From patchwork Tue Nov 14 11:21:33 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frank Lichtenheld X-Patchwork-Id: 3430 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:3c06:b0:f2:62eb:61c1 with SMTP id e6csp2098698dys; Tue, 14 Nov 2023 03:22:47 -0800 (PST) X-Google-Smtp-Source: AGHT+IFATFBbKxvkORvNGawWucQmEMC6S2X7Ejfmu6tY5iKWnE7zK/JFojJw5pf9bwnWwXToPMPV X-Received: by 2002:a05:6a20:da85:b0:185:ffb1:2776 with SMTP id iy5-20020a056a20da8500b00185ffb12776mr2445984pzb.4.1699960966936; Tue, 14 Nov 2023 03:22:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1699960966; cv=none; d=google.com; s=arc-20160816; b=FHD/Aa/vynLO8d7RVtlwHs4WrOQ6dQcVF/krAUnifSuHO8DiBh2iotfM59vUyD749C QEJj/6I2rmptpeZu2tV4LdmFCYqmUY2fETSIc/dWpqw5ZxAatYQz5J9aQpgmosprBH+F /6LwlbYkbjmus3zc1fKI2G6bQ5BVlrQIGohl5MPoD2z1XfD1B1T/BQBAxV5MPREvYEW/ A5Z7ZH0zrRRZ93kYCCx+b5RjfZEMdvA7i9e7OoXbBtFqFCNNoRSfCf1i0v24q6jL/6+u q3kVE5kQzT0ExkvHG+f+005UCAv5OZGU+HozNrinCCx1ziUYZYO8sUJBzRV3kIU2e8AW VGuA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:dkim-signature :dkim-signature; bh=RZ8kk4jX2WgVUwVOgP7j2ycaUA8uZeaVwKylgyrjbos=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=qs1W0z7EFOXCnz940guFbpPcqex9ERRUwTiRIcIR9G5DQtpnfQGV2abcIJCutCyDM8 bTp+PzhdOXzTpkB4bQbEPj3kE+HeYR3wKWSVlXbbAWGw6JGUZVjmfcqHnhJ3188we4tH 9PXdU/rNWC8f0NzyZUdW0A/T5NKhqd0lIEtJJzvEZf7Ujb6lBIhPZXUQgXbJi93AjZmJ MQo9xgiA/FH99pj/+WhbXG039kqKzOdqkDhJqK/xtFXSrUWxomZC8p1ijb6OWlZe5hot Nbds1RLNTxksKd7HzFPVZK9e/9523EZXYWF2adKvkqpXhc7pB623kyOtJZZBhkGeoroo FMNQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=B8rf7bZY; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=eT9UrUC1; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=SiPH0HFk; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id u24-20020a656718000000b005a9e4c3d350si7458488pgf.743.2023.11.14.03.22.46 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 14 Nov 2023 03:22:46 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=B8rf7bZY; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=eT9UrUC1; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=SiPH0HFk; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1r2rUL-0007bZ-Si; Tue, 14 Nov 2023 11:21:48 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1r2rUJ-0007bS-HF for openvpn-devel@lists.sourceforge.net; Tue, 14 Nov 2023 11:21:47 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Wqjw3Jp6X0XmPVQy2dLW76YSTinUAhHssa69dBCDWvU=; b=B8rf7bZYro4O63WgZZr0C2FaQu iODLdQaqA5/5MWAr/n7l9VIeFWU0+/UvWvWrD0aZIe6J3/DQ6IKqPnK+fDnQXXk5I5cMKfspOO4HN XFqsHdiSs1QsKZBmADKhRN3x0RBrNxAokvKIFBt0r98eOb792MjasCyssxKw+B+Pcb9k=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=Wqjw3Jp6X0XmPVQy2dLW76YSTinUAhHssa69dBCDWvU=; b=e T9UrUC1Ruo7BzuKIwc9ZvsOLfq9pCclOWRF+i/cEVyeETdsMRGVwQqIyia3ivzOcodigxJNLUvmEH LNv1pCgT5F4d1qsGsA9rj/eODrGm1HjxDjy0A4nyDudpnoH5ZbZTWLxm5MB3e3ZQXvupIsQ8LJc4Y 4TKdjLR597aPBQXc=; Received: from mout-p-201.mailbox.org ([80.241.56.171]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1r2rUE-005YNt-PG for openvpn-devel@lists.sourceforge.net; Tue, 14 Nov 2023 11:21:46 +0000 Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:b231:465::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-201.mailbox.org (Postfix) with ESMTPS id 4SV3lf4JQ4z9sdS for ; Tue, 14 Nov 2023 12:21:34 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lichtenheld.com; s=MBO0001; t=1699960894; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Wqjw3Jp6X0XmPVQy2dLW76YSTinUAhHssa69dBCDWvU=; b=SiPH0HFkOS1/2WypvVLG5efLh/IA41LhmuCBUoiqu8CrxdqaDreQcjJoTtu7fkzrWinYHT IVedVjGsDMtoQLFbo/Fs4+tqd+xeZ6GrmS+R9s9SlIKHsst9PZffUDD53rn8+FFt2eLg3n pjFRkDIHn+Sut0bC6MbxJisTdP2qWojR0XIsaOnZHUmxn++POAoeZbeG4xWHWczVTiLPRh Xg3pNkozLdlWy5oFbGo8J1YiWBF7uksHX/mjwsn6/ZE/lkup3N2wuo4i04g9GETe5CJdCu txyc8+MCVpHGnf2w2U2hT58sy+sI2qA70Wm/aJGSwiZnarGBv/f3luJK8e3MpA== From: Frank Lichtenheld To: openvpn-devel@lists.sourceforge.net Date: Tue, 14 Nov 2023 12:21:33 +0100 Message-Id: <20231114112133.20475-1-frank@lichtenheld.com> MIME-Version: 1.0 X-Rspamd-Queue-Id: 4SV3lf4JQ4z9sdS X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: - Explicitely specify how to provide settings that are per-provider - Misc grammar fixes Change-Id: I176ba2cb885b5304a6897341f5f03dbb4a7f9028 Signed-off-by: Frank Lichtenheld --- doc/man-sections/pkcs11-options.rst | 34 +++++++++++++++++++++-------- 1 file changed, [...] Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [80.241.56.171 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1r2rUE-005YNt-PG Subject: [Openvpn-devel] [PATCH] doc: improve pkcs11 documentation X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1782538270616492687?= X-GMAIL-MSGID: =?utf-8?q?1782538270616492687?= - Explicitely specify how to provide settings that are per-provider - Misc grammar fixes Change-Id: I176ba2cb885b5304a6897341f5f03dbb4a7f9028 Signed-off-by: Frank Lichtenheld --- doc/man-sections/pkcs11-options.rst | 34 +++++++++++++++++++++-------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/doc/man-sections/pkcs11-options.rst b/doc/man-sections/pkcs11-options.rst index de1662b7..911386a0 100644 --- a/doc/man-sections/pkcs11-options.rst +++ b/doc/man-sections/pkcs11-options.rst @@ -3,13 +3,19 @@ PKCS#11 / SmartCard options --pkcs11-cert-private args Set if access to certificate object should be performed after login. - Every provider has its own setting. + If you specified multiple providers with ``--pkcs11-providers``, every + provider has its own value for this setting, specified as a + space-separated list. + + The default value is ``0``. Valid syntaxes: :: pkcs11-cert-private 0 pkcs11-cert-private 1 + # multiple providers + pkcs11-cert-private 1 0 0 1 [...] --pkcs11-id name Specify the serialized certificate id to be used. The id can be gotten @@ -18,10 +24,10 @@ PKCS#11 / SmartCard options --pkcs11-id-management Acquire PKCS#11 id from management interface. In this case a - :code:`NEED-STR 'pkcs11-id-request'` real-time message will be triggered, - application may use pkcs11-id-count command to retrieve available number of - certificates, and pkcs11-id-get command to retrieve certificate id and - certificate body. + :code:`NEED-STR 'pkcs11-id-request'` real-time message will be triggered. + The application may use the ``pkcs11-id-count`` command to retrieve the + available number of certificates, and the ``pkcs11-id-get`` command to + retrieve certificate id and certificate body. See also the description of ``--pkcs11-providers`` option. --pkcs11-pin-cache seconds @@ -30,8 +36,7 @@ PKCS#11 / SmartCard options --pkcs11-private-mode mode Specify which method to use in order to perform private key operations. - A different mode can be specified for each provider. Mode is encoded as - hex number, and can be a mask one of the following: + Mode is encoded as hex number, and can be a mask one of the following: :code:`0` (default) Try to determine automatically. @@ -43,18 +48,29 @@ PKCS#11 / SmartCard options :code:`8` Use unwrap. + If you specified multiple providers with ``--pkcs11-providers``, every + provider has its own value for this setting, specified as a + space-separated list. + --pkcs11-protected-authentication args Use PKCS#11 protected authentication path, useful for biometric and - external keypad devices. Every provider has its own setting. + external keypad devices. + If you specified multiple providers with ``--pkcs11-providers``, every + provider has its own value for this setting, specified as a + space-separated list. + + The default value is ``0``. Valid syntaxes: :: pkcs11-protected-authentication 0 pkcs11-protected-authentication 1 + # multiple providers + pkcs11-protected-authentication 1 0 0 1 [...] --pkcs11-providers providers - Specify an RSA Security Inc. PKCS #11 Cryptographic Token Interface + Specify RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) providers to load. A space-separated list of one or more provider library names may be specified. This option along with ``--pkcs11-id`` or ``pkcs11-id-management`` can be used instead of