From dirkx at webweaving.org Thu Apr 2 16:53:07 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Thu, 2 Apr 2020 16:53:07 +0200
Subject: [rs-dev] Odd SignerInfo - timestamp server
Message-ID: <616A5BE4-37F8-46C0-9984-EBBDB0740A33@webweaving.org>

I am looking at a freshly signed timestamp from the interop timeserver (Link to decoded reply below)

Now at what I think is the

      SignerInfo ::= SEQUENCE {
        version CMSVersion,
        sid SignerIdentifier,
        digestAlgorithm DigestAlgorithmIdentifier,
        signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
        signatureAlgorithm SignatureAlgorithmIdentifier,
        signature SignatureValue,
        unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }

      SignerIdentifier ::= CHOICE {
        issuerAndSerialNumber IssuerAndSerialNumber,
        subjectKeyIdentifier [0] SubjectKeyIdentifier }

      SignedAttributes ::= SET SIZE (1..MAX) OF Attribute

      UnsignedAttributes ::= SET SIZE (1..MAX) OF Attribute

      Attribute ::= SEQUENCE {
        attrType OBJECT IDENTIFIER,
        attrValues SET OF AttributeValue }

      AttributeValue ::= ANY

      SignatureValue ::= OCTET STRING

blob - I think I am seeing:

      SET (1 elem)
        SEQUENCE (6 elem)
          INTEGER 1
          SEQUENCE (2 elem)
            SEQUENCE (2 elem)
              SET (1 elem)
                SEQUENCE (2 elem)
                  OBJECT IDENTIFIER 2.5.4.3 commonName (X.520 DN component)
                  PrintableString Redwax Interop Testing Root Certificate Authority 2040
              SET (1 elem)
                SEQUENCE (2 elem)
                  OBJECT IDENTIFIER 2.5.4.10 organizationName (X.520 DN component)
                  PrintableString Redwax Project
            INTEGER 5
          SEQUENCE (2 elem)
            OBJECT IDENTIFIER 2.16.840.1.101.3.4.2.1 sha-256 (NIST Algorithm)
            NULL
          [0] (4 elem)
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 1.2.840.113549.1.9.3 contentType (PKCS #9)
              SET (1 elem)
                OBJECT IDENTIFIER 1.2.840.113549.1.9.16.1.4 tSTInfo (S/MIME Content Types)
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 1.2.840.113549.1.9.5 signingTime (PKCS #9)
              SET (1 elem)
                UTCTime 2020-04-02 08:02:41 UTC
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 1.2.840.113549.1.9.16.2.12 signingCertificate (S/MIME Authenticated Attributes)
              SET (1 elem)
                SEQUENCE (1 elem)
                  SEQUENCE (1 elem)
                    SEQUENCE (1 elem)
                      OCTET STRING (20 byte) FF4237EAEDC05DA815C24DB853F0D2BFDA34DA5C
            SEQUENCE (2 elem)
              OBJECT IDENTIFIER 1.2.840.113549.1.9.4 messageDigest (PKCS #9)
              SET (1 elem)
                OCTET STRING (32 byte) A6AAF4C35258680982863FA0B1C703657FD8AFC8FE6959C92B4481A6E9106A21
          SEQUENCE (2 elem)
          OCTET STRING (512 byte) 8CC5BCA06CB6006DFF419537C6CB0D20D78DC15607782512D3EE7A8DDEA32D1BBE5E7?

So the sid (SignerIdentifier)

      sid specifies the signer's certificate (and thereby the signer's public key).

It is version 1; so there must be a choice issuerAndSerialNumber (https://tools.ietf.org/html/rfc5652#section-5.3 and it should contain:

      IssuerAndSerialNumber ::= SEQUENCE {
        issuer Name,
        serialNumber CertificateSerialNumber }

)

So in this case - the DN of the -root- CN=Redwax Interop Testing Root Certificate Authority 2040, O=Redwax Project (and not the working C=NL, ST=Zuid-Holland, L=Leiden, O=TimeServices, CN=Redwax Interop Test).

Now the odd thing - I had expected this to be the latter (CN=Redwax Interop Test) rather than the first.

Am I not understanding this ? Or is there something odd ?

Dw.

From dirkx at webweaving.org Fri Apr 3 20:26:24 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Fri, 3 Apr 2020 20:26:24 +0200
Subject: [rs-dev] Odd SignerInfo - timestamp server
In-Reply-To: <616A5BE4-37F8-46C0-9984-EBBDB0740A33@webweaving.org>
References: <616A5BE4-37F8-46C0-9984-EBBDB0740A33@webweaving.org>
Message-ID:

On 2 Apr 2020, at 16:53, Dirk-Willem van Gulik wrote:
>
> I am looking at a freshly signed timestamp from the interop timeserver (Link to decoded reply below)
> ...
> So in this case - the DN of the -root- CN=Redwax Interop Testing Root Certificate Authority 2040, O=Redwax Project (and not the working C=NL, ST=Zuid-Holland, L=Leiden, O=TimeServices, CN=Redwax Interop Test).
>
> Now the odd thing - I had expected this to be the latter (CN=Redwax Interop Test) rather than the first.

Regardless of what the spec says - a quick check on other servers shows that we're doing it 'right',

Dw.

From dirkx at webweaving.org Sat Apr 18 17:29:45 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sat, 18 Apr 2020 17:29:45 +0200
Subject: [rs-dev] Interop with Arduino / IoT firmware update signing
Message-ID: <3BBFDFAE-6CA0-4D76-A228-3F36E5E7FCFF@webweaving.org>

Some minor joy - got RedWax timestamp/sign interop server nicely compatible with IoT firmware updates for Arduino. And the lovely thing is that it requires very little change in the core infra tools of Arduino (ESP32, etc) and similar 'Over the Air' configs.

+ from pyasn1.codec.der import encoder + import rfc3161ng + + timestamper = rfc3161ng.RemoteTimestamper(tsurl,hashname='sha256',include_tsa_certificate=True) + tsr = timestamper(data=firmware, return_tsr=True) + + payload = encoder.encode(tsr) + firmware

Dw

[D][SecureUpdateProcessors.cpp:165] process_header(): Ignoring params: rfc3161=2315 payload=867232
[D][SecureUpdateProcessors.cpp:189] process_header(): RFC 3161 signed payload
[D][SecureUpdateProcessors.cpp:218] process_header(): Processing RFC 3161 signed payload
[D][SecureUpdateProcessors.cpp:233] process_header(): Processed RFC 3161 signed payload
[I][SecureUpdateProcessors.cpp:241] process_header(): Processing payload with SHA256 RFC3161 digest.
[D][SecureUpdateProcessors.cpp:252] process_header(): RFC3161 payload its signature verified (next; check signature, check playload).
[D][SecureUpdateProcessors.cpp:261] process_header(): Signatures in the trust chain:
[D][SecureUpdateProcessors.cpp:265] process_header(): - cert. version : 3
- serial number : 6F:11:B7:D8:55:D2:7D:9A:14:F3:B6:E9:15:2B:60:CA:8C:4B:E2:AA
- issuer name : CN=Redwax Interop Testing Root Certificate Authority 2040, O=Redwax Project
- subject name : CN=Redwax Interop Testing Root Certificate Authority 2040, O=Redwax Project
- issued on : 2020-02-11 16:38:56
- expires on : 2040-02-06 16:38:56
- signed using : RSA with SHA1
- RSA key size : 2048 bits
- basic constraints : CA=true
[D][SecureUpdateProcessors.cpp:268] process_header(): Signatures in the RFC3161 wrapper:
[D][SecureUpdateProcessors.cpp:272] process_header(): - cert. version : 3
- serial number : 05
- issuer name : CN=Redwax Interop Testing Root Certificate Authority 2040, O=Redwax Project
- subject name : C=NL, ST=Zuid-Holland, L=Leiden, O=TimeServices, CN=Redwax Interop Test
- issued on : 2020-02-15 20:51:52
- expires on : 2040-02-10 20:51:52
- signed using : RSA with SHA-256
- RSA key size : 4096 bits
- basic constraints : CA=false
- key usage : Digital Signature
- ext key usage : Time Stamping
[I][SecureUpdateProcessors.cpp:280] process_header(): RFC3161 payload its signature verified (next; check playload).
[D][SecureUpdateProcessors.cpp:290] process_header(): Commencing to payload.
[D][SecureUpdateProcessors.cpp:51] process_header(): Valid magic at start of flash header
[D][SecureUpdateProcessors.cpp:345] process_end(): Finalizing
[D][SecureUpdateProcessors.cpp:361] process_end(): Calculated SHA256 Digest 32:77a622f5e49a6e903818d100c59e9813f87e40d49e9aca634fdb354d8f93
[D][SecureUpdateProcessors.cpp:366] process_end(): Receveived SHA256 Digest 32:77a622f5e49a6e903818d100c59e9813f87e40d49e9aca634fdb354d8f93
[I][SecureUpdateProcessors.cpp:381] process_end(): Payload digest matches signed digest.
[D][SecureUpdater.cpp:400] end(): Reporting an OK back up the chain
[D][SecureArduinoOTA.cpp:558] _runUpdate(): OTA Outer Digest matched.
Firmware accepted; activating & rebooting

From dirkx at webweaving.org Tue Apr 21 17:11:44 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Tue, 21 Apr 2020 17:11:44 +0200
Subject: [rs-dev] Fwd: [openssl/openssl] Add a Setter for X509_REQ_get0_signature. (#10563)
References:
Message-ID: <88DA3934-D516-4BAD-BAD6-94A932B800F8@webweaving.org>

So soon we will no longer need the OpenSSL glue/fix logic for versions that are recent enough.

Dw.

> Begin forwarded message:
>
> From: Tomáš Mráz
> Subject: Re: [openssl/openssl] Add a Setter for X509_REQ_get0_signature. (#10563)
> Date: 21 April 2020 at 17:07:18 CEST
> To: openssl/openssl
> Cc: Dirk-Willem van Gulik, Mention
> Reply-To: openssl/openssl
>
>
> Merged to master as c72e593
>
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub, or unsubscribe.
>

From dirkx at webweaving.org Sun Apr 26 23:06:03 2020
From: dirkx at webweaving.org (Dirk-Willem van Gulik)
Date: Sun, 26 Apr 2020 23:06:03 +0200
Subject: [rs-dev] othername fix for openssl has gone into master as well
Message-ID:

The fix for othername has gone into master @ openssl as well. So that will make PeerList a lot more usable (which is nice - given the CovidApp its need in NL for proper privacy).

Dw
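
Review bot: in the `+` lines of the 18 April firmware-signing message, `tsr = timestamper(data=firmware, return_tsr=True)` takes the raw response and `payload = encoder.encode(tsr) + firmware` prepends it with no visible check of the response status or of whether its message imprint covers `firmware`, so a rejected or mismatched reply would only be caught on the device. Suggest checking the response on the signing side before building the payload, and passing a nonce with the request. The DER blob and the firmware are also joined without any length field in these lines; a comment saying where the receiver gets the boundary from (the log shows `rfc3161=2315 payload=867232` as params) would help.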
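
Added example for the SignerInfo question in the first thread (not code from the list posts or from Redwax): an issuerAndSerialNumber sid carries the DN of the issuer of the signer's certificate plus that certificate's serial number, so the root DN with serial 5 selects the time-stamping certificate. The helper names and the short-form-only encoder are assumptions; the DER is constructed from the names and serials shown in the messages, with subjects abbreviated to their CN.

```python
# Added example, not from the thread; the DER is constructed from its values.
def tlv(tag, body):
    """Encode a DER TLV; short-form lengths only (enough for this sample)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos and return (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long form: low 7 bits count length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def name(cn, o):
    """Name with CN and O RDNs as PrintableString, like the decoded reply."""
    def rdn(oid, text):
        return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, text.encode())))
    return tlv(0x30, rdn(b"\x55\x04\x03", cn) + rdn(b"\x55\x04\x0a", o))

def parse_sid(sid):
    """Split an IssuerAndSerialNumber into (issuer Name DER, serial)."""
    tag, body, _ = read_tlv(sid)
    if tag != 0x30:                   # e.g. [0] subjectKeyIdentifier
        raise ValueError("sid is not issuerAndSerialNumber")
    t1, _, end = read_tlv(body)
    t2, serial, _ = read_tlv(body, end)
    if (t1, t2) != (0x30, 0x02):
        raise ValueError("unexpected sid layout")
    return body[:end], int.from_bytes(serial, "big", signed=True)

def find_signer(sid, certs):
    """Return the subject of the one cert whose issuer and serial match."""
    issuer, serial = parse_sid(sid)
    # Byte-exact Name compare is a simplification of RFC 5280 name matching.
    hits = [subj for iss, ser, subj in certs if (iss, ser) == (issuer, serial)]
    return hits[0] if len(hits) == 1 else None

ROOT = name("Redwax Interop Testing Root Certificate Authority 2040",
            "Redwax Project")
SID = tlv(0x30, ROOT + tlv(0x02, b"\x05"))   # issuer = root DN, serial = 5
CERTS = [  # (issuer Name DER, serial, subject) per the firmware-update log
    (ROOT, 0x6F11B7D855D27D9A14F3B6E9152B60CA8C4BE2AA,
     "CN=Redwax Interop Testing Root Certificate Authority 2040"),
    (ROOT, 5, "CN=Redwax Interop Test"),
]
print(find_signer(SID, CERTS))
```

The self-signed root shares the same issuer DN, which is why the serial number is needed to tell the two certificates apart.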