openssl/openssl

openssl tsa fails to verify time stamps signed with ML-DSA from BC

Open

#28 774 ouverte le 7 oct. 2025

Voir sur GitHub
 (1 commentaire) (0 réactions) (0 assignés)C (11 262 forks)batch import
branch: masterhelp wantedtriaged: feature

Métriques du dépôt

Stars
 (30 157 stars)
Métriques de merge PR
 (Aucune PR mergée en 30 j)

Description

I created a small Java test that creates certificates, CMS messages and time stamps using Bouncy Castle 1.81 for verification with openssl. All works except the time stamp responses.

Tested on "OpenSSL 3.5.2 5 Aug 2025" from Ubuntu 25.10 Beta as well as git master as of October 7, 23:00 CET.

Attached the artifacts created with BC as well as the Java test case (just for reference).

apps/openssl ts -verify -in tsa-resp.der -data tsa-msg.txt -CAfile RootCA-cert.pem -text
Using configuration from /usr/local/ssl/openssl.cnf
Verification: FAILED
40379CEA5C740000:error:1780006D:time stamp routines:TS_RESP_verify_signature:signature failure:crypto/ts/ts_rsp_verify.c:148:

I sometimes got more error output, stating ML-DSA-44 not supported (don't remember how this is more verbose than the above)

apps/openssl ts -verify -in tsa-resp.der -data tsa-msg.txt -CAfile RootCA-cert.pem -text
Using configuration from /usr/local/ssl/openssl.cnf
Verification: FAILED
40E7D64783780000:error:030000ED:digital envelope routines:evp_pkey_signature_init:provider signature not supported:crypto/evp/signature.c:817:ML-DSA-44 verify_init:
40E7D64783780000:error:10800069:PKCS7 routines:PKCS7_signatureVerify:signature failure:crypto/pkcs7/pk7_doit.c:1178:
40E7D64783780000:error:1780006D:time stamp routines:TS_RESP_verify_signature:signature failure:crypto/ts/ts_rsp_verify.c:148:

A timestamp with EC works perfect (updated artifacts with the EC TSA response).

apps/openssl ts -verify -in tsa-ec-resp.der -data tsa-msg.txt -CAfile RootCA-cert.pem 
Using configuration from /usr/local/ssl/openssl.cnf
Verification: OK

Also cms verification works great.

apps/openssl cms -verify -in cms-withattr-sha.pem -CAfile RootCA-cert.pem --inform PEM
CMS Verification successful
signedMessage

The zip file contains all the artifacts so anyone can run the verification.

BcCmsTsaTest.java

bc-artifacts.zip

Guide contributeur