summaryrefslogtreecommitdiffstats
path: root/src/p11tool-options.json
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 07:33:12 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 07:33:12 +0000
commit36082a2fe36ecd800d784ae44c14f1f18c66a7e9 (patch)
tree6c68e0c0097987aff85a01dabddd34b862309a7c /src/p11tool-options.json
parentInitial commit. (diff)
downloadgnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.tar.xz
gnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.zip
Adding upstream version 3.7.9.upstream/3.7.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--src/p11tool-options.json441
1 files changed, 441 insertions, 0 deletions
diff --git a/src/p11tool-options.json b/src/p11tool-options.json
new file mode 100644
index 0000000..28ef2fc
--- /dev/null
+++ b/src/p11tool-options.json
@@ -0,0 +1,441 @@
+{
+ "format-version": "0.1.0",
+ "tool": {
+ "name": "p11tool",
+ "title": "GnuTLS PKCS #11 tool",
+ "description": "Program to handle PKCS #11 smart cards and security modules.\n",
+ "detail": "Program that allows operations on PKCS #11 smart cards\nand security modules. \n\nTo use PKCS #11 tokens with GnuTLS the p11-kit configuration files need to be setup.\nThat is create a .module file in /etc/pkcs11/modules with the contents 'module: /path/to/pkcs11.so'.\nAlternatively the configuration file /etc/gnutls/pkcs11.conf has to exist and contain a number\nof lines of the form 'load=/usr/lib/opensc-pkcs11.so'.\n\nYou can provide the PIN to be used for the PKCS #11 operations with the environment variables\nGNUTLS_PIN and GNUTLS_SO_PIN.\n",
+ "short-usage": "p11tool [options] [url]\np11tool --help for usage instructions.\n",
+ "argument": "[url]",
+ "reorder-arguments": true
+ },
+ "sections": [
+ {
+ "options": []
+ },
+ {
+ "ref": "token-related-options",
+ "description": "Tokens",
+ "options": [
+ {
+ "long-option": "list-tokens",
+ "description": "List all available tokens"
+ },
+ {
+ "long-option": "list-token-urls",
+ "description": "List the URLs available tokens",
+ "detail": "This is a more compact version of --list-tokens."
+ },
+ {
+ "long-option": "list-mechanisms",
+ "description": "List all available mechanisms in a token"
+ },
+ {
+ "long-option": "initialize",
+ "description": "Initializes a PKCS #11 token"
+ },
+ {
+ "long-option": "initialize-pin",
+ "description": "Initializes/Resets a PKCS #11 token user PIN"
+ },
+ {
+ "long-option": "initialize-so-pin",
+ "description": "Initializes/Resets a PKCS #11 token security officer PIN",
+ "detail": "This initializes the security officer's PIN. When used non-interactively use the GNUTLS_NEW_SO_PIN\nenvironment variables to initialize SO's PIN."
+ },
+ {
+ "long-option": "set-pin",
+ "description": "Specify the PIN to use on token operations",
+ "detail": "Alternatively the GNUTLS_PIN environment variable may be used.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "set-so-pin",
+ "description": "Specify the Security Officer's PIN to use on token initialization",
+ "detail": "Alternatively the GNUTLS_SO_PIN environment variable may be used.",
+ "argument-type": "string"
+ }
+ ]
+ },
+ {
+ "ref": "object-list-related-options",
+ "description": "Object listing",
+ "options": [
+ {
+ "long-option": "list-all",
+ "description": "List all available objects in a token",
+ "detail": "All objects available in the token will be listed. That includes\nobjects which are potentially unaccessible using this tool."
+ },
+ {
+ "long-option": "list-all-certs",
+ "description": "List all available certificates in a token",
+ "detail": "That option will also provide more information on the\ncertificates, for example, expand the attached extensions in a trust\ntoken (like p11-kit-trust)."
+ },
+ {
+ "long-option": "list-certs",
+ "description": "List all certificates that have an associated private key",
+ "detail": "That option will only display certificates which have a private\nkey associated with them (share the same ID)."
+ },
+ {
+ "long-option": "list-all-privkeys",
+ "description": "List all available private keys in a token",
+ "detail": "Lists all the private keys in a token that match the specified URL."
+ },
+ {
+ "long-option": "list-privkeys",
+ "aliases": "list-all-privkeys"
+ },
+ {
+ "long-option": "list-keys",
+ "aliases": "list-all-privkeys"
+ },
+ {
+ "long-option": "list-all-trusted",
+ "description": "List all available certificates marked as trusted"
+ },
+ {
+ "long-option": "export",
+ "description": "Export the object specified by the URL",
+ "conflicts": [
+ "export-stapled",
+ "export-chain",
+ "export-pubkey"
+ ]
+ },
+ {
+ "long-option": "export-stapled",
+ "description": "Export the certificate object specified by the URL",
+ "detail": "Exports the certificate specified by the URL while including any attached extensions to it.\nSince attached extensions are a p11-kit extension, this option is only\navailable on p11-kit registered trust modules.",
+ "conflicts": [
+ "export",
+ "export-chain",
+ "export-pubkey"
+ ]
+ },
+ {
+ "long-option": "export-chain",
+ "description": "Export the certificate specified by the URL and its chain of trust",
+ "detail": "Exports the certificate specified by the URL and generates its chain of trust based on the stored certificates in the module.",
+ "conflicts": [
+ "export-stapled",
+ "export",
+ "export-pubkey"
+ ]
+ },
+ {
+ "long-option": "export-pubkey",
+ "description": "Export the public key for a private key",
+ "detail": "Exports the public key for the specified private key",
+ "conflicts": [
+ "export-stapled",
+ "export",
+ "export-chain"
+ ]
+ },
+ {
+ "long-option": "info",
+ "description": "List information on an available object in a token"
+ },
+ {
+ "long-option": "trusted",
+ "aliases": "mark-trusted"
+ },
+ {
+ "long-option": "distrusted",
+ "aliases": "mark-distrusted"
+ }
+ ]
+ },
+ {
+ "ref": "keygen-related-options",
+ "description": "Key generation",
+ "options": [
+ {
+ "long-option": "generate-privkey",
+ "description": "Generate private-public key pair of given type",
+ "detail": "Generates a private-public key pair in the specified token.\nAcceptable types are RSA, ECDSA, Ed25519, and DSA. Should be combined with --sec-param or --bits.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "generate-rsa",
+ "description": "Generate an RSA private-public key pair",
+ "detail": "Generates an RSA private-public key pair on the specified token.\nShould be combined with --sec-param or --bits.",
+ "deprecated": true
+ },
+ {
+ "long-option": "generate-dsa",
+ "description": "Generate a DSA private-public key pair",
+ "detail": "Generates a DSA private-public key pair on the specified token.\nShould be combined with --sec-param or --bits.",
+ "deprecated": true
+ },
+ {
+ "long-option": "generate-ecc",
+ "description": "Generate an ECDSA private-public key pair",
+ "detail": "Generates an ECDSA private-public key pair on the specified token.\nShould be combined with --curve, --sec-param or --bits.",
+ "deprecated": true
+ },
+ {
+ "long-option": "bits",
+ "description": "Specify the number of bits for the key generate",
+ "detail": "For applications which have no key-size restrictions the\n--sec-param option is recommended, as the sec-param levels will adapt\nto the acceptable security levels with the new versions of gnutls.",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "curve",
+ "description": "Specify the curve used for EC key generation",
+ "detail": "Supported values are secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "sec-param",
+ "description": "Specify the security level",
+ "detail": "This is alternative to the bits option. Available options are [low, legacy, medium, high, ultra].",
+ "argument-type": "string",
+ "argument-name": "Security parameter"
+ }
+ ]
+ },
+ {
+ "ref": "write-object-related-options",
+ "description": "Writing objects",
+ "options": [
+ {
+ "long-option": "set-id",
+ "description": "Set the CKA_ID (in hex) for the specified by the URL object",
+ "detail": "Modifies or sets the CKA_ID in the specified by the URL object. The ID should be specified in hexadecimal format without a '0x' prefix.",
+ "conflicts": [
+ "write"
+ ],
+ "argument-type": "string"
+ },
+ {
+ "long-option": "set-label",
+ "description": "Set the CKA_LABEL for the specified by the URL object",
+ "detail": "Modifies or sets the CKA_LABEL in the specified by the URL object",
+ "conflicts": [
+ "write",
+ "set-id"
+ ],
+ "argument-type": "string"
+ },
+ {
+ "long-option": "write",
+ "description": "Writes the loaded objects to a PKCS #11 token",
+ "detail": "It can be used to write private, public keys, certificates or secret keys to a token. Must be combined with one of --load-privkey, --load-pubkey, --load-certificate option.\n\nWhen writing a certificate object, its CKA_ID is set to the same CKA_ID of the corresponding public key, if it exists on the token; otherwise it will be derived from the X.509 Subject Key Identifier of the certificate. If this behavior is undesired, write the public key to the token beforehand."
+ },
+ {
+ "long-option": "delete",
+ "description": "Deletes the objects matching the given PKCS #11 URL"
+ },
+ {
+ "long-option": "label",
+ "description": "Sets a label for the write operation",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "id",
+ "description": "Sets an ID for the write operation",
+ "detail": "Sets the CKA_ID to be set by the write operation. The ID should be specified in hexadecimal format without a '0x' prefix.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "mark-wrap",
+ "description": "Marks the generated key to be a wrapping key",
+ "detail": "Marks the generated key with the CKA_WRAP flag.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "mark-trusted",
+ "description": "Marks the object to be written as trusted",
+ "detail": "Marks the object to be generated/written with the CKA_TRUST flag.",
+ "conflicts": [
+ "mark-distrusted"
+ ],
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "mark-distrusted",
+ "description": "When retrieving objects, it requires the objects to be distrusted (blacklisted)",
+ "detail": "Ensures that the objects retrieved have the CKA_X_TRUST flag.\nThis is p11-kit trust module extension, thus this flag is only valid with\np11-kit registered trust modules.",
+ "conflicts": [
+ "mark-trusted"
+ ]
+ },
+ {
+ "long-option": "mark-decrypt",
+ "description": "Marks the object to be written for decryption",
+ "detail": "Marks the object to be generated/written with the CKA_DECRYPT flag set to true.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "mark-sign",
+ "description": "Marks the object to be written for signature generation",
+ "detail": "Marks the object to be generated/written with the CKA_SIGN flag set to true.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "mark-ca",
+ "description": "Marks the object to be written as a CA",
+ "detail": "Marks the object to be generated/written with the CKA_CERTIFICATE_CATEGORY as CA.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "mark-private",
+ "description": "Marks the object to be written as private",
+ "detail": "Marks the object to be generated/written with the CKA_PRIVATE flag. The written object will require a PIN to be used.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "ca",
+ "aliases": "mark-ca"
+ },
+ {
+ "long-option": "private",
+ "aliases": "mark-private"
+ },
+ {
+ "long-option": "mark-always-authenticate",
+ "description": "Marks the object to be written as always authenticate",
+ "detail": "Marks the object to be generated/written with the CKA_ALWAYS_AUTHENTICATE flag. The written object will Mark the object as requiring authentication (pin entry) before every operation.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "secret-key",
+ "description": "Provide a hex encoded secret key",
+ "detail": "This secret key will be written to the module if --write is specified.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "load-privkey",
+ "description": "Private key file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "load-pubkey",
+ "description": "Public key file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ },
+ {
+ "long-option": "load-certificate",
+ "description": "Certificate file to use",
+ "file-exists": true,
+ "argument-type": "file"
+ }
+ ]
+ },
+ {
+ "ref": "other-options",
+ "description": "Other options",
+ "options": [
+ {
+ "long-option": "debug",
+ "short-option": "d",
+ "description": "Enable debugging",
+ "detail": "Specifies the debug level.",
+ "argument-range": {
+ "min": 0,
+ "max": 9999
+ },
+ "argument-type": "number"
+ },
+ {
+ "long-option": "outfile",
+ "description": "Output file",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "login",
+ "description": "Force (user) login to token",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "so-login",
+ "description": "Force security officer login to token",
+ "detail": "Forces login to the token as security officer (admin).",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "admin-login",
+ "aliases": "so-login"
+ },
+ {
+ "long-option": "test-sign",
+ "description": "Tests the signature operation of the provided object",
+ "detail": "It can be used to test the correct operation of the signature operation.\nIf both a private and a public key are available this operation will sign and verify\nthe signed data."
+ },
+ {
+ "long-option": "sign-params",
+ "description": "Sign with a specific signature algorithm",
+ "detail": "This option can be combined with --test-sign, to sign with\na specific signature algorithm variant. The only option supported is 'RSA-PSS', and should be\nspecified in order to use RSA-PSS signature on RSA keys.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "hash",
+ "description": "Hash algorithm to use for signing",
+ "detail": "This option can be combined with test-sign. Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512, SHA3-224, SHA3-256, SHA3-384, SHA3-512.",
+ "argument-type": "string"
+ },
+ {
+ "long-option": "generate-random",
+ "description": "Generate random data",
+ "detail": "Asks the token to generate a number of bytes of random bytes.",
+ "argument-type": "number"
+ },
+ {
+ "long-option": "pkcs8",
+ "short-option": "8",
+ "description": "Use PKCS #8 format for private keys"
+ },
+ {
+ "long-option": "inder",
+ "description": "Use DER/RAW format for input",
+ "detail": "Use DER/RAW format for input certificates and private keys.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "inraw",
+ "aliases": "inder"
+ },
+ {
+ "long-option": "outder",
+ "description": "Use DER format for output certificates, private keys, and DH parameters",
+ "detail": "The output will be in DER or RAW format.",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "outraw",
+ "aliases": "outder"
+ },
+ {
+ "long-option": "provider",
+ "description": "Specify the PKCS #11 provider library",
+ "detail": "This will override the default options in /etc/gnutls/pkcs11.conf",
+ "argument-type": "file"
+ },
+ {
+ "long-option": "provider-opts",
+ "description": "Specify parameters for the PKCS #11 provider library",
+ "detail": "This is a PKCS#11 internal option used by few modules.\n Mainly for testing PKCS#11 modules.",
+ "deprecated": true,
+ "argument-type": "string"
+ },
+ {
+ "long-option": "detailed-url",
+ "description": "Print detailed URLs",
+ "disable-prefix": "no-"
+ },
+ {
+ "long-option": "only-urls",
+ "description": "Print a compact listing using only the URLs"
+ },
+ {
+ "long-option": "batch",
+ "description": "Disable all interaction with the tool",
+ "detail": "In batch mode there will be no prompts, all parameters need to be specified on command line."
+ }
+ ]
+ }
+ ]
+} \ No newline at end of file