Did not see anyone answer your question above, so here goes...
You can, ironically, use the 'security' tool for this... "/usr/bin/security" and leverage the 'cms' (Cryptographic Message Syntax) option.
... you will get the usage for "cms". Note the use of input and output files for this...
Usage: cms [-D|-S|-E] [<options>] [-d dbdir] [-u certusage]
-D decode a CMS message
-c content use this detached content
-n suppress output of content
-h num generate email headers with info about CMS message
-S create a CMS signed message
-G include a signing time attribute
-H hash use hash (default:SHA1)
-N nick use certificate named "nick" for signing
-P include a SMIMECapabilities attribute
-T do not include content in CMS message
-Y nick include a EncryptionKeyPreference attribute with cert
(use "NONE" to omit)
-E create a CMS enveloped message (NYI)
-r id,... create envelope for these recipients,
where id can be a certificate nickname or email address
-k keychain keychain to use
-i infile use infile as source of data (default: stdin)
-o outfile use outfile as destination of data (default: stdout)
-p password use password as key db password (default: prompt)
-s pass in data single byte at a time to cms layer
-u certusage set type of certificate usage (default: certUsageEmailSigner)
-v print debugging information
Cert usage codes:
0 - certUsageSSLClient
1 - certUsageSSLServer
2 - certUsageSSLServerWithStepUp
3 - certUsageSSLCA
4 - certUsageEmailSigner
5 - certUsageEmailRecipient
6 - certUsageObjectSigner
7 - certUsageUserCertImport
8 - certUsageVerifyCA
9 - certUsageProtectedObjectSigner
10 - certUsageStatusResponder
11 - certUsageAnyCA
Manipulate cms messages.
Of course, there is also the ever present 'openssl' command as well....