]> git.saurik.com Git - apple/security.git/blob - SecurityTool/macOS/security.1
Security-59306.101.1.tar.gz
[apple/security.git] / SecurityTool / macOS / security.1
1 .\"Modified from man(1) of FreeBSD, the NetBSD mdoc.template, and mdoc.samples.
2 .\"See Also:
3 .\"man mdoc.samples for a complete listing of options
4 .\"man mdoc for the short list of editing options
5 .Dd March 15, 2017 \" DATE
6 .Dt security 1 \" Program name and manual section number
7 .Os Darwin
8 .Sh NAME \" Section Header - required - don't modify
9 .Nm security
10 .\" The following lines are read in generating the apropos(man -k) database. Use only key
11 .\" words here as the database is built based on the words here and in the .ND line.
12 .\" Use .Nm macro to designate other names for the documented program.
13 .Nd Command line interface to keychains and Security framework
14 .Sh SYNOPSIS \" Section Header - required - don't modify
15 .Nm
16 .Op Fl hilqv \" [-hilqv]
17 .Op Fl p Ar prompt \" [-p prompt]
18 .Op Ar command \" [command]
19 .Op Ar command_options \" [command_options]
20 .Op Ar command_args \" [command_args]
21 .Sh DESCRIPTION \" Section Header - required - don't modify
22 A simple command line interface which lets you administer keychains,
23 manipulate keys and certificates, and do just about anything the
24 Security framework is capable of from the command line.
25 .Pp
26 By default
27 .Nm
28 will execute the
29 .Ar command
30 supplied and report if anything went wrong.
31 .Pp
32 If the
33 .Fl i
34 or
35 .Fl p
36 options are provided,
37 .Nm
38 will enter interactive mode and allow the user to enter multiple commands on stdin. When EOF is read from stdin
39 .Nm
40 will exit.
41 .Pp
42 Here is a complete list of the options available:
43 .Bl -tag -width -indent
44 .It Fl h
45 If no arguments are specified, show a list of all commands. If arguments are provided, show usage for each the specified commands. This option is essentially the same as the
46 .Nm help
47 command.
48 .It Fl i
49 Run
50 .Nm
51 in interactive mode. A prompt
52 .Po
53 .Li security>
54 by default
55 .Pc
56 will be displayed and the user will be able to type commands on stdin until an EOF is encountered.
57 .It Fl l
58 Before
59 .Nm
60 exits, run
61 .Dl "/usr/bin/leaks -nocontext"
62 on itself to see if the command(s) you executed had any leaks.
63 .It Fl p Ar prompt
64 This option implies the
65 .Fl i
66 option but changes the default prompt to the argument specified instead.
67 .It Fl q
68 Will make
69 .Nm
70 less verbose.
71 .It Fl v
72 Will make
73 .Nm
74 more verbose.
75 .El \" Ends the list
76 .Pp
77 .Sh "SECURITY COMMAND SUMMARY"
78 .Nm
79 provides a rich variety of commands
80 .Po Ar command
81 in the
82 .Sx SYNOPSIS Pc Ns
83 , each of which often has a wealth of options, to allow access to
84 the broad functionality provided by the Security framework. However,
85 you don't have to master every detail for
86 .Nm
87 to be useful to you.
88 .Pp
89 Here are brief descriptions of all the
90 .Nm
91 commands:
92 .Pp
93 .Bl -tag -width user-trust-settings-enable -compact
94 .It Nm help
95 Show all commands, or show usage for a command.
96 .It Nm list-keychains
97 Display or manipulate the keychain search list.
98 .It Nm default-keychain
99 Display or set the default keychain.
100 .It Nm login-keychain
101 Display or set the login keychain.
102 .It Nm create-keychain
103 Create keychains.
104 .It Nm delete-keychain
105 Delete keychains and remove them from the search list.
106 .It Nm lock-keychain
107 Lock the specified keychain.
108 .It Nm unlock-keychain
109 Unlock the specified keychain.
110 .It Nm set-keychain-settings
111 Set settings for a keychain.
112 .It Nm set-keychain-password
113 Set password for a keychain.
114 .It Nm show-keychain-info
115 Show the settings for keychain.
116 .It Nm dump-keychain
117 Dump the contents of one or more keychains.
118 .It Nm create-keypair
119 Create an asymmetric key pair.
120 .It Nm add-generic-password
121 Add a generic password item.
122 .It Nm add-internet-password
123 Add an internet password item.
124 .It Nm add-certificates
125 Add certificates to a keychain.
126 .It Nm find-generic-password
127 Find a generic password item.
128 .It Nm delete-generic-password
129 Delete a generic password item.
130 .It Nm set-generic-password-partition-list
131 Set the partition list of a generic password item.
132 .It Nm find-internet-password
133 Find an internet password item.
134 .It Nm delete-internet-password
135 Delete an internet password item.
136 .It Nm set-internet-password-partition-list
137 Set the partition list of a internet password item.
138 .It Nm find-key
139 Find keys in the keychain
140 .It Nm set-key-partition-list
141 Set the partition list of a key.
142 .It Nm find-certificate
143 Find a certificate item.
144 .It Nm find-identity
145 Find an identity (certificate + private key).
146 .It Nm delete-certificate
147 Delete a certificate from a keychain.
148 .It Nm delete-identity
149 Delete a certificate and its private key from a keychain.
150 .It Nm set-identity-preference
151 Set the preferred identity to use for a service.
152 .It Nm get-identity-preference
153 Get the preferred identity to use for a service.
154 .It Nm create-db
155 Create a db using the DL.
156 .It Nm export
157 Export items from a keychain.
158 .It Nm import
159 Import items into a keychain.
160 .It Nm cms
161 Encode or decode CMS messages.
162 .It Nm install-mds
163 Install (or re-install) the MDS database.
164 .It Nm add-trusted-cert
165 Add trusted certificate(s).
166 .It Nm remove-trusted-cert
167 Remove trusted certificate(s).
168 .It Nm dump-trust-settings
169 Display contents of trust settings.
170 .It Nm user-trust-settings-enable
171 Display or manipulate user-level trust settings.
172 .It Nm trust-settings-export
173 Export trust settings.
174 .It Nm trust-settings-import
175 Import trust settings.
176 .It Nm verify-cert
177 Verify certificate(s).
178 .It Nm authorize
179 Perform authorization operations.
180 .It Nm authorizationdb
181 Make changes to the authorization policy database.
182 .It Nm execute-with-privileges
183 Execute tool with privileges.
184 .It Nm leaks
185 Run
186 .Pa /usr/bin/leaks
187 on this process.
188 .It Nm smartcards
189 Enable, disable or list disabled smartcard tokens.
190 .It Nm list-smartcards
191 Display available smartcards.
192 .It Nm export-smartcard
193 Export/display items from a smartcard.
194 .It Nm error
195 Display a descriptive message for the given error code(s).
196 .El
197 .Sh "COMMON COMMAND OPTIONS"
198 This section describes the
199 .Ar command_options
200 that are available across all
201 .Nm
202 commands.
203 .Bl -tag -width -indent
204 .It Fl h
205 Show a usage message for the specified command. This option is
206 essentially the same as the
207 .Ar help
208 command.
209 .El
210 .Sh "SECURITY COMMANDS"
211 Here (finally) are details on all the
212 .Nm
213 commands and the options each accepts.
214 .Bl -item
215 .It
216 .Nm help
217 .Op Fl h
218 .Bl -item -offset -indent
219 Show all commands, or show usage for a command.
220 .El
221 .It
222 .Nm list-keychains
223 .Op Fl h
224 .Op Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
225 .Op Fl s Op Ar keychain...
226 .Bl -item -offset -indent
227 Display or manipulate the keychain search list.
228 .It
229 .Bl -tag -compact -width -indent
230 .It Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
231 Use the specified preference domain.
232 .It Fl s
233 Set the search list to the specified keychains.
234 .El
235 .El
236 .It
237 .Nm default-keychain
238 .Op Fl h
239 .Op Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
240 .Op Fl s Op Ar keychain
241 .Bl -item -offset -indent
242 Display or set the default keychain.
243 .It
244 .Bl -tag -compact -width -indent
245 .It Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
246 Use the specified preference domain.
247 .It Fl s
248 Set the default keychain to the specified
249 .Ar keychain Ns .
250 Unset it if no keychain is specified.
251 .El
252 .El
253 .It
254 .Nm login-keychain
255 .Op Fl h
256 .Op Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
257 .Op Fl s Op Ar keychain
258 .Bl -item -offset -indent
259 Display or set the login keychain.
260 .It
261 .Bl -tag -compact -width -indent
262 .It Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
263 Use the specified preference domain.
264 .It Fl s
265 Set the login keychain to the specified
266 .Ar keychain Ns .
267 Unset it if no keychain is specified.
268 .El
269 .El
270 .It
271 .Nm create-keychain
272 .Op Fl hP
273 .Op Fl p Ar password
274 .Op Ar keychain...
275 .Bl -item -offset -indent
276 Create keychains.
277 .It
278 .Bl -tag -compact -width -indent-indent
279 .It Fl P
280 Prompt the user for a password using the SecurityAgent.
281 .It Fl p Ar password
282 Use
283 .Ar password
284 as the password for the keychains being created.
285 .El
286 .It
287 If neither
288 .Fl P
289 or
290 .Fl p Ar password
291 are specified, the user is prompted for a password on the command line. Use
292 of the -p option is insecure.
293 .El
294 .It
295 .Nm delete-keychain
296 .Op Fl h
297 .Op Ar keychain...
298 .Bl -item -offset -indent
299 Delete keychains and remove them from the search list.
300 .El
301 .It
302 .Nm lock-keychain
303 .Op Fl h
304 .Op Fl a Ns | Ns Ar keychain
305 .Bl -item -offset -indent
306 Lock
307 .Ar keychain Ns
308 \&, or the default keychain if none is specified. If the
309 .Fl a
310 option is specified, all keychains are locked.
311 .El
312 .It
313 .Nm unlock-keychain
314 .Op Fl hu
315 .Op Fl p Ar password
316 .Op Ar keychain
317 .Bl -item -offset -indent
318 Unlock
319 .Ar keychain Ns
320 \&, or the default keychain if none is specified.
321 .El
322 .It
323 .Nm set-keychain-settings
324 .Op Fl hlu
325 .Op Fl t Ar timeout
326 .Op Ar keychain
327 .Bl -item -offset -indent
328 Set settings for
329 .Ar keychain Ns
330 \&, or the default keychain if none is specified.
331 .It
332 .Bl -tag -compact -width -indent-indent
333 .It Fl l
334 Lock keychain when the system sleeps.
335 .It Fl u
336 Lock keychain after timeout interval.
337 .It Fl t Ar timeout
338 Specify
339 .Ar timeout
340 interval in seconds (omitting this option specifies "no timeout").
341 .El
342 .El
343 .It
344 .Nm set-keychain-password
345 .Op Fl h
346 .Op Fl o Ar oldPassword
347 .Op Fl p Ar newPassword
348 .Op Ar keychain
349 .Bl -item -offset -indent
350 Set password for
351 .Ar keychain Ns
352 \&, or the default keychain if none is specified.
353 .It
354 .Bl -tag -compact -width -indent-indent
355 .It Fl o Ar oldPassword
356 Old keychain password (if not provided, will prompt)
357 .It Fl p Ar newPassword
358 New keychain password (if not provided, will prompt)
359 .El
360 .El
361 .It
362 .Nm show-keychain-info
363 .Op Fl h
364 .Op Ar keychain
365 .Bl -item -offset -indent
366 Show the settings for
367 .Ar keychain Ns
368 \&.
369 .El
370 .It
371 .Nm dump-keychain
372 .Op Fl adhir
373 .Bl -item -offset -indent
374 Dump the contents of one or more keychains.
375 .It
376 .Bl -tag -compact -width -indent-indent
377 .It Fl a
378 Dump access control list of items
379 .It Fl d
380 Dump (decrypted) data of items
381 .It Fl i
382 Interactive access control list editing mode
383 .It Fl r
384 Dump raw (encrypted) data of items
385 .El
386 .El
387 .It
388 .Nm create-keypair
389 .Op Fl h
390 .Op Fl a Ar alg
391 .Op Fl s Ar size
392 .Op Fl f Ar date
393 .Op Fl t Ar date
394 .Op Fl d Ar days
395 .Op Fl k Ar keychain
396 .Op Fl A Ns | Ns Fl T Ar appPath
397 .Op Ar name
398 .Bl -item -offset -indent
399 Create an asymmetric key pair.
400 .It
401 .Bl -tag -compact -width -indent-indent
402 .It Fl a Ar alg
403 Use
404 .Ar alg
405 as the algorithm, can be rsa, dh, dsa or fee (default rsa)
406 .It Fl s Ar size
407 Specify the keysize in bits (default 512)
408 .It Fl f Ar date
409 Make a key valid from the specified date (ex: "13/11/10 3:30pm")
410 .It Fl t Ar date
411 Make a key valid to the specified date
412 .It Fl d Ar days
413 Make a key valid for the number of days specified from today
414 .It Fl k Ar keychain
415 Use the specified keychain rather than the default
416 .It Fl A
417 Allow any application to access this key without warning (insecure, not recommended!)
418 .It Fl T Ar appPath
419 Specify an application which may access this key (multiple
420 .Fl T Ns
421 \& options are allowed)
422 .El
423 .El
424 .It
425 .Nm add-generic-password
426 .Op Fl h
427 .Op Fl a Ar account
428 .Op Fl s Ar service
429 .Op Fl w Ar password
430 .Op Ar options...
431 .Op Ar keychain
432 .Bl -item -offset -indent
433 Add a generic password item.
434 .It
435 .Bl -tag -compact -width -indent-indent
436 .It Fl a Ar account
437 Specify account name (required)
438 .It Fl c Ar creator
439 Specify item creator (optional four-character code)
440 .It Fl C Ar type
441 Specify item type (optional four-character code)
442 .It Fl D Ar kind
443 Specify kind (default is "application password")
444 .It Fl G Ar value
445 Specify generic attribute value (optional)
446 .It Fl j Ar comment
447 Specify comment string (optional)
448 .It Fl l Ar label
449 Specify label (if omitted, service name is used as default label)
450 .It Fl s Ar service
451 Specify service name (required)
452 .It Fl p Ar password
453 Specify password to be added (legacy option, equivalent to
454 .Fl w Ns
455 \&)
456 .It Fl w Ar password
457 Specify password to be added. Put at end of command to be prompted (recommended)
458 .It Fl A
459 Allow any application to access this item without warning (insecure, not recommended!)
460 .It Fl T Ar appPath
461 Specify an application which may access this item (multiple
462 .Fl T Ns
463 \& options are allowed)
464 .It Fl U
465 Update item if it already exists (if omitted, the item cannot already exist)
466 .It Fl X Ar password
467 Specify password data to be added as a hexadecimal string
468 .El
469 .It
470 .Bl -item
471 By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname:
472 .Fl T Ns
473 \& "". If no keychain is specified, the password is added to the default keychain.
474 .El
475 .El
476 .It
477 .Nm add-internet-password
478 .Op Fl h
479 .Op Fl a Ar account
480 .Op Fl s Ar server
481 .Op Fl w Ar password
482 .Op Ar options...
483 .Op Ar keychain
484 .Bl -item -offset -indent
485 Add an internet password item.
486 .It
487 .Bl -tag -compact -width -indent-indent
488 .It Fl a Ar account
489 Specify account name (required)
490 .It Fl c Ar creator
491 Specify item creator (optional four-character code)
492 .It Fl C Ar type
493 Specify item type (optional four-character code)
494 .It Fl d Ar domain
495 Specify security domain string (optional)
496 .It Fl D Ar kind
497 Specify kind (default is "application password")
498 .It Fl j Ar comment
499 Specify comment string (optional)
500 .It Fl l Ar label
501 Specify label (if omitted, service name is used as default label)
502 .It Fl p Ar path
503 Specify path string (optional)
504 .It Fl P Ar port
505 Specify port number (optional)
506 .It Fl r Ar protocol
507 Specify protocol (optional four-character SecProtocolType, e.g. "http", "ftp ")
508 .It Fl s Ar server
509 Specify server name (required)
510 .It Fl t Ar authenticationType
511 Specify authentication type (as a four-character SecAuthenticationType, default is "dflt")
512 .It Fl w Ar password
513 Specify password to be added. Put at end of command to be prompted (recommended)
514 .It Fl A
515 Allow any application to access this item without warning (insecure, not recommended!)
516 .It Fl T Ar appPath
517 Specify an application which may access this item (multiple
518 .Fl T Ns
519 \& options are allowed)
520 .It Fl U
521 Update item if it already exists (if omitted, the item cannot already exist)
522 .It Fl X Ar password
523 Specify password data to be added as a hexadecimal string
524 .El
525 .It
526 .Bl -item
527 By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname:
528 .Fl T Ns
529 \& "". If no keychain is specified, the password is added to the default keychain.
530 .El
531 .El
532 .It
533 .Nm add-certificates
534 .Op Fl h
535 .Op Fl k Ar keychain
536 .Ar file...
537 .Bl -item -offset -indent
538 Add certficates contained in the specified
539 .Ar files
540 to the default keychain. The files must contain one DER encoded X509 certificate each.
541 .Bl -tag -compact -width -indent-indent
542 .It Fl k Ar keychain
543 Use
544 .Ar keychain
545 rather than the default keychain.
546 .El
547 .El
548 .It
549 .Nm find-generic-password
550 .Op Fl h
551 .Op Fl a Ar account
552 .Op Fl s Ar service
553 .Op Fl Ar options...
554 .Op Fl g
555 .Op Fl Ar keychain...
556 .Bl -item -offset -indent
557 Find a generic password item.
558 .It
559 .Bl -tag -compact -width -indent-indent
560 .It Fl a Ar account
561 Match account string
562 .It Fl c Ar creator
563 Match creator (four-character code)
564 .It Fl C Ar type
565 Match type (four-character code)
566 .It Fl D Ar kind
567 Match kind string
568 .It Fl G Ar value
569 Match value string (generic attribute)
570 .It Fl j Ar comment
571 Match comment string
572 .It Fl l Ar label
573 Match label string
574 .It Fl s Ar service
575 Match service string
576 .It Fl g
577 Display the password for the item found
578 .It Fl w
579 Display the password(only) for the item found
580 .El
581 .El
582 .It
583 .Nm delete-generic-password
584 .Op Fl h
585 .Op Fl a Ar account
586 .Op Fl s Ar service
587 .Op Fl Ar options...
588 .Op Fl Ar keychain...
589 .Bl -item -offset -indent
590 Delete a generic password item.
591 .It
592 .Bl -tag -compact -width -indent-indent
593 .It Fl a Ar account
594 Match account string
595 .It Fl c Ar creator
596 Match creator (four-character code)
597 .It Fl C Ar type
598 Match type (four-character code)
599 .It Fl D Ar kind
600 Match kind string
601 .It Fl G Ar value
602 Match value string (generic attribute)
603 .It Fl j Ar comment
604 Match comment string
605 .It Fl l Ar label
606 Match label string
607 .It Fl s Ar service
608 Match service string
609 .El
610 .El
611 .It
612 .Nm delete-internet-password
613 .Op Fl h
614 .Op Fl a Ar account
615 .Op Fl s Ar server
616 .Op Ar options...
617 .Op Ar keychain...
618 .Bl -item -offset -indent
619 Delete an internet password item.
620 .It
621 .Bl -tag -compact -width -indent-indent
622 .It Fl a Ar account
623 Match account string
624 .It Fl c Ar creator
625 Match creator (four-character code)
626 .It Fl C Ar type
627 Match type (four-character code)
628 .It Fl d Ar securityDomain
629 Match securityDomain string
630 .It Fl D Ar kind
631 Match kind string
632 .It Fl j Ar comment
633 Match comment string
634 .It Fl l Ar label
635 Match label string
636 .It Fl p Ar path
637 Match path string
638 .It Fl P Ar port
639 Match port number
640 .It Fl r Ar protocol
641 Match protocol (four-character code)
642 .It Fl s Ar server
643 Match server string
644 .It Fl t Ar authenticationType
645 Match authenticationType (four-character code)
646 .El
647 .El
648 .It
649 .Nm find-internet-password
650 .Op Fl h
651 .Op Fl a Ar account
652 .Op Fl s Ar server
653 .Op Ar options...
654 .Op Fl g
655 .Op Ar keychain...
656 .Bl -item -offset -indent
657 Find an internet password item.
658 .It
659 .Bl -tag -compact -width -indent-indent
660 .It Fl a Ar account
661 Match account string
662 .It Fl c Ar creator
663 Match creator (four-character code)
664 .It Fl C Ar type
665 Match type (four-character code)
666 .It Fl d Ar securityDomain
667 Match securityDomain string
668 .It Fl D Ar kind
669 Match kind string
670 .It Fl j Ar comment
671 Match comment string
672 .It Fl l Ar label
673 Match label string
674 .It Fl p Ar path
675 Match path string
676 .It Fl P Ar port
677 Match port number
678 .It Fl r Ar protocol
679 Match protocol (four-character code)
680 .It Fl s Ar server
681 Match server string
682 .It Fl t Ar authenticationType
683 Match authenticationType (four-character code)
684 .It Fl g
685 Display the password for the item found
686 .It Fl w
687 Display the password(only) for the item found
688 .El
689 .El
690 .It
691 .Nm find-key
692 .Op Ar options...
693 .Op Ar keychain...
694 .Bl -item -offset -indent
695 Search the keychain for keys.
696 .It
697 .Bl -tag -compact -width -indent-indent
698 .It Fl a Ar application-label
699 Match "application label" string
700 .It Fl c Ar creator
701 Match creator (four-character code)
702 .It Fl d
703 Match keys that can decrypt
704 .It Fl D Ar description
705 Match "description" string
706 .It Fl e
707 Match keys that can encrypt
708 .It Fl j Ar comment
709 Match comment string
710 .It Fl l Ar label
711 Match label string
712 .It Fl r
713 Match keys that can derive
714 .It Fl s
715 Match keys that can sign
716 .It Fl t Ar type
717 Type of key to find: one of "symmetric", "public", or "private"
718 .It Fl u
719 Match keys that can unwrap
720 .It Fl v
721 Match keys that can verify
722 .It Fl w
723 Match keys that can wrap
724 .El
725 .El
726 .It
727 .Nm set-generic-password-partition-list
728 .Op Fl a Ar account
729 .Op Fl s Ar service
730 .Op Fl S Ar <partition list (comma separated)>
731 .Op Fl k Ar <keychain password>
732 .Op Ar options...
733 .Op Ar keychain
734 .Bl -item -offset -indent
735 Sets the "partition list" for a generic password. The "partition list" is an extra parameter in the ACL which limits access to the item based on an application's code signature. You must present the keychain's password to change a partition list.
736 .It
737 .Bl -tag -compact -width -indent-indent
738 .It Fl S Ar partition-list
739 Comma-separated partition list. See output of "security dump-keychain" for examples.
740 .It Fl k Ar password
741 Password for keychain
742 .It Fl a Ar account
743 Match account string
744 .It Fl c Ar creator
745 Match creator (four-character code)
746 .It Fl C Ar type
747 Match type (four-character code)
748 .It Fl D Ar kind
749 Match kind string
750 .It Fl G Ar value
751 Match value string (generic attribute)
752 .It Fl j Ar comment
753 Match comment string
754 .It Fl l Ar label
755 Match label string
756 .It Fl s Ar service
757 Match service string
758 .El
759 .El
760 .It
761 .Nm set-internet-password-partition-list
762 .Op Fl a Ar account
763 .Op Fl s Ar server
764 .Op Fl S Ar <partition list (comma separated)>
765 .Op Fl k Ar <keychain password>
766 .Op Ar options...
767 .Op Ar keychain
768 .Bl -item -offset -indent
769 Sets the "partition list" for an internet password. The "partition list" is an extra parameter in the ACL which limits access to the item based on an application's code signature. You must present the keychain's password to change a partition list.
770 .It
771 .Bl -tag -compact -width -indent-indent
772 .It Fl S Ar partition-list
773 Comma-separated partition list. See output of "security dump-keychain" for examples.
774 .It Fl k Ar password
775 Password for keychain
776 .It Fl a Ar account
777 Match account string
778 .It Fl c Ar creator
779 Match creator (four-character code)
780 .It Fl C Ar type
781 Match type (four-character code)
782 .It Fl d Ar securityDomain
783 Match securityDomain string
784 .It Fl D Ar kind
785 Match kind string
786 .It Fl j Ar comment
787 Match comment string
788 .It Fl l Ar label
789 Match label string
790 .It Fl p Ar path
791 Match path string
792 .It Fl P Ar port
793 Match port number
794 .It Fl r Ar protocol
795 Match protocol (four-character code)
796 .It Fl s Ar server
797 Match server string
798 .It Fl t Ar authenticationType
799 Match authenticationType (four-character code)
800 .El
801 .El
802 .It
803 .Nm set-key-partition-list
804 .Op Fl S Ar <partition list (comma separated)>
805 .Op Fl k Ar <keychain password>
806 .Op Ar options...
807 .Op Ar keychain
808 .Bl -item -offset -indent
809 Sets the "partition list" for a key. The "partition list" is an extra parameter in the ACL which limits access to the key based on an application's code signature. You must present the keychain's password to change a partition list. If you'd like to run /usr/bin/codesign with the key, "apple:" must be an element of the partition list.
810 .It
811 .Bl -tag -compact -width -indent-indent
812 .It Fl S Ar partition-list
813 Comma-separated partition list. See output of "security dump-keychain" for examples.
814 .It Fl k Ar password
815 Password for keychain
816 .It Fl a Ar application-label
817 Match "application label" string
818 .It Fl c Ar creator
819 Match creator (four-character code)
820 .It Fl d
821 Match keys that can decrypt
822 .It Fl D Ar description
823 Match "description" string
824 .It Fl e
825 Match keys that can encrypt
826 .It Fl j Ar comment
827 Match comment string
828 .It Fl l Ar label
829 Match label string
830 .It Fl r
831 Match keys that can derive
832 .It Fl s
833 Match keys that can sign
834 .It Fl t Ar type
835 Type of key to find: one of "symmetric", "public", or "private"
836 .It Fl u
837 Match keys that can unwrap
838 .It Fl v
839 Match keys that can verify
840 .It Fl w
841 Match keys that can wrap
842 .El
843 .El
844 .It
845 .Nm find-certificate
846 .Op Fl h
847 .Op Fl a
848 .Op Fl c Ar name
849 .Op Fl e Ar emailAddress
850 .Op Fl m
851 .Op Fl p
852 .Op Fl Z
853 .Op Ar keychain...
854 .Bl -item -offset -indent
855 Find a certificate item. If no
856 .Ar keychain Ns
857 \& arguments are provided, the default search list is used.
858 .It
859 Options:
860 .Bl -tag -compact -width -indent-indent
861 .It Fl a
862 Find all matching certificates, not just the first one
863 .It Fl c Ar name
864 Match on
865 .Ar name Ns
866 \& when searching (optional)
867 .It Fl e Ar emailAddress
868 Match on
869 .Ar emailAddress Ns
870 \& when searching (optional)
871 .It Fl m
872 Show the email addresses in the certificate
873 .It Fl p
874 Output certificate in pem format. Default is to dump the attributes and keychain the cert is in.
875 .It Fl Z
876 Print SHA-256 (and SHA-1) hash of the certificate
877 .El
878 .It
879 .Sy Examples
880 .Bl -tag -width -indent
881 .It security> find-certificate -a -p > allcerts.pem
882 Exports all certificates from all keychains into a pem file called allcerts.pem.
883 .It security> find-certificate -a -e me@foo.com -p > certs.pem
884 Exports all certificates from all keychains with the email address
885 me@foo.com into a pem file called certs.pem.
886 .It security> find-certificate -a -c MyName -Z login.keychain | grep ^SHA-256
887 Print the SHA-256 hash of every certificate in 'login.keychain' whose common name includes 'MyName'
888 .El
889 .El
890 .It
891 .Nm find-identity
892 .Op Fl h
893 .Op Fl p Ar policy
894 .Op Fl s Ar string
895 .Op Fl v
896 .Op Ar keychain...
897 .Bl -item -offset -indent
898 Find an identity (certificate + private key) satisfying a given policy. If no
899 .Ar policy Ns
900 \& arguments are provided, the X.509 basic policy is assumed. If no
901 .Ar keychain Ns
902 \& arguments are provided, the default search list is used.
903 .It
904 Options:
905 .Bl -tag -compact -width -indent-indent
906 .It Fl p Ar policy
907 Specify
908 .Ar policy Ns
909 \& to evaluate (multiple -p options are allowed). Supported policies:
910 basic, ssl-client, ssl-server, smime, eap, ipsec, ichat, codesigning,
911 sys-default, sys-kerberos-kdc
912 .It Fl s Ar string
913 Specify optional policy-specific
914 .Ar string Ns
915 \& (e.g. a DNS hostname for SSL, or RFC822 email address for S/MIME)
916 .It Fl v
917 Show valid identities only (default is to show all identities)
918 .El
919 .It
920 .Sy Examples
921 .Bl -tag -width -indent
922 .It security> find-identity -v -p ssl-client
923 Display valid identities that can be used for SSL client authentication
924 .It security> find-identity -p ssl-server -s www.domain.com
925 Display identities for a SSL server running on the host 'www.domain.com'
926 .It security> find-identity -p smime -s user@domain.com
927 Display identities that can be used to sign a message from 'user@domain.com'
928 .El
929 .El
930 .It
931 .Nm delete-certificate
932 .Op Fl h
933 .Op Fl c Ar name
934 .Op Fl Z Ar hash
935 .Op Fl t
936 .Op Ar keychain...
937 .Bl -item -offset -indent
938 Delete a certificate from a keychain. If no
939 .Ar keychain Ns
940 \& arguments are provided, the default search list is used.
941 .It
942 .Bl -tag -compact -width -indent-indent
943 .It Fl c Ar name
944 Specify certificate to delete by its common name
945 .It Fl Z Ar hash
946 Specify certificate to delete by its SHA-256 (or SHA-1) hash
947 .It Fl t
948 Also delete user trust settings for this certificate
949 .El
950 .It
951 The certificate to be deleted must be uniquely specified either by a
952 string found in its common name, or by its SHA-256 (or SHA-1) hash.
953 .El
954 .It
955 .Nm delete-identity
956 .Op Fl h
957 .Op Fl c Ar name
958 .Op Fl Z Ar hash
959 .Op Fl t
960 .Op Ar keychain...
961 .Bl -item -offset -indent
962 Delete a certificate and its private key from a keychain. If no
963 .Ar keychain Ns
964 \& arguments are provided, the default search list is used.
965 .It
966 .Bl -tag -compact -width -indent-indent
967 .It Fl c Ar name
968 Specify certificate to delete by its common name
969 .It Fl Z Ar hash
970 Specify certificate to delete by its SHA-256 (or SHA-1) hash
971 .It Fl t
972 Also delete user trust settings for this identity certificate
973 .El
974 .It
975 The identity to be deleted must be uniquely specified either by a
976 string found in its common name, or by its SHA-256 (or SHA-1) hash.
977 .El
978 .It
979 .Nm set-identity-preference
980 .Op Fl h
981 .Op Fl n
982 .Op Fl c Ar identity
983 .Op Fl s Ar service
984 .Op Fl u Ar keyUsage
985 .Op Fl Z Ar hash
986 .Op Ar keychain...
987 .Bl -item -offset -indent
988 Set the preferred identity to use for a service.
989 .It
990 .Bl -tag -compact -width -indent-indent
991 .It Fl n
992 Specify no identity (clears existing preference for the given service)
993 .It Fl c Ar identity
994 Specify identity by common name of the certificate
995 .It Fl s Ar service
996 Specify service (may be a URL, RFC822 email address, DNS host, or other name) for which this identity is to be preferred
997 .It Fl u Ar keyUsage
998 Specify key usage (optional)
999 .It Fl Z Ar hash
1000 Specify identity by SHA-256 (or SHA-1) hash of certificate (optional)
1001 .El
1002 .It
1003 The identity is located by searching the specified keychain(s) for a certificate whose common name contains
1004 the given identity string. If no keychains are specified to search, the default search list is used. Different
1005 identity preferences can be set for individual key usages. You can differentiate between two identities which contain
1006 the same string by providing a SHA-256 (or SHA-1) hash of the certificate in addition to, or instead of, the name.
1007 .It
1008 .Sy PARTIAL PATHS AND WILDCARDS
1009 .It
1010 Prior to 10.5.4, identity preferences for SSL/TLS client authentication could only be set on a per-URL basis. The
1011 URL being visited had to match the service name exactly for the preference to be in effect.
1012 .It
1013 In 10.5.4, it became possible to specify identity preferences on a per-server basis, by using
1014 a service name with a partial path URL to match more specific paths on the same server. For
1015 example, if an identity preference for "https://www.apache-ssl.org/" exists, it will be in effect for
1016 "https://www.apache-ssl.org/cgi/cert-export", and so on. Note that partial path URLs must end with a trailing
1017 slash character.
1018 .It
1019 Starting with 10.6, it is possible to specify identity preferences on a per-domain
1020 basis, by using the wildcard character '*' as the leftmost component of the service name. Unlike SSL wildcards,
1021 an identity preference wildcard can match more than one subdomain. For example, an identity preference for
1022 the name "*.army.mil" will match "server1.subdomain1.army.mil" or "server2.subdomain2.army.mil". Likewise,
1023 a preference for "*.mil" will match both "server.army.mil" and "server.navy.mil".
1024 .It
1025 .Sy KEY USAGE CODES
1026 .It
1027 .Bl -tag -width -indent
1028 0 - preference is in effect for all possible key usages (default)
1029 1 - encryption only
1030 2 - decryption only
1031 4 - signing only
1032 8 - signature verification only
1033 16 - signing with message recovery only
1034 32 - signature verification with message recovery only
1035 64 - key wrapping only
1036 128 - key unwrapping only
1037 256 - key derivation only
1038 .It To specify more than one usage, add values together.
1039 .El
1040 .El
1041 .It
1042 .Nm get-identity-preference
1043 .Op Fl h
1044 .Op Fl s Ar service
1045 .Op Fl u Ar keyUsage
1046 .Op Fl p
1047 .Op Fl c
1048 .Op Fl Z
1049 .Bl -item -offset -indent
1050 Get the preferred identity to use for a service.
1051 .It
1052 .Bl -tag -compact -width -indent-indent
1053 .It Fl s Ar service
1054 Specify service (may be a URL, RFC822 email address, DNS host, or other name)
1055 .It Fl u Ar keyUsage
1056 Specify key usage (optional)
1057 .It Fl p
1058 Output identity certificate in pem format
1059 .It Fl c
1060 Print common name of the preferred identity certificate
1061 .It Fl Z
1062 Print SHA-256 (and SHA-1) hash of the preferred identity certificate
1063 .El
1064 .El
1065 .It
1066 .Nm create-db
1067 .Op Fl aho0
1068 .Op Fl g Ar dl Ns | Ns Ar cspdl
1069 .Op Fl m Ar mode
1070 .Op Ar name
1071 .Bl -item -offset -indent
1072 Create a db using the DL. If
1073 .Ar name
1074 isn't provided
1075 .Nm
1076 will prompt the user to type a name.
1077 .It
1078 Options:
1079 .Bl -tag -compact -width -indent-indent
1080 .It Fl a
1081 Turn off autocommit
1082 .It Fl g Ar dl Ns | Ns Ar cspdl
1083 Use the AppleDL (default) or AppleCspDL
1084 .It Fl m Ar mode
1085 Set the file permissions to
1086 .Ar mode Ns
1087 \&.
1088 .It Fl o
1089 Force using openparams argument
1090 .It Fl 0
1091 Force using version 0 openparams
1092 .El
1093 .It
1094 .Sy Examples
1095 .Bl -tag -width -indent
1096 .It security> create-db -m 0644 test.db
1097 .It security> create-db -g cspdl -a test2.db
1098 .El
1099 .\"new import/export commands.
1100 .El
1101 .It
1102 .Nm export
1103 .Op Fl k Ar keychain
1104 .Op Fl t Ar type
1105 .Op Fl f Ar format
1106 .Op Fl w
1107 .Op Fl p Ar format
1108 .Op Fl P Ar passphrase
1109 .Op Fl o Ar outfile
1110 .Bl -item -offset -indent
1111 Export one or more items from a keychain to one of a number of external representations. If
1112 .Ar keychain
1113 isn't provided, items will be exported from the user's default keychain.
1114 .It
1115 Options:
1116 .Bl -tag -compact -width -indent-indent
1117 .It Fl k Ar keychain
1118 Specify keychain from which item(s) will be exported.
1119 .It Fl t Ar type
1120 Specify the type of items to export. Possible types are certs, allKeys, pubKeys, privKeys, identities, and all. The default is all. An identity consists of both a certificate and the corresponding private key.
1121 .It Fl f Ar format
1122 Specify the format of the exported data. Possible formats are openssl, bsafe, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The default is pemseq if more than one item is being exported. The default is openssl if one key is being exported. The default is x509 if one certificate is being exported.
1123 .It Fl w
1124 Specifies that private keys are to be wrapped on export.
1125 .It Fl p
1126 Specifies that PEM armour is to be applied to the output data.
1127 .It Fl P Ar passphrase
1128 Specify the wrapping passphrase immediately. The default is to obtain a secure passphrase via GUI.
1129 .It Fl o Ar outfile
1130 Write the output data to
1131 .Ar outfile Ns
1132 \&. Default is to write data to stdout.
1133 .El
1134 .It
1135 .Sy Examples
1136 .Bl -tag -width -indent
1137 .It security> export -k login.keychain -t certs -o /tmp/certs.pem
1138 .It security> export -k newcert.keychain -t identities -f pkcs12 -o /tmp/mycerts.p12
1139 .El
1140 .\"marker.
1141 .El
1142 .It
1143 .Nm import
1144 inputfile
1145 .Op Fl k Ar keychain
1146 .Op Fl t Ar type
1147 .Op Fl f Ar format
1148 .Op Fl w
1149 .Op Fl P Ar passphrase
1150 .Op Ar options...
1151 .Bl -item -offset -indent
1152 Import one or more items from
1153 .Ar inputfile Ns
1154 \& into a keychain. If
1155 .Ar keychain
1156 isn't provided, items will be imported into the user's default keychain.
1157 .It
1158 Options:
1159 .Bl -tag -compact -width -indent-indent
1160 .It Fl k Ar keychain
1161 Specify keychain into which item(s) will be imported.
1162 .It Fl t Ar type
1163 Specify the type of items to import. Possible types are cert, pub, priv, session, cert, and agg. Pub, priv, and session refer to keys; agg is one of the aggregate types (pkcs12 and PEM sequence). The command can often figure out what item_type an item contains based in the filename and/or item_format.
1164 .It Fl f Ar format
1165 Specify the format of the exported data. Possible formats are openssl, bsafe, raw, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The command can often figure out what format an item is in based in the filename and/or item_type.
1166 .It Fl w
1167 Specify that private keys are wrapped and must be unwrapped on import.
1168 .It Fl x
1169 Specify that private keys are non-extractable after being imported.
1170 .It Fl P Ar passphrase
1171 Specify the unwrapping passphrase immediately. The default is to obtain a secure passphrase via GUI.
1172 .It Fl a Ar attrName Ar attrValue
1173 Specify optional extended attribute name and value. Can be used multiple times. This is only valid when importing keys.
1174 .It Fl A
1175 Allow any application to access the imported key without warning (insecure, not recommended!)
1176 .It Fl T Ar appPath
1177 Specify an application which may access the imported key (multiple
1178 .Fl T Ns
1179 \& options are allowed)
1180 .El
1181 .It
1182 .Sy Examples
1183 .Bl -tag -width -indent
1184 .It security> import /tmp/certs.pem -k
1185 .It security> import /tmp/mycerts.p12 -t agg -k newcert.keychain
1186 .It security> import /tmp/mycerts.p12 -f pkcs12 -k newcert.keychain
1187 .El
1188 .\"end of new import/export commands.
1189 .El
1190 .It
1191 .Nm cms
1192 .Op Fl C Ns | Ns Fl D Ns | Ns Fl E Ns | Ns Fl S
1193 .Op Ar options...
1194 .Bl -item -offset -indent
1195 Encode or decode CMS messages.
1196 .Bl -tag -compact -width -indent-indent
1197 .It Fl C
1198 create a CMS encrypted message
1199 .It Fl D
1200 decode a CMS message
1201 .It Fl E
1202 create a CMS enveloped message
1203 .It Fl S
1204 create a CMS signed message
1205 .El
1206 .It
1207 Decoding options:
1208 .Bl -tag -compact -width -indent-indent
1209 .It Fl c Ar content
1210 use this detached content file
1211 .It Fl h Ar level
1212 generate email headers with info about CMS message (output
1213 .Ar level Ns
1214 \& >= 0)
1215 .It Fl n
1216 suppress output of content
1217 .El
1218 .It
1219 Encoding options:
1220 .Bl -tag -compact -width -indent-indent
1221 .It Fl r Ar id,...
1222 create envelope for comma-delimited list of recipients, where id can be a certificate nickname or email address
1223 .It Fl G
1224 include a signing time attribute
1225 .It Fl H Ar hash
1226 hash = MD2|MD4|MD5|SHA1|SHA256|SHA384|SHA512 (default: SHA1)
1227 .It Fl N Ar nick
1228 use certificate named "nick" for signing
1229 .It Fl P
1230 include a SMIMECapabilities attribute
1231 .It Fl T
1232 do not include content in CMS message
1233 .It Fl Y Ar nick
1234 include an EncryptionKeyPreference attribute with certificate (use "NONE" to omit)
1235 .It Fl Z Ar hash
1236 find a certificate by subject key ID
1237 .El
1238 .It
1239 Common options:
1240 .Bl -tag -compact -width -indent-indent
1241 .It Fl e Ar envelope
1242 specify envelope file (valid with
1243 .Fl D Ns
1244 \& or
1245 .Fl E Ns
1246 \&)
1247 .It Fl k Ar keychain
1248 specify keychain to use
1249 .It Fl i Ar infile
1250 use infile as source of data (default: stdin)
1251 .It Fl o Ar outfile
1252 use outfile as destination of data (default: stdout)
1253 .It Fl p Ar password
1254 use password as key db password (default: prompt)
1255 .It Fl s
1256 pass data a single byte at a time to CMS
1257 .It Fl u Ar certusage
1258 set type of certificate usage (default: certUsageEmailSigner)
1259 .It Fl v
1260 print debugging information
1261 .El
1262 .It
1263 Cert usage codes:
1264 0 - certUsageSSLClient
1265 1 - certUsageSSLServer
1266 2 - certUsageSSLServerWithStepUp
1267 3 - certUsageSSLCA
1268 4 - certUsageEmailSigner
1269 5 - certUsageEmailRecipient
1270 6 - certUsageObjectSigner
1271 7 - certUsageUserCertImport
1272 8 - certUsageVerifyCA
1273 9 - certUsageProtectedObjectSigner
1274 10 - certUsageStatusResponder
1275 11 - certUsageAnyCA
1276 .It
1277 .El
1278 .It
1279 .Nm install-mds
1280 .Bl -item -offset -indent
1281 Install (or re-install) the Module Directory Services (MDS) database. This is a system tool which is not normally used by users. There are no options.
1282 .El
1283 .It
1284 .Nm add-trusted-cert
1285 .Op Fl d
1286 .Op Fl r Ar resultType
1287 .Op Fl p Ar policy
1288 .Op Fl a Ar appPath
1289 .Op Fl s Ar policyString
1290 .Op Fl e Ar allowedError
1291 .Op Fl u Ar keyUsage
1292 .Op Fl k Ar keychain
1293 .Op Fl i Ar settingsFileIn
1294 .Op Fl o Ar settingsFileOut
1295 certFile
1296 .Bl -item -offset -indent
1297 Add certificate (in DER or PEM format) from
1298 .Ar certFile Ns
1299 \& to per-user or local Admin Trust Settings. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
1300 .It
1301 Options:
1302 .Bl -tag -compact -width -indent-indent
1303 .It Fl d
1304 Add to admin cert store; default is user.
1305 .It Fl r Ar resultType
1306 resultType = trustRoot|trustAsRoot|deny|unspecified; default is trustRoot.
1307 .It Fl p Ar policy
1308 Specify policy constraint (ssl, smime, codeSign, IPSec, basic, swUpdate, pkgSign, eap, macappstore, appleID, timestamping).
1309 .It Fl a Ar appPath
1310 Specify application constraint.
1311 .It Fl s Ar policyString
1312 Specify policy-specific string.
1313 .It Fl e Ar allowedError
1314 Specify allowed error (an integer value, or one of: certExpired, hostnameMismatch)
1315 .It Fl u Ar keyUsage
1316 Specify key usage, an integer.
1317 .It Fl k Ar keychain
1318 Specify keychain to which cert is added.
1319 .It Fl i Ar settingsFileIn
1320 Input trust settings file; default is user domain.
1321 .It Fl o Ar settingsFileOut
1322 Output trust settings file; default is user domain.
1323 .El
1324 .It
1325 .Sy Key usage codes:
1326 -1 - Any
1327 1 - Sign
1328 2 - Encrypt/Decrypt Data
1329 4 - Encrypt/Decrypt Key
1330 8 - Sign certificate
1331 16 - Sign revocation
1332 32 - Key exchange
1333 To specify more than one usage, add values together (except -1 - Any).
1334 .It
1335 .Sy Examples
1336 .Bl -tag -width -indent
1337 .Dl security> add-trusted-cert /tmp/cert.der
1338 .Dl security> add-trusted-cert -d .tmp/cert.der
1339 .El
1340 .\"marker.
1341 .It
1342 .Nm remove-trusted-cert
1343 .Op Fl d
1344 certFile
1345 .Bl -item -offset -indent
1346 Remove certificate (in DER or PEM format) in
1347 .Ar certFile Ns
1348 \& from per-user or local Admin Trust Settings. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
1349 .It
1350 Options:
1351 .Bl -tag -compact -width -indent-indent
1352 .It Fl d
1353 Remove from admin cert store; default is user.
1354 .El
1355 .\"marker.
1356 .El
1357 .It
1358 .Nm dump-trust-settings
1359 .Op Fl s
1360 .Op Fl d
1361 .Bl -item -offset -indent
1362 Display Trust Settings.
1363 .It
1364 Options:
1365 .Bl -tag -compact -width -indent-indent
1366 .It Fl s
1367 Display trusted system certs; default is user.
1368 .It Fl d
1369 Display trusted admin certs; default is user.
1370 .El
1371 .\"marker.
1372 .El
1373 .It
1374 .Nm user-trust-settings-enable
1375 .Op Fl d
1376 .Op Fl e
1377 .Bl -item -offset -indent
1378 Display or manipulate user-level Trust Settings. With no arguments, shows the current state of the user-level Trust Settings enable. Otherwise enables or disables user-level Trust Settings.
1379 .It
1380 Options:
1381 .Bl -tag -compact -width -indent-indent
1382 .It Fl d
1383 Disable user-level Trust Settings.
1384 .It Fl e
1385 Enable user-level Trust Settings.
1386 .El
1387 .\"marker.
1388 .El
1389 .It
1390 .Nm trust-settings-export
1391 .Op Fl s
1392 .Op Fl d
1393 settings_file
1394 .Bl -item -offset -indent
1395 Export Trust Settings to the specified file.
1396 .It
1397 Options:
1398 .Bl -tag -compact -width -indent-indent
1399 .It Fl s
1400 Export system Trust Settings; default is user.
1401 .It Fl d
1402 Export admin Trust Settings; default is user.
1403 .El
1404 .\"marker.
1405 .El
1406 .It
1407 .Nm trust-settings-import
1408 .Op Fl d
1409 settings_file
1410 .Bl -item -offset -indent
1411 Import Trust Settings from the specified file. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
1412 .It
1413 Options:
1414 .Bl -tag -compact -width -indent-indent
1415 .It Fl d
1416 Import admin Trust Settings; default is user.
1417 .El
1418 .\"marker.
1419 .El
1420 .It
1421 .Nm verify-cert
1422 .Op Fl c Ar certFile
1423 .Op Fl r Ar rootCertFile
1424 .Op Fl p Ar policy
1425 .Op Fl C
1426 .Op Fl d Ar date
1427 .Op Fl k Ar keychain
1428 .Op Fl n Ar name
1429 .Op Fl N
1430 .Op Fl L
1431 .Op Fl l
1432 .Op Fl e Ar emailAddress
1433 .Op Fl s Ar sslHost
1434 .Op Fl q
1435 .Op Fl R Ar revCheckOption
1436 .Op Fl P
1437 .Op Fl t
1438 .Op Fl v
1439 .Op Ar url
1440 .Bl -item -offset -indent
1441 Verify one or more certificates. If a direct URL argument is provided, a TLS connection is attempted and the certificate presented by that server is evaluated according to standard SSL server policy; other certificates or policy options will be ignored in this case.
1442 .It
1443 Options:
1444 .Bl -tag -compact -width -indent-indent
1445 .It Fl c Ar certFile
1446 Certificate to verify, in DER or PEM format. Can be specified more than once; leaf certificate has to be specified first.
1447 .It Fl r Ar rootCertFile
1448 Root certificate, in DER or PEM format. Can be specified more than once. If not specified, the system anchor certificates are used. If one root certificate is specified, and zero (non-root) certificates are specified, the root certificate is verified against itself.
1449 .It Fl p Ar policy
1450 Specify verification policy (ssl, smime, codeSign, IPSec, basic, swUpdate, pkgSign, eap, appleID, macappstore, timestamping). Default is basic.
1451 .It Fl C
1452 Specify this evaluation is for client usage, if the verification policy (e.g. ssl) distinguishes between client and server usage. Default is server usage.
1453 .It Fl d Ar date
1454 Date to set for verification. Specified in the format of YYYY-MM-DD-hh:mm:ss (time optional). e.g: 2016-04-25-15:59:59 for April 25, 2016 at 3:59:59 pm in GMT
1455 .It Fl k Ar keychain
1456 Keychain to search for intermediate CA certificates. Can be specified multiple times. Default is the current user's keychain search list.
1457 .It Fl n Ar name
1458 Specify a name to be verified, e.g. the SSL host name for the ssl policy, or RFC822 email address for the smime policy. For backward compatibility, if the -n option is provided without an argument, it will be interpreted as equivalent to -N.
1459 .It Fl N
1460 Avoid searching any keychains.
1461 .It Fl L
1462 Use local certificates only. If an issuing CA certificate is missing, this option will avoid accessing the network to fetch it.
1463 .It Fl l
1464 Specifies that the leaf certificate is a CA cert. By default, a leaf certificate with a Basic Constraints extension with the CA bit set fails verification.
1465 .It Fl e Ar emailAddress
1466 Specify email address for the smime policy. (This option is deprecated; use -n instead.)
1467 .It Fl s Ar sslHost
1468 Specify SSL host name for the ssl policy. (This option is deprecated; use -n instead.)
1469 .It Fl q
1470 Quiet, no stdout or stderr.
1471 .It Fl R Ar revCheckOption
1472 Specify a revocation checking option for this evaluation (ocsp, crl, require, offline). Can be specified multiple times; e.g. to enable revocation checking via either OCSP or CRL methods and require a positive response, use "-R ocsp -R crl -R require". The offline option will consult previously cached responses, but will not make a request to a revocation server.
1473 .It Fl P
1474 Output the constructed certificate chain in PEM format.
1475 .It Fl t
1476 Output certificate contents as text.
1477 .It Fl v
1478 Specify verbose output, including per-certificate trust results.
1479 .El
1480 .It
1481 .Sy Examples
1482 .Bl -tag -width -indent
1483 .It security> verify-cert -c applestore0.cer -c applestore1.cer -p ssl -n store.apple.com
1484 .It security> verify-cert -r serverbasic.crt
1485 .It security> verify-cert -v https://www.apple.com
1486 .El
1487 .\"marker.
1488 .El
1489 .It
1490 .Nm authorize
1491 .Op Fl updPiew
1492 .Op Ar right...
1493 .Bl -item -offset -indent
1494 Authorize requested right(s). The extend-rights flag will be passed by default.
1495 .It
1496 Options:
1497 .Bl -tag -compact -width -indent-indent
1498 .It Fl u
1499 Allow user interaction.
1500 .It Fl p
1501 Allow returning partial rights.
1502 .It Fl d
1503 Destroy acquired rights.
1504 .It Fl P
1505 Pre-authorize rights only.
1506 .It Fl l
1507 Operate authorization in least privileged mode.
1508 .It Fl i
1509 Internalize authref passed on stdin.
1510 .It Fl e
1511 Externalize authref to stdout
1512 .It Fl w
1513 Wait while holding AuthorizationRef until stdout is closed. This will allow client to read externalized AuthorizationRef from pipe.
1514 .El
1515 .It
1516 .Sy Examples
1517 .Bl -tag -width -indent
1518 .It security> security authorize -ud my-right
1519 Basic authorization of my-right.
1520 .It security> security -q authorize -uew my-right | security -q authorize -i my-right
1521 Authorizing a right and passing it to another command as a way to add authorization to shell scripts.
1522 .El
1523 .El
1524 .It
1525 .Nm authorizationdb
1526 .Ar read <right-name>
1527 .It
1528 .Nm authorizationdb
1529 .Ar write <right-name> [allow|deny|<rulename>]
1530 .It
1531 .Nm authorizationdb
1532 .Ar remove <right-name>
1533 .Bl -item -offset -indent
1534 Read/Modify authorization policy database. Without a rulename write will read a dictionary as a plist from stdin.
1535 .It
1536 .Sy Examples
1537 .Bl -tag -width -indent
1538 .It security> security authorizationdb read system.privilege.admin > /tmp/aewp-def
1539 Read definition of system.privilege.admin right.
1540 .It security> security authorizationdb write system.preferences < /tmp/aewp-def
1541 Set system.preferences to definition of system.privilege.admin right.
1542 .It security> security authorizationdb write system.preferences authenticate-admin
1543 Every change to preferences requires an Admin user to authenticate.
1544 .El
1545 .El
1546 .It
1547 .Nm execute-with-privileges
1548 .Ar <program>
1549 .Op Ar args...
1550 .Bl -item -offset -indent
1551 Execute tool with privileges.
1552 On success stdin will be read and forwarded to the tool.
1553 .El
1554 .It
1555 .Nm leaks
1556 .Op Fl h
1557 .Op Fl cycles
1558 .Op Fl nocontext
1559 .Op Fl nostacks
1560 .Op Fl exclude Ar symbol
1561 .Bl -item -offset -indent
1562 Run
1563 .Li /usr/bin/leaks
1564 on this process. This can help find memory leaks after running
1565 certain commands.
1566 .It
1567 Options:
1568 .Bl -tag -compact -width -indent-indent
1569 .It Fl cycles
1570 Use a stricter algorithm (See
1571 .Xr leaks 1
1572 for details).
1573 .It Fl nocontext
1574 Withhold the hex dumps of the leaked memory.
1575 .It Fl nostacks
1576 Don't show stack traces of leaked memory.
1577 .It Fl exclude Ar symbol
1578 Ignore leaks called from
1579 .Ar symbol Ns .
1580 .El
1581 .El
1582 .It
1583 .Nm smartcards
1584 .Ar token
1585 .Op Fl l
1586 .Op Fl e Ar token
1587 .Op Fl d Ar token
1588 .Bl -item -offset -indent
1589 Enable, disable or list disabled smartcard tokens.
1590 .It
1591 Options:
1592 .Bl -tag -compact -width -indent-indent
1593 .It Fl l
1594 List disabled smartcard tokens.
1595 .It Fl e Ar token
1596 Enable smartcard token.
1597 .It Fl d Ar token
1598 Disable smartcard token.
1599 .El
1600 .It
1601 .Sy To list tokens available in the system
1602 .It
1603 .Bl -tag -compact -width -indent
1604 .It pluginkit -m -p com.apple.ctk-tokens
1605 .El
1606 .It
1607 .Sy Examples
1608 .It
1609 .Bl -tag -compact -width -indent
1610 .It security smartcards token -l
1611 .It security smartcards token -d com.apple.CryptoTokenKit.pivtoken
1612 .It security smartcards token -e com.apple.CryptoTokenKit.pivtoken
1613 .El
1614 .El
1615 .It
1616 .Nm list-smartcards
1617 .Bl -item -offset -indent
1618 Display
1619 .Ar id Ns
1620 s of available smartcards.
1621 .El
1622 .It
1623 .Nm export-smartcard
1624 .Ar token
1625 .Op Fl i Ar id
1626 .Op Fl t Ar certs Ns | Ns Ar privKeys Ns | Ns Ar identities Ns | Ns Ar all
1627 .Op Fl e Ar exportPath
1628 .Bl -item -offset -indent
1629 Export/display items from a smartcard. If
1630 .Ar id
1631 isn't provided, items from all smartcards will be displayed.
1632 .It
1633 Options:
1634 .Bl -tag -compact -width -indent-indent
1635 .It Fl i Ar id
1636 Export/display items from token specified by token
1637 .Ar id Ns
1638 , available
1639 .Ar id Ns
1640 s can be listed by list-smartcards command.
1641 .It Fl t Ar certs Ns | Ns Ar privKeys Ns | Ns Ar identities Ns | Ns Ar all
1642 Display items of the specified type (Default:
1643 .Ar all Ns
1644 )
1645 .It Fl e Ar exportPath
1646 Specify path to export certificates and public keys. If
1647 .Ar exportPath Ns
1648 is specified screen output is suppressed. This option cannot be combined with -t option.
1649 .El
1650 .El
1651 .It
1652 .Nm error
1653 .Op Fl h
1654 .Op Ar <error code(s)...>
1655 .Bl -item -offset -indent
1656 Display an error string for the given security-related error code.
1657 The error can be in decimal or hex, e.g. 1234 or 0x1234. Multiple
1658 errors can be separated by spaces.
1659 .El
1660 .El
1661 .El
1662 .Sh ENVIRONMENT \" May not be needed
1663 .Bl -tag -width -indent
1664 .It Ev MallocStackLogging
1665 When using the
1666 .Nm leaks
1667 command or the
1668 .Fl l
1669 option it's probably a good idea to set this environment variable before
1670 .Nm
1671 is started. Doing so will allow leaks to display symbolic backtraces.
1672 .El
1673 .Sh FILES
1674 .Bl -tag -width -indent
1675 .It Pa ~/Library/Preferences/com.apple.security.plist
1676 .Pp
1677 Property list file containing the current user's default keychain and keychain search list.
1678 .It Pa /Library/Preferences/com.apple.security.plist
1679 .Pp
1680 Property list file containing the system default keychain and keychain search list. This is used by processes started at boot time, or those requesting to use the system search domain, such as system daemons.
1681 .It Pa /Library/Preferences/com.apple.security-common.plist
1682 .Pp
1683 Property list file containing the common keychain search list, which is appended to every user's search list and to the system search list.
1684 .El
1685 .Sh SEE ALSO
1686 .\" List links in ascending order by section, alphabetically within a section.
1687 .\" Please do not reference files that do not exist without filing a bug report
1688 .Xr certtool 1 ,
1689 .Xr leaks 1 ,
1690 .Xr pluginkit 8
1691 .\" .Xr systemkeychain 8
1692 .Sh HISTORY
1693 .Nm
1694 was first introduced in Mac OS X version 10.3.
1695 .Sh BUGS
1696 .Nm
1697 still needs more commands before it can be considered complete.
1698 In particular, it should someday supersede both the
1699 .Li certtool
1700 and
1701 .Li systemkeychain
1702 commands.