doc: beautify pkcs11-tool man page examples

frankmorgner · frankmorgner · commit 748bae4f0288 · 2024-02-21T09:17:02.000+01:00
diff --git a/doc/tools/pkcs11-tool.1.xml b/doc/tools/pkcs11-tool.1.xml
@@ -710,19 +710,19 @@
 			Perform a basic functionality test of the card:
 				<programlisting>pkcs11-tool --test --login</programlisting>
 
-			To list all certificates on the smart card:
+			List all certificates on the smart card:
 				<programlisting>pkcs11-tool --list-objects --type cert</programlisting>
 
-			To read the certificate with ID <replaceable>KEY_ID</replaceable>
-			in DER format from smart card:
-				<programlisting>pkcs11-tool --read-object --id KEY_ID --type cert --output-file cert.der</programlisting>
+			Read the certificate with ID <varname>CERT_ID</varname>
+			in DER format from smart card and convert it to PEM via OpenSSL:
+			<programlisting>
+pkcs11-tool --read-object --id $CERT_ID --type cert \
+					--output-file cert.der
+openssl x509 -inform DER -in cert.der -outform PEM > cert.pem
+			</programlisting>
 
-			Write certificate to token:
-				<programlisting> pkcs11-tool --login --write-object certificate.der --type cert</programlisting>
-
-			To convert the certificate in DER format to PEM format, use OpenSSL
-			tools:
-				<programlisting>openssl x509 -inform DER -in cert.der -outform PEM > cert.pem</programlisting>
+			Write a certificate to token:
+				<programlisting>pkcs11-tool --login --write-object certificate.der --type cert</programlisting>
 
 			Generate new RSA Key pair:
 				<programlisting>pkcs11-tool --login --keypairgen --key-type RSA:2048</programlisting>
@@ -732,58 +732,69 @@
 
 			Generate an elliptic curve key pair with OpenSSL and import it to the card as <varname>$ID</varname>:
 				<programlisting>openssl genpkey -out EC_private.der -outform DER \
- -algorithm EC -pkeyopt ec_paramgen_curve:P-521
+	-algorithm EC -pkeyopt ec_paramgen_curve:P-521
 pkcs11-tool --write-object EC_private.der --id "$ID" \
- --type privkey --label "EC private key" -p "$PIN"
+	--type privkey --label "EC private key" -p "$PIN"
 openssl pkey -in EC_private.der -out EC_public.der \
- -pubout -inform DER -outform DER
+	-pubout -inform DER -outform DER
 pkcs11-tool --write-object EC_public.der --id "$ID" \
- --type pubkey  --label "EC public key" -p $PIN</programlisting>
+	--type pubkey  --label "EC public key" -p $PIN</programlisting>
 
 			List private keys:
 				<programlisting>pkcs11-tool --login --list-objects --type privkey</programlisting>
 
-			To sign some data stored in file <replaceable>data</replaceable>
-			using the private key with ID <replaceable>ID</replaceable> and
+			Sign some data stored in file <filename>data</filename>
+			using the private key with ID <varname>ID</varname> and
 			using the RSA-PKCS mechanism:
-				<programlisting>pkcs11-tool --sign --id ID --mechanism RSA-PKCS --input-file data --output-file data.sig</programlisting>
+			<programlisting>
+pkcs11-tool --sign --id $ID --mechanism RSA-PKCS \
+	--input-file data --output-file data.sig
+			</programlisting>
 			The same is also possible by piping the data from stdin rather than specifying a input file:
-				<programlisting>dd if=data bs=128 count=1 | pkcs11-tool --sign --id ID --mechanism RSA-PKCS --pin=$PIN > data.sig</programlisting>
+			<programlisting>
+dd if=data bs=128 count=1 \
+	| pkcs11-tool --sign --id $ID --mechanism RSA-PKCS \
+	> data.sig
+			</programlisting>
 
 			Verify the signed data:
-<programlisting>pkcs11-tool --id ID --verify -m RSA-PKCS --input-file data --signature-file data.sig</programlisting>
+			<programlisting>
+pkcs11-tool --id ID --verify -m RSA-PKCS \
+	--input-file data --signature-file data.sig
+			</programlisting>
 
 			To encrypt file using the AES key with ID 85 and using mechanism AES-CBC with padding:
 				<programlisting>
 pkcs11-tool --login --encrypt --id 85 -m AES-CBC-PAD \
- --iv "00000000000000000000000000000000" \
- -i file.txt -o encrypted_file.data
-			Decipher the encrypted file:
+	--iv "00000000000000000000000000000000" \
+	-i file.txt -o encrypted_file.data
 				</programlisting>
+			Decipher the encrypted file:
+				<programlisting>
 pkcs11-tool --login --decrypt --id 85 -m AES-CBC-PAD \
- --iv "00000000000000000000000000000000" \
---i encrypted_file.data -o decrypted.txt
+	--iv "00000000000000000000000000000000" \
+	--i encrypted_file.data -o decrypted.txt
 				</programlisting>
 
 			Use the key with ID 75 using mechanism AES-CBC-PAD, with initialization vector
 			"00000000000000000000000000000000" to wrap the key with ID 76 into output file
-			<replaceable>exported_aes.key</replaceable>
+			<filename>exported_aes.key</filename>
 				<programlisting>
 pkcs11-tool --login --wrap --id 75 --mechanism AES-CBC-PAD \
- --iv "00000000000000000000000000000000" \
- --application-id 76 \
- --output-file exported_aes.key
+	--iv "00000000000000000000000000000000" \
+	--application-id 76 \
+	--output-file exported_aes.key
 				</programlisting>
 			Use the key with ID 22 and mechanism RSA-PKCS to unwrap key from file
-			<replaceable>aes_wrapped.key</replaceable>. After a successful unwrap operation,
+			<filename>aes_wrapped.key</filename>. After a successful unwrap operation,
 			a new AES key is created on token. ID of this key is set to 90 and label of this
-			key is set to <replaceable>unwrapped-key</replaceable>
+			key is set to <literal>unwrapped-key</literal>
 			Note: for the MyEID card, the AES key size must be present in key
 			specification i.e. AES:16
 				<programlisting>
 pkcs11-tool --login --unwrap --mechanism RSA-PKCS --id 22 \
-  -i aes_wrapped.key --key-type AES: \
-  --application-id 90 --applicatin-label unwrapped-key
+	-i aes_wrapped.key --key-type AES: \
+	--application-id 90 --applicatin-label unwrapped-key
 				</programlisting>
 
 			Use the SO-PIN to initialize or re-set the PIN:
