Re: [openssl-users] Question about timestamps

2016-04-12 Thread Alex Samad
Oh sorry, I am new to the TS side of things and I am putting things
together piecemeal.

On 12 April 2016 at 13:08, Jakob Bohm  wrote:
> My point was that the -text output would *show* you if
> the missing certs were included in the time stamp response
> somewhere, and where.
>
> If they are indeed inside the response, then the question
> would be why the "openssl ts -verify" command didn't find
> them automatically.
>
> If they are not inside the response, then the question
> would be why Symantec didn't include them like other
> tsa-s do.
>
> On 08/04/2016 22:36, Alex Samad wrote:
>
> Hi
>
> Yep, I have tried the output to text, but does that verify the signature?
>
> So what I think I have now is
>
> my data to be signed
> I make a request
> send the request to the tsa
> the tsa signs it adds signature
> I have response.
>
> Now I need to verify it
>
> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>
> but it seems to fail, I presume (newbie), because I don't have the
> intermediary certs.
>
> I presume Symantec have signed it with a cert that's rooted in one of
> their main CAs and I presume for me to verify I need the
> intermediaries or at least the sign cert's CA.
>
> I have looked on Symantec's site to no avail
>
> and I am working on guesswork here
>
>
>
>
>
> On 8 April 2016 at 16:26, Jakob Bohm  wrote:
>
> Try something like
>
> $OPENSSL ts -reply -in ${FL}.tsr -text -noout
>
> (Not sure if it accepts the -noout option or not).
>
>
> On 08/04/2016 08:01, Alex Samad wrote:
>
> Okay, how do I dump the intermediaries then?
>
>
>
> On 8 April 2016 at 15:49, Jakob Bohm  wrote:
>
> On 08/04/2016 07:39, Alex Samad wrote:
>
> Hi
>
> I am trying to use an RFC 3161 timestamp service to record timestamps.
>
> Basically I have a sha of some files and I would like to sign the file.
>
> basically I am using something like this
>
> # Generate Query and send
> $OPENSSL ts -query -data "$FL" -sha256 |
>   $CURL -s -H "Content-Type:application/timestamp-query" \
>     --data-binary "@-" $TSA > "${FL}.tsr"
>
> $OPENSSL ts -reply -in "${FL}.tsr" -text > "${FL}.ts.txt"
>
> where FL is the file.
>
> What I want to be able to do is verify the .tsr file
>
> testing that with
>
> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>
>
> where SHA.sha is the original FL
>
> but I get
>
> Verification: FAILED
> 140221656393544:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:
>
> from the text output
> cat *.txt
> Status info:
> Status: Granted.
> Status description: unspecified
> Failure info: unspecified
>
> TST info:
> Version: 1
> Policy OID: 2.16.840.1.113733.1.7.23.3
> Hash Algorithm: sha256
> Message data:
>     0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[...WE.i.
>     0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.U%..W7>\..
> Serial number: 0xBEAF663E1CD2F0D029C1A641AD2F9137A5F097C9
> Time stamp: Apr  8 04:58:08 2016 GMT
> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
> Ordering: no
> Nonce: 0x8E67A9941BCB2570
> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1
> Extensions:
>
> I think this certificate is the end entity certificate
> for the Symantec time stamping server that responded to
> your request.
>
> If you dump the full contents of the TSR it should include
> that certificate somewhere, plus a chain leading to a
> public root which is hopefully in your list of trusted
> certificates or at least available via some other secure
> method.
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Question about timestamps

2016-04-11 Thread Jakob Bohm

My point was that the -text output would *show* you if
the missing certs were included in the time stamp response
somewhere, and where.

If they are indeed inside the response, then the question
would be why the "openssl ts -verify" command didn't find
them automatically.

If they are not inside the response, then the question
would be why Symantec didn't include them like other
tsa-s do.

On 08/04/2016 22:36, Alex Samad wrote:
> Hi
>
> Yep, I have tried the output to text, but does that verify the signature?
>
> So what I think I have now is
>
> my data to be signed
> I make a request
> send the request to the tsa
> the tsa signs it adds signature
> I have response.
>
> Now I need to verify it
>
> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>
> but it seems to fail, I presume (newbie), because I don't have the
> intermediary certs.
>
> I presume Symantec have signed it with a cert that's rooted in one of
> their main CAs and I presume for me to verify I need the
> intermediaries or at least the sign cert's CA.
>
> I have looked on Symantec's site to no avail
>
> and I am working on guesswork here
>
> On 8 April 2016 at 16:26, Jakob Bohm wrote:
>> Try something like
>>
>> $OPENSSL ts -reply -in ${FL}.tsr -text -noout
>>
>> (Not sure if it accepts the -noout option or not).
>>
>> On 08/04/2016 08:01, Alex Samad wrote:
>>> Okay, how do I dump the intermediaries then?
>>>
>>> On 8 April 2016 at 15:49, Jakob Bohm wrote:
>>>> On 08/04/2016 07:39, Alex Samad wrote:
>>>>> Hi
>>>>>
>>>>> I am trying to use an RFC 3161 timestamp service to record timestamps.
>>>>>
>>>>> Basically I have a sha of some files and I would like to sign the file.
>>>>>
>>>>> basically I am using something like this
>>>>>
>>>>> # Generate Query and send
>>>>> $OPENSSL ts -query -data "$FL" -sha256 |
>>>>>   $CURL -s -H "Content-Type:application/timestamp-query" \
>>>>>     --data-binary "@-" $TSA > "${FL}.tsr"
>>>>>
>>>>> $OPENSSL ts -reply -in "${FL}.tsr" -text > "${FL}.ts.txt"
>>>>>
>>>>> where FL is the file.
>>>>>
>>>>> What I want to be able to do is verify the .tsr file
>>>>>
>>>>> testing that with
>>>>>
>>>>> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>>>>>
>>>>> where SHA.sha is the original FL
>>>>>
>>>>> but I get
>>>>>
>>>>> Verification: FAILED
>>>>> 140221656393544:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:
>>>>>
>>>>> from the text output
>>>>> cat *.txt
>>>>> Status info:
>>>>> Status: Granted.
>>>>> Status description: unspecified
>>>>> Failure info: unspecified
>>>>>
>>>>> TST info:
>>>>> Version: 1
>>>>> Policy OID: 2.16.840.1.113733.1.7.23.3
>>>>> Hash Algorithm: sha256
>>>>> Message data:
>>>>>     0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[...WE.i.
>>>>>     0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.U%..W7>\..
>>>>> Serial number: 0xBEAF663E1CD2F0D029C1A641AD2F9137A5F097C9
>>>>> Time stamp: Apr  8 04:58:08 2016 GMT
>>>>> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
>>>>> Ordering: no
>>>>> Nonce: 0x8E67A9941BCB2570
>>>>> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1
>>>>> Extensions:
>>>>
>>>> I think this certificate is the end entity certificate
>>>> for the Symantec time stamping server that responded to
>>>> your request.
>>>>
>>>> If you dump the full contents of the TSR it should include
>>>> that certificate somewhere, plus a chain leading to a
>>>> public root which is hopefully in your list of trusted
>>>> certificates or at least available via some other secure
>>>> method.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
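
The situation discussed in this thread, reproduced offline as an added example (not code from either poster or from the OpenSSL project): with OpenSSL acting as the TSA, a query made without `-cert` yields a response with no embedded certificate, which fails `ts -verify` unless the signer is supplied with `-untrusted`, while a `-cert` query yields a response that verifies with `-CAfile` alone. The local CA and TSA, their names, the policy OID and the file names are constructed assumptions.

```shell
#!/bin/sh
# Added example: throwaway CA and TSA built locally (constructed, not Symantec's).
# The CNs, the policy OID 1.2.3.4.1 and all file names are assumptions.

ts_setup() {   # build the demo PKI plus two responses in $TSDIR
  TSDIR=$(mktemp -d) || return 1
  cat > "$TSDIR/tsa.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
[tsa_ext]
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, timeStamping
[tsa]
default_tsa = demo_tsa
[demo_tsa]
serial = ./serial
signer_cert = ./tsa.pem
signer_key = ./tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
EOF
  (
    cd "$TSDIR" && echo 01 > serial && echo "data to stamp" > SHA.sha &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
      -config tsa.cnf -extensions ca_ext -keyout ca.key -out ca.pem &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo TSA" \
      -config tsa.cnf -keyout tsa.key -out tsa.csr &&
    openssl x509 -req -in tsa.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 2 -extfile tsa.cnf -extensions tsa_ext -out tsa.pem &&
    # Query as posted in the thread: no -cert, so certReq is not set.
    openssl ts -query -data SHA.sha -sha256 -out nocert.tsq &&
    # Same query with -cert: asks the TSA to embed its signing certificate.
    openssl ts -query -data SHA.sha -sha256 -cert -out cert.tsq &&
    openssl ts -reply -config tsa.cnf -queryfile nocert.tsq -out nocert.tsr &&
    openssl ts -reply -config tsa.cnf -queryfile cert.tsq -out cert.tsr
  ) >/dev/null 2>&1
}

ts_embedded_certs() {   # print the number of certificates inside response $1
  openssl ts -reply -in "$1" -token_out -out "$1.p7" 2>/dev/null || return 1
  openssl pkcs7 -inform DER -in "$1.p7" -print_certs 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE' || true
}

ts_verify() {   # ts_verify <response> [extra args]; true only on "Verification: OK"
  r=$1; shift
  ( cd "$TSDIR" && openssl ts -verify -data SHA.sha -in "$r" -CAfile ca.pem "$@" 2>&1 ) |
    grep -q 'Verification: OK'
}

ts_setup || { echo "setup failed (is openssl installed?)" >&2; exit 1; }
for r in nocert.tsr cert.tsr; do
  printf '%s: %s embedded cert(s), -CAfile only: ' "$r" "$(ts_embedded_certs "$TSDIR/$r")"
  if ts_verify "$r"; then echo OK; else echo FAILED; fi
done
# Response without certificates: supply the signer (and any intermediates) yourself.
if ts_verify nocert.tsr -untrusted tsa.pem; then echo "nocert.tsr with -untrusted: OK"; fi
```

For a real TSA, `-CAfile` must hold the root you already trust, and any file given to `-untrusted` is only used for chain building, not as a trust anchor.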



Re: [openssl-users] Question about timestamps

2016-04-08 Thread Alex Samad
Hi

Yep, I have tried the output to text, but does that verify the signature?

So what I think I have now is

my data to be signed
I make a request
send the request to the tsa
the tsa signs it adds signature
I have response.

Now I need to verify it

openssl ts -verify -data SHA.sha -in SHA.sha.tsr

but it seems to fail, I presume (newbie), because I don't have the
intermediary certs.

I presume Symantec have signed it with a cert that's rooted in one of
their main CAs and I presume for me to verify I need the
intermediaries or at least the sign cert's CA.

I have looked on Symantec's site to no avail

and I am working on guesswork here





On 8 April 2016 at 16:26, Jakob Bohm  wrote:
> Try something like
>
> $OPENSSL ts -reply -in ${FL}.tsr -text -noout
>
> (Not sure if it accepts the -noout option or not).
>
>
> On 08/04/2016 08:01, Alex Samad wrote:
>>
>> Okay, how do I dump the intermediaries then?
>>
>> On 8 April 2016 at 15:49, Jakob Bohm wrote:
>>>
>>> On 08/04/2016 07:39, Alex Samad wrote:
>>>>
>>>> Hi
>>>>
>>>> I am trying to use an RFC 3161 timestamp service to record timestamps.
>>>>
>>>> Basically I have a sha of some files and I would like to sign the file.
>>>>
>>>> basically I am using something like this
>>>>
>>>> # Generate Query and send
>>>> $OPENSSL ts -query -data "$FL" -sha256 |
>>>>   $CURL -s -H "Content-Type:application/timestamp-query" \
>>>>     --data-binary "@-" $TSA > "${FL}.tsr"
>>>>
>>>> $OPENSSL ts -reply -in "${FL}.tsr" -text > "${FL}.ts.txt"
>>>>
>>>> where FL is the file.
>>>>
>>>> What I want to be able to do is verify the .tsr file
>>>>
>>>> testing that with
>>>>
>>>> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>>>>
>>>> where SHA.sha is the original FL
>>>>
>>>> but I get
>>>>
>>>> Verification: FAILED
>>>> 140221656393544:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:
>>>>
>>>> from the text output
>>>> cat *.txt
>>>> Status info:
>>>> Status: Granted.
>>>> Status description: unspecified
>>>> Failure info: unspecified
>>>>
>>>> TST info:
>>>> Version: 1
>>>> Policy OID: 2.16.840.1.113733.1.7.23.3
>>>> Hash Algorithm: sha256
>>>> Message data:
>>>>     0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[...WE.i.
>>>>     0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.U%..W7>\..
>>>> Serial number: 0xBEAF663E1CD2F0D029C1A641AD2F9137A5F097C9
>>>> Time stamp: Apr  8 04:58:08 2016 GMT
>>>> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
>>>> Ordering: no
>>>> Nonce: 0x8E67A9941BCB2570
>>>> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1
>>>> Extensions:
>>>
>>> I think this certificate is the end entity certificate
>>> for the Symantec time stamping server that responded to
>>> your request.
>>>
>>> If you dump the full contents of the TSR it should include
>>> that certificate somewhere, plus a chain leading to a
>>> public root which is hopefully in your list of trusted
>>> certificates or at least available via some other secure
>>> method.
>>>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: [openssl-users] Question about timestamps

2016-04-08 Thread Jakob Bohm

Try something like

$OPENSSL ts -reply -in ${FL}.tsr -text -noout

(Not sure if it accepts the -noout option or not).

On 08/04/2016 08:01, Alex Samad wrote:
> Okay, how do I dump the intermediaries then?
>
> On 8 April 2016 at 15:49, Jakob Bohm wrote:
>> On 08/04/2016 07:39, Alex Samad wrote:
>>> Hi
>>>
>>> I am trying to use an RFC 3161 timestamp service to record timestamps.
>>>
>>> Basically I have a sha of some files and I would like to sign the file.
>>>
>>> basically I am using something like this
>>>
>>> # Generate Query and send
>>> $OPENSSL ts -query -data "$FL" -sha256 |
>>>   $CURL -s -H "Content-Type:application/timestamp-query" \
>>>     --data-binary "@-" $TSA > "${FL}.tsr"
>>>
>>> $OPENSSL ts -reply -in "${FL}.tsr" -text > "${FL}.ts.txt"
>>>
>>> where FL is the file.
>>>
>>> What I want to be able to do is verify the .tsr file
>>>
>>> testing that with
>>>
>>> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>>>
>>> where SHA.sha is the original FL
>>>
>>> but I get
>>>
>>> Verification: FAILED
>>> 140221656393544:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:
>>>
>>> from the text output
>>> cat *.txt
>>> Status info:
>>> Status: Granted.
>>> Status description: unspecified
>>> Failure info: unspecified
>>>
>>> TST info:
>>> Version: 1
>>> Policy OID: 2.16.840.1.113733.1.7.23.3
>>> Hash Algorithm: sha256
>>> Message data:
>>>     0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[...WE.i.
>>>     0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.U%..W7>\..
>>> Serial number: 0xBEAF663E1CD2F0D029C1A641AD2F9137A5F097C9
>>> Time stamp: Apr  8 04:58:08 2016 GMT
>>> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
>>> Ordering: no
>>> Nonce: 0x8E67A9941BCB2570
>>> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1
>>> Extensions:
>>
>> I think this certificate is the end entity certificate
>> for the Symantec time stamping server that responded to
>> your request.
>>
>> If you dump the full contents of the TSR it should include
>> that certificate somewhere, plus a chain leading to a
>> public root which is hopefully in your list of trusted
>> certificates or at least available via some other secure
>> method.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] Question about timestamps

2016-04-08 Thread Alex Samad
Okay, how do I dump the intermediaries then?



On 8 April 2016 at 15:49, Jakob Bohm  wrote:
> On 08/04/2016 07:39, Alex Samad wrote:
>>
>> Hi
>>
>> I am trying to use an RFC 3161 timestamp service to record timestamps.
>>
>> Basically I have a sha of some files and I would like to sign the file.
>>
>> basically I am using something like this
>>
>> # Generate Query and send
>> $OPENSSL ts -query -data "$FL" -sha256 |
>>   $CURL -s -H "Content-Type:application/timestamp-query" \
>>     --data-binary "@-" $TSA > "${FL}.tsr"
>>
>> $OPENSSL ts -reply -in "${FL}.tsr" -text > "${FL}.ts.txt"
>>
>> where FL is the file.
>>
>> What I want to be able to do is verify the .tsr file
>>
>> testing that with
>>
>> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>>
>>
>> where SHA.sha is the original FL
>>
>> but I get
>>
>> Verification: FAILED
>> 140221656393544:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:
>>
>> from the text output
>> cat *.txt
>> Status info:
>> Status: Granted.
>> Status description: unspecified
>> Failure info: unspecified
>>
>> TST info:
>> Version: 1
>> Policy OID: 2.16.840.1.113733.1.7.23.3
>> Hash Algorithm: sha256
>> Message data:
>>     0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[...WE.i.
>>     0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.U%..W7>\..
>> Serial number: 0xBEAF663E1CD2F0D029C1A641AD2F9137A5F097C9
>> Time stamp: Apr  8 04:58:08 2016 GMT
>> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
>> Ordering: no
>> Nonce: 0x8E67A9941BCB2570
>> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1
>> Extensions:
>
> I think this certificate is the end entity certificate
> for the Symantec time stamping server that responded to
> your request.
>
> If you dump the full contents of the TSR it should include
> that certificate somewhere, plus a chain leading to a
> public root which is hopefully in your list of trusted
> certificates or at least available via some other secure
> method.
>
>>
>>
>>
>> I am guessing my problem is the above certificate is not in the SSL
>> path, and currently I am unable to find it on the Symantec site.
>>
>> Am I doing the right thing?
>> I have also looked at GlobalSign and similar issue, find the cert
>>
>> What am I missing?
>
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: [openssl-users] Question about timestamps

2016-04-07 Thread Jakob Bohm

On 08/04/2016 07:39, Alex Samad wrote:
> Hi
>
> I am trying to use an RFC 3161 timestamp service to record timestamps.
>
> Basically I have a sha of some files and I would like to sign the file.
>
> basically I am using something like this
>
> # Generate Query and send
> $OPENSSL ts -query -data "$FL" -sha256 |
>   $CURL -s -H "Content-Type:application/timestamp-query" \
>     --data-binary "@-" $TSA > "${FL}.tsr"
>
> $OPENSSL ts -reply -in "${FL}.tsr" -text > "${FL}.ts.txt"
>
> where FL is the file.
>
> What I want to be able to do is verify the .tsr file
>
> testing that with
>
> openssl ts -verify -data SHA.sha -in SHA.sha.tsr
>
> where SHA.sha is the original FL
>
> but I get
>
> Verification: FAILED
> 140221656393544:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:
>
> from the text output
> cat *.txt
> Status info:
> Status: Granted.
> Status description: unspecified
> Failure info: unspecified
>
> TST info:
> Version: 1
> Policy OID: 2.16.840.1.113733.1.7.23.3
> Hash Algorithm: sha256
> Message data:
>     0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[...WE.i.
>     0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.U%..W7>\..
> Serial number: 0xBEAF663E1CD2F0D029C1A641AD2F9137A5F097C9
> Time stamp: Apr  8 04:58:08 2016 GMT
> Accuracy: 0x1E seconds, unspecified millis, unspecified micros
> Ordering: no
> Nonce: 0x8E67A9941BCB2570
> TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1
> Extensions:

I think this certificate is the end entity certificate
for the Symantec time stamping server that responded to
your request.

If you dump the full contents of the TSR it should include
that certificate somewhere, plus a chain leading to a
public root which is hopefully in your list of trusted
certificates or at least available via some other secure
method.

> I am guessing my problem is the above certificate is not in the SSL
> path, and currently I am unable to find it on the Symantec site.
>
> Am I doing the right thing?
> I have also looked at GlobalSign and similar issue, find the cert
>
> What am I missing?


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



[openssl-users] Question about timestamps

2016-04-07 Thread Alex Samad
Hi

I am trying to use an RFC 3161 timestamp service to record timestamps.

Basically I have a sha of some files and I would like to sign the file.

basically I am using something like this

# Generate Query and send
$OPENSSL ts -query -data "$FL" -sha256 |
  $CURL -s -H "Content-Type:application/timestamp-query" \
    --data-binary "@-" $TSA > "${FL}.tsr"

$OPENSSL ts -reply -in "${FL}.tsr" -text > "${FL}.ts.txt"

where FL is the file.

What I want to be able to do is verify the .tsr file

testing that with

openssl ts -verify -data SHA.sha -in SHA.sha.tsr


where SHA.sha is the original FL

but I get

Verification: FAILED
140221656393544:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:pk7_smime.c:476:

from the text output
cat *.txt
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 2.16.840.1.113733.1.7.23.3
Hash Algorithm: sha256
Message data:
    0000 - 8c 6d 95 5b e0 cd 8b c9-df 8c ab 57 45 c4 69 e6   .m.[...WE.i.
    0010 - 7a b9 ce cb 14 8f 55 25-91 2e 57 37 3e 5c b8 d5   z.U%..W7>\..
Serial number: 0xBEAF663E1CD2F0D029C1A641AD2F9137A5F097C9
Time stamp: Apr  8 04:58:08 2016 GMT
Accuracy: 0x1E seconds, unspecified millis, unspecified micros
Ordering: no
Nonce: 0x8E67A9941BCB2570
TSA: DirName:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec SHA256 TimeStamping Signer - G1
Extensions:




I am guessing my problem is the above certificate is not in the SSL
path, and currently I am unable to find it on the Symantec site.

Am I doing the right thing?
I have also looked at GlobalSign and similar issue, find the cert

What am I missing?

A