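How to verify a timestamp token against a single certificate (rather than the whole chain) using OpenSSL

Time: 2019-01-24 18:19:30

Tags: openssl

I am trying to verify the signature in a timestamp token in OpenSSL (v1.1.1a) against the signing certificate only, not the full chain (with the -partial_chain flag).

I am using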

openssl ts -verify -partial_chain -in ~/Desktop/dgn/token-der.txt -token_in -digest bcbfcee484a9b243bafad6b8a43e0ddc1bf091837463e7c717495395eefbc2a6 -CAfile ~/Desktop/dgn/dgn-cert.txt

and the error is:

Verification: FAILED
Using configuration from C:/Program Files/Git/mingw64/ssl/openssl.cnf
13812:error:2107C080:PKCS7 routines:PKCS7_get0_signers:signer certificate not found:../openssl-1.1.1a/crypto/pkcs7/pk7_smime.c:421:

What is the correct way to do this?

This is a follow-up to the question: Validate a timestamp token against a certificate (but not the whole certification chain) using OpenSSL

1 answer:

Answer 0: (score: 0)

The -untrusted flag solved the problem:

openssl ts -verify -partial_chain -in ~/Desktop/dgn/token-der.txt -token_in -digest bcbfcee484a9b243bafad6b8a43e0ddc1bf091837463e7c717495395eefbc2a6 -CAfile ~/Desktop/dgn/dgn-cert.txt -untrusted ~/Desktop/dgn/dgn-cert.txt
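
A reproduction of the failure and the fix, added here as an example and not part of the original question or answer: -CAfile only fills the trust store, while the signer certificate is looked up in the token itself or in the -untrusted file, so a token without an embedded certificate verifies only when both are given. It assumes the token carries no embedded signer certificate (query made without -cert); the demo CA, TSA key pair, policy OID, file names and data are all constructed.

```shell
#!/bin/sh
# Added example; keys, names, policy OID and data are constructed for the demo.
ts_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  cat > tsa.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ tsa_ext ]
extendedKeyUsage = critical,timeStamping
[ tsa ]
default_tsa = tsa1
[ tsa1 ]
serial = ./serial
signer_cert = ./tsa.pem
signer_key = ./tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256
EOF
  echo 01 > serial
  echo "constructed sample data" > data.txt
  # Demo CA, then a TSA certificate issued by it (EKU: critical timeStamping).
  openssl req -x509 -newkey rsa:2048 -nodes -config tsa.cnf -subj "/CN=Demo CA" \
    -days 1 -keyout ca.key -out ca.pem 2>/dev/null || exit 1
  openssl req -new -newkey rsa:2048 -nodes -config tsa.cnf -subj "/CN=Demo TSA" \
    -keyout tsa.key -out tsa.csr 2>/dev/null || exit 1
  openssl x509 -req -in tsa.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 \
    -extfile tsa.cnf -extensions tsa_ext -out tsa.pem 2>/dev/null || exit 1
  # The query omits -cert, so the token will not embed the TSA certificate.
  openssl ts -query -data data.txt -sha256 -no_nonce -out req.tsq 2>/dev/null || exit 1
  openssl ts -reply -config tsa.cnf -queryfile req.tsq -token_out \
    -out token.der 2>/dev/null || exit 1
  # Verify against the TSA certificate alone; extra flags come from the caller.
  v() { openssl ts -verify -in token.der -token_in -data data.txt -CAfile tsa.pem \
          "$@" 2>/dev/null | grep -q 'Verification: OK' && echo OK || echo FAILED; }
  echo "-partial_chain only: $(v -partial_chain)"
  echo "-partial_chain -untrusted: $(v -partial_chain -untrusted tsa.pem)"
  echo "-untrusted only: $(v -untrusted tsa.pem)"
  cd / && rm -rf "$d"
)
ts_demo
```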