Bug 1341302, certutil: document RSA-PSS options, r=hkario, r=kaie
--HG--
extra : amend_source : a21bd2b6ab18fa3aad98596d9caf90b9267c50b0
ueno committed Oct 27, 2017
1 parent 1d5bfa0 commit 316fa40
Showing 4 changed files with 69 additions and 29 deletions.
8 changes: 8 additions & 0 deletions cmd/certutil/certutil.c
Expand Up @@ -1217,6 +1217,8 @@ luC(enum usage_level ul, const char *command)
" -o output-cert");
FPS "%-20s Self sign\n",
" -x");
FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
" --pss-sign");
FPS "%-20s Cert serial number\n",
" -m serial-number");
FPS "%-20s Time Warp\n",
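Review bot: The new `--pss-sign` usage line in luC() says only "the issuer key must be rsa", while the doc/certutil.xml text added in this same commit also says the option is unnecessary when the signer's certificate is already restricted to RSA-PSS. Someone reading only `certutil -H` output will not learn that, so consider a short hint in the help string as well. The help says "issuer key" where the XML says "signer's certificate"; using one term in both places would avoid confusion.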
Expand Down Expand Up @@ -1550,6 +1552,8 @@ luR(enum usage_level ul, const char *command)
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
FPS "%-20s Create a certificate request restricted to RSA-PSS (rsa only)\n",
" --pss");
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
FPS "%-20s Elliptic curve name (ec only)\n",
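Review bot: "Create a certificate request restricted to RSA-PSS (rsa only)" in luR() does not say what the restriction applies to, whereas the XML entry for `--pss` spells it out as "to be used with the RSA-PSS signature scheme". Aligning the help string with that wording would make the two descriptions agree. The "(rsa only)" suffix follows the "(dsa only)" and "(ec only)" pattern of the neighbouring lines, but the `-g` line directly above writes "RSA keys only", so the block now shows two spellings of the same constraint.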
Expand Down Expand Up @@ -1727,6 +1731,8 @@ luS(enum usage_level ul, const char *command)
" -h token-name");
FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
" -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
FPS "%-20s Create a certificate restricted to RSA-PSS (rsa only)\n",
" --pss");
FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
" -q pqgfile");
FPS "%-20s Elliptic curve name (ec only)\n",
Expand All @@ -1735,6 +1741,8 @@ luS(enum usage_level ul, const char *command)
"");
FPS "%-20s Self sign\n",
" -x");
FPS "%-20s Sign the certificate with RSA-PSS (the issuer key must be rsa)\n",
" --pss-sign");
FPS "%-20s Cert serial number\n",
" -m serial-number");
FPS "%-20s Time Warp\n",
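Review bot: With this hunk luS() lists both `--pss` and `--pss-sign`, a few lines apart, and nothing in the usage text tells the reader how they differ or interact. According to the XML added in this commit, `--pss-sign` is not needed when the signer's certificate is restricted to RSA-PSS, which is the case for `-S -x --pss`, where the new key signs its own certificate. A brief note on the `--pss-sign` line here (for example "implied if the issuer certificate is restricted to RSA-PSS") would keep people from passing both without knowing why.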
10 changes: 10 additions & 0 deletions doc/certutil.xml
Expand Up @@ -455,6 +455,16 @@ of the attribute codes:
<listitem><para>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</para></listitem>
</varlistentry>

<varlistentry>
<term>--pss</term>
<listitem><para>Restrict the generated certificate (with the <option>-S</option> option) or certificate request (with the <option>-R</option> option) to be used with the RSA-PSS signature scheme. This only works when the private key of the certificate or certificate request is RSA.</para></listitem>
</varlistentry>

<varlistentry>
<term>--pss-sign</term>
<listitem><para>Sign the generated certificate with the RSA-PSS signature scheme (with the <option>-C</option> or <option>-S</option> option). This only works when the private key of the signer's certificate is RSA. If the signer's certificate is restricted to RSA-PSS, it is not necessary to specify this option.</para></listitem>
</varlistentry>

<varlistentry>
<term>-z noise-file</term>
<listitem><para>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</para></listitem>
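Review bot: Both new entries say "This only works when the private key ... is RSA" but neither states what certutil does otherwise: whether the command fails with an error or the option is silently ignored. For a flag that changes which signature scheme a certificate is bound to, that behaviour should be documented so a caller can tell from the exit status or output that the restriction was not applied. The `--pss` entry names `-S` and `-R`, and `--pss-sign` names `-C` and `-S`, which matches the usage hunks in certutil.c.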