I've used openssl cms to sign the data and generate a detached signature. As per my requirements I need to timestamp the signature as well, so that if the certificate expires, verification of the signature can still be done. The generated timestamp is also in detached format. I've also generated the CRL after revoking the certificate.
NOTE: For testing purposes I've created my own CA using openssl.
For signing the data:
openssl cms -sign -binary -in test_data.tgz -md sha256 -signer my-cert.pem -inkey my-cert.key -out test_data.cms -outform DER
For timestamping the signature (freetsa.org is used as the TSA):
openssl ts -query -data test_data.cms -no_nonce -sha256 -cert -out test_data.tsq
curl -H "Content-Type: application/timestamp-query" --data-binary '@test_data.tsq' https://freetsa.org/tsr > test_data.tsr
Now for the verification part: as per my understanding of RFC 3161 (https://tools.ietf.org/html/rfc3161#page-20), the following procedure can be used to verify the authenticity of the digital signature.
Verify the timestamp token:
openssl ts -verify -in test_data.tsr -queryfile test_data.tsq -CAfile cacert.pem -untrusted tsa.crt
openssl ts -verify -data test_data.cms -in test_data.tsr -CAfile cacert.pem -untrusted tsa.crt
Fetch the timestamp:
openssl ts -reply -in test_data.tsr -text
Time stamp: Apr 24 13:09:25 2020 GMT (example)
Convert the timestamp to Unix epoch time:
date -d "Apr 24 13:09:25 2020 GMT" +%s
Verify the signature against the timestamp and the certificate via openssl cms:
openssl cms -verify -binary -in test_data.cms -content test_data.tgz -CAfile ca-chain.cer -inform DER -out /tmp/tmp.data -attime 1587733765
Everything works until the CRL (Certificate Revocation List) comes into the picture. What I know is that if the certificate (my-cert.pem in this case) has been revoked and the "Invalidity Date" is after the timestamp date, the signature should still be valid. But with openssl cms -verify it's not working as expected, or it's not supported.
openssl ca -config openssl.conf -revoke my-cert.pem -crl_reason keyCompromise -crl_compromise 20200422140925Z
The compromise date is after the timestamp date.
Verify the signature with the CRL and timestamp:
openssl cms -verify -binary -in test_data.cms -content test_data.tgz -CAfile ca-chain.cer -inform DER -out /tmp/tmp.data -attime 1587733765 -crl_check
Output: CRL is not yet valid
I think openssl is comparing the "Last Update" date of the CRL, instead of the "Invalidity Date", with the date given in the -attime argument, i.e. 1587733765, due to which it shows "CRL is not yet valid".
openssl cms -verify -binary -in test_data.cms -content test_data.tgz -CAfile ca-chain.cer -inform DER -out /tmp/tmp.data -crl_check
Output: Certificate revoked
So how do I verify the signature with the CRL and timestamp in openssl cms?
The only way I see is to fetch the "Invalidity Date" manually from the CRL, compare it with the timestamp, and act accordingly.
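Added example (editor's code, not part of the question or of OpenSSL): the manual check the question ends on, carried out over the text that `openssl crl -in <crl> -noout -text` prints. It looks up the signer's serial among the revoked entries, takes the entry's "Invalidity Date" (falling back to the "Revocation Date" when the extension is absent) and compares it with the "Time stamp:" instant from `openssl ts -reply -text`. `crl_check_at` reproduces the window test OpenSSL applies to the CRL itself against the `-attime` instant, which is where the "CRL is not yet valid" message comes from when the CRL was issued after the timestamp. The CRL text, serial numbers and dates below are constructed for the example; in practice the signer's serial comes from `openssl x509 -in my-cert.pem -noout -serial`.

```python
# Added example, not from the question: decide acceptance of a timestamped detached
# CMS signature from the CRL's Invalidity Date rather than from `-crl_check -attime`.
# Input is the output of `openssl crl -in <crl> -noout -text`; the sample CRL text and
# serial numbers are constructed for this example, not real CA output.
import re
from datetime import datetime, timezone

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"  # e.g. "Apr 24 13:09:25 2020 GMT"


def openssl_time_to_epoch(text: str) -> int:
    """Same conversion as `date -d "<time>" +%s` for the GMT times OpenSSL prints."""
    dt = datetime.strptime(text.strip(), OPENSSL_TIME).replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def generalized_time_to_epoch(text: str) -> int:
    """GeneralizedTime as given to `openssl ca -crl_compromise`, e.g. 20200422140925Z."""
    dt = datetime.strptime(text.strip(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def norm_serial(serial: str) -> str:
    """Serials print in hex without fixed width; normalise before comparing."""
    return serial.strip().upper().lstrip("0") or "0"


# One revoked entry: the serial line, then everything up to the next serial line.
ENTRY_RE = re.compile(r"Serial Number:\s*([0-9A-Fa-f]+)\n(.*?)(?=\n\s*Serial Number:|\Z)", re.S)


def parse_crl_text(crl_text: str) -> dict:
    """thisUpdate/nextUpdate plus, per revoked serial, the revocation date and the
    optional Invalidity Date entry extension (RFC 5280 section 5.3.2)."""
    last_update = re.search(r"Last Update:\s*(.+)", crl_text).group(1)
    next_update = re.search(r"Next Update:\s*(.+)", crl_text).group(1)
    revoked = {}
    _, _, body = crl_text.partition("Revoked Certificates:")
    for serial, fields in ENTRY_RE.findall(body):
        revocation = re.search(r"Revocation Date:\s*(.+)", fields).group(1)
        invalidity = re.search(r"Invalidity Date:\s*(.+)", fields)  # \s* spans the line break
        revoked[norm_serial(serial)] = {
            "revocation_date": openssl_time_to_epoch(revocation),
            "invalidity_date": openssl_time_to_epoch(invalidity.group(1)) if invalidity else None,
        }
    return {"last_update": openssl_time_to_epoch(last_update),
            "next_update": openssl_time_to_epoch(next_update),
            "revoked": revoked}


def crl_check_at(crl: dict, attime: int) -> str:
    """The CRL-window test OpenSSL runs against the -attime instant: a CRL issued after
    that instant is rejected as 'CRL is not yet valid' before any entry is consulted."""
    if attime < crl["last_update"]:
        return "CRL is not yet valid"
    if attime > crl["next_update"]:
        return "CRL has expired"
    return "ok"


def signature_status(crl: dict, signer_serial: str, tst_epoch: int) -> str:
    """Valid if the signer is not on the CRL, or if the TST time precedes the
    Invalidity Date (Revocation Date when the extension is absent)."""
    entry = crl["revoked"].get(norm_serial(signer_serial))
    if entry is None:
        return "valid: certificate not on CRL"
    cutoff = entry["invalidity_date"]
    if cutoff is None:
        cutoff = entry["revocation_date"]
    if tst_epoch < cutoff:
        return "valid: timestamped before invalidity date"
    return "invalid: revoked before timestamp"


# Constructed sample: CRL issued Apr 25; serial 1001 compromised after the Apr 24
# timestamp used below, serial 1002 compromised before it.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN = Test CA
        Last Update: Apr 25 09:00:00 2020 GMT
        Next Update: May 25 09:00:00 2020 GMT
Revoked Certificates:
    Serial Number: 1001
        Revocation Date: Apr 25 09:00:00 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
            Invalidity Date:
                Apr 26 14:09:25 2020 GMT
    Serial Number: 1002
        Revocation Date: Apr 25 09:00:00 2020 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
            Invalidity Date:
                Apr 22 14:09:25 2020 GMT
"""

TST_TIME = "Apr 24 13:09:25 2020 GMT"  # the "Time stamp:" line from `openssl ts -reply -text`

if __name__ == "__main__":
    crl = parse_crl_text(SAMPLE_CRL_TEXT)
    tst = openssl_time_to_epoch(TST_TIME)
    print("attime", tst, "->", crl_check_at(crl, tst))
    for serial in ("1001", "1002", "1003"):
        print(serial, "->", signature_status(crl, serial, tst))
```

The two checks are deliberately separate: `crl_check_at` answers whether the CRL is usable at all for the `-attime` instant, which is what OpenSSL stops on, and `signature_status` answers the question actually being asked, whether the signer was already compromised when the TSA vouched for the signature. For long-term validation the CRL must be one issued after the timestamp, so the first check failing for the timestamp instant is expected; the decision then has to rest on the entry dates, as the second function does.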