General verify options to openssl ts
This commit adds the general verify options of ocsp, verify, cms, etc. to the openssl timestamping app as suggested by Stephen N. Henson in [openssl.org #4287]. The conflicting "-policy" option of "openssl ts" has been renamed to "-tspolicy". Documentation and tests have been updated. CAVE: This will break code, which currently uses the "-policy" option. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
fbroda
@@ -8,13 +8,12 @@ ts - Time Stamping Authority tool (client/server)
|
||||
|
||||
B<openssl> B<ts>
|
||||
B<-query>
|
||||
[B<-help>]
|
||||
[B<-rand> file:file...]
|
||||
[B<-config> configfile]
|
||||
[B<-data> file_to_hash]
|
||||
[B<-digest> digest_bytes]
|
||||
[B<-[digest]>]
|
||||
[B<-policy> object_id]
|
||||
[B<-tspolicy> object_id]
|
||||
[B<-no_nonce>]
|
||||
[B<-cert>]
|
||||
[B<-in> request.tsq]
|
||||
@@ -31,7 +30,7 @@ B<-reply>
|
||||
[B<-inkey> private.pem]
|
||||
[B<-sha1|-sha224|-sha256|-sha384|-sha512>]
|
||||
[B<-chain> certs_file.pem]
|
||||
[B<-policy> object_id]
|
||||
[B<-tspolicy> object_id]
|
||||
[B<-in> response.tsr]
|
||||
[B<-token_in>]
|
||||
[B<-out> response.tsr]
|
||||
@@ -49,6 +48,37 @@ B<-verify>
|
||||
[B<-CApath> trusted_cert_path]
|
||||
[B<-CAfile> trusted_certs.pem]
|
||||
[B<-untrusted> cert_file.pem]
|
||||
[I<verify options>]
|
||||
|
||||
I<verify options:>
|
||||
[-attime timestamp]
|
||||
[-check_ss_sig]
|
||||
[-crl_check]
|
||||
[-crl_check_all]
|
||||
[-explicit_policy]
|
||||
[-extended_crl]
|
||||
[-ignore_critical]
|
||||
[-inhibit_any]
|
||||
[-inhibit_map]
|
||||
[-issuer_checks]
|
||||
[-no_alt_chains]
|
||||
[-no_check_time]
|
||||
[-partial_chain]
|
||||
[-policy arg]
|
||||
[-policy_check]
|
||||
[-policy_print]
|
||||
[-purpose purpose]
|
||||
[-suiteB_128]
|
||||
[-suiteB_128_only]
|
||||
[-suiteB_192]
|
||||
[-trusted_first]
|
||||
[-use_deltas]
|
||||
[-verify_depth num]
|
||||
[-verify_email email]
|
||||
[-verify_hostname hostname]
|
||||
[-verify_ip ip]
|
||||
[-verify_name name]
|
||||
[-x509_strict]
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
@@ -100,10 +130,6 @@ request with the following options:
|
||||
|
||||
=over 4
|
||||
|
||||
=item B<-help>
|
||||
|
||||
Print out a usage message.
|
||||
|
||||
=item B<-rand> file:file...
|
||||
|
||||
The files containing random data for seeding the random number
|
||||
@@ -136,7 +162,7 @@ The message digest to apply to the data file.
|
||||
Any digest supported by the OpenSSL B<dgst> command can be used.
|
||||
The default is SHA-1. (Optional)
|
||||
|
||||
=item B<-policy> object_id
|
||||
=item B<-tspolicy> object_id
|
||||
|
||||
The policy that the client expects the TSA to use for creating the
|
||||
time stamp token. Either the dotted OID notation or OID names defined
|
||||
@@ -235,7 +261,7 @@ contain the certificate chain for the signer certificate from its
|
||||
issuer upwards. The B<-reply> command does not build a certificate
|
||||
chain automatically. (Optional)
|
||||
|
||||
=item B<-policy> object_id
|
||||
=item B<-tspolicy> object_id
|
||||
|
||||
The default policy to use for the response unless the client
|
||||
explicitly requires a particular TSA policy. The OID can be specified
|
||||
@@ -343,6 +369,20 @@ certificate. This file must contain the TSA signing certificate and
|
||||
all intermediate CA certificates unless the response includes them.
|
||||
(Optional)
|
||||
|
||||
=item I<verify options>
|
||||
|
||||
The options [-attime timestamp], [-check_ss_sig], [-crl_check],
|
||||
[-crl_check_all], [-explicit_policy], [-extended_crl],
|
||||
[-ignore_critical], [-inhibit_any], [-inhibit_map],
|
||||
[-issuer_checks], [-no_alt_chains], [-no_check_time],
|
||||
[-partial_chain], [-policy arg], [-policy_check],
|
||||
[-policy_print], [-purpose purpose], [-suiteB_128],
|
||||
[-suiteB_128_only], [-suiteB_192], [-trusted_first],
|
||||
[-use_deltas], [-verify_depth num], [-verify_email email],
|
||||
[-verify_hostname hostname], [-verify_ip ip], [-verify_name name],
|
||||
and [-x509_strict] can be used to control timestamp verification.
|
||||
See L<verify(1)>.
|
||||
|
||||
=back
|
||||
|
||||
=head1 CONFIGURATION FILE OPTIONS
|
||||
@@ -415,7 +455,7 @@ B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional)
|
||||
=item B<default_policy>
|
||||
|
||||
The default policy to use when the request does not mandate any
|
||||
policy. The same as the B<-policy> command line option. (Optional)
|
||||
policy. The same as the B<-tspolicy> command line option. (Optional)
|
||||
|
||||
=item B<other_policies>
|
||||
|
||||
@@ -501,7 +541,7 @@ specifies a policy id (assuming the tsa_policy1 name is defined in the
|
||||
OID section of the config file):
|
||||
|
||||
openssl ts -query -data design2.txt -md5 \
|
||||
-policy tsa_policy1 -cert -out design2.tsq
|
||||
-tspolicy tsa_policy1 -cert -out design2.tsq
|
||||
|
||||
=head2 Time Stamp Response
|
||||
|
||||
|
||||
Reference in New Issue
Block a user