Creating a timestamp request with the OpenSSL and LibreSSL commands
Use OpenSSL's ts command to create a timestamp request.
A timestamp request can be created with the following options.
openssl ts -query -data <file-to-hash> -out <timestamp-request-file>
Help for the OpenSSL ts command.
>openssl ts -help
Usage: ts [options]
General options:
-help Display this summary
-config infile Configuration file
-section val Section to use within config file
-engine val Use engine, possibly a hardware device
-inkey val File with private key for reply
-signer val Signer certificate file
-chain infile File with signer CA chain
-CAfile infile File with trusted CA certs
-CApath dir Path to trusted CA files
-CAstore uri URI to trusted CA store
-untrusted infile Extra untrusted certs
-token_in Input is a PKCS#7 file
-token_out Output is a PKCS#7 file
-passin val Input file pass phrase source
-* Any supported digest
Query options:
-query Generate a TS query
-data infile File to hash
-digest val Digest (as a hex string)
-queryfile infile File containing a TS query
-cert Put cert request into query
-in infile Input file
Verify options:
-verify Verify a TS response
-reply Generate a TS reply
-tspolicy val Policy OID to use
-no_nonce Do not include a nonce
-out outfile Output file
-text Output text (not DER)
Random state options:
-rand val Load the given file(s) into the random number generator
-writerand outfile Write random data to the specified file
Validation options:
-policy val adds policy to the acceptable policy set
-purpose val certificate chain purpose
-verify_name val verification policy name
-verify_depth int chain depth limit
-auth_level int chain authentication security level
-attime intmax verification epoch time
-verify_hostname val expected peer hostname
-verify_email val expected peer email
-verify_ip val expected peer IP address
-ignore_critical permit unhandled critical extensions
-issuer_checks (deprecated)
-crl_check check leaf certificate revocation
-crl_check_all check full chain revocation
-policy_check perform rfc5280 policy checks
-explicit_policy set policy variable require-explicit-policy
-inhibit_any set policy variable inhibit-any-policy
-inhibit_map set policy variable inhibit-policy-mapping
-x509_strict disable certificate compatibility work-arounds
-extended_crl enable extended CRL features
-use_deltas use delta CRLs
-policy_print print policy processing diagnostics
-check_ss_sig check root CA self-signatures
-trusted_first search trust store first (default)
-suiteB_128_only Suite B 128-bit-only mode
-suiteB_128 Suite B 128-bit mode allowing 192-bit algorithms
-suiteB_192 Suite B 192-bit-only mode
-partial_chain accept chains anchored by intermediate trust-store CAs
-no_alt_chains (deprecated)
-no_check_time ignore certificate validity time
-allow_proxy_certs allow the use of proxy certificates
Provider options:
-provider-path val Provider load path (must be before 'provider' argument if required)
-provider val Provider to load (can be specified multiple times)
-propquery val Property query used when fetching algorithms
Typical uses:
openssl ts -query [-rand file...] [-config file] [-data file]
[-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]
[-in file] [-out file] [-text]
openssl ts -reply [-config file] [-section tsa_section]
[-queryfile file] [-passin password]
[-signer tsa_cert.pem] [-inkey private_key.pem]
[-chain certs_file.pem] [-tspolicy oid]
[-in file] [-token_in] [-out file] [-token_out]
[-text] [-engine id]
openssl ts -verify -CApath dir -CAfile root-cert.pem -CAstore uri
-untrusted extra-certs.pem [-data file] [-digest hexstring]
[-queryfile request.tsq] -in response.tsr [-token_in] ...
Now actually create a timestamp request.
> openssl ts -query -data HelloWorld.txt -out HelloWorld.txt.tsq
Using configuration from C:\Program Files\Common Files\SSL/openssl.cnf
Display the created timestamp request with the following command.
> openssl ts -query -in HelloWorld.txt.tsq -text
Using configuration from C:\Program Files\Common Files\SSL/openssl.cnf
Version: 1
Hash Algorithm: sha256
Message data:
0000 - a5 91 a6 d4 0b f4 20 40-4a 01 17 33 cf b7 b1 90 ...... @J..3....
0010 - d6 2c 65 bf 0b cd a3 2b-57 b2 77 d9 ad 9f 14 6e .,e....+W.w....n
Policy OID: unspecified
Nonce: 0xDC9C89DBD700A3EC
Certificate required: no
Extensions:
The created timestamp request is DER-encoded ASN.1, so let's look at the result of parsing it with OpenSSL's asn1parse command.
> openssl asn1parse -inform DER -in HelloWorld.txt.tsq
0:d=0 hl=2 l= 65 cons: SEQUENCE
2:d=1 hl=2 l= 1 prim: INTEGER :01
5:d=1 hl=2 l= 49 cons: SEQUENCE
7:d=2 hl=2 l= 13 cons: SEQUENCE
9:d=3 hl=2 l= 9 prim: OBJECT :sha256
20:d=3 hl=2 l= 0 prim: NULL
22:d=2 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:A591A6D40BF420404A011733CFB7B190D62C65BF0BCDA32B57B277D9AD9F146E
56:d=1 hl=2 l= 9 prim: INTEGER :DC9C89DBD700A3EC
Generating a timestamp request with LibreSSL
The ts command is also available in LibreSSL.
> "C:\Program Files (x86)\LibreSSL\bin\openssl.exe" ts -query -data HelloWorld.txt -out HelloWorld.txt.tsq
Looking at the parsed result, LibreSSL's default hash algorithm was SHA-1.
> "C:\Program Files (x86)\LibreSSL\bin\openssl.exe" ts -query -in HelloWorld.txt.tsq -text
Version: 1
Hash Algorithm: sha1
Message data:
0000 - 0a 4d 55 a8 d7 78 e5 02-2f ab 70 19 77 c5 d8 40 .MU..x../.p.w..@
0010 - bb c4 86 d0 ....
Policy OID: unspecified
Nonce: 0xD84CEA7C50A5AD7B
Certificate required: no
Extensions:
The result of the asn1parse command.
> "C:\Program Files (x86)\LibreSSL\bin\openssl.exe" asn1parse -inform DER -in HelloWorld.txt.tsq
0:d=0 hl=2 l= 49 cons: SEQUENCE
2:d=1 hl=2 l= 1 prim: INTEGER :01
5:d=1 hl=2 l= 33 cons: SEQUENCE
7:d=2 hl=2 l= 9 cons: SEQUENCE
9:d=3 hl=2 l= 5 prim: OBJECT :sha1
16:d=3 hl=2 l= 0 prim: NULL
18:d=2 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:0A4D55A8D778E5022FAB701977C5D840BBC486D0
40:d=1 hl=2 l= 9 prim: INTEGER :D84CEA7C50A5AD7B
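The two asn1parse dumps above show the full structure of an RFC 3161 TimeStampReq: a version INTEGER, a messageImprint (AlgorithmIdentifier plus the file digest as an OCTET STRING) and a nonce INTEGER, with the digest OID being the only thing that differs between the OpenSSL (sha256) and LibreSSL (sha1) outputs. The following is an added example, not code from the original post or from OpenSSL/LibreSSL: a minimal DER encoder and decoder for exactly that structure, so the fields that openssl ts -text prints can be checked programmatically, together with a check that a request's imprint really matches a given file's contents. The OPENSSL_TSQ and LIBRESSL_TSQ byte strings are reconstructed from the asn1parse output on the page (the HelloWorld.txt contents themselves are not on the page); all function names are my own. It also flags the SHA-1 case the LibreSSL section ran into: since the help output lists "-* Any supported digest", the digest can be pinned with -sha256 on the command line instead of relying on the build's default.

```python
# Added example, not code from the original post: a minimal DER encoder/decoder for
# the RFC 3161 TimeStampReq that `openssl ts -query` writes, so the fields printed by
# `openssl ts -text` and `openssl asn1parse` can be checked programmatically.
import hashlib

DIGEST_BY_OID = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
OID_BY_DIGEST = {v: k for k, v in DIGEST_BY_OID.items()}

def _tlv(tag, body):
    # DER length: short form below 128, otherwise 0x8N followed by N length bytes.
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _oid(dotted):
    # First two arcs share one byte; later arcs are base-128 with continuation bits.
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _int(value):
    # A 0x00 pad byte keeps a high-bit value positive: that is why the 64-bit
    # nonces on the page are encoded as 9-byte INTEGERs (l= 9 in asn1parse).
    return _tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_tsq(data, nonce, digest="sha256", cert_req=False):
    """TimeStampReq: version, messageImprint, [nonce], [certReq]; reqPolicy is left out."""
    alg_id = _tlv(0x30, _oid(OID_BY_DIGEST[digest]) + b"\x05\x00")  # AlgorithmIdentifier, NULL params
    imprint = _tlv(0x30, alg_id + _tlv(0x04, hashlib.new(digest, data).digest()))
    body = _int(1) + imprint + (_int(nonce) if nonce is not None else b"")
    if cert_req:
        body += b"\x01\x01\xff"  # BOOLEAN TRUE; FALSE is the DEFAULT and must be omitted in DER
    return _tlv(0x30, body)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_tsq(der):
    """Return the fields `openssl ts -query -in req.tsq -text` prints, plus a weak-digest flag."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("TimeStampReq must be a SEQUENCE")
    _, version, pos = _read_tlv(body, 0)
    _, imprint, pos = _read_tlv(body, pos)
    _, alg_id, ipos = _read_tlv(imprint, 0)
    oid = _decode_oid(_read_tlv(alg_id, 0)[1])
    digest = _read_tlv(imprint, ipos)[1]
    info = {"version": int.from_bytes(version, "big"), "hash_algorithm": DIGEST_BY_OID.get(oid, oid),
            "message_data": digest.hex(), "policy_oid": None, "nonce": None, "cert_required": False}
    while pos < len(body):  # optional trailing fields, told apart by their tags
        tag, field, pos = _read_tlv(body, pos)
        if tag == 0x06:
            info["policy_oid"] = _decode_oid(field)
        elif tag == 0x02:
            info["nonce"] = int.from_bytes(field, "big")
        elif tag == 0x01:
            info["cert_required"] = field != b"\x00"
    info["weak_digest"] = info["hash_algorithm"] == "sha1"  # collision-prone imprint
    return info

def imprint_matches(der, data):
    """Recompute the imprint with the algorithm the request names and compare it."""
    info = parse_tsq(der)
    return hashlib.new(info["hash_algorithm"], data).hexdigest() == info["message_data"]

# Constructed from the two asn1parse dumps on the page (OpenSSL: sha256, LibreSSL: sha1).
OPENSSL_TSQ = bytes.fromhex(
    "3041" "020101" "3031" "300d" "0609608648016503040201" "0500"
    "0420" "A591A6D40BF420404A011733CFB7B190D62C65BF0BCDA32B57B277D9AD9F146E"
    "020900DC9C89DBD700A3EC")
LIBRESSL_TSQ = bytes.fromhex(
    "3031" "020101" "3021" "3009" "06052b0e03021a" "0500"
    "0414" "0A4D55A8D778E5022FAB701977C5D840BBC486D0"
    "020900D84CEA7C50A5AD7B")
```

parse_tsq(OPENSSL_TSQ) returns the same Version, Hash Algorithm, Message data and Nonce values that openssl ts -text printed above, and parse_tsq(LIBRESSL_TSQ) comes back with weak_digest set because of the sha1 imprint. imprint_matches is the client-side half of what openssl ts -verify -data does: before a request (or the token later returned for it) is trusted to cover a file, the digest inside it is recomputed with the named algorithm and compared, which is also why pinning the algorithm with -sha256 when generating the request is worth doing rather than accepting a build's default.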