Enumerate all certificates in Mac Keychain and compare creation/expiry dates
I'm trying to write a script that will list all installed certificates in the keychain and compare them to the creation/expiration dates of certificates from the Apple dev portal.

I've looked at the documentation for security ( https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html ) and openssl, but I can't seem to pass a cert from one to the other.

The alternative is to use the Security.framework directly, but I don't see any obvious method for dumping the creation/expiry dates for certificates.

Any guidance?

Technocracy answered 13/11, 2016 at 22:54 Comment(2)
Check the source code for Keychain Dumper. You can usually find it around iOS jailbreak utilities used by pentesters. (Cathrine)
The source code seems to do the same as security find-certificate, where it dumps the values you can see on the command line. No dates. (Technocracy)

At the command line, I think you could do security find-certificate -a -p and then split up the returned PEM-encoded certificates to feed them to openssl x509 -inform PEM .... one by one.

In code, you can enumerate certificates using SecItemCopyMatching with kSecClass=kSecClassCertificate and kSecMatchLimit=kSecMatchLimitAll. You might be able to get the certificate's expiration date using SecCertificateCopyValues(), but if not, you could get the certificate itself (as a DER-encoded blob) using SecCertificateCopyData() and pipe it to openssl x509 -inform DER .....

Clamp answered 30/11, 2016 at 2:47 Comment(0)
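The command-line route from the answer above, written out as an added example (not the answerer's code): split the PEM output of `security find-certificate -a -p` into one certificate per file, then report each certificate's subject and validity window with `openssl x509`, flagging anything that ends within a configurable window. It assumes only the `security` and `openssl` CLIs; the `-checkend` check and the 30-day default threshold are my additions.

```sh
#!/bin/sh
# Added example: enumerate keychain certificates as PEM, split them, and
# print each one's validity dates with openssl. Assumes the `security` and
# `openssl` CLIs from the answer above; WARN_SECONDS is an assumed knob.

# split_pem DIR: read concatenated PEM certificates on stdin and write one
# file per certificate (cert-1.pem, cert-2.pem, ...) into DIR. Lines outside
# BEGIN/END markers are ignored. Prints the number of certificates written.
split_pem() {
  dir=$1
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
    inblock                       { print > out }
    /-----END CERTIFICATE-----/   { close(out); inblock = 0 }
    END                           { print n + 0 }
  '
}

# cert_dates FILE: print "subject | notBefore | notAfter | status" for one
# PEM certificate. status is EXPIRING when the certificate ends within
# WARN_SECONDS (default 30 days), otherwise OK. -checkend exits non-zero
# when the certificate will expire within the given number of seconds.
cert_dates() {
  file=$1
  warn=${WARN_SECONDS:-2592000}
  subject=$(openssl x509 -in "$file" -noout -subject)
  start=$(openssl x509 -in "$file" -noout -startdate)
  end=$(openssl x509 -in "$file" -noout -enddate)
  if openssl x509 -in "$file" -noout -checkend "$warn" >/dev/null; then
    status=OK
  else
    status=EXPIRING
  fi
  printf '%s | %s | %s | %s\n' \
    "${subject#subject=}" "${start#notBefore=}" "${end#notAfter=}" "$status"
}

# keychain_cert_report: dump every certificate in the keychain search list
# and report each one, then clean up the temporary PEM files.
keychain_cert_report() {
  tmp=$(mktemp -d)
  count=$(security find-certificate -a -p | split_pem "$tmp")
  i=1
  while [ "$i" -le "$count" ]; do
    cert_dates "$tmp/cert-$i.pem"
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

# Run as: sh keychain-certs.sh --report
case "${1:-}" in --report) keychain_cert_report ;; esac
```

Pipe the report through `sort -t '|' -k3` to order it by expiry, or set `WARN_SECONDS` to match the lead time you want before a certificate from the dev portal lapses.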