author | Yves-Alexis Perez <corsac@corsac.net> | 2017-04-01 16:26:44 +0200 |
---|---|---|
committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-04-01 16:26:44 +0200 |
commit | 05ddd767992d68bb38c7f16ece142e8c2e9ae016 (patch) | |
tree | 302c618be306d4ed3c7f9fc58a1f6aaad4dd252f /src/pki/man | |
parent | 25663e04c3ab01ef8dc9f906608282319cfea2db (diff) | |
download | vyos-strongswan-05ddd767992d68bb38c7f16ece142e8c2e9ae016.tar.gz vyos-strongswan-05ddd767992d68bb38c7f16ece142e8c2e9ae016.zip |
New upstream version 5.5.2
Diffstat (limited to 'src/pki/man')
-rw-r--r-- | src/pki/man/Makefile.in | 2 | ||||
-rw-r--r-- | src/pki/man/pki---acert.1.in | 3 | ||||
-rw-r--r-- | src/pki/man/pki---gen.1.in | 5 | ||||
-rw-r--r-- | src/pki/man/pki---issue.1.in | 20 | ||||
-rw-r--r-- | src/pki/man/pki---keyid.1.in | 10 | ||||
-rw-r--r-- | src/pki/man/pki---print.1.in | 6 | ||||
-rw-r--r-- | src/pki/man/pki---pub.1.in | 4 | ||||
-rw-r--r-- | src/pki/man/pki---req.1.in | 10 | ||||
-rw-r--r-- | src/pki/man/pki---self.1.in | 18 | ||||
-rw-r--r-- | src/pki/man/pki---signcrl.1.in | 3 |
10 files changed, 60 insertions, 21 deletions
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in index 030d6be53..e40aca3b4 100644 --- a/src/pki/man/Makefile.in +++ b/src/pki/man/Makefile.in @@ -315,7 +315,6 @@ exec_prefix = @exec_prefix@ fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ -h_plugins = @h_plugins@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ @@ -350,6 +349,7 @@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ +p_plugins = @p_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in index d7460fd1f..c6ecbb989 100644 --- a/src/pki/man/pki---acert.1.in +++ b/src/pki/man/pki---acert.1.in @@ -63,7 +63,8 @@ Issuer private key file. Either this or is required. .TP .BI "\-x, \-\-issuerkeyid " hex -Key ID of a issuer private key on a smartcard. Either this or +Smartcard or TPM issuer private key object handle in hex format with an optional +h0x prefix. Either this or .B \-\-issuerkey is required. .TP diff --git a/src/pki/man/pki---gen.1.in b/src/pki/man/pki---gen.1.in index 138ab6122..4c61ead9c 100644 --- a/src/pki/man/pki---gen.1.in +++ b/src/pki/man/pki---gen.1.in @@ -1,4 +1,4 @@ -.TH "PKI \-\-GEN" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +.TH "PKI \-\-GEN" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan" . .SH "NAME" . @@ -45,7 +45,8 @@ Set debug level, default: 1. Read command line options from \fIfile\fR. .TP .BI "\-t, \-\-type " type -Type of key to generate. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR. +Type of key to generate. Either \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR or +\fIbliss\fR, defaults to \fIrsa\fR. .TP .BI "\-s, \-\-size " bits Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR. diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in index bfc7bb1a5..99cc64fa5 100644 --- a/src/pki/man/pki---issue.1.in 
+++ b/src/pki/man/pki---issue.1.in @@ -1,4 +1,4 @@ -.TH "PKI \-\-ISSUE" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan" +.TH "PKI \-\-ISSUE" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan" . .SH "NAME" . @@ -24,6 +24,7 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key .OP \-\-ocsp uri .OP \-\-pathlen len .OP \-\-nc-permitted name +.OP \-\-addrblock block .OP \-\-nc-excluded name .OP \-\-policy\-mapping mapping .OP \-\-policy\-explicit len @@ -68,9 +69,9 @@ key/request is read from \fISTDIN\fR. .TP .BI "\-t, \-\-type " type Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key), -\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS -private key) or \fIpkcs10\fR (PKCS#10 certificate request), defaults to -\fIpub\fR. +\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), +\fIed25519\fR (Ed25519 private key) \fIbliss\fR (BLISS private key) or +\fIpkcs10\fR (PKCS#10 certificate request), defaults to \fIpub\fR. .TP .BI "\-k, \-\-cakey " file CA private key file. Either this or @@ -78,7 +79,8 @@ CA private key file. Either this or is required. .TP .BI "\-x, \-\-cakeyid " hex -Key ID of a CA private key on a smartcard. Either this or +Smartcard or TPM CA private key object handle in hex format with an optional +0x prefix. Either this or .B \-\-cakey is required. .TP 
@@ -148,6 +150,14 @@ times. .BI "\-p, \-\-pathlen " len Set path length constraint. .TP +.BI "\-B, \-\-addrblock " block +RFC 3779 address block to include in certificate. \fIblock\fR is either a +CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range +(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks. +Please note that the supplied blocks are included in the certificate as is, +so for standards compliance, multiple blocks must be supplied in correct +order and adjacent blocks must be combined. Refer to RFC 3779 for details. +.TP .BI "\-n, \-\-nc-permitted " name Add permitted NameConstraint extension to certificate. For DNS or email constraints, the identity type is not always detectable by the given name. Use diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in index c69f7cbc7..148b95ec3 100644 --- a/src/pki/man/pki---keyid.1.in +++ b/src/pki/man/pki---keyid.1.in @@ -7,7 +7,9 @@ pki \-\-keyid \- Calculate key identifiers of a key or certificate .SH "SYNOPSIS" . .SY pki\ \-\-keyid -.OP \-\-in file +.RB [ \-\-in +.IR file | \fB\-\-keyid\fR +.IR hex ] .OP \-\-type type .OP \-\-debug level .YS @@ -43,6 +45,10 @@ Read command line options from \fIfile\fR. .BI "\-i, \-\-in " file Input file. If not given the input is read from \fISTDIN\fR. .TP +.BI "\-x, \-\-keyid " hex +Smartcard or TPM private key object handle in hex format with an optional +0x prefix. +.TP .BI "\-t, \-\-type " type Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS private key), @@ -70,4 +76,4 @@ Calculate key identifiers of an X.509 certificate: . .SH "SEE ALSO" . -.BR pki (1)
\ No newline at end of file +.BR pki (1) diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in index 09f81cdaa..65fb8bc46 100644 --- a/src/pki/man/pki---print.1.in +++ b/src/pki/man/pki---print.1.in @@ -1,4 +1,4 @@ -.TH "PKI \-\-PRINT" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +.TH "PKI \-\-PRINT" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan" . .SH "NAME" . @@ -47,8 +47,8 @@ Input file. If not given the input is read from \fISTDIN\fR. Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key), \fpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private -key), \fIbliss\fR (BLISS private key), \fIpriv\fR (private key), defaults to -\fIx509\fR. +key), \fIed25519\fR (Ed25519 private key), \fIbliss\fR (BLISS private key), +\fIpriv\fR (private key), defaults to \fIx509\fR. . .SH "SEE ALSO" . diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in index fe6c520f4..006b7aefa 100644 --- a/src/pki/man/pki---pub.1.in +++ b/src/pki/man/pki---pub.1.in @@ -46,6 +46,10 @@ Read command line options from \fIfile\fR. .BI "\-i, \-\-in " file Input file. If not given the input is read from \fISTDIN\fR. .TP +.BI "\-x, \-\-keyid " hex +Smartcard or TPM private key object handle in hex format with an optional +0x prefix. +.TP .BI "\-t, \-\-type " type Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10 diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in index 4a39c5c94..09ef0862a 100644 --- a/src/pki/man/pki---req.1.in +++ b/src/pki/man/pki---req.1.in @@ -7,7 +7,9 @@ pki \-\-req \- Create a PKCS#10 certificate request .SH "SYNOPSIS" . .SY pki\ \-\-req -.OP \-\-in file +.RB [ \-\-in +.IR file | \fB\-\-keyid\fR +.IR hex ] .OP \-\-type type .BI \-\-dn\~ distinguished-name .OP \-\-san subjectAltName 
@@ -48,6 +50,10 @@ Read command line options from \fIfile\fR. .BI "\-i, \-\-in " file Private key input file. If not given the key is read from \fISTDIN\fR. .TP +.BI "\-x, \-\-keyid " hex +Smartcard or TPM private key object handle in hex format with an optional +0x prefix. +.TP .BI "\-t, \-\-type " type Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR, defaults to \fIpriv\fR. @@ -89,4 +95,4 @@ Generate a certificate request for an ECDSA key and a different digest: . .SH "SEE ALSO" . -.BR pki (1)
\ No newline at end of file +.BR pki (1) diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in index 9461e3eff..aa7e6fabe 100644 --- a/src/pki/man/pki---self.1.in +++ b/src/pki/man/pki---self.1.in @@ -1,4 +1,4 @@ -.TH "PKI \-\-SELF" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan" +.TH "PKI \-\-SELF" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan" . .SH "NAME" . @@ -22,6 +22,7 @@ pki \-\-self \- Create a self-signed certificate .OP \-\-ca .OP \-\-ocsp uri .OP \-\-pathlen len +.OP \-\-addrblock block .OP \-\-nc-permitted name .OP \-\-nc-excluded name .OP \-\-policy\-mapping mapping @@ -65,11 +66,12 @@ Read command line options from \fIfile\fR. Private key input file. If not given the key is read from \fISTDIN\fR. .TP .BI "\-x, \-\-keyid " hex -Key ID of a private key on a smartcard. +Smartcard or TPM private key object handle in hex format with an optional +0x prefix. .TP .BI "\-t, \-\-type " type -Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR, -defaults to \fIpriv\fR. +Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR +or \fIbliss\fR, defaults to \fIpriv\fR. .TP .BI "\-d, \-\-dn " distinguished-name Subject and issuer distinguished name (DN). Required. 
@@ -127,6 +129,14 @@ times. .BI "\-p, \-\-pathlen " len Set path length constraint. .TP +.BI "\-B, \-\-addrblock " block +RFC 3779 address block to include in certificate. \fIblock\fR is either a +CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range +(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks. +Please note that the supplied blocks are included in the certificate as is, +so for standards compliance, multiple blocks must be supplied in correct +order and adjacent blocks must be combined. Refer to RFC 3779 for details. +.TP .BI "\-n, \-\-nc-permitted " name Add permitted NameConstraint extension to certificate. For DNS or email constraints, the identity type is not always detectable by the given name. Use diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in index b930bfa3c..b901ad084 100644 --- a/src/pki/man/pki---signcrl.1.in +++ b/src/pki/man/pki---signcrl.1.in @@ -56,7 +56,8 @@ CA private key file. Either this or is required. .TP .BI "\-x, \-\-cakeyid " hex -Key ID of a CA private key on a smartcard. Either this or +Smartcard or TPM CA private key object handle in hex format with an optional +0x prefix. Either this or .B \-\-cakey is required. .TP |