/*
 * AutoGen option definitions for p11tool, the GnuTLS PKCS #11 tool.
 * AutoGen generates the command-line parser, the --help output and the
 * manual page from the `flag` entries below: `descrip` is the one-line
 * help text, `doc` the longer manual text.  Entries that carry
 * `documentation;` are section headings in the help output and do not
 * define a real option.  Shared options come from args-std.def, which is
 * included further down (presumably including --outfile, which the
 * EXAMPLES section uses -- see OUTFILE_OPT).
 */
AutoGen Definitions options;
prog-name = p11tool;
prog-title = "GnuTLS PKCS #11 tool";
prog-desc = "Program to handle PKCS #11 smart cards and security modules.\n";
/*
 * Multi-line program description: documents the p11-kit module setup
 * (/etc/pkcs11/modules .module files or /etc/gnutls/pkcs11.conf) and the
 * GNUTLS_PIN / GNUTLS_SO_PIN environment variables that supply PINs
 * without putting them on the command line.
 */
detail = "Program that allows operations on PKCS #11 smart cards
and security modules.

To use PKCS #11 tokens with GnuTLS the p11-kit configuration files need to be setup.
That is create a .module file in /etc/pkcs11/modules with the contents 'module: /path/to/pkcs11.so'.
Alternatively the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number
of lines of the form 'load=/usr/lib/opensc-pkcs11.so'.

You can provide the PIN to be used for the PKCS #11 operations with the environment variables
GNUTLS_PIN and GNUTLS_SO_PIN.
";

short-usage = "p11tool [options] [url]\np11tool --help for usage instructions.\n";
explain = "";
/* reorder-args: presumably allows the [url] operand to be given before
 * options (AutoGen moves operands after the options) -- confirm against the
 * AutoGen option documentation. */
reorder-args;
argument = "[url]";

/* ---- Token related options (help-output section heading only) ---- */
flag = {
    name = token_related_options;
    documentation;
    descrip = "Tokens";
};

flag = {
    name = list-tokens;
    descrip = "List all available tokens";
    doc = "";
};

flag = {
    name = list-token-urls;
    descrip = "List the URLs available tokens";
    doc = "This is a more compact version of --list-tokens.";
};

flag = {
    name = list-mechanisms;
    descrip = "List all available mechanisms in a token";
    doc = "";
};

/* The three initialize* options are destructive token operations; the
 * security-officer variants are the ones needing --so-login / GNUTLS_SO_PIN. */
flag = {
    name = initialize;
    descrip = "Initializes a PKCS #11 token";
    doc = "";
};

flag = {
    name = initialize-pin;
    descrip = "Initializes/Resets a PKCS #11 token user PIN";
    doc = "";
};

flag = {
    name = initialize-so-pin;
    descrip = "Initializes/Resets a PKCS #11 token security officer PIN";
    doc = "";
};

/*
 * NOTE(review): --set-pin and --set-so-pin take the PIN as a command-line
 * argument, which is generally visible to other local users via process
 * listings and may end up in shell history.  The doc text already points at
 * the GNUTLS_PIN / GNUTLS_SO_PIN environment variables; the interactive
 * prompt (i.e. not using --batch) is the other alternative.
 */
flag = {
    name = set-pin;
    arg-type = string;
    descrip = "Specify the PIN to use on token operations";
    doc = "Alternatively the GNUTLS_PIN environment variable may be used.";
};

flag = {
    name = set-so-pin;
    arg-type = string;
    descrip = "Specify the Security Officer's PIN to use on token initialization";
    doc = "Alternatively the GNUTLS_SO_PIN environment variable may be used.";
};

/* ---- Object listing options (help-output section heading only) ---- */
flag = {
    name = object_list_related_options;
    documentation;
    descrip = "Object listing";
};

flag = {
    name = list-all;
    descrip = "List all available objects in a token";
    doc = "All objects available in the token will be listed. That includes
objects which are potentially unaccessible using this tool.";
};

flag = {
    name = list-all-certs;
    descrip = "List all available certificates in a token";
    doc = "That option will also provide more information on the
certificates, for example, expand the attached extensions in a trust
token (like p11-kit-trust).";
};

flag = {
    name = list-certs;
    descrip = "List all certificates that have an associated private key";
    doc = "That option will only display certificates which have a private
key associated with them (share the same ID).";
};

flag = {
    name = list-all-privkeys;
    descrip = "List all available private keys in a token";
    doc = "Lists all the private keys in a token that match the specified URL.";
};

/* --list-privkeys and --list-keys are aliases of --list-all-privkeys. */
flag = {
    name = list-privkeys;
    aliases = list-all-privkeys;
};

flag = {
    name = list-keys;
    aliases = list-all-privkeys;
};

flag = {
    name = list-all-trusted;
    descrip = "List all available certificates marked as trusted";
    doc = "";
};

/*
 * The four export variants are mutually exclusive: each one lists the other
 * three under `flags-cant`, so AutoGen rejects a command line combining them.
 */
flag = {
    name = export;
    descrip = "Export the object specified by the URL";
    doc = "";
    flags-cant = export-stapled;
    flags-cant = export-chain;
    flags-cant = export-pubkey;
};

flag = {
    name = export-stapled;
    descrip = "Export the certificate object specified by the URL";
    doc = "Exports the certificate specified by the URL while including any attached extensions to it.
Since attached extensions are a p11-kit extension, this option is only
available on p11-kit registered trust modules.";
    flags-cant = export;
    flags-cant = export-chain;
    flags-cant = export-pubkey;
};

flag = {
    name = export-chain;
    descrip = "Export the certificate specified by the URL and its chain of trust";
    doc = "Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module.";
    flags-cant = export-stapled;
    flags-cant = export;
    flags-cant = export-pubkey;
};

flag = {
    name = export-pubkey;
    descrip = "Export the public key for a private key";
    doc = "Exports the public key for the specified private key";
    flags-cant = export-stapled;
    flags-cant = export;
    flags-cant = export-chain;
};

flag = {
    name = info;
    descrip = "List information on an available object in a token";
    doc = "";
};

/* --trusted / --distrusted are aliases of --mark-trusted / --mark-distrusted,
 * which are defined in the "Writing objects" group below. */
flag = {
    name = trusted;
    aliases = mark-trusted;
};

flag = {
    name = distrusted;
    aliases = mark-distrusted;
};

/* ---- Key generation options (help-output section heading only) ---- */
flag = {
    name = keygen_related_options;
    documentation;
    descrip = "Key generation";
};

/* --generate-privkey takes the key type as its argument and supersedes the
 * per-algorithm --generate-rsa/--generate-dsa/--generate-ecc options, which
 * are marked `deprecated` below. */
flag = {
    name = generate-privkey;
    arg-type = string;
    descrip = "Generate private-public key pair of given type";
    doc = "Generates a private-public key pair in the specified token.
Acceptable types are RSA, ECDSA, and DSA. Should be combined with --sec-param or --bits.";
};

flag = {
    name = generate-rsa;
    descrip = "Generate an RSA private-public key pair";
    doc = "Generates an RSA private-public key pair on the specified token.
Should be combined with --sec-param or --bits.";
    deprecated;
};

flag = {
    name = generate-dsa;
    descrip = "Generate a DSA private-public key pair";
    doc = "Generates a DSA private-public key pair on the specified token.
Should be combined with --sec-param or --bits.";
    deprecated;
};

flag = {
    name = generate-ecc;
    descrip = "Generate an ECDSA private-public key pair";
    doc = "Generates an ECDSA private-public key pair on the specified token.
Should be combined with --curve, --sec-param or --bits.";
    deprecated;
};

/* Key size selection: --bits fixes an explicit size, --sec-param picks a
 * named level whose meaning follows the GnuTLS security-level table.  The
 * doc text itself recommends --sec-param where the token imposes no
 * key-size restriction. */
flag = {
    name = bits;
    arg-type = number;
    descrip = "Specify the number of bits for the key generate";
    doc = "For applications which have no key-size restrictions the
--sec-param option is recommended, as the sec-param levels will adapt
to the acceptable security levels with the new versions of gnutls.";
};

flag = {
    name = curve;
    arg-type = string;
    descrip = "Specify the curve used for EC key generation";
    doc = "Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.";
};

flag = {
    name = sec-param;
    arg-type = string;
    arg-name = "Security parameter";
    descrip = "Specify the security level";
    doc = "This is alternative to the bits option. Available options are [low, legacy, medium, high, ultra].";
};

/* ---- Writing objects options (help-output section heading only) ---- */
flag = {
    name = write_object_related_options;
    documentation;
    descrip = "Writing objects";
};

/*
 * NOTE(review): the options from here on spell the exclusion attribute
 * `flags_cant`, while the export options above use `flags-cant`.  AutoGen
 * normally treats `-` and `_` in definition names as equivalent, so both
 * spellings should resolve to the same attribute; kept as-is, but one
 * spelling throughout the file would be clearer.
 */
flag = {
    name = set-id;
    descrip = "Set the CKA_ID (in hex) for the specified by the URL object";
    doc = "Modifies or sets the CKA_ID in the specified by the URL object. The ID should be specified in hexadecimal format without a '0x' prefix.";
    arg-type = string;
    flags_cant = write;
};

flag = {
    name = set-label;
    descrip = "Set the CKA_LABEL for the specified by the URL object";
    doc = "Modifies or sets the CKA_LABEL in the specified by the URL object";
    arg-type = string;
    flags_cant = write;
    flags_cant = set-id;
};

flag = {
    name = write;
    descrip = "Writes the loaded objects to a PKCS #11 token";
    doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with
one of --load-privkey, --load-pubkey, --load-certificate option.";
};

flag = {
    name = delete;
    descrip = "Deletes the objects matching the given PKCS #11 URL";
    doc = "";
};

flag = {
    name = label;
    arg-type = string;
    descrip = "Sets a label for the write operation";
    doc = "";
};

flag = {
    name = id;
    arg-type = string;
    descrip = "Sets an ID for the write operation";
    doc = "Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a '0x' prefix.";
};

/*
 * The mark-* options set PKCS #11 attribute flags on the written/generated
 * object.  `disable = "no"` gives each one a negated --no-<name> form and
 * `disabled;` makes the option start out off; --mark-private below carries
 * only `disable = "no"` and no `disabled;`, so its default presumably
 * differs -- confirm against the p11tool source.
 */
flag = {
    name = mark-wrap;
    disable = "no";
    disabled;
    descrip = "Marks the generated key to be a wrapping key";
    doc = "Marks the generated key with the CKA_WRAP flag.";
};

/* --mark-trusted and --mark-distrusted exclude each other (flags_cant). */
flag = {
    name = mark-trusted;
    disable = "no";
    disabled;
    descrip = "Marks the object to be written as trusted";
    doc = "Marks the object to be generated/written with the CKA_TRUST flag.";
    flags_cant = mark-distrusted;
};

flag = {
    name = mark-distrusted;
    descrip = "When retrieving objects, it requires the objects to be distrusted (blacklisted)";
    doc = "Ensures that the objects retrieved have the CKA_X_TRUST flag.
This is p11-kit trust module extension, thus this flag is only valid with
p11-kit registered trust modules.";
    flags_cant = mark-trusted;
};

flag = {
    name = mark-decrypt;
    disable = "no";
    disabled;
    descrip = "Marks the object to be written for decryption";
    doc = "Marks the object to be generated/written with the CKA_DECRYPT flag set to true.";
};

flag = {
    name = mark-sign;
    disable = "no";
    disabled;
    descrip = "Marks the object to be written for signature generation";
    doc = "Marks the object to be generated/written with the CKA_SIGN flag set to true.";
};

flag = {
    name = mark-ca;
    disable = "no";
    disabled;
    descrip = "Marks the object to be written as a CA";
    doc = "Marks the object to be generated/written with the CKA_CERTIFICATE_CATEGORY as CA.";
};

/* CKA_PRIVATE objects require a PIN (login) to be used, per the doc text. */
flag = {
    name = mark-private;
    disable = "no";
    descrip = "Marks the object to be written as private";
    doc = "Marks the object to be generated/written with the CKA_PRIVATE flag. The written object will require a PIN to be used.";
};

/* --ca / --private are aliases of --mark-ca / --mark-private. */
flag = {
    name = ca;
    aliases = mark-ca;
};

flag = {
    name = private;
    aliases = mark-private;
};

/* NOTE(review): like --set-pin, --secret-key passes key material as a
 * command-line argument, with the same process-listing / shell-history
 * exposure; no alternative input path is defined in this file. */
flag = {
    name = secret-key;
    arg-type = string;
    descrip = "Provide a hex encoded secret key";
    doc = "This secret key will be written to the module if --write is specified.";
};

/* The three --load-* options take a file argument that AutoGen checks for
 * existence at option-parse time (`file-exists = yes`). */
flag = {
    name = load-privkey;
    arg-type = file;
    file-exists = yes;
    descrip = "Private key file to use";
    doc = "";
};

flag = {
    name = load-pubkey;
    arg-type = file;
    file-exists = yes;
    descrip = "Public key file to use";
    doc = "";
};

flag = {
    name = load-certificate;
    arg-type = file;
    file-exists = yes;
    descrip = "Certificate file to use";
    doc = "";
};

/* ---- Other options (help-output section heading only) ---- */
flag = {
    name = other_options;
    documentation;
    descrip = "Other options";
};

/* OUTFILE_OPT presumably enables the --outfile option in the shared
 * definitions pulled in by the #include (the EXAMPLES section uses
 * --outfile); the remaining shared options are not visible here. */
#define OUTFILE_OPT 1
#include args-std.def

/* --login / --so-login start out off (`disabled;`) and accept a --no-login /
 * --no-so-login form (`disable = "no"`).  --admin-login aliases --so-login. */
flag = {
    name = login;
    descrip = "Force (user) login to token";
    disabled;
    disable = "no";
    doc = "";
};

flag = {
    name = so-login;
    descrip = "Force security officer login to token";
    disabled;
    disable = "no";
    doc = "Forces login to the token as security officer (admin).";
};

flag = {
    name = admin-login;
    aliases = so-login;
};

flag = {
    name = test-sign;
    descrip = "Tests the signature operation of the provided object";
    doc = "It can be used to test the correct operation of the signature operation.
If both a private and a public key are available this operation will sign and verify
the signed data.";
};

flag = {
    name = sign-params;
    arg-type = string;
    descrip = "Sign with a specific signature algorithm";
    doc = "This option can be combined with --test-sign, to sign with
a specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be
specified in order to use RSA-PSS signature on RSA keys.";
};

/* NOTE(review): the accepted digest list includes the legacy SHA1 and
 * RMD160; per the doc text this option only selects the digest used by the
 * --test-sign check, not a digest for production signatures. */
flag = {
    name = hash;
    arg-type = string;
    descrip = "Hash algorithm to use for signing";
    doc = "This option can be combined with test-sign. Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.";
};

/* The argument is the number of random bytes requested from the token. */
flag = {
    name = generate-random;
    descrip = "Generate random data";
    arg-type = number;
    doc = "Asks the token to generate a number of bytes of random bytes.";
};

/* `value = 8` is the AutoGen short-option character, i.e. -8 for --pkcs8. */
flag = {
    name = pkcs8;
    value = 8;
    descrip = "Use PKCS #8 format for private keys";
    doc = "";
};

/* Input/output encoding switches; --inraw / --outraw are aliases. */
flag = {
    name = inder;
    descrip = "Use DER/RAW format for input";
    disabled;
    disable = "no";
    doc = "Use DER/RAW format for input certificates and private keys.";
};

flag = {
    name = inraw;
    aliases = inder;
};

flag = {
    name = outder;
    descrip = "Use DER format for output certificates, private keys, and DH parameters";
    disabled;
    disable = "no";
    doc = "The output will be in DER or RAW format.";
};

flag = {
    name = outraw;
    aliases = outder;
};

/*
 * --provider names the PKCS #11 module library, overriding the modules
 * configured in /etc/gnutls/pkcs11.conf (doc text).  That library is
 * presumably loaded into the p11tool process, so it should only ever point
 * at a module from a trusted location.  Unlike the --load-* options it has
 * no `file-exists = yes`, so a missing path is presumably reported later by
 * the module loader rather than at option parsing.
 */
flag = {
    name = provider;
    arg-type = file;
    descrip = "Specify the PKCS #11 provider library";
    doc = "This will override the default options in /etc/gnutls/pkcs11.conf";
};

flag = {
    name = provider-opts;
    arg-type = string;
    descrip = "Specify parameters for the PKCS #11 provider library";
    doc = "This is a PKCS#11 internal option used by few modules.
Mainly for testing PKCS#11 modules.";
    deprecated;
};

flag = {
    name = detailed-url;
    descrip = "Print detailed URLs";
    disabled;
    disable = "no";
    doc = "";
};

flag = {
    name = only-urls;
    descrip = "Print a compact listing using only the URLs";
    doc = "";
};

/* In --batch mode nothing is prompted for, so PINs must come from
 * --set-pin / --set-so-pin or the GNUTLS_PIN / GNUTLS_SO_PIN variables. */
flag = {
    name = batch;
    descrip = "Disable all interaction with the tool";
    doc = "In batch mode there will be no prompts, all parameters need to be specified on command line.";
};


/* Manual-page sections; the heredoc bodies are emitted verbatim as texinfo. */
doc-section = {
  ds-type = 'SEE ALSO';
  ds-format = 'texi';
  ds-text = <<-_EOT_
certtool (1)
_EOT_;
};

/*
 * NOTE(review): the RSA example below uses `--bits 1024`; the surrounding
 * text explains the explicit size is for tokens with restricted key sizes,
 * and the --bits doc above recommends --sec-param for keys that will be
 * relied on, since 1024-bit RSA is below current recommendations.  The
 * sentence "This key can be used to general a certificate request" looks
 * like a typo for "generate".
 */
doc-section = {
  ds-type = 'EXAMPLES';
  ds-format = 'texi';
  ds-text = <<-_EOT_
To view all tokens in your system use:
@example
$ p11tool --list-tokens
@end example

To view all objects in a token use:
@example
$ p11tool --login --list-all "pkcs11:TOKEN-URL"
@end example

To store a private key and a certificate in a token run:
@example
$ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
--label "Mykey"
$ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
--label "Mykey"
@end example
Note that some tokens require the same label to be used for the certificate
and its corresponding private key.

To generate an RSA private key inside the token use:
@example
$ p11tool --login --generate-privkey rsa --bits 1024 --label "MyNewKey" \
--outfile MyNewKey.pub "pkcs11:TOKEN-URL"
@end example
The bits parameter in the above example is explicitly set because some
tokens only support limited choices in the bit length. The output file is the
corresponding public key. This key can be used to general a certificate
request with certtool.
@example
certtool --generate-request --load-privkey "pkcs11:KEY-URL" \
--load-pubkey MyNewKey.pub --outfile request.pem
@end example

_EOT_;
};
