How to generate and send a timestamp request for Authenticode

When code is signed with a digital certificate, the signature cannot be relied upon past the validity period of the certificate that was used, because you don’t know when the signature was applied. If you trusted it beyond that period, who knows: the certificate could have expired and the key been posted on a wall somewhere, which would mean anyone could have produced that signature.

To address this, the concept of time-stamping was added to Authenticode. You can time-stamp a signed file using the timestamp command in signtool. Here are some steps on how to go about doing that.

1. Create the file you will want to timestamp

To do this you will need to find a file on your computer that has an embedded Authenticode signature; on my system that’s skype.exe. You don’t want to be messing with its digital signature, so make a copy of it:

copy "c:\Program Files (x86)\Skype\Phone\Skype.exe" test.exe

2. Generate a timestamp request

signtool timestamp /t "http://timestamp.globalsign.com/scripts/timestamp.dll" test.exe

3. Verify the timestamp response

signtool verify /v /pa test.exe

This is going to give you some output that looks something like this:

Verifying: test.exe
SHA1 hash of file: 47BC1CD615A52EC31144E8F7A09924ED279C0953
Signing Certificate Chain:
Issued to: VeriSign Class 3 Public Primary Certification Authority - G5
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: 7/16/2036 4:59:59 PM
SHA1 hash: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5

Issued to: VeriSign Class 3 Code Signing 2010 CA
Issued by: VeriSign Class 3 Public Primary Certification Authority - G5
Expires: 2/7/2020 4:59:59 PM
SHA1 hash: 495847A93187CFB8C71F840CB7B41497AD95C64F

Issued to: Skype Technologies SA
Issued by: VeriSign Class 3 Code Signing 2010 CA
Expires: 8/19/2014 4:59:59 PM
SHA1 hash: FA16CD8165DEDF5A79984E7B301323C07C550801

The signature is timestamped: 9/16/2013 10:20:53 PM
Timestamp Verified by:
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Expires: 1/28/2028 5:00:00 AM
SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C

Issued to: GlobalSign Timestamping CA - G2
Issued by: GlobalSign Root CA
Expires: 1/28/2028 5:00:00 AM
SHA1 hash: C0E49D2D7D90A5CD427F02D9125694D5D6EC5B71

Issued to: GlobalSign TSA for MS Authenticode - G1
Issued by: GlobalSign Timestamping CA - G2
Expires: 9/22/2024 5:00:00 PM
SHA1 hash: 8CE69F5012E1D1A8FB395E2E31E2B42BDE3B343B

Successfully verified: test.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Hope this helps.

How to generate and send an RFC3161 timestamp with OpenSSL and curl

For me the blog is this odd mix of diary and technical notes; this time I guess the post is more of a technical note. Here is a quick guide on how to generate RFC 3161 time-stamps using OpenSSL and curl.

1. Create the file you will want to timestamp

copy con inputfile.txt
This is my test file.
^Z

2. Generate a timestamp request

openssl ts -query -data inputfile.txt -cert -sha256 -no_nonce -out request.tsq

3. Send the request to your timestamp server

curl -k -H "Content-Type: application/timestamp-query" -H Host:timestamp.globalsign.com --data-binary @request.tsq "http://timestamp.globalsign.com" >inputfile.txt.tsr

4. Verify the timestamp response

openssl ts -reply -in inputfile.txt.tsr -text

This is going to give you some output that looks something like this:

Using configuration from C:\OpenSSL-Win64\bin\openssl.cfg
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 1.3.6.1.4.1.4146.2.2
Hash Algorithm: sha256
Message data:
    0000 - 58 df 63 8c 5b bf ff ca-ad 13 c9 6e 93 96 cd 25   X.c.[......n...%
    0010 - 66 5e f1 eb ba 8e 7f 74-6d 65 04 3c 5d ea e4 35   f^.....tme.<]..5
Serial number: 0x2487F5EA8A5A085844ED68A8A7426E07E692E1BD
Time stamp: Sep 17 05:08:38 2013 GMT
Accuracy: unspecified
Ordering: no
Nonce: unspecified
TSA: DirName:/C=SG/O=GMO GlobalSign Pte Ltd/CN=GlobalSign TSA for Standard - G1
Extensions:

It’s that easy.
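
As an added example (not code from the original post), the Python sketch below builds the fields that step 2 places in the request: a version 1 TimeStampReq with a SHA-256 message imprint, the certReq flag that -cert sets, and the nonce that -no_nonce leaves out. It then checks the "Message data" dump printed in step 4 against the file's own hash. The function names and the sample input are assumptions made for illustration.

```python
import hashlib
import re
from typing import Optional

# DER bytes of OID 2.16.840.1.101.3.4.2.1 (SHA-256), tag and length included
SHA256_OID = bytes.fromhex("0609608648016503040201")

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def der_uint(value: int) -> bytes:
    """Non-negative INTEGER; the extra bit keeps the sign bit clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_query(data: bytes, cert_req: bool = True, nonce: Optional[int] = None) -> bytes:
    """RFC 3161 TimeStampReq: only the hash of the data is sent, never the data."""
    alg_id = der(0x30, SHA256_OID + b"\x05\x00")   # AlgorithmIdentifier, NULL parameters
    imprint = der(0x30, alg_id + der(0x04, hashlib.sha256(data).digest()))
    body = der_uint(1) + imprint
    if nonce is not None:      # without it, two requests for the same data are
        body += der_uint(nonce)  # identical and a reply cannot be tied to one of them
    if cert_req:               # asks the TSA to include its certificate in the reply
        body += der(0x01, b"\xff")
    return der(0x30, body)

def message_data(dump_lines) -> bytes:
    """Recover the bytes from the 'Message data' hex dump in the reply text."""
    out = b""
    for line in dump_lines:
        hex_part = line.split(" - ", 1)[1][:47]    # 16 bytes take 47 characters
        out += bytes.fromhex("".join(re.findall(r"[0-9a-f]{2}", hex_part)))
    return out

def reply_covers(data: bytes, dump_lines) -> bool:
    """True when the imprint in the reply is the SHA-256 of our data."""
    return message_data(dump_lines) == hashlib.sha256(data).digest()

# Constructed sample input, not the file used in the post
SAMPLE = b"constructed sample input\n"
QUERY = build_query(SAMPLE)
print(len(QUERY), QUERY.hex())
```

The -text output in step 4 only prints the response; checking the TSA's signature over it is the job of openssl ts -verify, given the TSA's CA certificates.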