TrustPort eSign PRO: Command Line - Operations over files

Operations with files are one of the features not available in the graphical version of eSign PRO. They let the user perform basic operations on a chosen file using a given certificate, certificate file or keypair. These operations are: signing the file, encrypting the file, signing and encrypting the file, decrypting and verifying the file, creating an extra signature, adding a Time Stamp, signing and adding a Time Stamp, creating an extra signature and a Time Stamp, creating a Time Stamp file, and creating the file's HASH.

Specifying the file

The file is specified with the -f filename or --file=filename parameter. Both absolute and relative file paths may be used.

Specifying the recipient

The recipient is specified with the -r filename or --recipient=filename parameter. The recipient file may be one of:

  • a .CER, .BIN or .PEM file containing the recipient's certificate,
  • a .P7C or .P7B file containing one or more recipient certificates. Attention: if it contains more than one certificate, the file will be encrypted for each of them,
  • a .P12 or .PFX file containing a complete keypair. Attention: the password must be entered to access the private key, and if there is more than one certificate, the file will be encrypted for each of them,
  • a text file listing, one per line, the filenames of the recipients' certificates.

The recipient is taken into account only when encrypting files (mode enc or sge).

Specifying the signer

The signer is specified with the -s filename or --signer=filename parameter. Only a file containing a complete keypair (i.e. .P12 or .PFX) may be given as the signer.

The signer is used in every signing mode (i.e. sgn, sge, sgt, esg, est) and when verifying signed data (mode dec).

Specifying the mode

The mode is chosen with either the -m mode_shortcut or --mode=mode_shortcut parameter. The mode shortcut may be one of:

  • sgn ... signs a file,
  • enc ... encrypts a file,
  • sge ... signs and encrypts a file,
  • dec ... decrypts and/or verifies a file,
  • esg ... creates extra signature,
  • tsa ... creates a time stamp,
  • sgt ... signs with a time stamp,
  • est ... creates extra signature with a time stamp,
  • tst ... creates a file with its time stamp,
  • hash ... creates file's HASH.

Redirecting the output

With the -o output_file or --output=output_file parameter the output is written to the given file. After the requested operation on the input file is done, the appropriate file extension is automatically appended to the output filename (unless the user has already specified it).

Working with passwords

When working with .P12 files, the password can be supplied in two ways. If the file has no password, use --no-password. Otherwise the password may be given with the --password=your_password option, where your_password is the password of the given file. If neither option is used, you are prompted for the password when the file is used.

Using the parameters - examples

The options are chosen so that the default action can be performed without having to specify it. Examples:

  • esign -f file -r certificate.cer
    encrypts the file automatically (no need to give the -m enc parameter),
  • esign -f file -s "key pair.p12" --password=P1x%_34r
    signs the file automatically (no need to give the -m sgn parameter) and uses the given password for the .P12 file,
  • esign -f file -r certificate.cer -s "key pair.p12" -o output
    encrypts and signs the given file automatically (no need to give the -m sge parameter) and stores the result in the file output,
  • esign -f file.enc -s "key pair.p12" -m dec
    decrypts the file; here the -m dec parameter is necessary, otherwise the program will sign the file automatically!
  • esign -f file -s "key pair.p12" -m esg
    creates a separate signature of the file; the -m esg parameter is necessary, otherwise the file will be signed by default!
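
The defaulting rules above, and the pitfall in the last two examples, can be enforced before esign is ever called. The following Python wrapper is an added example and is not part of eSign PRO: it resolves the mode the way this page describes, checks that the mode has the recipient, signer or Time Stamp Authority it needs, and builds the command line from the option names documented here. Refusing to process a file whose extension looks like esign's own output when no explicit mode is given, and always emitting -m, are this example's own choices.

```python
"""Added example (not TrustPort's code): resolve esign's default mode and
build its command line with the consistency checks a wrapper script should
make before calling the tool. Option names follow the documentation page;
the guard against re-signing esign's own output files is an addition."""
import shlex

# Extensions the page shows esign producing: file.enc, file.sgn, file.hash, file.tst.
PRODUCED_EXTENSIONS = (".enc", ".sgn", ".hash", ".tst")
SIGNING_MODES = {"sgn", "sge", "sgt", "esg", "est"}
ENCRYPTING_MODES = {"enc", "sge"}
TIMESTAMP_MODES = {"tsa", "sgt", "est", "tst"}
ALL_MODES = {"sgn", "enc", "sge", "dec", "esg", "tsa", "sgt", "est", "tst", "hash"}


def effective_mode(recipient=None, signer=None, mode=None):
    """Mode esign applies: an explicit -m wins; otherwise -r alone means enc,
    -s alone means sgn, and both together mean sge."""
    if mode is not None:
        if mode not in ALL_MODES:
            raise ValueError(f"unknown mode shortcut: {mode}")
        return mode
    if recipient and signer:
        return "sge"
    if recipient:
        return "enc"
    if signer:
        return "sgn"
    raise ValueError("no recipient, no signer and no explicit mode")


def build_command(file, recipient=None, signer=None, mode=None, output=None,
                  tsa=None, tsa_cert=None, algorithm=None, original_file=None,
                  no_password=False):
    """Return esign's argv as a list; raise ValueError on combinations the
    page says would silently do the wrong thing or would fail."""
    if mode is None and file.lower().endswith(PRODUCED_EXTENSIONS):
        # Without -m, esign signs or encrypts this already processed file
        # instead of decrypting or verifying it; insist on an explicit mode.
        raise ValueError(f"{file} looks like esign output; give mode='dec' explicitly")
    mode_used = effective_mode(recipient, signer, mode)
    if mode_used in ENCRYPTING_MODES and not recipient:
        raise ValueError(f"mode {mode_used} needs a recipient (-r)")
    if mode_used in SIGNING_MODES and not signer:
        raise ValueError(f"mode {mode_used} needs a signer keypair (-s)")
    if mode_used in TIMESTAMP_MODES and not (tsa and tsa_cert):
        raise ValueError(f"mode {mode_used} needs -I address:port and --TSAcertif")
    argv = ["esign", "-f", file, "-m", mode_used]
    if recipient:
        argv += ["-r", recipient]
    if signer:
        argv += ["-s", signer]
    if output:
        argv += ["-o", output]
    if tsa:
        argv += ["-I", tsa, f"--TSAcertif={tsa_cert}"]
    if algorithm:
        argv += ["-n", algorithm]
    if original_file:
        argv.append(f"--originalfile={original_file}")
    if no_password:
        argv.append("--no-password")
    # --password=... is never emitted: with it omitted esign prompts
    # interactively (see "Working with passwords"), so the keypair password
    # stays out of the shell history and of the process list other local
    # users can read.
    return argv


def render(argv):
    """Shell-quoted form of argv, e.g. for logging the exact command run."""
    return shlex.join(argv)


if __name__ == "__main__":
    print(render(build_command("file", recipient="certificate.cer",
                               signer="key pair.p12", output="output")))
```

Because the wrapper never passes --password, a batch job using it must run where an interactive prompt is possible, or use --no-password for keypair files that genuinely have none.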

Working with the Time Stamp

A Time Stamp can be added to any signed file (sgn mode) or to a separate signature (esg mode). The address of the Time Stamp Authority must be given with the -I address:port or --timestampauthority=address:port parameter, and the authority's certificate must be chosen with the --TSAcertif=certificate parameter.

Example: esign -f file.sgn -m tsa -I "http://time.trustport.cz:8000/" --TSAcertif=TSAcertificate.cer

These operations may also be done in one step by choosing mode sgt or est with the appropriate parameters.

Example: esign -f file -m est -s "key pair.p12" -I "http://time.trustport.cz:8000/" --TSAcertif=TSAcertificate.cer

It is also possible to create only a Time Stamp of the HASH of a given file (mode -m tst). Again, the Time Stamp Authority parameters must be given.

Example: esign -f file -m tst -I "http://time.trustport.cz:8000/" --TSAcertif=TSAcertificate.cer

Such a file can later be verified with the -m dec parameter.

Example of the output for such a file:

        Details about created Time Stamp: C:\esign.txt.tst
        Signature verified
        Signature time: 13.9.2004 8:18:49
        Hash algorithm: SHA-1
        Hash: 475d6e86651a595cddb3a6c6b518c4f71bf0a9ec
        Policy (OIDS): 1.3.6.1.4.1.4022.1.2.2.1
        Serial number: b688478e48e0196480

Creating file's HASH

Another new feature is creating only the HASH of a file, without the file having to be signed as when creating a separate signature. Such a HASH can be used to verify that the file's contents have not changed. This operation is done with the --filehash parameter; the file to compute the HASH from must be given. With -n you can choose the algorithm used to create the HASH (no need to give the -m hash parameter).

Example: esign -f file -n MD-5

To verify such a file, use the -m dec parameter. If the original file has a different name, the --originalfile=filename parameter with the correct filename must be given for the operation to succeed. If the -n parameter was used when creating the HASH, it must be given again with the same value.

Example: esign -f data.doc.hash --originalfile data_backup.doc -m dec -n MD-5

Example of a HASH:

        475d6e86651a595cddb3a6c6b518c4f71bf0a9ec

Choosing algorithm type

When creating or verifying a HASH, the algorithm type can also be chosen. This is done with -n type or --signalgorithm=type, where type is one of SHA-1, SHA-256, SHA-512, RIPEMD-160 or MD-5.
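
As an added example that is not part of eSign PRO, the following Python code models the HASH creation and verification described above, and the check of the Hash field in a Time Stamp details listing of the form shown in the Time Stamp section. It assumes the listing's "Key: value" layout, accepts the algorithm names the -n parameter takes, and runs over constructed sample data; the Time Stamp listing below is constructed, with its Hash field computed over that data and the policy OID and serial number copied from the page's sample.

```python
"""Added example (not TrustPort's code): the file-HASH and Time Stamp checks
from the documentation, done with hashlib. Algorithm names are those of the
-n option; the sample listing is constructed in the page's format."""
import hashlib
import hmac

# -n / --signalgorithm names on the page, mapped to hashlib names.
ALGORITHMS = {
    "SHA-1": "sha1",
    "SHA-256": "sha256",
    "SHA-512": "sha512",
    "RIPEMD-160": "ripemd160",  # present only if the OpenSSL behind hashlib offers it
    "MD-5": "md5",
}
# Collision attacks are practical for these, so a detached digest made with
# them only catches accidental corruption, not deliberate substitution.
WEAK_ALGORITHMS = {"MD-5", "SHA-1"}


def file_hash(data, algorithm="SHA-1"):
    """Lowercase hex digest of data, the form esign writes into a .hash file."""
    try:
        h = hashlib.new(ALGORITHMS[algorithm])
    except KeyError:
        raise ValueError(f"algorithm not offered by -n: {algorithm}") from None
    except ValueError:  # hashlib knows the name but this build lacks it
        raise RuntimeError(f"{algorithm} unavailable in this hashlib build") from None
    h.update(data)
    return h.hexdigest()


def verify_hash_file(hash_text, original_data, algorithm="SHA-1"):
    """Model of `esign -f x.hash --originalfile=... -m dec -n ALG`: the
    .hash file holds just the digest and -n must repeat the algorithm."""
    expected = hash_text.strip().lower()
    return hmac.compare_digest(expected, file_hash(original_data, algorithm))


def parse_timestamp_details(text):
    """Turn the 'Key: value' lines of a Time Stamp details listing into a dict;
    lines without a separator (e.g. 'Signature verified') go under 'messages'."""
    details = {"messages": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(": ")
        if sep:
            details[key] = value.strip()
        else:
            details["messages"].append(line)
    return details


def check_timestamp_hash(details, original_data):
    """Recompute the digest with the listing's algorithm and compare it with
    the Hash field, tying the token to this exact file content."""
    return verify_hash_file(details["Hash"], original_data, details["Hash algorithm"])


# Constructed sample data and a constructed listing in the page's format: the
# Hash field is the SHA-1 of SAMPLE_DATA; policy OID and serial are copied
# from the page's sample output.
SAMPLE_DATA = b"abc"
SAMPLE_DETAILS = """\
Details about created Time Stamp: C:\\esign.txt.tst
Signature verified
Signature time: 13.9.2004 8:18:49
Hash algorithm: SHA-1
Hash: a9993e364706816aba3e25717850c26c9cd0d89d
Policy (OIDS): 1.3.6.1.4.1.4022.1.2.2.1
Serial number: b688478e48e0196480
"""

if __name__ == "__main__":
    details = parse_timestamp_details(SAMPLE_DETAILS)
    print("hash matches file:", check_timestamp_hash(details, SAMPLE_DATA))
    print("weak algorithm:", details["Hash algorithm"] in WEAK_ALGORITHMS)
```

A detached digest proves the contents are unchanged only if the digest itself reached the verifier over a trusted path; with MD-5 or SHA-1 even that holds only against accidental corruption, since collisions for both are practical, so SHA-256 or SHA-512 is the better -n value when the choice is free.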

Viewing file's contents

The -d or --details parameter lists information about a file. It may be used on the file types .CER, .BIN, .PEM, .P7C, .P7B, .P12 and .PFX. The filename must be given, otherwise the program assumes you want to see the details of an object in the storage.

Example of listing file details: esign -d -f "my key pair.p12"

Changing the password for a keypair file

With the -p or --changep12password parameter you can change the password of a .P12 file (the file is chosen with the -f filename parameter). When changing the password, use --password=password or --no-password to give the current password and --newpassword=password to give the new one.

Example of changing the password of a file: esign -p -f file.p12 --password=p13^Jl[0 --newpassword=KuI_[98%^

Related references

Main Page
Command Line
Operations over storages
Managing tokens and chip-cards
Working with LDAP and hybrid storages


Copyright 2010, TrustPort, a.s., All rights reserved.