Docs: Update actions documentation
aveenismail committed Sep 19, 2024
1 parent 639eff2 commit afde5b5
Showing 5 changed files with 17 additions and 8 deletions.
9 changes: 6 additions & 3 deletions doc/Actions/key_generation.adoc
@@ -1,7 +1,7 @@
== Key Generation
$ yubico-piv-tool -a generate -s <slot> -k [ -A <key algorithm> -o <public key file> ]
$ yubico-piv-tool -a verify-pin -a selfsign -s <slot> [ -i <public key file> -S <subject dn> --serial <cert serial number> --valid-days DAYS -o <cert file> ]
$ yubico-piv-tool -a verify-pin -a request-certificate -s <slot> [ -i <public key file> -S <subject dn> -o <cert request file> ]
$ yubico-piv-tool -a verify-pin -a selfsign -s <slot> -S <subject dn> [ -P <PIN code> --pin-policy <never|once|always|matchonce|matchalways> --touch-policy <never|always|cached> -i <public key file> --serial <cert serial number> --valid-days DAYS -o <cert file> ]
$ yubico-piv-tool -a verify-pin -a request-certificate -s <slot> -S <subject dn> [ -P <PIN> -i <public key file> -o <cert request file> ]
$ yubico-piv-tool -a import-certificate -s <slot> -k [ -o <cert file> ]

=== Description
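Review bot: `--pin-policy` and `--touch-policy` are added to the `-a selfsign` synopsis line, but the option table describes them as policy "for the slot containing the key", and the `-a generate` line above is left without them. If the policies are fixed when the key is generated, they belong on the generate line rather than on selfsign. The PIN placeholder also differs between the two new lines (`-P <PIN code>` vs `-P <PIN>`); pick one and use it throughout.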
@@ -34,7 +34,10 @@ verify the PIN and `-a verify-bio` for fingerprint verification.
|-A, --algorithm | | X | What algorithm to use to generate the key pair | RSA1024, RSA2048, RSA3072 (Requires YubiKey 5.7 or higher), RSA4096 (Requires YubiKey 5.7 or higher), ECCP256, ECCP384, ED25519 (Requires YubiKey 5.7 or higher), X25519 (Requires YubiKey 5.7 or higher) | RSA2048
|-i, --input | | X | Filename to use as input | file name or "-" for stdin | -
|-o, --output | | X | Filename to use as output | file name or "-" for stdin | -
|-S, --subject | | X | The subject to use for the certificate. The subject must be written as: /CN=host.example.com/OU=test/O=example.com/ | |
|-S, --subject |X| | The subject to use for the certificate. The subject must be written as: /CN=host.example.com/OU=test/O=example.com/ | |
|-P, --pin | | X | Pin/puk code for verification, if omitted pin/puk will be asked for | |
|--pin-policy | | | Set pin policy applicable for the slot containing the key. Only available on YubiKey 4 or newer | never, once, always, matchonce (applicable with bio verification), matchalways (applicable for with verification) | `always` on slot 9c and `once` on slots 9a, 9d and 9e
|--touch-policy | | | Set touch policy applicable for the slot containing the key. Only available on YubiKey 4 or newer | never, always, caches | never
|--serial | | X | Serial number of the self-signed certificate | |
|--valid-days | | X | Time (in days) until the self-signed certificate expires | | 365
|===================================
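Review bot: The `--touch-policy` row lists the values as "never, always, caches", while the synopsis uses `cached`; the table should read `cached`. In the `--pin-policy` row, "matchalways (applicable for with verification)" is missing a word and probably should mirror the matchonce wording, "applicable with bio verification". Both policy rows leave the two marker columns empty, and `-S` is now marked as required for the whole page although the `-a generate` synopsis does not take it; a qualifier such as "required for selfsign and request-certificate" would avoid misreading.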
7 changes: 5 additions & 2 deletions doc/Actions/key_import.adoc
@@ -1,7 +1,7 @@
== Key Import
$ yubico-piv-tool -a import-key -s <slot> -k [ -i <input file> -p <input file password> -K <input file format> ]
$ yubico-piv-tool -a import-key -s <slot> -k [ -P <PIN code> --pin-policy <never|once|always|matchonce|matchalways> --touch-policy <never|always|cached> -i <input file> -p <input file password> -K <input file format> ]
$ yubico-piv-tool -a import-certificate -s <slot> -k [ -i <input file> -K <input file format> ]
$ yubico-piv-tool -a import-key -a import-certificate -s <slot> -k [ -i <input file> -p <input file password> -K <input file format> ]
$ yubico-piv-tool -a import-key -a import-certificate -s <slot> -k [ -P <PIN code> --pin-policy <never|once|always|matchonce|matchalways> --touch-policy <never|always|cached> -i <input file> -p <input file password> -K <input file format> ]

=== Description
Imports a key, a certificate or both into the Yubikey PIV interface. The largest
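Review bot: `-P <PIN code>` is added to both `import-key` synopsis lines, yet neither line includes `-a verify-pin` or `-a verify-bio`, unlike the signing and selfsign synopses where `-P` accompanies a verify action. Either show the verify action in the synopsis or state in the description what the PIN is used for during import; as written, readers cannot tell whether `-P` has any effect here.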
@@ -28,6 +28,9 @@ management key before start using it.]
|-i, --input | | X | Filename to use as input | file name or "-" for stdin | -
|-K, --key-format | | X | Format of the key/certificate being read/written | PEM, PKCS12, GZIP, DER, SSH | PEM
|-p, --password | | X | Password for decryption of private key file, if omitted password will be asked for | |
|-P, --pin | | X | Pin/puk code for verification, if omitted pin/puk will be asked for | |
|--pin-policy | | | Set pin policy applicable for the slot containing the key. Only available on YubiKey 4 or newer | never, once, always, matchonce (applicable with bio verification), matchalways (applicable for with verification) | `always` on slot 9c and `once` on slots 9a, 9d and 9e
|--touch-policy | | | Set touch policy applicable for the slot containing the key. Only available on YubiKey 4 or newer | never, always, caches | never
|===================================

=== Examples
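Review bot: The three new rows are copied from key_generation.adoc and carry the same slips: `--touch-policy` lists "caches" where the synopsis says `cached`, and "matchalways (applicable for with verification)" is missing a word. The `--pin-policy` default names only slots 9c, 9a, 9d and 9e, while the slot lists elsewhere in this commit also include 82 to 95 and f9; say what the default is for those slots, since this is the page where keys land in them.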
3 changes: 2 additions & 1 deletion doc/Actions/signing.adoc
@@ -1,5 +1,5 @@
== Signing
$ yubico-piv-tool -a verify-pin --sign -s <slot> [ -H <hash algorithm> -A <key algorithm> -i <input data file> -o <signature file> ]
$ yubico-piv-tool -a verify-pin --sign -s <slot> [ -H <hash algorithm> -A <key algorithm> -P <PIN code> -i <input data file> -o <signature file> ]

=== Description
Signs input data
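Review bot: The synopsis now advertises `-P <PIN code>` without saying that a PIN given on the command line ends up in shell history and is visible in the process list while the tool runs. Since the option table notes the PIN "will be asked for" when `-P` is omitted, the description should recommend the prompt for interactive use and reserve `-P` for scripted runs.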
@@ -17,6 +17,7 @@ Use `-a verify-pin` to verify the PIN and `-a verify-bio` for fingerprint verifi
8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9 |
|-A, --algorithm | | X | Signing key algorithm | RSA1024, RSA2048, RSA3072 (Requires YubiKey 5.7 or higher), RSA4096 (Requires YubiKey 5.7 or higher), ECCP256, ECCP384, ED25519 (Requires YubiKey 5.7 or higher) | RSA2048
|-H, --hash | | X | Hash to use for signatures | SHA1, SHA256, SHA384, SHA512 | SHA256
|-P, --pin | | X | Pin/puk code for verification, if omitted pin/puk will be asked for | |
|-i, --input | | X | Filename to use as input | file name or "-" for stdin | -
|-o, --output | | X | Filename to use as output | file name or "-" for stdin | -
|===================================
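Review bot: The new `-P` row says "Pin/puk code for verification", but the header context for this page only mentions `-a verify-pin` and `-a verify-bio`, so the PUK wording does not fit signing. Suggest "PIN code for verification; prompted for if omitted", with PIN capitalised as in the synopsis.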
3 changes: 2 additions & 1 deletion doc/Actions/test-decryption.adoc
@@ -1,6 +1,6 @@
== Test Decryption
$ yubico-piv-tool -a read-certificate -s <slot> [ -o cert.pem ]
$ yubico-piv-tool -a verify-pin -a test-decipher -s <slot> [ -i cert.pem ]
$ yubico-piv-tool -a verify-pin -a test-decipher -s <slot> [ -P <PIN code> -i cert.pem ]

=== Description
Tests decryption function.
@@ -19,6 +19,7 @@ done using the "read-certificate" action first.

|-s, --slot | X | | What key slot to operate on | 9a, 9c, 9d, 9e, 82, 83, 84, 85, 86, 87, 88, 89,
8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9 |
|-P, --pin | | X | Pin/puk code for verification, if omitted pin/puk will be asked for | |
|-i, --input | | X | Filename to use as input | file name or "-" for stdin | -
|-o, --output | | X | Filename to use as output | file name or "-" for stdin | -
|===================================
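Review bot: Directly below the new `-P` row, the `-o, --output` row still gives the allowed value as 'file name or "-" for stdin'; for output that should be stdout. The same text appears in the other tables touched by this commit, so it is worth correcting in the same pass.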
3 changes: 2 additions & 1 deletion doc/Actions/test-signature.adoc
@@ -1,6 +1,6 @@
== Test Signature
$ yubico-piv-tool -a read-certificate -s <slot> [ -o cert.pem ]
$ yubico-piv-tool -a verify-pin -a test-signature -s <slot> [ -i cert.pem ]
$ yubico-piv-tool -a verify-pin -a test-signature -s <slot> [ -P <PIN code> -i cert.pem ]

=== Description
Tests signing functions.
@@ -19,6 +19,7 @@ done using the "read-certificate" action first.

|-s, --slot | X | | What key slot to operate on | 9a, 9c, 9d, 9e, 82, 83, 84, 85, 86, 87, 88, 89,
8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9 |
|-P, --pin | | X | Pin/puk code for verification, if omitted pin/puk will be asked for | |
|-i, --input | | X | Filename to use as input | file name or "-" for stdin | -
|-o, --output | | X | Filename to use as output | file name or "-" for stdin | -
|===================================
