
If I have a Timestamp token, then the signing certificate for the token is identified via the ESSCertID (for RFC3161 tokens) or the ESSCertIDv2 (for RFC5816) of the signing certificate, which is the SHA-1 (in the case of ESSCertID) or some other hash (in the case of ESSCertIDv2) of the DER encoding of the signing certificate.

Here's the CMS structure of an RFC3161 token:

$ openssl cms -inform DER -in token_nocerts.tst -cmsout -print
CMS_ContentInfo:
  contentType: pkcs7-signedData (1.2.840.113549.1.7.2)
  d.signedData:
    version: 3
    digestAlgorithms:
        algorithm: sha512 (2.16.840.1.101.3.4.2.3)
        parameter: NULL
    encapContentInfo:
      eContentType: id-smime-ct-TSTInfo (1.2.840.113549.1.9.16.1.4)
      eContent:
        0000 - 30 82 01 75 02 01 01 06-04 2a 03 04 01 30 31   0..u.....*...01
        000f - 30 0d 06 09 60 86 48 01-65 03 04 02 01 05 00   0...`.H.e......
        001e - 04 20 89 9b a3 d9 f7 77-e2 a7 4b dd 34 30 2b   . .....w..K.40+
        002d - c0 6c b3 f7 a4 6a c1 f5-65 ee 12 8f 79 fd 5d   .l...j..e...y.]
        003c - ab 99 d6 8b 02 03 2d 19-84 18 0f 32 30 32 31   ......-....2021
        004b - 30 32 30 34 31 34 33 30-35 36 5a 01 01 ff 02   0204143056Z....
        005a - 09 00 83 16 8e 99 d6 23-2e fc a0 82 01 11 a4   .......#.......
        0069 - 82 01 0d 30 82 01 09 31-11 30 0f 06 03 55 04   ...0...1.0...U.
        0078 - 0a 13 08 46 72 65 65 20-54 53 41 31 0c 30 0a   ...Free TSA1.0.
        0087 - 06 03 55 04 0b 13 03 54-53 41 31 76 30 74 06   ..U....TSA1v0t.
        0096 - 03 55 04 0d 13 6d 54 68-69 73 20 63 65 72 74   .U...mThis cert
        00a5 - 69 66 69 63 61 74 65 20-64 69 67 69 74 61 6c   ificate digital
        00b4 - 6c 79 20 73 69 67 6e 73-20 64 6f 63 75 6d 65   ly signs docume
        00c3 - 6e 74 73 20 61 6e 64 20-74 69 6d 65 20 73 74   nts and time st
        00d2 - 61 6d 70 20 72 65 71 75-65 73 74 73 20 6d 61   amp requests ma
        00e1 - 64 65 20 75 73 69 6e 67-20 74 68 65 20 66 72   de using the fr
        00f0 - 65 65 74 73 61 2e 6f 72-67 20 6f 6e 6c 69 6e   eetsa.org onlin
        00ff - 65 20 73 65 72 76 69 63-65 73 31 18 30 16 06   e services1.0..
        010e - 03 55 04 03 13 0f 77 77-77 2e 66 72 65 65 74   .U....www.freet
        011d - 73 61 2e 6f 72 67 31 22-30 20 06 09 2a 86 48   sa.org1"0 ..*.H
        012c - 86 f7 0d 01 09 01 16 13-62 75 73 69 6c 65 7a   ........busilez
        013b - 61 73 40 67 6d 61 69 6c-2e 63 6f 6d 31 12 30   as@gmail.com1.0
        014a - 10 06 03 55 04 07 13 09-57 75 65 72 7a 62 75   ...U....Wuerzbu
        0159 - 72 67 31 0b 30 09 06 03-55 04 06 13 02 44 45   rg1.0...U....DE
        0168 - 31 0f 30 0d 06 03 55 04-08 13 06 42 61 79 65   1.0...U....Baye
        0177 - 72 6e                                          rn
    certificates:
      <ABSENT>
    crls:
      <ABSENT>
    signerInfos:
        version: 1
        d.issuerAndSerialNumber:
          issuer: O=Free TSA, OU=Root CA, CN=www.freetsa.org/emailAddress=busilezas@gmail.com, L=Wuerzburg, ST=Bayern, C=DE
          serialNumber: 13972846748170250626
        digestAlgorithm:
          algorithm: sha512 (2.16.840.1.101.3.4.2.3)
          parameter: NULL
        signedAttrs:
            object: contentType (1.2.840.113549.1.9.3)
            set:
              OBJECT:id-smime-ct-TSTInfo (1.2.840.113549.1.9.16.1.4)

            object: signingTime (1.2.840.113549.1.9.5)
            set:
              UTCTIME:Feb  4 14:30:56 2021 GMT

            object: id-smime-aa-signingCertificate (1.2.840.113549.1.9.16.2.12)
            set:
              SEQUENCE:
    0:d=0  hl=2 l=  26 cons: SEQUENCE
    2:d=1  hl=2 l=  24 cons:  SEQUENCE
    4:d=2  hl=2 l=  22 cons:   SEQUENCE
    6:d=3  hl=2 l=  20 prim:    OCTET STRING      [HEX DUMP]:916DA3D860ECCA82E34BC59D1793E7E968875F14

            object: messageDigest (1.2.840.113549.1.9.4)
            set:
              OCTET STRING:
                0000 - 4d b9 02 47 cb 66 6e 37-48 c7 56 04 1a   M..G.fn7H.V..
                000d - 77 45 23 95 72 1d 1d e8-62 3e 7b 68 9d   wE#.r...b>{h.
                001a - 58 43 88 64 a7 b3 1b be-bd 56 8e 58 8d   XC.d.....V.X.
                0027 - 8d 12 fe 11 dc 68 89 a5-56 aa bd 00 df   .....h..V....
                0034 - e4 8d f6 3b d8 8e 7d 78-c7 d2 42 a4      ...;..}x..B.
        signatureAlgorithm:
          algorithm: rsaEncryption (1.2.840.113549.1.1.1)
          parameter: NULL
        signature:
          0000 - 62 39 1e b9 0e e3 ab 74-fa 90 46 bd d6 78 bc   b9.....t..F..x.
          000f - 2e d6 a4 3a 7b f4 0e 45-11 ba 16 c0 48 46 5a   ...:{..E....HFZ
          001e - 52 87 c5 3c 9d ae c7 1d-83 dc c8 03 8f 2e 70   R..<..........p
          002d - 2c 4e 1f 6a 4e 5e 64 b7-5d 56 5e cb c9 6f af   ,N.jN^d.]V^..o.
          003c - 17 3d f4 2f c9 a5 b9 5c-d4 a1 03 1f 43 8f a3   .=./...\....C..
          004b - 46 13 62 df 4d f6 cc 48-ad 2c c3 43 85 5e 8c   F.b.M..H.,.C.^.
          005a - 5b da a8 97 8d 3a 06 28-72 56 f3 38 e3 06 ad   [....:.(rV.8...
          0069 - ca 80 28 28 73 3f 9a 6f-ed ba b9 ac ed f4 6f   ..((s?.o......o
          0078 - 69 9e 91 d4 d2 4d 6b 1f-98 53 16 66 d7 50 62   i....Mk..S.f.Pb
          0087 - 96 61 9f 0f f6 bd 94 19-d6 04 c5 7e f9 3c 89   .a.........~.<.
          0096 - 5a 8a d1 a1 05 72 4e 6f-9c 8a a5 ef 6b 36 8d   Z....rNo....k6.
          00a5 - e5 ee 8a e9 11 8b 1c 70-42 c7 32 6d 27 42 fb   .......pB.2m'B.
          00b4 - 99 71 25 ae 66 67 48 58-10 df 4a db 08 08 ea   .q%.fgHX..J....
          00c3 - b1 a0 d5 ca 22 4b 46 ad-12 fd a1 72 91 c4 8b   ...."KF....r...
          00d2 - 21 d2 ff d8 b3 13 7f f8-31 9c 42 f6 b4 ea b1   !.......1.B....
          00e1 - 15 21 8a ed e0 b9 6a 3c-0d 88 03 aa 4a ca f2   .!....j<....J..
          00f0 - 13 59 54 99 0b 19 70 4f-91 0a 7e f7 17 92 70   .YT...pO..~...p
          00ff - dd 0f 54 cc 1e e7 7b 42-d2 fa c2 53 3a 45 5a   ..T...{B...S:EZ
          010e - 45 09 c3 7b b5 34 6d 0b-40 82 72 45 4d eb 60   E..{.4m.@.rEM.`
          011d - 00 57 c8 46 77 23 5b 1c-c0 ff 6b 01 5c 0e 2f   .W.Fw#[...k.\./
          012c - fb 87 b3 e6 42 e5 1b 1d-25 6c c5 43 c4 af b8   ....B...%l.C...
          013b - 9b 51 74 f2 c9 85 d2 54-52 ca b6 4e ac a1 83   .Qt....TR..N...
          014a - 28 80 99 11 d5 ed a0 82-ad cc df 7d 18 a4 2c   (..........}..,
          0159 - 05 79 c0 f9 be 7c 52 1e-33 84 0c a5 ae b4 4e   .y...|R.3.....N
          0168 - 6d 08 ee 68 13 44 35 15-5f e1 3d e5 72 36 72   m..h.D5._.=.r6r
          0177 - 05 8e 4c 4d 7f 0d ce 32-23 5c 16 bc 73 99 e6   ..LM...2#\..s..
          0186 - 68 ea c5 19 e7 4d d7 0f-22 d5 1c 61 ac a8 cf   h....M.."..a...
          0195 - b6 70 49 79 3c 22 1a 90-96 cd 3b fb 11 bb 56   .pIy<"....;...V
          01a4 - 4f 2a 41 a7 5d 61 f4 81-6a 1c ce 2d f9 0c bb   O*A.]a..j..-...
          01b3 - 91 80 7a 9d 9c 61 37 81-e1 77 20 d3 06 56 be   ..z..a7..w ..V.
          01c2 - f3 df 1c 74 47 ee ab 81-7a 03 80 96 95 a0 93   ...tG...z......
          01d1 - 4b f4 e6 b9 a2 f4 8b 2f-25 80 2f c9 b5 a3 99   K....../%./....
          01e0 - 34 e0 ab 8e 2b fb e3 ce-26 91 0a b3 6d af 18   4...+...&...m..
          01ef - 5a d7 a8 7c 3e c6 1c 17-0d e8 30 da df f2 5d   Z..|>.....0...]
          01fe - 51 3b                                          Q;
        unsignedAttrs:
          <ABSENT>

Looking at the ASN.1 sequence of the token:

$ openssl asn1parse -inform DER -in token_nocerts.tst -i
    0:d=0  hl=4 l=1351 cons: SEQUENCE
    4:d=1  hl=2 l=   9 prim:  OBJECT            :pkcs7-signedData
   15:d=1  hl=4 l=1336 cons:  cont [ 0 ]
   19:d=2  hl=4 l=1332 cons:   SEQUENCE
   23:d=3  hl=2 l=   1 prim:    INTEGER           :03
   26:d=3  hl=2 l=  15 cons:    SET
   28:d=4  hl=2 l=  13 cons:     SEQUENCE
   30:d=5  hl=2 l=   9 prim:      OBJECT            :sha512
   41:d=5  hl=2 l=   0 prim:      NULL
   43:d=3  hl=4 l= 398 cons:    SEQUENCE
   47:d=4  hl=2 l=  11 prim:     OBJECT            :id-smime-ct-TSTInfo
   60:d=4  hl=4 l= 381 cons:     cont [ 0 ]
   64:d=5  hl=4 l= 377 prim:      OCTET STRING      [HEX DUMP]:3082017502010106042A0304013031300D060960864801650304020105000420899BA3D9F777E2A74BDD34302BC06CB3F7A46AC1F565EE128F79FD5DAB99D68B02032D1984180F32303231303230343134333035365A0101FF02090083168E99D6232EFCA0820111A482010D308201093111300F060355040A13084672656520545341310C300A060355040B130354534131763074060355040D136D54686973206365727469666963617465206469676974616C6C79207369676E7320646F63756D656E747320616E642074696D65207374616D70207265717565737473206D616465207573696E672074686520667265657473612E6F7267206F6E6C696E65207365727669636573311830160603550403130F7777772E667265657473612E6F72673122302006092A864886F70D0109011613627573696C657A617340676D61696C2E636F6D3112301006035504071309577565727A62757267310B3009060355040613024445310F300D0603550408130642617965726E
  445:d=3  hl=4 l= 906 cons:    SET
  449:d=4  hl=4 l= 902 cons:     SEQUENCE
  453:d=5  hl=2 l=   1 prim:      INTEGER           :01
  456:d=5  hl=3 l= 163 cons:      SEQUENCE
  459:d=6  hl=3 l= 149 cons:       SEQUENCE
  462:d=7  hl=2 l=  17 cons:        SET
  464:d=8  hl=2 l=  15 cons:         SEQUENCE
  466:d=9  hl=2 l=   3 prim:          OBJECT            :organizationName
  471:d=9  hl=2 l=   8 prim:          PRINTABLESTRING   :Free TSA
  481:d=7  hl=2 l=  16 cons:        SET
  483:d=8  hl=2 l=  14 cons:         SEQUENCE
  485:d=9  hl=2 l=   3 prim:          OBJECT            :organizationalUnitName
  490:d=9  hl=2 l=   7 prim:          PRINTABLESTRING   :Root CA
  499:d=7  hl=2 l=  24 cons:        SET
  501:d=8  hl=2 l=  22 cons:         SEQUENCE
  503:d=9  hl=2 l=   3 prim:          OBJECT            :commonName
  508:d=9  hl=2 l=  15 prim:          PRINTABLESTRING   :www.freetsa.org
  525:d=7  hl=2 l=  34 cons:        SET
  527:d=8  hl=2 l=  32 cons:         SEQUENCE
  529:d=9  hl=2 l=   9 prim:          OBJECT            :emailAddress
  540:d=9  hl=2 l=  19 prim:          IA5STRING         :busilezas@gmail.com
  561:d=7  hl=2 l=  18 cons:        SET
  563:d=8  hl=2 l=  16 cons:         SEQUENCE
  565:d=9  hl=2 l=   3 prim:          OBJECT            :localityName
  570:d=9  hl=2 l=   9 prim:          PRINTABLESTRING   :Wuerzburg
  581:d=7  hl=2 l=  15 cons:        SET
  583:d=8  hl=2 l=  13 cons:         SEQUENCE
  585:d=9  hl=2 l=   3 prim:          OBJECT            :stateOrProvinceName
  590:d=9  hl=2 l=   6 prim:          PRINTABLESTRING   :Bayern
  598:d=7  hl=2 l=  11 cons:        SET
  600:d=8  hl=2 l=   9 cons:         SEQUENCE
  602:d=9  hl=2 l=   3 prim:          OBJECT            :countryName
  607:d=9  hl=2 l=   2 prim:          PRINTABLESTRING   :DE
  611:d=6  hl=2 l=   9 prim:       INTEGER           :C1E986160DA8E982
  622:d=5  hl=2 l=  13 cons:      SEQUENCE
  624:d=6  hl=2 l=   9 prim:       OBJECT            :sha512
  635:d=6  hl=2 l=   0 prim:       NULL
  637:d=5  hl=3 l= 184 cons:      cont [ 0 ]
  640:d=6  hl=2 l=  26 cons:       SEQUENCE
  642:d=7  hl=2 l=   9 prim:        OBJECT            :contentType
  653:d=7  hl=2 l=  13 cons:        SET
  655:d=8  hl=2 l=  11 prim:         OBJECT            :id-smime-ct-TSTInfo
  668:d=6  hl=2 l=  28 cons:       SEQUENCE
  670:d=7  hl=2 l=   9 prim:        OBJECT            :signingTime
  681:d=7  hl=2 l=  15 cons:        SET
  683:d=8  hl=2 l=  13 prim:         UTCTIME           :210204143056Z
  698:d=6  hl=2 l=  43 cons:       SEQUENCE
  700:d=7  hl=2 l=  11 prim:        OBJECT            :id-smime-aa-signingCertificate
  713:d=7  hl=2 l=  28 cons:        SET
  715:d=8  hl=2 l=  26 cons:         SEQUENCE
  717:d=9  hl=2 l=  24 cons:          SEQUENCE
  719:d=10 hl=2 l=  22 cons:           SEQUENCE
  721:d=11 hl=2 l=  20 prim:            OCTET STRING      [HEX DUMP]:916DA3D860ECCA82E34BC59D1793E7E968875F14
  743:d=6  hl=2 l=  79 cons:       SEQUENCE
  745:d=7  hl=2 l=   9 prim:        OBJECT            :messageDigest
  756:d=7  hl=2 l=  66 cons:        SET
  758:d=8  hl=2 l=  64 prim:         OCTET STRING      [HEX DUMP]:4DB90247CB666E3748C756041A77452395721D1DE8623E7B689D58438864A7B31BBEBD568E588D8D12FE11DC6889A556AABD00DFE48DF63BD88E7D78C7D242A4
  824:d=5  hl=2 l=  13 cons:      SEQUENCE
  826:d=6  hl=2 l=   9 prim:       OBJECT            :rsaEncryption
  837:d=6  hl=2 l=   0 prim:       NULL
  839:d=5  hl=4 l= 512 prim:      OCTET STRING      [HEX DUMP]:(signature bytes elided)

It would be 916DA3D860ECCA82E34BC59D1793E7E968875F14 (close to the end, at offset 721 in this case).

According to the spec (https://www.ietf.org/rfc/rfc3161.txt) there is always exactly one SignerInfo, and this SignerInfo must always contain an ESSCertID (or alternatively an ESSCertIDv2 according to RFC3161 spec https://www.rfc-editor.org/rfc/rfc5816).

Using the openssl cli, how can I extract this hash?

  • This seems to me like this shouldn't be a task for OpenSSL's cli, but rather their library. –  Feb 08 '21 at 12:47
  • I'm writing a bash script and I'd like to not depend on custom binaries – matthias_buehlmann Feb 08 '21 at 12:48
  • What happens if you openssl asn1parse with offset 721? – Z.T. Feb 08 '21 at 12:51
  • @Z.T. that works, but this signature is not always at offset 721, that depends on the token – matthias_buehlmann Feb 08 '21 at 12:53
  • Of course. That is why you need to write code, not a bash script. – Z.T. Feb 08 '21 at 12:54
  • but maybe it's possible using cli to find the offset? because in terms of structure, it's always at the same location. token->signedData->SignerInfos[0]->authenticatedAttributes->SigningCertificate(or SigningCertificateV2)->ESSCertID(or ESSCertIDv2)->firstFieldAsOctetString(or second field in case of ESSCertIDv2) I thought maybe it's possible to retrieve the offset using this? maybe somehow using the (undocumented) -item parameter? or if it would be possible to parse out the length of the structure at a certain offset, probably that could be used too – matthias_buehlmann Feb 08 '21 at 13:04
  • or maybe it's possible with openssl cli to somehow search for a specific OID and extract that? – matthias_buehlmann Feb 08 '21 at 13:15

0 Answers
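An added example, not part of the original question or its comments: one way to find the hash without a fixed offset is to filter the text output of `openssl asn1parse` for the signingCertificate attribute OID and take the first OCTET STRING nested under it, which is the certHash in both ESSCertID and ESSCertIDv2. The names `ess_cert_hash` and `sample_asn1parse` are made up for this sketch, and it assumes OpenSSL prints the v2 attribute as `id-smime-aa-signingCertificateV2` or as its dotted OID; the sample lines are copied from the dump in the question.

```bash
# Added example (not from the original post). Reads `openssl asn1parse`
# text on stdin and prints the certHash of the first ESSCertID/ESSCertIDv2.
ess_cert_hash() {
  awk '
    # Every asn1parse line carries its nesting depth as d=N.
    { if (!match($0, /d=[0-9]+/)) next
      depth = substr($0, RSTART + 2, RLENGTH - 2) + 0 }
    # Walked out of the attribute without seeing a hash: disarm.
    armed && depth < attr_depth { armed = 0 }
    # signingCertificate, signingCertificateV2, or the V2 dotted OID
    # (assumed to be what builds without the V2 short name print).
    /OBJECT +:(id-smime-aa-signingCertificate(V2)?|1\.2\.840\.113549\.1\.9\.16\.2\.47)[ \t]*$/ {
      armed = 1; attr_depth = depth; next }
    # First OCTET STRING nested under the attribute is the certHash.
    armed && depth > attr_depth && /OCTET STRING/ {
      sub(/.*\[HEX DUMP\]:/, ""); print; found = 1; exit }
    END { exit !found }
  '
}

# Sample input: signedAttrs lines copied from the dump in the question.
sample_asn1parse() {
  cat <<'EOF'
  698:d=6  hl=2 l=  43 cons:       SEQUENCE
  700:d=7  hl=2 l=  11 prim:        OBJECT            :id-smime-aa-signingCertificate
  713:d=7  hl=2 l=  28 cons:        SET
  715:d=8  hl=2 l=  26 cons:         SEQUENCE
  717:d=9  hl=2 l=  24 cons:          SEQUENCE
  719:d=10 hl=2 l=  22 cons:           SEQUENCE
  721:d=11 hl=2 l=  20 prim:            OCTET STRING      [HEX DUMP]:916DA3D860ECCA82E34BC59D1793E7E968875F14
  743:d=6  hl=2 l=  79 cons:       SEQUENCE
  745:d=7  hl=2 l=   9 prim:        OBJECT            :messageDigest
EOF
}

sample_asn1parse | ess_cert_hash
# Against a real token (file name from the question):
#   openssl asn1parse -inform DER -in token_nocerts.tst | ess_cert_hash
```

The function exits non-zero when no signingCertificate attribute is found, so a script can fail closed instead of comparing against an empty string. For an ESSCertID the output can be compared with the SHA-1 of a candidate certificate's DER encoding, for example `openssl x509 -in cert.pem -outform DER | openssl dgst -sha1`, where `cert.pem` is a placeholder file name.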