All posts by hablutzel1

Perform a GET OCSP request in (almost) one line

First, define the following shell function, which percent-encodes its argument:

$ urlencode ()
> {
>     python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=''))" "$1"
> }

Then the OCSP request can be performed like this:

$ curl$(urlencode `openssl ocsp -issuer issuer.pem -cert end_entity.pem -reqout - | base64 -w 0`) | openssl ocsp -respin - -text -CAfile rootca.pem
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 98D1F86E10EBCF9BEC609F18901BA0EB7D09FD2B
    Produced At: Nov 11 14:16:01 2019 GMT
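
The same URL construction as a reusable function, following RFC 6960 Appendix A.1 (GET {url}/{url-encoding of the base64 encoding of the DER OCSPRequest}). This is an added example, not code from the original post; the function names, the `req.der` file name and the usage shown in comments are assumptions.

```shell
#!/bin/sh
# Added example: build the OCSP GET URL for a DER-encoded OCSPRequest.
# Typical use (file names are placeholders):
#   openssl ocsp -no_nonce -issuer issuer.pem -cert end_entity.pem -reqout req.der
#   curl -s "$(ocsp_get_url "$(openssl x509 -in end_entity.pem -noout -ocsp_uri)" req.der)" \
#     | openssl ocsp -respin - -text -CAfile rootca.pem
# -no_nonce keeps the request small and lets responders/caches serve a cached answer.

# base64 output contains only A-Z a-z 0-9 + / =, so only those three
# non-alphanumeric characters have to be percent-encoded for the URL path.
b64_urlencode() {
    base64 | tr -d '\n' | sed -e 's/+/%2B/g' -e 's|/|%2F|g' -e 's/=/%3D/g'
}

# ocsp_get_url RESPONDER_URL REQUEST_DER
# Prints the GET URL on stdout.
# Returns 1 if the request file is missing or empty, and 2 if the URL is
# longer than 255 bytes, the limit RFC 5019 section 5 sets for GET (use POST).
ocsp_get_url() {
    responder=${1%/}    # drop one trailing slash so the result has no "//"
    if [ ! -s "$2" ]; then
        echo "empty or missing OCSP request: $2" >&2
        return 1
    fi
    url="$responder/$(b64_urlencode < "$2")"
    if [ "${#url}" -gt 255 ]; then
        echo "URL is ${#url} bytes (> 255): send this request with POST" >&2
        return 2
    fi
    printf '%s\n' "$url"
}
```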

Load PKCS #11 key using PuTTY-CAC Pageant from command line

This post assumes that you already installed PuTTY-CAC from and you understand how to use PuTTY-CAC to load PKCS #11 certificates from the GUI:

But, given that I’ve been unable to find the documentation to perform this operation from the CLI, I’ve checked the PuTTY-CAC source code and found that the correct command is the following one:

>pageant.exe PKCS:716B8B58D8F2C3A7F98F3F645161B1BF9818B689=C:/Windows/SysWOW64/opensc-pkcs11.dll


  • 716B8B58D8F2C3A7F98F3F645161B1BF9818B689 is the SHA-1 hash of the certificate itself in DER (binary) format.
  • C:/Windows/SysWOW64/opensc-pkcs11.dll is the PKCS #11 module path.

Add RFC 3161 timestamp to existing PKCS #7/CMS signature in PHP

I have created a simple (and possibly buggy) library that would allow you to add an RFC 3161 timestamp to an existing PKCS #7 or CMS signature.

Note that it has been tested only on Ubuntu 16.04 and it depends on the curl package installed with apt-get.

With this library, adding the timestamp only requires something like:

$updatedCms = CmsTimestamper::addTimestampToCms($originalCmsAsPem, "");

The library and a demonstration class can be found in

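Finally, to verify the generated timestamp, save the updated CMS and run the following commands. The offsets and lengths shown (1164, 256, 1445, 1931) are specific to this particular CMS and must be adjusted for other files: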

# Extract CMS signature value. See RFC 3161, "APPENDIX A".
$ openssl asn1parse -noout -in cms_updated_with_ts.pem -out cms_updated_with_ts.der && dd bs=1 skip=1164 count=256 if=cms_updated_with_ts.der > cms_signature.bin
# Extract TimeStampToken from CMS.
$ openssl asn1parse -noout -in cms_updated_with_ts.pem -offset 1445 -length 1931 -out tst.der
# Verify TimeStampToken against CMS signature value.
$ openssl ts -verify -data cms_signature.bin -in tst.der -token_in -CAfile Starfield_Class_2_Certification_Authority.crt
# Display timestamp details.
$ openssl ts -reply -token_in -in tst.der -text