From afde5b5ecbed2859646f02be51a65fe3bd51d2c9 Mon Sep 17 00:00:00 2001
From: Aveen Ismail
Date: Thu, 19 Sep 2024 16:25:39 +0200
Subject: [PATCH] Docs: Update actions documentation
---
 doc/Actions/key_generation.adoc | 9 ++++++---
 doc/Actions/key_import.adoc | 7 +++++--
 doc/Actions/signing.adoc | 3 ++-
 doc/Actions/test-decryption.adoc | 3 ++-
 doc/Actions/test-signature.adoc | 3 ++-
 5 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/doc/Actions/key_generation.adoc b/doc/Actions/key_generation.adoc
index b100fddc..abbabcd0 100644
--- a/doc/Actions/key_generation.adoc
+++ b/doc/Actions/key_generation.adoc
@@ -1,7 +1,7 @@
 == Key Generation
 $ yubico-piv-tool -a generate -s -k [ -A -o ]
- $ yubico-piv-tool -a verify-pin -a selfsign -s [ -i -S --serial --valid-days DAYS -o ]
- $ yubico-piv-tool -a verify-pin -a request-certificate -s [ -i -S -o ]
+ $ yubico-piv-tool -a verify-pin -a selfsign -s -S [ -P --pin-policy --touch-policy -i --serial --valid-days DAYS -o ]
+ $ yubico-piv-tool -a verify-pin -a request-certificate -s -S [ -P -i -o ]
 $ yubico-piv-tool -a import-certificate -s -k [ -o ]
 === Description
@@ -34,7 +34,10 @@ verify the PIN and `-a verify-bio` for fingerprint verification.
 |-A, --algorithm | | X | What algorithm to use to generate the key pair | RSA1024, RSA2048, RSA3072 (Requires YubiKey 5.7 or higher), RSA4096 (Requires YubiKey 5.7 or higher), ECCP256, ECCP384, ED25519 (Requires YubiKey 5.7 or higher), X25519 (Requires YubiKey 5.7 or higher) | RSA2048
 |-i, --input | | X | Filename to use as input | file name or "-" for stdin | -
 |-o, --output | | X | Filename to use as output | file name or "-" for stdin | -
-|-S, --subject | | X | The subject to use for the certificate. The subject must be written as: /CN=host.example.com/OU=test/O=example.com/ | |
+|-S, --subject |X| | The subject to use for the certificate. The subject must be written as: /CN=host.example.com/OU=test/O=example.com/ | |
+|-P, --pin | | X | Pin/puk code for verification, if omitted pin/puk will be asked for | |
+|--pin-policy | | | Set pin policy applicable for the slot containing the key. Only available on YubiKey 4 or newer | never, once, always, matchonce (applicable with bio verification), matchalways (applicable for with verification) | `always` on slot 9c and `once` on slots 9a, 9d and 9e
+|--touch-policy | | | Set touch policy applicable for the slot containing the key. Only available on YubiKey 4 or newer | never, always, caches | never
 |--serial | | X | Serial number of the self-signed certificate | |
 |--valid-days | | X | Time (in days) until the self-signed certificate expires | | 365
 |===================================
diff --git a/doc/Actions/key_import.adoc b/doc/Actions/key_import.adoc
index eb4445d5..6d194c6b 100644
--- a/doc/Actions/key_import.adoc
+++ b/doc/Actions/key_import.adoc
@@ -1,7 +1,7 @@
 == Key Import
- $ yubico-piv-tool -a import-key -s -k [ -i -p -K ]
+ $ yubico-piv-tool -a import-key -s -k [ -P --pin-policy --touch-policy -i -p -K ]
 $ yubico-piv-tool -a import-certificate -s -k [ -i -K ]
- $ yubico-piv-tool -a import-key -a import-certificate -s -k [ -i -p -K ]
+ $ yubico-piv-tool -a import-key -a import-certificate -s -k [ -P --pin-policy --touch-policy -i -p -K ]
 === Description
 Imports a key, a certificate or both into the Yubikey PIV interface. The largest
@@ -28,6 +28,9 @@ management key before start using it.]
 |-i, --input | | X | Filename to use as input | file name or "-" for stdin | -
 |-K, --key-format | | X | Format of the key/certificate being read/written | PEM, PKCS12, GZIP, DER, SSH | PEM
 |-p, --password | | X | Password for decryption of private key file, if omitted password will be asked for | |
+|-P, --pin | | X | Pin/puk code for verification, if omitted pin/puk will be asked for | |
+|--pin-policy | | | Set pin policy applicable for the slot containing the key. Only available on YubiKey 4 or newer | never, once, always, matchonce (applicable with bio verification), matchalways (applicable for with verification) | `always` on slot 9c and `once` on slots 9a, 9d and 9e
+|--touch-policy | | | Set touch policy applicable for the slot containing the key. Only available on YubiKey 4 or newer | never, always, caches | never
 |===================================
 === Examples
diff --git a/doc/Actions/signing.adoc b/doc/Actions/signing.adoc
index 381ad714..9a8f3945 100644
--- a/doc/Actions/signing.adoc
+++ b/doc/Actions/signing.adoc
@@ -1,5 +1,5 @@
 == Signing
- $ yubico-piv-tool -a verify-pin --sign -s [ -H -A -i -o ]
+ $ yubico-piv-tool -a verify-pin --sign -s [ -H -A -P -i -o ]
 === Description
 Signs input data
@@ -17,6 +17,7 @@ Use `-a verify-pin` to verify the PIN and `-a verify-bio` for fingerprint verifi
 8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9 |
 |-A, --algorithm | | X | Signing key algorithm | RSA1024, RSA2048, RSA3072 (Requires YubiKey 5.7 or higher), RSA4096 (Requires YubiKey 5.7 or higher), ECCP256, ECCP384, ED25519 (Requires YubiKey 5.7 or higher) | RSA2048
 |-H, --hash | | X | Hash to use for signatures | SHA1, SHA256, SHA384, SHA512 | SHA256
+|-P, --pin | | X | Pin/puk code for verification, if omitted pin/puk will be asked for | |
 |-i, --input | | X | Filename to use as input | file name or "-" for stdin | -
 |-o, --output | | X | Filename to use as output | file name or "-" for stdin | -
 |===================================
diff --git a/doc/Actions/test-decryption.adoc b/doc/Actions/test-decryption.adoc
index 5fb68cc4..95fc96e2 100644
--- a/doc/Actions/test-decryption.adoc
+++ b/doc/Actions/test-decryption.adoc
@@ -1,6 +1,6 @@
 == Test Decryption
 $ yubico-piv-tool -a read-certificate -s [ -o cert.pem ]
- $ yubico-piv-tool -a verify-pin -a test-decipher -s [ -i cert.pem ]
+ $ yubico-piv-tool -a verify-pin -a test-decipher -s [ -P -i cert.pem ]
 === Description
 Tests decryption function.
@@ -19,6 +19,7 @@ done using the "read-certificate" action first.
 |-s, --slot | X | | What key slot to operate on | 9a, 9c, 9d, 9e, 82, 83, 84, 85, 86, 87, 88, 89, 8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9 |
+|-P, --pin | | X | Pin/puk code for verification, if omitted pin/puk will be asked for | |
 |-i, --input | | X | Filename to use as input | file name or "-" for stdin | -
 |-o, --output | | X | Filename to use as output | file name or "-" for stdin | -
 |===================================
diff --git a/doc/Actions/test-signature.adoc b/doc/Actions/test-signature.adoc
index 29d7f195..86a783b4 100644
--- a/doc/Actions/test-signature.adoc
+++ b/doc/Actions/test-signature.adoc
@@ -1,6 +1,6 @@
 == Test Signature
 $ yubico-piv-tool -a read-certificate -s [ -o cert.pem ]
- $ yubico-piv-tool -a verify-pin -a test-signature -s [ -i cert.pem ]
+ $ yubico-piv-tool -a verify-pin -a test-signature -s [ -P -i cert.pem ]
 === Description
 Tests signing functions.
@@ -19,6 +19,7 @@ done using the "read-certificate" action first.
 |-s, --slot | X | | What key slot to operate on | 9a, 9c, 9d, 9e, 82, 83, 84, 85, 86, 87, 88, 89, 8a, 8b, 8c, 8d, 8e, 8f, 90, 91, 92, 93, 94, 95, f9 |
+|-P, --pin | | X | Pin/puk code for verification, if omitted pin/puk will be asked for | |
 |-i, --input | | X | Filename to use as input | file name or "-" for stdin | -
 |-o, --output | | X | Filename to use as output | file name or "-" for stdin | -
 |===================================