// file      : openssl/agent/pkcs11/options.cli
// license   : MIT; see accompanying LICENSE file

include <openssl/options.cli>;

// Documentation variables for the generated documentation: section number,
// program name, and one-line summary.
//
"\section=1"
"\name=openssl-agent-pkcs11"
"\summary=OpenSSL PKCS#11 key agent"

// Command line interface and documentation of the openssl-agent-pkcs11
// program: the argument synopsis and description, the options class, and the
// ENVIRONMENT and EXIT STATUS documentation sections.
//
namespace openssl
{
  namespace agent
  {
    namespace pkcs11
    {
      // Documentation block: the arguments string followed by the SYNOPSIS
      // and DESCRIPTION text.
      //
      // As described in the text, the agent obtains the token PIN
      // interactively and the forked daemon then keeps the key unlocked
      // while serving requests over a UNIX domain socket.
      //
      {
        "<options> <url>",

        "
        \h|SYNOPSIS|

        \c{\b{openssl-agent-pkcs11 --help}\n
           \b{openssl-agent-pkcs11 --version}\n
           \b{openssl-agent-pkcs11} [<options>] <url>}

        \h|DESCRIPTION|

        The \cb{PKCS#11} key agent prompts for a PIN for the specified token
        and forks off the daemon, which unlocks the key, opens a UNIX domain
        socket, and waits for cryptographic operation requests from the
        OpenSSL client \l{openssl-client(1)}. The agent also prints to
        \cb{stdout} a shell script fragment that sets the environment
        variables necessary for locating the agent. See the ENVIRONMENT
        section for details.

        The daemon can be run in the simulation mode without actually logging
        into the \cb{PKCS#11} token. If the \cb{--simulate} option is
        specified with the \cb{success} outcome, the daemon pretends to unlock
        the requested key and responds with a dummy signature to the
        subsequent data signing requests. The \cb{failure} outcome causes the
        daemon to exit with non-zero status, as if it failed to find the key.
        This mode is mostly useful for testing.
        "
      }

      // Options accepted by openssl-agent-pkcs11.
      //
      class options
      {
        "\h|OPTIONS|"

        // Informational options: print the usage or the version and exit.
        //
        bool --help {"Print usage information and exit."}
        bool --version {"Print version and exit."}

        // Simulation mode. Per the DESCRIPTION text, with the 'success'
        // outcome the daemon does not log into the token and answers signing
        // requests with a dummy signature, so such output is not a real
        // signature; with the 'failure' outcome the daemon exits with
        // non-zero status.
        //
        // The simulate_outcome type is not declared in this file; presumably
        // it comes from the included <openssl/options.cli> -- confirm.
        //
        simulate_outcome --simulate
        {
          "<outcome>",
          "Run the daemon in the simulation mode."
        }
      };

      // ENVIRONMENT section: the two variables set by the printed shell
      // script fragment (socket location and daemon process id).
      //
      // NOTE(review): the text does not state the permissions the socket is
      // created with. Since the daemon holds an unlocked key, consider
      // documenting who is able to connect -- confirm against the daemon
      // implementation.
      //
      "
      \h|ENVIRONMENT|

      The printed shell script fragment sets the
      \cb{OPENSSL_AGENT_PKCS11_SOCK} and \cb{OPENSSL_AGENT_PKCS11_PID}
      environment variables. The former refers to the Unix-domain socket that
      should be used by \cb{openssl-client(1)} for communicating with the
      daemon. The latter contains the daemon process id that can be used to
      terminate the daemon by sending it the \cb{SIGTERM} signal.
      "

      // EXIT STATUS section.
      //
      "
      \h|EXIT STATUS|

      Non-zero exit status is returned in case of an error.
      "
    }
  }
}