Read a "secure note" by command line

By using the GUI, I have created several so-called "secure notes" in my keychain, containing private information (bank account numbers, etc).

Now, I would like to read them by CLI, via SSH. But I struggle to do this.

The best I can do is a partial dump of my keychain, by using :

$ security dump-keychain

...
keychain: "/Users/LOGIN/Library/Keychains/login.keychain"
class: "genp"
attributes:
0x00000007 <blob>="NAME OF THE NOTE"
0x00000008 <blob>=<NULL>
"acct"<blob>=<NULL>
"cdat"<timedate>=0x32303038303330343233313035325A00 "20080304231052Z\000"
"crtr"<uint32>=<NULL>
"cusi"<sint32>=<NULL>
"desc"<blob>=0x6E6F74652073C3A96375726973C3A965 "note s\303\251curis\303\251e"
"gena"<blob>=<NULL>
"icmt"<blob>=<NULL>
"invi"<sint32>=<NULL>
"mdat"<timedate>=0x32303038303332343139303535355A00 "20080324190555Z\000"
"nega"<sint32>=<NULL>
"prot"<blob>=<NULL>
"scrp"<sint32>=<NULL>
"svce"<blob>="NAME OF THE NOTE"
"type"<uint32>="note"
...

So I can see the notes' data structure, but not the content. Ideally, I am looking for something that could dump on stdout the content of a given note, something like :

$ getnote.sh "My private note"
used password: **************
blablabla
content of the secure note
blablabla

Do you have any idea how to do this?

White iMac 24", Mac OS X (10.5.6), French system with X11

Posted on Feb 3, 2009 2:31 AM

5 replies

Feb 4, 2009 2:18 PM in response to Camelot

will return data about an IMAP account password stored in the keychain.

Yes, I can see that.

I did manage to get a dump of the secure notes with « security find-generic-password -g -s "exact case sensitive name of the note" ».

The remaining problems are :
- you must know the precise name of a note in order to get its dump : you cannot use wildcard or search for a note's name
- the command asks for access to the keychain via a GUI : cannot be used by CLI only

Any idea for improving this?

Feb 4, 2009 4:49 PM in response to LT-P

- you must know the precise name of a note in order to get its dump : you cannot use wildcard or search for a note's name


That doesn't surprise me. In theory a legitimate user would know what they're looking for. Someone on a phishing trip would need to use wildcards.

- the command asks for access to the keychain via a GUI : cannot be used by CLI only


Haven't tried it, but maybe you need to unlock the keychain first:

unlock-keychain [-hu] [-p password] [keychain]
Unlock keychain, or the default if none is specified.

Feb 5, 2009 2:00 AM in response to Camelot

Camelot wrote:
- you must know the precise name of a note in order to get its dump : you cannot use wildcard or search for a note's name


That doesn't surprise me. In theory a legitimate user would know what they're looking for. Someone on a phishing trip would need to use wildcards.

Maybe, but then this person would simply do « security dump-keychain -d » in order to get a full dump of the keychain, with plain text content of the secure notes and passwords.

For me, it looks like Apple didn't really finish the CLI tools for managing the keychain.

For the moment, I am thinking of parsing the keychain's dump, but that would be really cumbersome.

- the command asks for access to the keychain via a GUI : cannot be used by CLI only


Haven't tried it, but maybe you need to unlock the keychain first

Yes, that is necessary of course. I was already doing it.

The window I get is quite uncommon : it just says that the application « security » is asking to access the file « login.keychain »; both paths are given to the application and the file. The possible actions are 3 buttons : « Always accept », « Deny » and « Accept » (not sure about the English translation, my interface is in French; but you get the idea). The window doesn't ask for login/password, but only for a confirmation to allow access.

I am not able for the moment to switch to a pure CLI interaction, so this window is blocking the complete non-GUI access.
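
An added example, not written by any poster in this thread: a small parser for the attribute dump format quoted in the question, which lists secure-note names by wildcard so the exact name no longer has to be known in advance. It assumes secure notes are the items whose "type" attribute is "note", as in the dump above; `decode_value` and `find_notes` are hypothetical names and the sample dump is constructed.

```python
import fnmatch
import re

# Constructed sample in the format of the dump quoted in the question (not real data).
SAMPLE_DUMP = r'''keychain: "/Users/LOGIN/Library/Keychains/login.keychain"
class: "genp"
attributes:
    0x00000007 <blob>="Bank details"
    "svce"<blob>="Bank details"
    "type"<uint32>="note"
keychain: "/Users/LOGIN/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "svce"<blob>="mail.example.com"
    "type"<uint32>=<NULL>
keychain: "/Users/LOGIN/Library/Keychains/login.keychain"
class: "genp"
attributes:
    "svce"<blob>=0x436166C3A920636F6465 "Caf\303\251 code"
    "type"<uint32>="note"
'''

ATTR = re.compile(r'^\s*(?:"(\w+)"|(0x[0-9A-Fa-f]+) )<\w+>=(.*)$')
HEXVAL = re.compile(r'^0x([0-9A-Fa-f]+)\s+"')

def decode_value(raw):
    raw = raw.strip()
    if raw == "<NULL>":
        return None
    m = HEXVAL.match(raw)
    if m:  # non-ASCII blobs are printed as hex followed by an octal-escaped string
        return bytes.fromhex(m.group(1)).decode("utf-8", "replace").rstrip("\x00")
    return raw[1:-1] if raw[:1] == raw[-1:] == '"' and len(raw) > 1 else raw

def find_notes(text, pattern="*"):
    """Names ("svce") of items whose "type" is "note", matched case-insensitively."""
    items = []
    for line in text.splitlines():
        m = ATTR.match(line)
        if line.startswith("keychain:"):  # each item starts with its keychain path
            items.append({})
        elif m and items:
            items[-1][m.group(1) or m.group(2)] = decode_value(m.group(3))
    return [i["svce"] for i in items
            if i.get("type") == "note" and i.get("svce")
            and fnmatch.fnmatchcase(i["svce"].lower(), pattern.lower())]

if __name__ == "__main__":
    import sys
    print("\n".join(find_notes(sys.stdin.read(), *sys.argv[1:2])))
```

Pipe the output of `security dump-keychain` (without `-d`, so only attributes are parsed and no note content) into the script with a wildcard argument, then pass an exact name it prints to `security find-generic-password -g -s`.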
