
I have a PKCS#7 (i.e., CMS) detached signature of a file that is signed by my signing certificate and then timestamp signed by a TSA that is all generated by an application we wrote. I would like to give a third party the original data file and the detached signature file and have the third party verify the signature and trusted timestamp with readily available tools. Assuming the third party already has the CA certs that make up the chains for my signing certificate and the TSA, what OpenSSL commands should I tell the third party to run to do the following:

  1. Validate the signature against the file and verify that the signing certificate chains up to a trusted root (can ignore revocation)
  2. Verify that the CMS data is timestamped via a trusted TSA
  3. Extract the TSA-signed timestamp from the CMS and print it in a human readable format

I am pretty sure #1 can be accomplished by executing the following command:

    openssl cms -verify -in cms_file -content data_file -inform DER -CApath path_to_ca_certs

but I would like verification on that. Also, what commands should be used to perform #2 and #3?

Hmmmmm

0 Answers
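An added example, not part of the original post, that exercises only item 1: it builds a throwaway CA, signer certificate and data file (all constructed here), produces a detached DER signature, and runs the verify command from the question against the original file, a tampered file and an unrelated trust anchor. It assumes the signature was made over the raw file bytes (hence `-binary`) and uses `-CAfile` with a single PEM file; the `work` directory and the `verify_detached` helper are hypothetical names.

```shell
# Added example: constructed throwaway keys, certificates and data only.
set -eu
work=$(mktemp -d)

# Verify a detached DER CMS signature over a file against a trust anchor.
# Exit status is 0 only if the signature matches AND the chain verifies.
verify_detached() {  # usage: verify_detached <sig.der> <data_file> <ca.pem>
    openssl cms -verify -binary -inform DER -in "$1" -content "$2" \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

# Constructed test CA and an unrelated second root, both self-signed.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
    -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root" \
    -keyout "$work/other.key" -out "$work/other.pem" >/dev/null 2>&1

# Constructed signer certificate issued by the test CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Signer" \
    -keyout "$work/signer.key" -out "$work/signer.csr" >/dev/null 2>&1
openssl x509 -req -in "$work/signer.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
    -CAcreateserial -days 2 -out "$work/signer.pem" >/dev/null 2>&1

# Constructed data file and a copy with one extra byte appended.
printf 'constructed sample payload\n' > "$work/data.bin"
{ cat "$work/data.bin"; printf 'X'; } > "$work/tampered.bin"

# Detached signature (the default for "cms -sign") written as DER.
openssl cms -sign -binary -in "$work/data.bin" -signer "$work/signer.pem" \
    -inkey "$work/signer.key" -outform DER -out "$work/sig.der" 2>/dev/null

# Report the outcome of one verification without tripping "set -e".
report() {  # usage: report <label> <sig.der> <data_file> <ca.pem>
    if verify_detached "$2" "$3" "$4"; then
        echo "$1: verified"
    else
        echo "$1: rejected"
    fi
}

report "original data, issuing CA" "$work/sig.der" "$work/data.bin" "$work/ca.pem"
report "tampered data, issuing CA" "$work/sig.der" "$work/tampered.bin" "$work/ca.pem"
report "original data, other root" "$work/sig.der" "$work/data.bin" "$work/other.pem"
```

If `-CApath` is used as in the question, the directory has to contain the CA certificates under their subject-hash names (for example as created by `openssl rehash`), otherwise the chain lookup fails even though the files are present.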