author    Nikos Mavrogiannopoulos <nmav@gnutls.org>  2012-12-29 13:11:32 +0200
committer Nikos Mavrogiannopoulos <nmav@gnutls.org>  2012-12-29 13:11:32 +0200
commit    f0c04cbfd12d330df70ba9952084f4d7d3d0525b (patch)
tree      cc5cc489c68a787ea3167729bec6070021ebe959
parent    f01c3652d334e58dea92b75c061be41d77427968 (diff)
download  gnutls-f0c04cbfd12d330df70ba9952084f4d7d3d0525b.tar.gz
Reorganization of the authentication chapter.
-rw-r--r--  doc/Makefile.am                 18
-rw-r--r--  doc/cha-auth.texi               23
-rw-r--r--  doc/cha-cert-auth.texi          38
-rw-r--r--  doc/cha-cert-auth2.texi         22
-rw-r--r--  doc/cha-shared-key.texi         12
-rw-r--r--  doc/gnutls.texi                  9
-rw-r--r--  doc/invoke-certtool.texi       650
-rw-r--r--  doc/invoke-danetool.texi       200
-rw-r--r--  doc/invoke-gnutls-cli-debug.texi 91
-rw-r--r--  doc/invoke-gnutls-cli.texi     342
-rw-r--r--  doc/invoke-gnutls-serv.texi    354
-rw-r--r--  doc/invoke-ocsptool.texi       249
-rw-r--r--  doc/invoke-p11tool.texi        303
-rw-r--r--  doc/invoke-psktool.texi         58
-rw-r--r--  doc/invoke-srptool.texi         95
-rw-r--r--  doc/invoke-tpmtool.texi        187
16 files changed, 1384 insertions, 1267 deletions
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 1dc3088e62..8962ccf6d0 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -80,21 +80,27 @@ invoke-certtool.texi: $(SRC_DEF_CERTTOOL)
rm -f ../doc/$@ && \
../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@
+ rm -f ../src/$@ && \
+ sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
+ sed -i 's/@section/@subsection/g' ../doc/$@
invoke-ocsptool.texi: $(SRC_DEF_OCSPTOOL)
@-cd ../src/ && autogen -Tagtexi-cmd.tpl $< && \
rm -f ../doc/$@ && \
../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@
+ rm -f ../src/$@ && \
+ sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
+ sed -i 's/@section/@subsection/g' ../doc/$@
invoke-danetool.texi: $(SRC_DEF_DANETOOL)
@-cd ../src/ && autogen -Tagtexi-cmd.tpl $< && \
rm -f ../doc/$@ && \
../doc/scripts/cleanup-autogen.pl <../src/$@ >../doc/$@.tmp && \
mv -f ../doc/$@.tmp ../doc/$@ && \
- rm -f ../src/$@
+ rm -f ../src/$@ && \
+ sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
+ sed -i 's/@section/@subsection/g' ../doc/$@
invoke-srptool.texi: $(SRC_DEF_SRPTOOL)
@-cd ../src/ && autogen -Tagtexi-cmd.tpl $< && \
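Review bot: `sed -i` with no backup suffix is GNU sed syntax and fails on BSD/macOS sed (which expects `-i ''`), and because every one of these recipes starts with `@-`, a failing sed is silently ignored and the file is left at the wrong heading level. The same two sed commands are now pasted into five rules (certtool, ocsptool, danetool here, srptool and psktool below); factoring them into one make variable or into scripts/cleanup-autogen.pl would keep the level mapping in one place. Also worth a one-line comment: the three rules in this hunk map `@section` to `@subsection`, while the srptool and psktool rules map it to `@subsubsection`, so a reader cannot tell from the Makefile which chapter level each generated file is included at.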
@@ -103,7 +109,7 @@ invoke-srptool.texi: $(SRC_DEF_SRPTOOL)
mv -f ../doc/$@.tmp ../doc/$@ && \
rm -f ../src/$@ && \
sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
+ sed -i 's/@section/@subsubsection/g' ../doc/$@
invoke-psktool.texi: $(SRC_DEF_PSKTOOL)
@-cd ../src/ && autogen -Tagtexi-cmd.tpl $< && \
@@ -112,7 +118,7 @@ invoke-psktool.texi: $(SRC_DEF_PSKTOOL)
mv -f ../doc/$@.tmp ../doc/$@ && \
rm -f ../src/$@ && \
sed -i 's/@subheading/@subsubheading/g' ../doc/$@ && \
- sed -i 's/@section/@subsection/g' ../doc/$@
+ sed -i 's/@section/@subsubsection/g' ../doc/$@
invoke-p11tool.texi: $(SRC_DEF_P11TOOL)
@-cd ../src/ && autogen -Tagtexi-cmd.tpl $< && \
@@ -140,7 +146,7 @@ gnutls_TEXINFOS = gnutls.texi fdl-1.3.texi \
cha-library.texi cha-preface.texi cha-programs.texi \
sec-tls-app.texi cha-errors.texi cha-support.texi \
cha-shared-key.texi cha-gtls-examples.texi cha-upgrade.texi \
- cha-tokens.texi cha-crypto.texi
+ cha-tokens.texi cha-crypto.texi cha-auth.texi
gnutls_TEXINFOS += invoke-gnutls-cli.texi invoke-gnutls-cli-debug.texi \
invoke-gnutls-serv.texi invoke-certtool.texi invoke-srptool.texi \
diff --git a/doc/cha-auth.texi b/doc/cha-auth.texi
index 1fcf9a33ea..2e1768f08f 100644
--- a/doc/cha-auth.texi
+++ b/doc/cha-auth.texi
@@ -2,6 +2,16 @@
@chapter Authentication methods
@cindex authentication methods
+@menu
+* Selecting the appropriate authentication method::
+* Certificate authentication::
+* More on certificate authentication::
+* Shared-key and anonymous authentication::
+@end menu
+
+@node Selecting the appropriate authentication method
+@section Selecting the appropriate authentication method
+
The initial key exchange of the TLS protocol performs authentication
of the peers. In typical scenarios the server is authenticated to
the client, and optionally the client to the server.
@@ -12,7 +22,7 @@ including pre-shared keys, and passwords. The rest of this section
provides some guidance on how to use the available authentication
methods in @acronym{GnuTLS} in various scenarios.
-@section Two peers with an out-of-band channel
+@subsection Two peers with an out-of-band channel
Let's consider two peers need to communicate over an untrusted channel
(the Internet), but have an out-of-band channel available. The latter
@@ -41,7 +51,7 @@ bootstrapping of a user's PC in a corporate environment, in person
communication, communication over an alternative network (e.g. the phone
network) etc.
-@section Two peers without an out-of-band channel
+@subsection Two peers without an out-of-band channel
When an out-of-band channel is not available the peer cannot be reliably
authenticated. What can be done, however, is to allow some form of
@@ -59,7 +69,7 @@ authentication}).
To mitigate the uncertainty of the information exchanged in the first
connection other channels over the Internet may be used (e.g., @ref{Verifying a certificate using DANE}).
-@section A trusted third party is available
+@subsection A trusted third party is available
When a trusted third party is available the most suitable option is to use
certificate authentication (see @ref{Certificate authentication}).
@@ -90,3 +100,10 @@ the same (see @ref{Verifying a certificate using trust on first use
authentication}).
@end itemize
+
+@include cha-cert-auth.texi
+
+@include cha-cert-auth2.texi
+
+@include cha-shared-key.texi
+
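Review bot: the include order here differs from the one removed from gnutls.texi in this same commit (there it was cha-cert-auth, cha-shared-key, cha-cert-auth2; here it is cha-cert-auth, cha-cert-auth2, cha-shared-key), which moves the shared-key material after the advanced certificate material. The commit message only says "Reorganization", so please state whether the reordering is intended; the new `@menu` at the top of the file does match this order, so makeinfo will be happy either way. The trailing `+` adds a blank line at end of file, which can be dropped.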
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index afc3670d09..63ad6ccdb4 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -1,5 +1,5 @@
@node Certificate authentication
-@chapter Certificate authentication
+@section Certificate authentication
@cindex certificate authentication
The most known authentication method of @acronym{TLS} are certificates.
@@ -65,7 +65,7 @@ to use this key exchange algorithm.
@end menu
@node X.509 certificates
-@section @acronym{X.509} certificates
+@subsection @acronym{X.509} certificates
@cindex X.509 certificates
The @acronym{X.509} protocols rely on a hierarchical trust model. In
@@ -93,7 +93,7 @@ acceptable. The framework is illustrated on @ref{fig:x509}.
@end menu
@node X.509 certificate structure
-@subsection @acronym{X.509} certificate structure
+@subsubsection @acronym{X.509} certificate structure
An @acronym{X.509} certificate usually contains information about the
certificate holder, the signer, a unique serial number, expiration
@@ -201,7 +201,7 @@ demonstrate the @acronym{X.509} parsing capabilities can be found in
@ref{ex:x509-info}.
@node Importing an X.509 certificate
-@subsection Importing an X.509 certificate
+@subsubsection Importing an X.509 certificate
The certificate structure should be initialized using @funcref{gnutls_x509_crt_init}, and
a certificate structure can be imported using @funcref{gnutls_x509_crt_import}.
@@ -218,7 +218,7 @@ Note that although the functions above apply to @code{gnutls_x509_crt_t} structu
exist for the CRL structure @code{gnutls_x509_crl_t}.
@node X.509 distinguished names
-@subsection X.509 distinguished names
+@subsubsection X.509 distinguished names
@cindex X.509 distinguished name
The ``subject'' of an X.509 certificate is not described by
@@ -247,7 +247,7 @@ to the contents of the distinguished name structure.
@node X.509 public and private keys
-@subsection Accessing public and private keys
+@subsubsection Accessing public and private keys
Each X.509 certificate contains a public key that corresponds to a private key. To
get a unique identifier of the public key the @funcref{gnutls_x509_crt_get_key_id}
@@ -262,7 +262,7 @@ The private key parameters may be directly accessed by using one of the followin
@showfuncE{gnutls_x509_privkey_get_pk_algorithm2,gnutls_x509_privkey_export_rsa_raw2,gnutls_x509_privkey_export_ecc_raw,gnutls_x509_privkey_export_dsa_raw,gnutls_x509_privkey_get_key_id}
@node Verifying X.509 certificate paths
-@subsection Verifying @acronym{X.509} certificate paths
+@subsubsection Verifying @acronym{X.509} certificate paths
@cindex verifying certificate paths
Verifying certificate paths is important in @acronym{X.509}
@@ -293,7 +293,7 @@ are trusted for a particular server but not to authorize other certificates.
This purpose is served by the functions @funcref{gnutls_x509_trust_list_add_named_crt} and @funcref{gnutls_x509_trust_list_verify_named_crt}.
@node Verifying a certificate in the context of TLS session
-@subsection Verifying a certificate in the context of TLS session
+@subsubsection Verifying a certificate in the context of TLS session
@cindex verifying certificate paths
@tindex gnutls_certificate_verify_flags
@@ -318,7 +318,7 @@ flags are part of the enumeration
@node OpenPGP certificates
-@section @acronym{OpenPGP} certificates
+@subsection @acronym{OpenPGP} certificates
@cindex OpenPGP certificates
The @acronym{OpenPGP} key authentication relies on a distributed trust
@@ -379,7 +379,7 @@ The expiration time of the subkey.
@end float
-@subsection @acronym{OpenPGP} certificate structure
+@subsubsection @acronym{OpenPGP} certificate structure
In @acronym{GnuTLS} the @acronym{OpenPGP} certificate structures
@xcite{RFC2440} are handled using the @code{gnutls_openpgp_crt_t} type.
@@ -421,7 +421,7 @@ The corresponding private keys are stored in the
@code{gnutls_openpgp_privkey_t} type. All the prototypes for the key
handling functions can be found in @file{gnutls/openpgp.h}.
-@subsection Verifying an @acronym{OpenPGP} certificate
+@subsubsection Verifying an @acronym{OpenPGP} certificate
The verification functions of @acronym{OpenPGP} keys, included in
@acronym{GnuTLS}, are simple ones, and do not use the features of the
@@ -444,7 +444,7 @@ of verification status flags is the same as in the @acronym{X.509} certificates
@showfuncdesc{gnutls_openpgp_crt_verify_self}
-@subsection Verifying a certificate in the context of a TLS session
+@subsubsection Verifying a certificate in the context of a TLS session
Similarly with X.509 certificates, one needs to specify
the OpenPGP keyring file in the credentials structure. The certificates
@@ -454,7 +454,7 @@ to verify the signatures in the certificate sent by the peer.
@showfuncdesc{gnutls_certificate_set_openpgp_keyring_file}
@node Advanced certificate verification
-@section Advanced certificate verification
+@subsection Advanced certificate verification
@cindex Certificate verification
The verification of X.509 certificates in the HTTPS and other Internet protocols is typically
@@ -466,11 +466,11 @@ other verification methods. In this section we list the available in GnuTLS meth
@menu
* Verifying a certificate using trust on first use authentication::
-* Verifying a certificate using DANE (DNSSEC)::
+* Verifying a certificate using DANE::
@end menu
@node Verifying a certificate using trust on first use authentication
-@subsection Verifying a certificate using trust on first use authentication
+@subsubsection Verifying a certificate using trust on first use authentication
@cindex verifying certificate paths
@cindex SSH-style authentication
@cindex Trust on first use
@@ -491,8 +491,8 @@ shown in @ref{Simple client example with SSH-style certificate verification}.
See @ref{Certificate verification} on how to use the available functionality.
-@node Verifying a certificate using DANE (DNSSEC)
-@subsection Verifying a certificate using DANE (DNSSEC)
+@node Verifying a certificate using DANE
+@subsubsection Verifying a certificate using DANE (DNSSEC)
@cindex verifying certificate paths
@cindex DANE
@cindex DNSSEC
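Review bot: renaming the node from "Verifying a certificate using DANE (DNSSEC)" to "Verifying a certificate using DANE" while keeping "(DNSSEC)" in the heading is fine, but every `@ref`/`@xref` to the old node name elsewhere in the manual will now be a dangling reference at makeinfo time. The `@ref{Verifying a certificate using DANE}` visible as context in the cha-auth.texi hunk already uses the new name, so this rename also repairs that cross-reference; a makeinfo run before merging would confirm no other references to the old name remain.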
@@ -512,7 +512,7 @@ with GnuTLS and the function prototypes are in @code{gnutls/dane.h}.
See @ref{Certificate verification} for information on how to use the library.
@node Digital signatures
-@section Digital signatures
+@subsection Digital signatures
@cindex digital signatures
In this section we will provide some information about digital
@@ -576,7 +576,7 @@ sometime in the future, SHA-1 will be disabled as well. The collision
attacks on SHA-1 may also get better, given the new interest in tools
for creating them.
-@subsection Trading security for interoperability
+@subsubsection Trading security for interoperability
If you connect to a server and use GnuTLS' functions to verify the
certificate chain, and get a @code{GNUTLS_CERT_INSECURE_ALGORITHM}
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 975a06469b..b49c201740 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -1,5 +1,5 @@
@node More on certificate authentication
-@chapter More on certificate authentication
+@section More on certificate authentication
@cindex certificate authentication
Certificates are not the only structures involved in a public key
@@ -18,7 +18,7 @@ structures, etc., are discussed in this chapter.
@end menu
@node PKCS 10 certificate requests
-@section @acronym{PKCS} #10 certificate requests
+@subsection @acronym{PKCS} #10 certificate requests
@cindex certificate requests
@cindex PKCS #10
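Review bot: the context line at the top of this hunk still reads "structures, etc., are discussed in this chapter." although the file's `@chapter` was just demoted to `@section`; update it to "this section" so the prose matches the new nesting.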
@@ -53,7 +53,7 @@ which should return a signed certificate.
@verbatiminclude examples/ex-crq.c
@node PKIX certificate revocation lists
-@section PKIX certificate revocation lists
+@subsection PKIX certificate revocation lists
@cindex certificate revocation lists
@cindex CRL
@@ -102,7 +102,7 @@ The basic CRL structure functions follow.
@showfuncD{gnutls_x509_crl_init,gnutls_x509_crl_import,gnutls_x509_crl_export,gnutls_x509_crl_export}
-@subheading Reading a CRL
+@subsubheading Reading a CRL
The most important function that extracts the certificate revocation
information from a CRL is @funcref{gnutls_x509_crl_get_crt_serial}. Other
@@ -113,7 +113,7 @@ functions that return other fields of the CRL structure are also provided.
@showfuncE{gnutls_x509_crl_get_version,gnutls_x509_crl_get_issuer_dn,gnutls_x509_crl_get_this_update,gnutls_x509_crl_get_next_update,gnutls_x509_crl_get_crt_count}
-@subheading Generation of a CRL
+@subsubheading Generation of a CRL
The following functions can be used to generate a CRL.
@@ -133,7 +133,7 @@ CRL number extension and the authority key identifier.
@showfuncB{gnutls_x509_crl_set_number,gnutls_x509_crl_set_authority_key_id}
@node OCSP certificate status checking
-@section @acronym{OCSP} certificate status checking
+@subsection @acronym{OCSP} certificate status checking
@cindex certificate status
@cindex Online Certificate Status Protocol
@cindex OCSP
@@ -303,7 +303,7 @@ whether the received OCSP response corresponds to the certificate being checked.
@showfuncC{gnutls_ocsp_resp_verify,gnutls_ocsp_resp_verify_direct,gnutls_ocsp_resp_check_crt}
@node Managing encrypted keys
-@section Managing encrypted keys
+@subsection Managing encrypted keys
@cindex Encrypted keys
Transferring or storing private keys in plain may not be a
@@ -320,7 +320,7 @@ while the PKCS #12 method allows, in addition, the bundling of accompanying
data into the structure. That is typically the corresponding certificate, as
well as a trusted CA certificate.
-@subheading High level functionality
+@subsubheading High level functionality
Generic and higher level private key import functions are available, that
import plain or encrypted keys and will auto-detect the encrypted key format.
@@ -328,7 +328,7 @@ import plain or encrypted keys and will auto-detect the encrypted key format.
@showfuncdesc{gnutls_privkey_import_x509_raw}
-@subheading @acronym{PKCS} #8 structures
+@subsubheading @acronym{PKCS} #8 structures
@cindex PKCS #8
PKCS #8 keys can be imported and exported as normal private keys using
@@ -342,7 +342,7 @@ be decrypted.
@showenumdesc{gnutls_pkcs_encrypt_flags_t,Encryption flags}
-@subheading @acronym{PKCS} #12 structures
+@subsubheading @acronym{PKCS} #12 structures
@cindex PKCS #12
A @acronym{PKCS} #12 structure @xcite{PKCS12} usually contains a user's
@@ -374,7 +374,7 @@ of their usage is also shown.
@verbatiminclude examples/ex-pkcs12.c
-@subheading OpenSSL encrypted keys
+@subsubheading OpenSSL encrypted keys
@cindex OpenSSL encrypted keys
Unfortunately the structures discussed in the previous sections are
not the only structures that may hold an encrypted private key. For example
diff --git a/doc/cha-shared-key.texi b/doc/cha-shared-key.texi
index b2e7f06865..5931070807 100644
--- a/doc/cha-shared-key.texi
+++ b/doc/cha-shared-key.texi
@@ -1,5 +1,5 @@
@node Shared-key and anonymous authentication
-@chapter Shared-key and anonymous authentication
+@section Shared-key and anonymous authentication
In addition to certificate authentication, the TLS protocol may be
used with password, shared-key and anonymous authentication methods.
@@ -12,7 +12,7 @@ The rest of this chapter discusses details of these methods.
@end menu
@node SRP authentication
-@section SRP authentication
+@subsection SRP authentication
@menu
* Authentication using SRP::
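Review bot: same wording issue as in cha-cert-auth2.texi: the context line "The rest of this chapter discusses details of these methods." now sits under a `@section`, so it should say "this section".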
@@ -20,7 +20,7 @@ The rest of this chapter discusses details of these methods.
@end menu
@node Authentication using SRP
-@subsection Authentication using @acronym{SRP}
+@subsubsection Authentication using @acronym{SRP}
@cindex SRP authentication
@acronym{GnuTLS} supports authentication via the Secure Remote Password
@@ -78,7 +78,7 @@ authenticated using a certificate with RSA parameters.
@include invoke-srptool.texi
@node PSK authentication
-@section PSK authentication
+@subsection PSK authentication
@menu
* Authentication using PSK::
@@ -86,7 +86,7 @@ authenticated using a certificate with RSA parameters.
@end menu
@node Authentication using PSK
-@subsection Authentication using @acronym{PSK}
+@subsubsection Authentication using @acronym{PSK}
@cindex PSK authentication
Authentication using Pre-shared keys is a method to authenticate using
@@ -121,7 +121,7 @@ in @acronym{GnuTLS}.
@include invoke-psktool.texi
@node Anonymous authentication
-@section Anonymous authentication
+@subsection Anonymous authentication
@cindex anonymous authentication
The anonymous key exchange offers encryption without any
diff --git a/doc/gnutls.texi b/doc/gnutls.texi
index 0cfc62e3e6..fe42593f57 100644
--- a/doc/gnutls.texi
+++ b/doc/gnutls.texi
@@ -150,9 +150,6 @@ Documentation License''.
* Introduction to GnuTLS::
* Introduction to TLS::
* Authentication methods::
-* Certificate authentication::
-* Shared-key and anonymous authentication::
-* More on certificate authentication::
* Hardware security modules and abstract key types::
* How to use GnuTLS in applications::
* GnuTLS application examples::
@@ -179,12 +176,6 @@ Documentation License''.
@include cha-auth.texi
-@include cha-cert-auth.texi
-
-@include cha-shared-key.texi
-
-@include cha-cert-auth2.texi
-
@include cha-tokens.texi
@include cha-gtls-app.texi
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi
index 601175f6ba..ceb314fafd 100644
--- a/doc/invoke-certtool.texi
+++ b/doc/invoke-certtool.texi
@@ -1,37 +1,30 @@
@node certtool Invocation
-@section Invoking certtool
+@subsection Invoking certtool
@pindex certtool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-certtool.texi)
#
-# It has been AutoGen-ed December 15, 2012 at 11:11:50 AM by AutoGen 5.16
+# It has been AutoGen-ed December 29, 2012 at 01:05:07 PM by AutoGen 5.12
# From the definitions ../src/certtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
-
Tool to parse and generate X.509 certificates, requests and private keys.
It can be used interactively or non interactively by
specifying the template command line option.
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{certtool} program.
-This software is released under the GNU General Public License, version 3 or later.
+
+This software is released under the GNU General Public License.
@anchor{certtool usage}
-@subheading certtool help/usage (-h)
-@cindex certtool help
+@subsubheading certtool usage help (-?)
-This is the automatically generated usage text for certtool.
-The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
+This is the automatically generated usage text for certtool:
@exampleindent 0
@example
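Review bot: the header comment shows this file was regenerated with AutoGen 5.12 instead of the 5.16 used for the previous version, and the visible fallout is a documentation regression rather than a reorganization: the license line loses "version 3 or later", the `@cindex certtool help` entry disappears, the paragraph explaining `help`/`more-help` and the `PAGER` behaviour is dropped, and the usage heading changes from `(-h)` to `(-?)`. Since the commit is about heading levels, the generated invoke-*.texi files should be regenerated with the same AutoGen the previous version used (or the version bump and its text changes split into their own commit).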
@@ -128,18 +121,107 @@ please send bug reports to: bug-gnutls@@gnu.org
@end example
@exampleindent 4
+@anchor{certtool bits}
+@subsubheading bits option
+
+This is the ``specify the number of bits for key generate'' option.
+
+
+@anchor{certtool certificate-info}
+@subsubheading certificate-info option (-i)
+
+This is the ``print information on the given certificate'' option.
+
+
+@anchor{certtool certificate-pubkey}
+@subsubheading certificate-pubkey option
+
+This is the ``print certificate's public key'' option.
+
+
+@anchor{certtool crl-info}
+@subsubheading crl-info option (-l)
+
+This is the ``print information on the given crl structure'' option.
+
+
+@anchor{certtool crq-info}
+@subsubheading crq-info option
+
+This is the ``print information on the given certificate request'' option.
+
+
@anchor{certtool debug}
-@subheading debug option (-d)
+@subsubheading debug option (-d)
This is the ``enable debugging.'' option.
-This option takes an argument number.
Specifies the debug level.
+
+@anchor{certtool dh-info}
+@subsubheading dh-info option
+
+This is the ``print information pkcs #3 encoded diffie-hellman parameters'' option.
+
+
+@anchor{certtool disable-quick-random}
+@subsubheading disable-quick-random option
+
+This is the ``no effect'' option.
+
+
+@anchor{certtool dsa}
+@subsubheading dsa option
+
+This is the ``generate dsa key'' option.
+When combined with --generate-privkey generates a DSA private key.
+
+@anchor{certtool ecc}
+@subsubheading ecc option
+
+This is the ``generate ecc (ecdsa) key'' option.
+When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.
+
+@anchor{certtool ecdsa}
+@subsubheading ecdsa option
+
+This is the ``'' option.
+This option has no @samp{doc} documentation.
+
+@anchor{certtool generate-certificate}
+@subsubheading generate-certificate option (-c)
+
+This is the ``generate a signed certificate'' option.
+
+
+@anchor{certtool generate-crl}
+@subsubheading generate-crl option
+
+This is the ``generate a crl'' option.
+
+
+@anchor{certtool generate-dh-params}
+@subsubheading generate-dh-params option
+
+This is the ``generate pkcs #3 encoded diffie-hellman parameters.'' option.
+
+
+@anchor{certtool generate-privkey}
+@subsubheading generate-privkey option (-p)
+
+This is the ``generate a private key'' option.
+
+
+@anchor{certtool generate-proxy}
+@subsubheading generate-proxy option
+
+This is the ``generates a proxy certificate'' option.
+
+
@anchor{certtool generate-request}
-@subheading generate-request option (-q)
+@subsubheading generate-request option (-q)
This is the ``generate a pkcs #10 certificate request'' option.
-@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
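Review bot: the new `ecdsa` and `inraw` entries read `This is the ``'' option.` followed by `This option has no @samp{doc} documentation.`, whereas the old text (removed further down) documented both as aliases of `ecc` and `inder` with a `@pxref`; this is the older AutoGen not understanding the alias definitions, and it leaves two empty-quoted headings in the manual. The `@noindent` before "This option has some usage constraints" is also dropped. Both point at regenerating with the same AutoGen version rather than committing this output.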
@@ -148,465 +230,301 @@ infile.
@end itemize
Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.
-@anchor{certtool verify-chain}
-@subheading verify-chain option (-e)
-
-This is the ``verify a pem encoded certificate chain.'' option.
-The last certificate in the chain must be a self signed one.
-@anchor{certtool verify}
-@subheading verify option
-This is the ``verify a pem encoded certificate chain using a trusted list.'' option.
+@anchor{certtool generate-self-signed}
+@subsubheading generate-self-signed option (-s)
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-load-ca-certificate.
-@end itemize
+This is the ``generate a self-signed certificate'' option.
-The trusted certificate list must be loaded with --load-ca-certificate.
-@anchor{certtool verify-crl}
-@subheading verify-crl option
-This is the ``verify a crl using a trusted list.'' option.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-load-ca-certificate.
-@end itemize
-
-The trusted certificate list must be loaded with --load-ca-certificate.
@anchor{certtool get-dh-params}
-@subheading get-dh-params option
+@subsubheading get-dh-params option
This is the ``get the included pkcs #3 encoded diffie-hellman parameters.'' option.
Returns stored DH parameters in GnuTLS. Those parameters are used in the SRP protocol. The parameters returned by fresh generation
are more efficient since GnuTLS 3.0.9.
-@anchor{certtool load-privkey}
-@subheading load-privkey option
-This is the ``loads a private key file'' option.
-This option takes an argument string.
-This can be either a file or a PKCS #11 URL
-@anchor{certtool load-pubkey}
-@subheading load-pubkey option
+@anchor{certtool hash}
+@subsubheading hash option
-This is the ``loads a public key file'' option.
-This option takes an argument string.
-This can be either a file or a PKCS #11 URL
-@anchor{certtool load-certificate}
-@subheading load-certificate option
+This is the ``hash algorithm to use for signing.'' option.
+Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
-This is the ``loads a certificate file'' option.
-This option takes an argument string.
+@anchor{certtool hex-numbers}
+@subsubheading hex-numbers option
+
+This is the ``print big number in an easier format to parse'' option.
+
+
+@anchor{certtool inder}
+@subsubheading inder option
+
+This is the ``use der format for input certificates and private keys.'' option.
+The input files will be assumed to be in DER or RAW format.
+Unlike options that in PEM input would allow multiple input data (e.g. multiple
+certificates), when reading in DER format a single data structure is read.
+
+@anchor{certtool infile}
+@subsubheading infile option
+
+This is the ``input file'' option.
+
+
+@anchor{certtool inraw}
+@subsubheading inraw option
+
+This is the ``'' option.
+This option has no @samp{doc} documentation.
+
+@anchor{certtool key-info}
+@subsubheading key-info option (-k)
+
+This is the ``print information on a private key'' option.
+
+
+@anchor{certtool load-ca-certificate}
+@subsubheading load-ca-certificate option
+
+This is the ``loads the certificate authority's certificate file'' option.
This can be either a file or a PKCS #11 URL
+
@anchor{certtool load-ca-privkey}
-@subheading load-ca-privkey option
+@subsubheading load-ca-privkey option
This is the ``loads the certificate authority's private key file'' option.
-This option takes an argument string.
This can be either a file or a PKCS #11 URL
-@anchor{certtool load-ca-certificate}
-@subheading load-ca-certificate option
-This is the ``loads the certificate authority's certificate file'' option.
-This option takes an argument string.
-This can be either a file or a PKCS #11 URL
-@anchor{certtool null-password}
-@subheading null-password option
+@anchor{certtool load-certificate}
+@subsubheading load-certificate option
-This is the ``enforce a null password'' option.
-This option enforces a NULL password. This may be different than the empty password in some schemas.
-@anchor{certtool pubkey-info}
-@subheading pubkey-info option
+This is the ``loads a certificate file'' option.
+This can be either a file or a PKCS #11 URL
-This is the ``print information on a public key'' option.
-The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question.
-@anchor{certtool to-p12}
-@subheading to-p12 option
+@anchor{certtool load-privkey}
+@subsubheading load-privkey option
-This is the ``generate a pkcs #12 structure'' option.
+This is the ``loads a private key file'' option.
+This can be either a file or a PKCS #11 URL
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must appear in combination with the following options:
-load-certificate.
-@end itemize
+@anchor{certtool load-pubkey}
+@subsubheading load-pubkey option
-It requires a certificate, a private key and possibly a CA certificate to be specified.
-@anchor{certtool rsa}
-@subheading rsa option
+This is the ``loads a public key file'' option.
+This can be either a file or a PKCS #11 URL
-This is the ``generate rsa key'' option.
-When combined with --generate-privkey generates an RSA private key.
-@anchor{certtool dsa}
-@subheading dsa option
+@anchor{certtool load-request}
+@subsubheading load-request option
-This is the ``generate dsa key'' option.
-When combined with --generate-privkey generates a DSA private key.
-@anchor{certtool ecc}
-@subheading ecc option
+This is the ``loads a certificate request file'' option.
-This is the ``generate ecc (ecdsa) key'' option.
-When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.
-@anchor{certtool ecdsa}
-@subheading ecdsa option
-This is an alias for the ecc option,
-@pxref{certtool ecc, the ecc option documentation}.
+@anchor{certtool no-crq-extensions}
+@subsubheading no-crq-extensions option
-@anchor{certtool hash}
-@subheading hash option
+This is the ``do not use extensions in certificate requests'' option.
-This is the ``hash algorithm to use for signing.'' option.
-This option takes an argument string.
-Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
-@anchor{certtool inder}
-@subheading inder option
-This is the ``use der format for input certificates and private keys.'' option.
-The input files will be assumed to be in DER or RAW format.
-Unlike options that in PEM input would allow multiple input data (e.g. multiple
-certificates), when reading in DER format a single data structure is read.
-@anchor{certtool inraw}
-@subheading inraw option
+@anchor{certtool null-password}
+@subsubheading null-password option
-This is an alias for the inder option,
-@pxref{certtool inder, the inder option documentation}.
+This is the ``enforce a null password'' option.
+This option enforces a NULL password. This may be different than the empty password in some schemas.
@anchor{certtool outder}
-@subheading outder option
+@subsubheading outder option
This is the ``use der format for output certificates and private keys'' option.
The output will be in DER or RAW format.
-@anchor{certtool outraw}
-@subheading outraw option
-This is an alias for the outder option,
-@pxref{certtool outder, the outder option documentation}.
+@anchor{certtool outfile}
+@subsubheading outfile option
-@anchor{certtool sec-param}
-@subheading sec-param option
+This is the ``output file'' option.
-This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
-This option takes an argument string @file{Security parameter}.
-This is alternative to the bits option.
-@anchor{certtool pkcs-cipher}
-@subheading pkcs-cipher option
-This is the ``cipher to use for pkcs #8 and #12 operations'' option.
-This option takes an argument string @file{Cipher}.
-Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.
-@anchor{certtool exit status}
-@subheading certtool exit status
+@anchor{certtool outraw}
+@subsubheading outraw option
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{certtool See Also}
-@subheading certtool See Also
- p11tool (1)
+This is the ``'' option.
+This option has no @samp{doc} documentation.
-@anchor{certtool Examples}
-@subheading certtool Examples
-@subheading Generating private keys
-To create an RSA private key, run:
-@example
-$ certtool --generate-privkey --outfile key.pem --rsa
-@end example
+@anchor{certtool p12-info}
+@subsubheading p12-info option
-To create a DSA or elliptic curves (ECDSA) private key use the
-above command combined with 'dsa' or 'ecc' options.
+This is the ``print information on a pkcs #12 structure'' option.
-@subheading Generating certificate requests
-To create a certificate request (needed when the certificate is issued by
-another party), run:
-@example
-certtool --generate-request --load-privkey key.pem \
- --outfile request.pem
-@end example
-If the private key is stored in a smart card you can generate
-a request by specifying the private key object URL.
-@example
-$ ./certtool --generate-request --load-privkey "pkcs11:..." \
- --load-pubkey "pkcs11:..." --outfile request.pem
-@end example
+@anchor{certtool p7-info}
+@subsubheading p7-info option
+This is the ``print information on a pkcs #7 structure'' option.
-@subheading Generating a self-signed certificate
-To create a self signed certificate, use the command:
-@example
-$ certtool --generate-privkey --outfile ca-key.pem
-$ certtool --generate-self-signed --load-privkey ca-key.pem \
- --outfile ca-cert.pem
-@end example
-Note that a self-signed certificate usually belongs to a certificate
-authority, that signs other certificates.
+@anchor{certtool password}
+@subsubheading password option
-@subheading Generating a certificate
-To generate a certificate using the previous request, use the command:
-@example
-$ certtool --generate-certificate --load-request request.pem \
- --outfile cert.pem --load-ca-certificate ca-cert.pem \
- --load-ca-privkey ca-key.pem
-@end example
+This is the ``password to use'' option.
-To generate a certificate using the private key only, use the command:
-@example
-$ certtool --generate-certificate --load-privkey key.pem \
- --outfile cert.pem --load-ca-certificate ca-cert.pem \
- --load-ca-privkey ca-key.pem
-@end example
-@subheading Certificate information
-To view the certificate information, use:
-@example
-$ certtool --certificate-info --infile cert.pem
-@end example
+@anchor{certtool pgp-certificate-info}
+@subsubheading pgp-certificate-info option
-@subheading PKCS #12 structure generation
-To generate a PKCS #12 structure using the previous key and certificate,
-use the command:
-@example
-$ certtool --load-certificate cert.pem --load-privkey key.pem \
- --to-p12 --outder --outfile key.p12
-@end example
+This is the ``print information on the given openpgp certificate'' option.
-Some tools (reportedly web browsers) have problems with that file
-because it does not contain the CA certificate for the certificate.
-To work around that problem in the tool, you can use the
---load-ca-certificate parameter as follows:
-@example
-$ certtool --load-ca-certificate ca.pem \
- --load-certificate cert.pem --load-privkey key.pem \
- --to-p12 --outder --outfile key.p12
-@end example
+@anchor{certtool pgp-key-info}
+@subsubheading pgp-key-info option
-@subheading Diffie-Hellman parameter generation
-To generate parameters for Diffie-Hellman key exchange, use the command:
-@example
-$ certtool --generate-dh-params --outfile dh.pem --sec-param normal
-@end example
+This is the ``print information on an openpgp private key'' option.
-@subheading Proxy certificate generation
-Proxy certificate can be used to delegate your credential to a
-temporary, typically short-lived, certificate. To create one from the
-previously created certificate, first create a temporary key and then
-generate a proxy certificate for it, using the commands:
-@example
-$ certtool --generate-privkey > proxy-key.pem
-$ certtool --generate-proxy --load-ca-privkey key.pem \
- --load-privkey proxy-key.pem --load-certificate cert.pem \
- --outfile proxy-cert.pem
-@end example
+@anchor{certtool pgp-ring-info}
+@subsubheading pgp-ring-info option
-@subheading Certificate revocation list generation
-To create an empty Certificate Revocation List (CRL) do:
+This is the ``print information on the given openpgp keyring structure'' option.
-@example
-$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
- --load-ca-certificate x509-ca.pem
-@end example
-To create a CRL that contains some revoked certificates, place the
-certificates in a file and use @code{--load-certificate} as follows:
+@anchor{certtool pkcs8}
+@subsubheading pkcs8 option (-8)
-@example
-$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
- --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
-@end example
-
-To verify a Certificate Revocation List (CRL) do:
-
-@example
-$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
-@end example
+This is the ``use pkcs #8 format for private keys'' option.
-@anchor{certtool Files}
-@subheading certtool Files
-@subheading Certtool's template file format
-A template file can be used to avoid the interactive questions of
-certtool. Initially create a file named 'cert.cfg' that contains the information
-about the certificate. The template can be used as below:
-
-@example
-$ certtool --generate-certificate cert.pem --load-privkey key.pem \
- --template cert.cfg \
- --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
-@end example
-An example certtool template file that can be used to generate a certificate
-request or a self signed certificate follows.
+@anchor{certtool pkcs-cipher}
+@subsubheading pkcs-cipher option
-@example
-# X.509 Certificate options
-#
-# DN options
+This is the ``cipher to use for pkcs #8 and #12 operations'' option.
+Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.
-# The organization of the subject.
-organization = "Koko inc."
+@anchor{certtool pubkey-info}
+@subsubheading pubkey-info option
-# The organizational unit of the subject.
-unit = "sleeping dept."
+This is the ``print information on a public key'' option.
+The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question.
-# The locality of the subject.
-# locality =
+@anchor{certtool rsa}
+@subsubheading rsa option
-# The state of the certificate owner.
-state = "Attiki"
+This is the ``generate rsa key'' option.
+When combined with --generate-privkey generates an RSA private key.
-# The country of the subject. Two letter code.
-country = GR
+@anchor{certtool sec-param}
+@subsubheading sec-param option
-# The common name of the certificate owner.
-cn = "Cindy Lauper"
+This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
+This is alternative to the bits option.
-# A user id of the certificate owner.
-#uid = "clauper"
+@anchor{certtool smime-to-p7}
+@subsubheading smime-to-p7 option
-# Set domain components
-#dc = "name"
-#dc = "domain"
+This is the ``convert s/mime to pkcs #7 structure'' option.
-# If the supported DN OIDs are not adequate you can set
-# any OID here.
-# For example set the X.520 Title and the X.520 Pseudonym
-# by using OID and string pairs.
-#dn_oid = 2.5.4.12 Dr.
-#dn_oid = 2.5.4.65 jackal
-# This is deprecated and should not be used in new
-# certificates.
-# pkcs9_email = "none@@none.org"
+@anchor{certtool template}
+@subsubheading template option
-# The serial number of the certificate
-serial = 007
+This is the ``template file to use for non-interactive operation'' option.
-# In how many days, counting from today, this certificate will expire.
-expiration_days = 700
-# X.509 v3 extensions
+@anchor{certtool to-p12}
+@subsubheading to-p12 option
-# A dnsname in case of a WWW server.
-#dns_name = "www.none.org"
-#dns_name = "www.morethanone.org"
+This is the ``generate a pkcs #12 structure'' option.
-# A subject alternative name URI
-#uri = "http://www.example.com"
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+must appear in combination with the following options:
+load-certificate.
+@end itemize
-# An IP address in case of a server.
-#ip_address = "192.168.1.1"
+It requires a certificate, a private key and possibly a CA certificate to be specified.
-# An email in case of a person
-email = "none@@none.org"
+@anchor{certtool to-p8}
+@subsubheading to-p8 option
-# Challenge password used in certificate requests
-challenge_password = 123456
+This is the ``generate a pkcs #8 structure'' option.
-# Password when encrypting a private key
-#password = secret
-# An URL that has CRLs (certificate revocation lists)
-# available. Needed in CA certificates.
-#crl_dist_points = "http://www.getcrl.crl/getcrl/"
+@anchor{certtool update-certificate}
+@subsubheading update-certificate option (-u)
-# Whether this is a CA certificate or not
-#ca
+This is the ``update a signed certificate'' option.
-# for microsoft smart card logon
-# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
-### Other predefined key purpose OIDs
+@anchor{certtool v1}
+@subsubheading v1 option
-# Whether this certificate will be used for a TLS client
-#tls_www_client
+This is the ``generate an x.509 version 1 certificate (with no extensions)'' option.
-# Whether this certificate will be used for a TLS server
-#tls_www_server
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites).
-signing_key
+@anchor{certtool verbose}
+@subsubheading verbose option (-V)
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is preferred to use different
-# keys for encryption and signing.
-#encryption_key
+This is the ``more verbose output'' option.
-# Whether this key will be used to sign other certificates.
-#cert_signing_key
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+may appear an unlimited number of times.
+@end itemize
-# Whether this key will be used to sign CRLs.
-#crl_signing_key
-# Whether this key will be used to sign code.
-#code_signing_key
-# Whether this key will be used to sign OCSP data.
-#ocsp_signing_key
+@anchor{certtool verify}
+@subsubheading verify option
-# Whether this key will be used for time stamping.
-#time_stamping_key
+This is the ``verify a pem encoded certificate chain using a trusted list.'' option.
-# Whether this key will be used for IPsec IKE operations.
-#ipsec_ike_key
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+must appear in combination with the following options:
+load-ca-certificate.
+@end itemize
-### end of key purpose OIDs
+The trusted certificate list must be loaded with --load-ca-certificate.
-# When generating a certificate from a certificate
-# request, then honor the extensions stored in the request
-# and store them in the real certificate.
-#honor_crq_extensions
+@anchor{certtool verify-chain}
+@subsubheading verify-chain option (-e)
-# Path length contraint. Sets the maximum number of
-# certificates that can be used to certify this certificate.
-# (i.e. the certificate chain length)
-#path_len = -1
-#path_len = 2
+This is the ``verify a pem encoded certificate chain.'' option.
+The last certificate in the chain must be a self signed one.
-# OCSP URI
-# ocsp_uri = http://my.ocsp.server/ocsp
+@anchor{certtool verify-crl}
+@subsubheading verify-crl option
-# CA issuers URI
-# ca_issuers_uri = http://my.ca.issuer
+This is the ``verify a crl using a trusted list.'' option.
-# Certificate policies
-# policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
-# policy1_txt = "This is a long policy to summarize"
-# policy1_url = http://www.example.com/a-policy-to-read
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+must appear in combination with the following options:
+load-ca-certificate.
+@end itemize
-# policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
-# policy2_txt = "This is a short policy"
-# policy2_url = http://www.example.com/another-policy-to-read
+The trusted certificate list must be loaded with --load-ca-certificate.
+@anchor{certtool exit status}
+@subsubheading certtool exit status
-# Options for proxy certificates
-# proxy_policy_language = 1.3.6.1.5.5.7.21.1
+One of the following exit values will be returned:
+@table @samp
+@item 0
+Successful program execution.
+@item 1
+The operation failed or the command syntax was not valid.
+@end table
-# Options for generating a CRL
+@anchor{certtool See Also}
+@subsubheading certtool See Also
-# next CRL update will be in 43 days (wow)
-#crl_next_update = 43
-# this is the 5th CRL by this CA
-#crl_number = 5
+@anchor{certtool Examples}
+@subsubheading certtool Examples
-@end example
+@anchor{certtool Files}
+@subsubheading certtool Files
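Review bot: the regenerated certtool section drops the whole body of the Examples and Files sections (the `--generate-request`, `--to-p12 ... --load-ca-certificate`, `--generate-crl` / `--verify-crl` walkthroughs and the annotated `cert.cfg` template), empties See Also (`p11tool (1)` is gone), and replaces the `outraw` documentation with `+This is the ``'' option.` / `+This option has no @samp{doc} documentation.` where the old text said it is an alias for `outder`. Nothing in the hunk supplies this content elsewhere, so it reads as a rebuild with a template or autogen that does not emit the `doc` sections rather than a deliberate removal; please regenerate from the same definitions and template that produced the old text, or move the examples and the template reference into the hand-written chapter, before merging. The template file in particular was the only place documenting `crl_dist_points`, `ocsp_uri` and the key-purpose flags (`tls_www_server`, `cert_signing_key`, `crl_signing_key`, `ocsp_signing_key`), i.e. how to restrict what a CA key may sign. Smaller regressions in the same hunk: the exit status table loses the `EXIT_SUCCESS` / `EXIT_FAILURE` names, and `sec-param` and `pkcs-cipher` lose their "This option takes an argument" lines.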
diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi
index b2232f47a9..b7c19b6754 100644
--- a/doc/invoke-danetool.texi
+++ b/doc/invoke-danetool.texi
@@ -1,35 +1,28 @@
@node danetool Invocation
-@section Invoking danetool
+@subsection Invoking danetool
@pindex danetool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-danetool.texi)
#
-# It has been AutoGen-ed December 12, 2012 at 07:06:12 PM by AutoGen 5.16
+# It has been AutoGen-ed December 29, 2012 at 01:05:12 PM by AutoGen 5.12
# From the definitions ../src/danetool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
-
Tool to generate DNS resource records for the DANE protocol.
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{danetool} program.
-This software is released under the GNU General Public License, version 3 or later.
+
+This software is released under the GNU General Public License.
@anchor{danetool usage}
-@subheading danetool help/usage (-h)
-@cindex danetool help
+@subsubheading danetool usage help (-?)
-This is the automatically generated usage text for danetool.
-The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
+This is the automatically generated usage text for danetool:
@exampleindent 0
@example
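Review bot: the generator stamp goes backwards, `-# It has been AutoGen-ed December 12, 2012 at 07:06:12 PM by AutoGen 5.16` to `+# It has been AutoGen-ed December 29, 2012 at 01:05:12 PM by AutoGen 5.12`, and the license line loses its version: `-This software is released under the GNU General Public License, version 3 or later.` becomes `+This software is released under the GNU General Public License.` Both look like side effects of rebuilding with an older autogen on a different machine rather than intended edits; the same rebuild renames the usage heading from `help/usage (-h)` to `usage help (-?)` and drops the paragraph describing `more-help` and `PAGER`. Suggest regenerating with the autogen version the tree was previously built with, or checking the `-?` / `-h` short option against the built binary, so the manual does not flip-flop depending on who last ran make.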
@@ -78,61 +71,104 @@ please send bug reports to: bug-gnutls@@gnu.org
@end example
@exampleindent 4
+@anchor{danetool ca}
+@subsubheading ca option
+
+This is the ``whether the provided certificate or public key is a certificate authority.'' option.
+Marks the DANE RR as a CA certificate if specified.
+
+@anchor{danetool check}
+@subsubheading check option
+
+This is the ``check a host's dane tlsa entry.'' option.
+Obtains the DANE TLSA entry from the given hostname and prints information.
+
@anchor{danetool debug}
-@subheading debug option (-d)
+@subsubheading debug option (-d)
This is the ``enable debugging.'' option.
-This option takes an argument number.
Specifies the debug level.
-@anchor{danetool load-pubkey}
-@subheading load-pubkey option
-This is the ``loads a public key file'' option.
-This option takes an argument string.
-This can be either a file or a PKCS #11 URL
-@anchor{danetool load-certificate}
-@subheading load-certificate option
-
-This is the ``loads a certificate file'' option.
-This option takes an argument string.
-This can be either a file or a PKCS #11 URL
@anchor{danetool hash}
-@subheading hash option
+@subsubheading hash option
This is the ``hash algorithm to use for signing.'' option.
-This option takes an argument string.
Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
-@anchor{danetool check}
-@subheading check option
-This is the ``check a host's dane tlsa entry.'' option.
-This option takes an argument string.
-Obtains the DANE TLSA entry from the given hostname and prints information.
-@anchor{danetool local-dns}
-@subheading local-dns option
+@anchor{danetool host}
+@subsubheading host option
+
+This is the ``specify the hostname to be used in the dane rr'' option.
+This command sets the hostname for the DANE RR.
-This is the ``use the local dns server for dnssec resolving.'' option.
-This option will use the local DNS server for DNSSEC.
-This is disabled by default due to many servers not allowing DNSSEC.
@anchor{danetool inder}
-@subheading inder option
+@subsubheading inder option
This is the ``use der format for input certificates and private keys.'' option.
The input files will be assumed to be in DER or RAW format.
Unlike options that in PEM input would allow multiple input data (e.g. multiple
certificates), when reading in DER format a single data structure is read.
+
+@anchor{danetool infile}
+@subsubheading infile option
+
+This is the ``input file'' option.
+
+
@anchor{danetool inraw}
-@subheading inraw option
+@subsubheading inraw option
+
+This is the ``'' option.
+This option has no @samp{doc} documentation.
+
+@anchor{danetool load-certificate}
+@subsubheading load-certificate option
+
+This is the ``loads a certificate file'' option.
+This can be either a file or a PKCS #11 URL
+
+@anchor{danetool load-pubkey}
+@subsubheading load-pubkey option
-This is an alias for the inder option,
-@pxref{danetool inder, the inder option documentation}.
+This is the ``loads a public key file'' option.
+This can be either a file or a PKCS #11 URL
+
+@anchor{danetool local}
+@subsubheading local option
+
+This is the ``the provided certificate or public key is a local entity.'' option.
+DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.
+
+@anchor{danetool local-dns}
+@subsubheading local-dns option
+
+This is the ``use the local dns server for dnssec resolving.'' option.
+This option will use the local DNS server for DNSSEC.
+This is disabled by default due to many servers not allowing DNSSEC.
+
+@anchor{danetool outfile}
+@subsubheading outfile option
+
+This is the ``output file'' option.
+
+
+@anchor{danetool port}
+@subsubheading port option
+
+This is the ``specify the port number for the dane data.'' option.
+
+
+@anchor{danetool proto}
+@subsubheading proto option
+
+This is the ``the protocol set for dane data (tcp, udp etc.)'' option.
+This command specifies the protocol for the service set in the DANE data.
@anchor{danetool tlsa-rr}
-@subheading tlsa-rr option
+@subsubheading tlsa-rr option
This is the ``print the dane rr data on a certificate or public key'' option.
-@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
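Review bot: `inraw` loses its documentation in this hunk: the old `-This is an alias for the inder option,` / `-@pxref{danetool inder, the inder option documentation}.` is replaced by `+This is the ``'' option.` / `+This option has no @samp{doc} documentation.`, and `infile`, `outfile` and `port` are emitted with only their one-line summary followed by two blank lines. Either the `doc` entries in danetool-args.def are empty for these options or the template no longer reads them; please add a short `doc` for each (for `inraw`, that it is an alias for `--inder`) so the generated section does not advertise undocumented options. Note also that `debug` and `hash` lose their "This option takes an argument" lines, so the reader no longer sees that `--hash` expects one of the listed algorithm names.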
@@ -141,80 +177,42 @@ host.
@end itemize
This command prints the DANE RR data needed to enable DANE on a DNS server.
-@anchor{danetool host}
-@subheading host option
-This is the ``specify the hostname to be used in the dane rr'' option.
-This option takes an argument string @file{Hostname}.
-This command sets the hostname for the DANE RR.
-@anchor{danetool proto}
-@subheading proto option
+@anchor{danetool verbose}
+@subsubheading verbose option (-V)
+
+This is the ``more verbose output'' option.
+
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+may appear an unlimited number of times.
+@end itemize
+
-This is the ``the protocol set for dane data (tcp, udp etc.)'' option.
-This option takes an argument string @file{Protocol}.
-This command specifies the protocol for the service set in the DANE data.
-@anchor{danetool ca}
-@subheading ca option
-This is the ``whether the provided certificate or public key is a certificate authority.'' option.
-Marks the DANE RR as a CA certificate if specified.
@anchor{danetool x509}
-@subheading x509 option
+@subsubheading x509 option
This is the ``use the hash of the x.509 certificate, rather than the public key.'' option.
This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.
-@anchor{danetool local}
-@subheading local option
-This is the ``the provided certificate or public key is a local entity.'' option.
-DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.
@anchor{danetool exit status}
-@subheading danetool exit status
+@subsubheading danetool exit status
One of the following exit values will be returned:
@table @samp
-@item 0 (EXIT_SUCCESS)
+@item 0
Successful program execution.
-@item 1 (EXIT_FAILURE)
+@item 1
The operation failed or the command syntax was not valid.
@end table
-@anchor{danetool See Also}
-@subheading danetool See Also
- certtool (1)
-
-@anchor{danetool Examples}
-@subheading danetool Examples
-@subheading DANE TLSA RR generation
-To create a DANE TLSA resource record for a CA signed certificate use the following commands.
-
-@example
-$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem
-@end example
-For a self signed certificate use:
-@example
-$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --local
-@end example
-
-The latter is useful to add in your DNS entry even if your certificate is signed
-by a CA. That way even users who do not trust your CA will be able to verify your
-certificate using DANE.
-
-In order to create a record for the signer of your certificate use:
-@example
-$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --ca
-@end example
+@anchor{danetool See Also}
+@subsubheading danetool See Also
-To read a server's DANE TLSA entry, use:
-@example
-$ danetool --check www.example.com --proto tcp --port 443
-@end example
-To verify a server's DANE TLSA entry, use:
-@example
-$ danetool --check www.example.com --proto tcp --port 443 --load-certificate chain.pem
-@end example
+@anchor{danetool Examples}
+@subsubheading danetool Examples
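Review bot: the Examples body for danetool is removed and replaced by an empty `+@subsubheading danetool Examples`, and `certtool (1)` disappears from See Also. The removed examples were the only documented way to produce a TLSA record for a self-signed endpoint (`--tlsa-rr ... --local`), for the signing CA (`--ca`), and to verify a live record against a local chain (`--check www.example.com --proto tcp --port 443 --load-certificate chain.pem`); without them the `--local` and `--ca` descriptions above give no guidance on when each form of record is appropriate. Please keep these examples in the regenerated section, or move them into the DANE chapter, rather than dropping them.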
diff --git a/doc/invoke-gnutls-cli-debug.texi b/doc/invoke-gnutls-cli-debug.texi
index dee362365c..791866f4a7 100644
--- a/doc/invoke-gnutls-cli-debug.texi
+++ b/doc/invoke-gnutls-cli-debug.texi
@@ -6,12 +6,11 @@
#
# DO NOT EDIT THIS FILE (invoke-gnutls-cli-debug.texi)
#
-# It has been AutoGen-ed December 12, 2012 at 07:04:50 PM by AutoGen 5.16
+# It has been AutoGen-ed December 29, 2012 at 01:00:36 PM by AutoGen 5.12
# From the definitions ../src/cli-debug-args.def
# and the template file agtexi-cmd.tpl
@end ignore
-
TLS debug client. It sets up multiple TLS connections to
a server and queries its capabilities. It was created to assist in debugging
GnuTLS, but it might be useful to extract a TLS server's capabilities.
@@ -21,20 +20,14 @@ Can be used to check for servers with special needs or bugs.
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-cli-debug} program.
-This software is released under the GNU General Public License, version 3 or later.
+
+This software is released under the GNU General Public License.
@anchor{gnutls-cli-debug usage}
-@subheading gnutls-cli-debug help/usage (-h)
-@cindex gnutls-cli-debug help
+@subheading gnutls-cli-debug usage help (-?)
-This is the automatically generated usage text for gnutls-cli-debug.
-The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
+This is the automatically generated usage text for gnutls-cli-debug:
@exampleindent 0
@example
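Review bot: the usage heading changes from `-@subheading gnutls-cli-debug help/usage (-h)` to `+@subheading gnutls-cli-debug usage help (-?)`, and the `@cindex gnutls-cli-debug help` index entry is dropped together with the paragraph on `more-help` and `PAGER`. The option definitions file is not part of this hunk, so confirm that `-?` is really the short help flag produced by the current definitions and that `-h` still works; if it is only the older autogen's default rendering, the manual now documents a flag name that may not match the built binary.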
@@ -74,69 +67,41 @@ please send bug reports to: bug-gnutls@@gnu.org
@subheading debug option (-d)
This is the ``enable debugging.'' option.
-This option takes an argument number.
Specifies the debug level.
+
+@anchor{gnutls-cli-debug port}
+@subheading port option (-p)
+
+This is the ``the port to connect to'' option.
+
+
+@anchor{gnutls-cli-debug verbose}
+@subheading verbose option (-V)
+
+This is the ``more verbose output'' option.
+
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+may appear an unlimited number of times.
+@end itemize
+
@anchor{gnutls-cli-debug exit status}
@subheading gnutls-cli-debug exit status
One of the following exit values will be returned:
@table @samp
-@item 0 (EXIT_SUCCESS)
+@item 0
Successful program execution.
-@item 1 (EXIT_FAILURE)
+@item 1
The operation failed or the command syntax was not valid.
@end table
+
+
@anchor{gnutls-cli-debug See Also}
@subheading gnutls-cli-debug See Also
-gnutls-cli(1), gnutls-serv(1)
+
@anchor{gnutls-cli-debug Examples}
@subheading gnutls-cli-debug Examples
-@example
-$ ../src/gnutls-cli-debug localhost
-Resolving 'localhost'...
-Connecting to '127.0.0.1:443'...
-Checking for SSL 3.0 support... yes
-Checking whether %COMPAT is required... no
-Checking for TLS 1.0 support... yes
-Checking for TLS 1.1 support... no
-Checking fallback from TLS 1.1 to... TLS 1.0
-Checking for TLS 1.2 support... no
-Checking whether we need to disable TLS 1.0... N/A
-Checking for Safe renegotiation support... yes
-Checking for Safe renegotiation support (SCSV)... yes
-Checking for HTTPS server name... not checked
-Checking for version rollback bug in RSA PMS... no
-Checking for version rollback bug in Client Hello... no
-Checking whether the server ignores the RSA PMS version... no
-Checking whether the server can accept Hello Extensions... yes
-Checking whether the server can accept small records (512 bytes)... yes
-Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
-Checking whether the server can accept a bogus TLS record version in the client hello... yes
-Checking for certificate information... N/A
-Checking for trusted CAs... N/A
-Checking whether the server understands TLS closure alerts... partially
-Checking whether the server supports session resumption... yes
-Checking for export-grade ciphersuite support... no
-Checking RSA-export ciphersuite info... N/A
-Checking for anonymous authentication support... no
-Checking anonymous Diffie-Hellman group info... N/A
-Checking for ephemeral Diffie-Hellman support... no
-Checking ephemeral Diffie-Hellman group info... N/A
-Checking for ephemeral EC Diffie-Hellman support... yes
-Checking ephemeral EC Diffie-Hellman group info...
- Curve SECP256R1
-Checking for AES-GCM cipher support... no
-Checking for AES-CBC cipher support... yes
-Checking for CAMELLIA cipher support... no
-Checking for 3DES-CBC cipher support... yes
-Checking for ARCFOUR 128 cipher support... yes
-Checking for ARCFOUR 40 cipher support... no
-Checking for MD5 MAC support... yes
-Checking for SHA1 MAC support... yes
-Checking for SHA256 MAC support... no
-Checking for ZLIB compression support... no
-Checking for max record size... no
-Checking for OpenPGP authentication support... no
-@end example
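Review bot: the entire sample run under `@subheading gnutls-cli-debug Examples` is deleted and See Also loses `gnutls-cli(1), gnutls-serv(1)`, leaving both sections empty. That transcript was the only place the manual showed what the tool actually probes (SSL 3.0 support, safe renegotiation and SCSV, export-grade and anonymous ciphersuites, RSA PMS version rollback, ephemeral DH and ECDH group info), which is what a user needs in order to interpret the output when auditing a server; please restore it in the regenerated text. On the added side, `port (-p)` is emitted with no description beyond its summary line (two empty lines follow it), so a `doc` entry is missing in the definitions.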
diff --git a/doc/invoke-gnutls-cli.texi b/doc/invoke-gnutls-cli.texi
index 1cea498ae7..950c2d91dd 100644
--- a/doc/invoke-gnutls-cli.texi
+++ b/doc/invoke-gnutls-cli.texi
@@ -6,31 +6,24 @@
#
# DO NOT EDIT THIS FILE (invoke-gnutls-cli.texi)
#
-# It has been AutoGen-ed December 12, 2012 at 07:04:50 PM by AutoGen 5.16
+# It has been AutoGen-ed December 29, 2012 at 01:00:35 PM by AutoGen 5.12
# From the definitions ../src/cli-args.def
# and the template file agtexi-cmd.tpl
@end ignore
-
Simple client program to set up a TLS connection to some other computer.
It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-cli} program.
-This software is released under the GNU General Public License, version 3 or later.
+
+This software is released under the GNU General Public License.
@anchor{gnutls-cli usage}
-@subheading gnutls-cli help/usage (-h)
-@cindex gnutls-cli help
+@subheading gnutls-cli usage help (-?)
-This is the automatically generated usage text for gnutls-cli.
-The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
+This is the automatically generated usage text for gnutls-cli:
@exampleindent 0
@example
@@ -114,17 +107,49 @@ please send bug reports to: bug-gnutls@@gnu.org
@end example
@exampleindent 4
-@anchor{gnutls-cli debug}
-@subheading debug option (-d)
+@anchor{gnutls-cli benchmark-ciphers}
+@subheading benchmark-ciphers option
+
+This is the ``benchmark individual ciphers'' option.
+
+
+@anchor{gnutls-cli benchmark-soft-ciphers}
+@subheading benchmark-soft-ciphers option
+
+This is the ``benchmark individual software ciphers (no hw acceleration)'' option.
+
+
+@anchor{gnutls-cli benchmark-tls-ciphers}
+@subheading benchmark-tls-ciphers option
+
+This is the ``benchmark tls ciphers'' option.
+
+
+@anchor{gnutls-cli benchmark-tls-kx}
+@subheading benchmark-tls-kx option
+
+This is the ``benchmark tls key exchange methods'' option.
+
+
+@anchor{gnutls-cli ca-verification}
+@subheading ca-verification option
+
+This is the ``disable ca certificate verification'' option.
+
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+is enabled by default.
+@end itemize
+
+This option will disable CA certificate verification. It is to be used with the --dane or --tofu options.
+
+@anchor{gnutls-cli crlf}
+@subheading crlf option
+
+This is the ``send cr lf instead of lf'' option.
-This is the ``enable debugging.'' option.
-This option takes an argument number.
-Specifies the debug level.
-@anchor{gnutls-cli tofu}
-@subheading tofu option
-This is the ``enable trust on first use authentication'' option.
-This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.
@anchor{gnutls-cli dane}
@subheading dane option
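Review bot: the `ca-verification` block added here is easy to misread: `+This is the ``disable ca certificate verification'' option.` is followed by `+is enabled by default.`, which a reader can take to mean that CA verification is off by default. The retained sentence `This option will disable CA certificate verification. It is to be used with the --dane or --tofu options.` does not resolve the ambiguity. Suggest rewording the summary in the definitions so it is clear whether "enabled by default" refers to the verification or to the option itself, and stating plainly that with verification off the connection is authenticated by DANE or TOFU alone. The four `benchmark-*` options and `crlf` are emitted with empty bodies (two blank lines each), so their `doc` entries are missing too.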
@@ -132,124 +157,245 @@ This is the ``enable dane certificate verification (dnssec)'' option.
This option will, in addition to certificate authentication using
the trusted CAs, verify the server certificates using on the DANE information
available via DNSSEC.
+
+@anchor{gnutls-cli debug}
+@subheading debug option (-d)
+
+This is the ``enable debugging.'' option.
+Specifies the debug level.
+
+@anchor{gnutls-cli dh-bits}
+@subheading dh-bits option
+
+This is the ``the minimum number of bits allowed for dh'' option.
+This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.
+
+@anchor{gnutls-cli disable-extensions}
+@subheading disable-extensions option
+
+This is the ``disable all the tls extensions'' option.
+This option disables all TLS extensions. Deprecated option. Use the priority string.
+
+@anchor{gnutls-cli fingerprint}
+@subheading fingerprint option (-f)
+
+This is the ``send the openpgp fingerprint, instead of the key'' option.
+
+
+@anchor{gnutls-cli heartbeat}
+@subheading heartbeat option (-b)
+
+This is the ``activate heartbeat support'' option.
+
+
+@anchor{gnutls-cli insecure}
+@subheading insecure option
+
+This is the ``don't abort program if server certificate can't be validated'' option.
+
+
+@anchor{gnutls-cli list}
+@subheading list option (-l)
+
+This is the ``print a list of the supported algorithms and modes'' option.
+Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
+
@anchor{gnutls-cli local-dns}
@subheading local-dns option
This is the ``use the local dns server for dnssec resolving.'' option.
This option will use the local DNS server for DNSSEC.
This is disabled by default due to many servers not allowing DNSSEC.
-@anchor{gnutls-cli ca-verification}
-@subheading ca-verification option
-This is the ``disable ca certificate verification'' option.
+@anchor{gnutls-cli mtu}
+@subheading mtu option
+
+This is the ``set mtu for datagram tls'' option.
+
+
+@anchor{gnutls-cli noticket}
+@subheading noticket option
+
+This is the ``don't accept session tickets'' option.
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-is enabled by default.
-@end itemize
-This option will disable CA certificate verification. It is to be used with the --dane or --tofu options.
@anchor{gnutls-cli ocsp}
@subheading ocsp option
This is the ``enable ocsp certificate verification'' option.
This option will enable verification of the peer's certificate using ocsp
-@anchor{gnutls-cli resume}
-@subheading resume option (-r)
-This is the ``establish a session and resume'' option.
-Connect, establish a session, reconnect and resume.
-@anchor{gnutls-cli rehandshake}
-@subheading rehandshake option (-e)
+@anchor{gnutls-cli pgpcertfile}
+@subheading pgpcertfile option
-This is the ``establish a session and rehandshake'' option.
-Connect, establish a session and rehandshake immediately.
-@anchor{gnutls-cli starttls}
-@subheading starttls option (-s)
+This is the ``pgp public key (certificate) file to use'' option.
-This is the ``connect, establish a plain session and start tls.'' option.
-The TLS session will be initiated when EOF or a SIGALRM is received.
-@anchor{gnutls-cli disable-extensions}
-@subheading disable-extensions option
-This is the ``disable all the tls extensions'' option.
-This option disables all TLS extensions. Deprecated option. Use the priority string.
-@anchor{gnutls-cli dh-bits}
-@subheading dh-bits option
+@anchor{gnutls-cli pgpkeyfile}
+@subheading pgpkeyfile option
+
+This is the ``pgp key file to use'' option.
+
+
+@anchor{gnutls-cli pgpkeyring}
+@subheading pgpkeyring option
+
+This is the ``pgp key ring file to use'' option.
+
+
+@anchor{gnutls-cli pgpsubkey}
+@subheading pgpsubkey option
+
+This is the ``pgp subkey to use (hex or auto)'' option.
+
+
+@anchor{gnutls-cli port}
+@subheading port option (-p)
+
+This is the ``the port or service to connect to'' option.
+
+
+@anchor{gnutls-cli print-cert}
+@subheading print-cert option
+
+This is the ``print peer's certificate in pem format'' option.
+
-This is the ``the minimum number of bits allowed for dh'' option.
-This option takes an argument number.
-This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.
@anchor{gnutls-cli priority}
@subheading priority option
This is the ``priorities string'' option.
-This option takes an argument string.
TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, SECURE128, SECURE256.
Check the GnuTLS manual on section ``Priority strings'' for more
information on allowed keywords
-@anchor{gnutls-cli list}
-@subheading list option (-l)
-This is the ``print a list of the supported algorithms and modes'' option.
-Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
+@anchor{gnutls-cli pskkey}
+@subheading pskkey option
+
+This is the ``psk key (in hex) to use'' option.
+
+
+@anchor{gnutls-cli pskusername}
+@subheading pskusername option
+
+This is the ``psk username to use'' option.
+
+
+@anchor{gnutls-cli recordsize}
+@subheading recordsize option
+
+This is the ``the maximum record size to advertize'' option.
+
+
+@anchor{gnutls-cli rehandshake}
+@subheading rehandshake option (-e)
+
+This is the ``establish a session and rehandshake'' option.
+Connect, establish a session and rehandshake immediately.
+
+@anchor{gnutls-cli resume}
+@subheading resume option (-r)
+
+This is the ``establish a session and resume'' option.
+Connect, establish a session, reconnect and resume.
+
+@anchor{gnutls-cli srppasswd}
+@subheading srppasswd option
+
+This is the ``srp password to use'' option.
+
+
+@anchor{gnutls-cli srpusername}
+@subheading srpusername option
+
+This is the ``srp username to use'' option.
+
+
+@anchor{gnutls-cli srtp-profiles}
+@subheading srtp-profiles option
+
+This is the ``offer srtp profiles'' option.
+
+
+@anchor{gnutls-cli starttls}
+@subheading starttls option (-s)
+
+This is the ``connect, establish a plain session and start tls.'' option.
+The TLS session will be initiated when EOF or a SIGALRM is received.
+
+@anchor{gnutls-cli tofu}
+@subheading tofu option
+
+This is the ``enable trust on first use authentication'' option.
+This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication.
+
+@anchor{gnutls-cli udp}
+@subheading udp option (-u)
+
+This is the ``use dtls (datagram tls) over udp'' option.
+
+
+@anchor{gnutls-cli verbose}
+@subheading verbose option (-V)
+
+This is the ``more verbose output'' option.
+
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+may appear an unlimited number of times.
+@end itemize
+
+
+
+@anchor{gnutls-cli x509cafile}
+@subheading x509cafile option
+
+This is the ``certificate file or pkcs #11 url to use'' option.
+
+
+@anchor{gnutls-cli x509certfile}
+@subheading x509certfile option
+
+This is the ``x.509 certificate file or pkcs #11 url to use'' option.
+
+
+@anchor{gnutls-cli x509crlfile}
+@subheading x509crlfile option
+
+This is the ``crl file to use'' option.
+
+
+@anchor{gnutls-cli x509fmtder}
+@subheading x509fmtder option
+
+This is the ``use der format for certificates to read from'' option.
+
+
+@anchor{gnutls-cli x509keyfile}
+@subheading x509keyfile option
+
+This is the ``x.509 key file or pkcs #11 url to use'' option.
+
@anchor{gnutls-cli exit status}
@subheading gnutls-cli exit status
One of the following exit values will be returned:
@table @samp
-@item 0 (EXIT_SUCCESS)
+@item 0
Successful program execution.
-@item 1 (EXIT_FAILURE)
+@item 1
The operation failed or the command syntax was not valid.
@end table
+
+
@anchor{gnutls-cli See Also}
@subheading gnutls-cli See Also
-gnutls-cli-debug(1), gnutls-serv(1)
+
@anchor{gnutls-cli Examples}
@subheading gnutls-cli Examples
-@subheading Connecting using PSK authentication
-To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
-@example
-$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
- --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
- --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
-Resolving 'localhost'...
-Connecting to '127.0.0.1:5556'...
-- PSK authentication.
-- Version: TLS1.1
-- Key Exchange: PSK
-- Cipher: AES-128-CBC
-- MAC: SHA1
-- Compression: NULL
-- Handshake was completed
-
-- Simple Client Mode:
-@end example
-By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake.
-
-@subheading Listing ciphersuites in a priority string
-To list the ciphersuites in a priority string:
-@example
-$ ./gnutls-cli --priority SECURE192 -l
-Cipher suites for SECURE192
-TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
-TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
-TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
-TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
-TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
-TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
-
-Certificate types: CTYPE-X.509
-Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
-Compression: COMP-NULL
-Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
-PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
-@end example
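Review bot: the `gnutls-cli See Also` and `gnutls-cli Examples` sections end up as bare headings: `gnutls-cli-debug(1), gnutls-serv(1)` is dropped, and the two worked examples (PSK authentication with `--pskusername`/`--pskkey`/`--priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK`, and listing the ciphersuites of a priority string with `--priority SECURE192 -l`) are removed with nothing replacing them, so `pskkey`, `pskusername` and `list` are now documented only by their one-line summaries. Unless that text is being moved into the reorganized authentication chapter, it should stay in cli-args.def so the regeneration picks it up again. Two smaller points in the same hunk: the `ca-verification` option section (enabled by default, "to be used with the --dane or --tofu options") disappears entirely, which a reader will take to mean the option itself is gone, so confirm whether it was actually removed from the tool; and the exit-status table loses its `(EXIT_SUCCESS)`/`(EXIT_FAILURE)` labels while every option entry loses its "This option takes an argument ..." line, both of which look like side effects of the regeneration rather than deliberate edits.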
diff --git a/doc/invoke-gnutls-serv.texi b/doc/invoke-gnutls-serv.texi
index e4e47bbd71..c4c2807fbc 100644
--- a/doc/invoke-gnutls-serv.texi
+++ b/doc/invoke-gnutls-serv.texi
@@ -6,30 +6,23 @@
#
# DO NOT EDIT THIS FILE (invoke-gnutls-serv.texi)
#
-# It has been AutoGen-ed December 12, 2012 at 07:04:50 PM by AutoGen 5.16
+# It has been AutoGen-ed December 29, 2012 at 01:00:38 PM by AutoGen 5.12
# From the definitions ../src/serv-args.def
# and the template file agtexi-cmd.tpl
@end ignore
-
Server program that listens to incoming TLS connections.
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-serv} program.
-This software is released under the GNU General Public License, version 3 or later.
+
+This software is released under the GNU General Public License.
@anchor{gnutls-serv usage}
-@subheading gnutls-serv help/usage (-h)
-@cindex gnutls-serv help
+@subheading gnutls-serv usage help (-?)
-This is the automatically generated usage text for gnutls-serv.
-The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
+This is the automatically generated usage text for gnutls-serv:
@exampleindent 0
@example
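Review bot: the header lines show the file was regenerated with AutoGen 5.12 after previously being generated with 5.16, and the rest of the hunk reads like the consequences of that downgrade: the license line loses "version 3 or later", the `@cindex gnutls-serv help` index entry is gone, the usage heading changes from `help/usage (-h)` to `usage help (-?)`, and the paragraph explaining `more-help`, `PAGER` and the exit status of the help options is dropped. If the older AutoGen is not intended, regenerate with 5.16 before committing so the generated files do not bounce between template versions; if it is intended, the "GNU General Public License" line should still name the version.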
@@ -103,213 +96,232 @@ please send bug reports to: bug-gnutls@@gnu.org
@subheading debug option (-d)
This is the ``enable debugging.'' option.
-This option takes an argument number.
Specifies the debug level.
+
+@anchor{gnutls-serv dhparams}
+@subheading dhparams option
+
+This is the ``dh params file to use'' option.
+
+
+@anchor{gnutls-serv disable-client-cert}
+@subheading disable-client-cert option (-a)
+
+This is the ``do not request a client certificate'' option.
+
+
+@anchor{gnutls-serv echo}
+@subheading echo option
+
+This is the ``act as an echo server'' option.
+
+
+@anchor{gnutls-serv generate}
+@subheading generate option (-g)
+
+This is the ``generate diffie-hellman and rsa-export parameters'' option.
+
+
@anchor{gnutls-serv heartbeat}
@subheading heartbeat option (-b)
This is the ``activate heartbeat support'' option.
Regularly ping client via heartbeat extension messages
+
+@anchor{gnutls-serv http}
+@subheading http option
+
+This is the ``act as an http server'' option.
+
+
+@anchor{gnutls-serv list}
+@subheading list option (-l)
+
+This is the ``print a list of the supported algorithms and modes'' option.
+Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
+
+@anchor{gnutls-serv mtu}
+@subheading mtu option
+
+This is the ``set mtu for datagram tls'' option.
+
+
+@anchor{gnutls-serv nodb}
+@subheading nodb option
+
+This is the ``do not use a resumption database'' option.
+
+
+@anchor{gnutls-serv noticket}
+@subheading noticket option
+
+This is the ``don't accept session tickets'' option.
+
+
+@anchor{gnutls-serv ocsp-response}
+@subheading ocsp-response option
+
+This is the ``the ocsp response to send to client'' option.
+If the client requested an OCSP response, return data from this file to the client.
+
+@anchor{gnutls-serv pgpcertfile}
+@subheading pgpcertfile option
+
+This is the ``pgp public key (certificate) file to use'' option.
+
+
+@anchor{gnutls-serv pgpkeyfile}
+@subheading pgpkeyfile option
+
+This is the ``pgp key file to use'' option.
+
+
+@anchor{gnutls-serv pgpkeyring}
+@subheading pgpkeyring option
+
+This is the ``pgp key ring file to use'' option.
+
+
+@anchor{gnutls-serv pgpsubkey}
+@subheading pgpsubkey option
+
+This is the ``pgp subkey to use (hex or auto)'' option.
+
+
+@anchor{gnutls-serv port}
+@subheading port option (-p)
+
+This is the ``the port to connect to'' option.
+
+
@anchor{gnutls-serv priority}
@subheading priority option
This is the ``priorities string'' option.
-This option takes an argument string.
TLS algorithms and protocols to enable. You can
use predefined sets of ciphersuites such as PERFORMANCE,
NORMAL, SECURE128, SECURE256.
Check the GnuTLS manual on section ``Priority strings'' for more
information on allowed keywords
-@anchor{gnutls-serv ocsp-response}
-@subheading ocsp-response option
-This is the ``the ocsp response to send to client'' option.
-This option takes an argument file.
-If the client requested an OCSP response, return data from this file to the client.
-@anchor{gnutls-serv list}
-@subheading list option (-l)
+@anchor{gnutls-serv pskhint}
+@subheading pskhint option
-This is the ``print a list of the supported algorithms and modes'' option.
-Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.
-@anchor{gnutls-serv exit status}
-@subheading gnutls-serv exit status
+This is the ``psk identity hint to use'' option.
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{gnutls-serv See Also}
-@subheading gnutls-serv See Also
-gnutls-cli-debug(1), gnutls-cli(1)
-@anchor{gnutls-serv Examples}
-@subheading gnutls-serv Examples
-Running your own TLS server based on GnuTLS can be useful when
-debugging clients and/or GnuTLS itself. This section describes how to
-use @code{gnutls-serv} as a simple HTTPS server.
+@anchor{gnutls-serv pskpasswd}
+@subheading pskpasswd option
-The most basic server can be started as:
+This is the ``psk password file to use'' option.
-@example
-gnutls-serv --http
-@end example
-It will only support anonymous ciphersuites, which many TLS clients
-refuse to use.
+@anchor{gnutls-serv quiet}
+@subheading quiet option (-q)
-The next step is to add support for X.509. First we generate a CA:
+This is the ``suppress some messages'' option.
-@example
-$ certtool --generate-privkey > x509-ca-key.pem
-$ echo 'cn = GnuTLS test CA' > ca.tmpl
-$ echo 'ca' >> ca.tmpl
-$ echo 'cert_signing_key' >> ca.tmpl
-$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
- --template ca.tmpl --outfile x509-ca.pem
-...
-@end example
-Then generate a server certificate. Remember to change the dns_name
-value to the name of your server host, or skip that command to avoid
-the field.
+@anchor{gnutls-serv require-client-cert}
+@subheading require-client-cert option (-r)
-@example
-$ certtool --generate-privkey > x509-server-key.pem
-$ echo 'organization = GnuTLS test server' > server.tmpl
-$ echo 'cn = test.gnutls.org' >> server.tmpl
-$ echo 'tls_www_server' >> server.tmpl
-$ echo 'encryption_key' >> server.tmpl
-$ echo 'signing_key' >> server.tmpl
-$ echo 'dns_name = test.gnutls.org' >> server.tmpl
-$ certtool --generate-certificate --load-privkey x509-server-key.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template server.tmpl --outfile x509-server.pem
-...
-@end example
+This is the ``require a client certificate'' option.
-For use in the client, you may want to generate a client certificate
-as well.
-@example
-$ certtool --generate-privkey > x509-client-key.pem
-$ echo 'cn = GnuTLS test client' > client.tmpl
-$ echo 'tls_www_client' >> client.tmpl
-$ echo 'encryption_key' >> client.tmpl
-$ echo 'signing_key' >> client.tmpl
-$ certtool --generate-certificate --load-privkey x509-client-key.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template client.tmpl --outfile x509-client.pem
-...
-@end example
+@anchor{gnutls-serv srppasswd}
+@subheading srppasswd option
-To be able to import the client key/certificate into some
-applications, you will need to convert them into a PKCS#12 structure.
-This also encrypts the security sensitive key with a password.
+This is the ``srp password file to use'' option.
-@example
-$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
- --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
- --outder --outfile x509-client.p12
-@end example
-For icing, we'll create a proxy certificate for the client too.
+@anchor{gnutls-serv srppasswdconf}
+@subheading srppasswdconf option
-@example
-$ certtool --generate-privkey > x509-proxy-key.pem
-$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
-$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
- --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
- --load-certificate x509-client.pem --template proxy.tmpl \
- --outfile x509-proxy.pem
-...
-@end example
+This is the ``srp password configuration file to use'' option.
-Then start the server again:
-@example
-$ gnutls-serv --http \
- --x509cafile x509-ca.pem \
- --x509keyfile x509-server-key.pem \
- --x509certfile x509-server.pem
-@end example
+@anchor{gnutls-serv srtp-profiles}
+@subheading srtp-profiles option
-Try connecting to the server using your web browser. Note that the
-server listens to port 5556 by default.
+This is the ``offer srtp profiles'' option.
-While you are at it, to allow connections using DSA, you can also
-create a DSA key and certificate for the server. These credentials
-will be used in the final example below.
-@example
-$ certtool --generate-privkey --dsa > x509-server-key-dsa.pem
-$ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template server.tmpl --outfile x509-server-dsa.pem
-...
-@end example
+@anchor{gnutls-serv udp}
+@subheading udp option (-u)
-The next step is to create OpenPGP credentials for the server.
+This is the ``use dtls (datagram tls) over udp'' option.
-@example
-gpg --gen-key
-...enter whatever details you want, use 'test.gnutls.org' as name...
-@end example
-Make a note of the OpenPGP key identifier of the newly generated key,
-here it was @code{5D1D14D8}. You will need to export the key for
-GnuTLS to be able to use it.
+@anchor{gnutls-serv x509cafile}
+@subheading x509cafile option
-@example
-gpg -a --export 5D1D14D8 > openpgp-server.txt
-gpg --export 5D1D14D8 > openpgp-server.bin
-gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin
-gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt
-@end example
+This is the ``certificate file or pkcs #11 url to use'' option.
-Let's start the server with support for OpenPGP credentials:
-@example
-gnutls-serv --http \
- --pgpkeyfile openpgp-server-key.txt \
- --pgpcertfile openpgp-server.txt
-@end example
+@anchor{gnutls-serv x509certfile}
+@subheading x509certfile option
-The next step is to add support for SRP authentication. This requires
-an SRP password file created with @code{srptool}.
-To start the server with SRP support:
+This is the ``x.509 certificate file or pkcs #11 url to use'' option.
-@example
-gnutls-serv --http \
- --srppasswdconf srp-tpasswd.conf \
- --srppasswd srp-passwd.txt
-@end example
-Let's also start a server with support for PSK. This would require
-a password file created with @code{psktool}.
+@anchor{gnutls-serv x509crlfile}
+@subheading x509crlfile option
-@example
-gnutls-serv --http \
- --pskpasswd psk-passwd.txt
-@end example
+This is the ``crl file to use'' option.
-Finally, we start the server with all the earlier parameters and you
-get this command:
-@example
-gnutls-serv --http \
- --x509cafile x509-ca.pem \
- --x509keyfile x509-server-key.pem \
- --x509certfile x509-server.pem \
- --x509dsakeyfile x509-server-key-dsa.pem \
- --x509dsacertfile x509-server-dsa.pem \
- --pgpkeyfile openpgp-server-key.txt \
- --pgpcertfile openpgp-server.txt \
- --srppasswdconf srp-tpasswd.conf \
- --srppasswd srp-passwd.txt \
- --pskpasswd psk-passwd.txt
-@end example
+@anchor{gnutls-serv x509dsacertfile}
+@subheading x509dsacertfile option
+
+This is the ``alternative x.509 certificate file or pkcs #11 url to use'' option.
+
+
+@anchor{gnutls-serv x509dsakeyfile}
+@subheading x509dsakeyfile option
+
+This is the ``alternative x.509 key file or pkcs #11 url to use'' option.
+
+
+@anchor{gnutls-serv x509ecccertfile}
+@subheading x509ecccertfile option
+
+This is the ``alternative x.509 certificate file or pkcs #11 url to use'' option.
+
+
+@anchor{gnutls-serv x509ecckeyfile}
+@subheading x509ecckeyfile option
+
+This is the ``alternative x.509 key file or pkcs #11 url to use'' option.
+
+
+@anchor{gnutls-serv x509fmtder}
+@subheading x509fmtder option
+
+This is the ``use der format for certificates to read from'' option.
+
+
+@anchor{gnutls-serv x509keyfile}
+@subheading x509keyfile option
+
+This is the ``x.509 key file or pkcs #11 url to use'' option.
+
+@anchor{gnutls-serv exit status}
+@subheading gnutls-serv exit status
+
+One of the following exit values will be returned:
+@table @samp
+@item 0
+Successful program execution.
+@item 1
+The operation failed or the command syntax was not valid.
+@end table
+
+
+@anchor{gnutls-serv See Also}
+@subheading gnutls-serv See Also
+
+
+@anchor{gnutls-serv Examples}
+@subheading gnutls-serv Examples
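Review bot: the whole `gnutls-serv Examples` walkthrough (starting the HTTP server, creating a test CA, server, client and proxy certificates with certtool, the PKCS#12 export, the DSA and OpenPGP credentials, and the SRP and PSK server invocations) is deleted and the new section consists of the bare heading `@subheading gnutls-serv Examples`; likewise `See Also` loses `gnutls-cli-debug(1), gnutls-cli(1)`. If this text is meant to live in the reorganized authentication chapter, the commit message should say so; otherwise it should remain in serv-args.def. Also in this hunk, the new `x509ecccertfile`/`x509ecckeyfile` entries carry exactly the same one-line description as `x509dsacertfile`/`x509dsakeyfile` ("alternative x.509 certificate file or pkcs #11 url to use"), so a reader cannot tell which algorithm each alternative credential is for; the descriptions should name DSA and ECC respectively. Minor: `port option (-p)` for the server says "the port to connect to", which is the client wording; for gnutls-serv it is the port to listen on.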
diff --git a/doc/invoke-ocsptool.texi b/doc/invoke-ocsptool.texi
index 7d5f8d980a..a4f9b95ba5 100644
--- a/doc/invoke-ocsptool.texi
+++ b/doc/invoke-ocsptool.texi
@@ -1,37 +1,30 @@
@node ocsptool Invocation
-@section Invoking ocsptool
+@subsection Invoking ocsptool
@pindex ocsptool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-ocsptool.texi)
#
-# It has been AutoGen-ed December 12, 2012 at 07:06:09 PM by AutoGen 5.16
+# It has been AutoGen-ed December 29, 2012 at 01:05:09 PM by AutoGen 5.12
# From the definitions ../src/ocsptool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
-
Ocsptool is a program that can parse and print information about
OCSP requests/responses, generate requests and verify responses.
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{ocsptool} program.
-This software is released under the GNU General Public License, version 3 or later.
+
+This software is released under the GNU General Public License.
@anchor{ocsptool usage}
-@subheading ocsptool help/usage (-h)
-@cindex ocsptool help
+@subsubheading ocsptool usage help (-?)
-This is the automatically generated usage text for ocsptool.
-The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
+This is the automatically generated usage text for ocsptool:
@exampleindent 0
@example
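Review bot: the heading demotion (`@section Invoking ocsptool` to `@subsection`, `@subheading` to `@subsubheading`) is applied to ocsptool here, but the gnutls-serv file in this same patch keeps `@subheading gnutls-serv usage help (-?)` and `@subheading ... option` for its entries. If the two tools sit at different nesting levels in the reorganized chapter that is fine, but it is worth confirming so the rendered manual does not show option headings at inconsistent depths. The remainder of the hunk is the same AutoGen 5.16 to 5.12 regeneration effect seen in the other generated files (license version wording and the `more-help` paragraph dropped).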
@@ -90,19 +83,11 @@ please send bug reports to: bug-gnutls@@gnu.org
@end example
@exampleindent 4
-@anchor{ocsptool debug}
-@subheading debug option (-d)
-
-This is the ``enable debugging.'' option.
-This option takes an argument number.
-Specifies the debug level.
@anchor{ocsptool ask}
-@subheading ask option
+@subsubheading ask option
This is the ``ask an ocsp/http server on a certificate validity'' option.
-This option takes an optional argument string @file{server name|url}.
-@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
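Review bot: the `ask` entry loses the line "This option takes an optional argument string @file{server name|url}", which was the only statement that the server argument is optional (the examples removed elsewhere in this patch relied on that, since ocsptool then falls back to the address stored in the certificate); the regenerated one-line summary "ask an ocsp/http server on a certificate validity" does not convey it. Either keep the argument description in ocsptool-args.def or fold the optional-argument behaviour into the `ask` description text. The `debug` section removed here is re-added further down in alphabetical order, so that part is a pure move.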
@@ -111,149 +96,141 @@ load-cert, load-issuer.
@end itemize
Connects to the specified HTTP OCSP server and queries on the validity of the loaded certificate.
-@anchor{ocsptool exit status}
-@subheading ocsptool exit status
-One of the following exit values will be returned:
-@table @samp
-@item 0 (EXIT_SUCCESS)
-Successful program execution.
-@item 1 (EXIT_FAILURE)
-The operation failed or the command syntax was not valid.
-@end table
-@anchor{ocsptool See Also}
-@subheading ocsptool See Also
- certtool (1)
+@anchor{ocsptool debug}
+@subsubheading debug option (-d)
-@anchor{ocsptool Examples}
-@subheading ocsptool Examples
-@subheading Print information about an OCSP request
+This is the ``enable debugging.'' option.
+Specifies the debug level.
-To parse an OCSP request and print information about the content, the
-@code{-i} or @code{--request-info} parameter may be used as follows.
-The @code{-Q} parameter specify the name of the file containing the
-OCSP request, and it should contain the OCSP request in binary DER
-format.
+@anchor{ocsptool generate-request}
+@subsubheading generate-request option (-q)
-@example
-$ ocsptool -i -Q ocsp-request.der
-@end example
+This is the ``generate an ocsp request'' option.
-The input file may also be sent to standard input like this:
-@example
-$ cat ocsp-request.der | ocsptool --request-info
-@end example
+@anchor{ocsptool inder}
+@subsubheading inder option
-@subheading Print information about an OCSP response
+This is the ``use der format for input certificates and private keys'' option.
-Similar to parsing OCSP requests, OCSP responses can be parsed using
-the @code{-j} or @code{--response-info} as follows.
-@example
-$ ocsptool -j -Q ocsp-response.der
-$ cat ocsp-response.der | ocsptool --response-info
-@end example
+@anchor{ocsptool infile}
+@subsubheading infile option
-@subheading Generate an OCSP request
+This is the ``input file'' option.
-The @code{-q} or @code{--generate-request} parameters are used to
-generate an OCSP request. By default the OCSP request is written to
-standard output in binary DER format, but can be stored in a file
-using @code{--outfile}. To generate an OCSP request the issuer of the
-certificate to check needs to be specified with @code{--load-issuer}
-and the certificate to check with @code{--load-cert}. By default PEM
-format is used for these files, although @code{--inder} can be used to
-specify that the input files are in DER format.
-@example
-$ ocsptool -q --load-issuer issuer.pem --load-cert client.pem \
- --outfile ocsp-request.der
-@end example
+@anchor{ocsptool load-cert}
+@subsubheading load-cert option
-When generating OCSP requests, the tool will add an OCSP extension
-containing a nonce. This behaviour can be disabled by specifying
-@code{--no-nonce}.
+This is the ``read certificate to check from file'' option.
-@subheading Verify signature in OCSP response
-To verify the signature in an OCSP response the @code{-e} or
-@code{--verify-response} parameter is used. The tool will read an
-OCSP response in DER format from standard input, or from the file
-specified by @code{--load-response}. The OCSP response is verified
-against a set of trust anchors, which are specified using
-@code{--load-trust}. The trust anchors are concatenated certificates
-in PEM format. The certificate that signed the OCSP response needs to
-be in the set of trust anchors, or the issuer of the signer
-certificate needs to be in the set of trust anchors and the OCSP
-Extended Key Usage bit has to be asserted in the signer certificate.
+@anchor{ocsptool load-issuer}
+@subsubheading load-issuer option
-@example
-$ ocsptool -e --load-trust issuer.pem \
- --load-response ocsp-response.der
-@end example
+This is the ``read issuer certificate from file'' option.
-The tool will print status of verification.
-@subheading Verify signature in OCSP response against given certificate
+@anchor{ocsptool load-request}
+@subsubheading load-request option (-Q)
-It is possible to override the normal trust logic if you know that a
-certain certificate is supposed to have signed the OCSP response, and
-you want to use it to check the signature. This is achieved using
-@code{--load-signer} instead of @code{--load-trust}. This will load
-one certificate and it will be used to verify the signature in the
-OCSP response. It will not check the Extended Key Usage bit.
+This is the ``read der encoded ocsp request from file'' option.
-@example
-$ ocsptool -e --load-signer ocsp-signer.pem \
- --load-response ocsp-response.der
-@end example
-This approach is normally only relevant in two situations. The first
-is when the OCSP response does not contain a copy of the signer
-certificate, so the @code{--load-trust} code would fail. The second
-is if you want to avoid the indirect mode where the OCSP response
-signer certificate is signed by a trust anchor.
+@anchor{ocsptool load-response}
+@subsubheading load-response option (-S)
-@subheading Real-world example
+This is the ``read der encoded ocsp response from file'' option.
-Here is an example of how to generate an OCSP request for a
-certificate and to verify the response. For illustration we'll use
-the @code{blog.josefsson.org} host, which (as of writing) uses a
-certificate from CACert. First we'll use @code{gnutls-cli} to get a
-copy of the server certificate chain. The server is not required to
-send this information, but this particular one is configured to do so.
-@example
-$ echo | gnutls-cli -p 443 blog.josefsson.org --print-cert > chain.pem
-@end example
+@anchor{ocsptool load-signer}
+@subsubheading load-signer option
-Use a text editor on @code{chain.pem} to create three files for each
-separate certificates, called @code{cert.pem} for the first
-certificate for the domain itself, secondly @code{issuer.pem} for the
-intermediate certificate and @code{root.pem} for the final root
-certificate.
+This is the ``read ocsp response signer from file'' option.
-The domain certificate normally contains a pointer to where the OCSP
-responder is located, in the Authority Information Access Information
-extension. For example, from @code{certtool -i < cert.pem} there is
-this information:
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+must not appear in combination with any of the following options:
+load-trust.
+@end itemize
-@example
-Authority Information Access Information (not critical):
-Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
-Access Location URI: http://ocsp.CAcert.org/
-@end example
-This means the CA support OCSP queries over HTTP. We are now ready to
-create a OCSP request for the certificate.
-@example
-$ ocsptool --ask ocsp.CAcert.org --load-issuer issuer.pem \
- --load-cert cert.pem --outfile ocsp-response.der
-@end example
+@anchor{ocsptool load-trust}
+@subsubheading load-trust option
+
+This is the ``read ocsp trust anchors from file'' option.
+
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+must not appear in combination with any of the following options:
+load-signer.
+@end itemize
+
+
+
+@anchor{ocsptool nonce}
+@subsubheading nonce option
+
+This is the ``don't add nonce to ocsp request'' option.
+
+
+@anchor{ocsptool outfile}
+@subsubheading outfile option
+
+This is the ``output file'' option.
-The request is sent via HTTP to the OCSP server address specified. If the
-address is ommited ocsptool will use the address stored in the certificate.
+@anchor{ocsptool request-info}
+@subsubheading request-info option (-i)
+
+This is the ``print information on a ocsp request'' option.
+
+
+@anchor{ocsptool response-info}
+@subsubheading response-info option (-j)
+
+This is the ``print information on a ocsp response'' option.
+
+
+@anchor{ocsptool verbose}
+@subsubheading verbose option (-V)
+
+This is the ``more verbose output'' option.
+
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+may appear an unlimited number of times.
+@end itemize
+
+
+
+@anchor{ocsptool verify-response}
+@subsubheading verify-response option (-e)
+
+This is the ``verify response'' option.
+
+@anchor{ocsptool exit status}
+@subsubheading ocsptool exit status
+
+One of the following exit values will be returned:
+@table @samp
+@item 0
+Successful program execution.
+@item 1
+The operation failed or the command syntax was not valid.
+@end table
+
+
+@anchor{ocsptool See Also}
+@subsubheading ocsptool See Also
+
+
+@anchor{ocsptool Examples}
+@subsubheading ocsptool Examples
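Review bot: the end of this hunk leaves `ocsptool See Also` and `ocsptool Examples` as empty @subsubheading entries while the worked OCSP request (`$ ocsptool --ask ocsp.CAcert.org --load-issuer issuer.pem \` / `--load-cert cert.pem --outfile ocsp-response.der`) and the sentence explaining that ocsptool falls back to the address stored in the certificate are removed. Nothing in the commit message calls for dropping that material, and the empty headings will render as blank subsections in the manual; either restore the example text in the option definitions before regenerating (fixing "ommited" and "a OCSP" while at it) or remove the two empty headings. The new `load-trust` entry documents only its conflict with `load-signer`; a sentence on when the trust anchor file is consulted would make the option usable from the manual alone.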
diff --git a/doc/invoke-p11tool.texi b/doc/invoke-p11tool.texi
index 43f99e77c3..688461a46b 100644
--- a/doc/invoke-p11tool.texi
+++ b/doc/invoke-p11tool.texi
@@ -6,12 +6,11 @@
#
# DO NOT EDIT THIS FILE (invoke-p11tool.texi)
#
-# It has been AutoGen-ed November 28, 2012 at 11:46:10 PM by AutoGen 5.16
+# It has been AutoGen-ed December 29, 2012 at 01:00:45 PM by AutoGen 5.12
# From the definitions ../src/p11tool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
-
Program that allows handling data from PKCS #11 smart cards
and security modules.
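Review bot: the `It has been AutoGen-ed` line now records AutoGen 5.12 where the previous generation used 5.16, so this file was regenerated with an older tool than the checked-in version. That downgrade, not the chapter reorganization, is what produces most of the churn further down (the `(-?)` usage heading, the shortened license sentence, the dropped argument-type lines); regenerate with the same AutoGen release as before, or at least note the version change in the commit message so the unrelated differences are expected.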
@@ -21,122 +20,176 @@ To use PKCS #11 tokens with gnutls the configuration file
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{p11tool} program.
-This software is released under the GNU General Public License, version 3 or later.
+
+This software is released under the GNU General Public License.
@anchor{p11tool usage}
-@subsubheading p11tool help/usage (-h)
-@cindex p11tool help
+@subsubheading p11tool usage help (-?)
-This is the automatically generated usage text for p11tool.
-The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
+This is the automatically generated usage text for p11tool:
@exampleindent 0
@example
-p11tool - GnuTLS PKCS #11 tool - Ver. @@VERSION@@
-USAGE: p11tool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [url]
-
- -d, --debug=num Enable debugging.
- - It must be in the range:
- 0 to 9999
- --outfile=str Output file
- --list-tokens List all available tokens
- --export Export the object specified by the URL
- --list-mechanisms List all available mechanisms in a token
- --list-all List all available objects in a token
- --list-all-certs List all available certificates in a token
- --list-certs List all certificates that have an associated private key
- --list-all-privkeys List all available private keys in a token
- --list-all-trusted List all available certificates marked as trusted
- --initialize Initializes a PKCS #11 token
- --write Writes the loaded objects to a PKCS #11 token
- --delete Deletes the objects matching the PKCS #11 URL
- --generate-rsa Generate an RSA private-public key pair
- --generate-dsa Generate an RSA private-public key pair
- --generate-ecc Generate an RSA private-public key pair
- --label=str Sets a label for the write operation
- --trusted Marks the object to be written as trusted
- - disabled as --no-trusted
- --private Marks the object to be written as private
- - disabled as --no-private
- - enabled by default
- --login Force login to token
- - disabled as --no-login
- --detailed-url Print detailed URLs
- - disabled as --no-detailed-url
- --secret-key=str Provide a hex encoded secret key
- --load-privkey=file Private key file to use
- - file must pre-exist
- --load-pubkey=file Public key file to use
- - file must pre-exist
- --load-certificate=file Certificate file to use
- - file must pre-exist
- -8, --pkcs8 Use PKCS #8 format for private keys
- --bits=num Specify the number of bits for key generate
- --sec-param=str Specify the security level
- --inder Use DER/RAW format for input
- - disabled as --no-inder
- --inraw This is an alias for 'inder'
- --provider=file Specify the PKCS #11 provider library
- - file must pre-exist
- -v, --version[=arg] Output version information and exit
- -h, --help Display extended usage information and exit
- -!, --more-help Extended usage information passed thru pager
-
-Options are specified by doubled hyphens and their name or by a single
-hyphen and the flag character.
-Operands and options may be intermixed. They will be reordered.
-
-
-
-Program that allows handling data from PKCS #11 smart cards and security
-modules.
-
-To use PKCS #11 tokens with gnutls the configuration file
-/etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the
-form 'load=/usr/lib/opensc-pkcs11.so'.
-
-please send bug reports to: bug-gnutls@@gnu.org
+p11tool is unavailable - no --help
@end example
@exampleindent 4
+@anchor{p11tool bits}
+@subsubheading bits option
+
+This is the ``specify the number of bits for key generate'' option.
+
+
@anchor{p11tool debug}
@subsubheading debug option (-d)
This is the ``enable debugging.'' option.
-This option takes an argument number.
Specifies the debug level.
-@anchor{p11tool write}
-@subsubheading write option
-This is the ``writes the loaded objects to a pkcs #11 token'' option.
-It can be used to write private keys, certificates or secret keys to a token.
-@anchor{p11tool generate-rsa}
-@subsubheading generate-rsa option
+@anchor{p11tool delete}
+@subsubheading delete option
+
+This is the ``deletes the objects matching the pkcs #11 url'' option.
+
+
+@anchor{p11tool detailed-url}
+@subsubheading detailed-url option
+
+This is the ``print detailed urls'' option.
+
+
+@anchor{p11tool export}
+@subsubheading export option
+
+This is the ``export the object specified by the url'' option.
+
-This is the ``generate an rsa private-public key pair'' option.
-Generates an RSA private-public key pair on the specified token.
@anchor{p11tool generate-dsa}
@subsubheading generate-dsa option
This is the ``generate an rsa private-public key pair'' option.
Generates an RSA private-public key pair on the specified token.
+
@anchor{p11tool generate-ecc}
@subsubheading generate-ecc option
This is the ``generate an rsa private-public key pair'' option.
Generates an RSA private-public key pair on the specified token.
+
+@anchor{p11tool generate-rsa}
+@subsubheading generate-rsa option
+
+This is the ``generate an rsa private-public key pair'' option.
+Generates an RSA private-public key pair on the specified token.
+
+@anchor{p11tool inder}
+@subsubheading inder option
+
+This is the ``use der/raw format for input'' option.
+Use DER/RAW format for input certificates and private keys.
+
+@anchor{p11tool initialize}
+@subsubheading initialize option
+
+This is the ``initializes a pkcs #11 token'' option.
+
+
+@anchor{p11tool inraw}
+@subsubheading inraw option
+
+This is the ``'' option.
+This option has no @samp{doc} documentation.
+
+@anchor{p11tool label}
+@subsubheading label option
+
+This is the ``sets a label for the write operation'' option.
+
+
+@anchor{p11tool list-all}
+@subsubheading list-all option
+
+This is the ``list all available objects in a token'' option.
+
+
+@anchor{p11tool list-all-certs}
+@subsubheading list-all-certs option
+
+This is the ``list all available certificates in a token'' option.
+
+
+@anchor{p11tool list-all-privkeys}
+@subsubheading list-all-privkeys option
+
+This is the ``list all available private keys in a token'' option.
+
+
+@anchor{p11tool list-all-trusted}
+@subsubheading list-all-trusted option
+
+This is the ``list all available certificates marked as trusted'' option.
+
+
+@anchor{p11tool list-certs}
+@subsubheading list-certs option
+
+This is the ``list all certificates that have an associated private key'' option.
+
+
+@anchor{p11tool list-mechanisms}
+@subsubheading list-mechanisms option
+
+This is the ``list all available mechanisms in a token'' option.
+
+
+@anchor{p11tool list-tokens}
+@subsubheading list-tokens option
+
+This is the ``list all available tokens'' option.
+
+
+@anchor{p11tool load-certificate}
+@subsubheading load-certificate option
+
+This is the ``certificate file to use'' option.
+
+
+@anchor{p11tool load-privkey}
+@subsubheading load-privkey option
+
+This is the ``private key file to use'' option.
+
+
+@anchor{p11tool load-pubkey}
+@subsubheading load-pubkey option
+
+This is the ``public key file to use'' option.
+
+
+@anchor{p11tool login}
+@subsubheading login option
+
+This is the ``force login to token'' option.
+
+
+@anchor{p11tool outfile}
+@subsubheading outfile option
+
+This is the ``output file'' option.
+
+
+@anchor{p11tool pkcs8}
+@subsubheading pkcs8 option (-8)
+
+This is the ``use pkcs #8 format for private keys'' option.
+
+
@anchor{p11tool private}
@subsubheading private option
This is the ``marks the object to be written as private'' option.
-@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
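Review bot: the usage block in this hunk is replaced by the single line `p11tool is unavailable - no --help`, which is the template's fallback when it cannot execute the program, so the manual now ships without the p11tool option summary at all; the build should run the freshly built src/p11tool (or fail loudly) rather than emit this placeholder. Two smaller regressions in the same hunk: the license sentence loses "version 3 or later", which changes a licensing statement in a documentation-only commit, and the `inraw` entry now reads "This is the ``'' option. This option has no @samp{doc} documentation." in place of the former alias cross-reference to `inder`, so the alias needs a `doc` string in p11tool-args.def. The unchanged context lines for `generate-dsa` and `generate-ecc` still describe both as "generate an rsa private-public key pair"; that is a pre-existing copy-paste error in the definitions and worth fixing in the same pass.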
@@ -144,77 +197,53 @@ is enabled by default.
@end itemize
The written object will require a PIN to be used.
+
+@anchor{p11tool provider}
+@subsubheading provider option
+
+This is the ``specify the pkcs #11 provider library'' option.
+This will override the default options in /etc/gnutls/pkcs11.conf
+
@anchor{p11tool sec-param}
@subsubheading sec-param option
This is the ``specify the security level'' option.
-This option takes an argument string @file{Security parameter}.
This is alternative to the bits option. Available options are [low, legacy, normal, high, ultra].
-@anchor{p11tool inder}
-@subsubheading inder option
-This is the ``use der/raw format for input'' option.
-Use DER/RAW format for input certificates and private keys.
-@anchor{p11tool inraw}
-@subsubheading inraw option
+@anchor{p11tool secret-key}
+@subsubheading secret-key option
-This is an alias for the inder option,
-@pxref{p11tool inder, the inder option documentation}.
+This is the ``provide a hex encoded secret key'' option.
-@anchor{p11tool provider}
-@subsubheading provider option
-This is the ``specify the pkcs #11 provider library'' option.
-This option takes an argument file.
-This will override the default options in /etc/gnutls/pkcs11.conf
+@anchor{p11tool trusted}
+@subsubheading trusted option
+
+This is the ``marks the object to be written as trusted'' option.
+
+
+@anchor{p11tool write}
+@subsubheading write option
+
+This is the ``writes the loaded objects to a pkcs #11 token'' option.
+It can be used to write private keys, certificates or secret keys to a token.
+
@anchor{p11tool exit status}
@subsubheading p11tool exit status
One of the following exit values will be returned:
@table @samp
-@item 0 (EXIT_SUCCESS)
+@item 0
Successful program execution.
-@item 1 (EXIT_FAILURE)
+@item 1
The operation failed or the command syntax was not valid.
@end table
+
+
@anchor{p11tool See Also}
@subsubheading p11tool See Also
- certtool (1)
+
@anchor{p11tool Examples}
@subsubheading p11tool Examples
-To view all tokens in your system use:
-@example
-$ p11tool --list-tokens
-@end example
-
-To view all objects in a token use:
-@example
-$ p11tool --login --list-all "pkcs11:TOKEN-URL"
-@end example
-
-To store a private key and a certificate in a token run:
-@example
-$ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
- --label "Mykey"
-$ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
- --label "Mykey"
-@end example
-Note that some tokens require the same label to be used for the certificate
-and its corresponding private key.
-
-To generate an RSA private key inside the token use:
-@example
-$ p11tool --login --generate-rsa --bits 1024 --label "MyNewKey" \
- --outfile MyNewKey.pub "pkcs11:TOKEN-URL"
-@end example
-The bits parameter in the above example is explicitly set because some
-tokens only support a limited number of bits. The output file is the
-corresponding public key. This key can be used to general a certificate
-request with certtool.
-@example
-certtool --generate-request --load-privkey "pkcs11:KEY-URL" \
- --load-pubkey MyNewKey.pub --outfile request.pem
-@end example
-
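Review bot: this hunk empties `p11tool See Also` (dropping `certtool (1)`) and `p11tool Examples` (dropping `$ p11tool --list-tokens`, the `--login --write` examples and the `--generate-rsa` walkthrough), leaving two headings with no body. Those examples were the only place the manual showed the `pkcs11:` URL convention and the note that some tokens require the same label on a certificate and its private key, so they should be restored in the option definitions. If the generate-rsa example comes back, `--bits 1024` should not be the size shown: the surrounding text only says the size is set explicitly because some tokens limit it, which does not require 1024, and 1024-bit RSA is below current recommendations. The removed `inraw` alias paragraph (`@pxref{p11tool inder, the inder option documentation}`) likewise belongs in the regenerated text rather than being replaced by an empty description.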
diff --git a/doc/invoke-psktool.texi b/doc/invoke-psktool.texi
index 381074560e..77d5c8f198 100644
--- a/doc/invoke-psktool.texi
+++ b/doc/invoke-psktool.texi
@@ -1,36 +1,29 @@
@node psktool Invocation
-@subsection Invoking psktool
+@subsubsection Invoking psktool
@pindex psktool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-psktool.texi)
#
-# It has been AutoGen-ed December 12, 2012 at 07:06:10 PM by AutoGen 5.16
+# It has been AutoGen-ed December 29, 2012 at 01:07:10 PM by AutoGen 5.12
# From the definitions ../src/psk-args.def
# and the template file agtexi-cmd.tpl
@end ignore
-
Program that generates random keys for use with TLS-PSK. The
keys are stored in hexadecimal format in a key file.
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{psktool} program.
-This software is released under the GNU General Public License, version 3 or later.
+
+This software is released under the GNU General Public License.
@anchor{psktool usage}
-@subsubheading psktool help/usage (-h)
-@cindex psktool help
+@subsubheading psktool usage help (-?)
-This is the automatically generated usage text for psktool.
-The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
+This is the automatically generated usage text for psktool:
@exampleindent 0
@example
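Review bot: the node heading moves from `@subsection Invoking psktool` to `@subsubsection`, which is the intended level change for the reorganized chapter, but the same hunk also rewrites the license line from "GNU General Public License, version 3 or later" to the bare "GNU General Public License" and swaps the `help/usage (-h)` heading for `usage help (-?)`. The license wording change is a side effect of the older AutoGen template and should be reverted, or the definitions updated so the generated text still states the version.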
@@ -65,34 +58,41 @@ please send bug reports to: bug-gnutls@@gnu.org
@subsubheading debug option (-d)
This is the ``enable debugging.'' option.
-This option takes an argument number.
Specifies the debug level.
+
+@anchor{psktool keysize}
+@subsubheading keysize option (-s)
+
+This is the ``specify the key size in bytes'' option.
+
+
+@anchor{psktool passwd}
+@subsubheading passwd option (-p)
+
+This is the ``specify a password file.'' option.
+
+
+@anchor{psktool username}
+@subsubheading username option (-u)
+
+This is the ``specify a username'' option.
+
@anchor{psktool exit status}
@subsubheading psktool exit status
One of the following exit values will be returned:
@table @samp
-@item 0 (EXIT_SUCCESS)
+@item 0
Successful program execution.
-@item 1 (EXIT_FAILURE)
+@item 1
The operation failed or the command syntax was not valid.
@end table
+
+
@anchor{psktool See Also}
@subsubheading psktool See Also
- gnutls-cli-debug (1), gnutls-serv (1), srptool (1), certtool (1)
+
@anchor{psktool Examples}
@subsubheading psktool Examples
-To add a user 'psk_identity' in @file{passwd.psk} for use with GnuTLS run:
-@example
-$ ./psktool -u psk_identity -p passwd.psk
-Generating a random key for user 'psk_identity'
-Key stored to passwd.psk
-$ cat psks.txt
-psk_identity:88f3824b3e5659f52d00e959bacab954b6540344
-$
-@end example
-
-This command will create @file{passwd.psk} if it does not exist
-and will add user 'psk_identity' (you will also be prompted for a password).
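Review bot: the `psktool Examples` section ends up empty after this hunk, losing the only worked invocation (`$ ./psktool -u psk_identity -p passwd.psk`) and the explanation that the file is created on demand and that a password prompt follows; `psktool See Also` also loses its cross-references. When the example is restored, fix the inconsistency in the removed text, which writes to passwd.psk but then runs `$ cat psks.txt`. Of the new option entries, `passwd` is the only one whose quoted description ends in a period ("specify a password file."), so the definition strings are inconsistent and the trailing period should go.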
diff --git a/doc/invoke-srptool.texi b/doc/invoke-srptool.texi
index 4539b0b8ba..b555a6a211 100644
--- a/doc/invoke-srptool.texi
+++ b/doc/invoke-srptool.texi
@@ -1,17 +1,16 @@
@node srptool Invocation
-@subsection Invoking srptool
+@subsubsection Invoking srptool
@pindex srptool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-srptool.texi)
#
-# It has been AutoGen-ed December 12, 2012 at 07:04:50 PM by AutoGen 5.16
+# It has been AutoGen-ed December 29, 2012 at 01:07:08 PM by AutoGen 5.12
# From the definitions ../src/srptool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
-
Simple program that emulates the programs in the Stanford SRP (Secure
Remote Password) libraries using GnuTLS. It is intended for use in places
where you don't expect SRP authentication to be the used for system users.
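Review bot: same generator regression as the other files (AutoGen 5.16 to 5.12 in the header, `@subsection` demoted to `@subsubsection`). The unchanged description line "where you don't expect SRP authentication to be the used for system users" has a stray "the"; since the text comes from srptool-args.def it should be corrected there so the next regeneration picks it up.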
@@ -22,20 +21,14 @@ configuration file to hold the group parameters (called tpasswd.conf).
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{srptool} program.
-This software is released under the GNU General Public License, version 3 or later.
+
+This software is released under the GNU General Public License.
@anchor{srptool usage}
-@subsubheading srptool help/usage (-h)
-@cindex srptool help
+@subsubheading srptool usage help (-?)
-This is the automatically generated usage text for srptool.
-The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
+This is the automatically generated usage text for srptool:
@exampleindent 0
@example
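Review bot: as in the p11tool and psktool files, the license sentence here drops "version 3 or later" and the usage heading changes to `(-?)`; neither is part of the reorganization, and the wording should be kept identical across all invoke-*.texi files whichever generator version is settled on.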
@@ -73,63 +66,71 @@ please send bug reports to: bug-gnutls@@gnu.org
@end example
@exampleindent 4
+@anchor{srptool create-conf}
+@subsubheading create-conf option
+
+This is the ``generate a password configuration file.'' option.
+This generates a password configuration file (tpasswd.conf)
+containing the required for TLS parameters.
+
@anchor{srptool debug}
@subsubheading debug option (-d)
This is the ``enable debugging.'' option.
-This option takes an argument number.
Specifies the debug level.
-@anchor{srptool verify}
-@subsubheading verify option
-This is the ``just verify the password.'' option.
-Verifies the password provided against the password file.
+@anchor{srptool index}
+@subsubheading index option (-i)
+
+This is the ``specify the index of the group parameters in tpasswd.conf to use.'' option.
+
+
+@anchor{srptool passwd}
+@subsubheading passwd option (-p)
+
+This is the ``specify a password file.'' option.
+
+
@anchor{srptool passwd-conf}
@subsubheading passwd-conf option (-v)
This is the ``specify a password conf file.'' option.
-This option takes an argument string.
Specify a filename or a PKCS #11 URL to read the CAs from.
-@anchor{srptool create-conf}
-@subsubheading create-conf option
-This is the ``generate a password configuration file.'' option.
-This option takes an argument string.
-This generates a password configuration file (tpasswd.conf)
-containing the required for TLS parameters.
+@anchor{srptool salt}
+@subsubheading salt option (-s)
+
+This is the ``specify salt size.'' option.
+
+
+@anchor{srptool username}
+@subsubheading username option (-u)
+
+This is the ``specify a username'' option.
+
+
+@anchor{srptool verify}
+@subsubheading verify option
+
+This is the ``just verify the password.'' option.
+Verifies the password provided against the password file.
+
@anchor{srptool exit status}
@subsubheading srptool exit status
One of the following exit values will be returned:
@table @samp
-@item 0 (EXIT_SUCCESS)
+@item 0
Successful program execution.
-@item 1 (EXIT_FAILURE)
+@item 1
The operation failed or the command syntax was not valid.
@end table
+
+
@anchor{srptool See Also}
@subsubheading srptool See Also
- gnutls-cli-debug (1), gnutls-serv (1), srptool (1), psktool (1), certtool (1)
+
@anchor{srptool Examples}
@subsubheading srptool Examples
-To create @file{tpasswd.conf} which holds the g and n values for SRP protocol
-(generator and a large prime), run:
-@example
-$ srptool --create-conf /etc/tpasswd.conf
-@end example
-
-This command will create @file{/etc/tpasswd} and will add user 'test' (you
-will also be prompted for a password). Verifiers are stored by default
-in the way libsrp expects.
-@example
-$ srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test
-@end example
-
-
-This command will check against a password. If the password matches
-the one in @file{/etc/tpasswd} you will get an ok.
-@example
-$ srptool --passwd /etc/tpasswd --passwd\-conf /etc/tpasswd.conf --verify -u test
-@end example
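Review bot: the `passwd-conf` option keeps the unchanged description "Specify a filename or a PKCS #11 URL to read the CAs from.", which is a certtool sentence that has nothing to do with an SRP group-parameter file; the definition should say that it names the tpasswd.conf file holding the group parameters. In the new `create-conf` text, "containing the required for TLS parameters" should read "containing the parameters required for TLS". The hunk also empties `srptool Examples` and `srptool See Also`; if the examples are restored, the old text needs three corrections: the sentence after `--create-conf` claims the command "will create /etc/tpasswd and will add user 'test'" although that is what the following `--passwd` command does, the verify example writes `--passwd\-conf` with a spurious backslash, and the See Also list named srptool itself.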
diff --git a/doc/invoke-tpmtool.texi b/doc/invoke-tpmtool.texi
index 93ea0c6db4..98c267de1b 100644
--- a/doc/invoke-tpmtool.texi
+++ b/doc/invoke-tpmtool.texi
@@ -6,30 +6,23 @@
#
# DO NOT EDIT THIS FILE (invoke-tpmtool.texi)
#
-# It has been AutoGen-ed December 12, 2012 at 07:06:11 PM by AutoGen 5.16
+# It has been AutoGen-ed December 29, 2012 at 01:00:46 PM by AutoGen 5.12
# From the definitions ../src/tpmtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
-
Program that allows handling cryptographic data from the TPM chip.
This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{tpmtool} program.
-This software is released under the GNU General Public License, version 3 or later.
+
+This software is released under the GNU General Public License.
@anchor{tpmtool usage}
-@subsubheading tpmtool help/usage (-h)
-@cindex tpmtool help
+@subsubheading tpmtool usage help (-?)
-This is the automatically generated usage text for tpmtool.
-The text printed is the same whether for the @code{help} option (-h) or the @code{more-help} option (-!). @code{more-help} will print
-the usage text by passing it through a pager program.
-@code{more-help} is disabled on platforms without a working
-@code{fork(2)} function. The @code{PAGER} environment variable is
-used to select the program, defaulting to @file{more}. Both will exit
-with a status code of 0.
+This is the automatically generated usage text for tpmtool:
@exampleindent 0
@example
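Review bot: this header hunk shows the same AutoGen 5.16 to 5.12 downgrade and the same license-line shortening as the other regenerated files; tpmtool should be regenerated together with the rest once the generator version is fixed, so that only the heading-level changes remain in the diff.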
@@ -90,12 +83,24 @@ please send bug reports to: bug-gnutls@@gnu.org
@end example
@exampleindent 4
+@anchor{tpmtool bits}
+@subsubheading bits option
+
+This is the ``specify the number of bits for key generate'' option.
+
+
@anchor{tpmtool debug}
@subsubheading debug option (-d)
This is the ``enable debugging.'' option.
-This option takes an argument number.
Specifies the debug level.
+
+@anchor{tpmtool delete}
+@subsubheading delete option
+
+This is the ``delete the key identified by the given url (uuid).'' option.
+
+
@anchor{tpmtool generate-rsa}
@subsubheading generate-rsa option
@@ -103,29 +108,105 @@ This is the ``generate an rsa private-public key pair'' option.
Generates an RSA private-public key pair in the TPM chip.
The key may be stored in filesystem and protected by a PIN, or stored (registered)
in the TPM chip flash.
-@anchor{tpmtool user}
-@subsubheading user option
-This is the ``any registered key will be a user key'' option.
+@anchor{tpmtool inder}
+@subsubheading inder option
+
+This is the ``use the der format for keys.'' option.
+The input files will be assumed to be in the portable
+DER format of TPM. The default format is a custom format used by various
+TPM tools
+
+@anchor{tpmtool infile}
+@subsubheading infile option
+
+This is the ``input file'' option.
+
+
+@anchor{tpmtool legacy}
+@subsubheading legacy option
+
+This is the ``any generated key will be a legacy key'' option.
-@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must appear in combination with the following options:
-register.
+generate-rsa.
@item
must not appear in combination with any of the following options:
-system.
+signing.
@end itemize
-The generated key will be stored in a user specific persistent storage.
+
+
+@anchor{tpmtool list}
+@subsubheading list option
+
+This is the ``lists all stored keys in the tpm'' option.
+
+
+@anchor{tpmtool outder}
+@subsubheading outder option
+
+This is the ``use der format for output keys'' option.
+The output will be in the TPM portable DER format.
+
+@anchor{tpmtool outfile}
+@subsubheading outfile option
+
+This is the ``output file'' option.
+
+
+@anchor{tpmtool pubkey}
+@subsubheading pubkey option
+
+This is the ``prints the public key of the provided key'' option.
+
+
+@anchor{tpmtool register}
+@subsubheading register option
+
+This is the ``any generated key will be registered in the tpm'' option.
+
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+must appear in combination with the following options:
+generate-rsa.
+@end itemize
+
+
+
+@anchor{tpmtool sec-param}
+@subsubheading sec-param option
+
+This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
+This is alternative to the bits option. Note however that the
+values allowed by the TPM chip are quantized and given values may be rounded up.
+
+@anchor{tpmtool signing}
+@subsubheading signing option
+
+This is the ``any generated key will be a signing key'' option.
+
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+must appear in combination with the following options:
+generate-rsa.
+@item
+must not appear in combination with any of the following options:
+legacy.
+@end itemize
+
+
+
@anchor{tpmtool system}
@subsubheading system option
This is the ``any registred key will be a system key'' option.
-@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
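Review bot: the unchanged `system` description "any registred key will be a system key" carries a typo (registred) that should be fixed in tpmtool-args.def, and the new `inder` text ends without a period after "TPM tools". The new `legacy` and `signing` entries each require `generate-rsa` and exclude one another, which is consistent, but the `register` entry only states its `generate-rsa` requirement; since `user` and `system` in turn require `register`, a sentence here saying that a registered key must additionally choose user or system storage would spare readers the cross-checking. The `sec-param` note that TPM values are quantized and may be rounded up applies equally to `bits`, whose new entry has no body at all.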
@@ -137,64 +218,40 @@ user.
@end itemize
The generated key will be stored in system persistent storage.
-@anchor{tpmtool sec-param}
-@subsubheading sec-param option
-This is the ``specify the security level [low, legacy, normal, high, ultra].'' option.
-This option takes an argument string @file{Security parameter}.
-This is alternative to the bits option. Note however that the
-values allowed by the TPM chip are quantized and given values may be rounded up.
-@anchor{tpmtool inder}
-@subsubheading inder option
+@anchor{tpmtool user}
+@subsubheading user option
-This is the ``use the der format for keys.'' option.
-The input files will be assumed to be in the portable
-DER format of TPM. The default format is a custom format used by various
-TPM tools
-@anchor{tpmtool outder}
-@subsubheading outder option
+This is the ``any registered key will be a user key'' option.
+
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+must appear in combination with the following options:
+register.
+@item
+must not appear in combination with any of the following options:
+system.
+@end itemize
+
+The generated key will be stored in a user specific persistent storage.
-This is the ``use der format for output keys'' option.
-The output will be in the TPM portable DER format.
@anchor{tpmtool exit status}
@subsubheading tpmtool exit status
One of the following exit values will be returned:
@table @samp
-@item 0 (EXIT_SUCCESS)
+@item 0
Successful program execution.
-@item 1 (EXIT_FAILURE)
+@item 1
The operation failed or the command syntax was not valid.
@end table
+
+
@anchor{tpmtool See Also}
@subsubheading tpmtool See Also
- p11tool (1), certtool (1)
+
@anchor{tpmtool Examples}
@subsubheading tpmtool Examples
-To generate a key that is to be stored in filesystem use:
-@example
-$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem
-@end example
-
-To generate a key that is to be stored in TPM's flash use:
-@example
-$ tpmtool --generate-rsa --bits 2048 --register --user
-@end example
-
-To get the public key of a TPM key use:
-@example
-$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \
- --outfile pubkey.pem
-@end example
-
-or if the key is stored in the filesystem:
-@example
-$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem
-@end example
-
-To list all keys stored in TPM use:
-@example
-$ tpmtool --list
-@end example
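Review bot: the `tpmtool Examples` section is emptied by this hunk and `tpmtool See Also` loses `p11tool (1), certtool (1)`. The removed examples are worth restoring in the definitions, with two fixes: the pubkey invocation `$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \` leaves the `;` unquoted, so a shell would cut the command at `;storage=user` and the URL must be wrapped in quotes, and the filesystem variant uses `tpmkey:file=tmpkey.pem` while the key generated above was written to `tpmkey.pem`. The moved `user` entry keeps its constraints and the storage note intact.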