Lines Matching +full:4 +full:- +full:data

1 .\" -*- mode: troff; coding: utf-8 -*-
57 .IX Title "OPENSSL-TS 1ossl"
58 .TH OPENSSL-TS 1ossl 2025-09-30 3.5.4 OpenSSL
64 openssl\-ts \- Time Stamping Authority command
68 \&\fB\-help\fR
71 \&\fB\-query\fR
72 [\fB\-config\fR \fIconfigfile\fR]
73 [\fB\-data\fR \fIfile_to_hash\fR]
74 [\fB\-digest\fR \fIdigest_bytes\fR]
75 [\fB\-\fR\f(BIdigest\fR]
76 [\fB\-tspolicy\fR \fIobject_id\fR]
77 [\fB\-no_nonce\fR]
78 [\fB\-cert\fR]
79 [\fB\-in\fR \fIrequest.tsq\fR]
80 [\fB\-out\fR \fIrequest.tsq\fR]
81 [\fB\-text\fR]
82 [\fB\-rand\fR \fIfiles\fR]
83 [\fB\-writerand\fR \fIfile\fR]
84 [\fB\-provider\fR \fIname\fR]
85 [\fB\-provider\-path\fR \fIpath\fR]
86 [\fB\-provparam\fR \fI[name:]key=value\fR]
87 [\fB\-propquery\fR \fIpropq\fR]
90 \&\fB\-reply\fR
91 [\fB\-config\fR \fIconfigfile\fR]
92 [\fB\-section\fR \fItsa_section\fR]
93 [\fB\-queryfile\fR \fIrequest.tsq\fR]
94 [\fB\-passin\fR \fIpassword_src\fR]
95 [\fB\-signer\fR \fItsa_cert.pem\fR]
96 [\fB\-inkey\fR \fIfilename\fR|\fIuri\fR]
97 [\fB\-\fR\f(BIdigest\fR]
98 [\fB\-chain\fR \fIcerts_file.pem\fR]
99 [\fB\-tspolicy\fR \fIobject_id\fR]
100 [\fB\-in\fR \fIresponse.tsr\fR]
101 [\fB\-token_in\fR]
102 [\fB\-out\fR \fIresponse.tsr\fR]
103 [\fB\-token_out\fR]
104 [\fB\-text\fR]
105 [\fB\-engine\fR \fIid\fR]
106 [\fB\-provider\fR \fIname\fR]
107 [\fB\-provider\-path\fR \fIpath\fR]
108 [\fB\-provparam\fR \fI[name:]key=value\fR]
109 [\fB\-propquery\fR \fIpropq\fR]
112 \&\fB\-verify\fR
113 [\fB\-data\fR \fIfile_to_hash\fR]
114 [\fB\-digest\fR \fIdigest_bytes\fR]
115 [\fB\-queryfile\fR \fIrequest.tsq\fR]
116 [\fB\-in\fR \fIresponse.tsr\fR]
117 [\fB\-token_in\fR]
118 [\fB\-untrusted\fR \fIfiles\fR|\fIuris\fR]
119 [\fB\-CAfile\fR \fIfile\fR]
120 [\fB\-CApath\fR \fIdir\fR]
121 [\fB\-CAstore\fR \fIuri\fR]
122 [\fB\-allow_proxy_certs\fR]
123 [\fB\-attime\fR \fItimestamp\fR]
124 [\fB\-no_check_time\fR]
125 [\fB\-check_ss_sig\fR]
126 [\fB\-crl_check\fR]
127 [\fB\-crl_check_all\fR]
128 [\fB\-explicit_policy\fR]
129 [\fB\-extended_crl\fR]
130 [\fB\-ignore_critical\fR]
131 [\fB\-inhibit_any\fR]
132 [\fB\-inhibit_map\fR]
133 [\fB\-partial_chain\fR]
134 [\fB\-policy\fR \fIarg\fR]
135 [\fB\-policy_check\fR]
136 [\fB\-policy_print\fR]
137 [\fB\-purpose\fR \fIpurpose\fR]
138 [\fB\-suiteB_128\fR]
139 [\fB\-suiteB_128_only\fR]
140 [\fB\-suiteB_192\fR]
141 [\fB\-trusted_first\fR]
142 [\fB\-no_alt_chains\fR]
143 [\fB\-use_deltas\fR]
144 [\fB\-auth_level\fR \fInum\fR]
145 [\fB\-verify_depth\fR \fInum\fR]
146 [\fB\-verify_email\fR \fIemail\fR]
147 [\fB\-verify_hostname\fR \fIhostname\fR]
148 [\fB\-verify_ip\fR \fIip\fR]
149 [\fB\-verify_name\fR \fIname\fR]
150 [\fB\-x509_strict\fR]
151 [\fB\-issuer_checks\fR]
152 [\fB\-provider\fR \fIname\fR]
153 [\fB\-provider\-path\fR \fIpath\fR]
154 [\fB\-provparam\fR \fI[name:]key=value\fR]
155 [\fB\-propquery\fR \fIpropq\fR]
159 server application as specified in RFC 3161 (Time-Stamp Protocol, TSP). A
163 .IP 1. 4
164 The TSA client computes a one-way hash value for a data file and sends
166 .IP 2. 4
170 data file at the time of response generation.
171 .IP 3. 4
176 There is one DER encoded protocol data unit defined for transporting a
179 creating a timestamp request based on a data file,
181 response corresponds to a particular request or a data file.
185 requests either by ftp or e\-mail.
188 .IP \fB\-help\fR 4
189 .IX Item "-help"
191 .IP \fB\-query\fR 4
192 .IX Item "-query"
194 .IP \fB\-reply\fR 4
195 .IX Item "-reply"
197 .IP \fB\-verify\fR 4
198 .IX Item "-verify"
202 The \fB\-query\fR command can be used for creating and printing a timestamp
204 .IP "\fB\-config\fR \fIconfigfile\fR" 4
205 .IX Item "-config configfile"
209 .IP "\fB\-data\fR \fIfile_to_hash\fR" 4
210 .IX Item "-data file_to_hash"
211 The data file for which the timestamp request needs to be
212 created. stdin is the default if neither the \fB\-data\fR nor the \fB\-digest\fR
214 .IP "\fB\-digest\fR \fIdigest_bytes\fR" 4
215 .IX Item "-digest digest_bytes"
216 It is possible to specify the message imprint explicitly without the data
221 .IP \fB\-\fR\f(BIdigest\fR 4
222 .IX Item "-digest"
223 The message digest to apply to the data file.
224 Any digest supported by the \fBopenssl\-dgst\fR\|(1) command can be used.
225 The default is SHA\-256. (Optional)
226 .IP "\fB\-tspolicy\fR \fIobject_id\fR" 4
227 .IX Item "-tspolicy object_id"
232 .IP \fB\-no_nonce\fR 4
233 .IX Item "-no_nonce"
235 given. Otherwise, a 64\-bit long pseudo-random nonce is
238 .IP \fB\-cert\fR 4
239 .IX Item "-cert"
242 .IP "\fB\-in\fR \fIrequest.tsq\fR" 4
243 .IX Item "-in request.tsq"
246 to examine the content of a request in human-readable
248 .IP "\fB\-out\fR \fIrequest.tsq\fR" 4
249 .IX Item "-out request.tsq"
252 .IP \fB\-text\fR 4
253 .IX Item "-text"
254 If this option is specified the output is human-readable text format
256 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
257 .IX Item "-rand files, -writerand file"
263 successful. The \fB\-reply\fR command is for creating a timestamp
265 response/token in human-readable format. If \fB\-token_out\fR is not
268 .IP "\fB\-config\fR \fIconfigfile\fR" 4
269 .IX Item "-config configfile"
274 .IP "\fB\-section\fR \fItsa_section\fR" 4
275 .IX Item "-section tsa_section"
279 .IP "\fB\-queryfile\fR \fIrequest.tsq\fR" 4
280 .IX Item "-queryfile request.tsq"
282 .IP "\fB\-passin\fR \fIpassword_src\fR" 4
283 .IX Item "-passin password_src"
286 .IP "\fB\-signer\fR \fItsa_cert.pem\fR" 4
287 .IX Item "-signer tsa_cert.pem"
293 .IP "\fB\-inkey\fR \fIfilename\fR|\fIuri\fR" 4
294 .IX Item "-inkey filename|uri"
297 .IP \fB\-\fR\f(BIdigest\fR 4
298 .IX Item "-digest"
301 .IP "\fB\-chain\fR \fIcerts_file.pem\fR" 4
302 .IX Item "-chain certs_file.pem"
305 the \fB\-cert\fR option was used for the request. This file is supposed to
307 issuer upwards. The \fB\-reply\fR command does not build a certificate
309 .IP "\fB\-tspolicy\fR \fIobject_id\fR" 4
310 .IX Item "-tspolicy object_id"
315 .IP "\fB\-in\fR \fIresponse.tsr\fR" 4
316 .IX Item "-in response.tsr"
318 (if \fB\-token_in\fR is also specified) in DER format that will be written
324 .IP \fB\-token_in\fR 4
325 .IX Item "-token_in"
326 This flag can be used together with the \fB\-in\fR option and indicates
329 .IP "\fB\-out\fR \fIresponse.tsr\fR" 4
330 .IX Item "-out response.tsr"
332 file depends on other options (see \fB\-text\fR, \fB\-token_out\fR). The default is
334 .IP \fB\-token_out\fR 4
335 .IX Item "-token_out"
338 .IP \fB\-text\fR 4
339 .IX Item "-text"
340 If this option is specified the output is human-readable text format
342 .IP "\fB\-engine\fR \fIid\fR" 4
343 .IX Item "-engine id"
346 .IP "\fB\-provider\fR \fIname\fR" 4
347 .IX Item "-provider name"
349 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
350 .IX Item "-provider-path path"
351 .IP "\fB\-provparam\fR \fI[name:]key=value\fR" 4
352 .IX Item "-provparam [name:]key=value"
353 .IP "\fB\-propquery\fR \fIpropq\fR" 4
354 .IX Item "-propquery propq"
359 The \fB\-verify\fR command is for verifying if a timestamp response or
361 data file. The \fB\-verify\fR command does not use the configuration file.
362 .IP "\fB\-data\fR \fIfile_to_hash\fR" 4
363 .IX Item "-data file_to_hash"
366 The \fB\-digest\fR and \fB\-queryfile\fR options must not be specified with this one.
368 .IP "\fB\-digest\fR \fIdigest_bytes\fR" 4
369 .IX Item "-digest digest_bytes"
372 specified in the token. The \fB\-data\fR and \fB\-queryfile\fR options must not be
374 .IP "\fB\-queryfile\fR \fIrequest.tsq\fR" 4
375 .IX Item "-queryfile request.tsq"
376 The original timestamp request in DER format. The \fB\-data\fR and \fB\-digest\fR
378 .IP "\fB\-in\fR \fIresponse.tsr\fR" 4
379 .IX Item "-in response.tsr"
381 .IP \fB\-token_in\fR 4
382 .IX Item "-token_in"
383 This flag can be used together with the \fB\-in\fR option and indicates
386 .IP "\fB\-untrusted\fR \fIfiles\fR|\fIuris\fR" 4
387 .IX Item "-untrusted files|uris"
396 .IP "\fB\-CAfile\fR \fIfile\fR, \fB\-CApath\fR \fIdir\fR, \fB\-CAstore\fR \fIuri\fR" 4
397 .IX Item "-CAfile file, -CApath dir, -CAstore uri"
398 See "Trusted Certificate Options" in \fBopenssl\-verification\-options\fR\|(1) for details.
399 At least one of \fB\-CAfile\fR, \fB\-CApath\fR or \fB\-CAstore\fR must be specified.
400 .IP "\fB\-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check…
401 .IX Item "-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_…
403 See "Verification Options" in \fBopenssl\-verification\-options\fR\|(1) for details.
408 The \fB\-query\fR and \fB\-reply\fR commands make use of a configuration file.
411 \&\fB\-query\fR command uses only the symbolic OID names section
412 and it can work without it. However, the \fB\-reply\fR command needs the
417 .IP "\fBtsa\fR section, \fBdefault_tsa\fR" 4
420 that contains all the options for the \fB\-reply\fR command. This default
421 section can be overridden with the \fB\-section\fR command line switch. (Optional)
422 .IP \fBoid_file\fR 4
428 .IP \fBoid_section\fR 4
434 .IP \fBRANDFILE\fR 4
439 .IP \fBserial\fR 4
445 .IP \fBcrypto_device\fR 4
448 all available algorithms. The default value is built-in, you can specify
451 .IP \fBsigner_cert\fR 4
453 TSA signing certificate in PEM format. The same as the \fB\-signer\fR
455 .IP \fBcerts\fR 4
458 included in the response. The same as the \fB\-chain\fR command line
460 .IP \fBsigner_key\fR 4
462 The private key of the TSA in PEM format. The same as the \fB\-inkey\fR
464 .IP \fBsigner_digest\fR 4
467 \&\fB\-\fR\f(BIdigest\fR command line option. (Mandatory unless specified on the command
469 .IP \fBdefault_policy\fR 4
472 policy. The same as the \fB\-tspolicy\fR command line option. (Optional)
473 .IP \fBother_policies\fR 4
477 .IP \fBdigests\fR 4
481 .IP \fBaccuracy\fR 4
486 .IP \fBclock_precision_digits\fR 4
494 .IP \fBordering\fR 4
499 .IP \fBtsa_name\fR 4
503 .IP \fBess_cert_id_chain\fR 4
510 If this variable is set to yes and the \fBcerts\fR variable or the \fB\-chain\fR option
512 be included, where the \fB\-chain\fR option overrides the \fBcerts\fR variable.
514 .IP \fBess_cert_id_alg\fR 4
525 To create a timestamp request for \fIdesign1.txt\fR with SHA\-256 digest,
530 \& openssl ts \-query \-data design1.txt \-no_nonce \e
531 \& \-out design1.tsq
538 \& openssl ts \-query \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
539 \& \-no_nonce \-out design1.tsq
545 \& openssl ts \-query \-in design1.tsq \-text
548 To create a timestamp request which includes the SHA\-512 digest
554 \& openssl ts \-query \-data design2.txt \-sha512 \e
555 \& \-tspolicy tsa_policy1 \-cert \-out design2.tsq
568 See \fBopenssl\-req\fR\|(1), \fBopenssl\-ca\fR\|(1), and \fBopenssl\-x509\fR\|(1) for
576 \& openssl ts \-reply \-queryfile design1.tsq \-inkey tsakey.pem \e
577 \& \-signer tsacert.pem \-out design1.tsr
583 \& openssl ts \-reply \-queryfile design1.tsq \-out design1.tsr
589 \& openssl ts \-reply \-in design1.tsr \-text
595 \& openssl ts \-reply \-queryfile design1.tsq \-out design1_token.der \-token_out
601 \& openssl ts \-reply \-in design1_token.der \-token_in \-text \-token_out
607 \& openssl ts \-reply \-in design1.tsr \-out design1_token.der \-token_out
614 \& openssl ts \-reply \-in design1_token.der \-token_in \-out design1.tsr
621 \& openssl ts \-verify \-queryfile design1.tsq \-in design1.tsr \e
622 \& \-CAfile cacert.pem \-untrusted tsacert.pem
628 \& openssl ts \-verify \-queryfile design2.tsq \-in design2.tsr \e
629 \& \-CAfile cacert.pem
632 To verify a timestamp token against the original data file:
635 \& openssl ts \-verify \-data design2.txt \-in design2.tsr \e
636 \& \-CAfile cacert.pem
642 \& openssl ts \-verify \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e
643 \& \-in design2.tsr \-CAfile cacert.pem
651 to implement an automatic e\-mail based TSA with \fBprocmail\fR\|(1)
675 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
680 \&\fBopenssl\-req\fR\|(1),
681 \&\fBopenssl\-x509\fR\|(1),
682 \&\fBopenssl\-ca\fR\|(1),
683 \&\fBopenssl\-genrsa\fR\|(1),
685 \&\fBossl_store\-file\fR\|(7)
688 Copyright 2006\-2025 The OpenSSL Project Authors. All Rights Reserved.