I'm looking for a robust approach to validate the authenticity of an RFC3161 timestamp token using OpenSSL, particularly emphasizing stringent validation while operating entirely offline.
While I'm aware that openssl ts -verify allows verification of timestamps, using only minimal arguments doesn't offer comprehensive validation. For instance, as far as I can tell, it happily verifies a timestamp as valid without cross-checking any Certificate Revocation Lists (CRLs) unless the user explicitly instructs it to do so.
Given that openssl's default is so permissive, I can never be sure that I have supplied all the necessary command arguments to ensure an unassailable verification of a timestamp.
Assuming I have the stamped hash, the timestamp token including the certificate chain, and all relevant certificate revocation lists (CRLs) required for future validation, how can I instruct OpenSSL to adopt a paranoid validation approach?