security is the command-line management tool for keychains and security modules on macOS (the graphical counterpart is Keychain Access.app). A keychain is essentially a repository for secure authentication items such as certificates, keys, and passwords; it is stored as a .keychain file on the computer, usually in one of the following directories:
- ~/Library/Keychains/
- /Library/Keychains/
- /Network/Library/Keychains/
Security API documentation: https://developer.apple.com/library/mac/documentation/Security/Conceptual/keychainServConcepts/01introduction/introduction.html
The security command
The syntax is as follows:
security [-hilqv] [-p prompt] [command] [command options] [command args]
- -h Help: with no command arguments, lists all commands; with command arguments, shows the usage of each specified command
- -i Interactive mode
- -p <prompt> Interactive mode with a custom prompt
- -q Quieter output (less information)
- -v Verbose output (more information)
- -l Before exiting, security runs /usr/bin/leaks -nocontext to check the executed command for memory leaks
Subcommands
The list of subcommands is as follows; in the subcommand descriptions later, the leading security [-hilqv] [-p prompt] is omitted from the syntax.
- help
- create-keychain Create a keychain and add it to the search list
- list-keychains Display or set the keychain search list
- default-keychain Display or set the default keychain
- login-keychain Display or set the login keychain
- delete-keychain Delete a keychain and remove it from the search list
- lock-keychain Lock the specified keychain
- unlock-keychain Unlock the specified keychain
- set-keychain-settings Set the keychain configuration
- set-keychain-password Set the keychain password
- dump-keychain Display the contents of one or more keychains
- create-keypair Create an asymmetric key pair
- add-generic-password Add a generic password entry to a keychain
- find-generic-password Find a generic password entry
- delete-generic-password Delete a generic password entry
- add-internet-password Add an internet password entry to a keychain
- find-internet-password Find an internet password entry
- delete-internet-password Delete an internet password entry
- add-certificates Add a certificate to a keychain
- find-certificate Find a certificate
- delete-certificate Remove a certificate from a keychain
- find-identity Find an identity (certificate + private key)
- set-identity-preference Set the preferred identity to use for a service
- get-identity-preference Get the preferred identity to use for a service
- create-db Create a database using the DL
- export Export items from a keychain
- import Import items into a keychain
- cms Encode or decode CMS messages (PKCS#7)
- install-mds Install or reload the MDS database
- add-trusted-cert Add a trusted certificate (public key only, no private key)
- remove-trusted-cert Remove a trusted certificate
- dump-trust-settings Display trust settings
- user-trust-settings-enable Display or manage user-level trust settings
- trust-settings-export Export trust settings
- trust-settings-import Import trust settings
- verify-cert Verify a certificate
- authorize Perform authorization operations
- authorizationdb Make changes to the authorization policy database
- execute-with-privileges Execute a tool with privileges
- leaks Run /usr/bin/leaks on this process
- error Display descriptive information for the specified error code
- create-filevaultmaster-keychain Create a keychain containing a key pair for FileVault recovery (FileVault is a privacy mechanism in Apple systems that automatically and transparently encrypts and decrypts the contents of the home directory in real time)
Create a keychain
create-keychain [-P] [-p <password>] <keychain files...>
- -p <password> Set the password for the newly created keychain
- -P Prompt for the password through the SecurityAgent graphical program
Add keys or certificates to a keychain (import)
import <inputfile> [-k <keychain>] [-t <type>] [-f <format>] [-w] [-P <passphrase>] [options ...]
- -k <keychain> Specify the keychain to import the items into
- -t <type> Specify the type of items to import; possible values: pub | priv | session | cert | agg
- -f <format> Specify the format of the imported items; possible values: openssl | openssl1 | openssl2 | bsafe | raw | pkcs7 | pkcs8 | pkcs12 | netscape | pemseq
- -w Indicates that the private keys are wrapped and must be unwrapped on import
- -x Indicates that the private keys are non-extractable after import
- -P <passphrase> Passphrase for the import file; by default it is requested through the GUI
- -a <attrName> <attrValue> Specify a key/value attribute pair; may be repeated
- -A Allow any application to access the imported items
- -T <appPath> Specify an application that may access the imported items; may be repeated
Example: a throw-away keychain for a build (the import input file is not shown in the original, so it appears as a placeholder here):
security create-keychain -p 123456 certsofappbuild.keychain
security unlock-keychain -p 123456 certsofappbuild.keychain
security import <p12 file> -k certsofappbuild.keychain -P 111111 -T /usr/bin/codesign
...sign operation...
security delete-keychain certsofappbuild.keychain
Find an identity (certificate + private key)
find-identity [-p policy] [-s string] [-v] [keychain ...]
- -p Search by the specified purpose policy; may be repeated to specify several. Available values: basic, ssl-client, ssl-server, smime, eap, ipsec, ichat, codesigning, sys-default, sys-kerberos-kdc, macappstore, appleID
- -s Provide a policy-specific string for the policy given with -p
- -v Show only valid identities; by default all are shown
- If no keychain is specified, the default search list is used
security find-identity -v -p codesigning  # show the valid identities in the default search list
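Scripts that call find-identity have to parse its output and pick one identity deliberately. The following is an added example for this page (not from the original): the sample output is constructed to mirror the tool's format, one numbered line per identity with its SHA-1 hash and certificate name, and, when -v is not given, a status code in parentheses on invalid entries. The team identifiers, hashes and certificate names in the sample are made up.

```python
"""Parse `security find-identity` output and select one signing identity.

Added example, not from the page. SAMPLE_OUTPUT is constructed; the
hashes, names and team identifiers are not real.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_OUTPUT = """\
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Jane Doe (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Application: Example Corp (ZYXWV98765)"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "iPhone Distribution: Example Corp (ZYXWV98765)" (CSSMERR_TP_CERT_EXPIRED)
     3 identities found
"""

# One identity per line; the trailing "(STATUS)" only appears without -v.
LINE_RE = re.compile(
    r'^\s*\d+\)\s+(?P<sha1>[0-9A-F]{40})\s+"(?P<name>[^"]*)"'
    r'(?:\s+\((?P<status>[A-Z_]+)\))?\s*$'
)
# Apple certificate names end with the 10-character team ID in parentheses.
TEAM_RE = re.compile(r"\((?P<team>[A-Z0-9]{10})\)$")


@dataclass(frozen=True)
class Identity:
    sha1: str
    name: str
    status: Optional[str]  # None means the identity is valid

    @property
    def team_id(self) -> Optional[str]:
        m = TEAM_RE.search(self.name)
        return m.group("team") if m else None


def parse_identities(text: str) -> List[Identity]:
    """Turn find-identity output into Identity records; the trailer line is skipped."""
    found: List[Identity] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Identity(m.group("sha1"), m.group("name"), m.group("status")))
    return found


def list_identities(policy: str = "codesigning", valid_only: bool = True) -> List[Identity]:
    """Run the real tool (macOS only; not exercised by the offline test)."""
    argv = ["security", "find-identity", "-p", policy]
    if valid_only:
        argv.append("-v")
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return parse_identities(out)


def choose_identity(ids: List[Identity], team_id: str, cert_type: str) -> Identity:
    """Select the single valid identity of a given certificate type
    (e.g. "Developer ID Application") for a team. Zero or several matches
    are refused: signing by name with several candidates is ambiguous, and
    selecting by SHA-1 hash afterwards is unambiguous."""
    matches = [i for i in ids
               if i.status is None
               and i.team_id == team_id
               and i.name.startswith(cert_type + ":")]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one identity, found {len(matches)}")
    return matches[0]


if __name__ == "__main__":
    for ident in parse_identities(SAMPLE_OUTPUT):
        print(ident.sha1, ident.team_id, ident.status or "valid", ident.name)
```

Passing the chosen SHA-1 hash, rather than the display name, to the signing step is the reliable way to refer to an identity when several certificates share a name.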
Display or set the keychain search list
list-keychains [-d user|system|common|dynamic] [-s [keychain ...]]
- -d Use the specified preference domain
- -s Set the keychain search list to the given keychains
- With no options, displays the current search list
Encode/decode CMS messages (PKCS#7)
cms [-C|-D|-E|-S] [<options>]
- -C Create a CMS encrypted message
- -D Decode a CMS message
- -E Create a CMS enveloped message
- -S Create a CMS signed message
Decoding options
- -c <content_file> Use this detached content file
- -h <level> Generate headers with information about the CMS message
- -n Suppress output of the content
Encoding options
- -r <id>,... Create an envelope for the comma-separated list of recipients; an id can be a certificate nickname or an email address
- -G Include a signing-time attribute
- -H
- -N <cert_nickname> Sign with the specified certificate
- -P Include an SMIMECapabilities attribute
- -T Do not include the content in the CMS message
- -Y <cert_nickname> Include an EncryptionKeyPreference attribute for the specified certificate; use NONE to omit it
- -Z
Common options
- -e <envelope> Specify the envelope file; used with -D or -E
- -k <keychain> Specify the keychain to use
- -i <infile> Read input from the file; default is stdin
- -o <outfile> Write output to the file; default is stdout
- -p <password> Specify the key db password; prompted for by default
- -s Pass data to CMS one byte at a time
- -v Print debugging information
- -u <certusage> Set the certificate usage type; default is certUsageEmailSigner
- 0 certUsageSSLClient
- 1 certUsageSSLServer
- 2 certUsageSSLServerWithStepUp
- 3 certUsageSSLCA
- 4 certUsageEmailSigner
- 5 certUsageEmailRecipient
- 6 certUsageObjectSigner
- 7 certUsageUserCertImport
- 8 certUsageVerifyCA
- 9 certUsageProtectedObjectSigner
- 10 certUsageStatusResponder
- 11 certUsageAnyCA
security cms -D -i example.mobileprovision
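The usual reason to run cms -D on a .mobileprovision file is to inspect what the profile grants, since the payload inside the CMS wrapper is an XML property list. The following is an added example for this page (not from the original): it parses that plist and reports the properties a reviewer checks before a build ships, such as expiry, get-task-allow (the app can be attached to by a debugger), a wildcard application-identifier, and enterprise-style "provisions all devices" profiles. The embedded plist is constructed for the example with the keys real profiles carry; the team identifier, device ID and dates are made up. The decode_profile helper runs the real security cms command and is only usable on macOS.

```python
"""Audit a provisioning profile decoded with `security cms -D`.

Added example, not from the page. SAMPLE_PLIST is a constructed payload
shaped like the plist that cms -D prints for a .mobileprovision file.
"""
import plistlib
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Union

SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key><string>Example App Development</string>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ExpirationDate</key><date>2020-01-01T00:00:00Z</date>
  <key>ProvisionsAllDevices</key><false/>
  <key>ProvisionedDevices</key><array><string>00008030-000000000000000A</string></array>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.*</string>
    <key>get-task-allow</key><true/>
    <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
  </dict>
</dict>
</plist>
"""


def decode_profile(path: str) -> bytes:
    """Run `security cms -D -i <path>` (macOS only) and return the decoded payload."""
    return subprocess.run(["security", "cms", "-D", "-i", path],
                          check=True, capture_output=True).stdout


def _as_utc(when: Union[datetime, str, None]) -> datetime:
    """Accept an aware datetime, an ISO-8601 string, or None (= now)."""
    if when is None:
        return datetime.now(timezone.utc)
    if isinstance(when, str):
        when = datetime.fromisoformat(when.replace("Z", "+00:00"))
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def audit_profile(plist_bytes: bytes, now: Union[datetime, str, None] = None) -> Dict[str, object]:
    """Return the facts a reviewer wants from the profile plus a list of findings."""
    current = _as_utc(now)
    p = plistlib.loads(plist_bytes)
    ent = p.get("Entitlements", {})
    expires = _as_utc(p["ExpirationDate"])  # plistlib yields naive UTC datetimes
    findings: List[str] = []
    if expires <= current:
        findings.append("profile has expired")
    elif expires - current < timedelta(days=30):
        findings.append("profile expires within 30 days")
    if ent.get("get-task-allow"):
        findings.append("get-task-allow is set: the app can be attached to by a debugger (development profile)")
    if str(ent.get("application-identifier", "")).endswith(".*"):
        findings.append("wildcard application-identifier")
    if p.get("ProvisionsAllDevices"):
        findings.append("provisions all devices (enterprise distribution)")
    team: Optional[str] = (p.get("TeamIdentifier") or [None])[0]
    return {
        "name": p.get("Name"),
        "team": team,
        "expires": expires.isoformat(),
        "device_count": len(p.get("ProvisionedDevices", [])),
        "findings": findings,
    }


if __name__ == "__main__":
    # On macOS: audit_profile(decode_profile("example.mobileprovision"))
    report = audit_profile(SAMPLE_PLIST)
    print(report["name"], report["team"], report["expires"], report["device_count"])
    for finding in report["findings"]:
        print(" -", finding)
```

A release pipeline can fail the build when the findings list contains an entry it does not expect for the target (for instance get-task-allow in an App Store build), which catches a development profile that was picked up by mistake.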
Summary of the use of the macOS security tool