Section: OpenSSL (1SSL)
openssl ts -query [-rand file:file...] [-config configfile] [-data file_to_hash] [-digest digest_bytes] [-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160|...] [-policy object_id] [-no_nonce] [-cert] [-in request.tsq] [-out request.tsq] [-text]
openssl ts -reply [-config configfile] [-section tsa_section] [-queryfile request.tsq] [-passin password_src] [-signer tsa_cert.pem] [-inkey private.pem] [-chain certs_file.pem] [-policy object_id] [-in response.tsr] [-token_in] [-out response.tsr] [-token_out] [-text] [-engine id]
openssl ts -verify [-data file_to_hash] [-digest digest_bytes] [-queryfile request.tsq] [-in response.tsr] [-token_in] [-CApath trusted_cert_path] [-CAfile trusted_certs.pem] [-untrusted cert_file.pem]
The ts command is a basic Time Stamping Authority (TSA) client and server application as specified in RFC 3161 (Time-Stamp Protocol, TSP). A TSA can be part of a PKI deployment and its role is to provide long term proof of the existence of a certain datum before a particular time. Here is a brief description of the protocol:
There is one DER encoded protocol data unit defined for transporting a time stamp request to the TSA and one for sending the time stamp response back to the client. The ts command has three main functions: creating a time stamp request based on a data file, creating a time stamp response based on a request, verifying if a response corresponds to a particular request or a data file.
The -query switch can be used for creating and printing a time stamp request with the following options:
A time stamp response (TimeStampResp) consists of a response status and the time stamp token itself (ContentInfo), if the token generation was successful. The -reply command is for creating a time stamp response or time stamp token based on a request and printing the response/token in human-readable format. If -token_out is not specified the output is always a time stamp response (TimeStampResp), otherwise it is a time stamp token (ContentInfo).
The -verify command is for verifying if a time stamp response or time stamp token is valid and matches a particular time stamp request or data file. The -verify command does not use the configuration file.
The -query and -reply commands make use of a configuration file defined by the OPENSSL_CONF environment variable. See config(5) for a general description of the syntax of the config file. The -query command uses only the symbolic OID names section and it can work without it. However, the -reply command needs the config file for its operation.
When there is a command line switch equivalent of a variable, the switch always overrides the settings in the config file.
To create a time stamp request for design1.txt with SHA-1, without a nonce or policy, and with no certificate required in the response:
openssl ts -query -data design1.txt -no_nonce \
    -out design1.tsq
To create a similar time stamp request that specifies the message imprint explicitly:
openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
    -no_nonce -out design1.tsq
To print the content of the previous request in human readable format:
openssl ts -query -in design1.tsq -text
To create a time stamp request which includes the MD-5 digest of design2.txt, requests the signer certificate and nonce, specifies a policy id (assuming the tsa_policy1 name is defined in the OID section of the config file):
openssl ts -query -data design2.txt -md5 \
    -policy tsa_policy1 -cert -out design2.tsq
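The request examples above, as an added Python sketch (not part of the OpenSSL documentation or code): it builds the DER TimeStampReq that RFC 3161 defines for the -digest example and parses a request back into the fields a reviewer checks (hash algorithm, nonce, certificate request). The names der, tlv, build_tsq, parse_tsq and REQ are made up for this example, and only short-form DER lengths (requests under 128 bytes) are handled.

```python
HASH_OIDS = {  # added example, not OpenSSL code: digest OID bytes -> name
    bytes.fromhex("2a864886f70d0205"): "md5",
    bytes.fromhex("2b0e03021a"): "sha1",
    bytes.fromhex("608648016503040201"): "sha256",
}

def der(tag, value):
    """Encode one TLV; short-form length only (value under 128 bytes)."""
    if len(value) > 0x7F:
        raise ValueError("value too long for short-form length")
    return bytes([tag, len(value)]) + value

def tlv(buf, pos):
    """Decode one short-form TLV at pos; return (tag, value, next_pos)."""
    head = buf[pos:pos + 2]
    if len(head) < 2 or head[1] & 0x80 or pos + 2 + head[1] > len(buf):
        raise ValueError("truncated or long-form TLV")
    return head[0], buf[pos + 2:pos + 2 + head[1]], pos + 2 + head[1]

def build_tsq(hash_name, digest, nonce=None, cert_req=False):
    """TimeStampReq v1, as -digest makes it; nonce and -cert are optional."""
    oid = next(k for k, v in HASH_OIDS.items() if v == hash_name)
    algid = der(0x30, der(0x06, oid) + der(0x05, b""))
    body = der(0x02, b"\x01") + der(0x30, algid + der(0x04, digest))
    if nonce is not None:  # positive INTEGER, minimal encoding
        body += der(0x02, nonce.to_bytes(nonce.bit_length() // 8 + 1, "big"))
    if cert_req:
        body += der(0x01, b"\xff")
    return der(0x30, body)

def parse_tsq(req):
    """Return the fields of a TimeStampReq that matter in a review."""
    tag, body, end = tlv(req, 0)
    if tag != 0x30 or end != len(req):
        raise ValueError("expected exactly one DER SEQUENCE")
    _, version, pos = tlv(body, 0)
    _, imprint, pos = tlv(body, pos)
    _, algid, ipos = tlv(imprint, 0)
    name = HASH_OIDS.get(tlv(algid, 0)[1], "unknown")
    out = {"version": version[0], "hash": name, "weak_hash": name in ("md5", "sha1"),
           "digest": tlv(imprint, ipos)[1].hex(), "nonce": False, "cert_req": False}
    while pos < len(body):  # optional tail: policy OID, nonce, certReq
        tag, val, pos = tlv(body, pos)
        out["nonce"] |= tag == 0x02
        out["cert_req"] |= tag == 0x01 and val != b"\x00"
    return out

# The request of the -digest example above: SHA-1, -no_nonce, no -cert.
REQ = build_tsq("sha1", bytes.fromhex("b7e5d3f93198b38379852f2c04e78d73abdd0f4b"))
```

Without a nonce, an older reply for the same imprint matches the request just as well, and weak_hash marks the MD5 and SHA-1 imprints used in the examples as collision-prone.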
Before generating a response a signing certificate must be created for the TSA that contains the timeStamping critical extended key usage extension without any other key usage extensions. You can add the 'extendedKeyUsage = critical,timeStamping' line to the user certificate section of the config file to generate a proper certificate. See req(1), ca(1), x509(1) for instructions. The examples below assume that cacert.pem contains the certificate of the CA, tsacert.pem is the signing certificate issued by cacert.pem and tsakey.pem is the private key of the TSA.
To create a time stamp response for a request:
openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \
    -signer tsacert.pem -out design1.tsr
If you want to use the settings in the config file you could just write:
openssl ts -reply -queryfile design1.tsq -out design1.tsr
To print a time stamp reply to stdout in human readable format:
openssl ts -reply -in design1.tsr -text
To create a time stamp token instead of time stamp response:
openssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out
To print a time stamp token to stdout in human readable format:
openssl ts -reply -in design1_token.der -token_in -text -token_out
To extract the time stamp token from a response:
openssl ts -reply -in design1.tsr -out design1_token.der -token_out
To add 'granted' status info to a time stamp token thereby creating a valid response:
openssl ts -reply -in design1_token.der -token_in -out design1.tsr
To verify a time stamp reply against a request:
openssl ts -verify -queryfile design1.tsq -in design1.tsr \
    -CAfile cacert.pem -untrusted tsacert.pem
To verify a time stamp reply that includes the certificate chain:
openssl ts -verify -queryfile design2.tsq -in design2.tsr \
    -CAfile cacert.pem
To verify a time stamp token against the original data file:
openssl ts -verify -data design2.txt -in design2.tsr \
    -CAfile cacert.pem
To verify a time stamp token against a message imprint:
openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
    -in design2.tsr -CAfile cacert.pem
If you find any bugs or you have suggestions please write to Zoltan Glozik <firstname.lastname@example.org>. Known issues: