Document new -X flag

ProcursusTeam · Mar 19, 2024 · 68af298 · 68af298
1 parent 22304ec
commit 68af298
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 7 deletions.
diff --git a/PKCS11.md b/PKCS11.md
@@ -17,8 +17,8 @@ yubico-piv-tool -s 9c -a import-certificate -i cert.crt.pem
 yubico-piv-tool -s 9c -a import-key -i key.pem
 yubico-piv-tool -s 9c -a set-chuid
 ```
-3. You can use `p11tool --list-privkeys --login` to identify the URI for the slot (make sure that `type` is not in the URI, as seperate URIs for the cert and private key are not currently supported from the command line)
+3. You can use `p11tool --list-privkeys --login` and `p11tool --list-certs --login` to help identify the URIs for the private key and certificate
 
 ## Sign
-1. `ldid -K'pkcs11:model=YubiKey%20YK5;id=%02' -Sents.xml ls.bin`
+1. `ldid -K'pkcs11:object=Private%20key%20for%20Digital%20Signature;type=private' -X'pkcs11:object=X.509%20Certificate%20for%20Digital%20Signature;type=cert' -Sents.xml ls.bin`
 2. If the correct PKCS#11 module is not being loaded, try setting `PKCS11_MODULE_PATH` in your environment (ex. `export PKCS11_MODULE_PATH="/usr/local/lib/p11-kit-proxy.so"` or `PKCS11_MODULE_PATH="/usr/local/lib/libykcs11.so"`)
diff --git a/docs/ldid.1 b/docs/ldid.1
@@ -20,7 +20,7 @@
 .Op Fl H Ns Op Ar sha1 | Ar sha256
 .Op Fl h
 .Op Fl I Ns Ar name
-.Op Fl K Ns Ar file Op Fl U Ns Ar password
+.Op Fl K Ns Ar file Oo Fl U Ns Ar password Oc Op Fl X Ns Ar file
 .Op Fl M
 .Op Fl P Ns Op Ar num
 .Op Fl Q Ns Ar requirements
@@ -108,6 +108,8 @@ If the
 has a password, you will be prompted for it,
 or you can specify from the command line with
 .Fl U .
+To specify the certificate separate from the private key, use
+.Fl X .
 .It Fl M
 When used with
 .Fl S ,
@@ -160,6 +162,14 @@ target is a bundle directory, and not a specific Mach-O file.
 .Fl w
 can be used on any bundle, not just the root .app, including frameworks,
 appexes, and more.
+.It Fl X Ns Ar file
+Use the certificate in
+.Ar file .
+Only used if the private key is a
+.Ar pkcs11:
+URI, and must also be a
+.Ar pkcs11:
+URI.
 .El
 .Sh EXAMPLES
 To fakesign

diff --git a/ldid.cpp b/ldid.cpp
@@ -3751,13 +3751,11 @@ int main(int argc, char *argv[]) {
 
     if (!key.empty()) {
 #if SMARTCARD
-        if (key.compare(0, 7, "pkcs11:") == 0) {
+        if (key.compare(0, 7, "pkcs11:") == 0)
             signer = new P11Signer(key, certuri.empty() ? key : certuri);
-        } else
+        else
 #endif
-        {
             signer = new P12Signer(Buffer(Map(key, O_RDONLY)));
-        }
     }
 
     size_t filei(0), filee(0);

diff --git a/ldid.hpp b/ldid.hpp
@@ -161,6 +161,7 @@ struct Bundle {
 
 class Signer {
   public:
+    virtual ~Signer() {};
     virtual operator EVP_PKEY *() const = 0;
     virtual operator X509 *() const = 0;
     virtual operator STACK_OF(X509) *() const = 0;