
security(1)               BSD General Commands Manual               security(1)

NAME
     security - Command line interface to keychains and Security framework

SYNOPSIS
     security [-hilqv] [-p prompt] [command] [command_options] [command_args]

DESCRIPTION
     A simple command line interface which lets you administer keychains,
     manipulate keys and certificates, and do just about anything the Security
     framework is capable of from the command line.

     By default security will execute the command supplied and report if
     anything went wrong.

     If the -i or -p options are provided, security will enter interactive
     mode and allow the user to enter multiple commands on stdin. When EOF is
     read from stdin security will exit. Here is a complete list of the
     options available:

     -h         If no arguments are specified, show a list of all commands.
                If arguments are provided, show usage for each of the
                specified commands. This option is essentially the same as
                the help command.

     -i         Run security in interactive mode. A prompt (security> by
                default) will be displayed and the user will be able to type
                commands on stdin until an EOF is encountered.

     -l         Before security exits, run
                      /usr/bin/leaks -nocontext
                on itself to see if the command(s) you executed had any
                leaks.

     -p prompt  This option implies the -i option but changes the default
                prompt to the argument specified instead.

     -q         Will make security less verbose.

     -v         Will make security more verbose.

SECURITY COMMAND SUMMARY
     security provides a rich variety of commands (command in the SYNOPSIS),
     each of which often has a wealth of options, to allow access to the broad
     functionality provided by the Security framework. However, you don't have
     to master every detail for security to be useful to you. Here are brief
     descriptions of all the security commands:

     help                         Show all commands, or show usage for a
                                  command.
     list-keychains               Display or manipulate the keychain search
                                  list.
     default-keychain             Display or set the default keychain.
     login-keychain               Display or set the login keychain.
     create-keychain              Create keychains and add them to the
                                  search list.
     delete-keychain              Delete keychains and remove them from the
                                  search list.
     lock-keychain                Lock the specified keychain.
     unlock-keychain              Unlock the specified keychain.
     set-keychain-settings        Set settings for a keychain.
     set-keychain-password        Set password for a keychain.
     show-keychain-info           Show the settings for keychain.
     dump-keychain                Dump the contents of one or more keychains.
     create-keypair               Create an asymmetric key pair.
     add-generic-password         Add a generic password item.
     add-internet-password        Add an internet password item.
     add-certificates             Add certificates to a keychain.
     find-generic-password        Find a generic password item.
     find-internet-password       Find an internet password item.
     find-certificate             Find a certificate item.
     find-identity                Find an identity (certificate + private
                                  key).
     delete-certificate           Delete a certificate from a keychain.
     set-identity-preference      Set the preferred identity to use for a
                                  service.
     get-identity-preference      Get the preferred identity to use for a
                                  service.
     create-db                    Create a db using the DL.
     export                       Export items from a keychain.
     import                       Import items into a keychain.
     cms                          Encode or decode CMS messages.
     install-mds                  Install (or re-install) the MDS database.
     add-trusted-cert             Add trusted certificate(s).
     remove-trusted-cert          Remove trusted certificate(s).
     dump-trust-settings          Display contents of trust settings.
     user-trust-settings-enable   Display or manipulate user-level trust
                                  settings.
     trust-settings-export        Export trust settings.
     trust-settings-import        Import trust settings.
     verify-cert                  Verify certificate(s).
     authorize                    Perform authorization operations.
     authorizationdb              Make changes to the authorization policy
                                  database.
     execute-with-privileges      Execute tool with privileges.
     leaks                        Run /usr/bin/leaks on this process.
     error                        Display a descriptive message for the
                                  given error code(s).

COMMON COMMAND OPTIONS
     This section describes the command_options that are available across
     all security commands.

     -h         Show a usage message for the specified command. This option
                is essentially the same as the help command.

SECURITY COMMANDS
     Here (finally) are details on all the security commands and the options
     each accepts.

     help [-h]
          Show all commands, or show usage for a command.

     list-keychains [-h] [-d user|system|common] [-s [keychain...]]
          Display or manipulate the keychain search list.

          -d user|system|common
                      Use the specified preference domain.
          -s          Set the search list to the specified keychains.

     default-keychain [-h] [-d user|system|common] [-s [keychain]]
          Display or set the default keychain.

          -d user|system|common
                      Use the specified preference domain.
          -s          Set the default keychain to the specified keychain.
                      Unset it if no keychain is specified.

     login-keychain [-h] [-d user|system|common] [-s [keychain]]
          Display or set the login keychain.

          -d user|system|common
                      Use the specified preference domain.
          -s          Set the login keychain to the specified keychain. Unset
                      it if no keychain is specified.

     create-keychain [-hP] [-p password] [keychain...]
          Create keychains and add them to the search list.

          -P          Prompt the user for a password using the SecurityAgent.
          -p password Use password as the password for the keychains being
                      created.

          If neither -P nor -p password is specified, the user is prompted
          for a password on the command line.

     delete-keychain [-h] [keychain...]
          Delete keychains and remove them from the search list.

     lock-keychain [-h] [-a|keychain]
          Lock keychain, or the default keychain if none is specified. If the
          -a option is specified, all keychains are locked.

     unlock-keychain [-hu] [-p password] [keychain]
          Unlock keychain, or the default keychain if none is specified.

     set-keychain-settings [-hlu] [-t timeout] [keychain]
          Set settings for keychain, or the default keychain if none is
          specified.

          -l          Lock keychain when the system sleeps.
          -u          Lock keychain after timeout interval.
          -t timeout  Specify timeout interval in seconds (omitting this
                      option specifies "no timeout").

     set-keychain-password [-h] [-o oldPassword] [-p newPassword] [keychain]
          Set password for keychain, or the default keychain if none is
          specified.

          -o oldPassword
                      Old keychain password (if not provided, will prompt)
          -p newPassword
                      New keychain password (if not provided, will prompt)

     show-keychain-info [-h] [keychain]
          Show the settings for keychain.

     dump-keychain [-adhir]
          Dump the contents of one or more keychains.

          -a          Dump access control list of items
          -d          Dump (decrypted) data of items
          -i          Interactive access control list editing mode
          -r          Dump raw (encrypted) data of items

     create-keypair [-h] [-a alg] [-s size] [-f date] [-t date] [-d days]
              [-k keychain] [-A|-T appPath] [name]
          Create an asymmetric key pair.

          -a alg      Use alg as the algorithm, can be rsa, dh, dsa or fee
                      (default rsa)
          -s size     Specify the keysize in bits (default 512)
          -f date     Make a key valid from the specified date
          -t date     Make a key valid to the specified date
          -d days     Make a key valid for the number of days specified from
                      today
          -k keychain Use the specified keychain rather than the default
          -A          Allow any application to access this key without
                      warning (insecure, not recommended!)
          -T appPath  Specify an application which may access this key
                      (multiple -T options are allowed)

     add-generic-password [-h] [-a account] [-s service] [-w password]
              [options...] [keychain]
          Add a generic password item.

          -a account  Specify account name (required)
          -c creator  Specify item creator (optional four-character code)
          -C type     Specify item type (optional four-character code)
          -D kind     Specify kind (default is "application password")
          -G value    Specify generic attribute value (optional)
          -j comment  Specify comment string (optional)
          -l label    Specify label (if omitted, service name is used as
                      default label)
          -s service  Specify service name (required)
          -p password Specify password to be added (legacy option, equivalent
                      to -w)
          -w password Specify password to be added
          -A          Allow any application to access this item without
                      warning (insecure, not recommended!)
          -T appPath  Specify an application which may access this item
                      (multiple -T options are allowed)
          -U          Update item if it already exists (if omitted, the item
                      cannot already exist)

          By default, the application which creates an item is trusted to
          access its data without warning. You can remove this default access
          by explicitly specifying an empty app pathname: -T "". If no
          keychain is specified, the password is added to the default
          keychain.

     add-internet-password [-h] [-a account] [-s server] [-w password]
              [options...] [keychain]
          Add an internet password item.

          -a account  Specify account name (required)
          -c creator  Specify item creator (optional four-character code)
          -C type     Specify item type (optional four-character code)
          -d domain   Specify security domain string (optional)
          -D kind     Specify kind (default is "application password")
          -j comment  Specify comment string (optional)
          -l label    Specify label (if omitted, service name is used as
                      default label)
          -p path     Specify path string (optional)
          -P port     Specify port number (optional)
          -r protocol Specify protocol (optional four-character
                      SecProtocolType, e.g. "http", "ftp ")
          -s server   Specify server name (required)
          -t authenticationType
                      Specify authentication type (as a four-character
                      SecAuthenticationType, default is "dflt")
          -w password Specify password to be added
          -A          Allow any application to access this item without
                      warning (insecure, not recommended!)
          -T appPath  Specify an application which may access this item
                      (multiple -T options are allowed)
          -U          Update item if it already exists (if omitted, the item
                      cannot already exist)

          By default, the application which creates an item is trusted to
          access its data without warning. You can remove this default access
          by explicitly specifying an empty app pathname: -T "". If no
          keychain is specified, the password is added to the default
          keychain.

     add-certificates [-h] [-k keychain] file...
          Add certificates contained in the specified files to the default
          keychain. The files must contain one DER encoded X509 certificate
          each.

          -k keychain Use keychain rather than the default keychain.

     find-generic-password [-h] [-a account] [-s service] [options...] [-g]
              [keychain...]
          Find a generic password item.

          -a account  Match account string
          -c creator  Match creator (four-character code)
          -C type     Match type (four-character code)
          -D kind     Match kind string
          -G value    Match value string (generic attribute)
          -j comment  Match comment string
          -l label    Match label string
          -s service  Match service string
          -g          Display the password for the item found
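          As an added example (not from the man page or Apple's tools), the
          following Python wrapper drives add-generic-password and
          find-generic-password from the sections above with the access
          control choice they describe: never -A, and -T "" when no
          application should read the item silently. The /usr/bin/security
          path, the service and account names, and the password: "..."
          output line parsed from -g are this example's assumptions.

```python
"""Added example (not part of the man page or Apple's tooling): a small
wrapper around security(1) that stores and retrieves a generic password item
with an explicit access control list instead of the insecure -A option.
The build_* functions only assemble argv and can be checked anywhere; run()
actually invokes security and therefore needs macOS."""
import re
import subprocess
from typing import List, Optional, Sequence

SECURITY = "/usr/bin/security"   # assumed install path


def build_add_generic_password(service: str, account: str, password: str,
                               trusted_apps: Sequence[str] = (),
                               keychain: Optional[str] = None,
                               update: bool = True) -> List[str]:
    """argv for `security add-generic-password`.

    ACL policy: never pass -A (any application may read the item without
    warning). With an empty trusted_apps list we emit -T "", which per the man
    page removes even the creating application's default access, so every
    read goes through the SecurityAgent; otherwise one -T per app path.
    """
    argv = [SECURITY, "add-generic-password", "-a", account, "-s", service,
            "-w", password]
    if update:
        argv.append("-U")           # replace an existing item instead of failing
    if trusted_apps:
        for app in trusted_apps:
            argv += ["-T", app]
    else:
        argv += ["-T", ""]
    if keychain:
        argv.append(keychain)       # positional; default keychain if omitted
    return argv


def build_find_generic_password(service: str, account: str,
                                keychains: Sequence[str] = ()) -> List[str]:
    """argv for `security find-generic-password -g` (display the password)."""
    return [SECURITY, "find-generic-password", "-a", account, "-s", service,
            "-g", *keychains]


# Assumption (not stated on the page): with -g the secret is printed as a line
#     password: "value"
# on stderr, while the item attributes go to stdout.
_PASSWORD_LINE = re.compile(r'^password: "(.*)"$', re.MULTILINE)


def parse_password(output: str) -> Optional[str]:
    """Extract the secret from -g output; None when no password line exists."""
    m = _PASSWORD_LINE.search(output)
    return m.group(1) if m else None


def run(argv: Sequence[str]) -> subprocess.CompletedProcess:
    # Passing the secret in argv (-w) exposes it to `ps` for the process
    # lifetime; for shared hosts prefer letting security prompt instead.
    return subprocess.run(argv, capture_output=True, text=True, check=False)


def store_secret(service: str, account: str, password: str,
                 trusted_apps: Sequence[str] = (),
                 keychain: Optional[str] = None) -> bool:
    argv = build_add_generic_password(service, account, password,
                                      trusted_apps, keychain)
    return run(argv).returncode == 0


def fetch_secret(service: str, account: str,
                 keychains: Sequence[str] = ()) -> Optional[str]:
    proc = run(build_find_generic_password(service, account, keychains))
    if proc.returncode != 0:
        return None
    return parse_password(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Hypothetical service/account names; this part runs only where
    # security(1) is installed.
    ok = store_secret("example-api", "deploy", "hunter2",
                      trusted_apps=["/usr/bin/curl"])
    print("stored:", ok)
    print("fetched:", fetch_secret("example-api", "deploy"))
```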

     find-internet-password [-h] [-a account] [-s server] [options...] [-g]
              [keychain...]
          Find an internet password item.

          -a account  Match account string
          -c creator  Match creator (four-character code)
          -C type     Match type (four-character code)
          -d securityDomain
                      Match securityDomain string
          -D kind     Match kind string
          -j comment  Match comment string
          -l label    Match label string
          -p path     Match path string
          -P port     Match port number
          -r protocol Match protocol (four-character code)
          -s server   Match server string
          -t authenticationType
                      Match authenticationType (four-character code)
          -g          Display the password for the item found

     find-certificate [-h] [-a] [-c name] [-e emailAddress] [-m] [-p] [-Z]
              [keychain...]
          Find a certificate item. If no keychain arguments are provided, the
          default search list is used. Options:

          -a          Find all matching certificates, not just the first one
          -c name     Match on name when searching (optional)
          -e emailAddress
                      Match on emailAddress when searching (optional)
          -m          Show the email addresses in the certificate
          -p          Output certificate in pem format. Default is to dump
                      the attributes and keychain the cert is in.
          -Z          Print SHA-1 hash of the certificate

          Examples
               security> find-certificate -a -p > allcerts.pem
                    Exports all certificates from all keychains into a pem
                    file called allcerts.pem.

               security> find-certificate -a -e me@foo.com -p > certs.pem
                    Exports all certificates from all keychains with the
                    email address me@foo.com into a pem file called
                    certs.pem.

               security> find-certificate -a -c MyName -Z login.keychain | grep ^SHA-1
                    Print the SHA-1 hash of every certificate in
                    'login.keychain' whose common name includes 'MyName'

     find-identity [-h] [-p policy] [-s string] [-v] [keychain...]
          Find an identity (certificate + private key) satisfying a given
          policy. If no policy arguments are provided, the X.509 basic policy
          is assumed. If no keychain arguments are provided, the default
          search list is used. Options:

          -p policy   Specify policy to evaluate (multiple -p options are
                      allowed). Supported policies: basic, ssl-client,
                      ssl-server, smime, eap, ipsec, ichat, codesigning,
                      sys-default, sys-kerberos-kdc
          -s string   Specify optional policy-specific string (e.g. a DNS
                      hostname for SSL, or RFC822 email address for S/MIME)
          -v          Show valid identities only (default is to show all
                      identities)

          Examples
               security> find-identity -v -p ssl-client
                    Display valid identities that can be used for SSL client
                    authentication

               security> find-identity -p ssl-server -s www.domain.com
                    Display identities for a SSL server running on the host
                    'www.domain.com'

               security> find-identity -p smime -s user@domain.com
                    Display identities that can be used to sign a message
                    from 'user@domain.com'

     delete-certificate [-h] [-c name] [-Z hash] [-t] [keychain...]
          Delete a certificate from a keychain. If no keychain arguments are
          provided, the default search list is used.

          -c name     Specify certificate to delete by its common name
          -Z hash     Specify certificate to delete by its SHA-1 hash
          -t          Also delete user trust settings for this certificate

          The certificate to be deleted must be uniquely specified either by
          a string found in its common name, or by its SHA-1 hash.

     set-identity-preference [-h] [-c identity] [-s service] [-u keyUsage]
              [-Z hash] [keychain...]
          Set the preferred identity to use for a service.

          -c identity Specify identity by common name of the certificate
          -s service  Specify service (may be a URL, RFC822 email address,
                      DNS host, or other name) for which this identity is to
                      be preferred
          -u keyUsage Specify key usage (optional)
          -Z hash     Specify identity by SHA-1 hash of certificate
                      (optional)

          The identity is located by searching the specified keychain(s) for
          a certificate whose common name contains the given identity string.
          If no keychains are specified to search, the default search list is
          used. Different identity preferences can be set for individual key
          usages. You can differentiate between two identities which contain
          the same string by providing a SHA-1 hash of the certificate (in
          addition to, or instead of, the name.)

          PARTIAL PATHS AND WILDCARDS
               Prior to 10.5.4, identity preferences for SSL/TLS client
               authentication could only be set on a per-URL basis. The URL
               being visited had to match the service name exactly for the
               preference to be in effect.

               In 10.5.4, it became possible to specify identity preferences
               on a per-server basis, by using a service name with a partial
               path URL to match more specific paths on the same server. For
               example, if an identity preference for
               "https://www.apache-ssl.org/" exists, it will be in effect for
               "https://www.apache-ssl.org/cgi/cert-export", and so on. Note
               that partial path URLs must end with a trailing slash
               character.

               Starting with 10.6, it is possible to specify identity
               preferences on a per-domain basis, by using the wildcard
               character '*' as the leftmost component of the service name.
               Unlike SSL wildcards, an identity preference wildcard can
               match more than one subdomain. For example, an identity
               preference for the name "*.army.mil" will match
               "server1.subdomain1.army.mil" or
               "server2.subdomain2.army.mil". Likewise, a preference for
               "*.mil" will match both "server.army.mil" and
               "server.navy.mil".

          KEY USAGE CODES

               0   - preference is in effect for all possible key usages
                     (default)
               1   - encryption only
               2   - decryption only
               4   - signing only
               8   - signature verification only
               16  - signing with message recovery only
               32  - signature verification with message recovery only
               64  - key wrapping only
               128 - key unwrapping only
               256 - key derivation only

               To specify more than one usage, add values together.
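          The matching rules from PARTIAL PATHS AND WILDCARDS and the KEY
          USAGE CODES arithmetic, as an added Python model that is not part
          of the man page or of the Security framework; it lets you predict
          which stored preference will apply to a URL or host, and shows why
          a "*.mil" preference reaches every subdomain. The longest-match
          tie-break and case-insensitive host comparison are this example's
          assumptions; the page states neither.

```python
"""Added example (not from the man page or Apple): models the service-name
matching rules described for set-identity-preference and the key usage
bitmask from KEY USAGE CODES."""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Key usage codes exactly as listed in the man page; 0 means "all usages".
KEY_USAGES = {
    1: "encryption", 2: "decryption", 4: "signing",
    8: "signature verification", 16: "signing with message recovery",
    32: "signature verification with message recovery",
    64: "key wrapping", 128: "key unwrapping", 256: "key derivation",
}


def key_usage_value(*names: str) -> int:
    """Combine usages the way the page says: add the values together."""
    by_name = {v: k for k, v in KEY_USAGES.items()}
    return sum(by_name[n] for n in names)


def key_usage_names(value: int) -> List[str]:
    """Decode a -u keyUsage integer back into usage names (0 -> all)."""
    if value == 0:
        return ["all"]
    return [name for bit, name in sorted(KEY_USAGES.items()) if value & bit]


def preference_matches(service: str, target: str) -> bool:
    """Does a preference stored under `service` apply to `target`?

    Three rules from the man page, checked in order:
      1. exact match (the only rule before 10.5.4);
      2. partial-path URL prefix (10.5.4+): `service` must end with '/' and
         `target` must start with it, so "https://h/" covers "https://h/a/b";
      3. domain wildcard (10.6+): leftmost component '*', which, unlike an
         SSL wildcard, may span several subdomain levels ("*.mil" matches
         "server.army.mil"). The dot stays part of the suffix, so
         "*.army.mil" does not match "evil-army.mil".
    Case-insensitive host comparison is this example's assumption.
    """
    if service == target:
        return True
    if service.endswith("/") and target.startswith(service):
        return True
    if service.startswith("*."):
        suffix = service[1:].lower()             # e.g. ".army.mil"
        host = target
        if "://" in target:                      # accept a URL as target too
            host = urlsplit(target).hostname or ""
        host = host.lower()
        return host.endswith(suffix) and len(host) > len(suffix)
    return False


def select_preference(prefs: Dict[str, str], target: str) -> Optional[str]:
    """Pick the identity for `target` from {service: identity_common_name}.

    When several preferences apply, the longest (most specific) service name
    wins; the man page states no tie-break, so this is an assumption and
    should be confirmed with get-identity-preference before relying on it.
    """
    hits = [s for s in prefs if preference_matches(s, target)]
    if not hits:
        return None
    return prefs[max(hits, key=len)]


if __name__ == "__main__":
    # Constructed preferences; the identity names are placeholders.
    prefs = {
        "https://www.apache-ssl.org/": "Apache Client Cert",
        "*.army.mil": "Army Identity",
        "*.mil": "Generic DoD Identity",
    }
    for t in ("https://www.apache-ssl.org/cgi/cert-export",
              "server1.subdomain1.army.mil", "server.navy.mil",
              "https://www.example.org/"):
        print(f"{t:45} -> {select_preference(prefs, t)}")
    print(key_usage_value("signing", "key wrapping"), key_usage_names(68))
```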

     get-identity-preference [-h] [-s service] [-u keyUsage] [-p] [-c] [-Z]
          Get the preferred identity to use for a service.

          -s service  Specify service (may be a URL, RFC822 email address,
                      DNS host, or other name)
          -u keyUsage Specify key usage (optional)
          -p          Output identity certificate in pem format
          -c          Print common name of the preferred identity certificate
          -Z          Print SHA-1 hash of the preferred identity certificate

     create-db [-aho0] [-g dl|cspdl] [-m mode] [name]
          Create a db using the DL. If name isn't provided security will
          prompt the user to type a name. Options:

          -a          Turn off autocommit
          -g dl|cspdl Use the AppleDL (default) or AppleCspDL
          -m mode     Set the file permissions to mode.
          -o          Force using openparams argument
          -0          Force using version 0 openparams

          Examples
               security> create-db -m 0644 test.db
               security> create-db -g cspdl -a test2.db

     export [-k keychain] [-t type] [-f format] [-w] [-p format]
              [-P passphrase] [-o outfile]
          Export one or more items from a keychain to one of a number of
          external representations. If keychain isn't provided, items will be
          exported from the user's default keychain. Options:

          -k keychain Specify keychain from which item(s) will be exported.
          -t type     Specify the type of items to export. Possible types are
                      certs, allKeys, pubKeys, privKeys, identities, and all.
                      The default is all. An identity consists of both a
                      certificate and the corresponding private key.
          -f format   Specify the format of the exported data. Possible
                      formats are openssl, bsafe, pkcs7, pkcs8, pkcs12, x509,
                      openssh1, openssh2, and pemseq. The default is pemseq
                      if more than one item is being exported. The default is
                      openssl if one key is being exported. The default is
                      x509 if one certificate is being exported.
          -w          Specifies that private keys are to be wrapped on
                      export.
          -p          Specifies that PEM armour is to be applied to the
                      output data.
          -P passphrase
                      Specify the wrapping passphrase immediately. The
                      default is to obtain a secure passphrase via GUI.
          -o outfile  Write the output data to outfile. Default is to write
                      data to stdout.

          Examples
               security> export -k login.keychain -t certs -o /tmp/certs.pem
               security> export -k newcert.keychain -t identities -f pkcs12 -o /tmp/mycerts.p12

     import inputfile [-k keychain] [-t type] [-f format] [-w] [-P passphrase]
              [options...]
          Import one or more items from inputfile into a keychain. If
          keychain isn't provided, items will be imported into the user's
          default keychain. Options:

          -k keychain Specify keychain into which item(s) will be imported.
          -t type     Specify the type of items to import. Possible types are
                      cert, pub, priv, session, and agg. Pub, priv, and
                      session refer to keys; agg is one of the aggregate
                      types (pkcs12 and PEM sequence). The command can often
                      figure out what itemtype an item contains based on the
                      filename and/or itemformat.
          -f format   Specify the format of the imported data. Possible
                      formats are openssl, bsafe, raw, pkcs7, pkcs8, pkcs12,
                      x509, openssh1, openssh2, and pemseq. The command can
                      often figure out what format an item is in based on the
                      filename and/or itemtype.
          -w          Specify that private keys are wrapped and must be
                      unwrapped on import.
          -x          Specify that private keys are non-extractable after
                      being imported.
          -P passphrase
                      Specify the unwrapping passphrase immediately. The
                      default is to obtain a secure passphrase via GUI.
          -a attrName attrValue
                      Specify optional extended attribute name and value. Can
                      be used multiple times. This is only valid when
                      importing keys.
          -A          Allow any application to access the imported key
                      without warning (insecure, not recommended!)
          -T appPath  Specify an application which may access the imported
                      key (multiple -T options are allowed)

          Examples
               security> import /tmp/certs.pem -k
               security> import /tmp/mycerts.p12 -t agg -k newcert.keychain
               security> import /tmp/mycerts.p12 -f pkcs12 -k newcert.keychain

     cms [-C|-D|-E|-S] [options...]
          Encode or decode CMS messages.

          -C          create a CMS encrypted message
          -D          decode a CMS message
          -E          create a CMS enveloped message
          -S          create a CMS signed message

          Decoding options:
          -c content  use this detached content file
          -h level    generate email headers with info about CMS message
                      (output level >= 0)
          -n          suppress output of content

          Encoding options:
          -r id,...   create envelope for comma-delimited list of recipients,
                      where id can be a certificate nickname or email address
          -G          include a signing time attribute
          -H hash     hash = MD2|MD4|MD5|SHA1|SHA256|SHA384|SHA512
                      (default: SHA1)
          -N nick     use certificate named "nick" for signing
          -P          include a SMIMECapabilities attribute
          -T          do not include content in CMS message
          -Y nick     include an EncryptionKeyPreference attribute with
                      certificate (use "NONE" to omit)
          -Z hash     find a certificate by subject key ID

          Common options:
          -e envelope specify envelope file (valid with -D or -E)
          -k keychain specify keychain to use
          -i infile   use infile as source of data (default: stdin)
          -o outfile  use outfile as destination of data (default: stdout)
          -p password use password as key db password (default: prompt)
          -s          pass data a single byte at a time to CMS
          -u certusage
                      set type of certificate usage (default:
                      certUsageEmailSigner)
          -v          print debugging information

          Cert usage codes:
               0  - certUsageSSLClient
               1  - certUsageSSLServer
               2  - certUsageSSLServerWithStepUp
               3  - certUsageSSLCA
               4  - certUsageEmailSigner
               5  - certUsageEmailRecipient
               6  - certUsageObjectSigner
               7  - certUsageUserCertImport
               8  - certUsageVerifyCA
               9  - certUsageProtectedObjectSigner
               10 - certUsageStatusResponder
               11 - certUsageAnyCA

     install-mds
          Install (or re-install) the Module Directory Services (MDS)
          database. This is a system tool which is not normally used by
          users. There are no options.

     add-trusted-cert [-d] [-r resultType] [-p policy] [-a appPath]
              [-s policyString] [-e allowedError] [-u keyUsage] [-k keychain]
              [-i settingsFileIn] [-o settingsFileOut] [-D] certFile
          Add certificate (in DER or PEM format) from certFile to per-user or
          local Admin Trust Settings. When modifying per-user Trust Settings,
          user authentication is required via an authentication dialog. When
          modifying admin Trust Settings, the process must be running as
          root, or admin authentication is required. Options:

          -d          Add to admin cert store; default is user.
          -r resultType
                      resultType = trustRoot|trustAsRoot|deny|unspecified;
                      default is trustRoot.
          -p policy   Specify policy constraint (ssl, smime, codeSign, IPSec,
                      iChat, basic, swUpdate, pkgSign, pkinitClient,
                      pkinitServer, eap).
          -a appPath  Specify application constraint.
          -s policyString
                      Specify policy-specific string.
          -e allowedError
                      Specify allowed error (an integer value, or one of:
                      certExpired, hostnameMismatch)
          -u keyUsage Specify key usage, an integer.
          -k keychain Specify keychain to which cert is added.
          -i settingsFileIn
                      Input trust settings file; default is user domain.
          -o settingsFileOut
                      Output trust settings file; default is user domain.
          -D          Add default setting instead of per-cert setting. No
                      certFile is specified when using this option.

          Examples
               security> add-trusted-cert /tmp/cert.der
               security> add-trusted-cert -d .tmp/cert.der

     remove-trusted-cert [-d] [-D] certFile
          Remove certificate (in DER or PEM format) in certFile from per-user
          or local Admin Trust Settings. When modifying per-user Trust
          Settings, user authentication is required via an authentication
          dialog. When modifying admin Trust Settings, the process must be
          running as root, or admin authentication is required. Options:

          -d          Remove from admin cert store; default is user.
          -D          Remove Default Root Cert setting instead of an actual
                      cert setting. No certFile is specified when using this
                      option.

     dump-trust-settings [-s] [-d]
          Display Trust Settings. Options:

          -s          Display trusted system certs; default is user.
          -d          Display trusted admin certs; default is user.

     user-trust-settings-enable [-d] [-e]
          Display or manipulate user-level Trust Settings. With no arguments,
          shows the current state of the user-level Trust Settings enable.
          Otherwise enables or disables user-level Trust Settings. Options:

          -d          Disable user-level Trust Settings.
          -e          Enable user-level Trust Settings.

     trust-settings-export [-s] [-d] settingsfile
          Export Trust Settings to the specified file. Options:

          -s          Export system Trust Settings; default is user.
          -d          Export admin Trust Settings; default is user.

     trust-settings-import [-d] settingsfile
          Import Trust Settings from the specified file. When modifying
          per-user Trust Settings, user authentication is required via an
          authentication dialog. When modifying admin Trust Settings, the
          process must be running as root, or admin authentication is
          required. Options:

          -d          Import admin Trust Settings; default is user.

     verify-cert [-c certFile] [-r rootCertFile] [-p policy] [-k keychain]
              [-n] [-l] [-e emailAddress] [-s sslHost] [-q]
          Verify one or more certificates. Options:

          -c certFile Certificate to verify, in DER or PEM format. Can be
                      specified more than once; leaf certificate has to be
                      specified first.
          -r rootCertFile
                      Root certificate, in DER or PEM format. Can be
                      specified more than once. If not specified, the system
                      anchor certificates are used. If one root certificate
                      is specified, and zero (non-root) certificates are
                      specified, the root certificate is verified against
                      itself.
          -p policy   Specify verification policy (ssl, smime, codeSign,
                      IPSec, iChat, basic, swUpdate, pkgSign, pkinitClient,
                      pkinitServer, eap). Default is basic.
          -k keychain Keychain to search for intermediate certs. Can be
                      specified multiple times. Default is the current
                      user's keychain search list.
          -n          Avoid searching any keychains.
          -l          Specifies that the leaf certificate is a CA cert. By
                      default, a leaf certificate with a Basic Constraints
                      extension with the CA bit set fails verification.
          -e emailAddress
                      Specify email address for the smime policy.
          -s sslHost  Specify SSL host name for the ssl policy.
          -q          Quiet, no stdout or stderr.

          Examples
               security> verify-cert -c applestore0.cer -c applestore1.cer -p ssl -s store.apple.com
               security> verify-cert -r serverbasic.crt

     authorize [-updPliew] [right...]
          Authorize requested right(s). The extend-rights flag will be passed
          by default. Options:

          -u          Allow user interaction.
          -p          Allow returning partial rights.
          -d          Destroy acquired rights.
          -P          Pre-authorize rights only.
          -l          Operate authorization in least privileged mode.
          -i          Internalize authref passed on stdin.
          -e          Externalize authref to stdout
          -w          Wait while holding AuthorizationRef until stdout is
                      closed. This will allow client to read externalized
                      AuthorizationRef from pipe.

          Examples
               security> security authorize -ud my-right
                    Basic authorization of my-right.

               security> security -q authorize -uew my-right | security -q authorize -i my-right
                    Authorizing a right and passing it to another command as
                    a way to add authorization to shell scripts.

     authorizationdb read
     authorizationdb write [allow|deny|]
     authorizationdb remove
          Read/Modify authorization policy database. Without a rulename write
          will read a dictionary as a plist from stdin.

          Examples
               security> security authorizationdb read system.privilege.admin > /tmp/aewp-def
                    Read definition of system.privilege.admin right.

               security> security authorizationdb write system.preferences < /tmp/aewp-def
                    Set system.preferences to definition of
                    system.privilege.admin right.

               security> security authorizationdb write system.preferences authenticate-admin
                    Every change to preferences requires an Admin user to
                    authenticate.

     execute-with-privileges [args...]
          Execute tool with privileges. On success stdin will be read and
          forwarded to the tool.

     leaks [-h] [-cycles] [-nocontext] [-nostacks] [-exclude symbol]
          Run /usr/bin/leaks on this process. This can help find memory leaks
          after running certain commands. Options:

          -cycles     Use a stricter algorithm (See leaks(1) for details).
          -nocontext  Withhold the hex dumps of the leaked memory.
          -nostacks   Don't show stack traces of leaked memory.
          -exclude symbol
                      Ignore leaks called from symbol.

     error [-h] []
          Display an error string for the given security-related error code.
          The error can be in decimal or hex, e.g. 1234 or 0x1234. Multiple
          errors can be separated by spaces.

ENVIRONMENT
     MallocStackLogging
          When using the leaks command or the -l option it's probably a good
          idea to set this environment variable before security is started.
          Doing so will allow leaks to display symbolic backtraces.

FILES
     ~/Library/Preferences/com.apple.security.plist
          Property list file containing the current user's default keychain
          and keychain search list.

     /Library/Preferences/com.apple.security.plist
          Property list file containing the system default keychain and
          keychain search list. This is used by processes started at boot
          time, or those requesting to use the system search domain, such as
          system daemons.

     /Library/Preferences/com.apple.security-common.plist
          Property list file containing the common keychain search list,
          which is appended to every user's search list and to the system
          search list.

SEE ALSO
     certtool(1), leaks(1)

HISTORY
     security was first introduced in Mac OS X version 10.3.

BUGS
     security still needs more commands before it can be considered
     complete. In particular, it should someday supersede both the certtool
     and systemkeychain commands.

Darwin                        December 21, 2019                        Darwin



