Hello!
Thank you very much for your help.
I managed to install it, load the server and connect to the database; the
problem was the version of Apache. I compiled the httpd-2.0.59 version.

Now I want to try the service for time stamping. I generate a query with the
following command:

./openssl ts -reply -queryfile request.tsq -signer /root/tssCRT.pem -inkey /root/tssKey.pem -out -token_out responde.tsr

And I get the following file:

In text format it is:
Version: 1
Hash Algorithm: sha1
Message data:
    0000 - be ab 2c 2c 2c 2d 41 ff-ae 07 28 fc 40 5d c3 04   ..,,,-A...(.@]..
    0010 - 62 2a 3e 78                                       b*>x
Policy OID: unspecified
Nonce: 0x5B1374C33082CD80
Certificate required: yes
Extensions:

Now when I generate the certificate stamp, I do it with this command:
./openssl ts -reply -queryfile request.tsq -signer /root/tssCRT.pem -inkey /root/tssKey.pem -out -token_out responde.tsr

But it said it was wrong, and I do not know what the problem is.
Have you generated a certificate of this type?
Do you know something about it?

Thank you very much again.
You have been very helpful.
Greetings!

2011/2/24 Mounir IDRASSI <mounir.idra...@idrix.net>

> Hi,
>
> Getting the same error (on ts_rsp_sign.c:206) with the file I send means
> that you are not using the right files: I have explicitly tested the
> OpenSSL function referenced in ts_rsp_sign.c and it is working with no
> error. You have to check your configuration in order to point to the right
> key file.
>
> In my tests, I only used OpenSSL code, no mod_tsa or Apache, because I was
> targeting the OpenSSL error you described. I used the latest version 1.0.0d
> but I think this has nothing to do with your problem since it is certainly
> caused by a configuration issue.
> Concerning cnf file, I just modified the usr_cert section in the default
> one in order to add "extendedKeyUsage = critical,timeStamping" and set
> keyUsage to "nonRepudiation, digitalSignature".
>
>
> Cheers,
> --
> Mounir IDRASSI
> IDRIX
> http://www.idrix.fr
>
> On 2/23/2011 3:32 PM, Yessica De Ascencao wrote:
>
>> Hello!
>> Thanks for your help and monitoring.
>> Yes, I get the same error; it also throws the same when tested with the
>> files you sent me.
>> I think there must be something I missed or did wrong in the installation.
>> Which version did you use for this package:
>> openssl
>> mod_tsa
>> Apache
>> mod_ssl
>> mysql
>> ts-patch_XXXX
>>
>> Another thing, to generate the certificate for the extension tsa with Time
>> Stamping, which .cnf did you use? The openssl.cnf or one created for you?
>>
>> Very grateful!
>> Thanks
>>
>> 2011/2/22 Mounir IDRASSI <mounir.idra...@idrix.net>
>>
>>    Hi,
>>
>>    Are you sure you have the same error description
>>    (lib(47):func(131):reason(117):ts_rsp_sign.c:206:)? I have tested
>>    here with a certificate containing "Digital Signature, Non
>>    Repudiation" key usage and OpenSSL doesn't complain.
>>    I'm attaching the timestamp certificate (with its key and its CA
>>    certificate) that I used. Can you see if it is working for you?
>>
>>
>>    Cheers,
>>    --
>>    Mounir IDRASSI
>>    IDRIX
>>    http://www.idrix.fr
>>
>>    On 2/22/2011 3:11 PM, Yessica De Ascencao wrote:
>>
>>        Hi Mounir IDRASSI!
>>        I generated the certificate with ONLY Digital Signature, Non
>>        Repudiation but I still have the same problem.
>>
>>        Thanks!
>>
>>        Certificate:
>>           Data:
>>               Version: 3 (0x2)
>>               Serial Number:
>>                   d8:e6:a3:f6:22:c7:a4:0c
>>               Signature Algorithm: sha1WithRSAEncryption
>>               Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve
>>               Validity
>>                   Not Before: Feb 22 14:08:20 2011 GMT
>>                   Not After : Feb 22 14:08:20 2012 GMT
>>               Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, CN=tsscompany/emailAddress=t...@company.com
>>
>>               Subject Public Key Info:
>>                   Public Key Algorithm: rsaEncryption
>>                   RSA Public Key: (2048 bit)
>>                       Modulus (2048 bit):
>>                       Exponent: 65537 (0x10001)
>>               X509v3 extensions:
>>                   X509v3 Basic Constraints:
>>                       CA:FALSE
>>                   X509v3 Key Usage:
>>                       Digital Signature, Non Repudiation
>>                   Netscape Comment:
>>                       OpenSSL Generated Certificate
>>                   X509v3 Subject Key Identifier:
>>                       FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
>>                   X509v3 Authority Key Identifier:
>>                       keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76
>>
>>                   X509v3 Subject Alternative Name:
>>                       email:t...@company.com
>>
>>
>>                   X509v3 Extended Key Usage: critical
>>                       Time Stamping
>>           Signature Algorithm: sha1WithRSAEncryption
>>
>>
>>        2011/2/22 Mounir IDRASSI <mounir.idra...@idrix.net>
>>
>>
>>           Hi,
>>
>>           I don't agree: from the error description
>>           (lib(47):func(131):reason(117):ts_rsp_sign.c:206) it is clear that
>>           OpenSSL loaded the certificate but the X509_check_purpose(signer,
>>           X509_PURPOSE_TIMESTAMP_SIGN, 0) call in ts_rsp_sign failed.
>>
>>           Actually, reading the certificate dump shows that the problem is
>>           coming from the certificate Key Usage: it MUST NOT contain Key
>>           Encipherment.
>>           So, to resolve your problem, set the Key Usage to ONLY Digital
>>           Signature, Non Repudiation.
>>
>>           I hope this will help.
>>           Cheers,
>>           --
>>           Mounir IDRASSI
>>           IDRIX
>>        http://www.idrix.fr
>>
>>
>>           On 2/22/2011 2:40 PM, Patrick Patterson wrote:
>>
>>               Hi Yessica:
>>
>>               That error is fairly straightforward - it can't load the
>>               cert (meaning, it can't even load the file).
>>
>>               Have you made sure that the permissions are correct? Are you
>>               absolutely sure that you have the right cert in the right
>>               location?
>>
>>               Have fun.
>>
>>               Patrick.
>>
>>               On 2011-02-22, at 8:37 AM, Yessica De Ascencao wrote:
>>
>>                   Hi!
>>                   This is the new certificate:
>>
>>                   Certificate:
>>                       Data:
>>                           Version: 3 (0x2)
>>                           Serial Number:
>>                               d8:e6:a3:f6:22:c7:a4:0b
>>                           Signature Algorithm: sha1WithRSAEncryption
>>                           Issuer: C=ve, ST=distrito capital, O=suscerte, OU=acraiz, CN=ac/emailAddress=a...@suscerte.gob.ve
>>
>>                           Validity
>>                               Not Before: Feb 21 20:15:08 2011 GMT
>>                               Not After : Feb 21 20:15:08 2012 GMT
>>                           Subject: C=ve, ST=distritocapital, L=caracas, O=tss, OU=suscerte, CN=tsscompany/emailAddress=t...@company.com
>>
>>
>>                           Subject Public Key Info:
>>                               Public Key Algorithm: rsaEncryption
>>                               RSA Public Key: (2048 bit)
>>                                   Modulus (2048 bit):
>>                                   Exponent: 65537 (0x10001)
>>                           X509v3 extensions:
>>                               X509v3 Basic Constraints:
>>                                   CA:FALSE
>>                               X509v3 Key Usage:
>>                                   Digital Signature, Non Repudiation, Key Encipherment
>>                               Netscape Comment:
>>                                   OpenSSL Generated Certificate
>>                               X509v3 Subject Key Identifier:
>>                                   FA:0C:6E:6E:88:58:51:F4:DF:F1:E3:CC:DD:9D:71:8C:CD:95:68:17
>>                               X509v3 Authority Key Identifier:
>>                                   keyid:76:B9:CB:3B:5D:C8:B6:AB:02:74:86:D3:1C:C7:42:58:B1:AE:7E:76
>>
>>                               X509v3 Subject Alternative Name:
>>                                   email:t...@company.com
>>
>>
>>                               X509v3 Extended Key Usage: critical
>>                                   Time Stamping
>>                       Signature Algorithm: sha1WithRSAEncryption
>>
>>                   And this is the error:
>>                   [Mon Feb 21 20:15:37 2011] [error] mod_tsa:could not load X.509 certificate: /usr/local/ssl/misc/demoCA/tss.pem
>>                   [Mon Feb 21 20:15:37 2011] [error] mod_tsa:17262:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
>>                   [Mon Feb 21 20:15:37 2011] [emerg] exiting, fatal error during mod_tsa initialisation.
>>
>>                   Thanks!!!
>>
>>                   2011/2/21 Jaroslav Imrich <jaroslav.imr...@gmail.com>
>>
>>                   Hello Yessica,
>>
>>                   please post the new certificate and the exact error you're getting.
>>
>>                   --
>>                   Kind Regards / S pozdravom
>>
>>                   Jaroslav Imrich
>>        http://www.jariq.sk
>>
>>
>>
>>                   On Mon, Feb 21, 2011 at 4:41 PM, Yessica De Ascencao <yessima...@gmail.com> wrote:
>>
>>                   hello!!!
>>                   Thanks for the response!
>>
>>                   Yes I needed the extension to Time Stamping, however when
>>                   I load the sample certificate in the OpenTSA page, it
>>                   continues to show me the same error. I created a
>>                   certificate with the correct extension and it likewise gives
>>                   me an error.
>>
>>                   I really do not know what may be happening.
>>
>>                   Thank you very much!
>>
>>
>>
>>                   2011/2/18 Jaroslav Imrich <jaroslav.imr...@gmail.com>
>>
>>                   Hello Yessica,
>>
>>
>>                   this line in your logs tells you where the error occurred:
>>
>>                   [Thu Feb 17 19:23:09 2011] [error] mod_tsa:1510:error:2F083075:lib(47):func(131):reason(117):ts_rsp_sign.c:206:
>>
>>                   When you look into the source code of the openssl ts module -
>>                   http://cvs.openssl.org/fileview?f=openssl/crypto/ts/ts_rsp_sign.c&v=1.6.4.2
>>                   - you can see that line 206 contains the following code:
>>
>>                           if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1)
>>                                   {
>>                                   TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT,
>>                                         TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
>>                                   return 0;
>>                                   }
>>
>>                   That means loading of the TSA certificate failed because of
>>                   incorrect extensions.
>>
>>                   The certificate you posted has a critical mark on "X509v3
>>                   Subject Alternative Name" which is completely wrong in
>>                   this case. It is "Time Stamping" that has to be marked as
>>                   critical.
>>
>>
>>                   --
>>                   Kind Regards / S pozdravom
>>
>>                   Jaroslav Imrich
>>        http://www.jariq.sk
>>
>>
>>
>>                   --
>>                   Saludos!
>>                   Yessica De Ascencao
>>                   0426-7142582
>>
>>
>>
>>                   --
>>                   Saludos!
>>                   Yessica De Ascencao
>>                   0426-7142582
>>
>>               ---
>>               Patrick Patterson
>>               Chief PKI Architect
>>               Carillon Information Security Inc.
>>        http://www.carillon.ca
>>
>>
>>
>>
>>
>>
>>               ______________________________________________________________________
>>               OpenSSL Project http://www.openssl.org
>>               User Support Mailing List openssl-users@openssl.org
>>               Automated List Manager majord...@openssl.org
>>
>>        --
>>        Saludos!
>>        Yessica De Ascencao
>>        0426-7142582
>>
>>
>>
>>
>>
>> --
>> Saludos!
>> Yessica De Ascencao
>> 0426-7142582
>>



-- 
Saludos!
Yessica De Ascencao
0426-7142582
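
Added example (not part of the thread, and not OpenSSL or mod_tsa code): a Python check that reads the extension section of an `openssl x509 -text` dump, like the ones quoted below, and applies the conditions named in the replies: Key Usage limited to Digital Signature / Non Repudiation, and a critical Extended Key Usage of Time Stamping. The function names and sample dumps are constructed for illustration, and treating Time Stamping as the only permitted purpose is an assumption taken from RFC 3161.

```python
import re

# Key Usage bits a timestamp signer may carry (from the replies in the thread).
ALLOWED_KU = {"Digital Signature", "Non Repudiation"}

def parse_extensions(dump):
    """Map extension name -> (critical, [values]) from `openssl x509 -text` output."""
    exts, lines = {}, dump.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = re.match(r"\s*X509v3 (.+?):\s*(critical)?\s*$", line)
        if m and m.group(1) != "extensions":
            values = [v.strip() for v in lines[i + 1].split(",") if v.strip()]
            exts[m.group(1)] = (m.group(2) is not None, values)
    return exts

def timestamp_sign_problems(dump):
    """Return the reasons a certificate dump is unfit for timestamp signing."""
    exts, problems = parse_extensions(dump), []
    if "Key Usage" in exts:  # optional extension, but restricted when present
        ku = set(exts["Key Usage"][1])
        if ku - ALLOWED_KU:
            problems.append("Key Usage has disallowed bits: "
                            + ", ".join(sorted(ku - ALLOWED_KU)))
        if not ku & ALLOWED_KU:
            problems.append("Key Usage lacks Digital Signature / Non Repudiation")
    critical, eku = exts.get("Extended Key Usage", (False, []))
    # Assumption (RFC 3161): Time Stamping must be the only purpose listed.
    if eku != ["Time Stamping"]:
        problems.append("Extended Key Usage must be exactly Time Stamping")
    elif not critical:
        problems.append("Extended Key Usage is not marked critical")
    return problems

# Constructed samples: extension sections abridged from the dumps in the thread.
WITH_KEY_ENCIPHERMENT = """\
    X509v3 extensions:
        X509v3 Key Usage:
            Digital Signature, Non Repudiation, Key Encipherment
        X509v3 Extended Key Usage: critical
            Time Stamping
"""
REISSUED = WITH_KEY_ENCIPHERMENT.replace(", Key Encipherment", "")
# Constructed: critical flag on the wrong extension, as described for the first certificate.
CRITICAL_ON_SAN = """\
    X509v3 extensions:
        X509v3 Subject Alternative Name: critical
            email:tsa@example.invalid
        X509v3 Extended Key Usage:
            Time Stamping
"""

if __name__ == "__main__":
    for name in ("WITH_KEY_ENCIPHERMENT", "REISSUED", "CRITICAL_ON_SAN"):
        print(name, "->", timestamp_sign_problems(globals()[name]) or "OK")
```

A dump that passes these checks while the server still reports the ts_rsp_sign.c:206 error points at the server loading a different certificate file than the one inspected.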
