signature=d80926ab19028a2cf65e944ce710aef6,[Question] How to create interoperable timestamps?

I'm trying to create a little time stamping service using jsrsasign. When creating timestamps, these cannot be parsed/verified with jarsigner or openssl's ts. How can jsrsasign be used to create a timestamp, that can be parsed and verified with jarsigner (https://docs.oracle.com/en/java/javase/11/tools/jarsigner.html) or openssl ts (https://www.openssl.org/docs/man1.1.1/man1/openssl-ts.html)

This is what I'm trying to do (using jsrsasign 8.0.23):

I'm using jarsigner from the following java and OpenSSL versions

(venv) node@nodejs /u/h/node> java -version

openjdk version "11.0.7" 2020-04-14

OpenJDK Runtime Environment (build 11.0.7+10-2)

OpenJDK 64-Bit Server VM (build 11.0.7+10-2, mixed mode)

(venv) node@nodejs /u/h/node> openssl version

OpenSSL 1.1.1d-freebsd 10 Sep 2019

Import the TSA certificate into the truststore:

(venv) node@nodejs /u/h/node> cat Root/tsa.crt.pem

-----BEGIN CERTIFICATE-----

MIIEmTCCBB6gAwIBAgIhAMQAkZsvWRV8Sp1B23OmAcXQ1zYOwX75F/f+MtGZv5gJ

MAoGCCqGSM49BAMCMEUxCzAJBgNVBAYTAkRFMRAwDgYDVQQKDAdNeS5Db3JwMRUw

EwYDVQQLDAxQS0kgU2VydmljZXMxDTALBgNVBAMMBFJvb3QwHhcNMjAwODExMDQz

NjQ2WhcNMjcwODEwMDQzNjQ2WjBEMQswCQYDVQQGEwJERTEQMA4GA1UECgwHTXku

Q29ycDEVMBMGA1UECwwMUEtJIFNlcnZpY2VzMQwwCgYDVQQDDANUU0EwggEiMA0G

CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCPq+TjUZ5Az7xXy5PePzLA8rJfyStO

iXmPdOcs3gvNZKPx2Mj1pjBNeCuQFdY25Qq+WyMR/d/DPNOvTUG8xlgUpAsOdXUI

uCZLsqGkLrerDinK1IVLmtLa8ru5DcJDrMx8iT4op//Ppm7E9rnnPxEpyAAHvyaf

hrz5peS/VZAtbMWPhOnvbNYoveMATKgDh5Lm/tZSimcC5S05dbwSFYMIz8srnKWd

FryjJ+AdnUxyvw6uyZptNUktrHykA9Zt2xCadPuAUINPUZv/DRsVEBL0ucTBQA+o

ixkji33daj1bXNL+C68Wej4zvl7lLMAmJLHhqqvcCdGmo6TlYlziGDKFAgMBAAGj

ggITMIICDzArBgNVHSMEJDAigCC6NyC5ZTUBwkvbCtoKkAd2XiM5O5NhfAM067eS

SO+h+zApBgNVHQ4EIgQgE64g/PWYjH5B29uRIxuR/VnltZr4AzkxQvFuwBoLYT0w

CQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBsAwFgYDVR0lAQH/BAwwCgYIKwYBBQUH

AwgwgYQGA1UdHwR9MHsweaB3oHWGc2h0dHA6Ly9ub2RlanMucnotYnNkLm15LmNv

cnAvZG93bmxvYWQvUm9vdC8yZWUyNmMyZDA5NGViZDEyMzY2OTc5NjY0ZjRhOWNh

YzY3ODY0ZjE1OTgzYWVjMGM0ZjRlYjZmMjRkMmQ5ODEyL2NybC5kZXIwgZUGCCsG

AQUFBwEBBIGIMIGFMIGCBggrBgEFBQcwAoZ2aHR0cDovL25vZGVqcy5yei1ic2Qu

bXkuY29ycC9kb3dubG9hZC9Sb290LzJlZTI2YzJkMDk0ZWJkMTIzNjY5Nzk2NjRm

NGE5Y2FjNjc4NjRmMTU5ODNhZWMwYzRmNGViNmYyNGQyZDk4MTIvY2EuY3J0LmNl

cjAgBgNVHREEGTAXghVub2RlanMucnotYnNkLm15LmNvcnAwQQYIKwYBBQUHAQsE

NTAzMDEGCCsGAQUFBzADhiVodHRwOi8vbm9kZWpzLnJ6LWJzZC5teS5jb3JwL3Rz

YS9Sb290MAoGCCqGSM49BAMCA2kAMGYCMQCD7b1qvwsLo86y4fWYU0TI5iOpm6hM

FB3b3Ut5KWpmQYSY/pu9togcsECylHelIS8CMQDTjsyGAg1aYuMz5rFN2KYH3S/g

lRi7s/6QPr33tBFImPQ9wHOm/OrNLR/Emp4VYq0=

-----END CERTIFICATE-----

(venv) node@nodejs /u/h/node> openssl x509 -in Root/tsa.crt.pem -noout -text

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

c4:00:91:9b:2f:59:15:7c:4a:9d:41:db:73:a6:01:c5:d0:d7:36:0e:c1:7e:f9:17:f7:fe:32:d1:99:bf:98:09

Signature Algorithm: ecdsa-with-SHA256

Issuer: C = DE, O = My.Corp, OU = PKI Services, CN = Root

Validity

Not Before: Aug 11 04:36:46 2020 GMT

Not After : Aug 10 04:36:46 2027 GMT

Subject: C = DE, O = My.Corp, OU = PKI Services, CN = TSA

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public-Key: (2048 bit)

Modulus:

00:8f:ab:e4:e3:51:9e:40:cf:bc:57:cb:93:de:3f:

32:c0:f2:b2:5f:c9:2b:4e:89:79:8f:74:e7:2c:de:

0b:cd:64:a3:f1:d8:c8:f5:a6:30:4d:78:2b:90:15:

d6:36:e5:0a:be:5b:23:11:fd:df:c3:3c:d3:af:4d:

41:bc:c6:58:14:a4:0b:0e:75:75:08:b8:26:4b:b2:

a1:a4:2e:b7:ab:0e:29:ca:d4:85:4b:9a:d2:da:f2:

bb:b9:0d:c2:43:ac:cc:7c:89:3e:28:a7:ff:cf:a6:

6e:c4:f6:b9:e7:3f:11:29:c8:00:07:bf:26:9f:86:

bc:f9:a5:e4:bf:55:90:2d:6c:c5:8f:84:e9:ef:6c:

d6:28:bd:e3:00:4c:a8:03:87:92:e6:fe:d6:52:8a:

67:02:e5:2d:39:75:bc:12:15:83:08:cf:cb:2b:9c:

a5:9d:16:bc:a3:27:e0:1d:9d:4c:72:bf:0e:ae:c9:

9a:6d:35:49:2d:ac:7c:a4:03:d6:6d:db:10:9a:74:

fb:80:50:83:4f:51:9b:ff:0d:1b:15:10:12:f4:b9:

c4:c1:40:0f:a8:8b:19:23:8b:7d:dd:6a:3d:5b:5c:

d2:fe:0b:af:16:7a:3e:33:be:5e:e5:2c:c0:26:24:

b1:e1:aa:ab:dc:09:d1:a6:a3:a4:e5:62:5c:e2:18:

32:85

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Authority Key Identifier:

keyid:BA:37:20:B9:65:35:01:C2:4B:DB:0A:DA:0A:90:07:76:5E:23:39:3B:93:61:7C:03:34:EB:B7:92:48:EF:A1:FB

X509v3 Subject Key Identifier:

13:AE:20:FC:F5:98:8C:7E:41:DB:DB:91:23:1B:91:FD:59:E5:B5:9A:F8:03:39:31:42:F1:6E:C0:1A:0B:61:3D

X509v3 Basic Constraints:

CA:FALSE

X509v3 Key Usage: critical

Digital Signature, Non Repudiation

X509v3 Extended Key Usage: critical

Time Stamping

X509v3 CRL Distribution Points:

Full Name:

URI:http://nodejs.rz-bsd.my.corp/download/Root/2ee26c2d094ebd12366979664f4a9cac67864f15983aec0c4f4eb6f24d2d9812/crl.der

Authority Information Access:

CA Issuers - URI:http://nodejs.rz-bsd.my.corp/download/Root/2ee26c2d094ebd12366979664f4a9cac67864f15983aec0c4f4eb6f24d2d9812/ca.crt.cer

X509v3 Subject Alternative Name:

DNS:nodejs.rz-bsd.my.corp

Subject Information Access:

AD Time Stamping - URI:http://nodejs.rz-bsd.my.corp/tsa/Root

Signature Algorithm: ecdsa-with-SHA256

30:66:02:31:00:83:ed:bd:6a:bf:0b:0b:a3:ce:b2:e1:f5:98:

53:44:c8:e6:23:a9:9b:a8:4c:14:1d:db:dd:4b:79:29:6a:66:

41:84:98:fe:9b:bd:b6:88:1c:b0:40:b2:94:77:a5:21:2f:02:

31:00:d3:8e:cc:86:02:0d:5a:62:e3:33:e6:b1:4d:d8:a6:07:

dd:2f:e0:95:18:bb:b3:fe:90:3e:bd:f7:b4:11:48:98:f4:3d:

c0:73:a6:fc:ea:cd:2d:1f:c4:9a:9e:15:62:ad

(venv) node@nodejs /u/h/node> keytool -import -alias tsa -file Root/tsa.crt.pem

Enter keystore password:

Owner: CN=TSA, OU=PKI Services, O=My.Corp, C=DE

Issuer: CN=Root, OU=PKI Services, O=My.Corp, C=DE

Serial number: c400919b2f59157c4a9d41db73a601c5d0d7360ec17ef917f7fe32d199bf9809

Valid from: Tue Aug 11 06:36:46 CEST 2020 until: Tue Aug 10 06:36:46 CEST 2027

Certificate fingerprints:

SHA1: 00:4E:12:E5:22:85:CB:8B:15:06:1F:0F:46:9A:68:FA:1F:F1:AA:A9

SHA256: A3:31:1B:64:DF:BE:97:38:9A:6E:DE:82:3B:D2:44:81:10:85:87:54:0C:E1:14:E1:48:85:58:30:D1:F1:B3:E9

Signature algorithm name: SHA256withECDSA

Subject Public Key Algorithm: 2048-bit RSA key

Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false

AuthorityInfoAccess [

[

accessMethod: caIssuers

accessLocation: URIName: http://nodejs.rz-bsd.my.corp/download/Root/2ee26c2d094ebd12366979664f4a9cac67864f15983aec0c4f4eb6f24d2d9812/ca.crt.cer

]

]

#2: ObjectId: 2.5.29.35 Criticality=false

AuthorityKeyIdentifier [

KeyIdentifier [

0000: BA 37 20 B9 65 35 01 C2 4B DB 0A DA 0A 90 07 76 .7 .e5..K......v

0010: 5E 23 39 3B 93 61 7C 03 34 EB B7 92 48 EF A1 FB ^#9;.a..4...H...

]

]

#3: ObjectId: 2.5.29.19 Criticality=false

BasicConstraints:[

CA:false

PathLen: undefined

]

#4: ObjectId: 2.5.29.31 Criticality=false

CRLDistributionPoints [

[DistributionPoint:

[URIName: http://nodejs.rz-bsd.my.corp/download/Root/2ee26c2d094ebd12366979664f4a9cac67864f15983aec0c4f4eb6f24d2d9812/crl.der]

]]

#5: ObjectId: 2.5.29.37 Criticality=true

ExtendedKeyUsages [

timeStamping

]

#6: ObjectId: 2.5.29.15 Criticality=true

KeyUsage [

DigitalSignature

Non_repudiation

]

#7: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

DNSName: nodejs.rz-bsd.my.corp

]

#8: ObjectId: 1.3.6.1.5.5.7.1.11 Criticality=false

SubjectInfoAccess [

[

accessMethod: timeStamping

accessLocation: URIName: http://nodejs.rz-bsd.my.corp/tsa/Root

]

]

#9: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 13 AE 20 FC F5 98 8C 7E 41 DB DB 91 23 1B 91 FD .. .....A...#...

0010: 59 E5 B5 9A F8 03 39 31 42 F1 6E C0 1A 0B 61 3D Y.....91B.n...a=

]

]

Trust this certificate? [no]: yes

Certificate was added to keystore

Now trying to sign a JAR file using the TSA certificate:

(venv) node@nodejs /u/h/node> jarsigner -verbose:all -certs -tsacert tsa acme4j/jose4j/target/jose4j-0.7.3-SNAPSHOT.jar mykey

Enter Passphrase for keystore:

requesting a signature timestamp

TSA certificate: X.509, CN=TSA, OU=PKI Services, O=My.Corp, C=DE

[trusted certificate]

jarsigner: unable to sign jar: sun.security.pkcs.ParsingException: Unable to parse the encoded bytes

This command fails, although signing without a timestamp works fine. Tracing the HTTP timestamp request with tcpdump shows the following:

# tcpdump -i lo0 -XX port 1880

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes

16:57:26.222415 IP6 localhost.18201 > localhost.1880: Flags [S], seq 170651008, win 65535, options [mss 16324,nop,wscale 6,sackOK,TS val 1473951903 ecr 0], length 0

0x0000: 1c00 0000 6003 a897 0028 0640 0000 0000 ....`....(.@....

0x0010: 0000 0000 0000 0000 0000 0001 0000 0000 ................

0x0020: 0000 0000 0000 0000 0000 0001 4719 0758 ............G..X

0x0030: 0a2b ed80 0000 0000 a002 ffff 0030 0000 .+...........0..

0x0040: 0204 3fc4 0103 0306 0402 080a 57da b89f ..?.........W...

0x0050: 0000 0000 ....

16:57:26.222440 IP6 localhost.1880 > localhost.18201: Flags [R.], seq 0, ack 170651009, win 0, length 0

0x0000: 1c00 0000 6000 0000 0014 0640 0000 0000 ....`......@....

0x0010: 0000 0000 0000 0000 0000 0001 0000 0000 ................

0x0020: 0000 0000 0000 0000 0000 0001 0758 4719 .............XG.

0x0030: 0000 0000 0a2b ed81 5014 0000 001c 0000 .....+..P.......

16:57:26.222523 IP localhost.52950 > localhost.1880: Flags [S], seq 1414298252, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 3454229032 ecr 0], length 0

0x0000: 0200 0000 4500 003c 0000 4000 4006 0000 ....E..<..>

0x0010: 7f00 0001 7f00 0001 ced6 0758 544c 7a8c ...........XTLz.

0x0020: 0000 0000 a002 ffff fe30 0000 0204 3fd8 .........0....?.

0x0030: 0103 0306 0402 080a cde3 5a28 0000 0000 ..........Z(....

16:57:26.222539 IP localhost.1880 > localhost.52950: Flags [S.], se