Hello,

My CA (European Union qualified!) claims there is a bug in OpenSSL: 
verifying digital timestamps fails.

The CA says (my bad translation, sorry): "Our timestamps additionally contain a 
<Time Attribute Certificate - TAC>, included according to RFC 3126. They conform 
to RFC 3161 and other clients work OK; it must be a bug in OpenSSL".

My knowledge is too limited, and I'm not a programmer who could debug and 
understand it. Can someone test it, please?

The TSA testing service is described here:

http://www.postsignum.cz/testovaci_casova_razitka.html 
(in Czech - you can use Google translate:
http://translate.google.cz/translate?sl=cs&tl=en&js=n&prev=_t&hl=cs&ie=UTF-8&eotf=1&u=http%3A%2F%2Fwww.postsignum.cz%2Ftestovaci_casova_razitka.html&act=url
)

-----------------------------
The command sequence:
------------------------------
$ openssl version
OpenSSL 1.0.1 14 Mar 2012

$ openssl ts -query -data file.txt -sha256 -no_nonce \
    > file.txt-nononce-sha256-nocert.tsq
$ curl -k -v -H "Content-Type: application/timestamp-query" --basic \
    -u "demoTSA:demoTSA2010" \
    --data-binary @file.txt-nononce-sha256-nocert.tsq \
    "https://www.postsignum.cz/DEMOTSA/TSS_user/" \
    > file.txt-nononce-sha256-nocert-postsigDEMO.tsr
$ openssl ts -verify -queryfile file.txt-nononce-sha256-nocert.tsq \
    -in file.txt-nononce-sha256-nocert.postsigDEMO.tsr \
    -CAfile demo_root.pem -untrusted demo_TSA+Qualif.pem
Verification: FAILED
140477747164832:error:2F067065:time stamp routines:TS_CHECK_SIGNING_CERTS:ess signing certificate error:ts_rsp_verify.c:291:

Note:
demo_TSA+Qualif.pem == DEMO_TSA.pem + demo_Qualified.pem in one file == signer 
+ intermediate certificates

All files (file, request, reply, certificates) are in the attachment.

--kapetr

Attachment: TSAtest.tgz
Description: application/compressed-tar
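
For readers diagnosing the same "ess signing certificate error": the Python below is an added example, not part of the original post and not OpenSSL code. It is a simplified model of the matching rules applied by OpenSSL's TS_check_signing_certs (the function named in the error) to the token's ESS signingCertificate attribute. The certificates are constructed byte strings, issuer names are plain strings, and every identifier in it is hypothetical.

```python
import hashlib
from typing import List, NamedTuple, Optional, Tuple

class Cert(NamedTuple):
    """Stand-in for a parsed X.509 certificate (constructed, not a real one)."""
    der: bytes
    issuer: str
    serial: int

class EssCertId(NamedTuple):
    """One ESSCertID from the token's signingCertificate attribute (RFC 2634)."""
    cert_hash: bytes                                 # SHA-1 of the DER certificate
    issuer_serial: Optional[Tuple[str, int]] = None  # optional IssuerSerial

def ess_id(cert: Cert, with_issuer: bool = False) -> EssCertId:
    """Build the ESSCertID a TSA would emit for cert."""
    ref = (cert.issuer, cert.serial) if with_issuer else None
    return EssCertId(hashlib.sha1(cert.der).digest(), ref)

def find_cert(cert_ids: List[EssCertId], cert: Cert) -> int:
    """Index of the first ESSCertID that matches cert, or -1."""
    digest = hashlib.sha1(cert.der).digest()
    for i, cid in enumerate(cert_ids):
        if cid.cert_hash == digest and cid.issuer_serial in (None, (cert.issuer, cert.serial)):
            return i
    return -1

def check_signing_certs(cert_ids: List[EssCertId], chain: List[Cert]) -> str:
    """Return 'ok', or the reason the token's ESS attribute is rejected."""
    if not cert_ids:
        return "no signingCertificate attribute"
    if find_cert(cert_ids, chain[0]) != 0:
        return "signer is not the first ESSCertID"
    if len(cert_ids) > 1:  # once extra IDs are listed, every chain cert must be listed
        for cert in chain[1:]:
            if find_cert(cert_ids, cert) < 0:
                return f"chain certificate not listed: {cert.issuer} #{cert.serial}"
    return "ok"

# Constructed sample data: verified chain is signer first, then its issuer.
TSA = Cert(b"constructed TSA certificate", "CN=Constructed Issuing CA", 1001)
ISSUING_CA = Cert(b"constructed CA certificate", "CN=Constructed Root", 7)
EXTRA = Cert(b"constructed extra certificate", "CN=Constructed Issuing CA", 2002)
CHAIN = [TSA, ISSUING_CA]

if __name__ == "__main__":
    cases = {"signer only": [ess_id(TSA)],
             "signer + whole chain": [ess_id(TSA, True), ess_id(ISSUING_CA)],
             "signer + unrelated cert": [ess_id(TSA), ess_id(EXTRA)],
             "signer listed second": [ess_id(EXTRA), ess_id(TSA)]}
    for name, ids in cases.items():
        print(f"{name:24} -> {check_signing_certs(ids, CHAIN)}")
```

The model only shows which shapes of the attribute are accepted or rejected; it does not establish which of them applies to the token in the attachment.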
