. Well, I'm pretty sure that this certificate is the good one. Why? Because I dumped the timestamp to extract this info with the command openssl asn1parse -inform der -in test.txt.tsr -out test.out-dump:
--EXTRACT FROM THE COMPLETE ANSWER-----
395:d=10 hl=2 l= 3 prim: OBJECT :countryName
400:d=10 hl=2 l= 2 prim: PRINTABLESTRING :US
404:d=8 hl=2 l= 23 cons: SET
406:d=9 hl=2 l= 21 cons: SEQUENCE
408:d=10 hl=2 l= 3 prim: OBJECT :organizationName
413:d=10 hl=2 l= 14 prim: PRINTABLESTRING :VeriSign, Inc.
429:d=8 hl=2 l= 31 cons: SET
431:d=9 hl=2 l= 29 cons: SEQUENCE
433:d=10 hl=2 l= 3 prim: OBJECT :organizationalUnitName
438:d=10 hl=2 l= 22 prim: PRINTABLESTRING :VeriSign Trust Network
462:d=8 hl=2 l= 58 cons: SET
464:d=9 hl=2 l= 56 cons: SEQUENCE
466:d=10 hl=2 l= 3 prim: OBJECT :organizationalUnitName
471:d=10 hl=2 l= 49 prim: PRINTABLESTRING :(c) 2008 VeriSign, Inc. - For authorized use only
522:d=8 hl=2 l= 56 cons: SET
524:d=9 hl=2 l= 54 cons: SEQUENCE
526:d=10 hl=2 l= 3 prim: OBJECT :commonName
531:d=10 hl=2 l= 47 prim: PRINTABLESTRING :VeriSign Universal Root Certification Authority
580:d=7 hl=2 l= 30 cons: SEQUENCE
582:d=8 hl=2 l= 13 prim: UTCTIME :160112000000Z
597:d=8 hl=2 l= 13 prim: UTCTIME :310111235959Z
612:d=7 hl=2 l= 119 cons: SEQUENCE
614:d=8 hl=2 l= 11 cons: SET
--------------------------------------------------
So I understand that the root CA is "VeriSign Universal Root Certification Authority" and it's the certificate I extracted from my certificate store to the file "cert.pem".
6. I checked the certificate cert.pem with the command "openssl x509 -in cert.pem -text":
--EXTRACT FROM THE COMPLETE ANSWER-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:1a:c4:64:21:b3:13:21:03:0e:bb:e4:12:1a:c5:1d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority
Validity
Not Before: Apr 2 00:00:00 2008 GMT
Not After : Dec 1 23:59:59 2037 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority
--------------------------------------------------
Sounds good! But it doesn't work to verify the timestamp. OpenSSL version is OpenSSL 1.0.2h 3 May 2016

My question is: why does it fail? Why does OpenSSL verify fail although everything seems OK? Am I doing something wrong? Is it a bug? What can I do?

Thanks a lot.

Best regards,

C. R.
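As an added example that is not part of this thread, the shell script below runs the same openssl ts query/reply/verify steps against a timestamping authority built locally, so it works offline. Every name, key, policy OID and config value in it is constructed for the demo and is unrelated to Symantec's service; it assumes only an openssl command-line tool on PATH. It demonstrates one mechanism that yields exactly the error quoted in step 4: when the response carries the signer certificate but not the intermediate CA that issued it, verifying with only the root in -CAfile fails with "unable to get local issuer certificate", while handing the intermediate to openssl ts -verify via -untrusted (or appending it to the -CAfile bundle) lets the chain build. Whether that is what happened in the thread cannot be determined from the posts; the script shows the mechanism and a quicker way than asn1parse to list which certificates a response actually contains.

```shell
# Added example, not from the thread: the same "openssl ts" query/reply/verify
# steps run against a TSA built locally, so it works offline. Every name,
# key, policy OID and config value below is constructed for the demo and is
# unrelated to Symantec's service.
#
# tsa_demo returns 0 when both of these hold:
#   - verifying with only the root CA in -CAfile FAILS with
#     "unable to get local issuer certificate" (the intermediate is missing)
#   - verifying with the intermediate passed via -untrusted succeeds
# The body is a subshell, so 'exit' only leaves the function.
tsa_demo() (
    command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    cd "$work" || exit 1

    # One config file: [req]/[dn] so 'openssl req' does not need the system
    # openssl.cnf, extension sections for the CAs and the signer, and the
    # [tsa] section that 'openssl ts -reply' requires.
    cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_tsa ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
# Timestamp signers need a critical EKU containing only timeStamping,
# otherwise 'openssl ts' rejects the certificate.
extendedKeyUsage = critical,timeStamping
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = .
serial = $dir/tsaserial
signer_digest = sha256
default_policy = 1.3.6.1.4.1.99999.1.1
digests = sha256
accuracy = secs:1
ordering = no
tsa_name = yes
ess_cert_id_chain = no
EOF
    echo 01 > tsaserial

    # Constructed hierarchy: root -> intermediate -> TSA signer.
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -keyout root.key -out root.csr -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 3650 \
        -extfile demo.cnf -extensions v3_ca -out root.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -keyout inter.key -out inter.csr -subj "/CN=Demo TimeStamping CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 3650 -extfile demo.cnf -extensions v3_ca -out inter.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -keyout tsa.key -out tsa.csr -subj "/CN=Demo TimeStamping Signer" 2>/dev/null
    openssl x509 -req -in tsa.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 3650 -extfile demo.cnf -extensions v3_tsa -out tsa.pem 2>/dev/null

    # Steps 1-3 of the thread: dummy file, query with -cert, reply.
    # No -chain is given, so the response carries only the signer cert.
    echo "dummy test file" > test.txt
    openssl ts -query -data test.txt -sha256 -cert -out test.tsq 2>/dev/null || exit 1
    openssl ts -reply -config demo.cnf -queryfile test.tsq \
        -signer tsa.pem -inkey tsa.key -out test.tsr 2>/dev/null || exit 1

    # Diagnostic: list the certificates actually embedded in the response
    # (the token is CMS SignedData, which 'openssl pkcs7' can read).
    openssl ts -reply -in test.tsr -token_out -out token.der 2>/dev/null
    openssl pkcs7 -inform DER -in token.der -print_certs -noout

    # Step 4 of the thread with only the root in -CAfile: must fail.
    if openssl ts -verify -data test.txt -in test.tsr -CAfile root.pem >v1.txt 2>&1; then
        echo "unexpected: verified without the intermediate" >&2; exit 1
    fi
    cat v1.txt
    grep -q "unable to get local issuer certificate" v1.txt || exit 1

    # Same verification with the intermediate supplied as untrusted chain
    # material; appending inter.pem to the -CAfile bundle would also work.
    openssl ts -verify -data test.txt -in test.tsr -CAfile root.pem \
        -untrusted inter.pem >v2.txt 2>&1 || { cat v2.txt; exit 1; }
    cat v2.txt
    grep -q "Verification: OK" v2.txt
)

tsa_demo
```

Run it with sh; it prints the certificates found in the response, then "Verification: FAILED" with the issuer error for the root-only check, then "Verification: OK" once the intermediate is available. The point for anyone verifying a timestamp later (in court or otherwise) is that -CAfile names the trust anchor, but openssl ts -verify still has to build the complete path from the signer certificate to that anchor; any certificate not embedded in the response must be supplied via -untrusted or the -CAfile bundle, and the pkcs7 -print_certs step above tells you which ones are missing.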

adils...@gmail.com

Oct 12, 2016, 8:43:22 AM

Hi,

Even I am facing the same issue. Are you able to resolve this issue?

Thanks in advance

Regards
Adil

Goku Zeus

Feb 18, 2023, 1:16:10 PM
If you face more issues then you have to visit this website: https://halloweensquishmallows.net/