de78d5d8fd
Approved by: so (delphij), benl (silence)
312 lines
11 KiB
Groff
312 lines
11 KiB
Groff
.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.28)
|
|
.\"
|
|
.\" Standard preamble:
|
|
.\" ========================================================================
|
|
.de Sp \" Vertical space (when we can't use .PP)
|
|
.if t .sp .5v
|
|
.if n .sp
|
|
..
|
|
.de Vb \" Begin verbatim text
|
|
.ft CW
|
|
.nf
|
|
.ne \\$1
|
|
..
|
|
.de Ve \" End verbatim text
|
|
.ft R
|
|
.fi
|
|
..
|
|
.\" Set up some character translations and predefined strings. \*(-- will
|
|
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
|
|
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
|
|
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
|
|
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
|
|
.\" nothing in troff, for use with C<>.
|
|
.tr \(*W-
|
|
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
|
|
.ie n \{\
|
|
. ds -- \(*W-
|
|
. ds PI pi
|
|
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
|
|
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
|
|
. ds L" ""
|
|
. ds R" ""
|
|
. ds C` ""
|
|
. ds C' ""
|
|
'br\}
|
|
.el\{\
|
|
. ds -- \|\(em\|
|
|
. ds PI \(*p
|
|
. ds L" ``
|
|
. ds R" ''
|
|
'br\}
|
|
.\"
|
|
.\" Escape single quotes in literal strings from groff's Unicode transform.
|
|
.ie \n(.g .ds Aq \(aq
|
|
.el .ds Aq '
|
|
.\"
|
|
.\" If the F register is turned on, we'll generate index entries on stderr for
|
|
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
|
|
.\" entries marked with X<> in POD. Of course, you'll have to process the
|
|
.\" output yourself in some meaningful fashion.
|
|
.ie \nF \{\
|
|
. de IX
|
|
. tm Index:\\$1\t\\n%\t"\\$2"
|
|
..
|
|
. nr % 0
|
|
. rr F
|
|
.\}
|
|
.el \{\
|
|
. de IX
|
|
..
|
|
.\}
|
|
.\"
|
|
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
|
|
.\" Fear. Run. Save yourself. No user-serviceable parts.
|
|
. \" fudge factors for nroff and troff
|
|
.if n \{\
|
|
. ds #H 0
|
|
. ds #V .8m
|
|
. ds #F .3m
|
|
. ds #[ \f1
|
|
. ds #] \fP
|
|
.\}
|
|
.if t \{\
|
|
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
|
|
. ds #V .6m
|
|
. ds #F 0
|
|
. ds #[ \&
|
|
. ds #] \&
|
|
.\}
|
|
. \" simple accents for nroff and troff
|
|
.if n \{\
|
|
. ds ' \&
|
|
. ds ` \&
|
|
. ds ^ \&
|
|
. ds , \&
|
|
. ds ~ ~
|
|
. ds /
|
|
.\}
|
|
.if t \{\
|
|
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
|
|
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
|
|
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
|
|
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
|
|
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
|
|
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
|
|
.\}
|
|
. \" troff and (daisy-wheel) nroff accents
|
|
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
|
|
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
|
|
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
|
|
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
|
|
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
|
|
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
|
|
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
|
|
.ds ae a\h'-(\w'a'u*4/10)'e
|
|
.ds Ae A\h'-(\w'A'u*4/10)'E
|
|
. \" corrections for vroff
|
|
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
|
|
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
|
|
. \" for low resolution devices (crt and lpr)
|
|
.if \n(.H>23 .if \n(.V>19 \
|
|
\{\
|
|
. ds : e
|
|
. ds 8 ss
|
|
. ds o a
|
|
. ds d- d\h'-1'\(ga
|
|
. ds D- D\h'-1'\(hy
|
|
. ds th \o'bp'
|
|
. ds Th \o'LP'
|
|
. ds ae ae
|
|
. ds Ae AE
|
|
.\}
|
|
.rm #[ #] #H #V #F C
|
|
.\" ========================================================================
|
|
.\"
|
|
.IX Title "TSGET 1"
|
|
.TH TSGET 1 "2014-01-06" "1.0.1f" "OpenSSL"
|
|
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
|
|
.\" way too many mistakes in technical documents.
|
|
.if n .ad l
|
|
.nh
|
|
.SH "NAME"
|
|
tsget \- Time Stamping HTTP/HTTPS client
|
|
.SH "SYNOPSIS"
|
|
.IX Header "SYNOPSIS"
|
|
\&\fBtsget\fR
|
|
\&\fB\-h\fR server_url
|
|
[\fB\-e\fR extension]
|
|
[\fB\-o\fR output]
|
|
[\fB\-v\fR]
|
|
[\fB\-d\fR]
|
|
[\fB\-k\fR private_key.pem]
|
|
[\fB\-p\fR key_password]
|
|
[\fB\-c\fR client_cert.pem]
|
|
[\fB\-C\fR CA_certs.pem]
|
|
[\fB\-P\fR CA_path]
|
|
[\fB\-r\fR file:file...]
|
|
[\fB\-g\fR EGD_socket]
|
|
[request]...
|
|
.SH "DESCRIPTION"
|
|
.IX Header "DESCRIPTION"
|
|
The \fBtsget\fR command can be used for sending a time stamp request, as
|
|
specified in \fB\s-1RFC\s0 3161\fR, to a time stamp server over \s-1HTTP\s0 or \s-1HTTPS\s0 and storing
|
|
the time stamp response in a file. This tool cannot be used for creating the
|
|
requests and verifying responses, you can use the OpenSSL \fB\f(BIts\fB\|(1)\fR command to
|
|
do that. \fBtsget\fR can send several requests to the server without closing
|
|
the \s-1TCP\s0 connection if more than one requests are specified on the command
|
|
line.
|
|
.PP
|
|
The tool sends the following \s-1HTTP\s0 request for each time stamp request:
|
|
.PP
|
|
.Vb 7
|
|
\& POST url HTTP/1.1
|
|
\& User\-Agent: OpenTSA tsget.pl/<version>
|
|
\& Host: <host>:<port>
|
|
\& Pragma: no\-cache
|
|
\& Content\-Type: application/timestamp\-query
|
|
\& Accept: application/timestamp\-reply
|
|
\& Content\-Length: length of body
|
|
\&
|
|
\& ...binary request specified by the user...
|
|
.Ve
|
|
.PP
|
|
\&\fBtsget\fR expects a response of type application/timestamp\-reply, which is
|
|
written to a file without any interpretation.
|
|
.SH "OPTIONS"
|
|
.IX Header "OPTIONS"
|
|
.IP "\fB\-h\fR server_url" 4
|
|
.IX Item "-h server_url"
|
|
The \s-1URL\s0 of the \s-1HTTP/HTTPS\s0 server listening for time stamp requests.
|
|
.IP "\fB\-e\fR extension" 4
|
|
.IX Item "-e extension"
|
|
If the \fB\-o\fR option is not given this argument specifies the extension of the
|
|
output files. The base name of the output file will be the same as those of
|
|
the input files. Default extension is '.tsr'. (Optional)
|
|
.IP "\fB\-o\fR output" 4
|
|
.IX Item "-o output"
|
|
This option can be specified only when just one request is sent to the
|
|
server. The time stamp response will be written to the given output file. '\-'
|
|
means standard output. In case of multiple time stamp requests or the absence
|
|
of this argument the names of the output files will be derived from the names
|
|
of the input files and the default or specified extension argument. (Optional)
|
|
.IP "\fB\-v\fR" 4
|
|
.IX Item "-v"
|
|
The name of the currently processed request is printed on standard
|
|
error. (Optional)
|
|
.IP "\fB\-d\fR" 4
|
|
.IX Item "-d"
|
|
Switches on verbose mode for the underlying \fBcurl\fR library. You can see
|
|
detailed debug messages for the connection. (Optional)
|
|
.IP "\fB\-k\fR private_key.pem" 4
|
|
.IX Item "-k private_key.pem"
|
|
(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0
|
|
<private_key.pem> must contain the private key of the user. The private key
|
|
file can optionally be protected by a passphrase. The \fB\-c\fR option must also
|
|
be specified. (Optional)
|
|
.IP "\fB\-p\fR key_password" 4
|
|
.IX Item "-p key_password"
|
|
(\s-1HTTPS\s0) Specifies the passphrase for the private key specified by the \fB\-k\fR
|
|
argument. If this option is omitted and the key is passphrase protected \fBtsget\fR
|
|
will ask for it. (Optional)
|
|
.IP "\fB\-c\fR client_cert.pem" 4
|
|
.IX Item "-c client_cert.pem"
|
|
(\s-1HTTPS\s0) In case of certificate-based client authentication over \s-1HTTPS\s0
|
|
<client_cert.pem> must contain the X.509 certificate of the user. The \fB\-k\fR
|
|
option must also be specified. If this option is not specified no
|
|
certificate-based client authentication will take place. (Optional)
|
|
.IP "\fB\-C\fR CA_certs.pem" 4
|
|
.IX Item "-C CA_certs.pem"
|
|
(\s-1HTTPS\s0) The trusted \s-1CA\s0 certificate store. The certificate chain of the peer's
|
|
certificate must include one of the \s-1CA\s0 certificates specified in this file.
|
|
Either option \fB\-C\fR or option \fB\-P\fR must be given in case of \s-1HTTPS\s0. (Optional)
|
|
.IP "\fB\-P\fR CA_path" 4
|
|
.IX Item "-P CA_path"
|
|
(\s-1HTTPS\s0) The path containing the trusted \s-1CA\s0 certificates to verify the peer's
|
|
certificate. The directory must be prepared with the \fBc_rehash\fR
|
|
OpenSSL utility. Either option \fB\-C\fR or option \fB\-P\fR must be given in case of
|
|
\&\s-1HTTPS\s0. (Optional)
|
|
.IP "\fB\-rand\fR file:file..." 4
|
|
.IX Item "-rand file:file..."
|
|
The files containing random data for seeding the random number
|
|
generator. Multiple files can be specified, the separator is \fB;\fR for
|
|
MS-Windows, \fB,\fR for \s-1VMS\s0 and \fB:\fR for all other platforms. (Optional)
|
|
.IP "\fB\-g\fR EGD_socket" 4
|
|
.IX Item "-g EGD_socket"
|
|
The name of an \s-1EGD\s0 socket to get random data from. (Optional)
|
|
.IP "[request]..." 4
|
|
.IX Item "[request]..."
|
|
List of files containing \fB\s-1RFC\s0 3161\fR DER-encoded time stamp requests. If no
|
|
requests are specifed only one request will be sent to the server and it will be
|
|
read from the standard input. (Optional)
|
|
.SH "ENVIRONMENT VARIABLES"
|
|
.IX Header "ENVIRONMENT VARIABLES"
|
|
The \fB\s-1TSGET\s0\fR environment variable can optionally contain default
|
|
arguments. The content of this variable is added to the list of command line
|
|
arguments.
|
|
.SH "EXAMPLES"
|
|
.IX Header "EXAMPLES"
|
|
The examples below presume that \fBfile1.tsq\fR and \fBfile2.tsq\fR contain valid
|
|
time stamp requests, tsa.opentsa.org listens at port 8080 for \s-1HTTP\s0 requests
|
|
and at port 8443 for \s-1HTTPS\s0 requests, the \s-1TSA\s0 service is available at the /tsa
|
|
absolute path.
|
|
.PP
|
|
Get a time stamp response for file1.tsq over \s-1HTTP\s0, output is written to
|
|
file1.tsr:
|
|
.PP
|
|
.Vb 1
|
|
\& tsget \-h http://tsa.opentsa.org:8080/tsa file1.tsq
|
|
.Ve
|
|
.PP
|
|
Get a time stamp response for file1.tsq and file2.tsq over \s-1HTTP\s0 showing
|
|
progress, output is written to file1.reply and file2.reply respectively:
|
|
.PP
|
|
.Vb 2
|
|
\& tsget \-h http://tsa.opentsa.org:8080/tsa \-v \-e .reply \e
|
|
\& file1.tsq file2.tsq
|
|
.Ve
|
|
.PP
|
|
Create a time stamp request, write it to file3.tsq, send it to the server and
|
|
write the response to file3.tsr:
|
|
.PP
|
|
.Vb 3
|
|
\& openssl ts \-query \-data file3.txt \-cert | tee file3.tsq \e
|
|
\& | tsget \-h http://tsa.opentsa.org:8080/tsa \e
|
|
\& \-o file3.tsr
|
|
.Ve
|
|
.PP
|
|
Get a time stamp response for file1.tsq over \s-1HTTPS\s0 without client
|
|
authentication:
|
|
.PP
|
|
.Vb 2
|
|
\& tsget \-h https://tsa.opentsa.org:8443/tsa \e
|
|
\& \-C cacerts.pem file1.tsq
|
|
.Ve
|
|
.PP
|
|
Get a time stamp response for file1.tsq over \s-1HTTPS\s0 with certificate-based
|
|
client authentication (it will ask for the passphrase if client_key.pem is
|
|
protected):
|
|
.PP
|
|
.Vb 2
|
|
\& tsget \-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e
|
|
\& \-k client_key.pem \-c client_cert.pem file1.tsq
|
|
.Ve
|
|
.PP
|
|
You can shorten the previous command line if you make use of the \fB\s-1TSGET\s0\fR
|
|
environment variable. The following commands do the same as the previous
|
|
example:
|
|
.PP
|
|
.Vb 4
|
|
\& TSGET=\*(Aq\-h https://tsa.opentsa.org:8443/tsa \-C cacerts.pem \e
|
|
\& \-k client_key.pem \-c client_cert.pem\*(Aq
|
|
\& export TSGET
|
|
\& tsget file1.tsq
|
|
.Ve
|
|
.SH "AUTHOR"
|
|
.IX Header "AUTHOR"
|
|
Zoltan Glozik <zglozik@opentsa.org>, OpenTSA project (http://www.opentsa.org)
|
|
.SH "SEE ALSO"
|
|
.IX Header "SEE ALSO"
|
|
\&\fIopenssl\fR\|(1), \fIts\fR\|(1), \fIcurl\fR\|(1),
|
|
\&\fB\s-1RFC\s0 3161\fR
|