First, define the following shell function:
$ urlencode() {
>   python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1], safe=''))" "$1"
> }
Then the OCSP request can be performed like this:
$ curl http://ocsp.example.org/$(urlencode `openssl ocsp -issuer issuer.pem -cert end_entity.pem -reqout - | base64 -w 0`) | openssl ocsp -respin - -text -CAfile rootca.pem
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 98D1F86E10EBCF9BEC609F18901BA0EB7D09FD2B
Produced At: Nov 11 14:16:01 2019 GMT
This post assumes that you have already installed PuTTY-CAC from https://github.com/NoMoreFood/putty-cac and that you understand how to use PuTTY-CAC to load PKCS #11 certificates from the GUI.
But, given that I’ve been unable to find the documentation to perform this operation from the CLI, I’ve checked the PuTTY-CAC source code and found that the correct command is the following one:
716B8B58D8F2C3A7F98F3F645161B1BF9818B689 is the SHA-1 hash of the certificate itself in DER (binary) format.
C:/Windows/SysWOW64/opensc-pkcs11.dll is the PKCS #11 module path.
I have created a simple (and possibly buggy) library that would allow you to add an RFC 3161 timestamp to an existing PKCS #7 or CMS signature.
Note that it has been tested only on Ubuntu 16.04 and it depends on
curl package installed with
So with this library, for adding the timestamp you only need to do something like:
$updatedCms = CmsTimestamper::addTimestampToCms($originalCmsAsPem, "http://tsa.starfieldtech.com");
The library and a demonstration class can be found at https://github.com/hablutzel1/phpcmstimestamper.
Finally, to verify the generated timestamp you could save the updated CMS and verify it with the following set of commands:
# Extract CMS signature value. See RFC 3161, "APPENDIX A".
$ openssl asn1parse -noout -in cms_updated_with_ts.pem -out cms_updated_with_ts.der && dd bs=1 skip=1164 count=256 if=cms_updated_with_ts.der > cms_signature.bin
# Extract TimeStampToken from CMS.
$ openssl asn1parse -noout -in cms_updated_with_ts.pem -offset 1445 -length 1931 -out tst.der
# Verify TimeStampToken against CMS signature value.
$ openssl ts -verify -data cms_signature.bin -in tst.der -token_in -CAfile Starfield_Class_2_Certification_Authority.crt
# Display timestamp details.
$ openssl ts -reply -token_in -in tst.der -text
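The byte offsets in the commands above (1164/256 for the signature value, 1445/1931 for the TimeStampToken) only fit that one file. The following added example, which is not part of the original post or of phpcmstimestamper, computes them for any DER-encoded CMS; the function names are hypothetical, and it assumes definite-length DER and reports the first timestamped SignerInfo it finds.

```python
import sys

# DER encoding (tag + length + value) of id-aa-timeStampToken, 1.2.840.113549.1.9.16.2.14
TST_OID = bytes.fromhex("060b2a864886f70d010910020e")

def read_tlv(buf, pos, end):
    """Return (tag, header_len, content_len) of the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated DER header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first & 0x80 else 0
    if first == 0x80 or tag & 0x1F == 0x1F:
        raise ValueError("indefinite length or multi-byte tag at offset %d" % pos)
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if n else first
    if pos + 2 + n + length > end:
        raise ValueError("element at offset %d overruns its parent" % pos)
    return tag, 2 + n, length

def children(buf, start, end):
    """Yield (offset, tag, header_len, content_len) for each element in [start, end)."""
    pos = start
    while pos < end:
        tag, hl, ln = read_tlv(buf, pos, end)
        yield pos, tag, hl, ln
        pos += hl + ln

def locate(buf, start=0, end=None):
    """Return (sig_off, sig_len, tst_off, tst_len), or None if no timestamp is found."""
    end = len(buf) if end is None else end
    prev = None
    for pos, tag, hl, ln in children(buf, start, end):
        body = pos + hl
        # SignerInfo.signature (OCTET STRING) directly followed by unsignedAttrs [1]
        if tag == 0xA1 and prev and prev[1] == 0x04:
            for apos, _, ahl, _ in children(buf, body, body + ln):  # each Attribute
                oid = apos + ahl
                if buf[oid:oid + len(TST_OID)] == TST_OID:
                    tok = oid + len(TST_OID)
                    tok += read_tlv(buf, tok, end)[1]  # skip the SET header
                    _, thl, tln = read_tlv(buf, tok, end)
                    return prev[0] + prev[2], prev[3], tok, thl + tln
        if tag & 0x20:  # constructed element: descend into it
            found = locate(buf, body, body + ln)
            if found:
                return found
        prev = (pos, tag, hl, ln)
    return None

if __name__ == "__main__":  # usage: python3 locate_tst.py cms_updated_with_ts.der
    print(locate(open(sys.argv[1], "rb").read()))
```

The four numbers map to `skip`/`count` in the `dd` command and `-offset`/`-length` in the `openssl asn1parse` command above.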