All posts by hablutzel1

Load PKCS #11 key using PuTTY-CAC Pageant from command line

This post assumes that you already installed PuTTY-CAC from and you understand how to use PuTTY-CAC to load PKCS #11 certificates from the GUI:

But, given that I’ve been unable to find the documentation to perform this operation from the CLI I’ve checked the PuTTY-CAC source code and found that the correct command is the following one:

>pageant.exe PKCS:716B8B58D8F2C3A7F98F3F645161B1BF9818B689=C:/Windows/SysWOW64/opensc-pkcs11.dll


  • 716B8B58D8F2C3A7F98F3F645161B1BF9818B689 is the SHA-1 for the certificate itself in DER (binary) format.
  • C:/Windows/SysWOW64/opensc-pkcs11.dll is the PKCS #11 module path.

Add RFC 3161 timestamp to existing PKCS #7/CMS signature in PHP

I have created a simple (and possibly buggy) library that would allow you to add an RFC 3161 timestamp to an existing PKCS #7 or CMS signature.

Note that it has been tested only on Ubuntu 16.04 and it depends on curl package installed with apt-get.

So with this library, for adding the timestamp you only need to do something like:

$updatedCms = CmsTimestamper::addTimestampToCms($originalCmsAsPem, "");

The library and a demonstration class can be found in

Finally, to verify the generated timestamp you could save the updated CMS and verify it with the following set of commands:

# Extract CMS signature value. See RFC 3161, "APPENDIX A".
$ openssl asn1parse -noout -in cms_updated_with_ts.pem -out cms_updated_with_ts.der && dd bs=1 skip=1164 count=256 if=cms_updated_with_ts.der > cms_signature.bin
# Extract TimeStampToken from CMS.
$ openssl asn1parse -noout -in cms_updated_with_ts.pem -offset 1445 -length 1931 -out tst.der
# Verify TimeStampToken against CMS signature value.
$ openssl ts -verify -data cms_signature.bin -in tst.der -token_in -CAfile Starfield_Class_2_Certification_Authority.crt
# Display timestamp details.
$ openssl ts -reply -token_in -in tst.der -text


Signing and verifying XML with xmlsec1

Let’s say we have a certification path like the following:

  • Root CA
    • Intermediate CA 1
      • Intermediate CA 2
        • End entity signer

And we want to sign sample.xml:

<?xml version="1.0" encoding="UTF-8"?>
    <data>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</data>

You will need to modify sample.xml adding to it the highlighted signature template:

<?xml version="1.0" encoding="UTF-8"?>
    <data>Lorem ipsum dolor sit amet, consectetur adipiscing elit.</data>
    <Signature xmlns="">
            <CanonicalizationMethod Algorithm=""/>
            <SignatureMethod Algorithm=""/>
                    <Transform Algorithm=""/>
                    <Transform Algorithm=""/>
                <DigestMethod Algorithm=""/>

Then you can sign it using the following command:

$ xmlsec1 --sign --privkey-pem end_entity_privkey.pem,end_entity_cert.pem --output sample-signed.xml sample.xml

And verify the signature with the following command:

$ xmlsec1 --verify --trusted-pem root_ca.pem --untrusted-pem intermediate_ca_1.pem --untrusted-pem intermediate_ca_2.pem sample-signed.xml
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

From the previous command note that you have to add only one --trusted-pem for the root CA and one --untrusted-pem for each intermediate CA.

It is very important to realize that xmlsec1 is expecting only one certificate in each PEM file, irrespective of the common practice to group several certificates in one PEM file and because of this --untrusted-pem is repeated for every intermediate CA.

Another useful post on this topic can be found on

Note: xmlsec1 in Windows

From some time already xmlsec1 can be easily installed on Windows as a regular Cygwin package: