pipe2me-client 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,69 @@
1
+ require "shellwords"
2
+ require_relative "./file_ext"
3
+
4
+ module Pipe2me::ShellFormat
5
+ extend self
6
+
7
+ def write(path, data)
8
+ File.atomic_write path, dump(data)
9
+ end
10
+
11
+ def read(path)
12
+ parse File.read(path)
13
+ end
14
+
15
+ def dump(obj, prefix=nil)
16
+ format_entries([], obj, prefix).join
17
+ end
18
+
19
+ alias :shell :dump
20
+
21
+ PREFIX = "PIPE2ME"
22
+
23
+ def parse(data)
24
+ arrays = {}
25
+
26
+ prefix_re = Regexp.compile(/^#{PREFIX.downcase}_/)
27
+
28
+ data.lines.inject({}) do |hsh, line|
29
+ key, value = line.split(/\s*=\s*/, 2)
30
+ value.gsub!(/\s*$/, "")
31
+ value = Integer(value) rescue value
32
+
33
+ if key =~ /^(.*)_(\d+)$/
34
+ ary = arrays[$1] ||= []
35
+ ary[$2.to_i] = value
36
+ key, value = $1, ary
37
+ end
38
+
39
+ hsh.update key.downcase.gsub(prefix_re, "").to_sym => value
40
+ end
41
+ end
42
+
43
+ private
44
+
45
+ def format_entries(ary, obj, prefix)
46
+ case obj
47
+ when Array
48
+ prefix = "#{prefix}_" if prefix
49
+ obj.each_with_index do |entry, idx|
50
+ format_entries ary, entry, "#{prefix}#{idx}"
51
+ end
52
+ ary
53
+ when Hash
54
+ prefix = "#{prefix}_" if prefix
55
+ obj.each do |key, value|
56
+ format_entries ary, value, "#{prefix}#{key.upcase}"
57
+ end
58
+ ary
59
+ when defined?(ActiveRecord::Relation) ? ActiveRecord::Relation : nil
60
+ format_entries(ary, obj.to_a, prefix)
61
+ else
62
+ if obj.respond_to?(:attributes)
63
+ format_entries(ary, obj.attributes, prefix)
64
+ else
65
+ ary << "#{PREFIX}_#{prefix}=#{Shellwords.escape(obj)}\n"
66
+ end
67
+ end
68
+ end
69
+ end
@@ -0,0 +1,38 @@
1
+ require "shellwords"
2
+
3
+ module Pipe2me::Sys
4
+ extend self
5
+
6
+ class ExitError < RuntimeError; end
7
+
8
+ def sys(*args)
9
+ cmd, stdout = _sys(*args)
10
+ return stdout if $?.exitstatus == 0
11
+ end
12
+
13
+ def sys!(*args)
14
+ cmd, stdout = _sys(*args)
15
+ return stdout if $?.exitstatus == 0
16
+ raise ExitError, "#{cmd} failed with exit code #{$?.exitstatus}"
17
+ end
18
+
19
+ def sh(*args)
20
+ sys "sh", "-c", *args
21
+ end
22
+
23
+ def sh!(*args)
24
+ sys! "sh", "-c", *args
25
+ end
26
+
27
+ private
28
+
29
+ def _sys(*args)
30
+ cmd = args.
31
+ map { |arg| Shellwords.escape arg.to_s }.
32
+ join(" ")
33
+
34
+ UI.debug cmd
35
+ stdout = IO.popen(cmd, &:read)
36
+ [ cmd, stdout ]
37
+ end
38
+ end
@@ -0,0 +1,78 @@
1
+ require "pipe2me/ext/http"
2
+ require "pipe2me/ext/sys"
3
+ require "pipe2me/ext/shell_format"
4
+
5
+ module Pipe2me::Tunnel
6
+ # file names
7
+ SSL_KEY = "pipe2me.openssl.priv"
8
+ SSL_CERT = "pipe2me.openssl.cert"
9
+
10
+ SSH_PUBKEY = "pipe2me.id_rsa.pub"
11
+ SSH_PRIVKEY = "pipe2me.id_rsa"
12
+ end
13
+
14
+ require_relative "tunnel/openssl"
15
+ require_relative "tunnel/ssh"
16
+ require_relative "tunnel/commands"
17
+
18
+ module Pipe2me::Tunnel
19
+ ShellFormat = Pipe2me::ShellFormat
20
+ include Pipe2me::Sys
21
+
22
+ include OpenSSL
23
+ include SSH
24
+ include Commands
25
+
26
+ extend self
27
+
28
+ def setup(options)
29
+ if File.exists?("pipe2me.info.inc")
30
+ raise "Found existing pipe2me configuration in #{Dir.getwd}"
31
+ end
32
+
33
+ # [todo] escape auth option
34
+ response = HTTP.post! "#{Pipe2me::Config.server}/tunnels/#{options[:auth]}",
35
+ "protocols" => options[:protocols]
36
+
37
+ server_info = ShellFormat.parse(response)
38
+
39
+ raise(ArgumentError, "Missing :fqdn information") unless server_info[:fqdn]
40
+
41
+ ShellFormat.write "pipe2me.info.inc", server_info
42
+ ShellFormat.write "pipe2me.local.inc",
43
+ :server => Pipe2me::Config.server,
44
+ :ports => options[:ports]
45
+
46
+ server_info
47
+ end
48
+
49
+ private
50
+
51
+ # The base URL for this tunnels' configuration
52
+ def url
53
+ "#{config.server}/tunnels/#{config.token}"
54
+ end
55
+
56
+ def config
57
+ @config ||= begin
58
+ hsh = { :ports => [] }
59
+ hsh.update ShellFormat.read("pipe2me.info.inc")
60
+ hsh.update ShellFormat.read("pipe2me.local.inc")
61
+ OpenStruct.new hsh
62
+ end
63
+ end
64
+
65
+ public
66
+
67
+ def update
68
+ unless File.exists?(SSH_PRIVKEY)
69
+ ssh_keygen
70
+ end
71
+ unless File.exists?(SSL_KEY)
72
+ ssl_keygen
73
+ end
74
+ unless File.exists?(SSL_CERT)
75
+ ssl_certsign
76
+ end
77
+ end
78
+ end
@@ -0,0 +1,68 @@
1
+ module Pipe2me::Tunnel::Commands
2
+ extend self
3
+
4
+ T = Pipe2me::Tunnel
5
+
6
+ private
7
+
8
+ # returns an array of [ protocol, remote_port, local_port ] entries
9
+ def tunnels
10
+ @tunnels ||= begin
11
+ urls, ports = config.urls, config.ports
12
+
13
+ urls.zip(ports).map do |url, local_port|
14
+ uri = URI.parse(url)
15
+ [ uri.scheme, uri.port, local_port || uri.port ]
16
+ end
17
+ end
18
+ end
19
+
20
+ public
21
+
22
+ # return an arry [ [name, command ], [name, command ], .. ]
23
+ def tunnel_commands
24
+ tunnel_uri = URI.parse config.tunnel
25
+
26
+ tunnels.map do |protocol, remote_port, local_port|
27
+ next unless cmd = port_tunnel_command(tunnel_uri, protocol, remote_port, local_port)
28
+ [ "#{protocol}_#{remote_port}", cmd ]
29
+ end.compact
30
+ end
31
+
32
+ def echo_commands
33
+ tunnels.map do |protocol, remote_port, local_port|
34
+ next unless cmd = echo_server_command(protocol, local_port)
35
+ [ "echo_#{remote_port}", cmd ]
36
+ end.compact
37
+ end
38
+
39
+ private
40
+
41
+ def port_tunnel_command(tunnel_uri, protocol, remote_port, local_port)
42
+ autossh = `which autossh`.chomp
43
+
44
+ cmd = <<-SHELL
45
+ env AUTOSSH_GATETIME=0 # comments work here..
46
+ #{autossh}
47
+ -M 0
48
+ #{tunnel_uri.user}@#{tunnel_uri.host}
49
+ -p #{tunnel_uri.port}
50
+ -R 0.0.0.0:#{remote_port}:localhost:#{local_port}
51
+ -i #{T::SSH_PRIVKEY}
52
+ -o StrictHostKeyChecking=no
53
+ -o UserKnownHostsFile=pipe2me.known_hosts
54
+ -N
55
+ SHELL
56
+
57
+ # remove comments and newlines from commands
58
+ cmd.gsub(/( *#.*|\s+)/, " ").gsub(/(^ )|( $)/, "")
59
+ end
60
+
61
+ def echo_server_command(protocol, port)
62
+ binary = File.dirname(__FILE__) + "/echo/#{protocol}"
63
+ return unless File.executable?(binary)
64
+
65
+ UI.info "Starting #{protocol} echo server on port #{port}"
66
+ "env PORT=#{port} #{binary}"
67
+ end
68
+ end
@@ -0,0 +1,56 @@
1
+ #!/usr/bin/env ruby
2
+ #
3
+ # Derived from https://github.com/radiospiel/inspector
4
+
5
+ # -- A rack application -------------------------------------------------------
6
+
7
+ require "rack"
8
+
9
+ def format_hash(hash)
10
+ hash.to_a.
11
+ sort_by(&:first).map do |key, value|
12
+ "%25s: %s\n" % [ key.to_s.gsub(/^HTTP_/, ""), value.inspect ]
13
+ end.
14
+ join
15
+ end
16
+
17
+ def insp(env)
18
+ request = Rack::Request.new(env)
19
+ headers, process_env = env.partition do |k,v| k =~ /^HTTP_/ end
20
+ [
21
+ "# Request\n\n",
22
+ format_hash(request_method: request.request_method, fullpath: request.fullpath),
23
+ "\n# Headers\n\n",
24
+ format_hash(headers),
25
+ "\n# process environment\n\n",
26
+ format_hash(ENV)
27
+ ].join("\n")
28
+ end
29
+
30
+ Application = proc do |env|
31
+ req = Rack::Request.new(env)
32
+ body = req.path != "/" ? "#{req.request_method} #{req.fullpath}\n" : insp(env)
33
+
34
+ [
35
+ 200,
36
+ { 'Content-Type' => 'text/plain' },
37
+ [ body ]
38
+ ]
39
+ end
40
+
41
+ # -- configure rack server ----------------------------------------------------
42
+
43
+ require "webrick/https"
44
+
45
+ RACK_SERVER_OPTIONS = {
46
+ :app => Application,
47
+ :BindAddress => "localhost",
48
+ :Port => ENV["PORT"] || 8080,
49
+ :server => "webrick",
50
+ :Logger => WEBrick::BasicLog.new($stderr, WEBrick::BasicLog::WARN)
51
+ }
52
+
53
+ if $0 == __FILE__
54
+ puts "Starting http server at port #{RACK_SERVER_OPTIONS[:Port]}"
55
+ Rack::Server.start(RACK_SERVER_OPTIONS)
56
+ end
@@ -0,0 +1,18 @@
1
+ #!/usr/bin/env ruby
2
+ #
3
+
4
+ load "#{File.dirname(__FILE__)}/http"
5
+
6
+ cert = OpenSSL::X509::Certificate.new File.read("pipe2me.openssl.cert")
7
+ pkey = OpenSSL::PKey::RSA.new File.read("pipe2me.openssl.priv")
8
+
9
+ RACK_SERVER_OPTIONS.update SSLEnable: true,
10
+ SSLVerifyClient: OpenSSL::SSL::VERIFY_NONE,
11
+ SSLPrivateKey: pkey,
12
+ SSLCertificate: cert,
13
+ SSLCertName: [["CN", WEBrick::Utils::getservername]]
14
+
15
+ if $0 == __FILE__
16
+ puts "Starting https server at port #{RACK_SERVER_OPTIONS[:Port]}"
17
+ Rack::Server.start(RACK_SERVER_OPTIONS)
18
+ end
@@ -0,0 +1,351 @@
1
+ #
2
+ # OpenSSL example configuration file.
3
+ # This is mostly being used for generation of certificate requests.
4
+ #
5
+
6
+ # This definition stops the following lines choking if HOME isn't
7
+ # defined.
8
+ HOME = .
9
+ RANDFILE = pipe2me.openssl.rnd
10
+
11
+ # Extra OBJECT IDENTIFIER info:
12
+ oid_file = pipe2me.openssl.oid
13
+ oid_section = new_oids
14
+
15
+ # To use this configuration file with the "-extfile" option of the
16
+ # "openssl x509" utility, name here the section containing the
17
+ # X.509v3 extensions to use:
18
+ # extensions =
19
+ # (Alternatively, use a configuration file that has only
20
+ # X.509v3 extensions in its main [= default] section.)
21
+
22
+ [ new_oids ]
23
+
24
+ # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
25
+ # Add a simple OID like this:
26
+ # testoid1=1.2.3.4
27
+ # Or use config file substitution like this:
28
+ # testoid2=${testoid1}.5.6
29
+
30
+ # Policies used by the TSA examples.
31
+ tsa_policy1 = 1.2.3.4.1
32
+ tsa_policy2 = 1.2.3.4.5.6
33
+ tsa_policy3 = 1.2.3.4.5.7
34
+
35
+ ####################################################################
36
+ [ ca ]
37
+ default_ca = CA_default # The default ca section
38
+
39
+ ####################################################################
40
+ [ CA_default ]
41
+
42
+ dir = pipe2me.openssl.ca
43
+ certs = $dir/certs # Where the issued certs are kept
44
+ crl_dir = $dir/crl # Where the issued crl are kept
45
+ database = $dir/index.txt # database index file.
46
+ #unique_subject = no # Set to 'no' to allow creation of
47
+ # several ctificates with same subject.
48
+ unique_subject = no
49
+ new_certs_dir = $dir/newcerts # default place for new certs.
50
+
51
+ certificate = $dir/root/certificate.pem # The CA certificate
52
+ serial = $dir/serial # The current serial number
53
+ #crlnumber = $dir/crlnumber # the current crl number
54
+ # must be commented out to leave a V1 CRL
55
+ crl = $dir/crl.pem # The current CRL
56
+ private_key = $dir/root/private_key.pem # The private key
57
+ RANDFILE = $dir/private/.rand # private random number file
58
+
59
+ x509_extensions = usr_cert # The extentions to add to the cert
60
+
61
+ # Comment out the following two lines for the "traditional"
62
+ # (and highly broken) format.
63
+ name_opt = ca_default # Subject Name options
64
+ cert_opt = ca_default # Certificate field options
65
+
66
+ # Extension copying option: use with caution.
67
+ # copy_extensions = copy
68
+
69
+ # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
70
+ # so this is commented out by default to leave a V1 CRL.
71
+ # crlnumber must also be commented out to leave a V1 CRL.
72
+ # crl_extensions = crl_ext
73
+
74
+ default_days = 365 # how long to certify for
75
+ default_crl_days= 30 # how long before next CRL
76
+ default_md = sha1 # use public key default MD
77
+ preserve = no # keep passed DN ordering
78
+
79
+ # A few difference way of specifying how similar the request should look
80
+ # For type CA, the listed attributes must be the same, and the optional
81
+ # and supplied fields are just that :-)
82
+ policy = policy_match
83
+
84
+ # For the CA policy
85
+ [ policy_match ]
86
+ countryName = match
87
+ stateOrProvinceName = match
88
+ organizationName = match
89
+ organizationalUnitName = optional
90
+ commonName = supplied
91
+ emailAddress = optional
92
+
93
+ # For the 'anything' policy
94
+ # At this point in time, you must list all acceptable 'object'
95
+ # types.
96
+ [ policy_anything ]
97
+ countryName = optional
98
+ stateOrProvinceName = optional
99
+ localityName = optional
100
+ organizationName = optional
101
+ organizationalUnitName = optional
102
+ commonName = supplied
103
+ emailAddress = optional
104
+
105
+ ####################################################################
106
+ [ req ]
107
+ default_bits = 1024
108
+ default_keyfile = privkey.pem
109
+ distinguished_name = req_distinguished_name
110
+ attributes = req_attributes
111
+ x509_extensions = v3_ca # The extentions to add to the self signed cert
112
+
113
+ # Passwords for private keys if not present they will be prompted for
114
+ # input_password = secret
115
+ # output_password = secret
116
+
117
+ # This sets a mask for permitted string types. There are several options.
118
+ # default: PrintableString, T61String, BMPString.
119
+ # pkix : PrintableString, BMPString (PKIX recommendation before 2004)
120
+ # utf8only: only UTF8Strings (PKIX recommendation after 2004).
121
+ # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
122
+ # MASK:XXXX a literal mask value.
123
+ # WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
124
+ string_mask = utf8only
125
+
126
+ # req_extensions = v3_req # The extensions to add to a certificate request
127
+
128
+ [ req_distinguished_name ]
129
+ countryName = Country Name (2 letter code)
130
+ countryName_default = AU
131
+ countryName_min = 2
132
+ countryName_max = 2
133
+
134
+ stateOrProvinceName = State or Province Name (full name)
135
+ stateOrProvinceName_default = Some-State
136
+
137
+ localityName = Locality Name (eg, city)
138
+
139
+ 0.organizationName = Organization Name (eg, company)
140
+ 0.organizationName_default = Internet Widgits Pty Ltd
141
+
142
+ # we can do this but it is not needed normally :-)
143
+ #1.organizationName = Second Organization Name (eg, company)
144
+ #1.organizationName_default = World Wide Web Pty Ltd
145
+
146
+ organizationalUnitName = Organizational Unit Name (eg, section)
147
+ #organizationalUnitName_default =
148
+
149
+ commonName = Common Name (eg, YOUR name)
150
+ commonName_max = 64
151
+
152
+ emailAddress = Email Address
153
+ emailAddress_max = 64
154
+
155
+ # SET-ex3 = SET extension number 3
156
+
157
+ [ req_attributes ]
158
+ challengePassword = A challenge password
159
+ challengePassword_min = 4
160
+ challengePassword_max = 20
161
+
162
+ unstructuredName = An optional company name
163
+
164
+ [ usr_cert ]
165
+
166
+ # These extensions are added when 'ca' signs a request.
167
+
168
+ # This goes against PKIX guidelines but some CAs do it and some software
169
+ # requires this to avoid interpreting an end user certificate as a CA.
170
+
171
+ basicConstraints=CA:FALSE
172
+
173
+ # Here are some examples of the usage of nsCertType. If it is omitted
174
+ # the certificate can be used for anything *except* object signing.
175
+
176
+ # This is OK for an SSL server.
177
+ # nsCertType = server
178
+
179
+ # For an object signing certificate this would be used.
180
+ # nsCertType = objsign
181
+
182
+ # For normal client use this is typical
183
+ # nsCertType = client, email
184
+
185
+ # and for everything including object signing:
186
+ # nsCertType = client, email, objsign
187
+
188
+ # This is typical in keyUsage for a client certificate.
189
+ # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
190
+
191
+ # This will be displayed in Netscape's comment listbox.
192
+ nsComment = "OpenSSL Generated Certificate"
193
+
194
+ # PKIX recommendations harmless if included in all certificates.
195
+ subjectKeyIdentifier=hash
196
+ authorityKeyIdentifier=keyid,issuer
197
+
198
+ # This stuff is for subjectAltName and issuerAltname.
199
+ # Import the email address.
200
+ # subjectAltName=email:copy
201
+ # An alternative to produce certificates that aren't
202
+ # deprecated according to PKIX.
203
+ # subjectAltName=email:move
204
+
205
+ # Copy subject details
206
+ # issuerAltName=issuer:copy
207
+
208
+ #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
209
+ #nsBaseUrl
210
+ #nsRevocationUrl
211
+ #nsRenewalUrl
212
+ #nsCaPolicyUrl
213
+ #nsSslServerName
214
+
215
+ # This is required for TSA certificates.
216
+ # extendedKeyUsage = critical,timeStamping
217
+
218
+ [ v3_req ]
219
+
220
+ # Extensions to add to a certificate request
221
+
222
+ basicConstraints = CA:FALSE
223
+ keyUsage = nonRepudiation, digitalSignature, keyEncipherment
224
+
225
+ [ v3_ca ]
226
+
227
+
228
+ # Extensions for a typical CA
229
+
230
+
231
+ # PKIX recommendation.
232
+
233
+ subjectKeyIdentifier=hash
234
+
235
+ authorityKeyIdentifier=keyid:always,issuer
236
+
237
+ # This is what PKIX recommends but some broken software chokes on critical
238
+ # extensions.
239
+ #basicConstraints = critical,CA:true
240
+ # So we do this instead.
241
+ basicConstraints = CA:true
242
+
243
+ # Key usage: this is typical for a CA certificate. However since it will
244
+ # prevent it being used as an test self-signed certificate it is best
245
+ # left out by default.
246
+ # keyUsage = cRLSign, keyCertSign
247
+
248
+ # Some might want this also
249
+ # nsCertType = sslCA, emailCA
250
+
251
+ # Include email address in subject alt name: another PKIX recommendation
252
+ # subjectAltName=email:copy
253
+ # Copy issuer details
254
+ # issuerAltName=issuer:copy
255
+
256
+ # DER hex encoding of an extension: beware experts only!
257
+ # obj=DER:02:03
258
+ # Where 'obj' is a standard or added object
259
+ # You can even override a supported extension:
260
+ # basicConstraints= critical, DER:30:03:01:01:FF
261
+
262
+ [ crl_ext ]
263
+
264
+ # CRL extensions.
265
+ # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
266
+
267
+ # issuerAltName=issuer:copy
268
+ authorityKeyIdentifier=keyid:always
269
+
270
+ [ proxy_cert_ext ]
271
+ # These extensions should be added when creating a proxy certificate
272
+
273
+ # This goes against PKIX guidelines but some CAs do it and some software
274
+ # requires this to avoid interpreting an end user certificate as a CA.
275
+
276
+ basicConstraints=CA:FALSE
277
+
278
+ # Here are some examples of the usage of nsCertType. If it is omitted
279
+ # the certificate can be used for anything *except* object signing.
280
+
281
+ # This is OK for an SSL server.
282
+ # nsCertType = server
283
+
284
+ # For an object signing certificate this would be used.
285
+ # nsCertType = objsign
286
+
287
+ # For normal client use this is typical
288
+ # nsCertType = client, email
289
+
290
+ # and for everything including object signing:
291
+ # nsCertType = client, email, objsign
292
+
293
+ # This is typical in keyUsage for a client certificate.
294
+ # keyUsage = nonRepudiation, digitalSignature, keyEncipherment
295
+
296
+ # This will be displayed in Netscape's comment listbox.
297
+ nsComment = "OpenSSL Generated Certificate"
298
+
299
+ # PKIX recommendations harmless if included in all certificates.
300
+ subjectKeyIdentifier=hash
301
+ authorityKeyIdentifier=keyid,issuer
302
+
303
+ # This stuff is for subjectAltName and issuerAltname.
304
+ # Import the email address.
305
+ # subjectAltName=email:copy
306
+ # An alternative to produce certificates that aren't
307
+ # deprecated according to PKIX.
308
+ # subjectAltName=email:move
309
+
310
+ # Copy subject details
311
+ # issuerAltName=issuer:copy
312
+
313
+ #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
314
+ #nsBaseUrl
315
+ #nsRevocationUrl
316
+ #nsRenewalUrl
317
+ #nsCaPolicyUrl
318
+ #nsSslServerName
319
+
320
+ # This really needs to be in place for it to be a proxy certificate.
321
+ proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
322
+
323
+ ####################################################################
324
+ [ tsa ]
325
+
326
+ default_tsa = tsa_config1 # the default TSA section
327
+
328
+ [ tsa_config1 ]
329
+
330
+ # These are used by the TSA reply generation only.
331
+ dir = ./demoCA # TSA root directory
332
+ serial = $dir/tsaserial # The current serial number (mandatory)
333
+ crypto_device = builtin # OpenSSL engine to use for signing
334
+ signer_cert = $dir/tsacert.pem # The TSA signing certificate
335
+ # (optional)
336
+ certs = $dir/cacert.pem # Certificate chain to include in reply
337
+ # (optional)
338
+ signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
339
+
340
+ default_policy = tsa_policy1 # Policy if request did not specify it
341
+ # (optional)
342
+ other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
343
+ digests = md5, sha1 # Acceptable message digests (mandatory)
344
+ accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
345
+ clock_precision_digits = 0 # number of digits after dot. (optional)
346
+ ordering = yes # Is ordering defined for timestamps?
347
+ # (optional, default: no)
348
+ tsa_name = yes # Must the TSA name be included in the reply?
349
+ # (optional, default: no)
350
+ ess_cert_id_chain = no # Must the ESS cert id chain be included?
351
+ # (optional, default: no)