diff options
Diffstat (limited to 'doc/man-sections/pkcs11-options.rst')
-rw-r--r-- | doc/man-sections/pkcs11-options.rst | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/doc/man-sections/pkcs11-options.rst b/doc/man-sections/pkcs11-options.rst new file mode 100644 index 0000000..c064aca --- /dev/null +++ b/doc/man-sections/pkcs11-options.rst @@ -0,0 +1,80 @@ +PKCS#11 / SmartCard options +--------------------------- + +--pkcs11-cert-private args + Set if access to certificate object should be performed after login. + Every provider has its own setting. + + Valid syntaxes: + :: + + pkcs11-cert-private 0 + pkcs11-cert-private 1 + +--pkcs11-id name + Specify the serialized certificate id to be used. The id can be gotten + by the standalone ``--show-pkcs11-ids`` option. + +--pkcs11-id-management + Acquire PKCS#11 id from management interface. In this case a + :code:`NEED-STR 'pkcs11-id-request'` real-time message will be triggered, + application may use pkcs11-id-count command to retrieve available number of + certificates, and pkcs11-id-get command to retrieve certificate id and + certificate body. + +--pkcs11-pin-cache seconds + Specify how many seconds the PIN can be cached, the default is until the + token is removed. + +--pkcs11-private-mode mode + Specify which method to use in order to perform private key operations. + A different mode can be specified for each provider. Mode is encoded as + hex number, and can be a mask one of the following: + + :code:`0` (default) Try to determine automatically. + + :code:`1` Use sign. + + :code:`2` Use sign recover. + + :code:`4` Use decrypt. + + :code:`8` Use unwrap. + +--pkcs11-protected-authentication args + Use PKCS#11 protected authentication path, useful for biometric and + external keypad devices. Every provider has its own setting. + + Valid syntaxes: + :: + + pkcs11-protected-authentication 0 + pkcs11-protected-authentication 1 + +--pkcs11-providers provider + Specify an RSA Security Inc. PKCS #11 Cryptographic Token Interface + (Cryptoki) providers to load. This option can be used instead of + ``--cert``, ``--key`` and ``--pkcs12``. + + If p11-kit is present on the system, its :code:`p11-kit-proxy.so` module + will be loaded by default if either the ``--pkcs11-id`` or + ``--pkcs11-id-management`` options are specified without + ``--pkcs11-provider`` being given. + +--show-pkcs11-ids args + (Standalone) Show PKCS#11 token object list. + + Valid syntax: + :: + + show-pkcs11 [provider] [cert_private] + + Specify ``cert_private`` as :code:`1` if certificates are stored as + private objects. + + If *p11-kit* is present on the system, the ``provider`` argument is + optional; if omitted the default :code:`p11-kit-proxy.so` module will be + queried. + + ``--verb`` option can be used BEFORE this option to produce debugging + information. |