How to verify an RFC3161 timestamp token that uses RSASSA-PSS


My timestamp provider recently changed from using rsaEncryption to sign the timestamp token to rsassaPss (see the diff of the asn1parse here).

Before the change I used the following command in OpenSSL (v1.1.1a) to verify the timestamp token:

$ openssl ts -verify -partial_chain -in token-rsaencryption.der -token_in \
> -digest bcbfcee484a9b243bafad6b8a43e0ddc1bf091837463e7c717495395eefbc2a6 \
> -CAfile cert.pem -untrusted cert.pem
Verification: OK
Using configuration from C:/Program Files/Git/mingw64/ssl/openssl.cnf

However the command doesn't work anymore.

$ openssl ts -verify -partial_chain -in token-rsassapss.der -token_in \
> -digest 00017f0b41ce9649602a0218cd02ed0b0a3d93130329451cc782b7dfda79ce71 \
> -CAfile cert.pem -untrusted cert.pem
Verification: FAILED
Using configuration from C:/Program Files/Git/mingw64/ssl/openssl.cnf 
14548:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:../openssl-1.1.1a/crypto/rsa/rsa_pk1.c:67:
14548:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:../openssl-1.1.1a/crypto/rsa/rsa_ossl.c:582:
14548:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:../openssl-1.1.1a/crypto/pkcs7/pk7_doit.c:1037:
14548:error:2F06A06D:time stamp routines:TS_RESP_verify_signature:signature failure:../openssl-1.1.1a/crypto/ts/ts_rsp_verify.c:143:

Probably this is because RSASSA-PSS is not supported in timestamp verification using OpenSSL yet.

Are there any other options to validate an RFC3161 token with rsassaPss?

If you want to see the files, both timestamp tokens (rsaEncryption and rsassaPss) and the signing certificate are in this zip.

There are 1 answers

kzi On

It's been a while, but the issue persists.

The crux is that RSASSA-PSS has been implemented for CMS_* API functions, but not for PKCS7_*. You can see this on the command line, too. As a timestamp token is basically a PKCS#7/CMS SignedData of a TSTInfo, you can verify the signature solely:

$> openssl smime -verify -noverify -inform der -content foo -in foo.tst -out foo.tst.smime_verify
Verification failure
16432:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:.\crypto\pkcs7\pk7_doit.c:1114:
16432:error:21075069:PKCS7 routines:PKCS7_verify:signature failure:.\crypto\pkcs7\pk7_smime.c:400:

$> openssl cms -verify -inform der -in foo.tst -noverify -out foo.tst.cms_verify
Verification successful

And timestamp verification eventually comes down to a PKCS7_signatureVerify(...)...

You asked about OpenSSL CLI, which there's no solution for to my knowledge. As we use the API anyway (and even 1.0.2u still!^^), here's what I came up with:

I copied static int int_TS_RESP_verify_token(...) over from ts/ts_rsp_verify.c. You'll notice there are 8 different checks altogether to verify the timestamp token, signature verification being the first. The call to TS_RESP_verify_signature(...) therein basically comes down to a PKCS7_signatureVerify(...). I then replaced TS_RESP_verify_signature(...) with CMS_verify(...) (some preparations required) and thus obtained an RSASSA-PSS enabled timestamp token verification.
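
An added example, not part of the answer above and not OpenSSL code: `openssl cms -verify -noverify` checks only the signature and writes the signed TSTInfo to the `-out` file, so the `-digest` comparison that `openssl ts -verify` performed still has to be made. The Python below makes that comparison on the extracted TSTInfo, assuming a SHA-256 message imprint; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac

SHA256_OID = bytes.fromhex("608648016503040201")  # 2.16.840.1.101.3.4.2.1

def _tlv(buf, pos, end):
    """Parse one DER element; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError("DER element overruns its container")
    return tag, pos, pos + length

def _children(buf, start, end):
    """List the (tag, value_start, value_end) elements inside a constructed value."""
    out = []
    while start < end:
        tag, vs, ve = _tlv(buf, start, end)
        out.append((tag, vs, ve))
        start = ve
    return out

def tstinfo_imprint(tstinfo):
    """Return (hash OID bytes, hashedMessage) from a DER-encoded TSTInfo."""
    tag, s, e = _tlv(tstinfo, 0, len(tstinfo))
    fields = _children(tstinfo, s, e)
    # RFC 3161: TSTInfo begins with version INTEGER, policy OID, messageImprint SEQUENCE
    if tag != 0x30 or [f[0] for f in fields[:3]] != [0x02, 0x06, 0x30]:
        raise ValueError("not a TSTInfo")
    alg, msg = _children(tstinfo, fields[2][1], fields[2][2])
    oid = _children(tstinfo, alg[1], alg[2])[:1]
    if alg[0] != 0x30 or msg[0] != 0x04 or not oid or oid[0][0] != 0x06:
        raise ValueError("malformed messageImprint")
    return tstinfo[oid[0][1]:oid[0][2]], tstinfo[msg[1]:msg[2]]

def imprint_matches(tstinfo, expected_hex):
    """True only if the imprint is SHA-256 and equals the expected digest."""
    oid, digest = tstinfo_imprint(tstinfo)
    return oid == SHA256_OID and hmac.compare_digest(digest, bytes.fromhex(expected_hex))

# Constructed sample TSTInfo (version 1, policy 1.2.3.4, serial 1), not a real token.
SAMPLE_DIGEST = hashlib.sha256(b"constructed sample data").digest()
SAMPLE_TSTINFO = (bytes.fromhex("304f02010106032a03043031300d06096086480165030402010500" "0420")
                  + SAMPLE_DIGEST + bytes.fromhex("020101180f") + b"20200101000000Z")
```

With a real token, the input would be the bytes of the file written by `openssl cms -verify ... -out`, and `expected_hex` the value previously passed to `-digest`.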