1 |
.\" $MidnightBSD$ |
2 |
.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) |
3 |
.\" |
4 |
.\" Standard preamble: |
5 |
.\" ======================================================================== |
6 |
.de Sp \" Vertical space (when we can't use .PP) |
7 |
.if t .sp .5v |
8 |
.if n .sp |
9 |
.. |
10 |
.de Vb \" Begin verbatim text |
11 |
.ft CW |
12 |
.nf |
13 |
.ne \\$1 |
14 |
.. |
15 |
.de Ve \" End verbatim text |
16 |
.ft R |
17 |
.fi |
18 |
.. |
19 |
.\" Set up some character translations and predefined strings. \*(-- will |
20 |
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left |
21 |
.\" double quote, and \*(R" will give a right double quote. \*(C+ will |
22 |
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and |
23 |
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, |
24 |
.\" nothing in troff, for use with C<>. |
25 |
.tr \(*W- |
26 |
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' |
27 |
.ie n \{\ |
28 |
. ds -- \(*W- |
29 |
. ds PI pi |
30 |
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch |
31 |
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch |
32 |
. ds L" "" |
33 |
. ds R" "" |
34 |
. ds C` "" |
35 |
. ds C' "" |
36 |
'br\} |
37 |
.el\{\ |
38 |
. ds -- \|\(em\| |
39 |
. ds PI \(*p |
40 |
. ds L" `` |
41 |
. ds R" '' |
42 |
. ds C` |
43 |
. ds C' |
44 |
'br\} |
45 |
.\" |
46 |
.\" Escape single quotes in literal strings from groff's Unicode transform. |
47 |
.ie \n(.g .ds Aq \(aq |
48 |
.el .ds Aq ' |
49 |
.\" |
50 |
.\" If the F register is >0, we'll generate index entries on stderr for |
51 |
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index |
52 |
.\" entries marked with X<> in POD. Of course, you'll have to process the |
53 |
.\" output yourself in some meaningful fashion. |
54 |
.\" |
55 |
.\" Avoid warning from groff about undefined register 'F'. |
56 |
.de IX |
57 |
.. |
58 |
.if !\nF .nr F 0 |
59 |
.if \nF>0 \{\ |
60 |
. de IX |
61 |
. tm Index:\\$1\t\\n%\t"\\$2" |
62 |
.. |
63 |
. if !\nF==2 \{\ |
64 |
. nr % 0 |
65 |
. nr F 2 |
66 |
. \} |
67 |
.\} |
68 |
.\" |
69 |
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). |
70 |
.\" Fear. Run. Save yourself. No user-serviceable parts. |
71 |
. \" fudge factors for nroff and troff |
72 |
.if n \{\ |
73 |
. ds #H 0 |
74 |
. ds #V .8m |
75 |
. ds #F .3m |
76 |
. ds #[ \f1 |
77 |
. ds #] \fP |
78 |
.\} |
79 |
.if t \{\ |
80 |
. ds #H ((1u-(\\\\n(.fu%2u))*.13m) |
81 |
. ds #V .6m |
82 |
. ds #F 0 |
83 |
. ds #[ \& |
84 |
. ds #] \& |
85 |
.\} |
86 |
. \" simple accents for nroff and troff |
87 |
.if n \{\ |
88 |
. ds ' \& |
89 |
. ds ` \& |
90 |
. ds ^ \& |
91 |
. ds , \& |
92 |
. ds ~ ~ |
93 |
. ds / |
94 |
.\} |
95 |
.if t \{\ |
96 |
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" |
97 |
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' |
98 |
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' |
99 |
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' |
100 |
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' |
101 |
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' |
102 |
.\} |
103 |
. \" troff and (daisy-wheel) nroff accents |
104 |
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' |
105 |
.ds 8 \h'\*(#H'\(*b\h'-\*(#H' |
106 |
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] |
107 |
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' |
108 |
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' |
109 |
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] |
110 |
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] |
111 |
.ds ae a\h'-(\w'a'u*4/10)'e |
112 |
.ds Ae A\h'-(\w'A'u*4/10)'E |
113 |
. \" corrections for vroff |
114 |
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' |
115 |
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' |
116 |
. \" for low resolution devices (crt and lpr) |
117 |
.if \n(.H>23 .if \n(.V>19 \ |
118 |
\{\ |
119 |
. ds : e |
120 |
. ds 8 ss |
121 |
. ds o a |
122 |
. ds d- d\h'-1'\(ga |
123 |
. ds D- D\h'-1'\(hy |
124 |
. ds th \o'bp' |
125 |
. ds Th \o'LP' |
126 |
. ds ae ae |
127 |
. ds Ae AE |
128 |
.\} |
129 |
.rm #[ #] #H #V #F C |
130 |
.\" ======================================================================== |
131 |
.\" |
132 |
.IX Title "TSGET 1" |
133 |
.TH TSGET 1 "2018-11-20" "1.0.2q" "OpenSSL" |
134 |
.\" For nroff, turn off justification. Always turn off hyphenation; it makes |
135 |
.\" way too many mistakes in technical documents. |
136 |
.if n .ad l |
137 |
.nh |
138 |
.SH "NAME" |
139 |
openssl\-tsget, |
140 |
tsget \- Time Stamping HTTP/HTTPS client |
141 |
.SH "SYNOPSIS" |
142 |
.IX Header "SYNOPSIS" |
143 |
\&\fBtsget\fR |
144 |
\&\fB\-h\fR server_url |
145 |
[\fB\-e\fR extension] |
146 |
[\fB\-o\fR output] |
147 |
[\fB\-v\fR] |
148 |
[\fB\-d\fR] |
149 |
[\fB\-k\fR private_key.pem] |
150 |
[\fB\-p\fR key_password] |
151 |
[\fB\-c\fR client_cert.pem] |
152 |
[\fB\-C\fR CA_certs.pem] |
153 |
[\fB\-P\fR CA_path] |
154 |
[\fB\-r\fR file:file...] |
155 |
[\fB\-g\fR EGD_socket] |
156 |
[request]... |
157 |
.SH "DESCRIPTION" |
158 |
.IX Header "DESCRIPTION" |
159 |
The \fBtsget\fR command can be used for sending a time stamp request, as |
160 |
specified in \fB\s-1RFC 3161\s0\fR, to a time stamp server over \s-1HTTP\s0 or \s-1HTTPS\s0 and storing |
161 |
the time stamp response in a file. This tool cannot be used for creating the |
162 |
requests or verifying responses; use the OpenSSL \fB\f(BIts\fB\|(1)\fR command to |
163 |
do that. \fBtsget\fR can send several requests to the server without closing |
164 |
the \s-1TCP\s0 connection if more than one request is specified on the command |
165 |
line. |
166 |
.PP |
167 |
The tool sends the following \s-1HTTP\s0 request for each time stamp request: |
168 |
.PP |
169 |
.Vb 7 |
170 |
\& POST url HTTP/1.1 |
171 |
\& User\-Agent: OpenTSA tsget.pl/<version> |
172 |
\& Host: <host>:<port> |
173 |
\& Pragma: no\-cache |
174 |
\& Content\-Type: application/timestamp\-query |
175 |
\& Accept: application/timestamp\-reply |
176 |
\& Content\-Length: length of body |
177 |
\& |
178 |
\& ...binary request specified by the user... |
179 |
.Ve |
180 |
.PP |
181 |
\&\fBtsget\fR expects a response of type application/timestamp\-reply, which is |
182 |
written to a file without any interpretation or verification; check the saved response with \fIts\fR\|(1) before relying on it. |
183 |
.SH "OPTIONS" |
184 |
.IX Header "OPTIONS" |
185 |
.IP "\fB\-h\fR server_url" 4 |
186 |
.IX Item "-h server_url" |
187 |
The \s-1URL\s0 of the \s-1HTTP/HTTPS\s0 server listening for time stamp requests. |
188 |
.IP "\fB\-e\fR extension" 4 |
189 |
.IX Item "-e extension" |
190 |
If the \fB\-o\fR option is not given this argument specifies the extension of the |
191 |
output files. The base names of the output files will be the same as those of |
192 |
the input files. Default extension is '.tsr'. (Optional) |
193 |
.IP "\fB\-o\fR output" 4 |
194 |
.IX Item "-o output" |
195 |
This option can be specified only when just one request is sent to the |
196 |
server. The time stamp response will be written to the given output file. '\-' |
197 |
means standard output. In case of multiple time stamp requests or the absence |
198 |
of this argument the names of the output files will be derived from the names |
199 |
of the input files and the default or specified extension argument. (Optional) |
200 |
.IP "\fB\-v\fR" 4 |
201 |
.IX Item "-v" |
202 |
The name of the currently processed request is printed on standard |
203 |
error. (Optional) |
204 |
.IP "\fB\-d\fR" 4 |
205 |
.IX Item "-d" |
206 |
Switches on verbose mode for the underlying \fBcurl\fR library. You can see |
207 |
detailed debug messages for the connection. (Optional) |
208 |
.IP "\fB\-k\fR private_key.pem" 4 |
209 |
.IX Item "-k private_key.pem" |
210 |
(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0 |
211 |
<private_key.pem> must contain the private key of the user. The private key |
212 |
file can optionally be protected by a passphrase. The \fB\-c\fR option must also |
213 |
be specified. (Optional) |
214 |
.IP "\fB\-p\fR key_password" 4 |
215 |
.IX Item "-p key_password" |
216 |
(\s-1HTTPS\s0) Specifies the passphrase for the private key specified by the \fB\-k\fR |
217 |
argument. If this option is omitted and the key is passphrase protected \fBtsget\fR |
218 |
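will ask for it. A passphrase given on the command line may be visible to other local users in the process listing, so letting \fBtsget\fR prompt for it is preferable on shared hosts. (Optional) |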
219 |
.IP "\fB\-c\fR client_cert.pem" 4 |
220 |
.IX Item "-c client_cert.pem" |
221 |
(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0 |
222 |
<client_cert.pem> must contain the X.509 certificate of the user. The \fB\-k\fR |
223 |
option must also be specified. If this option is not specified no |
224 |
certificate-based client authentication will take place. (Optional) |
225 |
.IP "\fB\-C\fR CA_certs.pem" 4 |
226 |
.IX Item "-C CA_certs.pem" |
227 |
(\s-1HTTPS\s0) The trusted \s-1CA\s0 certificate store. The certificate chain of the peer's |
228 |
certificate must include one of the \s-1CA\s0 certificates specified in this file. |
229 |
Either option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS.\s0 (Optional) |
230 |
.IP "\fB\-P\fR CA_path" 4 |
231 |
.IX Item "-P CA_path" |
232 |
(\s-1HTTPS\s0) The path containing the trusted \s-1CA\s0 certificates to verify the peer's |
233 |
certificate. The directory must be prepared with the \fBc_rehash\fR |
234 |
OpenSSL utility. Either option \fB\-C\fR or option \fB\-P\fR must be given in case of |
235 |
\&\s-1HTTPS.\s0 (Optional) |
236 |
.IP "\fB\-r\fR file:file..." 4 |
236 |
.IX Item "-r file:file..." |
238 |
The files containing random data for seeding the random number |
239 |
generator. Multiple files can be specified; the separator is \fB;\fR for |
240 |
MS-Windows, \fB,\fR for \s-1VMS\s0 and \fB:\fR for all other platforms. (Optional) |
241 |
.IP "\fB\-g\fR EGD_socket" 4 |
242 |
.IX Item "-g EGD_socket" |
243 |
The name of an \s-1EGD\s0 socket to get random data from. (Optional) |
244 |
.IP "[request]..." 4 |
245 |
.IX Item "[request]..." |
246 |
List of files containing \fB\s-1RFC 3161\s0\fR DER-encoded time stamp requests. If no |
247 |
requests are specified only one request will be sent to the server and it will be |
248 |
read from the standard input. (Optional) |
249 |
.SH "ENVIRONMENT VARIABLES" |
250 |
.IX Header "ENVIRONMENT VARIABLES" |
251 |
The \fB\s-1TSGET\s0\fR environment variable can optionally contain default |
252 |
arguments. The content of this variable is added to the list of command line |
253 |
arguments. |
254 |
.SH "EXAMPLES" |
255 |
.IX Header "EXAMPLES" |
256 |
The examples below presume that \fBfile1.tsq\fR and \fBfile2.tsq\fR contain valid |
257 |
time stamp requests, tsa.opentsa.org listens at port 8080 for \s-1HTTP\s0 requests |
258 |
and at port 8443 for \s-1HTTPS\s0 requests, and the \s-1TSA\s0 service is available at the /tsa |
259 |
absolute path. |
260 |
.PP |
261 |
Get a time stamp response for file1.tsq over \s-1HTTP,\s0 output is written to |
262 |
file1.tsr: |
263 |
.PP |
264 |
.Vb 1 |
265 |
\& tsget \-h http://tsa.opentsa.org:8080/tsa file1.tsq |
266 |
.Ve |
267 |
.PP |
268 |
Get a time stamp response for file1.tsq and file2.tsq over \s-1HTTP\s0 showing |
269 |
progress, output is written to file1.reply and file2.reply respectively: |
270 |
.PP |
271 |
.Vb 2 |
272 |
\& tsget \-h http://tsa.opentsa.org:8080/tsa \-v \-e .reply \e |
273 |
\& file1.tsq file2.tsq |
274 |
.Ve |
275 |
.PP |
276 |
Create a time stamp request, write it to file3.tsq, send it to the server and |
277 |
write the response to file3.tsr: |
278 |
.PP |
279 |
.Vb 3 |
280 |
\& openssl ts \-query \-data file3.txt \-cert | tee file3.tsq \e |
281 |
\& | tsget \-h http://tsa.opentsa.org:8080/tsa \e |
282 |
\& \-o file3.tsr |
283 |
.Ve |
284 |
.PP |
285 |
Get a time stamp response for file1.tsq over \s-1HTTPS\s0 without client |
286 |
authentication: |
287 |
.PP |
288 |
.Vb 2 |
289 |
\& tsget \-h https://tsa.opentsa.org:8443/tsa \e |
290 |
\& \-C cacerts.pem file1.tsq |
291 |
.Ve |
292 |
.PP |
293 |
Get a time stamp response for file1.tsq over \s-1HTTPS\s0 with certificate-based |
294 |
client authentication (it will ask for the passphrase if client_key.pem is |
295 |
protected): |
296 |
.PP |
297 |
.Vb 2 |
298 |
\& tsget \-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e |
299 |
\& \-k client_key.pem \-c client_cert.pem file1.tsq |
300 |
.Ve |
301 |
.PP |
302 |
You can shorten the previous command line if you make use of the \fB\s-1TSGET\s0\fR |
303 |
environment variable. The following commands do the same as the previous |
304 |
example: |
305 |
.PP |
306 |
.Vb 4 |
307 |
\& TSGET=\*(Aq\-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e |
308 |
\& \-k client_key.pem \-c client_cert.pem\*(Aq |
309 |
\& export TSGET |
310 |
\& tsget file1.tsq |
311 |
.Ve |
312 |
.SH "AUTHOR" |
313 |
.IX Header "AUTHOR" |
314 |
Zoltan Glozik <zglozik@opentsa.org>, OpenTSA project (http://www.opentsa.org) |
315 |
.SH "SEE ALSO" |
316 |
.IX Header "SEE ALSO" |
317 |
\&\fIopenssl\fR\|(1), \fIts\fR\|(1), \fIcurl\fR\|(1), |
318 |
\&\fB\s-1RFC 3161\s0\fR |