Document how to create the certificate file?

[petterreinholdtsen]

It would be nice if the README or some other documentation explained what the certificate file should look like, and how to create it? I've tried to figure out which file to use for http://zeitstempel.dfn.de, without any luck so far. The content of https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt was rejected.

[petterreinholdtsen]

If the procedure to get the certificate file can be automated, it would be possible to test all the services listed in README.rst to verify they are currently working.

[brimston3]

I used the following to generate a tsr with a more complete certificate chain. The CertificateSet section of the timestamp info is completely optional, so the TSA doesn't have to provide any certs at all.

openssl ts -query -data dummyfile -cert -out rq.tsq
tsget -h http://sha256timestamp.ws.symantec.com/sha256/timestamp -o rq.tsr rq.tsq

Then I used asn1parse to identify different certificates in the DER-encoded file; per the spec, if certificates appear, they will be in a [0] tagged d=4 block after the tst info (notably, there will be a big octet string object of type id-smime-ct-tstinfo before it). I extracted each byte sequence in that block into its own cert.der file. Skip is from the number before the colon (should be a cons: SEQUENCE at d=5), count is hl+l.

openssl asn1parse -inform der -in rq.tsr
dd if=rq.tsr of=cert1.der bs=1 skip=342 count=1340
dd if=rq.tsr of=cert2.der bs=1 skip=1682 count=1359

There may be more than 2 certs in the container, just extract them all. This can probably be automated with pyasn1, but I don't know how. One of these will have the x509v3 extended usage Time Stamping (id-kp-timeStamping). It will almost always be the last cert. All of the rest go in the -untrusted file (concat intermediate CA pems). Easiest way is check for Time Stamp signing with -purpose.

 for each in *.der; do
     openssl x509 -inform der -in "$each" -purpose -noout | grep -F "Time Stamp signing : Yes" && echo "$each";
 done

Convert the leaf certificate into pem format.

openssl x509 -inform der -in cert2.der -out cert2.pem

Read pem file in python as shown in the example code.

• It's a single certificate in the file, not a chain.
• It should be in pem format. (required?)
• it should have Time Stamping under extended key usage, with the critical flag.

[Manouchehri]

@brimston3 Does tsget exist in Ubuntu 18.04 anymore? Can't find it anywhere.