mirror of
https://github.com/guanzhi/GmSSL.git
synced 2026-05-13 20:06:24 +08:00
update manuals
@@ -6,7 +6,7 @@ ts - Time Stamping Authority tool (client/server)

=head1 SYNOPSIS

B<openssl> B<ts>
B<gmssl> B<ts>
B<-query>
[B<-rand> file:file...]
[B<-config> configfile]
@@ -20,7 +20,7 @@ B<-query>
[B<-out> request.tsq]
[B<-text>]

B<openssl> B<ts>
B<gmssl> B<ts>
B<-reply>
[B<-config> configfile]
[B<-section> tsa_section]
@@ -37,7 +37,7 @@ B<-reply>
[B<-text>]
[B<-engine> id]

B<openssl> B<ts>
B<gmssl> B<ts>
B<-verify>
[B<-data> file_to_hash]
[B<-digest> digest_bytes]
@@ -127,7 +127,7 @@ in use. (Optional)
=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>

The message digest to apply to the data file, it supports all the message
digest algorithms that are supported by the openssl B<dgst> command.
digest algorithms that are supported by the gmssl B<dgst> command.
The default is SHA-1. (Optional)

=item B<-policy> object_id
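Review bot: the rename stops at the command name, but the same paragraph still enumerates B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160> in its =item line and still says "The default is SHA-1"; if the gmssl B<dgst> command accepts a different digest set than openssl's, both the list and the stated default are now inaccurate and should be checked against the tool while this paragraph is being edited. Since this digest is the message imprint that a time stamp token binds to, it is also worth noting next to the default that SHA-1 is no longer collision resistant, so a reader choosing the imprint hash for new deployments has a reason to pick a stronger one.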
@@ -200,7 +200,7 @@ The name of the file containing a DER encoded time stamp request. (Optional)
=item B<-passin> password_src

Specifies the password source for the private key of the TSA. See
B<PASS PHRASE ARGUMENTS> in L<openssl(1)|openssl(1)>. (Optional)
B<PASS PHRASE ARGUMENTS> in L<gmssl(1)|gmssl(1)>. (Optional)

=item B<-signer> tsa_cert.pem

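Review bot: L<gmssl(1)|gmssl(1)> only renders as a usable cross-reference if a gmssl(1) manual page exists next to this one and actually contains a B<PASS PHRASE ARGUMENTS> section; otherwise the reader is sent to a page that does not exist. The same link substitution is made in the BUGS and SEE ALSO hunks below, so the target page should be verified once for all of them.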
@@ -375,9 +375,9 @@ generation a new file is created with serial number 1. (Mandatory)

=item B<crypto_device>

Specifies the OpenSSL engine that will be set as the default for
Specifies the GmSSL engine that will be set as the default for
all available algorithms. The default value is builtin, you can specify
any other engines supported by OpenSSL (e.g. use chil for the NCipher HSM).
any other engines supported by GmSSL (e.g. use chil for the NCipher HSM).
(Optional)

=item B<signer_cert>
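Review bot: "any other engines supported by GmSSL (e.g. use chil for the NCipher HSM)" carries the nCipher chil engine over verbatim as the example of a supported engine; before documenting it under the GmSSL name, confirm that this tree still builds and ships that engine, and otherwise replace the example with an engine the project does provide, since a B<crypto_device> value that cannot be loaded leaves the TSA signing key unusable.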
@@ -459,32 +459,32 @@ overridden by the B<-config> command line option.

All the examples below presume that B<OPENSSL_CONF> is set to a proper
configuration file, e.g. the example configuration file
openssl/apps/openssl.cnf will do.
gmssl/apps/openssl.cnf will do.

=head2 Time Stamp Request

To create a time stamp request for design1.txt with SHA-1
without nonce and policy and no certificate is required in the response:

openssl ts -query -data design1.txt -no_nonce \
gmssl ts -query -data design1.txt -no_nonce \
-out design1.tsq

To create a similar time stamp request with specifying the message imprint
explicitly:

openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
gmssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
-no_nonce -out design1.tsq

To print the content of the previous request in human readable format:

openssl ts -query -in design1.tsq -text
gmssl ts -query -in design1.tsq -text

To create a time stamp request which includes the MD-5 digest
of design2.txt, requests the signer certificate and nonce,
specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):

openssl ts -query -data design2.txt -md5 \
gmssl ts -query -data design2.txt -md5 \
-policy tsa_policy1 -cert -out design2.tsq

=head2 Time Stamp Response
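Review bot: "gmssl/apps/openssl.cnf will do." changes the directory but keeps the file name openssl.cnf, and the sentence before it still tells the reader to set B<OPENSSL_CONF>; confirm that this path exists in the GmSSL tree and that the gmssl binary still reads that environment variable name, otherwise every example in this section starts from a configuration file the reader cannot locate. The command lines themselves only swap the executable name, which is consistent with the SYNOPSIS hunks.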
@@ -501,52 +501,52 @@ tsakey.pem is the private key of the TSA.

To create a time stamp response for a request:

openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \
gmssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \
-signer tsacert.pem -out design1.tsr

If you want to use the settings in the config file you could just write:

openssl ts -reply -queryfile design1.tsq -out design1.tsr
gmssl ts -reply -queryfile design1.tsq -out design1.tsr

To print a time stamp reply to stdout in human readable format:

openssl ts -reply -in design1.tsr -text
gmssl ts -reply -in design1.tsr -text

To create a time stamp token instead of time stamp response:

openssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out
gmssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out

To print a time stamp token to stdout in human readable format:

openssl ts -reply -in design1_token.der -token_in -text -token_out
gmssl ts -reply -in design1_token.der -token_in -text -token_out

To extract the time stamp token from a response:

openssl ts -reply -in design1.tsr -out design1_token.der -token_out
gmssl ts -reply -in design1.tsr -out design1_token.der -token_out

To add 'granted' status info to a time stamp token thereby creating a
valid response:

openssl ts -reply -in design1_token.der -token_in -out design1.tsr
gmssl ts -reply -in design1_token.der -token_in -out design1.tsr

=head2 Time Stamp Verification

To verify a time stamp reply against a request:

openssl ts -verify -queryfile design1.tsq -in design1.tsr \
gmssl ts -verify -queryfile design1.tsq -in design1.tsr \
-CAfile cacert.pem -untrusted tsacert.pem

To verify a time stamp reply that includes the certificate chain:

openssl ts -verify -queryfile design2.tsq -in design2.tsr \
gmssl ts -verify -queryfile design2.tsq -in design2.tsr \
-CAfile cacert.pem

To verify a time stamp token against the original data file:
openssl ts -verify -data design2.txt -in design2.tsr \
gmssl ts -verify -data design2.txt -in design2.tsr \
-CAfile cacert.pem

To verify a time stamp token against a message imprint:
openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
gmssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
-in design2.tsr -CAfile cacert.pem

You could also look at the 'test' directory for more examples.
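Review bot: two verbatim paragraphs in this hunk are glued to their introductory sentence: "To verify a time stamp token against the original data file:" runs directly into "gmssl ts -verify -data design2.txt -in design2.tsr \" with no blank line between them, and "To verify a time stamp token against a message imprint:" does the same with its "gmssl ts -verify -digest ..." line. POD starts a verbatim block only after a blank line, so pod2man folds those commands into the prose paragraph and reflows them; since these lines are being touched anyway, add the missing blank line in both places, matching the layout of the other examples in the section.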
@@ -566,7 +566,7 @@ L<tsget(1)|tsget(1)>. Pure TCP/IP protocol is not supported.

=item * The file containing the last serial number of the TSA is not
locked when being read or written. This is a problem if more than one
instance of L<openssl(1)|openssl(1)> is trying to create a time stamp
instance of L<gmssl(1)|gmssl(1)> is trying to create a time stamp
response at the same time. This is not an issue when using the apache
server module, it does proper locking.

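Review bot: this BUGS entry is copied across with only the link renamed, which is fine as long as it is still true of this tree: the unlocked serial-number file means two concurrent gmssl(1) instances can hand out the same serial in two different tokens, and a TSA is expected to keep serial numbers unique per token, so operators rely on this paragraph to decide whether they may run the command-line responder concurrently. Please confirm the race is still present in GmSSL's ts implementation before keeping the text, and if the apache module it refers to is not part of this project, say so or drop that sentence.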
@@ -587,7 +587,7 @@ Zoltan Glozik <zglozik@opentsa.org>, OpenTSA project (http://www.opentsa.org)

=head1 SEE ALSO

L<tsget(1)|tsget(1)>, L<openssl(1)|openssl(1)>, L<req(1)|req(1)>,
L<tsget(1)|tsget(1)>, L<gmssl(1)|gmssl(1)>, L<req(1)|req(1)>,
L<x509(1)|x509(1)>, L<ca(1)|ca(1)>, L<genrsa(1)|genrsa(1)>,
L<config(5)|config(5)>