authorDaiki Ueno <ueno@gnu.org>2022-01-05 07:39:10 +0100
committerDaiki Ueno <ueno@gnu.org>2022-01-15 09:25:56 +0100
commit4e919cb7d22c17f870e757a331bd759f790adadc (patch)
tree8d6c3fbcad3d2f6dc4aa9434d644912d768d6c8f /src
parent08f68bece2748a01a9c93f3ed16c17459ca6deb6 (diff)
downloadgnutls-4e919cb7d22c17f870e757a331bd759f790adadc.tar.gz
src: remove AutoGen .def files
As neither the tools nor documentation depends on AutoGen, we don't need to include the AutoGen definition files.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'src')
-rw-r--r--src/args-std.def.in58
-rw-r--r--src/certtool-args.def1163
-rw-r--r--src/cli-args.def600
-rw-r--r--src/cli-debug-args.def112
-rw-r--r--src/danetool-args.def230
-rw-r--r--src/ocsptool-args.def317
-rw-r--r--src/p11tool-args.def580
-rw-r--r--src/psktool-args.def70
-rw-r--r--src/serv-args.def557
-rw-r--r--src/srptool-args.def106
-rw-r--r--src/systemkey-args.def43
-rw-r--r--src/tpmtool-args.def170
12 files changed, 0 insertions, 4006 deletions
diff --git a/src/args-std.def.in b/src/args-std.def.in
deleted file mode 100644
index 4a92c448d2..0000000000
--- a/src/args-std.def.in
+++ /dev/null
@@ -1,58 +0,0 @@
-
-prog-group = GnuTLS;
-config-header = config.h;
-gnu-usage;
-disable-save;
-long-opts;
-no-xlate = opt;
-version = "@VERSION@";
-no-misuse-usage;
-export = '#include <gettext.h>';
-
-copyright = {
- date = "2000-2020";
- owner = "Free Software Foundation, and others";
- author = "Nikos Mavrogiannopoulos, Simon Josefsson and others; "
- "see /usr/share/doc/gnutls/AUTHORS for a complete list.";
- eaddr = "@PACKAGE_BUGREPORT@";
- type = gpl;
-};
-
-help-value = h;
-flag = {
- name = debug;
- value = d;
- arg-type = number;
- arg-range = "0 -> 9999";
- descrip = "Enable debugging";
- doc = "Specifies the debug level.";
-};
-
-#ifdef VERBOSE_OPT
-flag = {
- name = verbose;
- value = V;
- max = NOLIMIT;
- descrip = "More verbose output";
- doc = "";
-};
-#endif
-
-#ifdef INFILE_OPT
-flag = {
- name = infile;
- arg-type = file;
- file-exists = yes;
- descrip = "Input file";
- doc = "";
-};
-#endif
-
-#ifdef OUTFILE_OPT
-flag = {
- name = outfile;
- arg-type = string;
- descrip = "Output file";
- doc = "";
-};
-#endif
diff --git a/src/certtool-args.def b/src/certtool-args.def
deleted file mode 100644
index 61dcb712a5..0000000000
--- a/src/certtool-args.def
+++ /dev/null
@@ -1,1163 +0,0 @@
-AutoGen Definitions options;
-prog-name = certtool;
-prog-title = "GnuTLS certificate tool";
-prog-desc = "Manipulate certificates and private keys.";
-detail = "Tool to parse and generate X.509 certificates, requests and private keys.
-It can be used interactively or non interactively by
-specifying the template command line option.
-
-The tool accepts files or supported URIs via the --infile option. In case PIN
-is required for URI access you can provide it using the environment variables GNUTLS_PIN
-and GNUTLS_SO_PIN.
-";
-short-usage = "certtool [options]\ncerttool --help for usage instructions.\n";
-explain = "";
-
-#define INFILE_OPT 1
-#define OUTFILE_OPT 1
-#define VERBOSE_OPT 1
-#include args-std.def
-
-//----------------------------------------
-flag = {
- name = cert_options;
- documentation;
- descrip = "Certificate related options";
-};
-//----------------------------------------
-
-flag = {
- name = certificate-info;
- value = i;
- descrip = "Print information on the given certificate";
- doc = "";
-};
-
-flag = {
- name = pubkey-info;
- descrip = "Print information on a public key";
- doc = "The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question.";
-};
-
-flag = {
- name = generate-self-signed;
- value = s;
- descrip = "Generate a self-signed certificate";
- doc = "";
-};
-
-flag = {
- name = generate-certificate;
- value = c;
- descrip = "Generate a signed certificate";
- doc = "";
-};
-
-flag = {
- name = generate-proxy;
- descrip = "Generates a proxy certificate";
- doc = "";
-};
-
-flag = {
- name = update-certificate;
- value = u;
- descrip = "Update a signed certificate";
- doc = "";
-};
-
-flag = {
- name = fingerprint;
- descrip = "Print the fingerprint of the given certificate";
- doc = "This is a simple hash of the DER encoding of the certificate. It can be combined with the --hash parameter. However, it is recommended for identification to use the key-id which depends only on the certificate's key.";
-};
-
-flag = {
- name = key-id;
- descrip = "Print the key ID of the given certificate";
- doc = "This is a hash of the public key of the given certificate. It identifies the key uniquely, remains the same on a certificate renewal and depends only on signed fields of the certificate.";
-};
-
-flag = {
- name = certificate-pubkey;
- descrip = "Print certificate's public key";
- doc = "This option is deprecated as a duplicate of --pubkey-info";
- deprecated;
-};
-
-flag = {
- name = v1;
- descrip = "Generate an X.509 version 1 certificate (with no extensions)";
- doc = "";
-};
-
-flag = {
- name = sign-params;
- arg-type = string;
- descrip = "Sign a certificate with a specific signature algorithm";
- doc = "This option can be combined with --generate-certificate, to sign the certificate with
-a specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be
-specified when the signer does not have a certificate which is marked for RSA-PSS use only.";
-};
-
-
-//----------------------------------------
-flag = {
- name = crq_options;
- documentation;
- descrip = "Certificate request related options";
-};
-//----------------------------------------
-
-flag = {
- name = crq-info;
- descrip = "Print information on the given certificate request";
- doc = "";
-};
-
-flag = {
- name = generate-request;
- value = q;
- descrip = "Generate a PKCS #10 certificate request";
- flags_cant = infile;
- doc = "Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey.";
-};
-
-flag = {
- name = no-crq-extensions;
- descrip = "Do not use extensions in certificate requests";
- doc = "";
-};
-
-//----------------------------------------
-flag = {
- name = pkcs12_options;
- documentation;
- descrip = "PKCS#12 file related options";
-};
-//----------------------------------------
-
-flag = {
- name = p12-info;
- descrip = "Print information on a PKCS #12 structure";
- doc = "This option will dump the contents and print the metadata of the provided PKCS #12 structure.";
-};
-
-flag = {
- name = p12-name;
- arg-type = string;
- descrip = "The PKCS #12 friendly name to use";
- doc = "The name to be used for the primary certificate and private key in a PKCS #12 file.";
-};
-
-flag = {
- name = to-p12;
- descrip = "Generate a PKCS #12 structure";
- doc = "It requires a certificate, a private key and possibly a CA certificate to be specified.";
-};
-
-
-//----------------------------------------
-flag = {
- name = key_options;
- documentation;
- descrip = "Private key related options";
-};
-//----------------------------------------
-
-flag = {
- name = key-info;
- value = k;
- descrip = "Print information on a private key";
- doc = "";
-};
-
-flag = {
- name = p8-info;
- descrip = "Print information on a PKCS #8 structure";
- doc = "This option will print information about encrypted PKCS #8 structures. That option does not require the decryption of the structure.";
-};
-
-flag = {
- name = to-rsa;
- descrip = "Convert an RSA-PSS key to raw RSA format";
- doc = "It requires an RSA-PSS key as input and will output a raw RSA
-key. This command is necessary for compatibility with applications that
-cannot read RSA-PSS keys.";
-};
-
-flag = {
- name = generate-privkey;
- value = p;
- descrip = "Generate a private key";
- doc = "When generating RSA-PSS private keys, the --hash option will
-restrict the allowed hash for the key; in the same keys the --salt-size
-option is also acceptable.";
-};
-
-flag = {
- name = key-type;
- arg-type = string;
- descrip = "Specify the key type to use on key generation";
- doc = "This option can be combined with --generate-privkey, to specify
-the key type to be generated. Valid options are, 'rsa', 'rsa-pss', 'dsa', 'ecdsa', 'ed25519, 'ed448', 'x25519', and 'x448'.'.
-When combined with certificate generation it can be used to specify an
-RSA-PSS certificate when an RSA key is given.";
-};
-
-flag = {
- name = bits;
- arg-type = number;
- descrip = "Specify the number of bits for key generation";
- doc = "";
-};
-
-flag = {
- name = curve;
- arg-type = string;
- descrip = "Specify the curve used for EC key generation";
- doc = "Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.";
-};
-
-flag = {
- name = sec-param;
- arg-type = string;
- arg-name = "Security parameter";
- descrip = "Specify the security level [low, legacy, medium, high, ultra]";
- doc = "This is alternative to the bits option.";
-};
-
-flag = {
- name = to-p8;
- descrip = "Convert a given key to a PKCS #8 structure";
- doc = "This needs to be combined with --load-privkey.";
-};
-
-flag = {
- name = pkcs8;
- value = 8;
- descrip = "Use PKCS #8 format for private keys";
- doc = "";
-};
-
-flag = {
- name = provable;
- descrip = "Generate a private key or parameters from a seed using a provable method";
- doc = "This will use the FIPS PUB186-4 algorithms (i.e., Shawe-Taylor) for provable key generation.
-When specified the private keys or parameters will be generated from a seed, and can be
-later validated with --verify-provable-privkey to be correctly generated from the seed. You may
-specify --seed or allow GnuTLS to generate one (recommended). This option can be combined with
---generate-privkey or --generate-dh-params.
-
-That option applies to RSA and DSA keys. On the DSA keys the PQG parameters
-are generated using the seed, and on RSA the two primes.";
-};
-
-flag = {
- name = verify-provable-privkey;
- descrip = "Verify a private key generated from a seed using a provable method";
- doc = "This will use the FIPS-186-4 algorithms for provable key generation. You may specify --seed or use the seed stored in the private key structure.";
-};
-
-flag = {
- name = seed;
- descrip = "When generating a private key use the given hex-encoded seed";
- arg-type = string;
- doc = "The seed acts as a security parameter for the private key, and
-thus a seed size which corresponds to the security level of the private key
-should be provided (e.g., 256-bits seed).";
-};
-
-
-//----------------------------------------
-flag = {
- name = crl_options;
- documentation;
- descrip = "CRL related options";
-};
-//----------------------------------------
-
-flag = {
- name = crl-info;
- value = l;
- descrip = "Print information on the given CRL structure";
- doc = "";
-};
-
-
-flag = {
- name = generate-crl;
- descrip = "Generate a CRL";
- doc = "This option generates a Certificate Revocation List. When combined with --load-crl it would use the loaded CRL as base for the generated (i.e., all revoked certificates in the base will be copied to the new CRL).
-To add new certificates to the CRL use --load-certificate.";
-};
-
-
-flag = {
- name = verify-crl;
- descrip = "Verify a Certificate Revocation List using a trusted list";
- doc = "The trusted certificate list must be loaded with --load-ca-certificate.";
- flags-must = load-ca-certificate;
-};
-
-//----------------------------------------
-flag = {
- name = cert_verify_options;
- documentation;
- descrip = "Certificate verification related options";
-};
-//----------------------------------------
-
-flag = {
- name = verify-chain;
- value = e;
- descrip = "Verify a PEM encoded certificate chain";
- doc = "Verifies the validity of a certificate chain. That is, an ordered set of
-certificates where each one is the issuer of the previous, and the first is
-the end-certificate to be validated. In a proper chain the last certificate
-is a self signed one. It can be combined with --verify-purpose or --verify-hostname.";
-};
-
-flag = {
- name = verify;
- descrip = "Verify a PEM encoded certificate (chain) against a trusted set";
- doc = "The trusted certificate list can be loaded with --load-ca-certificate. If no
-certificate list is provided, then the system's trusted certificate list is used. Note that
-during verification multiple paths may be explored. On a successful verification
-the successful path will be the last one. It can be combined with --verify-purpose or --verify-hostname.";
-};
-
-flag = {
- name = verify-hostname;
- descrip = "Specify a hostname to be used for certificate chain verification";
- arg-type = string;
- doc = "This is to be combined with one of the verify certificate options.";
-};
-
-flag = {
- name = verify-email;
- descrip = "Specify a email to be used for certificate chain verification";
- arg-type = string;
- doc = "This is to be combined with one of the verify certificate options.";
- flags-cant = verify-hostname;
-};
-
-flag = {
- name = verify-purpose;
- descrip = "Specify a purpose OID to be used for certificate chain verification";
- arg-type = string;
- doc = "This object identifier restricts the purpose of the certificates to be verified. Example purposes are 1.3.6.1.5.5.7.3.1 (TLS WWW), 1.3.6.1.5.5.7.3.4 (EMAIL) etc. Note that a CA certificate without a purpose set (extended key usage) is valid for any purpose.";
-};
-
-flag = {
- name = verify-allow-broken;
- descrip = "Allow broken algorithms, such as MD5 for verification";
- doc = "This can be combined with --p7-verify, --verify or --verify-chain.";
-};
-
-flag = {
- name = verify-profile;
- descrip = "Specify a security level profile to be used for verification";
- arg-type = string;
- doc = "This option can be used to specify a certificate verification profile. Certificate
- verification profiles correspond to the security level. This should be one of
- 'none', 'very weak', 'low', 'legacy', 'medium', 'high', 'ultra',
- 'future'. Note that by default no profile is applied, unless one is set
- as minimum in the gnutls configuration file.";
-};
-
-//----------------------------------------
-flag = {
- name = pkcs7_options;
- documentation;
- descrip = "PKCS#7 structure options";
-};
-//----------------------------------------
-
-flag = {
- name = p7-generate;
- descrip = "Generate a PKCS #7 structure";
- doc = "This option generates a PKCS #7 certificate container structure. To add certificates in the structure use --load-certificate and --load-crl.";
-};
-
-flag = {
- name = p7-sign;
- descrip = "Signs using a PKCS #7 structure";
- doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The data are stored within the structure. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
-};
-
-
-flag = {
- name = p7-detached-sign;
- descrip = "Signs using a detached PKCS #7 structure";
- doc = "This option generates a PKCS #7 structure containing a signature for the provided data from infile. The signer certificate has to be specified using --load-certificate and --load-privkey. The input to --load-certificate can be a list of certificates. In case of a list, the first certificate is used for signing and the other certificates are included in the structure.";
-};
-
-flag = {
- name = p7-include-cert;
- disable = "no";
- enabled;
- descrip = "The signer's certificate will be included in the cert list.";
- doc = "This options works with --p7-sign or --p7-detached-sign and will include or exclude the signer's certificate into the generated signature.";
-};
-
-flag = {
- name = p7-time;
- disable = "no";
- disabled;
- descrip = "Will include a timestamp in the PKCS #7 structure";
- doc = "This option will include a timestamp in the generated signature";
-};
-
-flag = {
- name = p7-show-data;
- disable = "no";
- disabled;
- descrip = "Will show the embedded data in the PKCS #7 structure";
- doc = "This option can be combined with --p7-verify or --p7-info and will display the embedded signed data in the PKCS #7 structure.";
-};
-
-flag = {
- name = p7-info;
- descrip = "Print information on a PKCS #7 structure";
- doc = "";
-};
-
-flag = {
- name = p7-verify;
- descrip = "Verify the provided PKCS #7 structure";
- doc = "This option verifies the signed PKCS #7 structure. The certificate list to use for verification can be specified with --load-ca-certificate. When no certificate list is provided, then the system's certificate list is used. Alternatively a direct signer can be provided using --load-certificate. A key purpose can be enforced with the --verify-purpose option, and the --load-data option will utilize detached data.";
-};
-
-flag = {
- name = smime-to-p7;
- descrip = "Convert S/MIME to PKCS #7 structure";
- doc = "";
-};
-
-
-
-//----------------------------------------
-flag = {
- name = other_options;
- documentation;
- descrip = "Other options";
-};
-//----------------------------------------
-
-flag = {
- name = generate-dh-params;
- descrip = "Generate PKCS #3 encoded Diffie-Hellman parameters";
- doc = "The will generate random parameters to be used with
-Diffie-Hellman key exchange. The output parameters will be in PKCS #3
-format. Note that it is recommended to use the --get-dh-params option
-instead.";
- deprecated;
-};
-
-flag = {
- name = get-dh-params;
- descrip = "List the included PKCS #3 encoded Diffie-Hellman parameters";
- doc = "Returns stored DH parameters in GnuTLS. Those parameters returned
-are defined in RFC7919, and can be considered standard parameters for a TLS
-key exchange. This option is provided for old applications which require
-DH parameters to be specified; modern GnuTLS applications should not require
-them.";
-};
-
-flag = {
- name = dh-info;
- descrip = "Print information PKCS #3 encoded Diffie-Hellman parameters";
- doc = "";
-};
-
-flag = {
- name = load-privkey;
- descrip = "Loads a private key file";
- arg-type = string;
- doc = "This can be either a file or a PKCS #11 URL";
-};
-
-flag = {
- name = load-pubkey;
- descrip = "Loads a public key file";
- arg-type = string;
- doc = "This can be either a file or a PKCS #11 URL";
-};
-
-flag = {
- name = load-request;
- descrip = "Loads a certificate request file";
- arg-type = string;
- doc = "This option can be used with a file";
-};
-
-flag = {
- name = load-certificate;
- descrip = "Loads a certificate file";
- arg-type = string;
- doc = "This option can be used with a file";
-};
-
-flag = {
- name = load-ca-privkey;
- descrip = "Loads the certificate authority's private key file";
- arg-type = string;
- doc = "This can be either a file or a PKCS #11 URL";
-};
-
-flag = {
- name = load-ca-certificate;
- descrip = "Loads the certificate authority's certificate file";
- arg-type = string;
- doc = "This can be either a file or a PKCS #11 URL";
-};
-
-flag = {
- name = load-crl;
- descrip = "Loads the provided CRL";
- arg-type = string;
- doc = "This option can be used with a file";
-};
-
-flag = {
- name = load-data;
- descrip = "Loads auxiliary data";
- arg-type = string;
- doc = "This option can be used with a file";
-};
-
-flag = {
- name = password;
- arg-type = string;
- descrip = "Password to use";
- doc = "You can use this option to specify the password in the command line instead of reading it from the tty. Note, that the command line arguments are available for view in others in the system. Specifying password as '' is the same as specifying no password.";
-};
-
-flag = {
- name = null-password;
- descrip = "Enforce a NULL password";
- doc = "This option enforces a NULL password. This is different than the empty or no password in schemas like PKCS #8.";
-};
-
-flag = {
- name = empty-password;
- descrip = "Enforce an empty password";
- doc = "This option enforces an empty password. This is different than the NULL or no password in schemas like PKCS #8.";
-};
-
-
-flag = {
- name = hex-numbers;
- descrip = "Print big number in an easier format to parse";
- doc = "";
-};
-
-flag = {
- name = cprint;
- descrip = "In certain operations it prints the information in C-friendly format";
- doc = "In certain operations it prints the information in C-friendly format, suitable for including into C programs.";
-};
-
-flag = {
- name = rsa;
- descrip = "Generate RSA key";
- doc = "When combined with --generate-privkey generates an RSA private key.";
- description = "This option is equivalent to '--key-type rsa'.";
- deprecated;
-};
-
-flag = {
- name = dsa;
- descrip = "Generate DSA key";
- doc = "When combined with --generate-privkey generates a DSA private key.";
- description = "This option is equivalent to '--key-type dsa'.";
- deprecated;
-};
-
-flag = {
- name = ecc;
- descrip = "Generate ECC (ECDSA) key";
- doc = "When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA.";
- description = "This option is equivalent to '--key-type ecdsa'.";
- deprecated;
-};
-
-flag = {
- name = ecdsa;
- aliases = ecc;
- deprecated;
-};
-
-flag = {
- name = hash;
- arg-type = string;
- descrip = "Hash algorithm to use for signing";
- doc = "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.";
-};
-
-flag = {
- name = salt-size;
- arg-type = number;
- descrip = "Specify the RSA-PSS key default salt size";
- doc = "Typical keys shouldn't set or restrict this option.";
-};
-
-flag = {
- name = inder;
- descrip = "Use DER format for input certificates, private keys, and DH parameters ";
- disabled;
- disable = "no";
- doc = "The input files will be assumed to be in DER or RAW format.
-Unlike options that in PEM input would allow multiple input data (e.g. multiple
-certificates), when reading in DER format a single data structure is read.";
-};
-
-flag = {
- name = inraw;
- aliases = inder;
-};
-
-flag = {
- name = outder;
- descrip = "Use DER format for output certificates, private keys, and DH parameters";
- disabled;
- disable = "no";
- doc = "The output will be in DER or RAW format.";
-};
-
-flag = {
- name = outraw;
- aliases = outder;
-};
-
-flag = {
- name = disable-quick-random;
- descrip = "No effect";
- doc = "";
- deprecated;
-};
-
-flag = {
- name = template;
- arg-type = string;
- descrip = "Template file to use for non-interactive operation";
- doc = "";
-};
-
-flag = {
- name = stdout-info;
- descrip = "Print information to stdout instead of stderr";
- doc = "";
-};
-
-flag = {
- name = ask-pass;
- disabled;
- descrip = "Enable interaction for entering password when in batch mode.";
- doc = "This option will enable interaction to enter password when in batch mode. That is useful when the template option has been specified.";
-};
-
-flag = {
- name = pkcs-cipher;
- arg-type = string;
- arg-name = "Cipher";
- descrip = "Cipher to use for PKCS #8 and #12 operations";
- doc = "Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour.";
-};
-
-flag = {
- name = provider;
- arg-type = string;
- descrip = "Specify the PKCS #11 provider library";
- doc = "This will override the default options in /etc/gnutls/pkcs11.conf";
-};
-
-flag = {
- name = text;
- descrip = "Output textual information before PEM-encoded certificates, private keys, etc";
- enabled;
- disable = "no";
- doc = "Output textual information before PEM-encoded data";
-};
-
-doc-section = {
- ds-type = 'SEE ALSO';
- ds-format = 'texi';
- ds-text = <<-_EOT_
- p11tool (1), psktool (1), srptool (1)
-_EOT_;
-};
-
-doc-section = {
- ds-type = 'EXAMPLES';
- ds-format = 'texi';
- ds-text = <<-_EOT_
-@subheading Generating private keys
-To create an RSA private key, run:
-@example
-$ certtool --generate-privkey --outfile key.pem --rsa
-@end example
-
-To create a DSA or elliptic curves (ECDSA) private key use the
-above command combined with 'dsa' or 'ecc' options.
-
-@subheading Generating certificate requests
-To create a certificate request (needed when the certificate is issued by
-another party), run:
-@example
-certtool --generate-request --load-privkey key.pem \
- --outfile request.pem
-@end example
-
-If the private key is stored in a smart card you can generate
-a request by specifying the private key object URL.
-@example
-$ ./certtool --generate-request --load-privkey "pkcs11:..." \
- --load-pubkey "pkcs11:..." --outfile request.pem
-@end example
-
-
-@subheading Generating a self-signed certificate
-To create a self signed certificate, use the command:
-@example
-$ certtool --generate-privkey --outfile ca-key.pem
-$ certtool --generate-self-signed --load-privkey ca-key.pem \
- --outfile ca-cert.pem
-@end example
-
-Note that a self-signed certificate usually belongs to a certificate
-authority, that signs other certificates.
-
-@subheading Generating a certificate
-To generate a certificate using the previous request, use the command:
-@example
-$ certtool --generate-certificate --load-request request.pem \
- --outfile cert.pem --load-ca-certificate ca-cert.pem \
- --load-ca-privkey ca-key.pem
-@end example
-
-To generate a certificate using the private key only, use the command:
-@example
-$ certtool --generate-certificate --load-privkey key.pem \
- --outfile cert.pem --load-ca-certificate ca-cert.pem \
- --load-ca-privkey ca-key.pem
-@end example
-
-@subheading Certificate information
-To view the certificate information, use:
-@example
-$ certtool --certificate-info --infile cert.pem
-@end example
-
-@subheading Changing the certificate format
-To convert the certificate from PEM to DER format, use:
-@example
-$ certtool --certificate-info --infile cert.pem --outder --outfile cert.der
-@end example
-
-@subheading PKCS #12 structure generation
-To generate a PKCS #12 structure using the previous key and certificate,
-use the command:
-@example
-$ certtool --load-certificate cert.pem --load-privkey key.pem \
- --to-p12 --outder --outfile key.p12
-@end example
-
-Some tools (reportedly web browsers) have problems with that file
-because it does not contain the CA certificate for the certificate.
-To work around that problem in the tool, you can use the
---load-ca-certificate parameter as follows:
-
-@example
-$ certtool --load-ca-certificate ca.pem \
- --load-certificate cert.pem --load-privkey key.pem \
- --to-p12 --outder --outfile key.p12
-@end example
-
-@subheading Obtaining Diffie-Hellman parameters
-To obtain the RFC7919 parameters for Diffie-Hellman key exchange, use the command:
-@example
-$ certtool --get-dh-params --outfile dh.pem --sec-param medium
-@end example
-
-@subheading Verifying a certificate
-To verify a certificate in a file against the system's CA trust store
-use the following command:
-@example
-$ certtool --verify --infile cert.pem
-@end example
-
-It is also possible to simulate hostname verification with the following
-options:
-@example
-$ certtool --verify --verify-hostname www.example.com --infile cert.pem
-@end example
-
-
-@subheading Proxy certificate generation
-Proxy certificate can be used to delegate your credential to a
-temporary, typically short-lived, certificate. To create one from the
-previously created certificate, first create a temporary key and then
-generate a proxy certificate for it, using the commands:
-
-@example
-$ certtool --generate-privkey > proxy-key.pem
-$ certtool --generate-proxy --load-ca-privkey key.pem \
- --load-privkey proxy-key.pem --load-certificate cert.pem \
- --outfile proxy-cert.pem
-@end example
-
-@subheading Certificate revocation list generation
-To create an empty Certificate Revocation List (CRL) do:
-
-@example
-$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
- --load-ca-certificate x509-ca.pem
-@end example
-
-To create a CRL that contains some revoked certificates, place the
-certificates in a file and use @code{--load-certificate} as follows:
-
-@example
-$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
- --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
-@end example
-
-To verify a Certificate Revocation List (CRL) do:
-
-@example
-$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
-@end example
-_EOT_;
-};
-
-
-doc-section = {
- ds-type = 'FILES';
- ds-format = 'texi';
- ds-text = <<-_EOT_
-@subheading Certtool's template file format
-A template file can be used to avoid the interactive questions of
-certtool. Initially create a file named 'cert.cfg' that contains the information
-about the certificate. The template can be used as below:
-
-@example
-$ certtool --generate-certificate --load-privkey key.pem \
- --template cert.cfg --outfile cert.pem \
- --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
-@end example
-
-An example certtool template file that can be used to generate a certificate
-request or a self signed certificate follows.
-
-@example
-# X.509 Certificate options
-#
-# DN options
-
-# The organization of the subject.
-organization = "Koko inc."
-
-# The organizational unit of the subject.
-unit = "sleeping dept."
-
-# The locality of the subject.
-# locality =
-
-# The state of the certificate owner.
-state = "Attiki"
-
-# The country of the subject. Two letter code.
-country = GR
-
-# The common name of the certificate owner.
-cn = "Cindy Lauper"
-
-# A user id of the certificate owner.
-#uid = "clauper"
-
-# Set domain components
-#dc = "name"
-#dc = "domain"
-
-# If the supported DN OIDs are not adequate you can set
-# any OID here.
-# For example set the X.520 Title and the X.520 Pseudonym
-# by using OID and string pairs.
-#dn_oid = "2.5.4.12 Dr."
-#dn_oid = "2.5.4.65 jackal"
-
-# This is deprecated and should not be used in new
-# certificates.
-# pkcs9_email = "none@@none.org"
-
-# An alternative way to set the certificate's distinguished name directly
-# is with the "dn" option. The attribute names allowed are:
-# C (country), street, O (organization), OU (unit), title, CN (common name),
-# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
-# countryOfResidence, serialNumber, telephoneNumber, surName, initials,
-# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
-# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
-# jurisdictionOfIncorporationStateOrProvinceName,
-# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
-
-#dn = "cn = Nikos,st = New\, Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
-
-# The serial number of the certificate
-# The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
-# Comment the field for a random serial number.
-serial = 007
-
-# In how many days, counting from today, this certificate will expire.
-# Use -1 if there is no expiration date.
-expiration_days = 700
-
-# Alternatively you may set concrete dates and time. The GNU date string
-# formats are accepted. See:
-# https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
-
-#activation_date = "2004-02-29 16:21:42"
-#expiration_date = "2025-02-29 16:24:41"
-
-# X.509 v3 extensions
-
-# A dnsname in case of a WWW server.
-#dns_name = "www.none.org"
-#dns_name = "www.morethanone.org"
-
-# An othername defined by an OID and a hex encoded string
-#other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
-#other_name_utf8 = "1.2.4.5.6 A UTF8 string"
-#other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"
-
-# Allows writing an XmppAddr Identifier
-#xmpp_name = juliet@@im.example.com
-
-# Names used in PKINIT
-#krb5_principal = user@@REALM.COM
-#krb5_principal = HTTP/user@@REALM.COM
-
-# A subject alternative name URI
-#uri = "https://www.example.com"
-
-# An IP address in case of a server.
-#ip_address = "192.168.1.1"
-
-# An email in case of a person
-email = "none@@none.org"
-
-# TLS feature (rfc7633) extension. That can is used to indicate mandatory TLS
-# extension features to be provided by the server. In practice this is used
-# to require the Status Request (extid: 5) extension from the server. That is,
-# to require the server holding this certificate to provide a stapled OCSP response.
-# You can have multiple lines for multiple TLS features.
-
-# To ask for OCSP status request use:
-#tls_feature = 5
-
-# Challenge password used in certificate requests
-challenge_password = 123456
-
-# Password when encrypting a private key
-#password = secret
-
-# An URL that has CRLs (certificate revocation lists)
-# available. Needed in CA certificates.
-#crl_dist_points = "https://www.getcrl.crl/getcrl/"
-
-# Whether this is a CA certificate or not
-#ca
-
-# Subject Unique ID (in hex)
-#subject_unique_id = 00153224
-
-# Issuer Unique ID (in hex)
-#issuer_unique_id = 00153225
-
-#### Key usage
-
-# The following key usage flags are used by CAs and end certificates
-
-# Whether this certificate will be used to sign data (needed
-# in TLS DHE ciphersuites). This is the digitalSignature flag
-# in RFC5280 terminology.
-signing_key
-
-# Whether this certificate will be used to encrypt data (needed
-# in TLS RSA ciphersuites). Note that it is preferred to use different
-# keys for encryption and signing. This is the keyEncipherment flag
-# in RFC5280 terminology.
-encryption_key
-
-# Whether this key will be used to sign other certificates. The
-# keyCertSign flag in RFC5280 terminology.
-#cert_signing_key
-
-# Whether this key will be used to sign CRLs. The
-# cRLSign flag in RFC5280 terminology.
-#crl_signing_key
-
-# The keyAgreement flag of RFC5280. Its purpose is loosely
-# defined. Not use it unless required by a protocol.
-#key_agreement
-
-# The dataEncipherment flag of RFC5280. Its purpose is loosely
-# defined. Not use it unless required by a protocol.
-#data_encipherment
-
-# The nonRepudiation flag of RFC5280. Its purpose is loosely
-# defined. Not use it unless required by a protocol.
-#non_repudiation
-
-#### Extended key usage (key purposes)
-
-# The following extensions are used in an end certificate
-# to clarify its purpose. Some CAs also use it to indicate
-# the types of certificates they are purposed to sign.
-
-
-# Whether this certificate will be used for a TLS client;
-# this sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
-# extended key usage.
-#tls_www_client
-
-# Whether this certificate will be used for a TLS server;
-# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
-# extended key usage.
-#tls_www_server
-
-# Whether this key will be used to sign code. This sets the
-# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
-# extension.
-#code_signing_key
-
-# Whether this key will be used to sign OCSP data. This sets the
-# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
-#ocsp_signing_key
-
-# Whether this key will be used for time stamping. This sets the
-# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
-#time_stamping_key
-
-# Whether this key will be used for email protection. This sets the
-# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
-#email_protection_key
-
-# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
-#ipsec_ike_key
-
-## adding custom key purpose OIDs
-
-# for microsoft smart card logon
-# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
-
-# for email protection
-# key_purpose_oid = 1.3.6.1.5.5.7.3.4
-
-# for any purpose (must not be used in intermediate CA certificates)
-# key_purpose_oid = 2.5.29.37.0
-
-### end of key purpose OIDs
-
-### Adding arbitrary extensions
-# This requires to provide the extension OIDs, as well as the extension data in
-# hex format. The following two options are available since GnuTLS 3.5.3.
-#add_extension = "1.2.3.4 0x0AAB01ACFE"
-
-# As above but encode the data as an octet string
-#add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
-
-# For portability critical extensions shouldn't be set to certificates.
-#add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
-
-# When generating a certificate from a certificate
-# request, then honor the extensions stored in the request
-# and store them in the real certificate.
-#honor_crq_extensions
-
-# Alternatively only specific extensions can be copied.
-#honor_crq_ext = 2.5.29.17
-#honor_crq_ext = 2.5.29.15
-
-# Path length constraint. Sets the maximum number of
-# certificates that can be used to certify this certificate.
-# (i.e. the certificate chain length)
-#path_len = -1
-#path_len = 2
-
-# OCSP URI
-# ocsp_uri = https://my.ocsp.server/ocsp
-
-# CA issuers URI
-# ca_issuers_uri = https://my.ca.issuer
-
-# Certificate policies
-#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
-#policy1_txt = "This is a long policy to summarize"
-#policy1_url = https://www.example.com/a-policy-to-read
-
-#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
-#policy2_txt = "This is a short policy"
-#policy2_url = https://www.example.com/another-policy-to-read
-
-# The number of additional certificates that may appear in a
-# path before the anyPolicy is no longer acceptable.
-#inhibit_anypolicy_skip_certs 1
-
-# Name constraints
-
-# DNS
-#nc_permit_dns = example.com
-#nc_exclude_dns = test.example.com
-
-# EMAIL
-#nc_permit_email = "nmav@@ex.net"
-
-# Exclude subdomains of example.com
-#nc_exclude_email = .example.com
-
-# Exclude all e-mail addresses of example.com
-#nc_exclude_email = example.com
-
-# IP
-#nc_permit_ip = 192.168.0.0/16
-#nc_exclude_ip = 192.168.5.0/24
-#nc_permit_ip = fc0a:eef2:e7e7:a56e::/64
-
-
-# Options for proxy certificates
-#proxy_policy_language = 1.3.6.1.5.5.7.21.1
-
-
-# Options for generating a CRL
-
-# The number of days the next CRL update will be due.
-# next CRL update will be in 43 days
-#crl_next_update = 43
-
-# this is the 5th CRL by this CA
-# The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
-# Comment the field for a time-based number.
-# Time-based CRL numbers generated in GnuTLS 3.6.3 and later
-# are significantly larger than those generated in previous
-# versions. Since CRL numbers need to be monotonic, you need
-# to specify the CRL number here manually if you intend to
-# downgrade to an earlier version than 3.6.3 after publishing
-# the CRL as it is not possible to specify CRL numbers greater
-# than 2**63-2 using hex notation in those versions.
-#crl_number = 5
-
-# Specify the update dates more precisely.
-#crl_this_update_date = "2004-02-29 16:21:42"
-#crl_next_update_date = "2025-02-29 16:24:41"
-
-# The date that the certificates will be made seen as
-# being revoked.
-#crl_revocation_date = "2025-02-29 16:24:41"
-
-@end example
-
-_EOT_;
-};
-
diff --git a/src/cli-args.def b/src/cli-args.def
deleted file mode 100644
index 2279b9cc0a..0000000000
--- a/src/cli-args.def
+++ /dev/null
@@ -1,600 +0,0 @@
-AutoGen Definitions options;
-prog-name = gnutls-cli;
-prog-title = "GnuTLS client";
-prog-desc = "Simple client program to set up a TLS connection.";
-short-usage = "Usage: gnutls-cli [options] hostname\ngnutls-cli --help for usage instructions.\n";
-explain = "";
-detail = "Simple client program to set up a TLS connection to some other computer.
-It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa.";
-reorder-args;
-argument = "[hostname]";
-
-#define VERBOSE_OPT 1
-#include args-std.def
-
-flag = {
- name = tofu;
- descrip = "Enable trust on first use authentication";
- disabled;
- disable = "no";
- doc = "This option will, in addition to certificate authentication, perform authentication
-based on previously seen public keys, a model similar to SSH authentication. Note that when tofu
-is specified (PKI) and DANE authentication will become advisory to assist the public key acceptance
-process.";
-};
-
-flag = {
- name = strict-tofu;
- descrip = "Fail to connect if a certificate is unknown or a known certificate has changed";
- disabled;
- disable = "no";
- doc = "This option will perform authentication as with option --tofu; however, no questions shall be asked whatsoever, neither to accept an unknown certificate nor a changed one.";
-
-};
-
-flag = {
- name = dane;
- descrip = "Enable DANE certificate verification (DNSSEC)";
- disabled;
- disable = "no";
- doc = "This option will, in addition to certificate authentication using
-the trusted CAs, verify the server certificates using on the DANE information
-available via DNSSEC.";
-};
-
-flag = {
- name = local-dns;
- descrip = "Use the local DNS server for DNSSEC resolving";
- disabled;
- disable = "no";
- doc = "This option will use the local DNS server for DNSSEC.
-This is disabled by default due to many servers not allowing DNSSEC.";
-};
-
-flag = {
- name = ca-verification;
- descrip = "Enable CA certificate verification";
- enabled;
- disable = "no";
- doc = "This option can be used to enable or disable CA certificate verification. It is to be used with the --dane or --tofu options.";
-};
-
-flag = {
- name = ocsp;
- descrip = "Enable OCSP certificate verification";
- disabled;
- disable = "no";
- doc = "This option will enable verification of the peer's certificate using ocsp";
-};
-
-flag = {
- name = resume;
- value = r;
- descrip = "Establish a session and resume";
- doc = "Connect, establish a session, reconnect and resume.";
-};
-
-flag = {
- name = earlydata;
- arg-type = string;
- descrip = "Send early data on resumption from the specified file";
- doc = "";
-};
-
-flag = {
- name = rehandshake;
- value = e;
- descrip = "Establish a session and rehandshake";
- doc = "Connect, establish a session and rehandshake immediately.";
-};
-
-flag = {
- name = sni-hostname;
- descrip = "Server's hostname for server name indication extension";
- arg-type = string;
- doc = "Set explicitly the server name used in the TLS server name indication extension. That is useful when testing with servers setup on different DNS name than the intended. If not specified, the provided hostname is used. Even with this option server certificate verification still uses the hostname passed on the main commandline. Use --verify-hostname to change this.";
-};
-
-flag = {
- name = verify-hostname;
- descrip = "Server's hostname to use for validation";
- arg-type = string;
- doc = "Set explicitly the server name to be used when validating the server's certificate.";
-};
-
-flag = {
- name = starttls;
- value = s;
- descrip = "Connect, establish a plain session and start TLS";
- doc = "The TLS session will be initiated when EOF or a SIGALRM is received.";
-};
-
-flag = {
- name = app-proto;
- aliases = starttls-proto;
-};
-
-flag = {
- name = starttls-proto;
- descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)";
- arg-type = string;
- doc = "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.";
- flags-cant = starttls;
-};
-
-flag = {
- name = udp;
- value = u;
- descrip = "Use DTLS (datagram TLS) over UDP";
- doc = "";
-};
-
-flag = {
- name = mtu;
- arg-type = number;
- arg-range = "0->17000";
- descrip = "Set MTU for datagram TLS";
- doc = "";
-};
-
-flag = {
- name = crlf;
- descrip = "Send CR LF instead of LF";
- doc = "";
-};
-
-flag = {
- name = fastopen;
- descrip = "Enable TCP Fast Open";
- doc = "";
-};
-
-flag = {
- name = x509fmtder;
- descrip = "Use DER format for certificates to read from";
- doc = "";
-};
-
-flag = {
- name = print-cert;
- descrip = "Print peer's certificate in PEM format";
- doc = "";
-};
-
-flag = {
- name = save-cert;
- arg-type = string;
- descrip = "Save the peer's certificate chain in the specified file in PEM format";
- doc = "";
-};
-
-flag = {
- name = save-ocsp;
- arg-type = string;
- descrip = "Save the peer's OCSP status response in the provided file";
- doc = "";
- flags-cant = save-ocsp-multi;
-};
-
-flag = {
- name = save-ocsp-multi;
- arg-type = string;
- descrip = "Save all OCSP responses provided by the peer in this file";
- doc = "The file will contain a list of PEM encoded OCSP status responses if any were provided by the peer, starting with the one for the peer's server certificate.";
- flags-cant = save-ocsp;
-};
-
-flag = {
- name = save-server-trace;
- arg-type = string;
- descrip = "Save the server-side TLS message trace in the provided file";
- doc = "";
-};
-
-flag = {
- name = save-client-trace;
- arg-type = string;
- descrip = "Save the client-side TLS message trace in the provided file";
- doc = "";
-};
-
-flag = {
- name = dh-bits;
- arg-type = number;
- descrip = "The minimum number of bits allowed for DH";
- doc = "This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime.";
-};
-
-flag = {
- name = priority;
- arg-type = string;
- descrip = "Priorities string";
- doc = "TLS algorithms and protocols to enable. You can
-use predefined sets of ciphersuites such as PERFORMANCE,
-NORMAL, PFS, SECURE128, SECURE256. The default is NORMAL.
-
-Check the GnuTLS manual on section ``Priority strings'' for more
-information on the allowed keywords";
-};
-
-flag = {
- name = x509cafile;
- arg-type = string;
- descrip = "Certificate file or PKCS #11 URL to use";
- doc = "";
-};
-
-flag = {
- name = x509crlfile;
- arg-type = file;
- file-exists = yes;
- descrip = "CRL file to use";
- doc = "";
-};
-
-flag = {
- name = x509keyfile;
- arg-type = string;
- descrip = "X.509 key file or PKCS #11 URL to use";
- doc = "";
-};
-
-flag = {
- name = x509certfile;
- arg-type = string;
- descrip = "X.509 Certificate file or PKCS #11 URL to use";
- doc = "";
- flags-must = x509keyfile;
-};
-
-flag = {
- name = rawpkkeyfile;
- arg-type = string;
- descrip = "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use";
- doc = "In order to instruct the application to negotiate raw public keys one
-must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
-and CTYPE-SRV-* flags).
-
-Check the GnuTLS manual on section ``Priority strings'' for more
-information on how to set certificate types.";
-};
-
-flag = {
- name = rawpkfile;
- arg-type = string;
- descrip = "Raw public-key file to use";
- doc = "In order to instruct the application to negotiate raw public keys one
-must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
-and CTYPE-SRV-* flags).
-
-Check the GnuTLS manual on section ``Priority strings'' for more
-information on how to set certificate types.";
- flags-must = rawpkkeyfile;
-};
-
-flag = {
- name = srpusername;
- arg-type = string;
- descrip = "SRP username to use";
- doc = "";
-};
-
-flag = {
- name = srppasswd;
- arg-type = string;
- descrip = "SRP password to use";
- doc = "";
-};
-
-flag = {
- name = pskusername;
- arg-type = string;
- descrip = "PSK username to use";
- doc = "";
-};
-
-flag = {
- name = pskkey;
- arg-type = string;
- descrip = "PSK key (in hex) to use";
- doc = "";
-};
-
-
-flag = {
- name = port;
- value = p;
- arg-type = string;
- descrip = "The port or service to connect to";
- doc = "";
-};
-
-flag = {
- name = insecure;
- descrip = "Don't abort program if server certificate can't be validated";
- doc = "";
-};
-
-flag = {
- name = verify-allow-broken;
- descrip = "Allow broken algorithms, such as MD5 for certificate verification";
- doc = "";
-};
-
-flag = {
- name = ranges;
- descrip = "Use length-hiding padding to prevent traffic analysis";
- doc = "When possible (e.g., when using CBC ciphersuites), use length-hiding padding to prevent traffic analysis.";
- deprecated;
-};
-
-flag = {
- name = benchmark-ciphers;
- descrip = "Benchmark individual ciphers";
- doc = "By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1.";
-};
-
-flag = {
- name = benchmark-tls-kx;
- descrip = "Benchmark TLS key exchange methods";
- doc = "";
-};
-
-flag = {
- name = benchmark-tls-ciphers;
- descrip = "Benchmark TLS ciphers";
- doc = "By default the benchmarked ciphers will utilize any capabilities of the local CPU to improve performance. To test against the raw software implementation set the environment variable GNUTLS_CPUID_OVERRIDE to 0x1.";
-};
-
-flag = {
- name = list;
- value = l;
- descrip = "Print a list of the supported algorithms and modes";
- doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
- flags-cant = port;
-};
-
-flag = {
- name = priority-list;
- descrip = "Print a list of the supported priority strings";
- doc = "Print a list of the supported priority strings. The ciphersuites corresponding to each priority string can be examined using -l -p.";
-};
-
-flag = {
- name = noticket;
- descrip = "Don't allow session tickets";
- doc = "Disable the request of receiving of session tickets under TLS1.2 or earlier";
-};
-
-flag = {
- name = srtp_profiles;
- arg-type = string;
- descrip = "Offer SRTP profiles";
- doc = "";
-};
-
-flag = {
- name = alpn;
- arg-type = string;
- descrip = "Application layer protocol";
- max = NOLIMIT; /* occurrence limit (none) */
- stack-arg; /* save opt args in a stack */
- doc = "This option will set and enable the Application Layer Protocol Negotiation (ALPN) in the TLS protocol.";
-};
-
-flag = {
- name = heartbeat;
- value = b;
- descrip = "Activate heartbeat support";
- doc = "";
-};
-
-flag = {
- name = recordsize;
- arg-type = number;
- arg-range = "0->4096";
- descrip = "The maximum record size to advertise";
- doc = "";
-};
-
-flag = {
- name = disable-sni;
- descrip = "Do not send a Server Name Indication (SNI)";
- doc = "";
-};
-
-flag = {
- name = disable-extensions;
- descrip = "Disable all the TLS extensions";
- doc = "This option disables all TLS extensions. Deprecated option. Use the priority string.";
- deprecated;
-};
-
-flag = {
- name = single-key-share;
- descrip = "Send a single key share under TLS1.3";
- doc = "This option switches the default mode of sending multiple
-key shares, to send a single one (the top one).";
-};
-
-flag = {
- name = post-handshake-auth;
- descrip = "Enable post-handshake authentication under TLS1.3";
- doc = "This option enables post-handshake authentication when under TLS1.3.";
-};
-
-flag = {
- name = inline-commands;
- descrip = "Inline commands of the form ^<cmd>^";
- doc = "Enable inline commands of the form ^<cmd>^. The inline commands are expected to be in a line by themselves. The available commands are: resume, rekey1 (local rekey), rekey (rekey on both peers) and renegotiate.";
-};
-
-flag = {
- name = inline-commands-prefix;
- arg-type = string;
- descrip = "Change the default delimiter for inline commands.";
- doc = "Change the default delimiter (^) used for inline commands. The delimiter is expected to be a single US-ASCII character (octets 0 - 127). This option is only relevant if inline commands are enabled via the inline-commands option";
-};
-
-flag = {
- name = provider;
- arg-type = file;
- file-exists = yes;
- descrip = "Specify the PKCS #11 provider library";
- doc = "This will override the default options in /etc/gnutls/pkcs11.conf";
-};
-
-flag = {
- name = fips140-mode;
- descrip = "Reports the status of the FIPS140-2 mode in gnutls library";
- doc = "";
-};
-
-flag = {
- name = logfile;
- arg-type = string;
- descrip = "Redirect informational messages to a specific file.";
- doc = "Redirect informational messages to a specific file. The file may be /dev/null also to make the gnutls client quiet to use it in piped server connections where only the server communication may appear on stdout.";
-};
-
-flag = {
- name = keymatexport;
- arg-type = string;
- descrip = "Label used for exporting keying material";
- doc = "";
-};
-
-flag = {
- name = keymatexportsize;
- arg-type = number;
- descrip = "Size of the exported keying material";
- doc = "";
-};
-
-flag = {
- name = waitresumption;
- descrip = "Block waiting for the resumption data under TLS1.3";
- doc = "This option makes the client to block waiting for the resumption data under TLS1.3. The option has effect only when --resume is provided.";
-};
-
-flag = {
- name = ca-auto-retrieve;
- descrip = "Enable automatic retrieval of missing CA certificates";
- disabled;
- disable = "no";
- doc = "This option enables the client to automatically retrieve the missing intermediate CA certificates in the certificate chain, based on the Authority Information Access (AIA) extension.";
-};
-
-doc-section = {
- ds-type = 'SEE ALSO'; // or anything else
- ds-format = 'texi'; // or texi or mdoc format
- ds-text = <<-_EOF_
-gnutls-cli-debug(1), gnutls-serv(1)
-_EOF_;
-};
-
-doc-section = {
- ds-type = 'EXAMPLES';
- ds-format = 'texi';
- ds-text = <<-_EOF_
-@subheading Connecting using PSK authentication
-To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
-@example
-$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
- --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
- --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
-Resolving 'localhost'...
-Connecting to '127.0.0.1:5556'...
-- PSK authentication.
-- Version: TLS1.1
-- Key Exchange: PSK
-- Cipher: AES-128-CBC
-- MAC: SHA1
-- Compression: NULL
-- Handshake was completed
-
-- Simple Client Mode:
-@end example
-By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake.
-
-@subheading Connecting using raw public-key authentication
-To connect to a server using raw public-key authentication, you need to enable the option to negotiate raw public-keys via the priority strings such as in the example below.
-@example
-$ ./gnutls-cli -p 5556 localhost --priority NORMAL:-CTYPE-CLI-ALL:+CTYPE-CLI-RAWPK \
- --rawpkkeyfile cli.key.pem \
- --rawpkfile cli.rawpk.pem
-Processed 1 client raw public key pair...
-Resolving 'localhost'...
-Connecting to '127.0.0.1:5556'...
-- Successfully sent 1 certificate(s) to server.
-- Server has requested a certificate.
-- Certificate type: X.509
-- Got a certificate list of 1 certificates.
-- Certificate[0] info:
- - skipped
-- Description: (TLS1.3-Raw Public Key-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
-- Options:
-- Handshake was completed
-
-- Simple Client Mode:
-@end example
-
-@subheading Connecting to STARTTLS services
-
-You could also use the client to connect to services with starttls capability.
-@example
-$ gnutls-cli --starttls-proto smtp --port 25 localhost
-@end example
-
-@subheading Listing ciphersuites in a priority string
-To list the ciphersuites in a priority string:
-@example
-$ ./gnutls-cli --priority SECURE192 -l
-Cipher suites for SECURE192
-TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
-TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
-TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
-TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
-TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
-TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
-
-Certificate types: CTYPE-X.509
-Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
-Compression: COMP-NULL
-Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
-PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
-@end example
-
-@subheading Connecting using a PKCS #11 token
-To connect to a server using a certificate and a private key present in a PKCS #11 token you
-need to substitute the PKCS 11 URLs in the x509certfile and x509keyfile parameters.
-
-Those can be found using "p11tool --list-tokens" and then listing all the objects in the
-needed token, and using the appropriate.
-@example
-$ p11tool --list-tokens
-
-Token 0:
- URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test
- Label: Test
- Manufacturer: EnterSafe
- Model: PKCS15
- Serial: 1234
-
-$ p11tool --login --list-certs "pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test"
-
-Object 0:
- URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=cert
- Type: X.509 Certificate
- Label: client
- ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a
-
-$ MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=cert"
-$ MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=private"
-$ export MYCERT MYKEY
-
-$ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile $MYCERT
-@end example
-Notice that the private key only differs from the certificate in the type.
-_EOF_;
-};
diff --git a/src/cli-debug-args.def b/src/cli-debug-args.def
deleted file mode 100644
index 21c6a42e30..0000000000
--- a/src/cli-debug-args.def
+++ /dev/null
@@ -1,112 +0,0 @@
-AutoGen Definitions options;
-prog-name = gnutls-cli-debug;
-prog-title = "GnuTLS debug client";
-prog-desc = "Simple client program to check TLS server capabilities.";
-short-usage = "Usage: gnutls-cli-debug [options] hostname\n"
- "gnutls-cli --help for usage instructions.\n";
-explain = "";
-detail = "TLS debug client. It sets up multiple TLS connections to
-a server and queries its capabilities. It was created to assist in debugging
-GnuTLS, but it might be useful to extract a TLS server's capabilities.
-It connects to a TLS server, performs tests and print the server's
-capabilities. If called with the `-V' parameter more checks will be performed.
-Can be used to check for servers with special needs or bugs.";
-reorder-args;
-argument;
-
-#define VERBOSE_OPT 1
-#include args-std.def
-
-flag = {
- name = port;
- value = p;
- arg-type = number;
- arg-range = "0 -> 65536";
- descrip = "The port to connect to";
- doc = "";
-};
-
-flag = {
- name = app-proto;
- aliases = starttls-proto;
-};
-
-flag = {
- name = starttls-proto;
- arg-type = string;
- descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)";
- doc = "Specify the application layer protocol for STARTTLS. If the protocol is supported, gnutls-cli will proceed to the TLS negotiation.";
-};
-
-
-doc-section = {
- ds-type = 'SEE ALSO'; // or anything else
- ds-format = 'texi'; // or texi or mdoc format
- ds-text = <<-_EOText_
-gnutls-cli(1), gnutls-serv(1)
-_EOText_;
-};
-
-doc-section = {
- ds-type = 'EXAMPLES';
- ds-format = 'texi';
- ds-text = <<-_EOF_
-@example
-$ gnutls-cli-debug localhost
-GnuTLS debug client 3.5.0
-Checking localhost:443
- for SSL 3.0 (RFC6101) support... yes
- whether we need to disable TLS 1.2... no
- whether we need to disable TLS 1.1... no
- whether we need to disable TLS 1.0... no
- whether %NO_EXTENSIONS is required... no
- whether %COMPAT is required... no
- for TLS 1.0 (RFC2246) support... yes
- for TLS 1.1 (RFC4346) support... yes
- for TLS 1.2 (RFC5246) support... yes
- fallback from TLS 1.6 to... TLS1.2
- for RFC7507 inappropriate fallback... yes
- for HTTPS server name... Local
- for certificate chain order... sorted
- for safe renegotiation (RFC5746) support... yes
- for Safe renegotiation support (SCSV)... no
- for encrypt-then-MAC (RFC7366) support... no
- for ext master secret (RFC7627) support... no
- for heartbeat (RFC6520) support... no
- for version rollback bug in RSA PMS... dunno
- for version rollback bug in Client Hello... no
- whether the server ignores the RSA PMS version... yes
-whether small records (512 bytes) are tolerated on handshake... yes
- whether cipher suites not in SSL 3.0 spec are accepted... yes
-whether a bogus TLS record version in the client hello is accepted... yes
- whether the server understands TLS closure alerts... partially
- whether the server supports session resumption... yes
- for anonymous authentication support... no
- for ephemeral Diffie-Hellman support... no
- for ephemeral EC Diffie-Hellman support... yes
- ephemeral EC Diffie-Hellman group info... SECP256R1
- for AES-128-GCM cipher (RFC5288) support... yes
- for AES-128-CCM cipher (RFC6655) support... no
- for AES-128-CCM-8 cipher (RFC6655) support... no
- for AES-128-CBC cipher (RFC3268) support... yes
- for CAMELLIA-128-GCM cipher (RFC6367) support... no
- for CAMELLIA-128-CBC cipher (RFC5932) support... no
- for 3DES-CBC cipher (RFC2246) support... yes
- for ARCFOUR 128 cipher (RFC2246) support... yes
- for MD5 MAC support... yes
- for SHA1 MAC support... yes
- for SHA256 MAC support... yes
- for ZLIB compression support... no
- for max record size (RFC6066) support... no
- for OCSP status response (RFC6066) support... no
- for OpenPGP authentication (RFC6091) support... no
-@end example
-
-You could also use the client to debug services with starttls capability.
-@example
-$ gnutls-cli-debug --starttls-proto smtp --port 25 localhost
-@end example
-
-_EOF_;
-};
-
diff --git a/src/danetool-args.def b/src/danetool-args.def
deleted file mode 100644
index 61d11a3fff..0000000000
--- a/src/danetool-args.def
+++ /dev/null
@@ -1,230 +0,0 @@
-AutoGen Definitions options;
-prog-name = danetool;
-prog-title = "GnuTLS DANE tool";
-prog-desc = "Generate DANE TLSA RR entries.";
-detail = "Tool to generate and check DNS resource records for the DANE protocol.";
-short-usage = "danetool --[tlsa-rr|check] [options]
-danetool --help for additional usage instructions.\n";
-explain = "";
-
-#define INFILE_OPT 0
-#define OUTFILE_OPT 1
-#define VERBOSE_OPT 1
-#include args-std.def
-
-flag = {
- name = load-pubkey;
- descrip = "Loads a public key file";
- arg-type = string;
- doc = "This can be either a file or a PKCS #11 URL";
-};
-
-flag = {
- name = load-certificate;
- descrip = "Loads a certificate file";
- arg-type = string;
- doc = "This can be either a file or a PKCS #11 URL";
-};
-
-flag = {
- name = dlv;
- descrip = "Sets a DLV file";
- arg-type = string;
- doc = "This sets a DLV file to be used for DNSSEC verification.";
-};
-
-flag = {
- name = hash;
- arg-type = string;
- descrip = "Hash algorithm to use for signing";
- doc = "Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.";
-};
-
-flag = {
- name = check;
- arg-type = string;
- descrip = "Check a host's DANE TLSA entry";
- doc = "Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host can be provided using --load-certificate, otherwise danetool will connect to the server to obtain it. The exit code on verification success will be zero.";
-};
-
-flag = {
- name = check-ee;
- descrip = "Check only the end-entity's certificate";
- doc = "Checks the end-entity's certificate only. Trust anchors or CAs are not considered.";
-};
-
-flag = {
- name = check-ca;
- descrip = "Check only the CA's certificate";
- doc = "Checks the trust anchor's and CA's certificate only. End-entities are not considered.";
-};
-
-flag = {
- name = tlsa-rr;
- descrip = "Print the DANE RR data on a certificate or public key";
- flags_must = host;
- doc = "This command prints the DANE RR data needed to enable DANE on a DNS server.";
-};
-
-flag = {
- name = host;
- descrip = "Specify the hostname to be used in the DANE RR";
- arg-type = string;
- arg-name = "Hostname";
- doc = "This command sets the hostname for the DANE RR.";
-};
-
-flag = {
- name = proto;
- descrip = "The protocol set for DANE data (tcp, udp etc.)";
- arg-type = string;
- arg-name = "Protocol";
- doc = "This command specifies the protocol for the service set in the DANE data.";
-};
-
-flag = {
- name = port;
- arg-type = string;
- descrip = "The port or service to connect to, for DANE data";
- default-value = "443";
- doc = "";
-};
-
-flag = {
- name = app-proto;
- aliases = starttls-proto;
-};
-
-flag = {
- name = starttls-proto;
- descrip = "The application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)";
- arg-type = string;
- doc = "When the server's certificate isn't provided danetool will connect to the server to obtain the certificate. In that case it is required to know the protocol to talk with the server prior to initiating the TLS handshake.";
-};
-
-flag = {
- name = ca;
- descrip = "Whether the provided certificate or public key is a Certificate Authority";
- doc = "Marks the DANE RR as a CA certificate if specified.";
-};
-
-flag = {
- name = x509;
- descrip = "Use the hash of the X.509 certificate, rather than the public key";
- doc = "This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.";
-};
-
-flag = {
- name = local;
- aliases = domain;
-};
-
-flag = {
- name = domain;
- descrip = "The provided certificate or public key is issued by the local domain";
- enabled;
- disable = "no";
- doc = "DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved.";
-};
-
-flag = {
- name = local-dns;
- descrip = "Use the local DNS server for DNSSEC resolving";
- disabled;
- disable = "no";
- doc = "This option will use the local DNS server for DNSSEC.
-This is disabled by default due to many servers not allowing DNSSEC.";
-};
-
-flag = {
- name = insecure;
- descrip = "Do not verify any DNSSEC signature";
- doc = "Ignores any DNSSEC signature verification results.";
-};
-
-flag = {
- name = inder;
- descrip = "Use DER format for input certificates and private keys";
- disabled;
- disable = "no";
- doc = "The input files will be assumed to be in DER or RAW format.
-Unlike options that in PEM input would allow multiple input data (e.g. multiple
-certificates), when reading in DER format a single data structure is read.";
-};
-
-flag = {
- name = inraw;
- aliases = inder;
-};
-
-flag = {
- name = print-raw;
- descrip = "Print the received DANE data in raw format";
- disabled;
- disable = "no";
- doc = "This option will print the received DANE data.";
-};
-
-flag = {
- name = quiet;
- descrip = "Suppress several informational messages";
- doc = "In that case on the exit code can be used as an indication of verification success";
-};
-
-
-
-doc-section = {
- ds-type = 'SEE ALSO';
- ds-format = 'texi';
- ds-text = <<-_EOT_
- certtool (1)
-_EOT_;
-};
-
-doc-section = {
- ds-type = 'EXAMPLES';
- ds-format = 'texi';
- ds-text = <<-_EOT_
-@subheading DANE TLSA RR generation
-
-To create a DANE TLSA resource record for a certificate (or public key)
-that was issued localy and may or may not be signed by a CA use the following command.
-@example
-$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem
-@end example
-
-To create a DANE TLSA resource record for a CA signed certificate, which will
-be marked as such use the following command.
-@example
-$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --no-domain
-@end example
-
-The former is useful to add in your DNS entry even if your certificate is signed
-by a CA. That way even users who do not trust your CA will be able to verify your
-certificate using DANE.
-
-In order to create a record for the CA signer of your certificate use the following.
-@example
-$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --ca --no-domain
-@end example
-
-To read a server's DANE TLSA entry, use:
-@example
-$ danetool --check www.example.com --proto tcp --port 443
-@end example
-
-To verify an HTTPS server's DANE TLSA entry, use:
-@example
-$ danetool --check www.example.com --proto tcp --port 443 --load-certificate chain.pem
-@end example
-
-To verify an SMTP server's DANE TLSA entry, use:
-@example
-$ danetool --check www.example.com --proto tcp --starttls-proto=smtp --load-certificate chain.pem
-@end example
-_EOT_;
-};
-
-
diff --git a/src/ocsptool-args.def b/src/ocsptool-args.def
deleted file mode 100644
index c0d54e5c07..0000000000
--- a/src/ocsptool-args.def
+++ /dev/null
@@ -1,317 +0,0 @@
-AutoGen Definitions options;
-prog-name = ocsptool;
-prog-title = "GnuTLS OCSP tool";
-prog-desc = "Program to handle OCSP request/responses.";
-detail = "ocsptool is a program that can parse and print information about
-OCSP requests/responses, generate requests and verify responses. Unlike
-other GnuTLS applications it outputs DER encoded structures by default
-unless the '--outpem' option is specified.";
-short-usage = "ocsptool [options]\nocsptool --help for usage instructions.\n";
-explain = "";
-
-doc-section = {
- ds-type = 'DESCRIPTION';
- ds-format = 'texi';
- ds-text = <<-_EOT_
-@subheading On verification
-Responses are typically signed/issued by designated certificates or
-certificate authorities and thus this tool requires on verification
-the certificate of the issuer or the full certificate chain in order to
-determine the appropriate signing authority. The specified certificate
-of the issuer is assumed trusted.
-_EOT_;
-};
-
-#define INFILE_OPT 1
-#define OUTFILE_OPT 1
-#define VERBOSE_OPT 1
-#include args-std.def
-
-flag = {
- name = ask;
- arg-type = string;
- arg-name = "server name|url";
- arg-optional;
- descrip = "Ask an OCSP/HTTP server on a certificate validity";
- doc = "Connects to the specified HTTP OCSP server and queries on the validity of the loaded certificate.
-Its argument can be a URL or a plain server name. It can be combined with --load-chain, where it checks
-all certificates in the provided chain, or with --load-cert and
---load-issuer options. The latter checks the provided certificate
-against its specified issuer certificate.";
-};
-
-flag = {
- name = verify-response;
- value = e;
- descrip = "Verify response";
- doc = "Verifies the provided OCSP response against the system trust
-anchors (unless --load-trust is provided). It requires the --load-signer
-or --load-chain options to obtain the signer of the OCSP response.";
-};
-
-flag = {
- name = request-info;
- value = i;
- descrip = "Print information on a OCSP request";
- doc = "Display detailed information on the provided OCSP request.";
-};
-
-flag = {
- name = response-info;
- value = j;
- descrip = "Print information on a OCSP response";
- doc = "Display detailed information on the provided OCSP response.";
-};
-
-flag = {
- name = generate-request;
- value = q;
- descrip = "Generates an OCSP request";
- doc = "";
-};
-
-flag = {
- name = nonce;
- disabled = yes;
- disable = "no";
- descrip = "Use (or not) a nonce to OCSP request";
- doc = "";
-};
-
-flag = {
- name = load-chain;
- arg-type = file;
- file-exists = yes;
- descrip = "Reads a set of certificates forming a chain from file";
- doc = "";
-};
-
-flag = {
- name = load-issuer;
- arg-type = file;
- file-exists = yes;
- descrip = "Reads issuer's certificate from file";
- doc = "";
-};
-
-flag = {
- name = load-cert;
- arg-type = file;
- file-exists = yes;
- descrip = "Reads the certificate to check from file";
- doc = "";
-};
-
-flag = {
- name = load-trust;
- arg-type = file;
- file-exists = yes;
- descrip = "Read OCSP trust anchors from file";
- flags-cant = load-signer;
- doc = "When verifying an OCSP response read the trust anchors from the
-provided file. When this is not provided, the system's trust anchors will be
-used.";
-};
-
-flag = {
- name = load-signer;
- arg-type = file;
- file-exists = yes;
- descrip = "Reads the OCSP response signer from file";
- flags-cant = load-trust;
- doc = "";
-};
-
-flag = {
- name = inder;
- disabled;
- disable = "no";
- descrip = "Use DER format for input certificates and private keys";
- doc = "";
-};
-
-flag = {
- name = outder;
- descrip = "Use DER format for output of responses (this is the default)";
- doc = "The output will be in DER encoded format. Unlike other GnuTLS tools, this is the default for this tool";
-};
-
-flag = {
- name = outpem;
- descrip = "Use PEM format for output of responses";
- doc = "The output will be in PEM format.";
-};
-
-flag = {
- name = load-request;
- value = Q;
- arg-type = file;
- file-exists = yes;
- descrip = "Reads the DER encoded OCSP request from file";
- doc = "";
-};
-
-flag = {
- name = load-response;
- value = S;
- arg-type = file;
- file-exists = yes;
- descrip = "Reads the DER encoded OCSP response from file";
- doc = "";
-};
-
-flag = {
- name = ignore-errors;
- descrip = "Ignore any verification errors";
- doc = "";
-};
-
-flag = {
- name = verify-allow-broken;
- descrip = "Allow broken algorithms, such as MD5 for verification";
- doc = "This can be combined with --verify-response.";
-};
-
-doc-section = {
- ds-type = 'SEE ALSO';
- ds-format = 'texi';
- ds-text = <<-_EOT_
- certtool (1)
-_EOT_;
-};
-
-doc-section = {
- ds-type = 'EXAMPLES';
- ds-format = 'texi';
- ds-text = <<-_EOF_
-@subheading Print information about an OCSP request
-
-To parse an OCSP request and print information about the content, the
-@code{-i} or @code{--request-info} parameter may be used as follows.
-The @code{-Q} parameter specify the name of the file containing the
-OCSP request, and it should contain the OCSP request in binary DER
-format.
-
-@example
-$ ocsptool -i -Q ocsp-request.der
-@end example
-
-The input file may also be sent to standard input like this:
-
-@example
-$ cat ocsp-request.der | ocsptool --request-info
-@end example
-
-@subheading Print information about an OCSP response
-
-Similar to parsing OCSP requests, OCSP responses can be parsed using
-the @code{-j} or @code{--response-info} as follows.
-
-@example
-$ ocsptool -j -Q ocsp-response.der
-$ cat ocsp-response.der | ocsptool --response-info
-@end example
-
-@subheading Generate an OCSP request
-
-The @code{-q} or @code{--generate-request} parameters are used to
-generate an OCSP request. By default the OCSP request is written to
-standard output in binary DER format, but can be stored in a file
-using @code{--outfile}. To generate an OCSP request the issuer of the
-certificate to check needs to be specified with @code{--load-issuer}
-and the certificate to check with @code{--load-cert}. By default PEM
-format is used for these files, although @code{--inder} can be used to
-specify that the input files are in DER format.
-
-@example
-$ ocsptool -q --load-issuer issuer.pem --load-cert client.pem \
- --outfile ocsp-request.der
-@end example
-
-When generating OCSP requests, the tool will add an OCSP extension
-containing a nonce. This behaviour can be disabled by specifying
-@code{--no-nonce}.
-
-@subheading Verify signature in OCSP response
-
-To verify the signature in an OCSP response the @code{-e} or
-@code{--verify-response} parameter is used. The tool will read an
-OCSP response in DER format from standard input, or from the file
-specified by @code{--load-response}. The OCSP response is verified
-against a set of trust anchors, which are specified using
-@code{--load-trust}. The trust anchors are concatenated certificates
-in PEM format. The certificate that signed the OCSP response needs to
-be in the set of trust anchors, or the issuer of the signer
-certificate needs to be in the set of trust anchors and the OCSP
-Extended Key Usage bit has to be asserted in the signer certificate.
-
-@example
-$ ocsptool -e --load-trust issuer.pem \
- --load-response ocsp-response.der
-@end example
-
-The tool will print status of verification.
-
-@subheading Verify signature in OCSP response against given certificate
-
-It is possible to override the normal trust logic if you know that a
-certain certificate is supposed to have signed the OCSP response, and
-you want to use it to check the signature. This is achieved using
-@code{--load-signer} instead of @code{--load-trust}. This will load
-one certificate and it will be used to verify the signature in the
-OCSP response. It will not check the Extended Key Usage bit.
-
-@example
-$ ocsptool -e --load-signer ocsp-signer.pem \
- --load-response ocsp-response.der
-@end example
-
-This approach is normally only relevant in two situations. The first
-is when the OCSP response does not contain a copy of the signer
-certificate, so the @code{--load-trust} code would fail. The second
-is if you want to avoid the indirect mode where the OCSP response
-signer certificate is signed by a trust anchor.
-
-@subheading Real-world example
-
-Here is an example of how to generate an OCSP request for a
-certificate and to verify the response. For illustration we'll use
-the @code{blog.josefsson.org} host, which (as of writing) uses a
-certificate from CACert. First we'll use @code{gnutls-cli} to get a
-copy of the server certificate chain. The server is not required to
-send this information, but this particular one is configured to do so.
-
-@example
-$ echo | gnutls-cli -p 443 blog.josefsson.org --save-cert chain.pem
-@end example
-
-The saved certificates normally contain a pointer to where the OCSP
-responder is located, in the Authority Information Access Information
-extension. For example, from @code{certtool -i < chain.pem} there is
-this information:
-
-@example
- Authority Information Access Information (not critical):
- Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
- Access Location URI: https://ocsp.CAcert.org/
-@end example
-
-This means that ocsptool can discover the servers to contact over HTTP.
-We can now request information on the chain certificates.
-
-@example
-$ ocsptool --ask --load-chain chain.pem
-@end example
-
-The request is sent via HTTP to the OCSP server address found in
-the certificates. It is possible to override the address of the
-OCSP server as well as ask information on a particular certificate
-using --load-cert and --load-issuer.
-
-@example
-$ ocsptool --ask https://ocsp.CAcert.org/ --load-chain chain.pem
-@end example
-
-_EOF_;
-};
-
diff --git a/src/p11tool-args.def b/src/p11tool-args.def
deleted file mode 100644
index 65ed3411f5..0000000000
--- a/src/p11tool-args.def
+++ /dev/null
@@ -1,580 +0,0 @@
-AutoGen Definitions options;
-prog-name = p11tool;
-prog-title = "GnuTLS PKCS #11 tool";
-prog-desc = "Program to handle PKCS #11 smart cards and security modules.\n";
-detail = "Program that allows operations on PKCS #11 smart cards
-and security modules.
-
-To use PKCS #11 tokens with GnuTLS the p11-kit configuration files need to be setup.
-That is create a .module file in /etc/pkcs11/modules with the contents 'module: /path/to/pkcs11.so'.
-Alternatively the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number
-of lines of the form 'load=/usr/lib/opensc-pkcs11.so'.
-
-You can provide the PIN to be used for the PKCS #11 operations with the environment variables
-GNUTLS_PIN and GNUTLS_SO_PIN.
-";
-
-short-usage = "p11tool [options] [url]\np11tool --help for usage instructions.\n";
-explain = "";
-reorder-args;
-argument = "[url]";
-
-flag = {
- name = token_related_options;
- documentation;
- descrip = "Tokens";
-};
-
-flag = {
- name = list-tokens;
- descrip = "List all available tokens";
- doc = "";
-};
-
-flag = {
- name = list-token-urls;
- descrip = "List the URLs available tokens";
- doc = "This is a more compact version of --list-tokens.";
-};
-
-flag = {
- name = list-mechanisms;
- descrip = "List all available mechanisms in a token";
- doc = "";
-};
-
-flag = {
- name = initialize;
- descrip = "Initializes a PKCS #11 token";
- doc = "";
-};
-
-flag = {
- name = initialize-pin;
- descrip = "Initializes/Resets a PKCS #11 token user PIN";
- doc = "";
-};
-
-flag = {
- name = initialize-so-pin;
- descrip = "Initializes/Resets a PKCS #11 token security officer PIN.";
- doc = "This initializes the security officer's PIN. When used non-interactively use the GNUTLS_NEW_SO_PIN
-environment variables to initialize SO's PIN.";
-};
-
-flag = {
- name = set-pin;
- arg-type = string;
- descrip = "Specify the PIN to use on token operations";
- doc = "Alternatively the GNUTLS_PIN environment variable may be used.";
-};
-
-flag = {
- name = set-so-pin;
- arg-type = string;
- descrip = "Specify the Security Officer's PIN to use on token initialization";
- doc = "Alternatively the GNUTLS_SO_PIN environment variable may be used.";
-};
-
-flag = {
- name = object_list_related_options;
- documentation;
- descrip = "Object listing";
-};
-
-flag = {
- name = list-all;
- descrip = "List all available objects in a token";
- doc = "All objects available in the token will be listed. That includes
-objects which are potentially unaccessible using this tool.";
-};
-
-flag = {
- name = list-all-certs;
- descrip = "List all available certificates in a token";
- doc = "That option will also provide more information on the
-certificates, for example, expand the attached extensions in a trust
-token (like p11-kit-trust).";
-};
-
-flag = {
- name = list-certs;
- descrip = "List all certificates that have an associated private key";
- doc = "That option will only display certificates which have a private
-key associated with them (share the same ID).";
-};
-
-flag = {
- name = list-all-privkeys;
- descrip = "List all available private keys in a token";
- doc = "Lists all the private keys in a token that match the specified URL.";
-};
-
-flag = {
- name = list-privkeys;
- aliases = list-all-privkeys;
-};
-
-flag = {
- name = list-keys;
- aliases = list-all-privkeys;
-};
-
-flag = {
- name = list-all-trusted;
- descrip = "List all available certificates marked as trusted";
- doc = "";
-};
-
-flag = {
- name = export;
- descrip = "Export the object specified by the URL";
- doc = "";
- flags-cant = export-stapled;
- flags-cant = export-chain;
- flags-cant = export-pubkey;
-};
-
-flag = {
- name = export-stapled;
- descrip = "Export the certificate object specified by the URL";
- doc = "Exports the certificate specified by the URL while including any attached extensions to it.
-Since attached extensions are a p11-kit extension, this option is only
-available on p11-kit registered trust modules.";
- flags-cant = export;
- flags-cant = export-chain;
- flags-cant = export-pubkey;
-};
-
-flag = {
- name = export-chain;
- descrip = "Export the certificate specified by the URL and its chain of trust";
- doc = "Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module.";
- flags-cant = export-stapled;
- flags-cant = export;
- flags-cant = export-pubkey;
-};
-
-flag = {
- name = export-pubkey;
- descrip = "Export the public key for a private key";
- doc = "Exports the public key for the specified private key";
- flags-cant = export-stapled;
- flags-cant = export;
- flags-cant = export-chain;
-};
-
-flag = {
- name = info;
- descrip = "List information on an available object in a token";
- doc = "";
-};
-
-flag = {
- name = trusted;
- aliases = mark-trusted;
-};
-
-flag = {
- name = distrusted;
- aliases = mark-distrusted;
-};
-
-flag = {
- name = keygen_related_options;
- documentation;
- descrip = "Key generation";
-};
-
-flag = {
- name = generate-privkey;
- arg-type = string;
- descrip = "Generate private-public key pair of given type";
- doc = "Generates a private-public key pair in the specified token.
-Acceptable types are RSA, ECDSA, Ed25519, and DSA. Should be combined with --sec-param or --bits.";
-};
-
-flag = {
- name = generate-rsa;
- descrip = "Generate an RSA private-public key pair";
- doc = "Generates an RSA private-public key pair on the specified token.
-Should be combined with --sec-param or --bits.";
- deprecated;
-};
-
-flag = {
- name = generate-dsa;
- descrip = "Generate a DSA private-public key pair";
- doc = "Generates a DSA private-public key pair on the specified token.
-Should be combined with --sec-param or --bits.";
- deprecated;
-};
-
-flag = {
- name = generate-ecc;
- descrip = "Generate an ECDSA private-public key pair";
- doc = "Generates an ECDSA private-public key pair on the specified token.
-Should be combined with --curve, --sec-param or --bits.";
- deprecated;
-};
-
-flag = {
- name = bits;
- arg-type = number;
- descrip = "Specify the number of bits for the key generate";
- doc = "For applications which have no key-size restrictions the
---sec-param option is recommended, as the sec-param levels will adapt
-to the acceptable security levels with the new versions of gnutls.";
-};
-
-flag = {
- name = curve;
- arg-type = string;
- descrip = "Specify the curve used for EC key generation";
- doc = "Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.";
-};
-
-flag = {
- name = sec-param;
- arg-type = string;
- arg-name = "Security parameter";
- descrip = "Specify the security level";
- doc = "This is alternative to the bits option. Available options are [low, legacy, medium, high, ultra].";
-};
-
-flag = {
- name = write_object_related_options;
- documentation;
- descrip = "Writing objects";
-};
-
-flag = {
- name = set-id;
- descrip = "Set the CKA_ID (in hex) for the specified by the URL object";
- doc = "Modifies or sets the CKA_ID in the specified by the URL object. The ID should be specified in hexadecimal format without a '0x' prefix.";
- arg-type = string;
- flags_cant = write;
-};
-
-flag = {
- name = set-label;
- descrip = "Set the CKA_LABEL for the specified by the URL object";
- doc = "Modifies or sets the CKA_LABEL in the specified by the URL object";
- arg-type = string;
- flags_cant = write;
- flags_cant = set-id;
-};
-
-flag = {
- name = write;
- descrip = "Writes the loaded objects to a PKCS #11 token";
- doc = "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.
-
-When writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand.";
-};
-
-flag = {
- name = delete;
- descrip = "Deletes the objects matching the given PKCS #11 URL";
- doc = "";
-};
-
-flag = {
- name = label;
- arg-type = string;
- descrip = "Sets a label for the write operation";
- doc = "";
-};
-
-flag = {
- name = id;
- arg-type = string;
- descrip = "Sets an ID for the write operation";
- doc = "Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a '0x' prefix.";
-};
-
-flag = {
- name = mark-wrap;
- disable = "no";
- disabled;
- descrip = "Marks the generated key to be a wrapping key";
- doc = "Marks the generated key with the CKA_WRAP flag.";
-};
-
-flag = {
- name = mark-trusted;
- disable = "no";
- disabled;
- descrip = "Marks the object to be written as trusted";
- doc = "Marks the object to be generated/written with the CKA_TRUST flag.";
- flags_cant = mark-distrusted;
-};
-
-flag = {
- name = mark-distrusted;
- descrip = "When retrieving objects, it requires the objects to be distrusted (blacklisted)";
- doc = "Ensures that the objects retrieved have the CKA_X_TRUST flag.
-This is p11-kit trust module extension, thus this flag is only valid with
-p11-kit registered trust modules.";
- flags_cant = mark-trusted;
-};
-
-flag = {
- name = mark-decrypt;
- disable = "no";
- disabled;
- descrip = "Marks the object to be written for decryption";
- doc = "Marks the object to be generated/written with the CKA_DECRYPT flag set to true.";
-};
-
-flag = {
- name = mark-sign;
- disable = "no";
- disabled;
- descrip = "Marks the object to be written for signature generation";
- doc = "Marks the object to be generated/written with the CKA_SIGN flag set to true.";
-};
-
-flag = {
- name = mark-ca;
- disable = "no";
- disabled;
- descrip = "Marks the object to be written as a CA";
- doc = "Marks the object to be generated/written with the CKA_CERTIFICATE_CATEGORY as CA.";
-};
-
-flag = {
- name = mark-private;
- disable = "no";
- descrip = "Marks the object to be written as private";
- doc = "Marks the object to be generated/written with the CKA_PRIVATE flag. The written object will require a PIN to be used.";
-};
-
-flag = {
- name = ca;
- aliases = mark-ca;
-};
-
-flag = {
- name = private;
- aliases = mark-private;
-};
-
-flag = {
- name = mark-always-authenticate;
- disable = "no";
- descrip = "Marks the object to be written as always authenticate";
- doc = "Marks the object to be generated/written with the CKA_ALWAYS_AUTHENTICATE flag. The written object will Mark the object as requiring authentication (pin entry) before every operation.";
-};
-
-flag = {
- name = secret-key;
- arg-type = string;
- descrip = "Provide a hex encoded secret key";
- doc = "This secret key will be written to the module if --write is specified.";
-};
-
-flag = {
- name = load-privkey;
- arg-type = file;
- file-exists = yes;
- descrip = "Private key file to use";
- doc = "";
-};
-
-flag = {
- name = load-pubkey;
- arg-type = file;
- file-exists = yes;
- descrip = "Public key file to use";
- doc = "";
-};
-
-flag = {
- name = load-certificate;
- arg-type = file;
- file-exists = yes;
- descrip = "Certificate file to use";
- doc = "";
-};
-
-flag = {
- name = other_options;
- documentation;
- descrip = "Other options";
-};
-
-#define OUTFILE_OPT 1
-#include args-std.def
-
-flag = {
- name = login;
- descrip = "Force (user) login to token";
- disabled;
- disable = "no";
- doc = "";
-};
-
-flag = {
- name = so-login;
- descrip = "Force security officer login to token";
- disabled;
- disable = "no";
- doc = "Forces login to the token as security officer (admin).";
-};
-
-flag = {
- name = admin-login;
- aliases = so-login;
-};
-
-flag = {
- name = test-sign;
- descrip = "Tests the signature operation of the provided object";
- doc = "It can be used to test the correct operation of the signature operation.
-If both a private and a public key are available this operation will sign and verify
-the signed data.";
-};
-
-flag = {
- name = sign-params;
- arg-type = string;
- descrip = "Sign with a specific signature algorithm";
- doc = "This option can be combined with --test-sign, to sign with
-a specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be
-specified in order to use RSA-PSS signature on RSA keys.";
-};
-
-flag = {
- name = hash;
- arg-type = string;
- descrip = "Hash algorithm to use for signing";
- doc = "This option can be combined with test-sign. Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.";
-};
-
-flag = {
- name = generate-random;
- descrip = "Generate random data";
- arg-type = number;
- doc = "Asks the token to generate a number of bytes of random bytes.";
-};
-
-flag = {
- name = pkcs8;
- value = 8;
- descrip = "Use PKCS #8 format for private keys";
- doc = "";
-};
-
-flag = {
- name = inder;
- descrip = "Use DER/RAW format for input";
- disabled;
- disable = "no";
- doc = "Use DER/RAW format for input certificates and private keys.";
-};
-
-flag = {
- name = inraw;
- aliases = inder;
-};
-
-flag = {
- name = outder;
- descrip = "Use DER format for output certificates, private keys, and DH parameters";
- disabled;
- disable = "no";
- doc = "The output will be in DER or RAW format.";
-};
-
-flag = {
- name = outraw;
- aliases = outder;
-};
-
-flag = {
- name = provider;
- arg-type = file;
- descrip = "Specify the PKCS #11 provider library";
- doc = "This will override the default options in /etc/gnutls/pkcs11.conf";
-};
-
-flag = {
- name = provider-opts;
- arg-type = string;
- descrip = "Specify parameters for the PKCS #11 provider library";
- doc = "This is a PKCS#11 internal option used by few modules.
- Mainly for testing PKCS#11 modules.";
- deprecated;
-};
-
-flag = {
- name = detailed-url;
- descrip = "Print detailed URLs";
- disabled;
- disable = "no";
- doc = "";
-};
-
-flag = {
- name = only-urls;
- descrip = "Print a compact listing using only the URLs";
- doc = "";
-};
-
-flag = {
- name = batch;
- descrip = "Disable all interaction with the tool";
- doc = "In batch mode there will be no prompts, all parameters need to be specified on command line.";
-};
-
-
-doc-section = {
- ds-type = 'SEE ALSO';
- ds-format = 'texi';
- ds-text = <<-_EOT_
- certtool (1)
-_EOT_;
-};
-
-doc-section = {
- ds-type = 'EXAMPLES';
- ds-format = 'texi';
- ds-text = <<-_EOT_
-To view all tokens in your system use:
-@example
-$ p11tool --list-tokens
-@end example
-
-To view all objects in a token use:
-@example
-$ p11tool --login --list-all "pkcs11:TOKEN-URL"
-@end example
-
-To store a private key and a certificate in a token run:
-@example
-$ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
- --label "Mykey"
-$ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
- --label "Mykey"
-@end example
-Note that some tokens require the same label to be used for the certificate
-and its corresponding private key.
-
-To generate an RSA private key inside the token use:
-@example
-$ p11tool --login --generate-privkey rsa --bits 1024 --label "MyNewKey" \
- --outfile MyNewKey.pub "pkcs11:TOKEN-URL"
-@end example
-The bits parameter in the above example is explicitly set because some
-tokens only support limited choices in the bit length. The output file is the
-corresponding public key. This key can be used to general a certificate
-request with certtool.
-@example
-certtool --generate-request --load-privkey "pkcs11:KEY-URL" \
- --load-pubkey MyNewKey.pub --outfile request.pem
-@end example
-
-_EOT_;
-};
-
diff --git a/src/psktool-args.def b/src/psktool-args.def
deleted file mode 100644
index 74e1c0a57a..0000000000
--- a/src/psktool-args.def
+++ /dev/null
@@ -1,70 +0,0 @@
-AutoGen Definitions options;
-prog-name = psktool;
-prog-title = "GnuTLS PSK tool";
-prog-desc = "Program to create PSK parameters.\n";
-detail = "Program that generates random keys for use with TLS-PSK. The
-keys are stored in hexadecimal format in a key file.";
-short-usage = "psktool [options]\npsktool --help for usage instructions.\n";
-explain = "";
-
-#include args-std.def
-
-flag = {
- name = keysize;
- value = s;
- arg-type = number;
- arg-range = "0 -> 512";
- descrip = "Specify the key size in bytes (default is 32-bytes or 256-bits)";
- doc = "";
-};
-
-flag = {
- name = username;
- value = u;
- arg-type = string;
- descrip = "Specify the username to use";
- doc = "";
-};
-
-flag = {
- name = pskfile;
- value = p;
- arg-type = string;
- descrip = "Specify a pre-shared key file";
- doc = "This option will specify the pre-shared key file to store the generated keys.";
-};
-
-flag = {
- name = passwd;
- aliases = pskfile;
- descrip = "Specify a pre-shared key file";
- deprecated;
-};
-
-doc-section = {
- ds-type = 'SEE ALSO';
- ds-format = 'texi';
- ds-text = <<-_EOT_
- gnutls-cli-debug (1), gnutls-serv (1), srptool (1), certtool (1)
-_EOT_;
-};
-
-doc-section = {
- ds-type = 'EXAMPLES';
- ds-format = 'texi';
- ds-text = <<-_EOT_
-To add a user 'psk_identity' in @file{keys.psk} for use with GnuTLS run:
-@example
-$ ./psktool -u psk_identity -p keys.psk
-Generating a random key for user 'psk_identity'
-Key stored to keys.psk
-$ cat keys.psk
-psk_identity:88f3824b3e5659f52d00e959bacab954b6540344
-$
-@end example
-
-This command will create @file{keys.psk} if it does not exist
-and will add user 'psk_identity'.
-_EOT_;
-};
-
diff --git a/src/serv-args.def b/src/serv-args.def
deleted file mode 100644
index ca61801c1e..0000000000
--- a/src/serv-args.def
+++ /dev/null
@@ -1,557 +0,0 @@
-AutoGen Definitions options;
-prog-name = gnutls-serv;
-prog-title = "GnuTLS server";
-prog-desc = "Simple server program to act as an HTTPS or TLS echo service.";
-short-usage = "Usage: gnutls-serv [options]\ngnutls-serv --help for usage instructions.\n";
-explain = "";
-detail = "Server program that listens to incoming TLS connections.";
-
-#include args-std.def
-
-flag = {
- name = sni-hostname;
- descrip = "Server's hostname for server name extension";
- arg-type = string;
- doc = "Server name of type host_name that the server will recognise as its own. If the server receives client hello with different name, it will send a warning-level unrecognized_name alert.";
-};
-
-flag = {
- name = sni-hostname-fatal;
- descrip = "Send fatal alert on sni-hostname mismatch";
- doc = "";
-};
-
-flag = {
- name = alpn;
- arg-type = string;
- descrip = "Specify ALPN protocol to be enabled by the server";
- doc = "Specify the (textual) ALPN protocol for the server to use.";
- stack-arg;
- max = NOLIMIT;
-};
-
-flag = {
- name = alpn-fatal;
- descrip = "Send fatal alert on non-matching ALPN name";
- doc = "";
-};
-
-flag = {
- name = noticket;
- descrip = "Don't accept session tickets";
- doc = "";
-};
-
-flag = {
- name = earlydata;
- descrip = "Accept early data";
- doc = "";
-};
-
-flag = {
- name = maxearlydata;
- arg-type = number;
- arg-range = "1->";
- descrip = "The maximum early data size to accept";
- doc = "";
-};
-
-flag = {
- name = nocookie;
- descrip = "Don't require cookie on DTLS sessions";
- doc = "";
-};
-
-flag = {
- name = generate;
- value = g;
- descrip = "Generate Diffie-Hellman parameters";
- doc = "";
-};
-
-flag = {
- name = quiet;
- value = q;
- descrip = "Suppress some messages";
- doc = "";
-};
-
-flag = {
- name = nodb;
- descrip = "Do not use a resumption database";
- doc = "";
-};
-
-flag = {
- name = http;
- descrip = "Act as an HTTP server";
- doc = "";
-};
-
-flag = {
- name = echo;
- descrip = "Act as an Echo server";
- doc = "";
-};
-
-flag = {
- name = crlf;
- descrip = "Do not replace CRLF by LF in Echo server mode";
- doc = "";
-};
-
-flag = {
- name = udp;
- value = u;
- descrip = "Use DTLS (datagram TLS) over UDP";
- doc = "";
-};
-
-flag = {
- name = mtu;
- arg-type = number;
- arg-range = "0->17000";
- descrip = "Set MTU for datagram TLS";
- doc = "";
-};
-
-flag = {
- name = srtp_profiles;
- arg-type = string;
- descrip = "Offer SRTP profiles";
- doc = "";
-};
-
-flag = {
- name = disable-client-cert;
- value = a;
- descrip = "Do not request a client certificate";
- doc = "";
- flags-cant = require-client-cert;
-};
-
-flag = {
- name = require-client-cert;
- value = r;
- descrip = "Require a client certificate";
- doc = "This option before 3.6.0 used to imply --verify-client-cert.
-Since 3.6.0 it will no longer verify the certificate by default.";
-};
-
-flag = {
- name = verify-client-cert;
- disabled;
- descrip = "If a client certificate is sent then verify it.";
- doc = "Do not require, but if a client certificate is sent then verify it and close the connection if invalid.";
-};
-
-flag = {
- name = heartbeat;
- value = b;
- descrip = "Activate heartbeat support";
- doc = "Regularly ping client via heartbeat extension messages";
-};
-
-flag = {
- name = x509fmtder;
- descrip = "Use DER format for certificates to read from";
- doc = "";
-};
-
-flag = {
- name = priority;
- arg-type = string;
- descrip = "Priorities string";
- doc = "TLS algorithms and protocols to enable. You can
-use predefined sets of ciphersuites such as PERFORMANCE,
-NORMAL, SECURE128, SECURE256. The default is NORMAL.
-
-Check the GnuTLS manual on section ``Priority strings'' for more
-information on allowed keywords";
-};
-
-flag = {
- name = dhparams;
- arg-type = file;
- file-exists = yes;
- descrip = "DH params file to use";
- doc = "";
-};
-
-flag = {
- name = x509cafile;
- arg-type = string;
- descrip = "Certificate file or PKCS #11 URL to use";
- doc = "";
-};
-
-flag = {
- name = x509crlfile;
- arg-type = file;
- file-exists = yes;
- descrip = "CRL file to use";
- doc = "";
-};
-
-flag = {
- name = pgpkeyfile;
- arg-type = file;
- file-exists = yes;
- descrip = "PGP Key file to use";
- doc = "";
- deprecated;
-};
-
-
-flag = {
- name = x509keyfile;
- arg-type = string;
- descrip = "X.509 key file or PKCS #11 URL to use";
- doc = "Specify the private key file or URI to use; it must correspond to
-the certificate specified in --x509certfile. Multiple keys and certificates
-can be specified with this option and in that case each occurrence of keyfile
-must be followed by the corresponding x509certfile or vice-versa.";
- stack-arg;
- max = NOLIMIT;
-};
-
-flag = {
- name = x509certfile;
- arg-type = string;
- descrip = "X.509 Certificate file or PKCS #11 URL to use";
- doc = "Specify the certificate file or URI to use; it must correspond to
-the key specified in --x509keyfile. Multiple keys and certificates
-can be specified with this option and in that case each occurrence of keyfile
-must be followed by the corresponding x509certfile or vice-versa.";
- stack-arg;
- max = NOLIMIT;
-};
-
-flag = {
- name = x509dsakeyfile;
- aliases = x509keyfile;
- descrip = "Alternative X.509 key file or PKCS #11 URL to use";
- deprecated;
-};
-
-flag = {
- name = x509dsacertfile;
- aliases = x509certfile;
- descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
- deprecated;
-};
-
-flag = {
- name = x509ecckeyfile;
- aliases = x509keyfile;
- descrip = "Alternative X.509 key file or PKCS #11 URL to use";
- deprecated;
-};
-
-flag = {
- name = x509ecccertfile;
- aliases = x509certfile;
- descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
- deprecated;
-};
-
-flag = {
- name = rawpkkeyfile;
- arg-type = string;
- descrip = "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use";
- doc = "Specify the private key file or URI to use; it must correspond to
-the raw public-key specified in --rawpkfile. Multiple key pairs
-can be specified with this option and in that case each occurrence of keyfile
-must be followed by the corresponding rawpkfile or vice-versa.
-
-In order to instruct the application to negotiate raw public keys one
-must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
-and CTYPE-SRV-* flags).
-
-Check the GnuTLS manual on section ``Priority strings'' for more
-information on how to set certificate types.";
- stack-arg;
- max = NOLIMIT;
-};
-
-flag = {
- name = rawpkfile;
- arg-type = string;
- descrip = "Raw public-key file to use";
- doc = "Specify the raw public-key file to use; it must correspond to
-the private key specified in --rawpkkeyfile. Multiple key pairs
-can be specified with this option and in that case each occurrence of keyfile
-must be followed by the corresponding rawpkfile or vice-versa.
-
-In order to instruct the application to negotiate raw public keys one
-must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
-and CTYPE-SRV-* flags).
-
-Check the GnuTLS manual on section ``Priority strings'' for more
-information on how to set certificate types.";
- stack-arg;
- max = NOLIMIT;
- flags-must = rawpkkeyfile;
-};
-
-flag = {
- name = srppasswd;
- arg-type = file;
- file-exists = yes;
- descrip = "SRP password file to use";
- doc = "";
-};
-
-flag = {
- name = srppasswdconf;
- arg-type = file;
- file-exists = yes;
- descrip = "SRP password configuration file to use";
- doc = "";
-};
-
-flag = {
- name = pskpasswd;
- arg-type = file;
- file-exists = yes;
- descrip = "PSK password file to use";
- doc = "";
-};
-
-flag = {
- name = pskhint;
- arg-type = string;
- descrip = "PSK identity hint to use";
- doc = "";
-};
-
-flag = {
- name = ocsp-response;
- arg-type = string;
- descrip = "The OCSP response to send to client";
- doc = "If the client requested an OCSP response, return data from this file to the client.";
- stack-arg;
- max = NOLIMIT;
-};
-
-flag = {
- name = ignore-ocsp-response-errors;
- descrip = "Ignore any errors when setting the OCSP response";
- doc = "That option instructs gnutls to not attempt to match the provided OCSP responses with the certificates.";
-};
-
-flag = {
- name = port;
- value = p;
- arg-type = number;
- descrip = "The port to connect to";
- doc = "";
-};
-
-flag = {
- name = list;
- value = l;
- descrip = "Print a list of the supported algorithms and modes";
- doc = "Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown.";
-};
-
-flag = {
- name = provider;
- arg-type = file;
- file-exists = yes;
- descrip = "Specify the PKCS #11 provider library";
- doc = "This will override the default options in /etc/gnutls/pkcs11.conf";
-};
-
-flag = {
- name = keymatexport;
- arg-type = string;
- descrip = "Label used for exporting keying material";
- doc = "";
-};
-
-flag = {
- name = keymatexportsize;
- arg-type = number;
- descrip = "Size of the exported keying material";
- doc = "";
-};
-
-flag = {
- name = recordsize;
- arg-type = number;
- arg-range = "0->16384";
- descrip = "The maximum record size to advertise";
- doc = "";
-};
-
-flag = {
- name = httpdata;
- arg-type = file;
- file-exists = yes;
- descrip = "The data used as HTTP response";
- doc = "";
-};
-
-doc-section = {
- ds-type = 'SEE ALSO'; // or anything else
- ds-format = 'texi'; // or texi or mdoc format
- ds-text = <<-_EOText_
-gnutls-cli-debug(1), gnutls-cli(1)
-_EOText_;
-};
-
-doc-section = {
- ds-type = 'EXAMPLES';
- ds-format = 'texi';
- ds-text = <<-_EOF_
-Running your own TLS server based on GnuTLS can be useful when
-debugging clients and/or GnuTLS itself. This section describes how to
-use @code{gnutls-serv} as a simple HTTPS server.
-
-The most basic server can be started as:
-
-@example
-gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"
-@end example
-
-It will only support anonymous ciphersuites, which many TLS clients
-refuse to use.
-
-The next step is to add support for X.509. First we generate a CA:
-
-@example
-$ certtool --generate-privkey > x509-ca-key.pem
-$ echo 'cn = GnuTLS test CA' > ca.tmpl
-$ echo 'ca' >> ca.tmpl
-$ echo 'cert_signing_key' >> ca.tmpl
-$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
- --template ca.tmpl --outfile x509-ca.pem
-@end example
-
-Then generate a server certificate. Remember to change the dns_name
-value to the name of your server host, or skip that command to avoid
-the field.
-
-@example
-$ certtool --generate-privkey > x509-server-key.pem
-$ echo 'organization = GnuTLS test server' > server.tmpl
-$ echo 'cn = test.gnutls.org' >> server.tmpl
-$ echo 'tls_www_server' >> server.tmpl
-$ echo 'encryption_key' >> server.tmpl
-$ echo 'signing_key' >> server.tmpl
-$ echo 'dns_name = test.gnutls.org' >> server.tmpl
-$ certtool --generate-certificate --load-privkey x509-server-key.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template server.tmpl --outfile x509-server.pem
-@end example
-
-For use in the client, you may want to generate a client certificate
-as well.
-
-@example
-$ certtool --generate-privkey > x509-client-key.pem
-$ echo 'cn = GnuTLS test client' > client.tmpl
-$ echo 'tls_www_client' >> client.tmpl
-$ echo 'encryption_key' >> client.tmpl
-$ echo 'signing_key' >> client.tmpl
-$ certtool --generate-certificate --load-privkey x509-client-key.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template client.tmpl --outfile x509-client.pem
-@end example
-
-To be able to import the client key/certificate into some
-applications, you will need to convert them into a PKCS#12 structure.
-This also encrypts the security sensitive key with a password.
-
-@example
-$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
- --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
- --outder --outfile x509-client.p12
-@end example
-
-For icing, we'll create a proxy certificate for the client too.
-
-@example
-$ certtool --generate-privkey > x509-proxy-key.pem
-$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
-$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
- --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
- --load-certificate x509-client.pem --template proxy.tmpl \
- --outfile x509-proxy.pem
-@end example
-
-Then start the server again:
-
-@example
-$ gnutls-serv --http \
- --x509cafile x509-ca.pem \
- --x509keyfile x509-server-key.pem \
- --x509certfile x509-server.pem
-@end example
-
-Try connecting to the server using your web browser. Note that the
-server listens to port 5556 by default.
-
-While you are at it, to allow connections using ECDSA, you can also
-create a ECDSA key and certificate for the server. These credentials
-will be used in the final example below.
-
-@example
-$ certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem
-$ certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \
- --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
- --template server.tmpl --outfile x509-server-ecc.pem
-@end example
-
-
-The next step is to add support for SRP authentication. This requires
-an SRP password file created with @code{srptool}.
-To start the server with SRP support:
-
-@example
-gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP \
- --srppasswdconf srp-tpasswd.conf \
- --srppasswd srp-passwd.txt
-@end example
-
-Let's also start a server with support for PSK. This would require
-a password file created with @code{psktool}.
-
-@example
-gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \
- --pskpasswd psk-passwd.txt
-@end example
-
-If you want a server with support for raw public-keys we can also add these
-credentials. Note however that there is no identity information linked to these
-keys as is the case with regular x509 certificates. Authentication must be done
-via different means. Also we need to explicitly enable raw public-key certificates
-via the priority strings.
-
-@example
-gnutls-serv --http --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
- --rawpkfile srv.rawpk.pem \
- --rawpkkeyfile srv.key.pem
-@end example
-
-
-Finally, we start the server with all the earlier parameters and you
-get this command:
-
-@example
-gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
- --x509cafile x509-ca.pem \
- --x509keyfile x509-server-key.pem \
- --x509certfile x509-server.pem \
- --x509keyfile x509-server-key-ecc.pem \
- --x509certfile x509-server-ecc.pem \
- --srppasswdconf srp-tpasswd.conf \
- --srppasswd srp-passwd.txt \
- --pskpasswd psk-passwd.txt \
- --rawpkfile srv.rawpk.pem \
- --rawpkkeyfile srv.key.pem
-@end example
-_EOF_;
-};
-
diff --git a/src/srptool-args.def b/src/srptool-args.def
deleted file mode 100644
index 67e3a8c9d2..0000000000
--- a/src/srptool-args.def
+++ /dev/null
@@ -1,106 +0,0 @@
-AutoGen Definitions options;
-prog-name = srptool;
-prog-title = "GnuTLS SRP tool";
-prog-desc = "Simple program to create SRP parameters.\n";
-explain = "";
-detail = "Simple program that emulates the programs in the Stanford SRP (Secure
-Remote Password) libraries using GnuTLS. It is intended for use in places
-where you don't expect SRP authentication to be the used for system users.
-
-In brief, to use SRP you need to create two files. These are the password
-file that holds the users and the verifiers associated with them and the
-configuration file to hold the group parameters (called tpasswd.conf).";
-
-short-usage = "srptool [options]\nsrptool --help for usage instructions.\n";
-
-#include args-std.def
-
-flag = {
- name = index;
- value = i;
- arg-type = number;
- arg-default = 3;
- descrip = "specify the index of the group parameters in tpasswd.conf to use";
- doc = "";
-};
-
-flag = {
- name = username;
- value = u;
- arg-type = string;
- descrip = "specify a username";
- doc = "";
-};
-
-flag = {
- name = passwd;
- value = p;
- arg-type = string;
- descrip = "specify a password file";
- doc = "";
-};
-
-flag = {
- name = salt;
- value = s;
- arg-type = number;
- descrip = "specify salt size";
- doc = "";
-};
-
-flag = {
- name = verify;
- descrip = "just verify the password.";
- doc = "Verifies the password provided against the password file.";
-};
-
-flag = {
- name = passwd-conf;
- value = v;
- arg-type = string;
- descrip = "specify a password conf file.";
- doc = "Specify a filename or a PKCS #11 URL to read the CAs from.";
-};
-
-flag = {
- name = create-conf;
- arg-type = string;
- descrip = "Generate a password configuration file.";
- doc = "This generates a password configuration file (tpasswd.conf)
-containing the required for TLS parameters.";
-};
-
-doc-section = {
- ds-type = 'SEE ALSO';
- ds-format = 'texi';
- ds-text = <<-_EOT_
- gnutls-cli-debug (1), gnutls-serv (1), srptool (1), psktool (1), certtool (1)
-_EOT_;
-};
-
-doc-section = {
- ds-type = 'EXAMPLES';
- ds-format = 'texi';
- ds-text = <<-_EOT_
-To create @file{tpasswd.conf} which holds the g and n values for SRP protocol
-(generator and a large prime), run:
-@example
-$ srptool --create-conf /etc/tpasswd.conf
-@end example
-
-This command will create @file{/etc/tpasswd} and will add user 'test' (you
-will also be prompted for a password). Verifiers are stored by default
-in the way libsrp expects.
-@example
-$ srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test
-@end example
-
-
-This command will check against a password. If the password matches
-the one in @file{/etc/tpasswd} you will get an ok.
-@example
-$ srptool --passwd /etc/tpasswd --passwd\-conf /etc/tpasswd.conf --verify -u test
-@end example
-_EOT_;
-};
-
diff --git a/src/systemkey-args.def b/src/systemkey-args.def
deleted file mode 100644
index f13c12704b..0000000000
--- a/src/systemkey-args.def
+++ /dev/null
@@ -1,43 +0,0 @@
-AutoGen Definitions options;
-prog-name = systemkey-tool;
-prog-title = "GnuTLS system key tool";
-prog-desc = "Program to handle system keys.\n";
-detail = "Program that allows handling user keys as stored in the system in a uniform way.";
-short-usage = "systemkey-tool [options]\nsystemkey-tool --help for usage instructions.\n";
-explain = "";
-
-#define OUTFILE_OPT 1
-#define INFILE_OPT 0
-#include args-std.def
-
-flag = {
- name = list;
- descrip = "Lists all stored keys.";
- doc = "";
-};
-
-flag = {
- name = delete;
- arg-type = string;
- arg-name = "url";
- descrip = "Delete the key identified by the given URL.";
- doc = "";
-};
-
-flag = {
- name = outder;
- descrip = "Use DER format for output keys";
- disabled;
- disable = "no";
- doc = "The output will be in DER format.";
-};
-
-doc-section = {
- ds-type = 'SEE ALSO';
- ds-format = 'texi';
- ds-text = <<-_EOT_
- p11tool (1), certtool (1)
-_EOT_;
-};
-
-
diff --git a/src/tpmtool-args.def b/src/tpmtool-args.def
deleted file mode 100644
index 85ec9e6f07..0000000000
--- a/src/tpmtool-args.def
+++ /dev/null
@@ -1,170 +0,0 @@
-AutoGen Definitions options;
-prog-name = tpmtool;
-prog-title = "GnuTLS TPM tool";
-prog-desc = "Program to handle TPM as a cryptographic device.\n";
-detail = "Program that allows handling cryptographic data from the TPM chip.";
-short-usage = "tpmtool [options]\ntpmtool --help for usage instructions.\n";
-explain = "";
-
-#define OUTFILE_OPT 1
-#define INFILE_OPT 1
-#include args-std.def
-
-flag = {
- name = generate-rsa;
- descrip = "Generate an RSA private-public key pair";
- doc = "Generates an RSA private-public key pair in the TPM chip.
-The key may be stored in file system and protected by a PIN, or stored (registered)
-in the TPM chip flash.";
-};
-
-flag = {
- name = register;
- descrip = "Any generated key will be registered in the TPM";
- flags_must = generate-rsa;
- doc = "";
-};
-
-flag = {
- name = signing;
- descrip = "Any generated key will be a signing key";
- flags_must = generate-rsa;
- flags_cant = legacy;
- doc = "";
-};
-
-flag = {
- name = legacy;
- descrip = "Any generated key will be a legacy key";
- flags_must = generate-rsa;
- flags_cant = signing;
- doc = "";
-};
-
-flag = {
- name = user;
- descrip = "Any registered key will be a user key";
- flags_must = register;
- flags_cant = system;
- doc = "The generated key will be stored in a user specific persistent storage.";
-};
-
-flag = {
- name = system;
- descrip = "Any registered key will be a system key";
- flags_must = register;
- flags_cant = user;
- doc = "The generated key will be stored in system persistent storage.";
-};
-
-
-flag = {
- name = pubkey;
- arg-type = string;
- arg-name = "url";
- descrip = "Prints the public key of the provided key";
- doc = "";
-};
-
-flag = {
- name = list;
- descrip = "Lists all stored keys in the TPM";
- doc = "";
-};
-
-flag = {
- name = delete;
- arg-type = string;
- arg-name = "url";
- descrip = "Delete the key identified by the given URL (UUID).";
- doc = "";
-};
-
-flag = {
- name = test-sign;
- arg-type = string;
- arg-name = "url";
- descrip = "Tests the signature operation of the provided object";
- doc = "It can be used to test the correct operation of the signature operation.
-This operation will sign and verify the signed data.";
-};
-
-flag = {
- name = sec-param;
- arg-type = string;
- arg-name = "Security parameter";
- descrip = "Specify the security level [low, legacy, medium, high, ultra].";
- doc = "This is alternative to the bits option. Note however that the
-values allowed by the TPM chip are quantized and given values may be rounded up.";
-};
-
-flag = {
- name = bits;
- arg-type = number;
- descrip = "Specify the number of bits for key generate";
- doc = "";
-};
-
-flag = {
- name = inder;
- descrip = "Use the DER format for keys.";
- disabled;
- disable = "no";
- doc = "The input files will be assumed to be in the portable
-DER format of TPM. The default format is a custom format used by various
-TPM tools";
-};
-
-flag = {
- name = outder;
- descrip = "Use DER format for output keys";
- disabled;
- disable = "no";
- doc = "The output will be in the TPM portable DER format.";
-};
-
-flag = {
- name = srk-well-known;
- descrip = "SRK has well known password (20 bytes of zeros)";
-};
-
-doc-section = {
- ds-type = 'SEE ALSO';
- ds-format = 'texi';
- ds-text = <<-_EOT_
- p11tool (1), certtool (1)
-_EOT_;
-};
-
-doc-section = {
- ds-type = 'EXAMPLES';
- ds-format = 'texi';
- ds-text = <<-_EOT_
-To generate a key that is to be stored in file system use:
-@example
-$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem
-@end example
-
-To generate a key that is to be stored in TPM's flash use:
-@example
-$ tpmtool --generate-rsa --bits 2048 --register --user
-@end example
-
-To get the public key of a TPM key use:
-@example
-$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \
- --outfile pubkey.pem
-@end example
-
-or if the key is stored in the file system:
-@example
-$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem
-@end example
-
-To list all keys stored in TPM use:
-@example
-$ tpmtool --list
-@end example
-_EOT_;
-};
-