
[SCM] GNU gnutls branch, master, updated. gnutls-3_0_12-30-gcde338f


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls-3_0_12-30-gcde338f
Date: Sat, 21 Jan 2012 14:19:47 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=cde338f1a6a2a23fec1553031bf35659f7ccfe4d

The branch, master has been updated
       via  cde338f1a6a2a23fec1553031bf35659f7ccfe4d (commit)
       via  c8ba1373e5fc3bd2fcd654e7f9e7cf64fde4e649 (commit)
       via  3576fcddb9ee310aa21a1dacbd85b73c9e0ae45c (commit)
      from  217daa4c01f79fc11720414e7083c785e40fef3b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit cde338f1a6a2a23fec1553031bf35659f7ccfe4d
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jan 21 15:20:49 2012 +0100

    p11tool uses libopts

commit c8ba1373e5fc3bd2fcd654e7f9e7cf64fde4e649
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jan 21 13:30:04 2012 +0100

    keyfile and certfile types were changed to string, to allow for PKCS #11 
urls

commit 3576fcddb9ee310aa21a1dacbd85b73c9e0ae45c
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Sat Jan 21 13:20:32 2012 +0100

    replaced smallexample with example.

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                |    4 +
 configure.ac              |    1 +
 doc/cha-cert-auth2.texi   |   48 ++++----
 doc/fdl-1.3.texi          |    8 +-
 doc/manpages/Makefile.am  |    3 +
 doc/manpages/p11tool.1    |  100 ----------------
 src/Makefile.am           |   14 +-
 src/cli-args.def.in       |   11 +-
 src/cli-debug-args.def.in |    2 +-
 src/p11tool-args.def.in   |  290 +++++++++++++++++++++++++++++++++++++++++++++
 src/p11tool.c             |  179 +++++++++++++++++++++-------
 src/psk-args.def.in       |    4 +-
 src/serv-args.def.in      |   23 ++---
 src/srptool-args.def.in   |    6 +-
 14 files changed, 487 insertions(+), 206 deletions(-)
 delete mode 100644 doc/manpages/p11tool.1
 create mode 100644 src/p11tool-args.def.in

diff --git a/.gitignore b/.gitignore
index 2736b24..6a979a2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -575,3 +575,7 @@ src/serv-args.c
 src/serv-args.h
 src/srptool-args.c
 src/srptool-args.h
+doc/manpages/p11tool.1
+src/p11tool-args.h
+src/p11tool-args.c
+src/p11tool-args.def
diff --git a/configure.ac b/configure.ac
index 1917e12..65c3ee0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -491,6 +491,7 @@ AC_CONFIG_FILES([
   src/serv-args.def
   src/cli-debug-args.def
   src/srptool-args.def
+  src/p11tool-args.def
   src/psk-args.def
   src/cfg/Makefile
   src/cfg/platon/Makefile
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 27caf49..828fcce 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -734,25 +734,25 @@ The @code{-Q} parameter specify the name of the file 
containing the
 OCSP request, and it should contain the OCSP request in binary DER
 format.
 
address@hidden
address@hidden
 $ ocsptool -i -Q ocsp-request.der
address@hidden smallexample
address@hidden example
 
 The input file may also be sent to standard input like this:
 
address@hidden
address@hidden
 $ cat ocsp-request.der | ocsptool --request-info
address@hidden smallexample
address@hidden example
 
 @subheading Print information about an OCSP response
 
 Similar to parsing OCSP requests, OCSP responses can be parsed using
 the @code{-j} or @code{--response-info} as follows.
 
address@hidden
address@hidden
 $ ocsptool -j -Q ocsp-response.der
 $ cat ocsp-response.der | ocsptool --response-info
address@hidden smallexample
address@hidden example
 
 @subheading Generate an OCSP request
 
@@ -765,9 +765,9 @@ and the certificate to check with @code{--load-cert}.  By 
default PEM
 format is used for these files, although @code{--inder} can be used to
 specify that the input files are in DER format.
 
address@hidden
address@hidden
 $ ocsptool -q --load-issuer issuer.pem --load-cert client.pem --outfile 
ocsp-request.der
address@hidden smallexample
address@hidden example
 
 When generating OCSP requests, the tool will add an OCSP extension
 containing a nonce.  This behaviour can be disabled by specifying
@@ -786,9 +786,9 @@ be in the set of trust anchors, or the issuer of the signer
 certificate needs to be in the set of trust anchors and the OCSP
 Extended Key Usage bit has to be asserted in the signer certificate.
 
address@hidden
address@hidden
 $ ocsptool -e --load-trust issuer.pem --load-response ocsp-response.der
address@hidden smallexample
address@hidden example
 
 The tool will print status of verification.
 
@@ -801,9 +801,9 @@ you want to use it to check the signature.  This is 
achieved using
 one certificate and it will be used to verify the signature in the
 OCSP response.  It will not check the Extended Key Usage bit.
 
address@hidden
address@hidden
 $ ocsptool -e --load-signer ocsp-signer.pem --load-response ocsp-response.der
address@hidden smallexample
address@hidden example
 
 This approach is normally only relevant in two situations.  The first
 is when the OCSP response does not contain a copy of the signer
@@ -820,9 +820,9 @@ certificate from CACert.  First we'll use @code{gnutls-cli} 
to get a
 copy of the server certificate chain.  The server is not required to
 send this information, but this particular one is configured to do so.
 
address@hidden
address@hidden
 $ echo | gnutls-cli -p 443 blog.josefsson.org --print-cert > chain.pem
address@hidden smallexample
address@hidden example
 
 Use a text editor on @code{chain.pem} to create three files for each
 separate certificates, called @code{cert.pem} for the first
@@ -835,47 +835,47 @@ responder is located, in the Authority Information Access 
Information
 extension.  For example, from @code{certtool -i < cert.pem} there is
 this information:
 
address@hidden
address@hidden
                Authority Information Access Information (not critical):
                        Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
                        Access Location URI: http://ocsp.CAcert.org/
address@hidden smallexample
address@hidden example
 
 This means the CA support OCSP queries over HTTP.  We are now ready to
 create a OCSP request for the certificate.
 
address@hidden
address@hidden
 $ ocsptool --generate-request --load-issuer issuer.pem  --load-cert cert.pem 
--outfile ocsp-request.der
address@hidden smallexample
address@hidden example
 
 The request is sent base64 encoded via HTTP to the address indicated
 by the id-ad-ocsp extension, as follows.
 
address@hidden
address@hidden
 $ wget -O ocsp-response.der http://ocsp.CAcert.org/$(base64 -w0 
ocsp-request.der)
address@hidden smallexample
address@hidden example
 
 The OCSP response is now in the file @code{ocsp-response.der} and you
 can view it using @code{ocsptool -j < ocsp-response.der}.  To verify
 the signature you need to load the issuer as the trust anchor.
 
address@hidden
address@hidden
 $ ocsptool --verify-response --load-trust issuer.pem --load-response 
ocsp-response.der
 Verifying OCSP Response: Success.
 $
address@hidden smallexample
address@hidden example
 
 This particular OCSP responder includes its signer certificate in the
 OCSP respnose, so you may extract it and use it together with
 @code{--load-signer} for verifying the signature directly against the
 certificate.
 
address@hidden
address@hidden
 $ ocsptool -j < ocsp-response.der > signer.pem
 $ ocsptool --verify-response --load-signer signer.pem --load-response 
ocsp-response.der
 Verifying OCSP Response: Success.
 $
address@hidden smallexample
address@hidden example
 
 You may experiment passing different certificates to
 @code{--load-trust} and @code{--load-signer} to find common error
diff --git a/doc/fdl-1.3.texi b/doc/fdl-1.3.texi
index 3b83db4..3a74be0 100644
--- a/doc/fdl-1.3.texi
+++ b/doc/fdl-1.3.texi
@@ -468,7 +468,7 @@ To use this License in a document you have written, include 
a copy of
 the License in the document and put the following copyright and
 license notices just after the title page:
 
address@hidden
address@hidden
 @group
   Copyright (C)  @var{year}  @var{your name}.
   Permission is granted to copy, distribute and/or modify this document
@@ -478,18 +478,18 @@ license notices just after the title page:
   Texts.  A copy of the license is included in the section entitled ``GNU
   Free Documentation License''.
 @end group
address@hidden smallexample
address@hidden example
 
 If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts,
 replace the address@hidden''@: line with this:
 
address@hidden
address@hidden
 @group
     with the Invariant Sections being @var{list their titles}, with
     the Front-Cover Texts being @var{list}, and with the Back-Cover Texts
     being @var{list}.
 @end group
address@hidden smallexample
address@hidden example
 
 If you have Invariant Sections without Cover Texts, or some other
 combination of the three, merge those two alternatives to suit the
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 7ec7d0f..3c6ada6 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -38,6 +38,9 @@ gnutls-cli-debug.1: ../../src/cli-debug-args.def
 srptool.1: ../../src/srptool-args.def
        -autogen -DMAN_SECTION=1 -Tagman-cmd.tpl $<
 
+p11tool.1: ../../src/p11tool-args.def
+       -autogen -DMAN_SECTION=1 -Tagman-cmd.tpl $<
+
 psktool.1: ../../src/psk-args.def
        -autogen -DMAN_SECTION=1 -Tagman-cmd.tpl $<
 
diff --git a/doc/manpages/p11tool.1 b/doc/manpages/p11tool.1
deleted file mode 100644
index 798a47b..0000000
--- a/doc/manpages/p11tool.1
+++ /dev/null
@@ -1,100 +0,0 @@
-.TH p11tool 1 "November 11th 2010"
-.SH NAME
-p11tool \- Manipulate PKCS #11 tokens.
-.SH SYNOPSIS
-p11tool [\fIoptions\fR]
-.SH DESCRIPTION
-Export/import data from PKCS #11 tokens. To use PKCS #11 tokens with
-gnutls the configuration file /etc/gnutls/pkcs11.conf has to exist and
-contain a number of lines of the form "load=/usr/lib/opensc-pkcs11.so".
-.SH OPTIONS
-.SS Program control options
-.IP "\-d, \-\-debug LEVEL"
-Specify the debug level. Default is 1.
-.IP "\-h, \-\-help"
-Shows this help text
-
-.SS Generic options
-.IP "\-\-login"
-Force login to the token for the intended operation.
-.IP "\-\-provider MODULE"
-In addition to /etc/gnutls/pkcs11.conf, load the specified module.
-.IP "\-\-outfile FILE"
-Print output to FILE.
-.IP "\-\-inder, \-\-inraw"
-Input is DER formatted.
-
-.SS Getting information on available X.509 certificates
-.IP "\-\-list\-tokens"
-Prints all available tokens.
-.IP "\-\-initialize URL"
-Initializes (formats) the specified by the URL token. Note that
-several tokens do not support this fascility.
-
-.SS Getting information on available X.509 certificates
-.IP "\-\-list\-all\-certs"
-Prints all available certificates.
-.IP "\-\-list\-certs"
-Prints all certificates that have a corresponding private key stored in the 
token.
-.IP "\-\-list\-trusted"
-Prints all certificates that have been marked as trusted.
-
-.SS Getting information on private keys
-.IP "\-\-list\-privkeys"
-Prints all available private keys.
-
-.SS Handling generic objects
-.IP "\-\-export URL"
-Exports the object (e.g. certificate) specified by the URL.
-.IP "\-\-delete URL"
-Deletes the object specified by the URL. Note that several tokens do not
-support deletion.
-.IP "\-\-detailed\-url"
-When printing URLs print them in a detailed (to the PKCS #11 module used)
-form.
-.IP "\-\-no\-detailed\-url"
-When printing URLs, do not print details on the module used.
-
-.SS Storing objects
-.IP "\-\-write URL"
-Flag to set when writing an object. Requires one of \-\-load\-privkey, 
\-\-load\-pubkey,
-\-\-load\-certificate or \-\-secret\-key options.
-.IP "\-\-load\-privkey"
-Load a private key for the write operations.
-.IP "\-\-load\-pubkey"
-Load an X.509 subjectPublicKey for the write operation.
-.IP "\-\-load\-certificate"
-Load an X.509 certificate for the write operation.
-.IP "\-\-secret\-key"
-Specify a hex encoded secret key for the write operation.
-.IP "\-\-trusted"
-The object stored will be marked as trusted.
-.IP "\-\-label"
-The label of the object stored.
-
-.SS Controlling output
-.IP "\-8, \-\-pkcs8"
-Use PKCS #8 format for private keys.
-
-.SH EXAMPLES
-To store a private key and certificate, run:
-
-.RS
-.nf
-$ p11tool \-\-login \-\-write "pkcs11:XXX"  \-\-load\-privkey key.pem 
\-\-label "MyKey"
-$ p11tool \-\-login \-\-write "pkcs11:XXX"  \-\-load\-certificate cert.pem 
\-\-label "MyCert"
-.fi
-.RE
-
-To view all objects in a token, use:
-
-.RS
-.nf
-$ p11tool \-\-login \-\-list\-all 
-.fi
-.RE
-
-.SH AUTHOR
-.PP
-Nikos Mavrogiannopoulos <address@hidden> and others; see
-/usr/share/doc/gnutls\-bin/AUTHORS for a complete list.
diff --git a/src/Makefile.am b/src/Makefile.am
index 739869a..7586d11 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -61,7 +61,7 @@ gnutls_serv_SOURCES =                         \
   $(PKCS11_SRCS)
 gnutls_serv_LDADD = ../lib/libgnutls.la
 gnutls_serv_LDADD += libcmd-serv.la ../gl/libgnu.la $(LIBOPTS_LDADD)
-gnutls_serv_LDADD += $(LTLIBGCRYPT) $(LIBSOCKET) $(GETADDRINFO_LIB)
+gnutls_serv_LDADD += $(LIBSOCKET) $(GETADDRINFO_LIB)
 noinst_LTLIBRARIES += libcmd-serv.la
 libcmd_serv_la_CFLAGS =
 libcmd_serv_la_SOURCES = serv-args.def serv-args.c serv-args.h
@@ -93,7 +93,7 @@ BENCHMARK_SRCS = benchmark-cipher.c benchmark.c benchmark.h 
benchmark-tls.c
 gnutls_cli_SOURCES = cli.c common.h common.c $(PKCS11_SRCS) $(BENCHMARK_SRCS)
 gnutls_cli_LDADD = ../lib/libgnutls.la
 gnutls_cli_LDADD += libcmd-cli.la ../gl/libgnu.la $(LIBOPTS_LDADD)
-gnutls_cli_LDADD += $(LTLIBGCRYPT) $(LIBSOCKET) $(GETADDRINFO_LIB) 
$(LIB_CLOCK_GETTIME)
+gnutls_cli_LDADD += $(LIBSOCKET) $(GETADDRINFO_LIB) $(LIB_CLOCK_GETTIME)
 noinst_LTLIBRARIES += libcmd-cli.la
 libcmd_cli_la_CFLAGS = 
 libcmd_cli_la_SOURCES = cli-args.def cli-args.c cli-args.h
@@ -110,7 +110,6 @@ libcmd_cli_debug_la_SOURCES = cli-debug-args.def 
cli-debug-args.c cli-debug-args
 certtool_SOURCES = certtool.c dh.c certtool-common.c $(PKCS11_SRCS)
 certtool_LDADD = ../lib/libgnutls.la 
 certtool_LDADD += libcmd-certtool.la ../gl/libgnu.la
-certtool_LDADD += $(LTLIBGCRYPT)
 if HAVE_LIBCFG
 certtool_LDADD += -lcfg+
 else
@@ -134,10 +133,9 @@ libcmd_certtool_la_LIBADD += ../gl/libgnu.la 
$(INET_PTON_LIB)
 if ENABLE_PKCS11
 
 p11tool_gaa_CFLAGS =
-p11tool_SOURCES = p11tool.gaa p11tool.c pkcs11.c certtool-common.c p11tool.h 
$(PKCS11_SRCS)
-p11tool_LDADD = ../lib/libgnutls.la 
+p11tool_SOURCES = p11tool-args.def p11tool.c pkcs11.c certtool-common.c 
p11tool.h $(PKCS11_SRCS)
+p11tool_LDADD = ../lib/libgnutls.la $(LIBOPTS_LDADD)
 p11tool_LDADD += libcmd-p11tool.la ../gl/libgnu.la
-p11tool_LDADD += $(LTLIBGCRYPT)
 
 if HAVE_LIBCFG
 p11tool_LDADD += -lcfg+
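Review bot: `$(LIBOPTS_LDADD)` is appended to `p11tool_LDADD` before `libcmd-p11tool.la`, whereas `gnutls_serv_LDADD` and `gnutls_cli_LDADD` earlier in this file list it after their `libcmd-*.la` and `../gl/libgnu.la`; libcmd-p11tool.la is what now holds the generated p11tool-args.c that references the libopts symbols (see the next hunk), so with a static or convenience libopts this ordering can leave those references unresolved depending on the linker. Placing it last, `p11tool_LDADD += libcmd-p11tool.la ../gl/libgnu.la $(LIBOPTS_LDADD)`, matches the other tools. The unchanged `p11tool_gaa_CFLAGS =` line above is now a leftover of the removed GAA parser and can be dropped.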
@@ -147,7 +145,7 @@ endif
 
 noinst_LTLIBRARIES += libcmd-p11tool.la
 libcmd_p11tool_la_CFLAGS =
-libcmd_p11tool_la_SOURCES = p11tool-gaa.c p11tool.gaa p11tool-gaa.h    \
+libcmd_p11tool_la_SOURCES = p11tool-args.def p11tool-args.c p11tool-args.h \
        certtool-cfg.h certtool-cfg.c
 libcmd_p11tool_la_LIBADD = ../gl/libgnu.la $(LTLIBREADLINE)
 libcmd_p11tool_la_LIBADD += ../lib/libgnutls.la
@@ -175,3 +173,5 @@ serv-args.c: $(srcdir)/serv-args.def
        -autogen $<
 srptool-args.c: $(srcdir)/srptool-args.def
        -autogen $<
+p11tool-args.c: $(srcdir)/p11tool-args.def
+       -autogen $<
diff --git a/src/cli-args.def.in b/src/cli-args.def.in
index c5583b5..d8cd0ac 100644
--- a/src/cli-args.def.in
+++ b/src/cli-args.def.in
@@ -18,7 +18,7 @@ export = '#include <gettext.h>';
 copyright = {
     date  = "2000-2012";
     owner = "Free Software Foundation";
-    author = "Nikos Mavrogiannopoulos and Simon Josefsson";
+    author = "Nikos Mavrogiannopoulos, Simon Josefsson and others; see 
/usr/share/doc/gnutls-bin/AUTHORS for a complete list.";
     eaddr  = "address@hidden";
     type  = gpl;
 };
@@ -136,8 +136,7 @@ information on allowed keywords";
 
 flag = {
     name      = x509cafile;
-    arg-type  = file;
-    file-exists = yes;
+    arg-type  = string;
     descrip   = "Certificate file or PKCS #11 URL to use";
     doc      = "";
 };
@@ -176,16 +175,14 @@ flag = {
 
 flag = {
     name      = x509keyfile;
-    arg-type  = file;
-    file-exists = yes;
+    arg-type  = string;
     descrip   = "X.509 key file or PKCS #11 URL to use";
     doc      = "";
 };
 
 flag = {
     name      = x509certfile;
-    arg-type  = file;
-    file-exists = yes;
+    arg-type  = string;
     descrip   = "X.509 Certificate file or PKCS #11 URL to use";
     doc      = "";
 };
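Review bot: Switching `x509keyfile` and `x509certfile` from `arg-type = file; file-exists = yes;` to `arg-type = string` removes the only existence check libopts performed, so a mistyped path is now diagnosed by the loader rather than at option parsing. That is unavoidable for `pkcs11:` URLs, but the code consuming these options (not visible here) should distinguish a URL prefix from a filesystem path and report a missing file by name instead of a generic import error; please confirm it does. The same applies to `x509cafile` in the preceding hunk and to the mirrored changes in serv-args.def.in. The empty `doc = "";` entries could record the new behaviour for the generated man page, e.g. `doc = "A file name or a pkcs11: URL; file arguments are only checked when loaded.";`.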
diff --git a/src/cli-debug-args.def.in b/src/cli-debug-args.def.in
index 1cae337..745044f 100644
--- a/src/cli-debug-args.def.in
+++ b/src/cli-debug-args.def.in
@@ -19,7 +19,7 @@ export = '#include <gettext.h>';
 copyright = {
     date  = "2000-2012";
     owner = "Free Software Foundation";
-    author = "Nikos Mavrogiannopoulos and Simon Josefsson";
+    author = "Nikos Mavrogiannopoulos, Simon Josefsson and others; see 
/usr/share/doc/gnutls-bin/AUTHORS for a complete list.";
     eaddr  = "address@hidden";
     type  = gpl;
 };
diff --git a/src/p11tool-args.def.in b/src/p11tool-args.def.in
new file mode 100644
index 0000000..2bfda10
--- /dev/null
+++ b/src/p11tool-args.def.in
@@ -0,0 +1,290 @@
+AutoGen Definitions options;
+prog-name     = p11tool;
+prog-title    = "GnuTLS PKCS #11 tool";
+prog-desc     = "Program to handle PKCS #11 smart cards and security 
modules.\n";
+detail    = "Program that allows handling data from PKCS #11 smart cards
+and security modules. 
+
+To use PKCS #11 tokens with gnutls the configuration file 
+/etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form 
'load=/usr/lib/opensc-pkcs11.so'.
+";
+
+short-usage   = "p11tool [options]\np11tool --help for usage instructions.\n";
+prog-group    = "GnuTLS";
+gnu-usage;
+no-misuse-usage;
+disable-save;
+long-opts;
+config-header = 'config.h';
+export = '#include <gettext.h>';
+
+copyright = {
+    date  = "2000-2012";
+    owner = "Free Software Foundation";
+    author = "Nikos Mavrogiannopoulos, Simon Josefsson and others; see 
/usr/share/doc/gnutls-bin/AUTHORS for a complete list.";
+    eaddr  = "address@hidden";
+    type  = gpl;
+};
+version = "@VERSION@";
+
+flag = {
+    name      = debug;
+    value     = d;
+    arg-type  = number;
+    arg-range = "0 -> 9999";
+    descrip   = "Enable debugging.";
+    doc       = "Specifies the debug level.";
+};
+
+flag = {
+    name      = list-tokens;
+    descrip   = "List all available tokens";
+    doc = "";
+};
+
+flag = {
+    name      = export;
+    flags-must= url;
+    descrip   = "Export the object specified by the URL";
+    doc = "";
+};
+
+flag = {
+    name      = url;
+    arg-type  = string;
+    arg-name  = "PKCS #11 URL";
+    descrip   = "Specify the PKCS #11 URL for the operation";
+    doc = "";
+};
+
+flag = {
+    name      = list-mechanisms;
+    flags-must= url;
+    descrip   = "List all available mechanisms in a token";
+    doc = "";
+};
+
+flag = {
+    name      = list-all;
+    flags-must= url;
+    descrip   = "List all available objects in a token";
+    doc = "";
+};
+
+flag = {
+    name      = list-all-certs;
+    flags-must= url;
+    descrip   = "List all available certificates in a token";
+    doc = "";
+};
+
+flag = {
+    name      = list-certs;
+    flags-must= url;
+    descrip   = "List all certificates that are associated with a private key 
present in the token";
+    doc = "";
+};
+
+flag = {
+    name      = list-all-privkeys;
+    flags-must= url;
+    descrip   = "List all available private keys in a token";
+    doc = "";
+};
+
+flag = {
+    name      = list-all-trusted;
+    flags-must= url;
+    descrip   = "List all available certificates marked as trusted";
+    doc = "";
+};
+
+flag = {
+    name      = initialize;
+    flags-must= url;
+    descrip   = "Initializes a PKCS #11 token";
+    doc = "";
+};
+
+flag = {
+    name      = write;
+    flags-must= url;
+    descrip   = "Writes the loaded objects to a PKCS #11 token";
+    doc = "It can be used to write private keys, certificates or secret keys 
to a token.";
+};
+
+flag = {
+    name      = delete;
+    flags-must= url;
+    descrip   = "Deletes the objects matching the PKCS #11 URL";
+    doc = "";
+};
+
+flag = {
+    name      = generate-rsa;
+    flags-must= url;
+    descrip   = "Generates an RSA private-public key pair on the specified 
token";
+    doc = "";
+};
+
+flag = {
+    name      = generate-dsa;
+    flags-must= url;
+    descrip   = "Generates an RSA private-public key pair on the specified 
token";
+    doc = "";
+};
+flag = {
+    name      = generate-ecc;
+    flags-must= url;
+    descrip   = "Generates an RSA private-public key pair on the specified 
token";
+    doc = "";
+};
+
+flag = {
+    name      = label;
+    descrip   = "Sets a label for the write operation";
+    doc       = "";
+};
+
+flag = {
+    name      = trusted;
+    disable   = "no";
+    disabled;
+    descrip   = "Marks the object to be written as trusted";
+    doc = "";
+};
+
+flag = {
+    name      = private;
+    disable   = "no";
+    enabled;
+    descrip   = "Marks the object to be written as private";
+    doc = "The written object will require a PIN to be used.";
+};
+
+flag = {
+    name      = login;
+    descrip   = "Force login to token";
+    doc       = "";
+};
+
+flag = {
+    name      = detailed-url;
+    descrip   = "Print detailed URLs";
+    disabled;
+    enable    = "no";
+    doc   = "";
+};
+
+flag = {
+    name      = secret-key;
+    arg-type  = string;
+    descrip   = "Provide a hex encoded secret key";
+    doc   = "";
+};
+
+flag = {
+    name      = load-privkey;
+    arg-type  = file;
+    file-exists = yes;
+    descrip   = "Private key file to use";
+    doc      = "";
+};
+
+flag = {
+    name      = load-pubkey;
+    arg-type  = file;
+    file-exists = yes;
+    descrip   = "Public key file to use";
+    doc      = "";
+};
+
+flag = {
+    name      = load-certificate;
+    arg-type  = file;
+    file-exists = yes;
+    descrip   = "Certificate file to use";
+    doc      = "";
+};
+
+flag = {
+    name      = pkcs8;
+    value     = 8;
+    descrip   = "Use PKCS #8 format for private keys";
+    doc      = "";
+};
+
+flag = {
+    name      = bits;
+    arg-type  = number;
+    descrip   = "Specify the number of bits for key generate";
+    doc      = "";
+};
+
+flag = {
+    name      = sec-param;
+    arg-type  = string;
+    arg-name  = "Security parameter";
+    descrip   = "Specify the security level [low|legacy|normal|high|ultra].";
+    doc      = "This is alternative to the bits option.";
+};
+
+
+flag = {
+    name      = inder;
+    descrip   = "Use DER format for input certificates and private keys";
+    doc      = "";
+};
+
+flag = {
+    name      = inraw;
+    descrip   = "Use RAW/DER format for input certificates and private keys";
+    doc      = "";
+};
+
+flag = {
+    name      = provider;
+    arg-type  = file;
+    file-exists = yes;
+    descrip   = "Specify the PKCS #11 provider library";
+    doc      = "This will override the default options in 
/etc/gnutls/pkcs11.conf";
+};
+
+flag = {
+    name      = outfile;
+    arg-type  = string;
+    descrip   = "Output file";
+    doc      = "";
+};
+
+
+doc-section = {
+  ds-type = 'SEE ALSO';
+  ds-format = 'man';
+  ds-text   = <<-_EOT_
+    certtool (1)
+_EOT_;
+};
+
+doc-section = {
+  ds-type = 'EXAMPLES';
+  ds-format = 'texi';
+  ds-text   = <<-_EOT_
+To view all tokens in your system use:
address@hidden
+$ p11tool --list-tokens
address@hidden example
+
+To store a private key and a certificate in a token run:
address@hidden
+$ p11tool --login --write --url "pkcs11:URL" --load-privkey key.pem --label 
"Mykey"
+$ p11tool --login --write --url "pkcs11:URL" --load-certificate cert.pem 
--label "MyCert"
address@hidden example
+
+To view all objects in a token use:
address@hidden
+$ p11tool --login --list-all --url "pkcs11:TOKEN-URL"
address@hidden example
+_EOT_;
+};
+
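Review bot: The `descrip` strings for `generate-dsa` and `generate-ecc` both say "Generates an RSA private-public key pair", a copy-paste from `generate-rsa` that ends up in `--help` and the generated man page; they should read `descrip = "Generates a DSA private-public key pair on the specified token";` and `descrip = "Generates an ECC private-public key pair on the specified token";`. The `detailed-url` flag uses `enable = "no"` where `trusted` and `private` use `disable = "no"`; if the intent is a `--no-detailed-url` form, as the deleted man page documented, it should be `disable = "no"` as well, so the generated help output is worth checking. `secret-key` takes the key material as a command-line argument, which is visible to other users through the process list and may be recorded in shell history; the empty `doc` entry could say so. Note also that `--list-privkeys` and `--list-trusted` from the old man page become `--list-all-privkeys` and `--list-all-trusted`, and `--export`, `--write` and `--delete` no longer take the URL directly but require `--url`; this breaks existing invocations and deserves a NEWS entry.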
diff --git a/src/p11tool.c b/src/p11tool.c
index a478bf3..265b292 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -46,13 +46,12 @@
 #include <progname.h>
 #include <version-etc.h>
 
-#include "p11tool-gaa.h"
+#include "p11tool-args.h"
 #include "p11tool.h"
 #include "certtool-common.h"
 
-static void gaa_parser (int argc, char **argv);
+static void cmd_parser (int argc, char **argv);
 
-static gaainfo info;
 static FILE *outfile;
 int batch = 0;
 
@@ -67,40 +66,43 @@ int
 main (int argc, char **argv)
 {
   set_program_name (argv[0]);
-  gaa_parser (argc, argv);
+  cmd_parser (argc, argv);
 
   return 0;
 }
 
 static void
-gaa_parser (int argc, char **argv)
+cmd_parser (int argc, char **argv)
 {
-  int ret;
+  int ret, debug = 0;
   common_info_st cinfo;
-
-  if (gaa (argc, argv, &info) != -1)
-    {
-      fprintf (stderr, "Try `%s --help' for more information.\n",
-               program_name);
-      exit (1);
-    }
+  unsigned int action = 1, pkcs11_type = -1, key_type = GNUTLS_PK_UNKNOWN;
+  const char* url = NULL;
+  unsigned int detailed_url = 0;
+  unsigned int login = 0, bits = 0;
+  const char* label = NULL, *sec_param = NULL;
+  
+  optionProcess( &p11toolOptions, argc, argv);
+  
+  if (ENABLED_OPT(DEBUG))
+    debug = OPT_VALUE_DEBUG;
 
   gnutls_global_set_log_function (tls_log_func);
-  gnutls_global_set_log_level (info.debug);
-  if (info.debug > 1)
-    printf ("Setting log level to %d\n", info.debug);
+  gnutls_global_set_log_level (debug);
+  if (debug > 1)
+    printf ("Setting log level to %d\n", debug);
 
   if ((ret = gnutls_global_init ()) < 0)
     error (EXIT_FAILURE, 0, "global_init: %s", gnutls_strerror (ret));
 
-  if (info.pkcs11_provider != NULL)
+  if (ENABLED_OPT(PROVIDER))
     {
       ret = gnutls_pkcs11_init (GNUTLS_PKCS11_FLAG_MANUAL, NULL);
       if (ret < 0)
         fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret));
       else
         {
-          ret = gnutls_pkcs11_add_provider (info.pkcs11_provider, NULL);
+          ret = gnutls_pkcs11_add_provider (OPT_ARG(PROVIDER), NULL);
           if (ret < 0)
             error (EXIT_FAILURE, 0, "pkcs11_add_provider: %s",
                    gnutls_strerror (ret));
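Review bot: `unsigned int action = 1, pkcs11_type = -1` stores -1 in an unsigned variable; the sentinel is never observed because every branch that selects `ACTION_PKCS11_LIST` later in the function assigns `pkcs11_type` first and the fallback calls `USAGE(1)`, but the declaration should match the parameter type `pkcs11_list` expects (declared in p11tool.h, not visible here), e.g. `int pkcs11_type = -1;` or the enumeration if one exists. `debug` is only read when `ENABLED_OPT(DEBUG)` holds, so the `arg-range = "0 -> 9999"` in the option definition is what bounds the value handed to `gnutls_global_set_log_level`; a short comment saying so would help the next reader. The `fprintf (stderr, "pkcs11_init: %s", ...)` paths are pre-existing context but still lack a trailing newline and fall through, so `--provider` is silently ignored when manual initialisation fails; `error (EXIT_FAILURE, 0, "pkcs11_init: %s", gnutls_strerror (ret));` would match the `pkcs11_add_provider` failure path. cmd_parser continues past the end of this hunk.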
@@ -113,56 +115,151 @@ gaa_parser (int argc, char **argv)
         fprintf (stderr, "pkcs11_init: %s", gnutls_strerror (ret));
     }
 
-  if (info.outfile)
+  if (ENABLED_OPT(OUTFILE))
     {
-      outfile = safe_open_rw (info.outfile, 0);
+      outfile = safe_open_rw (OPT_ARG(OUTFILE), 0);
       if (outfile == NULL)
-        error (EXIT_FAILURE, errno, "%s", info.outfile);
+        error (EXIT_FAILURE, errno, "%s", OPT_ARG(OUTFILE));
     }
   else
     outfile = stdout;
 
   memset (&cinfo, 0, sizeof (cinfo));
-  cinfo.secret_key = info.secret_key;
-  cinfo.privkey = info.privkey;
-  cinfo.pkcs8 = info.pkcs8;
-  cinfo.incert_format = info.incert_format;
-  cinfo.cert = info.cert;
+  
+  if (ENABLED_OPT(SECRET_KEY))
+    cinfo.secret_key = OPT_ARG(SECRET_KEY);
+
+  if (ENABLED_OPT(LOAD_PRIVKEY))
+    cinfo.privkey = OPT_ARG(LOAD_PRIVKEY);
+
+  if (ENABLED_OPT(PKCS8))
+    cinfo.pkcs8 = 1;
+
+  if (ENABLED_OPT(INDER) || ENABLED_OPT(INRAW))
+    cinfo.incert_format = GNUTLS_X509_FMT_DER;
+
+  if (ENABLED_OPT(LOAD_CERTIFICATE))
+    cinfo.cert = OPT_ARG(LOAD_CERTIFICATE);
+
+  if (ENABLED_OPT(LOAD_PUBKEY))
+    cinfo.pubkey = OPT_ARG(LOAD_PUBKEY);
+    
+  if (ENABLED_OPT(LIST_TOKENS))
+    action = ACTION_PKCS11_TOKENS;
+  else if (ENABLED_OPT(LIST_MECHANISMS))
+    action = ACTION_PKCS11_MECHANISMS;
+  else if (ENABLED_OPT(LIST_ALL))
+    {
+      pkcs11_type = PKCS11_TYPE_ALL;
+      action = ACTION_PKCS11_LIST;
+    }
+  else if (ENABLED_OPT(LIST_ALL_CERTS))
+    {
+      pkcs11_type = PKCS11_TYPE_CRT_ALL;
+      action = ACTION_PKCS11_LIST;
+    }
+  else if (ENABLED_OPT(LIST_CERTS))
+    {
+      pkcs11_type = PKCS11_TYPE_PK;
+      action = ACTION_PKCS11_LIST;
+    }
+  else if (ENABLED_OPT(LIST_ALL_PRIVKEYS))
+    {
+      pkcs11_type = PKCS11_TYPE_PRIVKEY;
+      action = ACTION_PKCS11_LIST;
+    }
+  else if (ENABLED_OPT(LIST_ALL_TRUSTED))
+    {
+      pkcs11_type = PKCS11_TYPE_TRUSTED;
+      action = ACTION_PKCS11_LIST;
+    }
+  else if (ENABLED_OPT(EXPORT))
+    {
+      action = ACTION_PKCS11_EXPORT_URL;
+    }
+  else if (ENABLED_OPT(WRITE))
+    action = ACTION_PKCS11_WRITE_URL;
+  else if (ENABLED_OPT(INITIALIZE))
+    action = ACTION_PKCS11_TOKEN_INIT;
+  else if (ENABLED_OPT(DELETE))
+    action = ACTION_PKCS11_DELETE_URL;
+  else if (ENABLED_OPT(GENERATE_ECC))
+    {
+      key_type = GNUTLS_PK_EC;
+      action = ACTION_PKCS11_GENERATE;
+    }
+  else if (ENABLED_OPT(GENERATE_RSA))
+    {
+      key_type = GNUTLS_PK_RSA;
+      action = ACTION_PKCS11_GENERATE;
+    }
+  else if (ENABLED_OPT(GENERATE_DSA))
+    {
+      key_type = GNUTLS_PK_DSA;
+      action = ACTION_PKCS11_GENERATE;
+    }
+  else 
+    {
+      USAGE(1);
+    }
+    
+  if (ENABLED_OPT(DETAILED_URL))
+    detailed_url = 1;
+
+  if (ENABLED_OPT(LOGIN))
+    login = 1;
+
+  if (ENABLED_OPT(URL))
+    {
+      url = OPT_ARG(URL);
+    }
+
+  if (ENABLED_OPT(LABEL))
+    {
+      label = OPT_ARG(LABEL);
+    }
+
+  if (ENABLED_OPT(BITS))
+    {
+      bits = OPT_VALUE_BITS;
+    }
+
+  if (ENABLED_OPT(SEC_PARAM))
+    {
+      sec_param = OPT_ARG(SEC_PARAM);
+    }
 
-  switch (info.action)
+  switch (action)
     {
     case ACTION_PKCS11_LIST:
-      pkcs11_list (outfile, info.pkcs11_url, info.pkcs11_type,
-                   info.pkcs11_login, info.pkcs11_detailed_url, &cinfo);
+      pkcs11_list (outfile, url, pkcs11_type,
+                   login, detailed_url, &cinfo);
       break;
     case ACTION_PKCS11_TOKENS:
-      pkcs11_token_list (outfile, info.pkcs11_detailed_url, &cinfo);
+      pkcs11_token_list (outfile, detailed_url, &cinfo);
       break;
     case ACTION_PKCS11_MECHANISMS:
-      pkcs11_mechanism_list (outfile, info.pkcs11_url, info.pkcs11_login,
+      pkcs11_mechanism_list (outfile, url, login,
                              &cinfo);
       break;
     case ACTION_PKCS11_EXPORT_URL:
-      pkcs11_export (outfile, info.pkcs11_url, info.pkcs11_login, &cinfo);
+      pkcs11_export (outfile, url, login, &cinfo);
       break;
     case ACTION_PKCS11_WRITE_URL:
-      pkcs11_write (outfile, info.pkcs11_url, info.pkcs11_label,
-                    info.pkcs11_trusted, info.pkcs11_private, 
info.pkcs11_login, &cinfo);
+      pkcs11_write (outfile, url, label,
+                    ENABLED_OPT(TRUSTED), ENABLED_OPT(PRIVATE), login, &cinfo);
       break;
     case ACTION_PKCS11_TOKEN_INIT:
-      pkcs11_init (outfile, info.pkcs11_url, info.pkcs11_label, &cinfo);
+      pkcs11_init (outfile, url, label, &cinfo);
       break;
     case ACTION_PKCS11_DELETE_URL:
-      pkcs11_delete (outfile, info.pkcs11_url, 0, info.pkcs11_login, &cinfo);
+      pkcs11_delete (outfile, url, 0, login, &cinfo);
       break;
     case ACTION_PKCS11_GENERATE:
-      pkcs11_generate (outfile, info.pkcs11_url, info.key_type, 
get_bits(info.key_type, info.bits, info.sec_param), 
-                       info.pkcs11_label, info.pkcs11_private, 
info.pkcs11_detailed_url, info.pkcs11_login, 
+      pkcs11_generate (outfile, url, key_type, get_bits(key_type, bits, 
sec_param), 
+                       label, ENABLED_OPT(PRIVATE), detailed_url, login, 
                        &cinfo);
       break;
-    default:
-      gaa_help ();
-      exit (0);
     }
   fclose (outfile);
 
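Review bot: The input-format handling at `if (ENABLED_OPT(INDER) || ENABLED_OPT(INRAW)) cinfo.incert_format = GNUTLS_X509_FMT_DER;` has no `else`, and `cinfo` was just zeroed with `memset`; if, as in the public gnutls header (not shown here), `GNUTLS_X509_FMT_DER` is the zero enumerator of `gnutls_x509_crt_fmt_t`, PEM input is now never selected and `--load-privkey key.pem` from the EXAMPLES section would be parsed as DER. The removed `cinfo.incert_format = info.incert_format;` took the value from the old parser, which presumably defaulted to PEM; add `else cinfo.incert_format = GNUTLS_X509_FMT_PEM;`. The `else if` chain selecting `action` silently takes the first matching option when several are given, so `--write --delete --url ...` writes without a word about the ignored `--delete`; declaring the actions mutually exclusive with `flags-cant` in p11tool-args.def.in, or counting them here and calling `USAGE(1)` when more than one is set, would be safer for a tool that can delete and overwrite token objects. `fclose (outfile)` is also reached when `outfile` is `stdout`, which is pre-existing.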
diff --git a/src/psk-args.def.in b/src/psk-args.def.in
index 01130e8..a3921d2 100644
--- a/src/psk-args.def.in
+++ b/src/psk-args.def.in
@@ -8,9 +8,7 @@ short-usage   = "psktool [options]\npsktool --help for usage 
instructions.\n";
 prog-group    = "GnuTLS";
 gnu-usage;
 no-misuse-usage;
-reorder-args;
 disable-save;
-argument;
 long-opts;
 config-header = 'config.h';
 export = '#include <gettext.h>';
@@ -18,7 +16,7 @@ export = '#include <gettext.h>';
 copyright = {
     date  = "2000-2012";
     owner = "Free Software Foundation";
-    author = "Nikos Mavrogiannopoulos and Simon Josefsson";
+    author = "Nikos Mavrogiannopoulos, Simon Josefsson and others; see 
/usr/share/doc/gnutls-bin/AUTHORS for a complete list.";
     eaddr  = "address@hidden";
     type  = gpl;
 };
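Review bot: The new `author` string hard-codes `/usr/share/doc/gnutls-bin/AUTHORS`, a path from one distribution's binary package that does not exist on a source build or on other systems, and since the copyright block is presumably rendered into the generated version and man-page text, users will be pointed at a file that is not there. The same string is added to serv-args.def.in and srptool-args.def.in in later hunks of this commit. Referring to the file the source distribution ships, e.g. `author = "Nikos Mavrogiannopoulos, Simon Josefsson and others; see the AUTHORS file in the GnuTLS distribution for a complete list.";`, keeps the notice correct wherever the tool is installed.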
diff --git a/src/serv-args.def.in b/src/serv-args.def.in
index 424cab2..711614f 100644
--- a/src/serv-args.def.in
+++ b/src/serv-args.def.in
@@ -15,7 +15,7 @@ export = '#include <gettext.h>';
 copyright = {
     date  = "2000-2012";
     owner = "Free Software Foundation";
-    author = "Nikos Mavrogiannopoulos and Simon Josefsson";
+    author = "Nikos Mavrogiannopoulos, Simon Josefsson and others; see 
/usr/share/doc/gnutls-bin/AUTHORS for a complete list.";
     eaddr  = "address@hidden";
     type  = gpl;
 };
@@ -125,8 +125,7 @@ flag = {
 
 flag = {
     name      = x509cafile;
-    arg-type  = file;
-    file-exists = yes;
+    arg-type  = string;
     descrip   = "Certificate file or PKCS #11 URL to use";
     doc      = "";
 };
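Review bot: Changing x509cafile from `arg-type = file` with `file-exists = yes` to `arg-type = string` drops the existence check that autoopts performed at parse time, so a mistyped path is now accepted by the option parser and only fails, if at all, when the value is loaded. The same change is made for x509keyfile, x509certfile, x509dsakeyfile, x509dsacertfile, x509ecckeyfile and x509ecccertfile in the next hunk. The code that consumes these values is not in this diff; it now has to distinguish a `pkcs11:` URL from a path itself and should report a missing or unreadable file explicitly rather than continuing without the CA, certificate or key. The empty `doc` field is the place to state this, e.g. `doc = "Accepts a file path or a PKCS #11 URL; a path is not checked for existence when the option is parsed.";`.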
@@ -165,48 +164,42 @@ flag = {
 
 flag = {
     name      = x509keyfile;
-    arg-type  = file;
-    file-exists = yes;
+    arg-type  = string;
     descrip   = "X.509 key file or PKCS #11 URL to use";
     doc      = "";
 };
 
 flag = {
     name      = x509certfile;
-    arg-type  = file;
-    file-exists = yes;
+    arg-type  = string;
     descrip   = "X.509 Certificate file or PKCS #11 URL to use";
     doc      = "";
 };
 
 flag = {
     name      = x509dsakeyfile;
-    arg-type  = file;
-    file-exists = yes;
+    arg-type  = string;
     descrip   = "Alternative X.509 key file or PKCS #11 URL to use";
     doc      = "";
 };
 
 flag = {
     name      = x509dsacertfile;
-    arg-type  = file;
-    file-exists = yes;
+    arg-type  = string;
     descrip   = "Alternative X.509 Certificate file or PKCS #11 URL to use";
     doc      = "";
 };
 
 flag = {
     name      = x509ecckeyfile;
-    arg-type  = file;
-    file-exists = yes;
+    arg-type  = string;
     descrip   = "Alternative X.509 key file or PKCS #11 URL to use";
     doc      = "";
 };
 
 flag = {
     name      = x509ecccertfile;
-    arg-type  = file;
-    file-exists = yes;
+    arg-type  = string;
     descrip   = "Alternative X.509 Certificate file or PKCS #11 URL to use";
     doc      = "";
 };
diff --git a/src/srptool-args.def.in b/src/srptool-args.def.in
index 0fb80af..f355e37 100644
--- a/src/srptool-args.def.in
+++ b/src/srptool-args.def.in
@@ -14,9 +14,7 @@ short-usage   = "srptool [options]\nsrptool --help for usage 
instructions.\n";
 prog-group    = "GnuTLS";
 gnu-usage;
 no-misuse-usage;
-reorder-args;
 disable-save;
-argument;
 long-opts;
 config-header = 'config.h';
 export = '#include <gettext.h>';
@@ -24,7 +22,7 @@ export = '#include <gettext.h>';
 copyright = {
     date  = "2000-2012";
     owner = "Free Software Foundation";
-    author = "Nikos Mavrogiannopoulos and Simon Josefsson";
+    author = "Nikos Mavrogiannopoulos, Simon Josefsson and others; see 
/usr/share/doc/gnutls-bin/AUTHORS for a complete list.";
     eaddr  = "address@hidden";
     type  = gpl;
 };
@@ -114,7 +112,7 @@ This command will create @file{/etc/tpasswd} and will add 
user 'test' (you
 will also be prompted for a password). Verifiers are stored by default
 in the way libsrp expects.
 @example
-srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test
+$ srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test
 @end example
 
 


hooks/post-receive
-- 
GNU gnutls


