Validate a timestamp token against a certificate (but not the whole certification chain) using OpenSSL


Question

I am looking to validate an RFC 3161 Timestamp Token against a certificate which appears in an external trusted list of certificates, so the validation stops there. There is no need to validate against the full certificate chain.

openssl ts -verify requires a CA certificate either in a CAfile or a CApath. Is there a way to validate the token against a certificate and nothing more?

Answer

The openssl ts app in the 1.0.2 branch has limited options to influence the certificate validation process. Using that version, it does not seem possible to achieve what you are looking for without modifying the app's code or coding your own solution.

In the 1.1.0 branch of OpenSSL however, the configuration implementation of the apps that do certificate verification has been consolidated and made consistent (see the verify options at the bottom of the synopsis of the ts 1.1.0 documentation). This means that openssl ts in that branch has similar configuration options for certificate verification as the other verifying applications do. In particular, the option -partial_chain, as mentioned in this comment, is useful.

Testing a situation that seems similar to yours, the following worked for me (where TSA_cert.pem contains only the certificate of the signer and no chain):

$ openssl ts -verify -in response.tsr -data myFile.txt -CAfile TSA_cert.pem -partial_chain
Verification: OK

Verifying that same response file but with three bytes modified:

$ openssl ts -verify -in response_corrupted.tsr -data myFile.txt -CAfile TSA_cert.pem -partial_chain
Verification: FAILED
140450542175232:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:crypto/pkcs7/pk7_doit.c:1007:
140450542175232:error:2F06A06D:time stamp routines:TS_RESP_verify_signature:signature failure:crypto/ts/ts_rsp_verify.c:143:

However, I had to upgrade to a 1.1.1 pre-release because I ran into this bug: Error #2F067065 - "ess signing certificate error" when validating timestamp reply, for which the fix is not included in 1.1.0.
