TrustPort eSign PRO: Command Line - Operations over files
Operations with files is one of the features not available in the graphical version of eSign PRO. It lets user perform basic operations over chosen file using given certificate, certificate file or keypair. Among these operations belong signing the file, encrypting the file, signing and encrypting the file, decrypting and verifying the file, creating extra signature, adding a Time Stamp, signing and adding a Time Stamp, creating extra signature and Time Stamp, creating Time Stamp into a file, creating file's HASH.
Specifying the file
Is done through -f filename or --file=filename parameter. It's possible to use both absolute and relative file path.
Specifying the recipient
Is done through -r filename or --recipient=filename . Recipient could be one of those:
Recipient is considered only when encrypting files (mode enc or sge ).
Specifying the signer
Can be done with -s filename or --signer=filename parameter. Only a file containing complete keypair (i. e. .P12 or .PFX ) may be given as the signer.
The signer is used in arbitrary signing mode (i.e. sgn , sge , sgt , esg , est ) or when authenticating the signed data (mode dec ).
Specifying the mode
Is done using either -m mode_shortcut or --mode=mode_shortcut parameter. Mode shortcut may be one of:
Redirection the output
Using the -o output_file or --output=output_file parameter, redirection of the output is performed to output file. After the requested operation on the given file is done, appropriate file extension is automatically appended to the filename (unless already specified by user).
Working with passwords
When working with files .P12 , you can specify the password in two ways. When file has no password, --no-password should be used. Otherwise the password may be specified with --password=your_password option, where your_password is your password for given file. If none of these options is used, you are prompted to enter the password when the file is used.
Using the parameters - examples
Particular options are chosen in a way so it's possible to do the default action without necessity to specify it. Examples:
Working with the Time Stamp
It's possible to add a Time Stamp to any file that is encrypted ( sgn mode) or contains separate signature ( esg mode). As well so address of Time Stamp Authority must be given with parameter -I address:port or --timestampauthority=address:port . Parameter --TSAcertif=certificate to choose certificate of that authority must be given.
Example: esign -f file.sgn -m tsa -I "http://time.trustport.cz:8000/" --TSAcertif=TSAcertificate.cer .
However, these operations may be done together when choosing mode sgt or esg with appropriate parameters.
Example: esign -f file -m est -s "key pair.p12" -I "http://time.trustport.cz:8000/" --TSAcertif=TSAcertificate.cer .
There is now an option to create only Time Stamp with HASH for given file (mode -m tst ). It's again necessary to enter the parameters for Time Stamp Authority.
Example: esign -f file -m tst -I "http://time.trustport.cz:8000/" --TSAcertif=TSAcertificate.cer .
This file may eventually be authenticated with -m dec parameter.
Example of output of such file:
Details about created Time Stamp: C:\esign.txt.tst Signature verified Signature time: 13.9.2004 8:18:49 Hash algorithm: SHA-1 Hash: 475d6e86651a595cddb3a6c6b518c4f71bf0a9ec Policy (OIDS): 18.104.22.168.4.1.4022.1.2.2.1 Serial number: b688478e48e0196480
Creating file's HASH
Next new feature is creating only HASH of a file that is not required to be signed like when creating separate signature. Such HASH may be usable to verify that file contents haven't changed. This operation may be done through with --filehash parameter. Of course, a file to create the HASH from must be given. With -n you can specify algorithm used to create this HASH (no need to give the -m hash parameter).
Example: esign -f file -n MD-5 .
To verify such file, you have to use -m dec parameter. In case of different input file, --originalfile=filename parameter with correct filename must be given for the operation to succeed. If -n parameter was used, it has to be specified again with the same value.
Example esign -f data.doc.hash --originalfile data_backup.doc -m dec -n MD-5 .
Example of HASH:
Choosing algorithm type
When creating or verifying HASH, it's also possible to choose the algorithm type. This is done with -n type or --signalgorithm=type , where type can be one of the values SHA-1, SHA-256, SHA-512, SHA-256, RIPEMD-160 or MD-5.
Viewing file's contents
Parameter -d or --details is used for listing information about the file. It may be used on filetypes .CER , .BIN , .PEM , .P7C , .P7B , .P12 or .PFX . However, it's necessary to specify name of such file, otherwise program supposes you want to see details of some object in the storage.
Example of outputting file details: esign -d -f "my key pair.p12" .
Changing the password for a keypair file
With parameter -p or --changep12password you can change password of a .P12 file (the file is chosen using -f filename parameter). When changing the password, you might want to use parameters --password=password , --no-password for entering current password and --newpassword=password for entering the new one.
Example of changing the password in file: esign -p -file.p12 --password=p13^Jl[0 --newpassword=KuI_[98%^