path: root/doc/man-sections/pkcs11-options.rst
blob: c064aca5dfe5571af05cfb7d3495906300e5a93b (plain)
PKCS#11 / SmartCard options
---------------------------

--pkcs11-cert-private args
  Set if access to certificate object should be performed after login.
  Every provider has its own setting.

  Valid syntaxes:
  ::

     pkcs11-cert-private 0
     pkcs11-cert-private 1

--pkcs11-id name
  Specify the serialized certificate id to be used. The id can be obtained
  with the standalone ``--show-pkcs11-ids`` option.

--pkcs11-id-management
  Acquire the PKCS#11 id from the management interface. In this case a
  :code:`NEED-STR 'pkcs11-id-request'` real-time message will be triggered;
  the application may use the pkcs11-id-count command to retrieve the number
  of available certificates, and the pkcs11-id-get command to retrieve a
  certificate id and certificate body.
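The exchange described above, as an added example that is not part of the man page or of OpenVPN itself: a small parser for the management-interface replies that answers the :code:`pkcs11-id-request` with a :code:`needstr` command. The reply line formats (:code:`>PKCS11ID-COUNT:` and :code:`>PKCS11ID-ENTRY:`) are assumed from OpenVPN's management-notes, and the session transcript and certificate blobs are constructed placeholders.

```python
import base64
import re

# Constructed sample of the management-interface exchange that follows a
# ">NEED-STR:Need 'pkcs11-id-request' string" notification. The reply line
# formats are an assumption (taken from OpenVPN's management-notes), and
# the ids and BLOB values are constructed placeholders, not real objects.
SAMPLE_SESSION = """\
>NEED-STR:Need 'pkcs11-id-request' string
pkcs11-id-count
>PKCS11ID-COUNT:2
pkcs11-id-get 0
>PKCS11ID-ENTRY:'0', ID:'pkcs11:model=example;token=old;id=%01', BLOB:'Q0VSVC1PTEQ='
pkcs11-id-get 1
>PKCS11ID-ENTRY:'1', ID:'pkcs11:model=example;token=vpn;id=%02', BLOB:'Q0VSVC1WUE4='
"""

COUNT_RE = re.compile(r"^>PKCS11ID-COUNT:(\d+)$")
ENTRY_RE = re.compile(r"^>PKCS11ID-ENTRY:'(\d+)', ID:'([^']*)', BLOB:'([^']*)'$")


def parse_entries(session: str) -> dict:
    """Return {index: (serialized_id, cert_bytes)} for every PKCS11ID-ENTRY
    line, and check the count against the advertised PKCS11ID-COUNT so a
    truncated or tampered listing is rejected instead of silently used."""
    count = None
    entries = {}
    for line in session.splitlines():
        m = COUNT_RE.match(line)
        if m:
            count = int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            idx, obj_id, blob = m.groups()
            entries[int(idx)] = (obj_id, base64.b64decode(blob))
    if count is not None and len(entries) != count:
        raise ValueError(f"expected {count} entries, parsed {len(entries)}")
    return entries


def choose_needstr(session: str, token: str) -> str:
    """Pick the certificate whose serialized id names the wanted token and
    build the needstr reply that answers the pkcs11-id-request prompt."""
    for obj_id, _cert in parse_entries(session).values():
        if f"token={token};" in obj_id:
            return f"needstr pkcs11-id-request '{obj_id}'"
    raise LookupError(f"no certificate found on token {token!r}")
```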

--pkcs11-pin-cache seconds
  Specify how many seconds the PIN can be cached; the default is until the
  token is removed.

--pkcs11-private-mode mode
  Specify which method to use in order to perform private key operations.
  A different mode can be specified for each provider. Mode is encoded as a
  hex number and can be a mask combining one or more of the following:

  :code:`0` (default)   Try to determine automatically.

  :code:`1`             Use sign.

  :code:`2`             Use sign recover.

  :code:`4`             Use decrypt.

  :code:`8`             Use unwrap.

--pkcs11-protected-authentication args
  Use PKCS#11 protected authentication path, useful for biometric and
  external keypad devices. Every provider has its own setting.

  Valid syntaxes:
  ::

     pkcs11-protected-authentication 0
     pkcs11-protected-authentication 1

--pkcs11-providers provider
  Specify the RSA Security Inc. PKCS #11 Cryptographic Token Interface
  (Cryptoki) providers to load. This option can be used instead of
  ``--cert``, ``--key`` and ``--pkcs12``.

  If p11-kit is present on the system, its :code:`p11-kit-proxy.so` module
  will be loaded by default if either the ``--pkcs11-id`` or
  ``--pkcs11-id-management`` options are specified without
  ``--pkcs11-providers`` being given.

--show-pkcs11-ids args
  (Standalone) Show PKCS#11 token object list.

  Valid syntax:
  ::

     show-pkcs11-ids [provider] [cert_private]

  Specify ``cert_private`` as :code:`1` if certificates are stored as
  private objects.

  If *p11-kit* is present on the system, the ``provider`` argument is
  optional; if omitted the default :code:`p11-kit-proxy.so` module will be
  queried.

  The ``--verb`` option can be used BEFORE this option to produce debugging
  information.