I'm trying to create a little time stamping service using jsrsasign. When creating timestamps, these cannot be parsed/verified with jarsigner or openssl's ts. How can jsrsasign be used to create a timestamp, that can be parsed and verified with jarsigner (https://docs.oracle.com/en/java/javase/11/tools/jarsigner.html) or openssl ts (https://www.openssl.org/docs/man1.1.1/man1/openssl-ts.html)
This is what I'm trying to do (using jsrsasign 8.0.23):
I'm using jarsigner from the following java and OpenSSL versions
(venv) node@nodejs /u/h/node> java -version
openjdk version "11.0.7" 2020-04-14
OpenJDK Runtime Environment (build 11.0.7+10-2)
OpenJDK 64-Bit Server VM (build 11.0.7+10-2, mixed mode)
(venv) node@nodejs /u/h/node> openssl version
OpenSSL 1.1.1d-freebsd 10 Sep 2019
Import the TSA certificate into the truststore:
(venv) node@nodejs /u/h/node> cat Root/tsa.crt.pem
-----BEGIN CERTIFICATE-----
MIIEmTCCBB6gAwIBAgIhAMQAkZsvWRV8Sp1B23OmAcXQ1zYOwX75F/f+MtGZv5gJ
MAoGCCqGSM49BAMCMEUxCzAJBgNVBAYTAkRFMRAwDgYDVQQKDAdNeS5Db3JwMRUw
EwYDVQQLDAxQS0kgU2VydmljZXMxDTALBgNVBAMMBFJvb3QwHhcNMjAwODExMDQz
NjQ2WhcNMjcwODEwMDQzNjQ2WjBEMQswCQYDVQQGEwJERTEQMA4GA1UECgwHTXku
Q29ycDEVMBMGA1UECwwMUEtJIFNlcnZpY2VzMQwwCgYDVQQDDANUU0EwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCPq+TjUZ5Az7xXy5PePzLA8rJfyStO
iXmPdOcs3gvNZKPx2Mj1pjBNeCuQFdY25Qq+WyMR/d/DPNOvTUG8xlgUpAsOdXUI
uCZLsqGkLrerDinK1IVLmtLa8ru5DcJDrMx8iT4op//Ppm7E9rnnPxEpyAAHvyaf
hrz5peS/VZAtbMWPhOnvbNYoveMATKgDh5Lm/tZSimcC5S05dbwSFYMIz8srnKWd
FryjJ+AdnUxyvw6uyZptNUktrHykA9Zt2xCadPuAUINPUZv/DRsVEBL0ucTBQA+o
ixkji33daj1bXNL+C68Wej4zvl7lLMAmJLHhqqvcCdGmo6TlYlziGDKFAgMBAAGj
ggITMIICDzArBgNVHSMEJDAigCC6NyC5ZTUBwkvbCtoKkAd2XiM5O5NhfAM067eS
SO+h+zApBgNVHQ4EIgQgE64g/PWYjH5B29uRIxuR/VnltZr4AzkxQvFuwBoLYT0w
CQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBsAwFgYDVR0lAQH/BAwwCgYIKwYBBQUH
AwgwgYQGA1UdHwR9MHsweaB3oHWGc2h0dHA6Ly9ub2RlanMucnotYnNkLm15LmNv
cnAvZG93bmxvYWQvUm9vdC8yZWUyNmMyZDA5NGViZDEyMzY2OTc5NjY0ZjRhOWNh
YzY3ODY0ZjE1OTgzYWVjMGM0ZjRlYjZmMjRkMmQ5ODEyL2NybC5kZXIwgZUGCCsG
AQUFBwEBBIGIMIGFMIGCBggrBgEFBQcwAoZ2aHR0cDovL25vZGVqcy5yei1ic2Qu
bXkuY29ycC9kb3dubG9hZC9Sb290LzJlZTI2YzJkMDk0ZWJkMTIzNjY5Nzk2NjRm
NGE5Y2FjNjc4NjRmMTU5ODNhZWMwYzRmNGViNmYyNGQyZDk4MTIvY2EuY3J0LmNl
cjAgBgNVHREEGTAXghVub2RlanMucnotYnNkLm15LmNvcnAwQQYIKwYBBQUHAQsE
NTAzMDEGCCsGAQUFBzADhiVodHRwOi8vbm9kZWpzLnJ6LWJzZC5teS5jb3JwL3Rz
YS9Sb290MAoGCCqGSM49BAMCA2kAMGYCMQCD7b1qvwsLo86y4fWYU0TI5iOpm6hM
FB3b3Ut5KWpmQYSY/pu9togcsECylHelIS8CMQDTjsyGAg1aYuMz5rFN2KYH3S/g
lRi7s/6QPr33tBFImPQ9wHOm/OrNLR/Emp4VYq0=
-----END CERTIFICATE-----
(venv) node@nodejs /u/h/node> openssl x509 -in Root/tsa.crt.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
c4:00:91:9b:2f:59:15:7c:4a:9d:41:db:73:a6:01:c5:d0:d7:36:0e:c1:7e:f9:17:f7:fe:32:d1:99:bf:98:09
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = DE, O = My.Corp, OU = PKI Services, CN = Root
Validity
Not Before: Aug 11 04:36:46 2020 GMT
Not After : Aug 10 04:36:46 2027 GMT
Subject: C = DE, O = My.Corp, OU = PKI Services, CN = TSA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:8f:ab:e4:e3:51:9e:40:cf:bc:57:cb:93:de:3f:
32:c0:f2:b2:5f:c9:2b:4e:89:79:8f:74:e7:2c:de:
0b:cd:64:a3:f1:d8:c8:f5:a6:30:4d:78:2b:90:15:
d6:36:e5:0a:be:5b:23:11:fd:df:c3:3c:d3:af:4d:
41:bc:c6:58:14:a4:0b:0e:75:75:08:b8:26:4b:b2:
a1:a4:2e:b7:ab:0e:29:ca:d4:85:4b:9a:d2:da:f2:
bb:b9:0d:c2:43:ac:cc:7c:89:3e:28:a7:ff:cf:a6:
6e:c4:f6:b9:e7:3f:11:29:c8:00:07:bf:26:9f:86:
bc:f9:a5:e4:bf:55:90:2d:6c:c5:8f:84:e9:ef:6c:
d6:28:bd:e3:00:4c:a8:03:87:92:e6:fe:d6:52:8a:
67:02:e5:2d:39:75:bc:12:15:83:08:cf:cb:2b:9c:
a5:9d:16:bc:a3:27:e0:1d:9d:4c:72:bf:0e:ae:c9:
9a:6d:35:49:2d:ac:7c:a4:03:d6:6d:db:10:9a:74:
fb:80:50:83:4f:51:9b:ff:0d:1b:15:10:12:f4:b9:
c4:c1:40:0f:a8:8b:19:23:8b:7d:dd:6a:3d:5b:5c:
d2:fe:0b:af:16:7a:3e:33:be:5e:e5:2c:c0:26:24:
b1:e1:aa:ab:dc:09:d1:a6:a3:a4:e5:62:5c:e2:18:
32:85
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:BA:37:20:B9:65:35:01:C2:4B:DB:0A:DA:0A:90:07:76:5E:23:39:3B:93:61:7C:03:34:EB:B7:92:48:EF:A1:FB
X509v3 Subject Key Identifier:
13:AE:20:FC:F5:98:8C:7E:41:DB:DB:91:23:1B:91:FD:59:E5:B5:9A:F8:03:39:31:42:F1:6E:C0:1A:0B:61:3D
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation
X509v3 Extended Key Usage: critical
Time Stamping
X509v3 CRL Distribution Points:
Full Name:
URI:http://nodejs.rz-bsd.my.corp/download/Root/2ee26c2d094ebd12366979664f4a9cac67864f15983aec0c4f4eb6f24d2d9812/crl.der
Authority Information Access:
CA Issuers - URI:http://nodejs.rz-bsd.my.corp/download/Root/2ee26c2d094ebd12366979664f4a9cac67864f15983aec0c4f4eb6f24d2d9812/ca.crt.cer
X509v3 Subject Alternative Name:
DNS:nodejs.rz-bsd.my.corp
Subject Information Access:
AD Time Stamping - URI:http://nodejs.rz-bsd.my.corp/tsa/Root
Signature Algorithm: ecdsa-with-SHA256
30:66:02:31:00:83:ed:bd:6a:bf:0b:0b:a3:ce:b2:e1:f5:98:
53:44:c8:e6:23:a9:9b:a8:4c:14:1d:db:dd:4b:79:29:6a:66:
41:84:98:fe:9b:bd:b6:88:1c:b0:40:b2:94:77:a5:21:2f:02:
31:00:d3:8e:cc:86:02:0d:5a:62:e3:33:e6:b1:4d:d8:a6:07:
dd:2f:e0:95:18:bb:b3:fe:90:3e:bd:f7:b4:11:48:98:f4:3d:
c0:73:a6:fc:ea:cd:2d:1f:c4:9a:9e:15:62:ad
(venv) node@nodejs /u/h/node> keytool -import -alias tsa -file Root/tsa.crt.pem
Enter keystore password:
Owner: CN=TSA, OU=PKI Services, O=My.Corp, C=DE
Issuer: CN=Root, OU=PKI Services, O=My.Corp, C=DE
Serial number: c400919b2f59157c4a9d41db73a601c5d0d7360ec17ef917f7fe32d199bf9809
Valid from: Tue Aug 11 06:36:46 CEST 2020 until: Tue Aug 10 06:36:46 CEST 2027
Certificate fingerprints:
SHA1: 00:4E:12:E5:22:85:CB:8B:15:06:1F:0F:46:9A:68:FA:1F:F1:AA:A9
SHA256: A3:31:1B:64:DF:BE:97:38:9A:6E:DE:82:3B:D2:44:81:10:85:87:54:0C:E1:14:E1:48:85:58:30:D1:F1:B3:E9
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://nodejs.rz-bsd.my.corp/download/Root/2ee26c2d094ebd12366979664f4a9cac67864f15983aec0c4f4eb6f24d2d9812/ca.crt.cer
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BA 37 20 B9 65 35 01 C2 4B DB 0A DA 0A 90 07 76 .7 .e5..K......v
0010: 5E 23 39 3B 93 61 7C 03 34 EB B7 92 48 EF A1 FB ^#9;.a..4...H...
]
]
#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://nodejs.rz-bsd.my.corp/download/Root/2ee26c2d094ebd12366979664f4a9cac67864f15983aec0c4f4eb6f24d2d9812/crl.der]
]]
#5: ObjectId: 2.5.29.37 Criticality=true
ExtendedKeyUsages [
timeStamping
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Non_repudiation
]
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: nodejs.rz-bsd.my.corp
]
#8: ObjectId: 1.3.6.1.5.5.7.1.11 Criticality=false
SubjectInfoAccess [
[
accessMethod: timeStamping
accessLocation: URIName: http://nodejs.rz-bsd.my.corp/tsa/Root
]
]
#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 13 AE 20 FC F5 98 8C 7E 41 DB DB 91 23 1B 91 FD .. .....A...#...
0010: 59 E5 B5 9A F8 03 39 31 42 F1 6E C0 1A 0B 61 3D Y.....91B.n...a=
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Now trying to sign a JAR file using the TSA certificate:
(venv) node@nodejs /u/h/node> jarsigner -verbose:all -certs -tsacert tsa acme4j/jose4j/target/jose4j-0.7.3-SNAPSHOT.jar mykey
Enter Passphrase for keystore:
requesting a signature timestamp
TSA certificate: X.509, CN=TSA, OU=PKI Services, O=My.Corp, C=DE
[trusted certificate]
jarsigner: unable to sign jar: sun.security.pkcs.ParsingException: Unable to parse the encoded bytes
This command fails, although signing without a timestamp works fine. Tracing the HTTP timestamp request with tcpdump shows the following:
# tcpdump -i lo0 -XX port 1880
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
16:57:26.222415 IP6 localhost.18201 > localhost.1880: Flags [S], seq 170651008, win 65535, options [mss 16324,nop,wscale 6,sackOK,TS val 1473951903 ecr 0], length 0
0x0000: 1c00 0000 6003 a897 0028 0640 0000 0000 ....`....(.@....
0x0010: 0000 0000 0000 0000 0000 0001 0000 0000 ................
0x0020: 0000 0000 0000 0000 0000 0001 4719 0758 ............G..X
0x0030: 0a2b ed80 0000 0000 a002 ffff 0030 0000 .+...........0..
0x0040: 0204 3fc4 0103 0306 0402 080a 57da b89f ..?.........W...
0x0050: 0000 0000 ....
16:57:26.222440 IP6 localhost.1880 > localhost.18201: Flags [R.], seq 0, ack 170651009, win 0, length 0
0x0000: 1c00 0000 6000 0000 0014 0640 0000 0000 ....`......@....
0x0010: 0000 0000 0000 0000 0000 0001 0000 0000 ................
0x0020: 0000 0000 0000 0000 0000 0001 0758 4719 .............XG.
0x0030: 0000 0000 0a2b ed81 5014 0000 001c 0000 .....+..P.......
16:57:26.222523 IP localhost.52950 > localhost.1880: Flags [S], seq 1414298252, win 65535, options [mss 16344,nop,wscale 6,sackOK,TS val 3454229032 ecr 0], length 0
0x0000: 0200 0000 4500 003c 0000 4000 4006 0000 ....E..<..>
0x0010: 7f00 0001 7f00 0001 ced6 0758 544c 7a8c ...........XTLz.
0x0020: 0000 0000 a002 ffff fe30 0000 0204 3fd8 .........0....?.
0x0030: 0103 0306 0402 080a cde3 5a28 0000 0000 ..........Z(....
16:57:26.222539 IP localhost.1880 > localhost.52950: Flags [S.], se