xref: /freebsd/crypto/heimdal/lib/hx509/hxtool-commands.in (revision 1c05a6ea6b849ff95e539c31adea887c644a6a01)
1/*
2 * Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 *    notice, this list of conditions and the following disclaimer in the
15 *    documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33/* $Id$ */
34
35command = {
36	name = "cms-create-sd"
37	name = "cms-sign"
38	option = {
39		long = "certificate"
40		short = "c"
41		type = "strings"
42		argument = "certificate-store"
43		help = "certificate stores to pull certificates from"
44	}
45	option = {
46		long = "signer"
47		short = "s"
48		type = "string"
49		argument = "signer-friendly-name"
50		help = "certificate to sign with"
51	}
52	option = {
53		long = "anchors"
54		type = "strings"
55		argument = "certificate-store"
56		help = "trust anchors"
57	}
58	option = {
59		long = "pool"
60		type = "strings"
61		argument = "certificate-pool"
62		help = "certificate store to pull certificates from"
63	}
64	option = {
65		long = "pass"
66		type = "strings"
67		argument = "password"
68		help = "password, prompter, or environment"
69	}
70	option = {
71		long = "peer-alg"
72		type = "strings"
73		argument = "oid"
74		help = "oid that the peer support"
75	}
76	option = {
77		long = "content-type"
78		type = "string"
79		argument = "oid"
80		help = "content type oid"
81	}
82	option = {
83		long = "content-info"
84		type = "flag"
85		help = "wrapped out-data in a ContentInfo"
86	}
87	option = {
88		long = "pem"
89		type = "flag"
90		help = "wrap out-data in PEM armor"
91	}
92	option = {
93		long = "detached-signature"
94		type = "flag"
95		help = "create a detached signature"
96	}
97	option = {
98		long = "signer"
99		type = "-flag"
100		help = "do not sign"
101	}
102	option = {
103		long = "id-by-name"
104		type = "flag"
105		help = "use subject name for CMS Identifier"
106	}
107	option = {
108		long = "embedded-certs"
109		type = "-flag"
110		help = "dont embedded certficiates"
111	}
112	option = {
113		long = "embed-leaf-only"
114		type = "flag"
115		help = "only embed leaf certificate"
116	}
117	min_args="1"
118	max_args="2"
119	argument="in-file out-file"
120	help = "Wrap a file within a SignedData object"
121}
122command = {
123	name = "cms-verify-sd"
124	option = {
125		long = "anchors"
126		short = "D"
127		type = "strings"
128		argument = "certificate-store"
129		help = "trust anchors"
130	}
131	option = {
132		long = "certificate"
133		short = "c"
134		type = "strings"
135		argument = "certificate-store"
136		help = "certificate store to pull certificates from"
137	}
138	option = {
139		long = "pass"
140		type = "strings"
141		argument = "password"
142		help = "password, prompter, or environment"
143	}
144	option = {
145		long = "missing-revoke"
146		type = "flag"
147		help = "missing CRL/OCSP is ok"
148	}
149	option = {
150		long = "content-info"
151		type = "flag"
152		help = "unwrap in-data that's in a ContentInfo"
153	}
154	option = {
155		long = "pem"
156		type = "flag"
157		help = "unwrap in-data from PEM armor"
158	}
159	option = {
160		long = "signer-allowed"
161		type = "-flag"
162		help = "allow no signer"
163	}
164	option = {
165		long = "allow-wrong-oid"
166		type = "flag"
167		help = "allow wrong oid flag"
168	}
169	option = {
170		long = "signed-content"
171		type = "string"
172		help = "file containing content"
173	}
174	min_args="1"
175	max_args="2"
176	argument="in-file [out-file]"
177	help = "Verify a file within a SignedData object"
178}
179command = {
180	name = "cms-unenvelope"
181	option = {
182		long = "certificate"
183		short = "c"
184		type = "strings"
185		argument = "certificate-store"
186		help = "certificate used to decrypt the data"
187	}
188	option = {
189		long = "pass"
190		type = "strings"
191		argument = "password"
192		help = "password, prompter, or environment"
193	}
194	option = {
195		long = "content-info"
196		type = "flag"
197		help = "wrapped out-data in a ContentInfo"
198	}
199	option = {
200		long = "allow-weak-crypto"
201		type = "flag"
202		help = "allow weak crypto"
203	}
204	min_args="2"
205	argument="in-file out-file"
206	help = "Unenvelope a file containing a EnvelopedData object"
207}
208command = {
209	name = "cms-envelope"
210	function = "cms_create_enveloped"
211	option = {
212		long = "certificate"
213		short = "c"
214		type = "strings"
215		argument = "certificate-store"
216		help = "certificates used to receive the data"
217	}
218	option = {
219		long = "pass"
220		type = "strings"
221		argument = "password"
222		help = "password, prompter, or environment"
223	}
224	option = {
225		long = "encryption-type"
226		type = "string"
227		argument = "enctype"
228		help = "enctype"
229	}
230	option = {
231		long = "content-type"
232		type = "string"
233		argument = "oid"
234		help = "content type oid"
235	}
236	option = {
237		long = "content-info"
238		type = "flag"
239		help = "wrapped out-data in a ContentInfo"
240	}
241	option = {
242		long = "allow-weak-crypto"
243		type = "flag"
244		help = "allow weak crypto"
245	}
246	min_args="2"
247	argument="in-file out-file"
248	help = "Envelope a file containing a EnvelopedData object"
249}
250command = {
251	name = "verify"
252	function = "pcert_verify"
253	option = {
254		long = "pass"
255		type = "strings"
256		argument = "password"
257		help = "password, prompter, or environment"
258	}
259	option = {
260		long = "allow-proxy-certificate"
261		type = "flag"
262		help = "allow proxy certificates"
263	}
264	option = {
265		long = "missing-revoke"
266		type = "flag"
267		help = "missing CRL/OCSP is ok"
268	}
269	option = {
270		long = "time"
271		type = "string"
272		help = "time when to validate the chain"
273	}
274	option = {
275		long = "verbose"
276		short = "v"
277		type = "flag"
278		help = "verbose logging"
279	}
280	option = {
281		long = "max-depth"
282		type = "integer"
283		help = "maximum search length of certificate trust anchor"
284	}
285	option = {
286		long = "hostname"
287		type = "string"
288		help = "match hostname to certificate"
289	}
290	argument = "cert:foo chain:cert1 chain:cert2 anchor:anchor1 anchor:anchor2"
291	help = "Verify certificate chain"
292}
293command = {
294	name = "print"
295	function = "pcert_print"
296	option = {
297		long = "pass"
298		type = "strings"
299		argument = "password"
300		help = "password, prompter, or environment"
301	}
302	option = {
303		long = "content"
304		type = "flag"
305		help = "print the content of the certificates"
306	}
307	option = {
308		long = "never-fail"
309		type = "flag"
310		help = "never fail with an error code"
311	}
312	option = {
313		long = "info"
314		type = "flag"
315		help = "print the information about the certificate store"
316	}
317	min_args="1"
318	argument="certificate ..."
319	help = "Print certificates"
320}
321command = {
322	name = "validate"
323	function = "pcert_validate"
324	option = {
325		long = "pass"
326		type = "strings"
327		argument = "password"
328		help = "password, prompter, or environment"
329	}
330	min_args="1"
331	argument="certificate ..."
332	help = "Validate content of certificates"
333}
334command = {
335	name = "certificate-copy"
336	name = "cc"
337	option = {
338		long = "in-pass"
339		type = "strings"
340		argument = "password"
341		help = "password, prompter, or environment"
342	}
343	option = {
344		long = "out-pass"
345		type = "string"
346		argument = "password"
347		help = "password, prompter, or environment"
348	}
349	min_args="2"
350	argument="in-certificates-1 ... out-certificate"
351	help = "Copy in certificates stores into out certificate store"
352}
353command = {
354	name = "ocsp-fetch"
355	option = {
356		long = "pass"
357		type = "strings"
358		argument = "password"
359		help = "password, prompter, or environment"
360	}
361	option = {
362		long = "sign"
363		type = "string"
364		argument = "certificate"
365		help = "certificate use to sign the request"
366	}
367	option = {
368		long = "url-path"
369		type = "string"
370		argument = "url"
371		help = "part after host in url to put in the request"
372	}
373	option = {
374		long = "nonce"
375		type = "-flag"
376		default = "1"
377		help = "don't include nonce in request"
378	}
379	option = {
380		long = "pool"
381		type = "strings"
382		argument = "certificate-store"
383		help = "pool to find parent certificate in"
384	}
385	min_args="2"
386	argument="outfile certs ..."
387	help = "Fetch OCSP responses for the following certs"
388}
389command = {
390	option = {
391		long = "ocsp-file"
392		type = "string"
393		help = "OCSP file"
394	}
395	name = "ocsp-verify"
396	min_args="1"
397	argument="certificates ..."
398	help = "Check that certificates are in OCSP file and valid"
399}
400command = {
401	name = "ocsp-print"
402	option = {
403		long = "verbose"
404		type = "flag"
405		help = "verbose"
406	}
407	min_args="1"
408	argument="ocsp-response-file ..."
409	help = "Print the OCSP responses"
410}
411command = {
412	name = "request-create"
413	option = {
414		long = "subject"
415		type = "string"
416		help = "Subject DN"
417	}
418	option = {
419		long = "email"
420		type = "strings"
421		help = "Email address in SubjectAltName"
422	}
423	option = {
424		long = "dnsname"
425		type = "strings"
426		help = "Hostname or domainname in SubjectAltName"
427	}
428	option = {
429		long = "type"
430		type = "string"
431		help = "Type of request CRMF or PKCS10, defaults to PKCS10"
432	}
433	option = {
434		long = "key"
435		type = "string"
436		help = "Key-pair"
437	}
438	option = {
439		long = "generate-key"
440		type = "string"
441		help = "keytype"
442	}
443	option = {
444	        long = "key-bits"
445		type = "integer"
446		help = "number of bits in the generated key";
447	}
448	option = {
449		long = "verbose"
450		type = "flag"
451		help = "verbose status"
452	}
453	min_args="1"
454	max_args="1"
455	argument="output-file"
456	help = "Create a CRMF or PKCS10 request"
457}
458command = {
459	name = "request-print"
460	option = {
461		long = "verbose"
462		type = "flag"
463		help = "verbose printing"
464	}
465	min_args="1"
466	argument="requests ..."
467	help = "Print requests"
468}
469command = {
470	name = "query"
471	option = {
472		long = "exact"
473		type = "flag"
474		help = "exact match"
475	}
476	option = {
477		long = "private-key"
478		type = "flag"
479		help = "search for private key"
480	}
481	option = {
482		long = "friendlyname"
483		type = "string"
484		argument = "name"
485		help = "match on friendly name"
486	}
487	option = {
488		long = "eku"
489		type = "string"
490		argument = "oid-string"
491		help = "match on EKU"
492	}
493	option = {
494		long = "expr"
495		type = "string"
496		argument = "expression"
497		help = "match on expression"
498	}
499	option = {
500		long = "keyEncipherment"
501		type = "flag"
502		help = "match keyEncipherment certificates"
503	}
504	option = {
505		long = "digitalSignature"
506		type = "flag"
507		help = "match digitalSignature certificates"
508	}
509	option = {
510		long = "print"
511		type = "flag"
512		help = "print matches"
513	}
514	option = {
515		long = "pass"
516		type = "strings"
517		argument = "password"
518		help = "password, prompter, or environment"
519	}
520	min_args="1"
521	argument="certificates ..."
522	help = "Query the certificates for a match"
523}
524command = {
525	name = "info"
526}
527command = {
528	name = "random-data"
529	min_args="1"
530	argument="bytes"
531	help = "Generates random bytes and prints them to standard output"
532}
533command = {
534	option = {
535		long = "type"
536		type = "string"
537		help = "type of CMS algorithm"
538	}
539	name = "crypto-available"
540	min_args="0"
541	help = "Print available CMS crypto types"
542}
543command = {
544	option = {
545		long = "type"
546		type = "string"
547		help = "type of CMS algorithm"
548	}
549	option = {
550		long = "certificate"
551		type = "string"
552		help = "source certificate limiting the choices"
553	}
554	option = {
555		long = "peer-cmstype"
556		type = "strings"
557		help = "peer limiting cmstypes"
558	}
559	name = "crypto-select"
560	min_args="0"
561	help = "Print selected CMS type"
562}
563command = {
564	option = {
565		long = "decode"
566		short = "d"
567		type = "flag"
568		help = "decode instead of encode"
569	}
570	name = "hex"
571	function = "hxtool_hex"
572	min_args="0"
573	help = "Encode input to hex"
574}
575command = {
576	option = {
577		long = "issue-ca"
578		type = "flag"
579		help = "Issue a CA certificate"
580	}
581	option = {
582		long = "issue-proxy"
583		type = "flag"
584		help = "Issue a proxy certificate"
585	}
586	option = {
587		long = "domain-controller"
588		type = "flag"
589		help = "Issue a MS domaincontroller certificate"
590	}
591	option = {
592		long = "subject"
593		type = "string"
594		help = "Subject of issued certificate"
595	}
596	option = {
597		long = "ca-certificate"
598		type = "string"
599		help = "Issuing CA certificate"
600	}
601	option = {
602		long = "self-signed"
603		type = "flag"
604		help = "Issuing a self-signed certificate"
605	}
606	option = {
607		long = "ca-private-key"
608		type = "string"
609		help = "Private key for self-signed certificate"
610	}
611	option = {
612		long = "certificate"
613		type = "string"
614		help = "Issued certificate"
615	}
616	option = {
617		long = "type"
618		type = "strings"
619		help = "Types of certificate to issue (can be used more then once)"
620	}
621	option = {
622		long = "lifetime"
623		type = "string"
624		help = "Lifetime of certificate"
625	}
626	option = {
627		long = "serial-number"
628		type = "string"
629		help = "serial-number of certificate"
630	}
631	option = {
632		long = "path-length"
633		default = "-1"
634		type = "integer"
635		help = "Maximum path length (CA and proxy certificates), -1 no limit"
636	}
637	option = {
638		long = "hostname"
639		type = "strings"
640		help = "DNS names this certificate is allowed to serve"
641	}
642	option = {
643		long = "email"
644		type = "strings"
645		help = "email addresses assigned to this certificate"
646	}
647	option = {
648		long = "pk-init-principal"
649		type = "string"
650		help = "PK-INIT principal (for SAN)"
651	}
652	option = {
653		long = "ms-upn"
654		type = "string"
655		help = "Microsoft UPN (for SAN)"
656	}
657	option = {
658		long = "jid"
659		type = "string"
660		help = "XMPP jabber id (for SAN)"
661	}
662	option = {
663		long = "req"
664		type = "string"
665		help = "certificate request"
666	}
667	option = {
668		long = "certificate-private-key"
669		type = "string"
670		help = "private-key"
671	}
672	option = {
673		long = "generate-key"
674		type = "string"
675		help = "keytype"
676	}
677	option = {
678	        long = "key-bits"
679		type = "integer"
680		help = "number of bits in the generated key"
681	}
682	option = {
683	        long = "crl-uri"
684		type = "string"
685		help = "URI to CRL"
686	}
687	option = {
688		long = "template-certificate"
689		type = "string"
690		help = "certificate"
691	}
692	option = {
693		long = "template-fields"
694		type = "string"
695		help = "flag"
696	}
697	name = "certificate-sign"
698	name = "cert-sign"
699	name = "issue-certificate"
700	name = "ca"
701	function = "hxtool_ca"
702	min_args="0"
703	help = "Issue a certificate"
704}
705command = {
706	name = "test-crypto"
707	option = {
708		long = "pass"
709		type = "strings"
710		argument = "password"
711		help = "password, prompter, or environment"
712	}
713	option = {
714		long = "verbose"
715		type = "flag"
716		help = "verbose printing"
717	}
718	min_args="1"
719	argument="certificates..."
720	help = "Test crypto system related to the certificates"
721}
722command = {
723	option = {
724		long = "type"
725		type = "integer"
726		help = "type of statistics"
727	}
728	name = "statistic-print"
729	min_args="0"
730	help = "Print statistics"
731}
732command = {
733	option = {
734		long = "signer"
735		type = "string"
736		help = "signer certificate"
737	}
738	option = {
739		long = "pass"
740		type = "strings"
741		argument = "password"
742		help = "password, prompter, or environment"
743	}
744	option = {
745		long = "crl-file"
746		type = "string"
747		help = "CRL output file"
748	}
749	option = {
750		long = "lifetime"
751		type = "string"
752		help = "time the crl will be valid"
753	}
754	name = "crl-sign"
755	min_args="0"
756	argument="certificates..."
757	help = "Create a CRL"
758}
759command = {
760	name = "help"
761	name = "?"
762	argument = "[command]"
763	min_args = "0"
764	max_args = "1"
765	help = "Help! I need somebody"
766}
767