]>
Commit | Line | Data |
---|---|---|
c7235be6 UM |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
5 | ts - Time Stamping Authority tool (client/server) | |
6 | ||
7 | =head1 SYNOPSIS | |
8 | ||
9 | B<openssl> B<ts> | |
10 | B<-query> | |
11 | [B<-rand> file:file...] | |
12 | [B<-config> configfile] | |
13 | [B<-data> file_to_hash] | |
14 | [B<-digest> digest_bytes] | |
c03726ca | 15 | [B<-[digest]>] |
08538fc0 | 16 | [B<-tspolicy> object_id] |
c7235be6 UM |
17 | [B<-no_nonce>] |
18 | [B<-cert>] | |
19 | [B<-in> request.tsq] | |
20 | [B<-out> request.tsq] | |
21 | [B<-text>] | |
22 | ||
23 | B<openssl> B<ts> | |
24 | B<-reply> | |
25 | [B<-config> configfile] | |
26 | [B<-section> tsa_section] | |
27 | [B<-queryfile> request.tsq] | |
28 | [B<-passin> password_src] | |
29 | [B<-signer> tsa_cert.pem] | |
30 | [B<-inkey> private.pem] | |
2cc7acd2 | 31 | [B<-sha1|-sha224|-sha256|-sha384|-sha512>] |
c7235be6 | 32 | [B<-chain> certs_file.pem] |
08538fc0 | 33 | [B<-tspolicy> object_id] |
c7235be6 UM |
34 | [B<-in> response.tsr] |
35 | [B<-token_in>] | |
36 | [B<-out> response.tsr] | |
37 | [B<-token_out>] | |
38 | [B<-text>] | |
39 | [B<-engine> id] | |
40 | ||
41 | B<openssl> B<ts> | |
42 | B<-verify> | |
43 | [B<-data> file_to_hash] | |
44 | [B<-digest> digest_bytes] | |
45 | [B<-queryfile> request.tsq] | |
46 | [B<-in> response.tsr] | |
47 | [B<-token_in>] | |
48 | [B<-CApath> trusted_cert_path] | |
49 | [B<-CAfile> trusted_certs.pem] | |
50 | [B<-untrusted> cert_file.pem] | |
08538fc0 | 51 | [I<verify options>] |
52 | ||
53 | I<verify options:> | |
54 | [-attime timestamp] | |
55 | [-check_ss_sig] | |
56 | [-crl_check] | |
57 | [-crl_check_all] | |
58 | [-explicit_policy] | |
59 | [-extended_crl] | |
60 | [-ignore_critical] | |
61 | [-inhibit_any] | |
62 | [-inhibit_map] | |
63 | [-issuer_checks] | |
64 | [-no_alt_chains] | |
65 | [-no_check_time] | |
66 | [-partial_chain] | |
67 | [-policy arg] | |
68 | [-policy_check] | |
69 | [-policy_print] | |
70 | [-purpose purpose] | |
71 | [-suiteB_128] | |
72 | [-suiteB_128_only] | |
73 | [-suiteB_192] | |
74 | [-trusted_first] | |
75 | [-use_deltas] | |
fbb82a60 | 76 | [-auth_level num] |
08538fc0 | 77 | [-verify_depth num] |
78 | [-verify_email email] | |
79 | [-verify_hostname hostname] | |
80 | [-verify_ip ip] | |
81 | [-verify_name name] | |
82 | [-x509_strict] | |
c7235be6 UM |
83 | |
84 | =head1 DESCRIPTION | |
85 | ||
86 | The B<ts> command is a basic Time Stamping Authority (TSA) client and server | |
87 | application as specified in RFC 3161 (Time-Stamp Protocol, TSP). A | |
88 | TSA can be part of a PKI deployment and its role is to provide long | |
89 | term proof of the existence of a certain datum before a particular | |
90 | time. Here is a brief description of the protocol: | |
91 | ||
92 | =over 4 | |
93 | ||
94 | =item 1. | |
95 | ||
96 | The TSA client computes a one-way hash value for a data file and sends | |
97 | the hash to the TSA. | |
98 | ||
99 | =item 2. | |
100 | ||
101 | The TSA attaches the current date and time to the received hash value, | |
102 | signs them and sends the time stamp token back to the client. By | |
103 | creating this token the TSA certifies the existence of the original | |
104 | data file at the time of response generation. | |
105 | ||
106 | =item 3. | |
107 | ||
108 | The TSA client receives the time stamp token and verifies the | |
109 | signature on it. It also checks if the token contains the same hash | |
110 | value that it had sent to the TSA. | |
111 | ||
112 | =back | |
113 | ||
114 | There is one DER encoded protocol data unit defined for transporting a time | |
115 | stamp request to the TSA and one for sending the time stamp response | |
116 | back to the client. The B<ts> command has three main functions: | |
117 | creating a time stamp request based on a data file, | |
118 | creating a time stamp response based on a request, verifying if a | |
119 | response corresponds to a particular request or a data file. | |
120 | ||
121 | There is no support for sending the requests/responses automatically | |
122 | over HTTP or TCP yet as suggested in RFC 3161. The users must send the | |
123 | requests either by ftp or e-mail. | |
124 | ||
125 | =head1 OPTIONS | |
126 | ||
127 | =head2 Time Stamp Request generation | |
128 | ||
129 | The B<-query> switch can be used for creating and printing a time stamp | |
130 | request with the following options: | |
131 | ||
132 | =over 4 | |
133 | ||
134 | =item B<-rand> file:file... | |
135 | ||
136 | The files containing random data for seeding the random number | |
137 | generator. Multiple files can be specified, the separator is B<;> for | |
138 | MS-Windows, B<,> for VMS and B<:> for all other platforms. (Optional) | |
139 | ||
140 | =item B<-config> configfile | |
141 | ||
142 | The configuration file to use, this option overrides the | |
143 | B<OPENSSL_CONF> environment variable. Only the OID section | |
144 | of the config file is used with the B<-query> command. (Optional) | |
145 | ||
146 | =item B<-data> file_to_hash | |
147 | ||
148 | The data file for which the time stamp request needs to be | |
149 | created. stdin is the default if neither the B<-data> nor the B<-digest> | |
150 | parameter is specified. (Optional) | |
151 | ||
152 | =item B<-digest> digest_bytes | |
153 | ||
154 | It is possible to specify the message imprint explicitly without the data | |
155 | file. The imprint must be specified in a hexadecimal format, two characters | |
156 | per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or | |
4c583c36 | 157 | 1AF601...). The number of bytes must match the message digest algorithm |
c7235be6 UM |
158 | in use. (Optional) |
159 | ||
c03726ca | 160 | =item B<-[digest]> |
c7235be6 | 161 | |
c03726ca RS |
162 | The message digest to apply to the data file. |
163 | Any digest supported by the OpenSSL B<dgst> command can be used. | |
11503177 | 164 | The default is SHA-1. (Optional) |
c7235be6 | 165 | |
08538fc0 | 166 | =item B<-tspolicy> object_id |
c7235be6 UM |
167 | |
168 | The policy that the client expects the TSA to use for creating the | |
169 | time stamp token. Either the dotted OID notation or OID names defined | |
170 | in the config file can be used. If no policy is requested the TSA will | |
171 | use its own default policy. (Optional) | |
172 | ||
173 | =item B<-no_nonce> | |
174 | ||
175 | No nonce is specified in the request if this option is | |
176 | given. Otherwise a 64 bit long pseudo-random none is | |
177 | included in the request. It is recommended to use nonce to | |
178 | protect against replay-attacks. (Optional) | |
179 | ||
180 | =item B<-cert> | |
181 | ||
182 | The TSA is expected to include its signing certificate in the | |
183 | response. (Optional) | |
184 | ||
185 | =item B<-in> request.tsq | |
186 | ||
187 | This option specifies a previously created time stamp request in DER | |
188 | format that will be printed into the output file. Useful when you need | |
189 | to examine the content of a request in human-readable | |
190 | ||
191 | format. (Optional) | |
192 | ||
193 | =item B<-out> request.tsq | |
194 | ||
195 | Name of the output file to which the request will be written. Default | |
196 | is stdout. (Optional) | |
197 | ||
198 | =item B<-text> | |
199 | ||
200 | If this option is specified the output is human-readable text format | |
201 | instead of DER. (Optional) | |
202 | ||
203 | =back | |
204 | ||
205 | =head2 Time Stamp Response generation | |
206 | ||
207 | A time stamp response (TimeStampResp) consists of a response status | |
208 | and the time stamp token itself (ContentInfo), if the token generation was | |
209 | successful. The B<-reply> command is for creating a time stamp | |
210 | response or time stamp token based on a request and printing the | |
211 | response/token in human-readable format. If B<-token_out> is not | |
212 | specified the output is always a time stamp response (TimeStampResp), | |
213 | otherwise it is a time stamp token (ContentInfo). | |
214 | ||
215 | =over 4 | |
216 | ||
217 | =item B<-config> configfile | |
218 | ||
219 | The configuration file to use, this option overrides the | |
220 | B<OPENSSL_CONF> environment variable. See B<CONFIGURATION FILE | |
221 | OPTIONS> for configurable variables. (Optional) | |
222 | ||
223 | =item B<-section> tsa_section | |
224 | ||
4c583c36 | 225 | The name of the config file section containing the settings for the |
c7235be6 UM |
226 | response generation. If not specified the default TSA section is |
227 | used, see B<CONFIGURATION FILE OPTIONS> for details. (Optional) | |
228 | ||
229 | =item B<-queryfile> request.tsq | |
230 | ||
231 | The name of the file containing a DER encoded time stamp request. (Optional) | |
232 | ||
233 | =item B<-passin> password_src | |
234 | ||
235 | Specifies the password source for the private key of the TSA. See | |
9b86974e | 236 | B<PASS PHRASE ARGUMENTS> in L<openssl(1)>. (Optional) |
c7235be6 UM |
237 | |
238 | =item B<-signer> tsa_cert.pem | |
239 | ||
240 | The signer certificate of the TSA in PEM format. The TSA signing | |
241 | certificate must have exactly one extended key usage assigned to it: | |
242 | timeStamping. The extended key usage must also be critical, otherwise | |
243 | the certificate is going to be refused. Overrides the B<signer_cert> | |
244 | variable of the config file. (Optional) | |
245 | ||
246 | =item B<-inkey> private.pem | |
247 | ||
248 | The signer private key of the TSA in PEM format. Overrides the | |
249 | B<signer_key> config file option. (Optional) | |
250 | ||
2cc7acd2 | 251 | =item B<-sha1|-sha224|-sha256|-sha384|-sha512> |
e20b4727 DSH |
252 | |
253 | Signing digest to use. Overrides the B<signer_digest> config file | |
254 | option. (Optional) | |
255 | ||
c7235be6 UM |
256 | =item B<-chain> certs_file.pem |
257 | ||
258 | The collection of certificates in PEM format that will all | |
259 | be included in the response in addition to the signer certificate if | |
260 | the B<-cert> option was used for the request. This file is supposed to | |
261 | contain the certificate chain for the signer certificate from its | |
262 | issuer upwards. The B<-reply> command does not build a certificate | |
263 | chain automatically. (Optional) | |
264 | ||
08538fc0 | 265 | =item B<-tspolicy> object_id |
c7235be6 UM |
266 | |
267 | The default policy to use for the response unless the client | |
268 | explicitly requires a particular TSA policy. The OID can be specified | |
269 | either in dotted notation or with its name. Overrides the | |
270 | B<default_policy> config file option. (Optional) | |
271 | ||
272 | =item B<-in> response.tsr | |
273 | ||
274 | Specifies a previously created time stamp response or time stamp token | |
275 | (if B<-token_in> is also specified) in DER format that will be written | |
276 | to the output file. This option does not require a request, it is | |
277 | useful e.g. when you need to examine the content of a response or | |
278 | token or you want to extract the time stamp token from a response. If | |
279 | the input is a token and the output is a time stamp response a default | |
280 | 'granted' status info is added to the token. (Optional) | |
281 | ||
282 | =item B<-token_in> | |
283 | ||
284 | This flag can be used together with the B<-in> option and indicates | |
285 | that the input is a DER encoded time stamp token (ContentInfo) instead | |
286 | of a time stamp response (TimeStampResp). (Optional) | |
287 | ||
288 | =item B<-out> response.tsr | |
289 | ||
290 | The response is written to this file. The format and content of the | |
291 | file depends on other options (see B<-text>, B<-token_out>). The default is | |
292 | stdout. (Optional) | |
293 | ||
294 | =item B<-token_out> | |
295 | ||
296 | The output is a time stamp token (ContentInfo) instead of time stamp | |
297 | response (TimeStampResp). (Optional) | |
298 | ||
299 | =item B<-text> | |
300 | ||
301 | If this option is specified the output is human-readable text format | |
302 | instead of DER. (Optional) | |
303 | ||
304 | =item B<-engine> id | |
305 | ||
e5fa864f | 306 | Specifying an engine (by its unique B<id> string) will cause B<ts> |
c7235be6 UM |
307 | to attempt to obtain a functional reference to the specified engine, |
308 | thus initialising it if needed. The engine will then be set as the default | |
309 | for all available algorithms. Default is builtin. (Optional) | |
310 | ||
311 | =back | |
312 | ||
313 | =head2 Time Stamp Response verification | |
314 | ||
315 | The B<-verify> command is for verifying if a time stamp response or time | |
316 | stamp token is valid and matches a particular time stamp request or | |
317 | data file. The B<-verify> command does not use the configuration file. | |
318 | ||
319 | =over 4 | |
320 | ||
321 | =item B<-data> file_to_hash | |
322 | ||
323 | The response or token must be verified against file_to_hash. The file | |
4c583c36 | 324 | is hashed with the message digest algorithm specified in the token. |
c7235be6 UM |
325 | The B<-digest> and B<-queryfile> options must not be specified with this one. |
326 | (Optional) | |
327 | ||
328 | =item B<-digest> digest_bytes | |
329 | ||
330 | The response or token must be verified against the message digest specified | |
331 | with this option. The number of bytes must match the message digest algorithm | |
332 | specified in the token. The B<-data> and B<-queryfile> options must not be | |
333 | specified with this one. (Optional) | |
334 | ||
335 | =item B<-queryfile> request.tsq | |
336 | ||
337 | The original time stamp request in DER format. The B<-data> and B<-digest> | |
338 | options must not be specified with this one. (Optional) | |
339 | ||
340 | =item B<-in> response.tsr | |
341 | ||
342 | The time stamp response that needs to be verified in DER format. (Mandatory) | |
343 | ||
344 | =item B<-token_in> | |
345 | ||
346 | This flag can be used together with the B<-in> option and indicates | |
347 | that the input is a DER encoded time stamp token (ContentInfo) instead | |
348 | of a time stamp response (TimeStampResp). (Optional) | |
349 | ||
350 | =item B<-CApath> trusted_cert_path | |
351 | ||
4c583c36 | 352 | The name of the directory containing the trusted CA certificates of the |
9b86974e | 353 | client. See the similar option of L<verify(1)> for additional |
c7235be6 UM |
354 | details. Either this option or B<-CAfile> must be specified. (Optional) |
355 | ||
356 | ||
357 | =item B<-CAfile> trusted_certs.pem | |
358 | ||
4c583c36 AM |
359 | The name of the file containing a set of trusted self-signed CA |
360 | certificates in PEM format. See the similar option of | |
9b86974e | 361 | L<verify(1)> for additional details. Either this option |
c7235be6 UM |
362 | or B<-CApath> must be specified. |
363 | (Optional) | |
364 | ||
365 | =item B<-untrusted> cert_file.pem | |
366 | ||
367 | Set of additional untrusted certificates in PEM format which may be | |
368 | needed when building the certificate chain for the TSA's signing | |
369 | certificate. This file must contain the TSA signing certificate and | |
370 | all intermediate CA certificates unless the response includes them. | |
371 | (Optional) | |
372 | ||
08538fc0 | 373 | =item I<verify options> |
374 | ||
fbb82a60 VD |
375 | The options B<-attime timestamp>, B<-check_ss_sig>, B<-crl_check>, |
376 | B<-crl_check_all>, B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>, | |
377 | B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-no_alt_chains>, | |
378 | B<-no_check_time>, B<-partial_chain>, B<-policy>, B<-policy_check>, | |
379 | B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>, | |
380 | B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, B<-auth_level>, | |
381 | B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>, | |
382 | B<-verify_name>, and B<-x509_strict> can be used to control timestamp | |
383 | verification. See L<verify(1)>. | |
08538fc0 | 384 | |
c7235be6 UM |
385 | =back |
386 | ||
387 | =head1 CONFIGURATION FILE OPTIONS | |
388 | ||
389 | The B<-query> and B<-reply> commands make use of a configuration file | |
9b86974e | 390 | defined by the B<OPENSSL_CONF> environment variable. See L<config(5)> |
c7235be6 UM |
391 | for a general description of the syntax of the config file. The |
392 | B<-query> command uses only the symbolic OID names section | |
393 | and it can work without it. However, the B<-reply> command needs the | |
394 | config file for its operation. | |
395 | ||
396 | When there is a command line switch equivalent of a variable the | |
397 | switch always overrides the settings in the config file. | |
398 | ||
399 | =over 4 | |
400 | ||
4c583c36 | 401 | =item B<tsa> section, B<default_tsa> |
c7235be6 UM |
402 | |
403 | This is the main section and it specifies the name of another section | |
404 | that contains all the options for the B<-reply> command. This default | |
2b4ffc65 | 405 | section can be overridden with the B<-section> command line switch. (Optional) |
c7235be6 UM |
406 | |
407 | =item B<oid_file> | |
408 | ||
9b86974e | 409 | See L<ca(1)> for description. (Optional) |
c7235be6 UM |
410 | |
411 | =item B<oid_section> | |
412 | ||
9b86974e | 413 | See L<ca(1)> for description. (Optional) |
c7235be6 UM |
414 | |
415 | =item B<RANDFILE> | |
416 | ||
9b86974e | 417 | See L<ca(1)> for description. (Optional) |
c7235be6 UM |
418 | |
419 | =item B<serial> | |
420 | ||
421 | The name of the file containing the hexadecimal serial number of the | |
422 | last time stamp response created. This number is incremented by 1 for | |
28f7e60d | 423 | each response. If the file does not exist at the time of response |
c7235be6 UM |
424 | generation a new file is created with serial number 1. (Mandatory) |
425 | ||
426 | =item B<crypto_device> | |
427 | ||
4c583c36 AM |
428 | Specifies the OpenSSL engine that will be set as the default for |
429 | all available algorithms. The default value is builtin, you can specify | |
c7235be6 UM |
430 | any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM). |
431 | (Optional) | |
432 | ||
433 | =item B<signer_cert> | |
434 | ||
435 | TSA signing certificate in PEM format. The same as the B<-signer> | |
436 | command line option. (Optional) | |
437 | ||
438 | =item B<certs> | |
439 | ||
440 | A file containing a set of PEM encoded certificates that need to be | |
441 | included in the response. The same as the B<-chain> command line | |
442 | option. (Optional) | |
443 | ||
444 | =item B<signer_key> | |
445 | ||
446 | The private key of the TSA in PEM format. The same as the B<-inkey> | |
447 | command line option. (Optional) | |
448 | ||
e20b4727 DSH |
449 | =item B<signer_digest> |
450 | ||
451 | Signing digest to use. The same as the | |
2cc7acd2 | 452 | B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional) |
e20b4727 | 453 | |
c7235be6 UM |
454 | =item B<default_policy> |
455 | ||
456 | The default policy to use when the request does not mandate any | |
08538fc0 | 457 | policy. The same as the B<-tspolicy> command line option. (Optional) |
c7235be6 UM |
458 | |
459 | =item B<other_policies> | |
460 | ||
461 | Comma separated list of policies that are also acceptable by the TSA | |
462 | and used only if the request explicitly specifies one of them. (Optional) | |
463 | ||
464 | =item B<digests> | |
465 | ||
466 | The list of message digest algorithms that the TSA accepts. At least | |
467 | one algorithm must be specified. (Mandatory) | |
468 | ||
469 | =item B<accuracy> | |
470 | ||
471 | The accuracy of the time source of the TSA in seconds, milliseconds | |
472 | and microseconds. E.g. secs:1, millisecs:500, microsecs:100. If any of | |
473 | the components is missing zero is assumed for that field. (Optional) | |
474 | ||
475 | =item B<clock_precision_digits> | |
476 | ||
4c583c36 | 477 | Specifies the maximum number of digits, which represent the fraction of |
c7235be6 UM |
478 | seconds, that need to be included in the time field. The trailing zeroes |
479 | must be removed from the time, so there might actually be fewer digits, | |
480 | or no fraction of seconds at all. Supported only on UNIX platforms. | |
481 | The maximum value is 6, default is 0. | |
482 | (Optional) | |
483 | ||
484 | =item B<ordering> | |
485 | ||
486 | If this option is yes the responses generated by this TSA can always | |
487 | be ordered, even if the time difference between two responses is less | |
488 | than the sum of their accuracies. Default is no. (Optional) | |
489 | ||
490 | =item B<tsa_name> | |
491 | ||
492 | Set this option to yes if the subject name of the TSA must be included in | |
493 | the TSA name field of the response. Default is no. (Optional) | |
494 | ||
495 | =item B<ess_cert_id_chain> | |
496 | ||
497 | The SignedData objects created by the TSA always contain the | |
498 | certificate identifier of the signing certificate in a signed | |
499 | attribute (see RFC 2634, Enhanced Security Services). If this option | |
500 | is set to yes and either the B<certs> variable or the B<-chain> option | |
501 | is specified then the certificate identifiers of the chain will also | |
502 | be included in the SigningCertificate signed attribute. If this | |
503 | variable is set to no, only the signing certificate identifier is | |
504 | included. Default is no. (Optional) | |
505 | ||
506 | =back | |
507 | ||
508 | =head1 ENVIRONMENT VARIABLES | |
509 | ||
510 | B<OPENSSL_CONF> contains the path of the configuration file and can be | |
2b4ffc65 | 511 | overridden by the B<-config> command line option. |
c7235be6 UM |
512 | |
513 | =head1 EXAMPLES | |
514 | ||
515 | All the examples below presume that B<OPENSSL_CONF> is set to a proper | |
4c583c36 | 516 | configuration file, e.g. the example configuration file |
c7235be6 UM |
517 | openssl/apps/openssl.cnf will do. |
518 | ||
519 | =head2 Time Stamp Request | |
520 | ||
4c583c36 | 521 | To create a time stamp request for design1.txt with SHA-1 |
c7235be6 UM |
522 | without nonce and policy and no certificate is required in the response: |
523 | ||
524 | openssl ts -query -data design1.txt -no_nonce \ | |
525 | -out design1.tsq | |
526 | ||
527 | To create a similar time stamp request with specifying the message imprint | |
528 | explicitly: | |
529 | ||
530 | openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ | |
531 | -no_nonce -out design1.tsq | |
532 | ||
533 | To print the content of the previous request in human readable format: | |
534 | ||
535 | openssl ts -query -in design1.tsq -text | |
536 | ||
4c583c36 | 537 | To create a time stamp request which includes the MD-5 digest |
c7235be6 UM |
538 | of design2.txt, requests the signer certificate and nonce, |
539 | specifies a policy id (assuming the tsa_policy1 name is defined in the | |
540 | OID section of the config file): | |
541 | ||
542 | openssl ts -query -data design2.txt -md5 \ | |
08538fc0 | 543 | -tspolicy tsa_policy1 -cert -out design2.tsq |
c7235be6 UM |
544 | |
545 | =head2 Time Stamp Response | |
546 | ||
547 | Before generating a response a signing certificate must be created for | |
548 | the TSA that contains the B<timeStamping> critical extended key usage extension | |
549 | without any other key usage extensions. You can add the | |
550 | 'extendedKeyUsage = critical,timeStamping' line to the user certificate section | |
9b86974e RS |
551 | of the config file to generate a proper certificate. See L<req(1)>, |
552 | L<ca(1)>, L<x509(1)> for instructions. The examples | |
c7235be6 UM |
553 | below assume that cacert.pem contains the certificate of the CA, |
554 | tsacert.pem is the signing certificate issued by cacert.pem and | |
555 | tsakey.pem is the private key of the TSA. | |
556 | ||
557 | To create a time stamp response for a request: | |
558 | ||
559 | openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \ | |
560 | -signer tsacert.pem -out design1.tsr | |
561 | ||
562 | If you want to use the settings in the config file you could just write: | |
563 | ||
564 | openssl ts -reply -queryfile design1.tsq -out design1.tsr | |
565 | ||
566 | To print a time stamp reply to stdout in human readable format: | |
567 | ||
568 | openssl ts -reply -in design1.tsr -text | |
569 | ||
570 | To create a time stamp token instead of time stamp response: | |
571 | ||
572 | openssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out | |
573 | ||
574 | To print a time stamp token to stdout in human readable format: | |
575 | ||
576 | openssl ts -reply -in design1_token.der -token_in -text -token_out | |
577 | ||
578 | To extract the time stamp token from a response: | |
579 | ||
580 | openssl ts -reply -in design1.tsr -out design1_token.der -token_out | |
581 | ||
582 | To add 'granted' status info to a time stamp token thereby creating a | |
583 | valid response: | |
584 | ||
585 | openssl ts -reply -in design1_token.der -token_in -out design1.tsr | |
586 | ||
587 | =head2 Time Stamp Verification | |
588 | ||
589 | To verify a time stamp reply against a request: | |
590 | ||
591 | openssl ts -verify -queryfile design1.tsq -in design1.tsr \ | |
592 | -CAfile cacert.pem -untrusted tsacert.pem | |
593 | ||
594 | To verify a time stamp reply that includes the certificate chain: | |
595 | ||
596 | openssl ts -verify -queryfile design2.tsq -in design2.tsr \ | |
597 | -CAfile cacert.pem | |
598 | ||
599 | To verify a time stamp token against the original data file: | |
600 | openssl ts -verify -data design2.txt -in design2.tsr \ | |
601 | -CAfile cacert.pem | |
602 | ||
603 | To verify a time stamp token against a message imprint: | |
604 | openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \ | |
605 | -in design2.tsr -CAfile cacert.pem | |
606 | ||
607 | You could also look at the 'test' directory for more examples. | |
608 | ||
609 | =head1 BUGS | |
610 | ||
611 | If you find any bugs or you have suggestions please write to | |
612 | Zoltan Glozik <zglozik@opentsa.org>. Known issues: | |
613 | ||
614 | =over 4 | |
615 | ||
616 | =item * No support for time stamps over SMTP, though it is quite easy | |
9b86974e RS |
617 | to implement an automatic e-mail based TSA with L<procmail(1)> |
618 | and L<perl(1)>. HTTP server support is provided in the form of | |
c7235be6 | 619 | a separate apache module. HTTP client support is provided by |
9b86974e | 620 | L<tsget(1)>. Pure TCP/IP protocol is not supported. |
c7235be6 UM |
621 | |
622 | =item * The file containing the last serial number of the TSA is not | |
623 | locked when being read or written. This is a problem if more than one | |
9b86974e | 624 | instance of L<openssl(1)> is trying to create a time stamp |
c7235be6 UM |
625 | response at the same time. This is not an issue when using the apache |
626 | server module, it does proper locking. | |
627 | ||
628 | =item * Look for the FIXME word in the source files. | |
629 | ||
630 | =item * The source code should really be reviewed by somebody else, too. | |
631 | ||
632 | =item * More testing is needed, I have done only some basic tests (see | |
633 | test/testtsa). | |
634 | ||
635 | =back | |
636 | ||
637 | =cut | |
638 | ||
c7235be6 UM |
639 | =head1 SEE ALSO |
640 | ||
9b86974e RS |
641 | L<tsget(1)>, L<openssl(1)>, L<req(1)>, |
642 | L<x509(1)>, L<ca(1)>, L<genrsa(1)>, | |
643 | L<config(5)> | |
c7235be6 UM |
644 | |
645 | =cut | |
e2f92610 RS |
646 | |
647 | =head1 COPYRIGHT | |
648 | ||
649 | Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. | |
650 | ||
651 | Licensed under the OpenSSL license (the "License"). You may not use | |
652 | this file except in compliance with the License. You can obtain a copy | |
653 | in the file LICENSE in the source distribution or at | |
654 | L<https://www.openssl.org/source/license.html>. | |
655 | ||
656 | =cut |