Document how to create the certificate file? #7

Open
petterreinholdtsen opened this issue Sep 18, 2018 · 3 comments
Comments

@petterreinholdtsen
Contributor

It would be nice if the README or some other documentation explained what the certificate file should look like, and how to create it? I've tried to figure out which file to use for http://zeitstempel.dfn.de, without any luck so far. The content of https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt was rejected.

@petterreinholdtsen
Contributor Author

If the procedure to get the certificate file can be automated, it would be possible to test all the services listed in README.rst to verify they are currently working.

@brimston3

brimston3 commented May 5, 2019

I used the following to generate a tsr with a more complete certificate chain. The CertificateSet section of the timestamp info is completely optional, so the TSA doesn't have to provide any certs at all.

openssl ts -query -data dummyfile -cert -out rq.tsq
tsget -h http://sha256timestamp.ws.symantec.com/sha256/timestamp -o rq.tsr rq.tsq

Then I used asn1parse to identify different certificates in the DER-encoded file; per the spec, if certificates appear, they will be in a [0] tagged d=4 block after the tst info (notably, there will be a big octet string object of type id-smime-ct-tstinfo before it). I extracted each byte sequence in that block into its own cert.der file. Skip is from the number before the colon (should be a cons: SEQUENCE at d=5), count is hl+l.

openssl asn1parse -inform der -in rq.tsr
dd if=rq.tsr of=cert1.der bs=1 skip=342 count=1340
dd if=rq.tsr of=cert2.der bs=1 skip=1682 count=1359

There may be more than 2 certs in the container, just extract them all. This can probably be automated with pyasn1, but I don't know how. One of these will have the x509v3 extended usage Time Stamping (id-kp-timeStamping). It will almost always be the last cert. All of the rest go in the -untrusted file (concat intermediate CA pems). Easiest way is to check for Time Stamp signing with -purpose.

 for each in *.der; do
     openssl x509 -inform der -in "$each" -purpose -noout | grep -F "Time Stamp signing : Yes" && echo "$each";
 done

Convert the leaf certificate into pem format.

openssl x509 -inform der -in cert2.der -out cert2.pem

Read the pem file in python as shown in the example code.

  • It's a single certificate in the file, not a chain.
  • It should be in pem format. (required?)
  • It should have Time Stamping under extended key usage, with the critical flag.
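
The comment above extracts the certificates by reading asn1parse offsets and typing dd commands by hand, and notes the step could be automated. The following is an added example (not code from the project or from the commenter) that does that automation with only the Python standard library: it walks the DER of a TimeStampResp, locates the `certificates [0]` CertificateSet inside the CMS SignedData, slices out each certificate, and reads each one's extKeyUsage extension to decide which is the id-kp-timeStamping signer and which belong in the -untrusted file. It prints the equivalent `dd skip=/count=` line for each certificate, matching the manual procedure. Since it has to run offline, the TSR it parses is a constructed sample built by a small DER encoder in the same file, with skeleton certificates (zero key, zero signature, arbitrary names) that are assumptions, not real TSA certificates; everything after the "DER walker" comment is what you would run against a real rq.tsr. Note that it only locates and classifies certificates; it does not verify the token's signature, which remains the job of `openssl ts -verify`.

```python
# Minimal DER encoder, used here only to build a constructed sample TSR.
def tlv(tag, body):
    n = len(body)
    nb = (n.bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(s):
    p = [int(x) for x in s.split(".")]
    body = bytes([p[0] * 40 + p[1]])
    for v in p[2:]:
        enc = bytes([v & 0x7F])
        while v > 0x7F:  # base-128 with continuation bit on all but the last byte
            v >>= 7
            enc = bytes([(v & 0x7F) | 0x80]) + enc
        body += enc
    return tlv(0x06, body)

OID_EKU, OID_TIMESTAMPING = "2.5.29.37", "1.3.6.1.5.5.7.3.8"

def fake_cert(cn, eku=None, critical=False):
    """Skeleton X.509 DER (constructed sample: zero key and signature, not a real certificate)."""
    name = seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, cn.encode()))))
    alg = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), tlv(0x03, b"\x00" * 33))
    exts = b""
    if eku:  # extKeyUsage: extnID, optional critical BOOLEAN, extnValue OCTET STRING
        flag = tlv(0x01, b"\xff") if critical else b""
        exts = tlv(0xA3, seq(seq(oid(OID_EKU), flag, tlv(0x04, seq(*[oid(o) for o in eku])))))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, name, name, spki, exts)
    return seq(tbs, alg, tlv(0x03, b"\x00" * 33))

def fake_tsr(certs):
    """TimeStampResp { status=granted, ContentInfo(SignedData) } carrying the given DER certs."""
    encap = seq(oid("1.2.840.113549.1.9.16.1.4"), tlv(0xA0, tlv(0x04, seq(tlv(0x02, b"\x01")))))
    signed = seq(tlv(0x02, b"\x03"), tlv(0x31, b""), encap, tlv(0xA0, b"".join(certs)), tlv(0x31, b""))
    return seq(seq(tlv(0x02, b"\x00")), seq(oid("1.2.840.113549.1.7.2"), tlv(0xA0, signed)))

# Minimal DER walker: this part is what you would run against a real .tsr file.
def children(buf, start, end):
    """Yield (tag, tlv_start, value_start, tlv_end) for each element in buf[start:end]."""
    off = start
    while off < end:
        tag, i, l = buf[off], off + 2, buf[off + 1]
        if l & 0x80:  # long-form length: low bits give the number of length bytes
            n = l & 0x7F
            l, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, off, i, i + l
        off = i + l

def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts, v = parts + [v], 0
    return ".".join(map(str, parts))

def extract_certs(tsr):
    """(offset, DER) of every certificate in the token's CertificateSet (empty if the TSA sent none)."""
    top = next(children(tsr, 0, len(tsr)))                        # TimeStampResp SEQUENCE
    resp = list(children(tsr, top[2], top[3]))                    # status, timeStampToken
    if len(resp) < 2:
        raise ValueError("no timeStampToken in response (status not granted?)")
    content = list(children(tsr, resp[1][2], resp[1][3]))[1]      # ContentInfo.content [0]
    signed = next(children(tsr, content[2], content[3]))           # SignedData SEQUENCE
    for tag, _, vs, e in children(tsr, signed[2], signed[3]):
        if tag == 0xA0:                                           # certificates [0] IMPLICIT
            return [(cs, tsr[cs:ce]) for _, cs, _, ce in children(tsr, vs, e)]
    return []

def eku_of(cert):
    """(list of EKU OIDs, critical flag) for a DER certificate, or (None, False) if absent."""
    outer = next(children(cert, 0, len(cert)))
    tbs = next(children(cert, outer[2], outer[3]))
    for tag, _, vs, e in children(cert, tbs[2], tbs[3]):
        if tag != 0xA3:                                           # [3] EXPLICIT Extensions
            continue
        exts = next(children(cert, vs, e))
        for _, _, es, ee in children(cert, exts[2], exts[3]):
            f = list(children(cert, es, ee))                      # extnID, [critical], extnValue
            if decode_oid(cert[f[0][2]:f[0][3]]) != OID_EKU:
                continue
            critical = len(f) == 3 and cert[f[1][2]] == 0xFF
            usage = next(children(cert, f[-1][2], f[-1][3]))      # ExtKeyUsageSyntax SEQUENCE
            return [decode_oid(cert[a:b]) for _, _, a, b in children(cert, usage[2], usage[3])], critical
    return None, False

def classify(tsr):
    """Per certificate: (offset, length, 'signer' or 'untrusted', extKeyUsage critical flag)."""
    rows = []
    for start, der in extract_certs(tsr):
        oids, critical = eku_of(der)
        rows.append((start, len(der), "signer" if oids and OID_TIMESTAMPING in oids else "untrusted", critical))
    return rows

# Constructed sample in the order a TSA might send the chain: root, intermediate, signer.
SAMPLE_TSR = fake_tsr([fake_cert("Sample Root CA"), fake_cert("Sample TSA Intermediate CA"),
                       fake_cert("Sample TSA Signer", eku=[OID_TIMESTAMPING], critical=True)])

if __name__ == "__main__":
    for start, length, role, critical in classify(SAMPLE_TSR):
        print("dd if=rq.tsr bs=1 skip=%d count=%d   # %s, critical EKU: %s" % (start, length, role, critical))
```

To use it on a real response, replace SAMPLE_TSR with `open("rq.tsr", "rb").read()`; the `skip`/`count` pairs it prints are the same numbers read off asn1parse in the comment, and the cert marked `signer` is the one to convert to PEM, with the rest concatenated into the -untrusted file. A response whose status is not granted carries no token at all, which is why extract_certs raises rather than silently returning nothing.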

@Manouchehri

@brimston3 Does tsget exist in Ubuntu 18.04 anymore? Can't find it anywhere.

4 participants