From 261e0b6b0d57075f7c802f17901ae03b55b8f27c Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Tue, 18 Feb 2020 23:33:30 +0100
Subject: [PATCH] unified documentation of handling PIN/PUK on CLI

---
 doc/tools/dnie-tool.1.xml    | 24 ++++++++++++++++------
 doc/tools/gids-tool.1.xml    | 20 ++++++++++++++++--
 doc/tools/openpgp-tool.1.xml | 25 ++++++++++++++++-------
 doc/tools/pkcs15-init.1.xml  | 24 ++++++++++++----------
 doc/tools/pkcs15-tool.1.xml  | 29 ++++++++++++++++++---------
 doc/tools/sc-hsm-tool.1.xml  | 35 ++++++++++++++++----------------
 doc/tools/westcos-tool.1.xml | 39 +++++++++++++++++++-----------------
 7 files changed, 125 insertions(+), 71 deletions(-)

diff --git a/doc/tools/dnie-tool.1.xml b/doc/tools/dnie-tool.1.xml
index 0daac27d..4120bc73 100644
--- a/doc/tools/dnie-tool.1.xml
+++ b/doc/tools/dnie-tool.1.xml
@@ -73,13 +73,25 @@
 				<varlistentry>
 					<term>
 						<option>--pin</option> <replaceable>pin</replaceable>,
-						<option>-p</option> <replaceable>pin</replaceable>
+						<option>--p</option> <replaceable>pin</replaceable>
 					</term>
-					<listitem><para>Specify the user pin <replaceable>pin</replaceable> to use.
-					If set to env:<replaceable>VARIABLE</replaceable>, the
-					value of the environment variable
-					<replaceable>VARIABLE</replaceable> is used.
-					The default is do not enter pin</para></listitem>
+					<listitem>
+						<para>
+							These options can be used to specify the PIN value
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
diff --git a/doc/tools/gids-tool.1.xml b/doc/tools/gids-tool.1.xml
index a7d4f8be..9bad4d5c 100644
--- a/doc/tools/gids-tool.1.xml
+++ b/doc/tools/gids-tool.1.xml
@@ -46,9 +46,25 @@
 				</varlistentry>
 				<varlistentry>
 					<term>
-						<option>--pin</option> <replaceable>argument</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>
 					</term>
-					<listitem><para>Define user PIN.</para></listitem>
+					<listitem>
+						<para>
+							This option can be used to specify the PIN value
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term>
diff --git a/doc/tools/openpgp-tool.1.xml b/doc/tools/openpgp-tool.1.xml
index 5f46be29..cc513131 100644
--- a/doc/tools/openpgp-tool.1.xml
+++ b/doc/tools/openpgp-tool.1.xml
@@ -149,14 +149,25 @@
 
 				<varlistentry>
 					<term>
-						<option>--pin</option> <replaceable>string</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>
 					</term>
-					<listitem><para>
-						The PIN text to verify. If set to
-						env:<replaceable>VARIABLE</replaceable>, the value of
-						the environment variable
-						<replaceable>VARIABLE</replaceable> is used.
-					</para></listitem>
+					<listitem>
+						<para>
+							This option can be used to specify the PIN value
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>
 
 				<varlistentry>
diff --git a/doc/tools/pkcs15-init.1.xml b/doc/tools/pkcs15-init.1.xml
index 212358bd..e7c87383 100644
--- a/doc/tools/pkcs15-init.1.xml
+++ b/doc/tools/pkcs15-init.1.xml
@@ -348,23 +348,25 @@
 
 				<varlistentry>
 					<term>
-						<option>--pin</option>,
-						<option>--puk</option>
-						<option>--so-pin</option>,
-						<option>--so-puk</option>,
+						<option>--pin</option> <replaceable>pin</replaceable>,
+						<option>--puk</option> <replaceable>puk</replaceable>,
+						<option>--so-pin</option> <replaceable>sopin</replaceable>,
+						<option>--so-puk</option> <replaceable>sopuk</replaceable>
 					</term>
 					<listitem>
 						<para>
-							These options can be used to specify PIN/PUK values
-							on the command line. If set to
-							env:<replaceable>VARIABLE</replaceable>, the value
-							of the environment variable
-							<replaceable>VARIABLE</replaceable> is used. Note
-							that on most operation systems, any user can
+							These options can be used to specify the PIN/PUK values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
 							display the command line of any process on the
 							system using utilities such as
 							<command>ps(1)</command>. Therefore, you should prefer
-							passing the values via a hidden environment variable
+							passing the codes via an environment variable
 							on an unsecured system.
 						</para>
 					</listitem>
diff --git a/doc/tools/pkcs15-tool.1.xml b/doc/tools/pkcs15-tool.1.xml
index 02b3b03b..45bbb077 100644
--- a/doc/tools/pkcs15-tool.1.xml
+++ b/doc/tools/pkcs15-tool.1.xml
@@ -310,16 +310,27 @@
 
 				<varlistentry>
 					<term>
-						<option>--pin</option> <replaceable>PIN</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>,
+						<option>--new-pin</option> <replaceable>newpin</replaceable>
+						<option>--puk</option> <replaceable>puk</replaceable>
 					</term>
-					<listitem><para>Specify PIN</para></listitem>
-				</varlistentry>
-
-				<varlistentry>
-					<term>
-						<option>--puk</option> <replaceable>PUK</replaceable>
-					</term>
-					<listitem><para>Specify Unblock PIN</para></listitem>
+					<listitem>
+						<para>
+							These options can be used to specify the PIN/PUK values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>
 
 				<varlistentry>
diff --git a/doc/tools/sc-hsm-tool.1.xml b/doc/tools/sc-hsm-tool.1.xml
index ced876ae..3f63eda6 100644
--- a/doc/tools/sc-hsm-tool.1.xml
+++ b/doc/tools/sc-hsm-tool.1.xml
@@ -120,26 +120,25 @@
 				
 				<varlistentry>
 					<term>
-						<option>--so-pin</option> <replaceable>value</replaceable>
+						<option>--pin</option> <replaceable>pin</replaceable>,
+						<option>--so-pin</option> <replaceable>sopin</replaceable>,
 					</term>
 					<listitem>
-						<para>Define SO-PIN for initialization. If set to
-						env:<replaceable>VARIABLE</replaceable>, the value of
-						the environment variable
-						<replaceable>VARIABLE</replaceable> is used.</para>
-					</listitem>
-				</varlistentry>
-				
-				<varlistentry>
-					<term>
-						<option>--pin</option> <replaceable>value</replaceable>
-					</term>
-					<listitem>
-						<para>Define user PIN for initialization, wrap or
-						unwrap operation. If set to
-						env:<replaceable>VARIABLE</replaceable>, the value of
-						the environment variable
-						<replaceable>VARIABLE</replaceable> is used.</para>
+						<para>
+							These options can be used to specify the PIN values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
 					</listitem>
 				</varlistentry>
 				
diff --git a/doc/tools/westcos-tool.1.xml b/doc/tools/westcos-tool.1.xml
index 3034f2e8..9950ecf2 100644
--- a/doc/tools/westcos-tool.1.xml
+++ b/doc/tools/westcos-tool.1.xml
@@ -115,25 +115,28 @@
 
 				<varlistentry>
 					<term>
-						<option>--pin-value</option> <replaceable>value</replaceable>,
-						<option>-x</option> <replaceable>value</replaceable>
+						<option>--pin-value</option> <replaceable>pin</replaceable>,
+						<option>-x</option> <replaceable>pin</replaceable>
+						<option>--puk-value</option> <replaceable>puk</replaceable>,
+						<option>-y</option> <replaceable>puk</replaceable>
 					</term>
-					<listitem><para>Set value of PIN. If set to
-					env:<replaceable>VARIABLE</replaceable>, the value of
-					the environment variable
-					<replaceable>VARIABLE</replaceable> is used.</para></listitem>
-				</varlistentry>
-
-				<varlistentry>
-					<term>
-						<option>--puk-value</option> <replaceable>value</replaceable>,
-						<option>-y</option> <replaceable>value</replaceable>
-					</term>
-					<listitem><para>set value of PUK (or value of new PIN for change PIN
-					command see <option>-n</option>). If set to
-					env:<replaceable>VARIABLE</replaceable>, the value of
-					the environment variable
-					<replaceable>VARIABLE</replaceable> is used.</para></listitem>
+					<listitem>
+						<para>
+							These options can be used to specify the PIN/PUK values
+							on the command line. If the value is set to
+							<literal>env:</literal><replaceable>VARIABLE</replaceable>, the value
+							of the specified environment variable is used. By default,
+							the code is prompted on the command line if needed.
+						</para>
+						<para>
+							Note that on most operation systems, any user can
+							display the command line of any process on the
+							system using utilities such as
+							<command>ps(1)</command>. Therefore, you should prefer
+							passing the codes via an environment variable
+							on an unsecured system.
+						</para>
+					</listitem>
 				</varlistentry>
 
 				<varlistentry>