From: Nikos Mavrogiannopoulos Date: Wed, 4 Dec 2013 14:49:43 +0000 (+0100) Subject: deleted auto-generated files X-Git-Tag: gnutls_3_3_0pre0~498 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7ccc907f604bc99b5cb56802e08470323ced59da;p=thirdparty%2Fgnutls.git deleted auto-generated files --- diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi deleted file mode 100644 index 23c629cfcd..0000000000 --- a/doc/invoke-certtool.texi +++ /dev/null @@ -1,637 +0,0 @@ -@node certtool Invocation -@subsection Invoking certtool -@pindex certtool -@ignore -# -*- buffer-read-only: t -*- vi: set ro: -# -# DO NOT EDIT THIS FILE (invoke-certtool.texi) -# -# It has been AutoGen-ed November 24, 2013 at 09:50:55 AM by AutoGen 5.18.2 -# From the definitions ../src/certtool-args.def -# and the template file agtexi-cmd.tpl -@end ignore - - -Tool to parse and generate X.509 certificates, requests and private keys. -It can be used interactively or non interactively by -specifying the template command line option. - -This section was generated by @strong{AutoGen}, -using the @code{agtexi-cmd} template and the option descriptions for the @code{certtool} program. -This software is released under the GNU General Public License, version 3 or later. - - -@anchor{certtool usage} -@subsubheading certtool help/usage (@option{--help}) -@cindex certtool help - -This is the automatically generated usage text for certtool. - -The text printed is the same whether selected with the @code{help} option -(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print -the usage text by passing it through a pager program. -@code{more-help} is disabled on platforms without a working -@code{fork(2)} function. The @code{PAGER} environment variable is -used to select the program, defaulting to @file{more}. Both will exit -with a status code of 0. - -@exampleindent 0 -@example -certtool - GnuTLS certificate tool -Usage: certtool [ - [] | --[@{=| @}] ]... - - -d, --debug=num Enable debugging - - it must be in the range: - 0 to 9999 - -V, --verbose More verbose output - - may appear multiple times - --infile=file Input file - - file must pre-exist - --outfile=str Output file - -s, --generate-self-signed Generate a self-signed certificate - -c, --generate-certificate Generate a signed certificate - --generate-proxy Generates a proxy certificate - --generate-crl Generate a CRL - -u, --update-certificate Update a signed certificate - -p, --generate-privkey Generate a private key - -q, --generate-request Generate a PKCS #10 certificate request - - prohibits the option 'infile' - -e, --verify-chain Verify a PEM encoded certificate chain - --verify Verify a PEM encoded certificate chain using a trusted list - --verify-crl Verify a CRL using a trusted list - - requires the option 'load-ca-certificate' - --generate-dh-params Generate PKCS #3 encoded Diffie-Hellman parameters - --get-dh-params Get the included PKCS #3 encoded Diffie-Hellman parameters - --dh-info Print information PKCS #3 encoded Diffie-Hellman parameters - --load-privkey=str Loads a private key file - --load-pubkey=str Loads a public key file - --load-request=file Loads a certificate request file - - file must pre-exist - --load-certificate=str Loads a certificate file - --load-ca-privkey=str Loads the certificate authority's private key file - --load-ca-certificate=str Loads the certificate authority's certificate file - --password=str Password to use - --hex-numbers Print big number in an easier format to parse - --cprint In certain operations it prints the information is C-friendly format - --null-password Enforce a NULL password - -i, --certificate-info Print information on the given certificate - --certificate-pubkey Print certificate's public key - --pgp-certificate-info Print information on the given OpenPGP certificate - --pgp-ring-info Print information on the given OpenPGP keyring structure - -l, --crl-info Print information on the given CRL structure - --crq-info Print information on the given certificate request - --no-crq-extensions Do not use extensions in certificate requests - --p12-info Print information on a PKCS #12 structure - --p7-info Print information on a PKCS #7 structure - --smime-to-p7 Convert S/MIME to PKCS #7 structure - -k, --key-info Print information on a private key - --pgp-key-info Print information on an OpenPGP private key - --pubkey-info Print information on a public key - --v1 Generate an X.509 version 1 certificate (with no extensions) - --to-p12 Generate a PKCS #12 structure - - requires the option 'load-certificate' - --to-p8 Generate a PKCS #8 structure - -8, --pkcs8 Use PKCS #8 format for private keys - -!, --rsa Generate RSA key - -", --dsa Generate DSA key - -#, --ecc Generate ECC (ECDSA) key - -$, --ecdsa an alias for the 'ecc' option - -%, --hash=str Hash algorithm to use for signing - -&, --inder Use DER format for input certificates, private keys, and DH parameters - - disabled as '--no-inder' - -', --inraw an alias for the 'inder' option - -(, --outder Use DER format for output certificates, private keys, and DH parameters - - disabled as '--no-outder' - -), --outraw an alias for the 'outder' option - -*, --bits=num Specify the number of bits for key generate - -+, --sec-param=str Specify the security level [low, legacy, normal, high, ultra] - -,, --disable-quick-random No effect - --, --template=file Template file to use for non-interactive operation - - file must pre-exist - -., --pkcs-cipher=str Cipher to use for PKCS #8 and #12 operations - -v, --version[=arg] output version information and exit - -h, --help display extended usage information and exit - -!, --more-help extended usage information passed thru pager - -Options are specified by doubled hyphens and their name or by a single -hyphen and the flag character. - -Tool to parse and generate X.509 certificates, requests and private keys. -It can be used interactively or non interactively by specifying the -template command line option. - -Please send bug reports to: -@end example -@exampleindent 4 - -@anchor{certtool debug} -@subsubheading debug option (-d) - -This is the ``enable debugging'' option. -This option takes a number argument. -Specifies the debug level. -@anchor{certtool generate-request} -@subsubheading generate-request option (-q) - -This is the ``generate a pkcs #10 certificate request'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -must not appear in combination with any of the following options: -infile. -@end itemize - -Will generate a PKCS #10 certificate request. To specify a private key use --load-privkey. -@anchor{certtool verify-chain} -@subsubheading verify-chain option (-e) - -This is the ``verify a pem encoded certificate chain'' option. -The last certificate in the chain must be a self signed one. -@anchor{certtool verify} -@subsubheading verify option - -This is the ``verify a pem encoded certificate chain using a trusted list'' option. -The trusted certificate list can be loaded with --load-ca-certificate. If no -certificate list is provided, then the system's certificate list is used. -@anchor{certtool verify-crl} -@subsubheading verify-crl option - -This is the ``verify a crl using a trusted list'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -must appear in combination with the following options: -load-ca-certificate. -@end itemize - -The trusted certificate list must be loaded with --load-ca-certificate. -@anchor{certtool get-dh-params} -@subsubheading get-dh-params option - -This is the ``get the included pkcs #3 encoded diffie-hellman parameters'' option. -Returns stored DH parameters in GnuTLS. Those parameters are used in the SRP protocol. The parameters returned by fresh generation -are more efficient since GnuTLS 3.0.9. -@anchor{certtool load-privkey} -@subsubheading load-privkey option - -This is the ``loads a private key file'' option. -This option takes a string argument. -This can be either a file or a PKCS #11 URL -@anchor{certtool load-pubkey} -@subsubheading load-pubkey option - -This is the ``loads a public key file'' option. -This option takes a string argument. -This can be either a file or a PKCS #11 URL -@anchor{certtool load-certificate} -@subsubheading load-certificate option - -This is the ``loads a certificate file'' option. -This option takes a string argument. -This can be either a file or a PKCS #11 URL -@anchor{certtool load-ca-privkey} -@subsubheading load-ca-privkey option - -This is the ``loads the certificate authority's private key file'' option. -This option takes a string argument. -This can be either a file or a PKCS #11 URL -@anchor{certtool load-ca-certificate} -@subsubheading load-ca-certificate option - -This is the ``loads the certificate authority's certificate file'' option. -This option takes a string argument. -This can be either a file or a PKCS #11 URL -@anchor{certtool cprint} -@subsubheading cprint option - -This is the ``in certain operations it prints the information is c-friendly format'' option. -In certain operations it prints the information is C-friendly format, suitable for including into C programs. -@anchor{certtool null-password} -@subsubheading null-password option - -This is the ``enforce a null password'' option. -This option enforces a NULL password. This may be different than the empty password in some schemas. -@anchor{certtool pubkey-info} -@subsubheading pubkey-info option - -This is the ``print information on a public key'' option. -The option combined with --load-request, --load-pubkey, --load-privkey and --load-certificate will extract the public key of the object in question. -@anchor{certtool to-p12} -@subsubheading to-p12 option - -This is the ``generate a pkcs #12 structure'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -must appear in combination with the following options: -load-certificate. -@end itemize - -It requires a certificate, a private key and possibly a CA certificate to be specified. -@anchor{certtool rsa} -@subsubheading rsa option - -This is the ``generate rsa key'' option. -When combined with --generate-privkey generates an RSA private key. -@anchor{certtool dsa} -@subsubheading dsa option - -This is the ``generate dsa key'' option. -When combined with --generate-privkey generates a DSA private key. -@anchor{certtool ecc} -@subsubheading ecc option - -This is the ``generate ecc (ecdsa) key'' option. -When combined with --generate-privkey generates an elliptic curve private key to be used with ECDSA. -@anchor{certtool ecdsa} -@subsubheading ecdsa option - -This is an alias for the @code{ecc} option, -@pxref{certtool ecc, the ecc option documentation}. - -@anchor{certtool hash} -@subsubheading hash option - -This is the ``hash algorithm to use for signing'' option. -This option takes a string argument. -Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512. -@anchor{certtool inder} -@subsubheading inder option - -This is the ``use der format for input certificates, private keys, and dh parameters '' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-inder. -@end itemize - -The input files will be assumed to be in DER or RAW format. -Unlike options that in PEM input would allow multiple input data (e.g. multiple -certificates), when reading in DER format a single data structure is read. -@anchor{certtool inraw} -@subsubheading inraw option - -This is an alias for the @code{inder} option, -@pxref{certtool inder, the inder option documentation}. - -@anchor{certtool outder} -@subsubheading outder option - -This is the ``use der format for output certificates, private keys, and dh parameters'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-outder. -@end itemize - -The output will be in DER or RAW format. -@anchor{certtool outraw} -@subsubheading outraw option - -This is an alias for the @code{outder} option, -@pxref{certtool outder, the outder option documentation}. - -@anchor{certtool sec-param} -@subsubheading sec-param option - -This is the ``specify the security level [low, legacy, normal, high, ultra]'' option. -This option takes a string argument @file{Security parameter}. -This is alternative to the bits option. -@anchor{certtool pkcs-cipher} -@subsubheading pkcs-cipher option - -This is the ``cipher to use for pkcs #8 and #12 operations'' option. -This option takes a string argument @file{Cipher}. -Cipher may be one of 3des, 3des-pkcs12, aes-128, aes-192, aes-256, rc2-40, arcfour. -@anchor{certtool exit status} -@subsubheading certtool exit status - -One of the following exit values will be returned: -@table @samp -@item 0 (EXIT_SUCCESS) -Successful program execution. -@item 1 (EXIT_FAILURE) -The operation failed or the command syntax was not valid. -@end table -@anchor{certtool See Also} -@subsubheading certtool See Also - p11tool (1) -@anchor{certtool Examples} -@subsubheading certtool Examples -@subsubheading Generating private keys -To create an RSA private key, run: -@example -$ certtool --generate-privkey --outfile key.pem --rsa -@end example - -To create a DSA or elliptic curves (ECDSA) private key use the -above command combined with 'dsa' or 'ecc' options. - -@subsubheading Generating certificate requests -To create a certificate request (needed when the certificate is issued by -another party), run: -@example -certtool --generate-request --load-privkey key.pem \ - --outfile request.pem -@end example - -If the private key is stored in a smart card you can generate -a request by specifying the private key object URL. -@example -$ ./certtool --generate-request --load-privkey "pkcs11:..." \ - --load-pubkey "pkcs11:..." --outfile request.pem -@end example - - -@subsubheading Generating a self-signed certificate -To create a self signed certificate, use the command: -@example -$ certtool --generate-privkey --outfile ca-key.pem -$ certtool --generate-self-signed --load-privkey ca-key.pem \ - --outfile ca-cert.pem -@end example - -Note that a self-signed certificate usually belongs to a certificate -authority, that signs other certificates. - -@subsubheading Generating a certificate -To generate a certificate using the previous request, use the command: -@example -$ certtool --generate-certificate --load-request request.pem \ - --outfile cert.pem --load-ca-certificate ca-cert.pem \ - --load-ca-privkey ca-key.pem -@end example - -To generate a certificate using the private key only, use the command: -@example -$ certtool --generate-certificate --load-privkey key.pem \ - --outfile cert.pem --load-ca-certificate ca-cert.pem \ - --load-ca-privkey ca-key.pem -@end example - -@subsubheading Certificate information -To view the certificate information, use: -@example -$ certtool --certificate-info --infile cert.pem -@end example - -@subsubheading PKCS #12 structure generation -To generate a PKCS #12 structure using the previous key and certificate, -use the command: -@example -$ certtool --load-certificate cert.pem --load-privkey key.pem \ - --to-p12 --outder --outfile key.p12 -@end example - -Some tools (reportedly web browsers) have problems with that file -because it does not contain the CA certificate for the certificate. -To work around that problem in the tool, you can use the ---load-ca-certificate parameter as follows: - -@example -$ certtool --load-ca-certificate ca.pem \ - --load-certificate cert.pem --load-privkey key.pem \ - --to-p12 --outder --outfile key.p12 -@end example - -@subsubheading Diffie-Hellman parameter generation -To generate parameters for Diffie-Hellman key exchange, use the command: -@example -$ certtool --generate-dh-params --outfile dh.pem --sec-param normal -@end example - -@subsubheading Proxy certificate generation -Proxy certificate can be used to delegate your credential to a -temporary, typically short-lived, certificate. To create one from the -previously created certificate, first create a temporary key and then -generate a proxy certificate for it, using the commands: - -@example -$ certtool --generate-privkey > proxy-key.pem -$ certtool --generate-proxy --load-ca-privkey key.pem \ - --load-privkey proxy-key.pem --load-certificate cert.pem \ - --outfile proxy-cert.pem -@end example - -@subsubheading Certificate revocation list generation -To create an empty Certificate Revocation List (CRL) do: - -@example -$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \ - --load-ca-certificate x509-ca.pem -@end example - -To create a CRL that contains some revoked certificates, place the -certificates in a file and use @code{--load-certificate} as follows: - -@example -$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \ - --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem -@end example - -To verify a Certificate Revocation List (CRL) do: - -@example -$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem -@end example -@anchor{certtool Files} -@subsubheading certtool Files -@subsubheading Certtool's template file format -A template file can be used to avoid the interactive questions of -certtool. Initially create a file named 'cert.cfg' that contains the information -about the certificate. The template can be used as below: - -@example -$ certtool --generate-certificate --load-privkey key.pem \ - --template cert.cfg --outfile cert.pem \ - --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem -@end example - -An example certtool template file that can be used to generate a certificate -request or a self signed certificate follows. - -@example -# X.509 Certificate options -# -# DN options - -# The organization of the subject. -organization = "Koko inc." - -# The organizational unit of the subject. -unit = "sleeping dept." - -# The locality of the subject. -# locality = - -# The state of the certificate owner. -state = "Attiki" - -# The country of the subject. Two letter code. -country = GR - -# The common name of the certificate owner. -cn = "Cindy Lauper" - -# A user id of the certificate owner. -#uid = "clauper" - -# Set domain components -#dc = "name" -#dc = "domain" - -# If the supported DN OIDs are not adequate you can set -# any OID here. -# For example set the X.520 Title and the X.520 Pseudonym -# by using OID and string pairs. -#dn_oid = 2.5.4.12 Dr. -#dn_oid = 2.5.4.65 jackal - -# This is deprecated and should not be used in new -# certificates. -# pkcs9_email = "none@@none.org" - -# An alternative way to set the certificate's distinguished name directly -# is with the "dn" option. The attribute names allowed are: -# C (country), street, O (organization), OU (unit), title, CN (common name), -# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship, -# countryOfResidence, serialNumber, telephoneNumber, surName, initials, -# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name, -# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName, -# jurisdictionOfIncorporationStateOrProvinceName, -# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs. - -#dn = "cn=Nik,st=Attiki,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias" - -# The serial number of the certificate -serial = 007 - -# In how many days, counting from today, this certificate will expire. -# Use -1 if there is no expiration date. -expiration_days = 700 - -# Alternatively you may set concrete dates and time. The GNU date string -# formats are accepted. See: -# http://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html - -#activation_date = "2004-02-29 16:21:42" -#expiration_date = "2025-02-29 16:24:41" - -# X.509 v3 extensions - -# A dnsname in case of a WWW server. -#dns_name = "www.none.org" -#dns_name = "www.morethanone.org" - -# A subject alternative name URI -#uri = "http://www.example.com" - -# An IP address in case of a server. -#ip_address = "192.168.1.1" - -# An email in case of a person -email = "none@@none.org" - -# Challenge password used in certificate requests -challenge_password = 123456 - -# Password when encrypting a private key -#password = secret - -# An URL that has CRLs (certificate revocation lists) -# available. Needed in CA certificates. -#crl_dist_points = "http://www.getcrl.crl/getcrl/" - -# Whether this is a CA certificate or not -#ca - -# for microsoft smart card logon -# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2 - -### Other predefined key purpose OIDs - -# Whether this certificate will be used for a TLS client -#tls_www_client - -# Whether this certificate will be used for a TLS server -#tls_www_server - -# Whether this certificate will be used to sign data (needed -# in TLS DHE ciphersuites). -signing_key - -# Whether this certificate will be used to encrypt data (needed -# in TLS RSA ciphersuites). Note that it is preferred to use different -# keys for encryption and signing. -encryption_key - -# Whether this key will be used to sign other certificates. -#cert_signing_key - -# Whether this key will be used to sign CRLs. -#crl_signing_key - -# Whether this key will be used to sign code. -#code_signing_key - -# Whether this key will be used to sign OCSP data. -#ocsp_signing_key - -# Whether this key will be used for time stamping. -#time_stamping_key - -# Whether this key will be used for IPsec IKE operations. -#ipsec_ike_key - -### end of key purpose OIDs - -# When generating a certificate from a certificate -# request, then honor the extensions stored in the request -# and store them in the real certificate. -#honor_crq_extensions - -# Path length contraint. Sets the maximum number of -# certificates that can be used to certify this certificate. -# (i.e. the certificate chain length) -#path_len = -1 -#path_len = 2 - -# OCSP URI -# ocsp_uri = http://my.ocsp.server/ocsp - -# CA issuers URI -# ca_issuers_uri = http://my.ca.issuer - -# Certificate policies -# policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0 -# policy1_txt = "This is a long policy to summarize" -# policy1_url = http://www.example.com/a-policy-to-read - -# policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1 -# policy2_txt = "This is a short policy" -# policy2_url = http://www.example.com/another-policy-to-read - - -# Options for proxy certificates -# proxy_policy_language = 1.3.6.1.5.5.7.21.1 - - -# Options for generating a CRL - -# next CRL update will be in 43 days (wow) -#crl_next_update = 43 - -# this is the 5th CRL by this CA -#crl_number = 5 - -@end example diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi deleted file mode 100644 index be2ff08514..0000000000 --- a/doc/invoke-danetool.texi +++ /dev/null @@ -1,279 +0,0 @@ -@node danetool Invocation -@subsection Invoking danetool -@pindex danetool -@ignore -# -*- buffer-read-only: t -*- vi: set ro: -# -# DO NOT EDIT THIS FILE (invoke-danetool.texi) -# -# It has been AutoGen-ed November 24, 2013 at 09:50:58 AM by AutoGen 5.18.2 -# From the definitions ../src/danetool-args.def -# and the template file agtexi-cmd.tpl -@end ignore - - -Tool to generate and check DNS resource records for the DANE protocol. - -This section was generated by @strong{AutoGen}, -using the @code{agtexi-cmd} template and the option descriptions for the @code{danetool} program. -This software is released under the GNU General Public License, version 3 or later. - - -@anchor{danetool usage} -@subsubheading danetool help/usage (@option{--help}) -@cindex danetool help - -This is the automatically generated usage text for danetool. - -The text printed is the same whether selected with the @code{help} option -(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print -the usage text by passing it through a pager program. -@code{more-help} is disabled on platforms without a working -@code{fork(2)} function. The @code{PAGER} environment variable is -used to select the program, defaulting to @file{more}. Both will exit -with a status code of 0. - -@exampleindent 0 -@example -danetool - GnuTLS DANE tool -Usage: danetool [ - [] | --[@{=| @}] ]... - - -d, --debug=num Enable debugging - - it must be in the range: - 0 to 9999 - -V, --verbose More verbose output - - may appear multiple times - --infile=file Input file - - file must pre-exist - --outfile=str Output file - --load-pubkey=str Loads a public key file - --load-certificate=str Loads a certificate file - --dlv=str Sets a DLV file - --hash=str Hash algorithm to use for signing - --check=str Check a host's DANE TLSA entry - --check-ee Check only the end-entity's certificate - --check-ca Check only the CA's certificate - --insecure Do not verify any DNSSEC signature - --local-dns Use the local DNS server for DNSSEC resolving - - disabled as '--no-local-dns' - --inder Use DER format for input certificates and private keys - - disabled as '--no-inder' - --inraw an alias for the 'inder' option - --tlsa-rr Print the DANE RR data on a certificate or public key - - requires the option 'host' - --host=str Specify the hostname to be used in the DANE RR - --proto=str The protocol set for DANE data (tcp, udp etc.) - --port=num Specify the port number for the DANE data - --ca Whether the provided certificate or public key is a Certificate -Authority - --x509 Use the hash of the X.509 certificate, rather than the public key - --local an alias for the 'domain' option - - enabled by default - --domain The provided certificate or public key is issued by the local domain - - disabled as '--no-domain' - - enabled by default - -v, --version[=arg] output version information and exit - -h, --help display extended usage information and exit - -!, --more-help extended usage information passed thru pager - -Options are specified by doubled hyphens and their name or by a single -hyphen and the flag character. - -Tool to generate and check DNS resource records for the DANE protocol. - -Please send bug reports to: -@end example -@exampleindent 4 - -@anchor{danetool debug} -@subsubheading debug option (-d) - -This is the ``enable debugging'' option. -This option takes a number argument. -Specifies the debug level. -@anchor{danetool load-pubkey} -@subsubheading load-pubkey option - -This is the ``loads a public key file'' option. -This option takes a string argument. -This can be either a file or a PKCS #11 URL -@anchor{danetool load-certificate} -@subsubheading load-certificate option - -This is the ``loads a certificate file'' option. -This option takes a string argument. -This can be either a file or a PKCS #11 URL -@anchor{danetool dlv} -@subsubheading dlv option - -This is the ``sets a dlv file'' option. -This option takes a string argument. -This sets a DLV file to be used for DNSSEC verification. -@anchor{danetool hash} -@subsubheading hash option - -This is the ``hash algorithm to use for signing'' option. -This option takes a string argument. -Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512. -@anchor{danetool check} -@subsubheading check option - -This is the ``check a host's dane tlsa entry'' option. -This option takes a string argument. -Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host has to be provided using --load-certificate. -@anchor{danetool check-ee} -@subsubheading check-ee option - -This is the ``check only the end-entity's certificate'' option. -Checks the end-entity's certificate only. Trust anchors or CAs are not considered. -@anchor{danetool check-ca} -@subsubheading check-ca option - -This is the ``check only the ca's certificate'' option. -Checks the trust anchor's and CA's certificate only. End-entities are not considered. -@anchor{danetool insecure} -@subsubheading insecure option - -This is the ``do not verify any dnssec signature'' option. -Ignores any DNSSEC signature verification results. -@anchor{danetool local-dns} -@subsubheading local-dns option - -This is the ``use the local dns server for dnssec resolving'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-local-dns. -@end itemize - -This option will use the local DNS server for DNSSEC. -This is disabled by default due to many servers not allowing DNSSEC. -@anchor{danetool inder} -@subsubheading inder option - -This is the ``use der format for input certificates and private keys'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-inder. -@end itemize - -The input files will be assumed to be in DER or RAW format. -Unlike options that in PEM input would allow multiple input data (e.g. multiple -certificates), when reading in DER format a single data structure is read. -@anchor{danetool inraw} -@subsubheading inraw option - -This is an alias for the @code{inder} option, -@pxref{danetool inder, the inder option documentation}. - -@anchor{danetool tlsa-rr} -@subsubheading tlsa-rr option - -This is the ``print the dane rr data on a certificate or public key'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -must appear in combination with the following options: -host. -@end itemize - -This command prints the DANE RR data needed to enable DANE on a DNS server. -@anchor{danetool host} -@subsubheading host option - -This is the ``specify the hostname to be used in the dane rr'' option. -This option takes a string argument @file{Hostname}. -This command sets the hostname for the DANE RR. -@anchor{danetool proto} -@subsubheading proto option - -This is the ``the protocol set for dane data (tcp, udp etc.)'' option. -This option takes a string argument @file{Protocol}. -This command specifies the protocol for the service set in the DANE data. -@anchor{danetool ca} -@subsubheading ca option - -This is the ``whether the provided certificate or public key is a certificate authority'' option. -Marks the DANE RR as a CA certificate if specified. -@anchor{danetool x509} -@subsubheading x509 option - -This is the ``use the hash of the x.509 certificate, rather than the public key'' option. -This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used. -@anchor{danetool local} -@subsubheading local option - -This is an alias for the @code{domain} option, -@pxref{danetool domain, the domain option documentation}. - -@anchor{danetool domain} -@subsubheading domain option - -This is the ``the provided certificate or public key is issued by the local domain'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-domain. -@item -It is enabled by default. -@end itemize - -DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved. -@anchor{danetool exit status} -@subsubheading danetool exit status - -One of the following exit values will be returned: -@table @samp -@item 0 (EXIT_SUCCESS) -Successful program execution. -@item 1 (EXIT_FAILURE) -The operation failed or the command syntax was not valid. -@end table -@anchor{danetool See Also} -@subsubheading danetool See Also - certtool (1) -@anchor{danetool Examples} -@subsubheading danetool Examples -@subsubheading DANE TLSA RR generation - -To create a DANE TLSA resource record for a certificate (or public key) -that was issued localy and may or may not be signed by a CA use the following command. -@example -$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem -@end example - -To create a DANE TLSA resource record for a CA signed certificate, which will -be marked as such use the following command. -@example -$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \ - --no-domain -@end example - -The former is useful to add in your DNS entry even if your certificate is signed -by a CA. That way even users who do not trust your CA will be able to verify your -certificate using DANE. - -In order to create a record for the CA signer of your certificate use the following. -@example -$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \ - --ca --no-domain -@end example - -To read a server's DANE TLSA entry, use: -@example -$ danetool --check www.example.com --proto tcp --port 443 -@end example - -To verify a server's DANE TLSA entry, use: -@example -$ danetool --check www.example.com --proto tcp --port 443 --load-certificate chain.pem -@end example diff --git a/doc/invoke-gnutls-cli-debug.texi b/doc/invoke-gnutls-cli-debug.texi deleted file mode 100644 index 8c2cc0a17a..0000000000 --- a/doc/invoke-gnutls-cli-debug.texi +++ /dev/null @@ -1,140 +0,0 @@ -@node gnutls-cli-debug Invocation -@section Invoking gnutls-cli-debug -@pindex gnutls-cli-debug -@ignore -# -*- buffer-read-only: t -*- vi: set ro: -# -# DO NOT EDIT THIS FILE (invoke-gnutls-cli-debug.texi) -# -# It has been AutoGen-ed November 24, 2013 at 09:50:53 AM by AutoGen 5.18.2 -# From the definitions ../src/cli-debug-args.def -# and the template file agtexi-cmd.tpl -@end ignore - - -TLS debug client. It sets up multiple TLS connections to -a server and queries its capabilities. It was created to assist in debugging -GnuTLS, but it might be useful to extract a TLS server's capabilities. -It connects to a TLS server, performs tests and print the server's -capabilities. If called with the `-v' parameter more checks will be performed. -Can be used to check for servers with special needs or bugs. - -This section was generated by @strong{AutoGen}, -using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-cli-debug} program. -This software is released under the GNU General Public License, version 3 or later. - - -@anchor{gnutls-cli-debug usage} -@subheading gnutls-cli-debug help/usage (@option{--help}) -@cindex gnutls-cli-debug help - -This is the automatically generated usage text for gnutls-cli-debug. - -The text printed is the same whether selected with the @code{help} option -(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print -the usage text by passing it through a pager program. -@code{more-help} is disabled on platforms without a working -@code{fork(2)} function. The @code{PAGER} environment variable is -used to select the program, defaulting to @file{more}. Both will exit -with a status code of 0. - -@exampleindent 0 -@example -gnutls-cli-debug - GnuTLS debug client -Usage: gnutls-cli-debug [ - [] | --[@{=| @}] ]... - - -d, --debug=num Enable debugging - - it must be in the range: - 0 to 9999 - -V, --verbose More verbose output - - may appear multiple times - -p, --port=num The port to connect to - - it must be in the range: - 0 to 65536 - -v, --version[=arg] output version information and exit - -h, --help display extended usage information and exit - -!, --more-help extended usage information passed thru pager - -Options are specified by doubled hyphens and their name or by a single -hyphen and the flag character. -Operands and options may be intermixed. They will be reordered. - -TLS debug client. It sets up multiple TLS connections to a server and -queries its capabilities. It was created to assist in debugging GnuTLS, -but it might be useful to extract a TLS server's capabilities. It connects -to a TLS server, performs tests and print the server's capabilities. If -called with the `-v' parameter more checks will be performed. Can be used -to check for servers with special needs or bugs. - -Please send bug reports to: -@end example -@exampleindent 4 - -@anchor{gnutls-cli-debug debug} -@subheading debug option (-d) - -This is the ``enable debugging'' option. -This option takes a number argument. -Specifies the debug level. -@anchor{gnutls-cli-debug exit status} -@subheading gnutls-cli-debug exit status - -One of the following exit values will be returned: -@table @samp -@item 0 (EXIT_SUCCESS) -Successful program execution. -@item 1 (EXIT_FAILURE) -The operation failed or the command syntax was not valid. -@end table -@anchor{gnutls-cli-debug See Also} -@subheading gnutls-cli-debug See Also -gnutls-cli(1), gnutls-serv(1) -@anchor{gnutls-cli-debug Examples} -@subheading gnutls-cli-debug Examples -@example -$ ../src/gnutls-cli-debug localhost -Resolving 'localhost'... -Connecting to '127.0.0.1:443'... -Checking for SSL 3.0 support... yes -Checking whether %COMPAT is required... no -Checking for TLS 1.0 support... yes -Checking for TLS 1.1 support... no -Checking fallback from TLS 1.1 to... TLS 1.0 -Checking for TLS 1.2 support... no -Checking whether we need to disable TLS 1.0... N/A -Checking for Safe renegotiation support... yes -Checking for Safe renegotiation support (SCSV)... yes -Checking for HTTPS server name... not checked -Checking for version rollback bug in RSA PMS... no -Checking for version rollback bug in Client Hello... no -Checking whether the server ignores the RSA PMS version... no -Checking whether the server can accept Hello Extensions... yes -Checking whether the server can accept small records (512 bytes)... yes -Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes -Checking whether the server can accept a bogus TLS record version in the client hello... yes -Checking for certificate information... N/A -Checking for trusted CAs... N/A -Checking whether the server understands TLS closure alerts... partially -Checking whether the server supports session resumption... yes -Checking for export-grade ciphersuite support... no -Checking RSA-export ciphersuite info... N/A -Checking for anonymous authentication support... no -Checking anonymous Diffie-Hellman group info... N/A -Checking for ephemeral Diffie-Hellman support... no -Checking ephemeral Diffie-Hellman group info... N/A -Checking for ephemeral EC Diffie-Hellman support... yes -Checking ephemeral EC Diffie-Hellman group info... - Curve SECP256R1 -Checking for AES-GCM cipher support... no -Checking for AES-CBC cipher support... yes -Checking for CAMELLIA cipher support... no -Checking for 3DES-CBC cipher support... yes -Checking for ARCFOUR 128 cipher support... yes -Checking for ARCFOUR 40 cipher support... no -Checking for MD5 MAC support... yes -Checking for SHA1 MAC support... yes -Checking for SHA256 MAC support... no -Checking for ZLIB compression support... no -Checking for max record size... no -Checking for OpenPGP authentication support... no -@end example diff --git a/doc/invoke-gnutls-cli.texi b/doc/invoke-gnutls-cli.texi deleted file mode 100644 index e6606bb788..0000000000 --- a/doc/invoke-gnutls-cli.texi +++ /dev/null @@ -1,356 +0,0 @@ -@node gnutls-cli Invocation -@section Invoking gnutls-cli -@pindex gnutls-cli -@ignore -# -*- buffer-read-only: t -*- vi: set ro: -# -# DO NOT EDIT THIS FILE (invoke-gnutls-cli.texi) -# -# It has been AutoGen-ed November 24, 2013 at 09:50:52 AM by AutoGen 5.18.2 -# From the definitions ../src/cli-args.def -# and the template file agtexi-cmd.tpl -@end ignore - - -Simple client program to set up a TLS connection to some other computer. -It sets up a TLS connection and forwards data from the standard input to the secured socket and vice versa. - -This section was generated by @strong{AutoGen}, -using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-cli} program. -This software is released under the GNU General Public License, version 3 or later. - - -@anchor{gnutls-cli usage} -@subheading gnutls-cli help/usage (@option{--help}) -@cindex gnutls-cli help - -This is the automatically generated usage text for gnutls-cli. - -The text printed is the same whether selected with the @code{help} option -(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print -the usage text by passing it through a pager program. -@code{more-help} is disabled on platforms without a working -@code{fork(2)} function. The @code{PAGER} environment variable is -used to select the program, defaulting to @file{more}. Both will exit -with a status code of 0. - -@exampleindent 0 -@example -gnutls-cli - GnuTLS client -Usage: gnutls-cli [ - [] | --[@{=| @}] ]... [hostname] - - -d, --debug=num Enable debugging - - it must be in the range: - 0 to 9999 - -V, --verbose More verbose output - - may appear multiple times - --tofu Enable trust on first use authentication - - disabled as '--no-tofu' - --dane Enable DANE certificate verification (DNSSEC) - - disabled as '--no-dane' - --local-dns Use the local DNS server for DNSSEC resolving - - disabled as '--no-local-dns' - --ca-verification Disable CA certificate verification - - disabled as '--no-ca-verification' - - enabled by default - --ocsp Enable OCSP certificate verification - - disabled as '--no-ocsp' - -r, --resume Establish a session and resume - -e, --rehandshake Establish a session and rehandshake - -s, --starttls Connect, establish a plain session and start TLS - -u, --udp Use DTLS (datagram TLS) over UDP - --mtu=num Set MTU for datagram TLS - - it must be in the range: - 0 to 17000 - --crlf Send CR LF instead of LF - --x509fmtder Use DER format for certificates to read from - -f, --fingerprint Send the openpgp fingerprint, instead of the key - --print-cert Print peer's certificate in PEM format - --dh-bits=num The minimum number of bits allowed for DH - --priority=str Priorities string - --x509cafile=str Certificate file or PKCS #11 URL to use - --x509crlfile=file CRL file to use - - file must pre-exist - --pgpkeyfile=file PGP Key file to use - - file must pre-exist - --pgpkeyring=file PGP Key ring file to use - - file must pre-exist - --pgpcertfile=file PGP Public Key (certificate) file to use - - file must pre-exist - --x509keyfile=str X.509 key file or PKCS #11 URL to use - --x509certfile=str X.509 Certificate file or PKCS #11 URL to use - --pgpsubkey=str PGP subkey to use (hex or auto) - --srpusername=str SRP username to use - --srppasswd=str SRP password to use - --pskusername=str PSK username to use - --pskkey=str PSK key (in hex) to use - -p, --port=str The port or service to connect to - --insecure Don't abort program if server certificate can't be validated - --ranges Use length-hiding padding to prevent traffic analysis - --benchmark-ciphers Benchmark individual ciphers - --benchmark-soft-ciphers Benchmark individual software ciphers (no hw acceleration) - --benchmark-tls-kx Benchmark TLS key exchange methods - --benchmark-tls-ciphers Benchmark TLS ciphers - -l, --list Print a list of the supported algorithms and modes - --noticket Don't allow session tickets - --srtp-profiles=str Offer SRTP profiles - --alpn=str Application layer protocol - - may appear multiple times - -b, --heartbeat Activate heartbeat support - --recordsize=num The maximum record size to advertize - - it must be in the range: - 0 to 4096 - --disable-sni Do not send a Server Name Indication (SNI) - --disable-extensions Disable all the TLS extensions - --inline-commands Inline commands of the form ^^ - --inline-commands-prefix=str Change the default (^) used as a delimiter for inline commands. The -value is a single US-ASCII character (octets 0 - 127). - -v, --version[=arg] output version information and exit - -h, --help display extended usage information and exit - -!, --more-help extended usage information passed thru pager - -Options are specified by doubled hyphens and their name or by a single -hyphen and the flag character. -Operands and options may be intermixed. They will be reordered. - -Simple client program to set up a TLS connection to some other computer. It -sets up a TLS connection and forwards data from the standard input to the -secured socket and vice versa. - -Please send bug reports to: -@end example -@exampleindent 4 - -@anchor{gnutls-cli debug} -@subheading debug option (-d) - -This is the ``enable debugging'' option. -This option takes a number argument. -Specifies the debug level. -@anchor{gnutls-cli tofu} -@subheading tofu option - -This is the ``enable trust on first use authentication'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-tofu. -@end itemize - -This option will, in addition to certificate authentication, perform authentication based on previously seen public keys, a model similar to SSH authentication. -@anchor{gnutls-cli dane} -@subheading dane option - -This is the ``enable dane certificate verification (dnssec)'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-dane. -@end itemize - -This option will, in addition to certificate authentication using -the trusted CAs, verify the server certificates using on the DANE information -available via DNSSEC. -@anchor{gnutls-cli local-dns} -@subheading local-dns option - -This is the ``use the local dns server for dnssec resolving'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-local-dns. -@end itemize - -This option will use the local DNS server for DNSSEC. -This is disabled by default due to many servers not allowing DNSSEC. -@anchor{gnutls-cli ca-verification} -@subheading ca-verification option - -This is the ``disable ca certificate verification'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-ca-verification. -@item -It is enabled by default. -@end itemize - -This option will disable CA certificate verification. It is to be used with the --dane or --tofu options. -@anchor{gnutls-cli ocsp} -@subheading ocsp option - -This is the ``enable ocsp certificate verification'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-ocsp. -@end itemize - -This option will enable verification of the peer's certificate using ocsp -@anchor{gnutls-cli resume} -@subheading resume option (-r) - -This is the ``establish a session and resume'' option. -Connect, establish a session, reconnect and resume. -@anchor{gnutls-cli rehandshake} -@subheading rehandshake option (-e) - -This is the ``establish a session and rehandshake'' option. -Connect, establish a session and rehandshake immediately. -@anchor{gnutls-cli starttls} -@subheading starttls option (-s) - -This is the ``connect, establish a plain session and start tls'' option. -The TLS session will be initiated when EOF or a SIGALRM is received. -@anchor{gnutls-cli dh-bits} -@subheading dh-bits option - -This is the ``the minimum number of bits allowed for dh'' option. -This option takes a number argument. -This option sets the minimum number of bits allowed for a Diffie-Hellman key exchange. You may want to lower the default value if the peer sends a weak prime and you get an connection error with unacceptable prime. -@anchor{gnutls-cli priority} -@subheading priority option - -This is the ``priorities string'' option. -This option takes a string argument. -TLS algorithms and protocols to enable. You can -use predefined sets of ciphersuites such as PERFORMANCE, -NORMAL, SECURE128, SECURE256. - -Check the GnuTLS manual on section ``Priority strings'' for more -information on allowed keywords -@anchor{gnutls-cli ranges} -@subheading ranges option - -This is the ``use length-hiding padding to prevent traffic analysis'' option. -When possible (e.g., when %NEW_PADDING is specified), use length-hiding padding to prevent traffic analysis. -@anchor{gnutls-cli list} -@subheading list option (-l) - -This is the ``print a list of the supported algorithms and modes'' option. -Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown. -@anchor{gnutls-cli alpn} -@subheading alpn option - -This is the ``application layer protocol'' option. -This option takes a string argument. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -may appear an unlimited number of times. -@end itemize - -This option will set and enable the Application Layer Protocol Negotiation (ALPN) in the TLS protocol. -@anchor{gnutls-cli disable-extensions} -@subheading disable-extensions option - -This is the ``disable all the tls extensions'' option. -This option disables all TLS extensions. Deprecated option. Use the priority string. -@anchor{gnutls-cli inline-commands} -@subheading inline-commands option - -This is the ``inline commands of the form ^^'' option. -Enable inline commands of the form ^^. The inline commands are expected to be in a line by themselves. The available commands are: resume and renegotiate. -@anchor{gnutls-cli inline-commands-prefix} -@subheading inline-commands-prefix option - -This is the ``change the default (^) used as a delimiter for inline commands. - the value is a single us-ascii character (octets 0 - 127).'' option. -This option takes a string argument. -Change the default (^) delimiter used for inline commands. The delimiter is expected to be a single US-ASCII character (octets 0 - 127). This option is only relevant if inline commands are enabled via the inline-commands option -@anchor{gnutls-cli exit status} -@subheading gnutls-cli exit status - -One of the following exit values will be returned: -@table @samp -@item 0 (EXIT_SUCCESS) -Successful program execution. -@item 1 (EXIT_FAILURE) -The operation failed or the command syntax was not valid. -@end table -@anchor{gnutls-cli See Also} -@subheading gnutls-cli See Also -gnutls-cli-debug(1), gnutls-serv(1) -@anchor{gnutls-cli Examples} -@subheading gnutls-cli Examples -@subheading Connecting using PSK authentication -To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below. -@example -$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \ - --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \ - --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK -Resolving 'localhost'... -Connecting to '127.0.0.1:5556'... -- PSK authentication. -- Version: TLS1.1 -- Key Exchange: PSK -- Cipher: AES-128-CBC -- MAC: SHA1 -- Compression: NULL -- Handshake was completed - -- Simple Client Mode: -@end example -By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake. - -@subheading Listing ciphersuites in a priority string -To list the ciphersuites in a priority string: -@example -$ ./gnutls-cli --priority SECURE192 -l -Cipher suites for SECURE192 -TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2 -TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2 -TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2 -TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2 -TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2 -TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2 - -Certificate types: CTYPE-X.509 -Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0 -Compression: COMP-NULL -Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1 -PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512 -@end example - -@subheading Connecting using a PKCS #11 token -To connect to a server using a certificate and a private key present in a PKCS #11 token you -need to substitute the PKCS 11 URLs in the x509certfile and x509keyfile parameters. - -Those can be found using "p11tool --list-tokens" and then listing all the objects in the -needed token, and using the appropriate. -@example -$ p11tool --list-tokens - -Token 0: -URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test -Label: Test -Manufacturer: EnterSafe -Model: PKCS15 -Serial: 1234 - -$ p11tool --login --list-certs "pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test" - -Object 0: -URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert -Type: X.509 Certificate -Label: client -ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a - -$ export MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=cert" -$ export MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;object-type=private" - -$ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile MYCERT -@end example -Notice that the private key only differs from the certificate in the object-type. diff --git a/doc/invoke-gnutls-serv.texi b/doc/invoke-gnutls-serv.texi deleted file mode 100644 index 17e41322a3..0000000000 --- a/doc/invoke-gnutls-serv.texi +++ /dev/null @@ -1,313 +0,0 @@ -@node gnutls-serv Invocation -@section Invoking gnutls-serv -@pindex gnutls-serv -@ignore -# -*- buffer-read-only: t -*- vi: set ro: -# -# DO NOT EDIT THIS FILE (invoke-gnutls-serv.texi) -# -# It has been AutoGen-ed November 24, 2013 at 09:50:54 AM by AutoGen 5.18.2 -# From the definitions ../src/serv-args.def -# and the template file agtexi-cmd.tpl -@end ignore - - -Server program that listens to incoming TLS connections. - -This section was generated by @strong{AutoGen}, -using the @code{agtexi-cmd} template and the option descriptions for the @code{gnutls-serv} program. -This software is released under the GNU General Public License, version 3 or later. - - -@anchor{gnutls-serv usage} -@subheading gnutls-serv help/usage (@option{--help}) -@cindex gnutls-serv help - -This is the automatically generated usage text for gnutls-serv. - -The text printed is the same whether selected with the @code{help} option -(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print -the usage text by passing it through a pager program. -@code{more-help} is disabled on platforms without a working -@code{fork(2)} function. The @code{PAGER} environment variable is -used to select the program, defaulting to @file{more}. Both will exit -with a status code of 0. - -@exampleindent 0 -@example -gnutls-serv - GnuTLS server -Usage: gnutls-serv [ - [] | --[@{=| @}] ]... - - -d, --debug=num Enable debugging - - it must be in the range: - 0 to 9999 - --noticket Don't accept session tickets - -g, --generate Generate Diffie-Hellman and RSA-export parameters - -q, --quiet Suppress some messages - --nodb Do not use a resumption database - --http Act as an HTTP server - --echo Act as an Echo server - -u, --udp Use DTLS (datagram TLS) over UDP - --mtu=num Set MTU for datagram TLS - - it must be in the range: - 0 to 17000 - --srtp-profiles=str Offer SRTP profiles - -a, --disable-client-cert Do not request a client certificate - -r, --require-client-cert Require a client certificate - -b, --heartbeat Activate heartbeat support - --x509fmtder Use DER format for certificates to read from - --priority=str Priorities string - --dhparams=file DH params file to use - - file must pre-exist - --x509cafile=str Certificate file or PKCS #11 URL to use - --x509crlfile=file CRL file to use - - file must pre-exist - --pgpkeyfile=file PGP Key file to use - - file must pre-exist - --pgpkeyring=file PGP Key ring file to use - - file must pre-exist - --pgpcertfile=file PGP Public Key (certificate) file to use - - file must pre-exist - --x509keyfile=str X.509 key file or PKCS #11 URL to use - --x509certfile=str X.509 Certificate file or PKCS #11 URL to use - --x509dsakeyfile=str Alternative X.509 key file or PKCS #11 URL to use - --x509dsacertfile=str Alternative X.509 Certificate file or PKCS #11 URL to use - --x509ecckeyfile=str Alternative X.509 key file or PKCS #11 URL to use - --x509ecccertfile=str Alternative X.509 Certificate file or PKCS #11 URL to use - --pgpsubkey=str PGP subkey to use (hex or auto) - --srppasswd=file SRP password file to use - - file must pre-exist - --srppasswdconf=file SRP password configuration file to use - - file must pre-exist - --pskpasswd=file PSK password file to use - - file must pre-exist - --pskhint=str PSK identity hint to use - --ocsp-response=file The OCSP response to send to client - - file must pre-exist - -p, --port=num The port to connect to - -l, --list Print a list of the supported algorithms and modes - -v, --version[=arg] output version information and exit - -h, --help display extended usage information and exit - -!, --more-help extended usage information passed thru pager - -Options are specified by doubled hyphens and their name or by a single -hyphen and the flag character. - -Server program that listens to incoming TLS connections. - -Please send bug reports to: -@end example -@exampleindent 4 - -@anchor{gnutls-serv debug} -@subheading debug option (-d) - -This is the ``enable debugging'' option. -This option takes a number argument. -Specifies the debug level. -@anchor{gnutls-serv heartbeat} -@subheading heartbeat option (-b) - -This is the ``activate heartbeat support'' option. -Regularly ping client via heartbeat extension messages -@anchor{gnutls-serv priority} -@subheading priority option - -This is the ``priorities string'' option. -This option takes a string argument. -TLS algorithms and protocols to enable. You can -use predefined sets of ciphersuites such as PERFORMANCE, -NORMAL, SECURE128, SECURE256. - -Check the GnuTLS manual on section ``Priority strings'' for more -information on allowed keywords -@anchor{gnutls-serv ocsp-response} -@subheading ocsp-response option - -This is the ``the ocsp response to send to client'' option. -This option takes a file argument. -If the client requested an OCSP response, return data from this file to the client. -@anchor{gnutls-serv list} -@subheading list option (-l) - -This is the ``print a list of the supported algorithms and modes'' option. -Print a list of the supported algorithms and modes. If a priority string is given then only the enabled ciphersuites are shown. -@anchor{gnutls-serv exit status} -@subheading gnutls-serv exit status - -One of the following exit values will be returned: -@table @samp -@item 0 (EXIT_SUCCESS) -Successful program execution. -@item 1 (EXIT_FAILURE) -The operation failed or the command syntax was not valid. -@end table -@anchor{gnutls-serv See Also} -@subheading gnutls-serv See Also -gnutls-cli-debug(1), gnutls-cli(1) -@anchor{gnutls-serv Examples} -@subheading gnutls-serv Examples -Running your own TLS server based on GnuTLS can be useful when -debugging clients and/or GnuTLS itself. This section describes how to -use @code{gnutls-serv} as a simple HTTPS server. - -The most basic server can be started as: - -@example -gnutls-serv --http -@end example - -It will only support anonymous ciphersuites, which many TLS clients -refuse to use. - -The next step is to add support for X.509. First we generate a CA: - -@example -$ certtool --generate-privkey > x509-ca-key.pem -$ echo 'cn = GnuTLS test CA' > ca.tmpl -$ echo 'ca' >> ca.tmpl -$ echo 'cert_signing_key' >> ca.tmpl -$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \ - --template ca.tmpl --outfile x509-ca.pem -... -@end example - -Then generate a server certificate. Remember to change the dns_name -value to the name of your server host, or skip that command to avoid -the field. - -@example -$ certtool --generate-privkey > x509-server-key.pem -$ echo 'organization = GnuTLS test server' > server.tmpl -$ echo 'cn = test.gnutls.org' >> server.tmpl -$ echo 'tls_www_server' >> server.tmpl -$ echo 'encryption_key' >> server.tmpl -$ echo 'signing_key' >> server.tmpl -$ echo 'dns_name = test.gnutls.org' >> server.tmpl -$ certtool --generate-certificate --load-privkey x509-server-key.pem \ - --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \ - --template server.tmpl --outfile x509-server.pem -... -@end example - -For use in the client, you may want to generate a client certificate -as well. - -@example -$ certtool --generate-privkey > x509-client-key.pem -$ echo 'cn = GnuTLS test client' > client.tmpl -$ echo 'tls_www_client' >> client.tmpl -$ echo 'encryption_key' >> client.tmpl -$ echo 'signing_key' >> client.tmpl -$ certtool --generate-certificate --load-privkey x509-client-key.pem \ - --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \ - --template client.tmpl --outfile x509-client.pem -... -@end example - -To be able to import the client key/certificate into some -applications, you will need to convert them into a PKCS#12 structure. -This also encrypts the security sensitive key with a password. - -@example -$ certtool --to-p12 --load-ca-certificate x509-ca.pem \ - --load-privkey x509-client-key.pem --load-certificate x509-client.pem \ - --outder --outfile x509-client.p12 -@end example - -For icing, we'll create a proxy certificate for the client too. - -@example -$ certtool --generate-privkey > x509-proxy-key.pem -$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl -$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \ - --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \ - --load-certificate x509-client.pem --template proxy.tmpl \ - --outfile x509-proxy.pem -... -@end example - -Then start the server again: - -@example -$ gnutls-serv --http \ - --x509cafile x509-ca.pem \ - --x509keyfile x509-server-key.pem \ - --x509certfile x509-server.pem -@end example - -Try connecting to the server using your web browser. Note that the -server listens to port 5556 by default. - -While you are at it, to allow connections using DSA, you can also -create a DSA key and certificate for the server. These credentials -will be used in the final example below. - -@example -$ certtool --generate-privkey --dsa > x509-server-key-dsa.pem -$ certtool --generate-certificate --load-privkey x509-server-key-dsa.pem \ - --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \ - --template server.tmpl --outfile x509-server-dsa.pem -... -@end example - -The next step is to create OpenPGP credentials for the server. - -@example -gpg --gen-key -...enter whatever details you want, use 'test.gnutls.org' as name... -@end example - -Make a note of the OpenPGP key identifier of the newly generated key, -here it was @code{5D1D14D8}. You will need to export the key for -GnuTLS to be able to use it. - -@example -gpg -a --export 5D1D14D8 > openpgp-server.txt -gpg --export 5D1D14D8 > openpgp-server.bin -gpg --export-secret-keys 5D1D14D8 > openpgp-server-key.bin -gpg -a --export-secret-keys 5D1D14D8 > openpgp-server-key.txt -@end example - -Let's start the server with support for OpenPGP credentials: - -@example -gnutls-serv --http \ - --pgpkeyfile openpgp-server-key.txt \ - --pgpcertfile openpgp-server.txt -@end example - -The next step is to add support for SRP authentication. This requires -an SRP password file created with @code{srptool}. -To start the server with SRP support: - -@example -gnutls-serv --http \ - --srppasswdconf srp-tpasswd.conf \ - --srppasswd srp-passwd.txt -@end example - -Let's also start a server with support for PSK. This would require -a password file created with @code{psktool}. - -@example -gnutls-serv --http \ - --pskpasswd psk-passwd.txt -@end example - -Finally, we start the server with all the earlier parameters and you -get this command: - -@example -gnutls-serv --http \ - --x509cafile x509-ca.pem \ - --x509keyfile x509-server-key.pem \ - --x509certfile x509-server.pem \ - --x509dsakeyfile x509-server-key-dsa.pem \ - --x509dsacertfile x509-server-dsa.pem \ - --pgpkeyfile openpgp-server-key.txt \ - --pgpcertfile openpgp-server.txt \ - --srppasswdconf srp-tpasswd.conf \ - --srppasswd srp-passwd.txt \ - --pskpasswd psk-passwd.txt -@end example diff --git a/doc/invoke-ocsptool.texi b/doc/invoke-ocsptool.texi deleted file mode 100644 index 01690aa9bd..0000000000 --- a/doc/invoke-ocsptool.texi +++ /dev/null @@ -1,254 +0,0 @@ -@node ocsptool Invocation -@subsection Invoking ocsptool -@pindex ocsptool -@ignore -# -*- buffer-read-only: t -*- vi: set ro: -# -# DO NOT EDIT THIS FILE (invoke-ocsptool.texi) -# -# It has been AutoGen-ed November 24, 2013 at 09:50:56 AM by AutoGen 5.18.2 -# From the definitions ../src/ocsptool-args.def -# and the template file agtexi-cmd.tpl -@end ignore - - -Ocsptool is a program that can parse and print information about -OCSP requests/responses, generate requests and verify responses. - - -This section was generated by @strong{AutoGen}, -using the @code{agtexi-cmd} template and the option descriptions for the @code{ocsptool} program. -This software is released under the GNU General Public License, version 3 or later. - - -@anchor{ocsptool usage} -@subsubheading ocsptool help/usage (@option{--help}) -@cindex ocsptool help - -This is the automatically generated usage text for ocsptool. - -The text printed is the same whether selected with the @code{help} option -(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print -the usage text by passing it through a pager program. -@code{more-help} is disabled on platforms without a working -@code{fork(2)} function. The @code{PAGER} environment variable is -used to select the program, defaulting to @file{more}. Both will exit -with a status code of 0. - -@exampleindent 0 -@example -ocsptool - GnuTLS OCSP tool -Usage: ocsptool [ - [] | --[@{=| @}] ]... - - -d, --debug=num Enable debugging - - it must be in the range: - 0 to 9999 - -V, --verbose More verbose output - - may appear multiple times - --infile=file Input file - - file must pre-exist - --outfile=str Output file - --ask[=arg] Ask an OCSP/HTTP server on a certificate validity - - requires these options: - load-cert - load-issuer - -e, --verify-response Verify response - -i, --request-info Print information on a OCSP request - -j, --response-info Print information on a OCSP response - -q, --generate-request Generate an OCSP request - --nonce Don't add nonce to OCSP request - - disabled as '--no-nonce' - --load-issuer=file Read issuer certificate from file - - file must pre-exist - --load-cert=file Read certificate to check from file - - file must pre-exist - --load-trust=file Read OCSP trust anchors from file - - prohibits the option 'load-signer' - - file must pre-exist - --load-signer=file Read OCSP response signer from file - - prohibits the option 'load-trust' - - file must pre-exist - --inder Use DER format for input certificates and private keys - - disabled as '--no-inder' - -Q, --load-request=file Read DER encoded OCSP request from file - - file must pre-exist - -S, --load-response=file Read DER encoded OCSP response from file - - file must pre-exist - -v, --version[=arg] output version information and exit - -h, --help display extended usage information and exit - -!, --more-help extended usage information passed thru pager - -Options are specified by doubled hyphens and their name or by a single -hyphen and the flag character. - -Ocsptool is a program that can parse and print information about OCSP -requests/responses, generate requests and verify responses. - -Please send bug reports to: -@end example -@exampleindent 4 - -@anchor{ocsptool debug} -@subsubheading debug option (-d) - -This is the ``enable debugging'' option. -This option takes a number argument. -Specifies the debug level. -@anchor{ocsptool ask} -@subsubheading ask option - -This is the ``ask an ocsp/http server on a certificate validity'' option. -This option takes an optional string argument @file{server name|url}. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -must appear in combination with the following options: -load-cert, load-issuer. -@end itemize - -Connects to the specified HTTP OCSP server and queries on the validity of the loaded certificate. -@anchor{ocsptool exit status} -@subsubheading ocsptool exit status - -One of the following exit values will be returned: -@table @samp -@item 0 (EXIT_SUCCESS) -Successful program execution. -@item 1 (EXIT_FAILURE) -The operation failed or the command syntax was not valid. -@end table -@anchor{ocsptool See Also} -@subsubheading ocsptool See Also - certtool (1) -@anchor{ocsptool Examples} -@subsubheading ocsptool Examples -@subsubheading Print information about an OCSP request - -To parse an OCSP request and print information about the content, the -@code{-i} or @code{--request-info} parameter may be used as follows. -The @code{-Q} parameter specify the name of the file containing the -OCSP request, and it should contain the OCSP request in binary DER -format. - -@example -$ ocsptool -i -Q ocsp-request.der -@end example - -The input file may also be sent to standard input like this: - -@example -$ cat ocsp-request.der | ocsptool --request-info -@end example - -@subsubheading Print information about an OCSP response - -Similar to parsing OCSP requests, OCSP responses can be parsed using -the @code{-j} or @code{--response-info} as follows. - -@example -$ ocsptool -j -Q ocsp-response.der -$ cat ocsp-response.der | ocsptool --response-info -@end example - -@subsubheading Generate an OCSP request - -The @code{-q} or @code{--generate-request} parameters are used to -generate an OCSP request. By default the OCSP request is written to -standard output in binary DER format, but can be stored in a file -using @code{--outfile}. To generate an OCSP request the issuer of the -certificate to check needs to be specified with @code{--load-issuer} -and the certificate to check with @code{--load-cert}. By default PEM -format is used for these files, although @code{--inder} can be used to -specify that the input files are in DER format. - -@example -$ ocsptool -q --load-issuer issuer.pem --load-cert client.pem \ - --outfile ocsp-request.der -@end example - -When generating OCSP requests, the tool will add an OCSP extension -containing a nonce. This behaviour can be disabled by specifying -@code{--no-nonce}. - -@subsubheading Verify signature in OCSP response - -To verify the signature in an OCSP response the @code{-e} or -@code{--verify-response} parameter is used. The tool will read an -OCSP response in DER format from standard input, or from the file -specified by @code{--load-response}. The OCSP response is verified -against a set of trust anchors, which are specified using -@code{--load-trust}. The trust anchors are concatenated certificates -in PEM format. The certificate that signed the OCSP response needs to -be in the set of trust anchors, or the issuer of the signer -certificate needs to be in the set of trust anchors and the OCSP -Extended Key Usage bit has to be asserted in the signer certificate. - -@example -$ ocsptool -e --load-trust issuer.pem \ - --load-response ocsp-response.der -@end example - -The tool will print status of verification. - -@subsubheading Verify signature in OCSP response against given certificate - -It is possible to override the normal trust logic if you know that a -certain certificate is supposed to have signed the OCSP response, and -you want to use it to check the signature. This is achieved using -@code{--load-signer} instead of @code{--load-trust}. This will load -one certificate and it will be used to verify the signature in the -OCSP response. It will not check the Extended Key Usage bit. - -@example -$ ocsptool -e --load-signer ocsp-signer.pem \ - --load-response ocsp-response.der -@end example - -This approach is normally only relevant in two situations. The first -is when the OCSP response does not contain a copy of the signer -certificate, so the @code{--load-trust} code would fail. The second -is if you want to avoid the indirect mode where the OCSP response -signer certificate is signed by a trust anchor. - -@subsubheading Real-world example - -Here is an example of how to generate an OCSP request for a -certificate and to verify the response. For illustration we'll use -the @code{blog.josefsson.org} host, which (as of writing) uses a -certificate from CACert. First we'll use @code{gnutls-cli} to get a -copy of the server certificate chain. The server is not required to -send this information, but this particular one is configured to do so. - -@example -$ echo | gnutls-cli -p 443 blog.josefsson.org --print-cert > chain.pem -@end example - -Use a text editor on @code{chain.pem} to create three files for each -separate certificates, called @code{cert.pem} for the first -certificate for the domain itself, secondly @code{issuer.pem} for the -intermediate certificate and @code{root.pem} for the final root -certificate. - -The domain certificate normally contains a pointer to where the OCSP -responder is located, in the Authority Information Access Information -extension. For example, from @code{certtool -i < cert.pem} there is -this information: - -@example -Authority Information Access Information (not critical): -Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp) -Access Location URI: http://ocsp.CAcert.org/ -@end example - -This means the CA support OCSP queries over HTTP. We are now ready to -create a OCSP request for the certificate. - -@example -$ ocsptool --ask ocsp.CAcert.org --load-issuer issuer.pem \ - --load-cert cert.pem --outfile ocsp-response.der -@end example - -The request is sent via HTTP to the OCSP server address specified. If the -address is ommited ocsptool will use the address stored in the certificate. diff --git a/doc/invoke-p11tool.texi b/doc/invoke-p11tool.texi deleted file mode 100644 index b0eacad7f2..0000000000 --- a/doc/invoke-p11tool.texi +++ /dev/null @@ -1,270 +0,0 @@ -@node p11tool Invocation -@subsection Invoking p11tool -@pindex p11tool -@ignore -# -*- buffer-read-only: t -*- vi: set ro: -# -# DO NOT EDIT THIS FILE (invoke-p11tool.texi) -# -# It has been AutoGen-ed November 24, 2013 at 09:51:01 AM by AutoGen 5.18.2 -# From the definitions ../src/p11tool-args.def -# and the template file agtexi-cmd.tpl -@end ignore - - -Program that allows handling data from PKCS #11 smart cards -and security modules. - -To use PKCS #11 tokens with gnutls the configuration file -/etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the form 'load=/usr/lib/opensc-pkcs11.so'. -Alternatively the p11-kit configuration files have to be setup. - -To provide the PIN for all the operations below use the environment variable -GNUTLS_PIN. - - -This section was generated by @strong{AutoGen}, -using the @code{agtexi-cmd} template and the option descriptions for the @code{p11tool} program. -This software is released under the GNU General Public License, version 3 or later. - - -@anchor{p11tool usage} -@subsubheading p11tool help/usage (@option{--help}) -@cindex p11tool help - -This is the automatically generated usage text for p11tool. - -The text printed is the same whether selected with the @code{help} option -(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print -the usage text by passing it through a pager program. -@code{more-help} is disabled on platforms without a working -@code{fork(2)} function. The @code{PAGER} environment variable is -used to select the program, defaulting to @file{more}. Both will exit -with a status code of 0. - -@exampleindent 0 -@example -p11tool - GnuTLS PKCS #11 tool -Usage: p11tool [ - [] | --[@{=| @}] ]... [url] - - -d, --debug=num Enable debugging - - it must be in the range: - 0 to 9999 - --outfile=str Output file - --list-tokens List all available tokens - --export Export the object specified by the URL - --export-chain Export the certificate specified by the URL and its chain of trust - --list-mechanisms List all available mechanisms in a token - --list-all List all available objects in a token - --list-all-certs List all available certificates in a token - --list-certs List all certificates that have an associated private key - --list-all-privkeys List all available private keys in a token - --list-all-trusted List all available certificates marked as trusted - --initialize Initializes a PKCS #11 token - --write Writes the loaded objects to a PKCS #11 token - --delete Deletes the objects matching the PKCS #11 URL - --generate-random=num Generate random data - --generate-rsa Generate an RSA private-public key pair - --generate-dsa Generate an RSA private-public key pair - --generate-ecc Generate an RSA private-public key pair - --label=str Sets a label for the write operation - --trusted Marks the object to be written as trusted - - disabled as '--no-trusted' - --private Marks the object to be written as private - - disabled as '--no-private' - - enabled by default - --login Force login to token - - disabled as '--no-login' - --detailed-url Print detailed URLs - - disabled as '--no-detailed-url' - --secret-key=str Provide a hex encoded secret key - --load-privkey=file Private key file to use - - file must pre-exist - --load-pubkey=file Public key file to use - - file must pre-exist - --load-certificate=file Certificate file to use - - file must pre-exist - -8, --pkcs8 Use PKCS #8 format for private keys - --bits=num Specify the number of bits for key generate - --sec-param=str Specify the security level - --inder Use DER/RAW format for input - - disabled as '--no-inder' - --inraw an alias for the 'inder' option - --outder Use DER format for output certificates, private keys, and DH parameters - - disabled as '--no-outder' - --outraw an alias for the 'outder' option - --provider=file Specify the PKCS #11 provider library - - file must pre-exist - -v, --version[=arg] output version information and exit - -h, --help display extended usage information and exit - -!, --more-help extended usage information passed thru pager - -Options are specified by doubled hyphens and their name or by a single -hyphen and the flag character. -Operands and options may be intermixed. They will be reordered. - -Program that allows handling data from PKCS #11 smart cards and security -modules. - -To use PKCS #11 tokens with gnutls the configuration file -/etc/gnutls/pkcs11.conf has to exist and contain a number of lines of the -form 'load=/usr/lib/opensc-pkcs11.so'. Alternatively the p11-kit -configuration files have to be setup. - -To provide the PIN for all the operations below use the environment -variable GNUTLS_PIN. - -Please send bug reports to: -@end example -@exampleindent 4 - -@anchor{p11tool debug} -@subsubheading debug option (-d) - -This is the ``enable debugging'' option. -This option takes a number argument. -Specifies the debug level. -@anchor{p11tool export-chain} -@subsubheading export-chain option - -This is the ``export the certificate specified by the url and its chain of trust'' option. -Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module. -@anchor{p11tool write} -@subsubheading write option - -This is the ``writes the loaded objects to a pkcs #11 token'' option. -It can be used to write private keys, certificates or secret keys to a token. -@anchor{p11tool generate-random} -@subsubheading generate-random option - -This is the ``generate random data'' option. -This option takes a number argument. -Asks the token to generate a number of bytes of random bytes. -@anchor{p11tool generate-rsa} -@subsubheading generate-rsa option - -This is the ``generate an rsa private-public key pair'' option. -Generates an RSA private-public key pair on the specified token. -@anchor{p11tool generate-dsa} -@subsubheading generate-dsa option - -This is the ``generate an rsa private-public key pair'' option. -Generates an RSA private-public key pair on the specified token. -@anchor{p11tool generate-ecc} -@subsubheading generate-ecc option - -This is the ``generate an rsa private-public key pair'' option. -Generates an RSA private-public key pair on the specified token. -@anchor{p11tool private} -@subsubheading private option - -This is the ``marks the object to be written as private'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-private. -@item -It is enabled by default. -@end itemize - -The written object will require a PIN to be used. -@anchor{p11tool sec-param} -@subsubheading sec-param option - -This is the ``specify the security level'' option. -This option takes a string argument @file{Security parameter}. -This is alternative to the bits option. Available options are [low, legacy, normal, high, ultra]. -@anchor{p11tool inder} -@subsubheading inder option - -This is the ``use der/raw format for input'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-inder. -@end itemize - -Use DER/RAW format for input certificates and private keys. -@anchor{p11tool inraw} -@subsubheading inraw option - -This is an alias for the @code{inder} option, -@pxref{p11tool inder, the inder option documentation}. - -@anchor{p11tool outder} -@subsubheading outder option - -This is the ``use der format for output certificates, private keys, and dh parameters'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-outder. -@end itemize - -The output will be in DER or RAW format. -@anchor{p11tool outraw} -@subsubheading outraw option - -This is an alias for the @code{outder} option, -@pxref{p11tool outder, the outder option documentation}. - -@anchor{p11tool provider} -@subsubheading provider option - -This is the ``specify the pkcs #11 provider library'' option. -This option takes a file argument. -This will override the default options in /etc/gnutls/pkcs11.conf -@anchor{p11tool exit status} -@subsubheading p11tool exit status - -One of the following exit values will be returned: -@table @samp -@item 0 (EXIT_SUCCESS) -Successful program execution. -@item 1 (EXIT_FAILURE) -The operation failed or the command syntax was not valid. -@end table -@anchor{p11tool See Also} -@subsubheading p11tool See Also - certtool (1) -@anchor{p11tool Examples} -@subsubheading p11tool Examples -To view all tokens in your system use: -@example -$ p11tool --list-tokens -@end example - -To view all objects in a token use: -@example -$ p11tool --login --list-all "pkcs11:TOKEN-URL" -@end example - -To store a private key and a certificate in a token run: -@example -$ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \ - --label "Mykey" -$ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \ - --label "Mykey" -@end example -Note that some tokens require the same label to be used for the certificate -and its corresponding private key. - -To generate an RSA private key inside the token use: -@example -$ p11tool --login --generate-rsa --bits 1024 --label "MyNewKey" \ - --outfile MyNewKey.pub "pkcs11:TOKEN-URL" -@end example -The bits parameter in the above example is explicitly set because some -tokens only support a limited number of bits. The output file is the -corresponding public key. This key can be used to general a certificate -request with certtool. -@example -certtool --generate-request --load-privkey "pkcs11:KEY-URL" \ - --load-pubkey MyNewKey.pub --outfile request.pem -@end example diff --git a/doc/invoke-psktool.texi b/doc/invoke-psktool.texi deleted file mode 100644 index 7842917930..0000000000 --- a/doc/invoke-psktool.texi +++ /dev/null @@ -1,96 +0,0 @@ -@node psktool Invocation -@subsubsection Invoking psktool -@pindex psktool -@ignore -# -*- buffer-read-only: t -*- vi: set ro: -# -# DO NOT EDIT THIS FILE (invoke-psktool.texi) -# -# It has been AutoGen-ed November 24, 2013 at 09:51:00 AM by AutoGen 5.18.2 -# From the definitions ../src/psk-args.def -# and the template file agtexi-cmd.tpl -@end ignore - - -Program that generates random keys for use with TLS-PSK. The -keys are stored in hexadecimal format in a key file. - -This section was generated by @strong{AutoGen}, -using the @code{agtexi-cmd} template and the option descriptions for the @code{psktool} program. -This software is released under the GNU General Public License, version 3 or later. - - -@anchor{psktool usage} -@subsubheading psktool help/usage (@option{--help}) -@cindex psktool help - -This is the automatically generated usage text for psktool. - -The text printed is the same whether selected with the @code{help} option -(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print -the usage text by passing it through a pager program. -@code{more-help} is disabled on platforms without a working -@code{fork(2)} function. The @code{PAGER} environment variable is -used to select the program, defaulting to @file{more}. Both will exit -with a status code of 0. - -@exampleindent 0 -@example -psktool - GnuTLS PSK tool -Usage: psktool [ - [] | --[@{=| @}] ]... - - -d, --debug=num Enable debugging - - it must be in the range: - 0 to 9999 - -s, --keysize=num specify the key size in bytes - - it must be in the range: - 0 to 512 - -u, --username=str specify a username - -p, --passwd=str specify a password file - -v, --version[=arg] output version information and exit - -h, --help display extended usage information and exit - -!, --more-help extended usage information passed thru pager - -Options are specified by doubled hyphens and their name or by a single -hyphen and the flag character. - -Program that generates random keys for use with TLS-PSK. The keys are -stored in hexadecimal format in a key file. - -Please send bug reports to: -@end example -@exampleindent 4 - -@anchor{psktool debug} -@subsubheading debug option (-d) - -This is the ``enable debugging'' option. -This option takes a number argument. -Specifies the debug level. -@anchor{psktool exit status} -@subsubheading psktool exit status - -One of the following exit values will be returned: -@table @samp -@item 0 (EXIT_SUCCESS) -Successful program execution. -@item 1 (EXIT_FAILURE) -The operation failed or the command syntax was not valid. -@end table -@anchor{psktool See Also} -@subsubheading psktool See Also - gnutls-cli-debug (1), gnutls-serv (1), srptool (1), certtool (1) -@anchor{psktool Examples} -@subsubheading psktool Examples -To add a user 'psk_identity' in @file{passwd.psk} for use with GnuTLS run: -@example -$ ./psktool -u psk_identity -p passwd.psk -Generating a random key for user 'psk_identity' -Key stored to passwd.psk -$ cat psks.txt -psk_identity:88f3824b3e5659f52d00e959bacab954b6540344 -$ -@end example - -This command will create @file{passwd.psk} if it does not exist -and will add user 'psk_identity' (you will also be prompted for a password). diff --git a/doc/invoke-srptool.texi b/doc/invoke-srptool.texi deleted file mode 100644 index b5eb3828ae..0000000000 --- a/doc/invoke-srptool.texi +++ /dev/null @@ -1,133 +0,0 @@ -@node srptool Invocation -@subsubsection Invoking srptool -@pindex srptool -@ignore -# -*- buffer-read-only: t -*- vi: set ro: -# -# DO NOT EDIT THIS FILE (invoke-srptool.texi) -# -# It has been AutoGen-ed November 24, 2013 at 09:50:59 AM by AutoGen 5.18.2 -# From the definitions ../src/srptool-args.def -# and the template file agtexi-cmd.tpl -@end ignore - - -Simple program that emulates the programs in the Stanford SRP (Secure -Remote Password) libraries using GnuTLS. It is intended for use in places -where you don't expect SRP authentication to be the used for system users. - -In brief, to use SRP you need to create two files. These are the password -file that holds the users and the verifiers associated with them and the -configuration file to hold the group parameters (called tpasswd.conf). - -This section was generated by @strong{AutoGen}, -using the @code{agtexi-cmd} template and the option descriptions for the @code{srptool} program. -This software is released under the GNU General Public License, version 3 or later. - - -@anchor{srptool usage} -@subsubheading srptool help/usage (@option{--help}) -@cindex srptool help - -This is the automatically generated usage text for srptool. - -The text printed is the same whether selected with the @code{help} option -(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print -the usage text by passing it through a pager program. -@code{more-help} is disabled on platforms without a working -@code{fork(2)} function. The @code{PAGER} environment variable is -used to select the program, defaulting to @file{more}. Both will exit -with a status code of 0. - -@exampleindent 0 -@example -srptool - GnuTLS SRP tool -Usage: srptool [ - [] | --[@{=| @}] ]... - - -d, --debug=num Enable debugging - - it must be in the range: - 0 to 9999 - -i, --index=num specify the index of the group parameters in tpasswd.conf to use - -u, --username=str specify a username - -p, --passwd=str specify a password file - -s, --salt=num specify salt size - --verify just verify the password. - -v, --passwd-conf=str specify a password conf file. - --create-conf=str Generate a password configuration file. - -v, --version[=arg] output version information and exit - -h, --help display extended usage information and exit - -!, --more-help extended usage information passed thru pager - -Options are specified by doubled hyphens and their name or by a single -hyphen and the flag character. - -Simple program that emulates the programs in the Stanford SRP (Secure -Remote Password) libraries using GnuTLS. It is intended for use in places -where you don't expect SRP authentication to be the used for system users. - -In brief, to use SRP you need to create two files. These are the password -file that holds the users and the verifiers associated with them and the -configuration file to hold the group parameters (called tpasswd.conf). - -Please send bug reports to: -@end example -@exampleindent 4 - -@anchor{srptool debug} -@subsubheading debug option (-d) - -This is the ``enable debugging'' option. -This option takes a number argument. -Specifies the debug level. -@anchor{srptool verify} -@subsubheading verify option - -This is the ``just verify the password.'' option. -Verifies the password provided against the password file. -@anchor{srptool passwd-conf} -@subsubheading passwd-conf option (-v) - -This is the ``specify a password conf file.'' option. -This option takes a string argument. -Specify a filename or a PKCS #11 URL to read the CAs from. -@anchor{srptool create-conf} -@subsubheading create-conf option - -This is the ``generate a password configuration file.'' option. -This option takes a string argument. -This generates a password configuration file (tpasswd.conf) -containing the required for TLS parameters. -@anchor{srptool exit status} -@subsubheading srptool exit status - -One of the following exit values will be returned: -@table @samp -@item 0 (EXIT_SUCCESS) -Successful program execution. -@item 1 (EXIT_FAILURE) -The operation failed or the command syntax was not valid. -@end table -@anchor{srptool See Also} -@subsubheading srptool See Also - gnutls-cli-debug (1), gnutls-serv (1), srptool (1), psktool (1), certtool (1) -@anchor{srptool Examples} -@subsubheading srptool Examples -To create @file{tpasswd.conf} which holds the g and n values for SRP protocol -(generator and a large prime), run: -@example -$ srptool --create-conf /etc/tpasswd.conf -@end example - -This command will create @file{/etc/tpasswd} and will add user 'test' (you -will also be prompted for a password). Verifiers are stored by default -in the way libsrp expects. -@example -$ srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test -@end example - - -This command will check against a password. If the password matches -the one in @file{/etc/tpasswd} you will get an ok. -@example -$ srptool --passwd /etc/tpasswd --passwd\-conf /etc/tpasswd.conf --verify -u test -@end example diff --git a/doc/invoke-tpmtool.texi b/doc/invoke-tpmtool.texi deleted file mode 100644 index 4417edae47..0000000000 --- a/doc/invoke-tpmtool.texi +++ /dev/null @@ -1,205 +0,0 @@ -@node tpmtool Invocation -@subsection Invoking tpmtool -@pindex tpmtool -@ignore -# -*- buffer-read-only: t -*- vi: set ro: -# -# DO NOT EDIT THIS FILE (invoke-tpmtool.texi) -# -# It has been AutoGen-ed November 24, 2013 at 09:51:02 AM by AutoGen 5.18.2 -# From the definitions ../src/tpmtool-args.def -# and the template file agtexi-cmd.tpl -@end ignore - - -Program that allows handling cryptographic data from the TPM chip. - -This section was generated by @strong{AutoGen}, -using the @code{agtexi-cmd} template and the option descriptions for the @code{tpmtool} program. -This software is released under the GNU General Public License, version 3 or later. - - -@anchor{tpmtool usage} -@subsubheading tpmtool help/usage (@option{--help}) -@cindex tpmtool help - -This is the automatically generated usage text for tpmtool. - -The text printed is the same whether selected with the @code{help} option -(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print -the usage text by passing it through a pager program. -@code{more-help} is disabled on platforms without a working -@code{fork(2)} function. The @code{PAGER} environment variable is -used to select the program, defaulting to @file{more}. Both will exit -with a status code of 0. - -@exampleindent 0 -@example -tpmtool - GnuTLS TPM tool -Usage: tpmtool [ - [] | --[@{=| @}] ]... - - -d, --debug=num Enable debugging - - it must be in the range: - 0 to 9999 - --infile=file Input file - - file must pre-exist - --outfile=str Output file - --generate-rsa Generate an RSA private-public key pair - --register Any generated key will be registered in the TPM - - requires the option 'generate-rsa' - --signing Any generated key will be a signing key - - requires the option 'generate-rsa' - -- and prohibits the option 'legacy' - --legacy Any generated key will be a legacy key - - requires the option 'generate-rsa' - -- and prohibits the option 'signing' - --user Any registered key will be a user key - - requires the option 'register' - -- and prohibits the option 'system' - --system Any registred key will be a system key - - requires the option 'register' - -- and prohibits the option 'user' - --pubkey=str Prints the public key of the provided key - --list Lists all stored keys in the TPM - --delete=str Delete the key identified by the given URL (UUID). - --sec-param=str Specify the security level [low, legacy, normal, high, ultra]. - --bits=num Specify the number of bits for key generate - --inder Use the DER format for keys. - - disabled as '--no-inder' - --outder Use DER format for output keys - - disabled as '--no-outder' - -v, --version[=arg] output version information and exit - -h, --help display extended usage information and exit - -!, --more-help extended usage information passed thru pager - -Options are specified by doubled hyphens and their name or by a single -hyphen and the flag character. - -Program that allows handling cryptographic data from the TPM chip. - -Please send bug reports to: -@end example -@exampleindent 4 - -@anchor{tpmtool debug} -@subsubheading debug option (-d) - -This is the ``enable debugging'' option. -This option takes a number argument. -Specifies the debug level. -@anchor{tpmtool generate-rsa} -@subsubheading generate-rsa option - -This is the ``generate an rsa private-public key pair'' option. -Generates an RSA private-public key pair in the TPM chip. -The key may be stored in filesystem and protected by a PIN, or stored (registered) -in the TPM chip flash. -@anchor{tpmtool user} -@subsubheading user option - -This is the ``any registered key will be a user key'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -must appear in combination with the following options: -register. -@item -must not appear in combination with any of the following options: -system. -@end itemize - -The generated key will be stored in a user specific persistent storage. -@anchor{tpmtool system} -@subsubheading system option - -This is the ``any registred key will be a system key'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -must appear in combination with the following options: -register. -@item -must not appear in combination with any of the following options: -user. -@end itemize - -The generated key will be stored in system persistent storage. -@anchor{tpmtool sec-param} -@subsubheading sec-param option - -This is the ``specify the security level [low, legacy, normal, high, ultra].'' option. -This option takes a string argument @file{Security parameter}. -This is alternative to the bits option. Note however that the -values allowed by the TPM chip are quantized and given values may be rounded up. -@anchor{tpmtool inder} -@subsubheading inder option - -This is the ``use the der format for keys.'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-inder. -@end itemize - -The input files will be assumed to be in the portable -DER format of TPM. The default format is a custom format used by various -TPM tools -@anchor{tpmtool outder} -@subsubheading outder option - -This is the ``use der format for output keys'' option. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -can be disabled with --no-outder. -@end itemize - -The output will be in the TPM portable DER format. -@anchor{tpmtool exit status} -@subsubheading tpmtool exit status - -One of the following exit values will be returned: -@table @samp -@item 0 (EXIT_SUCCESS) -Successful program execution. -@item 1 (EXIT_FAILURE) -The operation failed or the command syntax was not valid. -@end table -@anchor{tpmtool See Also} -@subsubheading tpmtool See Also - p11tool (1), certtool (1) -@anchor{tpmtool Examples} -@subsubheading tpmtool Examples -To generate a key that is to be stored in filesystem use: -@example -$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem -@end example - -To generate a key that is to be stored in TPM's flash use: -@example -$ tpmtool --generate-rsa --bits 2048 --register --user -@end example - -To get the public key of a TPM key use: -@example -$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \ - --outfile pubkey.pem -@end example - -or if the key is stored in the filesystem: -@example -$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem -@end example - -To list all keys stored in TPM use: -@example -$ tpmtool --list -@end example