src/p11tool-args.def

   1 AutoGen Definitions options;
   2 prog-name     = p11tool;
   3 prog-title    = "GnuTLS PKCS #11 tool";
   4 prog-desc     = "Program to handle PKCS #11 smart cards and security modules.\n";
   5 detail    = "Program that allows handling data from PKCS #11 smart cards
   6 and security modules.
   7
   8 To use PKCS #11 tokens with gnutls the configuration file
   9 /etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form 'load=/usr/lib/opensc-pkcs11.so'.
  10 ";
  11
  12 short-usage   = "p11tool [options] [url]\np11tool --help for usage instructions.\n";
  13 explain       = "";
  14 reorder-args;
  15 argument = "[url]";
  16
  17 #define  OUTFILE_OPT   1
  18 #include args-std.def
  19
  20 flag = {
  21     name      = list-tokens;
  22     descrip   = "List all available tokens";
  23     doc = "";
  24 };
  25
  26 flag = {
  27     name      = export;
  28     descrip   = "Export the object specified by the URL";
  29     doc = "";
  30 };
  31
  32 flag = {
  33     name      = list-mechanisms;
  34     descrip   = "List all available mechanisms in a token";
  35     doc = "";
  36 };
  37
  38 flag = {
  39     name      = list-all;
  40     descrip   = "List all available objects in a token";
  41     doc = "";
  42 };
  43
  44 flag = {
  45     name      = list-all-certs;
  46     descrip   = "List all available certificates in a token";
  47     doc = "";
  48 };
  49
  50 flag = {
  51     name      = list-certs;
  52     descrip   = "List all certificates that have an associated private key";
  53     doc = "";
  54 };
  55
  56 flag = {
  57     name      = list-all-privkeys;
  58     descrip   = "List all available private keys in a token";
  59     doc = "";
  60 };
  61
  62 flag = {
  63     name      = list-all-trusted;
  64     descrip   = "List all available certificates marked as trusted";
  65     doc = "";
  66 };
  67
  68 flag = {
  69     name      = initialize;
  70     descrip   = "Initializes a PKCS #11 token";
  71     doc = "";
  72 };
  73
  74 flag = {
  75     name      = write;
  76     descrip   = "Writes the loaded objects to a PKCS #11 token";
  77     doc = "It can be used to write private keys, certificates or secret keys to a token.";
  78 };
  79
  80 flag = {
  81     name      = delete;
  82     descrip   = "Deletes the objects matching the PKCS #11 URL";
  83     doc = "";
  84 };
  85
  86 flag = {
  87     name      = generate-rsa;
  88     descrip   = "Generate an RSA private-public key pair";
  89     doc = "Generates an RSA private-public key pair on the specified token.";
  90 };
  91
  92 flag = {
  93     name      = generate-dsa;
  94     descrip   = "Generate an RSA private-public key pair";
  95     doc = "Generates an RSA private-public key pair on the specified token.";
  96 };
  97 flag = {
  98     name      = generate-ecc;
  99     descrip   = "Generate an RSA private-public key pair";
 100     doc = "Generates an RSA private-public key pair on the specified token.";
 101 };
 102
 103 flag = {
 104     name      = label;
 105     arg-type  = string;
 106     descrip   = "Sets a label for the write operation";
 107     doc       = "";
 108 };
 109
 110 flag = {
 111     name      = trusted;
 112     disable   = "no";
 113     disabled;
 114     descrip   = "Marks the object to be written as trusted";
 115     doc = "";
 116 };
 117
 118 flag = {
 119     name      = private;
 120     disable   = "no";
 121     enabled;
 122     descrip   = "Marks the object to be written as private";
 123     doc = "The written object will require a PIN to be used.";
 124 };
 125
 126 flag = {
 127     name      = login;
 128     descrip   = "Force login to token";
 129     disabled;
 130     disable   = "no";
 131     doc       = "";
 132 };
 133
 134 flag = {
 135     name      = detailed-url;
 136     descrip   = "Print detailed URLs";
 137     disabled;
 138     disable   = "no";
 139     doc   = "";
 140 };
 141
 142 flag = {
 143     name      = secret-key;
 144     arg-type  = string;
 145     descrip   = "Provide a hex encoded secret key";
 146     doc   = "";
 147 };
 148
 149 flag = {
 150     name      = load-privkey;
 151     arg-type  = file;
 152     file-exists = yes;
 153     descrip   = "Private key file to use";
 154     doc      = "";
 155 };
 156
 157 flag = {
 158     name      = load-pubkey;
 159     arg-type  = file;
 160     file-exists = yes;
 161     descrip   = "Public key file to use";
 162     doc      = "";
 163 };
 164
 165 flag = {
 166     name      = load-certificate;
 167     arg-type  = file;
 168     file-exists = yes;
 169     descrip   = "Certificate file to use";
 170     doc      = "";
 171 };
 172
 173 flag = {
 174     name      = pkcs8;
 175     value     = 8;
 176     descrip   = "Use PKCS #8 format for private keys";
 177     doc      = "";
 178 };
 179
 180 flag = {
 181     name      = bits;
 182     arg-type  = number;
 183     descrip   = "Specify the number of bits for key generate";
 184     doc      = "";
 185 };
 186
 187 flag = {
 188     name      = sec-param;
 189     arg-type  = string;
 190     arg-name  = "Security parameter";
 191     descrip   = "Specify the security level";
 192     doc      = "This is alternative to the bits option. Available options are [low, legacy, normal, high, ultra].";
 193 };
 194
 195
 196 flag = {
 197     name      = inder;
 198     descrip   = "Use DER/RAW format for input";
 199     disabled;
 200     disable   = "no";
 201     doc      = "Use DER/RAW format for input certificates and private keys.";
 202 };
 203
 204 flag = {
 205     name      = inraw;
 206     aliases   = inder;
 207 };
 208
 209 flag = {
 210     name      = provider;
 211     arg-type  = file;
 212     file-exists = yes;
 213     descrip   = "Specify the PKCS #11 provider library";
 214     doc      = "This will override the default options in /etc/gnutls/pkcs11.conf";
 215 };
 216
 217
 218 doc-section = {
 219   ds-type = 'SEE ALSO';
 220   ds-format = 'texi';
 221   ds-text   = <<-_EOT_
 222     certtool (1)
 223 _EOT_;
 224 };
 225
 226 doc-section = {
 227   ds-type = 'EXAMPLES';
 228   ds-format = 'texi';
 229   ds-text   = <<-_EOT_
 230 To view all tokens in your system use:
 231 @example
 232 $ p11tool --list-tokens
 233 @end example
 234
 235 To view all objects in a token use:
 236 @example
 237 $ p11tool --login --list-all "pkcs11:TOKEN-URL"
 238 @end example
 239
 240 To store a private key and a certificate in a token run:
 241 @example
 242 $ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
 243           --label "Mykey"
 244 $ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
 245           --label "Mykey"
 246 @end example
 247 Note that some tokens require the same label to be used for the certificate
 248 and its corresponding private key.
 249
 250 To generate an RSA private key inside the token use:
 251 @example
 252 $ p11tool --login --generate-rsa --bits 1024 --label "MyNewKey" \
 253           --outfile MyNewKey.pub "pkcs11:TOKEN-URL"
 254 @end example
 255 The bits parameter in the above example is explicitly set because some
 256 tokens only support a limited number of bits. The output file is the
 257 corresponding public key. This key can be used to general a certificate
 258 request with certtool.
 259 @example
 260 certtool --generate-request --load-privkey "pkcs11:KEY-URL" \
 261    --load-pubkey MyNewKey.pub --outfile request.pem
 262 @end example
 263
 264 _EOT_;
 265 };
 266