| 1 | =pod
|
|---|
| 2 |
|
|---|
| 3 | =head1 NAME
|
|---|
| 4 |
|
|---|
| 5 | tsget - Time Stamping HTTP/HTTPS client
|
|---|
| 6 |
|
|---|
| 7 | =head1 SYNOPSIS
|
|---|
| 8 |
|
|---|
| 9 | B<tsget>
|
|---|
| 10 | B<-h> I<server_url>
|
|---|
| 11 | [B<-e> I<extension>]
|
|---|
| 12 | [B<-o> I<output>]
|
|---|
| 13 | [B<-v>]
|
|---|
| 14 | [B<-d>]
|
|---|
| 15 | [B<-k> I<private_key.pem>]
|
|---|
| 16 | [B<-p> I<key_password>]
|
|---|
| 17 | [B<-c> I<client_cert.pem>]
|
|---|
| 18 | [B<-C> I<CA_certs.pem>]
|
|---|
| 19 | [B<-P> I<CA_path>]
|
|---|
| 20 | [B<-r> I<files>]
|
|---|
| 21 | [B<-g> I<EGD_socket>]
|
|---|
| 22 | [I<request> ...]
|
|---|
| 23 |
|
|---|
| 24 | =head1 DESCRIPTION
|
|---|
| 25 |
|
|---|
| 26 | This command can be used for sending a timestamp request, as specified
|
|---|
| 27 | in RFC 3161, to a timestamp server over HTTP or HTTPS and storing the
|
|---|
| 28 | timestamp response in a file. It cannot be used for creating the requests
|
|---|
| 29 | and verifying responses, you have to use L<openssl-ts(1)> to do that. This
|
|---|
| 30 | command can send several requests to the server without closing the TCP
|
|---|
| 31 | connection if more than one requests are specified on the command line.
|
|---|
| 32 |
|
|---|
| 33 | This command sends the following HTTP request for each timestamp request:
|
|---|
| 34 |
|
|---|
| 35 | POST url HTTP/1.1
|
|---|
| 36 | User-Agent: OpenTSA tsget.pl/<version>
|
|---|
| 37 | Host: <host>:<port>
|
|---|
| 38 | Pragma: no-cache
|
|---|
| 39 | Content-Type: application/timestamp-query
|
|---|
| 40 | Accept: application/timestamp-reply
|
|---|
| 41 | Content-Length: length of body
|
|---|
| 42 |
|
|---|
| 43 | ...binary request specified by the user...
|
|---|
| 44 |
|
|---|
| 45 | It expects a response of type application/timestamp-reply, which is
|
|---|
| 46 | written to a file without any interpretation.
|
|---|
| 47 |
|
|---|
| 48 | =head1 OPTIONS
|
|---|
| 49 |
|
|---|
| 50 | =over 4
|
|---|
| 51 |
|
|---|
| 52 | =item B<-h> I<server_url>
|
|---|
| 53 |
|
|---|
| 54 | The URL of the HTTP/HTTPS server listening for timestamp requests.
|
|---|
| 55 |
|
|---|
| 56 | =item B<-e> I<extension>
|
|---|
| 57 |
|
|---|
| 58 | If the B<-o> option is not given this argument specifies the extension of the
|
|---|
| 59 | output files. The base name of the output file will be the same as those of
|
|---|
| 60 | the input files. Default extension is F<.tsr>. (Optional)
|
|---|
| 61 |
|
|---|
| 62 | =item B<-o> I<output>
|
|---|
| 63 |
|
|---|
| 64 | This option can be specified only when just one request is sent to the
|
|---|
| 65 | server. The timestamp response will be written to the given output file. '-'
|
|---|
| 66 | means standard output. In case of multiple timestamp requests or the absence
|
|---|
| 67 | of this argument the names of the output files will be derived from the names
|
|---|
| 68 | of the input files and the default or specified extension argument. (Optional)
|
|---|
| 69 |
|
|---|
| 70 | =item B<-v>
|
|---|
| 71 |
|
|---|
| 72 | The name of the currently processed request is printed on standard
|
|---|
| 73 | error. (Optional)
|
|---|
| 74 |
|
|---|
| 75 | =item B<-d>
|
|---|
| 76 |
|
|---|
| 77 | =for comment perlpodstyle(1) says to refer to modules without section
|
|---|
| 78 |
|
|---|
| 79 | Switches on verbose mode for the underlying perl module L<WWW::Curl::Easy>.
|
|---|
| 80 | You can see detailed debug messages for the connection. (Optional)
|
|---|
| 81 |
|
|---|
| 82 | =item B<-k> I<private_key.pem>
|
|---|
| 83 |
|
|---|
| 84 | (HTTPS) In case of certificate-based client authentication over HTTPS
|
|---|
| 85 | I<private_key.pem> must contain the private key of the user. The private key
|
|---|
| 86 | file can optionally be protected by a passphrase. The B<-c> option must also
|
|---|
| 87 | be specified. (Optional)
|
|---|
| 88 |
|
|---|
| 89 | =item B<-p> I<key_password>
|
|---|
| 90 |
|
|---|
| 91 | (HTTPS) Specifies the passphrase for the private key specified by the B<-k>
|
|---|
| 92 | argument. If this option is omitted and the key is passphrase protected,
|
|---|
| 93 | it will be prompted for. (Optional)
|
|---|
| 94 |
|
|---|
| 95 | =item B<-c> I<client_cert.pem>
|
|---|
| 96 |
|
|---|
| 97 | (HTTPS) In case of certificate-based client authentication over HTTPS
|
|---|
| 98 | I<client_cert.pem> must contain the X.509 certificate of the user. The B<-k>
|
|---|
| 99 | option must also be specified. If this option is not specified no
|
|---|
| 100 | certificate-based client authentication will take place. (Optional)
|
|---|
| 101 |
|
|---|
| 102 | =item B<-C> I<CA_certs.pem>
|
|---|
| 103 |
|
|---|
| 104 | (HTTPS) The trusted CA certificate store. The certificate chain of the peer's
|
|---|
| 105 | certificate must include one of the CA certificates specified in this file.
|
|---|
| 106 | Either option B<-C> or option B<-P> must be given in case of HTTPS. (Optional)
|
|---|
| 107 |
|
|---|
| 108 | =item B<-P> I<CA_path>
|
|---|
| 109 |
|
|---|
| 110 | (HTTPS) The path containing the trusted CA certificates to verify the peer's
|
|---|
| 111 | certificate. The directory must be prepared with L<openssl-rehash(1)>. Either
|
|---|
| 112 | option B<-C> or option B<-P> must be given in case of HTTPS. (Optional)
|
|---|
| 113 |
|
|---|
| 114 | =item B<-r> I<files>
|
|---|
| 115 |
|
|---|
| 116 | See L<openssl(1)/Random State Options> for more information.
|
|---|
| 117 |
|
|---|
| 118 | =item B<-g> I<EGD_socket>
|
|---|
| 119 |
|
|---|
| 120 | The name of an EGD socket to get random data from. (Optional)
|
|---|
| 121 |
|
|---|
| 122 | =item I<request> ...
|
|---|
| 123 |
|
|---|
| 124 | List of files containing RFC 3161 DER-encoded timestamp requests. If no
|
|---|
| 125 | requests are specified only one request will be sent to the server and it will
|
|---|
| 126 | be read from the standard input.
|
|---|
| 127 | (Optional)
|
|---|
| 128 |
|
|---|
| 129 | =back
|
|---|
| 130 |
|
|---|
| 131 | =head1 ENVIRONMENT VARIABLES
|
|---|
| 132 |
|
|---|
| 133 | The B<TSGET> environment variable can optionally contain default
|
|---|
| 134 | arguments. The content of this variable is added to the list of command line
|
|---|
| 135 | arguments.
|
|---|
| 136 |
|
|---|
| 137 | =head1 EXAMPLES
|
|---|
| 138 |
|
|---|
| 139 | The examples below presume that F<file1.tsq> and F<file2.tsq> contain valid
|
|---|
| 140 | timestamp requests, tsa.opentsa.org listens at port 8080 for HTTP requests
|
|---|
| 141 | and at port 8443 for HTTPS requests, the TSA service is available at the /tsa
|
|---|
| 142 | absolute path.
|
|---|
| 143 |
|
|---|
| 144 | Get a timestamp response for F<file1.tsq> over HTTP, output is written to
|
|---|
| 145 | F<file1.tsr>:
|
|---|
| 146 |
|
|---|
| 147 | tsget -h http://tsa.opentsa.org:8080/tsa file1.tsq
|
|---|
| 148 |
|
|---|
| 149 | Get a timestamp response for F<file1.tsq> and F<file2.tsq> over HTTP showing
|
|---|
| 150 | progress, output is written to F<file1.reply> and F<file2.reply> respectively:
|
|---|
| 151 |
|
|---|
| 152 | tsget -h http://tsa.opentsa.org:8080/tsa -v -e .reply \
|
|---|
| 153 | file1.tsq file2.tsq
|
|---|
| 154 |
|
|---|
| 155 | Create a timestamp request, write it to F<file3.tsq>, send it to the server and
|
|---|
| 156 | write the response to F<file3.tsr>:
|
|---|
| 157 |
|
|---|
| 158 | openssl ts -query -data file3.txt -cert | tee file3.tsq \
|
|---|
| 159 | | tsget -h http://tsa.opentsa.org:8080/tsa \
|
|---|
| 160 | -o file3.tsr
|
|---|
| 161 |
|
|---|
| 162 | Get a timestamp response for F<file1.tsq> over HTTPS without client
|
|---|
| 163 | authentication:
|
|---|
| 164 |
|
|---|
| 165 | tsget -h https://tsa.opentsa.org:8443/tsa \
|
|---|
| 166 | -C cacerts.pem file1.tsq
|
|---|
| 167 |
|
|---|
| 168 | Get a timestamp response for F<file1.tsq> over HTTPS with certificate-based
|
|---|
| 169 | client authentication (it will ask for the passphrase if F<client_key.pem> is
|
|---|
| 170 | protected):
|
|---|
| 171 |
|
|---|
| 172 | tsget -h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \
|
|---|
| 173 | -k client_key.pem -c client_cert.pem file1.tsq
|
|---|
| 174 |
|
|---|
| 175 | You can shorten the previous command line if you make use of the B<TSGET>
|
|---|
| 176 | environment variable. The following commands do the same as the previous
|
|---|
| 177 | example:
|
|---|
| 178 |
|
|---|
| 179 | TSGET='-h https://tsa.opentsa.org:8443/tsa -C cacerts.pem \
|
|---|
| 180 | -k client_key.pem -c client_cert.pem'
|
|---|
| 181 | export TSGET
|
|---|
| 182 | tsget file1.tsq
|
|---|
| 183 |
|
|---|
| 184 | =head1 SEE ALSO
|
|---|
| 185 |
|
|---|
| 186 | =for openssl foreign manual WWW::Curl::Easy
|
|---|
| 187 |
|
|---|
| 188 | L<openssl(1)>,
|
|---|
| 189 | L<openssl-ts(1)>,
|
|---|
| 190 | L<WWW::Curl::Easy>,
|
|---|
| 191 | L<https://www.rfc-editor.org/rfc/rfc3161.html>
|
|---|
| 192 |
|
|---|
| 193 | =head1 COPYRIGHT
|
|---|
| 194 |
|
|---|
| 195 | Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 196 |
|
|---|
| 197 | Licensed under the Apache License 2.0 (the "License"). You may not use
|
|---|
| 198 | this file except in compliance with the License. You can obtain a copy
|
|---|
| 199 | in the file LICENSE in the source distribution or at
|
|---|
| 200 | L<https://www.openssl.org/source/license.html>.
|
|---|
| 201 |
|
|---|
| 202 | =cut
|
|---|
