#compdef gnutls-cli gnutls-cli-debug gnutls-serv certtool srptool local -a args args=( '(- :)'{-h,--help}'[display help information]' '(- :)--version=[display version information]:information:((v\:simple c\:copyright n\:full))' '(- :)-v[display version information]' '(- :)'{-\!,--more-help}'[display help information through a pager]' '(-d --debug)'{-d,--debug}'[enable debugging]:debug level' \*{-V,--verbose}'[more verbose output]' ) case "$service" in gnutls-*) args+=( '(-p --port)'{-p,--port}'[specify port or service to connect to]:port:_ports' ) ;| gnutls-cli*) args+=( '(--app-proto --starttls-proto)'{--app-proto,--starttls-proto}"=[specify application protocol to use to obtain the server's certificate]:protocol:(https ftp smtp imap ldap xmpp lmtp pop3 nntp sieve postgres)" ':hostname:_hosts' ) ;| gnutls-cli|gnutls-serv) args+=( "--sni-hostname=[specify server's hostname for server name indication extension]:hostname" "--noticket[don't accept session tickets]" '(-u --udp)'{-u,--udp}'[use DTLS (datagram TLS) over UDP]' '--mtu=[set MTU for datagram TLS]:mtu' '--srtp-profiles=[offer SRTP profiles]:string' '(-b --heartbeat)'{-b,--heartbeat}'[activate heartbeat support]' '--x509fmtder[use DER format for certificates to read from]' '--priority=[specify TLS algorithms and protocols to enable]:(NORMAL PFS SECURE128 SECURE192 SUITEB128 SUITEB192 LEGACY PERFORMANCE NONE)' '--x509cafile=[specify certificate file to use]:file:_files' '--x509crlfile=[specify CRL file to use]:file:_files' '--pgpkeyfile=[specify PGP key file to use]:file:_files' '--pgpkeyring=[specify PGP key ring file to use]:file:_files' '--pgpcertfile=[specify PGP public key (certificate) file to use]:file:_files' '--x509keyfile=[specify X.509 key file to use]:file:_files' '--x509certfile=[specify X.509 certificate file to use]:file:_files' '--pgpsubkey=[specify PGP subkey to use]:sub key' '(-l --list -p --port)'{-l,--list}'[print list of the supported algorithms/modes]' '--provider=[specify PKCS #11 provider library]:provider:_files' ) ;| gnutls-cli) args+=( '--tofu[enable trust on first use authentication]' '!--no-tofu' '--strict-tofu[fail to connect if a known certificate has changed]' '!--no-strict-tofu' '--dane[enable DANE certificate verification (DNSSEC)]' '!--no-dane' '--local-dns[use the local DNS server for DNSSEC resolving]' '!--no-local-dna' '--no-ca-verification[disable CA certificate verification]' '!--ca-verification' '--ocsp[enable OCSP certificate verification]' '!--no-oscp' '(-r --resume)'{-r,--resume}'[establish a session and resume]' '(-e --rehandshake)'{-e,--rehandshake}'[connect, establish a session and rehandshake immediately]' '(-s --starttls)'{-s,--starttls}'[start TLS on EOF or SIGALRM]' '--crlf[send CR LF instead of LF]' '--fastopen[enable TCP Fast Open]' '(-f --fingerprint)'{-f,--fingerprint}'[send the openpgp fingerprint instead of the key]' "--print-cert[print peer's certificate in PEM format]" "--save-cert=[save peer's certificate chain in the specified file in PEM format]:file:_files" "--save-ocsp=[save peer's OCSP status response in the provided file]:file:_files" '--dh-bits=[specify minimum number of bits allowed for DH]:bits' '--srpusername[specify SRP username to use]:username' '--srppasswd[specify SRP password to use]:password' '--pskusername[specify PSK username to use]:username' '--pskkey[specify PSK key to use]:key' "--insecure[don't require server cert validation]" '--ranges[use length-hiding padding to prevent traffic analysis]' '--benchmark-ciphers[benchmark individual ciphers]' '--benchmark-soft-ciphers[benchmark individual software ciphers]' '--benchmark-tls-kx[benchmark TLS key exchange methods]' '--benchmark-tls-ciphers[benchmark TLS ciphers]' '--priority-list[print list of the supported priority strings]' '*--alpn=[enable application layer protocol]:string' '--recordsize=[specify maximum record size to advertize]:record size' "--disable-sni[don't send a Server Name]" '--disable-extensions[disable all the TLS extensions]' '--inline-commands[inline commands of the form ^^]' '--inline-commands-prefix=[change delimiter used for inline commands]:delimiter [^]' '--fips140-mode[report status of FIPS140-2 mode in gnutls library]' ) ;; gnutls-serv) args+=( '--sni-hostname-fatal[send fatal alert on sni-hostname mismatch]' '(-g --generate)'{-g,--generate}'[generate Diffie-Hellman parameters]' '(-q --quiet)'{-q,--quiet}'[suppress some messages]' "--nodb[don't use a resumption database]" '--http[act as an HTTP server]' '--echo[act as an Echo server]' '(-a --disable-client-cert)'{-a,--disable-client-cert}"[don't request a client certificate]" '(-r --require-client-cert)'{-r,--require-client-cert}'[require a client certificate]' '--verify-client-cert[if a client certificate is sent then verify it]' '--dhparams=[specify DH params file to use]:file:_files' '--x509dsakeyfile=[specify alternative X.509 key file to use]:file:_files' '--x509dsacertfile=[specify alternative X.509 certificate file to use]:file:_files' '--x509ecckeyfile=[specify alternative X.509 key file to use]:file:_files' '--x509ecccertfile=[specify alternative X.509 certificate file to use]:file:_files' '--srppasswd=[specify SRP password file to use]:file:_files' '--srppasswdconf=[specify SRP password configuration file to use]:file:_files' '--pskpasswd=[specify PSK password file to use]:file:_files' '--pskhint=[specify PSK identity hint to use]:string' '--ocsp-response=[specify OCSP response to send to client]:file:_files' ) ;; certtool) args+=( '--infile:input file:_files ' '--outfile:output file:_files ' '(-s --generate-self-signed)'{-s,--generate-self-signed}'[generate a self-signed certificate]' '(-c --generate-certificate)'{-c,--generate-certificate}'[generate a signed certificate]' '--generate-proxy[generate a proxy certificate]' '--generate-crl[generate a CRL]' '(-u --update-certificate)'{-u,--update-certificate}'[update a signed certificate]' '(-p --generate-privkey)'{-p,--generate-privkey}'[generate a private key]' '(-q --generate-request)'{-q,--generate-request}'[generate a PKCS #10 certificate request]' '(-e --verify-chain)'{-e,--verify-chain}'[verify a PEM encoded certificate chain]' '--verify[verify a PEM encoded certificate chain using a trusted list]' '--verify-crl[verify a CRL]' '--generate-dh-params[generate PKCS #3 encoded Diffie Hellman parameters]' '--get-dh-params[get the included PKCS #3 encoded Diffie Hellman parameters]' '--dh-info[print information PKCS #3 encoded Diffie-Hellman parameters]' '--load-privkey:private key file:_files' '--load-pubkey:public key file:_files' '--load-request:certificate request file:_files' '--load-certificate:certificate file:_files' '--load-ca-privkey:certificate authority private key file:_files' '--load-ca-certificate:certificate authority certificate file:_files' '--password:password' '--hex-numbers[big number in an easier format to parse]' '--cprint[prints certain information is C-friendly format]' '--null-password[enforce a NULL password]' '--empty-password[enforce an empty password]' '(-i --certificate-info)'{-i,--certificate-info}'[print information on a certificate]' '--certificate-pubkey[print certificate public key]' '(-l --crl-info)'{-l,--crl-info}'[print information on a CRL]' '--crq-info[print information on a certificate request]' "--no-crq-extensions[don't use extensions in certificate requests]" '--p12-info[print information on a PKCS #12 structure]' '--p7-info[print information on a PKCS #7 structure]' '--smime-to-p7[convert S/MIME to PKCS #7 structure]' '(-k --key-info)'{-k,--key-info}'[print information on a private key]' '--pgp-key-info[print information on a OpenPGP private key]' '--pubkey-info[print information on a public key]' '--fix-key[regenerate the parameters in a private key]' '--to-p12[generate a PKCS #12 structure]' '(-8 --pkcs8)'{-8,--pkcs8}'[use PKCS #8 format for private keys]' '--dsa[use DSA keys]' '--hash:hash algorithm for signing:(MD5 SHA1 RMD160)' '--export-ciphers[use weak encryption algorithms]' '--inder[use DER format for input certificates and private keys]' '--xml[use XML format for output certificates]' '--outder[use DER format for output certificates and private keys]' '--bits:number of bits for key generation' '--sec-param[specify the security level]:security level:(low normal high ultra)' '--disable-quick-random[use /dev/random for key generation, thus increasing the quality of randomness used]' '--template:template file to use for non-interactive operation:_files' '--pkcs-cipher[specify cipher to use for pkcs operations]:cipher:(3des 3des-pkcs12 aes-128 aes-192 aes-256 rc2-40 arcfour)' ) ;; srptool) args+=( '(-i --index)'{-i+,--index=}':index of params in tpasswd.conf' '(-u --username)'{-u+,--username=}':username:_users' '(-p --passwd)'{-p+,--passwd=}':password file:_files' '(-s --salt)'{-s+,--salt=}'[specify salt size]:salt size for crypt algorithm' '--verify[just verify password]' '(-v --passwd-conf)'{-v+,--passwd-conf=}'[generate a password configuration file]:password conf file:_files' '--create-conf=[generate a tpasswd.conf file]:file:_files' ) ;; esac _arguments -s -S $args