Openssl 时间戳验证，缺少证书

我需要什么： 我需要一个名为

notes

的文件上的可验证时间戳，该文件位于我的Ubuntu计算机上，使用

openssl

我的问题是： 我可以从中获得签名的时间戳，但我无法验证它。当我跑的时候

openssl ts -verify -data notes -in test.tsr

我得到两行输出（为了可读性插入额外的换行符）

我想这意味着我需要一个名为“GlobalSignTSA for Standard-G2”的证书（请参阅下面的“脚本输出”部分），但我不知道在哪里可以找到它。我

grep

'd我的

/usr

，

/etc

，和

/home

目录中的字符串，所以我很有信心我实际上没有它。我在谷歌上找不到它有人知道从哪里获得此证书，或者我可能做错了什么吗？还有，为什么这么难？我看到很多人都在谈论在各种堆栈交换上使用这个服务器，但我似乎是唯一一个有这个问题的人

---

更多信息

我使用的是

/etc/ssl/openssl.cnf

上的默认

openssl

配置文件

我使用以下短脚本生成一个时间戳查询

test.tsq

，然后将其发送到时间戳服务器，接收一个时间戳回复

test.tsr

，然后尝试验证它

#!/bin/bash
#make time stamp query
openssl ts -query -data notes -sha256 -cert -out test.tsq

#write query to stdout in text format
openssl ts -query -in test.tsq -text

echo ""

#use tsget to get the request, since I don't know how to do it with curl
tsget -h http://timestamp.globalsign.com/scripts/timstamp.dll test.tsq

#write the reply to stdout in text form
openssl ts -reply -in test.tsr -text

echo ""

#verify the timestamp
openssl ts -verify -data notes -in test.tsr

我想，

perl

脚本

tsget

附带了

openssl

包，我在

/usr/lib/ssl/misc/tsget

中找到了它，但我将在这里包含它以进行故障排除：

#!/usr/bin/perl -w
# Written by Zoltan Glozik <zglozik@stones.com>.
# Copyright (c) 2002 The OpenTSA Project.  All rights reserved.
$::version = '$Id: tsget,v 1.3 2009/09/07 17:57:18 steve Exp $';

use strict;
use IO::Handle;
use Getopt::Std;
use File::Basename;
use WWW::Curl::Easy;

use vars qw(%options);

# Callback for reading the body.
sub read_body {
    my ($maxlength, $state) = @_;
    my $return_data = "";
    my $data_len = length ${$state->{data}};
    if ($state->{bytes} < $data_len) {
    $data_len = $data_len - $state->{bytes};
    $data_len = $maxlength if $data_len > $maxlength;
    $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len;
    $state->{bytes} += $data_len;
    }
    return $return_data;
}

# Callback for writing the body into a variable.
sub write_body {
    my ($data, $pointer) = @_;
    ${$pointer} .= $data;
    return length($data);
}

# Initialise a new Curl object.
sub create_curl {
    my $url = shift;

    # Create Curl object.
    my $curl = WWW::Curl::Easy::new();

    # Error-handling related options.
    $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d};
    $curl->setopt(CURLOPT_FAILONERROR, 1);
    $curl->setopt(CURLOPT_USERAGENT, "OpenTSA tsget.pl/" . (split / /, $::version)[2]);

    # Options for POST method.
    $curl->setopt(CURLOPT_UPLOAD, 1);
    $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST");
    $curl->setopt(CURLOPT_HTTPHEADER,
        ["Content-Type: application/timestamp-query",
        "Accept: application/timestamp-reply,application/timestamp-response"]);
    $curl->setopt(CURLOPT_READFUNCTION, \&read_body);
    $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); });

    # Options for getting the result.
    $curl->setopt(CURLOPT_WRITEFUNCTION, \&write_body);

    # SSL related options.
    $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM");
    $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1);   # Verify server's certificate.
    $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2);   # Check server's CN.
    $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k});
    $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p});
    $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c});
    $curl->setopt(CURLOPT_CAINFO, $options{C}) if defined($options{C});
    $curl->setopt(CURLOPT_CAPATH, $options{P}) if defined($options{P});
    $curl->setopt(CURLOPT_RANDOM_FILE, $options{r}) if defined($options{r});
    $curl->setopt(CURLOPT_EGDSOCKET, $options{g}) if defined($options{g});

    # Setting destination.
    $curl->setopt(CURLOPT_URL, $url);

    return $curl;
}

# Send a request and returns the body back.
sub get_timestamp {
    my $curl = shift;
    my $body = shift;
    my $ts_body;
    local $::error_buf;

    # Error-handling related options.
    $curl->setopt(CURLOPT_ERRORBUFFER, "::error_buf");

    # Options for POST method.
    $curl->setopt(CURLOPT_INFILE, {data => $body, bytes => 0});
    $curl->setopt(CURLOPT_INFILESIZE, length(${$body}));

    # Options for getting the result.
    $curl->setopt(CURLOPT_FILE, \$ts_body);

    # Send the request...
    my $error_code = $curl->perform();
    my $error_string;
    if ($error_code != 0) {
        my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE);
    $error_string = "could not get timestamp";
    $error_string .= ", http code: $http_code" unless $http_code == 0;
    $error_string .= ", curl code: $error_code";
    $error_string .= " ($::error_buf)" if defined($::error_buf);
    } else {
        my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE);
    if (lc($ct) ne "application/timestamp-reply"
        && lc($ct) ne "application/timestamp-response") {
        $error_string = "unexpected content type returned: $ct";
        }
    }
    return ($ts_body, $error_string);

}

# Print usage information and exists.
sub usage {

    print STDERR "usage: $0 -h <server_url> [-e <extension>] [-o <output>] ";
    print STDERR "[-v] [-d] [-k <private_key.pem>] [-p <key_password>] ";
    print STDERR "[-c <client_cert.pem>] [-C <CA_certs.pem>] [-P <CA_path>] ";
    print STDERR "[-r <file:file...>] [-g <EGD_socket>] [<request>]...\n";
    exit 1;
}

# ----------------------------------------------------------------------
#   Main program
# ----------------------------------------------------------------------

# Getting command-line options (default comes from TSGET environment variable).
my $getopt_arg =  "h:e:o:vdk:p:c:C:P:r:g:";
if (exists $ENV{TSGET}) {
    my @old_argv = @ARGV;
    @ARGV = split /\s+/, $ENV{TSGET};
    getopts($getopt_arg, \%options) or usage;
    @ARGV = @old_argv;
}
getopts($getopt_arg, \%options) or usage;

# Checking argument consistency.
if (!exists($options{h}) || (@ARGV == 0 && !exists($options{o}))
    || (@ARGV > 1 && exists($options{o}))) {
    print STDERR "Inconsistent command line options.\n";
    usage;
}
# Setting defaults.
@ARGV = ("-") unless @ARGV != 0;
$options{e} = ".tsr" unless defined($options{e});

# Processing requests.
my $curl = create_curl $options{h};
undef $/;   # For reading whole files.
REQUEST: foreach (@ARGV) {
    my $input = $_;
    my ($base, $path) = fileparse($input, '\.[^.]*');
    my $output_base = $base . $options{e};
    my $output = defined($options{o}) ? $options{o} : $path . $output_base;

    STDERR->printflush("$input: ") if $options{v};
    # Read request.
    my $body;
    if ($input eq "-") {
    # Read the request from STDIN;
    $body = <STDIN>;
    } else {
    # Read the request from file.
        open INPUT, "<" . $input
        or warn("$input: could not open input file: $!\n"), next REQUEST;
        $body = <INPUT>;
        close INPUT
        or warn("$input: could not close input file: $!\n"), next REQUEST;
    }

    # Send request.
    STDERR->printflush("sending request") if $options{v};

    my ($ts_body, $error) = get_timestamp $curl, \$body;
    if (defined($error)) {
    die "$input: fatal error: $error\n";
    }
    STDERR->printflush(", reply received") if $options{v};

    # Write response.
    if ($output eq "-") {
    # Write to STDOUT.
        print $ts_body;
    } else {
    # Write to file.
        open OUTPUT, ">", $output
        or warn("$output: could not open output file: $!\n"), next REQUEST;
        print OUTPUT $ts_body;
        close OUTPUT
        or warn("$output: could not close output file: $!\n"), next REQUEST;
    }
    STDERR->printflush(", $output written.\n") if $options{v};
}
$curl->cleanup();
WWW::Curl::Easy::global_cleanup();

---

好吧，我确实找到了答案：

在谷歌搜索了很多次之后，我开始觉得，尽管像这样的帖子，特别是让它看起来像GlobalSign、Verisign和friends都运行一个免费的时间戳服务器，但我现在的印象是它们并不是真正免费的。我认为这可能是他们销售的其他一些产品的免费“附加”。任何人都可以从他们的服务器上获取时间戳，但是没有他们的证书，我无法验证时间戳，因为证书似乎不是免费提供的。如果有人不知道，他们可以纠正我

---

另一方面，它实际上是一个免费的网站（或者，每个IP地址每天最多免费5张邮票），任何人都可以下载他们的证书来验证时间戳。这正是我想要的。

在Windows中获取时间戳，然后从时间戳可执行文件导出证书链，您就拥有了该链。

这是“GlobalSign根CA”（在官方网站上称为“R1 GlobalSign根证书”），您需要验证TSR：

-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----

将其保存到

root.pem

此外，还需要提取用于对时间戳响应进行签名的所有中间证书链

首先，使用

-cert

选项发出请求（包括证书链）：

要获得TSR，请向TSA询问：

curl -H 'Content-Type: application/timestamp-query' --data-binary '@test.tsq' http://timestamp.globalsign.com/scripts/timstamp.dll > test.tsr

然后使用以下内容提取证书：

openssl ts -reply -in test.tsr -token_out | openssl pkcs7 -inform der -print_certs | sed -n '/-----BEGIN/,/-----END/p' > chain.pem

然后，您可以通过以下方式验证时间戳响应：

#verify the timestamp
openssl ts -verify -data notes -in test.tsr -CAfile root.pem -untrusted chain.pem

“…我现在的印象是，他们并不是真正免费的。我认为这是他们销售的一些其他产品的免费“附加”…-是的，你一定喜欢公司玩的游戏…也可以在社区公告板上看到。”。

curl -H 'Content-Type: application/timestamp-query' --data-binary '@test.tsq' http://timestamp.globalsign.com/scripts/timstamp.dll > test.tsr

openssl ts -reply -in test.tsr -token_out | openssl pkcs7 -inform der -print_certs | sed -n '/-----BEGIN/,/-----END/p' > chain.pem

#verify the timestamp
openssl ts -verify -data notes -in test.tsr -CAfile root.pem -untrusted chain.pem