security.1
1 .\"Modified from man(1) of FreeBSD, the NetBSD mdoc.template, and mdoc.samples. 2 .\"See Also: 3 .\"man mdoc.samples for a complete listing of options 4 .\"man mdoc for the short list of editing options 5 .Dd March 15, 2017 \" DATE 6 .Dt security 1 \" Program name and manual section number 7 .Os Darwin 8 .Sh NAME \" Section Header - required - don't modify 9 .Nm security 10 .\" The following lines are read in generating the apropos(man -k) database. Use only key 11 .\" words here as the database is built based on the words here and in the .ND line. 12 .\" Use .Nm macro to designate other names for the documented program. 13 .Nd Command line interface to keychains and Security framework 14 .Sh SYNOPSIS \" Section Header - required - don't modify 15 .Nm 16 .Op Fl hilqv \" [-hilqv] 17 .Op Fl p Ar prompt \" [-p prompt] 18 .Op Ar command \" [command] 19 .Op Ar command_options \" [command_options] 20 .Op Ar command_args \" [command_args] 21 .Sh DESCRIPTION \" Section Header - required - don't modify 22 A simple command line interface which lets you administer keychains, 23 manipulate keys and certificates, and do just about anything the 24 Security framework is capable of from the command line. 25 .Pp 26 By default 27 .Nm 28 will execute the 29 .Ar command 30 supplied and report if anything went wrong. 31 .Pp 32 If the 33 .Fl i 34 or 35 .Fl p 36 options are provided, 37 .Nm 38 will enter interactive mode and allow the user to enter multiple commands on stdin. When EOF is read from stdin 39 .Nm 40 will exit. 41 .Pp 42 Here is a complete list of the options available: 43 .Bl -tag -width -indent 44 .It Fl h 45 If no arguments are specified, show a list of all commands. If arguments are provided, show usage for each the specified commands. This option is essentially the same as the 46 .Nm help 47 command. 48 .It Fl i 49 Run 50 .Nm 51 in interactive mode. 
A prompt 52 .Po 53 .Li security> 54 by default 55 .Pc 56 will be displayed and the user will be able to type commands on stdin until an EOF is encountered. 57 .It Fl l 58 Before 59 .Nm 60 exits, run 61 .Dl "/usr/bin/leaks -nocontext" 62 on itself to see if the command(s) you executed had any leaks. 63 .It Fl p Ar prompt 64 This option implies the 65 .Fl i 66 option but changes the default prompt to the argument specified instead. 67 .It Fl q 68 Will make 69 .Nm 70 less verbose. 71 .It Fl v 72 Will make 73 .Nm 74 more verbose. 75 .El \" Ends the list 76 .Pp 77 .Sh "SECURITY COMMAND SUMMARY" 78 .Nm 79 provides a rich variety of commands 80 .Po Ar command 81 in the 82 .Sx SYNOPSIS Pc Ns 83 , each of which often has a wealth of options, to allow access to 84 the broad functionality provided by the Security framework. However, 85 you don't have to master every detail for 86 .Nm 87 to be useful to you. 88 .Pp 89 Here are brief descriptions of all the 90 .Nm 91 commands: 92 .Pp 93 .Bl -tag -width user-trust-settings-enable -compact 94 .It Nm help 95 Show all commands, or show usage for a command. 96 .It Nm list-keychains 97 Display or manipulate the keychain search list. 98 .It Nm default-keychain 99 Display or set the default keychain. 100 .It Nm login-keychain 101 Display or set the login keychain. 102 .It Nm create-keychain 103 Create keychains. 104 .It Nm delete-keychain 105 Delete keychains and remove them from the search list. 106 .It Nm lock-keychain 107 Lock the specified keychain. 108 .It Nm unlock-keychain 109 Unlock the specified keychain. 110 .It Nm set-keychain-settings 111 Set settings for a keychain. 112 .It Nm set-keychain-password 113 Set password for a keychain. 114 .It Nm show-keychain-info 115 Show the settings for keychain. 116 .It Nm dump-keychain 117 Dump the contents of one or more keychains. 118 .It Nm create-keypair 119 Create an asymmetric key pair. 120 .It Nm add-generic-password 121 Add a generic password item. 
122 .It Nm add-internet-password 123 Add an internet password item. 124 .It Nm add-certificates 125 Add certificates to a keychain. 126 .It Nm find-generic-password 127 Find a generic password item. 128 .It Nm delete-generic-password 129 Delete a generic password item. 130 .It Nm set-generic-password-partition-list 131 Set the partition list of a generic password item. 132 .It Nm find-internet-password 133 Find an internet password item. 134 .It Nm delete-internet-password 135 Delete an internet password item. 136 .It Nm set-internet-password-partition-list 137 Set the partition list of a internet password item. 138 .It Nm find-key 139 Find keys in the keychain 140 .It Nm set-key-partition-list 141 Set the partition list of a key. 142 .It Nm find-certificate 143 Find a certificate item. 144 .It Nm find-identity 145 Find an identity (certificate + private key). 146 .It Nm delete-certificate 147 Delete a certificate from a keychain. 148 .It Nm delete-identity 149 Delete a certificate and its private key from a keychain. 150 .It Nm set-identity-preference 151 Set the preferred identity to use for a service. 152 .It Nm get-identity-preference 153 Get the preferred identity to use for a service. 154 .It Nm create-db 155 Create a db using the DL. 156 .It Nm export 157 Export items from a keychain. 158 .It Nm import 159 Import items into a keychain. 160 .It Nm cms 161 Encode or decode CMS messages. 162 .It Nm install-mds 163 Install (or re-install) the MDS database. 164 .It Nm add-trusted-cert 165 Add trusted certificate(s). 166 .It Nm remove-trusted-cert 167 Remove trusted certificate(s). 168 .It Nm dump-trust-settings 169 Display contents of trust settings. 170 .It Nm user-trust-settings-enable 171 Display or manipulate user-level trust settings. 172 .It Nm trust-settings-export 173 Export trust settings. 174 .It Nm trust-settings-import 175 Import trust settings. 176 .It Nm verify-cert 177 Verify certificate(s). 
178 .It Nm authorize 179 Perform authorization operations. 180 .It Nm authorizationdb 181 Make changes to the authorization policy database. 182 .It Nm execute-with-privileges 183 Execute tool with privileges. 184 .It Nm leaks 185 Run 186 .Pa /usr/bin/leaks 187 on this process. 188 .It Nm smartcards 189 Enable, disable or list disabled smartcard tokens. 190 .It Nm list-smartcards 191 Display available smartcards. 192 .It Nm export-smartcard 193 Export/display items from a smartcard. 194 .It Nm error 195 Display a descriptive message for the given error code(s). 196 .El 197 .Sh "COMMON COMMAND OPTIONS" 198 This section describes the 199 .Ar command_options 200 that are available across all 201 .Nm 202 commands. 203 .Bl -tag -width -indent 204 .It Fl h 205 Show a usage message for the specified command. This option is 206 essentially the same as the 207 .Ar help 208 command. 209 .El 210 .Sh "SECURITY COMMANDS" 211 Here (finally) are details on all the 212 .Nm 213 commands and the options each accepts. 214 .Bl -item 215 .It 216 .Nm help 217 .Op Fl h 218 .Bl -item -offset -indent 219 Show all commands, or show usage for a command. 220 .El 221 .It 222 .Nm list-keychains 223 .Op Fl h 224 .Op Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic 225 .Op Fl s Op Ar keychain... 226 .Bl -item -offset -indent 227 Display or manipulate the keychain search list. 228 .It 229 .Bl -tag -compact -width -indent 230 .It Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic 231 Use the specified preference domain. 232 .It Fl s 233 Set the search list to the specified keychains. 234 .El 235 .El 236 .It 237 .Nm default-keychain 238 .Op Fl h 239 .Op Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic 240 .Op Fl s Op Ar keychain 241 .Bl -item -offset -indent 242 Display or set the default keychain. 
243 .It 244 .Bl -tag -compact -width -indent 245 .It Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic 246 Use the specified preference domain. 247 .It Fl s 248 Set the default keychain to the specified 249 .Ar keychain Ns . 250 Unset it if no keychain is specified. 251 .El 252 .El 253 .It 254 .Nm login-keychain 255 .Op Fl h 256 .Op Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic 257 .Op Fl s Op Ar keychain 258 .Bl -item -offset -indent 259 Display or set the login keychain. 260 .It 261 .Bl -tag -compact -width -indent 262 .It Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic 263 Use the specified preference domain. 264 .It Fl s 265 Set the login keychain to the specified 266 .Ar keychain Ns . 267 Unset it if no keychain is specified. 268 .El 269 .El 270 .It 271 .Nm create-keychain 272 .Op Fl hP 273 .Op Fl p Ar password 274 .Op Ar keychain... 275 .Bl -item -offset -indent 276 Create keychains. 277 .It 278 .Bl -tag -compact -width -indent-indent 279 .It Fl P 280 Prompt the user for a password using the SecurityAgent. 281 .It Fl p Ar password 282 Use 283 .Ar password 284 as the password for the keychains being created. 285 .El 286 .It 287 If neither 288 .Fl P 289 or 290 .Fl p Ar password 291 are specified, the user is prompted for a password on the command line. Use 292 of the -p option is insecure. 293 .El 294 .It 295 .Nm delete-keychain 296 .Op Fl h 297 .Op Ar keychain... 298 .Bl -item -offset -indent 299 Delete keychains and remove them from the search list. 300 .El 301 .It 302 .Nm lock-keychain 303 .Op Fl h 304 .Op Fl a Ns | Ns Ar keychain 305 .Bl -item -offset -indent 306 Lock 307 .Ar keychain Ns 308 \&, or the default keychain if none is specified. If the 309 .Fl a 310 option is specified, all keychains are locked. 
311 .El 312 .It 313 .Nm unlock-keychain 314 .Op Fl hu 315 .Op Fl p Ar password 316 .Op Ar keychain 317 .Bl -item -offset -indent 318 Unlock 319 .Ar keychain Ns 320 \&, or the default keychain if none is specified. 321 .El 322 .It 323 .Nm set-keychain-settings 324 .Op Fl hlu 325 .Op Fl t Ar timeout 326 .Op Ar keychain 327 .Bl -item -offset -indent 328 Set settings for 329 .Ar keychain Ns 330 \&, or the default keychain if none is specified. 331 .It 332 .Bl -tag -compact -width -indent-indent 333 .It Fl l 334 Lock keychain when the system sleeps. 335 .It Fl u 336 Lock keychain after timeout interval. 337 .It Fl t Ar timeout 338 Specify 339 .Ar timeout 340 interval in seconds (omitting this option specifies "no timeout"). 341 .El 342 .El 343 .It 344 .Nm set-keychain-password 345 .Op Fl h 346 .Op Fl o Ar oldPassword 347 .Op Fl p Ar newPassword 348 .Op Ar keychain 349 .Bl -item -offset -indent 350 Set password for 351 .Ar keychain Ns 352 \&, or the default keychain if none is specified. 353 .It 354 .Bl -tag -compact -width -indent-indent 355 .It Fl o Ar oldPassword 356 Old keychain password (if not provided, will prompt) 357 .It Fl p Ar newPassword 358 New keychain password (if not provided, will prompt) 359 .El 360 .El 361 .It 362 .Nm show-keychain-info 363 .Op Fl h 364 .Op Ar keychain 365 .Bl -item -offset -indent 366 Show the settings for 367 .Ar keychain Ns 368 \&. 369 .El 370 .It 371 .Nm dump-keychain 372 .Op Fl adhir 373 .Bl -item -offset -indent 374 Dump the contents of one or more keychains. 
375 .It 376 .Bl -tag -compact -width -indent-indent 377 .It Fl a 378 Dump access control list of items 379 .It Fl d 380 Dump (decrypted) data of items 381 .It Fl i 382 Interactive access control list editing mode 383 .It Fl r 384 Dump raw (encrypted) data of items 385 .El 386 .El 387 .It 388 .Nm create-keypair 389 .Op Fl h 390 .Op Fl a Ar alg 391 .Op Fl s Ar size 392 .Op Fl f Ar date 393 .Op Fl t Ar date 394 .Op Fl d Ar days 395 .Op Fl k Ar keychain 396 .Op Fl A Ns | Ns Fl T Ar appPath 397 .Op Ar name 398 .Bl -item -offset -indent 399 Create an asymmetric key pair. 400 .It 401 .Bl -tag -compact -width -indent-indent 402 .It Fl a Ar alg 403 Use 404 .Ar alg 405 as the algorithm, can be rsa, dh, dsa or fee (default rsa) 406 .It Fl s Ar size 407 Specify the keysize in bits (default 512) 408 .It Fl f Ar date 409 Make a key valid from the specified date (ex: "13/11/10 3:30pm") 410 .It Fl t Ar date 411 Make a key valid to the specified date 412 .It Fl d Ar days 413 Make a key valid for the number of days specified from today 414 .It Fl k Ar keychain 415 Use the specified keychain rather than the default 416 .It Fl A 417 Allow any application to access this key without warning (insecure, not recommended!) 418 .It Fl T Ar appPath 419 Specify an application which may access this key (multiple 420 .Fl T Ns 421 \& options are allowed) 422 .El 423 .El 424 .It 425 .Nm add-generic-password 426 .Op Fl h 427 .Op Fl a Ar account 428 .Op Fl s Ar service 429 .Op Fl w Ar password 430 .Op Ar options... 431 .Op Ar keychain 432 .Bl -item -offset -indent 433 Add a generic password item. 
434 .It 435 .Bl -tag -compact -width -indent-indent 436 .It Fl a Ar account 437 Specify account name (required) 438 .It Fl c Ar creator 439 Specify item creator (optional four-character code) 440 .It Fl C Ar type 441 Specify item type (optional four-character code) 442 .It Fl D Ar kind 443 Specify kind (default is "application password") 444 .It Fl G Ar value 445 Specify generic attribute value (optional) 446 .It Fl j Ar comment 447 Specify comment string (optional) 448 .It Fl l Ar label 449 Specify label (if omitted, service name is used as default label) 450 .It Fl s Ar service 451 Specify service name (required) 452 .It Fl p Ar password 453 Specify password to be added (legacy option, equivalent to 454 .Fl w Ns 455 \&) 456 .It Fl w Ar password 457 Specify password to be added. Put at end of command to be prompted (recommended) 458 .It Fl A 459 Allow any application to access this item without warning (insecure, not recommended!) 460 .It Fl T Ar appPath 461 Specify an application which may access this item (multiple 462 .Fl T Ns 463 \& options are allowed) 464 .It Fl U 465 Update item if it already exists (if omitted, the item cannot already exist) 466 .It Fl X Ar password 467 Specify password data to be added as a hexadecimal string 468 .El 469 .It 470 .Bl -item 471 By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname: 472 .Fl T Ns 473 \& "". If no keychain is specified, the password is added to the default keychain. 474 .El 475 .El 476 .It 477 .Nm add-internet-password 478 .Op Fl h 479 .Op Fl a Ar account 480 .Op Fl s Ar server 481 .Op Fl w Ar password 482 .Op Ar options... 483 .Op Ar keychain 484 .Bl -item -offset -indent 485 Add an internet password item. 
486 .It 487 .Bl -tag -compact -width -indent-indent 488 .It Fl a Ar account 489 Specify account name (required) 490 .It Fl c Ar creator 491 Specify item creator (optional four-character code) 492 .It Fl C Ar type 493 Specify item type (optional four-character code) 494 .It Fl d Ar domain 495 Specify security domain string (optional) 496 .It Fl D Ar kind 497 Specify kind (default is "application password") 498 .It Fl j Ar comment 499 Specify comment string (optional) 500 .It Fl l Ar label 501 Specify label (if omitted, service name is used as default label) 502 .It Fl p Ar path 503 Specify path string (optional) 504 .It Fl P Ar port 505 Specify port number (optional) 506 .It Fl r Ar protocol 507 Specify protocol (optional four-character SecProtocolType, e.g. "http", "ftp ") 508 .It Fl s Ar server 509 Specify server name (required) 510 .It Fl t Ar authenticationType 511 Specify authentication type (as a four-character SecAuthenticationType, default is "dflt") 512 .It Fl w Ar password 513 Specify password to be added. Put at end of command to be prompted (recommended) 514 .It Fl A 515 Allow any application to access this item without warning (insecure, not recommended!) 516 .It Fl T Ar appPath 517 Specify an application which may access this item (multiple 518 .Fl T Ns 519 \& options are allowed) 520 .It Fl U 521 Update item if it already exists (if omitted, the item cannot already exist) 522 .It Fl X Ar password 523 Specify password data to be added as a hexadecimal string 524 .El 525 .It 526 .Bl -item 527 By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname: 528 .Fl T Ns 529 \& "". If no keychain is specified, the password is added to the default keychain. 530 .El 531 .El 532 .It 533 .Nm add-certificates 534 .Op Fl h 535 .Op Fl k Ar keychain 536 .Ar file... 
537 .Bl -item -offset -indent 538 Add certficates contained in the specified 539 .Ar files 540 to the default keychain. The files must contain one DER encoded X509 certificate each. 541 .Bl -tag -compact -width -indent-indent 542 .It Fl k Ar keychain 543 Use 544 .Ar keychain 545 rather than the default keychain. 546 .El 547 .El 548 .It 549 .Nm find-generic-password 550 .Op Fl h 551 .Op Fl a Ar account 552 .Op Fl s Ar service 553 .Op Fl Ar options... 554 .Op Fl g 555 .Op Fl Ar keychain... 556 .Bl -item -offset -indent 557 Find a generic password item. 558 .It 559 .Bl -tag -compact -width -indent-indent 560 .It Fl a Ar account 561 Match account string 562 .It Fl c Ar creator 563 Match creator (four-character code) 564 .It Fl C Ar type 565 Match type (four-character code) 566 .It Fl D Ar kind 567 Match kind string 568 .It Fl G Ar value 569 Match value string (generic attribute) 570 .It Fl j Ar comment 571 Match comment string 572 .It Fl l Ar label 573 Match label string 574 .It Fl s Ar service 575 Match service string 576 .It Fl g 577 Display the password for the item found 578 .It Fl w 579 Display the password(only) for the item found 580 .El 581 .El 582 .It 583 .Nm delete-generic-password 584 .Op Fl h 585 .Op Fl a Ar account 586 .Op Fl s Ar service 587 .Op Fl Ar options... 588 .Op Fl Ar keychain... 589 .Bl -item -offset -indent 590 Delete a generic password item. 591 .It 592 .Bl -tag -compact -width -indent-indent 593 .It Fl a Ar account 594 Match account string 595 .It Fl c Ar creator 596 Match creator (four-character code) 597 .It Fl C Ar type 598 Match type (four-character code) 599 .It Fl D Ar kind 600 Match kind string 601 .It Fl G Ar value 602 Match value string (generic attribute) 603 .It Fl j Ar comment 604 Match comment string 605 .It Fl l Ar label 606 Match label string 607 .It Fl s Ar service 608 Match service string 609 .El 610 .El 611 .It 612 .Nm delete-internet-password 613 .Op Fl h 614 .Op Fl a Ar account 615 .Op Fl s Ar server 616 .Op Ar options... 
617 .Op Ar keychain... 618 .Bl -item -offset -indent 619 Delete an internet password item. 620 .It 621 .Bl -tag -compact -width -indent-indent 622 .It Fl a Ar account 623 Match account string 624 .It Fl c Ar creator 625 Match creator (four-character code) 626 .It Fl C Ar type 627 Match type (four-character code) 628 .It Fl d Ar securityDomain 629 Match securityDomain string 630 .It Fl D Ar kind 631 Match kind string 632 .It Fl j Ar comment 633 Match comment string 634 .It Fl l Ar label 635 Match label string 636 .It Fl p Ar path 637 Match path string 638 .It Fl P Ar port 639 Match port number 640 .It Fl r Ar protocol 641 Match protocol (four-character code) 642 .It Fl s Ar server 643 Match server string 644 .It Fl t Ar authenticationType 645 Match authenticationType (four-character code) 646 .El 647 .El 648 .It 649 .Nm find-internet-password 650 .Op Fl h 651 .Op Fl a Ar account 652 .Op Fl s Ar server 653 .Op Ar options... 654 .Op Fl g 655 .Op Ar keychain... 656 .Bl -item -offset -indent 657 Find an internet password item. 658 .It 659 .Bl -tag -compact -width -indent-indent 660 .It Fl a Ar account 661 Match account string 662 .It Fl c Ar creator 663 Match creator (four-character code) 664 .It Fl C Ar type 665 Match type (four-character code) 666 .It Fl d Ar securityDomain 667 Match securityDomain string 668 .It Fl D Ar kind 669 Match kind string 670 .It Fl j Ar comment 671 Match comment string 672 .It Fl l Ar label 673 Match label string 674 .It Fl p Ar path 675 Match path string 676 .It Fl P Ar port 677 Match port number 678 .It Fl r Ar protocol 679 Match protocol (four-character code) 680 .It Fl s Ar server 681 Match server string 682 .It Fl t Ar authenticationType 683 Match authenticationType (four-character code) 684 .It Fl g 685 Display the password for the item found 686 .It Fl w 687 Display the password(only) for the item found 688 .El 689 .El 690 .It 691 .Nm find-key 692 .Op Ar options... 693 .Op Ar keychain... 
694 .Bl -item -offset -indent 695 Search the keychain for keys. 696 .It 697 .Bl -tag -compact -width -indent-indent 698 .It Fl a Ar application-label 699 Match "application label" string 700 .It Fl c Ar creator 701 Match creator (four-character code) 702 .It Fl d 703 Match keys that can decrypt 704 .It Fl D Ar description 705 Match "description" string 706 .It Fl e 707 Match keys that can encrypt 708 .It Fl j Ar comment 709 Match comment string 710 .It Fl l Ar label 711 Match label string 712 .It Fl r 713 Match keys that can derive 714 .It Fl s 715 Match keys that can sign 716 .It Fl t Ar type 717 Type of key to find: one of "symmetric", "public", or "private" 718 .It Fl u 719 Match keys that can unwrap 720 .It Fl v 721 Match keys that can verify 722 .It Fl w 723 Match keys that can wrap 724 .El 725 .El 726 .It 727 .Nm set-generic-password-partition-list 728 .Op Fl a Ar account 729 .Op Fl s Ar service 730 .Op Fl S Ar <partition list (comma separated)> 731 .Op Fl k Ar <keychain password> 732 .Op Ar options... 733 .Op Ar keychain 734 .Bl -item -offset -indent 735 Sets the "partition list" for a generic password. The "partition list" is an extra parameter in the ACL which limits access to the item based on an application's code signature. You must present the keychain's password to change a partition list. 736 .It 737 .Bl -tag -compact -width -indent-indent 738 .It Fl S Ar partition-list 739 Comma-separated partition list. See output of "security dump-keychain" for examples. 
740 .It Fl k Ar password 741 Password for keychain 742 .It Fl a Ar account 743 Match account string 744 .It Fl c Ar creator 745 Match creator (four-character code) 746 .It Fl C Ar type 747 Match type (four-character code) 748 .It Fl D Ar kind 749 Match kind string 750 .It Fl G Ar value 751 Match value string (generic attribute) 752 .It Fl j Ar comment 753 Match comment string 754 .It Fl l Ar label 755 Match label string 756 .It Fl s Ar service 757 Match service string 758 .El 759 .El 760 .It 761 .Nm set-internet-password-partition-list 762 .Op Fl a Ar account 763 .Op Fl s Ar server 764 .Op Fl S Ar <partition list (comma separated)> 765 .Op Fl k Ar <keychain password> 766 .Op Ar options... 767 .Op Ar keychain 768 .Bl -item -offset -indent 769 Sets the "partition list" for an internet password. The "partition list" is an extra parameter in the ACL which limits access to the item based on an application's code signature. You must present the keychain's password to change a partition list. 770 .It 771 .Bl -tag -compact -width -indent-indent 772 .It Fl S Ar partition-list 773 Comma-separated partition list. See output of "security dump-keychain" for examples. 
774 .It Fl k Ar password 775 Password for keychain 776 .It Fl a Ar account 777 Match account string 778 .It Fl c Ar creator 779 Match creator (four-character code) 780 .It Fl C Ar type 781 Match type (four-character code) 782 .It Fl d Ar securityDomain 783 Match securityDomain string 784 .It Fl D Ar kind 785 Match kind string 786 .It Fl j Ar comment 787 Match comment string 788 .It Fl l Ar label 789 Match label string 790 .It Fl p Ar path 791 Match path string 792 .It Fl P Ar port 793 Match port number 794 .It Fl r Ar protocol 795 Match protocol (four-character code) 796 .It Fl s Ar server 797 Match server string 798 .It Fl t Ar authenticationType 799 Match authenticationType (four-character code) 800 .El 801 .El 802 .It 803 .Nm set-key-partition-list 804 .Op Fl S Ar <partition list (comma separated)> 805 .Op Fl k Ar <keychain password> 806 .Op Ar options... 807 .Op Ar keychain 808 .Bl -item -offset -indent 809 Sets the "partition list" for a key. The "partition list" is an extra parameter in the ACL which limits access to the key based on an application's code signature. You must present the keychain's password to change a partition list. If you'd like to run /usr/bin/codesign with the key, "apple:" must be an element of the partition list. 810 .It 811 .Bl -tag -compact -width -indent-indent 812 .It Fl S Ar partition-list 813 Comma-separated partition list. See output of "security dump-keychain" for examples. 
814 .It Fl k Ar password 815 Password for keychain 816 .It Fl a Ar application-label 817 Match "application label" string 818 .It Fl c Ar creator 819 Match creator (four-character code) 820 .It Fl d 821 Match keys that can decrypt 822 .It Fl D Ar description 823 Match "description" string 824 .It Fl e 825 Match keys that can encrypt 826 .It Fl j Ar comment 827 Match comment string 828 .It Fl l Ar label 829 Match label string 830 .It Fl r 831 Match keys that can derive 832 .It Fl s 833 Match keys that can sign 834 .It Fl t Ar type 835 Type of key to find: one of "symmetric", "public", or "private" 836 .It Fl u 837 Match keys that can unwrap 838 .It Fl v 839 Match keys that can verify 840 .It Fl w 841 Match keys that can wrap 842 .El 843 .El 844 .It 845 .Nm find-certificate 846 .Op Fl h 847 .Op Fl a 848 .Op Fl c Ar name 849 .Op Fl e Ar emailAddress 850 .Op Fl m 851 .Op Fl p 852 .Op Fl Z 853 .Op Ar keychain... 854 .Bl -item -offset -indent 855 Find a certificate item. If no 856 .Ar keychain Ns 857 \& arguments are provided, the default search list is used. 858 .It 859 Options: 860 .Bl -tag -compact -width -indent-indent 861 .It Fl a 862 Find all matching certificates, not just the first one 863 .It Fl c Ar name 864 Match on 865 .Ar name Ns 866 \& when searching (optional) 867 .It Fl e Ar emailAddress 868 Match on 869 .Ar emailAddress Ns 870 \& when searching (optional) 871 .It Fl m 872 Show the email addresses in the certificate 873 .It Fl p 874 Output certificate in pem format. Default is to dump the attributes and keychain the cert is in. 875 .It Fl Z 876 Print SHA-256 (and SHA-1) hash of the certificate 877 .El 878 .It 879 .Sy Examples 880 .Bl -tag -width -indent 881 .It security> find-certificate -a -p > allcerts.pem 882 Exports all certificates from all keychains into a pem file called allcerts.pem. 
883 .It security> find-certificate -a -e me@foo.com -p > certs.pem 884 Exports all certificates from all keychains with the email address 885 me@foo.com into a pem file called certs.pem. 886 .It security> find-certificate -a -c MyName -Z login.keychain | grep ^SHA-256 887 Print the SHA-256 hash of every certificate in 'login.keychain' whose common name includes 'MyName' 888 .El 889 .El 890 .It 891 .Nm find-identity 892 .Op Fl h 893 .Op Fl p Ar policy 894 .Op Fl s Ar string 895 .Op Fl v 896 .Op Ar keychain... 897 .Bl -item -offset -indent 898 Find an identity (certificate + private key) satisfying a given policy. If no 899 .Ar policy Ns 900 \& arguments are provided, the X.509 basic policy is assumed. If no 901 .Ar keychain Ns 902 \& arguments are provided, the default search list is used. 903 .It 904 Options: 905 .Bl -tag -compact -width -indent-indent 906 .It Fl p Ar policy 907 Specify 908 .Ar policy Ns 909 \& to evaluate (multiple -p options are allowed). Supported policies: 910 basic, ssl-client, ssl-server, smime, eap, ipsec, ichat, codesigning, 911 sys-default, sys-kerberos-kdc 912 .It Fl s Ar string 913 Specify optional policy-specific 914 .Ar string Ns 915 \& (e.g. a DNS hostname for SSL, or RFC822 email address for S/MIME) 916 .It Fl v 917 Show valid identities only (default is to show all identities) 918 .El 919 .It 920 .Sy Examples 921 .Bl -tag -width -indent 922 .It security> find-identity -v -p ssl-client 923 Display valid identities that can be used for SSL client authentication 924 .It security> find-identity -p ssl-server -s www.domain.com 925 Display identities for a SSL server running on the host 'www.domain.com' 926 .It security> find-identity -p smime -s user@domain.com 927 Display identities that can be used to sign a message from 'user@domain.com' 928 .El 929 .El 930 .It 931 .Nm delete-certificate 932 .Op Fl h 933 .Op Fl c Ar name 934 .Op Fl Z Ar hash 935 .Op Fl t 936 .Op Ar keychain... 
937 .Bl -item -offset -indent 938 Delete a certificate from a keychain. If no 939 .Ar keychain Ns 940 \& arguments are provided, the default search list is used. 941 .It 942 .Bl -tag -compact -width -indent-indent 943 .It Fl c Ar name 944 Specify certificate to delete by its common name 945 .It Fl Z Ar hash 946 Specify certificate to delete by its SHA-256 (or SHA-1) hash 947 .It Fl t 948 Also delete user trust settings for this certificate 949 .El 950 .It 951 The certificate to be deleted must be uniquely specified either by a 952 string found in its common name, or by its SHA-256 (or SHA-1) hash. 953 .El 954 .It 955 .Nm delete-identity 956 .Op Fl h 957 .Op Fl c Ar name 958 .Op Fl Z Ar hash 959 .Op Fl t 960 .Op Ar keychain... 961 .Bl -item -offset -indent 962 Delete a certificate and its private key from a keychain. If no 963 .Ar keychain Ns 964 \& arguments are provided, the default search list is used. 965 .It 966 .Bl -tag -compact -width -indent-indent 967 .It Fl c Ar name 968 Specify certificate to delete by its common name 969 .It Fl Z Ar hash 970 Specify certificate to delete by its SHA-256 (or SHA-1) hash 971 .It Fl t 972 Also delete user trust settings for this identity certificate 973 .El 974 .It 975 The identity to be deleted must be uniquely specified either by a 976 string found in its common name, or by its SHA-256 (or SHA-1) hash. 977 .El 978 .It 979 .Nm set-identity-preference 980 .Op Fl h 981 .Op Fl n 982 .Op Fl c Ar identity 983 .Op Fl s Ar service 984 .Op Fl u Ar keyUsage 985 .Op Fl Z Ar hash 986 .Op Ar keychain... 987 .Bl -item -offset -indent 988 Set the preferred identity to use for a service. 
989 .It 990 .Bl -tag -compact -width -indent-indent 991 .It Fl n 992 Specify no identity (clears existing preference for the given service) 993 .It Fl c Ar identity 994 Specify identity by common name of the certificate 995 .It Fl s Ar service 996 Specify service (may be a URL, RFC822 email address, DNS host, or other name) for which this identity is to be preferred 997 .It Fl u Ar keyUsage 998 Specify key usage (optional) 999 .It Fl Z Ar hash 1000 Specify identity by SHA-256 (or SHA-1) hash of certificate (optional) 1001 .El 1002 .It 1003 The identity is located by searching the specified keychain(s) for a certificate whose common name contains 1004 the given identity string. If no keychains are specified to search, the default search list is used. Different 1005 identity preferences can be set for individual key usages. You can differentiate between two identities which contain 1006 the same string by providing a SHA-256 (or SHA-1) hash of the certificate in addition to, or instead of, the name. 1007 .It 1008 .Sy PARTIAL PATHS AND WILDCARDS 1009 .It 1010 Prior to 10.5.4, identity preferences for SSL/TLS client authentication could only be set on a per-URL basis. The 1011 URL being visited had to match the service name exactly for the preference to be in effect. 1012 .It 1013 In 10.5.4, it became possible to specify identity preferences on a per-server basis, by using 1014 a service name with a partial path URL to match more specific paths on the same server. For 1015 example, if an identity preference for "https://www.apache-ssl.org/" exists, it will be in effect for 1016 "https://www.apache-ssl.org/cgi/cert-export", and so on. Note that partial path URLs must end with a trailing 1017 slash character. 1018 .It 1019 Starting with 10.6, it is possible to specify identity preferences on a per-domain 1020 basis, by using the wildcard character '*' as the leftmost component of the service name. 
Unlike SSL wildcards, 1021 an identity preference wildcard can match more than one subdomain. For example, an identity preference for 1022 the name "*.army.mil" will match "server1.subdomain1.army.mil" or "server2.subdomain2.army.mil". Likewise, 1023 a preference for "*.mil" will match both "server.army.mil" and "server.navy.mil". 1024 .It 1025 .Sy KEY USAGE CODES 1026 .It 1027 .Bl -tag -width -indent 1028 0 - preference is in effect for all possible key usages (default) 1029 1 - encryption only 1030 2 - decryption only 1031 4 - signing only 1032 8 - signature verification only 1033 16 - signing with message recovery only 1034 32 - signature verification with message recovery only 1035 64 - key wrapping only 1036 128 - key unwrapping only 1037 256 - key derivation only 1038 .It To specify more than one usage, add values together. 1039 .El 1040 .El 1041 .It 1042 .Nm get-identity-preference 1043 .Op Fl h 1044 .Op Fl s Ar service 1045 .Op Fl u Ar keyUsage 1046 .Op Fl p 1047 .Op Fl c 1048 .Op Fl Z 1049 .Bl -item -offset -indent 1050 Get the preferred identity to use for a service. 1051 .It 1052 .Bl -tag -compact -width -indent-indent 1053 .It Fl s Ar service 1054 Specify service (may be a URL, RFC822 email address, DNS host, or other name) 1055 .It Fl u Ar keyUsage 1056 Specify key usage (optional) 1057 .It Fl p 1058 Output identity certificate in pem format 1059 .It Fl c 1060 Print common name of the preferred identity certificate 1061 .It Fl Z 1062 Print SHA-256 (and SHA-1) hash of the preferred identity certificate 1063 .El 1064 .El 1065 .It 1066 .Nm create-db 1067 .Op Fl aho0 1068 .Op Fl g Ar dl Ns | Ns Ar cspdl 1069 .Op Fl m Ar mode 1070 .Op Ar name 1071 .Bl -item -offset -indent 1072 Create a db using the DL. If 1073 .Ar name 1074 isn't provided 1075 .Nm 1076 will prompt the user to type a name. 
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl a
Turn off autocommit
.It Fl g Ar dl Ns | Ns Ar cspdl
Use the AppleDL (default) or AppleCspDL
.It Fl m Ar mode
Set the file permissions to
.Ar mode Ns
\&.
.It Fl o
Force using openparams argument
.It Fl 0
Force using version 0 openparams
.El
.It
.Sy Examples
.Bl -tag -width -indent
.It security> create-db -m 0644 test.db
.It security> create-db -g cspdl -a test2.db
.El
.\"new import/export commands.
.El
.It
.Nm export
.Op Fl k Ar keychain
.Op Fl t Ar type
.Op Fl f Ar format
.Op Fl w
.Op Fl p
.Op Fl P Ar passphrase
.Op Fl o Ar outfile
.Bl -item -offset -indent
Export one or more items from a keychain to one of a number of external representations. If
.Ar keychain
isn't provided, items will be exported from the user's default keychain.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl k Ar keychain
Specify keychain from which item(s) will be exported.
.It Fl t Ar type
Specify the type of items to export. Possible types are certs, allKeys, pubKeys, privKeys, identities, and all. The default is all. An identity consists of both a certificate and the corresponding private key.
.It Fl f Ar format
Specify the format of the exported data. Possible formats are openssl, bsafe, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The default is pemseq if more than one item is being exported. The default is openssl if one key is being exported. The default is x509 if one certificate is being exported.
.It Fl w
Specifies that private keys are to be wrapped on export.
.It Fl p
Specifies that PEM armour is to be applied to the output data.
.It Fl P Ar passphrase
Specify the wrapping passphrase immediately.
The default is to obtain a secure passphrase via GUI.
.It Fl o Ar outfile
Write the output data to
.Ar outfile Ns
\&. Default is to write data to stdout.
.El
.It
.Sy Examples
.Bl -tag -width -indent
.It security> export -k login.keychain -t certs -o /tmp/certs.pem
.It security> export -k newcert.keychain -t identities -f pkcs12 -o /tmp/mycerts.p12
.El
.\"marker.
.El
.It
.Nm import
.Ar inputfile
.Op Fl k Ar keychain
.Op Fl t Ar type
.Op Fl f Ar format
.Op Fl w
.Op Fl P Ar passphrase
.Op Ar options...
.Bl -item -offset -indent
Import one or more items from
.Ar inputfile Ns
\& into a keychain. If
.Ar keychain
isn't provided, items will be imported into the user's default keychain.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl k Ar keychain
Specify keychain into which item(s) will be imported.
.It Fl t Ar type
Specify the type of items to import. Possible types are cert, pub, priv, session, and agg. Pub, priv, and session refer to keys; agg is one of the aggregate types (pkcs12 and PEM sequence). The command can often figure out what item_type an item contains based on the filename and/or item_format.
.It Fl f Ar format
Specify the format of the imported data. Possible formats are openssl, bsafe, raw, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The command can often figure out what format an item is in based on the filename and/or item_type.
.It Fl w
Specify that private keys are wrapped and must be unwrapped on import.
.It Fl x
Specify that private keys are non-extractable after being imported.
.It Fl P Ar passphrase
Specify the unwrapping passphrase immediately. The default is to obtain a secure passphrase via GUI.
.It Fl a Ar attrName Ar attrValue
Specify optional extended attribute name and value.
Can be used multiple times. This is only valid when importing keys.
.It Fl A
Allow any application to access the imported key without warning (insecure, not recommended!)
.It Fl T Ar appPath
Specify an application which may access the imported key (multiple
.Fl T Ns
\& options are allowed)
.El
.It
.Sy Examples
.Bl -tag -width -indent
.It security> import /tmp/certs.pem -k
.It security> import /tmp/mycerts.p12 -t agg -k newcert.keychain
.It security> import /tmp/mycerts.p12 -f pkcs12 -k newcert.keychain
.El
.\"end of new import/export commands.
.El
.It
.Nm cms
.Op Fl C Ns | Ns Fl D Ns | Ns Fl E Ns | Ns Fl S
.Op Ar options...
.Bl -item -offset -indent
Encode or decode CMS messages.
.Bl -tag -compact -width -indent-indent
.It Fl C
create a CMS encrypted message
.It Fl D
decode a CMS message
.It Fl E
create a CMS enveloped message
.It Fl S
create a CMS signed message
.El
.It
Decoding options:
.Bl -tag -compact -width -indent-indent
.It Fl c Ar content
use this detached content file
.It Fl h Ar level
generate email headers with info about CMS message (output
.Ar level Ns
\& >= 0)
.It Fl n
suppress output of content
.El
.It
Encoding options:
.Bl -tag -compact -width -indent-indent
.It Fl r Ar id,...
create envelope for comma-delimited list of recipients, where id can be a certificate nickname or email address
.It Fl G
include a signing time attribute
.It Fl H Ar hash
hash = MD2|MD4|MD5|SHA1|SHA256|SHA384|SHA512 (default: SHA1)
.It Fl N Ar nick
use certificate named "nick" for signing
.It Fl P
include an SMIMECapabilities attribute
.It Fl T
do not include content in CMS message
.It Fl Y Ar nick
include an EncryptionKeyPreference attribute with certificate (use "NONE" to omit)
.It Fl Z Ar hash
find a certificate by subject key ID
.El
.It
Common options:
.Bl -tag -compact -width -indent-indent
.It Fl e Ar envelope
specify envelope file (valid with
.Fl D Ns
\& or
.Fl E Ns
\&)
.It Fl k Ar keychain
specify keychain to use
.It Fl i Ar infile
use infile as source of data (default: stdin)
.It Fl o Ar outfile
use outfile as destination of data (default: stdout)
.It Fl p Ar password
use password as key db password (default: prompt)
.It Fl s
pass data a single byte at a time to CMS
.It Fl u Ar certusage
set type of certificate usage (default: certUsageEmailSigner)
.It Fl v
print debugging information
.El
.It
Cert usage codes:
.Bd -literal -compact
0 - certUsageSSLClient
1 - certUsageSSLServer
2 - certUsageSSLServerWithStepUp
3 - certUsageSSLCA
4 - certUsageEmailSigner
5 - certUsageEmailRecipient
6 - certUsageObjectSigner
7 - certUsageUserCertImport
8 - certUsageVerifyCA
9 - certUsageProtectedObjectSigner
10 - certUsageStatusResponder
11 - certUsageAnyCA
.Ed
.El
.It
.Nm install-mds
.Bl -item -offset -indent
Install (or re-install) the Module Directory Services (MDS) database. This is a system tool which is not normally used by users. There are no options.
.El
.It
.Nm add-trusted-cert
.Op Fl d
.Op Fl r Ar resultType
.Op Fl p Ar policy
.Op Fl a Ar appPath
.Op Fl s Ar policyString
.Op Fl e Ar allowedError
.Op Fl u Ar keyUsage
.Op Fl k Ar keychain
.Op Fl i Ar settingsFileIn
.Op Fl o Ar settingsFileOut
.Ar certFile
.Bl -item -offset -indent
Add certificate (in DER or PEM format) from
.Ar certFile Ns
\& to per-user or local Admin Trust Settings. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl d
Add to admin cert store; default is user.
.It Fl r Ar resultType
resultType = trustRoot|trustAsRoot|deny|unspecified; default is trustRoot.
.It Fl p Ar policy
Specify policy constraint (ssl, smime, codeSign, IPSec, basic, swUpdate, pkgSign, eap, macappstore, appleID, timestamping).
.It Fl a Ar appPath
Specify application constraint.
.It Fl s Ar policyString
Specify policy-specific string.
.It Fl e Ar allowedError
Specify allowed error (an integer value, or one of: certExpired, hostnameMismatch)
.It Fl u Ar keyUsage
Specify key usage, an integer.
.It Fl k Ar keychain
Specify keychain to which cert is added.
.It Fl i Ar settingsFileIn
Input trust settings file; default is user domain.
.It Fl o Ar settingsFileOut
Output trust settings file; default is user domain.
.El
.It
.Sy Key usage codes:
.Bd -literal -compact
-1 - Any
1 - Sign
2 - Encrypt/Decrypt Data
4 - Encrypt/Decrypt Key
8 - Sign certificate
16 - Sign revocation
32 - Key exchange
.Ed
To specify more than one usage, add values together (except -1 - Any).
.It
.Sy Examples
.Bl -tag -width -indent
.It security> add-trusted-cert /tmp/cert.der
.It security> add-trusted-cert -d /tmp/cert.der
.El
.\"marker.
.El
.It
.Nm remove-trusted-cert
.Op Fl d
.Ar certFile
.Bl -item -offset -indent
Remove certificate (in DER or PEM format) in
.Ar certFile Ns
\& from per-user or local Admin Trust Settings. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl d
Remove from admin cert store; default is user.
.El
.\"marker.
.El
.It
.Nm dump-trust-settings
.Op Fl s
.Op Fl d
.Bl -item -offset -indent
Display Trust Settings.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl s
Display trusted system certs; default is user.
.It Fl d
Display trusted admin certs; default is user.
.El
.\"marker.
.El
.It
.Nm user-trust-settings-enable
.Op Fl d
.Op Fl e
.Bl -item -offset -indent
Display or manipulate user-level Trust Settings. With no arguments, shows whether user-level Trust Settings are currently enabled. Otherwise enables or disables user-level Trust Settings.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl d
Disable user-level Trust Settings.
.It Fl e
Enable user-level Trust Settings.
.El
.\"marker.
.El
.It
.Nm trust-settings-export
.Op Fl s
.Op Fl d
.Ar settings_file
.Bl -item -offset -indent
Export Trust Settings to the specified file.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl s
Export system Trust Settings; default is user.
.It Fl d
Export admin Trust Settings; default is user.
.El
.\"marker.
.El
.It
.Nm trust-settings-import
.Op Fl d
.Ar settings_file
.Bl -item -offset -indent
Import Trust Settings from the specified file. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl d
Import admin Trust Settings; default is user.
.El
.\"marker.
.El
.It
.Nm verify-cert
.Op Fl c Ar certFile
.Op Fl r Ar rootCertFile
.Op Fl p Ar policy
.Op Fl C
.Op Fl d Ar date
.Op Fl k Ar keychain
.Op Fl n Ar name
.Op Fl N
.Op Fl L
.Op Fl l
.Op Fl e Ar emailAddress
.Op Fl s Ar sslHost
.Op Fl q
.Op Fl R Ar revCheckOption
.Op Fl P
.Op Fl t
.Op Fl v
.Op Ar url
.Bl -item -offset -indent
Verify one or more certificates. If a direct URL argument is provided, a TLS connection is attempted and the certificate presented by that server is evaluated according to standard SSL server policy; other certificates or policy options will be ignored in this case.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl c Ar certFile
Certificate to verify, in DER or PEM format. Can be specified more than once; leaf certificate has to be specified first.
.It Fl r Ar rootCertFile
Root certificate, in DER or PEM format. Can be specified more than once. If not specified, the system anchor certificates are used. If one root certificate is specified, and zero (non-root) certificates are specified, the root certificate is verified against itself.
.It Fl p Ar policy
Specify verification policy (ssl, smime, codeSign, IPSec, basic, swUpdate, pkgSign, eap, appleID, macappstore, timestamping). Default is basic.
.It Fl C
Specify that this evaluation is for client usage, if the verification policy (e.g. ssl) distinguishes between client and server usage. Default is server usage.
.It Fl d Ar date
Date to set for verification, in the format YYYY-MM-DD-hh:mm:ss (time optional), e.g. 2016-04-25-15:59:59 for April 25, 2016 at 3:59:59 pm GMT.
.It Fl k Ar keychain
Keychain to search for intermediate CA certificates. Can be specified multiple times. Default is the current user's keychain search list.
.It Fl n Ar name
Specify a name to be verified, e.g. the SSL host name for the ssl policy, or RFC822 email address for the smime policy. For backward compatibility, if the -n option is provided without an argument, it will be interpreted as equivalent to -N.
.It Fl N
Avoid searching any keychains.
.It Fl L
Use local certificates only. If an issuing CA certificate is missing, this option will avoid accessing the network to fetch it.
.It Fl l
Specifies that the leaf certificate is a CA cert. By default, a leaf certificate with a Basic Constraints extension with the CA bit set fails verification.
.It Fl e Ar emailAddress
Specify email address for the smime policy. (This option is deprecated; use -n instead.)
.It Fl s Ar sslHost
Specify SSL host name for the ssl policy. (This option is deprecated; use -n instead.)
.It Fl q
Quiet, no stdout or stderr.
.It Fl R Ar revCheckOption
Specify a revocation checking option for this evaluation (ocsp, crl, require, offline). Can be specified multiple times; e.g. to enable revocation checking via either OCSP or CRL methods and require a positive response, use "-R ocsp -R crl -R require".
The offline option will consult previously cached responses, but will not make a request to a revocation server.
.It Fl P
Output the constructed certificate chain in PEM format.
.It Fl t
Output certificate contents as text.
.It Fl v
Specify verbose output, including per-certificate trust results.
.El
.It
.Sy Examples
.Bl -tag -width -indent
.It security> verify-cert -c applestore0.cer -c applestore1.cer -p ssl -n store.apple.com
.It security> verify-cert -r serverbasic.crt
.It security> verify-cert -v https://www.apple.com
.El
.\"marker.
.El
.It
.Nm authorize
.Op Fl updPliew
.Op Ar right...
.Bl -item -offset -indent
Authorize requested right(s). The extend-rights flag will be passed by default.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl u
Allow user interaction.
.It Fl p
Allow returning partial rights.
.It Fl d
Destroy acquired rights.
.It Fl P
Pre-authorize rights only.
.It Fl l
Operate authorization in least privileged mode.
.It Fl i
Internalize authref passed on stdin.
.It Fl e
Externalize authref to stdout.
.It Fl w
Wait while holding the AuthorizationRef until stdout is closed. This allows the client to read the externalized AuthorizationRef from the pipe.
.El
.It
.Sy Examples
.Bl -tag -width -indent
.It security> security authorize -ud my-right
Basic authorization of my-right.
.It security> security -q authorize -uew my-right | security -q authorize -i my-right
Authorizing a right and passing it to another command as a way to add authorization to shell scripts.
.El
.El
.It
.Nm authorizationdb
.Ar read <right-name>
.It
.Nm authorizationdb
.Ar write <right-name> [allow|deny|<rulename>]
.It
.Nm authorizationdb
.Ar remove <right-name>
.Bl -item -offset -indent
Read or modify the authorization policy database. Without a rulename, write reads a dictionary as a plist from stdin.
.It
.Sy Examples
.Bl -tag -width -indent
.It security> security authorizationdb read system.privilege.admin > /tmp/aewp-def
Read definition of system.privilege.admin right.
.It security> security authorizationdb write system.preferences < /tmp/aewp-def
Set system.preferences to definition of system.privilege.admin right.
.It security> security authorizationdb write system.preferences authenticate-admin
Every change to preferences requires an Admin user to authenticate.
.El
.El
.It
.Nm execute-with-privileges
.Ar <program>
.Op Ar args...
.Bl -item -offset -indent
Execute tool with privileges.
On success stdin will be read and forwarded to the tool.
.El
.It
.Nm leaks
.Op Fl h
.Op Fl cycles
.Op Fl nocontext
.Op Fl nostacks
.Op Fl exclude Ar symbol
.Bl -item -offset -indent
Run
.Li /usr/bin/leaks
on this process. This can help find memory leaks after running
certain commands.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl cycles
Use a stricter algorithm (See
.Xr leaks 1
for details).
.It Fl nocontext
Withhold the hex dumps of the leaked memory.
.It Fl nostacks
Don't show stack traces of leaked memory.
.It Fl exclude Ar symbol
Ignore leaks called from
.Ar symbol Ns .
.El
.El
.It
.Nm smartcards
.Ar token
.Op Fl l
.Op Fl e Ar token
.Op Fl d Ar token
.Bl -item -offset -indent
Enable, disable or list disabled smartcard tokens.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl l
List disabled smartcard tokens.
.It Fl e Ar token
Enable smartcard token.
.It Fl d Ar token
Disable smartcard token.
.El
.It
.Sy To list tokens available in the system
.It
.Bl -tag -compact -width -indent
.It pluginkit -m -p com.apple.ctk-tokens
.El
.It
.Sy Examples
.It
.Bl -tag -compact -width -indent
.It security smartcards token -l
.It security smartcards token -d com.apple.CryptoTokenKit.pivtoken
.It security smartcards token -e com.apple.CryptoTokenKit.pivtoken
.El
.El
.It
.Nm list-smartcards
.Bl -item -offset -indent
Display
.Ar id Ns
s of available smartcards.
.El
.It
.Nm export-smartcard
.Ar token
.Op Fl i Ar id
.Op Fl t Ar certs Ns | Ns Ar privKeys Ns | Ns Ar identities Ns | Ns Ar all
.Op Fl e Ar exportPath
.Bl -item -offset -indent
Export/display items from a smartcard. If
.Ar id
isn't provided, items from all smartcards will be displayed.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl i Ar id
Export/display items from token specified by token
.Ar id Ns
, available
.Ar id Ns
s can be listed by the list-smartcards command.
.It Fl t Ar certs Ns | Ns Ar privKeys Ns | Ns Ar identities Ns | Ns Ar all
Display items of the specified type (Default:
.Ar all Ns
)
.It Fl e Ar exportPath
Specify path to export certificates and public keys. If
.Ar exportPath
is specified, screen output is suppressed. This option cannot be combined with the -t option.
.El
.El
.It
.Nm error
.Op Fl h
.Op Ar <error code(s)...>
.Bl -item -offset -indent
Display an error string for the given security-related error code.
The error can be in decimal or hex, e.g. 1234 or 0x1234. Multiple
errors can be separated by spaces.
.El
.El
.El
.Sh ENVIRONMENT \" May not be needed
.Bl -tag -width -indent
.It Ev MallocStackLogging
When using the
.Nm leaks
command or the
.Fl l
option, set this environment variable before
.Nm
is started. Doing so allows leaks to display symbolic backtraces.
.El
.Sh FILES
.Bl -tag -width -indent
.It Pa ~/Library/Preferences/com.apple.security.plist
.Pp
Property list file containing the current user's default keychain and keychain search list.
.It Pa /Library/Preferences/com.apple.security.plist
.Pp
Property list file containing the system default keychain and keychain search list. This is used by processes started at boot time, or those requesting to use the system search domain, such as system daemons.
.It Pa /Library/Preferences/com.apple.security-common.plist
.Pp
Property list file containing the common keychain search list, which is appended to every user's search list and to the system search list.
.El
.Sh SEE ALSO
.\" List links in ascending order by section, alphabetically within a section.
.\" Please do not reference files that do not exist without filing a bug report
.Xr certtool 1 ,
.Xr leaks 1 ,
.Xr pluginkit 8
.\" .Xr systemkeychain 8
.Sh HISTORY
.Nm
was first introduced in Mac OS X version 10.3.
.Sh BUGS
.Nm
still needs more commands before it can be considered complete.
In particular, it should someday supersede both the
.Li certtool
and
.Li systemkeychain
commands.
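The service-name matching rules that set-identity-preference describes (exact match, partial-path URLs that must end in a slash, and a leading '*' wildcard that, unlike a TLS wildcard, may span several subdomain labels) together with its KEY USAGE CODES table, as an added shell example that is not part of the security(1) man page. It treats the page's examples as instances of a general rule so that an administrator can check, before setting a preference, which services it would cover and which it would not; the function names idpref_matches and keyusage_value and the usage labels accepted by keyusage_value are assumptions of this example, not arguments the tool itself accepts.

```shell
#!/bin/sh
# Added example, not code from the security(1) man page. It reproduces
# the documented matching rules for set-identity-preference service
# names and builds the -u keyUsage integer from the KEY USAGE CODES
# table. The Security framework does the real matching; these helpers
# (hypothetical names) only model the rules the page states.

# idpref_matches SERVICE PREFERENCE: exit 0 if a preference stored under
# PREFERENCE would be in effect for SERVICE, 1 otherwise.
idpref_matches() {
    service=$1
    pref=$2
    case "$pref" in
        \*.*)
            # Domain wildcard: '*' is the leftmost component and may
            # match more than one label, so "*.mil" covers
            # "server.army.mil". The bare suffix itself is not covered.
            suffix=${pref#\*}          # "*.army.mil" -> ".army.mil"
            case "$service" in
                *"$suffix")
                    if [ "$service" != "$suffix" ]; then return 0; fi ;;
            esac
            return 1
            ;;
        */)
            # Partial-path URL: with the trailing slash, the preference
            # also applies to more specific paths on the same server.
            case "$service" in
                "$pref"*) return 0 ;;
            esac
            return 1
            ;;
        *)
            # Anything else (including a URL without a trailing slash)
            # has to match the service name exactly.
            [ "$service" = "$pref" ]
            ;;
    esac
}

# keyusage_value NAME...: print the -u keyUsage integer for the named
# usages. The page says to add the codes together; bitwise OR gives the
# same result for distinct codes and does not double-count a repeat.
keyusage_value() {
    total=0
    for name in "$@"; do
        case "$name" in
            all)           code=0 ;;     # in effect for every usage (default)
            encrypt)       code=1 ;;
            decrypt)       code=2 ;;
            sign)          code=4 ;;
            verify)        code=8 ;;
            signRecover)   code=16 ;;
            verifyRecover) code=32 ;;
            wrap)          code=64 ;;
            unwrap)        code=128 ;;
            derive)        code=256 ;;
            *) printf 'unknown key usage: %s\n' "$name" >&2; return 1 ;;
        esac
        total=$((total | code))
    done
    printf '%s\n' "$total"
}

# idpref_demo: checks the man page's own examples plus one near miss.
idpref_demo() {
    for pair in "server1.subdomain1.army.mil *.army.mil" \
                "https://www.apache-ssl.org/cgi/cert-export https://www.apache-ssl.org/" \
                "https://www.apache-ssl.org/cgi/cert-export https://www.apache-ssl.org"; do
        set -- $pair   # deliberate word split: "service preference"
        if idpref_matches "$1" "$2"; then r=covered; else r=not-covered; fi
        printf '%-50s %-30s %s\n' "$1" "$2" "$r"
    done
    printf 'sign+verify keyUsage = %s\n' "$(keyusage_value sign verify)"
}

# Usage: sh idpref.sh demo
if [ "${1:-}" = demo ]; then
    idpref_demo
fi
```

The third demo line is the case the page warns about: without the trailing slash, "https://www.apache-ssl.org" is an exact-match preference and does not cover deeper paths on that server.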
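verify-cert takes one -c per certificate with the leaf first, and the -R options let you require a positive revocation answer instead of treating a missing one as success. The following is an added shell example, not code from the security(1) man page, that splits a PEM bundle (leaf, then issuers, as a server or a PEM export typically orders them) into per-certificate files in their original order and assembles that invocation. The helper names, the sample bundle (constructed placeholder text, not real certificates) and the VERIFY_DRY_RUN switch are assumptions of this example; security(1) exists only on macOS, so elsewhere the script prints the command it would run.

```shell
#!/bin/sh
# Added example, not code from the security(1) man page. Prepares a PEM
# bundle for verify-cert: -c may be repeated but the leaf must come
# first, so the bundle is split into one file per certificate in bundle
# order. sample_bundle is constructed placeholder text, not a real
# chain; all function names here are hypothetical.

# split_pem_bundle BUNDLE OUTDIR: writes OUTDIR/cert-1.pem, cert-2.pem, ...
# in bundle order, ignores anything outside BEGIN/END markers, and
# prints the number of certificates written.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# verify_chain BUNDLE HOST: splits the bundle and runs
#   security verify-cert -c leaf -c issuer... -p ssl -n HOST -R ocsp -R crl -R require
# so a missing or negative revocation answer fails the evaluation rather
# than passing silently. Set VERIFY_DRY_RUN=1 (or run where security(1)
# is absent) to print the command instead of executing it.
verify_chain() {
    bundle=$1
    host=$2
    workdir=$(mktemp -d) || return 1
    count=$(split_pem_bundle "$bundle" "$workdir") || return 1
    if [ "$count" -eq 0 ]; then
        printf 'no certificates found in %s\n' "$bundle" >&2
        return 1
    fi
    set -- security verify-cert
    i=1
    while [ "$i" -le "$count" ]; do
        set -- "$@" -c "$workdir/cert-$i.pem"
        i=$((i + 1))
    done
    set -- "$@" -p ssl -n "$host" -R ocsp -R crl -R require
    if [ "${VERIFY_DRY_RUN:-0}" = 1 ] || ! command -v security >/dev/null 2>&1; then
        printf 'would run: %s\n' "$*"
        return 0
    fi
    "$@"   # non-zero exit: chain failed the ssl policy or revocation checks
}

# sample_bundle: constructed placeholder bundle (leaf first) used to
# exercise the splitter; the bodies are not real certificates.
sample_bundle() {
    cat <<'EOF'
subject=CN=leaf.example.test
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
subject=CN=Intermediate CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER
-----END CERTIFICATE-----
EOF
}

# Usage: sh verify_chain.sh bundle.pem host.example.test
if [ "$#" -eq 2 ]; then
    verify_chain "$1" "$2"
fi
```

Lines between certificates (such as the subject= lines openssl prints) are dropped, which is what keeps each -c file parseable; if you also want to pin the anchor, add -r for the last file instead of passing it with -c.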