authorLennart Poettering <lennart@poettering.net>2024-11-11 16:09:07 +0100
committerGitHub <noreply@github.com>2024-11-11 16:09:07 +0100
commit67e003d7dd2b595a7acd602635d9e56acaa45b6b (patch)
tree84fba86008dca88faf16b472a5c1b888fdd5ed4f /man
parentnetwork: further rework for reconfiguring interfaces (#35059) (diff)
parentIntroduce systemd-keyutil to do various key/certificate operations (diff)
Introduce systemd-keyutil to do various key/certificate operations (#35095)
Let's gather generic key/certificate operations in a new tool systemd-keyutil instead of spreading them across various special purpose tools. Fixes #35087
Diffstat (limited to 'man')
-rw-r--r--man/rules/meson.build1
-rw-r--r--man/systemd-keyutil.xml105
-rw-r--r--man/systemd-measure.xml10
-rw-r--r--man/systemd-sbsign.xml16
4 files changed, 106 insertions, 26 deletions
diff --git a/man/rules/meson.build b/man/rules/meson.build
index 7d2c62f574..e76cb0223b 100644
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@@ -992,6 +992,7 @@ manpages = [
'systemd-journald@.service',
'systemd-journald@.socket'],
''],
+ ['systemd-keyutil', '1', [], ''],
['systemd-localed.service', '8', ['systemd-localed'], 'ENABLE_LOCALED'],
['systemd-logind.service', '8', ['systemd-logind'], 'ENABLE_LOGIND'],
['systemd-machine-id-commit.service', '8', [], ''],
diff --git a/man/systemd-keyutil.xml b/man/systemd-keyutil.xml
new file mode 100644
index 0000000000..99d4d903b4
--- /dev/null
+++ b/man/systemd-keyutil.xml
@@ -0,0 +1,105 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="systemd-keyutil"
+ xmlns:xi="http://www.w3.org/2001/XInclude">
+ <refentryinfo>
+ <title>systemd-keyutil</title>
+ <productname>systemd</productname>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>systemd-keyutil</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>systemd-keyutil</refname>
+ <refpurpose>Perform various operations on private keys and X.509 certificates</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>systemd-keyutil</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="req">COMMAND</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><command>systemd-keyutil</command> can be used to perform various operations on private keys and
+ X.509 certificates.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Commands</title>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>validate</option></term>
+
+ <listitem><para>Checks that we can load the private key and certificate specified with
+ <option>--private-key=</option> and <option>--certificate=</option> respectively.</para>
+
+ <para>As a side effect, if the private key is loaded from a PIN-protected hardware token, this
+ command can be used to cache the PIN in the kernel keyring. The
+ <varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC</varname> and
+ <varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TYPE</varname> environment variables can be used to control
+ how long and in which kernel keyring the PIN is cached.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>public</command></term>
+
+ <listitem><para>This commands prints the public key in PEM format extracted from either the
+ certificate given with <option>--certificate=</option> or the private key given with
+ <option>--private-key=</option>.</para>
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+ <para>The following options are understood:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
+ <term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
+ <term><option>--certificate=<replaceable>PATH</replaceable></option></term>
+ <term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
+
+ <listitem><para>Set the private key and certificate to use. The <option>--certificate=</option>
+ option takes a path to a PEM encoded X.509 certificate or a URI that's passed to the OpenSSL provider
+ configured with <option>--certificate-source</option>. The <option>--certificate-source</option>
+ takes one of <literal>file</literal> or <literal>provider</literal>, with the latter being followed
+ by a specific provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>.
+ The <option>--private-key=</option> option can take a path or a URI that will be passed to the
+ OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
+ <literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal></para>.
+
+ <xi:include href="version-info.xml" xpointer="v257"/></listitem>
+ </varlistentry>
+
+ <xi:include href="standard-options.xml" xpointer="help"/>
+ <xi:include href="standard-options.xml" xpointer="version"/>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para><simplelist type="inline">
+ <member><citerefentry><refentrytitle>systemd-sbsign</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ <member><citerefentry><refentrytitle>systemd-measure</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
+ </simplelist></para>
+ </refsect1>
+</refentry>
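Review bot: In the options entry, the description ends with `<literal>engine:pkcs11</literal></para>.`, which leaves the full stop as character data directly inside `<listitem>`, where DocBook 4.5 expects only block elements; it should read `<literal>engine:pkcs11</literal>.</para>`. In the Commands list, `validate` is marked up as `<term><option>validate</option></term>` while `public` uses `<command>`, so `<term><command>validate</command></term>` would be consistent, and "This commands prints" should be "This command prints". The option description also writes `--certificate-source` twice without the trailing `=` that the `<term>` line and the `--private-key-source=` reference use. Because `validate` can leave a hardware-token PIN cached in a kernel keyring, the paragraph would be more useful if it also stated what happens when neither `$SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC` nor `$SYSTEMD_ASK_PASSWORD_KEYRING_TYPE` is set, or cited the page that documents those defaults.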
diff --git a/man/systemd-measure.xml b/man/systemd-measure.xml
index 1caca9cab0..5d697dd62f 100644
--- a/man/systemd-measure.xml
+++ b/man/systemd-measure.xml
@@ -104,16 +104,6 @@
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
-
- <varlistentry>
- <term><command>pcrpkey</command></term>
-
- <listitem><para>This commands prints the public key either given with <option>--public-key=</option>,
- or extracted from the certificate given with <option>--certificate=</option> or the private key given
- with <option>--private-key=</option>.</para>
-
- <xi:include href="version-info.xml" xpointer="v257"/></listitem>
- </varlistentry>
</variablelist>
</refsect1>
diff --git a/man/systemd-sbsign.xml b/man/systemd-sbsign.xml
index 1248377845..57b685f8c3 100644
--- a/man/systemd-sbsign.xml
+++ b/man/systemd-sbsign.xml
@@ -49,22 +49,6 @@
<xi:include href="version-info.xml" xpointer="v257"/>
</listitem>
</varlistentry>
-
- <varlistentry>
- <term><option>validate-key</option></term>
-
- <listitem><para>Checks that we can load the private key specified with
- <option>--private-key=</option>. </para>
-
- <para>As a side effect, if the private key is loaded from a PIN-protected hardware token, this
- command can be used to cache the PIN in the kernel keyring. The
- <varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC</varname> and
- <varname>$SYSTEMD_ASK_PASSWORD_KEYRING_TYPE</varname> environment variables can be used to control
- how long and in which kernel keyring the PIN is cached.</para>
-
- <xi:include href="version-info.xml" xpointer="v257"/>
- </listitem>
- </varlistentry>
</variablelist>
</refsect1>