.. Hidden_Commands.rst

.. _hidden-commands-label:

================
Hidden Commands
================

The commands described here are listed when you run the command ``ykman --full-help``.

ykman apdu [OPTIONS] [APDU]
============================

Execute arbitrary Application Protocol Data Units (APDUs).

Provide APDUs as a hex encoded, space-separated list using the following syntax:

``[CLA]INS[P1P2][:DATA][/LE][=EXPECTED_SW]``

If not provided, CLA, P1 and P2 are all set to zero. Setting EXPECTED_SW causes the command to check the response SW and fail if it differs. "=" can be used as shorthand for "=9000" (SW=OK).

Examples
--------

Select the OATH application, send a LIST instruction (``0xA1``), and make sure we get ``sw=9000`` (these are equivalent):

.. code-block::

   $ ykman apdu a40400:a000000527210101=9000 a1=9000
   or
   $ ykman apdu -a oath a1=

Factory reset the OATH application:

.. code-block::

   $ ykman apdu -a oath 04dead
   or
   $ ykman apdu a40400:a000000527210101 04dead
   or (using full-apdu mode)
   $ ykman apdu -s 00a4040008a000000527210101 -s 0004dead

Get 8 random bytes from the OpenPGP application:

.. code-block::

   $ ykman apdu -a openpgp 84/08=

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+
   | ``-a, --app [otp|management|``  | Select application.                        |
   | ``openpgp|oath|piv|fido|``      |                                            |
   | ``hsmauth|secure-domain]``      |                                            |
   +---------------------------------+--------------------------------------------+
   | ``-s, --send-apdu TEXT``        | Provide full APDUs.                        |
   +---------------------------------+--------------------------------------------+
   | ``--short``                     | Force usage of short APDUs.                |
   +---------------------------------+--------------------------------------------+
   | ``-x, --no-pretty``             | Print only the hex output of a response.   |
   +---------------------------------+--------------------------------------------+

ykman sd [OPTIONS] COMMAND [ARGS]
==================================

Manage the Security Domain (SD) application, which holds keys for Secure Copy Protocol (SCP).

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+

Commands
---------

.. table::

   +-------------------+-------------------------------------------------------+
   | Command           | Description                                           |
   +===================+=======================================================+
   | ``info``          | List keys in the Security Domain of the YubiKey.      |
   +-------------------+-------------------------------------------------------+
   | ``keys``          | Manage SCP keys.                                      |
   +-------------------+-------------------------------------------------------+
   | ``reset``         | Reset all Security Domain data.                       |
   +-------------------+-------------------------------------------------------+

ykman sd info [OPTIONS]
=======================

List keys in the Security Domain of the YubiKey.

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+

ykman sd keys [OPTIONS] COMMAND [ARGS]
=======================================

Manage SCP keys.

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+

Commands
---------

.. table::

   +-------------------+-----------------------------------------------------------+
   | Command           | Description                                               |
   +===================+===========================================================+
   | ``delete``        | Delete a key or keyset.                                   |
   +-------------------+-----------------------------------------------------------+
   | ``export``        | Export certificate chain for a key.                       |
   +-------------------+-----------------------------------------------------------+
   | ``generate``      | Generate an asymmetric key pair.                          |
   +-------------------+-----------------------------------------------------------+
   | ``import``        | Import a key or certificate.                              |
   +-------------------+-----------------------------------------------------------+
   | ``set-allowlist`` | Set an allowlist of certificate serial numbers for a key. |
   +-------------------+-----------------------------------------------------------+

ykman sd keys delete [OPTIONS] KID KVN
========================================

Deletes the key or keyset with the given Key ID (KID) and Key Version Number (KVN). Set either KID or KVN to ``0`` to use it as a wildcard and delete all keys matching the specific KID or KVN.

Arguments
----------

.. table::

   +---------------------------------+--------------------------------------------+
   | Argument                        | Description                                |
   +=================================+============================================+
   | ``KID KVN``                     | Key reference for the key to delete.       |
   +---------------------------------+--------------------------------------------+

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+
   | ``-f, --force``                 | Confirm the action without prompting.      |
   +---------------------------------+--------------------------------------------+

ykman sd keys export [OPTIONS] KID KVN OUTPUT
==============================================

Export certificate chain for a key.

Arguments
----------

.. table::

   +---------------------------------+--------------------------------------------+
   | Argument                        | Description                                |
   +=================================+============================================+
   | ``KID KVN``                     | Key reference for the certificate chain    |
   |                                 | to output.                                 |
   +---------------------------------+--------------------------------------------+
   | ``OUTPUT``                      | File to write the certificate chain to,    |
   |                                 | Use '-' to use stdout.                     |
   +---------------------------------+--------------------------------------------+

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+

ykman sd keys generate [OPTIONS] KID KVN PUBLIC-KEY
====================================================

Generate an asymmetric key pair. The private key is generated on the YubiKey, and written to one of the slots.

Arguments
----------

.. table::

   +---------------------------------+--------------------------------------------+
   | Argument                        | Description                                |
   +=================================+============================================+
   | ``KID KVN``                     | Key reference for the new key.             |
   +---------------------------------+--------------------------------------------+
   | ``PUBLIC-KEY``                  | File containing the generated public key   |
   |                                 | Use '-' to use stdout.                     |
   +---------------------------------+--------------------------------------------+

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+
   | ``-r, --replace-kvn INTEGER``   | Replace an existing key of the same type,  |
   |                                 | the same KID.                              |
   +---------------------------------+--------------------------------------------+

ykman sd keys import [OPTIONS] KID KVN INPUT
=============================================

Import a key or certificate.

``KID 0x01`` expects the input to be a ":"-separated triple of K-ENC:K-MAC:K-DEK.

``KID 0x11, 0x13, 0x15`` expect the input to be a file containing a private key and (optionally) a certificate chain.

``KID 0x10, 0x20-0x2F`` expect the file to contain a CA-KLOC certificate.

Arguments
----------

.. table::

   +---------------------------------+--------------------------------------------+
   | Argument                        | Description                                |
   +=================================+============================================+
   | ``KID KVN``                     | Key reference for the new key.             |
   +---------------------------------+--------------------------------------------+
   | ``INPUT``                       | SCP03 keyset, or input file.               |
   |                                 | Use '-' to use stdout.                     |
   +---------------------------------+--------------------------------------------+

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+
   | ``-p, --password TEXT``         | Password used to decrypt the file,         |
   |                                 | if needed.                                 |
   +---------------------------------+--------------------------------------------+
   | ``-r, --replace-kvn INTEGER``   | Replace an existing key of the same type,  |
   |                                 | the same KID.                              |
   +---------------------------------+--------------------------------------------+

ykman sd keys set-allowlist [OPTIONS] KID KVN [SERIALS]
========================================================

Set an allowlist of certificate serial numbers for a key. Each certificate in the chain used when authenticating an SCP11a/c session is checked and rejected if its serial number is not in this ``allowlist``.

Arguments
----------

.. table::

   +---------------------------------+--------------------------------------------+
   | Argument                        | Description                                |
   +=================================+============================================+
   | ``KID KVN``                     | Key reference for the allowlist to set.    |
   +---------------------------------+--------------------------------------------+
   | ``SERIALS``                     | Serial numbers of certificates to allow.   |
   |                                 | Separate serial numbers using a space.     |
   +---------------------------------+--------------------------------------------+

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+

ykman sd reset [OPTIONS]
=========================

Reset all Security Domain data. This action wipes all keys and restores factory settings for the Security Domain on the YubiKey.

Options
--------

.. table::

   +---------------------------------+--------------------------------------------+
   | Option                          | Description                                |
   +=================================+============================================+
   | ``-h, --help``                  | Show this message and exit.                |
   +---------------------------------+--------------------------------------------+
   | ``-f, --force``                 | Confirm the action without prompting.      |
   +---------------------------------+--------------------------------------------+
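Returning to the ``ykman apdu`` shorthand described at the top of this page: the following is an added example, not ykman's own parser. It turns the ``[CLA]INS[P1P2][:DATA][/LE][=EXPECTED_SW]`` form into the full short-APDU bytes that ``-s`` accepts, and records the expected status word so that a scripted sequence can stop as soon as a response SW differs (the fail-closed behaviour the ``=`` suffix gives you). The reading of header lengths is an assumption of this example (1 byte = INS, 2 = CLA INS, 3 = INS P1P2, 4 = CLA INS P1P2), and the names ``Apdu``, ``parse_apdu``, ``parse_apdu_list`` and ``check_sw`` are this example's own. The shorthand strings it exercises are the ones from the examples on this page.

```python
"""Parse the ``ykman apdu`` shorthand into short-APDU bytes (added example).

This is not ykman's own parser. It follows the syntax stated in the docs,
``[CLA]INS[P1P2][:DATA][/LE][=EXPECTED_SW]``, with one reading of header
lengths that is an assumption: 1 byte = INS, 2 = CLA INS, 3 = INS P1P2,
4 = CLA INS P1P2. Omitted CLA/P1/P2 are zero; a bare "=" means SW 9000.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_HEX = r"[0-9A-Fa-f]"
# header (1..4 bytes), optional :DATA, optional /LE (one byte), optional =SW
_APDU_RE = re.compile(
    rf"^(?P<header>(?:{_HEX}{{2}}){{1,4}})"
    rf"(?::(?P<data>(?:{_HEX}{{2}})*))?"
    rf"(?:/(?P<le>{_HEX}{{2}}))?"
    rf"(?:=(?P<sw>{_HEX}{{4}})?)?$"
)


@dataclass(frozen=True)
class Apdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None           # None: no Le field is sent
    expected_sw: Optional[int] = None  # None: do not check the status word

    def encode(self) -> bytes:
        """Serialize as a short APDU: CLA INS P1 P2 [Lc DATA] [Le]."""
        if len(self.data) > 255:
            raise ValueError("short APDU data field is limited to 255 bytes")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data
        if self.le is not None:
            out += bytes([self.le])
        return out


def parse_apdu(text: str) -> Apdu:
    """Parse one shorthand token such as ``a40400:a000000527210101=9000``."""
    m = _APDU_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed APDU shorthand: {text!r}")
    header = bytes.fromhex(m.group("header"))
    cla = p1 = p2 = 0
    if len(header) == 1:          # INS
        ins = header[0]
    elif len(header) == 2:        # CLA INS (assumption, see module docstring)
        cla, ins = header
    elif len(header) == 3:        # INS P1 P2
        ins, p1, p2 = header
    else:                         # CLA INS P1 P2
        cla, ins, p1, p2 = header
    data = bytes.fromhex(m.group("data") or "")
    le = int(m.group("le"), 16) if m.group("le") else None
    if "=" in m.group(0):
        # "=" alone is shorthand for "=9000" (SW=OK)
        expected = int(m.group("sw"), 16) if m.group("sw") else 0x9000
    else:
        expected = None
    return Apdu(cla, ins, p1, p2, data, le, expected)


def parse_apdu_list(line: str) -> List[Apdu]:
    """Split the space-separated list the CLI takes into individual APDUs."""
    return [parse_apdu(tok) for tok in line.split()]


def check_sw(apdu: Apdu, sw: int) -> bool:
    """True if the response SW is acceptable; a scripted sequence stops on False."""
    return apdu.expected_sw is None or apdu.expected_sw == sw


if __name__ == "__main__":
    # Tokens taken from the examples on this page; the first one encodes to the
    # same bytes as the full-apdu form "00a4040008a000000527210101".
    for tok in ("a40400:a000000527210101=9000", "a1=9000", "04dead", "84/08="):
        a = parse_apdu(tok)
        sw = f"{a.expected_sw:04X}" if a.expected_sw is not None else "any"
        print(f"{tok:32} -> {a.encode().hex()}  expect SW {sw}")
```

Note that a full APDU such as ``00a4040008a000000527210101`` is rejected by ``parse_apdu`` rather than silently truncated: the shorthand grammar has no room for an Lc byte, which is exactly why the page offers ``-s`` as a separate full-apdu mode.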