1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
|
#compdef gnutls-cli gnutls-cli-debug gnutls-serv certtool srptool
local -a args
args=(
'(- :)'{-h,--help}'[display help information]'
'(- :)--version=[display version information]:information:((v\:simple c\:copyright n\:full))'
'(- :)-v[display version information]'
'(- :)'{-\!,--more-help}'[display help information through a pager]'
'(-d --debug)'{-d,--debug}'[enable debugging]:debug level'
\*{-V,--verbose}'[more verbose output]'
)
case "$service" in
gnutls-*)
args+=(
'(-p --port)'{-p,--port}'[specify port or service to connect to]:port:_ports'
)
;|
gnutls-cli*)
args+=(
'(--app-proto --starttls-proto)'{--app-proto,--starttls-proto}"=[specify application protocol to use to obtain the server's certificate]:protocol:(https ftp smtp imap ldap xmpp lmtp pop3 nntp sieve postgres)"
':hostname:_hosts'
)
;|
gnutls-cli|gnutls-serv)
args+=(
"--sni-hostname=[specify server's hostname for server name indication extension]:hostname"
"--noticket[don't accept session tickets]"
'(-u --udp)'{-u,--udp}'[use DTLS (datagram TLS) over UDP]'
'--mtu=[set MTU for datagram TLS]:mtu'
'--srtp-profiles=[offer SRTP profiles]:string'
'(-b --heartbeat)'{-b,--heartbeat}'[activate heartbeat support]'
'--x509fmtder[use DER format for certificates to read from]'
'--priority=[specify TLS algorithms and protocols to enable]:(NORMAL PFS SECURE128 SECURE192 SUITEB128 SUITEB192 LEGACY PERFORMANCE NONE)'
'--x509cafile=[specify certificate file to use]:file:_files'
'--x509crlfile=[specify CRL file to use]:file:_files'
'*--x509keyfile=[specify X.509 key file to use]:file:_files'
'*--x509certfile=[specify X.509 certificate file to use]:file:_files'
'(-l --list -p --port)'{-l,--list}'[print list of the supported algorithms/modes]'
'--keymatexport=[specify label used for exporting keying material]:label'
'--keymatexportsize=[specify size of the exported keying material]:size'
)
;|
gnutls-cli|gnutls-serv|certtool)
args+=(
'--provider=[specify PKCS #11 provider library]:provider:_files'
)
;|
gnutls-cli|certtool)
args+=(
'--verify-allow-broken[allow broken algorithms, such as MD5 for certificate verification]'
)
;|
gnutls-cli)
args+=(
'--tofu[enable trust on first use authentication]' '!--no-tofu'
'--strict-tofu[fail to connect if a certificate is unknown or has changed]' '!--no-strict-tofu'
'--dane[enable DANE certificate verification (DNSSEC)]' '!--no-dane'
'--local-dns[use the local DNS server for DNSSEC resolving]' '!--no-local-dna'
'--no-ca-verification[disable CA certificate verification]' '!--ca-verification'
'--ocsp[enable OCSP certificate verification]' '!--no-oscp'
'(-r --resume)'{-r,--resume}'[establish a session and resume]'
'--earlydata=[send early data on resumption from the specified file]:file:_files'
'(-e --rehandshake)'{-e,--rehandshake}'[connect, establish a session and rehandshake immediately]'
"--verify-hostname-str=[specify server's hostname to use for validation]:hostname"
'(-s --starttls)'{-s,--starttls}'[start TLS on EOF or SIGALRM]'
'--crlf[send CR LF instead of LF]'
'--fastopen[enable TCP Fast Open]'
"--print-cert[print peer's certificate in PEM format]"
"--save-cert=[save peer's certificate chain in the specified file in PEM format]:file:_files"
"--save-ocsp=[save peer's OCSP status response in the provided file]:file:_files"
'--save-server-trace=[save the server-side TLS message trace in the provided file]:file:_files'
'--save-client-trace=[save the client-side TLS message trace in the provided file]:file:_files'
'--dh-bits=[specify minimum number of bits allowed for DH]:bits'
'--srpusername[specify SRP username to use]:username'
'--srppasswd[specify SRP password to use]:password'
'--pskusername[specify PSK username to use]:username'
'--pskkey[specify PSK key to use]:key'
"--insecure[don't require server cert validation]"
'--benchmark-ciphers[benchmark individual ciphers]'
'--benchmark-soft-ciphers[benchmark individual software ciphers]'
'--benchmark-tls-kx[benchmark TLS key exchange methods]'
'--benchmark-tls-ciphers[benchmark TLS ciphers]'
'--priority-list[print list of the supported priority strings]'
'*--alpn=[enable application layer protocol]:string'
'--recordsize=[specify maximum record size to advertise]:record size (0-4096)'
"--disable-sni[don't send a Server Name]"
'--single-key-share[send a single key share under TLS1.3]'
'--post-handshake-auth[enable post-handshake authentication under TLS1.3]'
'--inline-commands[inline commands of the form ^<cmd>^]'
'--inline-commands-prefix=[change delimiter used for inline commands]:delimiter [^]'
'--fips140-mode[report status of FIPS140-2 mode in gnutls library]'
'--logfile=[redirect informational messages to a specific file]:file:_files'
)
;;
gnutls-serv)
args+=(
'--sni-hostname-fatal[send fatal alert on sni-hostname mismatch]'
'*--alpn=[specify ALPN protocol to be enabled by the server]:protocol'
'--alpn-fatal[send fatal alert on non-matching ALPN name]'
'--earlydata[accept early data]'
'--maxearlydata=[specify maximum early data size to accept]:size'
"--nocookie[don't require cookie on DTLS sessions]"
'(-g --generate)'{-g,--generate}'[generate Diffie-Hellman parameters]'
'(-q --quiet)'{-q,--quiet}'[suppress some messages]'
"--nodb[don't use a resumption database]"
'--http[act as an HTTP server]'
'--echo[act as an Echo server]'
'(-a --disable-client-cert -r --require-client-cert)'{-a,--disable-client-cert}"[don't request a client certificate]"
'(-a --disable-client-cert -r --require-client-cert)'{-r,--require-client-cert}'[require a client certificate]'
'--verify-client-cert[if a client certificate is sent then verify it]'
'--dhparams=[specify DH params file to use]:file:_files'
'--srppasswd=[specify SRP password file to use]:file:_files'
'--srppasswdconf=[specify SRP password configuration file to use]:file:_files'
'--pskpasswd=[specify PSK password file to use]:file:_files'
'--pskhint=[specify PSK identity hint to use]:string'
'*--ocsp-response=[specify OCSP response to send to client]:string:_files'
'--ignore-ocsp-response-errors[ignore any errors when setting the OCSP response]'
'--recordsize=[specify maximum record size to advertise]:record size (0-16384)'
'--httpdata=[specify data to use as HTTP response]:file:_files'
)
;;
certtool)
args+=(
'(-q --generate-request)--infile:input file:_files '
'--outfile:output file:_files '
'(-s --generate-self-signed)'{-s,--generate-self-signed}'[generate a self-signed certificate]'
'(-c --generate-certificate)'{-c,--generate-certificate}'[generate a signed certificate]'
'--generate-proxy[generate a proxy certificate]'
'--generate-crl[generate a CRL]'
'(-u --update-certificate)'{-u,--update-certificate}'[update a signed certificate]'
'--fingerprint[print the fingerprint of the given certificate]'
'--key-id[print the key ID of the given certificate]'
'--v1[generate an X.509 version 1 certificate (with no extensions)]'
'--sign-params=[sign a certificate with a specific signature algorithm]:algorithm:(RSA-PSS)'
'(-p --generate-privkey)'{-p,--generate-privkey}'[generate a private key]'
'(-q --generate-request --infile)'{-q,--generate-request}'[generate a PKCS #10 certificate request]'
'(-e --verify-chain)'{-e,--verify-chain}'[verify a PEM encoded certificate chain]'
'--verify[verify a PEM encoded certificate chain using a trusted list]'
'--verify-crl[verify a CRL]'
'(--verify-email)--verify-hostname=[specify hostname to be used for certificate chain verification]:hostname:_hosts'
'(--verify-hostname)--verify-email=[specify email to be used for certificate chain verification]:email:_email_addresses'
'--verify-purpose=[specify a purpose OID to be used for certificate chain verification]'
'--p7-sign[sign using a PKCS #7 structure]'
'--p7-detached-sign[sign using a detached PKCS #7 structure]'
"--no-p7-include-cert[don't include signer's certificate will in the cert list]"
'--p7-time[include a timestamp in the PKCS #7 structure]'
'--p7-show-data[show embedded data in the PKCS #7 structure]'
'--p7-verify[verify the provided PKCS #7 structure]'
'--generate-dh-params[generate PKCS #3 encoded Diffie Hellman parameters]'
'--get-dh-params[get the included PKCS #3 encoded Diffie Hellman parameters]'
'--dh-info[print information PKCS #3 encoded Diffie-Hellman parameters]'
'--load-privkey:private key file:_files'
'--load-pubkey:public key file:_files'
'--load-request:certificate request file:_files'
'--load-certificate:certificate file:_files'
'--load-ca-privkey:certificate authority private key file:_files'
'--load-ca-certificate:certificate authority certificate file:_files'
'--load-crl=[load the provided CRL]:CRL'
'--load-data=[load auxiliary data]:data'
'--password=[specify password to use]:password'
'--hex-numbers[big number in an easier format to parse]'
'--cprint[prints certain information is C-friendly format]'
'--null-password[enforce a NULL password]'
'--empty-password[enforce an empty password]'
'--key-type=[specify the key type to use on key generation]:key type'
'(-i --certificate-info)'{-i,--certificate-info}'[print information on a certificate]'
'(-l --crl-info)'{-l,--crl-info}'[print information on a CRL]'
'--crq-info[print information on a certificate request]'
"--no-crq-extensions[don't use extensions in certificate requests]"
'--p12-info[print information on a PKCS #12 structure]'
'--p12-name=[specify PKCS #12 friendly name to use]:name'
'--p7-info[print information on a PKCS #7 structure]'
'--smime-to-p7[convert S/MIME to PKCS #7 structure]'
'(-k --key-info)'{-k,--key-info}'[print information on a private key]'
'--p8-info[print information on a PKCS #8 structure]'
'--to-rsa[convert an RSA-PSS key to raw RSA format]'
'--bits=[specify number of bits for key generation]:bits'
'--curve=[specify the curve used for EC key generation]:curve'
'--sec-param=[specify the security level]:security level:(low legacy medium high ultra)'
'--to-p8[convert a given key to a PKCS #8 structure]'
'--provable[generate a private key or parameters from a seed using a provable method]'
'--verify-provable-privkey[verify a private key generated from a seed using a provable method]'
'--seed=[when generating a private key use the given seed]:seed (hex-encoded)'
'--pubkey-info[print information on a public key]'
'--to-p12[generate a PKCS #12 structure]'
'(-8 --pkcs8)'{-8,--pkcs8}'[use PKCS #8 format for private keys]'
'--hash=[specify hash algorithm for signing]:algorithm:(MD5 SHA1 RMD160)'
'--salt-size=[specify the RSA-PSS key default salt size]:size'
{--inder,--inraw}'[use DER format for input certificates and private keys]'
{--outder,--outraw}'[use DER format for output certificates and private keys]'
'--template=[specify template file to use for non-interactive operation]:file:_files'
'--stdout-info[print information to stdout instead of stderr]'
'--ask-pass[enable interaction for entering password when in batch mode]'
'--pkcs-cipher=[specify cipher to use for pkcs operations]:cipher:(3des 3des-pkcs12 aes-128 aes-192 aes-256 rc2-40 arcfour)'
'!(--no-text)--text'
"--no-text[don't output textual information before PEM-encoded certificates, private keys, etc]"
)
;;
srptool)
args+=(
'(-i --index)'{-i+,--index=}':index of params in tpasswd.conf'
'(-u --username)'{-u+,--username=}':username:_users'
'(-p --passwd)'{-p+,--passwd=}':password file:_files'
'(-s --salt)'{-s+,--salt=}'[specify salt size]:salt size for crypt algorithm'
'--verify[just verify password]'
'(-v --passwd-conf)'{-v+,--passwd-conf=}'[generate a password configuration file]:password conf file:_files'
'--create-conf=[generate a tpasswd.conf file]:file:_files'
)
;;
esac
_arguments -s -S $args
|