Summary of use of MAC security tools

Security is the command-line management tool for Keychain and security modules in Mac Systems (the graphical tool is Keychain Access.app). A keychain (Keychain) is essentially a repository for secure authentication entities such as certificates, keys, and passwords, and is stored as a. Keychain file in the computer, usually in the following directory:

• ~/library/keychains/
• /library/keychains/
• /network/library/keychains/

Security API Documentation: https://developer.apple.com/library/mac/documentation/Security/Conceptual/keychainServConcepts/ 01introduction/introduction.html

Security command

The syntax is as follows:

security [-HILQV] [-p prompt] [command] [command options] [command args]

• [subcommand]-H help, view all commands when no command parameters are used, show how to use the command with command arguments
• -I interactive mode
• -P <prompt> Enter interactive mode, using a custom prompt
• -Q Reduce Information output
• -V Increase Information output
• -L Security call/usr/bin/leaks-nocontext to check for leaks in the executed command before exiting

subcommand (command)

The list of subcommands is as follows, and the security [-hilav] [-P prompt] in front of the command syntax is ignored in the description of the subcommands later.

• Help
• Create-keychain Create keychain and join search list
• List-keychains displaying or setting keychain search lists
• Default-keychain Show or set the default keychain
• Login-keychain Display or set login keychain
• Delete-keychain Delete Keychain and remove from search list
• Lock-keychain Locking the established keychain
• Unlock-keychain Unlock the established keychain
• Set-keychain-settings Setting the Keychain configuration
• Set-keychain-password Setting Keychain Password
• Dump-keychain Display the contents of one or more keychain
• Create-keypair creating an asymmetric key pair
• Add-generic-password Adding a common password entry to the keychain
• Find-generic-password finding a Universal Password entry
• Delete-generic-password Delete a universal password entry
• Add-internet-password Adding a network password entry to the keychain
• Find-internet-password Finding network Password entries
• Delete-internet-password Delete a network password entry
• add-certificates Adding a certificate to a keychain
• find-certificate Finding a certificate
• delete-certificate Remove a certificate from the keychain
• find-identity Find authentication Entity (certificate + private key)
• Set-identity-preference
• Get-identity-preference
• Create-db
• Export
• Import
• CMS encoding or decoding CMS information (pkcs#7)
• Install-mds Installing/Reloading the MDS database
• Add-trusted-cert Add a trusted certificate (public key only, no private key)
• Remove-trusted-cert Deleting a trusted certificate
• Dump-trusted-setting Display Trust configuration
• user-trust-settings-enable Display or manage user-level trust configuration
• Trust-settings-export Export Trust Configuration
• Trust-settings-import Import Trust Configuration
• Verify-cert Authentication Certificate
• Authorize authorization actions
• AUTHORIZATIONDB Change authorization policy database
• Execute-with-privileges with privileged Execution tool
• Leaks running/usr/bin/leaks in this process
• Error displays descriptive information for the specified error code
• Create-filevaultmaster-keychain creates a keychain with key pair for FileVault recovery (FileVault is a privacy mechanism in the Apple system that automatically and transparently encrypts and decrypts the contents of the home directory in real Time)

Create a Keychain

Create-keychain [-P] [-P <password>] <keychainFiles...>

• -p <password> Set password for newly created keychain
• -p call Securityagent graphical program to set password

Add a key to the Keychain (certification program)

Import <inputfile> [-K <keychain>] [-t <type>] [-F format] [-W] [-P passphrase] [options ...]

• - k <keychain> Specify which keychain to import the project into
• - T <type> Specifies the type of project to import, with the following values: Pub | priv | session | cert | agg
• - F <format> Specifies the format of the imported project, with the desired value: OpenSSL | OPENSSL1 | OPENSSL2 | BSafe | Raw | PKCS7 | Pkcs8 | PKCS12 | Netscape | Pemseq
• -W indicates the private key is wrapped and should be unpacked when importing
• -X indicates that the private key cannot be extracted after import
• - p <password> Direct Import entry password, default to use GUI input password
• -a specifies a key-value pair property that can recur multiple times
• -A All programs can use the imported items
• - T specifies that you can use the program that imports the project, which can recur multiple times

123456   certsofappbuild.keychainsecurity unlock123456111111  -t/usr/bin/ codesign...sign operation...security Delete-keychain Certsofappbuild.keychian

Find an authentication Entity (certificate + private key)

find-identity [-P policy] [-s string] [-v] [keychain ...]

• -P Search by specified purpose policy, can be repeated to specify multiple items, available values are: Basic, Ssl-client, Ssl-server, SMIME, EAP, IPSec, ichat, codesigning, Sys-de Fault, SYS-KERBEROS-KDC, Macappstore, AppleID
• -S provides parameters for the policy specified by-p
• - v displays only valid, which shows all by default.
• If keychain is not specified, the default search list is used

find-identity-v-P codesigning    #显示默认搜索列表中有效地认证实体

Display or set a keychain search list

List-keychain [-D user|system|common|dynamic] [-s [keychain ...]

• -D using the specified preference domain
• -S Set Keychain search list
• Displays the search list without any parameters

Encrypt/Decrypt CMS information (pkcs#7)

CMS [-cdes] [<options>]

• -C Create a CMS encryption information
• - D Decrypt CMS information
• -E Create CMS package information
• -S Create CMS signature information

Decryption options

• -c <content_file> using detached content files
• -h <level> produce headers with CMS message information
• -N Suppress content output

Encoding options

• -R ID,... To create a package for the specified recipient, the ID can be certificate nickname or email adderess
• -G contains signature time properties
• -h
• -N <certi_nickname> signing with the specified certificate
• -P contains the Smimecapabilities property
• -T CMS information does not contain content
• -y <certi_nickname> contains the encryptionkeypreference attribute for the specified certificate, using none to ignore
• -Z

Common options

• -e <envelope> Specify the envelope file, in combination with-D,-E
• -K keychain Specifies the keychain used
• -I <infile> input data from file, default input is stdin
• - o <outfile> output data to file, default to stdout
• -P <password> Specify a key db password, which is prompted by default
• -s transmit data byte by bit
• -V Display debug information
• -U <certusage> Set certificate usage type, default to Certusageemailsigner
  • 0 certusagesslclient
  • 1 certusagesslserver
  • 2 Certusagesslserverwithstepup
  • 3 Certusagesslca
  • 4 Certusageemailsigner
  • 5 certusageemailrecipient
  • 6 Certusageobjectsigner
  • 7 Certusageusercertimport
  • 8 Certusageverifyca
  • 9 Certusageprotectedobjectsigner
  • Ten Certusagestatusresponder
  • Certusageanyca

　

Security Cms-d-I. example.mobileprovision

Summary of use of MAC security tools