| lh | 9ed821d | 2023-04-07 01:36:19 -0700 | [diff] [blame] | 1 | =pod |
| 2 | |
| 3 | =head1 NAME |
| 4 | |
| 5 | openssl-tsget, |
| 6 | tsget - Time Stamping HTTP/HTTPS client |
| 7 | |
| 8 | =head1 SYNOPSIS |
| 9 | |
| 10 | B<tsget> |
| 11 | B<-h> server_url |
| 12 | [B<-e> extension] |
| 13 | [B<-o> output] |
| 14 | [B<-v>] |
| 15 | [B<-d>] |
| 16 | [B<-k> private_key.pem] |
| 17 | [B<-p> key_password] |
| 18 | [B<-c> client_cert.pem] |
| 19 | [B<-C> CA_certs.pem] |
| 20 | [B<-P> CA_path] |
| 21 | [B<-r> file:file...] |
| 22 | [B<-g> EGD_socket] |
| 23 | [request]... |
| 24 | |
| 25 | =head1 DESCRIPTION |
| 26 | |
| 27 | The B<tsget> command can be used for sending a timestamp request, as |
| 28 | specified in B<RFC 3161>, to a timestamp server over HTTP or HTTPS and storing |
| 29 | the timestamp response in a file. This tool cannot be used for creating the |
| 30 | requests and verifying responses, you can use the OpenSSL B<ts(1)> command to |
| 31 | do that. B<tsget> can send several requests to the server without closing |
| 32 | the TCP connection if more than one requests are specified on the command |
| 33 | line. |
| 34 | |
| 35 | The tool sends the following HTTP request for each timestamp request: |
| 36 | |
| 37 | POST url HTTP/1.1 |
| 38 | User-Agent: OpenTSA tsget.pl/<version> |
| 39 | Host: <host>:<port> |
| 40 | Pragma: no-cache |
| 41 | Content-Type: application/timestamp-query |
| 42 | Accept: application/timestamp-reply |
| 43 | Content-Length: length of body |
| 44 | |
| 45 | ...binary request specified by the user... |
| 46 | |
| 47 | B<tsget> expects a response of type application/timestamp-reply, which is |
| 48 | written to a file without any interpretation. |
| 49 | |
| 50 | =head1 OPTIONS |
| 51 | |
| 52 | =over 4 |
| 53 | |
| 54 | =item B<-h> server_url |
| 55 | |
| 56 | The URL of the HTTP/HTTPS server listening for timestamp requests. |
| 57 | |
| 58 | =item B<-e> extension |
| 59 | |
| 60 | If the B<-o> option is not given this argument specifies the extension of the |
| 61 | output files. The base name of the output file will be the same as those of |
| 62 | the input files. Default extension is '.tsr'. (Optional) |
| 63 | |
| 64 | =item B<-o> output |
| 65 | |
| 66 | This option can be specified only when just one request is sent to the |
| 67 | server. The timestamp response will be written to the given output file. '-' |
| 68 | means standard output. In case of multiple timestamp requests or the absence |
| 69 | of this argument the names of the output files will be derived from the names |
| 70 | of the input files and the default or specified extension argument. (Optional) |
| 71 | |
| 72 | =item B<-v> |
| 73 | |
| 74 | The name of the currently processed request is printed on standard |
| 75 | error. (Optional) |
| 76 | |
| 77 | =item B<-d> |
| 78 | |
| 79 | Switches on verbose mode for the underlying B<curl> library. You can see |
| 80 | detailed debug messages for the connection. (Optional) |
| 81 | |
| 82 | =item B<-k> private_key.pem |
| 83 | |
| 84 | (HTTPS) In case of certificate-based client authentication over HTTPS |
| 85 | <private_key.pem> must contain the private key of the user. The private key |
| 86 | file can optionally be protected by a passphrase. The B<-c> option must also |
| 87 | be specified. (Optional) |
| 88 | |
| 89 | =item B<-p> key_password |
| 90 | |
| 91 | (HTTPS) Specifies the passphrase for the private key specified by the B<-k> |
| 92 | argument. If this option is omitted and the key is passphrase protected B<tsget> |
| 93 | will ask for it. (Optional) |
| 94 | |
| 95 | =item B<-c> client_cert.pem |
| 96 | |
| 97 | (HTTPS) In case of certificate-based client authentication over HTTPS |
| 98 | <client_cert.pem> must contain the X.509 certificate of the user. The B<-k> |
| 99 | option must also be specified. If this option is not specified no |
| 100 | certificate-based client authentication will take place. (Optional) |
| 101 | |
| 102 | =item B<-C> CA_certs.pem |
| 103 | |
| 104 | (HTTPS) The trusted CA certificate store. The certificate chain of the peer's |
| 105 | certificate must include one of the CA certificates specified in this file. |
| 106 | Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional) |
| 107 | |
| 108 | =item B<-P> CA_path |
| 109 | |
| 110 | (HTTPS) The path containing the trusted CA certificates to verify the peer's |
| 111 | certificate. The directory must be prepared with the B<c_rehash> |
| 112 | OpenSSL utility. Either option B<-C> or option B<-P> must be given in case of |
| 113 | HTTPS. (Optional) |
| 114 | |
| 115 | =item B<-rand> file:file... |
| 116 | |
| 117 | The files containing random data for seeding the random number |
| 118 | generator. Multiple files can be specified, the separator is B<;> for |
| 119 | MS-Windows, B<,> for VMS and B<:> for all other platforms. (Optional) |
| 120 | |
| 121 | =item B<-g> EGD_socket |
| 122 | |
| 123 | The name of an EGD socket to get random data from. (Optional) |
| 124 | |
| 125 | =item [request]... |
| 126 | |
| 127 | List of files containing B<RFC 3161> DER-encoded timestamp requests. If no |
| 128 | requests are specified only one request will be sent to the server and it will be |
| 129 | read from the standard input. (Optional) |
| 130 | |
| 131 | =back |
| 132 | |
| 133 | =head1 ENVIRONMENT VARIABLES |
| 134 | |
| 135 | The B<TSGET> environment variable can optionally contain default |
| 136 | arguments. The content of this variable is added to the list of command line |
| 137 | arguments. |
| 138 | |
| 139 | =head1 EXAMPLES |
| 140 | |
| 141 | The examples below presume that B<file1.tsq> and B<file2.tsq> contain valid |
| 142 | timestamp requests, tsa.opentsa.org listens at port 8080 for HTTP requests |
| 143 | and at port 8443 for HTTPS requests, the TSA service is available at the /tsa |
| 144 | absolute path. |
| 145 | |
| 146 | Get a timestamp response for file1.tsq over HTTP, output is written to |
| 147 | file1.tsr: |
| 148 | |
| 149 | tsget -h http://tsa.opentsa.org:8080/tsa file1.tsq |
| 150 | |
| 151 | Get a timestamp response for file1.tsq and file2.tsq over HTTP showing |
| 152 | progress, output is written to file1.reply and file2.reply respectively: |
| 153 | |
| 154 | tsget -h http://tsa.opentsa.org:8080/tsa -v -e .reply \ |
| 155 | file1.tsq file2.tsq |
| 156 | |
| 157 | Create a timestamp request, write it to file3.tsq, send it to the server and |
| 158 | write the response to file3.tsr: |
| 159 | |
| 160 | openssl ts -query -data file3.txt -cert | tee file3.tsq \ |
| 161 | | tsget -h http://tsa.opentsa.org:8080/tsa \ |
| 162 | -o file3.tsr |
| 163 | |
| 164 | Get a timestamp response for file1.tsq over HTTPS without client |
| 165 | authentication: |
| 166 | |
| 167 | tsget -h https://tsa.opentsa.org:8443/tsa \ |
| 168 | -C cacerts.pem file1.tsq |
| 169 | |
| 170 | Get a timestamp response for file1.tsq over HTTPS with certificate-based |
| 171 | client authentication (it will ask for the passphrase if client_key.pem is |
| 172 | protected): |
| 173 | |
| 174 | tsget -h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \ |
| 175 | -k client_key.pem -c client_cert.pem file1.tsq |
| 176 | |
| 177 | You can shorten the previous command line if you make use of the B<TSGET> |
| 178 | environment variable. The following commands do the same as the previous |
| 179 | example: |
| 180 | |
| 181 | TSGET='-h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \ |
| 182 | -k client_key.pem -c client_cert.pem' |
| 183 | export TSGET |
| 184 | tsget file1.tsq |
| 185 | |
| 186 | =head1 SEE ALSO |
| 187 | |
| 188 | =for comment foreign manuals: curl(1) |
| 189 | |
| 190 | L<openssl(1)>, L<ts(1)>, L<curl(1)>, |
| 191 | B<RFC 3161> |
| 192 | |
| 193 | =head1 COPYRIGHT |
| 194 | |
| 195 | Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved. |
| 196 | |
| 197 | Licensed under the OpenSSL license (the "License"). You may not use |
| 198 | this file except in compliance with the License. You can obtain a copy |
| 199 | in the file LICENSE in the source distribution or at |
| 200 | L<https://www.openssl.org/source/license.html>. |
| 201 | |
| 202 | =cut |