
I receive an error when I run the OpenSSL verification command on Ubuntu 14.04 with OpenSSL 1.0.1f 6 Jan 2014. The error is 0x2F067065 with the error string `time stamp routines:TS_CHECK_SIGNING_CERTS:ess signing certificate error`.

The timestamping provider suspects it is an OpenSSL bug. OpenSSL is busy with the new release and is not responsive on this matter, which is low priority.

What is this error, how can I fix it? Could someone please help?


This is when the error occurs:

    openssl ts -verify -digest e16db7d30581e44a5540f19553852b5a4e4e26f9adc365cc846f94038ee33025 \
        -in /tmp/namirial.tsr -CAfile /tmp/NamirialCATSA.pem

    Verification: FAILED
    140236013643424:error:2F067065:time stamp routines:TS_CHECK_SIGNING_CERTS:ess signing certificate error:ts_rsp_verify.c:291:

If necessary, I have a complete reproduction scenario I can send privately. The error is systematic and stable.

This is the PHP code where I call the OpenSSL library to perform the validation. Any help on how to find a similar library (since it seems that it is a bug in OpenSSL, thus I need to use another library) and how to call it from PHP on Ubuntu?

    public static function validate($hash, $base64_response_string, $response_time, $tsa_cert_file)
    {
        // Hash length check left disabled, as posted (40 hex chars = SHA-1, 64 = SHA-256)
        //if (strlen($hash) !== 40)
        //if (strlen($hash) !== 64)  // sha256
            //throw new Exception("Invalid Hash");

        $binary_response_string = base64_decode($base64_response_string);

        if (!strlen($binary_response_string))
            throw new Exception("There was no response-string");

        if (!intval($response_time))
            throw new Exception("There is no valid response-time given");

        if (!file_exists($tsa_cert_file))
            throw new Exception("The TSA-Certificate could not be found");

        // Write the DER response to a temp file and let the openssl CLI verify it
        $responsefile = self::createTempFile($binary_response_string);
        $cmd = "openssl ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($responsefile)." -CAfile ".escapeshellarg($tsa_cert_file);

        $retarray = array();
        exec($cmd." 2>&1", $retarray, $retcode);

        // Remove the temp file; empty() avoids a notice when $debugMN is not defined in this scope
        if (unlink($responsefile) && !empty($debugMN)) {
            echo " File Deleted Tempfile in validate";
        }

        /*
         * just 2 "normal" cases:
         *  1) Everything okay -> retcode 0 + retarray[0] == "Verification: OK"
         *  2) Hash is wrong -> retcode 1 + strpos(retarray[somewhere], "message imprint mismatch") !== false
         *
         * every other case (Certificate not found / invalid / openssl is not installed / ts command not known)
         * are being handled the same way -> retcode 1 + any retarray NOT containing "message imprint mismatch"
         */

        // isset() guards against a command that produced no output at all
        if ($retcode === 0 && isset($retarray[0]) && strtolower(trim($retarray[0])) == "verification: ok")
        {
            if (self::getTimestampFromAnswer($binary_response_string) != $response_time)
                throw new Exception("The responsetime of the request was changed");

            return true;
        }
        foreach ($retarray as $retline)
        {
            if (stripos($retline, "message imprint mismatch") !== false)
                return false;
        }
        // Anything else, including the ESS signing certificate error, is not a verified token
        throw new Exception("Systemcommand failed: ".implode(", ", $retarray));
    }

Thank you in advance

MSCA
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Apple Stack Exchange](http://apple.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306). – jww Mar 11 '16 at 00:41
  • *"I have a complete reproduction scenario I can send privately..."* - If you ask the question on the appropriate site, then you should provide the details so the community can reproduce it. Otherwise, it will probably be closed with ***Cannot duplicate*** or similar. If you don't want to provide the details, then you will need to find another forum because that's *not* how sites in the Stack Exchange network work. – jww Mar 11 '16 at 00:46
  • Also see [Possible Bug in OpenSSL - rfc 3161 - TSA service](http://openssl.6102.n7.nabble.com/possible-Bug-in-OpenSSL-rfc-3161-TSA-service-td43128.html) on the OpenSSL mailing list. – jww Mar 11 '16 at 01:24
  • Thanks jww, I'll follow your indication also on how to ask questions here. At this point I would like to know if someone has developed a verification for trusted timestamping that I can call from my PHP code on server side. It should replace my calls to Openssl to do the job. – MSCA Mar 11 '16 at 12:16
  • How can I upload in this post the certificate I mentioned for the community to reproduce the error (NamirialCATSA.pem)? – MSCA Mar 11 '16 at 16:27
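
Added example (not the poster's code): the `validate()` wrapper in the question folds the ESS signing certificate error into a generic "Systemcommand failed" exception. The sketch below splits an OpenSSL 1.0.x error-queue line into its fields and reports that case as its own outcome while still failing closed; the function names and outcome labels are hypothetical, and the bit layout is the 1.0.x error-code packing, so the numeric fields should not be relied on with other releases.

```php
<?php
// Added example: helper names and outcome labels are hypothetical.

// Split one OpenSSL 1.0.x error-queue line into its fields; null if it does not match.
function parseOpensslErrorLine($line)
{
    $re = '/^[0-9A-Fa-f]+:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):/';
    if (!preg_match($re, trim($line), $m)) {
        return null;
    }
    $code = hexdec($m[1]);
    return array(
        'lib'      => ($code >> 24) & 0xFF,   // 1.0.x packing: 8-bit library,
        'func'     => ($code >> 12) & 0xFFF,  // 12-bit function,
        'reason'   => $code & 0xFFF,          // 12-bit reason
        'library'  => $m[2],
        'function' => $m[3],
        'text'     => $m[4],
        'source'   => $m[5] . ':' . $m[6],
    );
}

// Map exit code + output to one outcome. Only 'ok' means the token verified;
// everything unrecognised stays 'error' (fail closed).
function classifyTsVerify($exitCode, array $lines)
{
    if ($exitCode === 0 && isset($lines[0]) && strcasecmp(trim($lines[0]), 'Verification: OK') === 0) {
        return 'ok';
    }
    $outcome = 'error';
    foreach ($lines as $line) {
        $e = parseOpensslErrorLine($line);
        if ($e === null) { continue; }
        // Match the reason text, not file:line, which changes between releases.
        if (stripos($e['text'], 'message imprint mismatch') !== false) {
            return 'imprint_mismatch';
        }
        if (stripos($e['text'], 'ess signing certificate error') !== false) {
            $outcome = 'ess_signing_cert';
        }
    }
    return $outcome;
}

// Output lines copied from the question (the wrapped error line rejoined).
$lines = array(
    'Verification: FAILED',
    '140236013643424:error:2F067065:time stamp routines:TS_CHECK_SIGNING_CERTS:ess signing certificate error:ts_rsp_verify.c:291:',
);
echo classifyTsVerify(1, $lines), "\n";
print_r(parseOpensslErrorLine($lines[1]));
```
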

1 Answer


You did not ask any question so there is nothing to answer here but either way I'll try to shed some light into your darkness :)

Your provider most likely adds some attribute certificate into the TS responses - I'd guess he's using DSE200 with TAC enabled, just like everyone else seeing similar issues - and OpenSSL currently does not support such scenarios. You can take a look at this older thread from the openssl-users mailing list, where this issue was discussed in detail.

jariq
  • The question was in the title, how can I fix it? I read all that old thread but I didn't understand very much of it, I'm not that expert, I ignore if there is a solution for me. Could you please advise? What should I do? Use another technology to verify the TSA response I receive or what? Should I post the certificate so you can have a look? – MSCA Mar 10 '16 at 15:46
  • @MSCA The easiest solution should be to use something else than default OpenSSL application for verification or use some other timestamping provider. – jariq Mar 10 '16 at 16:11
  • Thanks jariq, changing provider is more complex, any suggestion on using something else to perform the verification? Any standard available that you know of? – MSCA Mar 10 '16 at 20:56
  • @MSCA none that I know of but it should be fairly easy (depending on your coding skills) to write one in JAVA or .NET. – jariq Mar 11 '16 at 05:18
  • At this point I would like to know if someone has developed a verification for trusted timestamping that I can call from my PHP code on server side. It should replace my calls to Openssl to do the job. – MSCA Mar 11 '16 at 12:17
  • Unfortunately I couldn't find an alternative. I don't know how to use Bouncy Castle with Java on the server side with Ubuntu. I would like to use PHP to programmatically execute Bouncy Castle for the verification. The verification is where the error occurs because of the bug. As an alternative, your patch here: https://rt.openssl.org/Ticket/Display.html?id=2145&user=guest&pass=guest. I found it in your comments here: https://github.com/openssl/openssl/pull/771. I'm not an expert, could you please explain to me how to apply your patch or the one you consider more appropriate? – MSCA May 20 '16 at 13:53
  • @MSCA [The patch you are linking](https://rt.openssl.org/Ticket/Display.html?id=2145&user=guest&pass=guest) is **not related** to your problem. As I said previously, you should stick to the [older thread](http://openssl.6102.n7.nabble.com/possible-Bug-in-OpenSSL-rfc-3161-TSA-service-tt43128.html#none) from the openssl-users mailing list, where this issue was discussed in detail. – jariq May 21 '16 at 06:32
  • That's bad news, I thought I found the solution with that patch. I don't know what to do now. Jariq, do you know anybody that can help me? The older thread is too much for me, I cannot produce a solution myself out of it. – MSCA May 21 '16 at 12:11