[openssl-dev] Option -attime for "openssl ts -verify"

Broda, Frank Frank.Broda at ipb-halle.de
Tue Feb 2 12:50:27 UTC 2016


Dear all,
Is there a reason why "openssl ts -verify" does not provide an "-attime" option, comparable to "openssl verify"? I have a timestamp response which was made in 2009 using a certificate which is now expired. Currently it is impossible to verify this timestamp using the command line tool, because verification fails with a "certificate expired" error. The error is thrown before any checks on the timestamped object (file or digest) are made. Detecting manipulations is therefore not possible. An -attime option should provide means to perform the certificate check at a chosen point in time when the certificate was still valid.

I'd suggest a patch which introduces an -attime option (see https://github.com/fbroda/openssl/tree/fbroda_ts_date). I'm willing to make a pull request if there are no objections.

Kind regards,

Frank Broda
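
The behaviour of "-attime" in "openssl verify" that the message refers to, as an added example that is not part of the original post or of the proposed patch. It uses a throwaway self-signed certificate constructed on the spot (not the 2009 TSA certificate), and the helper names make_demo_cert, verify_at and attime_demo are hypothetical; the current time stands in for the signing date and "30 days later" for the date of a later check.

```shell
#!/bin/sh
# Added example: shows how "openssl verify -attime" moves the reference time
# of the certificate validity check. All inputs are constructed here.

# make_demo_cert DIR: self-signed certificate valid for one day from now.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=attime demo (constructed)" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# verify_at CERT EPOCH: run the chain check as if the clock read EPOCH.
# Prints "valid", "expired" or "other". The output text is parsed, and
# "expired" is tested first, because older openssl builds can report the
# error and still finish with "OK" and a zero exit status.
verify_at() {
    out=$(openssl verify -attime "$2" -CAfile "$1" "$1" 2>&1) || true
    case "$out" in
        *"certificate has expired"*) echo expired ;;
        *"not yet valid"*)           echo other ;;
        *": OK"*)                    echo valid ;;
        *)                           echo other ;;
    esac
}

attime_demo() {
    dir=$(mktemp -d) || return 1
    make_demo_cert "$dir" || { rm -rf "$dir"; return 1; }
    now=$(date +%s)
    # Same certificate, two reference times: inside and after its validity.
    echo "at signing time: $(verify_at "$dir/cert.pem" "$now")"
    echo "30 days later:   $(verify_at "$dir/cert.pem" $((now + 30 * 86400)))"
    rm -rf "$dir"
}

attime_demo
```

The value given to -attime is a Unix epoch timestamp. It only changes the time used for the validity-period check; trust in the chain and the signature checks are unchanged.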


