Some examples on how to use p11tool are illustrated in the following paragraphs.
-@subsubsection List all tokens
+@subsubheading List all tokens
@smallexample
$ p11tool --list-tokens
@end smallexample
-@subsubsection List all objects
+@subsubheading List all objects
The following command will list all objects in a token. The @code{--login}
is required to show objects marked as private.
@smallexample
$ p11tool --login --list-all
@end smallexample
-@subsubsection Exporting an object
+@subsubheading Exporting an object
To retrieve an object stored in the card use the following command.
Note however that objects marked as sensitive (typically PKCS #11 private keys)
are not allowed to be extracted from the token.
$ p11tool --login --export [OBJECT URL]
@end smallexample
-@subsubsection Copy an object to a token
+@subsubheading Copy an object to a token
To copy an object, such as a certificate or private key to a token
use the following command.
@smallexample
@}
@end example
+@menu
+* Abstract public keys::
+* Abstract private keys::
+@end menu
+
+
+@node Abstract public keys
@subsection Public keys
An abstract @code{gnutls_pubkey_t} can be initialized
using the functions below. It can be imported through
@showfuncC{gnutls_pubkey_get_pk_algorithm,gnutls_pubkey_get_preferred_hash_algorithm,gnutls_pubkey_get_key_id}
+@node Abstract private keys
@subsection Private keys
An abstract @code{gnutls_privkey_t} can be initialized
using the functions below. It can be imported through
* Introduction to the library::
* Preparation::
* Session initialization::
+* Associating the credentials::
* Setting up the transport layer::
* TLS handshake::
* Data transfer and termination::
@showfuncdesc{gnutls_credentials_set}
-@subsection Associating the credentials
-@subsubsection Certificates
+@node Associating the credentials
+@section Associating the credentials
+
+@menu
+* Certificate credentials::
+* SRP credentials::
+* PSK credentials::
+* Anonymous credentials::
+@end menu
+
+@node Certificate credentials
+@subsection Certificates
When using certificates the server is required to have at least one
certificate and private key pair. A client may or may not have such a
requires parameters to be generated and associated with a credentials
structure by the server (see @ref{Parameter generation}).
-@subsubsection SRP
+@node SRP credentials
+@subsection SRP
The initialization functions in SRP credentials differ between
client and server.
@showfuncdesc{gnutls_srp_set_server_credentials_function}
-@subsubsection PSK
+@node PSK credentials
+@subsection PSK
The initialization functions in PSK credentials differ between
client and server.
@showfuncC{gnutls_psk_set_server_credentials_function,gnutls_psk_set_server_credentials_hint,gnutls_psk_client_get_hint}
-@subsubsection Anonymous
+@node Anonymous credentials
+@subsection Anonymous
The initialization functions for the credentials are shown below.
@showfuncD{gnutls_anon_allocate_server_credentials,gnutls_anon_allocate_client_credentials,gnutls_anon_free_server_credentials,gnutls_anon_free_client_credentials}
@showfuncdesc{gnutls_transport_set_pull_timeout_function}
+@menu
+* Asynchronous operation::
+* DTLS sessions::
+@end menu
+
+@node Asynchronous operation
@subsection Asynchronous operation
@acronym{GnuTLS} can be used with asynchronous socket or event-driven programming.
During a TLS protocol session @acronym{GnuTLS} does not block for anything except
the @funcref{gnutls_init} should be called with the
@code{GNUTLS_NONBLOCK} flag (see @ref{Session initialization}).
+@node DTLS sessions
@subsection DTLS sessions
Because datagram TLS can operate over connections where the peer
using @funcintref{_gnutls_ext_register} in
@code{gnutls_extensions.c} typically within @funcintref{_gnutls_ext_init}.
-@subsection Adding a New TLS Extension
+@menu
+* Adding a new TLS extension::
+@end menu
+
+@node Adding a new TLS extension
+@subsection Adding a new TLS extension
Adding support for a new TLS extension is done from time to time, and
the process to do so is not difficult. Here are the steps you need to
consider adding support for the hypothetical TLS extension
@code{foobar}.
-@subsubsection Add @code{configure} option like @code{--enable-foobar} or @code{--disable-foobar}.
+@subsubheading Add @code{configure} option like @code{--enable-foobar} or @code{--disable-foobar}.
This step is useful when the extension code is large and it might be desirable
to disable the extension under some circumstances. Otherwise it can be safely
These lines should go in @code{lib/m4/hooks.m4}.
-@subsubsection Add IANA extension value to @code{extensions_t} in @code{gnutls_int.h}.
+@subsubheading Add IANA extension value to @code{extensions_t} in @code{gnutls_int.h}.
A good name for the value would be GNUTLS_EXTENSION_FOOBAR. Check
with @url{http://www.iana.org/assignments/tls-extensiontype-values}
when the IANA allocates that number to someone else, or when the
foobar protocol is allocated another number.
-@subsubsection Add an entry to @code{_gnutls_extensions} in @code{gnutls_extensions.c}.
+@subsubheading Add an entry to @code{_gnutls_extensions} in @code{gnutls_extensions.c}.
A typical entry would be:
Note that the conditional @code{ENABLE_FOOBAR} definition should only be
used if step 1 with the @code{configure} options has taken place.
-@subsubsection Add new files that implement the extension.
+@subsubheading Add new files that implement the extension.
The functions you are responsible to add are those mentioned in the
previous step. They should be added in a file such as @code{ext/@-foobar.c}
endif
@end example
-@subsubsection Add API functions to enable/disable the extension.
+@subsubheading Add API functions to enable/disable the extension.
It might be desirable to allow users of the extension to
request use of the extension, or set extension specific data.
optimization. For more information please consult the @acronym{GnuTLS}
source code in @code{lib/accelerated/}.
-@subsubsection Overriding specific algorithms
+@subsubheading Overriding specific algorithms
When an optimized implementation of a single algorithm is available,
say a hardware assisted version of @acronym{AES-CBC} then the
following (internal) functions, from @code{crypto-backend.h}, can
Those registration functions will only replace the specified algorithm
and leave the rest of subsystem intact.
-@subsubsection Overriding the cryptographic library
+@subsubheading Overriding the cryptographic library
In some systems, that might contain a broad acceleration engine, it
might be desirable to override big parts of the cryptographic backend,
or even all of them. T following functions are provided for this reason.
and they will be discussed in the subsections that follow.
+@menu
+* Maximum fragment length negotiation::
+* Server name indication::
+* Session tickets::
+* Safe renegotiation::
+@end menu
+
+@node Maximum fragment length negotiation
@subsection Maximum fragment length negotiation
@cindex TLS extensions
@cindex maximum fragment length
@showfuncB{gnutls_record_get_max_size,gnutls_record_set_max_size}
+@node Server name indication
@subsection Server name indication
@anchor{serverind}
@cindex TLS extensions
@showfuncB{gnutls_server_name_set,gnutls_server_name_get}
+@node Session tickets
@subsection Session tickets
@cindex TLS extensions
@cindex session tickets
@showfuncC{gnutls_session_ticket_key_generate,gnutls_session_ticket_enable_server,gnutls_session_ticket_enable_client}
+@node Safe renegotiation
@subsection Safe renegotiation
@cindex renegotiation
@cindex safe renegotiation
@node Introduction to GnuTLS
@chapter Introduction to GnuTLS
+@menu
+* GnuTLS introduction::
+* Downloading and installing::
+* Document overview::
+@end menu
+
+@node GnuTLS introduction
@section Introduction
In brief @acronym{GnuTLS} can be described as a library which offers an API
The ``Cryptographic back-end'' is provided by the nettle@footnote{@url{http://www.lysator.liu.se/~nisse/nettle/}}
library.
+@node Downloading and installing
@section Downloading and installing
@cindex installation
@cindex download
For the complete list, refer to the output from @code{configure --help}.
+@node Document overview
@section Overview
In this document we present an overview of the supported security protocols in @ref{Introduction to TLS}, and
continue by providing more information on the certificate authentication in @ref{Certificate authentication},
-v, --version prints the program's version number
@end example
+@menu
+* Setting up a test HTTPS server::
+@end menu
+
+@node Setting up a test HTTPS server
@subsection Setting up a test HTTPS server
@cindex HTTPS server
@cindex debug server
);
$blankline_texinfo = "";
-%highlights_tex = ( $type_param, '" {\bf $1}"',
- $type_constant, '"{\it $1}"',
- $type_func, '"{\bf $1}"',
- $type_struct, '"{\it $1}"',
+%highlights_tex = ( $type_param, '" {\\\bf $1}"',
+ $type_constant, '"{\\\it $1}"',
+ $type_func, '"{\\\bf $1}"',
+ $type_struct, '"{\\\it $1}"',
);
$blankline_tex = "\\\\";
$parameters{$name} = $contents;
} else {
# print STDERR "other section '$name' = '$contents'\n";
+ $name =~ tr/ //d;
$sections{$name} = $contents;
push @sectionlist, $name;
}
$sec =~ s/_/\\_/g;
$sec =~ s/#([a-zA-Z\_]+)/{\\it $1}/g;
- print "\n\\begin{function$sec}\n";
+ print "\n\\begin{function${sec}}\n";
$out = $args{'sections'}{$section};
$out =~ s/\#([a-zA-Z\_]+)/{\\it $1}/g;
$out =~ s/([0-9]+)\^([0-9]+)/\$\{$1\}\^\{$2\}\$/g;
print $out;
- print "\\end{function$sec}\n";
+ print "\\end{function${sec}}\n";
}
print "\\end{function}\n\n";
}
}
}
+ $line =~ s/\@subsubheading (.+)/\\paragraph{$1}/g;
+
if ($line =~ s/\@section (.+)/\\section{$1}/g) {
if ($label ne '') {
$line .= "\\label{$label}\n";