Commit 2cc7acd2 authored by Dr. Stephen Henson

Use better defaults for TSA.



Use SHA256 for TSA and set permitted digests to a sensible value.

Based on PR#4141

Reviewed-by: Matt Caswell <matt@openssl.org>
parent e20b4727
+1 −1
@@ -340,7 +340,7 @@ signer_digest = sha1 # Signing digest to use. (Optional)
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= md5, sha1		# Acceptable message digests (mandatory)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
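Review bot: The `signer_digest` setting in this file appears to stay at `sha1`: the hunk header context for this section shows `signer_digest = sha1`, and with a +1 −1 diffstat the only line the commit touches here is `digests`, whereas the file in the second section moves the same setting to `sha256`. The two sample TSA configurations would then disagree on the signing digest, which presumably is not intended given the commit title. Changing the line just above this hunk to `signer_digest = sha256 # Signing digest to use. (Optional)` would keep them consistent.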
+2 −2
@@ -335,11 +335,11 @@ signer_cert = $dir/tsacert.pem # The TSA signing certificate
certs		= $dir/cacert.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest  = sha1			# Signing digest to use. (Optional)
signer_digest  = sha256			# Signing digest to use. (Optional)
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= md5, sha1		# Acceptable message digests (mandatory)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
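Review bot: The rewritten `digests` line still lists `sha1` among the acceptable message digests, so a TSA running with these defaults will presumably continue to accept SHA-1 request hashes even though the signing digest moves to SHA-256. If keeping it is deliberate for interoperability with older clients, a short comment on the line would make that explicit, e.g. `digests = sha1, sha256, sha384, sha512 # sha1 retained for older clients; remove when no longer required`. The same applies to the `digests` lines in the first and fourth sections of this commit.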
+3 −4
@@ -28,7 +28,7 @@ B<-reply>
[B<-passin> password_src]
[B<-signer> tsa_cert.pem]
[B<-inkey> private.pem]
[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>]
[B<-sha1|-sha224|-sha256|-sha384|-sha512>]
[B<-chain> certs_file.pem]
[B<-policy> object_id]
[B<-in> response.tsr]
@@ -216,7 +216,7 @@ variable of the config file. (Optional)
The signer private key of the TSA in PEM format. Overrides the
B<signer_key> config file option. (Optional)

=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
=item B<-sha1|-sha224|-sha256|-sha384|-sha512>

Signing digest to use. Overrides the B<signer_digest> config file
option. (Optional)
@@ -405,8 +405,7 @@ command line option. (Optional)
=item B<signer_digest>

Signing digest to use. The same as the
B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
command line option. (Optional)
B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional)

=item B<default_policy>

+5 −5
@@ -35,7 +35,7 @@ private_key = $dir/private/cakey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file

default_days	= 365			# how long to certify for
default_md	= sha1			# which md to use.
default_md	= sha256			# which md to use.
preserve	= no			# keep passed DN ordering

policy		= policy_match
@@ -132,11 +132,11 @@ signer_cert = $dir/tsa_cert1.pem # The TSA signing certificate
certs		= $dir/tsaca.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/tsa_key1.pem	# The TSA private key (optional)
signer_digest  = sha1                  # Signing digest to use. (Optional)
signer_digest  = sha256             # Signing digest to use. (Optional)
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= md5, sha1		# Acceptable message digests (mandatory)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
@@ -156,8 +156,8 @@ signer_cert = $dir/tsa_cert2.pem # The TSA signing certificate
certs		= $dir/demoCA/cacert.pem# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/tsa_key2.pem	# The TSA private key (optional)
signer_digest  = sha1                  # Signing digest to use. (Optional)
signer_digest  = sha256             # Signing digest to use. (Optional)
default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= md5, sha1		# Acceptable message digests (mandatory)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)