pkcs15-tool: add documentation for secret key options

2017-06-12 13:32:58 +03:00 · 2017-06-12 13:32:58 +03:00 · 00a710b939
parent 137c6306d2
commit 00a710b939
1 changed files with 47 additions and 0 deletions
--- a/doc/tools/pkcs15-init.1.xml
+++ b/doc/tools/pkcs15-init.1.xml
@ -233,6 +233,22 @@
 				usually the user certificate that goes with the key, as well as the CA certificate.
 			</para>
 		</refsect2>
+
+		<refsect2>
+			<title>Secret Key Upload</title>
+			<para>
+				You can use a secret key generated by other means and upload it to the card.
+				For instance, to upload an AES-secret key generated by the system random generator
+				you would use
+			</para>
+			<para>
+				<command>pkcs15-init --store-secret-key /dev/urandom --secret-key-algorithm aes/256 --auth-id 01</command>
+			</para>
+			<para>
+				By default a random ID is generated for the secret key. You may specify an ID
+				with the <option>--id</option> if needed.
+			</para>
+		</refsect2>
 	</refsect1>

 	<refsect1>
@ -380,6 +396,19 @@
 					</listitem>
 				</varlistentry>

+				<varlistentry>
+					<term>
+						<option>--secret-key-algorithm</option> <replaceable>keyspec</replaceable>,
+					</term>
+					<listitem>
+						<para>
+							<replaceable>keyspec</replaceable> describes the algorithm and length of the
+							key to be created or downloaded, such as <literal>aes/256</literal>.
+							This will create a 256 bit AES key.
+						</para>
+					</listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--store-certificate</option> <replaceable>filename</replaceable>,
@ -439,6 +468,24 @@
 					</listitem>
 				</varlistentry>

+				<varlistentry>
+					<term>
+						<option>--store-secret-key</option> <replaceable>filename</replaceable>,
+					</term>
+					<listitem>
+						<para>
+							Tells <command>pkcs15-init</command> to download the specified
+							secret key to the card. The file is assumed to contain the raw key.
+							They key type should be specified with <option>--secret-key-algorithm</option>
+							option.
+							You may additionally specify the key ID along with this command,
+							using the <option>--id</option> option, otherwise a random ID is generated.
+							For the multi-application cards the target PKCS#15 application can be
+							specified by the hexadecimal AID value of the <option>aid</option> option.
+						</para>
+					</listitem>
+				</varlistentry>
+
 				<varlistentry>
 					<term>
 						<option>--update-certificate</option> <replaceable>filename</replaceable>,