Sort step certificate create flags

This commit sorts the flags in step certificate create command. It also
adds flags for the hidden insecure and subtle and replaces them in other
commands.

command/certificate/create.go

@@ -41,14 +41,15 @@ func createCommand() cli.Command {
 		Action: command.ActionFunc(createAction),
 		Usage:  "create a certificate or certificate signing request",
 		UsageText: `**step certificate create** <subject> <crt-file> <key-file>
-[**--kms**=<uri>] [**--csr**] [**--profile**=<profile>]
-[**--template**=<file>] [**--set**=<key=value>] [**--set-file**=<file>]
-[**--not-before**=<duration>] [**--not-after**=<duration>]
-[**--password-file**=<file>] [**--ca**=<issuer-cert>] 
-[**--ca-key**=<issuer-key>] [**--ca-password-file**=<file>]
-[**--ca-kms**=<uri>] [**--san**=<SAN>] [**--bundle**] [**--key**=<file>]
 [**--kty**=<type>] [**--curve**=<curve>] [**--size**=<size>]
-[**--skip-csr-signature**] [**--no-password**] [**--insecure**]`,
+[**--csr**] [**--profile**=<profile>] [**--template**=<file>]
+[**--set**=<key=value>] [**--set-file**=<file>]
+[**--not-before**=<duration>] [**--not-after**=<duration>] [**--san**=<SAN>]
+[**--ca**=<issuer-cert>] [**--ca-kms**=<uri>]
+[**--ca-key**=<issuer-key>] [**--ca-password-file**=<file>]
+[**--kms**=<uri>] [**--key**=<file>] [**--password-file**=<file>]
+[**--bundle**] [**--skip-csr-signature**]
+[**--no-password**] [**--subtle**] [**--insecure**]`,
 		Description: `**step certificate create** generates a certificate or a
 certificate signing request (CSR) that can be signed later using 'step
 certificate sign' (or some other tool) to produce a certificate.
@@ -347,35 +348,37 @@ $ step certificate create \
   --profile intermediate-ca \
   --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password'
   --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
-  --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \ 
+  --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
   --key 'pkcs11:id=4001' \
   'My KMS Intermediate' intermediate_ca.crt
 '''
 
 Create an intermediate certificate for an RSA decryption key in Google Cloud KMS, signed by a root stored on disk, using <step-kms-plugin>:
 '''
 $ step certificate create \
-  --profile intermediate-ca \ 
-  --ca root_ca.crt --ca-key root_ca_key \ 
-  --kms cloudkms: \ 
+  --profile intermediate-ca \
+  --ca root_ca.crt --ca-key root_ca_key \
+  --kms cloudkms: \
   --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
   --skip-csr-signature \
-  'My RSA Intermediate' intermediate_rsa_ca.crt 
+  'My RSA Intermediate' intermediate_rsa_ca.crt
 '''
 
 Create an intermediate certificate for an RSA signing key in Google Cloud KMS, signed by a root stored in an HSM, using <step-kms-plugin>:
 '''
 $ step certificate create \
-  --profile intermediate-ca \ 
+  --profile intermediate-ca \
   --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
-  --ca root_ca.crt --ca-key 'pkcs11:id=4000' \ 
-  --kms cloudkms: \ 
+  --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
+  --kms cloudkms: \
   --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
-  'My RSA Intermediate' intermediate_rsa_ca.crt 
+  'My RSA Intermediate' intermediate_rsa_ca.crt
 '''
 `,
 		Flags: []cli.Flag{
-			flags.KMSUri,
+			flags.KTY,
+			flags.Size,
+			flags.Curve,
 			cli.BoolFlag{
 				Name:  "csr",
 				Usage: `Generate a certificate signing request (CSR) instead of a certificate.`,
@@ -407,14 +410,34 @@ $ step certificate create \
 			flags.TemplateSet,
 			flags.TemplateSetFile,
 			cli.StringFlag{
-				Name: "password-file",
-				Usage: `The path to the <file> containing the password to
-encrypt the new private key or decrypt the user submitted private key.`,
+				Name: "not-before",
+				Usage: `The <time|duration> set in the NotBefore property of the certificate. If a
+<time> is used it is expected to be in RFC 3339 format. If a <duration> is
+used, it is a sequence of decimal numbers, each with optional fraction and a
+unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
+"us" (or "µs"), "ms", "s", "m", "h".`,
+			},
+			cli.StringFlag{
+				Name: "not-after",
+				Usage: `The <time|duration> set in the NotAfter property of the certificate. If a
+<time> is used it is expected to be in RFC 3339 format. If a <duration> is
+used, it is a sequence of decimal numbers, each with optional fraction and a
+unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
+"us" (or "µs"), "ms", "s", "m", "h".`,
+			},
+			cli.StringSliceFlag{
+				Name: "san",
+				Usage: `Add DNS or IP Address Subjective Alternative Names (SANs). Use the '--san'
+flag multiple times to configure multiple SANs.`,
 			},
 			cli.StringFlag{
 				Name:  "ca",
 				Usage: `The certificate authority used to issue the new certificate (PEM file).`,
 			},
+			cli.StringFlag{
+				Name:  "ca-kms",
+				Usage: "The <uri> to configure the KMS used for signing the certificate",
+			},
 			cli.StringFlag{
 				Name:  "ca-key",
 				Usage: `The certificate authority private key used to sign the new certificate (PEM file).`,
@@ -424,59 +447,34 @@ encrypt the new private key or decrypt the user submitted private key.`,
 				Usage: `The path to the <file> containing the password to
 decrypt the CA private key.`,
 			},
+			flags.KMSUri,
 			cli.StringFlag{
 				Name:  "key",
 				Usage: "The <file> of the private key to use instead of creating a new one (PEM file).",
 			},
+			cli.StringFlag{
+				Name: "password-file",
+				Usage: `The path to the <file> containing the password to
+encrypt the new private key or decrypt the user submitted private key.`,
+			},
 			cli.BoolFlag{
 				Name: "no-password",
 				Usage: `Do not ask for a password to encrypt the private key.
 Sensitive key material will be written to disk unencrypted. This is not
 recommended. Requires **--insecure** flag.`,
-			},
-			cli.StringFlag{
-				Name: "not-before",
-				Usage: `The <time|duration> set in the NotBefore property of the certificate. If a
-<time> is used it is expected to be in RFC 3339 format. If a <duration> is
-used, it is a sequence of decimal numbers, each with optional fraction and a
-unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
-"us" (or "µs"), "ms", "s", "m", "h".`,
-			},
-			cli.StringFlag{
-				Name: "not-after",
-				Usage: `The <time|duration> set in the NotAfter property of the certificate. If a
-<time> is used it is expected to be in RFC 3339 format. If a <duration> is
-used, it is a sequence of decimal numbers, each with optional fraction and a
-unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
-"us" (or "µs"), "ms", "s", "m", "h".`,
-			},
-			cli.StringSliceFlag{
-				Name: "san",
-				Usage: `Add DNS or IP Address Subjective Alternative Names (SANs). Use the '--san'
-flag multiple times to configure multiple SANs.`,
 			},
 			cli.BoolFlag{
 				Name: "bundle",
 				Usage: `Bundle the new leaf certificate with the signing certificate. This flag requires
 the **--ca** flag.`,
 			},
-			flags.KTY,
-			flags.Size,
-			flags.Curve,
-			flags.Force,
-			flags.Subtle,
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
-			cli.StringFlag{
-				Name:  "ca-kms",
-				Usage: "The <uri> to configure the KMS used for signing the certificate",
-			},
 			cli.BoolFlag{
 				Name:  "skip-csr-signature",
-				Usage: "Skip creating and signing a CSR",
+				Usage: "Skip creating and signing a CSR.",
 			},
+			flags.Force,
+			flags.Subtle,
+			flags.InsecureHidden,
 		},
 	}
 }

command/certificate/p12.go

@@ -23,7 +23,8 @@ func p12Command() cli.Command {
 		Action: command.ActionFunc(p12Action),
 		Usage:  `package a certificate and keys into a .p12 file`,
 		UsageText: `step certificate p12 <p12-path> [<crt-path>] [<key-path>]
-[**--ca**=<file>] [**--password-file**=<file>]`,
+[**--ca**=<file>] [**--password-file**=<file>]
+[**--force**] [**--no-password**] [**--insecure**]`,
 		Description: `**step certificate p12** creates a .p12 (PFX / PKCS12)
 file containing certificates and keys. This can then be used to import
 into Windows / Firefox / Java applications.

command/crypto/hash/hash.go

@@ -18,6 +18,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
 )
@@ -127,10 +128,7 @@ For examples, see **step help crypto hash**.
 		:  MD5 produces a 128-bit hash value
 `,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }
@@ -187,10 +185,7 @@ For examples, see **step help crypto hash**.
 		:  MD5 produces a 128-bit hash value
 `,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }

command/crypto/jwe/encrypt.go

@@ -5,6 +5,7 @@ import (
 	"os"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -147,10 +148,7 @@ applications where more than one JWE payload type may be present. This
 parameter is ignored by JWE implementations, but may be processed by
 applications that use JWE.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
+			flags.SubtleHidden,
 		},
 	}
 }

command/crypto/jwk/create.go

@@ -377,9 +377,9 @@ existing <pem-file> instead of creating a new key.`,
 			},
 			flags.PasswordFile,
 			flags.NoPassword,
+			flags.Force,
 			flags.Subtle,
 			flags.Insecure,
-			flags.Force,
 		},
 	}
 }

command/crypto/jws/inspect.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -32,10 +33,7 @@ For examples, see **step help crypto jws**.`,
 				Usage: `Displays the header, payload and signature as a JSON object. The payload will
 be encoded using Base64.`,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }

command/crypto/jws/sign.go

@@ -150,17 +150,14 @@ string. When used with '--jwk' the <kid> value must match the **"kid"** member
 of the JWK. When used with **--jwks** (a JWK Set) the <kid> value must match
 the **"kid"** member of one of the JWKs in the JWK Set.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
 			cli.BoolFlag{
 				Name:   "no-kid",
 				Hidden: true,
 			},
 			flags.PasswordFile,
 			flags.X5cCert,
 			flags.X5tCert,
+			flags.SubtleHidden,
 		},
 	}
 }

command/crypto/jws/verify.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -71,14 +72,8 @@ member its value must match <kid> or verification will fail.`,
 				Usage: `Displays the header, payload and signature as a JSON object. The payload will
 be encoded using Base64.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.SubtleHidden,
+			flags.InsecureHidden,
 		},
 	}
 }

command/crypto/jwt/sign.go

@@ -199,17 +199,14 @@ the **"kid"** member of one of the JWKs in the JWK Set.`,
 				Name:  "password-file",
 				Usage: `The path to the <file> containing the password to decrypt the key.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
 			cli.BoolFlag{
 				Name:   "no-kid",
 				Hidden: true,
 			},
 			flags.X5cCert,
 			flags.X5tCert,
 			flags.X5cInsecure,
+			flags.SubtleHidden,
 		},
 	}
 }

command/crypto/jwt/verify.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -89,18 +90,12 @@ member its value must match <kid> or verification will fail.`,
 				Name:  "password-file",
 				Usage: `The path to the <file> containing the password to decrypt the key.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
 			cli.BoolFlag{
 				Name:   "no-exp-check",
 				Hidden: true,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.SubtleHidden,
+			flags.InsecureHidden,
 		},
 	}
 }

command/crypto/kdf/kdf.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/internal/kdf"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
@@ -149,10 +150,7 @@ appear in places you might not expect. If omitted input is read from STDIN.`,
 		: A password-based KDF optimized to resist GPU and side-channel attacks.
 `,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }

command/crypto/otp/verify.go

@@ -63,10 +63,7 @@ as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms"
 "s", "m", "h". A <duration> value is added to the current time. An empty
 <time|duration> defaults to "time.Now()".`,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }