OSX/sec/Security/Tool/SecurityCommands.h

   1 // This is a preprocessed file to define commands that we provide in Security part of the Sec module.
   2
   3 #include <SecurityTool/security_tool_commands.h>
   4
   5 SECURITY_COMMAND("add-internet-password", keychain_add_internet_password,
   6                  "[-a accountName] [-d securityDomain] [-p path] [-P port] [-r protocol] [-s serverName] [-t authenticationType] [-w passwordData] [keychain]\n"
   7                  "    -a Use \"accountName\".\n"
   8                  "    -d Use \"securityDomain\".\n"
   9                  "    -p Use \"path\".\n"
  10                  "    -P Use \"port\".\n"
  11                  "    -r Use \"protocol\".\n"
  12                  "    -s Use \"serverName\".\n"
  13                  "    -t Use \"authenticationType\".\n"
  14                  "    -w Use passwordData.\n"
  15                  "If no keychains is specified the password is added to the default keychain.",
  16                  "Add an internet password item.")
  17
  18 SECURITY_COMMAND("item", keychain_item,
  19                  "[-v][-a|-D|-u attr=value,...|[-q][-g] attr=value,...] [-d password | -f datafile] [attr=value,...]\n"
  20                  "-q Query for item matching (default). Note: as default query skips items with ACL, you have to define 'u_AuthUI=u_AuthUIA' if you want to query items with ACL\n"
  21                  "-g Get password data\n"
  22                  "-a Add item to keychain\n"
  23                  "-u Update item in keychain (require query to match)\n"
  24                  "-D Delete item from keychain\n"
  25                  "Add, query, update or delete items from the keychain.  Extra attr=value pairs after options always apply to the query\n"
  26                  "class=[genp|inet|cert|keys] is required for the query\n"
  27                  "Security Access Control object can be passed as attribute accc with following syntax:\n"
  28                  "accc=\"<access class>[;operation[:constraint type(constraint parameters)]...]\""
  29                  "\nExample:\naccc=\"ak;od(cpo(DeviceOwnerAuthentication));odel(true);oe(true)\""
  30                  "\naccc=\"ak;od(cpo(DeviceOwnerAuthentication));odel(true);oe(true);prp(true)\""
  31                  "\naccc=\"ak;od(cup(true)pkofn(1)cbio(pbioc(<>)pbioh(<>)));odel(true);oe(true)\"",
  32                  "SAC object for deleting item added by default\n"
  33                  "Manipulate keychain items.")
  34
  35 SECURITY_COMMAND_IOS("add-certificates", keychain_add_certificates,
  36                  "[-k keychain] file...\n"
  37                  "If no keychains is specified the certificates are added to the default keychain.\n"
  38                  "\tadd-certificates -t file...\n"
  39                  "Add the specified certificates to the users TrustSettings.sqlite3 database.",
  40                  "Add certificates to the keychain.")
  41
  42 SECURITY_COMMAND_IOS("show-certificates", keychain_show_certificates,
  43                  "[-p][-s][-t] file...\n"
  44                  "[-k][-p][-s][-v][-t][-f][-q attr=value,...] [attr=value,...]\n"
  45                  "    -k Show all certificates in keychain.\n"
  46                  "    -q Query for certificates matching (implies -k)\n"
  47                  "    -p Output cert in PEM format.\n"
  48                  "    -f Show fingerprint (SHA1 digest of octects inside the public key bit string.)\n"
  49                  "    -s Show subject.\n"
  50                  "    -v Show entire certificate in text form.\n"
  51                  "    -t Evaluate trust.",
  52                  "Display certificates in human readable form.")
  53
  54 SECURITY_COMMAND("find-internet-password", keychain_find_internet_password,
  55                  "[-a accountName] [-d securityDomain] [-g] [-p path] [-P port] [-r protocol] [-s serverName] [-t authenticationType] [keychain...]\n"
  56                  "    -a Match on \"accountName\" when searching.\n"
  57                  "    -d Match on \"securityDomain\" when searching.\n"
  58                  "    -g Display the password for the item found.\n"
  59                  "    -p Match on \"path\" when searching.\n"
  60                  "    -P Match on \"port\" when searching.\n"
  61                  "    -r Match on \"protocol\" when searching.\n"
  62                  "    -s Match on \"serverName\" when searching.\n"
  63                  "    -t Match on \"authenticationType\" when searching.\n"
  64                  "If no keychains are specified the default search list is used.",
  65                  "Find an internet password item.")
  66
  67 SECURITY_COMMAND("find-generic-password", keychain_find_generic_password,
  68                  "[-a accountName] [-s serviceName] [keychain...]\n"
  69                  "    -a Match on \"accountName\" when searching.\n"
  70                  "    -g Display the password for the item found.\n"
  71                  "    -s Match on \"serviceName\" when searching.\n"
  72                  "If no keychains are specified the default search list is used.",
  73                  "Find a generic password item.")
  74
  75 SECURITY_COMMAND("delete-internet-password", keychain_delete_internet_password,
  76                  "[-a accountName] [-d securityDomain] [-g] [-p path] [-P port] [-r protocol] [-s serverName] [-t authenticationType] [keychain...]\n"
  77                  "    -a Match on \"accountName\" when searching.\n"
  78                  "    -d Match on \"securityDomain\" when searching.\n"
  79                  "    -g Display the password for the item found.\n"
  80                  "    -p Match on \"path\" when searching.\n"
  81                  "    -P Match on \"port\" when searching.\n"
  82                  "    -r Match on \"protocol\" when searching.\n"
  83                  "    -s Match on \"serverName\" when searching.\n"
  84                  "    -t Match on \"authenticationType\" when searching.\n"
  85                  "If no keychains are specified the default search list is used.",
  86                  "Delete one or more internet password items.")
  87
  88 SECURITY_COMMAND("delete-generic-password", keychain_delete_generic_password,
  89                  "[-a accountName] [-s serviceName] [keychain...]\n"
  90                  "    -a Match on \"accountName\" when searching.\n"
  91                  "    -g Display the password for the item found.\n"
  92                  "    -s Match on \"serviceName\" when searching.\n"
  93                  "If no keychains are specified the default search list is used.",
  94                  "Delete one or more generic password items.")
  95
  96 SECURITY_COMMAND_IOS("keychain-export", keychain_export,
  97                  "-k <keybag> [-p password ] <plist>\n"
  98                  "    <keybag>   keybag file name. (Can be created with keystorectl)\n"
  99                  "    <password> backup password (optional)\n"
 100                  "    <plist>    backup plist file\n",
 101                  "Export keychain to a plist file.")
 102
 103 SECURITY_COMMAND_IOS("keychain-import", keychain_import,
 104                  "-k <keybag> [-p <password> ] <plist>\n"
 105                  "    <keybag>   keybag file name. (Can be created with keystorectl)\n"
 106                  "    <password> backup password (optional)\n"
 107                  "    <plist>    backup plist file\n",
 108                  "Import keychain from a plist file.")
 109
 110 SECURITY_COMMAND_IOS("pkcs12", pkcs12_util,
 111                  "[options] -p <password> file\n"
 112                  "  -d           delete identity\n",
 113                  "Manipulate pkcs12 blobs.")
 114
 115 SECURITY_COMMAND_IOS("scep", command_scep,
 116                  "[options] <url>\n"
 117                  "   -b keysize      Keysize in bits.\n"
 118                  "   -u usage        Key usage bitmask in decimal (Digital Signature = 1, Key Encipherment = 4).\n"
 119                  "   -c challenge    Challenge password.\n"
 120                  "   -n name         Service instance name (required for MS SCEP).\n"
 121                  "   -v              Verbose.\n"
 122                  "   -x              Turn cert validation off.\n"
 123                  "   -s subject      Subject to request (O=Apple,CN=iPhone).\n"
 124                  "   -h subjaltname  SubjectAlternateName (foo.com).\n"
 125                  "   -o capabilities Override capabilities GetCACaps returns (POSTPKIOperation,SHA-1,DES3)\n",
 126                  "Certify a public key using a SCEP server")
 127
 128 SECURITY_COMMAND_IOS("codesign", codesign_util,
 129                  "[options] <file>\n",
 130                  "Verify code signature blob in binary.")
 131
 132 SECURITY_COMMAND_IOS("enroll-secure-profile", command_spc,
 133                  "[options] <file>\n",
 134                  "Enroll in secure profile service.")
 135
 136 SECURITY_COMMAND_IOS("keys-need-update", keychain_roll_keys,
 137                      "[options]\n"
 138                      "   -f   attempt an update.\n",
 139                      "Rotate keys.")
 140
 141 SECURITY_COMMAND("log", log_control,
 142                  "[options] [scope_list]\n"
 143                  "   -l              list current settings.\n"
 144                  "   -s scope_list   set log scopes to scope_list.\n"
 145                  "   -c scope_list   set log scopes to scope_list for all devices in circle.\n",
 146                  "control logging settings")
 147
 148 SECURITY_COMMAND_IOS("verify-cert", verify_cert,
 149                  "[options]\n"
 150                  "   -c certFile     Certificate to verify. Can be specified multiple times.\n"
 151                  "   -r rootCertFile Root Certificate. Can be specified multiple times.\n"
 152                  "   -p policy       Verify policy (basic, ssl, smime, eap, IPSec, appleID,\n"
 153                  "                                  codeSign, timestamp, revocation).\n"
 154                  "   -d date         Set date and time to use when verifying certificate,\n"
 155                  "                   provided in the form of YYYY-MM-DD-hh:mm:ss (time optional) in GMT.\n"
 156                  "                   e.g: 2016-04-25-15:59:59 for April 25, 2016 at 3:59:59 pm in GMT\n"
 157                  "   -L              Local certs only.\n"
 158                  "   -n              Name of the host (ssl, IPSec, smime)\n"
 159                  "   -q              Quiet.\n"
 160                  "   -C              Set client to true. Otherwise, verify-cert defaults to server (ssl, IPSec, eap).\n",
 161                  "Verify certificate(s).")
 162
 163 SECURITY_COMMAND_IOS("trust-store", trust_store_show_certificates,
 164                      "[-p][-f][-s][-v][-t][-k]\n"
 165                      "    -p Output cert in PEM format.\n"
 166                      "    -f Show fingerprint (SHA1 digest certificate.)\n"
 167                      "    -s Show subject.\n"
 168                      "    -v Show entire certificate in text form.\n"
 169                      "    -t Show trust settings for certificates.\n"
 170                      "    -k Show keyid (SHA1 digest of public key)",
 171                      "Display user trust store certificates and trust settings.")