uts-server does not respect digest algorithm #18

@gnugnug

First of all thank you for wrapping the OpenSSL calls in a webserver interface, very useful!

Problem: Regardless of which digest algorithm is specified in the timestamp request, uts-server always applies the same digest algorithm to the timestamp response. Example:
signtool sign /sha1 <CodeSignCert> /fd sha512 /tr http://uts-server /td sha512 file.exe

Expected result: The code signature as well as the timestamp both use SHA512.
Actual behaviour: While the code signature is using SHA512, the timestamp is applied with a SHA256 digest. Changing the /td in the example parameter to any other value has no effect, uts-server always uses SHA256.

It seems that the code to select the digest algorithm is commented out in src/lib/rfc3161.c line 154+, but I don't know enough about the timestamp query structure to know how to extract this value.
Using TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx) I can set the digest algorithm to something other than sha256 via the uts-server configuration file (e.g. signer_digest = sha512), but then the algorithm is just hardcoded to something else and still not picked up from the request.
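As an added illustration (not code from uts-server or from the reporter), the Python below builds an RFC 3161 TimeStampReq with a chosen digest and then reads the messageImprint.hashAlgorithm OID back out of the DER. That field is what a TSA has to inspect to honour the digest the client asked for, and it is the part of the query structure the report says is unclear. The minimal DER codec, the sample data and the nonce value are constructed for this example; the OIDs are the standard ones for SHA-1 and the SHA-2 family.

```python
"""Build and inspect RFC 3161 TimeStampReq messages to show where the
requested digest algorithm lives.  Constructed example with a tiny DER
codec; this is not uts-server code.

TimeStampReq ::= SEQUENCE {
    version        INTEGER { v1(1) },
    messageImprint MessageImprint,   -- SEQUENCE { hashAlgorithm, hashedMessage }
    reqPolicy      OBJECT IDENTIFIER OPTIONAL,
    nonce          INTEGER OPTIONAL,
    certReq        BOOLEAN DEFAULT FALSE,
    extensions     [0] IMPLICIT Extensions OPTIONAL }
"""
import hashlib

# Standard digest OIDs as they appear in the AlgorithmIdentifier of a request.
DIGEST_OIDS = {
    "sha1":   "1.3.14.3.2.26",
    "sha256": "2.16.840.1.101.3.4.2.1",
    "sha384": "2.16.840.1.101.3.4.2.2",
    "sha512": "2.16.840.1.101.3.4.2.3",
}
OID_TO_DIGEST = {v: k for k, v in DIGEST_OIDS.items()}


def _len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_timestamp_req(data, digest="sha256", nonce=None, cert_req=True):
    """Return a DER TimeStampReq whose messageImprint uses `digest` over `data`."""
    hashed = hashlib.new(digest, data).digest()
    # AlgorithmIdentifier with explicit NULL parameters, as OpenSSL emits it.
    alg = _tlv(0x30, _oid(DIGEST_OIDS[digest]) + b"\x05\x00")
    imprint = _tlv(0x30, alg + _tlv(0x04, hashed))
    body = _tlv(0x02, b"\x01") + imprint               # version 1
    if nonce is not None:
        # One extra bit of headroom keeps the INTEGER non-negative in DER.
        body += _tlv(0x02, nonce.to_bytes((nonce.bit_length() + 8) // 8, "big"))
    if cert_req:
        body += _tlv(0x01, b"\xff")                    # certReq TRUE
    return _tlv(0x30, body)


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) at `pos`."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    first = body[0]
    parts, val = [first // 40, first % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def request_digest(req_der):
    """Return (digest name, hashedMessage bytes) from a DER TimeStampReq.

    Raises ValueError when the hash length does not fit the declared OID,
    which is the cheap sanity check a TSA should do before answering.
    """
    tag, body, _ = _read_tlv(req_der, 0)
    if tag != 0x30:
        raise ValueError("TimeStampReq must be a SEQUENCE")
    _, version, pos = _read_tlv(body, 0)              # version
    if version != b"\x01":
        raise ValueError("only TimeStampReq version 1 is defined")
    tag, imprint, _ = _read_tlv(body, pos)            # messageImprint
    tag_a, alg, pos = _read_tlv(imprint, 0)           # hashAlgorithm
    tag_o, oid_body, _ = _read_tlv(alg, 0)            # OBJECT IDENTIFIER
    tag_h, hashed, _ = _read_tlv(imprint, pos)        # hashedMessage
    if (tag, tag_a, tag_o, tag_h) != (0x30, 0x30, 0x06, 0x04):
        raise ValueError("unexpected tag layout in messageImprint")
    name = OID_TO_DIGEST.get(_decode_oid(oid_body), _decode_oid(oid_body))
    if name in DIGEST_OIDS and len(hashed) != hashlib.new(name).digest_size:
        raise ValueError(f"hashedMessage is {len(hashed)} bytes, not a {name} digest")
    return name, hashed


if __name__ == "__main__":
    sample = b"constructed sample file contents"    # stands in for file.exe
    for d in ("sha1", "sha256", "sha512"):
        req = build_timestamp_req(sample, digest=d, nonce=0x1234)
        print(f"request built with {d:6} -> parsed as {request_digest(req)[0]}")
```

The same field can be read from a captured query with `openssl ts -query -in req.tsq -text`, which prints it as the Hash Algorithm line. Two digests are in play in RFC 3161: the messageImprint algorithm carried in the request, which the TSA must copy unchanged into the TSTInfo of its response, and the digest used for the CMS signature over the TSTInfo (OpenSSL's signer_digest setting), which the request does not select.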
