Question

Good day,

Can someone please help me using the Crypto API function, CryptRetrieveTimeStamp? I successfully use CryptSignMessage to sign my message and now I want to timestamp the data at a TSA, but CryptRetrieveTimeStamp always returns the *TRUST_E_TIME_STAMP* error.

My function looks as follows, pbMessage and cbMessage are the data and size received from CryptSignMessage:

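```cpp
PCRYPT_TIMESTAMP_CONTEXT tcontext = NULL;
HCERTSTORE hStore = NULL;

fReturn = CryptRetrieveTimeStamp(widestr.c_str(),  // wszUrl: TSA URL
       TIMESTAMP_NO_AUTH_RETRIEVAL,                // dwRetrievalFlags
       0,                                          // dwTimeout
       szOID_RSA_MD5,                              // pszHashId
       NULL,                                       // pPara
       (const BYTE*)pbMessage,                     // pbData
       cbMessage,                                  // cbData
       &tcontext,                                  // ppTsContext
       NULL,                                       // ppTsSigner
       &hStore);                                   // phStore
```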

I know the error means: The time stamp signer and/or certificate could not be verified or is malformed. But I have no idea how to solve this error.

Any help/hints would be appreciated. Thanks, Magda

Solution

Viewing the request/response through Wireshark gave better insight into the problem.

The TSA is a valid TSA, but the encoding was wrong. Changing *szOID_RSA_MD5* to *szOID_NIST_sha256* solved my problem.
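An added example, not code from the original post: a small parser for the RFC 3161 TimeStampReq that the answer above describes inspecting in a capture, reporting which hash OID the request carries and whether the digest length matches it. The allow/deny table and the two sample requests (with filler digests) are constructed assumptions of this example.

```python
# Hash OID -> (name, digest bytes, allowed). The allow/deny split is this
# example's assumption, not a published TSA policy.
HASHES = {"1.2.840.113549.2.5": ("md5", 16, False),        # szOID_RSA_MD5
          "1.3.14.3.2.26": ("sha1", 20, False),
          "2.16.840.1.101.3.4.2.1": ("sha256", 32, True)}  # szOID_NIST_sha256

def read(buf, pos, want):
    """Return (body, next_pos) of the DER element at pos, checking its tag."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag 0x{want:02x} at offset {pos}")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + n], pos + n

def dec_oid(body):
    """Decode DER OID content bytes into dotted notation."""
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def inspect_request(der):
    """Extract messageImprint from an RFC 3161 TimeStampReq and judge it."""
    req, _ = read(der, 0, 0x30)               # TimeStampReq SEQUENCE
    _, pos = read(req, 0, 0x02)               # version INTEGER
    imprint, _ = read(req, pos, 0x30)         # MessageImprint SEQUENCE
    alg, pos = read(imprint, 0, 0x30)         # AlgorithmIdentifier
    oid = dec_oid(read(alg, 0, 0x06)[0])
    digest, _ = read(imprint, pos, 0x04)      # hashedMessage OCTET STRING
    name, size, allowed = HASHES.get(oid, ("unknown", None, False))
    return {"oid": oid, "hash": name, "length_ok": size == len(digest),
            "allowed": allowed}

# Constructed requests (filler digests), as they would appear in a capture.
MD5_REQ = bytes.fromhex("30280201013020300c06082a864886f70d02050500"
                        "0410" + "11" * 16 + "0101ff")
SHA256_REQ = bytes.fromhex("30390201013031300d0609608648016503040201"
                           "05000420" + "22" * 32 + "0101ff")

if __name__ == "__main__":
    for req in (MD5_REQ, SHA256_REQ):
        print(inspect_request(req))
```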

OTHER TIPS

MSDN -

The CryptRetrieveTimeStamp function encodes a time stamp request and retrieves the time stamp token from a location specified by a URL to a Time Stamping Authority (TSA).

Most likely you didn't provide a valid TSA in the first parameter, which is -

wszUrl [in]

A pointer to a null-terminated wide character string that contains the URL of the TSA to which to send the request.

Edit - The suggested solution is to change the time stamping authority.

The problem with the timestamp retrieval is that it is not compatible with OpenSSL... Not related to your question though.

Licensed under: CC-BY-SA with attribution