
Timestamp reply validation


Nicolas ROCHE

Jun 13, 2013, 5:34:59 AM
Hello,

I'm beginning with TSA and I'm wondering if it is possible to validate
a timestamp request against a unique (self-signed) certificate.

Now I can do:
$ openssl ts -verify -queryfile file.tsq -in file.tsr -CAfile demoCA/cacert.pem \
    -untrusted demoCA/tsacert.pem

I added the 'cacert.pem' certificate to the trusted directory (hash
symlink) but it didn't help:
$ openssl ts -verify -queryfile file.tsq -in file.tsr -CAfile demoCA/cacert.pem
signer certificate not found

Please, could someone tell me what I'm missing?
Nicolas.

Here is my testing environment (on Debian wheezy):
============================================================================
#!/bin/bash

# Configuration: copy the system openssl.cnf and uncomment the
# extendedKeyUsage (timeStamping) line of its TSA section
cp /etc/ssl/openssl.cnf .
sed -i -e 's/\# extendedKeyUsage/extendedKeyUsage/' openssl.cnf
mkdir -p demoCA/private demoCA/newcerts
touch demoCA/index.txt
echo "0000000000000001" > demoCA/serial
echo "0000000000000001" > demoCA/tsaserial
export OPENSSL_CONF=$PWD/openssl.cnf

# CA Cert (no password for the script usage!)
# The heredoc answers the interactive subject prompts of 'openssl req'
openssl genrsa 1024 > demoCA/private/cakey.pem
openssl req -new -x509 -days 365 -key demoCA/private/cakey.pem \
    > demoCA/newcerts/cacert.pem <<EOF
FR
France
Ulis
Me
R&D
CA-Me
nro...@me.fr
EOF
cp demoCA/newcerts/cacert.pem demoCA

# TSA Cert: CSR, then signed by the CA above (the two empty lines skip the
# challenge password and optional company name prompts)
openssl genrsa 1024 > demoCA/private/tsakey.pem
openssl req -new -key demoCA/private/tsakey.pem > tsacert.csr <<EOF
FR
France
Ulis
Me
R&D
CA-Me
nro...@me.fr


EOF
openssl ca -in tsacert.csr > demoCA/newcerts/tsacert.pem <<EOF
y
y
EOF
cp demoCA/newcerts/tsacert.pem demoCA

# Token query (no -cert option here, so the TSA will not embed its
# certificate in the token and -verify needs it via -untrusted)
cowsay "yé" > file.txt
openssl ts -query -data file.txt -policy tsa_policy1 > file.tsq
openssl ts -query -in file.tsq -text

# Token reply
openssl ts -reply -queryfile file.tsq -inkey demoCA/private/tsakey.pem \
    -signer demoCA/tsacert.pem > file.tsr
openssl ts -reply -in file.tsr -text

# Token validation: against the query, then against the original data
openssl ts -verify -queryfile file.tsq -in file.tsr -CAfile demoCA/cacert.pem \
    -untrusted demoCA/tsacert.pem
openssl ts -verify -data file.txt -in file.tsr -CAfile demoCA/cacert.pem \
    -untrusted demoCA/tsacert.pem
============================================================================
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Nicolas ROCHE

Jun 14, 2013, 4:01:05 AM
Hi,
Sorry, I forgot the "-cert" option during the query.
Nicolas.
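What the follow-up's "-cert" option changes is one flag in the DER request: certReq in the RFC 3161 TimeStampReq, which tells the TSA to put its certificate in the token so that -verify can find the signer with -CAfile alone. As an added example (not from this thread), the Python below builds such a request over SHA-256 and reads the flag back from any .tsq file, e.g. cert_req_flag(open("file.tsq", "rb").read()); the policy OID 1.2.3.4.1 used in testing is an assumed value for illustration only.

```python
import hashlib
SHA256_OID = "2.16.840.1.101.3.4.2.1"  # id-sha256, the imprint hash used here

def der(tag, body):  # wrap body in a DER TLV (long-form length for 128+ byte bodies)
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def oid(dotted):  # dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return der(0x06, bytes(out))

def build_tsq(data, policy=None, cert_req=False):
    """TimeStampReq over SHA-256(data); cert_req is what 'openssl ts -query -cert' sets."""
    alg = der(0x30, oid(SHA256_OID) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    imprint = der(0x30, alg + der(0x04, hashlib.sha256(data).digest()))
    body = der(0x02, b"\x01") + imprint  # version v1(1)
    if policy:
        body += oid(policy)  # reqPolicy (assumed OID; tsa_policy1 maps to one in openssl.cnf)
    if cert_req:
        body += der(0x01, b"\xff")  # certReq TRUE; DEFAULT FALSE, so omitted when false
    return der(0x30, body)

def tlv(buf, pos=0):  # read one DER element at pos -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def cert_req_flag(tsq):
    """True iff this TimeStampReq asks the TSA to embed its certificate in the token."""
    tag, body, _ = tlv(tsq)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, pos = tlv(body)  # skip version
    _, _, pos = tlv(body, pos)  # skip messageImprint
    while pos < len(body):  # reqPolicy / nonce / certReq / [0] extensions follow
        tag, val, pos = tlv(body, pos)
        if tag == 0x01:  # BOOLEAN
            return val != b"\x00"
    return False  # certReq absent -> DEFAULT FALSE: the TSA will not embed its certificate
```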