[openssl-dev] [openssl.org #4287] Option -attime for "openssl ts -verify"

Broda, Frank Frank.Broda at ipb-halle.de
Wed Mar 2 16:16:49 UTC 2016


On Tue Feb 02 Stephen Henson wrote:
> On Tue Feb 02 15:56:01 2016, Frank.Broda at ipb-halle.de wrote:
> > Hi,
> > please find my pull request on
> > https://github.com/openssl/openssl/pull/610
> >
> > These two patches add an -attime option to "openssl ts -verify"
> > similar to the same option in "openssl verify". This allows checking 
> > of timestamp responses with expired certificates. Documentation has 
> > been updated as well.
> IMHO a better way to handle this is to make "ts" handle general verify
> options the same way that ocsp, verify, cms, s_client and s_server do, then
> you get -attime support automatically.

The implementation for "ts -verify" would be straightforward. But 
for "ts -query" and "ts -reply" an existing "-policy" option produces 
conflicts. I'm not sure how to resolve this. Two alternatives come 
to my mind:

1. Rename the original "-policy" option to something like "-requestpolicy"
(please suggest alternatives). In this case it would not be possible to call
"ts -query" with an "-attime" option (or any of the other verify options which
do not make sense in this context). The drawback is that it would break some
existing code, because the original "-policy" option gets renamed.

2. Remove the original "-policy" option from the list of options and use
"OPT_V_OPTIONS" throughout. The policy would then be extracted from the
X509_VERIFY_PARAM structure created during parsing of the verify options.
This does not seem elegant to me. It would allow lots of options which make
no sense in "ts -query" and "ts -reply". Probably I'd make a mess when trying
to implement this.

Please excuse my poor understanding of the whole subject. There might be other 
strategies, but I'm not aware of them.

Kind regards,


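An added example, not code from this thread or from OpenSSL itself: a shell script that builds a throwaway root CA and TSA, issues one time-stamp response, and then runs "openssl ts -verify" with the certificate chain evaluated at different instants via -attime, which is the use case the pull request is about. It assumes an OpenSSL release in which "ts" accepts the generic verify options as Stephen suggests (1.1.0 and later do), an openssl binary on PATH, and a temporary working directory; the config file, certificate names, policy OID and sample data are all constructed here. Because "openssl x509" cannot issue a certificate that is already expired, the script keeps the TSA certificate valid for one day and moves the verification time instead: one hour after issue the check passes, three days later the same response fails because the TSA certificate has expired, which is exactly the situation -attime exists to handle.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL itself.
# Builds a throwaway root CA and TSA, issues one time-stamp response, and
# verifies it with "openssl ts -verify" at chosen instants via -attime.
# Assumes openssl 1.1.0 or newer on PATH (ts accepting the verify options).
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed config: [req] keeps "openssl req" off the system openssl.cnf,
# [tsa] drives "openssl ts -reply", the v3_* sections are cert extensions.
cat > tsa.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

[ v3_tsa ]
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,timeStamping

[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir = .
serial = $dir/tsaserial
signer_cert = $dir/tsa.pem
certs = $dir/ca.pem
signer_key = $dir/tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
accuracy = secs:1
ordering = yes
tsa_name = yes
ess_cert_id_chain = no
EOF

# Root CA valid for ten years, TSA certificate valid for a single day.
openssl req -new -config tsa.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.csr -subj /CN=Example-Root-CA 2>/dev/null
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -out ca.pem \
    -extfile tsa.cnf -extensions v3_ca 2>/dev/null
openssl req -new -config tsa.cnf -newkey rsa:2048 -nodes -keyout tsa.key \
    -out tsa.csr -subj /CN=Example-TSA 2>/dev/null
openssl x509 -req -in tsa.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out tsa.pem -extfile tsa.cnf -extensions v3_tsa 2>/dev/null

# One query over a constructed file, answered by the local TSA. -cert asks
# the TSA to embed its certificate, so -verify only needs the trust anchor.
printf 'constructed sample data\n' > data.txt
openssl ts -query -config tsa.cnf -data data.txt -sha256 -cert -out req.tsq
openssl ts -reply -config tsa.cnf -queryfile req.tsq -out resp.tsr

# verify_at EPOCH: check resp.tsr against data.txt with the TSA chain
# evaluated at EPOCH (seconds since 1970) instead of the wall clock.
verify_at() {
    if openssl ts -verify -config tsa.cnf -data data.txt -in resp.tsr \
           -CAfile ca.pem -attime "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAILED
    fi
}

NOW=$(date +%s)
echo "one hour after issue:    $(verify_at $((NOW + 3600)))"      # OK
echo "three days after issue:  $(verify_at $((NOW + 3 * 86400)))" # FAILED
echo "before the certs exist:  $(verify_at 0)"                    # FAILED
```

For a real archived token the value to pass is the token's genTime: "openssl ts -reply -in resp.tsr -text" prints it as the "Time stamp:" line, and -attime takes seconds since the Unix epoch. -attime only moves the validity check to that instant; it does not make an otherwise untrusted chain acceptable, and whether the TSA key was revoked at that time is a separate question that the option does not answer.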