I am trying to verify the signature in a timestamp token in OpenSSL (v1.1.1a) against only the signing certificate and not the complete chain (with the flag -partial_chain).

I am using

openssl ts -verify -partial_chain -in ~/Desktop/dgn/token-der.txt -token_in -digest bcbfcee484a9b243bafad6b8a43e0ddc1bf091837463e7c717495395eefbc2a6 -CAfile ~/Desktop/dgn/dgn-cert.txt

and the error is:

Verification: FAILED
Using configuration from C:/Program Files/Git/mingw64/ssl/openssl.cnf
13812:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:../openssl-1.1.1a/crypto/pkcs7/pk7_smime.c:421:

What is the right way of doing it?

This is a follow-up to question: Validate a timestamp token against a certificate (but not the whole certification chain) using OpenSSL.

Victor

1 Answer

The flag -untrusted solved the issue:

openssl ts -verify -partial_chain -in ~/Desktop/dgn/token-der.txt -token_in -digest bcbfcee484a9b243bafad6b8a43e0ddc1bf091837463e7c717495395eefbc2a6 -CAfile ~/Desktop/dgn/dgn-cert.txt -untrusted ~/Desktop/dgn/dgn-cert.txt
Victor
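The failure and the fix from this thread, reproduced on a throwaway PKI as an added example that is not part of the original posts. The names (Demo Root, Demo TSA), the file names and the policy OID 1.2.3.4.1 are constructed, `-data` is used in place of `-digest`, and an `openssl` binary on the PATH is assumed.

```bash
#!/usr/bin/env bash
# Added example: constructed throwaway CA, TSA leaf and token (no real keys or data).
make_token() {  # $1 = empty work directory; leaves the shell inside it
  cd "$1" || return 1
  cat > tsa.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
[tsa_ext]
extendedKeyUsage = critical,timeStamping
[tsa]
default_tsa = tsa1
[tsa1]
serial = ./serial
signer_cert = ./tsa.pem
signer_key = ./tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
EOF
  export OPENSSL_CONF="$PWD/tsa.cnf"
  echo 01 > serial
  echo "constructed sample data" > data.txt
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Demo Root" -days 2 -extensions ca_ext &&
  openssl req -newkey rsa:2048 -nodes -keyout tsa.key -out tsa.csr -subj "/CN=Demo TSA" &&
  openssl x509 -req -in tsa.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out tsa.pem -days 2 -extfile tsa.cnf -extensions tsa_ext &&
  # No -cert on the query, so the TSA leaves its certificate out of the token.
  openssl ts -query -data data.txt -sha256 -no_nonce -out req.tsq &&
  openssl ts -reply -config tsa.cnf -queryfile req.tsq -token_out -out token.der
}

# Leaf is the only trust anchor; no candidate signer certificate is supplied.
verify_leaf_only() {
  openssl ts -verify -partial_chain -data data.txt -in token.der -token_in -CAfile tsa.pem
}

# Same trust anchor, plus the leaf passed as a candidate signer certificate.
verify_with_untrusted() {
  openssl ts -verify -partial_chain -data data.txt -in token.der -token_in \
    -CAfile tsa.pem -untrusted tsa.pem
}

work=$(mktemp -d) && make_token "$work" >/dev/null 2>&1 || { echo "setup failed" >&2; exit 1; }
verify_leaf_only >/dev/null 2>&1 && echo "leaf only: OK" || echo "leaf only: FAILED"
verify_with_untrusted >/dev/null 2>&1 && echo "with -untrusted: OK" || echo "with -untrusted: FAILED"
```

In this constructed setup the token carries no certificates, so `-CAfile` alone gives the verifier a trust anchor but no signer certificate to match against the signature; `-untrusted` supplies that candidate, and `-CAfile` with `-partial_chain` still decides whether it is trusted.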