diff options
Diffstat (limited to 'secure/usr.bin/openssl/man/ts.1')
| -rw-r--r-- | secure/usr.bin/openssl/man/ts.1 | 727 |
1 files changed, 0 insertions, 727 deletions
diff --git a/secure/usr.bin/openssl/man/ts.1 b/secure/usr.bin/openssl/man/ts.1 deleted file mode 100644 index 256cda1b54d1..000000000000 --- a/secure/usr.bin/openssl/man/ts.1 +++ /dev/null @@ -1,727 +0,0 @@ -.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{\ -. if \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "TS 1" -.TH TS 1 "2022-07-05" "1.1.1q" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -openssl\-ts, ts \- Time Stamping Authority tool (client/server) -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBts\fR -\&\fB\-query\fR -[\fB\-rand file...\fR] -[\fB\-writerand file\fR] -[\fB\-config\fR configfile] -[\fB\-data\fR file_to_hash] -[\fB\-digest\fR digest_bytes] -[\fB\-\f(BIdigest\fB\fR] -[\fB\-tspolicy\fR object_id] -[\fB\-no_nonce\fR] -[\fB\-cert\fR] -[\fB\-in\fR request.tsq] -[\fB\-out\fR request.tsq] -[\fB\-text\fR] -.PP -\&\fBopenssl\fR \fBts\fR -\&\fB\-reply\fR -[\fB\-config\fR configfile] -[\fB\-section\fR tsa_section] -[\fB\-queryfile\fR request.tsq] -[\fB\-passin\fR password_src] -[\fB\-signer\fR tsa_cert.pem] -[\fB\-inkey\fR file_or_id] -[\fB\-\f(BIdigest\fB\fR] -[\fB\-chain\fR certs_file.pem] -[\fB\-tspolicy\fR object_id] -[\fB\-in\fR response.tsr] -[\fB\-token_in\fR] -[\fB\-out\fR response.tsr] -[\fB\-token_out\fR] -[\fB\-text\fR] -[\fB\-engine\fR id] -.PP -\&\fBopenssl\fR \fBts\fR -\&\fB\-verify\fR -[\fB\-data\fR file_to_hash] -[\fB\-digest\fR digest_bytes] -[\fB\-queryfile\fR request.tsq] -[\fB\-in\fR response.tsr] -[\fB\-token_in\fR] -[\fB\-CApath\fR trusted_cert_path] -[\fB\-CAfile\fR trusted_certs.pem] -[\fB\-untrusted\fR cert_file.pem] -[\fIverify options\fR] -.PP -\&\fIverify options:\fR -[\-attime timestamp] -[\-check_ss_sig] -[\-crl_check] -[\-crl_check_all] -[\-explicit_policy] -[\-extended_crl] -[\-ignore_critical] -[\-inhibit_any] -[\-inhibit_map] -[\-issuer_checks] -[\-no_alt_chains] -[\-no_check_time] -[\-partial_chain] -[\-policy arg] -[\-policy_check] -[\-policy_print] -[\-purpose purpose] -[\-suiteB_128] -[\-suiteB_128_only] -[\-suiteB_192] -[\-trusted_first] -[\-use_deltas] -[\-auth_level num] -[\-verify_depth num] -[\-verify_email email] -[\-verify_hostname hostname] -[\-verify_ip ip] -[\-verify_name name] -[\-x509_strict] -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fBts\fR command is a basic Time Stamping Authority (\s-1TSA\s0) client and server -application as specified in \s-1RFC 3161\s0 (Time-Stamp Protocol, \s-1TSP\s0). A -\&\s-1TSA\s0 can be part of a \s-1PKI\s0 deployment and its role is to provide long -term proof of the existence of a certain datum before a particular -time. Here is a brief description of the protocol: -.IP "1." 4 -The \s-1TSA\s0 client computes a one-way hash value for a data file and sends -the hash to the \s-1TSA.\s0 -.IP "2." 4 -The \s-1TSA\s0 attaches the current date and time to the received hash value, -signs them and sends the timestamp token back to the client. By -creating this token the \s-1TSA\s0 certifies the existence of the original -data file at the time of response generation. -.IP "3." 4 -The \s-1TSA\s0 client receives the timestamp token and verifies the -signature on it. It also checks if the token contains the same hash -value that it had sent to the \s-1TSA.\s0 -.PP -There is one \s-1DER\s0 encoded protocol data unit defined for transporting -a timestamp request to the \s-1TSA\s0 and one for sending the timestamp response -back to the client. The \fBts\fR command has three main functions: -creating a timestamp request based on a data file, -creating a timestamp response based on a request, verifying if a -response corresponds to a particular request or a data file. -.PP -There is no support for sending the requests/responses automatically -over \s-1HTTP\s0 or \s-1TCP\s0 yet as suggested in \s-1RFC 3161.\s0 The users must send the -requests either by ftp or e\-mail. -.SH "OPTIONS" -.IX Header "OPTIONS" -.SS "Time Stamp Request generation" -.IX Subsection "Time Stamp Request generation" -The \fB\-query\fR switch can be used for creating and printing a timestamp -request with the following options: -.IP "\fB\-rand file...\fR" 4 -.IX Item "-rand file..." -A file or files containing random data used to seed the random number -generator. -Multiple files can be specified separated by an OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "[\fB\-writerand file\fR]" 4 -.IX Item "[-writerand file]" -Writes random data to the specified \fIfile\fR upon exit. -This can be used with a subsequent \fB\-rand\fR flag. -.IP "\fB\-config\fR configfile" 4 -.IX Item "-config configfile" -The configuration file to use. -Optional; for a description of the default value, -see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1). -.IP "\fB\-data\fR file_to_hash" 4 -.IX Item "-data file_to_hash" -The data file for which the timestamp request needs to be -created. stdin is the default if neither the \fB\-data\fR nor the \fB\-digest\fR -parameter is specified. (Optional) -.IP "\fB\-digest\fR digest_bytes" 4 -.IX Item "-digest digest_bytes" -It is possible to specify the message imprint explicitly without the data -file. The imprint must be specified in a hexadecimal format, two characters -per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or -1AF601...). The number of bytes must match the message digest algorithm -in use. (Optional) -.IP "\fB\-\f(BIdigest\fB\fR" 4 -.IX Item "-digest" -The message digest to apply to the data file. -Any digest supported by the OpenSSL \fBdgst\fR command can be used. -The default is \s-1SHA\-1.\s0 (Optional) -.IP "\fB\-tspolicy\fR object_id" 4 -.IX Item "-tspolicy object_id" -The policy that the client expects the \s-1TSA\s0 to use for creating the -timestamp token. Either the dotted \s-1OID\s0 notation or \s-1OID\s0 names defined -in the config file can be used. If no policy is requested the \s-1TSA\s0 will -use its own default policy. (Optional) -.IP "\fB\-no_nonce\fR" 4 -.IX Item "-no_nonce" -No nonce is specified in the request if this option is -given. Otherwise a 64 bit long pseudo-random none is -included in the request. It is recommended to use nonce to -protect against replay-attacks. (Optional) -.IP "\fB\-cert\fR" 4 -.IX Item "-cert" -The \s-1TSA\s0 is expected to include its signing certificate in the -response. (Optional) -.IP "\fB\-in\fR request.tsq" 4 -.IX Item "-in request.tsq" -This option specifies a previously created timestamp request in \s-1DER\s0 -format that will be printed into the output file. Useful when you need -to examine the content of a request in human-readable -format. (Optional) -.IP "\fB\-out\fR request.tsq" 4 -.IX Item "-out request.tsq" -Name of the output file to which the request will be written. Default -is stdout. (Optional) -.IP "\fB\-text\fR" 4 -.IX Item "-text" -If this option is specified the output is human-readable text format -instead of \s-1DER.\s0 (Optional) -.SS "Time Stamp Response generation" -.IX Subsection "Time Stamp Response generation" -A timestamp response (TimeStampResp) consists of a response status -and the timestamp token itself (ContentInfo), if the token generation was -successful. The \fB\-reply\fR command is for creating a timestamp -response or timestamp token based on a request and printing the -response/token in human-readable format. If \fB\-token_out\fR is not -specified the output is always a timestamp response (TimeStampResp), -otherwise it is a timestamp token (ContentInfo). -.IP "\fB\-config\fR configfile" 4 -.IX Item "-config configfile" -The configuration file to use. -Optional; for a description of the default value, -see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fBopenssl\fR\|(1). -See \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for configurable variables. -.IP "\fB\-section\fR tsa_section" 4 -.IX Item "-section tsa_section" -The name of the config file section containing the settings for the -response generation. If not specified the default \s-1TSA\s0 section is -used, see \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for details. (Optional) -.IP "\fB\-queryfile\fR request.tsq" 4 -.IX Item "-queryfile request.tsq" -The name of the file containing a \s-1DER\s0 encoded timestamp request. (Optional) -.IP "\fB\-passin\fR password_src" 4 -.IX Item "-passin password_src" -Specifies the password source for the private key of the \s-1TSA.\s0 See -\&\*(L"Pass Phrase Options\*(R" in \fBopenssl\fR\|(1). (Optional) -.IP "\fB\-signer\fR tsa_cert.pem" 4 -.IX Item "-signer tsa_cert.pem" -The signer certificate of the \s-1TSA\s0 in \s-1PEM\s0 format. The \s-1TSA\s0 signing -certificate must have exactly one extended key usage assigned to it: -timeStamping. The extended key usage must also be critical, otherwise -the certificate is going to be refused. Overrides the \fBsigner_cert\fR -variable of the config file. (Optional) -.IP "\fB\-inkey\fR file_or_id" 4 -.IX Item "-inkey file_or_id" -The signer private key of the \s-1TSA\s0 in \s-1PEM\s0 format. Overrides the -\&\fBsigner_key\fR config file option. (Optional) -If no engine is used, the argument is taken as a file; if an engine is -specified, the argument is given to the engine as a key identifier. -.IP "\fB\-\f(BIdigest\fB\fR" 4 -.IX Item "-digest" -Signing digest to use. Overrides the \fBsigner_digest\fR config file -option. (Mandatory unless specified in the config file) -.IP "\fB\-chain\fR certs_file.pem" 4 -.IX Item "-chain certs_file.pem" -The collection of certificates in \s-1PEM\s0 format that will all -be included in the response in addition to the signer certificate if -the \fB\-cert\fR option was used for the request. This file is supposed to -contain the certificate chain for the signer certificate from its -issuer upwards. The \fB\-reply\fR command does not build a certificate -chain automatically. (Optional) -.IP "\fB\-tspolicy\fR object_id" 4 -.IX Item "-tspolicy object_id" -The default policy to use for the response unless the client -explicitly requires a particular \s-1TSA\s0 policy. The \s-1OID\s0 can be specified -either in dotted notation or with its name. Overrides the -\&\fBdefault_policy\fR config file option. (Optional) -.IP "\fB\-in\fR response.tsr" 4 -.IX Item "-in response.tsr" -Specifies a previously created timestamp response or timestamp token -(if \fB\-token_in\fR is also specified) in \s-1DER\s0 format that will be written -to the output file. This option does not require a request, it is -useful e.g. when you need to examine the content of a response or -token or you want to extract the timestamp token from a response. If -the input is a token and the output is a timestamp response a default -\&'granted' status info is added to the token. (Optional) -.IP "\fB\-token_in\fR" 4 -.IX Item "-token_in" -This flag can be used together with the \fB\-in\fR option and indicates -that the input is a \s-1DER\s0 encoded timestamp token (ContentInfo) instead -of a timestamp response (TimeStampResp). (Optional) -.IP "\fB\-out\fR response.tsr" 4 -.IX Item "-out response.tsr" -The response is written to this file. The format and content of the -file depends on other options (see \fB\-text\fR, \fB\-token_out\fR). The default is -stdout. (Optional) -.IP "\fB\-token_out\fR" 4 -.IX Item "-token_out" -The output is a timestamp token (ContentInfo) instead of timestamp -response (TimeStampResp). (Optional) -.IP "\fB\-text\fR" 4 -.IX Item "-text" -If this option is specified the output is human-readable text format -instead of \s-1DER.\s0 (Optional) -.IP "\fB\-engine\fR id" 4 -.IX Item "-engine id" -Specifying an engine (by its unique \fBid\fR string) will cause \fBts\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. Default is builtin. (Optional) -.SS "Time Stamp Response verification" -.IX Subsection "Time Stamp Response verification" -The \fB\-verify\fR command is for verifying if a timestamp response or -timestamp token is valid and matches a particular timestamp request or -data file. The \fB\-verify\fR command does not use the configuration file. -.IP "\fB\-data\fR file_to_hash" 4 -.IX Item "-data file_to_hash" -The response or token must be verified against file_to_hash. The file -is hashed with the message digest algorithm specified in the token. -The \fB\-digest\fR and \fB\-queryfile\fR options must not be specified with this one. -(Optional) -.IP "\fB\-digest\fR digest_bytes" 4 -.IX Item "-digest digest_bytes" -The response or token must be verified against the message digest specified -with this option. The number of bytes must match the message digest algorithm -specified in the token. The \fB\-data\fR and \fB\-queryfile\fR options must not be -specified with this one. (Optional) -.IP "\fB\-queryfile\fR request.tsq" 4 -.IX Item "-queryfile request.tsq" -The original timestamp request in \s-1DER\s0 format. The \fB\-data\fR and \fB\-digest\fR -options must not be specified with this one. (Optional) -.IP "\fB\-in\fR response.tsr" 4 -.IX Item "-in response.tsr" -The timestamp response that needs to be verified in \s-1DER\s0 format. (Mandatory) -.IP "\fB\-token_in\fR" 4 -.IX Item "-token_in" -This flag can be used together with the \fB\-in\fR option and indicates -that the input is a \s-1DER\s0 encoded timestamp token (ContentInfo) instead -of a timestamp response (TimeStampResp). (Optional) -.IP "\fB\-CApath\fR trusted_cert_path" 4 -.IX Item "-CApath trusted_cert_path" -The name of the directory containing the trusted \s-1CA\s0 certificates of the -client. See the similar option of \fBverify\fR\|(1) for additional -details. Either this option or \fB\-CAfile\fR must be specified. (Optional) -.IP "\fB\-CAfile\fR trusted_certs.pem" 4 -.IX Item "-CAfile trusted_certs.pem" -The name of the file containing a set of trusted self-signed \s-1CA\s0 -certificates in \s-1PEM\s0 format. See the similar option of -\&\fBverify\fR\|(1) for additional details. Either this option -or \fB\-CApath\fR must be specified. -(Optional) -.IP "\fB\-untrusted\fR cert_file.pem" 4 -.IX Item "-untrusted cert_file.pem" -Set of additional untrusted certificates in \s-1PEM\s0 format which may be -needed when building the certificate chain for the \s-1TSA\s0's signing -certificate. This file must contain the \s-1TSA\s0 signing certificate and -all intermediate \s-1CA\s0 certificates unless the response includes them. -(Optional) -.IP "\fIverify options\fR" 4 -.IX Item "verify options" -The options \fB\-attime timestamp\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, -\&\fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, -\&\fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-issuer_checks\fR, \fB\-no_alt_chains\fR, -\&\fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, -\&\fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, -\&\fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, -\&\fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, -\&\fB\-verify_name\fR, and \fB\-x509_strict\fR can be used to control timestamp -verification. See \fBverify\fR\|(1). -.SH "CONFIGURATION FILE OPTIONS" -.IX Header "CONFIGURATION FILE OPTIONS" -The \fB\-query\fR and \fB\-reply\fR commands make use of a configuration file. -See \fBconfig\fR\|(5) -for a general description of the syntax of the config file. The -\&\fB\-query\fR command uses only the symbolic \s-1OID\s0 names section -and it can work without it. However, the \fB\-reply\fR command needs the -config file for its operation. -.PP -When there is a command line switch equivalent of a variable the -switch always overrides the settings in the config file. -.IP "\fBtsa\fR section, \fBdefault_tsa\fR" 4 -.IX Item "tsa section, default_tsa" -This is the main section and it specifies the name of another section -that contains all the options for the \fB\-reply\fR command. This default -section can be overridden with the \fB\-section\fR command line switch. (Optional) -.IP "\fBoid_file\fR" 4 -.IX Item "oid_file" -See \fBca\fR\|(1) for description. (Optional) -.IP "\fBoid_section\fR" 4 -.IX Item "oid_section" -See \fBca\fR\|(1) for description. (Optional) -.IP "\fB\s-1RANDFILE\s0\fR" 4 -.IX Item "RANDFILE" -See \fBca\fR\|(1) for description. (Optional) -.IP "\fBserial\fR" 4 -.IX Item "serial" -The name of the file containing the hexadecimal serial number of the -last timestamp response created. This number is incremented by 1 for -each response. If the file does not exist at the time of response -generation a new file is created with serial number 1. (Mandatory) -.IP "\fBcrypto_device\fR" 4 -.IX Item "crypto_device" -Specifies the OpenSSL engine that will be set as the default for -all available algorithms. The default value is builtin, you can specify -any other engines supported by OpenSSL (e.g. use chil for the NCipher \s-1HSM\s0). -(Optional) -.IP "\fBsigner_cert\fR" 4 -.IX Item "signer_cert" -\&\s-1TSA\s0 signing certificate in \s-1PEM\s0 format. The same as the \fB\-signer\fR -command line option. (Optional) -.IP "\fBcerts\fR" 4 -.IX Item "certs" -A file containing a set of \s-1PEM\s0 encoded certificates that need to be -included in the response. The same as the \fB\-chain\fR command line -option. (Optional) -.IP "\fBsigner_key\fR" 4 -.IX Item "signer_key" -The private key of the \s-1TSA\s0 in \s-1PEM\s0 format. The same as the \fB\-inkey\fR -command line option. (Optional) -.IP "\fBsigner_digest\fR" 4 -.IX Item "signer_digest" -Signing digest to use. The same as the -\&\fB\-\f(BIdigest\fB\fR command line option. (Mandatory unless specified on the command -line) -.IP "\fBdefault_policy\fR" 4 -.IX Item "default_policy" -The default policy to use when the request does not mandate any -policy. The same as the \fB\-tspolicy\fR command line option. (Optional) -.IP "\fBother_policies\fR" 4 -.IX Item "other_policies" -Comma separated list of policies that are also acceptable by the \s-1TSA\s0 -and used only if the request explicitly specifies one of them. (Optional) -.IP "\fBdigests\fR" 4 -.IX Item "digests" -The list of message digest algorithms that the \s-1TSA\s0 accepts. At least -one algorithm must be specified. (Mandatory) -.IP "\fBaccuracy\fR" 4 -.IX Item "accuracy" -The accuracy of the time source of the \s-1TSA\s0 in seconds, milliseconds -and microseconds. E.g. secs:1, millisecs:500, microsecs:100. If any of -the components is missing zero is assumed for that field. (Optional) -.IP "\fBclock_precision_digits\fR" 4 -.IX Item "clock_precision_digits" -Specifies the maximum number of digits, which represent the fraction of -seconds, that need to be included in the time field. The trailing zeros -must be removed from the time, so there might actually be fewer digits, -or no fraction of seconds at all. Supported only on \s-1UNIX\s0 platforms. -The maximum value is 6, default is 0. -(Optional) -.IP "\fBordering\fR" 4 -.IX Item "ordering" -If this option is yes the responses generated by this \s-1TSA\s0 can always -be ordered, even if the time difference between two responses is less -than the sum of their accuracies. Default is no. (Optional) -.IP "\fBtsa_name\fR" 4 -.IX Item "tsa_name" -Set this option to yes if the subject name of the \s-1TSA\s0 must be included in -the \s-1TSA\s0 name field of the response. Default is no. (Optional) -.IP "\fBess_cert_id_chain\fR" 4 -.IX Item "ess_cert_id_chain" -The SignedData objects created by the \s-1TSA\s0 always contain the -certificate identifier of the signing certificate in a signed -attribute (see \s-1RFC 2634,\s0 Enhanced Security Services). If this option -is set to yes and either the \fBcerts\fR variable or the \fB\-chain\fR option -is specified then the certificate identifiers of the chain will also -be included in the SigningCertificate signed attribute. If this -variable is set to no, only the signing certificate identifier is -included. Default is no. (Optional) -.IP "\fBess_cert_id_alg\fR" 4 -.IX Item "ess_cert_id_alg" -This option specifies the hash function to be used to calculate the \s-1TSA\s0's -public key certificate identifier. Default is sha1. (Optional) -.SH "EXAMPLES" -.IX Header "EXAMPLES" -All the examples below presume that \fB\s-1OPENSSL_CONF\s0\fR is set to a proper -configuration file, e.g. the example configuration file -openssl/apps/openssl.cnf will do. -.SS "Time Stamp Request" -.IX Subsection "Time Stamp Request" -To create a timestamp request for design1.txt with \s-1SHA\-1\s0 -without nonce and policy and no certificate is required in the response: -.PP -.Vb 2 -\& openssl ts \-query \-data design1.txt \-no_nonce \e -\& \-out design1.tsq -.Ve -.PP -To create a similar timestamp request with specifying the message imprint -explicitly: -.PP -.Vb 2 -\& openssl ts \-query \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e -\& \-no_nonce \-out design1.tsq -.Ve -.PP -To print the content of the previous request in human readable format: -.PP -.Vb 1 -\& openssl ts \-query \-in design1.tsq \-text -.Ve -.PP -To create a timestamp request which includes the \s-1MD\-5\s0 digest -of design2.txt, requests the signer certificate and nonce, -specifies a policy id (assuming the tsa_policy1 name is defined in the -\&\s-1OID\s0 section of the config file): -.PP -.Vb 2 -\& openssl ts \-query \-data design2.txt \-md5 \e -\& \-tspolicy tsa_policy1 \-cert \-out design2.tsq -.Ve -.SS "Time Stamp Response" -.IX Subsection "Time Stamp Response" -Before generating a response a signing certificate must be created for -the \s-1TSA\s0 that contains the \fBtimeStamping\fR critical extended key usage extension -without any other key usage extensions. You can add this line to the -user certificate section of the config file to generate a proper certificate; -.PP -.Vb 1 -\& extendedKeyUsage = critical,timeStamping -.Ve -.PP -See \fBreq\fR\|(1), \fBca\fR\|(1), and \fBx509\fR\|(1) for instructions. The examples -below assume that cacert.pem contains the certificate of the \s-1CA,\s0 -tsacert.pem is the signing certificate issued by cacert.pem and -tsakey.pem is the private key of the \s-1TSA.\s0 -.PP -To create a timestamp response for a request: -.PP -.Vb 2 -\& openssl ts \-reply \-queryfile design1.tsq \-inkey tsakey.pem \e -\& \-signer tsacert.pem \-out design1.tsr -.Ve -.PP -If you want to use the settings in the config file you could just write: -.PP -.Vb 1 -\& openssl ts \-reply \-queryfile design1.tsq \-out design1.tsr -.Ve -.PP -To print a timestamp reply to stdout in human readable format: -.PP -.Vb 1 -\& openssl ts \-reply \-in design1.tsr \-text -.Ve -.PP -To create a timestamp token instead of timestamp response: -.PP -.Vb 1 -\& openssl ts \-reply \-queryfile design1.tsq \-out design1_token.der \-token_out -.Ve -.PP -To print a timestamp token to stdout in human readable format: -.PP -.Vb 1 -\& openssl ts \-reply \-in design1_token.der \-token_in \-text \-token_out -.Ve -.PP -To extract the timestamp token from a response: -.PP -.Vb 1 -\& openssl ts \-reply \-in design1.tsr \-out design1_token.der \-token_out -.Ve -.PP -To add 'granted' status info to a timestamp token thereby creating a -valid response: -.PP -.Vb 1 -\& openssl ts \-reply \-in design1_token.der \-token_in \-out design1.tsr -.Ve -.SS "Time Stamp Verification" -.IX Subsection "Time Stamp Verification" -To verify a timestamp reply against a request: -.PP -.Vb 2 -\& openssl ts \-verify \-queryfile design1.tsq \-in design1.tsr \e -\& \-CAfile cacert.pem \-untrusted tsacert.pem -.Ve -.PP -To verify a timestamp reply that includes the certificate chain: -.PP -.Vb 2 -\& openssl ts \-verify \-queryfile design2.tsq \-in design2.tsr \e -\& \-CAfile cacert.pem -.Ve -.PP -To verify a timestamp token against the original data file: - openssl ts \-verify \-data design2.txt \-in design2.tsr \e - \-CAfile cacert.pem -.PP -To verify a timestamp token against a message imprint: - openssl ts \-verify \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e - \-in design2.tsr \-CAfile cacert.pem -.PP -You could also look at the 'test' directory for more examples. -.SH "BUGS" -.IX Header "BUGS" -.IP "\(bu" 2 -No support for timestamps over \s-1SMTP,\s0 though it is quite easy -to implement an automatic e\-mail based \s-1TSA\s0 with \fBprocmail\fR\|(1) -and \fBperl\fR\|(1). \s-1HTTP\s0 server support is provided in the form of -a separate apache module. \s-1HTTP\s0 client support is provided by -\&\fBtsget\fR\|(1). Pure \s-1TCP/IP\s0 protocol is not supported. -.IP "\(bu" 2 -The file containing the last serial number of the \s-1TSA\s0 is not -locked when being read or written. This is a problem if more than one -instance of \fBopenssl\fR\|(1) is trying to create a timestamp -response at the same time. This is not an issue when using the apache -server module, it does proper locking. -.IP "\(bu" 2 -Look for the \s-1FIXME\s0 word in the source files. -.IP "\(bu" 2 -The source code should really be reviewed by somebody else, too. -.IP "\(bu" 2 -More testing is needed, I have done only some basic tests (see -test/testtsa). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fBtsget\fR\|(1), \fBopenssl\fR\|(1), \fBreq\fR\|(1), -\&\fBx509\fR\|(1), \fBca\fR\|(1), \fBgenrsa\fR\|(1), -\&\fBconfig\fR\|(5) -.SH "COPYRIGHT" -.IX Header "COPYRIGHT" -Copyright 2006\-2021 The OpenSSL Project Authors. All Rights Reserved. -.PP -Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use -this file except in compliance with the License. You can obtain a copy -in the file \s-1LICENSE\s0 in the source distribution or at -<https://www.openssl.org/source/license.html>. |