authorDaiki Ueno <ueno@gnu.org>2021-12-31 18:13:58 +0100
committerDaiki Ueno <ueno@gnu.org>2022-01-14 12:49:03 +0100
commit0da805e6d3b2b148f9689b3229ddbbf3f4cedb88 (patch)
treeb6d047b66eab930e9e14165cf3459ba236918050 /src
parent39cbedbf19e8a34dce3442c1749109e01251e467 (diff)
src: generate option handling code from JSON
This replaces AutoGen based command-line parser with a Python script (gen-getopt.py), which takes JSON description as the input. The included JSON files were converted one-off using the parse-autogen program: https://gitlab.com/dueno/parse-autogen. Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'src')
-rw-r--r--src/Makefile.am253
-rw-r--r--src/certtool-common.c2
-rw-r--r--src/certtool-options.json579
-rw-r--r--src/certtool.c6
-rw-r--r--src/cli-debug.c2
-rw-r--r--src/cli.c2
-rw-r--r--src/danetool-options.json171
-rw-r--r--src/danetool.c4
-rw-r--r--src/gen-getopt.py654
-rw-r--r--src/gnutls-cli-debug-options.json53
-rw-r--r--src/gnutls-cli-options.json421
-rw-r--r--src/gnutls-serv-options.json332
-rw-r--r--src/ocsptool-options.json164
-rw-r--r--src/ocsptool.c2
-rw-r--r--src/p11tool-options.json452
-rw-r--r--src/p11tool.c6
-rw-r--r--src/psk.c2
-rw-r--r--src/psktool-options.json53
-rw-r--r--src/serv.c2
-rw-r--r--src/srptool-options.json71
-rw-r--r--src/srptool.c2
-rw-r--r--src/systemkey-tool-options.json49
-rw-r--r--src/systemkey.c2
-rw-r--r--src/tpmtool-options.json133
-rw-r--r--src/tpmtool.c2
-rw-r--r--src/udp-serv.c2
26 files changed, 3236 insertions, 185 deletions
diff --git a/src/Makefile.am b/src/Makefile.am
index dc6c661ded..ff9c09dd04 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -17,52 +17,34 @@
# along with this file; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-# src/gl is being added by the top level makefile
-SUBDIRS =
-
-ARGS_BUILT = \
- srptool-args.c srptool-args.h \
- psktool-args.c psktool-args.h \
- ocsptool-args.h ocsptool-args.c \
- serv-args.c serv-args.h \
- cli-args.c cli-args.h \
- cli-debug-args.c cli-debug-args.h \
- certtool-args.c certtool-args.h \
- danetool-args.c danetool-args.h \
- p11tool-args.c p11tool-args.h \
- tpmtool-args.c tpmtool-args.h \
- systemkey-args.c systemkey-args.h
-
-# We bundle autogen-generated files as *.bak files. This is awkward,
-# but it covers the common use-cases where autogen/libopts is
-# installed or not. Do not attempt to simplify it unless autogen
-# gains a support for better handling of intermediate files with
-# autotools.
-ARGS_BAK = \
- srptool-args.c.bak srptool-args.h.bak \
- psktool-args.c.bak psktool-args.h.bak \
- ocsptool-args.h.bak ocsptool-args.c.bak \
- serv-args.c.bak serv-args.h.bak \
- cli-args.c.bak cli-args.h.bak \
- cli-debug-args.c.bak cli-debug-args.h.bak \
- certtool-args.c.bak certtool-args.h.bak \
- danetool-args.c.bak danetool-args.h.bak \
- p11tool-args.c.bak p11tool-args.h.bak \
- tpmtool-args.c.bak tpmtool-args.h.bak \
- systemkey-args.c.bak systemkey-args.h.bak
-
-ARGS_STAMPS = \
- certtool-args.stamp cli-debug-args.stamp cli-args.stamp tpmtool-args.stamp \
- systemkey-args.stamp srptool-args.stamp ocsptool-args.stamp p11tool-args.stamp \
- danetool-args.stamp serv-args.stamp psktool-args.stamp
-
-BUILT_SOURCES = $(ARGS_BUILT)
-
-DISTCLEANFILES = $(BUILT_SOURCES) $(ARGS_STAMPS)
-
-EXTRA_DIST = gen-mech-list.sh $(ARGS_BAK)
-
-MAINTAINERCLEANFILES = $(ARGS_BAK)
+OPTIONS_BUILT = \
+ srptool-options.c srptool-options.h \
+ psktool-options.c psktool-options.h \
+ ocsptool-options.h ocsptool-options.c \
+ gnutls-serv-options.c gnutls-serv-options.h \
+ gnutls-cli-options.c gnutls-cli-options.h \
+ gnutls-cli-debug-options.c gnutls-cli-debug-options.h \
+ certtool-options.c certtool-options.h \
+ danetool-options.c danetool-options.h \
+ p11tool-options.c p11tool-options.h \
+ tpmtool-options.c tpmtool-options.h \
+ systemkey-tool-options.c systemkey-tool-options.h
+
+OPTIONS_JSON = \
+ certtool-options.json gnutls-cli-debug-options.json gnutls-cli-options.json tpmtool-options.json \
+ systemkey-tool-options.json srptool-options.json ocsptool-options.json p11tool-options.json \
+ danetool-options.json gnutls-serv-options.json psktool-options.json
+
+OPTIONS_STAMP = \
+ certtool-options.stamp gnutls-cli-debug-options.stamp gnutls-cli-options.stamp tpmtool-options.stamp \
+ systemkey-tool-options.stamp srptool-options.stamp ocsptool-options.stamp p11tool-options.stamp \
+ danetool-options.stamp gnutls-serv-options.stamp psktool-options.stamp
+
+BUILT_SOURCES = $(OPTIONS_BUILT)
+
+EXTRA_DIST = gen-mech-list.sh gen-getopt.py $(OPTIONS_JSON) $(OPTIONS_BUILT) $(OPTIONS_STAMP)
+
+MAINTAINERCLEANFILES = $(OPTIONS_BUILT) $(OPTIONS_STAMP)
AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
AM_CPPFLAGS = \
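Review bot: The generated `*-options.c`/`*-options.h` parsers and their `.stamp` files are now shipped in release tarballs through `EXTRA_DIST` (and are no longer in `DISTCLEANFILES`), so a tarball consumer compiles command-line parsing code that is only regenerated from the JSON if the stamp happens to be older than its `.json` after extraction. This keeps the pre-generated-source pattern of the old `.bak` scheme and deserves an explicit reproducibility check: a `distcheck`-time hook that reruns `gen-getopt.py` over `$(OPTIONS_JSON)` and fails on any diff would let packagers confirm the shipped C matches the JSON. Consider also dropping `$(OPTIONS_STAMP)` from `EXTRA_DIST`, since tar-restored stamp mtimes are what decide whether `$(PYTHON)` silently becomes a build requirement for end users. Whether configure guarantees `$(PYTHON)` for non-maintainer builds is not visible in this hunk.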
@@ -71,16 +53,7 @@ AM_CPPFLAGS = \
-I$(builddir)/../lib/includes \
-I$(srcdir)/../lib/includes \
-I$(srcdir)/../libdane/includes \
- -I$(srcdir)/../extra/includes \
- $(LIBOPTS_CFLAGS)
-
-if NEED_LIBOPTS
-LIBOPTS = libopts/libopts.la
-SUBDIRS += libopts
-AM_CPPFLAGS += -I$(srcdir)/libopts
-else
-LIBOPTS = $(LIBOPTS_LDADD)
-endif
+ -I$(srcdir)/../extra/includes
bin_PROGRAMS = psktool gnutls-cli-debug certtool gnutls-serv gnutls-cli
if ENABLE_SRP
@@ -112,30 +85,27 @@ noinst_LTLIBRARIES =
if ENABLE_SRP
srptool_SOURCES = srptool.c
-srptool_LDADD = ../lib/libgnutls.la libcmd-srp.la $(LIBOPTS) ../gl/libgnu.la
+srptool_LDADD = ../lib/libgnutls.la libcmd-srp.la ../gl/libgnu.la
srptool_LDADD += $(LTLIBINTL) gl/libgnu_gpl.la
noinst_LTLIBRARIES += libcmd-srp.la
-libcmd_srp_la_SOURCES = srptool-args.def
-nodist_libcmd_srp_la_SOURCES = srptool-args.c srptool-args.h
+libcmd_srp_la_SOURCES = srptool-options.c srptool-options.h
endif
psktool_SOURCES = psk.c
-psktool_LDADD = ../lib/libgnutls.la libcmd-psk.la $(LIBOPTS) ../gl/libgnu.la
+psktool_LDADD = ../lib/libgnutls.la libcmd-psk.la ../gl/libgnu.la
psktool_LDADD += $(LTLIBINTL) gl/libgnu_gpl.la
noinst_LTLIBRARIES += libcmd-psk.la
-libcmd_psk_la_SOURCES = psktool-args.def
-nodist_libcmd_psk_la_SOURCES = psktool-args.c psktool-args.h
+libcmd_psk_la_SOURCES = psktool-options.c psktool-options.h
if ENABLE_OCSP
ocsptool_SOURCES = ocsptool.c ocsptool-common.h ocsptool-common.c certtool-common.c \
socket.c common.c common.h socket.h
-ocsptool_LDADD = ../lib/libgnutls.la libcmd-ocsp.la $(LIBOPTS) ../gl/libgnu.la
+ocsptool_LDADD = ../lib/libgnutls.la libcmd-ocsp.la ../gl/libgnu.la
ocsptool_LDADD += $(LTLIBINTL) $(GETADDRINFO_LIB) gl/libgnu_gpl.la $(LIBIDN_LIBS)
noinst_LTLIBRARIES += libcmd-ocsp.la
-libcmd_ocsp_la_SOURCES = ocsptool-args.def
-nodist_libcmd_ocsp_la_SOURCES = ocsptool-args.h ocsptool-args.c
+libcmd_ocsp_la_SOURCES = ocsptool-options.h ocsptool-options.c
endif
@@ -145,12 +115,11 @@ gnutls_serv_SOURCES = \
common.h common.c \
certtool-common.h
gnutls_serv_LDADD = ../lib/libgnutls.la
-gnutls_serv_LDADD += libcmd-serv.la $(LIBOPTS) ../gl/libgnu.la
+gnutls_serv_LDADD += libcmd-serv.la ../gl/libgnu.la
gnutls_serv_LDADD += $(LTLIBINTL) gl/libgnu_gpl.la
gnutls_serv_LDADD += $(LIBSOCKET) $(GETADDRINFO_LIB) $(LIBIDN_LIBS)
noinst_LTLIBRARIES += libcmd-serv.la
-libcmd_serv_la_SOURCES = serv-args.def
-nodist_libcmd_serv_la_SOURCES = serv-args.c serv-args.h
+libcmd_serv_la_SOURCES = gnutls-serv-options.c gnutls-serv-options.h
BENCHMARK_SRCS = benchmark-cipher.c benchmark.c benchmark.h benchmark-tls.c
@@ -164,25 +133,23 @@ gnutls_cli_LDADD = ../lib/libgnutls.la -lm
if ENABLE_DANE
gnutls_cli_LDADD += ../libdane/libgnutls-dane.la
endif
-gnutls_cli_LDADD += libcmd-cli.la $(LIBOPTS) ../gl/libgnu.la $(LTLIBINTL) $(LIBIDN_LIBS)
+gnutls_cli_LDADD += libcmd-cli.la ../gl/libgnu.la $(LTLIBINTL) $(LIBIDN_LIBS)
gnutls_cli_LDADD += $(LIBSOCKET) $(GETADDRINFO_LIB) $(LIB_CLOCK_GETTIME) \
$(SERVENT_LIB) gl/libgnu_gpl.la
noinst_LTLIBRARIES += libcmd-cli.la
-libcmd_cli_la_SOURCES = cli-args.def
-nodist_libcmd_cli_la_SOURCES = cli-args.c cli-args.h
+libcmd_cli_la_SOURCES = gnutls-cli-options.c gnutls-cli-options.h
gnutls_cli_debug_SOURCES = cli-debug.c tests.h tests.c \
socket.c socket.h common.h common.c
gnutls_cli_debug_LDADD = ../lib/libgnutls.la libcmd-cli-debug.la
-gnutls_cli_debug_LDADD += $(LIBOPTS) ../gl/libgnu.la gl/libgnu_gpl.la
+gnutls_cli_debug_LDADD += ../gl/libgnu.la gl/libgnu_gpl.la
gnutls_cli_debug_LDADD += $(LTLIBINTL) $(LIBIDN_LIBS)
gnutls_cli_debug_LDADD += $(LIBSOCKET) $(GETADDRINFO_LIB)
noinst_LTLIBRARIES += libcmd-cli-debug.la
-libcmd_cli_debug_la_SOURCES = cli-debug-args.def
-nodist_libcmd_cli_debug_la_SOURCES = cli-debug-args.c cli-debug-args.h
+libcmd_cli_debug_la_SOURCES = gnutls-cli-debug-options.c gnutls-cli-debug-options.h
#certtool
-COMMON_LIBS = $(LIBOPTS) $(LTLIBINTL)
+COMMON_LIBS = $(LTLIBINTL)
if ENABLE_MINITASN1
COMMON_LIBS += ../lib/minitasn1/libminitasn1.la ../gl/libgnu.la
AM_CPPFLAGS += -I$(top_srcdir)/lib/minitasn1
@@ -196,9 +163,8 @@ certtool_LDADD = ../lib/libgnutls.la
certtool_LDADD += libcmd-certtool.la ../gl/libgnu.la gl/libgnu_gpl.la
noinst_LTLIBRARIES += libcmd-certtool.la
-libcmd_certtool_la_SOURCES = certtool-args.def \
+libcmd_certtool_la_SOURCES = certtool-options.c certtool-options.h \
certtool-cfg.h certtool-cfg.c
-nodist_libcmd_certtool_la_SOURCES = certtool-args.c certtool-args.h
libcmd_certtool_la_LIBADD = ../lib/libgnutls.la gl/libgnu_gpl.la ../gl/libgnu.la
libcmd_certtool_la_LIBADD += $(COMMON_LIBS)
libcmd_certtool_la_LIBADD += $(LTLIBREADLINE) gl/libgnu_gpl.la
@@ -213,9 +179,8 @@ danetool_LDADD += ../libdane/libgnutls-dane.la
endif
noinst_LTLIBRARIES += libcmd-danetool.la
-libcmd_danetool_la_SOURCES = danetool-args.def \
+libcmd_danetool_la_SOURCES = danetool-options.c danetool-options.h \
certtool-cfg.h certtool-cfg.c
-nodist_libcmd_danetool_la_SOURCES = danetool-args.c danetool-args.h
libcmd_danetool_la_LIBADD = ../lib/libgnutls.la gl/libgnu_gpl.la ../gl/libgnu.la
libcmd_danetool_la_LIBADD += $(COMMON_LIBS)
libcmd_danetool_la_LIBADD += $(LTLIBREADLINE)
@@ -225,7 +190,7 @@ libcmd_danetool_la_LIBADD += $(INET_PTON_LIB) $(LIB_CLOCK_GETTIME)
if ENABLE_PKCS11
BUILT_SOURCES += mech-list.h
-p11tool_SOURCES = p11tool-args.def p11tool.c pkcs11.c certtool-common.c \
+p11tool_SOURCES = p11tool-options.json p11tool.c pkcs11.c certtool-common.c \
certtool-extras.c p11tool.h common.c mech-list.h
p11tool_CPPFLAGS = $(AM_CPPFLAGS) $(P11_KIT_CFLAGS)
p11tool_LDADD = ../lib/libgnutls.la
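Review bot: `p11tool_SOURCES` now lists `p11tool-options.json` next to the C sources (the tpmtool hunk does the same), while every other tool leaves the JSON out and relies on `$(OPTIONS_JSON)` in `EXTRA_DIST` for distribution; the compiled parser comes from `libcmd-p11tool.la`, so the JSON entry here looks like a leftover of the old `.def` listing rather than something the build needs. For consistency I would drop it: `p11tool_SOURCES = p11tool.c pkcs11.c certtool-common.c \`. That automake tolerates a non-compilable extension in `_SOURCES` is what makes the current line harmless, but that is inferred, not visible in the hunk.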
@@ -233,9 +198,8 @@ p11tool_LDADD += libcmd-p11tool.la ../gl/libgnu.la gl/libgnu_gpl.la
p11tool_LDADD += $(COMMON_LIBS)
noinst_LTLIBRARIES += libcmd-p11tool.la
-libcmd_p11tool_la_SOURCES = p11tool-args.def \
+libcmd_p11tool_la_SOURCES = p11tool-options.c p11tool-options.h \
certtool-cfg.h certtool-cfg.c
-nodist_libcmd_p11tool_la_SOURCES = p11tool-args.c p11tool-args.h
libcmd_p11tool_la_LIBADD = ../lib/libgnutls.la gl/libgnu_gpl.la ../gl/libgnu.la
libcmd_p11tool_la_LIBADD += $(LTLIBREADLINE) $(INET_PTON_LIB) $(LIB_CLOCK_GETTIME)
@@ -243,15 +207,14 @@ endif # ENABLE_PKCS11
if ENABLE_TROUSERS
-tpmtool_SOURCES = tpmtool-args.def tpmtool.c certtool-common.c certtool-extras.c common.c
+tpmtool_SOURCES = tpmtool-options.json tpmtool.c certtool-common.c certtool-extras.c common.c
tpmtool_LDADD = ../lib/libgnutls.la
tpmtool_LDADD += libcmd-tpmtool.la ../gl/libgnu.la gl/libgnu_gpl.la
tpmtool_LDADD += $(COMMON_LIBS)
noinst_LTLIBRARIES += libcmd-tpmtool.la
-libcmd_tpmtool_la_SOURCES = tpmtool-args.def \
+libcmd_tpmtool_la_SOURCES = tpmtool-options.c tpmtool-options.h \
certtool-cfg.h certtool-cfg.c
-nodist_libcmd_tpmtool_la_SOURCES = tpmtool-args.c tpmtool-args.h
libcmd_tpmtool_la_LIBADD = ../lib/libgnutls.la gl/libgnu_gpl.la ../gl/libgnu.la
libcmd_tpmtool_la_LIBADD += $(LTLIBREADLINE) $(INET_PTON_LIB) $(LIB_CLOCK_GETTIME)
@@ -263,96 +226,52 @@ systemkey_LDADD += libcmd-systemkey.la ../gl/libgnu.la gl/libgnu_gpl.la
systemkey_LDADD += $(COMMON_LIBS)
noinst_LTLIBRARIES += libcmd-systemkey.la
-libcmd_systemkey_la_SOURCES = systemkey-args.def \
+libcmd_systemkey_la_SOURCES = systemkey-tool-options.c systemkey-tool-options.h \
certtool-cfg.h certtool-cfg.c
-nodist_libcmd_systemkey_la_SOURCES = systemkey-args.c systemkey-args.h
libcmd_systemkey_la_LIBADD = ../lib/libgnutls.la gl/libgnu_gpl.la ../gl/libgnu.la
libcmd_systemkey_la_LIBADD += $(LTLIBREADLINE) $(INET_PTON_LIB) $(LIB_CLOCK_GETTIME)
-SUFFIXES = .stamp .def .c.bak .h.bak
-
-if NEED_LIBOPTS
-# case --enable-local-libopts: We do not call AUTOGEN unless the .bak files are missing
-.def.stamp:
- $(AM_V_GEN) b=`echo $@ | sed 's/.stamp$$//'`; \
- if ! test -f $(srcdir)/$${b}.c.bak;then \
- echo "No .bak files found; will call autogen"; \
- $(AUTOGEN) $<; \
- else \
- echo "Re-using .bak files"; \
- rm -f $${b}.c $${b}.h; \
- cp -p $(srcdir)/$${b}.c.bak $${b}.c; \
- cp -p $(srcdir)/$${b}.h.bak $${b}.h; \
- fi
- touch $@
-else
-# default case. We call autogen, and if that fails we resort to the bundled files.
-.def.stamp:
- $(AM_V_GEN) $(AUTOGEN) $< || { \
- srcdir=''; \
+SUFFIXES = .stamp .json
+
+OPTIONS_STAMP: $(srcdir)/gen-getopt.py
+
+.json.stamp:
+ $(AM_V_GEN) { \
b=`echo $@ | sed 's/.stamp$$//'`; \
- test -f ./$${b}.def || srcdir=$(srcdir)/; \
- cp -p $${srcdir}$${b}.c.bak $${b}.c; \
- cp -p $${srcdir}$${b}.h.bak $${b}.h; \
+ PYTHONPATH='$(top_srcdir)/python' \
+ $(PYTHON) $(srcdir)/gen-getopt.py \
+ --bug-email bugs@gnutls.org \
+ --copyright-year 2000-2021 \
+ --copyright-holder 'Free Software Foundation, and others' \
+ --license gpl3+ \
+ --version '$(VERSION)' $< \
+ $${b}.c $${b}.h; \
} && \
touch $@
-endif
-
-.c.c.bak:
- -@rm -f $@
- $(AM_V_GEN) cp -p $< $@
-
-.h.h.bak:
- -@rm -f $@
- $(AM_V_GEN) cp -p $< $@
-
-danetool-args.h: danetool-args.stamp
-danetool-args.c: danetool-args.stamp
-danetool-args.stamp: args-std.def
-
-ocsptool-args.h: ocsptool-args.stamp
-ocsptool-args.c: ocsptool-args.stamp
-ocsptool-args.stamp: args-std.def
-
-tpmtool-args.h: tpmtool-args.stamp
-tpmtool-args.c: tpmtool-args.stamp
-tpmtool-args.stamp: args-std.def
-
-p11tool-args.h: p11tool-args.stamp
-p11tool-args.c: p11tool-args.stamp
-p11tool-args.stamp: args-std.def
-
-psktool-args.h: psktool-args.stamp
-psktool-args.c: psktool-args.stamp
-psktool-args.stamp: args-std.def
-
-cli-debug-args.h: cli-debug-args.stamp
-cli-debug-args.c: cli-debug-args.stamp
-cli-debug-args.stamp: args-std.def
-
-cli-args.h: cli-args.stamp
-cli-args.c: cli-args.stamp
-cli-args.stamp: args-std.def
-
-serv-args.h: serv-args.stamp
-serv-args.c: serv-args.stamp
-serv-args.stamp: args-std.def
-
-srptool-args.h: srptool-args.stamp
-srptool-args.c: srptool-args.stamp
-srptool-args.stamp: args-std.def
-
-certtool-args.h: certtool-args.stamp
-certtool-args.c: certtool-args.stamp
-certtool-args.stamp: args-std.def
-
-systemkey-args.h: systemkey-args.stamp
-systemkey-args.c: systemkey-args.stamp
-systemkey-args.stamp: args-std.def
-tpm2key-args.h: tpm2key-args.stamp
-tpm2key-args.c: tpm2key-args.stamp
-tpm2key-args.stamp: args-std.def
+danetool-options.stamp: danetool-options.json
+ocsptool-options.stamp: ocsptool-options.json
+tpmtool-options.stamp: tpmtool-options.json
+p11tool-options.stamp: p11tool-options.json
+psktool-options.stamp: psktool-options.json
+gnutls-cli-debug-options.stamp: gnutls-cli-debug-options.json
+gnutls-cli-options.stamp: gnutls-cli-options.json
+gnutls-serv-options.stamp: gnutls-serv-options.json
+srptool-options.stamp: srptool-options.json
+certtool-options.stamp: certtool-options.json
+systemkey-tool-options.stamp: systemkey-tool-options.json
+
+danetool-options.c danetool-options.h: danetool-options.stamp
+ocsptool-options.c ocsptool-options.h: ocsptool-options.stamp
+tpmtool-options.c tpmtool-options.h: tpmtool-options.stamp
+p11tool-options.c p11tool-options.h: p11tool-options.stamp
+psktool-options.c psktool-options.h: psktool-options.stamp
+gnutls-cli-debug-options.c gnutls-cli-debug-options.h: gnutls-cli-debug-options.stamp
+gnutls-cli-options.c gnutls-cli-options.h: gnutls-cli-options.stamp
+gnutls-serv-options.c gnutls-serv-options.h: gnutls-serv-options.stamp
+srptool-options.c srptool-options.h: srptool-options.stamp
+certtool-options.c certtool-options.h: certtool-options.stamp
+systemkey-tool-options.c systemkey-tool-options.h: systemkey-tool-options.stamp
mech-list.h: gen-mech-list.sh
$(AM_V_GEN) $(srcdir)/gen-mech-list.sh > $@.tmp && mv $@.tmp $@
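Review bot: `OPTIONS_STAMP: $(srcdir)/gen-getopt.py` declares a target literally named `OPTIONS_STAMP` instead of attaching the generator as a prerequisite of the stamp files, so editing `gen-getopt.py` never regenerates the option parsers and a stale `*-options.c` can be built and shipped unnoticed; the line should read `$(OPTIONS_STAMP): $(srcdir)/gen-getopt.py`. The `.json.stamp` recipe also writes `$${b}.c` and `$${b}.h` in place, so a generator that aborts midway leaves a truncated parser with a fresh mtime while the `&&` correctly withholds the stamp; writing to a temporary name and renaming, as the `mech-list.h` rule directly below already does, would close that window. Whether `$(PYTHON)` is unconditionally substituted by configure, or only for maintainer builds, is not visible here.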
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 5e7bc5666c..fae3a489d4 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -40,7 +40,7 @@
#include <fcntl.h>
#include <common.h>
#include "certtool-common.h"
-#include "certtool-args.h"
+#include "certtool-options.h"
#include "certtool-cfg.h"
#include "common.h"
#include <minmax.h>
diff --git a/src/certtool-options.json b/src/certtool-options.json
new file mode 100644
index 0000000000..34ecaa7714
--- /dev/null
+++ b/src/certtool-options.json
@@ -0,0 +1,579 @@
+[
+ {
+ "meta": {
+ "desc": "",
+ "prog-name": "certtool",
+ "prog-title": "GnuTLS certificate tool",
+ "prog-desc": "Manipulate certificates and private keys.",
+ "detail": "Tool to parse and generate X.509 certificates, requests and private keys.\nIt can be used interactively or non interactively by\nspecifying the template command line option.\n\nThe tool accepts files or supported URIs via the --infile option. In case PIN\nis required for URI access you can provide it using the environment variables GNUTLS_PIN \nand GNUTLS_SO_PIN.\n",
+ "short-usage": "certtool [options]\ncerttool --help for usage instructions.\n",
+ "explain": ""
+ },
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "arg-min": "0 ",
+ "desc": "Enable debugging",
+ "arg-max": " 9999",
+ "detail": "Specifies the debug level.",
+ "arg-type": "number"
+ },
+ {
+ "short-option": "V",
+ "max": "NOLIMIT",
+ "long-option": "verbose",
+ "desc": "More verbose output",
+ "disabled": "",
+ "detail": ""
+ },
+ {
+ "long-option": "infile",
+ "detail": "",
+ "arg-type": "file",
+ "desc": "Input file",
+ "file-exists": "yes"
+ },
+ {
+ "detail": "",
+ "arg-type": "string",
+ "desc": "Output file",
+ "long-option": "outfile"
+ }
+ ]
+ },
+ {
+ "meta": {
+ "id": "cert-options",
+ "desc": "Certificate related options"
+ },
+ "options": [
+ {
+ "detail": "",
+ "desc": "Print information on the given certificate",
+ "short-option": "i",
+ "long-option": "certificate-info"
+ },
+ {
+ "desc": "Print information on a public key",
+ "long-option": "pubkey-info",
+ "detail": "The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question."
+ },
+ {
+ "long-option": "generate-self-signed",
+ "short-option": "s",
+ "desc": "Generate a self-signed certificate",
+ "detail": ""
+ },
+ {
+ "short-option": "c",
+ "long-option": "generate-certificate",
+ "desc": "Generate a signed certificate",
+ "detail": ""
+ },
+ {
+ "detail": "",
+ "desc": "Generates a proxy certificate",
+ "long-option": "generate-proxy"
+ },
+ {
+ "short-option": "u",
+ "long-option": "update-certificate",
+ "detail": "",
+ "desc": "Update a signed certificate"
+ },
+ {
+ "desc": "Print the fingerprint of the given certificate",
+ "long-option": "fingerprint",
+ "detail": "This is a simple hash of the DER encoding of the certificate. It can be combined with the --hash parameter. However, it is recommended for identification to use the key-id which depends only on the certificate's key."
+ },
+ {
+ "long-option": "key-id",
+ "desc": "Print the key ID of the given certificate",
+ "detail": "This is a hash of the public key of the given certificate. It identifies the key uniquely, remains the same on a certificate renewal and depends only on signed fields of the certificate."
+ },
+ {
+ "deprecated": "",
+ "long-option": "certificate-pubkey",
+ "desc": "Print certificate's public key",
+ "detail": "This option is deprecated as a duplicate of --pubkey-info"
+ },
+ {
+ "desc": "Generate an X.509 version 1 certificate (with no extensions)",
+ "long-option": "v1",
+ "detail": ""
+ },
+ {
+ "desc": "Sign a certificate with a specific signature algorithm",
+ "arg-type": "string",
+ "detail": "This option can be combined with --generate-certificate, to sign the certificate with\na specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be\nspecified when the signer does not have a certificate which is marked for RSA-PSS use only.",
+ "long-option": "sign-params"
+ }
+ ]
+ },
+ {
+ "meta": {
+ "desc": "Certificate request related options",
+ "id": "crq-options"
+ },
+ "options": [
+ {
+ "detail": "",
+ "long-option": "crq-info",
+ "desc": "Print information on the given certificate request"
+ },
+ {
+ "detail": "Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.",
+ "conflicts": "infile",
+ "long-option": "generate-request",
+ "desc": "Generate a PKCS #10 certificate request",
+ "short-option": "q"
+ },
+ {
+ "desc": "Do not use extensions in certificate requests",
+ "detail": "",
+ "long-option": "no-crq-extensions"
+ }
+ ]
+ },
+ {
+ "meta": {
+ "desc": "PKCS#12 file related options",
+ "id": "pkcs12-options"
+ },
+ "options": [
+ {
+ "detail": "This option will dump the contents and print the metadata of the provided PKCS #12 structure.",
+ "desc": "Print information on a PKCS #12 structure",
+ "long-option": "p12-info"
+ },
+ {
+ "arg-type": "string",
+ "desc": "The PKCS #12 friendly name to use",
+ "detail": "The name to be used for the primary certificate and private key in a PKCS #12 file.",
+ "long-option": "p12-name"
+ },
+ {
+ "detail": "It requires a certificate, a private key and possibly a CA certificate to be specified.",
+ "desc": "Generate a PKCS #12 structure",
+ "long-option": "to-p12"
+ }
+ ]
+ },
+ {
+ "meta": {
+ "id": "key-options",
+ "desc": "Private key related options"
+ },
+ "options": [
+ {
+ "short-option": "k",
+ "long-option": "key-info",
+ "detail": "",
+ "desc": "Print information on a private key"
+ },
+ {
+ "desc": "Print information on a PKCS #8 structure",
+ "detail": "This option will print information about encrypted PKCS #8 structures. That option does not require the decryption of the structure.",
+ "long-option": "p8-info"
+ },
+ {
+ "detail": "It requires an RSA-PSS key as input and will output a raw RSA\nkey. This command is necessary for compatibility with applications that\ncannot read RSA-PSS keys.",
+ "long-option": "to-rsa",
+ "desc": "Convert an RSA-PSS key to raw RSA format"
+ },
+ {
+ "long-option": "generate-privkey",
+ "detail": "When generating RSA-PSS private keys, the --hash option will\nrestrict the allowed hash for the key; in the same keys the --salt-size\noption is also acceptable.",
+ "desc": "Generate a private key",
+ "short-option": "p"
+ },
+ {
+ "arg-type": "string",
+ "long-option": "key-type",
+ "desc": "Specify the key type to use on key generation",
+ "detail": "This option can be combined with --generate-privkey, to specify\nthe key type to be generated. Valid options are, 'rsa', 'rsa-pss', 'dsa', 'ecdsa', 'ed25519, 'ed448', 'x25519', and 'x448'.'.\nWhen combined with certificate generation it can be used to specify an\nRSA-PSS certificate when an RSA key is given."
+ },
+ {
+ "long-option": "bits",
+ "desc": "Specify the number of bits for key generation",
+ "detail": "",
+ "arg-type": "number"
+ },
+ {
+ "detail": "Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.",
+ "arg-type": "string",
+ "long-option": "curve",
+ "desc": "Specify the curve used for EC key generation"
+ },
+ {
+ "detail": "This is alternative to the bits option.",
+ "arg-type": "string",
+ "long-option": "sec-param",
+ "arg-name": "Security parameter",
+ "desc": "Specify the security level [low, legacy, medium, high, ultra]"
+ },
+ {
+ "detail": "This needs to be combined with --load-privkey.",
+ "desc": "Convert a given key to a PKCS #8 structure",
+ "long-option": "to-p8"
+ },
+ {
+ "short-option": "8",
+ "long-option": "pkcs8",
+ "desc": "Use PKCS #8 format for private keys",
+ "detail": ""
+ },
+ {
+ "desc": "Generate a private key or parameters from a seed using a provable method",
+ "detail": "This will use the FIPS PUB186-4 algorithms (i.e., Shawe-Taylor) for provable key generation.\nWhen specified the private keys or parameters will be generated from a seed, and can be\nlater validated with --verify-provable-privkey to be correctly generated from the seed. You may\nspecify --seed or allow GnuTLS to generate one (recommended). This option can be combined with\n--generate-privkey or --generate-dh-params.\n\nThat option applies to RSA and DSA keys. On the DSA keys the PQG parameters\nare generated using the seed, and on RSA the two primes.",
+ "long-option": "provable"
+ },
+ {
+ "detail": "This will use the FIPS-186-4 algorithms for provable key generation. You may specify --seed or use the seed stored in the private key structure.",
+ "long-option": "verify-provable-privkey",
+ "desc": "Verify a private key generated from a seed using a provable method"
+ },
+ {
+ "detail": "The seed acts as a security parameter for the private key, and\nthus a seed size which corresponds to the security level of the private key\nshould be provided (e.g., 256-bits seed).",
+ "arg-type": "string",
+ "desc": "When generating a private key use the given hex-encoded seed",
+ "long-option": "seed"
+ }
+ ]
+ },
+ {
+ "meta": {
+ "desc": "CRL related options",
+ "id": "crl-options"
+ },
+ "options": [
+ {
+ "short-option": "l",
+ "desc": "Print information on the given CRL structure",
+ "long-option": "crl-info",
+ "detail": ""
+ },
+ {
+ "long-option": "generate-crl",
+ "detail": "This option generates a Certificate Revocation List. When combined with --load-crl it would use the loaded CRL as base for the generated (i.e., all revoked certificates in the base will be copied to the new CRL).\nTo add new certificates to the CRL use --load-certificate.",
+ "desc": "Generate a CRL"
+ },
+ {
+ "requires": "load-ca-certificate",
+ "desc": "Verify a Certificate Revocation List using a trusted list",
+ "long-option": "verify-crl",
+ "detail": "The trusted certificate list must be loaded with --load-ca-certificate."
+ }
+ ]
+ },
+ {
+ "meta": {
+ "desc": "Certificate verification related options",
+ "id": "cert-verify-options"
+ },
+ "options": [
+ {
+ "long-option": "verify-chain",
+ "desc": "Verify a PEM encoded certificate chain",
+ "detail": "Verifies the validity of a certificate chain. That is, an ordered set of\ncertificates where each one is the issuer of the previous, and the first is\nthe end-certificate to be validated. In a proper chain the last certificate\nis a self signed one. It can be combined with --verify-purpose or --verify-hostname.",
+ "short-option": "e"
+ },
+ {
+ "detail": "The trusted certificate list can be loaded with --load-ca-certificate. If no\ncertificate list is provided, then the system's trusted certificate list is used. Note that\nduring verification multiple paths may be explored. On a successful verification\nthe successful path will be the last one. It can be combined with --verify-purpose or --verify-hostname.",
+ "desc": "Verify a PEM encoded certificate (chain) against a trusted set",
+ "long-option": "verify"
+ },
+ {
+ "long-option": "verify-hostname",
+ "desc": "Specify a hostname to be used for certificate chain verification",
+ "arg-type": "string",
+ "detail": "This is to be combined with one of the verify certificate options."
+ },
+ {
+ "detail": "This is to be combined with one of the verify certificate options.",
+ "long-option": "verify-email",
+ "desc": "Specify a email to be used for certificate chain verification",
+ "conflicts": "verify-hostname",
+ "arg-type": "string"
+ },
+ {
+ "detail": "This object identifier restricts the purpose of the certificates to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate without a purpose set (extended key usage) is valid for any purpose.",
+ "long-option": "verify-purpose",
+ "arg-type": "string",
+ "desc": "Specify a purpose OID to be used for certificate chain verification"
+ },
+ {
+ "long-option": "verify-allow-broken",
+ "detail": "This can be combined with --p7-verify, --verify or --verify-chain.",
+ "desc": "Allow broken algorithms, such as MD5 for verification"
+ },
+ {
+ "detail": "This option can be used to specify a certificate verification profile. Certificate\n verification profiles correspond to the security level. This should be one of\n 'none', 'very weak', 'low', 'legacy', 'medium', 'high', 'ultra',\n 'future'. Note that by default no profile is applied, unless one is set\n as minimum in the gnutls configuration file.",
+ "long-option": "verify-profile",
+ "arg-type": "string",
+ "desc": "Specify a security level profile to be used for verification"
+ }
+ ]
+ },
+ {
+ "meta": {
+ "desc": "PKCS#7 structure options",
+ "id": "pkcs7-options"
+ },
+ "options": [
+ {
+ "desc": "Generate a PKCS #7 structure",
+ "detail": "This option generates a PKCS #7 certificate container structure. To add certificates in the structure use --load-certificate and --load-crl.",
+ "long-option": "p7-generate"
+ },
+ {
+ "long-option": "p7-sign",
+ "detail": "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.",
+ "desc": "Signs using a PKCS #7 structure"
+ },
+ {
+ "desc": "Signs using a detached PKCS #7 structure",
+ "detail": "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.",
+ "long-option": "p7-detached-sign"
+ },
+ {
+ "disable-prefix": "no-",
+ "long-option": "p7-include-cert",
+ "desc": "The signer's certificate will be included in the cert list.",
+ "detail": "This options works with --p7-sign or --p7-detached-sign and will include or exclude the signer's certificate into the generated signature.",
+ "enabled": ""
+ },
+ {
+ "detail": "This option will include a timestamp in the generated signature",
+ "disable-prefix": "no-",
+ "disabled": "",
+ "desc": "Will include a timestamp in the PKCS #7 structure",
+ "long-option": "p7-time"
+ },
+ {
+ "disable-prefix": "no-",
+ "disabled": "",
+ "desc": "Will show the embedded data in the PKCS #7 structure",
+ "long-option": "p7-show-data",
+ "detail": "This option can be combined with --p7-verify or --p7-info and will display the embedded signed data in the PKCS #7 structure."
+ },
+ {
+ "long-option": "p7-info",
+ "desc": "Print information on a PKCS #7 structure",
+ "detail": ""
+ },
+ {
+ "detail": "This option verifies the signed PKCS #7 structure. The certificate list to use for verification can be specified with --load-ca-certificate. When no certificate list is provided, then the system's certificate list is used. Alternatively a direct signer can be provided using --load-certificate. A key purpose can be enforced with the --verify-purpose option, and the --load-data option will utilize detached data.",
+ "long-option": "p7-verify",
+ "desc": "Verify the provided PKCS #7 structure"
+ },
+ {
+ "long-option": "smime-to-p7",
+ "desc": "Convert S/MIME to PKCS #7 structure",
+ "detail": ""
+ }
+ ]
+ },
+ {
+ "meta": {
+ "desc": "Other options",
+ "id": "other-options"
+ },
+ "options": [
+ {
+ "detail": "The will generate random parameters to be used with\nDiffie-Hellman key exchange. The output parameters will be in PKCS #3\nformat. Note that it is recommended to use the --get-dh-params option\ninstead.",
+ "desc": "Generate PKCS #3 encoded Diffie-Hellman parameters",
+ "deprecated": "",
+ "long-option": "generate-dh-params"
+ },
+ {
+ "long-option": "get-dh-params",
+ "desc": "List the included PKCS #3 encoded Diffie-Hellman parameters",
+ "detail": "Returns stored DH parameters in GnuTLS. Those parameters returned\nare defined in RFC7919, and can be considered standard parameters for a TLS\nkey exchange. This option is provided for old applications which require\nDH parameters to be specified; modern GnuTLS applications should not require\nthem."
+ },
+ {
+ "desc": "Print information PKCS #3 encoded Diffie-Hellman parameters",
+ "detail": "",
+ "long-option": "dh-info"
+ },
+ {
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "long-option": "load-privkey",
+ "arg-type": "string",
+ "desc": "Loads a private key file"
+ },
+ {
+ "arg-type": "string",
+ "desc": "Loads a public key file",
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "long-option": "load-pubkey"
+ },
+ {
+ "long-option": "load-request",
+ "desc": "Loads a certificate request file",
+ "detail": "This option can be used with a file",
+ "arg-type": "string"
+ },
+ {
+ "arg-type": "string",
+ "long-option": "load-certificate",
+ "detail": "This option can be used with a file",
+ "desc": "Loads a certificate file"
+ },
+ {
+ "desc": "Loads the certificate authority's private key file",
+ "arg-type": "string",
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "long-option": "load-ca-privkey"
+ },
+ {
+ "desc": "Loads the certificate authority's certificate file",
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "arg-type": "string",
+ "long-option": "load-ca-certificate"
+ },
+ {
+ "desc": "Loads the provided CRL",
+ "arg-type": "string",
+ "long-option": "load-crl",
+ "detail": "This option can be used with a file"
+ },
+ {
+ "detail": "This option can be used with a file",
+ "desc": "Loads auxiliary data",
+ "arg-type": "string",
+ "long-option": "load-data"
+ },
+ {
+ "detail": "You can use this option to specify the password in the command line instead of reading it from the tty. Note, that the command line arguments are available for view in others in the system. Specifying password as '' is the same as specifying no password.",
+ "arg-type": "string",
+ "desc": "Password to use",
+ "long-option": "password"
+ },
+ {
+ "desc": "Enforce a NULL password",
+ "long-option": "null-password",
+ "detail": "This option enforces a NULL password. This is different than the empty or no password in schemas like PKCS #8."
+ },
+ {
+ "detail": "This option enforces an empty password. This is different than the NULL or no password in schemas like PKCS #8.",
+ "long-option": "empty-password",
+ "desc": "Enforce an empty password"
+ },
+ {
+ "long-option": "hex-numbers",
+ "detail": "",
+ "desc": "Print big number in an easier format to parse"
+ },
+ {
+ "long-option": "cprint",
+ "desc": "In certain operations it prints the information in C-friendly format",
+ "detail": "In certain operations it prints the information in C-friendly format, suitable for including into C programs."
+ },
+ {
+ "desc": "Generate RSA key",
+ "detail": "When combined with --generate-privkey generates an RSA private key.",
+ "long-option": "rsa",
+ "description": "This option is equivalent to '--key-type rsa'.",
+ "deprecated": ""
+ },
+ {
+ "description": "This option is equivalent to '--key-type dsa'.",
+ "deprecated": "",
+ "long-option": "dsa",
+ "detail": "When combined with --generate-privkey generates a DSA private key.",
+ "desc": "Generate DSA key"
+ },
+ {
+ "desc": "Generate ECC (ECDSA) key",
+ "description": "This option is equivalent to '--key-type ecdsa'.",
+ "long-option": "ecc",
+ "detail": "When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.",
+ "deprecated": ""
+ },
+ {
+ "aliases": "ecc",
+ "deprecated": "",
+ "long-option": "ecdsa"
+ },
+ {
+ "long-option": "hash",
+ "detail": "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.",
+ "desc": "Hash algorithm to use for signing",
+ "arg-type": "string"
+ },
+ {
+ "desc": "Specify the RSA-PSS key default salt size",
+ "arg-type": "number",
+ "long-option": "salt-size",
+ "detail": "Typical keys shouldn't set or restrict this option."
+ },
+ {
+ "desc": "Use DER format for input certificates, private keys, and DH parameters ",
+ "detail": "The input files will be assumed to be in DER or RAW format. \nUnlike options that in PEM input would allow multiple input data (e.g. multiple \ncertificates), when reading in DER format a single data structure is read.",
+ "disabled": "",
+ "disable-prefix": "no-",
+ "long-option": "inder"
+ },
+ {
+ "aliases": "inder",
+ "long-option": "inraw"
+ },
+ {
+ "long-option": "outder",
+ "disabled": "",
+ "desc": "Use DER format for output certificates, private keys, and DH parameters",
+ "disable-prefix": "no-",
+ "detail": "The output will be in DER or RAW format."
+ },
+ {
+ "aliases": "outder",
+ "long-option": "outraw"
+ },
+ {
+ "desc": "No effect",
+ "long-option": "disable-quick-random",
+ "deprecated": "",
+ "detail": ""
+ },
+ {
+ "arg-type": "string",
+ "long-option": "template",
+ "desc": "Template file to use for non-interactive operation",
+ "detail": ""
+ },
+ {
+ "long-option": "stdout-info",
+ "detail": "",
+ "desc": "Print information to stdout instead of stderr"
+ },
+ {
+ "long-option": "ask-pass",
+ "disabled": "",
+ "desc": "Enable interaction for entering password when in batch mode.",
+ "detail": "This option will enable interaction to enter password when in batch mode. That is useful when the template option has been specified."
+ },
+ {
+ "arg-name": "Cipher",
+ "detail": "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.",
+ "long-option": "pkcs-cipher",
+ "desc": "Cipher to use for PKCS #8 and #12 operations",
+ "arg-type": "string"
+ },
+ {
+ "arg-type": "string",
+ "long-option": "provider",
+ "detail": "This will override the default options in /etc/gnutls/pkcs11.conf",
+ "desc": "Specify the PKCS #11 provider library"
+ },
+ {
+ "enabled": "",
+ "long-option": "text",
+ "disable-prefix": "no-",
+ "desc": "Output textual information before PEM-encoded certificates, private keys, etc",
+ "detail": "Output textual information before PEM-encoded data"
+ }
+ ]
+ }
+] \ No newline at end of file
diff --git a/src/certtool.c b/src/certtool.c
index 1d7a98064d..c128500614 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -50,7 +50,7 @@
#include <certtool-cfg.h>
#include <common.h>
-#include "certtool-args.h"
+#include "certtool-options.h"
#include "certtool-common.h"
#define MAX_HASH_SIZE 64
@@ -1265,12 +1265,12 @@ static void cmd_parser(int argc, char **argv)
fix_lbuffer(0);
- if (HAVE_OPT(INDER) || HAVE_OPT(INRAW))
+ if (HAVE_OPT(INDER))
incert_format = GNUTLS_X509_FMT_DER;
else
incert_format = GNUTLS_X509_FMT_PEM;
- if (HAVE_OPT(OUTDER) || HAVE_OPT(OUTRAW))
+ if (HAVE_OPT(OUTDER))
outcert_format = GNUTLS_X509_FMT_DER;
else
outcert_format = GNUTLS_X509_FMT_PEM;
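Review bot: `HAVE_OPT(INDER)` is also true after `--no-inder`, because the generated `no-` case in gen-getopt.py sets `opts->present.inder = true` alongside `opts->enabled.inder = false`, so `certtool --no-inder` would select DER input here; the same applies to `--no-outder` on the output side. Since `inder`/`outder` carry `"disabled"` in certtool-options.json the generator emits an `ENABLED_OPT` accessor for them, and that is the macro this test should use: `if (ENABLED_OPT(INDER))` and `if (ENABLED_OPT(OUTDER))`. This may well have behaved the same under AutoOpts, but the new header makes the distinction explicit and cheap to get right. cmd_parser starts and ends outside this hunk.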
diff --git a/src/cli-debug.c b/src/cli-debug.c
index c98c0c6f4a..cdd88b96ea 100644
--- a/src/cli-debug.c
+++ b/src/cli-debug.c
@@ -35,7 +35,7 @@
#include <tests.h>
#include <common.h>
#include <ctype.h>
-#include <cli-debug-args.h>
+#include "gnutls-cli-debug-options.h"
#include <socket.h>
/* Gnulib portability files. */
diff --git a/src/cli.c b/src/cli.c
index 2384a0cab3..09f7efc2c3 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -71,7 +71,7 @@
#include <common.h>
#include <socket.h>
-#include <cli-args.h>
+#include "gnutls-cli-options.h"
#include <ocsptool-common.h>
#define MAX_BUF 4096
diff --git a/src/danetool-options.json b/src/danetool-options.json
new file mode 100644
index 0000000000..c744498323
--- /dev/null
+++ b/src/danetool-options.json
@@ -0,0 +1,171 @@
+[
+ {
+ "meta": {
+ "detail": "Tool to generate and check DNS resource records for the DANE protocol.",
+ "explain": "",
+ "desc": "",
+ "prog-title": "GnuTLS DANE tool",
+ "prog-desc": "Generate DANE TLSA RR entries.",
+ "short-usage": "danetool --[tlsa-rr|check] [options]\ndanetool --help for additional usage instructions.\n",
+ "prog-name": "danetool"
+ },
+ "options": [
+ {
+ "long-option": "debug",
+ "desc": "Enable debugging",
+ "short-option": "d",
+ "arg-max": " 9999",
+ "arg-min": "0 ",
+ "arg-type": "number",
+ "detail": "Specifies the debug level."
+ },
+ {
+ "desc": "More verbose output",
+ "detail": "",
+ "long-option": "verbose",
+ "short-option": "V",
+ "max": "NOLIMIT",
+ "disabled": ""
+ },
+ {
+ "detail": "",
+ "desc": "Output file",
+ "arg-type": "string",
+ "long-option": "outfile"
+ },
+ {
+ "desc": "Loads a public key file",
+ "long-option": "load-pubkey",
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "arg-type": "string"
+ },
+ {
+ "desc": "Loads a certificate file",
+ "detail": "This can be either a file or a PKCS #11 URL",
+ "arg-type": "string",
+ "long-option": "load-certificate"
+ },
+ {
+ "arg-type": "string",
+ "desc": "Sets a DLV file",
+ "detail": "This sets a DLV file to be used for DNSSEC verification.",
+ "long-option": "dlv"
+ },
+ {
+ "detail": "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.",
+ "arg-type": "string",
+ "desc": "Hash algorithm to use for signing",
+ "long-option": "hash"
+ },
+ {
+ "arg-type": "string",
+ "desc": "Check a host's DANE TLSA entry",
+ "detail": "Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host can be provided using --load-certificate, otherwise danetool will connect to the server to obtain it. The exit code on verification success will be zero.",
+ "long-option": "check"
+ },
+ {
+ "long-option": "check-ee",
+ "desc": "Check only the end-entity's certificate",
+ "detail": "Checks the end-entity's certificate only. Trust anchors or CAs are not considered."
+ },
+ {
+ "desc": "Check only the CA's certificate",
+ "long-option": "check-ca",
+ "detail": "Checks the trust anchor's and CA's certificate only. End-entities are not considered."
+ },
+ {
+ "desc": "Print the DANE RR data on a certificate or public key",
+ "requires": "host",
+ "long-option": "tlsa-rr",
+ "detail": "This command prints the DANE RR data needed to enable DANE on a DNS server."
+ },
+ {
+ "long-option": "host",
+ "arg-type": "string",
+ "desc": "Specify the hostname to be used in the DANE RR",
+ "detail": "This command sets the hostname for the DANE RR.",
+ "arg-name": "Hostname"
+ },
+ {
+ "arg-type": "string",
+ "arg-name": "Protocol",
+ "long-option": "proto",
+ "desc": "The protocol set for DANE data (tcp, udp etc.)",
+ "detail": "This command specifies the protocol for the service set in the DANE data."
+ },
+ {
+ "default-value": "443",
+ "long-option": "port",
+ "arg-type": "string",
+ "desc": "The port or service to connect to, for DANE data",
+ "detail": ""
+ },
+ {
+ "aliases": "starttls-proto",
+ "long-option": "app-proto"
+ },
+ {
+ "desc": "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)",
+ "detail": "When the server's certificate isn't provided danetool will connect to the server to obtain the certificate. In that case it is required to know the protocol to talk with the server prior to initiating the TLS handshake.",
+ "arg-type": "string",
+ "long-option": "starttls-proto"
+ },
+ {
+ "long-option": "ca",
+ "desc": "Whether the provided certificate or public key is a Certificate Authority",
+ "detail": "Marks the DANE RR as a CA certificate if specified."
+ },
+ {
+ "detail": "This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.",
+ "long-option": "x509",
+ "desc": "Use the hash of the X.509 certificate, rather than the public key"
+ },
+ {
+ "aliases": "domain",
+ "long-option": "local"
+ },
+ {
+ "disable-prefix": "no-",
+ "detail": "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved.",
+ "long-option": "domain",
+ "desc": "The provided certificate or public key is issued by the local domain",
+ "enabled": ""
+ },
+ {
+ "disabled": "",
+ "detail": "This option will use the local DNS server for DNSSEC.\nThis is disabled by default due to many servers not allowing DNSSEC.",
+ "desc": "Use the local DNS server for DNSSEC resolving",
+ "long-option": "local-dns",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "insecure",
+ "detail": "Ignores any DNSSEC signature verification results.",
+ "desc": "Do not verify any DNSSEC signature"
+ },
+ {
+ "disable-prefix": "no-",
+ "detail": "The input files will be assumed to be in DER or RAW format. \nUnlike options that in PEM input would allow multiple input data (e.g. multiple \ncertificates), when reading in DER format a single data structure is read.",
+ "long-option": "inder",
+ "desc": "Use DER format for input certificates and private keys",
+ "disabled": ""
+ },
+ {
+ "aliases": "inder",
+ "long-option": "inraw"
+ },
+ {
+ "desc": "Print the received DANE data in raw format",
+ "detail": "This option will print the received DANE data.",
+ "long-option": "print-raw",
+ "disabled": "",
+ "disable-prefix": "no-"
+ },
+ {
+ "desc": "Suppress several informational messages",
+ "detail": "In that case on the exit code can be used as an indication of verification success",
+ "long-option": "quiet"
+ }
+ ]
+ }
+] \ No newline at end of file
diff --git a/src/danetool.c b/src/danetool.c
index 91b422028d..add5d05a1f 100644
--- a/src/danetool.c
+++ b/src/danetool.c
@@ -48,7 +48,7 @@
#include <minmax.h>
#include <common.h>
-#include "danetool-args.h"
+#include "danetool-options.h"
#include "certtool-common.h"
#include "socket.h"
@@ -154,7 +154,7 @@ static void cmd_parser(int argc, char **argv)
memset(&cinfo, 0, sizeof(cinfo));
- if (HAVE_OPT(INDER) || HAVE_OPT(INRAW))
+ if (HAVE_OPT(INDER))
cinfo.incert_format = GNUTLS_X509_FMT_DER;
else
cinfo.incert_format = GNUTLS_X509_FMT_PEM;
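Review bot: `HAVE_OPT(INDER)` stays true when the user passes `--no-inder`, because the generated `no-inder` case sets `present.inder = true` and only clears `enabled.inder`, so the negated form selects DER input rather than PEM. danetool-options.json declares `inder` with `"disabled"` and `"disable-prefix": "no-"`, so the generated header provides `ENABLED_OPT(INDER)`, which is false by default, true for `--inder`/`--inraw` and false for `--no-inder`; use `if (ENABLED_OPT(INDER))` here. cmd_parser continues outside the hunk.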
diff --git a/src/gen-getopt.py b/src/gen-getopt.py
new file mode 100644
index 0000000000..d01c095be7
--- /dev/null
+++ b/src/gen-getopt.py
@@ -0,0 +1,654 @@
+#!/usr/bin/python
+# Copyright (C) 2021 Daiki Ueno
+
+# This file is part of GnuTLS.
+
+# GnuTLS is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+# <https://www.gnu.org/licenses/>.
+
+from typing import Mapping, MutableMapping, MutableSequence, Sequence
+from typing import TextIO, Union
+import io
+import os.path
+import jsonopts
+import sys
+
+INDENT = ' '
+
+
+def get_aliases(options) -> Mapping[str, Sequence[str]]:
+ aliases: MutableMapping[str, MutableSequence[str]] = dict()
+ for option in options:
+ long_opt = option['long-option']
+ key = option.get('aliases')
+ if key:
+ val = aliases.get(key, list())
+ val.append(long_opt)
+ aliases[key] = val
+ return aliases
+
+
+def get_chars(options) -> Mapping[str, Union[str, int]]:
+ chars = dict()
+ chars_counter = 1
+ short_opts: MutableMapping[str, str] = dict()
+ for option in options:
+ long_opt = option['long-option']
+ short_opt = option.get('short-option')
+ # If the short option is already taken, do not register twice
+ if short_opt and short_opt in short_opts:
+ print((f'short option {short_opt} for {long_opt} is already '
+ f'taken by {short_opts[short_opt]}'),
+ file=sys.stderr)
+ short_opt = None
+ if short_opt:
+ chars[long_opt] = short_opt
+ short_opts[short_opt] = long_opt
+ else:
+ chars[long_opt] = chars_counter
+ chars_counter += 1
+ disable_prefix = option.get('disable-prefix')
+ if disable_prefix:
+ chars[f'{disable_prefix}{long_opt}'] = chars_counter
+ chars_counter += 1
+ return chars
+
+
+def mangle(name: str) -> str:
+ return ''.join([c if c in 'abcdefghijklmnopqrstuvwxyz0123456789_' else '_'
+ for c in name.lower()])
+
+
+def format_long_opt(c: Union[str, int], long_opt: str, has_arg: str) -> str:
+ if isinstance(c, str):
+ return f"{INDENT}{{ \"{long_opt}\", {has_arg}, 0, '{c}' }},\n"
+ else:
+ return f'{INDENT}{{ "{long_opt}", {has_arg}, 0, CHAR_MAX + {c} }},\n'
+
+
+def format_switch_case(c: Union[str, int], long_opt: str) -> str:
+ if isinstance(c, str):
+ return f"{INDENT*3}case '{c}':\n"
+ else:
+ return f'{INDENT*3}case CHAR_MAX + {c}: /* --{long_opt} */\n'
+
+
+def gen_c(meta: Mapping[str, str],
+ options: Sequence[Mapping[str, str]],
+ aliases: Mapping[str, Sequence[str]],
+ usage: str,
+ outfile: TextIO):
+ long_opts = io.StringIO()
+ short_opts = list()
+ switch_cases = io.StringIO()
+ enable_statements = io.StringIO()
+ constraint_statements = io.StringIO()
+ has_list_arg = False
+ has_number_arg = False
+
+ chars = get_chars(options)
+
+ prog_name = meta['prog-name']
+ struct_name = f'{mangle(prog_name)}_opts'
+ global_name = f'{mangle(prog_name)}Options'
+
+ switch_cases.write(f"{INDENT*3}case '\\0': /* Long option. */\n")
+ switch_cases.write(f'{INDENT*4}break;\n')
+
+ for option in options:
+ long_opt = option['long-option']
+ arg_type = option.get('arg-type')
+ lower_opt = mangle(long_opt)
+ upper_opt = lower_opt.upper()
+
+ # aliases are handled differently
+ if 'aliases' in option:
+ continue
+
+ if arg_type:
+ if 'arg-optional' in option:
+ has_arg = 'optional_argument'
+ else:
+ has_arg = 'required_argument'
+ else:
+ has_arg = 'no_argument'
+
+ c = chars[long_opt]
+
+ if isinstance(c, str):
+ if arg_type:
+ short_opts.append(c + ':')
+ else:
+ short_opts.append(c)
+
+ long_opts.write(format_long_opt(c, long_opt, has_arg))
+ switch_cases.write(format_switch_case(c, long_opt))
+
+ for alias in aliases.get(long_opt, list()):
+ c = chars[alias]
+ long_opts.write(format_long_opt(c, alias, has_arg))
+ switch_cases.write(format_switch_case(c, alias))
+
+ switch_cases.write(f'{INDENT*4}opts->present.{lower_opt} = true;\n')
+
+ if arg_type:
+ if 'stack-arg' in option:
+ has_list_arg = True
+ switch_cases.write((
+ f'{INDENT*4}append_to_list (&opts->list.{lower_opt}, '
+ f'"{long_opt}", optarg);\n'
+ ))
+ else:
+ switch_cases.write(
+ f'{INDENT*4}opts->arg.{lower_opt} = optarg;\n'
+ )
+ if arg_type == 'number':
+ has_number_arg = True
+ switch_cases.write((
+ f'{INDENT*4}opts->value.{lower_opt} = '
+ 'parse_number(optarg);\n'
+ ))
+ if 'enabled' in option or 'disabled' in option:
+ switch_cases.write(
+ f'{INDENT*4}opts->enabled.{lower_opt} = true;\n'
+ )
+
+ switch_cases.write(f'{INDENT*4}break;\n')
+
+ if 'enabled' in option:
+ enable_statements.write(
+ f'{INDENT}opts->enabled.{lower_opt} = true;\n'
+ )
+ disable_prefix = option.get('disable-prefix')
+ if disable_prefix:
+ disable_opt = f'{disable_prefix}{long_opt}'
+ c = chars[disable_opt]
+ long_opts.write(format_long_opt(c, disable_opt, has_arg))
+ switch_cases.write(format_switch_case(c, disable_opt))
+ switch_cases.write(
+ f'{INDENT*4}opts->present.{lower_opt} = true;\n'
+ )
+ switch_cases.write(
+ f'{INDENT*4}opts->enabled.{lower_opt} = false;\n'
+ )
+ switch_cases.write(f'{INDENT*4}break;\n')
+
+ conflict_opts = option.get('conflicts', '').split()
+ for conflict_opt in conflict_opts:
+ constraint_statements.write(f'''\
+{INDENT}if (HAVE_OPT({upper_opt}) && HAVE_OPT({mangle(conflict_opt).upper()}))
+{INDENT*2}{{
+{INDENT*3}error (EXIT_FAILURE, 0, "the '%s' and '%s' options conflict",
+{INDENT*3} "{long_opt}", "{mangle(conflict_opt)}");
+{INDENT*2}}}
+''')
+ require_opts = option.get('requires', '').split()
+ for require_opt in require_opts:
+ constraint_statements.write(f'''\
+{INDENT}if (HAVE_OPT({upper_opt}) && !HAVE_OPT({mangle(require_opt).upper()}))
+{INDENT*2}{{
+{INDENT*3}error (EXIT_FAILURE, 0, "%s option requires the %s options",
+{INDENT*3} "{long_opt}", "{mangle(require_opt)}");
+{INDENT*2}}}
+''')
+ arg_min = option.get('arg-min')
+ if arg_min:
+ constraint_statements.write(f'''\
+{INDENT}if (HAVE_OPT({upper_opt}) && OPT_VALUE_{upper_opt} < {int(arg_min)})
+{INDENT*2}{{
+{INDENT*3}error (EXIT_FAILURE, 0, "%s option value %d is out of range.",
+{INDENT*3} "{long_opt}", opts->value.{lower_opt});
+{INDENT*2}}}
+''')
+ arg_max = option.get('arg-max')
+ if arg_max:
+ constraint_statements.write(f'''\
+{INDENT}if (HAVE_OPT({upper_opt}) && OPT_VALUE_{upper_opt} > {int(arg_max)})
+{INDENT*2}{{
+{INDENT*3}error (EXIT_FAILURE, 0, "%s option value %d is out of range",
+{INDENT*3} "{long_opt}", opts->value.{lower_opt});
+{INDENT*2}}}
+''')
+
+ long_opts.write(f'{INDENT}{{ 0, 0, 0, 0 }}\n')
+
+ switch_cases.write(f'{INDENT*3}default:\n')
+ switch_cases.write(f'{INDENT*4}usage (stderr, EXIT_FAILURE);\n')
+ switch_cases.write(f'{INDENT*4}break;\n')
+
+ argument = meta.get('argument')
+ if argument:
+ if argument.startswith('[') and argument.endswith(']'):
+ argument = argument[1:-1]
+ argument_statement = ''
+ else:
+ argument_statement = f'''\
+{INDENT}if (optind == argc)
+{INDENT*2}{{
+{INDENT*3}error (EXIT_FAILURE, 0, "Command line arguments required");
+{INDENT*2}}}
+'''
+ else:
+ argument_statement = f'''\
+{INDENT}if (optind < argc)
+{INDENT*2}{{
+{INDENT*3}error (EXIT_FAILURE, 0, "Command line arguments are not allowed.");
+{INDENT*2}}}
+'''
+
+ short_opts_concatenated = ''.join(sorted(short_opts))
+ usage_stringified = '\n'.join([
+ f'{INDENT*2}"{line}\\n"' for line in usage.split('\n')
+ ])
+ brief_version = jsonopts.version(meta, 'v')
+ version = jsonopts.version(meta, 'c')
+ full_version = jsonopts.version(meta, 'n')
+ brief_version_stringified = '\n'.join([
+ f'{INDENT*6}"{line}\\n"' for line in brief_version.split('\n')
+ ])
+ version_stringified = '\n'.join([
+ f'{INDENT*6}"{line}\\n"' for line in version.split('\n')
+ ])
+ full_version_stringified = '\n'.join([
+ f'{INDENT*6}"{line}\\n"' for line in full_version.split('\n')
+ ])
+
+ outfile.write(f'''\
+/* This file is auto-generated from {meta['infile']}; do not edit */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#include "{meta['header']}"
+#include <errno.h>
+#include <error.h>
+#include <getopt.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+#ifndef _WIN32
+#include <unistd.h>
+#endif /* !_WIN32 */
+#include "xsize.h"
+
+struct {struct_name} {global_name};
+
+''')
+
+ if has_list_arg:
+ outfile.write(f'''\
+static void
+append_to_list (struct {mangle(prog_name)}_list *list,
+ const char *name, const char *arg)
+{{
+{INDENT}const char **tmp;
+{INDENT}size_t new_count = xsum (list->count, 1);
+
+{INDENT}if (size_overflow_p (new_count))
+{INDENT*2}error (EXIT_FAILURE, 0, "too many arguments for %s",
+{INDENT*2} name);
+
+{INDENT}tmp = reallocarray (list->args, new_count, sizeof (char *));
+{INDENT}if (!tmp)
+{INDENT*2}error (EXIT_FAILURE, 0, "unable to allocate memory for %s",
+{INDENT*2} name);
+
+{INDENT}list->args = tmp;
+{INDENT}list->args[list->count] = optarg;
+{INDENT}list->count = new_count;
+}}
+
+''')
+
+ if has_number_arg:
+ outfile.write(f'''\
+static long
+parse_number (const char *arg)
+{{
+{INDENT}char *endptr = NULL;
+{INDENT}errno = 0;
+{INDENT}long result;
+
+{INDENT}if (strncmp (arg, "0x", 2) == 0)
+{INDENT*2}result = strtol (arg + 2, &endptr, 16);
+{INDENT}else if (strncmp (arg, "0", 1) == 0
+{INDENT} && strspn (arg, "012345678") == strlen (optarg))
+{INDENT*2}result = strtol (arg + 1, &endptr, 8);
+{INDENT}else
+{INDENT*2}result = strtol (arg, &endptr, 10);
+
+{INDENT}if (errno != 0 || (endptr && *endptr != '\\0'))
+{INDENT*2}error (EXIT_FAILURE, errno, "'%s' is not a recognizable number.",
+{INDENT*2} arg);
+
+{INDENT}return result;
+}}
+
+''')
+
+ outfile.write(f'''\
+/* Long options. */
+static const struct option long_options[] =
+{{
+{long_opts.getvalue()}
+}};
+
+int
+optionProcess (struct {struct_name} *opts, int argc, char **argv)
+{{
+{INDENT}int opt;
+
+{enable_statements.getvalue().rstrip()}
+{INDENT}while ((opt = getopt_long (argc, argv, "{short_opts_concatenated}",
+{INDENT} long_options, NULL)) != EOF)
+{INDENT*2}switch (opt)
+{INDENT*3}{{
+{switch_cases.getvalue().rstrip()}
+{INDENT*3}}}
+
+{constraint_statements.getvalue().rstrip()}
+{argument_statement}
+
+{INDENT}if (HAVE_OPT(HELP))
+{INDENT*2}{{
+{INDENT*3}USAGE(0);
+{INDENT*2}}}
+
+{INDENT}if (HAVE_OPT(MORE_HELP))
+#ifdef _WIN32
+{INDENT*2}{{
+{INDENT*3}USAGE(0);
+{INDENT*2}}}
+#else /* _WIN32 */
+{INDENT*2}{{
+{INDENT*3}pid_t pid;
+{INDENT*3}int pfds[2];
+
+{INDENT*3}if (pipe (pfds) < 0)
+{INDENT*4}error (EXIT_FAILURE, errno, "pipe");
+
+{INDENT*3}pid = fork ();
+{INDENT*3}if (pid < 0)
+{INDENT*4}error (EXIT_FAILURE, errno, "fork");
+
+{INDENT*3}if (pid == 0)
+{INDENT*4}{{
+{INDENT*5}close (pfds[0]);
+{INDENT*5}dup2 (pfds[1], STDOUT_FILENO);
+{INDENT*5}close (pfds[1]);
+
+{INDENT*5}usage (stdout, 0);
+{INDENT*4}}}
+{INDENT*3}else
+{INDENT*4}{{
+{INDENT*5}const char *args[2];
+{INDENT*5}const char *envvar;
+
+{INDENT*5}close (pfds[1]);
+{INDENT*5}dup2 (pfds[0], STDIN_FILENO);
+{INDENT*5}close (pfds[0]);
+
+{INDENT*5}envvar = secure_getenv ("PAGER");
+{INDENT*5}if (!envvar || *envvar == '\\0')
+{INDENT*6}args[0] = "more";
+{INDENT*5}else
+{INDENT*6}args[0] = envvar;
+
+{INDENT*5}args[1] = NULL;
+
+{INDENT*5}execvp (args[0], (char * const *)args);
+
+{INDENT*5}exit (EXIT_FAILURE);
+{INDENT*4}}}
+{INDENT*2}}}
+#endif /* !_WIN32 */
+
+{INDENT}if (HAVE_OPT(VERSION))
+{INDENT*2}{{
+{INDENT*3}if (!OPT_ARG_VERSION || !strcmp (OPT_ARG_VERSION, "c"))
+{INDENT*4}{{
+{INDENT*5}const char str[] =
+{version_stringified};
+{INDENT*5}fprintf (stdout, "%s", str);
+{INDENT*5}exit(0);
+{INDENT*4}}}
+{INDENT*3}else if (!strcmp (OPT_ARG_VERSION, "v"))
+{INDENT*4}{{
+{INDENT*5}const char str[] =
+{brief_version_stringified};
+{INDENT*5}fprintf (stdout, "%s", str);
+{INDENT*5}exit(0);
+{INDENT*4}}}
+{INDENT*3}else if (!strcmp (OPT_ARG_VERSION, "n"))
+{INDENT*4}{{
+{INDENT*5}const char str[] =
+{full_version_stringified};
+{INDENT*5}fprintf (stdout, "%s", str);
+{INDENT*5}exit(0);
+{INDENT*4}}}
+{INDENT*3}else
+{INDENT*4}{{
+{INDENT*5}error (EXIT_FAILURE, 0,
+{INDENT*5} "version option argument 'a' invalid. Use:\\n"
+{INDENT*5} " 'v' - version only\\n"
+{INDENT*5} " 'c' - version and copyright\\n"
+{INDENT*5} " 'n' - version and full copyright notice");
+{INDENT*4}}}
+{INDENT*2}}}
+
+{INDENT}return optind;
+}}
+
+void
+usage (FILE *out, int status)
+{{
+{INDENT}const char str[] =
+{usage_stringified};
+{INDENT}fprintf (out, "%s", str);
+{INDENT}exit (status);
+}}
+''')
+
+
+def gen_h(meta: Mapping[str, str],
+ options: Sequence[Mapping[str, str]],
+ aliases: Mapping[str, Sequence[str]],
+ outfile: TextIO):
+ struct_members_present = io.StringIO()
+ struct_members_arg = io.StringIO()
+ struct_members_value = io.StringIO()
+ struct_members_enabled = io.StringIO()
+ struct_members_list = io.StringIO()
+ have_opts = io.StringIO()
+ opt_args = io.StringIO()
+ opt_values = io.StringIO()
+ enabled_opts = io.StringIO()
+ stackct_opts = io.StringIO()
+ stacklst_opts = io.StringIO()
+
+ prog_name = meta['prog-name']
+ struct_name = f'{mangle(prog_name)}_opts'
+ global_name = f'{mangle(prog_name)}Options'
+ list_struct_name = f'{mangle(prog_name)}_list'
+
+ for option in options:
+ long_opt = option['long-option']
+ arg_type = option.get('arg-type')
+ lower_opt = mangle(long_opt)
+ upper_opt = lower_opt.upper()
+
+ # aliases are handled differently
+ if 'aliases' in option:
+ continue
+
+ struct_members_present.write(f'{INDENT*2}bool {lower_opt};\n')
+
+ if arg_type:
+ if 'stack-arg' in option:
+ struct_members_list.write(
+ f'{INDENT*2}struct {list_struct_name} {lower_opt};\n'
+ )
+ stackct_opts.write((
+ f'#define STACKCT_OPT_{upper_opt} '
+ f'{global_name}.list.{lower_opt}.count\n'
+ ))
+ stacklst_opts.write((
+ f'#define STACKLST_OPT_{upper_opt} '
+ f'{global_name}.list.{lower_opt}.args\n'
+ ))
+ else:
+ struct_members_arg.write(
+ f'{INDENT*2}const char *{lower_opt};\n'
+ )
+ if arg_type == 'number':
+ struct_members_value.write(f'{INDENT*2}int {lower_opt};\n')
+ opt_values.write((
+ f'#define OPT_VALUE_{upper_opt} '
+ f'{global_name}.value.{lower_opt}\n'
+ ))
+
+ if 'enabled' in option or 'disabled' in option:
+ struct_members_enabled.write(f'{INDENT*2}bool {lower_opt};\n')
+ enabled_opts.write((
+ f'#define ENABLED_OPT_{upper_opt} '
+ f'{global_name}.enabled.{lower_opt}\n'
+ ))
+
+ have_opts.write((
+ f'#define HAVE_OPT_{upper_opt} '
+ f'{global_name}.present.{lower_opt}\n'
+ ))
+ opt_args.write((
+ f'#define OPT_ARG_{upper_opt} '
+ f'{global_name}.arg.{lower_opt}\n'
+ ))
+
+ header_guard = f'{mangle(meta["header"]).upper()}_'
+
+ outfile.write(f'''\
+/* This file is auto-generated from {meta["infile"]}; do not edit */
+#include <stdbool.h>
+#include <stdio.h>
+
+#ifndef {header_guard}
+#define {header_guard} 1
+
+struct {list_struct_name}
+{{
+{INDENT}const char **args;
+{INDENT}unsigned int count;
+}};
+
+struct {struct_name}
+{{
+{INDENT}/* Options present in the command line */
+{INDENT}struct
+{INDENT}{{
+{struct_members_present.getvalue().rstrip()}
+{INDENT}}} present;
+
+{INDENT}/* Option arguments in raw string form */
+{INDENT}struct
+{INDENT}{{
+{struct_members_arg.getvalue().rstrip()}
+{INDENT}}} arg;
+
+{INDENT}/* Option arguments parsed as integer */
+{INDENT}struct
+{INDENT}{{
+{struct_members_value.getvalue().rstrip()}
+{INDENT}}} value;
+
+{INDENT}/* Option arguments parsed as list */
+{INDENT}struct
+{INDENT}{{
+{struct_members_list.getvalue().rstrip()}
+{INDENT}}} list;
+
+{INDENT}/* Option enablement status */
+{INDENT}struct
+{INDENT}{{
+{struct_members_enabled.getvalue().rstrip()}
+{INDENT}}} enabled;
+}};
+
+#define HAVE_OPT(name) HAVE_OPT_ ## name
+#define OPT_ARG(name) OPT_ARG_ ## name
+#define ENABLED_OPT(name) ENABLED_OPT_ ## name
+#define STACKCT_OPT(name) STACKCT_OPT_ ## name
+#define STACKLST_OPT(name) STACKLST_OPT_ ## name
+#define USAGE(status) usage (stdout, (status))
+
+{have_opts.getvalue()}
+{opt_args.getvalue()}
+{opt_values.getvalue()}
+{enabled_opts.getvalue()}
+{stackct_opts.getvalue()}
+{stacklst_opts.getvalue()}
+
+extern struct {struct_name} {global_name};
+int optionProcess(struct {struct_name} *opts, int argc, char **argv);
+void usage (FILE *out, int status);
+
+#endif /* {header_guard} */
+''')
+
+
+def gen(infile: TextIO, meta: Mapping[str, str], c: TextIO, h: TextIO):
+ sections = [jsonopts.Section.from_json(section)
+ for section in json.load(args.json)]
+ sections.append(jsonopts.Section.default())
+ meta = {
+ **meta,
+ **sections[0].meta,
+ **{
+ 'header': os.path.basename(h.name),
+ 'infile': os.path.basename(infile.name)
+ }
+ }
+ options = [option for section in sections for option in section.options]
+ aliases = get_aliases(options)
+ usage = jsonopts.usage(meta, sections)
+ gen_c(meta, options, aliases, usage, c)
+ gen_h(meta, options, aliases, h)
+
+
+if __name__ == '__main__':
+ import argparse
+ import json
+
+ parser = argparse.ArgumentParser(description='generate getopt wrapper')
+ parser.add_argument('json', type=argparse.FileType('r'))
+ parser.add_argument('c', type=argparse.FileType('w'))
+ parser.add_argument('h', type=argparse.FileType('w'))
+ parser.add_argument('--bug-email', help='bug report email address')
+ parser.add_argument('--copyright-year', help='copyright year')
+ parser.add_argument('--copyright-holder', help='copyright holder')
+ parser.add_argument('--license', help='license')
+ parser.add_argument('--version', help='version')
+
+ args = parser.parse_args()
+ meta = dict()
+ if args.bug_email:
+ meta['bug-email'] = args.bug_email
+ if args.copyright_year:
+ meta['copyright-year'] = args.copyright_year
+ if args.copyright_holder:
+ meta['copyright-holder'] = args.copyright_holder
+ if args.license:
+ meta['license'] = args.license
+ if args.version:
+ meta['version'] = args.version
+
+ gen(args.json, meta, args.c, args.h)
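Review bot: The generated `parse_number` returns `long` but the value is stored into an `int` member (`struct_members_value` emits `int`), and the `arg-min`/`arg-max` constraints compare that narrowed `int`, so on LP64 targets an argument such as `--debug 4294967296` is parsed without ERANGE, silently truncated (typically to 0) and passes the 0..9999 range check. Add the bound to the validity test in the template, `if (errno != 0 || (endptr && *endptr != '\\0') || result < INT_MIN || result > INT_MAX)`, which only needs `<limits.h>`, already included by the generated file. In the same function the octal detection uses the digit set `"012345678"`, which should be `"01234567"`, and both `strlen (optarg)` there and `list->args[list->count] = optarg;` in `append_to_list` should use the function's own `arg` parameter rather than the getopt global, otherwise the parameter is dead and the helpers cannot be called with anything else. Finally, `gen()` reads `json.load(args.json)` instead of its `infile` parameter and relies on `json` and `args` only existing under `__main__`; `json.load(infile)` with `import json` at the top would make the function self-contained.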
diff --git a/src/gnutls-cli-debug-options.json b/src/gnutls-cli-debug-options.json
new file mode 100644
index 0000000000..5c286577f8
--- /dev/null
+++ b/src/gnutls-cli-debug-options.json
@@ -0,0 +1,53 @@
+[
+ {
+ "meta": {
+ "argument": "[hostname]",
+ "reorder-args": "",
+ "explain": "",
+ "prog-title": "GnuTLS debug client",
+ "short-usage": "Usage: gnutls-cli-debug [options] hostname\ngnutls-cli --help for usage instructions.\n",
+ "detail": "TLS debug client. It sets up multiple TLS connections to \na server and queries its capabilities. It was created to assist in debugging \nGnuTLS, but it might be useful to extract a TLS server's capabilities.\nIt connects to a TLS server, performs tests and print the server's \ncapabilities. If called with the `-V' parameter more checks will be performed.\nCan be used to check for servers with special needs or bugs.",
+ "prog-desc": "Simple client program to check TLS server capabilities.",
+ "prog-name": "gnutls-cli-debug",
+ "desc": ""
+ },
+ "options": [
+ {
+ "short-option": "d",
+ "detail": "Specifies the debug level.",
+ "arg-max": " 9999",
+ "arg-type": "number",
+ "arg-min": "0 ",
+ "long-option": "debug",
+ "desc": "Enable debugging"
+ },
+ {
+ "max": "NOLIMIT",
+ "disabled": "",
+ "desc": "More verbose output",
+ "short-option": "V",
+ "long-option": "verbose",
+ "detail": ""
+ },
+ {
+ "short-option": "p",
+ "long-option": "port",
+ "arg-min": "0 ",
+ "desc": "The port to connect to",
+ "arg-max": " 65536",
+ "arg-type": "number",
+ "detail": ""
+ },
+ {
+ "aliases": "starttls-proto",
+ "long-option": "app-proto"
+ },
+ {
+ "detail": "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.",
+ "arg-type": "string",
+ "desc": "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)",
+ "long-option": "starttls-proto"
+ }
+ ]
+ }
+] \ No newline at end of file
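Review bot: The `--port` bound `"arg-max": " 65536"` is off by one, since the highest TCP port is 65535; a port of 65536 would pass the generated range check and only fail later at connect time, so the entry should read `"arg-max": "65535",`. The numeric bounds in this file also carry stray whitespace (`"0 "`, `" 9999"`, `" 65536"`), which presumably only works because the generator's integer conversion strips it; the same padded `--debug` bounds recur in gnutls-cli-options.json, gnutls-serv-options.json and ocsptool-options.json and would be safer normalised to `"0"` / `"9999"` once here rather than relying on that behaviour. Separately, the `short-usage` text tells the user to run `gnutls-cli --help` although this file describes gnutls-cli-debug; the line should presumably name `gnutls-cli-debug --help`.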
diff --git a/src/gnutls-cli-options.json b/src/gnutls-cli-options.json
new file mode 100644
index 0000000000..0777e6b198
--- /dev/null
+++ b/src/gnutls-cli-options.json
@@ -0,0 +1,421 @@
+[
+ {
+ "meta": {
+ "detail": "Simple client program to set up a TLS connection to some other computer. \nIt sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.",
+ "prog-desc": "Simple client program to set up a TLS connection.",
+ "explain": "",
+ "short-usage": "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n",
+ "reorder-args": "",
+ "prog-name": "gnutls-cli",
+ "desc": "",
+ "argument": "[hostname]",
+ "prog-title": "GnuTLS client"
+ },
+ "options": [
+ {
+ "short-option": "d",
+ "desc": "Enable debugging",
+ "arg-type": "number",
+ "arg-min": "0 ",
+ "arg-max": " 9999",
+ "detail": "Specifies the debug level.",
+ "long-option": "debug"
+ },
+ {
+ "disabled": "",
+ "long-option": "verbose",
+ "detail": "",
+ "desc": "More verbose output",
+ "short-option": "V",
+ "max": "NOLIMIT"
+ },
+ {
+ "detail": "This option will, in addition to certificate authentication, perform authentication\nbased on previously seen public keys, a model similar to SSH authentication. Note that when tofu \nis specified (PKI) and DANE authentication will become advisory to assist the public key acceptance\nprocess.",
+ "disabled": "",
+ "desc": "Enable trust on first use authentication",
+ "disable-prefix": "no-",
+ "long-option": "tofu"
+ },
+ {
+ "detail": "This option will perform authentication as with option --tofu; however, no questions shall be asked whatsoever, neither to accept an unknown certificate nor a changed one.",
+ "desc": "Fail to connect if a certificate is unknown or a known certificate has changed",
+ "long-option": "strict-tofu",
+ "disabled": "",
+ "disable-prefix": "no-"
+ },
+ {
+ "detail": "This option will, in addition to certificate authentication using \nthe trusted CAs, verify the server certificates using on the DANE information\navailable via DNSSEC.",
+ "desc": "Enable DANE certificate verification (DNSSEC)",
+ "disabled": "",
+ "disable-prefix": "no-",
+ "long-option": "dane"
+ },
+ {
+ "disable-prefix": "no-",
+ "detail": "This option will use the local DNS server for DNSSEC.\nThis is disabled by default due to many servers not allowing DNSSEC.",
+ "desc": "Use the local DNS server for DNSSEC resolving",
+ "long-option": "local-dns",
+ "disabled": ""
+ },
+ {
+ "desc": "Enable CA certificate verification",
+ "detail": "This option can be used to enable or disable CA certificate verification. It is to be used with the --dane or --tofu options.",
+ "disable-prefix": "no-",
+ "enabled": "",
+ "long-option": "ca-verification"
+ },
+ {
+ "desc": "Enable OCSP certificate verification",
+ "detail": "This option will enable verification of the peer's certificate using ocsp",
+ "disable-prefix": "no-",
+ "long-option": "ocsp",
+ "disabled": ""
+ },
+ {
+ "detail": "Connect, establish a session, reconnect and resume.",
+ "desc": "Establish a session and resume",
+ "short-option": "r",
+ "long-option": "resume"
+ },
+ {
+ "desc": "Send early data on resumption from the specified file",
+ "detail": "",
+ "arg-type": "string",
+ "long-option": "earlydata"
+ },
+ {
+ "short-option": "e",
+ "desc": "Establish a session and rehandshake",
+ "long-option": "rehandshake",
+ "detail": "Connect, establish a session and rehandshake immediately."
+ },
+ {
+ "desc": "Server's hostname for server name indication extension",
+ "arg-type": "string",
+ "detail": "Set explicitly the server name used in the TLS server name indication extension. That is useful when testing with servers setup on different DNS name than the intended. If not specified, the provided hostname is used. Even with this option server certificate verification still uses the hostname passed on the main commandline. Use --verify-hostname to change this.",
+ "long-option": "sni-hostname"
+ },
+ {
+ "long-option": "verify-hostname",
+ "desc": "Server's hostname to use for validation",
+ "detail": "Set explicitly the server name to be used when validating the server's certificate.",
+ "arg-type": "string"
+ },
+ {
+ "long-option": "starttls",
+ "desc": "Connect, establish a plain session and start TLS",
+ "detail": "The TLS session will be initiated when EOF or a SIGALRM is received.",
+ "short-option": "s"
+ },
+ {
+ "aliases": "starttls-proto",
+ "long-option": "app-proto"
+ },
+ {
+ "conflicts": "starttls",
+ "arg-type": "string",
+ "desc": "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)",
+ "long-option": "starttls-proto",
+ "detail": "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation."
+ },
+ {
+ "short-option": "u",
+ "desc": "Use DTLS (datagram TLS) over UDP",
+ "long-option": "udp",
+ "detail": ""
+ },
+ {
+ "arg-type": "number",
+ "detail": "",
+ "arg-max": "17000",
+ "long-option": "mtu",
+ "desc": "Set MTU for datagram TLS",
+ "arg-min": "0"
+ },
+ {
+ "detail": "",
+ "long-option": "crlf",
+ "desc": "Send CR LF instead of LF"
+ },
+ {
+ "detail": "",
+ "long-option": "fastopen",
+ "desc": "Enable TCP Fast Open"
+ },
+ {
+ "desc": "Use DER format for certificates to read from",
+ "long-option": "x509fmtder",
+ "detail": ""
+ },
+ {
+ "desc": "Print peer's certificate in PEM format",
+ "long-option": "print-cert",
+ "detail": ""
+ },
+ {
+ "desc": "Save the peer's certificate chain in the specified file in PEM format",
+ "long-option": "save-cert",
+ "detail": "",
+ "arg-type": "string"
+ },
+ {
+ "detail": "",
+ "conflicts": "save-ocsp-multi",
+ "long-option": "save-ocsp",
+ "desc": "Save the peer's OCSP status response in the provided file",
+ "arg-type": "string"
+ },
+ {
+ "arg-type": "string",
+ "detail": "The file will contain a list of PEM encoded OCSP status responses if any were provided by the peer, starting with the one for the peer's server certificate.",
+ "long-option": "save-ocsp-multi",
+ "desc": "Save all OCSP responses provided by the peer in this file",
+ "conflicts": "save-ocsp"
+ },
+ {
+ "long-option": "save-server-trace",
+ "desc": "Save the server-side TLS message trace in the provided file",
+ "detail": "",
+ "arg-type": "string"
+ },
+ {
+ "arg-type": "string",
+ "desc": "Save the client-side TLS message trace in the provided file",
+ "detail": "",
+ "long-option": "save-client-trace"
+ },
+ {
+ "long-option": "dh-bits",
+ "arg-type": "number",
+ "detail": "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.",
+ "desc": "The minimum number of bits allowed for DH"
+ },
+ {
+ "arg-type": "string",
+ "long-option": "priority",
+ "desc": "Priorities string",
+ "detail": "TLS algorithms and protocols to enable. You can\nuse predefined sets of ciphersuites such as PERFORMANCE,\nNORMAL, PFS, SECURE128, SECURE256. The default is NORMAL.\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on the allowed keywords"
+ },
+ {
+ "detail": "",
+ "desc": "Certificate file or PKCS #11 URL to use",
+ "arg-type": "string",
+ "long-option": "x509cafile"
+ },
+ {
+ "arg-type": "file",
+ "file-exists": "yes",
+ "long-option": "x509crlfile",
+ "detail": "",
+ "desc": "CRL file to use"
+ },
+ {
+ "detail": "",
+ "arg-type": "string",
+ "desc": "X.509 key file or PKCS #11 URL to use",
+ "long-option": "x509keyfile"
+ },
+ {
+ "arg-type": "string",
+ "requires": "x509keyfile",
+ "long-option": "x509certfile",
+ "desc": "X.509 Certificate file or PKCS #11 URL to use",
+ "detail": ""
+ },
+ {
+ "desc": "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use",
+ "arg-type": "string",
+ "long-option": "rawpkkeyfile",
+ "detail": "In order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types."
+ },
+ {
+ "requires": "rawpkkeyfile",
+ "detail": "In order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types.",
+ "desc": "Raw public-key file to use",
+ "long-option": "rawpkfile",
+ "arg-type": "string"
+ },
+ {
+ "desc": "SRP username to use",
+ "detail": "",
+ "arg-type": "string",
+ "long-option": "srpusername"
+ },
+ {
+ "arg-type": "string",
+ "detail": "",
+ "desc": "SRP password to use",
+ "long-option": "srppasswd"
+ },
+ {
+ "desc": "PSK username to use",
+ "arg-type": "string",
+ "detail": "",
+ "long-option": "pskusername"
+ },
+ {
+ "arg-type": "string",
+ "long-option": "pskkey",
+ "desc": "PSK key (in hex) to use",
+ "detail": ""
+ },
+ {
+ "arg-type": "string",
+ "short-option": "p",
+ "detail": "",
+ "desc": "The port or service to connect to",
+ "long-option": "port"
+ },
+ {
+ "long-option": "insecure",
+ "detail": "",
+ "desc": "Don't abort program if server certificate can't be validated"
+ },
+ {
+ "desc": "Allow broken algorithms, such as MD5 for certificate verification",
+ "detail": "",
+ "long-option": "verify-allow-broken"
+ },
+ {
+ "desc": "Use length-hiding padding to prevent traffic analysis",
+ "deprecated": "",
+ "long-option": "ranges",
+ "detail": "When possible (e.g., when using CBC ciphersuites), use length-hiding padding to prevent traffic analysis."
+ },
+ {
+ "long-option": "benchmark-ciphers",
+ "detail": "By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1.",
+ "desc": "Benchmark individual ciphers"
+ },
+ {
+ "long-option": "benchmark-tls-kx",
+ "detail": "",
+ "desc": "Benchmark TLS key exchange methods"
+ },
+ {
+ "long-option": "benchmark-tls-ciphers",
+ "desc": "Benchmark TLS ciphers",
+ "detail": "By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1."
+ },
+ {
+ "long-option": "list",
+ "desc": "Print a list of the supported algorithms and modes",
+ "short-option": "l",
+ "detail": "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.",
+ "conflicts": "port"
+ },
+ {
+ "desc": "Print a list of the supported priority strings",
+ "detail": "Print a list of the supported priority strings. The ciphersuites corresponding to each priority string can be examined using -l -p.",
+ "long-option": "priority-list"
+ },
+ {
+ "detail": "Disable the request of receiving of session tickets under TLS1.2 or earlier",
+ "long-option": "noticket",
+ "desc": "Don't allow session tickets"
+ },
+ {
+ "arg-type": "string",
+ "long-option": "srtp-profiles",
+ "desc": "Offer SRTP profiles",
+ "detail": ""
+ },
+ {
+ "arg-type": "string",
+ "stack-arg": "",
+ "desc": "Application layer protocol",
+ "long-option": "alpn",
+ "detail": "This option will set and enable the Application Layer Protocol Negotiation (ALPN) in the TLS protocol.",
+ "max": "NOLIMIT"
+ },
+ {
+ "detail": "",
+ "long-option": "heartbeat",
+ "short-option": "b",
+ "desc": "Activate heartbeat support"
+ },
+ {
+ "arg-max": "4096",
+ "arg-min": "0",
+ "long-option": "recordsize",
+ "detail": "",
+ "arg-type": "number",
+ "desc": "The maximum record size to advertise"
+ },
+ {
+ "detail": "",
+ "long-option": "disable-sni",
+ "desc": "Do not send a Server Name Indication (SNI)"
+ },
+ {
+ "desc": "Disable all the TLS extensions",
+ "detail": "This option disables all TLS extensions. Deprecated option. Use the priority string.",
+ "long-option": "disable-extensions",
+ "deprecated": ""
+ },
+ {
+ "detail": "This option switches the default mode of sending multiple\nkey shares, to send a single one (the top one).",
+ "desc": "Send a single key share under TLS1.3",
+ "long-option": "single-key-share"
+ },
+ {
+ "detail": "This option enables post-handshake authentication when under TLS1.3.",
+ "long-option": "post-handshake-auth",
+ "desc": "Enable post-handshake authentication under TLS1.3"
+ },
+ {
+ "desc": "Inline commands of the form ^<cmd>^",
+ "long-option": "inline-commands",
+ "detail": "Enable inline commands of the form ^<cmd>^. The inline commands are expected to be in a line by themselves. The available commands are: resume, rekey1 (local rekey), rekey (rekey on both peers) and renegotiate."
+ },
+ {
+ "long-option": "inline-commands-prefix",
+ "arg-type": "string",
+ "detail": "Change the default delimiter (^) used for inline commands. The delimiter is expected to be a single US-ASCII character (octets 0 - 127). This option is only relevant if inline commands are enabled via the inline-commands option",
+ "desc": "Change the default delimiter for inline commands."
+ },
+ {
+ "long-option": "provider",
+ "file-exists": "yes",
+ "arg-type": "file",
+ "desc": "Specify the PKCS #11 provider library",
+ "detail": "This will override the default options in /etc/gnutls/pkcs11.conf"
+ },
+ {
+ "detail": "",
+ "long-option": "fips140-mode",
+ "desc": "Reports the status of the FIPS140-2 mode in gnutls library"
+ },
+ {
+ "desc": "Redirect informational messages to a specific file.",
+ "arg-type": "string",
+ "long-option": "logfile",
+ "detail": "Redirect informational messages to a specific file. The file may be /dev/null also to make the gnutls client quiet to use it in piped server connections where only the server communication may appear on stdout."
+ },
+ {
+ "detail": "",
+ "desc": "Label used for exporting keying material",
+ "arg-type": "string",
+ "long-option": "keymatexport"
+ },
+ {
+ "detail": "",
+ "arg-type": "number",
+ "long-option": "keymatexportsize",
+ "desc": "Size of the exported keying material"
+ },
+ {
+ "long-option": "waitresumption",
+ "desc": "Block waiting for the resumption data under TLS1.3",
+ "detail": "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided."
+ },
+ {
+ "long-option": "ca-auto-retrieve",
+ "disabled": "",
+ "disable-prefix": "no-",
+ "desc": "Enable automatic retrieval of missing CA certificates",
+ "detail": "This option enables the client to automatically retrieve the missing intermediate CA certificates in the certificate chain, based on the Authority Information Access (AIA) extension."
+ }
+ ]
+ }
+] \ No newline at end of file
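Review bot: `--insecure` and `--verify-allow-broken` both ship with an empty `"detail"`, so the generated help and manual will give no explanation for the two options that weaken server certificate validation, while far less consequential options such as `--benchmark-ciphers` get a full paragraph. For `--insecure` I would add `"detail": "Continue the connection even if the server certificate cannot be validated. Intended for testing and debugging only."`, and for `--verify-allow-broken` something like `"detail": "Accept certificates signed with broken algorithms (e.g. MD5) during verification. Intended for testing only."`. The `--inline-commands-prefix` detail states the delimiter must be a single US-ASCII character, but nothing in this description enforces that, so it is worth confirming the C side validates it, as this file cannot.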
diff --git a/src/gnutls-serv-options.json b/src/gnutls-serv-options.json
new file mode 100644
index 0000000000..ef074385b0
--- /dev/null
+++ b/src/gnutls-serv-options.json
@@ -0,0 +1,332 @@
+[
+ {
+ "meta": {
+ "desc": "",
+ "prog-desc": "Simple server program to act as an HTTPS or TLS echo service.",
+ "explain": "",
+ "short-usage": "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n",
+ "detail": "Server program that listens to incoming TLS connections.",
+ "prog-name": "gnutls-serv",
+ "prog-title": "GnuTLS server"
+ },
+ "options": [
+ {
+ "arg-type": "number",
+ "arg-max": " 9999",
+ "arg-min": "0 ",
+ "short-option": "d",
+ "detail": "Specifies the debug level.",
+ "long-option": "debug",
+ "desc": "Enable debugging"
+ },
+ {
+ "arg-type": "string",
+ "detail": "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.",
+ "desc": "Server's hostname for server name extension",
+ "long-option": "sni-hostname"
+ },
+ {
+ "long-option": "sni-hostname-fatal",
+ "desc": "Send fatal alert on sni-hostname mismatch",
+ "detail": ""
+ },
+ {
+ "max": "NOLIMIT",
+ "detail": "Specify the (textual) ALPN protocol for the server to use.",
+ "desc": "Specify ALPN protocol to be enabled by the server",
+ "long-option": "alpn",
+ "arg-type": "string",
+ "stack-arg": ""
+ },
+ {
+ "detail": "",
+ "long-option": "alpn-fatal",
+ "desc": "Send fatal alert on non-matching ALPN name"
+ },
+ {
+ "desc": "Don't accept session tickets",
+ "detail": "",
+ "long-option": "noticket"
+ },
+ {
+ "detail": "",
+ "long-option": "earlydata",
+ "desc": "Accept early data"
+ },
+ {
+ "arg-type": "number",
+ "desc": "The maximum early data size to accept",
+ "detail": "",
+ "arg-max": "",
+ "long-option": "maxearlydata",
+ "arg-min": "1"
+ },
+ {
+ "long-option": "nocookie",
+ "detail": "",
+ "desc": "Don't require cookie on DTLS sessions"
+ },
+ {
+ "detail": "",
+ "long-option": "generate",
+ "short-option": "g",
+ "desc": "Generate Diffie-Hellman parameters"
+ },
+ {
+ "short-option": "q",
+ "desc": "Suppress some messages",
+ "long-option": "quiet",
+ "detail": ""
+ },
+ {
+ "long-option": "nodb",
+ "desc": "Do not use a resumption database",
+ "detail": ""
+ },
+ {
+ "desc": "Act as an HTTP server",
+ "long-option": "http",
+ "detail": ""
+ },
+ {
+ "desc": "Act as an Echo server",
+ "detail": "",
+ "long-option": "echo"
+ },
+ {
+ "long-option": "crlf",
+ "desc": "Do not replace CRLF by LF in Echo server mode",
+ "detail": ""
+ },
+ {
+ "desc": "Use DTLS (datagram TLS) over UDP",
+ "short-option": "u",
+ "long-option": "udp",
+ "detail": ""
+ },
+ {
+ "arg-type": "number",
+ "desc": "Set MTU for datagram TLS",
+ "arg-min": "0",
+ "detail": "",
+ "arg-max": "17000",
+ "long-option": "mtu"
+ },
+ {
+ "detail": "",
+ "long-option": "srtp-profiles",
+ "desc": "Offer SRTP profiles",
+ "arg-type": "string"
+ },
+ {
+ "desc": "Do not request a client certificate",
+ "short-option": "a",
+ "conflicts": "require-client-cert",
+ "detail": "",
+ "long-option": "disable-client-cert"
+ },
+ {
+ "disabled": "",
+ "detail": "This option before 3.6.0 used to imply --verify-client-cert.\nSince 3.6.0 it will no longer verify the certificate by default.",
+ "long-option": "require-client-cert",
+ "desc": "Require a client certificate",
+ "short-option": "r"
+ },
+ {
+ "disabled": "",
+ "desc": "If a client certificate is sent then verify it.",
+ "detail": "Do not require, but if a client certificate is sent then verify it and close the connection if invalid.",
+ "long-option": "verify-client-cert"
+ },
+ {
+ "long-option": "heartbeat",
+ "desc": "Activate heartbeat support",
+ "detail": "Regularly ping client via heartbeat extension messages",
+ "short-option": "b"
+ },
+ {
+ "desc": "Use DER format for certificates to read from",
+ "detail": "",
+ "long-option": "x509fmtder"
+ },
+ {
+ "detail": "TLS algorithms and protocols to enable. You can\nuse predefined sets of ciphersuites such as PERFORMANCE,\nNORMAL, SECURE128, SECURE256. The default is NORMAL.\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on allowed keywords",
+ "arg-type": "string",
+ "long-option": "priority",
+ "desc": "Priorities string"
+ },
+ {
+ "detail": "",
+ "long-option": "dhparams",
+ "arg-type": "file",
+ "file-exists": "yes",
+ "desc": "DH params file to use"
+ },
+ {
+ "arg-type": "string",
+ "desc": "Certificate file or PKCS #11 URL to use",
+ "detail": "",
+ "long-option": "x509cafile"
+ },
+ {
+ "desc": "CRL file to use",
+ "detail": "",
+ "arg-type": "file",
+ "file-exists": "yes",
+ "long-option": "x509crlfile"
+ },
+ {
+ "detail": "",
+ "deprecated": "",
+ "long-option": "pgpkeyfile",
+ "file-exists": "yes",
+ "desc": "PGP Key file to use",
+ "arg-type": "file"
+ },
+ {
+ "stack-arg": "",
+ "max": "NOLIMIT",
+ "long-option": "x509keyfile",
+ "detail": "Specify the private key file or URI to use; it must correspond to\nthe certificate specified in --x509certfile. Multiple keys and certificates\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding x509certfile or vice-versa.",
+ "desc": "X.509 key file or PKCS #11 URL to use",
+ "arg-type": "string"
+ },
+ {
+ "detail": "Specify the certificate file or URI to use; it must correspond to\nthe key specified in --x509keyfile. Multiple keys and certificates\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding x509certfile or vice-versa.",
+ "arg-type": "string",
+ "stack-arg": "",
+ "max": "NOLIMIT",
+ "long-option": "x509certfile",
+ "desc": "X.509 Certificate file or PKCS #11 URL to use"
+ },
+ {
+ "aliases": "x509keyfile",
+ "long-option": "x509dsakeyfile",
+ "desc": "Alternative X.509 key file or PKCS #11 URL to use",
+ "deprecated": ""
+ },
+ {
+ "long-option": "x509dsacertfile",
+ "desc": "Alternative X.509 Certificate file or PKCS #11 URL to use",
+ "deprecated": "",
+ "aliases": "x509certfile"
+ },
+ {
+ "deprecated": "",
+ "long-option": "x509ecckeyfile",
+ "aliases": "x509keyfile",
+ "desc": "Alternative X.509 key file or PKCS #11 URL to use"
+ },
+ {
+ "desc": "Alternative X.509 Certificate file or PKCS #11 URL to use",
+ "aliases": "x509certfile",
+ "deprecated": "",
+ "long-option": "x509ecccertfile"
+ },
+ {
+ "stack-arg": "",
+ "long-option": "rawpkkeyfile",
+ "max": "NOLIMIT",
+ "desc": "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use",
+ "arg-type": "string",
+ "detail": "Specify the private key file or URI to use; it must correspond to\nthe raw public-key specified in --rawpkfile. Multiple key pairs\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding rawpkfile or vice-versa.\n\nIn order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types."
+ },
+ {
+ "detail": "Specify the raw public-key file to use; it must correspond to\nthe private key specified in --rawpkkeyfile. Multiple key pairs\ncan be specified with this option and in that case each occurrence of keyfile\nmust be followed by the corresponding rawpkfile or vice-versa.\n\nIn order to instruct the application to negotiate raw public keys one\nmust enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*\nand CTYPE-SRV-* flags).\n\nCheck the GnuTLS manual on section ``Priority strings'' for more\ninformation on how to set certificate types.",
+ "requires": "rawpkkeyfile",
+ "desc": "Raw public-key file to use",
+ "stack-arg": "",
+ "max": "NOLIMIT",
+ "long-option": "rawpkfile",
+ "arg-type": "string"
+ },
+ {
+ "detail": "",
+ "desc": "SRP password file to use",
+ "long-option": "srppasswd",
+ "file-exists": "yes",
+ "arg-type": "file"
+ },
+ {
+ "desc": "SRP password configuration file to use",
+ "long-option": "srppasswdconf",
+ "file-exists": "yes",
+ "arg-type": "file",
+ "detail": ""
+ },
+ {
+ "detail": "",
+ "file-exists": "yes",
+ "desc": "PSK password file to use",
+ "arg-type": "file",
+ "long-option": "pskpasswd"
+ },
+ {
+ "arg-type": "string",
+ "desc": "PSK identity hint to use",
+ "detail": "",
+ "long-option": "pskhint"
+ },
+ {
+ "desc": "The OCSP response to send to client",
+ "max": "NOLIMIT",
+ "detail": "If the client requested an OCSP response, return data from this file to the client.",
+ "long-option": "ocsp-response",
+ "stack-arg": "",
+ "arg-type": "string"
+ },
+ {
+ "long-option": "ignore-ocsp-response-errors",
+ "desc": "Ignore any errors when setting the OCSP response",
+ "detail": "That option instructs gnutls to not attempt to match the provided OCSP responses with the certificates."
+ },
+ {
+ "desc": "The port to connect to",
+ "detail": "",
+ "arg-type": "number",
+ "short-option": "p",
+ "long-option": "port"
+ },
+ {
+ "desc": "Print a list of the supported algorithms and modes",
+ "detail": "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.",
+ "short-option": "l",
+ "long-option": "list"
+ },
+ {
+ "desc": "Specify the PKCS #11 provider library",
+ "file-exists": "yes",
+ "arg-type": "file",
+ "detail": "This will override the default options in /etc/gnutls/pkcs11.conf",
+ "long-option": "provider"
+ },
+ {
+ "arg-type": "string",
+ "long-option": "keymatexport",
+ "detail": "",
+ "desc": "Label used for exporting keying material"
+ },
+ {
+ "desc": "Size of the exported keying material",
+ "long-option": "keymatexportsize",
+ "arg-type": "number",
+ "detail": ""
+ },
+ {
+ "desc": "The maximum record size to advertise",
+ "arg-max": "16384",
+ "arg-type": "number",
+ "detail": "",
+ "long-option": "recordsize",
+ "arg-min": "0"
+ },
+ {
+ "detail": "",
+ "arg-type": "file",
+ "long-option": "httpdata",
+ "file-exists": "yes",
+ "desc": "The data used as HTTP response"
+ }
+ ]
+ }
+] \ No newline at end of file
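Review bot: `--maxearlydata` is declared with `"arg-min": "1"` but an empty `"arg-max": ""`, unlike every other bounded number option in this file, which gives both limits or neither; how gen-getopt.py treats an empty bound is not visible here, so it may emit an unusable range check or fail to convert the value. Either drop the `"arg-max"` key so the option is simply unbounded above, or give it an explicit value. The `--port` option here also carries no range at all (`"arg-type": "number"` with no `arg-min`/`arg-max`), whereas gnutls-cli-debug bounds its port; for consistency it could take `"arg-min": "0", "arg-max": "65535"`.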
diff --git a/src/ocsptool-options.json b/src/ocsptool-options.json
new file mode 100644
index 0000000000..f3b4116190
--- /dev/null
+++ b/src/ocsptool-options.json
@@ -0,0 +1,164 @@
+[
+ {
+ "meta": {
+ "explain": "",
+ "prog-title": "GnuTLS OCSP tool",
+ "desc": "",
+ "prog-name": "ocsptool",
+ "detail": "ocsptool is a program that can parse and print information about\nOCSP requests/responses, generate requests and verify responses. Unlike\nother GnuTLS applications it outputs DER encoded structures by default\nunless the '--outpem' option is specified.",
+ "short-usage": "ocsptool [options]\nocsptool --help for usage instructions.\n",
+ "prog-desc": "Program to handle OCSP request/responses."
+ },
+ "options": [
+ {
+ "arg-type": "number",
+ "arg-min": "0 ",
+ "desc": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "short-option": "d",
+ "arg-max": " 9999",
+ "long-option": "debug"
+ },
+ {
+ "desc": "More verbose output",
+ "detail": "",
+ "short-option": "V",
+ "long-option": "verbose",
+ "disabled": "",
+ "max": "NOLIMIT"
+ },
+ {
+ "long-option": "infile",
+ "arg-type": "file",
+ "desc": "Input file",
+ "file-exists": "yes",
+ "detail": ""
+ },
+ {
+ "arg-type": "string",
+ "long-option": "outfile",
+ "desc": "Output file",
+ "detail": ""
+ },
+ {
+ "arg-type": "string",
+ "detail": "Connects to the specified HTTP OCSP server and queries on the validity of the loaded certificate.\nIts argument can be a URL or a plain server name. It can be combined with --load-chain, where it checks\nall certificates in the provided chain, or with --load-cert and\n--load-issuer options. The latter checks the provided certificate\nagainst its specified issuer certificate.",
+ "long-option": "ask",
+ "arg-name": "server name|url",
+ "arg-optional": "",
+ "desc": "Ask an OCSP/HTTP server on a certificate validity"
+ },
+ {
+ "long-option": "verify-response",
+ "desc": "Verify response",
+ "detail": "Verifies the provided OCSP response against the system trust\nanchors (unless --load-trust is provided). It requires the --load-signer\nor --load-chain options to obtain the signer of the OCSP response.",
+ "short-option": "e"
+ },
+ {
+ "long-option": "request-info",
+ "short-option": "i",
+ "desc": "Print information on a OCSP request",
+ "detail": "Display detailed information on the provided OCSP request."
+ },
+ {
+ "desc": "Print information on a OCSP response",
+ "detail": "Display detailed information on the provided OCSP response.",
+ "short-option": "j",
+ "long-option": "response-info"
+ },
+ {
+ "detail": "",
+ "desc": "Generates an OCSP request",
+ "short-option": "q",
+ "long-option": "generate-request"
+ },
+ {
+ "disabled": "yes",
+ "detail": "",
+ "long-option": "nonce",
+ "disable-prefix": "no-",
+ "desc": "Use (or not) a nonce to OCSP request"
+ },
+ {
+ "file-exists": "yes",
+ "desc": "Reads a set of certificates forming a chain from file",
+ "detail": "",
+ "arg-type": "file",
+ "long-option": "load-chain"
+ },
+ {
+ "desc": "Reads issuer's certificate from file",
+ "long-option": "load-issuer",
+ "detail": "",
+ "file-exists": "yes",
+ "arg-type": "file"
+ },
+ {
+ "desc": "Reads the certificate to check from file",
+ "file-exists": "yes",
+ "arg-type": "file",
+ "detail": "",
+ "long-option": "load-cert"
+ },
+ {
+ "long-option": "load-trust",
+ "detail": "When verifying an OCSP response read the trust anchors from the\nprovided file. When this is not provided, the system's trust anchors will be\nused.",
+ "arg-type": "file",
+ "file-exists": "yes",
+ "desc": "Read OCSP trust anchors from file",
+ "conflicts": "load-signer"
+ },
+ {
+ "long-option": "load-signer",
+ "arg-type": "file",
+ "file-exists": "yes",
+ "conflicts": "load-trust",
+ "detail": "",
+ "desc": "Reads the OCSP response signer from file"
+ },
+ {
+ "long-option": "inder",
+ "disable-prefix": "no-",
+ "detail": "",
+ "desc": "Use DER format for input certificates and private keys",
+ "disabled": ""
+ },
+ {
+ "detail": "The output will be in DER encoded format. Unlike other GnuTLS tools, this is the default for this tool",
+ "long-option": "outder",
+ "desc": "Use DER format for output of responses (this is the default)"
+ },
+ {
+ "long-option": "outpem",
+ "desc": "Use PEM format for output of responses",
+ "detail": "The output will be in PEM format."
+ },
+ {
+ "file-exists": "yes",
+ "detail": "",
+ "short-option": "Q",
+ "arg-type": "file",
+ "long-option": "load-request",
+ "desc": "Reads the DER encoded OCSP request from file"
+ },
+ {
+ "detail": "",
+ "file-exists": "yes",
+ "long-option": "load-response",
+ "arg-type": "file",
+ "short-option": "S",
+ "desc": "Reads the DER encoded OCSP response from file"
+ },
+ {
+ "desc": "Ignore any verification errors",
+ "long-option": "ignore-errors",
+ "detail": ""
+ },
+ {
+ "detail": "This can be combined with --verify-response.",
+ "long-option": "verify-allow-broken",
+ "desc": "Allow broken algorithms, such as MD5 for verification"
+ }
+ ]
+ }
+] \ No newline at end of file
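Review bot: `--nonce` uses `"disabled": "yes"`, while every other default-off toggle in these files (`--verbose`, `--inder`, and the gnutls-cli options) uses `"disabled": ""`. Whether the generator tests key presence or the value is not visible in this chunk; if it compares the value, this one option would be treated differently from its siblings, so the entry should be `"disabled": "",` to match. `--ignore-errors` also has an empty `"detail"`, so the help text will not say which verification errors it ignores; a one-line detail such as `"detail": "Continue and print the result even when verification of the OCSP response fails."` would make its effect explicit.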
diff --git a/src/ocsptool.c b/src/ocsptool.c
index a963de039a..8e558dfb83 100644
--- a/src/ocsptool.c
+++ b/src/ocsptool.c
@@ -39,7 +39,7 @@
#include <minmax.h>
#include <ocsptool-common.h>
-#include <ocsptool-args.h>
+#include "ocsptool-options.h"
#include "certtool-common.h"
FILE *outfile;
diff --git a/src/p11tool-options.json b/src/p11tool-options.json
new file mode 100644
index 0000000000..22be3edde0
--- /dev/null
+++ b/src/p11tool-options.json
@@ -0,0 +1,452 @@
+[
+ {
+ "meta": {
+ "explain": "",
+ "short-usage": "p11tool [options] [url]\np11tool --help for usage instructions.\n",
+ "desc": "",
+ "prog-name": "p11tool",
+ "prog-desc": "Program to handle PKCS #11 smart cards and security modules.\n",
+ "detail": "Program that allows operations on PKCS #11 smart cards\nand security modules. \n\nTo use PKCS #11 tokens with GnuTLS the p11-kit configuration files need to be setup.\nThat is create a .module file in /etc/pkcs11/modules with the contents 'module: /path/to/pkcs11.so'.\nAlternatively the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number\nof lines of the form 'load=/usr/lib/opensc-pkcs11.so'.\n\nYou can provide the PIN to be used for the PKCS #11 operations with the environment variables\nGNUTLS_PIN and GNUTLS_SO_PIN.\n",
+ "reorder-args": "",
+ "argument": "[url]",
+ "prog-title": "GnuTLS PKCS #11 tool"
+ },
+ "options": []
+ },
+ {
+ "meta": {
+ "desc": "Tokens",
+ "id": "token-related-options"
+ },
+ "options": [
+ {
+ "long-option": "list-tokens",
+ "detail": "",
+ "desc": "List all available tokens"
+ },
+ {
+ "desc": "List the URLs available tokens",
+ "detail": "This is a more compact version of --list-tokens.",
+ "long-option": "list-token-urls"
+ },
+ {
+ "detail": "",
+ "desc": "List all available mechanisms in a token",
+ "long-option": "list-mechanisms"
+ },
+ {
+ "long-option": "initialize",
+ "desc": "Initializes a PKCS #11 token",
+ "detail": ""
+ },
+ {
+ "desc": "Initializes/Resets a PKCS #11 token user PIN",
+ "detail": "",
+ "long-option": "initialize-pin"
+ },
+ {
+ "long-option": "initialize-so-pin",
+ "detail": "This initializes the security officer's PIN. When used non-interactively use the GNUTLS_NEW_SO_PIN\nenvironment variables to initialize SO's PIN.",
+ "desc": "Initializes/Resets a PKCS #11 token security officer PIN."
+ },
+ {
+ "arg-type": "string",
+ "detail": "Alternatively the GNUTLS_PIN environment variable may be used.",
+ "desc": "Specify the PIN to use on token operations",
+ "long-option": "set-pin"
+ },
+ {
+ "desc": "Specify the Security Officer's PIN to use on token initialization",
+ "detail": "Alternatively the GNUTLS_SO_PIN environment variable may be used.",
+ "long-option": "set-so-pin",
+ "arg-type": "string"
+ }
+ ]
+ },
+ {
+ "meta": {
+ "desc": "Object listing",
+ "id": "object-list-related-options"
+ },
+ "options": [
+ {
+ "long-option": "list-all",
+ "detail": "All objects available in the token will be listed. That includes\nobjects which are potentially unaccessible using this tool.",
+ "desc": "List all available objects in a token"
+ },
+ {
+ "detail": "That option will also provide more information on the\ncertificates, for example, expand the attached extensions in a trust\ntoken (like p11-kit-trust).",
+ "desc": "List all available certificates in a token",
+ "long-option": "list-all-certs"
+ },
+ {
+ "detail": "That option will only display certificates which have a private\nkey associated with them (share the same ID).",
+ "long-option": "list-certs",
+ "desc": "List all certificates that have an associated private key"
+ },
+ {
+ "long-option": "list-all-privkeys",
+ "detail": "Lists all the private keys in a token that match the specified URL.",
+ "desc": "List all available private keys in a token"
+ },
+ {
+ "aliases": "list-all-privkeys",
+ "long-option": "list-privkeys"
+ },
+ {
+ "aliases": "list-all-privkeys",
+ "long-option": "list-keys"
+ },
+ {
+ "detail": "",
+ "desc": "List all available certificates marked as trusted",
+ "long-option": "list-all-trusted"
+ },
+ {
+ "detail": "",
+ "conflicts": "export-stapled export-chain export-pubkey",
+ "long-option": "export",
+ "desc": "Export the object specified by the URL"
+ },
+ {
+ "desc": "Export the certificate object specified by the URL",
+ "detail": "Exports the certificate specified by the URL while including any attached extensions to it.\nSince attached extensions are a p11-kit extension, this option is only\navailable on p11-kit registered trust modules.",
+ "conflicts": "export export-chain export-pubkey",
+ "long-option": "export-stapled"
+ },
+ {
+ "conflicts": "export-stapled export export-pubkey",
+ "desc": "Export the certificate specified by the URL and its chain of trust",
+ "detail": "Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module.",
+ "long-option": "export-chain"
+ },
+ {
+ "desc": "Export the public key for a private key",
+ "conflicts": "export-stapled export export-chain",
+ "long-option": "export-pubkey",
+ "detail": "Exports the public key for the specified private key"
+ },
+ {
+ "long-option": "info",
+ "detail": "",
+ "desc": "List information on an available object in a token"
+ },
+ {
+ "aliases": "mark-trusted",
+ "long-option": "trusted"
+ },
+ {
+ "aliases": "mark-distrusted",
+ "long-option": "distrusted"
+ }
+ ]
+ },
+ {
+ "meta": {
+ "desc": "Key generation",
+ "id": "keygen-related-options"
+ },
+ "options": [
+ {
+ "desc": "Generate private-public key pair of given type",
+ "arg-type": "string",
+ "detail": "Generates a private-public key pair in the specified token.\nAcceptable types are RSA, ECDSA, Ed25519, and DSA. Should be combined with --sec-param or --bits.",
+ "long-option": "generate-privkey"
+ },
+ {
+ "desc": "Generate an RSA private-public key pair",
+ "long-option": "generate-rsa",
+ "detail": "Generates an RSA private-public key pair on the specified token.\nShould be combined with --sec-param or --bits.",
+ "deprecated": ""
+ },
+ {
+ "deprecated": "",
+ "desc": "Generate a DSA private-public key pair",
+ "detail": "Generates a DSA private-public key pair on the specified token.\nShould be combined with --sec-param or --bits.",
+ "long-option": "generate-dsa"
+ },
+ {
+ "deprecated": "",
+ "desc": "Generate an ECDSA private-public key pair",
+ "long-option": "generate-ecc",
+ "detail": "Generates an ECDSA private-public key pair on the specified token.\nShould be combined with --curve, --sec-param or --bits."
+ },
+ {
+ "desc": "Specify the number of bits for the key generate",
+ "detail": "For applications which have no key-size restrictions the\n--sec-param option is recommended, as the sec-param levels will adapt\nto the acceptable security levels with the new versions of gnutls.",
+ "long-option": "bits",
+ "arg-type": "number"
+ },
+ {
+ "detail": "Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.",
+ "long-option": "curve",
+ "arg-type": "string",
+ "desc": "Specify the curve used for EC key generation"
+ },
+ {
+ "long-option": "sec-param",
+ "desc": "Specify the security level",
+ "detail": "This is alternative to the bits option. Available options are [low, legacy, medium, high, ultra].",
+ "arg-name": "Security parameter",
+ "arg-type": "string"
+ }
+ ]
+ },
+ {
+ "meta": {
+ "desc": "Writing objects",
+ "id": "write-object-related-options"
+ },
+ "options": [
+ {
+ "conflicts": "write",
+ "arg-type": "string",
+ "long-option": "set-id",
+ "desc": "Set the CKA_ID (in hex) for the specified by the URL object",
+ "detail": "Modifies or sets the CKA_ID in the specified by the URL object. The ID should be specified in hexadecimal format without a '0x' prefix."
+ },
+ {
+ "long-option": "set-label",
+ "desc": "Set the CKA_LABEL for the specified by the URL object",
+ "detail": "Modifies or sets the CKA_LABEL in the specified by the URL object",
+ "conflicts": "write set-id",
+ "arg-type": "string"
+ },
+ {
+ "long-option": "write",
+ "desc": "Writes the loaded objects to a PKCS #11 token",
+ "detail": "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.\n\nWhen writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand."
+ },
+ {
+ "long-option": "delete",
+ "desc": "Deletes the objects matching the given PKCS #11 URL",
+ "detail": ""
+ },
+ {
+ "arg-type": "string",
+ "detail": "",
+ "long-option": "label",
+ "desc": "Sets a label for the write operation"
+ },
+ {
+ "desc": "Sets an ID for the write operation",
+ "detail": "Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a '0x' prefix.",
+ "arg-type": "string",
+ "long-option": "id"
+ },
+ {
+ "detail": "Marks the generated key with the CKA_WRAP flag.",
+ "long-option": "mark-wrap",
+ "disabled": "",
+ "disable-prefix": "no-",
+ "desc": "Marks the generated key to be a wrapping key"
+ },
+ {
+ "disabled": "",
+ "long-option": "mark-trusted",
+ "disable-prefix": "no-",
+ "conflicts": "mark-distrusted",
+ "desc": "Marks the object to be written as trusted",
+ "detail": "Marks the object to be generated/written with the CKA_TRUST flag."
+ },
+ {
+ "detail": "Ensures that the objects retrieved have the CKA_X_TRUST flag.\nThis is p11-kit trust module extension, thus this flag is only valid with\np11-kit registered trust modules.",
+ "desc": "When retrieving objects, it requires the objects to be distrusted (blacklisted)",
+ "conflicts": "mark-trusted",
+ "long-option": "mark-distrusted"
+ },
+ {
+ "disable-prefix": "no-",
+ "desc": "Marks the object to be written for decryption",
+ "detail": "Marks the object to be generated/written with the CKA_DECRYPT flag set to true.",
+ "disabled": "",
+ "long-option": "mark-decrypt"
+ },
+ {
+ "disable-prefix": "no-",
+ "detail": "Marks the object to be generated/written with the CKA_SIGN flag set to true.",
+ "disabled": "",
+ "long-option": "mark-sign",
+ "desc": "Marks the object to be written for signature generation"
+ },
+ {
+ "disable-prefix": "no-",
+ "desc": "Marks the object to be written as a CA",
+ "long-option": "mark-ca",
+ "disabled": "",
+ "detail": "Marks the object to be generated/written with the CKA_CERTIFICATE_CATEGORY as CA."
+ },
+ {
+ "disable-prefix": "no-",
+ "long-option": "mark-private",
+ "desc": "Marks the object to be written as private",
+ "detail": "Marks the object to be generated/written with the CKA_PRIVATE flag. The written object will require a PIN to be used.",
+ "disabled": ""
+ },
+ {
+ "long-option": "ca",
+ "aliases": "mark-ca"
+ },
+ {
+ "aliases": "mark-private",
+ "long-option": "private"
+ },
+ {
+ "disabled": "",
+ "desc": "Marks the object to be written as always authenticate",
+ "long-option": "mark-always-authenticate",
+ "disable-prefix": "no-",
+ "detail": "Marks the object to be generated/written with the CKA_ALWAYS_AUTHENTICATE flag. The written object will Mark the object as requiring authentication (pin entry) before every operation."
+ },
+ {
+ "detail": "This secret key will be written to the module if --write is specified.",
+ "arg-type": "string",
+ "desc": "Provide a hex encoded secret key",
+ "long-option": "secret-key"
+ },
+ {
+ "arg-type": "file",
+ "file-exists": "yes",
+ "long-option": "load-privkey",
+ "desc": "Private key file to use",
+ "detail": ""
+ },
+ {
+ "arg-type": "file",
+ "file-exists": "yes",
+ "desc": "Public key file to use",
+ "long-option": "load-pubkey",
+ "detail": ""
+ },
+ {
+ "arg-type": "file",
+ "desc": "Certificate file to use",
+ "detail": "",
+ "long-option": "load-certificate",
+ "file-exists": "yes"
+ }
+ ]
+ },
+ {
+ "meta": {
+ "desc": "Other options",
+ "id": "other-options"
+ },
+ "options": [
+ {
+ "desc": "Enable debugging",
+ "arg-max": " 9999",
+ "short-option": "d",
+ "arg-type": "number",
+ "detail": "Specifies the debug level.",
+ "arg-min": "0 ",
+ "long-option": "debug"
+ },
+ {
+ "arg-type": "string",
+ "detail": "",
+ "long-option": "outfile",
+ "desc": "Output file"
+ },
+ {
+ "desc": "Force (user) login to token",
+ "detail": "",
+ "long-option": "login",
+ "disable-prefix": "no-",
+ "disabled": ""
+ },
+ {
+ "long-option": "so-login",
+ "disabled": "",
+ "disable-prefix": "no-",
+ "desc": "Force security officer login to token",
+ "detail": "Forces login to the token as security officer (admin)."
+ },
+ {
+ "long-option": "admin-login",
+ "aliases": "so-login"
+ },
+ {
+ "desc": "Tests the signature operation of the provided object",
+ "long-option": "test-sign",
+ "detail": "It can be used to test the correct operation of the signature operation.\nIf both a private and a public key are available this operation will sign and verify\nthe signed data."
+ },
+ {
+ "detail": "This option can be combined with --test-sign, to sign with\na specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be\nspecified in order to use RSA-PSS signature on RSA keys.",
+ "arg-type": "string",
+ "long-option": "sign-params",
+ "desc": "Sign with a specific signature algorithm"
+ },
+ {
+ "long-option": "hash",
+ "detail": "This option can be combined with test-sign. Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.",
+ "desc": "Hash algorithm to use for signing",
+ "arg-type": "string"
+ },
+ {
+ "desc": "Generate random data",
+ "detail": "Asks the token to generate a number of bytes of random bytes.",
+ "arg-type": "number",
+ "long-option": "generate-random"
+ },
+ {
+ "detail": "",
+ "short-option": "8",
+ "long-option": "pkcs8",
+ "desc": "Use PKCS #8 format for private keys"
+ },
+ {
+ "long-option": "inder",
+ "desc": "Use DER/RAW format for input",
+ "disable-prefix": "no-",
+ "detail": "Use DER/RAW format for input certificates and private keys.",
+ "disabled": ""
+ },
+ {
+ "long-option": "inraw",
+ "aliases": "inder"
+ },
+ {
+ "disable-prefix": "no-",
+ "detail": "The output will be in DER or RAW format.",
+ "long-option": "outder",
+ "desc": "Use DER format for output certificates, private keys, and DH parameters",
+ "disabled": ""
+ },
+ {
+ "long-option": "outraw",
+ "aliases": "outder"
+ },
+ {
+ "long-option": "provider",
+ "arg-type": "file",
+ "desc": "Specify the PKCS #11 provider library",
+ "detail": "This will override the default options in /etc/gnutls/pkcs11.conf"
+ },
+ {
+ "arg-type": "string",
+ "desc": "Specify parameters for the PKCS #11 provider library",
+ "deprecated": "",
+ "detail": "This is a PKCS#11 internal option used by few modules.\n Mainly for testing PKCS#11 modules.",
+ "long-option": "provider-opts"
+ },
+ {
+ "disable-prefix": "no-",
+ "long-option": "detailed-url",
+ "disabled": "",
+ "desc": "Print detailed URLs",
+ "detail": ""
+ },
+ {
+ "desc": "Print a compact listing using only the URLs",
+ "long-option": "only-urls",
+ "detail": ""
+ },
+ {
+ "detail": "In batch mode there will be no prompts, all parameters need to be specified on command line.",
+ "long-option": "batch",
+ "desc": "Disable all interaction with the tool"
+ }
+ ]
+ }
+] \ No newline at end of file
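Review bot: The numeric bounds on `--debug` carry stray whitespace, `"arg-max": " 9999"` and `"arg-min": "0 "`, which looks like residue of the one-off AutoGen conversion rather than intent; whether gen-getopt.py strips them before converting to integers is not visible from this file, so the values should be normalized to `"arg-min": "0"` and `"arg-max": "9999"` here. The same pattern appears in psktool-options.json, srptool-options.json, systemkey-tool-options.json and tpmtool-options.json in this commit. Separately, the `--list-token-urls` description reads "List the URLs available tokens" and is missing a word, presumably "List the URLs of available tokens".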
diff --git a/src/p11tool.c b/src/p11tool.c
index 693828fcc2..e60f74a9f1 100644
--- a/src/p11tool.c
+++ b/src/p11tool.c
@@ -44,7 +44,7 @@
/* Gnulib portability files. */
#include <read-file.h>
-#include "p11tool-args.h"
+#include "p11tool-options.h"
#include "p11tool.h"
#include "certtool-common.h"
@@ -234,12 +234,12 @@ static void cmd_parser(int argc, char **argv)
cinfo.only_urls = 1;
}
- if (ENABLED_OPT(INDER) || ENABLED_OPT(INRAW))
+ if (ENABLED_OPT(INDER))
cinfo.incert_format = GNUTLS_X509_FMT_DER;
else
cinfo.incert_format = GNUTLS_X509_FMT_PEM;
- if (HAVE_OPT(OUTDER) || HAVE_OPT(OUTRAW))
+ if (HAVE_OPT(OUTDER))
cinfo.outcert_format = GNUTLS_X509_FMT_DER;
else
cinfo.outcert_format = GNUTLS_X509_FMT_PEM;
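Review bot: Dropping `ENABLED_OPT(INRAW)` and `HAVE_OPT(OUTRAW)` is only correct if the generated parser folds `--inraw`/`--outraw` into the same option as `--inder`/`--outder`, which depends on the "aliases" entries in p11tool-options.json rather than on anything in this file; a short comment would keep the next reader from re-adding the checks, e.g. `/* --inraw/--outraw are aliases of --inder/--outder (see p11tool-options.json) */`. cmd_parser starts and ends outside the hunk.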
diff --git a/src/psk.c b/src/psk.c
index 58499bd087..17cc076b8a 100644
--- a/src/psk.c
+++ b/src/psk.c
@@ -39,7 +39,7 @@ int main(int argc, char **argv)
#include <stdlib.h>
#include <errno.h>
#include <gnutls/gnutls.h>
-#include <psktool-args.h>
+#include "psktool-options.h"
#include <gnutls/crypto.h> /* for random */
diff --git a/src/psktool-options.json b/src/psktool-options.json
new file mode 100644
index 0000000000..22771fa236
--- /dev/null
+++ b/src/psktool-options.json
@@ -0,0 +1,53 @@
+[
+ {
+ "meta": {
+ "explain": "",
+ "desc": "",
+ "prog-name": "psktool",
+ "prog-desc": "Program to create PSK parameters.\n",
+ "detail": "Program that generates random keys for use with TLS-PSK. The\nkeys are stored in hexadecimal format in a key file.",
+ "prog-title": "GnuTLS PSK tool",
+ "short-usage": "psktool [options]\npsktool --help for usage instructions.\n"
+ },
+ "options": [
+ {
+ "desc": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "arg-min": "0 ",
+ "arg-max": " 9999",
+ "arg-type": "number",
+ "short-option": "d",
+ "long-option": "debug"
+ },
+ {
+ "long-option": "keysize",
+ "desc": "Specify the key size in bytes (default is 32-bytes or 256-bits)",
+ "short-option": "s",
+ "arg-type": "number",
+ "detail": "",
+ "arg-min": "0 ",
+ "arg-max": " 512"
+ },
+ {
+ "long-option": "username",
+ "desc": "Specify the username to use",
+ "arg-type": "string",
+ "detail": "",
+ "short-option": "u"
+ },
+ {
+ "long-option": "pskfile",
+ "detail": "This option will specify the pre-shared key file to store the generated keys.",
+ "short-option": "p",
+ "arg-type": "string",
+ "desc": "Specify a pre-shared key file"
+ },
+ {
+ "deprecated": "",
+ "desc": "Specify a pre-shared key file",
+ "aliases": "pskfile",
+ "long-option": "passwd"
+ }
+ ]
+ }
+] \ No newline at end of file
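Review bot: `--keysize` is declared with `"arg-min": "0 "`, so the parser will accept `-s 0` and hand a zero-length key request to the tool; unless psk.c rejects that itself (not visible here), the lower bound should be at least 1, and the practical minimum for a usable PSK is higher. Consider `"arg-min": "1"` together with a note in "detail" stating the recommended minimum, since the option's description already documents the 32-byte default.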
diff --git a/src/serv.c b/src/serv.c
index cde7c1645f..85e94cd5e6 100644
--- a/src/serv.c
+++ b/src/serv.c
@@ -27,7 +27,7 @@
#include <config.h>
#include "common.h"
-#include "serv-args.h"
+#include "gnutls-serv-options.h"
#include "udp-serv.h"
#include <stdio.h>
#include <stdlib.h>
diff --git a/src/srptool-options.json b/src/srptool-options.json
new file mode 100644
index 0000000000..489eb7a73b
--- /dev/null
+++ b/src/srptool-options.json
@@ -0,0 +1,71 @@
+[
+ {
+ "meta": {
+ "prog-desc": "Simple program to create SRP parameters.\n",
+ "explain": "",
+ "short-usage": "srptool [options]\nsrptool --help for usage instructions.\n",
+ "detail": "Simple program that emulates the programs in the Stanford SRP (Secure\nRemote Password) libraries using GnuTLS. It is intended for use in places\nwhere you don't expect SRP authentication to be the used for system users.\n\nIn brief, to use SRP you need to create two files. These are the password\nfile that holds the users and the verifiers associated with them and the\nconfiguration file to hold the group parameters (called tpasswd.conf).",
+ "desc": "",
+ "prog-name": "srptool",
+ "prog-title": "GnuTLS SRP tool"
+ },
+ "options": [
+ {
+ "short-option": "d",
+ "arg-min": "0 ",
+ "detail": "Specifies the debug level.",
+ "desc": "Enable debugging",
+ "long-option": "debug",
+ "arg-type": "number",
+ "arg-max": " 9999"
+ },
+ {
+ "desc": "specify the index of the group parameters in tpasswd.conf to use",
+ "detail": "",
+ "short-option": "i",
+ "arg-type": "number",
+ "arg-default": "3",
+ "long-option": "index"
+ },
+ {
+ "arg-type": "string",
+ "long-option": "username",
+ "detail": "",
+ "desc": "specify a username",
+ "short-option": "u"
+ },
+ {
+ "long-option": "passwd",
+ "desc": "specify a password file",
+ "arg-type": "string",
+ "detail": "",
+ "short-option": "p"
+ },
+ {
+ "long-option": "salt",
+ "short-option": "s",
+ "desc": "specify salt size",
+ "detail": "",
+ "arg-type": "number"
+ },
+ {
+ "desc": "just verify the password.",
+ "long-option": "verify",
+ "detail": "Verifies the password provided against the password file."
+ },
+ {
+ "detail": "Specify a filename or a PKCS #11 URL to read the CAs from.",
+ "short-option": "v",
+ "long-option": "passwd-conf",
+ "desc": "specify a password conf file.",
+ "arg-type": "string"
+ },
+ {
+ "arg-type": "string",
+ "detail": "This generates a password configuration file (tpasswd.conf)\ncontaining the required for TLS parameters.",
+ "desc": "Generate a password configuration file.",
+ "long-option": "create-conf"
+ }
+ ]
+ }
+] \ No newline at end of file
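Review bot: The "detail" text for `--passwd-conf` says "Specify a filename or a PKCS #11 URL to read the CAs from.", which describes a certificate option and not the SRP group-parameter file the option actually takes; it appears to be a copy-paste error carried over from the old AutoGen definition. The surrounding program description names the file as tpasswd.conf, so something like `"detail": "Specify the password configuration file (tpasswd.conf) holding the SRP group parameters."` would match the option's purpose.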
diff --git a/src/srptool.c b/src/srptool.c
index b4bc08b189..a050de09db 100644
--- a/src/srptool.c
+++ b/src/srptool.c
@@ -40,7 +40,7 @@
#include <getpass.h>
#include <minmax.h>
-#include <srptool-args.h>
+#include "srptool-options.h"
/* This may need some rewrite. A lot of stuff which should be here
* are in the library, which is not good.
diff --git a/src/systemkey-tool-options.json b/src/systemkey-tool-options.json
new file mode 100644
index 0000000000..835ffb9c1c
--- /dev/null
+++ b/src/systemkey-tool-options.json
@@ -0,0 +1,49 @@
+[
+ {
+ "meta": {
+ "detail": "Program that allows handling user keys as stored in the system in a uniform way.",
+ "short-usage": "systemkey-tool [options]\nsystemkey-tool --help for usage instructions.\n",
+ "prog-desc": "Program to handle system keys.\n",
+ "explain": "",
+ "prog-name": "systemkey-tool",
+ "desc": "",
+ "prog-title": "GnuTLS system key tool"
+ },
+ "options": [
+ {
+ "desc": "Enable debugging",
+ "arg-type": "number",
+ "short-option": "d",
+ "arg-min": "0 ",
+ "arg-max": " 9999",
+ "long-option": "debug",
+ "detail": "Specifies the debug level."
+ },
+ {
+ "arg-type": "string",
+ "long-option": "outfile",
+ "detail": "",
+ "desc": "Output file"
+ },
+ {
+ "desc": "Lists all stored keys.",
+ "detail": "",
+ "long-option": "list"
+ },
+ {
+ "arg-name": "url",
+ "detail": "",
+ "long-option": "delete",
+ "desc": "Delete the key identified by the given URL.",
+ "arg-type": "string"
+ },
+ {
+ "long-option": "outder",
+ "desc": "Use DER format for output keys",
+ "disabled": "",
+ "detail": "The output will be in DER format.",
+ "disable-prefix": "no-"
+ }
+ ]
+ }
+] \ No newline at end of file
diff --git a/src/systemkey.c b/src/systemkey.c
index d1186c59a0..11fe3cd8f4 100644
--- a/src/systemkey.c
+++ b/src/systemkey.c
@@ -44,7 +44,7 @@
#include <read-file.h>
#include "certtool-common.h"
-#include "systemkey-args.h"
+#include "systemkey-tool-options.h"
static void cmd_parser(int argc, char **argv);
static void systemkey_delete(const char *url, FILE * outfile);
diff --git a/src/tpmtool-options.json b/src/tpmtool-options.json
new file mode 100644
index 0000000000..22b07a0a6e
--- /dev/null
+++ b/src/tpmtool-options.json
@@ -0,0 +1,133 @@
+[
+ {
+ "meta": {
+ "prog-name": "tpmtool",
+ "desc": "",
+ "short-usage": "tpmtool [options]\ntpmtool --help for usage instructions.\n",
+ "prog-desc": "Program to handle TPM as a cryptographic device.\n",
+ "detail": "Program that allows handling cryptographic data from the TPM chip.",
+ "explain": "",
+ "prog-title": "GnuTLS TPM tool"
+ },
+ "options": [
+ {
+ "short-option": "d",
+ "arg-max": " 9999",
+ "desc": "Enable debugging",
+ "arg-min": "0 ",
+ "long-option": "debug",
+ "arg-type": "number",
+ "detail": "Specifies the debug level."
+ },
+ {
+ "long-option": "infile",
+ "arg-type": "file",
+ "file-exists": "yes",
+ "desc": "Input file",
+ "detail": ""
+ },
+ {
+ "detail": "",
+ "desc": "Output file",
+ "long-option": "outfile",
+ "arg-type": "string"
+ },
+ {
+ "desc": "Generate an RSA private-public key pair",
+ "detail": "Generates an RSA private-public key pair in the TPM chip. \nThe key may be stored in file system and protected by a PIN, or stored (registered)\nin the TPM chip flash.",
+ "long-option": "generate-rsa"
+ },
+ {
+ "requires": "generate-rsa",
+ "desc": "Any generated key will be registered in the TPM",
+ "long-option": "register",
+ "detail": ""
+ },
+ {
+ "conflicts": "legacy",
+ "requires": "generate-rsa",
+ "long-option": "signing",
+ "desc": "Any generated key will be a signing key",
+ "detail": ""
+ },
+ {
+ "desc": "Any generated key will be a legacy key",
+ "conflicts": "signing",
+ "detail": "",
+ "requires": "generate-rsa",
+ "long-option": "legacy"
+ },
+ {
+ "requires": "register",
+ "desc": "Any registered key will be a user key",
+ "long-option": "user",
+ "detail": "The generated key will be stored in a user specific persistent storage.",
+ "conflicts": "system"
+ },
+ {
+ "detail": "The generated key will be stored in system persistent storage.",
+ "long-option": "system",
+ "desc": "Any registered key will be a system key",
+ "conflicts": "user",
+ "requires": "register"
+ },
+ {
+ "detail": "",
+ "arg-type": "string",
+ "arg-name": "url",
+ "long-option": "pubkey",
+ "desc": "Prints the public key of the provided key"
+ },
+ {
+ "detail": "",
+ "long-option": "list",
+ "desc": "Lists all stored keys in the TPM"
+ },
+ {
+ "arg-type": "string",
+ "desc": "Delete the key identified by the given URL (UUID).",
+ "arg-name": "url",
+ "long-option": "delete",
+ "detail": ""
+ },
+ {
+ "arg-name": "url",
+ "long-option": "test-sign",
+ "arg-type": "string",
+ "desc": "Tests the signature operation of the provided object",
+ "detail": "It can be used to test the correct operation of the signature operation.\nThis operation will sign and verify the signed data."
+ },
+ {
+ "arg-name": "Security parameter",
+ "arg-type": "string",
+ "detail": "This is alternative to the bits option. Note however that the\nvalues allowed by the TPM chip are quantized and given values may be rounded up.",
+ "long-option": "sec-param",
+ "desc": "Specify the security level [low, legacy, medium, high, ultra]."
+ },
+ {
+ "desc": "Specify the number of bits for key generate",
+ "arg-type": "number",
+ "detail": "",
+ "long-option": "bits"
+ },
+ {
+ "long-option": "inder",
+ "disable-prefix": "no-",
+ "detail": "The input files will be assumed to be in the portable\nDER format of TPM. The default format is a custom format used by various\nTPM tools",
+ "desc": "Use the DER format for keys.",
+ "disabled": ""
+ },
+ {
+ "disabled": "",
+ "long-option": "outder",
+ "desc": "Use DER format for output keys",
+ "detail": "The output will be in the TPM portable DER format.",
+ "disable-prefix": "no-"
+ },
+ {
+ "desc": "SRK has well known password (20 bytes of zeros)",
+ "long-option": "srk-well-known"
+ }
+ ]
+ }
+] \ No newline at end of file
diff --git a/src/tpmtool.c b/src/tpmtool.c
index c8862f0c4d..171b7fd416 100644
--- a/src/tpmtool.c
+++ b/src/tpmtool.c
@@ -44,7 +44,7 @@
#include <read-file.h>
#include "certtool-common.h"
-#include "tpmtool-args.h"
+#include "tpmtool-options.h"
#include "common.h"
static void cmd_parser(int argc, char **argv);
diff --git a/src/udp-serv.c b/src/udp-serv.c
index 814d698fbf..ca19cbebaa 100644
--- a/src/udp-serv.c
+++ b/src/udp-serv.c
@@ -36,7 +36,7 @@
#include <errno.h>
#include <common.h>
#include "udp-serv.h"
-#include "serv-args.h"
+#include "gnutls-serv-options.h"
extern int disable_client_cert;