2015-09-25 68 views
1

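What I need: I need a verifiable timestamp for a file called notes, using openssl on my Ubuntu computer. Timestamp verification, missing certificate

My problem: I can get a signed timestamp from http://timestamp.globalsign.com/scripts/timstamp.dll, but I can't verify it. When I run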

openssl ts -verify -data notes -in test.tsr 

I get the following two lines of output (extra line breaks inserted for readability)

Verification: FAILED 

3073500860:error:2F06D064:time stamp routines: 
TS_VERIFY_CERT:certificate verify error:ts_rsp_verify.c:246: 
Verify error:unable to get local issuer certificate 

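I think what this means is that I need a certificate named "GlobalSign TSA for Standard - G2" (see the "Output of the script" section below), but I don't know where to find it. I grep'd my /usr, /etc and /home directories for that string, so I'm fairly confident that I don't actually have it. I couldn't find it on Google. Does anyone know where to get this certificate, or am I doing something else wrong? And why is this so hard? I see a lot of people discussing using this server on various Stack Exchange sites, but I seem to be the only one with this problem.


More information

I'm using the default openssl configuration file at /etc/ssl/openssl.cnf

I use the following short script to generate the timestamp query test.tsq, send it to the timestamp server, receive the timestamp reply test.tsr, and then try to verify it.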

#!/bin/bash 
#make time stamp query 
openssl ts -query -data notes -sha256 -cert -out test.tsq 

#write query to stdout in text format 
openssl ts -query -in test.tsq -text 

echo "" 

#use tsget to get the request, since I don't know how to do it with curl 
tsget -h http://timestamp.globalsign.com/scripts/timstamp.dll test.tsq 

#write the reply to stdout in text form 
openssl ts -reply -in test.tsr -text 

echo "" 

#verify the timestamp 
openssl ts -verify -data notes -in test.tsr 

The perl script tsget comes with the openssl package, I think; I found it at /usr/lib/ssl/misc/tsget, but I'll include it here for troubleshooting:

#!/usr/bin/perl -w 
# Written by Zoltan Glozik <[email protected]>. 
# Copyright (c) 2002 The OpenTSA Project. All rights reserved. 
$::version = '$Id: tsget,v 1.3 2009/09/07 17:57:18 steve Exp $'; 

use strict; 
use IO::Handle; 
use Getopt::Std; 
use File::Basename; 
use WWW::Curl::Easy; 

use vars qw(%options); 

# Callback for reading the body. 
sub read_body { 
    my ($maxlength, $state) = @_; 
    my $return_data = ""; 
    my $data_len = length ${$state->{data}}; 
    if ($state->{bytes} < $data_len) {
        $data_len = $data_len - $state->{bytes};
        $data_len = $maxlength if $data_len > $maxlength;
        $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len;
        $state->{bytes} += $data_len;
    }
    return $return_data; 
} 

# Callback for writing the body into a variable. 
sub write_body { 
    my ($data, $pointer) = @_; 
    ${$pointer} .= $data; 
    return length($data); 
} 

# Initialise a new Curl object. 
sub create_curl { 
    my $url = shift; 

    # Create Curl object. 
    my $curl = WWW::Curl::Easy::new(); 

    # Error-handling related options. 
    $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; 
    $curl->setopt(CURLOPT_FAILONERROR, 1); 
    $curl->setopt(CURLOPT_USERAGENT, "OpenTSA tsget.pl/" . (split / /, $::version)[2]);

    # Options for POST method. 
    $curl->setopt(CURLOPT_UPLOAD, 1); 
    $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST"); 
    $curl->setopt(CURLOPT_HTTPHEADER, 
     ["Content-Type: application/timestamp-query", 
     "Accept: application/timestamp-reply,application/timestamp-response"]); 
    $curl->setopt(CURLOPT_READFUNCTION, \&read_body); 
    $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); }); 

    # Options for getting the result. 
    $curl->setopt(CURLOPT_WRITEFUNCTION, \&write_body); 

    # SSL related options. 
    $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM"); 
    $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. 
    $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. 
    $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k}); 
    $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p}); 
    $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c}); 
    $curl->setopt(CURLOPT_CAINFO, $options{C}) if defined($options{C}); 
    $curl->setopt(CURLOPT_CAPATH, $options{P}) if defined($options{P}); 
    $curl->setopt(CURLOPT_RANDOM_FILE, $options{r}) if defined($options{r}); 
    $curl->setopt(CURLOPT_EGDSOCKET, $options{g}) if defined($options{g}); 

    # Setting destination. 
    $curl->setopt(CURLOPT_URL, $url); 

    return $curl; 
} 

# Send a request and returns the body back. 
sub get_timestamp { 
    my $curl = shift; 
    my $body = shift; 
    my $ts_body; 
    local $::error_buf; 

    # Error-handling related options. 
    $curl->setopt(CURLOPT_ERRORBUFFER, "::error_buf"); 

    # Options for POST method. 
    $curl->setopt(CURLOPT_INFILE, {data => $body, bytes => 0}); 
    $curl->setopt(CURLOPT_INFILESIZE, length(${$body})); 

    # Options for getting the result. 
    $curl->setopt(CURLOPT_FILE, \$ts_body); 

    # Send the request... 
    my $error_code = $curl->perform(); 
    my $error_string; 
    if ($error_code != 0) {
        my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE);
        $error_string = "could not get timestamp";
        $error_string .= ", http code: $http_code" unless $http_code == 0;
        $error_string .= ", curl code: $error_code";
        $error_string .= " ($::error_buf)" if defined($::error_buf);
    } else {
        my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE);
        if (lc($ct) ne "application/timestamp-reply"
            && lc($ct) ne "application/timestamp-response") {
            $error_string = "unexpected content type returned: $ct";
        }
    }
    return ($ts_body, $error_string); 

} 

# Print usage information and exit.
sub usage { 

    print STDERR "usage: $0 -h <server_url> [-e <extension>] [-o <output>] "; 
    print STDERR "[-v] [-d] [-k <private_key.pem>] [-p <key_password>] "; 
    print STDERR "[-c <client_cert.pem>] [-C <CA_certs.pem>] [-P <CA_path>] "; 
    print STDERR "[-r <file:file...>] [-g <EGD_socket>] [<request>]...\n"; 
    exit 1; 
} 

# ---------------------------------------------------------------------- 
# Main program 
# ---------------------------------------------------------------------- 

# Getting command-line options (default comes from TSGET environment variable). 
my $getopt_arg = "h:e:o:vdk:p:c:C:P:r:g:"; 
if (exists $ENV{TSGET}) { 
    my @old_argv = @ARGV; 
    @ARGV = split /\s+/, $ENV{TSGET}; 
    getopts($getopt_arg, \%options) or usage; 
    @ARGV = @old_argv; 
} 
getopts($getopt_arg, \%options) or usage; 

# Checking argument consistency. 
if (!exists($options{h}) || (@ARGV == 0 && !exists($options{o})) 
    || (@ARGV > 1 && exists($options{o}))) { 
    print STDERR "Inconsistent command line options.\n"; 
    usage; 
} 
# Setting defaults. 
@ARGV = ("-") unless @ARGV != 0; 
$options{e} = ".tsr" unless defined($options{e}); 

# Processing requests. 
my $curl = create_curl $options{h}; 
undef $/; # For reading whole files. 
REQUEST: foreach (@ARGV) { 
    my $input = $_; 
    my ($base, $path) = fileparse($input, '\.[^.]*'); 
    my $output_base = $base . $options{e}; 
    my $output = defined($options{o}) ? $options{o} : $path . $output_base; 

    STDERR->printflush("$input: ") if $options{v}; 
    # Read request. 
    my $body; 
    if ($input eq "-") {
        # Read the request from STDIN;
        $body = <STDIN>;
    } else {
        # Read the request from file.
        open INPUT, "<" . $input
            or warn("$input: could not open input file: $!\n"), next REQUEST;
        $body = <INPUT>;
        close INPUT
            or warn("$input: could not close input file: $!\n"), next REQUEST;
    }

    # Send request. 
    STDERR->printflush("sending request") if $options{v}; 

    my ($ts_body, $error) = get_timestamp $curl, \$body; 
    if (defined($error)) { 
    die "$input: fatal error: $error\n"; 
    } 
    STDERR->printflush(", reply received") if $options{v}; 

    # Write response. 
    if ($output eq "-") {
        # Write to STDOUT.
        print $ts_body;
    } else {
        # Write to file.
        open OUTPUT, ">", $output
            or warn("$output: could not open output file: $!\n"), next REQUEST;
        print OUTPUT $ts_body;
        close OUTPUT
            or warn("$output: could not close output file: $!\n"), next REQUEST;
    }
    STDERR->printflush(", $output written.\n") if $options{v}; 
} 
$curl->cleanup(); 
WWW::Curl::Easy::global_cleanup(); 

Output of the script

Version: 1 
Hash Algorithm: sha256 
Message data: 
    0000 - a8 31 60 9c a3 fe 14 74-05 f1 be 78 89 5c a6 a5 .1`....t...x.\.. 
    0010 - d3 b7 4a 7d 18 b9 d0 f9-39 fc a8 d6 e2 be 2e 27 ..J}....9......' 
Policy OID: unspecified 
Nonce: 0x533AC264C90C4EEE 
Certificate required: yes 
Extensions: 

Undefined subroutine &WWW::Curl::Easy::global_cleanup called at /usr/local/bin/tsget line 196. 
Status info: 
Status: Granted. 
Status description: unspecified 
Failure info: unspecified 

TST info: 
Version: 1 
Policy OID: 1.3.6.1.4.1.4146.2.2 
Hash Algorithm: sha256 
Message data: 
    0000 - a8 31 60 9c a3 fe 14 74-05 f1 be 78 89 5c a6 a5 .1`....t...x.\.. 
    0010 - d3 b7 4a 7d 18 b9 d0 f9-39 fc a8 d6 e2 be 2e 27 ..J}....9......' 
Serial number: 0x3A668E2441A3707CB495191DC3EF2D717C49DD30 
Time stamp: Sep 25 16:55:34 2015 GMT 
Accuracy: unspecified 
Ordering: no 
Nonce: 0x533AC264C90C4EEE 
TSA: DirName:/C=SG/O=GMO GlobalSign Pte Ltd/CN=GlobalSign TSA for Standard - G2 
Extensions: 

Verification: FAILED 
3073967804:error:2F06D064:time stamp routines:TS_VERIFY_CERT:certificate verify error:ts_rsp_verify.c:246:Verify error:unable to get local issuer certificate 

Answers

1

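OK, I did find an answer: http://tsa.safecreative.org/

After a lot of Googling, I started to get the impression that, although posts like this one, this one, this one, and especially this one make it look like GlobalSign and Verisign and friends each run a free timestamp server, they aren't really free. I think it may be a free "add-on" to other products they sell. Anyone can get a timestamp from their servers, but I can't verify the timestamp without their certificate, which doesn't seem to be freely available. If anyone knows otherwise, feel free to correct me.

On the other hand, http://tsa.safecreative.org/ is a site that is actually free (or free for up to 5 stamps per day per IP address), and anyone can download its certificate to verify timestamps. This is exactly what I was looking for.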

+0

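*"...I now have the impression that they aren't really free. I think it may be a free "add-on" to other products they sell..."* - Yes, you've got to love the games companies play... – jww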

+0

See also [Wishlist: provide timestamp services](https://community.letsencrypt.org/t/wishlist-provide-timestamp-services/1350) on the [Let's Encrypt](https://letsencrypt.org/) community bulletin board. – jww

0

Get a timestamp on Windows, then export the certificate chain from the timestamped executable, and you have the chain.
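
The "unable to get local issuer certificate" failure from the question, reproduced offline as an added example that is not part of the original posts: a query made with -cert gets a reply that already embeds the TSA's own certificate, so what `openssl ts -verify` lacks is the issuer, supplied with -CAfile. The CA, the TSA, the policy OID 1.2.3.4.1 and every file name other than notes, test.tsq and test.tsr are constructed for the demo.

```shell
#!/bin/bash
# Added demo: a throwaway CA and TSA (constructed, CN "Demo ...") stand in for
# the real service so the failure and the fix can be reproduced offline.
demo_dir=$(mktemp -d) && cd "$demo_dir" || exit 1
trap 'rm -rf "$demo_dir"' EXIT

make_reply() {  # build CA + TSA cert, then sign a reply for the file "notes"
  echo "constructed sample notes" > notes
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
      -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo TSA" \
      -keyout tsa.key -out tsa.csr 2>/dev/null
  # A TSA signing certificate must carry a critical timeStamping EKU.
  echo "extendedKeyUsage=critical,timeStamping" > eku.ext
  openssl x509 -req -in tsa.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 2 -extfile eku.ext -out tsa.pem 2>/dev/null
  cat > tsa.cnf <<EOF
[tsa]
default_tsa = demo_tsa
[demo_tsa]
serial = $demo_dir/tsaserial
signer_cert = $demo_dir/tsa.pem
signer_key = $demo_dir/tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
EOF
  echo 01 > tsaserial
  openssl ts -query -data notes -sha256 -cert -out test.tsq 2>/dev/null
  openssl ts -reply -config tsa.cnf -queryfile test.tsq -out test.tsr 2>/dev/null
}

embedded_certs() {  # subject and issuer of each certificate carried in the token
  openssl ts -reply -in test.tsr -token_out 2>/dev/null |
    openssl pkcs7 -inform DER -print_certs -noout
}

verify() {  # extra arguments are passed through to "openssl ts -verify"
  openssl ts -verify -data notes -in test.tsr "$@" 2>&1
}

make_reply
embedded_certs                 # shows which issuer the verifier must trust
verify || echo "no trust anchor: same failure as in the question"
verify -CAfile ca.pem          # prints "Verification: OK"
```

Against a real reply, the issuer named by `embedded_certs` is the certificate to obtain from the TSA operator; any intermediates that are not in the token go in with -untrusted.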