Diffstat (limited to 'manual/html_node/p11tool-Invocation.html')
-rw-r--r-- | manual/html_node/p11tool-Invocation.html | 321 |
1 files changed, 176 insertions, 145 deletions
diff --git a/manual/html_node/p11tool-Invocation.html b/manual/html_node/p11tool-Invocation.html index 91f18bfa6a..fb0e6179e8 100644 --- a/manual/html_node/p11tool-Invocation.html +++ b/manual/html_node/p11tool-Invocation.html @@ -1,7 +1,7 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <!-- This manual is last updated 4 March 2015 for version -3.4.2 of GnuTLS. +3.4.3 of GnuTLS. Copyright (C) 2001-2015 Free Software Foundation, Inc.\\ Copyright (C) 2001-2015 Nikos Mavrogiannopoulos @@ -14,10 +14,10 @@ copy of the license is included in the section entitled "GNU Free Documentation License". --> <!-- Created by GNU Texinfo 5.2, http://www.gnu.org/software/texinfo/ --> <head> -<title>GnuTLS 3.4.2: p11tool Invocation</title> +<title>GnuTLS 3.4.3: p11tool Invocation</title> -<meta name="description" content="GnuTLS 3.4.2: p11tool Invocation"> -<meta name="keywords" content="GnuTLS 3.4.2: p11tool Invocation"> +<meta name="description" content="GnuTLS 3.4.3: p11tool Invocation"> +<meta name="keywords" content="GnuTLS 3.4.3: p11tool Invocation"> <meta name="resource-type" content="document"> <meta name="distribution" content="global"> <meta name="Generator" content="makeinfo"> 
@@ -292,75 +292,92 @@ environment variables GNUTLS_PIN and GNUTLS_SO_PIN. </pre></div> -<a name="p11tool-debug"></a><a name="debug-option-_0028_002dd_0029"></a> -<h4 class="subsection">5.3.8 debug option (-d)</h4> - -<p>This is the “enable debugging” option. -This option takes a number argument. -Specifies the debug level. -<a name="p11tool-export_002dchain"></a></p><a name="export_002dchain-option"></a> -<h4 class="subsection">5.3.9 export-chain option</h4> - -<p>This is the “export the certificate specified by the url and its chain of trust” option. -Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module. -<a name="p11tool-list_002dall_002dprivkeys"></a></p><a name="list_002dall_002dprivkeys-option"></a> -<h4 class="subsection">5.3.10 list-all-privkeys option</h4> - +<a name="p11tool-token_002drelated_002doptions"></a><a name="token_002drelated_002doptions-options"></a> +<h4 class="subsection">5.3.8 token-related-options options</h4> +<p>Tokens. +</p><a name="list_002dtoken_002durls-option_002e"></a> +<h4 class="subsubheading">list-token-urls option.</h4> +<a name="p11tool-list_002dtoken_002durls"></a> +<p>This is the “list the urls available tokens” option. +This is a more compact version of –list-tokens. +</p><a name="set_002dpin-option_002e"></a> +<h4 class="subsubheading">set-pin option.</h4> +<a name="p11tool-set_002dpin"></a> +<p>This is the “specify the pin to use on token initialization” option. +This option takes a string argument. +Alternatively the GNUTLS_PIN environment variable may be used. +</p><a name="set_002dso_002dpin-option_002e"></a> +<h4 class="subsubheading">set-so-pin option.</h4> +<a name="p11tool-set_002dso_002dpin"></a> +<p>This is the “specify the security officer’s pin to use on token initialization” option. +This option takes a string argument. +Alternatively the GNUTLS_SO_PIN environment variable may be used. 
+<a name="p11tool-object_002dlist_002drelated_002doptions"></a></p><a name="object_002dlist_002drelated_002doptions-options"></a> +<h4 class="subsection">5.3.9 object-list-related-options options</h4> +<p>Object listing. +</p><a name="list_002dall_002dprivkeys-option_002e"></a> +<h4 class="subsubheading">list-all-privkeys option.</h4> +<a name="p11tool-list_002dall_002dprivkeys"></a> <p>This is the “list all available private keys in a token” option. Lists all the private keys in a token that match the specified URL. -<a name="p11tool-list_002dprivkeys"></a></p><a name="list_002dprivkeys-option"></a> -<h4 class="subsection">5.3.11 list-privkeys option</h4> - +</p><a name="list_002dprivkeys-option_002e"></a> +<h4 class="subsubheading">list-privkeys option.</h4> +<a name="p11tool-list_002dprivkeys"></a> <p>This is an alias for the <code>list-all-privkeys</code> option, see <a href="#p11tool-list_002dall_002dprivkeys">the list-all-privkeys option documentation</a>. </p> -<a name="p11tool-list_002dkeys"></a><a name="list_002dkeys-option"></a> -<h4 class="subsection">5.3.12 list-keys option</h4> - +<a name="list_002dkeys-option_002e"></a> +<h4 class="subsubheading">list-keys option.</h4> +<a name="p11tool-list_002dkeys"></a> <p>This is an alias for the <code>list-all-privkeys</code> option, see <a href="#p11tool-list_002dall_002dprivkeys">the list-all-privkeys option documentation</a>. </p> -<a name="p11tool-test_002dsign"></a><a name="test_002dsign-option"></a> -<h4 class="subsection">5.3.13 test-sign option</h4> - -<p>This is the “tests the signature operation of the provided object” option. -It can be used to test the correct operation of the signature operation. -If both a private and a public key are available this operation will sign and verify -the signed data. -<a name="p11tool-write"></a></p><a name="write-option"></a> -<h4 class="subsection">5.3.14 write option</h4> - -<p>This is the “writes the loaded objects to a pkcs #11 token” option. 
-It can be used to write private keys, certificates or secret keys to a token. -<a name="p11tool-generate_002drandom"></a></p><a name="generate_002drandom-option"></a> -<h4 class="subsection">5.3.15 generate-random option</h4> - -<p>This is the “generate random data” option. -This option takes a number argument. -Asks the token to generate a number of bytes of random bytes. -<a name="p11tool-generate_002drsa"></a></p><a name="generate_002drsa-option"></a> -<h4 class="subsection">5.3.16 generate-rsa option</h4> - +<a name="export_002dchain-option_002e"></a> +<h4 class="subsubheading">export-chain option.</h4> +<a name="p11tool-export_002dchain"></a> +<p>This is the “export the certificate specified by the url and its chain of trust” option. +Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module. +</p><a name="export_002dpubkey-option_002e"></a> +<h4 class="subsubheading">export-pubkey option.</h4> +<a name="p11tool-export_002dpubkey"></a> +<p>This is the “export the public key for a private key” option. +Exports the public key for the specified private key +<a name="p11tool-keygen_002drelated_002doptions"></a></p><a name="keygen_002drelated_002doptions-options"></a> +<h4 class="subsection">5.3.10 keygen-related-options options</h4> +<p>Key generation. +</p><a name="generate_002drsa-option_002e"></a> +<h4 class="subsubheading">generate-rsa option.</h4> +<a name="p11tool-generate_002drsa"></a> <p>This is the “generate an rsa private-public key pair” option. Generates an RSA private-public key pair on the specified token. -<a name="p11tool-generate_002ddsa"></a></p><a name="generate_002ddsa-option"></a> -<h4 class="subsection">5.3.17 generate-dsa option</h4> - +</p><a name="generate_002ddsa-option_002e"></a> +<h4 class="subsubheading">generate-dsa option.</h4> +<a name="p11tool-generate_002ddsa"></a> <p>This is the “generate an rsa private-public key pair” option. 
Generates an RSA private-public key pair on the specified token. -<a name="p11tool-generate_002decc"></a></p><a name="generate_002decc-option"></a> -<h4 class="subsection">5.3.18 generate-ecc option</h4> - +</p><a name="generate_002decc-option_002e"></a> +<h4 class="subsubheading">generate-ecc option.</h4> +<a name="p11tool-generate_002decc"></a> <p>This is the “generate an rsa private-public key pair” option. Generates an RSA private-public key pair on the specified token. -<a name="p11tool-export_002dpubkey"></a></p><a name="export_002dpubkey-option"></a> -<h4 class="subsection">5.3.19 export-pubkey option</h4> - -<p>This is the “export the public key for a private key” option. -Exports the public key for the specified private key -<a name="p11tool-set_002did"></a></p><a name="set_002did-option"></a> -<h4 class="subsection">5.3.20 set-id option</h4> - +</p><a name="curve-option_002e"></a> +<h4 class="subsubheading">curve option.</h4> +<a name="p11tool-curve"></a> +<p>This is the “specify the curve used for ec key generation” option. +This option takes a string argument. +Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1. +</p><a name="sec_002dparam-option_002e"></a> +<h4 class="subsubheading">sec-param option.</h4> +<a name="p11tool-sec_002dparam"></a> +<p>This is the “specify the security level” option. +This option takes a string argument <samp>Security parameter</samp>. +This is alternative to the bits option. Available options are [low, legacy, medium, high, ultra]. +<a name="p11tool-write_002dobject_002drelated_002doptions"></a></p><a name="write_002dobject_002drelated_002doptions-options"></a> +<h4 class="subsection">5.3.11 write-object-related-options options</h4> +<p>Writing objects. +</p><a name="set_002did-option_002e"></a> +<h4 class="subsubheading">set-id option.</h4> +<a name="p11tool-set_002did"></a> <p>This is the “set the cka_id (in hex) for the specified by the url object” option. This option takes a string argument. 
</p> @@ -371,9 +388,9 @@ write. </li></ul> <p>Modifies or sets the CKA_ID in the specified by the URL object. The ID should be specified in hexadecimal format without a ’0x’ prefix. -<a name="p11tool-set_002dlabel"></a></p><a name="set_002dlabel-option"></a> -<h4 class="subsection">5.3.21 set-label option</h4> - +</p><a name="set_002dlabel-option_002e"></a> +<h4 class="subsubheading">set-label option.</h4> +<a name="p11tool-set_002dlabel"></a> <p>This is the “set the cka_label for the specified by the url object” option. This option takes a string argument. </p> @@ -384,15 +401,20 @@ write, set-id. </li></ul> <p>Modifies or sets the CKA_LABEL in the specified by the URL object -<a name="p11tool-id"></a></p><a name="id-option"></a> -<h4 class="subsection">5.3.22 id option</h4> - +</p><a name="write-option_002e"></a> +<h4 class="subsubheading">write option.</h4> +<a name="p11tool-write"></a> +<p>This is the “writes the loaded objects to a pkcs #11 token” option. +It can be used to write private keys, certificates or secret keys to a token. Must be combined with a –load option. +</p><a name="id-option_002e"></a> +<h4 class="subsubheading">id option.</h4> +<a name="p11tool-id"></a> <p>This is the “sets an id for the write operation” option. This option takes a string argument. Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a ’0x’ prefix. -<a name="p11tool-mark_002dwrap"></a></p><a name="mark_002dwrap-option"></a> -<h4 class="subsection">5.3.23 mark-wrap option</h4> - +</p><a name="mark_002dwrap-option_002e"></a> +<h4 class="subsubheading">mark-wrap option.</h4> +<a name="p11tool-mark_002dwrap"></a> <p>This is the “marks the generated key to be a wrapping key” option. </p> <p>This option has some usage constraints. It: 
@@ -401,9 +423,9 @@ Sets the CKA_ID to be set by the write operation. The ID should be specified in </li></ul> <p>Marks the generated key with the CKA_WRAP flag. -<a name="p11tool-mark_002dtrusted"></a></p><a name="mark_002dtrusted-option"></a> -<h4 class="subsection">5.3.24 mark-trusted option</h4> - +</p><a name="mark_002dtrusted-option_002e"></a> +<h4 class="subsubheading">mark-trusted option.</h4> +<a name="p11tool-mark_002dtrusted"></a> <p>This is the “marks the object to be written as trusted” option. </p> <p>This option has some usage constraints. It: @@ -411,10 +433,10 @@ Sets the CKA_ID to be set by the write operation. The ID should be specified in <li> can be disabled with –no-mark-trusted. </li></ul> -<p>Marks the object to be generated/copied with the CKA_TRUST flag. -<a name="p11tool-mark_002ddecrypt"></a></p><a name="mark_002ddecrypt-option"></a> -<h4 class="subsection">5.3.25 mark-decrypt option</h4> - +<p>Marks the object to be generated/written with the CKA_TRUST flag. +</p><a name="mark_002ddecrypt-option_002e"></a> +<h4 class="subsubheading">mark-decrypt option.</h4> +<a name="p11tool-mark_002ddecrypt"></a> <p>This is the “marks the object to be written for decryption” option. </p> <p>This option has some usage constraints. It: @@ -422,10 +444,10 @@ Sets the CKA_ID to be set by the write operation. The ID should be specified in <li> can be disabled with –no-mark-decrypt. </li></ul> -<p>Marks the object to be generated/copied with the CKA_DECRYPT flag set to true. -<a name="p11tool-mark_002dsign"></a></p><a name="mark_002dsign-option"></a> -<h4 class="subsection">5.3.26 mark-sign option</h4> - +<p>Marks the object to be generated/written with the CKA_DECRYPT flag set to true. +</p><a name="mark_002dsign-option_002e"></a> +<h4 class="subsubheading">mark-sign option.</h4> +<a name="p11tool-mark_002dsign"></a> <p>This is the “marks the object to be written for signature generation” option. </p> <p>This option has some usage constraints. It: 
@@ -433,10 +455,10 @@ Sets the CKA_ID to be set by the write operation. The ID should be specified in <li> can be disabled with –no-mark-sign. </li></ul> -<p>Marks the object to be generated/copied with the CKA_SIGN flag set to true. -<a name="p11tool-mark_002dca"></a></p><a name="mark_002dca-option"></a> -<h4 class="subsection">5.3.27 mark-ca option</h4> - +<p>Marks the object to be generated/written with the CKA_SIGN flag set to true. +</p><a name="mark_002dca-option_002e"></a> +<h4 class="subsubheading">mark-ca option.</h4> +<a name="p11tool-mark_002dca"></a> <p>This is the “marks the object to be written as a ca” option. </p> <p>This option has some usage constraints. It: @@ -444,10 +466,10 @@ Sets the CKA_ID to be set by the write operation. The ID should be specified in <li> can be disabled with –no-mark-ca. </li></ul> -<p>Marks the object to be generated/copied with the CKA_CERTIFICATE_CATEGORY as CA. -<a name="p11tool-mark_002dprivate"></a></p><a name="mark_002dprivate-option"></a> -<h4 class="subsection">5.3.28 mark-private option</h4> - +<p>Marks the object to be generated/written with the CKA_CERTIFICATE_CATEGORY as CA. +</p><a name="mark_002dprivate-option_002e"></a> +<h4 class="subsubheading">mark-private option.</h4> +<a name="p11tool-mark_002dprivate"></a> <p>This is the “marks the object to be written as private” option. </p> <p>This option has some usage constraints. It: 
@@ -456,28 +478,43 @@ Sets the CKA_ID to be set by the write operation. The ID should be specified in </li><li> It is enabled by default. </li></ul> -<p>Marks the object to be generated/copied with the CKA_PRIVATE flag. The written object will require a PIN to be used. -<a name="p11tool-trusted"></a></p><a name="trusted-option"></a> -<h4 class="subsection">5.3.29 trusted option</h4> - +<p>Marks the object to be generated/written with the CKA_PRIVATE flag. The written object will require a PIN to be used. +</p><a name="trusted-option_002e"></a> +<h4 class="subsubheading">trusted option.</h4> +<a name="p11tool-trusted"></a> <p>This is an alias for the <code>mark-trusted</code> option, see <a href="#p11tool-mark_002dtrusted">the mark-trusted option documentation</a>. </p> -<a name="p11tool-ca"></a><a name="ca-option"></a> -<h4 class="subsection">5.3.30 ca option</h4> - +<a name="ca-option_002e"></a> +<h4 class="subsubheading">ca option.</h4> +<a name="p11tool-ca"></a> <p>This is an alias for the <code>mark-ca</code> option, see <a href="#p11tool-mark_002dca">the mark-ca option documentation</a>. </p> -<a name="p11tool-private"></a><a name="private-option"></a> -<h4 class="subsection">5.3.31 private option</h4> - +<a name="private-option_002e"></a> +<h4 class="subsubheading">private option.</h4> +<a name="p11tool-private"></a> <p>This is an alias for the <code>mark-private</code> option, see <a href="#p11tool-mark_002dprivate">the mark-private option documentation</a>. </p> -<a name="p11tool-so_002dlogin"></a><a name="so_002dlogin-option"></a> -<h4 class="subsection">5.3.32 so-login option</h4> - +<a name="secret_002dkey-option_002e"></a> +<h4 class="subsubheading">secret-key option.</h4> +<a name="p11tool-secret_002dkey"></a> +<p>This is the “provide a hex encoded secret key” option. +This option takes a string argument. +This secret key will be written to the module if –write is specified. 
+<a name="p11tool-other_002doptions"></a></p><a name="other_002doptions-options"></a> +<h4 class="subsection">5.3.12 other-options options</h4> +<p>Other options. +</p><a name="debug-option-_0028_002dd_0029_002e"></a> +<h4 class="subsubheading">debug option (-d).</h4> +<a name="p11tool-debug"></a> +<p>This is the “enable debugging” option. +This option takes a number argument. +Specifies the debug level. +</p><a name="so_002dlogin-option_002e"></a> +<h4 class="subsubheading">so-login option.</h4> +<a name="p11tool-so_002dlogin"></a> <p>This is the “force security officer login to token” option. </p> <p>This option has some usage constraints. It: 
@@ -486,27 +523,28 @@ see <a href="#p11tool-mark_002dprivate">the mark-private option documentation</a </li></ul> <p>Forces login to the token as security officer (admin). -<a name="p11tool-admin_002dlogin"></a></p><a name="admin_002dlogin-option"></a> -<h4 class="subsection">5.3.33 admin-login option</h4> - +</p><a name="admin_002dlogin-option_002e"></a> +<h4 class="subsubheading">admin-login option.</h4> +<a name="p11tool-admin_002dlogin"></a> <p>This is an alias for the <code>so-login</code> option, see <a href="#p11tool-so_002dlogin">the so-login option documentation</a>. </p> -<a name="p11tool-curve"></a><a name="curve-option"></a> -<h4 class="subsection">5.3.34 curve option</h4> - -<p>This is the “specify the curve used for ec key generation” option. -This option takes a string argument. -Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1. -<a name="p11tool-sec_002dparam"></a></p><a name="sec_002dparam-option"></a> -<h4 class="subsection">5.3.35 sec-param option</h4> - -<p>This is the “specify the security level” option. -This option takes a string argument <samp>Security parameter</samp>. -This is alternative to the bits option. Available options are [low, legacy, medium, high, ultra]. -<a name="p11tool-inder"></a></p><a name="inder-option"></a> -<h4 class="subsection">5.3.36 inder option</h4> - +<a name="test_002dsign-option_002e"></a> +<h4 class="subsubheading">test-sign option.</h4> +<a name="p11tool-test_002dsign"></a> +<p>This is the “tests the signature operation of the provided object” option. +It can be used to test the correct operation of the signature operation. +If both a private and a public key are available this operation will sign and verify +the signed data. +</p><a name="generate_002drandom-option_002e"></a> +<h4 class="subsubheading">generate-random option.</h4> +<a name="p11tool-generate_002drandom"></a> +<p>This is the “generate random data” option. +This option takes a number argument. 
+Asks the token to generate a number of bytes of random bytes. +</p><a name="inder-option_002e"></a> +<h4 class="subsubheading">inder option.</h4> +<a name="p11tool-inder"></a> <p>This is the “use der/raw format for input” option. </p> <p>This option has some usage constraints. It: @@ -515,15 +553,15 @@ This is alternative to the bits option. Available options are [low, legacy, medi </li></ul> <p>Use DER/RAW format for input certificates and private keys. -<a name="p11tool-inraw"></a></p><a name="inraw-option"></a> -<h4 class="subsection">5.3.37 inraw option</h4> - +</p><a name="inraw-option_002e"></a> +<h4 class="subsubheading">inraw option.</h4> +<a name="p11tool-inraw"></a> <p>This is an alias for the <code>inder</code> option, see <a href="#p11tool-inder">the inder option documentation</a>. </p> -<a name="p11tool-outder"></a><a name="outder-option"></a> -<h4 class="subsection">5.3.38 outder option</h4> - +<a name="outder-option_002e"></a> +<h4 class="subsubheading">outder option.</h4> +<a name="p11tool-outder"></a> <p>This is the “use der format for output certificates, private keys, and dh parameters” option. </p> <p>This option has some usage constraints. It: 
@@ -532,32 +570,25 @@ see <a href="#p11tool-inder">the inder option documentation</a>. </li></ul> <p>The output will be in DER or RAW format. -<a name="p11tool-outraw"></a></p><a name="outraw-option"></a> -<h4 class="subsection">5.3.39 outraw option</h4> - +</p><a name="outraw-option_002e"></a> +<h4 class="subsubheading">outraw option.</h4> +<a name="p11tool-outraw"></a> <p>This is an alias for the <code>outder</code> option, see <a href="#p11tool-outder">the outder option documentation</a>. </p> -<a name="p11tool-set_002dpin"></a><a name="set_002dpin-option"></a> -<h4 class="subsection">5.3.40 set-pin option</h4> - -<p>This is the “specify the pin to use on token initialization” option. -This option takes a string argument. -Alternatively the GNUTLS_PIN environment variable may be used. -<a name="p11tool-set_002dso_002dpin"></a></p><a name="set_002dso_002dpin-option"></a> -<h4 class="subsection">5.3.41 set-so-pin option</h4> - -<p>This is the “specify the security officer’s pin to use on token initialization” option. -This option takes a string argument. -Alternatively the GNUTLS_SO_PIN environment variable may be used. -<a name="p11tool-provider"></a></p><a name="provider-option"></a> -<h4 class="subsection">5.3.42 provider option</h4> - +<a name="provider-option_002e"></a> +<h4 class="subsubheading">provider option.</h4> +<a name="p11tool-provider"></a> <p>This is the “specify the pkcs #11 provider library” option. This option takes a file argument. This will override the default options in /etc/gnutls/pkcs11.conf +</p><a name="batch-option_002e"></a> +<h4 class="subsubheading">batch option.</h4> +<a name="p11tool-batch"></a> +<p>This is the “disable all interaction with the tool” option. +In batch mode there will be no prompts, all parameters need to be specified on command line. 
<a name="p11tool-exit-status"></a></p><a name="p11tool-exit-status-1"></a> -<h4 class="subsection">5.3.43 p11tool exit status</h4> +<h4 class="subsection">5.3.13 p11tool exit status</h4> <p>One of the following exit values will be returned: </p><dl compact="compact"> @@ -569,10 +600,10 @@ This will override the default options in /etc/gnutls/pkcs11.conf </p></dd> </dl> <a name="p11tool-See-Also"></a><a name="p11tool-See-Also-1"></a> -<h4 class="subsection">5.3.44 p11tool See Also</h4> +<h4 class="subsection">5.3.14 p11tool See Also</h4> <p>certtool (1) <a name="p11tool-Examples"></a></p><a name="p11tool-Examples-1"></a> -<h4 class="subsection">5.3.45 p11tool Examples</h4> +<h4 class="subsection">5.3.15 p11tool Examples</h4> <p>To view all tokens in your system use: </p><div class="example"> <pre class="example">$ p11tool --list-tokens |
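Review bot: in the @@ -1,7 hunk the header comment moves to version 3.4.3 but still reads "last updated 4 March 2015". If the manual text changed for this release, as the reorganized option sections in the later hunks suggest, regenerate the date together with the version so the two do not disagree.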
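Review bot: in the @@ -292,75 hunk the generate-dsa and generate-ecc entries keep the copied text "generate an rsa private-public key pair" and "Generates an RSA private-public key pair on the specified token", so all three key generation options document RSA. The headings of both entries are being rewritten here, so correct the descriptions to DSA and ECC in the option source at the same time. The new list-token-urls summary, "list the urls available tokens", is also missing a word.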
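Review bot: the sentence added to the write entry in the @@ -384,15 hunk, "Must be combined with a –load option", names no actual option and shows the double hyphen as a single dash, so a reader cannot tell what to type. Name the load options that are meant and mark option names as code so they render as typed. The same rendering problem shows in "–list-tokens" and "–write" in the other added text.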
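Review bot: the reworded mark-trusted line in the @@ -411,10 hunk still says "CKA_TRUST flag", but the PKCS #11 attribute is named CKA_TRUSTED. As the sentence is being edited anyway, use the exact attribute name, as the neighbouring entries do for CKA_DECRYPT, CKA_SIGN and CKA_PRIVATE.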
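Review bot: the new secret-key entry in the @@ -456,28 hunk documents passing a hex encoded secret key as a command-line argument without noting that arguments are visible to other local users in the process list and are commonly kept in shell history. Add that caveat to the entry, and state which key type and length the hex string is expected to encode, since "provide a hex encoded secret key" gives neither.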
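Review bot: the batch entry added in the @@ -532,32 hunk says "all parameters need to be specified on command line", which reads as if PINs must be given through set-pin and set-so-pin, while the entries for those two options point to GNUTLS_PIN and GNUTLS_SO_PIN as an alternative. State explicitly whether the environment variables are honoured in batch mode, so that unattended use does not push PINs into the argument list.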