/*
 * Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
/* $Id$ */

command = {
    name = "cms-create-sd"
    name = "cms-sign"
    option = {
        long = "certificate"
        short = "c"
        type = "strings"
        argument = "certificate-store"
        help = "certificate stores to pull certificates from"
    }
    option = {
        long = "signer"
        short = "s"
        type = "string"
        argument = "signer-friendly-name"
        help = "certificate to sign with"
    }
    option = {
        long = "anchors"
        type = "strings"
        argument = "certificate-store"
        help = "trust anchors"
    }
    option = {
        long = "pool"
        type = "strings"
        argument = "certificate-pool"
        help = "certificate store to pull certificates from"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "peer-alg"
        type = "strings"
        argument = "oid"
        help = "oid that the peer supports"
    }
    option = {
        long = "content-type"
        type = "string"
        argument = "oid"
        help = "content type oid"
    }
    option = {
        long = "content-info"
        type = "flag"
        help = "wrap out-data in a ContentInfo"
    }
    option = {
        long = "pem"
        type = "flag"
        help = "wrap out-data in PEM armor"
    }
    option = {
        long = "detached-signature"
        type = "flag"
        help = "create a detached signature"
    }
    option = {
        long = "signer"
        type = "-flag"
        help = "do not sign"
    }
    option = {
        long = "id-by-name"
        type = "flag"
        help = "use subject name for CMS Identifier"
    }
    option = {
        long = "embedded-certs"
        type = "-flag"
        help = "do not embed certificates"
    }
    option = {
        long = "embed-leaf-only"
        type = "flag"
        help = "only embed leaf certificate"
    }
    min_args="1"
    max_args="2"
    argument="in-file out-file"
    help = "Wrap a file within a SignedData object"
}
command = {
    name = "cms-verify-sd"
    option = {
        long = "anchors"
        short = "D"
        type = "strings"
        argument =
        "certificate-store"
        help = "trust anchors"
    }
    option = {
        long = "certificate"
        short = "c"
        type = "strings"
        argument = "certificate-store"
        help = "certificate store to pull certificates from"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "missing-revoke"
        type = "flag"
        help = "missing CRL/OCSP is ok"
    }
    option = {
        long = "content-info"
        type = "flag"
        help = "unwrap in-data that's in a ContentInfo"
    }
    option = {
        long = "pem"
        type = "flag"
        help = "unwrap in-data from PEM armor"
    }
    option = {
        long = "signer-allowed"
        type = "-flag"
        help = "allow no signer"
    }
    option = {
        long = "allow-wrong-oid"
        type = "flag"
        help = "allow wrong oid flag"
    }
    option = {
        long = "signed-content"
        type = "string"
        help = "file containing content"
    }
    min_args="1"
    max_args="2"
    argument="in-file [out-file]"
    help = "Verify a file within a SignedData object"
}
command = {
    name = "cms-unenvelope"
    option = {
        long = "certificate"
        short = "c"
        type = "strings"
        argument = "certificate-store"
        help = "certificate used to decrypt the data"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "content-info"
        type = "flag"
        help = "wrap out-data in a ContentInfo"
    }
    option = {
        long = "allow-weak-crypto"
        type = "flag"
        help = "allow weak crypto"
    }
    min_args="2"
    argument="in-file out-file"
    help = "Unenvelope a file containing an EnvelopedData object"
}
command = {
    name = "cms-envelope"
    function = "cms_create_enveloped"
    option = {
        long = "certificate"
        short = "c"
        type = "strings"
        argument = "certificate-store"
        help =
        "certificates used to receive the data"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "encryption-type"
        type = "string"
        argument = "enctype"
        help = "enctype"
    }
    option = {
        long = "content-type"
        type = "string"
        argument = "oid"
        help = "content type oid"
    }
    option = {
        long = "content-info"
        type = "flag"
        help = "wrap out-data in a ContentInfo"
    }
    option = {
        long = "allow-weak-crypto"
        type = "flag"
        help = "allow weak crypto"
    }
    min_args="2"
    argument="in-file out-file"
    help = "Envelope a file containing an EnvelopedData object"
}
command = {
    name = "verify"
    function = "pcert_verify"
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "allow-proxy-certificate"
        type = "flag"
        help = "allow proxy certificates"
    }
    option = {
        long = "missing-revoke"
        type = "flag"
        help = "missing CRL/OCSP is ok"
    }
    option = {
        long = "time"
        type = "string"
        help = "time when to validate the chain"
    }
    option = {
        long = "verbose"
        short = "v"
        type = "flag"
        help = "verbose logging"
    }
    option = {
        long = "max-depth"
        type = "integer"
        help = "maximum chain length when searching for a certificate trust anchor"
    }
    option = {
        long = "hostname"
        type = "string"
        help = "match hostname to certificate"
    }
    argument = "cert:foo chain:cert1 chain:cert2 anchor:anchor1 anchor:anchor2"
    help = "Verify certificate chain"
}
command = {
    name = "print"
    function = "pcert_print"
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "content"
        type = "flag"
        help = "print the content of the certificates"
    }
    option = {
        long = "never-fail"
        type = "flag"
        help = "never fail with an error code"
    }
    option = {
        long = "info"
        type = "flag"
        help = "print the information about the certificate store"
    }
    min_args="1"
    argument="certificate ..."
    help = "Print certificates"
}
command = {
    name = "validate"
    function = "pcert_validate"
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    min_args="1"
    argument="certificate ..."
    help = "Validate content of certificates"
}
command = {
    name = "certificate-copy"
    name = "cc"
    option = {
        long = "in-pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "out-pass"
        type = "string"
        argument = "password"
        help = "password, prompter, or environment"
    }
    min_args="2"
    argument="in-certificates-1 ... out-certificate"
    help = "Copy the input certificate stores into the output certificate store"
}
command = {
    name = "ocsp-fetch"
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "sign"
        type = "string"
        argument = "certificate"
        help = "certificate used to sign the request"
    }
    option = {
        long = "url-path"
        type = "string"
        argument = "url"
        help = "part after host in url to put in the request"
    }
    option = {
        long = "nonce"
        type = "-flag"
        default = "1"
        help = "don't include nonce in request"
    }
    option = {
        long = "pool"
        type = "strings"
        argument = "certificate-store"
        help = "pool to find parent certificate in"
    }
    min_args="2"
    argument="outfile certs ..."
    help = "Fetch OCSP responses for the following certs"
}
command = {
    option = {
        long = "ocsp-file"
        type = "string"
        help = "OCSP file"
    }
    name = "ocsp-verify"
    min_args="1"
    argument="certificates ..."
    help = "Check that certificates are in OCSP file and valid"
}
command = {
    name = "ocsp-print"
    option = {
        long = "verbose"
        type = "flag"
        help = "verbose"
    }
    min_args="1"
    argument="ocsp-response-file ..."
    help = "Print the OCSP responses"
}
command = {
    name = "request-create"
    option = {
        long = "subject"
        type = "string"
        help = "Subject DN"
    }
    option = {
        long = "email"
        type = "strings"
        help = "Email address in SubjectAltName"
    }
    option = {
        long = "dnsname"
        type = "strings"
        help = "Hostname or domain name in SubjectAltName"
    }
    option = {
        long = "type"
        type = "string"
        help = "Type of request CRMF or PKCS10, defaults to PKCS10"
    }
    option = {
        long = "key"
        type = "string"
        help = "Key-pair"
    }
    option = {
        long = "generate-key"
        type = "string"
        help = "keytype"
    }
    option = {
        long = "key-bits"
        type = "integer"
        help = "number of bits in the generated key";
    }
    option = {
        long = "verbose"
        type = "flag"
        help = "verbose status"
    }
    min_args="1"
    max_args="1"
    argument="output-file"
    help = "Create a CRMF or PKCS10 request"
}
command = {
    name = "request-print"
    option = {
        long = "verbose"
        type = "flag"
        help = "verbose printing"
    }
    min_args="1"
    argument="requests ..."
    help = "Print requests"
}
command = {
    name = "query"
    option = {
        long = "exact"
        type = "flag"
        help = "exact match"
    }
    option = {
        long = "private-key"
        type = "flag"
        help = "search for private key"
    }
    option = {
        long = "friendlyname"
        type = "string"
        argument = "name"
        help = "match on friendly name"
    }
    option = {
        long = "persistent"
        type = "string"
        argument = "persistent-identity"
        help = "match on persistent identity"
    }
    option = {
        long = "eku"
        type = "string"
        argument = "oid-string"
        help = "match on EKU"
    }
    option = {
        long = "expr"
        type = "string"
        argument = "expression"
        help = "match on expression"
    }
    option = {
        long = "keyEncipherment"
        type = "flag"
        help = "match keyEncipherment certificates"
    }
    option = {
        long = "digitalSignature"
        type = "flag"
        help = "match digitalSignature certificates"
    }
    option = {
        long = "print"
        type = "flag"
        help = "print matches"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    min_args="1"
    argument="certificates ..."
    help = "Query the certificates for a match"
}
command = {
    name = "info"
}
command = {
    name = "random-data"
    min_args="1"
    argument="bytes"
    help = "Generates random bytes and prints them to standard output"
}
command = {
    option = {
        long = "type"
        type = "string"
        help = "type of CMS algorithm"
    }
    name = "crypto-available"
    help = "Print available CMS crypto types"
}
command = {
    option = {
        long = "type"
        type = "string"
        help = "type of CMS algorithm"
    }
    option = {
        long = "certificate"
        type = "string"
        help = "source certificate limiting the choices"
    }
    option = {
        long = "peer-cmstype"
        type = "strings"
        help = "peer limiting cmstypes"
    }
    name = "crypto-select"
    help = "Print selected CMS type"
}
command = {
    option = {
        long = "decode"
        short = "d"
        type = "flag"
        help = "decode instead of encode"
    }
    name = "hex"
    function = "hxtool_hex"
    help = "Encode input to hex"
}
command = {
    option = {
        long = "issue-ca"
        type = "flag"
        help = "Issue a CA certificate"
    }
    option = {
        long = "issue-proxy"
        type = "flag"
        help = "Issue a proxy certificate"
    }
    option = {
        long = "domain-controller"
        type = "flag"
        help = "Issue an MS domain controller certificate"
    }
    option = {
        long = "subject"
        type = "string"
        help = "Subject of issued certificate"
    }
    option = {
        long = "ca-certificate"
        type = "string"
        help = "Issuing CA certificate"
    }
    option = {
        long = "self-signed"
        type = "flag"
        help = "Issue a self-signed certificate"
    }
    option = {
        long = "ca-private-key"
        type = "string"
        help = "Private key for self-signed certificate"
    }
    option = {
        long = "certificate"
        type = "string"
        help = "Issued certificate"
    }
    option = {
        long = "type"
        type = "strings"
        help = "Types of certificate to issue (can be used more than once)"
    }
    option = {
        long = "lifetime"
        type = "string"
        help = "Lifetime of certificate"
    }
    option = {
        long = "serial-number"
        type = "string"
        help = "serial-number of certificate"
    }
    option = {
        long = "path-length"
        default = "-1"
        type = "integer"
        help = "Maximum path length (CA and proxy certificates), -1 means no limit"
    }
    option = {
        long = "hostname"
        type = "strings"
        help = "DNS names this certificate is allowed to serve"
    }
    option = {
        long = "email"
        type = "strings"
        help = "email addresses assigned to this certificate"
    }
    option = {
        long = "pk-init-principal"
        type = "string"
        help = "PK-INIT principal (for SAN)"
    }
    option = {
        long = "ms-upn"
        type = "string"
        help = "Microsoft UPN (for SAN)"
    }
    option = {
        long = "jid"
        type = "string"
        help = "XMPP jabber id (for SAN)"
    }
    option = {
        long = "req"
        type = "string"
        help = "certificate request"
    }
    option = {
        long = "certificate-private-key"
        type = "string"
        help = "private-key"
    }
    option = {
        long = "generate-key"
        type = "string"
        help = "keytype"
    }
    option = {
        long = "key-bits"
        type = "integer"
        help = "number of bits in the generated key"
    }
    option = {
        long = "crl-uri"
        type = "string"
        help = "URI to CRL"
    }
    option = {
        long = "template-certificate"
        type = "string"
        help = "certificate"
    }
    option = {
        long = "template-fields"
        type = "string"
        help = "flag"
    }
    name = "certificate-sign"
    name = "cert-sign"
    name = "issue-certificate"
    name = "ca"
    function = "hxtool_ca"
    help = "Issue a certificate"
}
command = {
    name = "test-crypto"
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option
    = {
        long = "verbose"
        type = "flag"
        help = "verbose printing"
    }
    min_args="1"
    argument="certificates..."
    help = "Test crypto system related to the certificates"
}
command = {
    option = {
        long = "signer"
        type = "string"
        help = "signer certificate"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "crl-file"
        type = "string"
        help = "CRL output file"
    }
    option = {
        long = "lifetime"
        type = "string"
        help = "time the crl will be valid"
    }
    name = "crl-sign"
    min_args="0"
    argument="certificates..."
    help = "Create a CRL"
}
command = {
    name = "help"
    name = "?"
    argument = "[command]"
    min_args = "0"
    max_args = "1"
    help = "Help! I need somebody"
}