
TimeStampResp error when policy is not supported #286

@ricardo-reis-1970

Description

Just to be sure, this is a question about asn1crypto, not openssl. I'm using asn1crypto 1.5.1 (latest).

Setup

I created a couple requests and replies with openssl:

openssl ts -query -data 10_Visuals.pdf -no_nonce -out req.tsq
openssl ts -reply -config x509.cnf -queryfile req.tsq -out req.tsr
openssl ts -query -data 10_Visuals.pdf -no_nonce -tspolicy 2.16.756.1.89 -out reqpol.tsq
openssl ts -reply -config x509.cnf -queryfile reqpol.tsq -out reqpol.tsr

The config file was this:

[ server ]
basicConstraints = CA:TRUE, pathlen:0
extendedKeyUsage = critical, timeStamping

[ tsa ]
default_tsa = tsa_config

[ tsa_config ]
dir              = .
serial           = $dir/serial
crypto_device    = builtin
signer_cert      = $dir/tsa.crt
signer_digest    = SHA256
signer_key       = $dir/tsa.key
default_policy   = 2.16.756.1.17
digests          = sha256
accuracy         = secs:1, millisecs:500, microsecs:100
ordering         = yes
tsa_name         = yes

And this is the file to be timestamped, just for good measure:
10_Visuals.pdf

Here are the openssl verifications:

$ openssl ts -verify -queryfile req.tsq -in req.tsr -CAfile ca.crt -untrusted tsa.crt
Using configuration from /etc/ssl/openssl.cnf
Verification: OK

$ openssl ts -verify -config x509.cnf -queryfile reqpol.tsq -in reqpol.tsr -CAfile ca.crt -untrusted tsa.crt
Using configuration from x509.cnf
Verification: FAILED
40C739B922740000:error:1780006B:time stamp routines:ts_check_status_info:no time stamp token:../crypto/ts/ts_rsp_verify.c:390:status code: rejection, status text: Requested policy is not supported., failure codes: unacceptedPolicy

So, the verification failed, but this is an operational error, not a bug. The response file reqpol.tsr is fully legitimate according to RFC3161.

asn1crypto

Now I had these 4 files and I loaded them with the appropriate loaders:

  • asn1crypto.tsp.TimeStampReq.load for the requests
  • asn1crypto.tsp.TimeStampResp.load for the replies

No errors were issued at this point.

I can get the native of the query:

# reqpol.tsq
>>> reqpoltsq.native
{
  'version': 'v1',
  'message_imprint': {
    'hash_algorithm': {
      'algorithm': 'sha256',
      'parameters': None,
    },
    'hashed_message': b"\xfc\xca\x01rs\xc3'\x9c9\x0cK\x84\x87C{\x15\nZIj\x06e\xe5\xb7B\xf1\x1b\x81\xeaT\x91\xe2",
  },
  'req_policy': '2.16.756.1.89',
  'nonce': None,
  'cert_req': False,
  'extensions': None,
}

However, when I try and visualize the failed response, I get an error:

# reqpol.tsr
>>> reqpoltsr.native
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 4053, in native
    self._parse_children(recurse=True)
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 3997, in _parse_children
    raise e
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 3985, in _parse_children
    raise ValueError(unwrap(
ValueError: Field "time_stamp_token" is missing from structure
    while parsing asn1crypto.tsp.TimeStampResp

I cannot even access its status field:

>>> reqpoltsr['status']
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 3516, in __getitem__
    self._parse_children()
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 3997, in _parse_children
    raise e
  File "/path/to/.venv/lib/python3.12/site-packages/asn1crypto/core.py", line 3985, in _parse_children
    raise ValueError(unwrap(
ValueError: Field "time_stamp_token" is missing from structure
    while parsing asn1crypto.tsp.TimeStampResp

So, I'm trying to access one field and it complains that the other field is missing.

I believe this should not happen, because RFC 3161 defines:

TimeStampResp ::= SEQUENCE {
  status                   PKIStatusInfo,
  timeStampToken           TimeStampToken      OPTIONAL  }

and further states:

When the TimeStampToken is not present, the failInfo indicates the
reason why the time-stamp request was rejected and may be one of the
following values.

So, an error condition is transmitted to the client as a legitimate response, but the client cannot read it, because the library is raising an exception.

Suggestion (almost a pull request...)

I believe that the issue lies in asn1crypto/tsp.py, lines 156-160:

class TimeStampResp(Sequence):
    _fields = [
        ('status', PKIStatusInfo),
        ('time_stamp_token', ContentInfo),
    ]

Particularly, line 159 should read:

        ('time_stamp_token', ContentInfo, {'optional': True}),

In fact, I introduced this change in tsp.py, and now I have:

>>> reqpoltsr['status']
<asn1crypto.tsp.PKIStatusInfo 131359013820016 b'0.\x02\x01\x020$\x0c"Requested policy is not supported.\x03\x03\x00\x00\x01'>
>>> reqpoltsr['time_stamp_token']
<asn1crypto.core.Void 131359040865872 b''>
>>> reqpoltsr.native
{
  'status': {
    'status': 'rejection',
    'status_string': [
      'Requested policy is not supported.',
    ],
    'fail_info': {
      'unaccepted_policy',
    },
  },
  'time_stamp_token': None,
}
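An added example, not asn1crypto's code nor the reporter's: a stdlib-only DER walk over the RFC 3161 TimeStampResp that treats timeStampToken as OPTIONAL, exactly the behaviour the one-line fix above asks for, so a rejection response still yields status, statusString and failInfo. The input is the PKIStatusInfo bytes printed above, wrapped in a constructed outer SEQUENCE with no token.

```python
# Added example, not asn1crypto's code: stdlib DER walk over an RFC 3161
# TimeStampResp, with timeStampToken treated as OPTIONAL as the issue proposes.
PKI_STATUS = {0: 'granted', 1: 'granted_with_mods', 2: 'rejection', 3: 'waiting',
              4: 'revocation_warning', 5: 'revocation_notification'}
FAIL_INFO_BITS = {0: 'bad_alg', 2: 'bad_request', 5: 'bad_data_format', 14: 'time_not_available',
                  15: 'unaccepted_policy', 16: 'unaccepted_extension', 17: 'add_info_not_available',
                  25: 'system_failure'}  # PKIFailureInfo bit positions, RFC 3161 section 2.4.2

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length

def bit_string_names(value, names):
    """Decode a named BIT STRING; the first octet is the unused-bit count."""
    unused, bits = value[0], value[1:]
    set_bits = [i for i in range(len(bits) * 8 - unused)
                if bits[i // 8] & (0x80 >> (i % 8))]
    return {names.get(i, 'bit_%d' % i) for i in set_bits}

def parse_time_stamp_resp(der):
    """Parse TimeStampResp; time_stamp_token is None when the TSA sent none."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, 'TimeStampResp must be a SEQUENCE'
    tag, status_info, pos = read_tlv(body, 0)
    assert tag == 0x30, 'PKIStatusInfo must be a SEQUENCE'
    # PKIStatusInfo ::= SEQUENCE { status, statusString OPTIONAL, failInfo OPTIONAL }
    _, status_val, p = read_tlv(status_info, 0)
    status = {'status': PKI_STATUS.get(int.from_bytes(status_val, 'big')),
              'status_string': [], 'fail_info': set()}
    while p < len(status_info):
        tag, val, p = read_tlv(status_info, p)
        if tag == 0x30:  # PKIFreeText ::= SEQUENCE OF UTF8String
            q = 0
            while q < len(val):
                _, text, q = read_tlv(val, q)
                status['status_string'].append(text.decode('utf-8'))
        elif tag == 0x03:  # PKIFailureInfo ::= BIT STRING
            status['fail_info'] = bit_string_names(val, FAIL_INFO_BITS)
    # timeStampToken is OPTIONAL: absent whenever the request was rejected.
    token = read_tlv(body, pos)[1] if pos < len(body) else None
    return {'status': status, 'time_stamp_token': token}

# Constructed input: the report's PKIStatusInfo bytes inside an outer TimeStampResp SEQUENCE, no token.
STATUS_INFO_DER = (b'0.\x02\x01\x020$\x0c"Requested policy is not supported.'
                   b'\x03\x03\x00\x00\x01')
REJECTION_RESP_DER = b'\x30' + bytes([len(STATUS_INFO_DER)]) + STATUS_INFO_DER
```

Running `parse_time_stamp_resp(REJECTION_RESP_DER)` returns the same native structure the patched asn1crypto produces above, with `'time_stamp_token': None`.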
