AutoGen Definitions options;
prog-name     = p11tool;
prog-title    = "GnuTLS PKCS #11 tool";
prog-desc     = "Program to handle PKCS #11 smart cards and security modules.\n";
detail    = "Program that allows handling data from PKCS #11 smart cards
and security modules. 

To use PKCS #11 tokens with gnutls the configuration file 
/etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form 'load=/usr/lib/opensc-pkcs11.so'.
";

short-usage   = "p11tool [options] [url]\np11tool --help for usage instructions.\n";
explain       = "";
reorder-args;
argument = "[url]";

#define  OUTFILE_OPT   1
#include args-std.def

flag = {
    name      = list-tokens;
    descrip   = "List all available tokens";
    doc = "";
};

flag = {
    name      = export;
    descrip   = "Export the object specified by the URL";
    doc = "";
};

flag = {
    name      = list-mechanisms;
    descrip   = "List all available mechanisms in a token";
    doc = "";
};

flag = {
    name      = list-all;
    descrip   = "List all available objects in a token";
    doc = "";
};

flag = {
    name      = list-all-certs;
    descrip   = "List all available certificates in a token";
    doc = "";
};

flag = {
    name      = list-certs;
    descrip   = "List all certificates that have an associated private key";
    doc = "";
};

flag = {
    name      = list-all-privkeys;
    descrip   = "List all available private keys in a token";
    doc = "";
};

flag = {
    name      = list-all-trusted;
    descrip   = "List all available certificates marked as trusted";
    doc = "";
};

flag = {
    name      = initialize;
    descrip   = "Initializes a PKCS #11 token";
    doc = "";
};

flag = {
    name      = write;
    descrip   = "Writes the loaded objects to a PKCS #11 token";
    doc = "It can be used to write private keys, certificates or secret keys to a token.";
};

flag = {
    name      = delete;
    descrip   = "Deletes the objects matching the PKCS #11 URL";
    doc = "";
};

flag = {
    name      = generate-rsa;
    descrip   = "Generate an RSA private-public key pair";
    doc = "Generates an RSA private-public key pair on the specified token.";
};

flag = {
    name      = generate-dsa;
    descrip   = "Generate an RSA private-public key pair";
    doc = "Generates an RSA private-public key pair on the specified token.";
};
flag = {
    name      = generate-ecc;
    descrip   = "Generate an RSA private-public key pair";
    doc = "Generates an RSA private-public key pair on the specified token.";
};

flag = {
    name      = label;
    arg-type  = string;
    descrip   = "Sets a label for the write operation";
    doc       = "";
};

flag = {
    name      = trusted;
    disable   = "no";
    disabled;
    descrip   = "Marks the object to be written as trusted";
    doc = "";
};

flag = {
    name      = private;
    disable   = "no";
    enabled;
    descrip   = "Marks the object to be written as private";
    doc = "The written object will require a PIN to be used.";
};

flag = {
    name      = login;
    descrip   = "Force login to token";
    disabled;
    disable   = "no";
    doc       = "";
};

flag = {
    name      = detailed-url;
    descrip   = "Print detailed URLs";
    disabled;
    disable   = "no";
    doc   = "";
};

flag = {
    name      = secret-key;
    arg-type  = string;
    descrip   = "Provide a hex encoded secret key";
    doc   = "";
};

flag = {
    name      = load-privkey;
    arg-type  = file;
    file-exists = yes;
    descrip   = "Private key file to use";
    doc      = "";
};

flag = {
    name      = load-pubkey;
    arg-type  = file;
    file-exists = yes;
    descrip   = "Public key file to use";
    doc      = "";
};

flag = {
    name      = load-certificate;
    arg-type  = file;
    file-exists = yes;
    descrip   = "Certificate file to use";
    doc      = "";
};

flag = {
    name      = pkcs8;
    value     = 8;
    descrip   = "Use PKCS #8 format for private keys";
    doc      = "";
};

flag = {
    name      = bits;
    arg-type  = number;
    descrip   = "Specify the number of bits for key generate";
    doc      = "";
};

flag = {
    name      = sec-param;
    arg-type  = string;
    arg-name  = "Security parameter";
    descrip   = "Specify the security level";
    doc      = "This is alternative to the bits option. Available options are [low, legacy, normal, high, ultra].";
};


flag = {
    name      = inder;
    descrip   = "Use DER/RAW format for input";
    disabled;
    disable   = "no";
    doc      = "Use DER/RAW format for input certificates and private keys.";
};

flag = {
    name      = inraw;
    aliases   = inder;
};

flag = {
    name      = provider;
    arg-type  = file;
    file-exists = yes;
    descrip   = "Specify the PKCS #11 provider library";
    doc      = "This will override the default options in /etc/gnutls/pkcs11.conf";
};


doc-section = {
  ds-type = 'SEE ALSO';
  ds-format = 'texi';
  ds-text   = <<-_EOT_
    certtool (1)
_EOT_;
};

doc-section = {
  ds-type = 'EXAMPLES';
  ds-format = 'texi';
  ds-text   = <<-_EOT_
To view all tokens in your system use:
@example
$ p11tool --list-tokens
@end example

To view all objects in a token use:
@example
$ p11tool --login --list-all "pkcs11:TOKEN-URL"
@end example

To store a private key and a certificate in a token run:
@example
$ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
          --label "Mykey"
$ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
          --label "Mykey"
@end example
Note that some tokens require the same label to be used for the certificate
and its corresponding private key.
_EOT_;
};