What does 'openssl ts -verify' verify exactly?

Matthias Buehlmann Matthias.Buehlmann at mabulous.com
Tue Feb 16 02:35:32 UTC 2021


If openssl ts -verify is used, what exactly is verified?

For example, while the [-crl_check] [-crl_check_all] and
[-extended_crl] verify options are supported, there is no way to pass
CRLs to the call. So, is anything checked for revocation?

How are timestamps verified for which the signing certificate has
expired or has been revoked?

If I understand correctly, to verify the validity of a timestamp token
at the current time, one must
- Check that the signing certificate was valid at the time of
timestamp (for this either current or historical CRLs for the entire
trust chain must be checked)
- If the certificate is not valid anymore at the current time, one
must show that none of the certificates in the trust chain have been
revoked, or that those that have been revoked have the reasonCode
extension and that this reasonCode extension shows one of the
following revocation reasons: unspecified (0), affiliationChanged (3),
superseded (4) or cessationOfOperation (5), in which case the
timestamp token is still valid (section 4 of
https://www.ietf.org/rfc/rfc3161.txt)

Can openssl ts -verify do that? If not, how is a timestamp token
properly verified using OpenSSL?

