| blob | 49e392d038ef58640f223b452838afdf5c2d35e0 |
1 /*
2 * Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33 /* $Id$ */
35 command = {
36 name = "cms-create-sd"
37 name = "cms-sign"
38 option = {
39 long = "certificate"
40 short = "c"
41 type = "strings"
42 argument = "certificate-store"
43 help = "certificate stores to pull certificates from"
44 }
45 option = {
46 long = "signer"
47 short = "s"
48 type = "string"
49 argument = "signer-friendly-name"
50 help = "certificate to sign with"
51 }
52 option = {
53 long = "anchors"
54 type = "strings"
55 argument = "certificate-store"
56 help = "trust anchors"
57 }
58 option = {
59 long = "pool"
60 type = "strings"
61 argument = "certificate-pool"
62 help = "certificate store to pull certificates from"
63 }
64 option = {
65 long = "pass"
66 type = "strings"
67 argument = "password"
68 help = "password, prompter, or environment"
69 }
70 option = {
71 long = "peer-alg"
72 type = "strings"
73 argument = "oid"
74 help = "oid that the peer support"
75 }
76 option = {
77 long = "content-type"
78 type = "string"
79 argument = "oid"
80 help = "content type oid"
81 }
82 option = {
83 long = "content-info"
84 type = "flag"
85 help = "wrapped out-data in a ContentInfo"
86 }
87 option = {
88 long = "pem"
89 type = "flag"
90 help = "wrap out-data in PEM armor"
91 }
92 option = {
93 long = "detached-signature"
94 type = "flag"
95 help = "create a detached signature"
96 }
97 option = {
98 long = "signer"
99 type = "-flag"
100 help = "do not sign"
101 }
102 option = {
103 long = "id-by-name"
104 type = "flag"
105 help = "use subject name for CMS Identifier"
106 }
107 option = {
108 long = "embedded-certs"
109 type = "-flag"
110 help = "don't embed certificates"
111 }
112 option = {
113 long = "embed-leaf-only"
114 type = "flag"
115 help = "only embed leaf certificate"
116 }
117 min_args="1"
118 max_args="2"
119 argument="in-file out-file"
120 help = "Wrap a file within a SignedData object"
121 }
122 command = {
123 name = "cms-verify-sd"
124 option = {
125 long = "anchors"
126 short = "D"
127 type = "strings"
128 argument = "certificate-store"
129 help = "trust anchors"
130 }
131 option = {
132 long = "certificate"
133 short = "c"
134 type = "strings"
135 argument = "certificate-store"
136 help = "certificate store to pull certificates from"
137 }
138 option = {
139 long = "pass"
140 type = "strings"
141 argument = "password"
142 help = "password, prompter, or environment"
143 }
144 option = {
145 long = "missing-revoke"
146 type = "flag"
147 help = "missing CRL/OCSP is ok"
148 }
149 option = {
150 long = "content-info"
151 type = "flag"
152 help = "unwrap in-data that's in a ContentInfo"
153 }
154 option = {
155 long = "pem"
156 type = "flag"
157 help = "unwrap in-data from PEM armor"
158 }
159 option = {
160 long = "signer-allowed"
161 type = "-flag"
162 help = "allow no signer"
163 }
164 option = {
165 long = "allow-wrong-oid"
166 type = "flag"
167 help = "allow wrong oid flag"
168 }
169 option = {
170 long = "signed-content"
171 type = "string"
172 help = "file containing content"
173 }
174 min_args="1"
175 max_args="2"
176 argument="in-file [out-file]"
177 help = "Verify a file within a SignedData object"
178 }
179 command = {
180 name = "cms-unenvelope"
181 option = {
182 long = "certificate"
183 short = "c"
184 type = "strings"
185 argument = "certificate-store"
186 help = "certificate used to decrypt the data"
187 }
188 option = {
189 long = "pass"
190 type = "strings"
191 argument = "password"
192 help = "password, prompter, or environment"
193 }
194 option = {
195 long = "content-info"
196 type = "flag"
197 help = "wrapped out-data in a ContentInfo"
198 }
199 option = {
200 long = "allow-weak-crypto"
201 type = "flag"
202 help = "allow weak crypto"
203 }
204 min_args="2"
205 argument="in-file out-file"
206 help = "Unenvelope a file containing a EnvelopedData object"
207 }
208 command = {
209 name = "cms-envelope"
210 function = "cms_create_enveloped"
211 option = {
212 long = "certificate"
213 short = "c"
214 type = "strings"
215 argument = "certificate-store"
216 help = "certificates used to receive the data"
217 }
218 option = {
219 long = "pass"
220 type = "strings"
221 argument = "password"
222 help = "password, prompter, or environment"
223 }
224 option = {
225 long = "encryption-type"
226 type = "string"
227 argument = "enctype"
228 help = "enctype"
229 }
230 option = {
231 long = "content-type"
232 type = "string"
233 argument = "oid"
234 help = "content type oid"
235 }
236 option = {
237 long = "content-info"
238 type = "flag"
239 help = "wrapped out-data in a ContentInfo"
240 }
241 option = {
242 long = "allow-weak-crypto"
243 type = "flag"
244 help = "allow weak crypto"
245 }
246 min_args="2"
247 argument="in-file out-file"
248 help = "Envelope a file containing a EnvelopedData object"
249 }
250 command = {
251 name = "verify"
252 function = "pcert_verify"
253 option = {
254 long = "pass"
255 type = "strings"
256 argument = "password"
257 help = "password, prompter, or environment"
258 }
259 option = {
260 long = "allow-proxy-certificate"
261 type = "flag"
262 help = "allow proxy certificates"
263 }
264 option = {
265 long = "missing-revoke"
266 type = "flag"
267 help = "missing CRL/OCSP is ok"
268 }
269 option = {
270 long = "time"
271 type = "string"
272 help = "time when to validate the chain"
273 }
274 option = {
275 long = "verbose"
276 short = "v"
277 type = "flag"
278 help = "verbose logging"
279 }
280 option = {
281 long = "max-depth"
282 type = "integer"
283 help = "maximum search length of certificate trust anchor"
284 }
285 option = {
286 long = "hostname"
287 type = "string"
288 help = "match hostname to certificate"
289 }
290 argument = "cert:foo chain:cert1 chain:cert2 anchor:anchor1 anchor:anchor2"
291 help = "Verify certificate chain"
292 }
293 command = {
294 name = "print"
295 function = "pcert_print"
296 option = {
297 long = "pass"
298 type = "strings"
299 argument = "password"
300 help = "password, prompter, or environment"
301 }
302 option = {
303 long = "content"
304 type = "flag"
305 help = "print the content of the certificates"
306 }
307 option = {
308 long = "never-fail"
309 type = "flag"
310 help = "never fail with an error code"
311 }
312 option = {
313 long = "info"
314 type = "flag"
315 help = "print the information about the certificate store"
316 }
317 min_args="1"
318 argument="certificate ..."
319 help = "Print certificates"
320 }
321 command = {
322 name = "validate"
323 function = "pcert_validate"
324 option = {
325 long = "pass"
326 type = "strings"
327 argument = "password"
328 help = "password, prompter, or environment"
329 }
330 min_args="1"
331 argument="certificate ..."
332 help = "Validate content of certificates"
333 }
334 command = {
335 name = "certificate-copy"
336 name = "cc"
337 option = {
338 long = "in-pass"
339 type = "strings"
340 argument = "password"
341 help = "password, prompter, or environment"
342 }
343 option = {
344 long = "out-pass"
345 type = "string"
346 argument = "password"
347 help = "password, prompter, or environment"
348 }
349 min_args="2"
350 argument="in-certificates-1 ... out-certificate"
351 help = "Copy in certificates stores into out certificate store"
352 }
353 command = {
354 name = "ocsp-fetch"
355 option = {
356 long = "pass"
357 type = "strings"
358 argument = "password"
359 help = "password, prompter, or environment"
360 }
361 option = {
362 long = "sign"
363 type = "string"
364 argument = "certificate"
365 help = "certificate use to sign the request"
366 }
367 option = {
368 long = "url-path"
369 type = "string"
370 argument = "url"
371 help = "part after host in url to put in the request"
372 }
373 option = {
374 long = "nonce"
375 type = "-flag"
376 default = "1"
377 help = "don't include nonce in request"
378 }
379 option = {
380 long = "pool"
381 type = "strings"
382 argument = "certificate-store"
383 help = "pool to find parent certificate in"
384 }
385 min_args="2"
386 argument="outfile certs ..."
387 help = "Fetch OCSP responses for the following certs"
388 }
389 command = {
390 option = {
391 long = "ocsp-file"
392 type = "string"
393 help = "OCSP file"
394 }
395 name = "ocsp-verify"
396 min_args="1"
397 argument="certificates ..."
398 help = "Check that certificates are in OCSP file and valid"
399 }
400 command = {
401 name = "ocsp-print"
402 option = {
403 long = "verbose"
404 type = "flag"
405 help = "verbose"
406 }
407 min_args="1"
408 argument="ocsp-response-file ..."
409 help = "Print the OCSP responses"
410 }
411 command = {
412 name = "revoke-print"
413 option = {
414 long = "verbose"
415 type = "flag"
416 help = "verbose"
417 }
418 min_args="1"
419 argument="ocsp/crl files"
420 help = "Print the OCSP/CRL files"
421 }
422 command = {
423 name = "request-create"
424 option = {
425 long = "subject"
426 type = "string"
427 help = "Subject DN"
428 }
429 option = {
430 long = "email"
431 type = "strings"
432 help = "Email address in SubjectAltName"
433 }
434 option = {
435 long = "dnsname"
436 type = "strings"
437 help = "Hostname or domainname in SubjectAltName"
438 }
439 option = {
440 long = "type"
441 type = "string"
442 help = "Type of request CRMF or PKCS10, defaults to PKCS10"
443 }
444 option = {
445 long = "key"
446 type = "string"
447 help = "Key-pair"
448 }
449 option = {
450 long = "generate-key"
451 type = "string"
452 help = "keytype"
453 }
454 option = {
455 long = "key-bits"
456 type = "integer"
457 help = "number of bits in the generated key";
458 }
459 option = {
460 long = "verbose"
461 type = "flag"
462 help = "verbose status"
463 }
464 min_args="1"
465 max_args="1"
466 argument="output-file"
467 help = "Create a CRMF or PKCS10 request"
468 }
469 command = {
470 name = "request-print"
471 option = {
472 long = "verbose"
473 type = "flag"
474 help = "verbose printing"
475 }
476 min_args="1"
477 argument="requests ..."
478 help = "Print requests"
479 }
480 command = {
481 name = "query"
482 option = {
483 long = "exact"
484 type = "flag"
485 help = "exact match"
486 }
487 option = {
488 long = "private-key"
489 type = "flag"
490 help = "search for private key"
491 }
492 option = {
493 long = "friendlyname"
494 type = "string"
495 argument = "name"
496 help = "match on friendly name"
497 }
498 option = {
499 long = "eku"
500 type = "string"
501 argument = "oid-string"
502 help = "match on EKU"
503 }
504 option = {
505 long = "expr"
506 type = "string"
507 argument = "expression"
508 help = "match on expression"
509 }
510 option = {
511 long = "keyEncipherment"
512 type = "flag"
513 help = "match keyEncipherment certificates"
514 }
515 option = {
516 long = "digitalSignature"
517 type = "flag"
518 help = "match digitalSignature certificates"
519 }
520 option = {
521 long = "print"
522 type = "flag"
523 help = "print matches"
524 }
525 option = {
526 long = "pass"
527 type = "strings"
528 argument = "password"
529 help = "password, prompter, or environment"
530 }
531 min_args="1"
532 argument="certificates ..."
533 help = "Query the certificates for a match"
534 }
535 command = {
536 name = "info"
537 }
538 command = {
539 name = "random-data"
540 min_args="1"
541 argument="bytes"
542 help = "Generates random bytes and prints them to standard output"
543 }
544 command = {
545 option = {
546 long = "type"
547 type = "string"
548 help = "type of CMS algorithm"
549 }
550 name = "crypto-available"
551 min_args="0"
552 help = "Print available CMS crypto types"
553 }
554 command = {
555 option = {
556 long = "type"
557 type = "string"
558 help = "type of CMS algorithm"
559 }
560 option = {
561 long = "certificate"
562 type = "string"
563 help = "source certificate limiting the choices"
564 }
565 option = {
566 long = "peer-cmstype"
567 type = "strings"
568 help = "peer limiting cmstypes"
569 }
570 name = "crypto-select"
571 min_args="0"
572 help = "Print selected CMS type"
573 }
574 command = {
575 option = {
576 long = "decode"
577 short = "d"
578 type = "flag"
579 help = "decode instead of encode"
580 }
581 name = "hex"
582 function = "hxtool_hex"
583 min_args="0"
584 help = "Encode input to hex"
585 }
586 command = {
587 option = {
588 long = "issue-ca"
589 type = "flag"
590 help = "Issue a CA certificate"
591 }
592 option = {
593 long = "issue-proxy"
594 type = "flag"
595 help = "Issue a proxy certificate"
596 }
597 option = {
598 long = "domain-controller"
599 type = "flag"
600 help = "Issue a MS domaincontroller certificate"
601 }
602 option = {
603 long = "subject"
604 type = "string"
605 help = "Subject of issued certificate"
606 }
607 option = {
608 long = "ca-certificate"
609 type = "string"
610 help = "Issuing CA certificate"
611 }
612 option = {
613 long = "self-signed"
614 type = "flag"
615 help = "Issuing a self-signed certificate"
616 }
617 option = {
618 long = "ca-private-key"
619 type = "string"
620 help = "Private key for self-signed certificate"
621 }
622 option = {
623 long = "certificate"
624 type = "string"
625 help = "Issued certificate"
626 }
627 option = {
628 long = "type"
629 type = "strings"
630 help = "Types of certificate to issue (can be used more then once)"
631 }
632 option = {
633 long = "lifetime"
634 type = "string"
635 help = "Lifetime of certificate"
636 }
637 option = {
638 long = "signature-algorithm"
639 type = "string"
640 help = "Signature algorithm to use"
641 }
642 option = {
643 long = "serial-number"
644 type = "string"
645 help = "serial-number of certificate"
646 }
647 option = {
648 long = "path-length"
649 default = "-1"
650 type = "integer"
651 help = "Maximum path length (CA and proxy certificates), -1 no limit"
652 }
653 option = {
654 long = "hostname"
655 type = "strings"
656 help = "DNS names this certificate is allowed to serve"
657 }
658 option = {
659 long = "email"
660 type = "strings"
661 help = "email addresses assigned to this certificate"
662 }
663 option = {
664 long = "pk-init-principal"
665 type = "strings"
666 help = "PK-INIT principal (for SAN)"
667 }
668 option = {
669 long = "ms-upn"
670 type = "string"
671 help = "Microsoft UPN (for SAN)"
672 }
673 option = {
674 long = "jid"
675 type = "string"
676 help = "XMPP jabber id (for SAN)"
677 }
678 option = {
679 long = "req"
680 type = "string"
681 help = "certificate request"
682 }
683 option = {
684 long = "certificate-private-key"
685 type = "string"
686 help = "private-key"
687 }
688 option = {
689 long = "generate-key"
690 type = "string"
691 help = "keytype"
692 }
693 option = {
694 long = "key-bits"
695 type = "integer"
696 help = "number of bits in the generated key"
697 }
698 option = {
699 long = "crl-uri"
700 type = "string"
701 help = "URI to CRL"
702 }
703 option = {
704 long = "template-certificate"
705 type = "string"
706 help = "certificate"
707 }
708 option = {
709 long = "template-fields"
710 type = "string"
711 help = "flag"
712 }
713 name = "certificate-sign"
714 name = "cert-sign"
715 name = "issue-certificate"
716 name = "ca"
717 function = "hxtool_ca"
718 min_args="0"
719 help = "Issue a certificate"
720 }
721 command = {
722 name = "test-crypto"
723 option = {
724 long = "pass"
725 type = "strings"
726 argument = "password"
727 help = "password, prompter, or environment"
728 }
729 option = {
730 long = "verbose"
731 type = "flag"
732 help = "verbose printing"
733 }
734 min_args="1"
735 argument="certificates..."
736 help = "Test crypto system related to the certificates"
737 }
738 command = {
739 option = {
740 long = "type"
741 type = "integer"
742 help = "type of statistics"
743 }
744 name = "statistic-print"
745 min_args="0"
746 help = "Print statistics"
747 }
748 command = {
749 option = {
750 long = "signer"
751 type = "string"
752 help = "signer certificate"
753 }
754 option = {
755 long = "pass"
756 type = "strings"
757 argument = "password"
758 help = "password, prompter, or environment"
759 }
760 option = {
761 long = "crl-file"
762 type = "string"
763 help = "CRL output file"
764 }
765 option = {
766 long = "lifetime"
767 type = "string"
768 help = "time the crl will be valid"
769 }
770 name = "crl-sign"
771 min_args="0"
772 argument="certificates..."
773 help = "Create a CRL"
774 }
775 command = {
776 name = "help"
777 name = "?"
778 argument = "[command]"
779 min_args = "0"
780 max_args = "1"
781 help = "Help! I need somebody"
782 }