1/* 2 * Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 13 * 2. Redistributions in binary form must reproduce the above copyright 14 * notice, this list of conditions and the following disclaimer in the 15 * documentation and/or other materials provided with the distribution. 16 * 17 * 3. Neither the name of the Institute nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33/* $Id$ */ 34 35command = { 36 name = "cms-create-sd" 37 name = "cms-sign" 38 option = { 39 long = "certificate" 40 short = "c" 41 type = "strings" 42 argument = "certificate-store" 43 help = "certificate stores to pull certificates from" 44 } 45 option = { 46 long = "signer" 47 short = "s" 48 type = "string" 49 argument = "signer-friendly-name" 50 help = "certificate to sign with" 51 } 52 option = { 53 long = "anchors" 54 type = "strings" 55 argument = "certificate-store" 56 help = "trust anchors" 57 } 58 option = { 59 long = "pool" 60 type = "strings" 61 argument = "certificate-pool" 62 help = "certificate store to pull certificates from" 63 } 64 option = { 65 long = "pass" 66 type = "strings" 67 argument = "password" 68 help = "password, prompter, or environment" 69 } 70 option = { 71 long = "peer-alg" 72 type = "strings" 73 argument = "oid" 74 help = "oid that the peer support" 75 } 76 option = { 77 long = "content-type" 78 type = "string" 79 argument = "oid" 80 help = "content type oid" 81 } 82 option = { 83 long = "content-info" 84 type = "flag" 85 help = "wrapped out-data in a ContentInfo" 86 } 87 option = { 88 long = "pem" 89 type = "flag" 90 help = "wrap out-data in PEM armor" 91 } 92 option = { 93 long = "detached-signature" 94 type = "flag" 95 help = "create a detached signature" 96 } 97 option = { 98 long = "signer" 99 type = "-flag" 100 help = "do not sign" 101 } 102 option = { 103 long = "id-by-name" 104 type = "flag" 105 help = "use subject name for CMS Identifier" 106 } 107 option = { 108 long = "embedded-certs" 109 type = "-flag" 110 help = "dont embedded certficiates" 111 } 112 option = { 113 long = "embed-leaf-only" 114 type = "flag" 115 help = "only embed leaf certificate" 116 } 117 min_args="1" 118 max_args="2" 119 argument="in-file out-file" 120 help = "Wrap a file within a SignedData object" 121} 122command = { 123 name = "cms-verify-sd" 124 option = { 125 long = "anchors" 126 short = "D" 127 type = "strings" 128 argument = "certificate-store" 129 help = "trust anchors" 130 } 131 option = { 132 long = "certificate" 133 short = "c" 134 type = "strings" 135 argument = "certificate-store" 136 help = "certificate store to pull certificates from" 137 } 138 option = { 139 long = "pass" 140 type = "strings" 141 argument = "password" 142 help = "password, prompter, or environment" 143 } 144 option = { 145 long = "missing-revoke" 146 type = "flag" 147 help = "missing CRL/OCSP is ok" 148 } 149 option = { 150 long = "content-info" 151 type = "flag" 152 help = "unwrap in-data that's in a ContentInfo" 153 } 154 option = { 155 long = "pem" 156 type = "flag" 157 help = "unwrap in-data from PEM armor" 158 } 159 option = { 160 long = "signer-allowed" 161 type = "-flag" 162 help = "allow no signer" 163 } 164 option = { 165 long = "allow-wrong-oid" 166 type = "flag" 167 help = "allow wrong oid flag" 168 } 169 option = { 170 long = "signed-content" 171 type = "string" 172 help = "file containing content" 173 } 174 min_args="1" 175 max_args="2" 176 argument="in-file [out-file]" 177 help = "Verify a file within a SignedData object" 178} 179command = { 180 name = "cms-unenvelope" 181 option = { 182 long = "certificate" 183 short = "c" 184 type = "strings" 185 argument = "certificate-store" 186 help = "certificate used to decrypt the data" 187 } 188 option = { 189 long = "pass" 190 type = "strings" 191 argument = "password" 192 help = "password, prompter, or environment" 193 } 194 option = { 195 long = "content-info" 196 type = "flag" 197 help = "wrapped out-data in a ContentInfo" 198 } 199 option = { 200 long = "allow-weak-crypto" 201 type = "flag" 202 help = "allow weak crypto" 203 } 204 min_args="2" 205 argument="in-file out-file" 206 help = "Unenvelope a file containing a EnvelopedData object" 207} 208command = { 209 name = "cms-envelope" 210 function = "cms_create_enveloped" 211 option = { 212 long = "certificate" 213 short = "c" 214 type = "strings" 215 argument = "certificate-store" 216 help = "certificates used to receive the data" 217 } 218 option = { 219 long = "pass" 220 type = "strings" 221 argument = "password" 222 help = "password, prompter, or environment" 223 } 224 option = { 225 long = "encryption-type" 226 type = "string" 227 argument = "enctype" 228 help = "enctype" 229 } 230 option = { 231 long = "content-type" 232 type = "string" 233 argument = "oid" 234 help = "content type oid" 235 } 236 option = { 237 long = "content-info" 238 type = "flag" 239 help = "wrapped out-data in a ContentInfo" 240 } 241 option = { 242 long = "allow-weak-crypto" 243 type = "flag" 244 help = "allow weak crypto" 245 } 246 min_args="2" 247 argument="in-file out-file" 248 help = "Envelope a file containing a EnvelopedData object" 249} 250command = { 251 name = "verify" 252 function = "pcert_verify" 253 option = { 254 long = "pass" 255 type = "strings" 256 argument = "password" 257 help = "password, prompter, or environment" 258 } 259 option = { 260 long = "allow-proxy-certificate" 261 type = "flag" 262 help = "allow proxy certificates" 263 } 264 option = { 265 long = "missing-revoke" 266 type = "flag" 267 help = "missing CRL/OCSP is ok" 268 } 269 option = { 270 long = "time" 271 type = "string" 272 help = "time when to validate the chain" 273 } 274 option = { 275 long = "verbose" 276 short = "v" 277 type = "flag" 278 help = "verbose logging" 279 } 280 option = { 281 long = "max-depth" 282 type = "integer" 283 help = "maximum search length of certificate trust anchor" 284 } 285 option = { 286 long = "hostname" 287 type = "string" 288 help = "match hostname to certificate" 289 } 290 argument = "cert:foo chain:cert1 chain:cert2 anchor:anchor1 anchor:anchor2" 291 help = "Verify certificate chain" 292} 293command = { 294 name = "print" 295 function = "pcert_print" 296 option = { 297 long = "pass" 298 type = "strings" 299 argument = "password" 300 help = "password, prompter, or environment" 301 } 302 option = { 303 long = "content" 304 type = "flag" 305 help = "print the content of the certificates" 306 } 307 option = { 308 long = "never-fail" 309 type = "flag" 310 help = "never fail with an error code" 311 } 312 option = { 313 long = "info" 314 type = "flag" 315 help = "print the information about the certificate store" 316 } 317 min_args="1" 318 argument="certificate ..." 319 help = "Print certificates" 320} 321command = { 322 name = "validate" 323 function = "pcert_validate" 324 option = { 325 long = "pass" 326 type = "strings" 327 argument = "password" 328 help = "password, prompter, or environment" 329 } 330 min_args="1" 331 argument="certificate ..." 332 help = "Validate content of certificates" 333} 334command = { 335 name = "certificate-copy" 336 name = "cc" 337 option = { 338 long = "in-pass" 339 type = "strings" 340 argument = "password" 341 help = "password, prompter, or environment" 342 } 343 option = { 344 long = "out-pass" 345 type = "string" 346 argument = "password" 347 help = "password, prompter, or environment" 348 } 349 min_args="2" 350 argument="in-certificates-1 ... out-certificate" 351 help = "Copy in certificates stores into out certificate store" 352} 353command = { 354 name = "ocsp-fetch" 355 option = { 356 long = "pass" 357 type = "strings" 358 argument = "password" 359 help = "password, prompter, or environment" 360 } 361 option = { 362 long = "sign" 363 type = "string" 364 argument = "certificate" 365 help = "certificate use to sign the request" 366 } 367 option = { 368 long = "url-path" 369 type = "string" 370 argument = "url" 371 help = "part after host in url to put in the request" 372 } 373 option = { 374 long = "nonce" 375 type = "-flag" 376 default = "1" 377 help = "don't include nonce in request" 378 } 379 option = { 380 long = "pool" 381 type = "strings" 382 argument = "certificate-store" 383 help = "pool to find parent certificate in" 384 } 385 min_args="2" 386 argument="outfile certs ..." 387 help = "Fetch OCSP responses for the following certs" 388} 389command = { 390 option = { 391 long = "ocsp-file" 392 type = "string" 393 help = "OCSP file" 394 } 395 name = "ocsp-verify" 396 min_args="1" 397 argument="certificates ..." 398 help = "Check that certificates are in OCSP file and valid" 399} 400command = { 401 name = "ocsp-print" 402 option = { 403 long = "verbose" 404 type = "flag" 405 help = "verbose" 406 } 407 min_args="1" 408 argument="ocsp-response-file ..." 409 help = "Print the OCSP responses" 410} 411command = { 412 name = "request-create" 413 option = { 414 long = "subject" 415 type = "string" 416 help = "Subject DN" 417 } 418 option = { 419 long = "email" 420 type = "strings" 421 help = "Email address in SubjectAltName" 422 } 423 option = { 424 long = "dnsname" 425 type = "strings" 426 help = "Hostname or domainname in SubjectAltName" 427 } 428 option = { 429 long = "type" 430 type = "string" 431 help = "Type of request CRMF or PKCS10, defaults to PKCS10" 432 } 433 option = { 434 long = "key" 435 type = "string" 436 help = "Key-pair" 437 } 438 option = { 439 long = "generate-key" 440 type = "string" 441 help = "keytype" 442 } 443 option = { 444 long = "key-bits" 445 type = "integer" 446 help = "number of bits in the generated key"; 447 } 448 option = { 449 long = "verbose" 450 type = "flag" 451 help = "verbose status" 452 } 453 min_args="1" 454 max_args="1" 455 argument="output-file" 456 help = "Create a CRMF or PKCS10 request" 457} 458command = { 459 name = "request-print" 460 option = { 461 long = "verbose" 462 type = "flag" 463 help = "verbose printing" 464 } 465 min_args="1" 466 argument="requests ..." 467 help = "Print requests" 468} 469command = { 470 name = "query" 471 option = { 472 long = "exact" 473 type = "flag" 474 help = "exact match" 475 } 476 option = { 477 long = "private-key" 478 type = "flag" 479 help = "search for private key" 480 } 481 option = { 482 long = "friendlyname" 483 type = "string" 484 argument = "name" 485 help = "match on friendly name" 486 } 487 option = { 488 long = "eku" 489 type = "string" 490 argument = "oid-string" 491 help = "match on EKU" 492 } 493 option = { 494 long = "expr" 495 type = "string" 496 argument = "expression" 497 help = "match on expression" 498 } 499 option = { 500 long = "keyEncipherment" 501 type = "flag" 502 help = "match keyEncipherment certificates" 503 } 504 option = { 505 long = "digitalSignature" 506 type = "flag" 507 help = "match digitalSignature certificates" 508 } 509 option = { 510 long = "print" 511 type = "flag" 512 help = "print matches" 513 } 514 option = { 515 long = "pass" 516 type = "strings" 517 argument = "password" 518 help = "password, prompter, or environment" 519 } 520 min_args="1" 521 argument="certificates ..." 522 help = "Query the certificates for a match" 523} 524command = { 525 name = "info" 526} 527command = { 528 name = "random-data" 529 min_args="1" 530 argument="bytes" 531 help = "Generates random bytes and prints them to standard output" 532} 533command = { 534 option = { 535 long = "type" 536 type = "string" 537 help = "type of CMS algorithm" 538 } 539 name = "crypto-available" 540 min_args="0" 541 help = "Print available CMS crypto types" 542} 543command = { 544 option = { 545 long = "type" 546 type = "string" 547 help = "type of CMS algorithm" 548 } 549 option = { 550 long = "certificate" 551 type = "string" 552 help = "source certificate limiting the choices" 553 } 554 option = { 555 long = "peer-cmstype" 556 type = "strings" 557 help = "peer limiting cmstypes" 558 } 559 name = "crypto-select" 560 min_args="0" 561 help = "Print selected CMS type" 562} 563command = { 564 option = { 565 long = "decode" 566 short = "d" 567 type = "flag" 568 help = "decode instead of encode" 569 } 570 name = "hex" 571 function = "hxtool_hex" 572 min_args="0" 573 help = "Encode input to hex" 574} 575command = { 576 option = { 577 long = "issue-ca" 578 type = "flag" 579 help = "Issue a CA certificate" 580 } 581 option = { 582 long = "issue-proxy" 583 type = "flag" 584 help = "Issue a proxy certificate" 585 } 586 option = { 587 long = "domain-controller" 588 type = "flag" 589 help = "Issue a MS domaincontroller certificate" 590 } 591 option = { 592 long = "subject" 593 type = "string" 594 help = "Subject of issued certificate" 595 } 596 option = { 597 long = "ca-certificate" 598 type = "string" 599 help = "Issuing CA certificate" 600 } 601 option = { 602 long = "self-signed" 603 type = "flag" 604 help = "Issuing a self-signed certificate" 605 } 606 option = { 607 long = "ca-private-key" 608 type = "string" 609 help = "Private key for self-signed certificate" 610 } 611 option = { 612 long = "certificate" 613 type = "string" 614 help = "Issued certificate" 615 } 616 option = { 617 long = "type" 618 type = "strings" 619 help = "Types of certificate to issue (can be used more then once)" 620 } 621 option = { 622 long = "lifetime" 623 type = "string" 624 help = "Lifetime of certificate" 625 } 626 option = { 627 long = "serial-number" 628 type = "string" 629 help = "serial-number of certificate" 630 } 631 option = { 632 long = "path-length" 633 default = "-1" 634 type = "integer" 635 help = "Maximum path length (CA and proxy certificates), -1 no limit" 636 } 637 option = { 638 long = "hostname" 639 type = "strings" 640 help = "DNS names this certificate is allowed to serve" 641 } 642 option = { 643 long = "email" 644 type = "strings" 645 help = "email addresses assigned to this certificate" 646 } 647 option = { 648 long = "pk-init-principal" 649 type = "string" 650 help = "PK-INIT principal (for SAN)" 651 } 652 option = { 653 long = "ms-upn" 654 type = "string" 655 help = "Microsoft UPN (for SAN)" 656 } 657 option = { 658 long = "jid" 659 type = "string" 660 help = "XMPP jabber id (for SAN)" 661 } 662 option = { 663 long = "req" 664 type = "string" 665 help = "certificate request" 666 } 667 option = { 668 long = "certificate-private-key" 669 type = "string" 670 help = "private-key" 671 } 672 option = { 673 long = "generate-key" 674 type = "string" 675 help = "keytype" 676 } 677 option = { 678 long = "key-bits" 679 type = "integer" 680 help = "number of bits in the generated key" 681 } 682 option = { 683 long = "crl-uri" 684 type = "string" 685 help = "URI to CRL" 686 } 687 option = { 688 long = "template-certificate" 689 type = "string" 690 help = "certificate" 691 } 692 option = { 693 long = "template-fields" 694 type = "string" 695 help = "flag" 696 } 697 name = "certificate-sign" 698 name = "cert-sign" 699 name = "issue-certificate" 700 name = "ca" 701 function = "hxtool_ca" 702 min_args="0" 703 help = "Issue a certificate" 704} 705command = { 706 name = "test-crypto" 707 option = { 708 long = "pass" 709 type = "strings" 710 argument = "password" 711 help = "password, prompter, or environment" 712 } 713 option = { 714 long = "verbose" 715 type = "flag" 716 help = "verbose printing" 717 } 718 min_args="1" 719 argument="certificates..." 720 help = "Test crypto system related to the certificates" 721} 722command = { 723 option = { 724 long = "type" 725 type = "integer" 726 help = "type of statistics" 727 } 728 name = "statistic-print" 729 min_args="0" 730 help = "Print statistics" 731} 732command = { 733 option = { 734 long = "signer" 735 type = "string" 736 help = "signer certificate" 737 } 738 option = { 739 long = "pass" 740 type = "strings" 741 argument = "password" 742 help = "password, prompter, or environment" 743 } 744 option = { 745 long = "crl-file" 746 type = "string" 747 help = "CRL output file" 748 } 749 option = { 750 long = "lifetime" 751 type = "string" 752 help = "time the crl will be valid" 753 } 754 name = "crl-sign" 755 min_args="0" 756 argument="certificates..." 757 help = "Create a CRL" 758} 759command = { 760 name = "help" 761 name = "?" 762 argument = "[command]" 763 min_args = "0" 764 max_args = "1" 765 help = "Help! I need somebody" 766} 767