The openssl ts app in the 1.0.2 branch has limited options to influence the certificate validation process. Using that version, it does not seem possible to achieve what you are looking for without modifying the app's code or coding your own solution.

In the 1.1.0 branch of OpenSSL however, the configuration implementation of the apps that do certificate verification has been consolidated and made consistent (see the verify options at the bottom of the synopsis of the ts 1.1.0 documentation). This means that openssl ts in that branch has similar configuration options for certificate verification as the other verifying applications do. In particular, the option -partial_chain as mentioned in this comment is useful.

Testing a situation that seems similar to yours, the following worked for me (where TSA_cert.pem contains only the certificate of the signer and no chain):
$ openssl ts -verify -in response.tsr -data myFile.txt -CAfile TSA_cert.pem -partial_chain
Verification: OK
Verifying that same response file but with three bytes modified:
$ openssl ts -verify -in response_corrupted.tsr -data myFile.txt -CAfile TSA_cert.pem -partial_chain
Verification: FAILED
140450542175232:error:21071065:PKCS7 routines:PKCS7_signatureVerify:digest failure:crypto/pkcs7/pk7_doit.c:1007:
140450542175232:error:2F06A06D:time stamp routines:TS_RESP_verify_signature:signature failure:crypto/ts/ts_rsp_verify.c:143:
However, I had to upgrade to a 1.1.1 pre-release because I ran into this bug: Error #2F067065 - "ess signing certificate error" when validating timestamp reply, for which the fix is not included in 1.1.0.
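The situation the answer tests, reproduced end to end as an added example (this is constructed demo code, not part of the original answer): a throwaway CA issues the TSA certificate, so trusting tsa_cert.pem alone is a partial chain, and -partial_chain is what makes the verification succeed while a response with three bytes modified still fails. It assumes OpenSSL 1.1.1 or later on PATH; all names (DemoRootCA, DemoTSA, the file names, the policy OID) are made up for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the original answer). Needs openssl 1.1.1+ on PATH.
# A throwaway root CA issues the TSA certificate, so tsa_cert.pem alone is a
# partial chain, exactly the case the -partial_chain option is for.

# Build CA + TSA cert, a minimal TSA config, and a signed response for myFile.txt.
# Everything lives in a fresh temp directory; the function cd's into it.
ts_demo_setup() {
  cd "$(mktemp -d)" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca_key.pem -out ca_cert.pem \
      -subj /CN=DemoRootCA -days 2 >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -keyout tsa_key.pem -out tsa.csr \
      -subj /CN=DemoTSA >/dev/null 2>&1 || return 1
  # openssl ts requires a critical timeStamping EKU on the signer certificate
  printf 'extendedKeyUsage=critical,timeStamping\n' > tsa_ext.cnf
  openssl x509 -req -in tsa.csr -CA ca_cert.pem -CAkey ca_key.pem -CAcreateserial \
      -out tsa_cert.pem -days 2 -extfile tsa_ext.cnf >/dev/null 2>&1 || return 1
  cat > tsa.cnf <<'EOF'
[ tsa ]
default_tsa = demo_tsa
[ demo_tsa ]
serial         = ./tsa_serial
signer_cert    = ./tsa_cert.pem
signer_key     = ./tsa_key.pem
signer_digest  = sha256
default_policy = 1.2.3.4.1
digests        = sha256
accuracy       = secs:1
EOF
  printf 'hello timestamp\n' > myFile.txt
  # -cert makes the TSA embed its certificate, so -verify has the signer cert
  openssl ts -query -data myFile.txt -sha256 -cert -out request.tsq >/dev/null 2>&1 &&
    openssl ts -reply -config tsa.cnf -queryfile request.tsq -out response.tsr >/dev/null 2>&1
}

# Exit 0 if $1 verifies against myFile.txt with tsa_cert.pem as the only trusted
# cert; remaining arguments (e.g. -partial_chain) are passed straight to openssl ts.
ts_verify() {
  resp=$1; shift
  openssl ts -verify -in "$resp" -data myFile.txt -CAfile tsa_cert.pem "$@" >/dev/null 2>&1
}

# Write $2 as a copy of $1 with three bytes near the end (inside the signature) zeroed,
# mirroring the "three bytes modified" check in the answer.
ts_corrupt() {
  cp "$1" "$2" || return 1
  size=$(wc -c < "$1")
  printf '\000\000\000' | dd of="$2" bs=1 seek=$((size - 10)) conv=notrunc 2>/dev/null
}
```

Run `ts_demo_setup`, then `ts_verify response.tsr -partial_chain` succeeds, `ts_verify response.tsr` (no -partial_chain) fails because no self-signed anchor is reachable, and a corrupted copy from `ts_corrupt` fails even with -partial_chain.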