pki: Add acert and extend pki/print manpages

configure.ac

@@ -1619,6 +1619,7 @@ AC_CONFIG_FILES([
 	src/pki/man/pki---req.1
 	src/pki/man/pki---self.1
 	src/pki/man/pki---signcrl.1
+	src/pki/man/pki---acert.1
 	src/pki/man/pki---verify.1
 ])
 

src/pki/man/Makefile.am

@@ -4,6 +4,7 @@ man1_MANS = \
 	pki---self.1 \
 	pki---issue.1 \
 	pki---signcrl.1 \
+	pki---acert.1 \
 	pki---req.1 \
 	pki---pkcs7.1 \
 	pki---keyid.1 \

src/pki/man/pki---acert.1.in

@@ -0,0 +1,107 @@
+.TH "PKI \-\-ACERT" 1 "2014-02-05" "@PACKAGE_VERSION@" "strongSwan"
+.
+.SH "NAME"
+.
+pki \-\-acert \- Issue an attribute certificate
+.
+.SH "SYNOPSIS"
+.
+.SY pki\ \-\-acert
+.OP \-\-in file
+.OP \-\-group membership
+.BI \-\-issuerkey\~ file |\-\-issuerkeyid\~ hex
+.BI \-\-issuercert\~ file
+.OP \-\-lifetime hours
+.OP \-\-serial hex
+.OP \-\-digest digest
+.OP \-\-outform encoding
+.OP \-\-debug level
+.YS
+.
+.SY pki\ \-\-acert
+.BI \-\-options\~ file
+.YS
+.
+.SY "pki \-\-acert"
+.B \-h
+|
+.B \-\-help
+.YS
+.
+.SH "DESCRIPTION"
+.
+This sub-command of
+.BR pki (1)
+is used to issue an attribute certificate using an issuer certificate with its
+private key and the holder certificate.
+.
+.SH "OPTIONS"
+.
+.TP
+.B "\-h, \-\-help"
+Print usage information with a summary of the available options.
+.TP
+.BI "\-v, \-\-debug " level
+Set debug level, default: 1.
+.TP
+.BI "\-+, \-\-options " file
+Read command line options from \fIfile\fR.
+.TP
+.BI "\-i, \-\-in " file
+Holder certificate to issue an attribute certificate for. If not given the
+certificate is read from \fISTDIN\fR.
+.TP
+.BI "\-m, \-\-group " membership
+Group membership the attribute certificate shall certify. The specified group
+is included as a string. To include multiple groups, the option can be repeated.
+.TP
+.BI "\-k, \-\-issuerkey " file
+Issuer private key file. Either this or
+.B \-\-issuerkeyid
+is required.
+.TP
+.BI "\-x, \-\-issuerkeyid " hex
+Key ID of a issuer private key on a smartcard. Either this or
+.B \-\-issuerkey
+is required.
+.TP
+.BI "\-c, \-\-issuercert " file
+Issuer certificate file. Required.
+.TP
+.BI "\-l, \-\-lifetime " hours
+Hours the attribute certificate is valid, default: 24.
+.TP
+.BI "\-s, \-\-serial " hex
+Serial number in hex. It is randomly allocated by default.
+.TP
+.BI "\-g, \-\-digest " digest
+Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
+\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
+\fIsha1\fR.
+.TP
+.BI "\-f, \-\-outform " encoding
+Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
+\fIpem\fR (Base64 PEM), defaults to \fIder\fR.
+.
+.SH "EXAMPLES"
+.
+To save repetitive typing, command line options can be stored in files.
+Lets assume
+.I acert.opt
+contains the following contents:
+.PP
+.EX
+  --issuercert aacert.der --issuerkey aakey.der --digest sha256 --lifetime 4
+.EE
+.PP
+Then the following command can be used to issue an attribute certificate based
+on a holder certificate and the options above:
+.PP
+.EX
+  pki --acert --options acert.opt --in holder.der --group sales --group finance -f pem
+.EE
+.PP
+.
+.SH "SEE ALSO"
+.
+.BR pki (1)

src/pki/man/pki---print.1.in

@@ -46,7 +46,8 @@ Input file. If not given the input is read from \fISTDIN\fR.
 .BI "\-t, \-\-type " type
 Type of input. One of \fIrsa-priv\fR (RSA private key), \fIecdsa-priv\fR (ECDSA
 private key), \fIpub\fR (public key), \fIx509\fR (X.509 certificate), \fIcrl\fR
-(Certificate Revocation List, CRL), defaults to \fIx509\fR.
+(Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate),
+defaults to \fIx509\fR.
 .
 .SH "SEE ALSO"
 .

src/pki/man/pki.1.in

@@ -49,6 +49,9 @@ Issue a certificate using a CA certificate and key.
 .B "\-c, \-\-signcrl"
 Issue a CRL using a CA certificate and key.
 .TP
+.B "\-z, \-\-acert"
+Issue an attribute certificate.
+.TP
 .B "\-r, \-\-req"
 Create a PKCS#10 certificate request.
 .TP
@@ -148,6 +151,7 @@ certificates with the \-\-crl option.
 .BR pki\ \-\-self (1),
 .BR pki\ \-\-issue (1),
 .BR pki\ \-\-signcrl (1),
+.BR pki\ \-\-acert (1),
 .BR pki\ \-\-req (1),
 .BR pki\ \-\-pkcs7 (1),
 .BR pki\ \-\-keyid (1),