/*
 * Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
/* Id */

/*
 * Command-line definitions for the hxtool certificate utility.
 *
 * Each `command = { ... }` block describes one subcommand: one or more
 * `name` entries (several names appear to act as aliases, e.g. "cms-create-sd"
 * / "cms-sign"), an optional `function` naming the C handler, a list of
 * `option` blocks, and the positional-argument constraints `min_args`,
 * `max_args` and `argument`.  Option types seen in this file are "string",
 * "strings" (repeatable), "integer", "flag" and "-flag"; judging by the help
 * texts ("do not sign", "don't embed certificates") "-flag" is the negated
 * form of a boolean flag -- confirm against the slc grammar before relying
 * on it.
 *
 * Several options below deliberately weaken verification (missing
 * revocation data, wrong OIDs, weak ciphers, proxy certificates, unsigned
 * content).  They are diagnostic/interoperability knobs; the help text for
 * each one is the only place a user sees that warning, so keep it explicit.
 *
 * The recurring `pass` option accepts "password, prompter, or environment".
 * A literal password on the command line is generally visible to other local
 * users through the process list; the prompter and environment forms avoid
 * that exposure.
 */

/* Create a CMS SignedData object around a file (alias: cms-sign). */
command = {
    name = "cms-create-sd"
    name = "cms-sign"
    option = {
        long = "certificate"
        short = "c"
        type = "strings"
        argument = "certificate-store"
        help = "certificate stores to pull certificates from"
    }
    option = {
        long = "signer"
        short = "s"
        type = "string"
        argument = "signer-friendly-name"
        help = "certificate to sign with"
    }
    option = {
        long = "anchors"
        type = "strings"
        argument = "certificate-store"
        help = "trust anchors"
    }
    option = {
        long = "pool"
        type = "strings"
        argument = "certificate-pool"
        help = "certificate store to pull certificates from"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "peer-alg"
        type = "strings"
        argument = "oid"
        help = "oid that the peer support"
    }
    option = {
        long = "content-type"
        type = "string"
        argument = "oid"
        help = "content type oid"
    }
    option = {
        long = "content-info"
        type = "flag"
        help = "wrapped out-data in a ContentInfo"
    }
    option = {
        long = "pem"
        type = "flag"
        help = "wrap out-data in PEM armor"
    }
    option = {
        long = "detached-signature"
        type = "flag"
        help = "create a detached signature"
    }
    /*
     * Second "signer" entry, this time as a "-flag": produces the
     * unsigned-output variant ("do not sign") rather than a signer name.
     * Output produced this way carries no integrity protection.
     */
    option = {
        long = "signer"
        type = "-flag"
        help = "do not sign"
    }
    option = {
        long = "id-by-name"
        type = "flag"
        help = "use subject name for CMS Identifier"
    }
    option = {
        long = "embedded-certs"
        type = "-flag"
        help = "don't embed certificates"
    }
    option = {
        long = "embed-leaf-only"
        type = "flag"
        help = "only embed leaf certificate"
    }
    min_args="1"
    max_args="2"
    argument="in-file out-file"
    help = "Wrap a file within a SignedData object"
}

/*
 * Verify a CMS SignedData object.  missing-revoke, the negated
 * signer-allowed flag and allow-wrong-oid each relax a check that the
 * default verification performs; they should be used knowingly.
 */
command = {
    name = "cms-verify-sd"
    option = {
        long = "anchors"
        short = "D"
        type = "strings"
        argument = "certificate-store"
        help = "trust anchors"
    }
    option = {
        long = "certificate"
        short = "c"
        type = "strings"
        argument = "certificate-store"
        help = "certificate store to pull certificates from"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    /* Treats unavailable CRL/OCSP data as non-fatal: revoked certs may pass. */
    option = {
        long = "missing-revoke"
        type = "flag"
        help = "missing CRL/OCSP is ok"
    }
    option = {
        long = "content-info"
        type = "flag"
        help = "unwrap in-data that's in a ContentInfo"
    }
    option = {
        long = "pem"
        type = "flag"
        help = "unwrap in-data from PEM armor"
    }
    /* Negated flag: accepts SignedData that carries no signer at all. */
    option = {
        long = "signer-allowed"
        type = "-flag"
        help = "allow no signer"
    }
    option = {
        long = "allow-wrong-oid"
        type = "flag"
        help = "allow wrong oid flag"
    }
    /* External content for a detached signature (see cms-create-sd). */
    option = {
        long = "signed-content"
        type = "string"
        help = "file containing content"
    }
    min_args="1"
    max_args="2"
    argument="in-file [out-file]"
    help = "Verify a file within a SignedData object"
}

/* Decrypt a CMS EnvelopedData object with a certificate's private key. */
command = {
    name = "cms-unenvelope"
    option = {
        long = "certificate"
        short = "c"
        type = "strings"
        argument = "certificate-store"
        help = "certificate used to decrypt the data"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "content-info"
        type = "flag"
        help = "wrapped out-data in a ContentInfo"
    }
    /* Interoperability escape hatch; opt-in because it lowers the cipher bar. */
    option = {
        long = "allow-weak-crypto"
        type = "flag"
        help = "allow weak crypto"
    }
    min_args="2"
    argument="in-file out-file"
    help = "Unenvelope a file containing a EnvelopedData object"
}

/* Encrypt a file into a CMS EnvelopedData object for the given recipients. */
command = {
    name = "cms-envelope"
    function = "cms_create_enveloped"
    option = {
        long = "certificate"
        short = "c"
        type = "strings"
        argument = "certificate-store"
        help = "certificates used to receive the data"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "encryption-type"
        type = "string"
        argument = "enctype"
        help = "enctype"
    }
    option = {
        long = "content-type"
        type = "string"
        argument = "oid"
        help = "content type oid"
    }
    option = {
        long = "content-info"
        type = "flag"
        help = "wrapped out-data in a ContentInfo"
    }
    /* Same caveat as in cms-unenvelope: only for talking to legacy peers. */
    option = {
        long = "allow-weak-crypto"
        type = "flag"
        help = "allow weak crypto"
    }
    min_args="2"
    argument="in-file out-file"
    help = "Envelope a file containing a EnvelopedData object"
}

/*
 * Verify a certificate chain against explicitly supplied chain and anchor
 * certificates.  allow-proxy-certificate and missing-revoke relax the
 * default policy; time lets the chain be evaluated at a point other than now.
 */
command = {
    name = "verify"
    function = "pcert_verify"
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "allow-proxy-certificate"
        type = "flag"
        help = "allow proxy certificates"
    }
    option = {
        long = "missing-revoke"
        type = "flag"
        help = "missing CRL/OCSP is ok"
    }
    option = {
        long = "time"
        type = "string"
        help = "time when to validate the chain"
    }
    option = {
        long = "verbose"
        short = "v"
        type = "flag"
        help = "verbose logging"
    }
    option = {
        long = "max-depth"
        type = "integer"
        help = "maximum search length of certificate trust anchor"
    }
    option = {
        long = "hostname"
        type = "string"
        help = "match hostname to certificate"
    }
    argument = "cert:foo chain:cert1 chain:cert2 anchor:anchor1 anchor:anchor2"
    help = "Verify certificate chain"
}

/* Dump certificates from one or more stores. */
command = {
    name = "print"
    function = "pcert_print"
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "content"
        type = "flag"
        help = "print the content of the certificates"
    }
    /* Forces a zero exit status; scripts relying on the exit code lose that signal. */
    option = {
        long = "never-fail"
        type = "flag"
        help = "never fail with an error code"
    }
    option = {
        long = "info"
        type = "flag"
        help = "print the information about the certificate store"
    }
    min_args="1"
    argument="certificate ..."
    help = "Print certificates"
}

/* Structural validation of certificate contents (no chain building). */
command = {
    name = "validate"
    function = "pcert_validate"
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    min_args="1"
    argument="certificate ..."
    help = "Validate content of certificates"
}

/*
 * Copy certificates between stores (alias: cc).  Note in-pass is repeatable
 * ("strings", one per input store) while out-pass is a single "string".
 */
command = {
    name = "certificate-copy"
    name = "cc"
    option = {
        long = "in-pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "out-pass"
        type = "string"
        argument = "password"
        help = "password, prompter, or environment"
    }
    min_args="2"
    argument="in-certificates-1 ... out-certificate"
    help = "Copy in certificates stores into out certificate store"
}

/* Fetch OCSP responses for the given certificates into an output file. */
command = {
    name = "ocsp-fetch"
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "sign"
        type = "string"
        argument = "certificate"
        help = "certificate use to sign the request"
    }
    option = {
        long = "url-path"
        type = "string"
        argument = "url"
        help = "part after host in url to put in the request"
    }
    /*
     * Negated flag with default "1": the nonce is sent unless disabled.
     * The nonce is what ties a response to this particular request, so
     * turning it off makes a replayed older response indistinguishable.
     */
    option = {
        long = "nonce"
        type = "-flag"
        default = "1"
        help = "don't include nonce in request"
    }
    option = {
        long = "pool"
        type = "strings"
        argument = "certificate-store"
        help = "pool to find parent certificate in"
    }
    min_args="2"
    argument="outfile certs ..."
    help = "Fetch OCSP responses for the following certs"
}

/* Check certificates against a previously fetched OCSP file. */
command = {
    option = {
        long = "ocsp-file"
        type = "string"
        help = "OCSP file"
    }
    name = "ocsp-verify"
    min_args="1"
    argument="certificates ..."
    help = "Check that certificates are in OCSP file and valid"
}

/* Print OCSP responses. */
command = {
    name = "ocsp-print"
    option = {
        long = "verbose"
        type = "flag"
        help = "verbose"
    }
    min_args="1"
    argument="ocsp-response-file ..."
    help = "Print the OCSP responses"
}

/* Print OCSP responses or CRLs. */
command = {
    name = "revoke-print"
    option = {
        long = "verbose"
        type = "flag"
        help = "verbose"
    }
    min_args="1"
    argument="ocsp/crl files"
    help = "Print the OCSP/CRL files"
}

/* Build a CRMF or PKCS#10 certificate request, optionally generating the key. */
command = {
    name = "request-create"
    option = {
        long = "subject"
        type = "string"
        help = "Subject DN"
    }
    option = {
        long = "email"
        type = "strings"
        help = "Email address in SubjectAltName"
    }
    option = {
        long = "dnsname"
        type = "strings"
        help = "Hostname or domainname in SubjectAltName"
    }
    option = {
        long = "type"
        type = "string"
        help = "Type of request CRMF or PKCS10, defaults to PKCS10"
    }
    option = {
        long = "key"
        type = "string"
        help = "Key-pair"
    }
    option = {
        long = "generate-key"
        type = "string"
        help = "keytype"
    }
    /*
     * NOTE(review): the help line below ends in a stray ';' unlike every
     * other entry in this file -- confirm the slc parser tolerates it.
     */
    option = {
        long = "key-bits"
        type = "integer"
        help = "number of bits in the generated key";
    }
    option = {
        long = "verbose"
        type = "flag"
        help = "verbose status"
    }
    min_args="1"
    max_args="1"
    argument="output-file"
    help = "Create a CRMF or PKCS10 request"
}

/* Print certificate requests. */
command = {
    name = "request-print"
    option = {
        long = "verbose"
        type = "flag"
        help = "verbose printing"
    }
    min_args="1"
    argument="requests ..."
    help = "Print requests"
}

/* Search certificate stores by friendly name, EKU, key usage or expression. */
command = {
    name = "query"
    option = {
        long = "exact"
        type = "flag"
        help = "exact match"
    }
    option = {
        long = "private-key"
        type = "flag"
        help = "search for private key"
    }
    option = {
        long = "friendlyname"
        type = "string"
        argument = "name"
        help = "match on friendly name"
    }
    option = {
        long = "eku"
        type = "string"
        argument = "oid-string"
        help = "match on EKU"
    }
    option = {
        long = "expr"
        type = "string"
        argument = "expression"
        help = "match on expression"
    }
    option = {
        long = "keyEncipherment"
        type = "flag"
        help = "match keyEncipherment certificates"
    }
    option = {
        long = "digitalSignature"
        type = "flag"
        help = "match digitalSignature certificates"
    }
    option = {
        long = "print"
        type = "flag"
        help = "print matches"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    min_args="1"
    argument="certificates ..."
    help = "Query the certificates for a match"
}

/* Library/tool information; takes no options or arguments. */
command = {
    name = "info"
}

/* Emit random bytes on stdout. */
command = {
    name = "random-data"
    min_args="1"
    argument="bytes"
    help = "Generates random bytes and prints them to standard output"
}

/* List the CMS algorithms the build supports. */
command = {
    option = {
        long = "type"
        type = "string"
        help = "type of CMS algorithm"
    }
    name = "crypto-available"
    min_args="0"
    help = "Print available CMS crypto types"
}

/* Show which CMS type would be negotiated given local and peer constraints. */
command = {
    option = {
        long = "type"
        type = "string"
        help = "type of CMS algorithm"
    }
    option = {
        long = "certificate"
        type = "string"
        help = "source certificate limiting the choices"
    }
    option = {
        long = "peer-cmstype"
        type = "strings"
        help = "peer limiting cmstypes"
    }
    name = "crypto-select"
    min_args="0"
    help = "Print selected CMS type"
}

/* Hex encode/decode helper. */
command = {
    option = {
        long = "decode"
        short = "d"
        type = "flag"
        help = "decode instead of encode"
    }
    name = "hex"
    function = "hxtool_hex"
    min_args="0"
    help = "Encode input to hex"
}

/*
 * Issue a certificate (aliases: certificate-sign, cert-sign,
 * issue-certificate, ca).  Either an issuing CA certificate or
 * self-signed plus ca-private-key is expected; issue-ca, issue-proxy and
 * domain-controller change the kind of certificate produced.  path-length
 * defaults to "-1" (no limit) -- an unbounded CA chain is the permissive
 * choice, so set it explicitly when issuing CA certificates.
 */
command = {
    option = {
        long = "issue-ca"
        type = "flag"
        help = "Issue a CA certificate"
    }
    option = {
        long = "issue-proxy"
        type = "flag"
        help = "Issue a proxy certificate"
    }
    option = {
        long = "domain-controller"
        type = "flag"
        help = "Issue a MS domaincontroller certificate"
    }
    option = {
        long = "subject"
        type = "string"
        help = "Subject of issued certificate"
    }
    option = {
        long = "ca-certificate"
        type = "string"
        help = "Issuing CA certificate"
    }
    option = {
        long = "self-signed"
        type = "flag"
        help = "Issuing a self-signed certificate"
    }
    option = {
        long = "ca-private-key"
        type = "string"
        help = "Private key for self-signed certificate"
    }
    option = {
        long = "certificate"
        type = "string"
        help = "Issued certificate"
    }
    option = {
        long = "type"
        type = "strings"
        help = "Types of certificate to issue (can be used more then once)"
    }
    option = {
        long = "lifetime"
        type = "string"
        help = "Lifetime of certificate"
    }
    option = {
        long = "signature-algorithm"
        type = "string"
        help = "Signature algorithm to use"
    }
    option = {
        long = "serial-number"
        type = "string"
        help = "serial-number of certificate"
    }
    option = {
        long = "path-length"
        default = "-1"
        type = "integer"
        help = "Maximum path length (CA and proxy certificates), -1 no limit"
    }
    option = {
        long = "hostname"
        type = "strings"
        help = "DNS names this certificate is allowed to serve"
    }
    option = {
        long = "email"
        type = "strings"
        help = "email addresses assigned to this certificate"
    }
    option = {
        long = "pk-init-principal"
        type = "strings"
        help = "PK-INIT principal (for SAN)"
    }
    option = {
        long = "ms-upn"
        type = "string"
        help = "Microsoft UPN (for SAN)"
    }
    option = {
        long = "jid"
        type = "string"
        help = "XMPP jabber id (for SAN)"
    }
    option = {
        long = "req"
        type = "string"
        help = "certificate request"
    }
    option = {
        long = "certificate-private-key"
        type = "string"
        help = "private-key"
    }
    option = {
        long = "generate-key"
        type = "string"
        help = "keytype"
    }
    option = {
        long = "key-bits"
        type = "integer"
        help = "number of bits in the generated key"
    }
    option = {
        long = "crl-uri"
        type = "string"
        help = "URI to CRL"
    }
    option = {
        long = "template-certificate"
        type = "string"
        help = "certificate"
    }
    option = {
        long = "template-fields"
        type = "string"
        help = "flag"
    }
    name = "certificate-sign"
    name = "cert-sign"
    name = "issue-certificate"
    name = "ca"
    function = "hxtool_ca"
    min_args="0"
    help = "Issue a certificate"
}

/* Exercise the crypto operations reachable from the given certificates. */
command = {
    name = "test-crypto"
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "verbose"
        type = "flag"
        help = "verbose printing"
    }
    min_args="1"
    argument="certificates..."
    help = "Test crypto system related to the certificates"
}

/* Print internal statistics. */
command = {
    option = {
        long = "type"
        type = "integer"
        help = "type of statistics"
    }
    name = "statistic-print"
    min_args="0"
    help = "Print statistics"
}

/* Sign a CRL listing the given certificates as revoked. */
command = {
    option = {
        long = "signer"
        type = "string"
        help = "signer certificate"
    }
    option = {
        long = "pass"
        type = "strings"
        argument = "password"
        help = "password, prompter, or environment"
    }
    option = {
        long = "crl-file"
        type = "string"
        help = "CRL output file"
    }
    option = {
        long = "lifetime"
        type = "string"
        help = "time the crl will be valid"
    }
    name = "crl-sign"
    min_args="0"
    argument="certificates..."
    help = "Create a CRL"
}

/* Built-in help (alias: ?). */
command = {
    name = "help"
    name = "?"
    argument = "[command]"
    min_args = "0"
    max_args = "1"
    help = "Help! I need somebody"
}