From 08e89a9e52861b59f43c77937ff80e4d920bec4a Mon Sep 17 00:00:00 2001
From: Ben Kibbey
Date: Sun, 11 Oct 2015 16:09:39 -0400
Subject: [PATCH] Update docs.

---
 doc/libpwmd.3 | 6 ++---
 doc/pwmc.1.in | 73 +++++++++++++++++++++-----------------------------------
 src/libpwmd.h.in | 13 +++++-----
 3 files changed, 36 insertions(+), 56 deletions(-)

diff --git a/doc/libpwmd.3 b/doc/libpwmd.3
index 5cf9c50f..1e304e4a 100644
--- a/doc/libpwmd.3
+++ b/doc/libpwmd.3
@@ -1,4 +1,4 @@
-.TH "libpwmd.h" 3 "Mon Sep 28 2015" "Version 7.3.0" "libpwmd" \" -*- nroff -*-
+.TH "libpwmd.h" 3 "Sun Oct 11 2015" "Version 7.3.0" "libpwmd" \" -*- nroff -*-
 .ad l
 .nh
 .SH NAME
@@ -561,7 +561,7 @@ This must be set before calling \fBpwmd_open()\fP\&.
 .TP
 \fB\fIPWMD_OPTION_OVERRIDE_INQUIRE \fP\fP
-When set, override libpwmd's handling of server inquires with the PASSPHRASE and NEW_PASSPHRASE keywords\&. Handling of these keywords is done automatically when \fBPWMD_OPTION_NO_PINENTRY\fP or \fBPWMD_OPTION_LOCAL_PINENTRY\fP is set or when the connection is a remote one\&.
+When set, override libpwmd's handling of server inquires with the PASSPHRASE, NEW_PASSPHRASE and SIGN_PASSPHRASE keywords\&. Handling of these keywords is done automatically when \fBPWMD_OPTION_NO_PINENTRY\fP or \fBPWMD_OPTION_LOCAL_PINENTRY\fP is set or when the connection is a remote one\&.
 .PP
 \fBSee also:\fP
 .RS 4
@@ -1077,7 +1077,7 @@ The inquire \fIcallback\fP function should be used when \fBPWMD_OPTION_OVERRIDE_
 .SS "LIBPWMD_API gpg_error_t pwmd_password (\fBpwm_t\fP * pwm, const char * keyword, char ** data, size_t * size)"
 .PP
-Obtain a passphrase from a local pinentry\&. This is the same function that libpwmd uses during an inquire when using the local pinentry and the inquire keyword is either PASSPHRASE or NEW_PASSPHRASE\&. Provided for convenience since it sets proper pinentry strings and handles new passphrase confirmation\&.
+Obtain a passphrase from a local pinentry\&. This is the same function that libpwmd uses during an inquire when using the local pinentry and the inquire keyword is one of PASSPHRASE, NEW_PASSPHRASE or SIGN_PASSPHRASE\&. Provided for convenience since it sets proper pinentry strings and handles new passphrase confirmation\&.
 .PP
 \fBParameters:\fP
 .RS 4
diff --git a/doc/pwmc.1.in b/doc/pwmc.1.in
index 12aca704..6ce68778 100644
--- a/doc/pwmc.1.in
+++ b/doc/pwmc.1.in
@@ -252,18 +252,6 @@ When saving to a new file, do not prompt for a passphrase. This will allow the
 data file to be opened without a passphrase.
 .TP
-.I "\-\-no-gpg-agent"
-When
-.BR pwmd (1)
-is compiled with
-.BR gpg-agent (1)
-support and gpg-agent usage is enabled, pwmd will default to using
-the gpg-agent key-pair encryption mechanism rather than symmetric
-encryption of the data file. Use this option to force symmetric
-encryption of the data file without using gpg-agent. Note that this
-option only has an affect when saving to a new file.
-
-.TP
 .I "\--key-file "
 Read the passphrase used to open a file from the specified filename.
@@ -289,28 +277,22 @@ The number of cipher encryption iterations of the XML data. This is actually
 N+1.
 .TP
-.I "\-\-key\-params "
-When saving, use the specified key parameters rather than the pwmd
-default. This should be a valid S-expression. See the libgcrypt
-documentation for details.
-
-.TP
-.I "\-\-keygrip "
-Encrypt the XML data using the specified key grip. The key can be any
-that
-.BR gpg-agent (1)
-knows of.
+.I "\-\-key\-params "
+When saving, use the key parameters obtained from
+.B filename
+rather than the
+.B pwmd
+defaults. The parameters are in GnuPG XML format.
 .TP
-.I "\-\-sign-keygrip "
-Sign the encrypted XML data using the specified key grip. The key can
-be any that
-.BR gpg-agent (1)
-knows of.
+.I "\-\-keyid [,...]"
+Encrypt the XML data to the specified recipients. When not specified, the same
+recipients for an existing data file will be used. Otherwise, a new key pair
+will be generated.
 .TP
-.I "\--s2k-count "
-The number of passphrase hashing iterations for a new file.
+.I "\-\-sign-keyid "
+Sign the encrypted XML data using the specified key.
 .TP
 .I "\--no-status"
@@ -378,7 +360,7 @@ command line option. The
 .BR socat (1)
 command can be replaced with any utility that can read from stdin and write
-to a local domain socket.
+to a UNIX domain socket.
 .SH PINENTRY
@@ -488,26 +470,32 @@ is specified, the option is unset.
 .RS
 .TP
-.I keyfile []
-Set the
+.I keyfile []
+Obtain the passphrase from
 .B filename
-containing the passphrase to open
-.B datafile
 for the next command requiring a passphrase. This is equivalent to the
 .I "\-\-key-file"
 command line option. This value will be unset after the next protocol command
 to prevent misuse.
 .TP
-.I new-keyfile []
-Set the
+.I new-keyfile []
+Obtain the passphrase from
 .B filename
-containing the passphrase to use to save
-.B datafile
 for the next command requiring a new passphrase. This is equivalent to the
 .I "\-\-new-key-file"
 command line option. This value will be unset after the next protocol command
 to prevent misuse.
 .TP
+.I sign-keyfile []
+Obtain the passphrase from
+.B filename
+for the next command requiring a passphrase used for signing. This is
+equivalent to the
+.I "\-\-sign-key-file"
+command line option and is optionally used for signing a symmetrically
+encrypted data file. This value will be unset after the next protocol command
+to prevent misuse.
+.TP
 .I pinentry-timeout
 Set the amount of seconds before the pinentry program will close and return
 an error while waiting for user input.
@@ -566,13 +554,6 @@ Connect to a remote pwmd server over TLS, interactively:
 .RS
 .I pwmc --url tls://hostname --ca-cert cafile.pem --client-cert client.pem --client-key clientkey.pem filename
 .RE
-.P
-Connect to a remote pwmd server over TLS and generate a new keypair
-for a data file that may not already exist using a keyfile as
-passphrase and inquire data from a file descriptor:
-.RS
-.I pwmc --url tls://hostname --ca-cert cafile.pem --client-cert client.pem --client-key clientkey.pem --inquire STORE --inquire-line 'some\\\\telement\\\\t' --inquire-fd 3 --key-file old_key --new-key-file new_key --cipher serpent128 --cipher-iterations 4000 --key-params '(genkey (rsa (nbits 4:1024)))' -S datafile 3