Use security to get a list of Keys in Keychain based on type

applescript keychain script security

I'm successfully using security to fetch keys from my Keychain via their label, e.g.:

security find-generic-password -l "PDF Encryption"

However, I'm trying to build a UI that offers me a CHOICE of keys to decrypt. Specifically, I'm only interested in the keys that I MANUALLY ADDED via Keychain Access. These show the Kind: Application Password when viewed in Keychain Access:


Unfortunately, I can't seem to come up with any command/filter/search to come up with this list. When I specifically call one out via label, or use dump keychain, I see the following data for each key:

keychain: "/Users/jay/Library/Keychains/vault.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="PDF Encryption"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="PDF Encryption"
    "cdat"<timedate>=0x32303137313030323032333433385A00  "20171002023438Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>=<NULL>
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303137313030323032333433385A00  "20171002023438Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="PDF Encryption"
    "type"<uint32>=<NULL>

Unfortunately, it looks like every bit of data except for account and service are set to NULL. But, I don't seem to be able to search via NULL.

Is there any direct way to get a list of these keys?

Best Answer

It looks like the answer here is as close as I can get, which is to use dump-keychain and filter by 0x00000007:

security dump-keychain | awk -F= '/0x00000007/ {print $2}'

It includes more than just Application Passwords, but it's definitely a more workable subset, and I can filter out a blacklist with grep -v.
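An added example, not part of the original post: it goes one step past the label-only filter by parsing each dumped item and keeping only those with class "genp" and a NULL "desc". That this combination approximates the items Keychain Access shows as "Application Password" is an assumption, and the function names `list_plain_genp_labels` and `sample_dump` are hypothetical.

```shell
# Added example: reads `security dump-keychain` text on stdin and prints the
# label (0x00000007) of each generic-password item whose "desc" is <NULL>.
# Assumption: class "genp" + empty "desc" approximates "Application Password".
list_plain_genp_labels() {
    awk '
    function emit() {
        if (cls == "genp" && desc_null && label != "") print label
        cls = ""; label = ""; desc_null = 0
    }
    /^keychain: / { emit(); next }            # each item starts with this line
    /^class: /    { cls = $2; gsub(/"/, "", cls); next }
    /^[ \t]*0x00000007 <blob>=/ {
        label = $0
        sub(/^[^=]*=/, "", label)             # cut at the first "=" only
        sub(/^0x[0-9A-Fa-f]+[ \t]+/, "", label)   # hex prefix, if one is shown
        if (label == "<NULL>") label = ""
        sub(/^"/, "", label); sub(/"$/, "", label)
        next
    }
    /^[ \t]*"desc"<blob>=<NULL>/ { desc_null = 1 }
    END { emit() }
    '
}

# Constructed sample (not real data), abridged to the lines the filter reads.
sample_dump() {
    cat <<'EOF'
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "genp"
    0x00000007 <blob>="PDF Encryption"
    "desc"<blob>=<NULL>
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "genp"
    0x00000007 <blob>="Example Wi-Fi"
    "desc"<blob>="AirPort network password"
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "inet"
    0x00000007 <blob>="example.com"
    "desc"<blob>=<NULL>
keychain: "/Users/example/Library/Keychains/login.keychain-db"
class: "genp"
    0x00000007 <blob>="Zip=Archive"
    "desc"<blob>=<NULL>
EOF
}

sample_dump | list_plain_genp_labels
```

On a real system, pipe `security dump-keychain` into `list_plain_genp_labels` in place of `sample_dump`. Unlike splitting on `=` with `awk -F=`, a label that itself contains `=` is printed whole.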