1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
| | #compdef gnutls-cli gnutls-cli-debug gnutls-serv certtool srptool
local -a args
args=(
'(- :)'{-h,--help}'[display help information]'
'(- :)--version=[display version information]:information:((v\:simple c\:copyright n\:full))'
'(- :)-v[display version information]'
'(- :)'{-\!,--more-help}'[display help information through a pager]'
'(-d --debug)'{-d,--debug}'[enable debugging]:debug level'
\*{-V,--verbose}'[more verbose output]'
)
case "$service" in
gnutls-*)
args+=(
'(-p --port)'{-p,--port}'[specify port or service to connect to]:port:_ports'
)
;|
gnutls-cli*)
args+=(
'(--app-proto --starttls-proto)'{--app-proto,--starttls-proto}"=[specify application protocol to use to obtain the server's certificate]:protocol:(https ftp smtp imap ldap xmpp lmtp pop3 nntp sieve postgres)"
':hostname:_hosts'
)
;|
gnutls-cli|gnutls-serv)
args+=(
"--sni-hostname=[specify server's hostname for server name indication extension]:hostname"
"--noticket[don't accept session tickets]"
'(-u --udp)'{-u,--udp}'[use DTLS (datagram TLS) over UDP]'
'--mtu=[set MTU for datagram TLS]:mtu'
'--srtp-profiles=[offer SRTP profiles]:string'
'(-b --heartbeat)'{-b,--heartbeat}'[activate heartbeat support]'
'--x509fmtder[use DER format for certificates to read from]'
'--priority=[specify TLS algorithms and protocols to enable]:(NORMAL PFS SECURE128 SECURE192 SUITEB128 SUITEB192 LEGACY PERFORMANCE NONE)'
'--x509cafile=[specify certificate file to use]:file:_files'
'--x509crlfile=[specify CRL file to use]:file:_files'
'--pgpkeyfile=[specify PGP key file to use]:file:_files'
'--pgpkeyring=[specify PGP key ring file to use]:file:_files'
'--pgpcertfile=[specify PGP public key (certificate) file to use]:file:_files'
'--x509keyfile=[specify X.509 key file to use]:file:_files'
'--x509certfile=[specify X.509 certificate file to use]:file:_files'
'--pgpsubkey=[specify PGP subkey to use]:sub key'
'(-l --list -p --port)'{-l,--list}'[print list of the supported algorithms/modes]'
'--provider=[specify PKCS #11 provider library]:provider:_files'
)
;|
gnutls-cli)
args+=(
'--tofu[enable trust on first use authentication]' '!--no-tofu'
'--strict-tofu[fail to connect if a known certificate has changed]' '!--no-strict-tofu'
'--dane[enable DANE certificate verification (DNSSEC)]' '!--no-dane'
'--local-dns[use the local DNS server for DNSSEC resolving]' '!--no-local-dna'
'--no-ca-verification[disable CA certificate verification]' '!--ca-verification'
'--ocsp[enable OCSP certificate verification]' '!--no-oscp'
'(-r --resume)'{-r,--resume}'[establish a session and resume]'
'(-e --rehandshake)'{-e,--rehandshake}'[connect, establish a session and rehandshake immediately]'
'(-s --starttls)'{-s,--starttls}'[start TLS on EOF or SIGALRM]'
'--crlf[send CR LF instead of LF]'
'--fastopen[enable TCP Fast Open]'
'(-f --fingerprint)'{-f,--fingerprint}'[send the openpgp fingerprint instead of the key]'
"--print-cert[print peer's certificate in PEM format]"
"--save-cert=[save peer's certificate chain in the specified file in PEM format]:file:_files"
"--save-ocsp=[save peer's OCSP status response in the provided file]:file:_files"
'--dh-bits=[specify minimum number of bits allowed for DH]:bits'
'--srpusername[specify SRP username to use]:username'
'--srppasswd[specify SRP password to use]:password'
'--pskusername[specify PSK username to use]:username'
'--pskkey[specify PSK key to use]:key'
"--insecure[don't require server cert validation]"
'--ranges[use length-hiding padding to prevent traffic analysis]'
'--benchmark-ciphers[benchmark individual ciphers]'
'--benchmark-soft-ciphers[benchmark individual software ciphers]'
'--benchmark-tls-kx[benchmark TLS key exchange methods]'
'--benchmark-tls-ciphers[benchmark TLS ciphers]'
'--priority-list[print list of the supported priority strings]'
'*--alpn=[enable application layer protocol]:string'
'--recordsize=[specify maximum record size to advertize]:record size'
"--disable-sni[don't send a Server Name]"
'--disable-extensions[disable all the TLS extensions]'
'--inline-commands[inline commands of the form ^<cmd>^]'
'--inline-commands-prefix=[change delimiter used for inline commands]:delimiter [^]'
'--fips140-mode[report status of FIPS140-2 mode in gnutls library]'
)
;;
gnutls-serv)
args+=(
'--sni-hostname-fatal[send fatal alert on sni-hostname mismatch]'
'(-g --generate)'{-g,--generate}'[generate Diffie-Hellman parameters]'
'(-q --quiet)'{-q,--quiet}'[suppress some messages]'
"--nodb[don't use a resumption database]"
'--http[act as an HTTP server]'
'--echo[act as an Echo server]'
'(-a --disable-client-cert)'{-a,--disable-client-cert}"[don't request a client certificate]"
'(-r --require-client-cert)'{-r,--require-client-cert}'[require a client certificate]'
'--verify-client-cert[if a client certificate is sent then verify it]'
'--dhparams=[specify DH params file to use]:file:_files'
'--x509dsakeyfile=[specify alternative X.509 key file to use]:file:_files'
'--x509dsacertfile=[specify alternative X.509 certificate file to use]:file:_files'
'--x509ecckeyfile=[specify alternative X.509 key file to use]:file:_files'
'--x509ecccertfile=[specify alternative X.509 certificate file to use]:file:_files'
'--srppasswd=[specify SRP password file to use]:file:_files'
'--srppasswdconf=[specify SRP password configuration file to use]:file:_files'
'--pskpasswd=[specify PSK password file to use]:file:_files'
'--pskhint=[specify PSK identity hint to use]:string'
'--ocsp-response=[specify OCSP response to send to client]:file:_files'
)
;;
certtool)
args+=(
'--infile:input file:_files '
'--outfile:output file:_files '
'(-s --generate-self-signed)'{-s,--generate-self-signed}'[generate a self-signed certificate]'
'(-c --generate-certificate)'{-c,--generate-certificate}'[generate a signed certificate]'
'--generate-proxy[generate a proxy certificate]'
'--generate-crl[generate a CRL]'
'(-u --update-certificate)'{-u,--update-certificate}'[update a signed certificate]'
'(-p --generate-privkey)'{-p,--generate-privkey}'[generate a private key]'
'(-q --generate-request)'{-q,--generate-request}'[generate a PKCS #10 certificate request]'
'(-e --verify-chain)'{-e,--verify-chain}'[verify a PEM encoded certificate chain]'
'--verify[verify a PEM encoded certificate chain using a trusted list]'
'--verify-crl[verify a CRL]'
'--generate-dh-params[generate PKCS #3 encoded Diffie Hellman parameters]'
'--get-dh-params[get the included PKCS #3 encoded Diffie Hellman parameters]'
'--dh-info[print information PKCS #3 encoded Diffie-Hellman parameters]'
'--load-privkey:private key file:_files'
'--load-pubkey:public key file:_files'
'--load-request:certificate request file:_files'
'--load-certificate:certificate file:_files'
'--load-ca-privkey:certificate authority private key file:_files'
'--load-ca-certificate:certificate authority certificate file:_files'
'--password:password'
'--hex-numbers[big number in an easier format to parse]'
'--cprint[prints certain information is C-friendly format]'
'--null-password[enforce a NULL password]'
'--empty-password[enforce an empty password]'
'(-i --certificate-info)'{-i,--certificate-info}'[print information on a certificate]'
'--certificate-pubkey[print certificate public key]'
'(-l --crl-info)'{-l,--crl-info}'[print information on a CRL]'
'--crq-info[print information on a certificate request]'
"--no-crq-extensions[don't use extensions in certificate requests]"
'--p12-info[print information on a PKCS #12 structure]'
'--p7-info[print information on a PKCS #7 structure]'
'--smime-to-p7[convert S/MIME to PKCS #7 structure]'
'(-k --key-info)'{-k,--key-info}'[print information on a private key]'
'--pgp-key-info[print information on a OpenPGP private key]'
'--pubkey-info[print information on a public key]'
'--fix-key[regenerate the parameters in a private key]'
'--to-p12[generate a PKCS #12 structure]'
'(-8 --pkcs8)'{-8,--pkcs8}'[use PKCS #8 format for private keys]'
'--dsa[use DSA keys]'
'--hash:hash algorithm for signing:(MD5 SHA1 RMD160)'
'--export-ciphers[use weak encryption algorithms]'
'--inder[use DER format for input certificates and private keys]'
'--xml[use XML format for output certificates]'
'--outder[use DER format for output certificates and private keys]'
'--bits:number of bits for key generation'
'--sec-param[specify the security level]:security level:(low normal high ultra)'
'--disable-quick-random[use /dev/random for key generation, thus increasing the quality of randomness used]'
'--template:template file to use for non-interactive operation:_files'
'--pkcs-cipher[specify cipher to use for pkcs operations]:cipher:(3des 3des-pkcs12 aes-128 aes-192 aes-256 rc2-40 arcfour)'
)
;;
srptool)
args+=(
'(-i --index)'{-i+,--index=}':index of params in tpasswd.conf'
'(-u --username)'{-u+,--username=}':username:_users'
'(-p --passwd)'{-p+,--passwd=}':password file:_files'
'(-s --salt)'{-s+,--salt=}'[specify salt size]:salt size for crypt algorithm'
'--verify[just verify password]'
'(-v --passwd-conf)'{-v+,--passwd-conf=}'[generate a password configuration file]:password conf file:_files'
'--create-conf=[generate a tpasswd.conf file]:file:_files'
)
;;
esac
_arguments -s -S $args
|