RFC 3161 timestamping fails #27351
Comments
Building corefx locally and debugging through the because the expected signed attributes are missing: SigningCertificate and/or SigningCertificateV2. So it looks like what I am missing is how to fill in this blank:

// Exercise left to the reader
// signer.SignedAttributes.Add(BuildSigningCertificateV2Attribute(certificate));

And here I seem to run into a wall: the seemingly-relevant structs/classes to build these attributes are all internal, including The only example I could find builds them from hard-coded byte arrays, in the test code, here: Is there a higher-level API available (or planned to be exposed) that allows building the
Not presently, no. The API was designed to read/verify/process timestamps, building timestamps is mainly expected to be done by trusted timestamping authorities. (Though test scenarios certainly do exist.) The linked test code there builds a valid SigningCertificate (v1) attribute. Slightly lower is code to build a V2 attribute, though it's certainly a lot trickier.

Thank you @bartonjs, that's understandable given that 99% of scenarios would be covered by reading them. I'll see what I can piece together from this point on. It would be really helpful if at least Using

Making AsnReader/AsnWriter public is on my TODO list, though not with a specific timeline. We've probably stopped changing it enough that it's almost time to go forward. AsnSerializer has a lot of value, but a lot of cost, too. We've just removed the last usage of it in .NET Core, using generated code instead (solves some perf problems, some reflection/runtime problems, and some debuggability problems). It probably won't survive to be public.

@bartonjs sounds good, looking forward to that (you're likely referring to https://github.com/dotnet/corefx/issues/21833).
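Added example, not code from corefx or from anyone in this thread: one way to fill in the `BuildSigningCertificateV2Attribute` blank quoted above, assuming .NET 5 or later (where `AsnWriter`/`AsnReader` are public in `System.Formats.Asn1`) and the `System.Security.Cryptography.Pkcs` package. The `EssAttributes` class, the `Matches` helper and the self-signed certificate are hypothetical names and constructed test data.

```csharp
// Added example (not corefx code); assumes .NET 5+ and the System.Security.Cryptography.Pkcs package.
using System;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;

static class EssAttributes
{
    const string SigningCertificateV2Oid = "1.2.840.113549.1.9.16.2.47"; // id-aa-signingCertificateV2
    // SigningCertificateV2 ::= SEQUENCE { certs SEQUENCE OF ESSCertIDv2, policies OPTIONAL }
    // ESSCertIDv2 ::= SEQUENCE { hashAlgorithm DEFAULT sha256, certHash, issuerSerial OPTIONAL }
    public static AsnEncodedData BuildSigningCertificateV2Attribute(X509Certificate2 certificate)
    {
        var writer = new AsnWriter(AsnEncodingRules.DER);
        using (writer.PushSequence())   // SigningCertificateV2
        using (writer.PushSequence())   // certs
        using (writer.PushSequence())   // ESSCertIDv2
        {
            // DER omits a field equal to its DEFAULT, so hashAlgorithm (SHA-256) is not written.
            writer.WriteOctetString(SHA256.HashData(certificate.RawData));
        }
        return new AsnEncodedData(new Oid(SigningCertificateV2Oid), writer.Encode());
    }

    // Hypothetical helper: does the first ESSCertIDv2 bind this certificate? (default SHA-256 form only)
    public static bool Matches(AsnEncodedData attribute, X509Certificate2 certificate)
    {
        var reader = new AsnReader(attribute.RawData, AsnEncodingRules.DER);
        AsnReader essCertId = reader.ReadSequence().ReadSequence().ReadSequence();
        if (!essCertId.PeekTag().HasSameClassAndValue(Asn1Tag.PrimitiveOctetString))
            return false; // explicit hashAlgorithm present; not handled here
        return CryptographicOperations.FixedTimeEquals(
            essCertId.ReadOctetString(), SHA256.HashData(certificate.RawData));
    }

    static void Main()
    {
        // Constructed throwaway certificate standing in for the timestamping certificate.
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest(
            "CN=Constructed TSA", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
        var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, cert);
        AsnEncodedData attribute = BuildSigningCertificateV2Attribute(cert);
        signer.SignedAttributes.Add(attribute);
        Console.WriteLine(Matches(attribute, cert));
    }
}
```

The optional `issuerSerial` field is left out here; a verifier that requires it would need the issuer name and serial number encoded after `certHash`.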
I'm using @bartonjs's example, An overly simplistic timestamp issuance authority at https://github.com/dotnet/corefx/issues/24524#issuecomment-361337499 to timestamp a request generated by signtool timestamp, and having trouble getting it to work. Here is what I did.

One-time certificate setup

Run this PowerShell script to generate a root CA and a timestamping certificate:

The output should be similar to:

Note/copy the timestamping certificate thumbprint (i.e. 3877B460311CC3F281B037198493518AF14C62B5).

Open certmgr.msc, Cut the _TestCA certificate from Personal, and Paste it to Trusted Root Certification Authorities.

In a command prompt, run:

Replace Program.cs with:

Replace the certificate thumbprint with the value obtained in the One-time certificate setup step.

dotnet run fails with:

at:

Replace line 60 with:

dotnet run now fails with:

I'm very likely missing out some subtle detail, I just can't figure out what it is. Or perhaps it's an actual bug. I would appreciate feedback in either case 😃