author Tobias Deiminger <tobias.deiminger@posteo.de> 2023-01-03 00:25:57 +0100
committer Tobias Deiminger <tobias.deiminger@posteo.de> 2023-01-11 22:41:24 +0100
commit da39bd930fee9369071a97b93ffe3ea0987acedc
tree 15a245596515a4b7dc330c029318361cf691de34
parent 63bfacc89576345722cf3cefb962861aa7d159b8
Point out pdfsig supports PKCS#11 URIs as nickname
NSS "just works" with PKCS#11 URIs since 3.39. See https://bugzilla.mozilla.org/show_bug.cgi?id=1475274 for details. IMO we should expose that as a feature. It's a standardized NSS-agnostic way to identify certificate objects, and allows disambiguating certificates in any case.
-rw-r--r-- utils/pdfsig.1 5
1 files changed, 4 insertions, 1 deletions
diff --git a/utils/pdfsig.1 b/utils/pdfsig.1
index 872c6e8d..2d84b0c6 100644
--- a/utils/pdfsig.1
+++ b/utils/pdfsig.1
@@ -62,7 +62,7 @@ Specifies the field name to be used when adding a new signature. A random ID wil
Sign the document in the specified signature field present in the document (must be unsigned). Field can be specified by field name (string) or the n-th signature field in the document (integer).
.TP
.B \-nick " nickname"
-Use the certificate with the given nickname for signing.
+Use the certificate with the given nickname for signing. If nickname starts with pkcs11:, it's treated as PKCS#11 URI.
.TP
.B \-kpw " password"
Use the given password for the signing key
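Review bot: the sentence added to the -nick description does not state the NSS version it depends on, although the commit message says PKCS#11 URIs only work since NSS 3.39; a user on an older NSS gets no hint from the man page about why a pkcs11: nickname is not accepted. Suggest appending something like "(requires NSS 3.39 or later)". Since RFC 7512 is only named in the example further down, a reference here would also help, and for man page style "it's treated as PKCS#11 URI" reads better as "it is treated as a PKCS#11 URI".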
@@ -97,6 +97,9 @@ Displays signature info for signed_file.pdf.
pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick my-cert -reason 'for fun!'
Creates a new pdf named output.pdf with the contents of input.pdf signed by the 'my-cert' certificate.
.TP
+pdfsig input.pdf output.pdf -add-signature -nss-pwd password -nick 'pkcs11:token=smartcard0;object=Second%20certificate;type=cert'
+Same, but uses a PKCS#11 URI as defined in IETF RFC 7512 to select the certificate to be used for signing.
+.TP
pdfsig input.pdf output.pdf -sign 0 -nss-pwd password -nick my-cert -reason 'for fun!'
Creates a new pdf named output.pdf with the contents of input.pdf signed by the 'my-cert' certificate. input.pdf must have an already existing un-signed signature field.
.SH AUTHOR
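Review bot: "Same, but" in the description of the new pkcs11: example is not quite accurate and does not stand on its own: the command omits the -reason 'for fun!' that the preceding example passes, and a reader who jumps to this entry has to read the previous one to learn what it does. Suggest spelling it out, e.g. "Creates a new pdf named output.pdf with the contents of input.pdf signed by the certificate selected by the given PKCS#11 URI (IETF RFC 7512)." It would also be worth one sentence noting that the URI has to be quoted in the shell because of the ';' separators, and that %20 in "Second%20certificate" is the percent-encoded space of the object label, since both are easy to get wrong when adapting the example.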