]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/Tool/SecurityCommands.h
Security-58286.270.3.0.1.tar.gz
[apple/security.git] / OSX / sec / Security / Tool / SecurityCommands.h
1 // This is a preprocessed file to define commands that we provide in Security part of the Sec module.
2
3 #include <SecurityTool/security_tool_commands.h>
4
5 #if TARGET_OS_IPHONE
6 #define USE_SECURITY_ITEM "By default the synchronizable keys is not searched/update/deleted, use \"security item\" for that.\n"
7 #else
8 #define USE_SECURITY_ITEM
9 #endif
10
11
12 SECURITY_COMMAND("add-internet-password", keychain_add_internet_password,
13 "[-a accountName] [-d securityDomain] [-p path] [-P port] [-r protocol] [-s serverName] [-t authenticationType] [-w passwordData] [keychain]\n"
14 " -a Use \"accountName\".\n"
15 " -d Use \"securityDomain\".\n"
16 " -p Use \"path\".\n"
17 " -P Use \"port\".\n"
18 " -r Use \"protocol\".\n"
19 " -s Use \"serverName\".\n"
20 " -t Use \"authenticationType\".\n"
21 " -w Use passwordData.\n"
22 "If no keychains is specified the password is added to the default keychain.",
23 "Add an internet password item.")
24
25 SECURITY_COMMAND("item", keychain_item,
26 "[-v][-a|-D|-u attr=value,...|[-q][-g] attr=value,...] [-d password | -f datafile] [attr=value,...]\n"
27 "-q Query for item matching (default). Note: as default query skips items with ACL, you have to define 'u_AuthUI=u_AuthUIA' if you want to query items with ACL\n"
28 "-g Get password data\n"
29 "-a Add item to keychain\n"
30 "-u Update item in keychain (require query to match)\n"
31 "-D Delete item from keychain\n"
32 "Add, query, update or delete items from the keychain. Extra attr=value pairs after options always apply to the query\n"
33 "class=[genp|inet|cert|keys] is required for the query\n"
34 "To search the synchronizable items (not searched by default) use sync=1 as an attr=value pair.\n"
35 "Security Access Control object can be passed as attribute accc with following syntax:\n"
36 "accc=\"<access class>[;operation[:constraint type(constraint parameters)]...]\""
37 "\nExample:\naccc=\"ak;od(cpo(DeviceOwnerAuthentication));odel(true);oe(true)\""
38 "\naccc=\"ak;od(cpo(DeviceOwnerAuthentication));odel(true);oe(true);prp(true)\""
39 "\naccc=\"ak;od(cup(true)pkofn(1)cbio(pbioc(<>)pbioh(<>)));odel(true);oe(true)\""
40 "SAC object for deleting item added by default\n",
41 "Manipulate keychain items.")
42
43 SECURITY_COMMAND("keychain-item-digest", keychain_item_digest,
44 "itemClass keychainAccessGroup\n"
45 "Dump items reported by _SecItemDigest command\n",
46 "Show keychain item digest.")
47
48 SECURITY_COMMAND_IOS("add-certificates", keychain_add_certificates,
49 "[-k keychain] file...\n"
50 "If no keychains is specified the certificates are added to the default keychain.\n"
51 "\tadd-certificates -t file...\n"
52 "Add the specified certificates to the users TrustSettings.sqlite3 database.",
53 "Add certificates to the keychain.")
54
55 SECURITY_COMMAND_IOS("show-certificates", keychain_show_certificates,
56 "[-p][-s][-t] file...\n"
57 "[-k][-p][-s][-v][-t][-f][-q attr=value,...] [attr=value,...]\n"
58 " -k Show all certificates in keychain.\n"
59 " -q Query for certificates matching (implies -k)\n"
60 " -p Output cert in PEM format.\n"
61 " -f Show fingerprint (SHA1 digest of octects inside the public key bit string.)\n"
62 " -s Show subject.\n"
63 " -v Show entire certificate in text form.\n"
64 " -t Evaluate trust.",
65 "Display certificates in human readable form.")
66
67 SECURITY_COMMAND("find-internet-password", keychain_find_internet_password,
68 "[-a accountName] [-d securityDomain] [-g] [-p path] [-P port] [-r protocol] [-s serverName] [-t authenticationType] [keychain...]\n"
69 " -a Match on \"accountName\" when searching.\n"
70 " -d Match on \"securityDomain\" when searching.\n"
71 " -g Display the password for the item found.\n"
72 " -p Match on \"path\" when searching.\n"
73 " -P Match on \"port\" when searching.\n"
74 " -r Match on \"protocol\" when searching.\n"
75 " -s Match on \"serverName\" when searching.\n"
76 " -t Match on \"authenticationType\" when searching.\n"
77 USE_SECURITY_ITEM
78 "If no keychains are specified the default search list is used.",
79 "Find an internet password item.")
80
81 SECURITY_COMMAND("find-generic-password", keychain_find_generic_password,
82 "[-a accountName] [-s serviceName] [keychain...]\n"
83 " -a Match on \"accountName\" when searching.\n"
84 " -g Display the password for the item found.\n"
85 " -s Match on \"serviceName\" when searching.\n"
86 "If no keychains are specified the default search list is used.",
87 "Find a generic password item.")
88
89 SECURITY_COMMAND("delete-internet-password", keychain_delete_internet_password,
90 "[-a accountName] [-d securityDomain] [-g] [-p path] [-P port] [-r protocol] [-s serverName] [-t authenticationType] [keychain...]\n"
91 " -a Match on \"accountName\" when searching.\n"
92 " -d Match on \"securityDomain\" when searching.\n"
93 " -g Display the password for the item found.\n"
94 " -p Match on \"path\" when searching.\n"
95 " -P Match on \"port\" when searching.\n"
96 " -r Match on \"protocol\" when searching.\n"
97 " -s Match on \"serverName\" when searching.\n"
98 " -t Match on \"authenticationType\" when searching.\n"
99 USE_SECURITY_ITEM
100 "If no keychains are specified the default search list is used.",
101 "Delete one or more internet password items.")
102
103 SECURITY_COMMAND("delete-generic-password", keychain_delete_generic_password,
104 "[-a accountName] [-s serviceName] [keychain...]\n"
105 " -a Match on \"accountName\" when searching.\n"
106 " -g Display the password for the item found.\n"
107 " -s Match on \"serviceName\" when searching.\n"
108 USE_SECURITY_ITEM
109 "If no keychains are specified the default search list is used.",
110 "Delete one or more generic password items.")
111
112 SECURITY_COMMAND_IOS("keychain-export", keychain_export,
113 "-k <keybag> [-p password ] <plist>\n"
114 " <keybag> keybag file name. (Can be created with keystorectl)\n"
115 " <password> backup password (optional)\n"
116 " <plist> backup plist file\n",
117 "Export keychain to a plist file.")
118
119 SECURITY_COMMAND_IOS("keychain-import", keychain_import,
120 "-k <keybag> [-p <password> ] <plist>\n"
121 " <keybag> keybag file name. (Can be created with keystorectl)\n"
122 " <password> backup password (optional)\n"
123 " <plist> backup plist file\n",
124 "Import keychain from a plist file.")
125
126 SECURITY_COMMAND_IOS("pkcs12", pkcs12_util,
127 "[options] -p <password> file\n"
128 " -d delete identity\n",
129 "Manipulate pkcs12 blobs.")
130
131 SECURITY_COMMAND_IOS("scep", command_scep,
132 "[options] <url>\n"
133 " -b keysize Keysize in bits.\n"
134 " -u usage Key usage bitmask in decimal (Digital Signature = 1, Key Encipherment = 4).\n"
135 " -c challenge Challenge password.\n"
136 " -n name Service instance name (required for MS SCEP).\n"
137 " -v Verbose.\n"
138 " -x Turn cert validation off.\n"
139 " -s subject Subject to request (O=Apple,CN=iPhone).\n"
140 " -h subjaltname SubjectAlternateName (foo.com).\n"
141 " -o capabilities Override capabilities GetCACaps returns (POSTPKIOperation,SHA-1,DES3)\n",
142 "Certify a public key using a SCEP server")
143
144 SECURITY_COMMAND_IOS("codesign", codesign_util,
145 "[options] <file>\n",
146 "Verify code signature blob in binary.")
147
148 SECURITY_COMMAND_IOS("enroll-secure-profile", command_spc,
149 "[options] <file>\n",
150 "Enroll in secure profile service.")
151
152 SECURITY_COMMAND_IOS("keys-need-update", keychain_roll_keys,
153 "[options]\n"
154 " -f attempt an update.\n",
155 "Rotate keys.")
156
157 SECURITY_COMMAND("log", log_control,
158 "[options] [scope_list]\n"
159 " -l list current settings.\n"
160 " -s scope_list set log scopes to scope_list.\n"
161 " -c scope_list set log scopes to scope_list for all devices in circle.\n",
162 "control logging settings")
163
164 SECURITY_COMMAND_IOS("verify-cert", verify_cert,
165 "[options]\n"
166 " -c certFile Certificate to verify. Can be specified multiple times.\n"
167 " -r rootCertFile Root Certificate. Can be specified multiple times.\n"
168 " -p policy Verify policy (basic, ssl, smime, eap, IPSec, appleID,\n"
169 " codeSign, timestamp, revocation).\n"
170 " -C Set client policy to true. Default is server policy. (ssl, IPSec, eap)\n"
171 " -d date Set date and time to use when verifying certificate,\n"
172 " provided in the form of YYYY-MM-DD-hh:mm:ss (time optional) in GMT.\n"
173 " e.g: 2016-04-25-15:59:59 for April 25, 2016 at 3:59:59 pm in GMT\n"
174 " -L Local certs only.\n"
175 " -n name Name to be verified. (ssl, IPSec, smime)\n"
176 " -q Quiet.\n"
177 " -R revOption Perform revocation checking with one of the following options:\n"
178 " ocsp Check revocation status using OCSP method.\n"
179 " require Require a positive response for successful verification.\n"
180 " offline Consult cached responses only (no network requests).\n"
181 " Can be specified multiple times; e.g. to check revocation via OCSP\n"
182 " and require a positive response, use \"-R ocsp -R require\".\n",
183 "Verify certificate(s).")
184
185 SECURITY_COMMAND_IOS("trust-store", trust_store_show_certificates,
186 "[-p][-f][-s][-v][-t][-k]\n"
187 " -p Output cert in PEM format.\n"
188 " -f Show fingerprint (SHA1 digest certificate.)\n"
189 " -s Show subject.\n"
190 " -v Show entire certificate in text form.\n"
191 " -t Show trust settings for certificates.\n"
192 " -k Show keyid (SHA1 digest of public key)",
193 "Display user trust store certificates and trust settings.")
194
195 SECURITY_COMMAND("check-trust-update", check_trust_update,
196 "[-s]\n"
197 " -s Check for Supplementals (Pinning DB and Trusted CT Logs) update\n",
198 "Check for data updates for trust and return current version.")
199
200 SECURITY_COMMAND("add-ct-exceptions", add_ct_exceptions,
201 "[options]\n"
202 " -d domain Domain to add. Can be specified multiple times.\n"
203 " -c cert Cert to add. Can be specified multiple times.\n"
204 " -p plist plist with exceptions to set (resetting existing).\n"
205 " Overrides -d and -c\n"
206 " For detailed specification, see SecTrustSettingsPriv.h.\n"
207 " -r which Reset exceptions for \"domain\", \"cert\", or \"all\".\n"
208 " Overrides -d, -c, and -p\n",
209 "Set exceptions for Certificate Transparency enforcement")
210
211 SECURITY_COMMAND("show-ct-exceptions", show_ct_exceptions,
212 "[options]\n"
213 " -a Output all combined CT exceptions.\n"
214 " -i identifier Output CT exceptions for specified identifier.\n"
215 " Default is exceptions for this tool. Overridden by -a.\n"
216 " -d Output domain exceptions. Default is both domains and certs.\n"
217 " -c Output certificate exceptions (as SPKI hash).\n"
218 " Default is both domains and certs.\n",
219 "Display exceptions for Certificate Transparnecy enforcment in json.")