1 // This is a preprocessed file to define commands that we provide in Security part of the Sec module.
//
// Command table in X-macro form: every SECURITY_COMMAND / SECURITY_COMMAND_IOS
// entry is (command name, handler identifier, usage text, one-line summary).
// The macros are not defined in this file; they presumably come from the
// header included below, which decides how each entry expands (table row,
// prototype, ...) -- confirm there. The "_IOS" suffix is read from the name
// only; which platforms those entries are built for is not visible here.
//
// NOTE(review): this excerpt is not contiguous. Several entries list options
// in their synopsis whose description lines are absent, some entries start
// with an option line and no synopsis, one entry ends without its summary
// argument, and the two USE_SECURITY_ITEM definitions below have lost the
// conditional that must separate them. Treat those gaps as extraction loss,
// not as defects in the command table, and confirm against the real source.
//
// NOTE(review): several commands take a secret as an argv value (-w
// passwordData on add-internet-password, -p password on keychain-export,
// keychain-import and pkcs12, -c challenge on scep). Command-line arguments
// are readable by other local processes and tend to end up in shell history;
// this is a property of the interface the usage text describes, not of the
// handlers named here.
   3 #include "SecurityTool/sharedTool/security_tool_commands.h"
// Two definitions of the same macro: one carries a usage-text footer, the
// other is empty. An #if/#else around them is presumably present in the
// original. No entry visible below appends USE_SECURITY_ITEM, which again
// points at dropped lines rather than an unused macro.
   6 #define USE_SECURITY_ITEM "By default the synchronizable keys is not searched/update/deleted, use \"security item\" for that.\n"
   8 #define USE_SECURITY_ITEM
// add-internet-password: -p and -P appear in the synopsis but their
// description lines are not in this excerpt. The -w line is where the
// password is taken from argv (see note at top).
  12 SECURITY_COMMAND("add-internet-password", keychain_add_internet_password
,
  13                  "[-a accountName] [-d securityDomain] [-p path] [-P port] [-r protocol] [-s serverName] [-t authenticationType] [-w passwordData] [keychain]\n"
  14                  "    -a Use \"accountName\".\n"
  15                  "    -d Use \"securityDomain\".\n"
  18                  "    -r Use \"protocol\".\n"
  19                  "    -s Use \"serverName\".\n"
  20                  "    -t Use \"authenticationType\".\n"
  21                  "    -w Use passwordData.\n"
  22                  "If no keychains is specified the password is added to the default keychain.",
  23                  "Add an internet password item.")
// item: generic query/add/update/delete over attr=value pairs. The usage text
// itself documents the two non-default behaviours a caller trips over:
// items with an ACL are skipped unless u_AuthUI=u_AuthUIA is given, and
// synchronizable items are skipped unless sync=1 is given. The accc examples
// are access-control specs in the syntax stated on the line before them.
  25 SECURITY_COMMAND("item", keychain_item
,
  26                  "[-v][-a|-D|-u attr=value,...|[-q][-j][-g] attr=value,...] [-d password | -f datafile] [attr=value,...]\n"
  27                  "-q Query for item matching (default). Note: as default query skips items with ACL, you have to define 'u_AuthUI=u_AuthUIA' if you want to query items with ACL\n"
  28                  "-g Get password data\n"
  29                  "-a Add item to keychain\n"
  30                  "-u Update item in keychain (require query to match)\n"
  31                  "-D Delete item from keychain\n"
  32                  "-j When printing results, print JSON\n"
  33                  "Add, query, update or delete items from the keychain.  Extra attr=value pairs after options always apply to the query\n"
  34                  "class=[genp|inet|cert|keys] is required for the query\n"
  35                  "To search the synchronizable items (not searched by default) use sync=1 as an attr=value pair.\n"
  36                  "Security Access Control object can be passed as attribute accc with following syntax:\n"
  37                  "accc=\"<access class>[;operation[:constraint type(constraint parameters)]...]\""
  38                  "\nExample:\naccc=\"ak;od(cpo(DeviceOwnerAuthentication));odel(true);oe(true)\""
  39                  "\naccc=\"ak;od(cpo(DeviceOwnerAuthentication));odel(true);oe(true);prp(true)\""
  40                  "\naccc=\"ak;od(cup(true)pkofn(1)cbio(pbioc(<>)pbioh(<>)));odel(true);oe(true)\""
  41                  "SAC object for deleting item added by default\n",
  42                  "Manipulate keychain items.")
// policy-dryrun: only one string argument is visible here, so either the
// usage text or the summary is missing from this excerpt.
  45 SECURITY_COMMAND("policy-dryrun", policy_dryrun
,
  47                  "Try to evaluate policy old/new.")
  50 SECURITY_COMMAND("keychain-item-digest", keychain_item_digest
,
  51                  "itemClass keychainAccessGroup\n"
  52                  "Dump items reported by _SecItemDigest command\n",
  53                  "Show keychain item digest.")
// add-certificates: the second form ("-t file...") writes to the user's
// TrustSettings database rather than a keychain; -t is not in the synopsis
// line, which may be a dropped line or a documentation gap -- confirm.
  55 SECURITY_COMMAND_IOS("add-certificates", keychain_add_certificates
,
  56                  "[-k keychain] file...\n"
  57                  "If no keychains is specified the certificates are added to the default keychain.\n"
  58                  "\tadd-certificates -t file...\n"
  59                  "Add the specified certificates to the users TrustSettings.sqlite3 database.",
  60                  "Add certificates to the keychain.")
// show-certificates: -s is in the synopsis but has no description line here.
// The -f line has a typo ("octects" -> "octets"); the runtime string is left
// as-is in this documentation pass.
  62 SECURITY_COMMAND_IOS("show-certificates", keychain_show_certificates
,
  63                  "[-p][-s][-t] file...\n"
  64                  "[-k][-p][-s][-v][-t][-f][-q attr=value,...] [attr=value,...]\n"
  65                  "    -k Show all certificates in keychain.\n"
  66                  "    -q Query for certificates matching (implies -k)\n"
  67                  "    -p Output cert in PEM format.\n"
  68                  "    -f Show fingerprint (SHA1 digest of octects inside the public key bit string.)\n"
  70                  "    -v Show entire certificate in text form.\n"
  71                  "    -t Evaluate trust.",
  72                  "Display certificates in human readable form.")
// find-internet-password: -g prints the stored secret to the terminal; the
// other options only narrow the match.
  74 SECURITY_COMMAND("find-internet-password", keychain_find_internet_password
,
  75                  "[-a accountName] [-d securityDomain] [-g] [-p path] [-P port] [-r protocol] [-s serverName] [-t authenticationType] [keychain...]\n"
  76                  "    -a Match on \"accountName\" when searching.\n"
  77                  "    -d Match on \"securityDomain\" when searching.\n"
  78                  "    -g Display the password for the item found.\n"
  79                  "    -p Match on \"path\" when searching.\n"
  80                  "    -P Match on \"port\" when searching.\n"
  81                  "    -r Match on \"protocol\" when searching.\n"
  82                  "    -s Match on \"serverName\" when searching.\n"
  83                  "    -t Match on \"authenticationType\" when searching.\n"
  85                  "If no keychains are specified the default search list is used.",
  86                  "Find an internet password item.")
// find-generic-password: -g is described below but absent from the synopsis
// line -- the synopsis should read "[-a accountName] [-g] [-s serviceName]".
  88 SECURITY_COMMAND("find-generic-password", keychain_find_generic_password
,
  89                  "[-a accountName] [-s serviceName] [keychain...]\n"
  90                  "    -a Match on \"accountName\" when searching.\n"
  91                  "    -g Display the password for the item found.\n"
  92                  "    -s Match on \"serviceName\" when searching.\n"
  93                  "If no keychains are specified the default search list is used.",
  94                  "Find a generic password item.")
// delete-internet-password: the option text is shared with the find-*
// commands, including -g, which prints the secret before deletion if the
// handler honours it -- whether it does is not visible here.
  96 SECURITY_COMMAND("delete-internet-password", keychain_delete_internet_password
,
  97                  "[-a accountName] [-d securityDomain] [-g] [-p path] [-P port] [-r protocol] [-s serverName] [-t authenticationType] [keychain...]\n"
  98                  "    -a Match on \"accountName\" when searching.\n"
  99                  "    -d Match on \"securityDomain\" when searching.\n"
 100                  "    -g Display the password for the item found.\n"
 101                  "    -p Match on \"path\" when searching.\n"
 102                  "    -P Match on \"port\" when searching.\n"
 103                  "    -r Match on \"protocol\" when searching.\n"
 104                  "    -s Match on \"serverName\" when searching.\n"
 105                  "    -t Match on \"authenticationType\" when searching.\n"
 107                  "If no keychains are specified the default search list is used.",
 108                  "Delete one or more internet password items.")
// delete-generic-password: same synopsis gap as find-generic-password (-g
// described but not listed).
 110 SECURITY_COMMAND("delete-generic-password", keychain_delete_generic_password
,
 111                  "[-a accountName] [-s serviceName] [keychain...]\n"
 112                  "    -a Match on \"accountName\" when searching.\n"
 113                  "    -g Display the password for the item found.\n"
 114                  "    -s Match on \"serviceName\" when searching.\n"
 116                  "If no keychains are specified the default search list is used.",
 117                  "Delete one or more generic password items.")
// keychain-export / keychain-import: the backup password is optional and,
// when given, arrives on the command line (see note at top). The keybag
// itself is a separate file argument.
 119 SECURITY_COMMAND_IOS("keychain-export", keychain_export
,
 120                  "-k <keybag> [-p password ] <plist>\n"
 121                  "    <keybag>   keybag file name. (Can be created with keystorectl)\n"
 122                  "    <password> backup password (optional)\n"
 123                  "    <plist>    backup plist file\n",
 124                  "Export keychain to a plist file.")
 126 SECURITY_COMMAND_IOS("keychain-import", keychain_import
,
 127                  "-k <keybag> [-p <password> ] <plist>\n"
 128                  "    <keybag>   keybag file name. (Can be created with keystorectl)\n"
 129                  "    <password> backup password (optional)\n"
 130                  "    <plist>    backup plist file\n",
 131                  "Import keychain from a plist file.")
 133 SECURITY_COMMAND_IOS("pkcs12", pkcs12_util
,
 134                  "[options] -p <password> file\n"
 135                  "  -d           delete identity\n",
 136                  "Manipulate pkcs12 blobs.")
// scep: the synopsis line is missing from this excerpt. -x disables
// certificate validation for the enrollment exchange (presumably of the SCEP
// server -- confirm in the handler) and belongs to test setups only; the -c
// challenge password is another argv-carried secret.
 138 SECURITY_COMMAND_IOS("scep", command_scep
,
 140                  "   -b keysize      Keysize in bits.\n"
 141                  "   -u usage        Key usage bitmask in decimal (Digital Signature = 1, Key Encipherment = 4).\n"
 142                  "   -c challenge    Challenge password.\n"
 143                  "   -n name         Service instance name (required for MS SCEP).\n"
 145                  "   -x              Turn cert validation off.\n"
 146                  "   -s subject      Subject to request (O=Apple,CN=iPhone).\n"
 147                  "   -h subjaltname  SubjectAlternateName (foo.com).\n"
 148                  "   -o capabilities Override capabilities GetCACaps returns (POSTPKIOperation,SHA-1,DES3)\n",
 149                  "Certify a public key using a SCEP server")
 151 SECURITY_COMMAND_IOS("codesign", codesign_util
,
 152                  "[options] <file>\n",
 153                  "Verify code signature blob in binary.")
 155 SECURITY_COMMAND_IOS("enroll-secure-profile", command_spc
,
 156                  "[options] <file>\n",
 157                  "Enroll in secure profile service.")
// keys-need-update: the summary argument is missing, so as shown the
// trailing comma runs straight into the next SECURITY_COMMAND. This cannot
// be the real source text; lines were dropped from the excerpt.
 159 SECURITY_COMMAND_IOS("keys-need-update", keychain_roll_keys
,
 161                      "   -f   attempt an update.\n",
 164 SECURITY_COMMAND("log", log_control
,
 165                  "[options] [scope_list]\n"
 166                  "   -l              list current settings.\n"
 167                  "   -s scope_list   set log scopes to scope_list.\n"
 168                  "   -c scope_list   set log scopes to scope_list for all devices in circle.\n",
 169                  "control logging settings")
// verify-cert: synopsis line missing from this excerpt. -R accepts several
// values and may be repeated; the usage text spells out that "require" must
// be combined with a method such as "ocsp" for revocation to be enforced
// rather than merely attempted.
 171 SECURITY_COMMAND_IOS("verify-cert", verify_cert
,
 173                  "   -c certFile     Certificate to verify. Can be specified multiple times.\n"
 174                  "   -r rootCertFile Root Certificate. Can be specified multiple times.\n"
 175                  "   -p policy       Verify policy (basic, ssl, smime, eap, IPSec, appleID,\n"
 176                  "                   codeSign, timestamp, revocation).\n"
 177                  "   -C              Set client policy to true. Default is server policy. (ssl, IPSec, eap)\n"
 178                  "   -d date         Set date and time to use when verifying certificate,\n"
 179                  "                   provided in the form of YYYY-MM-DD-hh:mm:ss (time optional) in GMT.\n"
 180                  "                   e.g: 2016-04-25-15:59:59 for April 25, 2016 at 3:59:59 pm in GMT\n"
 181                  "   -L              Local certs only.\n"
 182                  "   -n name         Name to be verified. (ssl, IPSec, smime)\n"
 184                  "   -R revOption    Perform revocation checking with one of the following options:\n"
 185                  "                       ocsp     Check revocation status using OCSP method.\n"
 186                  "                       require  Require a positive response for successful verification.\n"
 187                  "                       offline  Consult cached responses only (no network requests).\n"
 188                  "                   Can be specified multiple times; e.g. to check revocation via OCSP\n"
 189                  "                   and require a positive response, use \"-R ocsp -R require\".\n",
 190                  "Verify certificate(s).")
 192 SECURITY_COMMAND_IOS("trust-store", trust_store_show_certificates
,
 193                  "[-p][-f][-s][-v][-t][-k]\n"
 194                  "    -p Output cert in PEM format.\n"
 195                  "    -f Show fingerprint (SHA1 digest certificate.)\n"
 196                  "    -s Show subject.\n"
 197                  "    -v Show entire certificate in text form.\n"
 198                  "    -t Show trust settings for certificates.\n"
 199                  "    -k Show keyid (SHA1 digest of public key)",
 200                  "Display user trust store certificates and trust settings.")
// check-trust-update: synopsis line missing from this excerpt.
 202 SECURITY_COMMAND("check-trust-update", check_trust_update
,
 204                  "    -s Check for Supplementals (Pinning DB and Trusted CT Logs) update\n"
 205                  "    -e Check for SecExperiment update\n",
 206                  "Check for data updates for trust and return current version.")
// add-ct-exceptions / show-ct-exceptions: -p replaces the whole exception
// set and -r clears it; both override the incremental -d/-c forms, as the
// usage text states. The plist format is deferred to SecTrustSettingsPriv.h.
 208 SECURITY_COMMAND("add-ct-exceptions", add_ct_exceptions
,
 210                  "   -d domain  Domain to add. Can be specified multiple times.\n"
 211                  "   -c cert    Cert to add. Can be specified multiple times.\n"
 212                  "   -p plist   plist with exceptions to set (resetting existing).\n"
 213                  "                 Overrides -d and -c\n"
 214                  "                 For detailed specification, see SecTrustSettingsPriv.h.\n"
 215                  "   -r which   Reset exceptions for \"domain\", \"cert\", or \"all\".\n"
 216                  "                 Overrides -d, -c, and -p\n",
 217                  "Set exceptions for Certificate Transparency enforcement")
 219 SECURITY_COMMAND("show-ct-exceptions", show_ct_exceptions
,
 221                  "   -a             Output all combined CT exceptions.\n"
 222                  "   -i identifier  Output CT exceptions for specified identifier.\n"
 223                  "                      Default is exceptions for this tool. Overridden by -a.\n"
 224                  "   -d             Output domain exceptions. Default is both domains and certs.\n"
 225                  "   -c             Output certificate exceptions (as SPKI hash).\n"
 226                  "                      Default is both domains and certs.\n",
 227                  "Display exceptions for Certificate Transparency enforcement in json.")
// add-ca-revocation-checking / show-ca-revocation-checking: mirror the CT
// exception pair above, but the additions widen checking (revocation becomes
// explicit for every cert issued by the named CA) rather than relaxing it.
 229 SECURITY_COMMAND("add-ca-revocation-checking", add_ca_revocation_checking
,
 231                  "   -c cert    Cert for which revocation checking should be enabled.\n"
 232                  "                 Specify a CA cert to enable checking for all its issued certs.\n"
 233                  "                 Can be specified multiple times.\n"
 234                  "   -p plist   plist containing entries to enable explicit revocation checking.\n"
 235                  "                 Resets existing entries, if present.\n"
 237                  "                 For detailed specification, see SecTrustSettingsPriv.h.\n"
 238                  "   -r which   Resets cert entries for \"cert\" or \"all\".\n"
 239                  "                 Overrides -c and -p\n",
 240                  "Specify additional CA certs for which revocation checking is enabled")
 242 SECURITY_COMMAND("show-ca-revocation-checking", show_ca_revocation_checking
,
 244                  "   -a             Output all combined CA revocation checking additions.\n"
 245                  "   -i identifier  Output CA revocation additions for specified identifier.\n"
 246                  "                      Default is the additions for this tool. Overridden by -a.\n"
 247                  "   -c             Output CA revocation additions (as certificate SPKI hash).\n",
 248                  "Display CA revocation checking additions in json.")