Enumerate all certificates in Mac Keychain and compare creation/expiry dates

I'm trying to write a script that will list all installed certificates in the keychain and compare them to the creation/expiration dates of certificates from the Apple dev portal.

I've looked at the documentation for security ( https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html ) and openssl, but I can't seem to pass a cert from one to the other.

The alternative is to use the Security.framework directly, but I don't see any obvious method for dumping the creation/expiry dates for certificates.

Any guidance?

ray asked Nov 13 '16 22:11


1 Answer

At the command line, I think you could do security find-certificate -a -p and then split up the returned PEM-encoded certificates to feed them to openssl x509 -inform PEM ... one by one.

In code, you can enumerate certificates using SecItemCopyMatching with kSecClass=kSecClassCertificate and kSecMatchLimit=kSecMatchLimitAll. You might be able to get the certificate's expiration date using SecCertificateCopyValues(), but if not, you could get the certificate itself (as a DER-encoded blob) using SecCertificateCopyData() and pipe it to openssl x509 -inform DER ...

wiml answered Sep 21 '22 10:09
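The command-line approach from the answer, worked through as an added example (not code from the question or the answer): a POSIX sh function that reads the concatenated PEM output of security find-certificate -a -p on stdin, splits it at each END CERTIFICATE marker, and prints one line per certificate with its subject, notBefore/notAfter, and whether it expires within a given number of days. It assumes only that openssl (or macOS's LibreSSL-based openssl) is on PATH; the function name and the warning threshold are my own choices.

```shell
#!/bin/sh
# Usage on macOS:  security find-certificate -a -p | list_cert_dates 30
# Any other PEM bundle (e.g. a file with several certs) works the same way.
# Prints: STATUS<TAB>subject=...<TAB>notBefore=... notAfter=...
list_cert_dates() {
    warn_days=${1:-30}                  # flag certs expiring within N days
    warn_secs=$((warn_days * 86400))
    pem=''
    # Accumulate lines until the END marker, then hand that one cert to openssl.
    # The "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        pem="${pem}${line}
"
        case $line in
            *'-----END CERTIFICATE-----'*)
                subject=$(printf '%s' "$pem" | openssl x509 -noout -subject)
                dates=$(printf '%s' "$pem" | openssl x509 -noout -dates | tr '\n' ' ')
                # -checkend exits 0 when the cert is still valid N seconds from now,
                # so the expiry comparison is done by openssl, not by date(1),
                # which differs between macOS (BSD) and GNU.
                if printf '%s' "$pem" | openssl x509 -noout -checkend "$warn_secs" >/dev/null; then
                    status=OK
                else
                    status="EXPIRES_WITHIN_${warn_days}d"
                fi
                printf '%s\t%s\t%s\n' "$status" "$subject" "$dates"
                pem=''
                ;;
        esac
    done
}
```

Text before a BEGIN line (for example the non-PEM attributes that security prints without -p) is ignored by openssl x509, so the splitter does not need to strip it.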