git.saurik.com Git - apple/security.git/blob - SecurityTool/security.1 (Security-58286.20.16.tar.gz)
.\"Modified from man(1) of FreeBSD, the NetBSD mdoc.template, and mdoc.samples.
.\"See Also:
.\"man mdoc.samples for a complete listing of options
.\"man mdoc for the short list of editing options
.Dd March 15, 2017 \" DATE
.Dt security 1 \" Program name and manual section number
.Os Darwin
.Sh NAME \" Section Header - required - don't modify
.Nm security
.\" The following lines are read in generating the apropos(man -k) database. Use only key
.\" words here as the database is built based on the words here and in the .ND line.
.\" Use .Nm macro to designate other names for the documented program.
.Nd Command line interface to keychains and Security framework
.Sh SYNOPSIS \" Section Header - required - don't modify
.Nm
.Op Fl hilqv \" [-hilqv]
.Op Fl p Ar prompt \" [-p prompt]
.Op Ar command \" [command]
.Op Ar command_options \" [command_options]
.Op Ar command_args \" [command_args]
.Sh DESCRIPTION \" Section Header - required - don't modify
A simple command line interface which lets you administer keychains,
manipulate keys and certificates, and do just about anything the
Security framework is capable of from the command line.
.Pp
By default
.Nm
will execute the
.Ar command
supplied and report if anything went wrong.
.Pp
If the
.Fl i
or
.Fl p
options are provided,
.Nm
will enter interactive mode and allow the user to enter multiple commands on stdin. When EOF is read from stdin,
.Nm
will exit.
.Pp
Here is a complete list of the options available:
.Bl -tag -width -indent
.It Fl h
If no arguments are specified, show a list of all commands. If arguments are provided, show usage for each of the specified commands. This option is essentially the same as the
.Nm help
command.
.It Fl i
Run
.Nm
in interactive mode. A prompt
.Po
.Li security>
by default
.Pc
will be displayed and the user will be able to type commands on stdin until an EOF is encountered.
.It Fl l
Before
.Nm
exits, run
.Dl "/usr/bin/leaks -nocontext"
on itself to see if the command(s) you executed had any leaks.
.It Fl p Ar prompt
This option implies the
.Fl i
option but changes the default prompt to the argument specified instead.
.It Fl q
Make
.Nm
less verbose.
.It Fl v
Make
.Nm
more verbose.
.El \" Ends the list
.Pp
.Sh "SECURITY COMMAND SUMMARY"
.Nm
provides a rich variety of commands
.Po Ar command
in the
.Sx SYNOPSIS Pc Ns
, each of which often has a wealth of options, to allow access to
the broad functionality provided by the Security framework. However,
you don't have to master every detail for
.Nm
to be useful to you.
.Pp
Here are brief descriptions of all the
.Nm
commands:
.Pp
.Bl -tag -width user-trust-settings-enable -compact
.It Nm help
Show all commands, or show usage for a command.
.It Nm list-keychains
Display or manipulate the keychain search list.
.It Nm default-keychain
Display or set the default keychain.
.It Nm login-keychain
Display or set the login keychain.
.It Nm create-keychain
Create keychains.
.It Nm delete-keychain
Delete keychains and remove them from the search list.
.It Nm lock-keychain
Lock the specified keychain.
.It Nm unlock-keychain
Unlock the specified keychain.
.It Nm set-keychain-settings
Set settings for a keychain.
.It Nm set-keychain-password
Set the password for a keychain.
.It Nm show-keychain-info
Show the settings for a keychain.
.It Nm dump-keychain
Dump the contents of one or more keychains.
.It Nm create-keypair
Create an asymmetric key pair.
.It Nm add-generic-password
Add a generic password item.
.It Nm add-internet-password
Add an internet password item.
.It Nm add-certificates
Add certificates to a keychain.
.It Nm find-generic-password
Find a generic password item.
.It Nm delete-generic-password
Delete a generic password item.
.It Nm set-generic-password-partition-list
Set the partition list of a generic password item.
.It Nm find-internet-password
Find an internet password item.
.It Nm delete-internet-password
Delete an internet password item.
.It Nm set-internet-password-partition-list
Set the partition list of an internet password item.
.It Nm find-key
Find keys in the keychain.
.It Nm set-key-partition-list
Set the partition list of a key.
.It Nm find-certificate
Find a certificate item.
.It Nm find-identity
Find an identity (certificate + private key).
.It Nm delete-certificate
Delete a certificate from a keychain.
.It Nm delete-identity
Delete a certificate and its private key from a keychain.
.It Nm set-identity-preference
Set the preferred identity to use for a service.
.It Nm get-identity-preference
Get the preferred identity to use for a service.
.It Nm create-db
Create a db using the DL.
.It Nm export
Export items from a keychain.
.It Nm import
Import items into a keychain.
.It Nm cms
Encode or decode CMS messages.
.It Nm install-mds
Install (or re-install) the MDS database.
.It Nm add-trusted-cert
Add trusted certificate(s).
.It Nm remove-trusted-cert
Remove trusted certificate(s).
.It Nm dump-trust-settings
Display contents of trust settings.
.It Nm user-trust-settings-enable
Display or manipulate user-level trust settings.
.It Nm trust-settings-export
Export trust settings.
.It Nm trust-settings-import
Import trust settings.
.It Nm verify-cert
Verify certificate(s).
.It Nm authorize
Perform authorization operations.
.It Nm authorizationdb
Make changes to the authorization policy database.
.It Nm execute-with-privileges
Execute tool with privileges.
.It Nm leaks
Run
.Pa /usr/bin/leaks
on this process.
.It Nm smartcards
Enable, disable or list disabled smartcard tokens.
.It Nm list-smartcards
Display available smartcards.
.It Nm export-smartcard
Export items from a smartcard.
.It Nm error
Display a descriptive message for the given error code(s).
.El
.Sh "COMMON COMMAND OPTIONS"
This section describes the
.Ar command_options
that are available across all
.Nm
commands.
.Bl -tag -width -indent
.It Fl h
Show a usage message for the specified command. This option is
essentially the same as the
.Ar help
command.
.El
.Sh "SECURITY COMMANDS"
Here (finally) are details on all the
.Nm
commands and the options each accepts.
.Bl -item
.It
.Nm help
.Op Fl h
.Bl -item -offset -indent
Show all commands, or show usage for a command.
.El
.It
.Nm list-keychains
.Op Fl h
.Op Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
.Op Fl s Op Ar keychain...
.Bl -item -offset -indent
Display or manipulate the keychain search list.
.It
.Bl -tag -compact -width -indent
.It Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
Use the specified preference domain.
.It Fl s
Set the search list to the specified keychains.
.El
.El
.It
.Nm default-keychain
.Op Fl h
.Op Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
.Op Fl s Op Ar keychain
.Bl -item -offset -indent
Display or set the default keychain.
.It
.Bl -tag -compact -width -indent
.It Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
Use the specified preference domain.
.It Fl s
Set the default keychain to the specified
.Ar keychain Ns .
Unset it if no keychain is specified.
.El
.El
.It
.Nm login-keychain
.Op Fl h
.Op Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
.Op Fl s Op Ar keychain
.Bl -item -offset -indent
Display or set the login keychain.
.It
.Bl -tag -compact -width -indent
.It Fl d Ar user Ns | Ns Ar system Ns | Ns Ar common Ns | Ns Ar dynamic
Use the specified preference domain.
.It Fl s
Set the login keychain to the specified
.Ar keychain Ns .
Unset it if no keychain is specified.
.El
.El
.It
.Nm create-keychain
.Op Fl hP
.Op Fl p Ar password
.Op Ar keychain...
.Bl -item -offset -indent
Create keychains.
.It
.Bl -tag -compact -width -indent-indent
.It Fl P
Prompt the user for a password using the SecurityAgent.
.It Fl p Ar password
Use
.Ar password
as the password for the keychains being created.
.El
.It
If neither
.Fl P
nor
.Fl p Ar password
is specified, the user is prompted for a password on the command line. Use
of the -p option is insecure, since the password is visible in the process list and may be kept in shell history.
.El
.It
.Nm delete-keychain
.Op Fl h
.Op Ar keychain...
.Bl -item -offset -indent
Delete keychains and remove them from the search list.
.El
.It
.Nm lock-keychain
.Op Fl h
.Op Fl a Ns | Ns Ar keychain
.Bl -item -offset -indent
Lock
.Ar keychain Ns
\&, or the default keychain if none is specified. If the
.Fl a
option is specified, all keychains are locked.
.El
.It
.Nm unlock-keychain
.Op Fl hu
.Op Fl p Ar password
.Op Ar keychain
.Bl -item -offset -indent
Unlock
.Ar keychain Ns
\&, or the default keychain if none is specified.
.El
.It
.Nm set-keychain-settings
.Op Fl hlu
.Op Fl t Ar timeout
.Op Ar keychain
.Bl -item -offset -indent
Set settings for
.Ar keychain Ns
\&, or the default keychain if none is specified.
.It
.Bl -tag -compact -width -indent-indent
.It Fl l
Lock keychain when the system sleeps.
.It Fl u
Lock keychain after timeout interval.
.It Fl t Ar timeout
Specify
.Ar timeout
interval in seconds (omitting this option specifies "no timeout").
.El
.El
.It
.Nm set-keychain-password
.Op Fl h
.Op Fl o Ar oldPassword
.Op Fl p Ar newPassword
.Op Ar keychain
.Bl -item -offset -indent
Set password for
.Ar keychain Ns
\&, or the default keychain if none is specified.
.It
.Bl -tag -compact -width -indent-indent
.It Fl o Ar oldPassword
Old keychain password (if not provided, will prompt)
.It Fl p Ar newPassword
New keychain password (if not provided, will prompt)
.El
.El
.It
.Nm show-keychain-info
.Op Fl h
.Op Ar keychain
.Bl -item -offset -indent
Show the settings for
.Ar keychain Ns
\&.
.El
.It
.Nm dump-keychain
.Op Fl adhir
.Bl -item -offset -indent
Dump the contents of one or more keychains.
.It
.Bl -tag -compact -width -indent-indent
.It Fl a
Dump access control list of items
.It Fl d
Dump (decrypted) data of items
.It Fl i
Interactive access control list editing mode
.It Fl r
Dump raw (encrypted) data of items
.El
.El
.It
.Nm create-keypair
.Op Fl h
.Op Fl a Ar alg
.Op Fl s Ar size
.Op Fl f Ar date
.Op Fl t Ar date
.Op Fl d Ar days
.Op Fl k Ar keychain
.Op Fl A Ns | Ns Fl T Ar appPath
.Op Ar name
.Bl -item -offset -indent
Create an asymmetric key pair.
.It
.Bl -tag -compact -width -indent-indent
.It Fl a Ar alg
Use
.Ar alg
as the algorithm; one of rsa, dh, dsa or fee (default rsa)
.It Fl s Ar size
Specify the key size in bits (default 512, which is far too small for RSA; pass an explicit size)
.It Fl f Ar date
Make a key valid from the specified date (e.g. "13/11/10 3:30pm")
.It Fl t Ar date
Make a key valid to the specified date
.It Fl d Ar days
Make a key valid for the number of days specified from today
.It Fl k Ar keychain
Use the specified keychain rather than the default
.It Fl A
Allow any application to access this key without warning (insecure, not recommended!)
.It Fl T Ar appPath
Specify an application which may access this key (multiple
.Fl T Ns
\& options are allowed)
.El
.El
.It
.Nm add-generic-password
.Op Fl h
.Op Fl a Ar account
.Op Fl s Ar service
.Op Fl w Ar password
.Op Ar options...
.Op Ar keychain
.Bl -item -offset -indent
Add a generic password item.
.It
.Bl -tag -compact -width -indent-indent
.It Fl a Ar account
Specify account name (required)
.It Fl c Ar creator
Specify item creator (optional four-character code)
.It Fl C Ar type
Specify item type (optional four-character code)
.It Fl D Ar kind
Specify kind (default is "application password")
.It Fl G Ar value
Specify generic attribute value (optional)
.It Fl j Ar comment
Specify comment string (optional)
.It Fl l Ar label
Specify label (if omitted, service name is used as default label)
.It Fl s Ar service
Specify service name (required)
.It Fl p Ar password
Specify password to be added (legacy option, equivalent to
.Fl w Ns
\&)
.It Fl w Ar password
Specify password to be added. Put at end of command to be prompted (recommended)
.It Fl A
Allow any application to access this item without warning (insecure, not recommended!)
.It Fl T Ar appPath
Specify an application which may access this item (multiple
.Fl T Ns
\& options are allowed)
.It Fl U
Update item if it already exists (if omitted, the item cannot already exist)
.El
.It
.Bl -item
By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname:
.Fl T Ns
\& "". If no keychain is specified, the password is added to the default keychain.
.El
.El
.It
.Nm add-internet-password
.Op Fl h
.Op Fl a Ar account
.Op Fl s Ar server
.Op Fl w Ar password
.Op Ar options...
.Op Ar keychain
.Bl -item -offset -indent
Add an internet password item.
.It
.Bl -tag -compact -width -indent-indent
.It Fl a Ar account
Specify account name (required)
.It Fl c Ar creator
Specify item creator (optional four-character code)
.It Fl C Ar type
Specify item type (optional four-character code)
.It Fl d Ar domain
Specify security domain string (optional)
.It Fl D Ar kind
Specify kind (default is "application password")
.It Fl j Ar comment
Specify comment string (optional)
.It Fl l Ar label
Specify label (if omitted, service name is used as default label)
.It Fl p Ar path
Specify path string (optional)
.It Fl P Ar port
Specify port number (optional)
.It Fl r Ar protocol
Specify protocol (optional four-character SecProtocolType, e.g. "http", "ftp ")
.It Fl s Ar server
Specify server name (required)
.It Fl t Ar authenticationType
Specify authentication type (as a four-character SecAuthenticationType, default is "dflt")
.It Fl w Ar password
Specify password to be added. Put at end of command to be prompted (recommended)
.It Fl A
Allow any application to access this item without warning (insecure, not recommended!)
.It Fl T Ar appPath
Specify an application which may access this item (multiple
.Fl T Ns
\& options are allowed)
.It Fl U
Update item if it already exists (if omitted, the item cannot already exist)
.El
.It
.Bl -item
By default, the application which creates an item is trusted to access its data without warning. You can remove this default access by explicitly specifying an empty app pathname:
.Fl T Ns
\& "". If no keychain is specified, the password is added to the default keychain.
.El
.El
.It
.Nm add-certificates
.Op Fl h
.Op Fl k Ar keychain
.Ar file...
.Bl -item -offset -indent
Add certificates contained in the specified
.Ar files
to the default keychain. The files must contain one DER-encoded X.509 certificate each.
.Bl -tag -compact -width -indent-indent
.It Fl k Ar keychain
Use
.Ar keychain
rather than the default keychain.
.El
.El
.It
.Nm find-generic-password
.Op Fl h
.Op Fl a Ar account
.Op Fl s Ar service
.Op Ar options...
.Op Fl g
.Op Ar keychain...
.Bl -item -offset -indent
Find a generic password item.
.It
.Bl -tag -compact -width -indent-indent
.It Fl a Ar account
Match account string
.It Fl c Ar creator
Match creator (four-character code)
.It Fl C Ar type
Match type (four-character code)
.It Fl D Ar kind
Match kind string
.It Fl G Ar value
Match value string (generic attribute)
.It Fl j Ar comment
Match comment string
.It Fl l Ar label
Match label string
.It Fl s Ar service
Match service string
.It Fl g
Display the password for the item found
.It Fl w
Display the password (only) for the item found
.El
.El
.It
.Nm delete-generic-password
.Op Fl h
.Op Fl a Ar account
.Op Fl s Ar service
.Op Ar options...
.Op Ar keychain...
.Bl -item -offset -indent
Delete a generic password item.
.It
.Bl -tag -compact -width -indent-indent
.It Fl a Ar account
Match account string
.It Fl c Ar creator
Match creator (four-character code)
.It Fl C Ar type
Match type (four-character code)
.It Fl D Ar kind
Match kind string
.It Fl G Ar value
Match value string (generic attribute)
.It Fl j Ar comment
Match comment string
.It Fl l Ar label
Match label string
.It Fl s Ar service
Match service string
.El
.El
.It
.Nm delete-internet-password
.Op Fl h
.Op Fl a Ar account
.Op Fl s Ar server
.Op Ar options...
.Op Ar keychain...
.Bl -item -offset -indent
Delete an internet password item.
.It
.Bl -tag -compact -width -indent-indent
.It Fl a Ar account
Match account string
.It Fl c Ar creator
Match creator (four-character code)
.It Fl C Ar type
Match type (four-character code)
.It Fl d Ar securityDomain
Match securityDomain string
.It Fl D Ar kind
Match kind string
.It Fl j Ar comment
Match comment string
.It Fl l Ar label
Match label string
.It Fl p Ar path
Match path string
.It Fl P Ar port
Match port number
.It Fl r Ar protocol
Match protocol (four-character code)
.It Fl s Ar server
Match server string
.It Fl t Ar authenticationType
Match authenticationType (four-character code)
.El
.El
.It
.Nm find-internet-password
.Op Fl h
.Op Fl a Ar account
.Op Fl s Ar server
.Op Ar options...
.Op Fl g
.Op Ar keychain...
.Bl -item -offset -indent
Find an internet password item.
.It
.Bl -tag -compact -width -indent-indent
.It Fl a Ar account
Match account string
.It Fl c Ar creator
Match creator (four-character code)
.It Fl C Ar type
Match type (four-character code)
.It Fl d Ar securityDomain
Match securityDomain string
.It Fl D Ar kind
Match kind string
.It Fl j Ar comment
Match comment string
.It Fl l Ar label
Match label string
.It Fl p Ar path
Match path string
.It Fl P Ar port
Match port number
.It Fl r Ar protocol
Match protocol (four-character code)
.It Fl s Ar server
Match server string
.It Fl t Ar authenticationType
Match authenticationType (four-character code)
.It Fl g
Display the password for the item found
.It Fl w
Display the password (only) for the item found
.El
.El
.It
.Nm find-key
.Op Ar options...
.Op Ar keychain...
.Bl -item -offset -indent
Search the keychain for keys.
.It
.Bl -tag -compact -width -indent-indent
.It Fl a Ar application-label
Match "application label" string
.It Fl c Ar creator
Match creator (four-character code)
.It Fl d
Match keys that can decrypt
.It Fl D Ar description
Match "description" string
.It Fl e
Match keys that can encrypt
.It Fl j Ar comment
Match comment string
.It Fl l Ar label
Match label string
.It Fl r
Match keys that can derive
.It Fl s
Match keys that can sign
.It Fl t Ar type
Type of key to find: one of "symmetric", "public", or "private"
.It Fl u
Match keys that can unwrap
.It Fl v
Match keys that can verify
.It Fl w
Match keys that can wrap
.El
.El
.It
.Nm set-generic-password-partition-list
.Op Fl a Ar account
.Op Fl s Ar service
.Op Fl S Ar partition-list
.Op Fl k Ar password
.Op Ar options...
.Op Ar keychain
.Bl -item -offset -indent
Sets the "partition list" for a generic password. The "partition list" is an extra parameter in the ACL which limits access to the item based on an application's code signature. You must present the keychain's password to change a partition list.
.It
.Bl -tag -compact -width -indent-indent
.It Fl S Ar partition-list
Comma-separated partition list. See output of "security dump-keychain" for examples.
.It Fl k Ar password
Password for keychain
.It Fl a Ar account
Match account string
.It Fl c Ar creator
Match creator (four-character code)
.It Fl C Ar type
Match type (four-character code)
.It Fl D Ar kind
Match kind string
.It Fl G Ar value
Match value string (generic attribute)
.It Fl j Ar comment
Match comment string
.It Fl l Ar label
Match label string
.It Fl s Ar service
Match service string
.El
.El
.It
.Nm set-internet-password-partition-list
.Op Fl a Ar account
.Op Fl s Ar server
.Op Fl S Ar partition-list
.Op Fl k Ar password
.Op Ar options...
.Op Ar keychain
.Bl -item -offset -indent
Sets the "partition list" for an internet password. The "partition list" is an extra parameter in the ACL which limits access to the item based on an application's code signature. You must present the keychain's password to change a partition list.
.It
.Bl -tag -compact -width -indent-indent
.It Fl S Ar partition-list
Comma-separated partition list. See output of "security dump-keychain" for examples.
.It Fl k Ar password
Password for keychain
.It Fl a Ar account
Match account string
.It Fl c Ar creator
Match creator (four-character code)
.It Fl C Ar type
Match type (four-character code)
.It Fl d Ar securityDomain
Match securityDomain string
.It Fl D Ar kind
Match kind string
.It Fl j Ar comment
Match comment string
.It Fl l Ar label
Match label string
.It Fl p Ar path
Match path string
.It Fl P Ar port
Match port number
.It Fl r Ar protocol
Match protocol (four-character code)
.It Fl s Ar server
Match server string
.It Fl t Ar authenticationType
Match authenticationType (four-character code)
.El
.El
.It
.Nm set-key-partition-list
.Op Fl S Ar partition-list
.Op Fl k Ar password
.Op Ar options...
.Op Ar keychain
.Bl -item -offset -indent
Sets the "partition list" for a key. The "partition list" is an extra parameter in the ACL which limits access to the key based on an application's code signature. You must present the keychain's password to change a partition list. If you'd like to run /usr/bin/codesign with the key, "apple:" must be an element of the partition list.
.It
.Bl -tag -compact -width -indent-indent
.It Fl S Ar partition-list
Comma-separated partition list. See output of "security dump-keychain" for examples.
.It Fl k Ar password
Password for keychain
.It Fl a Ar application-label
Match "application label" string
.It Fl c Ar creator
Match creator (four-character code)
.It Fl d
Match keys that can decrypt
.It Fl D Ar description
Match "description" string
.It Fl e
Match keys that can encrypt
.It Fl j Ar comment
Match comment string
.It Fl l Ar label
Match label string
.It Fl r
Match keys that can derive
.It Fl s
Match keys that can sign
.It Fl t Ar type
Type of key to find: one of "symmetric", "public", or "private"
.It Fl u
Match keys that can unwrap
.It Fl v
Match keys that can verify
.It Fl w
Match keys that can wrap
.El
.El
.It
.Nm find-certificate
.Op Fl h
.Op Fl a
.Op Fl c Ar name
.Op Fl e Ar emailAddress
.Op Fl m
.Op Fl p
.Op Fl Z
.Op Ar keychain...
.Bl -item -offset -indent
Find a certificate item. If no
.Ar keychain Ns
\& arguments are provided, the default search list is used.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl a
Find all matching certificates, not just the first one
.It Fl c Ar name
Match on
.Ar name Ns
\& when searching (optional)
.It Fl e Ar emailAddress
Match on
.Ar emailAddress Ns
\& when searching (optional)
.It Fl m
Show the email addresses in the certificate
.It Fl p
Output certificate in PEM format. Default is to dump the attributes and the keychain the cert is in.
.It Fl Z
Print SHA-1 hash of the certificate
.El
.It
.Sy Examples
.Bl -tag -width -indent
.It security> find-certificate -a -p > allcerts.pem
Exports all certificates from all keychains into a PEM file called allcerts.pem.
.It security> find-certificate -a -e me@foo.com -p > certs.pem
Exports all certificates from all keychains with the email address
me@foo.com into a PEM file called certs.pem.
.It security> find-certificate -a -c MyName -Z login.keychain | grep ^SHA-1
Print the SHA-1 hash of every certificate in 'login.keychain' whose common name includes 'MyName'.
.El
.El
.It
.Nm find-identity
.Op Fl h
.Op Fl p Ar policy
.Op Fl s Ar string
.Op Fl v
.Op Ar keychain...
.Bl -item -offset -indent
Find an identity (certificate + private key) satisfying a given policy. If no
.Ar policy Ns
\& arguments are provided, the X.509 basic policy is assumed. If no
.Ar keychain Ns
\& arguments are provided, the default search list is used.
.It
Options:
.Bl -tag -compact -width -indent-indent
.It Fl p Ar policy
Specify
.Ar policy Ns
\& to evaluate (multiple -p options are allowed). Supported policies:
basic, ssl-client, ssl-server, smime, eap, ipsec, ichat, codesigning,
sys-default, sys-kerberos-kdc
.It Fl s Ar string
Specify optional policy-specific
.Ar string Ns
\& (e.g. a DNS hostname for SSL, or RFC822 email address for S/MIME)
.It Fl v
Show valid identities only (default is to show all identities)
.El
.It
.Sy Examples
.Bl -tag -width -indent
.It security> find-identity -v -p ssl-client
Display valid identities that can be used for SSL client authentication
.It security> find-identity -p ssl-server -s www.domain.com
Display identities for an SSL server running on the host 'www.domain.com'
.It security> find-identity -p smime -s user@domain.com
Display identities that can be used to sign a message from 'user@domain.com'
.El
.El
926 .It
927 .Nm delete-certificate
928 .Op Fl h
929 .Op Fl c Ar name
930 .Op Fl Z Ar hash
931 .Op Fl t
932 .Op Ar keychain...
933 .Bl -item -offset -indent
934 Delete a certificate from a keychain. If no
935 .Ar keychain Ns
936 \& arguments are provided, the default search list is used.
937 .It
938 .Bl -tag -compact -width -indent-indent
939 .It Fl c Ar name
940 Specify certificate to delete by its common name
941 .It Fl Z Ar hash
942 Specify certificate to delete by its SHA-1 hash
943 .It Fl t
944 Also delete user trust settings for this certificate
945 .El
946 .It
947 The certificate to be deleted must be uniquely specified either by a
948 string found in its common name, or by its SHA-1 hash.
949 .El
950 .It
951 .Nm delete-identity
952 .Op Fl h
953 .Op Fl c Ar name
954 .Op Fl Z Ar hash
955 .Op Fl t
956 .Op Ar keychain...
957 .Bl -item -offset -indent
958 Delete a certificate and its private key from a keychain. If no
959 .Ar keychain Ns
960 \& arguments are provided, the default search list is used.
961 .It
962 .Bl -tag -compact -width -indent-indent
963 .It Fl c Ar name
964 Specify certificate to delete by its common name
965 .It Fl Z Ar hash
966 Specify certificate to delete by its SHA-1 hash
967 .It Fl t
968 Also delete user trust settings for this identity certificate
969 .El
970 .It
971 The identity to be deleted must be uniquely specified either by a
972 string found in its common name, or by its SHA-1 hash.
973 .El
974 .It
975 .Nm set-identity-preference
976 .Op Fl h
977 .Op Fl n
978 .Op Fl c Ar identity
979 .Op Fl s Ar service
980 .Op Fl u Ar keyUsage
981 .Op Fl Z Ar hash
982 .Op Ar keychain...
983 .Bl -item -offset -indent
984 Set the preferred identity to use for a service.
985 .It
986 .Bl -tag -compact -width -indent-indent
987 .It Fl n
988 Specify no identity (clears existing preference for the given service)
989 .It Fl c Ar identity
990 Specify identity by common name of the certificate
991 .It Fl s Ar service
992 Specify service (may be a URL, RFC822 email address, DNS host, or other name) for which this identity is to be preferred
993 .It Fl u Ar keyUsage
994 Specify key usage (optional)
995 .It Fl Z Ar hash
996 Specify identity by SHA-1 hash of certificate (optional)
997 .El
998 .It
999 The identity is located by searching the specified keychain(s) for a certificate whose common name contains
1000 the given identity string. If no keychains are specified to search, the default search list is used. Different
1001 identity preferences can be set for individual key usages. You can differentiate between two identities which contain
1002 the same string by providing a SHA-1 hash of the certificate (in addition to, or instead of, the name.)
1003 .It
1004 .Sy PARTIAL PATHS AND WILDCARDS
1005 .It
1006 Prior to 10.5.4, identity preferences for SSL/TLS client authentication could only be set on a per-URL basis. The
1007 URL being visited had to match the service name exactly for the preference to be in effect.
1008 .It
1009 In 10.5.4, it became possible to specify identity preferences on a per-server basis, by using
1010 a service name with a partial path URL to match more specific paths on the same server. For
1011 example, if an identity preference for "https://www.apache-ssl.org/" exists, it will be in effect for
1012 "https://www.apache-ssl.org/cgi/cert-export", and so on. Note that partial path URLs must end with a trailing
1013 slash character.
1014 .It
1015 Starting with 10.6, it is possible to specify identity preferences on a per-domain
1016 basis, by using the wildcard character '*' as the leftmost component of the service name. Unlike SSL wildcards,
1017 an identity preference wildcard can match more than one subdomain. For example, an identity preference for
1018 the name "*.army.mil" will match "server1.subdomain1.army.mil" or "server2.subdomain2.army.mil". Likewise,
1019 a preference for "*.mil" will match both "server.army.mil" and "server.navy.mil".
1020 .It
1021 .Sy KEY USAGE CODES
1022 .It
.Bl -tag -compact -width -indent-indent
.It 0
preference is in effect for all possible key usages (default)
.It 1
encryption only
.It 2
decryption only
.It 4
signing only
.It 8
signature verification only
.It 16
signing with message recovery only
.It 32
signature verification with message recovery only
.It 64
key wrapping only
.It 128
key unwrapping only
.It 256
key derivation only
.El
.It
To specify more than one usage, add values together.
1036 .El
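.Pp
The three matching rules described above (exact service name, partial-path URL with a trailing slash, and a leading '*.' wildcard) worked through as an added Python example. This is not code from the security tool or from the Security framework, and the function names are this example's own: precedence among several matching preferences is not documented here and is not modelled, and the handling of a non-zero key-usage mask is an assumption noted in the code.

```python
"""Identity-preference name matching as described for set-identity-preference.

Added example, not code from the security tool or the Security framework.
Rules reproduced from the manual:
  * exact match: the service name equals the preference name;
  * partial path: a URL preference ending in '/' covers every more specific
    path on the same scheme and host;
  * wildcard: a preference whose leftmost label is '*' covers every host that
    ends with the rest of the name, however many subdomains deep.
Precedence among several matching preferences is not documented and is not
modelled.  Key-usage handling below is an assumption, noted where it is made.
"""
from urllib.parse import urlsplit

# Codes from the KEY USAGE CODES table; add them together to combine usages.
KEY_USAGE = {
    "encryption": 1,
    "decryption": 2,
    "signing": 4,
    "verification": 8,
    "signing_with_recovery": 16,
    "verification_with_recovery": 32,
    "wrapping": 64,
    "unwrapping": 128,
    "derivation": 256,
}


def usage_mask(*names):
    """Compose a -u value from usage names, e.g. ('signing', 'encryption') -> 5."""
    return sum(KEY_USAGE[name] for name in names)


def _host(service):
    """Host part of a URL, or the name itself when it is a bare host name."""
    if "://" in service:
        return (urlsplit(service).hostname or "").lower()
    return service.lower()


def preference_matches(pref, service):
    """True if the preference named `pref` is in effect for `service`."""
    if pref == service:
        return True                               # per-URL (exact) match
    if pref.startswith("*."):
        suffix = pref[1:].lower()                 # '*.army.mil' -> '.army.mil'
        return _host(service).endswith(suffix)    # any depth of subdomains
    if "://" in pref and pref.endswith("/"):
        return service.startswith(pref)           # partial-path prefix
    return False                                  # e.g. a URL without trailing '/'


def matching_preferences(prefs, service, usage=0):
    """Names of the preferences in effect for `service` and requested `usage`.

    prefs is an iterable of (service_name, usage_mask) pairs as given to
    -s and -u.  Assumption (not stated in the manual): a mask of 0 covers every
    usage, a non-zero mask covers a request only if it includes every requested
    bit, and a requested usage of 0 means 'any'.
    """
    matched = []
    for name, mask in prefs:
        if not preference_matches(name, service):
            continue
        if mask == 0 or (mask & usage) == usage:
            matched.append(name)
    return matched
```

Note that a URL preference without the trailing slash matches only itself: the partial-path rule is not applied to it, exactly as the manual states.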
1037 .It
1038 .Nm get-identity-preference
1039 .Op Fl h
1040 .Op Fl s Ar service
1041 .Op Fl u Ar keyUsage
1042 .Op Fl p
1043 .Op Fl c
1044 .Op Fl Z
1045 .Bl -item -offset -indent
1046 Get the preferred identity to use for a service.
1047 .It
1048 .Bl -tag -compact -width -indent-indent
1049 .It Fl s Ar service
1050 Specify service (may be a URL, RFC822 email address, DNS host, or other name)
1051 .It Fl u Ar keyUsage
1052 Specify key usage (optional)
1053 .It Fl p
Output identity certificate in PEM format
1055 .It Fl c
1056 Print common name of the preferred identity certificate
1057 .It Fl Z
1058 Print SHA-1 hash of the preferred identity certificate
1059 .El
1060 .El
1061 .It
1062 .Nm create-db
1063 .Op Fl aho0
1064 .Op Fl g Ar dl Ns | Ns Ar cspdl
1065 .Op Fl m Ar mode
1066 .Op Ar name
1067 .Bl -item -offset -indent
1068 Create a db using the DL. If
1069 .Ar name
1070 isn't provided
1071 .Nm
1072 will prompt the user to type a name.
1073 .It
1074 Options:
1075 .Bl -tag -compact -width -indent-indent
1076 .It Fl a
1077 Turn off autocommit
1078 .It Fl g Ar dl Ns | Ns Ar cspdl
1079 Use the AppleDL (default) or AppleCspDL
1080 .It Fl m Ar mode
1081 Set the file permissions to
1082 .Ar mode Ns
1083 \&.
1084 .It Fl o
1085 Force using openparams argument
1086 .It Fl 0
1087 Force using version 0 openparams
1088 .El
1089 .It
1090 .Sy Examples
1091 .Bl -tag -width -indent
1092 .It security> create-db -m 0644 test.db
1093 .It security> create-db -g cspdl -a test2.db
1094 .El
1095 .\"new import/export commands.
1096 .El
1097 .It
1098 .Nm export
1099 .Op Fl k Ar keychain
1100 .Op Fl t Ar type
1101 .Op Fl f Ar format
1102 .Op Fl w
.Op Fl p
1104 .Op Fl P Ar passphrase
1105 .Op Fl o Ar outfile
1106 .Bl -item -offset -indent
1107 Export one or more items from a keychain to one of a number of external representations. If
1108 .Ar keychain
1109 isn't provided, items will be exported from the user's default keychain.
1110 .It
1111 Options:
1112 .Bl -tag -compact -width -indent-indent
1113 .It Fl k Ar keychain
1114 Specify keychain from which item(s) will be exported.
1115 .It Fl t Ar type
1116 Specify the type of items to export. Possible types are certs, allKeys, pubKeys, privKeys, identities, and all. The default is all. An identity consists of both a certificate and the corresponding private key.
1117 .It Fl f Ar format
1118 Specify the format of the exported data. Possible formats are openssl, bsafe, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The default is pemseq if more than one item is being exported. The default is openssl if one key is being exported. The default is x509 if one certificate is being exported.
1119 .It Fl w
Specifies that private keys are to be wrapped (passphrase-protected) on export. Without this option, exported private keys are written in the clear; the pkcs12 format is always protected by a passphrase.
1121 .It Fl p
1122 Specifies that PEM armour is to be applied to the output data.
1123 .It Fl P Ar passphrase
1124 Specify the wrapping passphrase immediately. The default is to obtain a secure passphrase via GUI.
1125 .It Fl o Ar outfile
1126 Write the output data to
1127 .Ar outfile Ns
1128 \&. Default is to write data to stdout.
1129 .El
1130 .It
1131 .Sy Examples
1132 .Bl -tag -width -indent
1133 .It security> export -k login.keychain -t certs -o /tmp/certs.pem
1134 .It security> export -k newcert.keychain -t identities -f pkcs12 -o /tmp/mycerts.p12
1135 .El
1136 .\"marker.
1137 .El
1138 .It
1139 .Nm import
1140 inputfile
1141 .Op Fl k Ar keychain
1142 .Op Fl t Ar type
1143 .Op Fl f Ar format
1144 .Op Fl w
1145 .Op Fl P Ar passphrase
1146 .Op Ar options...
1147 .Bl -item -offset -indent
1148 Import one or more items from
1149 .Ar inputfile Ns
1150 \& into a keychain. If
1151 .Ar keychain
1152 isn't provided, items will be imported into the user's default keychain.
1153 .It
1154 Options:
1155 .Bl -tag -compact -width -indent-indent
1156 .It Fl k Ar keychain
1157 Specify keychain into which item(s) will be imported.
1158 .It Fl t Ar type
Specify the type of items to import. Possible types are cert, pub, priv, session, and agg. Pub, priv, and session refer to keys; agg is one of the aggregate types (pkcs12 and PEM sequence). The command can often figure out what type an item contains based on the filename and/or format.
.It Fl f Ar format
Specify the format of the imported data. Possible formats are openssl, bsafe, raw, pkcs7, pkcs8, pkcs12, x509, openssh1, openssh2, and pemseq. The command can often figure out what format an item is in based on the filename and/or type.
1162 .It Fl w
1163 Specify that private keys are wrapped and must be unwrapped on import.
1164 .It Fl x
1165 Specify that private keys are non-extractable after being imported.
1166 .It Fl P Ar passphrase
1167 Specify the unwrapping passphrase immediately. The default is to obtain a secure passphrase via GUI.
1168 .It Fl a Ar attrName Ar attrValue
1169 Specify optional extended attribute name and value. Can be used multiple times. This is only valid when importing keys.
1170 .It Fl A
1171 Allow any application to access the imported key without warning (insecure, not recommended!)
1172 .It Fl T Ar appPath
1173 Specify an application which may access the imported key (multiple
1174 .Fl T Ns
1175 \& options are allowed)
1176 .El
1177 .It
1178 .Sy Examples
1179 .Bl -tag -width -indent
.It security> import /tmp/certs.pem -k login.keychain
1181 .It security> import /tmp/mycerts.p12 -t agg -k newcert.keychain
1182 .It security> import /tmp/mycerts.p12 -f pkcs12 -k newcert.keychain
1183 .El
1184 .\"end of new import/export commands.
1185 .El
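.Pp
An added Python example, not code from the security tool, that reads the PEM sequence export writes by default when several items are exported, computes for each certificate the SHA-1 hash that set-identity-preference and get-identity-preference take with -Z, and reports private keys that were exported without -w. The sample PEM sequence is constructed with placeholder bytes (not real certificates or keys) so that the script runs offline; the function names are this example's own.

```python
"""Parse a PEM sequence and derive the SHA-1 certificate hash that -Z takes.

Added example, not code from the security tool.  `security export` writes a
PEM sequence by default when more than one item is exported; each item is a
standard PEM block, and private keys are unprotected unless -w was given.
SAMPLE_PEMSEQ below is constructed: its base64 payloads are placeholder bytes,
not real certificates or keys, so the script runs offline.
"""
import base64
import hashlib
import re

# One PEM block: group 1 is the label, group 2 everything between the markers
# (optional RFC 1421 headers such as Proc-Type, a blank line, then base64).
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
                        re.S)


def parse_pem_sequence(text):
    """Return [(label, headers, der_bytes), ...] for every block, in file order."""
    items = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        headers, b64_lines = {}, []
        for line in body.splitlines():
            line = line.strip()
            if not line:
                continue
            if ":" in line and not b64_lines:     # headers precede the data
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
            else:
                b64_lines.append(line)
        der = base64.b64decode("".join(b64_lines), validate=True)
        items.append((label, headers, der))
    return items


def sha1_fingerprint(der):
    """Upper-case hex SHA-1 of the DER encoding: the value -Z identifies a cert by."""
    return hashlib.sha1(der).hexdigest().upper()


def certificate_fingerprints(text):
    """SHA-1 hashes of all CERTIFICATE blocks in a PEM sequence."""
    return [sha1_fingerprint(der) for label, _, der in parse_pem_sequence(text)
            if label == "CERTIFICATE"]


def unprotected_private_keys(text):
    """Labels of private-key blocks stored without a passphrase.

    A PKCS#8 key is protected only when labelled ENCRYPTED PRIVATE KEY; a legacy
    OpenSSL key only when it carries a 'Proc-Type: 4,ENCRYPTED' header.
    """
    exposed = []
    for label, headers, _ in parse_pem_sequence(text):
        if "PRIVATE KEY" not in label or label == "ENCRYPTED PRIVATE KEY":
            continue
        if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
            continue
        exposed.append(label)
    return exposed


def _block(label, der, headers=()):
    """Build one PEM block for the constructed sample."""
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")
    lines += [base64.b64encode(der).decode(), f"-----END {label}-----"]
    return "\n".join(lines)


# Constructed sample (placeholder DER bytes, not real certificates or keys).
SAMPLE_PEMSEQ = "\n".join([
    _block("CERTIFICATE", b"\x30\x03\x02\x01\x01"),
    _block("RSA PRIVATE KEY", b"\x00" * 16,
           ("Proc-Type: 4,ENCRYPTED",
            "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF")),
    _block("PRIVATE KEY", b"\x30\x05\x02\x01\x00\x05\x00"),
]) + "\n"

if __name__ == "__main__":
    for fp in certificate_fingerprints(SAMPLE_PEMSEQ):
        print("certificate SHA-1:", fp)
    for label in unprotected_private_keys(SAMPLE_PEMSEQ):
        print("WARNING: unprotected", label, "block; export with -w")
```

Run against a real export (security export -t all -o items.pem, then feed items.pem to the functions above) the certificate hashes are the values to pass to set-identity-preference -Z, and any label reported by unprotected_private_keys is key material that should not have left the keychain unwrapped.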
1186 .It
1187 .Nm cms
1188 .Op Fl C Ns | Ns Fl D Ns | Ns Fl E Ns | Ns Fl S
1189 .Op Ar options...
1190 .Bl -item -offset -indent
1191 Encode or decode CMS messages.
1192 .Bl -tag -compact -width -indent-indent
1193 .It Fl C
1194 create a CMS encrypted message
1195 .It Fl D
1196 decode a CMS message
1197 .It Fl E
1198 create a CMS enveloped message
1199 .It Fl S
1200 create a CMS signed message
1201 .El
1202 .It
1203 Decoding options:
1204 .Bl -tag -compact -width -indent-indent
1205 .It Fl c Ar content
1206 use this detached content file
1207 .It Fl h Ar level
1208 generate email headers with info about CMS message (output
1209 .Ar level Ns
1210 \& >= 0)
1211 .It Fl n
1212 suppress output of content
1213 .El
1214 .It
1215 Encoding options:
1216 .Bl -tag -compact -width -indent-indent
1217 .It Fl r Ar id,...
1218 create envelope for comma-delimited list of recipients, where id can be a certificate nickname or email address
1219 .It Fl G
1220 include a signing time attribute
1221 .It Fl H Ar hash
hash = MD2|MD4|MD5|SHA1|SHA256|SHA384|SHA512 (default: SHA1). MD2, MD4, MD5 and SHA1 are accepted only for compatibility with old recipients; use SHA256 or stronger for new signatures.
1223 .It Fl N Ar nick
1224 use certificate named "nick" for signing
1225 .It Fl P
1226 include a SMIMECapabilities attribute
1227 .It Fl T
1228 do not include content in CMS message
1229 .It Fl Y Ar nick
1230 include an EncryptionKeyPreference attribute with certificate (use "NONE" to omit)
1231 .It Fl Z Ar hash
1232 find a certificate by subject key ID
1233 .El
1234 .It
1235 Common options:
1236 .Bl -tag -compact -width -indent-indent
1237 .It Fl e Ar envelope
1238 specify envelope file (valid with
1239 .Fl D Ns
1240 \& or
1241 .Fl E Ns
1242 \&)
1243 .It Fl k Ar keychain
1244 specify keychain to use
1245 .It Fl i Ar infile
1246 use infile as source of data (default: stdin)
1247 .It Fl o Ar outfile
1248 use outfile as destination of data (default: stdout)
1249 .It Fl p Ar password
1250 use password as key db password (default: prompt)
1251 .It Fl s
1252 pass data a single byte at a time to CMS
1253 .It Fl u Ar certusage
1254 set type of certificate usage (default: certUsageEmailSigner)
1255 .It Fl v
1256 print debugging information
1257 .El
1258 .It
Cert usage codes:
.Bl -tag -compact -width -indent-indent
.It 0
certUsageSSLClient
.It 1
certUsageSSLServer
.It 2
certUsageSSLServerWithStepUp
.It 3
certUsageSSLCA
.It 4
certUsageEmailSigner
.It 5
certUsageEmailRecipient
.It 6
certUsageObjectSigner
.It 7
certUsageUserCertImport
.It 8
certUsageVerifyCA
.It 9
certUsageProtectedObjectSigner
.It 10
certUsageStatusResponder
.It 11
certUsageAnyCA
.El
.El
1274 .It
1275 .Nm install-mds
1276 .Bl -item -offset -indent
1277 Install (or re-install) the Module Directory Services (MDS) database. This is a system tool which is not normally used by users. There are no options.
1278 .El
1279 .It
1280 .Nm add-trusted-cert
1281 .Op Fl d
1282 .Op Fl r Ar resultType
1283 .Op Fl p Ar policy
1284 .Op Fl a Ar appPath
1285 .Op Fl s Ar policyString
1286 .Op Fl e Ar allowedError
1287 .Op Fl u Ar keyUsage
1288 .Op Fl k Ar keychain
1289 .Op Fl i Ar settingsFileIn
1290 .Op Fl o Ar settingsFileOut
1291 certFile
1292 .Bl -item -offset -indent
1293 Add certificate (in DER or PEM format) from
1294 .Ar certFile Ns
\& to per-user or local Admin Trust Settings. A setting given without a policy (-p), application (-a) or policy-string (-s) constraint applies to every policy evaluation, so a certificate added with the default trustRoot result becomes an anchor for SSL, S/MIME, code signing and every other policy; constrain it unless that is intended. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
1296 .It
1297 Options:
1298 .Bl -tag -compact -width -indent-indent
1299 .It Fl d
1300 Add to admin cert store; default is user.
1301 .It Fl r Ar resultType
resultType = trustRoot|trustAsRoot|deny|unspecified; default is trustRoot. trustRoot is for self-signed root certificates; use trustAsRoot to treat a certificate that is not self-signed as an anchor, deny to explicitly distrust the certificate, and unspecified to leave the result to normal evaluation.
1303 .It Fl p Ar policy
1304 Specify policy constraint (ssl, smime, codeSign, IPSec, basic, swUpdate, pkgSign, eap, macappstore, appleID, timestamping).
1307 .It Fl a Ar appPath
1308 Specify application constraint.
1309 .It Fl s Ar policyString
1310 Specify policy-specific string.
1311 .It Fl e Ar allowedError
1312 Specify allowed error (an integer value, or one of: certExpired, hostnameMismatch)
1313 .It Fl u Ar keyUsage
1314 Specify key usage, an integer.
1315 .It Fl k Ar keychain
1316 Specify keychain to which cert is added.
1317 .It Fl i Ar settingsFileIn
1318 Input trust settings file; default is user domain.
1319 .It Fl o Ar settingsFileOut
1320 Output trust settings file; default is user domain.
1321 .El
1322 .It
.Sy Key usage codes:
.Bl -tag -compact -width -indent-indent
.It \-1
Any
.It 1
Sign
.It 2
Encrypt/Decrypt Data
.It 4
Encrypt/Decrypt Key
.It 8
Sign certificate
.It 16
Sign revocation
.It 32
Key exchange
.El
.It
To specify more than one usage, add values together (except \-1, Any).
1332 .It
1333 .Sy Examples
1334 .Bl -tag -width -indent
.It security> add-trusted-cert /tmp/cert.der
.It security> add-trusted-cert -d /tmp/cert.der
1337 .El
1338 .\"marker.
1339 .It
1340 .Nm remove-trusted-cert
1341 .Op Fl d
1342 certFile
1343 .Bl -item -offset -indent
1344 Remove certificate (in DER or PEM format) in
1345 .Ar certFile Ns
1346 \& from per-user or local Admin Trust Settings. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
1347 .It
1348 Options:
1349 .Bl -tag -compact -width -indent-indent
1350 .It Fl d
1351 Remove from admin cert store; default is user.
1352 .El
1353 .\"marker.
1354 .El
1355 .It
1356 .Nm dump-trust-settings
1357 .Op Fl s
1358 .Op Fl d
1359 .Bl -item -offset -indent
1360 Display Trust Settings.
1361 .It
1362 Options:
1363 .Bl -tag -compact -width -indent-indent
1364 .It Fl s
1365 Display trusted system certs; default is user.
1366 .It Fl d
1367 Display trusted admin certs; default is user.
1368 .El
1369 .\"marker.
1370 .El
1371 .It
1372 .Nm user-trust-settings-enable
1373 .Op Fl d
1374 .Op Fl e
1375 .Bl -item -offset -indent
Display or manipulate user-level Trust Settings. With no arguments, shows whether user-level Trust Settings are currently enabled. Otherwise enables or disables user-level Trust Settings.
1377 .It
1378 Options:
1379 .Bl -tag -compact -width -indent-indent
1380 .It Fl d
1381 Disable user-level Trust Settings.
1382 .It Fl e
1383 Enable user-level Trust Settings.
1384 .El
1385 .\"marker.
1386 .El
1387 .It
1388 .Nm trust-settings-export
1389 .Op Fl s
1390 .Op Fl d
1391 settings_file
1392 .Bl -item -offset -indent
1393 Export Trust Settings to the specified file.
1394 .It
1395 Options:
1396 .Bl -tag -compact -width -indent-indent
1397 .It Fl s
1398 Export system Trust Settings; default is user.
1399 .It Fl d
1400 Export admin Trust Settings; default is user.
1401 .El
1402 .\"marker.
1403 .El
1404 .It
1405 .Nm trust-settings-import
1406 .Op Fl d
1407 settings_file
1408 .Bl -item -offset -indent
1409 Import Trust Settings from the specified file. When modifying per-user Trust Settings, user authentication is required via an authentication dialog. When modifying admin Trust Settings, the process must be running as root, or admin authentication is required.
1410 .It
1411 Options:
1412 .Bl -tag -compact -width -indent-indent
1413 .It Fl d
1414 Import admin Trust Settings; default is user.
1415 .El
1416 .\"marker.
1417 .El
1418 .It
1419 .Nm verify-cert
1420 .Op Fl c Ar certFile
1421 .Op Fl r Ar rootCertFile
1422 .Op Fl p Ar policy
1423 .Op Fl C
1424 .Op Fl d Ar date
1425 .Op Fl k Ar keychain
1426 .Op Fl n Ar name
1427 .Op Fl N
1428 .Op Fl L
1429 .Op Fl l
1430 .Op Fl e Ar emailAddress
1431 .Op Fl s Ar sslHost
1432 .Op Fl q
1433 .Op Fl R Ar revCheckOption
1434 .Bl -item -offset -indent
1435 Verify one or more certificates.
1436 .It
1437 Options:
1438 .Bl -tag -compact -width -indent-indent
1439 .It Fl c Ar certFile
1440 Certificate to verify, in DER or PEM format. Can be specified more than once; leaf certificate has to be specified first.
1441 .It Fl r Ar rootCertFile
1442 Root certificate, in DER or PEM format. Can be specified more than once. If not specified, the system anchor certificates are used. If one root certificate is specified, and zero (non-root) certificates are specified, the root certificate is verified against itself.
1443 .It Fl p Ar policy
1444 Specify verification policy (ssl, smime, codeSign, IPSec, basic, swUpdate, pkgSign, eap, appleID, macappstore, timestamping). Default is basic.
1445 .It Fl C
1446 Specify this evaluation is for client usage, if the verification policy (e.g. ssl) distinguishes between client and server usage. Default is server usage.
1447 .It Fl d Ar date
Date at which to evaluate the certificates, in the format YYYY-MM-DD-hh:mm:ss (time optional), interpreted as GMT; e.g. 2016-04-25-15:59:59 for April 25, 2016 at 3:59:59 pm GMT.
1449 .It Fl k Ar keychain
1450 Keychain to search for intermediate CA certificates. Can be specified multiple times. Default is the current user's keychain search list.
1451 .It Fl n Ar name
1452 Specify a name to be verified, e.g. the SSL host name for the ssl policy, or RFC822 email address for the smime policy. For backward compatibility, if the -n option is provided without an argument, it will be interpreted as equivalent to -N.
1453 .It Fl N
1454 Avoid searching any keychains.
1455 .It Fl L
1456 Use local certificates only. If an issuing CA certificate is missing, this option will avoid accessing the network to fetch it.
1457 .It Fl l
1458 Specifies that the leaf certificate is a CA cert. By default, a leaf certificate with a Basic Constraints extension with the CA bit set fails verification.
1459 .It Fl e Ar emailAddress
1460 Specify email address for the smime policy. (This option is deprecated; use -n instead.)
1461 .It Fl s Ar sslHost
1462 Specify SSL host name for the ssl policy. (This option is deprecated; use -n instead.)
1463 .It Fl q
1464 Quiet, no stdout or stderr.
1465 .It Fl R Ar revCheckOption
1466 Specify a revocation checking option for this evaluation (ocsp, crl, require, offline). Can be specified multiple times; e.g. to enable revocation checking via either OCSP or CRL methods and require a positive response, use "-R ocsp -R crl -R require". The offline option will consult previously cached responses, but will not make a request to a revocation server.
1467 .El
1468 .It
1469 .Sy Examples
1470 .Bl -tag -width -indent
1471 .It security> verify-cert -c applestore0.cer -c applestore1.cer -p ssl -n store.apple.com
1472 .It security> verify-cert -r serverbasic.crt
1473 .El
1474 .\"marker.
1475 .El
1476 .It
1477 .Nm authorize
.Op Fl updPliew
1479 .Op Ar right...
1480 .Bl -item -offset -indent
1481 Authorize requested right(s). The extend-rights flag will be passed by default.
1482 .It
1483 Options:
1484 .Bl -tag -compact -width -indent-indent
1485 .It Fl u
1486 Allow user interaction.
1487 .It Fl p
1488 Allow returning partial rights.
1489 .It Fl d
1490 Destroy acquired rights.
1491 .It Fl P
1492 Pre-authorize rights only.
1493 .It Fl l
1494 Operate authorization in least privileged mode.
1495 .It Fl i
1496 Internalize authref passed on stdin.
1497 .It Fl e
1498 Externalize authref to stdout
1499 .It Fl w
Wait while holding the AuthorizationRef until stdout is closed. This allows the client to read the externalized AuthorizationRef from the pipe.
1501 .El
1502 .It
1503 .Sy Examples
1504 .Bl -tag -width -indent
.It security> authorize -ud my-right
Basic authorization of my-right.
.It security -q authorize -uew my-right | security -q authorize -i my-right
Authorizing a right in one process and passing the externalized AuthorizationRef to another through a pipe, a way to add authorization to shell scripts.
1509 .El
1510 .El
1511 .It
1512 .Nm authorizationdb
1513 .Ar read <right-name>
1514 .It
1515 .Nm authorizationdb
1516 .Ar write <right-name> [allow|deny|<rulename>]
1517 .It
1518 .Nm authorizationdb
1519 .Ar remove <right-name>
1520 .Bl -item -offset -indent
Read or modify the authorization policy database. With allow, deny or a rule name, write sets the right to that rule; without one, write reads the right's definition as a plist dictionary from stdin (the same form that read prints). Modifying the database requires administrator authorization.
1522 .It
1523 .Sy Examples
1524 .Bl -tag -width -indent
.It security authorizationdb read system.privilege.admin > /tmp/aewp-def
Read the definition of the system.privilege.admin right.
.It security authorizationdb write system.preferences < /tmp/aewp-def
Set system.preferences to the definition of the system.privilege.admin right.
.It security authorizationdb write system.preferences authenticate-admin
Every change to preferences requires an Admin user to authenticate.
1531 .El
1532 .El
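.Pp
An added Python example, not code from the security tool, showing how the plist dictionary that authorizationdb read prints (and that authorizationdb write accepts on stdin when no rule name is given) can be audited and tightened before being written back. The keys it uses (class, group, shared, timeout, allow-root) are those found in right definitions; their interpretation is this example's, the function names are its own, and the sample definition is constructed rather than read from a system.

```python
"""Audit and harden a right definition exchanged with `security authorizationdb`.

Added example, not code from the security tool.  `authorizationdb read <right>`
prints the right's definition as a plist dictionary and `authorizationdb write
<right>` (with no rule name) reads one back from stdin, so the definition can
be inspected and adjusted in between.  The keys used here (class, group,
shared, timeout, allow-root) are the ones found in right definitions; the
reading of them in the comments is this example's, and SAMPLE_RIGHT is a
constructed definition rather than one read from a live system.
"""
import plistlib

# Constructed sample in the shape `authorizationdb read` emits.
SAMPLE_RIGHT = plistlib.dumps({
    "class": "user",          # satisfied by a user who authenticates ...
    "group": "admin",         # ... and is a member of this group
    "shared": True,           # credential may be reused by other rights ...
    "timeout": 300,           # ... for this many seconds
    "allow-root": True,       # root need not authenticate
    "comment": "constructed sample, not a real right definition",
})


def right_plist(definition):
    """Serialise a dict to the plist `authorizationdb write` expects on stdin."""
    return plistlib.dumps(definition)


def load_right(data):
    """Parse the plist produced by `authorizationdb read`."""
    return plistlib.loads(data)


def weaknesses(data):
    """Findings a reviewer would raise about a right definition, as strings."""
    right = load_right(data)
    findings = []
    cls = right.get("class")
    if cls == "allow":
        findings.append("class=allow: every caller is granted the right without authenticating")
    elif cls == "user" and right.get("group") != "admin":
        findings.append(f"class=user with group={right.get('group')!r}: "
                        "members of a non-admin group can authorize this right")
    if right.get("shared") and int(right.get("timeout", 0)) > 300:
        findings.append(f"shared credential valid for {right['timeout']}s: "
                        "a prior authentication stays reusable for a long time")
    return findings


def harden(data):
    """Return a copy that requires a fresh admin authentication every time.

    This is the strict end of what the `authenticate-admin` rule name gives;
    pipe the result into `security authorizationdb write <right>`.
    """
    right = load_right(data)
    right["class"] = "user"
    right["group"] = "admin"
    right["shared"] = False     # do not reuse credentials cached by other rights
    right["timeout"] = 0        # no grace period after a successful authentication
    return right_plist(right)


if __name__ == "__main__":
    # Filter mode: read a definition on stdin, report findings, emit the hardened one.
    import sys
    data = sys.stdin.buffer.read()
    for finding in weaknesses(data):
        print("finding:", finding, file=sys.stderr)
    sys.stdout.buffer.write(harden(data))
```

Saved as harden_right.py (a name of this example's choosing), the round trip on a Mac is security authorizationdb read system.preferences | python3 harden_right.py | sudo security authorizationdb write system.preferences; review the findings printed on stderr before letting the write happen.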
1533 .It
1534 .Nm execute-with-privileges
1535 .Ar <program>
1536 .Op Ar args...
1537 .Bl -item -offset -indent
Execute program with root privileges after the user authorizes it through the standard authentication dialog.
On success, stdin is read and forwarded to the program.
1540 .El
1541 .It
1542 .Nm leaks
1543 .Op Fl h
1544 .Op Fl cycles
1545 .Op Fl nocontext
1546 .Op Fl nostacks
1547 .Op Fl exclude Ar symbol
1548 .Bl -item -offset -indent
1549 Run
1550 .Li /usr/bin/leaks
1551 on this process. This can help find memory leaks after running
1552 certain commands.
1553 .It
1554 Options:
1555 .Bl -tag -compact -width -indent-indent
1556 .It Fl cycles
1557 Use a stricter algorithm (See
1558 .Xr leaks 1
1559 for details).
1560 .It Fl nocontext
1561 Withhold the hex dumps of the leaked memory.
1562 .It Fl nostacks
1563 Don't show stack traces of leaked memory.
1564 .It Fl exclude Ar symbol
1565 Ignore leaks called from
1566 .Ar symbol Ns .
1567 .El
1568 .El
1569 .It
1570 .Nm smartcards
1571 .Ar token
1572 .Op Fl l
1573 .Op Fl e Ar token
1574 .Op Fl d Ar token
1575 .Bl -item -offset -indent
1576 Enable, disable or list disabled smartcard tokens.
1577 .It
1578 Options:
1579 .Bl -tag -compact -width -indent-indent
1580 .It Fl l
1581 List disabled smartcard tokens.
1582 .It Fl e Ar token
1583 Enable smartcard token.
1584 .It Fl d Ar token
1585 Disable smartcard token.
1586 .El
1587 .It
1588 .Sy To list tokens available in the system
1589 .It
1590 .Bl -tag -compact -width -indent
1591 .It pluginkit -m -p com.apple.ctk-tokens
1592 .El
1593 .It
1594 .Sy Examples
1595 .It
1596 .Bl -tag -compact -width -indent
1597 .It security smartcards token -l
1598 .It security smartcards token -d com.apple.CryptoTokenKit.pivtoken
1599 .It security smartcards token -e com.apple.CryptoTokenKit.pivtoken
1600 .El
1601 .El
1602 .It
1603 .Nm list-smartcards
1604 .Bl -item -offset -indent
1605 Display
1606 .Ar id Ns
1607 s of available smartcards.
1608 .El
1609 .It
1610 .Nm export-smartcard
1611 .Ar token
1612 .Op Fl i Ar id
1613 .Op Fl t Ar certs Ns | Ns Ar privKeys Ns | Ns Ar identities Ns | Ns Ar all
1614 .Bl -item -offset -indent
1615 Export items from a smartcard. If
1616 .Ar id
1617 isn't provided, items from all smartcards will be exported.
1618 .It
1619 Options:
1620 .Bl -tag -compact -width -indent-indent
1621 .It Fl i Ar id
Export items only from the token with the given
.Ar id Ns
\&. The available
.Ar id Ns
s can be listed with the list-smartcards command.
1627 .It Fl t Ar certs Ns | Ns Ar privKeys Ns | Ns Ar identities Ns | Ns Ar all
1628 Export items of the specified type (Default:
1629 .Ar all Ns
1630 )
1631 .El
1632 .El
1633 .It
1634 .Nm error
1635 .Op Fl h
1636 .Op Ar <error code(s)...>
1637 .Bl -item -offset -indent
1638 Display an error string for the given security-related error code.
1639 The error can be in decimal or hex, e.g. 1234 or 0x1234. Multiple
1640 errors can be separated by spaces.
1641 .El
1642 .El
1643 .El
1644 .Sh ENVIRONMENT \" May not be needed
1645 .Bl -tag -width -indent
1646 .It Ev MallocStackLogging
1647 When using the
1648 .Nm leaks
1649 command or the
1650 .Fl l
1651 option it's probably a good idea to set this environment variable before
1652 .Nm
1653 is started. Doing so will allow leaks to display symbolic backtraces.
1654 .El
1655 .Sh FILES
1656 .Bl -tag -width -indent
1657 .It Pa ~/Library/Preferences/com.apple.security.plist
1658 .Pp
1659 Property list file containing the current user's default keychain and keychain search list.
1660 .It Pa /Library/Preferences/com.apple.security.plist
1661 .Pp
1662 Property list file containing the system default keychain and keychain search list. This is used by processes started at boot time, or those requesting to use the system search domain, such as system daemons.
1663 .It Pa /Library/Preferences/com.apple.security-common.plist
1664 .Pp
1665 Property list file containing the common keychain search list, which is appended to every user's search list and to the system search list.
1666 .El
1667 .Sh SEE ALSO
1668 .\" List links in ascending order by section, alphabetically within a section.
1669 .\" Please do not reference files that do not exist without filing a bug report
1670 .Xr certtool 1 ,
1671 .Xr leaks 1 ,
1672 .Xr pluginkit 8
1673 .\" .Xr systemkeychain 8
1674 .Sh HISTORY
1675 .Nm
1676 was first introduced in Mac OS X version 10.3.
1677 .Sh BUGS
1678 .Nm
1679 still needs more commands before it can be considered complete.
1680 In particular, it should someday supersede both the
1681 .Li certtool
1682 and
1683 .Li systemkeychain
1684 commands.