[B<-config> configfile]
[B<-data> file_to_hash]
[B<-digest> digest_bytes]
-[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>]
-[B<-policy> object_id]
+[B<-[digest]>]
+[B<-tspolicy> object_id]
[B<-no_nonce>]
[B<-cert>]
[B<-in> request.tsq]
[B<-passin> password_src]
[B<-signer> tsa_cert.pem]
[B<-inkey> private.pem]
+[B<-sha1|-sha224|-sha256|-sha384|-sha512>]
[B<-chain> certs_file.pem]
-[B<-policy> object_id]
+[B<-tspolicy> object_id]
[B<-in> response.tsr]
[B<-token_in>]
[B<-out> response.tsr]
[B<-CApath> trusted_cert_path]
[B<-CAfile> trusted_certs.pem]
[B<-untrusted> cert_file.pem]
+[I<verify options>]
+
+I<verify options:>
+[-attime timestamp]
+[-check_ss_sig]
+[-crl_check]
+[-crl_check_all]
+[-explicit_policy]
+[-extended_crl]
+[-ignore_critical]
+[-inhibit_any]
+[-inhibit_map]
+[-issuer_checks]
+[-no_alt_chains]
+[-no_check_time]
+[-partial_chain]
+[-policy arg]
+[-policy_check]
+[-policy_print]
+[-purpose purpose]
+[-suiteB_128]
+[-suiteB_128_only]
+[-suiteB_192]
+[-trusted_first]
+[-use_deltas]
+[-auth_level num]
+[-verify_depth num]
+[-verify_email email]
+[-verify_hostname hostname]
+[-verify_ip ip]
+[-verify_name name]
+[-x509_strict]
=head1 DESCRIPTION
It is possible to specify the message imprint explicitly without the data
file. The imprint must be specified in a hexadecimal format, two characters
per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or
-1AF601...). The number of bytes must match the message digest algorithm
+1AF601...). The number of bytes must match the message digest algorithm
in use. (Optional)
-=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>
+=item B<-[digest]>
-The message digest to apply to the data file. The default is SHA-1. (Optional)
+The message digest to apply to the data file.
+Any digest supported by the OpenSSL B<dgst> command can be used.
+The default is SHA-1. (Optional)
-=item B<-policy> object_id
+=item B<-tspolicy> object_id
The policy that the client expects the TSA to use for creating the
time stamp token. Either the dotted OID notation or OID names defined
=item B<-section> tsa_section
-The name of the config file section conatining the settings for the
+The name of the config file section containing the settings for the
response generation. If not specified the default TSA section is
used, see B<CONFIGURATION FILE OPTIONS> for details. (Optional)
=item B<-passin> password_src
Specifies the password source for the private key of the TSA. See
-B<PASS PHRASE ARGUMENTS> in L<openssl(1)|openssl(1)>. (Optional)
+B<PASS PHRASE ARGUMENTS> in L<openssl(1)>. (Optional)
=item B<-signer> tsa_cert.pem
The signer private key of the TSA in PEM format. Overrides the
B<signer_key> config file option. (Optional)
+=item B<-sha1|-sha224|-sha256|-sha384|-sha512>
+
+Signing digest to use. Overrides the B<signer_digest> config file
+option. (Optional)
+
=item B<-chain> certs_file.pem
The collection of certificates in PEM format that will all
issuer upwards. The B<-reply> command does not build a certificate
chain automatically. (Optional)
-=item B<-policy> object_id
+=item B<-tspolicy> object_id
The default policy to use for the response unless the client
explicitly requires a particular TSA policy. The OID can be specified
=item B<-engine> id
-Specifying an engine (by it's unique B<id> string) will cause B<ts>
+Specifying an engine (by its unique B<id> string) will cause B<ts>
to attempt to obtain a functional reference to the specified engine,
thus initialising it if needed. The engine will then be set as the default
for all available algorithms. Default is builtin. (Optional)
=item B<-data> file_to_hash
The response or token must be verified against file_to_hash. The file
-is hashed with the message digest algorithm specified in the token.
+is hashed with the message digest algorithm specified in the token.
The B<-digest> and B<-queryfile> options must not be specified with this one.
(Optional)
=item B<-CApath> trusted_cert_path
-The name of the directory containing the trused CA certificates of the
-client. See the similar option of L<verify(1)|verify(1)> for additional
+The name of the directory containing the trusted CA certificates of the
+client. See the similar option of L<verify(1)> for additional
details. Either this option or B<-CAfile> must be specified. (Optional)
=item B<-CAfile> trusted_certs.pem
-The name of the file containing a set of trusted self-signed CA
-certificates in PEM format. See the similar option of
-L<verify(1)|verify(1)> for additional details. Either this option
+The name of the file containing a set of trusted self-signed CA
+certificates in PEM format. See the similar option of
+L<verify(1)> for additional details. Either this option
or B<-CApath> must be specified.
(Optional)
all intermediate CA certificates unless the response includes them.
(Optional)
+=item I<verify options>
+
+The options B<-attime timestamp>, B<-check_ss_sig>, B<-crl_check>,
+B<-crl_check_all>, B<-explicit_policy>, B<-extended_crl>, B<-ignore_critical>,
+B<-inhibit_any>, B<-inhibit_map>, B<-issuer_checks>, B<-no_alt_chains>,
+B<-no_check_time>, B<-partial_chain>, B<-policy>, B<-policy_check>,
+B<-policy_print>, B<-purpose>, B<-suiteB_128>, B<-suiteB_128_only>,
+B<-suiteB_192>, B<-trusted_first>, B<-use_deltas>, B<-auth_level>,
+B<-verify_depth>, B<-verify_email>, B<-verify_hostname>, B<-verify_ip>,
+B<-verify_name>, and B<-x509_strict> can be used to control timestamp
+verification. See L<verify(1)>.
+
=back
=head1 CONFIGURATION FILE OPTIONS
The B<-query> and B<-reply> commands make use of a configuration file
-defined by the B<OPENSSL_CONF> environment variable. See L<config(5)|config(5>
+defined by the B<OPENSSL_CONF> environment variable. See L<config(5)>
for a general description of the syntax of the config file. The
B<-query> command uses only the symbolic OID names section
and it can work without it. However, the B<-reply> command needs the
=over 4
-=item B<tsa> section, B<default_tsa>
+=item B<tsa> section, B<default_tsa>
This is the main section and it specifies the name of another section
that contains all the options for the B<-reply> command. This default
-section can be overriden with the B<-section> command line switch. (Optional)
+section can be overridden with the B<-section> command line switch. (Optional)
=item B<oid_file>
-See L<ca(1)|ca(1)> for description. (Optional)
+See L<ca(1)> for description. (Optional)
=item B<oid_section>
-See L<ca(1)|ca(1)> for description. (Optional)
+See L<ca(1)> for description. (Optional)
=item B<RANDFILE>
-See L<ca(1)|ca(1)> for description. (Optional)
+See L<ca(1)> for description. (Optional)
=item B<serial>
The name of the file containing the hexadecimal serial number of the
last time stamp response created. This number is incremented by 1 for
-each response. If the file does not exit at the time of response
+each response. If the file does not exist at the time of response
generation a new file is created with serial number 1. (Mandatory)
=item B<crypto_device>
-Specifies the OpenSSL engine that will be set as the default for
-all available algorithms. The default value is builtin, you can specify
+Specifies the OpenSSL engine that will be set as the default for
+all available algorithms. The default value is builtin, you can specify
any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM).
(Optional)
The private key of the TSA in PEM format. The same as the B<-inkey>
command line option. (Optional)
+=item B<signer_digest>
+
+Signing digest to use. The same as the
+B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional)
+
=item B<default_policy>
The default policy to use when the request does not mandate any
-policy. The same as the B<-policy> command line option. (Optional)
+policy. The same as the B<-tspolicy> command line option. (Optional)
=item B<other_policies>
=item B<clock_precision_digits>
-Specifies the maximum number of digits, which represent the fraction of
+Specifies the maximum number of digits, which represent the fraction of
seconds, that need to be included in the time field. The trailing zeroes
must be removed from the time, so there might actually be fewer digits,
or no fraction of seconds at all. Supported only on UNIX platforms.
=head1 ENVIRONMENT VARIABLES
B<OPENSSL_CONF> contains the path of the configuration file and can be
-overriden by the B<-config> command line option.
+overridden by the B<-config> command line option.
=head1 EXAMPLES
All the examples below presume that B<OPENSSL_CONF> is set to a proper
-configuration file, e.g. the example configuration file
+configuration file, e.g. the example configuration file
openssl/apps/openssl.cnf will do.
=head2 Time Stamp Request
-To create a time stamp request for design1.txt with SHA-1
+To create a time stamp request for design1.txt with SHA-1
without nonce and policy and no certificate is required in the response:
openssl ts -query -data design1.txt -no_nonce \
openssl ts -query -in design1.tsq -text
-To create a time stamp request which includes the MD-5 digest
+To create a time stamp request which includes the MD-5 digest
of design2.txt, requests the signer certificate and nonce,
specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):
openssl ts -query -data design2.txt -md5 \
- -policy tsa_policy1 -cert -out design2.tsq
+ -tspolicy tsa_policy1 -cert -out design2.tsq
=head2 Time Stamp Response
the TSA that contains the B<timeStamping> critical extended key usage extension
without any other key usage extensions. You can add the
'extendedKeyUsage = critical,timeStamping' line to the user certificate section
-of the config file to generate a proper certificate. See L<req(1)|req(1)>,
-L<ca(1)|ca(1)>, L<x509(1)|x509(1)> for instructions. The examples
+of the config file to generate a proper certificate. See L<req(1)>,
+L<ca(1)>, L<x509(1)> for instructions. The examples
below assume that cacert.pem contains the certificate of the CA,
tsacert.pem is the signing certificate issued by cacert.pem and
tsakey.pem is the private key of the TSA.
=over 4
=item * No support for time stamps over SMTP, though it is quite easy
-to implement an automatic e-mail based TSA with L<procmail(1)|procmail(1)>
-and L<perl(1)|perl(1)>. HTTP server support is provided in the form of
+to implement an automatic e-mail based TSA with L<procmail(1)>
+and L<perl(1)>. HTTP server support is provided in the form of
a separate apache module. HTTP client support is provided by
-L<tsget(1)|tsget(1)>. Pure TCP/IP protocol is not supported.
+L<tsget(1)>. Pure TCP/IP protocol is not supported.
=item * The file containing the last serial number of the TSA is not
locked when being read or written. This is a problem if more than one
-instance of L<openssl(1)|openssl(1)> is trying to create a time stamp
+instance of L<openssl(1)> is trying to create a time stamp
response at the same time. This is not an issue when using the apache
server module, it does proper locking.
=cut
-=head1 AUTHOR
-
-Zoltan Glozik <zglozik@opentsa.org>, OpenTSA project (http://www.opentsa.org)
-
=head1 SEE ALSO
-L<tsget(1)|tsget(1)>, L<openssl(1)|openssl(1)>, L<req(1)|req(1)>,
-L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
-L<config(5)|config(5)>
+L<tsget(1)>, L<openssl(1)>, L<req(1)>,
+L<x509(1)>, L<ca(1)>, L<genrsa(1)>,
+L<config(5)>
=cut
projects / openssl.git / blobdiff