Diffstat (limited to 'openssl/client/options.cli')
-rw-r--r--openssl/client/options.cli109
1 files changed, 109 insertions, 0 deletions
diff --git a/openssl/client/options.cli b/openssl/client/options.cli
new file mode 100644
index 0000000..4a2872a
--- /dev/null
+++ b/openssl/client/options.cli
@@ -0,0 +1,109 @@
+// file : openssl/client/options.cli
+// copyright : Copyright (c) 2014-2018 Code Synthesis Ltd
+// license : MIT; see accompanying LICENSE file
+
+include <openssl/options.cli>;
+
+"\section=1"
+"\name=openssl-client"
+"\summary=OpenSSL client"
+
+namespace openssl
+{
+ namespace client
+ {
+ {
+ "<options>",
+
+ "
+ \h|SYNOPSIS|
+
+ \c{\b{openssl-client --help}\n
+ \b{openssl-client --version}\n
+ \b{openssl-client} rsautl [<options>]}
+
+ \h|DESCRIPTION|
+
+ The \cb{rsautl} command is a drop-in replacement for the
+ \cb{openssl-rsautl(1)} cryptographic operations. Instead of performing
+ the operations itself, it forwards the request to an OpenSSL key agent
+ that keeps the private key unlocked for the session.
+
+ Currently, data signing with a private key stored in a \cb{PKCS#11}
+ token is the only supported arrangement. This limits the
+ \cb{openssl-rsautl(1)} options and values to the following usage:
+
+ \
+ $ openssl-client rsautl -sign -keyform engine -engine pkcs11 -inkey pkcs11:...
+ \
+
+ This command reads data from \cb{stdin}, asks
+ \cb{openssl-agent-pkcs11(1)} to sign it using the specified unlocked
+ private key, and prints the resulting signature to \cb{stdout}.
+
+ The command can be simulated without actually performing any
+ cryptographic operations. If the \cb{--simulate} option is specified
+ with the \cb{success} outcome, then the command prints a dummy signature
+ produced by the agent and exits with zero status. The \cb{failure}
+ outcome causes it to print the diagnostics to \cb{stderr} and exit with
+ non-zero status. This mode is mostly useful for OpenSSL key agents
+ testing.
+ "
+ }
+
+ class options
+ {
+ "\h|OPTIONS|"
+
+ bool --help {"Print usage information and exit."}
+ bool --version {"Print version and exit."}
+
+ bool -sign
+ {
+ "Sign data read from \cb{stdin}."
+ }
+
+ string -keyform
+ {
+ "<form>",
+ "Private key format. The only supported format is \cb{engine}."
+ }
+
+ string -engine
+ {
+ "<engine>",
+ "Engine to use for the cryptographic operation. The only supported
+ engine is \cb{pkcs11}."
+ }
+
+ string -inkey
+ {
+ "<location>",
+ "Private key location. Its format (file path, URL, etc) depends on the
+ engine used. For the \cb{pkcs11} engine it should be a \cb{PKCS#11}
+ URL."
+ }
+
+ simulate_outcome --simulate
+ {
+ "<outcome>",
+ "Ask the agent to simulate the cryptographic operation instead of
+ performing it for real."
+ }
+ };
+
+ "
+ \h|ENVIRONMENT|
+
+ If \cb{-engine} is \cb{pkcs11}, then the \cb{OPENSSL_AGENT_PKCS11_SOCK}
+ environment variable should be set to the Unix-domain socket of the
+ \cb{openssl-agent-pkcs11(1)} daemon.
+ "
+
+ "
+ \h|EXIT STATUS|
+
+ Non-zero exit status is returned in case of an error.
+ "
+ }
+}
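Review bot: The `-inkey` option documentation (the `string -inkey` block) describes the value as a PKCS#11 URL but does not say that the URL must not carry the token PIN, even though RFC 7512 URLs can embed one (the `pin-value` attribute) and command-line arguments are visible to other users of the host through process listings. Since the DESCRIPTION already states that the agent keeps the private key unlocked for the session, the PIN is not needed by this command, so the description should say so explicitly, e.g. append `"The URL should not contain the token PIN: the agent already holds the key unlocked, and command-line arguments are readable by other processes."`. It would also help to note in the ENVIRONMENT section that `OPENSSL_AGENT_PKCS11_SOCK` must point at a socket owned by the invoking user, since whoever can connect to it can request signatures with the unlocked key; I am inferring that access model from the description, so confirm it against the agent before adding the sentence.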