Question

我需要什么： 我在使用notes的Ubuntu计算机上的openssl文件上需要一个可验证的时间戳。

我的问题是什么： 我可以从http://timestamp.globalsign.com/scripts/timstamp.dll获得签名时间戳，但我无法验证它。我跑的时候

openssl ts -verify -data notes -in test.tsr

我得到了两行输出（插入了额外的换行符以便于阅读）

Verification: FAILED

3073500860:error:2F06D064:time stamp routines:
TS_VERIFY_CERT:certificate verify error:ts_rsp_verify.c:246:
Verify error:unable to get local issuer certificate

我认为这意味着我需要一个名为“GlobalSign TSA for Standard - G2”的证书（参见下面的“脚本输出”部分），但我不知道在哪里可以找到它。我grep指定了该字符串的/usr，/etc和/home目录，所以我非常有信心我实际上没有它。我在谷歌上找不到它。 有人知道从哪里获得这个证书，或者我可能做错了什么？而且，为什么这么难？我看到很多人都在谈论在各种堆栈交换中使用这个服务器，但我似乎是唯一一个遇到这个问题的人。

更多信息

我在openssl使用默认的/etc/ssl/openssl.cnf配置文件。

我使用以下短脚本生成时间戳查询test.tsq，然后将其发送到时间戳服务器，接收时间戳回复test.tsr，然后尝试验证它。

#!/bin/bash
#make time stamp query
openssl ts -query -data notes -sha256 -cert -out test.tsq

#write query to stdout in text format
openssl ts -query -in test.tsq -text

echo ""

#use tsget to get the request, since I don't know how to do it with curl
tsget -h http://timestamp.globalsign.com/scripts/timstamp.dll test.tsq

#write the reply to stdout in text form
openssl ts -reply -in test.tsr -text

echo ""

#verify the timestamp
openssl ts -verify -data notes -in test.tsr

perl脚本tsget附带了我认为的openssl软件包，我在/usr/lib/ssl/misc/tsget找到了它，但我会将其包含在此处进行故障排除：

#!/usr/bin/perl -w
# Written by Zoltan Glozik <zglozik@stones.com>.
# Copyright (c) 2002 The OpenTSA Project.  All rights reserved.
$::version = '$Id: tsget,v 1.3 2009/09/07 17:57:18 steve Exp $';

use strict;
use IO::Handle;
use Getopt::Std;
use File::Basename;
use WWW::Curl::Easy;

use vars qw(%options);

# Callback for reading the body.
sub read_body {
    my ($maxlength, $state) = @_;
    my $return_data = "";
    my $data_len = length ${$state->{data}};
    if ($state->{bytes} < $data_len) {
    $data_len = $data_len - $state->{bytes};
    $data_len = $maxlength if $data_len > $maxlength;
    $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len;
    $state->{bytes} += $data_len;
    }
    return $return_data;
}

# Callback for writing the body into a variable.
sub write_body {
    my ($data, $pointer) = @_;
    ${$pointer} .= $data;
    return length($data);
}

# Initialise a new Curl object.
sub create_curl {
    my $url = shift;

    # Create Curl object.
    my $curl = WWW::Curl::Easy::new();

    # Error-handling related options.
    $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
    $curl->setopt(CURLOPT_FAILONERROR, 1);
    $curl->setopt(CURLOPT_USERAGENT, "OpenTSA tsget.pl/" . (split / /, $::version)[2]);

    # Options for POST method.
    $curl->setopt(CURLOPT_UPLOAD, 1);
    $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST");
    $curl->setopt(CURLOPT_HTTPHEADER,
        ["Content-Type: application/timestamp-query",
        "Accept: application/timestamp-reply,application/timestamp-response"]);
    $curl->setopt(CURLOPT_READFUNCTION, \&read_body);
    $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); });

    # Options for getting the result.
    $curl->setopt(CURLOPT_WRITEFUNCTION, \&write_body);

    # SSL related options.
    $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM");
    $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1);   # Verify server's certificate.
    $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2);   # Check server's CN.
    $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k});
    $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p});
    $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c});
    $curl->setopt(CURLOPT_CAINFO, $options{C}) if defined($options{C});
    $curl->setopt(CURLOPT_CAPATH, $options{P}) if defined($options{P});
    $curl->setopt(CURLOPT_RANDOM_FILE, $options{r}) if defined($options{r});
    $curl->setopt(CURLOPT_EGDSOCKET, $options{g}) if defined($options{g});

    # Setting destination.
    $curl->setopt(CURLOPT_URL, $url);

    return $curl;
}

# Send a request and returns the body back.
sub get_timestamp {
    my $curl = shift;
    my $body = shift;
    my $ts_body;
    local $::error_buf;

    # Error-handling related options.
    $curl->setopt(CURLOPT_ERRORBUFFER, "::error_buf");

    # Options for POST method.
    $curl->setopt(CURLOPT_INFILE, {data => $body, bytes => 0});
    $curl->setopt(CURLOPT_INFILESIZE, length(${$body}));

    # Options for getting the result.
    $curl->setopt(CURLOPT_FILE, \$ts_body);

    # Send the request...
    my $error_code = $curl->perform();
    my $error_string;
    if ($error_code != 0) {
        my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE);
    $error_string = "could not get timestamp";
    $error_string .= ", http code: $http_code" unless $http_code == 0;
    $error_string .= ", curl code: $error_code";
    $error_string .= " ($::error_buf)" if defined($::error_buf);
    } else {
        my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE);
    if (lc($ct) ne "application/timestamp-reply"
        && lc($ct) ne "application/timestamp-response") {
        $error_string = "unexpected content type returned: $ct";
        }
    }
    return ($ts_body, $error_string);

}

# Print usage information and exists.
sub usage {

    print STDERR "usage: $0 -h <server_url> [-e <extension>] [-o <output>] ";
    print STDERR "[-v] [-d] [-k <private_key.pem>] [-p <key_password>] ";
    print STDERR "[-c <client_cert.pem>] [-C <CA_certs.pem>] [-P <CA_path>] ";
    print STDERR "[-r <file:file...>] [-g <EGD_socket>] [<request>]...\n";
    exit 1;
}

# ----------------------------------------------------------------------
#   Main program
# ----------------------------------------------------------------------

# Getting command-line options (default comes from TSGET environment variable).
my $getopt_arg =  "h:e:o:vdk:p:c:C:P:r:g:";
if (exists $ENV{TSGET}) {
    my @old_argv = @ARGV;
    @ARGV = split /\s+/, $ENV{TSGET};
    getopts($getopt_arg, \%options) or usage;
    @ARGV = @old_argv;
}
getopts($getopt_arg, \%options) or usage;

# Checking argument consistency.
if (!exists($options{h}) || (@ARGV == 0 && !exists($options{o}))
    || (@ARGV > 1 && exists($options{o}))) {
    print STDERR "Inconsistent command line options.\n";
    usage;
}
# Setting defaults.
@ARGV = ("-") unless @ARGV != 0;
$options{e} = ".tsr" unless defined($options{e});

# Processing requests.
my $curl = create_curl $options{h};
undef $/;   # For reading whole files.
REQUEST: foreach (@ARGV) {
    my $input = $_;
    my ($base, $path) = fileparse($input, '\.[^.]*');
    my $output_base = $base . $options{e};
    my $output = defined($options{o}) ? $options{o} : $path . $output_base;

    STDERR->printflush("$input: ") if $options{v};
    # Read request.
    my $body;
    if ($input eq "-") {
    # Read the request from STDIN;
    $body = <STDIN>;
    } else {
    # Read the request from file.
        open INPUT, "<" . $input
        or warn("$input: could not open input file: $!\n"), next REQUEST;
        $body = <INPUT>;
        close INPUT
        or warn("$input: could not close input file: $!\n"), next REQUEST;
    }

    # Send request.
    STDERR->printflush("sending request") if $options{v};

    my ($ts_body, $error) = get_timestamp $curl, \$body;
    if (defined($error)) {
    die "$input: fatal error: $error\n";
    }
    STDERR->printflush(", reply received") if $options{v};

    # Write response.
    if ($output eq "-") {
    # Write to STDOUT.
        print $ts_body;
    } else {
    # Write to file.
        open OUTPUT, ">", $output
        or warn("$output: could not open output file: $!\n"), next REQUEST;
        print OUTPUT $ts_body;
        close OUTPUT
        or warn("$output: could not close output file: $!\n"), next REQUEST;
    }
    STDERR->printflush(", $output written.\n") if $options{v};
}
$curl->cleanup();
WWW::Curl::Easy::global_cleanup();

脚本输出

Version: 1
Hash Algorithm: sha256
Message data:
    0000 - a8 31 60 9c a3 fe 14 74-05 f1 be 78 89 5c a6 a5   .1`....t...x.\..
    0010 - d3 b7 4a 7d 18 b9 d0 f9-39 fc a8 d6 e2 be 2e 27   ..J}....9......'
Policy OID: unspecified
Nonce: 0x533AC264C90C4EEE
Certificate required: yes
Extensions:

Undefined subroutine &WWW::Curl::Easy::global_cleanup called at /usr/local/bin/tsget line 196.
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 1.3.6.1.4.1.4146.2.2
Hash Algorithm: sha256
Message data:
    0000 - a8 31 60 9c a3 fe 14 74-05 f1 be 78 89 5c a6 a5   .1`....t...x.\..
    0010 - d3 b7 4a 7d 18 b9 d0 f9-39 fc a8 d6 e2 be 2e 27   ..J}....9......'
Serial number: 0x3A668E2441A3707CB495191DC3EF2D717C49DD30
Time stamp: Sep 25 16:55:34 2015 GMT
Accuracy: unspecified
Ordering: no
Nonce: 0x533AC264C90C4EEE
TSA: DirName:/C=SG/O=GMO GlobalSign Pte Ltd/CN=GlobalSign TSA for Standard - G2
Extensions:

Verification: FAILED
3073967804:error:2F06D064:time stamp routines:TS_VERIFY_CERT:certificate verify error:ts_rsp_verify.c:246:Verify error:unable to get local issuer certificate

Answer 1

好的，我确实找到了答案：http://tsa.safecreative.org/

经过大量谷歌搜索后，我开始得到的印象是，虽然像this one和this one以及this one，特别是this one这样的帖子看起来像是GlobalSign和Verisign和朋友各自运行一个免费的时间戳服务器，我现在的印象是他们并没有真正自由。我认为这是一个免费的＆＃34;加上＆＃34;也许是他们销售的其他产品。任何人都可以从他们的服务器获取时间戳，但是我无法在没有证书的情况下验证该时间戳，这些证书似乎不是免费提供的。如果有人不知道，他们可以自由纠正我。

另一方面，http://tsa.safecreative.org/实际上是免费网站（或者每个IP地址每天最多5张邮票），任何人都可以下载他们的证书来验证时间戳。这正是我所寻找的。

Answer 2

这是您需要验证TSR的“ GlobalSign根CA”（found here和here在官方网站上为“ R1 GlobalSign根证书”）：

将其保存到root.pem

此外，您还需要提取用于签名时间戳响应的所有中间证书链。

首先，使用-cert选项发出请求（以包括证书链）：

#make time stamp query
openssl ts -query -data notes -sha256 -cert -out test.tsq

要获取TSR，请向TSA询问：

curl -H 'Content-Type: application/timestamp-query' --data-binary '@test.tsq' http://timestamp.globalsign.com/scripts/timstamp.dll > test.tsr

然后使用：

提取证书

openssl ts -reply -in test.tsr -token_out | openssl pkcs7 -inform der -print_certs | sed -n '/-----BEGIN/,/-----END/p' > chain.pem

然后，您可以使用：

验证时间戳记响应

#verify the timestamp
openssl ts -verify -data notes -in test.tsr -CAfile root.pem -untrusted chain.pem

Answer 3

在Windows中获取时间戳，然后从带时间戳的可执行文件中导出证书链，您就拥有了链。

时间戳验证，缺少证书

3 个答案: