pt-tls-client: Added man page

2017-07-15 18:37:52 +02:00 · 2017-07-15 18:37:52 +02:00 · 34cade8b84
parent 693705c74e
commit 34cade8b84
4 changed files with 140 additions and 4 deletions
--- a/src/pt-tls-client/.gitignore
+++ b/src/pt-tls-client/.gitignore
@ -1 +1,2 @@
 pt-tls-client
+pt-tls-client.1
--- a/src/pt-tls-client/Makefile.am
+++ b/src/pt-tls-client/Makefile.am
@ -1,4 +1,4 @@
-ipsec_PROGRAMS = pt-tls-client
+bin_PROGRAMS = pt-tls-client

 pt_tls_client_SOURCES = pt-tls-client.c

@ -19,3 +19,7 @@ pt_tls_client_LDADD = \
 	$(top_builddir)/src/libpttls/libpttls.la \
 	$(top_builddir)/src/libtnccs/libtnccs.la

+man1_MANS = pt-tls-client.1
+
+CLEANFILES = $(man1_MANS)
+
--- a/src/pt-tls-client/pt-tls-client.1.in
+++ b/src/pt-tls-client/pt-tls-client.1.in
@ -0,0 +1,130 @@
+.TH PT-TLS-CLIENT 1 "2017-07-15" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pt-tls-client \- Simple client using PT-TLS to collect integrity information
+.
+.SH "SYNOPSIS"
+.
+.SY "pt-tls-client"
+.BI \-\-connect
+.IR hostname |\fIaddress
+.OP \-\-port hex
+.RB [ \-\-cert
+.IR file ]+
+.RB [ \-\-keyid
+.IR hex |\fB\-\-key
+.IR file ]
+.RB [ \-\-key-type
+.BR rsa |\fBecdsa\fR]
+.OP \-\-client client-id
+.OP \-\-secret password
+.OP \-\-mutual
+.OP \-\-optionsfrom filename
+.OP \-\-quiet
+.OP \-\-debug level
+.YS
+.
+.SY "pt-tls-client"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+.B pt-tls-client
+is a simple client using the PT-TLS (RFC 6876) transport protocol to collect
+integrity measurements on the client platform. PT-TLS does an initial TLS
+handshake with certificate-based server authentication and optional
+certificate-based client authentication.  Alternatively simple password-based
+SASL client authentication protected by TLS can be used.
+.P
+Attribute requests and integrity measurements are exchanged via the PA-TNC (RFC
+5792) message protocol between any number of Integrity Measurement Verifiers
+(IMVs) residing on the remote PT-TLS server and multiple Integrity Measurement
+Collectors (IMCs) loaded dynamically by the PT-TLS client according to a list
+defined by \fI/etc/tnc_config\fR. PA-TNC messages that contain one or several
+PA-TNC attributes are multiplexed into PB-TNC (RFC 5793) client or server data
+batches which in turn are transported via PT-TLS.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Prints usage information and a short summary of the available commands.
+.TP
+.BI "\-c, \-\-connect " hostname\fR|\fIaddress
+Set the hostname or IP address of the PT-TLS server.
+.TP
+.BI "\-p, \-\-port " port
+Set the port of the PT-TLS server, default: 271.
+.TP
+.BI "\-x, \-\-cert " file
+Set the path to an X.509 certificate file. This option can be repeated to load
+multiple client and CA certificates.
+.TP
+.BI "\-k, \-\-key " file
+Set the path to the client's PKCS#1 or PKCS#8 private key file
+.TP
+.BI "\-t, \-\-key\-type " type
+Define the type of the private key if stored in PKCS#1 format. Can be omitted
+with PKCS#8 keys.
+.TP
+.BI "\-x, \-\-keyid " hex
+Set the keyid of the private key stored in a smartcard or a TPM 2.0 Trusted
+Platform Module.
+.TP
+.BI "\-i, \-\-client " client-id
+Set the username or client ID of the client required for password-based SASL
+authentication.
+.TP
+.BI "\-s, \-\-secret " password
+Set the preshared secret or client password required for password-based SASL
+authentication.
+.TP
+.B "\-q, \-\-mutual
+Enable mutual attestation between PT-TLS client and PT-TLS server.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.B "\-q, \-\-quiet
+Disable debug output to stderr.
+.TP
+.BI "\-+, \-\-optionsfrom " file
+Read command line options from \fIfile\fR.
+.
+.SH "EXAMPLES"
+.
+Connect to a PT-TLS server using certificate-based authentication,
+storing the private ECDSA key in a file:
+.PP
+.EX
+  pt-tls-client \-\-connect pdp.example.com \-\-cert ca.crt \\
+                \-\-cert client.crt \-\-key client.key \-\-key\-type ecdsa
+.EE
+.PP
+Connect to a PT-TLS server using certificate-based authentication,
+storing the private key in a smartcard or a TPM 2.0 Trusted Platform Module:
+.PP
+.EX
+  pt-tls-client \-\-connect pdp.example.com \-\-cert ca.crt \\
+                \-\-cert client.crt \-\-keyid 0x81010002
+.EE
+.PP
+Connect to a PT-TLS server listening on port 443, using SASL password-based
+authentication:
+.PP
+.EX
+  pt-tls-client \-\-connect pdp.example.com --port 443 \-\-cert ca.crt \\
+                \-\-client jane \-\-password p2Nl9trKlb
+.EE
+.SH FILES
+.TP
+/etc/tnc_config
+.
+.SH "SEE ALSO"
+.
+.BR strongswan.conf (5)
+
--- a/src/pt-tls-client/pt-tls-client.c
+++ b/src/pt-tls-client/pt-tls-client.c
@ -44,8 +44,8 @@ static void usage(FILE *out)
 		"Usage: pt-tls  --connect <hostname|address> [--port <port>]\n"
 		"              [--cert <file>]+ [--keyid <hex>|--key <file>]\n"
 		"              [--key-type rsa|ecdsa] [--client <client-id>]\n"
-		"              [--secret <password>] [--optionsfrom <filename>]\n"
-		"              [--quiet] [--debug <level>]\n");
+		"              [--secret <password>] [--mutual] [--quiet]\n"
+		"              [--debug <level>] [--optionsfrom <filename>]\n");
 }

 /**
@ -292,7 +292,8 @@ int main(int argc, char *argv[])
 			{"optionsfrom",	required_argument,		NULL,		'+' },
 			{0,0,0,0 }
 		};
-		switch (getopt_long(argc, argv, "", long_opts, NULL))
+		switch (getopt_long(argc, argv, "hc:i:s:p:x:K:k:t:mqd:+:", long_opts,
+			    NULL))
 		{
 			case EOF:
 				break;