doc/gnutls.vrs
doc/gnutls.xml
doc/ia-api.texi
-doc/invoke-*.menu
doc/invoke-*.texi
doc/latex/cha-tokens.tex
doc/latex/cha-upgrade.tex
-include $(top_srcdir)/doc/doc.mk
-invoke-gnutls-cli.texi: $(top_srcdir)/src/cli-args.def
- PATH="$(top_builddir)/src/$(PATH_SEPARATOR)$${PATH}$(PATH_SEPARATOR)" $(AUTOGEN) -L$(top_builddir)/src -Tagtexi-cmd.tpl $<; \
- if [ ! -e $@ ]; then \
- cp $(srcdir)/$@ .; \
- fi; \
- $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
- mv -f $@.tmp $@
-
-invoke-gnutls-cli-debug.texi: $(top_srcdir)/src/cli-debug-args.def invoke-gnutls-cli.texi
- PATH="$(top_builddir)/src/$(PATH_SEPARATOR)$${PATH}$(PATH_SEPARATOR)" $(AUTOGEN) -L$(top_builddir)/src -Tagtexi-cmd.tpl $<; \
- if [ ! -e $@ ]; then \
- cp $(srcdir)/$@ .; \
- fi; \
- $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
- mv -f $@.tmp $@
-
-invoke-gnutls-serv.texi: $(top_srcdir)/src/serv-args.def invoke-gnutls-cli-debug.texi
- PATH="$(top_builddir)/src/$(PATH_SEPARATOR)$${PATH}$(PATH_SEPARATOR)" $(AUTOGEN) -L$(top_builddir)/src -Tagtexi-cmd.tpl $<; \
- if [ ! -e $@ ]; then \
- cp $(srcdir)/$@ .; \
- fi; \
- $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
- mv -f $@.tmp $@
-
-invoke-certtool.texi: $(top_srcdir)/src/certtool-args.def invoke-gnutls-serv.texi
- PATH="$(top_builddir)/src/$(PATH_SEPARATOR)$${PATH}$(PATH_SEPARATOR)" $(AUTOGEN) -L$(top_builddir)/src -Tagtexi-cmd.tpl $<; \
- if [ ! -e $@ ]; then \
- cp $(srcdir)/$@ .; \
- fi; \
- $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
- rm -f $@ && \
- $(SED) -e 's/@subheading/@subsubheading/g' \
- -e 's/@section/@subsection/g' $@.tmp > $@ && \
- rm -f $@.tmp
-
-invoke-ocsptool.texi: $(top_srcdir)/src/ocsptool-args.def invoke-certtool.texi
- PATH="$(top_builddir)/src/$(PATH_SEPARATOR)$${PATH}$(PATH_SEPARATOR)" $(AUTOGEN) -L$(top_builddir)/src -Tagtexi-cmd.tpl $<; \
- if [ ! -e $@ ]; then \
- cp $(srcdir)/$@ .; \
- fi; \
- $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
- rm -f $@ && \
- $(SED) -e 's/@subheading/@subsubheading/g' \
- -e 's/@section/@subsection/g' $@.tmp > $@ && \
- rm -f $@.tmp
-
-invoke-danetool.texi: $(top_srcdir)/src/danetool-args.def invoke-ocsptool.texi
- PATH="$(top_builddir)/src/$(PATH_SEPARATOR)$${PATH}$(PATH_SEPARATOR)" $(AUTOGEN) -L$(top_builddir)/src -Tagtexi-cmd.tpl $<; \
- if [ ! -e $@ ]; then \
- cp $(srcdir)/$@ .; \
- fi; \
- $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
- rm -f $@ && \
- $(SED) -e 's/@subheading/@subsubheading/g' \
- -e 's/@section/@subsection/g' $@.tmp > $@ && \
- rm -f $@.tmp
-
-invoke-srptool.texi: $(top_srcdir)/src/srptool-args.def invoke-danetool.texi
- PATH="$(top_builddir)/src/$(PATH_SEPARATOR)$${PATH}$(PATH_SEPARATOR)" $(AUTOGEN) -L$(top_builddir)/src -Tagtexi-cmd.tpl $<; \
- if [ ! -e $@ ]; then \
- cp $(srcdir)/$@ .; \
- fi; \
- $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
- rm -f $@ && \
- $(SED) -e 's/@subheading/@subsubheading/g' \
- -e 's/@section/@subsubsection/g' $@.tmp > $@ && \
- rm -f $@.tmp
-
-invoke-psktool.texi: $(top_srcdir)/src/psktool-args.def invoke-srptool.texi
- PATH="$(top_builddir)/src/$(PATH_SEPARATOR)$${PATH}$(PATH_SEPARATOR)" $(AUTOGEN) -L$(top_builddir)/src -Tagtexi-cmd.tpl $<; \
- if [ ! -e $@ ]; then \
- cp $(srcdir)/$@ .; \
- fi; \
- $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
- rm -f $@ && \
- $(SED) -e 's/@subheading/@subsubheading/g' \
- -e 's/@section/@subsubsection/g' $@.tmp > $@ && \
- rm -f $@.tmp
-
-invoke-p11tool.texi: $(top_srcdir)/src/p11tool-args.def invoke-psktool.texi
- PATH="$(top_builddir)/src/$(PATH_SEPARATOR)$${PATH}$(PATH_SEPARATOR)" $(AUTOGEN) -L$(top_builddir)/src -Tagtexi-cmd.tpl $<; \
- if [ ! -e $@ ]; then \
- cp $(srcdir)/$@ .; \
- fi; \
- $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
- rm -f $@ && \
- $(SED) \
- -e 's/@subsection/@subsubheading/g' \
- -e 's/@section/@subsection/g' $@.tmp > $@ && \
- rm -f $@.tmp
-
-invoke-tpmtool.texi: $(top_srcdir)/src/tpmtool-args.def invoke-p11tool.texi
- PATH="$(top_builddir)/src/$(PATH_SEPARATOR)$${PATH}$(PATH_SEPARATOR)" $(AUTOGEN) -L$(top_builddir)/src -Tagtexi-cmd.tpl $<; \
- if [ ! -e $@ ]; then \
- cp $(srcdir)/$@ .; \
- fi; \
- $(srcdir)/scripts/cleanup-autogen.pl < $@ > $@.tmp && \
- rm -f $@ && \
- $(SED) \
- -e 's/@subsection/@subsubheading/g' \
- -e 's/@section/@subsection/g' $@.tmp > $@ && \
- rm -f $@.tmp
+INVOKE_GNUTLS_CLI_TEXI_DEPS = gnutls-cli-see-also.texi gnutls-cli-examples.texi
+EXTRA_DIST += $(INVOKE_GNUTLS_CLI_TEXI_DEPS)
+invoke-gnutls-cli.texi: $(INVOKE_GNUTLS_CLI_TEXI_DEPS)
+invoke-gnutls-cli.texi: $(top_srcdir)/src/gnutls-cli-options.json
+ $(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
+ $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
+ --see-also $(srcdir)/gnutls-cli-see-also.texi \
+ --examples $(srcdir)/gnutls-cli-examples.texi \
+ $< $@
+
+INVOKE_GNUTLS_CLI_DEBUG_TEXI_DEPS = gnutls-cli-debug-see-also.texi gnutls-cli-debug-examples.texi
+EXTRA_DIST += $(INVOKE_GNUTLS_CLI_DEBUG_TEXI_DEPS)
+invoke-gnutls-cli-debug.texi: $(INVOKE_GNUTLS_CLI_DEBUG_TEXI_DEPS)
+invoke-gnutls-cli-debug.texi: $(top_srcdir)/src/gnutls-cli-debug-options.json
+ $(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
+ $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
+ --see-also $(srcdir)/gnutls-cli-debug-see-also.texi \
+ --examples $(srcdir)/gnutls-cli-debug-examples.texi \
+ $< $@
+
+INVOKE_GNUTLS_SERV_TEXI_DEPS = gnutls-serv-see-also.texi gnutls-serv-examples.texi
+EXTRA_DIST += $(INVOKE_GNUTLS_SERV_TEXI_DEPS)
+invoke-gnutls-serv.texi: $(INVOKE_GNUTLS_SERV_TEXI_DEPS)
+invoke-gnutls-serv.texi: $(top_srcdir)/src/gnutls-serv-options.json
+ $(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
+ $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
+ --see-also $(srcdir)/gnutls-serv-see-also.texi \
+ --examples $(srcdir)/gnutls-serv-examples.texi \
+ $< $@
+
+INVOKE_CERTTOOL_TEXI_DEPS = certtool-see-also.texi certtool-examples.texi certtool-files.texi
+EXTRA_DIST += $(INVOKE_CERTTOOL_TEXI_DEPS)
+invoke-certtool.texi: $(INVOKE_CERTTOOL_TEXI_DEPS)
+invoke-certtool.texi: $(top_srcdir)/src/certtool-options.json
+ $(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
+ $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
+ --see-also $(srcdir)/certtool-see-also.texi \
+ --examples $(srcdir)/certtool-examples.texi \
+ --files $(srcdir)/certtool-files.texi \
+ --level 1 \
+ --section-node \
+ $< $@
+
+INVOKE_OCSPTOOL_TEXI_DEPS = ocsptool-see-also.texi ocsptool-examples.texi ocsptool-description.texi
+EXTRA_DIST += $(INVOKE_OCSPTOOL_TEXI_DEPS)
+invoke-ocsptool.texi: $(INVOKE_OCSPTOOL_TEXI_DEPS)
+invoke-ocsptool.texi: $(top_srcdir)/src/ocsptool-options.json
+ $(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
+ $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
+ --see-also $(srcdir)/ocsptool-see-also.texi \
+ --examples $(srcdir)/ocsptool-examples.texi \
+ --description $(srcdir)/ocsptool-description.texi \
+ --level 1 \
+ --section-node \
+ $< $@
+
+INVOKE_DANETOOL_TEXI_DEPS = danetool-see-also.texi danetool-examples.texi
+EXTRA_DIST += $(INVOKE_DANETOOL_TEXI_DEPS)
+invoke-danetool.texi: $(INVOKE_DANETOOL_TEXI_DEPS)
+invoke-danetool.texi: $(top_srcdir)/src/danetool-options.json
+ $(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
+ $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
+ --see-also $(srcdir)/danetool-see-also.texi \
+ --examples $(srcdir)/danetool-examples.texi \
+ --level 1 \
+ --section-node \
+ $< $@
+
+INVOKE_SRPTOOL_TEXI_DEPS = srptool-see-also.texi srptool-examples.texi
+EXTRA_DIST += $(INVOKE_SRPTOOL_TEXI_DEPS)
+invoke-srptool.texi: $(INVOKE_SRPTOOL_TEXI_DEPS)
+invoke-srptool.texi: $(top_srcdir)/src/srptool-options.json
+ $(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
+ $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
+ --see-also $(srcdir)/srptool-see-also.texi \
+ --examples $(srcdir)/srptool-examples.texi \
+ --level 2 \
+ --section-node \
+ $< $@
+
+INVOKE_PSKTOOL_TEXI_DEPS = psktool-see-also.texi psktool-examples.texi
+EXTRA_DIST += $(INVOKE_PSKTOOL_TEXI_DEPS)
+invoke-psktool.texi: $(INVOKE_PSKTOOL_TEXI_DEPS)
+invoke-psktool.texi: $(top_srcdir)/src/psktool-options.json
+ $(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
+ $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
+ --see-also $(srcdir)/psktool-see-also.texi \
+ --examples $(srcdir)/psktool-examples.texi \
+ --level 2 \
+ --section-node \
+ $< $@
+
+INVOKE_P11TOOL_TEXI_DEPS = p11tool-see-also.texi p11tool-examples.texi
+EXTRA_DIST += $(INVOKE_P11TOOL_TEXI_DEPS)
+invoke-p11tool.texi: $(INVOKE_P11TOOL_TEXI_DEPS)
+invoke-p11tool.texi: $(top_srcdir)/src/p11tool-options.json
+ $(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
+ $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
+ --see-also $(srcdir)/p11tool-see-also.texi \
+ --examples $(srcdir)/p11tool-examples.texi \
+ --level 1 \
+ --section-node \
+ $< $@
+
+INVOKE_TPMTOOL_TEXI_DEPS = tpmtool-see-also.texi tpmtool-examples.texi
+EXTRA_DIST += $(INVOKE_TPMTOOL_TEXI_DEPS)
+invoke-tpmtool.texi: $(INVOKE_TPMTOOL_TEXI_DEPS)
+invoke-tpmtool.texi: $(top_srcdir)/src/tpmtool-options.json
+ $(AM_V_GEN) PYTHONPATH='$(top_srcdir)/python' \
+ $(PYTHON) $(srcdir)/scripts/gen-cmd-texi.py \
+ --see-also $(srcdir)/tpmtool-see-also.texi \
+ --examples $(srcdir)/tpmtool-examples.texi \
+ --level 1 \
+ --section-node \
+ $< $@
info_TEXINFOS = gnutls.texi gnutls-guile.texi
invoke-ocsptool.texi invoke-psktool.texi invoke-p11tool.texi \
invoke-tpmtool.texi invoke-danetool.texi
+$(AUTOGENED_DOC): $(srcdir)/scripts/gen-cmd-texi.py
+
gnutls_TEXINFOS += stamp_functions
# Examples.
--- /dev/null
+@subheading Generating private keys
+To create an RSA private key, run:
+@example
+$ certtool --generate-privkey --outfile key.pem --rsa
+@end example
+
+To create a DSA or elliptic curves (ECDSA) private key use the
+above command combined with 'dsa' or 'ecc' options.
+
+@subheading Generating certificate requests
+To create a certificate request (needed when the certificate is issued by
+another party), run:
+@example
+certtool --generate-request --load-privkey key.pem \
+ --outfile request.pem
+@end example
+
+If the private key is stored in a smart card you can generate
+a request by specifying the private key object URL.
+@example
+$ ./certtool --generate-request --load-privkey "pkcs11:..." \
+ --load-pubkey "pkcs11:..." --outfile request.pem
+@end example
+
+
+@subheading Generating a self-signed certificate
+To create a self signed certificate, use the command:
+@example
+$ certtool --generate-privkey --outfile ca-key.pem
+$ certtool --generate-self-signed --load-privkey ca-key.pem \
+ --outfile ca-cert.pem
+@end example
+
+Note that a self-signed certificate usually belongs to a certificate
+authority, that signs other certificates.
+
+@subheading Generating a certificate
+To generate a certificate using the previous request, use the command:
+@example
+$ certtool --generate-certificate --load-request request.pem \
+ --outfile cert.pem --load-ca-certificate ca-cert.pem \
+ --load-ca-privkey ca-key.pem
+@end example
+
+To generate a certificate using the private key only, use the command:
+@example
+$ certtool --generate-certificate --load-privkey key.pem \
+ --outfile cert.pem --load-ca-certificate ca-cert.pem \
+ --load-ca-privkey ca-key.pem
+@end example
+
+@subheading Certificate information
+To view the certificate information, use:
+@example
+$ certtool --certificate-info --infile cert.pem
+@end example
+
+@subheading Changing the certificate format
+To convert the certificate from PEM to DER format, use:
+@example
+$ certtool --certificate-info --infile cert.pem --outder --outfile cert.der
+@end example
+
+@subheading PKCS #12 structure generation
+To generate a PKCS #12 structure using the previous key and certificate,
+use the command:
+@example
+$ certtool --load-certificate cert.pem --load-privkey key.pem \
+ --to-p12 --outder --outfile key.p12
+@end example
+
+Some tools (reportedly web browsers) have problems with that file
+because it does not contain the CA certificate for the certificate.
+To work around that problem in the tool, you can use the
+--load-ca-certificate parameter as follows:
+
+@example
+$ certtool --load-ca-certificate ca.pem \
+ --load-certificate cert.pem --load-privkey key.pem \
+ --to-p12 --outder --outfile key.p12
+@end example
+
+@subheading Obtaining Diffie-Hellman parameters
+To obtain the RFC7919 parameters for Diffie-Hellman key exchange, use the command:
+@example
+$ certtool --get-dh-params --outfile dh.pem --sec-param medium
+@end example
+
+@subheading Verifying a certificate
+To verify a certificate in a file against the system's CA trust store
+use the following command:
+@example
+$ certtool --verify --infile cert.pem
+@end example
+
+It is also possible to simulate hostname verification with the following
+options:
+@example
+$ certtool --verify --verify-hostname www.example.com --infile cert.pem
+@end example
+
+
+@subheading Proxy certificate generation
+Proxy certificate can be used to delegate your credential to a
+temporary, typically short-lived, certificate. To create one from the
+previously created certificate, first create a temporary key and then
+generate a proxy certificate for it, using the commands:
+
+@example
+$ certtool --generate-privkey > proxy-key.pem
+$ certtool --generate-proxy --load-ca-privkey key.pem \
+ --load-privkey proxy-key.pem --load-certificate cert.pem \
+ --outfile proxy-cert.pem
+@end example
+
+@subheading Certificate revocation list generation
+To create an empty Certificate Revocation List (CRL) do:
+
+@example
+$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
+ --load-ca-certificate x509-ca.pem
+@end example
+
+To create a CRL that contains some revoked certificates, place the
+certificates in a file and use @code{--load-certificate} as follows:
+
+@example
+$ certtool --generate-crl --load-ca-privkey x509-ca-key.pem \
+ --load-ca-certificate x509-ca.pem --load-certificate revoked-certs.pem
+@end example
+
+To verify a Certificate Revocation List (CRL) do:
+
+@example
+$ certtool --verify-crl --load-ca-certificate x509-ca.pem < crl.pem
+@end example
--- /dev/null
+@subheading Certtool's template file format
+A template file can be used to avoid the interactive questions of
+certtool. Initially create a file named 'cert.cfg' that contains the information
+about the certificate. The template can be used as below:
+
+@example
+$ certtool --generate-certificate --load-privkey key.pem \
+ --template cert.cfg --outfile cert.pem \
+ --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem
+@end example
+
+An example certtool template file that can be used to generate a certificate
+request or a self signed certificate follows.
+
+@example
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Koko inc."
+
+# The organizational unit of the subject.
+unit = "sleeping dept."
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = GR
+
+# The common name of the certificate owner.
+cn = "Cindy Lauper"
+
+# A user id of the certificate owner.
+#uid = "clauper"
+
+# Set domain components
+#dc = "name"
+#dc = "domain"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+#dn_oid = "2.5.4.12 Dr."
+#dn_oid = "2.5.4.65 jackal"
+
+# This is deprecated and should not be used in new
+# certificates.
+# pkcs9_email = "none@@none.org"
+
+# An alternative way to set the certificate's distinguished name directly
+# is with the "dn" option. The attribute names allowed are:
+# C (country), street, O (organization), OU (unit), title, CN (common name),
+# L (locality), ST (state), placeOfBirth, gender, countryOfCitizenship,
+# countryOfResidence, serialNumber, telephoneNumber, surName, initials,
+# generationQualifier, givenName, pseudonym, dnQualifier, postalCode, name,
+# businessCategory, DC, UID, jurisdictionOfIncorporationLocalityName,
+# jurisdictionOfIncorporationStateOrProvinceName,
+# jurisdictionOfIncorporationCountryName, XmppAddr, and numeric OIDs.
+
+#dn = "cn = Nikos,st = New\, Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"
+
+# The serial number of the certificate
+# The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
+# Comment the field for a random serial number.
+serial = 007
+
+# In how many days, counting from today, this certificate will expire.
+# Use -1 if there is no expiration date.
+expiration_days = 700
+
+# Alternatively you may set concrete dates and time. The GNU date string
+# formats are accepted. See:
+# https://www.gnu.org/software/tar/manual/html_node/Date-input-formats.html
+
+#activation_date = "2004-02-29 16:21:42"
+#expiration_date = "2025-02-29 16:24:41"
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+#dns_name = "www.none.org"
+#dns_name = "www.morethanone.org"
+
+# An othername defined by an OID and a hex encoded string
+#other_name = "1.3.6.1.5.2.2 302ca00d1b0b56414e5245494e2e4f5247a11b3019a006020400000002a10f300d1b047269636b1b0561646d696e"
+#other_name_utf8 = "1.2.4.5.6 A UTF8 string"
+#other_name_octet = "1.2.4.5.6 A string that will be encoded as ASN.1 octet string"
+
+# Allows writing an XmppAddr Identifier
+#xmpp_name = juliet@@im.example.com
+
+# Names used in PKINIT
+#krb5_principal = user@@REALM.COM
+#krb5_principal = HTTP/user@@REALM.COM
+
+# A subject alternative name URI
+#uri = "https://www.example.com"
+
+# An IP address in case of a server.
+#ip_address = "192.168.1.1"
+
+# An email in case of a person
+email = "none@@none.org"
+
+# TLS feature (rfc7633) extension. That can is used to indicate mandatory TLS
+# extension features to be provided by the server. In practice this is used
+# to require the Status Request (extid: 5) extension from the server. That is,
+# to require the server holding this certificate to provide a stapled OCSP response.
+# You can have multiple lines for multiple TLS features.
+
+# To ask for OCSP status request use:
+#tls_feature = 5
+
+# Challenge password used in certificate requests
+challenge_password = 123456
+
+# Password when encrypting a private key
+#password = secret
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+#crl_dist_points = "https://www.getcrl.crl/getcrl/"
+
+# Whether this is a CA certificate or not
+#ca
+
+# Subject Unique ID (in hex)
+#subject_unique_id = 00153224
+
+# Issuer Unique ID (in hex)
+#issuer_unique_id = 00153225
+
+#### Key usage
+
+# The following key usage flags are used by CAs and end certificates
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites). This is the digitalSignature flag
+# in RFC5280 terminology.
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing. This is the keyEncipherment flag
+# in RFC5280 terminology.
+encryption_key
+
+# Whether this key will be used to sign other certificates. The
+# keyCertSign flag in RFC5280 terminology.
+#cert_signing_key
+
+# Whether this key will be used to sign CRLs. The
+# cRLSign flag in RFC5280 terminology.
+#crl_signing_key
+
+# The keyAgreement flag of RFC5280. Its purpose is loosely
+# defined. Not use it unless required by a protocol.
+#key_agreement
+
+# The dataEncipherment flag of RFC5280. Its purpose is loosely
+# defined. Not use it unless required by a protocol.
+#data_encipherment
+
+# The nonRepudiation flag of RFC5280. Its purpose is loosely
+# defined. Not use it unless required by a protocol.
+#non_repudiation
+
+#### Extended key usage (key purposes)
+
+# The following extensions are used in an end certificate
+# to clarify its purpose. Some CAs also use it to indicate
+# the types of certificates they are purposed to sign.
+
+
+# Whether this certificate will be used for a TLS client;
+# this sets the id-kp-clientAuth (1.3.6.1.5.5.7.3.2) of
+# extended key usage.
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server;
+# this sets the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) of
+# extended key usage.
+#tls_www_server
+
+# Whether this key will be used to sign code. This sets the
+# id-kp-codeSigning (1.3.6.1.5.5.7.3.3) of extended key usage
+# extension.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data. This sets the
+# id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) of extended key usage extension.
+#ocsp_signing_key
+
+# Whether this key will be used for time stamping. This sets the
+# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) of extended key usage extension.
+#time_stamping_key
+
+# Whether this key will be used for email protection. This sets the
+# id-kp-emailProtection (1.3.6.1.5.5.7.3.4) of extended key usage extension.
+#email_protection_key
+
+# Whether this key will be used for IPsec IKE operations (1.3.6.1.5.5.7.3.17).
+#ipsec_ike_key
+
+## adding custom key purpose OIDs
+
+# for microsoft smart card logon
+# key_purpose_oid = 1.3.6.1.4.1.311.20.2.2
+
+# for email protection
+# key_purpose_oid = 1.3.6.1.5.5.7.3.4
+
+# for any purpose (must not be used in intermediate CA certificates)
+# key_purpose_oid = 2.5.29.37.0
+
+### end of key purpose OIDs
+
+### Adding arbitrary extensions
+# This requires to provide the extension OIDs, as well as the extension data in
+# hex format. The following two options are available since GnuTLS 3.5.3.
+#add_extension = "1.2.3.4 0x0AAB01ACFE"
+
+# As above but encode the data as an octet string
+#add_extension = "1.2.3.4 octet_string(0x0AAB01ACFE)"
+
+# For portability critical extensions shouldn't be set to certificates.
+#add_critical_extension = "5.6.7.8 0x1AAB01ACFE"
+
+# When generating a certificate from a certificate
+# request, then honor the extensions stored in the request
+# and store them in the real certificate.
+#honor_crq_extensions
+
+# Alternatively only specific extensions can be copied.
+#honor_crq_ext = 2.5.29.17
+#honor_crq_ext = 2.5.29.15
+
+# Path length constraint. Sets the maximum number of
+# certificates that can be used to certify this certificate.
+# (i.e. the certificate chain length)
+#path_len = -1
+#path_len = 2
+
+# OCSP URI
+# ocsp_uri = https://my.ocsp.server/ocsp
+
+# CA issuers URI
+# ca_issuers_uri = https://my.ca.issuer
+
+# Certificate policies
+#policy1 = 1.3.6.1.4.1.5484.1.10.99.1.0
+#policy1_txt = "This is a long policy to summarize"
+#policy1_url = https://www.example.com/a-policy-to-read
+
+#policy2 = 1.3.6.1.4.1.5484.1.10.99.1.1
+#policy2_txt = "This is a short policy"
+#policy2_url = https://www.example.com/another-policy-to-read
+
+# The number of additional certificates that may appear in a
+# path before the anyPolicy is no longer acceptable.
+#inhibit_anypolicy_skip_certs 1
+
+# Name constraints
+
+# DNS
+#nc_permit_dns = example.com
+#nc_exclude_dns = test.example.com
+
+# EMAIL
+#nc_permit_email = "nmav@@ex.net"
+
+# Exclude subdomains of example.com
+#nc_exclude_email = .example.com
+
+# Exclude all e-mail addresses of example.com
+#nc_exclude_email = example.com
+
+# IP
+#nc_permit_ip = 192.168.0.0/16
+#nc_exclude_ip = 192.168.5.0/24
+#nc_permit_ip = fc0a:eef2:e7e7:a56e::/64
+
+
+# Options for proxy certificates
+#proxy_policy_language = 1.3.6.1.5.5.7.21.1
+
+
+# Options for generating a CRL
+
+# The number of days the next CRL update will be due.
+# next CRL update will be in 43 days
+#crl_next_update = 43
+
+# this is the 5th CRL by this CA
+# The value is in decimal (i.e. 1963) or hex (i.e. 0x07ab).
+# Comment the field for a time-based number.
+# Time-based CRL numbers generated in GnuTLS 3.6.3 and later
+# are significantly larger than those generated in previous
+# versions. Since CRL numbers need to be monotonic, you need
+# to specify the CRL number here manually if you intend to
+# downgrade to an earlier version than 3.6.3 after publishing
+# the CRL as it is not possible to specify CRL numbers greater
+# than 2**63-2 using hex notation in those versions.
+#crl_number = 5
+
+# Specify the update dates more precisely.
+#crl_this_update_date = "2004-02-29 16:21:42"
+#crl_next_update_date = "2025-02-29 16:24:41"
+
+# The date that the certificates will be made seen as
+# being revoked.
+#crl_revocation_date = "2025-02-29 16:24:41"
+
+@end example
+
--- /dev/null
+ p11tool (1), psktool (1), srptool (1)
--- /dev/null
+@subheading DANE TLSA RR generation
+
+To create a DANE TLSA resource record for a certificate (or public key)
+that was issued localy and may or may not be signed by a CA use the following command.
+@example
+$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem
+@end example
+
+To create a DANE TLSA resource record for a CA signed certificate, which will
+be marked as such use the following command.
+@example
+$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
+ --no-domain
+@end example
+
+The former is useful to add in your DNS entry even if your certificate is signed
+by a CA. That way even users who do not trust your CA will be able to verify your
+certificate using DANE.
+
+In order to create a record for the CA signer of your certificate use the following.
+@example
+$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
+ --ca --no-domain
+@end example
+
+To read a server's DANE TLSA entry, use:
+@example
+$ danetool --check www.example.com --proto tcp --port 443
+@end example
+
+To verify an HTTPS server's DANE TLSA entry, use:
+@example
+$ danetool --check www.example.com --proto tcp --port 443 --load-certificate chain.pem
+@end example
+
+To verify an SMTP server's DANE TLSA entry, use:
+@example
+$ danetool --check www.example.com --proto tcp --starttls-proto=smtp --load-certificate chain.pem
+@end example
--- /dev/null
+ certtool (1)
--- /dev/null
+@example
+$ gnutls-cli-debug localhost
+GnuTLS debug client 3.5.0
+Checking localhost:443
+ for SSL 3.0 (RFC6101) support... yes
+ whether we need to disable TLS 1.2... no
+ whether we need to disable TLS 1.1... no
+ whether we need to disable TLS 1.0... no
+ whether %NO_EXTENSIONS is required... no
+ whether %COMPAT is required... no
+ for TLS 1.0 (RFC2246) support... yes
+ for TLS 1.1 (RFC4346) support... yes
+ for TLS 1.2 (RFC5246) support... yes
+ fallback from TLS 1.6 to... TLS1.2
+ for RFC7507 inappropriate fallback... yes
+ for HTTPS server name... Local
+ for certificate chain order... sorted
+ for safe renegotiation (RFC5746) support... yes
+ for Safe renegotiation support (SCSV)... no
+ for encrypt-then-MAC (RFC7366) support... no
+ for ext master secret (RFC7627) support... no
+ for heartbeat (RFC6520) support... no
+ for version rollback bug in RSA PMS... dunno
+ for version rollback bug in Client Hello... no
+ whether the server ignores the RSA PMS version... yes
+whether small records (512 bytes) are tolerated on handshake... yes
+ whether cipher suites not in SSL 3.0 spec are accepted... yes
+whether a bogus TLS record version in the client hello is accepted... yes
+ whether the server understands TLS closure alerts... partially
+ whether the server supports session resumption... yes
+ for anonymous authentication support... no
+ for ephemeral Diffie-Hellman support... no
+ for ephemeral EC Diffie-Hellman support... yes
+ ephemeral EC Diffie-Hellman group info... SECP256R1
+ for AES-128-GCM cipher (RFC5288) support... yes
+ for AES-128-CCM cipher (RFC6655) support... no
+ for AES-128-CCM-8 cipher (RFC6655) support... no
+ for AES-128-CBC cipher (RFC3268) support... yes
+ for CAMELLIA-128-GCM cipher (RFC6367) support... no
+ for CAMELLIA-128-CBC cipher (RFC5932) support... no
+ for 3DES-CBC cipher (RFC2246) support... yes
+ for ARCFOUR 128 cipher (RFC2246) support... yes
+ for MD5 MAC support... yes
+ for SHA1 MAC support... yes
+ for SHA256 MAC support... yes
+ for ZLIB compression support... no
+ for max record size (RFC6066) support... no
+ for OCSP status response (RFC6066) support... no
+ for OpenPGP authentication (RFC6091) support... no
+@end example
+
+You could also use the client to debug services with starttls capability.
+@example
+$ gnutls-cli-debug --starttls-proto smtp --port 25 localhost
+@end example
+
--- /dev/null
+gnutls-cli(1), gnutls-serv(1)
--- /dev/null
+@subheading Connecting using PSK authentication
+To connect to a server using PSK authentication, you need to enable the choice of PSK by using a cipher priority parameter such as in the example below.
+@example
+$ ./gnutls-cli -p 5556 localhost --pskusername psk_identity \
+ --pskkey 88f3824b3e5659f52d00e959bacab954b6540344 \
+ --priority NORMAL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK
+Resolving 'localhost'...
+Connecting to '127.0.0.1:5556'...
+- PSK authentication.
+- Version: TLS1.1
+- Key Exchange: PSK
+- Cipher: AES-128-CBC
+- MAC: SHA1
+- Compression: NULL
+- Handshake was completed
+
+- Simple Client Mode:
+@end example
+By keeping the --pskusername parameter and removing the --pskkey parameter, it will query only for the password during the handshake.
+
+@subheading Connecting using raw public-key authentication
+To connect to a server using raw public-key authentication, you need to enable the option to negotiate raw public-keys via the priority strings such as in the example below.
+@example
+$ ./gnutls-cli -p 5556 localhost --priority NORMAL:-CTYPE-CLI-ALL:+CTYPE-CLI-RAWPK \
+ --rawpkkeyfile cli.key.pem \
+ --rawpkfile cli.rawpk.pem
+Processed 1 client raw public key pair...
+Resolving 'localhost'...
+Connecting to '127.0.0.1:5556'...
+- Successfully sent 1 certificate(s) to server.
+- Server has requested a certificate.
+- Certificate type: X.509
+- Got a certificate list of 1 certificates.
+- Certificate[0] info:
+ - skipped
+- Description: (TLS1.3-Raw Public Key-X.509)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
+- Options:
+- Handshake was completed
+
+- Simple Client Mode:
+@end example
+
+@subheading Connecting to STARTTLS services
+
+You could also use the client to connect to services with starttls capability.
+@example
+$ gnutls-cli --starttls-proto smtp --port 25 localhost
+@end example
+
+@subheading Listing ciphersuites in a priority string
+To list the ciphersuites in a priority string:
+@example
+$ ./gnutls-cli --priority SECURE192 -l
+Cipher suites for SECURE192
+TLS_ECDHE_ECDSA_AES_256_CBC_SHA384 0xc0, 0x24 TLS1.2
+TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2e TLS1.2
+TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
+TLS_DHE_RSA_AES_256_CBC_SHA256 0x00, 0x6b TLS1.2
+TLS_DHE_DSS_AES_256_CBC_SHA256 0x00, 0x6a TLS1.2
+TLS_RSA_AES_256_CBC_SHA256 0x00, 0x3d TLS1.2
+
+Certificate types: CTYPE-X.509
+Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0, VERS-SSL3.0, VERS-DTLS1.0
+Compression: COMP-NULL
+Elliptic curves: CURVE-SECP384R1, CURVE-SECP521R1
+PK-signatures: SIGN-RSA-SHA384, SIGN-ECDSA-SHA384, SIGN-RSA-SHA512, SIGN-ECDSA-SHA512
+@end example
+
+@subheading Connecting using a PKCS #11 token
+To connect to a server using a certificate and a private key present in a PKCS #11 token you
+need to substitute the PKCS 11 URLs in the x509certfile and x509keyfile parameters.
+
+Those can be found using "p11tool --list-tokens" and then listing all the objects in the
+needed token, and using the appropriate.
+@example
+$ p11tool --list-tokens
+
+Token 0:
+ URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test
+ Label: Test
+ Manufacturer: EnterSafe
+ Model: PKCS15
+ Serial: 1234
+
+$ p11tool --login --list-certs "pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test"
+
+Object 0:
+ URL: pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=cert
+ Type: X.509 Certificate
+ Label: client
+ ID: 2a:97:0d:58:d1:51:3c:23:07:ae:4e:0d:72:26:03:7d:99:06:02:6a
+
+$ MYCERT="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=cert"
+$ MYKEY="pkcs11:model=PKCS15;manufacturer=MyMan;serial=1234;token=Test;object=client;type=private"
+$ export MYCERT MYKEY
+
+$ gnutls-cli www.example.com --x509keyfile $MYKEY --x509certfile $MYCERT
+@end example
+Notice that the private key only differs from the certificate in the type.
--- /dev/null
+gnutls-cli-debug(1), gnutls-serv(1)
--- /dev/null
+Running your own TLS server based on GnuTLS can be useful when
+debugging clients and/or GnuTLS itself. This section describes how to
+use @code{gnutls-serv} as a simple HTTPS server.
+
+The most basic server can be started as:
+
+@example
+gnutls-serv --http --priority "NORMAL:+ANON-ECDH:+ANON-DH"
+@end example
+
+It will only support anonymous ciphersuites, which many TLS clients
+refuse to use.
+
+The next step is to add support for X.509. First we generate a CA:
+
+@example
+$ certtool --generate-privkey > x509-ca-key.pem
+$ echo 'cn = GnuTLS test CA' > ca.tmpl
+$ echo 'ca' >> ca.tmpl
+$ echo 'cert_signing_key' >> ca.tmpl
+$ certtool --generate-self-signed --load-privkey x509-ca-key.pem \
+ --template ca.tmpl --outfile x509-ca.pem
+@end example
+
+Then generate a server certificate. Remember to change the dns_name
+value to the name of your server host, or skip that command to avoid
+the field.
+
+@example
+$ certtool --generate-privkey > x509-server-key.pem
+$ echo 'organization = GnuTLS test server' > server.tmpl
+$ echo 'cn = test.gnutls.org' >> server.tmpl
+$ echo 'tls_www_server' >> server.tmpl
+$ echo 'encryption_key' >> server.tmpl
+$ echo 'signing_key' >> server.tmpl
+$ echo 'dns_name = test.gnutls.org' >> server.tmpl
+$ certtool --generate-certificate --load-privkey x509-server-key.pem \
+ --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
+ --template server.tmpl --outfile x509-server.pem
+@end example
+
+For use in the client, you may want to generate a client certificate
+as well.
+
+@example
+$ certtool --generate-privkey > x509-client-key.pem
+$ echo 'cn = GnuTLS test client' > client.tmpl
+$ echo 'tls_www_client' >> client.tmpl
+$ echo 'encryption_key' >> client.tmpl
+$ echo 'signing_key' >> client.tmpl
+$ certtool --generate-certificate --load-privkey x509-client-key.pem \
+ --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
+ --template client.tmpl --outfile x509-client.pem
+@end example
+
+To be able to import the client key/certificate into some
+applications, you will need to convert them into a PKCS#12 structure.
+This also encrypts the security sensitive key with a password.
+
+@example
+$ certtool --to-p12 --load-ca-certificate x509-ca.pem \
+ --load-privkey x509-client-key.pem --load-certificate x509-client.pem \
+ --outder --outfile x509-client.p12
+@end example
+
+For icing, we'll create a proxy certificate for the client too.
+
+@example
+$ certtool --generate-privkey > x509-proxy-key.pem
+$ echo 'cn = GnuTLS test client proxy' > proxy.tmpl
+$ certtool --generate-proxy --load-privkey x509-proxy-key.pem \
+ --load-ca-certificate x509-client.pem --load-ca-privkey x509-client-key.pem \
+ --load-certificate x509-client.pem --template proxy.tmpl \
+ --outfile x509-proxy.pem
+@end example
+
+Then start the server again:
+
+@example
+$ gnutls-serv --http \
+ --x509cafile x509-ca.pem \
+ --x509keyfile x509-server-key.pem \
+ --x509certfile x509-server.pem
+@end example
+
+Try connecting to the server using your web browser. Note that the
+server listens to port 5556 by default.
+
+While you are at it, to allow connections using ECDSA, you can also
+create a ECDSA key and certificate for the server. These credentials
+will be used in the final example below.
+
+@example
+$ certtool --generate-privkey --ecdsa > x509-server-key-ecc.pem
+$ certtool --generate-certificate --load-privkey x509-server-key-ecc.pem \
+ --load-ca-certificate x509-ca.pem --load-ca-privkey x509-ca-key.pem \
+ --template server.tmpl --outfile x509-server-ecc.pem
+@end example
+
+
+The next step is to add support for SRP authentication. This requires
+an SRP password file created with @code{srptool}.
+To start the server with SRP support:
+
+@example
+gnutls-serv --http --priority NORMAL:+SRP-RSA:+SRP \
+ --srppasswdconf srp-tpasswd.conf \
+ --srppasswd srp-passwd.txt
+@end example
+
+Let's also start a server with support for PSK. This would require
+a password file created with @code{psktool}.
+
+@example
+gnutls-serv --http --priority NORMAL:+ECDHE-PSK:+PSK \
+ --pskpasswd psk-passwd.txt
+@end example
+
+If you want a server with support for raw public-keys we can also add these
+credentials. Note however that there is no identity information linked to these
+keys as is the case with regular x509 certificates. Authentication must be done
+via different means. Also we need to explicitly enable raw public-key certificates
+via the priority strings.
+
+@example
+gnutls-serv --http --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
+ --rawpkfile srv.rawpk.pem \
+ --rawpkkeyfile srv.key.pem
+@end example
+
+
+Finally, we start the server with all the earlier parameters and you
+get this command:
+
+@example
+gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
+ --x509cafile x509-ca.pem \
+ --x509keyfile x509-server-key.pem \
+ --x509certfile x509-server.pem \
+ --x509keyfile x509-server-key-ecc.pem \
+ --x509certfile x509-server-ecc.pem \
+ --srppasswdconf srp-tpasswd.conf \
+ --srppasswd srp-passwd.txt \
+ --pskpasswd psk-passwd.txt \
+ --rawpkfile srv.rawpk.pem \
+ --rawpkkeyfile srv.key.pem
+@end example
--- /dev/null
+gnutls-cli-debug(1), gnutls-cli(1)
--- /dev/null
+@subheading On verification
+Responses are typically signed/issued by designated certificates or
+certificate authorities and thus this tool requires on verification
+the certificate of the issuer or the full certificate chain in order to
+determine the appropriate signing authority. The specified certificate
+of the issuer is assumed trusted.
--- /dev/null
+@subheading Print information about an OCSP request
+
+To parse an OCSP request and print information about the content, the
+@code{-i} or @code{--request-info} parameter may be used as follows.
+The @code{-Q} parameter specify the name of the file containing the
+OCSP request, and it should contain the OCSP request in binary DER
+format.
+
+@example
+$ ocsptool -i -Q ocsp-request.der
+@end example
+
+The input file may also be sent to standard input like this:
+
+@example
+$ cat ocsp-request.der | ocsptool --request-info
+@end example
+
+@subheading Print information about an OCSP response
+
+Similar to parsing OCSP requests, OCSP responses can be parsed using
+the @code{-j} or @code{--response-info} as follows.
+
+@example
+$ ocsptool -j -Q ocsp-response.der
+$ cat ocsp-response.der | ocsptool --response-info
+@end example
+
+@subheading Generate an OCSP request
+
+The @code{-q} or @code{--generate-request} parameters are used to
+generate an OCSP request. By default the OCSP request is written to
+standard output in binary DER format, but can be stored in a file
+using @code{--outfile}. To generate an OCSP request the issuer of the
+certificate to check needs to be specified with @code{--load-issuer}
+and the certificate to check with @code{--load-cert}. By default PEM
+format is used for these files, although @code{--inder} can be used to
+specify that the input files are in DER format.
+
+@example
+$ ocsptool -q --load-issuer issuer.pem --load-cert client.pem \
+ --outfile ocsp-request.der
+@end example
+
+When generating OCSP requests, the tool will add an OCSP extension
+containing a nonce. This behaviour can be disabled by specifying
+@code{--no-nonce}.
+
+@subheading Verify signature in OCSP response
+
+To verify the signature in an OCSP response the @code{-e} or
+@code{--verify-response} parameter is used. The tool will read an
+OCSP response in DER format from standard input, or from the file
+specified by @code{--load-response}. The OCSP response is verified
+against a set of trust anchors, which are specified using
+@code{--load-trust}. The trust anchors are concatenated certificates
+in PEM format. The certificate that signed the OCSP response needs to
+be in the set of trust anchors, or the issuer of the signer
+certificate needs to be in the set of trust anchors and the OCSP
+Extended Key Usage bit has to be asserted in the signer certificate.
+
+@example
+$ ocsptool -e --load-trust issuer.pem \
+ --load-response ocsp-response.der
+@end example
+
+The tool will print status of verification.
+
+@subheading Verify signature in OCSP response against given certificate
+
+It is possible to override the normal trust logic if you know that a
+certain certificate is supposed to have signed the OCSP response, and
+you want to use it to check the signature. This is achieved using
+@code{--load-signer} instead of @code{--load-trust}. This will load
+one certificate and it will be used to verify the signature in the
+OCSP response. It will not check the Extended Key Usage bit.
+
+@example
+$ ocsptool -e --load-signer ocsp-signer.pem \
+ --load-response ocsp-response.der
+@end example
+
+This approach is normally only relevant in two situations. The first
+is when the OCSP response does not contain a copy of the signer
+certificate, so the @code{--load-trust} code would fail. The second
+is if you want to avoid the indirect mode where the OCSP response
+signer certificate is signed by a trust anchor.
+
+@subheading Real-world example
+
+Here is an example of how to generate an OCSP request for a
+certificate and to verify the response. For illustration we'll use
+the @code{blog.josefsson.org} host, which (as of writing) uses a
+certificate from CACert. First we'll use @code{gnutls-cli} to get a
+copy of the server certificate chain. The server is not required to
+send this information, but this particular one is configured to do so.
+
+@example
+$ echo | gnutls-cli -p 443 blog.josefsson.org --save-cert chain.pem
+@end example
+
+The saved certificates normally contain a pointer to where the OCSP
+responder is located, in the Authority Information Access Information
+extension. For example, from @code{certtool -i < chain.pem} there is
+this information:
+
+@example
+ Authority Information Access Information (not critical):
+ Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
+ Access Location URI: https://ocsp.CAcert.org/
+@end example
+
+This means that ocsptool can discover the servers to contact over HTTP.
+We can now request information on the chain certificates.
+
+@example
+$ ocsptool --ask --load-chain chain.pem
+@end example
+
+The request is sent via HTTP to the OCSP server address found in
+the certificates. It is possible to override the address of the
+OCSP server as well as ask information on a particular certificate
+using --load-cert and --load-issuer.
+
+@example
+$ ocsptool --ask https://ocsp.CAcert.org/ --load-chain chain.pem
+@end example
+
--- /dev/null
+ certtool (1)
--- /dev/null
+To view all tokens in your system use:
+@example
+$ p11tool --list-tokens
+@end example
+
+To view all objects in a token use:
+@example
+$ p11tool --login --list-all "pkcs11:TOKEN-URL"
+@end example
+
+To store a private key and a certificate in a token run:
+@example
+$ p11tool --login --write "pkcs11:URL" --load-privkey key.pem \
+ --label "Mykey"
+$ p11tool --login --write "pkcs11:URL" --load-certificate cert.pem \
+ --label "Mykey"
+@end example
+Note that some tokens require the same label to be used for the certificate
+and its corresponding private key.
+
+To generate an RSA private key inside the token use:
+@example
+$ p11tool --login --generate-privkey rsa --bits 1024 --label "MyNewKey" \
+ --outfile MyNewKey.pub "pkcs11:TOKEN-URL"
+@end example
+The bits parameter in the above example is explicitly set because some
+tokens only support limited choices in the bit length. The output file is the
+corresponding public key. This key can be used to general a certificate
+request with certtool.
+@example
+certtool --generate-request --load-privkey "pkcs11:KEY-URL" \
+ --load-pubkey MyNewKey.pub --outfile request.pem
+@end example
+
--- /dev/null
+ certtool (1)
--- /dev/null
+To add a user 'psk_identity' in @file{keys.psk} for use with GnuTLS run:
+@example
+$ ./psktool -u psk_identity -p keys.psk
+Generating a random key for user 'psk_identity'
+Key stored to keys.psk
+$ cat keys.psk
+psk_identity:88f3824b3e5659f52d00e959bacab954b6540344
+$
+@end example
+
+This command will create @file{keys.psk} if it does not exist
+and will add user 'psk_identity'.
--- /dev/null
+ gnutls-cli-debug (1), gnutls-serv (1), srptool (1), certtool (1)
# along with this file; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-EXTRA_DIST = gdoc sort2.pl split-texi.pl cleanup-autogen.pl getfuncs.pl getfuncs-map.pl
+EXTRA_DIST = gdoc sort2.pl split-texi.pl getfuncs.pl getfuncs-map.pl gen-cmd-texi.py
+++ /dev/null
-#!/usr/bin/perl
-
-# Copyright (C) 2012 Free Software Foundation, Inc.
-#
-# This file is part of GnuTLS.
-#
-# This file is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This file is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this file; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-my $line;
-my $init = 0;
-my $menu = 0;
-my $i = 0;
-
-while ($line = <>) {
-
- if ($line =~ /\@node (.*)/) {
- if ($init == 0) {
- $init = 1;
- } else {
- print "\@anchor\{$1\}\n";
- next;
- }
- }
-
- if ($line =~ /\@menu/) {
- $menu = 1;
- next;
- }
-
- if ($line =~ /\@end menu/) {
- $menu = 0;
- next;
- }
-
- next if ($menu != 0);
-
- if ($line =~ /\@subsection\s(.*)/) {
- $line = "\@subheading $1\n";
- }
-
- if ($line =~ /\@cindex\s(.*)/) {
- if ($line !~ /help/) {
- next;
- }
- }
-
- if ($line =~ /^Please send bug reports.*/) {
- next;
- }
-
- print $line;
- $i++;
-}
-
-if ($i < 2) {
- exit 1;
-}
-
-exit 0;
--- /dev/null
+#!/usr/bin/python
+# Copyright (C) 2021 Daiki Ueno
+
+# This file is part of GnuTLS.
+
+# GnuTLS is free software: you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# GnuTLS is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+# <https://www.gnu.org/licenses/>.
+
+from typing import Mapping, Sequence, TextIO
+import io
+import jsonopts
+
+HEADINGS = ['@heading', '@subheading', '@subsubheading']
+
+
+def get_heading(level: int) -> str:
+ return HEADINGS[min(level, len(HEADINGS)-1)]
+
+
+SECTIONS = ['@section', '@subsection', '@subsubsection']
+
+
+def get_section(level: int) -> str:
+ return SECTIONS[min(level, len(SECTIONS)-1)]
+
+
+def shift_headings(s: str, level: int) -> str:
+ for (i, h) in reversed(list(enumerate(HEADINGS))):
+ r = get_heading(level+i)
+ s = s.replace(h, r)
+ return s
+
+
+def gen_option_docs(meta: Mapping[str, str],
+ level: int,
+ options: Sequence[Mapping[str, str]]) -> str:
+ prog_name = meta['prog-name']
+ docs = io.StringIO()
+ for option in options:
+ long_opt = option['long-option']
+ short_opt = option.get('short-option')
+ detail = option.get('detail')
+ desc = option.get('desc')
+ alias = option.get('aliases')
+ if alias:
+ docs.write(f'''\
+{get_heading(level+1)} {long_opt} option.
+@anchor{{{prog_name} {long_opt}}}
+
+This is an alias for the @code{{{alias}}} option,
+@pxref{{{prog_name} {alias}, the {alias} option documentation}}.
+
+''')
+ continue
+
+ if not detail or not desc:
+ continue
+ if short_opt:
+ docs.write(
+ f'{get_heading(level+1)} {long_opt} option (-{short_opt}).\n'
+ )
+ else:
+ docs.write(f'{get_heading(level+1)} {long_opt} option.\n')
+ docs.write(f'''\
+@anchor{{{prog_name} {long_opt}}}
+
+This is the ``{desc.lower()}'' option.
+''')
+ arg_type = option.get('arg-type')
+ if arg_type:
+ arg_name = option.get('arg-name')
+ if arg_name:
+ docs.write((
+ f'This option takes a {arg_type} argument '
+ f'@file{{{arg_name}}}.\n'
+ ))
+ else:
+ docs.write(f'This option takes a {arg_type} argument.\n')
+
+ conflict_opts = option.get('conflicts', '').split()
+ require_opts = option.get('requires', '').split()
+ disable_prefix = option.get('disable-prefix')
+ if len(conflict_opts) > 0 or len(require_opts) > 0 or \
+ ('enabled' in option):
+ docs.write('''
+@noindent
+This option has some usage constraints. It:
+@itemize @bullet
+''')
+ if len(conflict_opts) > 0:
+ docs.write(f'''\
+@item
+must not appear in combination with any of the following options:
+{', '.join(conflict_opts)}.
+''')
+ if len(require_opts) > 0:
+ docs.write(f'''\
+@item
+must appear in combination with the following options:
+{', '.join(require_opts)}.
+''')
+ if disable_prefix:
+ docs.write(f'''\
+@item
+can be disabled with --{disable_prefix}{long_opt}.
+''')
+ if 'enabled' in option:
+ docs.write('''\
+@item
+It is enabled by default.
+''')
+ docs.write('@end itemize\n\n')
+
+ docs.write(f'''\
+{detail}
+''')
+ if 'deprecated' in option:
+ docs.write('\n@strong{NOTE}@strong{: THIS OPTION IS DEPRECATED}\n')
+
+ return docs.getvalue()
+
+
+LABELS = {
+ 'see-also': 'See Also',
+ 'examples': 'Examples',
+ 'files': 'Files'
+}
+
+
+def include(meta: Mapping[str, str],
+ level: int,
+ name: str,
+ includes: Mapping[str, TextIO]) -> str:
+ prog_name = meta['prog-name']
+ docs = io.StringIO()
+ f = includes.get(name)
+ if f:
+ docs.write(f'''\
+@anchor{{{prog_name} {LABELS[name]}}}
+{get_heading(level+2)} {prog_name} {LABELS[name]}
+{shift_headings(f.read(), level)}\
+''')
+ return docs.getvalue()
+
+
+def escape_texi(s: str) -> str:
+ for c in ['@', '{', '}']:
+ s = s.replace(c, f'@{c}')
+ return s
+
+
+def gen(infile: TextIO,
+ level: int,
+ section_node: bool,
+ includes: Mapping[str, TextIO],
+ texi: TextIO):
+ sections = [jsonopts.Section.from_json(section)
+ for section in json.load(args.json)]
+ sections.append(jsonopts.Section.default())
+
+ prog_name = sections[0].meta['prog-name']
+ description = includes.get('description')
+ if description:
+ detail = description.read()
+ else:
+ detail = sections[0].meta['detail']
+
+ section_docs = io.StringIO()
+ for section in sections:
+ section_id = section.meta.get('id', '')
+ if section_id:
+ section_desc = section.meta['desc']
+ option_docs = gen_option_docs(sections[0].meta, level+1,
+ section.options)
+ section_docs.write(f'''\
+@anchor{{{prog_name} {section_id}}}
+{get_heading(level+1)} {section_id} options
+{section_desc if section_desc.endswith('.') else section_desc + '.'}
+{option_docs}\
+''')
+ else:
+ section_docs.write(gen_option_docs(sections[0].meta, level,
+ section.options))
+
+ heading = get_section(level) if section_node else get_heading(level)
+ texi.write(f'''\
+@node {prog_name} Invocation
+{heading} Invoking {prog_name}
+@pindex {prog_name}
+
+{detail}
+
+@anchor{{{prog_name} usage}}
+{get_heading(level+1)} {prog_name} help/usage (@option{{-?}})
+@cindex {prog_name} help
+
+The text printed is the same whether selected with the @code{{help}} option
+(@option{{--help}}) or the @code{{more-help}} option \
+(@option{{--more-help}}). @code{{more-help}} will print
+the usage text by passing it through a pager program.
+@code{{more-help}} is disabled on platforms without a working
+@code{{fork(2)}} function. The @code{{PAGER}} environment variable is
+used to select the program, defaulting to @file{{more}}. Both will exit
+with a status code of 0.
+
+@exampleindent 0
+@example
+{escape_texi(jsonopts.usage(sections[0].meta, sections))}
+@end example
+@exampleindent 4
+
+{section_docs.getvalue()}\
+@anchor{{{prog_name} exit status}}
+{get_heading(level+1)} {prog_name} exit status
+
+One of the following exit values will be returned:
+@table @samp
+@item 0 (EXIT_SUCCESS)
+Successful program execution.
+@item 1 (EXIT_FAILURE)
+The operation failed or the command syntax was not valid.
+@end table
+''')
+ if 'see-also' in includes:
+ texi.write(include(sections[0].meta, level, 'see-also', includes))
+ if 'examples' in includes:
+ texi.write(include(sections[0].meta, level, 'examples', includes))
+ if 'files' in includes:
+ texi.write(include(sections[0].meta, level, 'files', includes))
+
+
+if __name__ == '__main__':
+ import argparse
+ import json
+
+ parser = argparse.ArgumentParser(description='generate texinfo')
+ parser.add_argument('json', type=argparse.FileType('r'))
+ parser.add_argument('texi', type=argparse.FileType('w'))
+ parser.add_argument('--description', type=argparse.FileType('r'))
+ parser.add_argument('--see-also', type=argparse.FileType('r'))
+ parser.add_argument('--examples', type=argparse.FileType('r'))
+ parser.add_argument('--files', type=argparse.FileType('r'))
+ parser.add_argument('--level', type=int, default=0)
+ parser.add_argument('--section-node', action='store_true')
+
+ args = parser.parse_args()
+ includes = dict()
+ if args.see_also:
+ includes['see-also'] = args.see_also
+ if args.examples:
+ includes['examples'] = args.examples
+ if args.files:
+ includes['files'] = args.files
+ if args.description:
+ includes['description'] = args.description
+ gen(args.json, args.level, args.section_node, includes, args.texi)
--- /dev/null
+To create @file{tpasswd.conf} which holds the g and n values for SRP protocol
+(generator and a large prime), run:
+@example
+$ srptool --create-conf /etc/tpasswd.conf
+@end example
+
+This command will create @file{/etc/tpasswd} and will add user 'test' (you
+will also be prompted for a password). Verifiers are stored by default
+in the way libsrp expects.
+@example
+$ srptool --passwd /etc/tpasswd --passwd-conf /etc/tpasswd.conf -u test
+@end example
+
+
+This command will check against a password. If the password matches
+the one in @file{/etc/tpasswd} you will get an ok.
+@example
+$ srptool --passwd /etc/tpasswd --passwd\-conf /etc/tpasswd.conf --verify -u test
+@end example
--- /dev/null
+ gnutls-cli-debug (1), gnutls-serv (1), srptool (1), psktool (1), certtool (1)
--- /dev/null
+ p11tool (1), certtool (1)
--- /dev/null
+To generate a key that is to be stored in file system use:
+@example
+$ tpmtool --generate-rsa --bits 2048 --outfile tpmkey.pem
+@end example
+
+To generate a key that is to be stored in TPM's flash use:
+@example
+$ tpmtool --generate-rsa --bits 2048 --register --user
+@end example
+
+To get the public key of a TPM key use:
+@example
+$ tpmtool --pubkey tpmkey:uuid=58ad734b-bde6-45c7-89d8-756a55ad1891;storage=user \
+ --outfile pubkey.pem
+@end example
+
+or if the key is stored in the file system:
+@example
+$ tpmtool --pubkey tpmkey:file=tmpkey.pem --outfile pubkey.pem
+@end example
+
+To list all keys stored in TPM use:
+@example
+$ tpmtool --list
+@end example
--- /dev/null
+ p11tool (1), certtool (1)
projects / thirdparty / gnutls.git / commitdiff
