wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 834741, landing final NSPR 4.9.5 and final NSS 3.14.2, r=wtc.

Browse Source 
Keeping the locally applied patch, but bumping its version tag, to indicate it hasn't been part of an official NSS release yet.
This commit is contained in:
Kai Engert 2013-02-01 00:31:20 +01:00
parent ab09fb1d90
commit 62c0f4c74d
28 changed files with 5400 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nsprpub/TAG-INFO
View File

@ -1 +1 @@
NSPR_4_9_5_BETA2
NSPR_4_9_5_RTM

4
nsprpub/pr/include/prinit.h
View File

@ -31,11 +31,11 @@ PR_BEGIN_EXTERN_C
** The format of the version string is
** "<major version>.<minor version>[.<patch level>] [<Beta>]"
*/
#define PR_VERSION "4.9.5 Beta"
#define PR_VERSION "4.9.5"
#define PR_VMAJOR 4
#define PR_VMINOR 9
#define PR_VPATCH 5
#define PR_BETA PR_TRUE
#define PR_BETA PR_FALSE
/*
** PRVersionCheck

9
nsprpub/pr/src/linking/prlink.c
View File

@ -959,12 +959,19 @@ PR_UnloadLibrary(PRLibrary *lib)
int result = 0;
PRStatus status = PR_SUCCESS;
if ((lib == 0) || (lib->refCount <= 0)) {
if (lib == 0) {
PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
return PR_FAILURE;
}
PR_EnterMonitor(pr_linker_lock);
if (lib->refCount <= 0) {
PR_ExitMonitor(pr_linker_lock);
PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);
return PR_FAILURE;
}
if (--lib->refCount > 0) {
PR_LOG(_pr_linker_lm, PR_LOG_MIN,
("%s decr => %d",

2
security/nss/TAG-INFO
View File

@ -1 +1 @@
NSS_3_14_2_BETA3
NSS_3_14_2_RTM

2
security/nss/TAG-INFO-CKBI
View File

@ -1 +1 @@
NSS_3_14_2_BETA3
NSS_3_14_2_RTM

82
security/nss/doc/Makefile Normal file
View File

@ -0,0 +1,82 @@
#! gmake
#
# Creates man pages for the NSS security tools
#
# pk12util, certutil, modutil, ssltap,
# signtool, signver, cmsutil, crlutil,
# derdump, pp, vfychain, vfyserv
#
.SUFFIXES: .html .txt .1 .xml
COMPILE.1 = xmlto -o nroff man
COMPILE.html = xmlto -o html html
# the name of the tar ball
name = nss-man
date = `date +"%Y%m%d"`
all: prepare all-man all-html
prepare: date-and-version
mkdir -p html
mkdir -p nroff
clean:
rm -f date.xml version.xml *.tar.bz2
rm -fr $(name) ascii html nroff
date-and-version: date.xml version.xml
date.xml:
date +"%e %B %Y" | tr -d '\n' > $@
version.xml:
echo -n ${VERSION} > $@
.PHONY : $(MANPAGES)
.PHONY : $(HTMLPAGES)
.PHONY : $(TXTPAGES)
#------------------------------------------
# Package a tar ball for building in fedora
# Include the makefile and .xml files only
# man pages will be created at build time
#------------------------------------------
tarball:
rm -rf $(name); \
mkdir -p $(name)/nroff; \
cp Makefile $(name); \
cp *.xml $(name); \
tar cvjf $(name)-$(date).tar.bz2 $(name)
#--------------------------------------------------------
# manpages
#--------------------------------------------------------
%.1 : %.xml prepare
$(COMPILE.1) $<
MANPAGES = \
certutil.1 cmsutil.1 crlutil.1 pk12util.1 \
modutil.1 ssltap.1 derdump.1 signtool.1 signver.1 \
pp.1 vfychain.1 vfyserv.1
all-man: prepare $(MANPAGES)
#--------------------------------------------------------
# html pages
#--------------------------------------------------------
%.html : %.xml
$(COMPILE.html) $<
mv html/index.html html/$@
HTMLPAGES = \
certutil.html cmsutil.html crlutil.html pk12util.html modutil.html \
ssltap.html derdump.html signtool.html signver.html pp.html \
vfychain.html vfyserv.html
all-html: prepare $(HTMLPAGES)

7
security/nss/doc/README Normal file
View File

@ -0,0 +1,7 @@
A convenient tool to edit these files is
https://sourceforge.net/projects/xml-copy-editor/
Assuming the documentation text will remain plain US-ASCII,
please disable the option
"Save UTF-8 byte order mark".

1128
security/nss/doc/certutil.xml Normal file
View File

File diff suppressed because it is too large Load Diff

278
security/nss/doc/cmsutil.xml Normal file
View File

@ -0,0 +1,278 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="cmsutil">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>CMSUTIL</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>cmsutil</refname>
<refpurpose>Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>cmsutil</command>
<arg><replaceable>options</replaceable></arg>
<arg>[<replaceable>arguments</replaceable>]</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
<title>STATUS</title>
<para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
</para>
</refsection>
<refsection id="description">
<title>Description</title>
<para>The <command>cmsutil</command> command-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.
</para>
<para>
To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section.
Each command takes one option. Each option may take zero or more arguments.
To see a usage string, issue the command without options.
</para>
</refsection>
<refsection id="options">
<title>Options and Arguments</title>
<para>
</para>
<para><command>Options</command></para>
<para>
Options specify an action. Option arguments modify an action.
The options and arguments for the cmsutil command are defined as follows:
</para>
<variablelist>
<varlistentry>
<term>-D </term>
<listitem><para>Decode a message.</para></listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem><para>Encrypt a message.</para></listitem>
</varlistentry>
<varlistentry>
<term>-E </term>
<listitem><para>Envelope a message.</para></listitem>
</varlistentry>
<varlistentry>
<term>-O </term>
<listitem><para>Create a certificates-only message.</para></listitem>
</varlistentry>
<varlistentry>
<term>-S </term>
<listitem><para>Sign a message.</para></listitem>
</varlistentry>
</variablelist>
<para><command>Arguments</command></para>
<para>Option arguments modify an action and are lowercase.</para>
<variablelist>
<varlistentry>
<term>-c content </term>
<listitem>
<para>Use this detached content (decode only).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d dbdir</term>
<listitem>
<para>Specify the key/certificate database directory (default is ".")</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e envfile</term>
<listitem>
<para>Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>Include a signing time attribute (sign only).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h num</term>
<listitem>
<para>Generate email headers with info about CMS message (decode only).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i infile</term>
<listitem>
<para>Use infile as a source of data (default is stdin).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-N nickname</term>
<listitem>
<para>Specify nickname of certificate to sign with (sign only).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n </term>
<listitem>
<para>Suppress output of contents (decode only).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-o outfile</term>
<listitem>
<para>Use outfile as a destination of data (default is stdout).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-P</term>
<listitem>
<para>Include an S/MIME capabilities attribute.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p password</term>
<listitem>
<para>Use password as key database password.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r recipient1,recipient2, ...</term>
<listitem>
<para>
Specify list of recipients (email addresses) for an encrypted or enveloped message.
For certificates-only message, list of certificates to send.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T</term>
<listitem>
<para>Suppress content in CMS message (sign only).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u certusage</term>
<listitem>
<para>Set type of cert usage (default is certUsageEmailSigner).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-Y ekprefnick</term>
<listitem>
<para>Specify an encryption key preference by nickname.</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection id="usage">
<title>Usage</title>
<para>Encrypt Example</para>
<programlisting>
cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, . . ." -e envfile
</programlisting>
<para>Decode Example</para>
<programlisting>
cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num]
</programlisting>
<para>Envelope Example</para>
<programlisting>
cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, ..."
</programlisting>
<para>Certificate-only Example</para>
<programlisting>
cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ."
</programlisting>
<para>Sign Message Example</para>
<programlisting>
cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick]
</programlisting>
</refsection>
<refsection>
<title>See also</title>
<para>certutil(1)</para>
</refsection>
<refsection id="seealso">
<title>See Also</title>
<para></para>
<para>
</para>
<para>
</para>
<para>
</para>
</refsection>
<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
</para>
</refsection>
</refentry>

536
security/nss/doc/crlutil.xml Normal file
View File

@ -0,0 +1,536 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="crlutil">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>CRLUTIL</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>crlutil</refname>
<refpurpose>
List, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL.
</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>crlutil</command>
<arg><replaceable>options</replaceable></arg>
<arg>[<replaceable>arguments</replaceable>]</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
<title>STATUS</title>
<para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
</para>
</refsection>
<refsection id="description">
<title>Description</title>
<para>The Certificate Revocation List (CRL) Management Tool, <command>crlutil</command>, is a command-line utility that can list, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL.
</para>
<para>
The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database(see certutil tool) and continues with certificates expiration or revocation.
</para>
<para>
This document discusses certificate revocation list management. For information on security module database management, see Using the Security Module Database Tool. For information on certificate and key database management, see Using the Certificate Database Tool.
</para>
<para>
To run the Certificate Revocation List Management Tool, type the command
</para>
<para>
crlutil option [arguments]
</para>
<para>
where options and arguments are combinations of the options and arguments listed in the following section. Each command takes one option. Each option may take zero or more arguments. To see a usage string, issue the command without options, or with the -H option.
</para>
</refsection>
<refsection id="options">
<title>Options and Arguments</title>
<para>
</para>
<para><command>Options</command></para>
<para>
Options specify an action. Option arguments modify an action.
The options and arguments for the crlutil command are defined as follows:
</para>
<variablelist>
<varlistentry>
<term>-G </term>
<listitem>
<para>
Create new Certificate Revocation List(CRL).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D </term>
<listitem>
<para>
Delete Certificate Revocation List from cert database.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I </term>
<listitem>
<para>
Import a CRL to the cert database
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E </term>
<listitem>
<para>
Erase all CRLs of specified type from the cert database
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L </term>
<listitem>
<para>
List existing CRL located in cert database file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-S </term>
<listitem>
<para>
Show contents of a CRL file which isn't stored in the database.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-M </term>
<listitem>
<para>
Modify existing CRL which can be located in cert db or in arbitrary file. If located in file it should be encoded in ASN.1 encode format.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-G </term>
<listitem>
<para>
</para>
</listitem>
</varlistentry>
</variablelist>
<para><command>Arguments</command></para>
<para>Option arguments modify an action and are lowercase.</para>
<variablelist>
<varlistentry>
<term>-B </term>
<listitem>
<para>
Bypass CA signature checks.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-P dbprefix </term>
<listitem>
<para>
Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a </term>
<listitem>
<para>
Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c crl-gen-file </term>
<listitem>
<para>
Specify script file that will be used to control crl generation/modification. See crl-cript-file format below. If options -M|-G is used and -c crl-script-file is not specified, crlutil will read script data from standard input.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d directory </term>
<listitem>
<para>
Specify the database directory containing the certificate and key database files. On Unix the Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape). On Windows NT the default is the current directory.
</para>
<para>
The NSS database files must reside in the same directory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i crl-file </term>
<listitem>
<para>
Specify the file which contains the CRL to import or show.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f password-file </term>
<listitem>
<para>
Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l algorithm-name </term>
<listitem>
<para>
Specify a specific signature algorithm. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n nickname </term>
<listitem>
<para>
Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-o output-file </term>
<listitem>
<para>
Specify the output file name for new CRL. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t crl-type </term>
<listitem>
<para>
Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 - SEC_CRL_TYPE. This option is obsolete
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-u url </term>
<listitem>
<para>
Specify the url.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection id="syntax">
<title>CRL Generation script syntax</title>
<para>CRL generation script file has the following syntax:</para>
<para>
* Line with comments should have # as a first symbol of a line</para>
<para>
* Set "this update" or "next update" CRL fields:
</para>
<para>
update=YYYYMMDDhhmmssZ
nextupdate=YYYYMMDDhhmmssZ
</para>
<para>
Field "next update" is optional. Time should be in GeneralizedTime format (YYYYMMDDhhmmssZ).
For example: 20050204153000Z
</para>
<para>* Add an extension to a CRL or a crl certificate entry:</para>
<para>addext extension-name critical/non-critical [arg1[arg2 ...]]</para>
<para>Where:</para>
<para>
extension-name: string value of a name of known extensions.
critical/non-critical: is 1 when extension is critical and 0 otherwise.
arg1, arg2: specific to extension type extension parameters
</para>
<para>
addext uses the range that was set earlier by addcert and will install an extension to every cert entries within the range.
</para>
<para>
* Add certificate entries(s) to CRL:
</para>
<para>
addcert range date
</para>
<para>
range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter.
date: revocation date of a cert. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
</para>
<para>
* Remove certificate entry(s) from CRL
</para>
<para>
rmcert range
</para>
<para>
Where:
</para>
<para>
range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter.
</para>
<para>
* Change range of certificate entry(s) in CRL
</para>
<para>
range new-range
</para>
<para>
Where:
</para>
<para>
new-range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter.
</para>
<para>
Implemented Extensions
</para>
<para>
The extensions defined for CRL provide methods for associating additional attributes with CRLs of theirs entries. For more information see RFC #3280
</para>
<para>
* Add The Authority Key Identifier extension:
</para>
<para>
The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL.
</para>
<para>
authKeyId critical [key-id | dn cert-serial]
</para>
<para>
Where:
</para>
<para>
authKeyIdent: identifies the name of an extension
critical: value of 1 of 0. Should be set to 1 if this extension is critical or 0 otherwise.
key-id: key identifier represented in octet string. dn:: is a CA distinguished name cert-serial: authority certificate serial number.
</para>
<para>
* Add Issuer Alternative Name extension:
</para>
<para>
The issuer alternative names extension allows additional identities to be associated with the issuer of the CRL. Defined options include an rfc822 name (electronic mail address), a DNS name, an IP address, and a URI.
</para>
<para>
issuerAltNames non-critical name-list
</para>
<para>
Where:
</para>
<para>
subjAltNames: identifies the name of an extension
should be set to 0 since this is non-critical extension
name-list: comma separated list of names
</para>
<para>
* Add CRL Number extension:
</para>
<para>
The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for a given CRL scope and CRL issuer. This extension allows users to easily determine when a particular CRL supersedes another CRL
</para>
<para>
crlNumber non-critical number
</para>
<para>
Where:
</para>
<para>
crlNumber: identifies the name of an extension
critical: should be set to 0 since this is non-critical extension
number: value of long which identifies the sequential number of a CRL.
</para>
<para>
* Add Revocation Reason Code extension:
</para>
<para>
The reasonCode is a non-critical CRL entry extension that identifies the reason for the certificate revocation.
</para>
<para>
reasonCode non-critical code
</para>
<para>
Where:
</para>
<para>
reasonCode: identifies the name of an extension
non-critical: should be set to 0 since this is non-critical extension
code: the following codes are available:
</para>
<para>
unspecified (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
removeFromCRL (8),
privilegeWithdrawn (9),
aACompromise (10)
</para>
<para>
* Add Invalidity Date extension:
</para>
<para>
The invalidity date is a non-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid.
</para>
<para>
invalidityDate non-critical date
</para>
<para>
Where:
</para>
<para>
crlNumber: identifies the name of an extension
non-critical: should be set to 0 since this is non-critical extension date: invalidity date of a cert. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
</para>
</refsection>
<refsection id="usage">
<title>Usage</title>
<para>
The Certificate Revocation List Management Tool's capabilities are grouped as follows, using these combinations of options and arguments. Options and arguments in square brackets are optional, those without square brackets are required.
</para>
<para>See "Implemented extensions" for more information regarding extensions and their parameters.</para>
<para>
* Creating or modifying a CRL:
</para>
<programlisting>
crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B]
</programlisting>
<para>
* Listing all CRls or a named CRL:
</para>
<programlisting>
crlutil -L [-n crl-name] [-d krydir]
</programlisting>
<para>
* Deleting CRL from db:
</para>
<programlisting>
crlutil -D -n nickname [-d keydir] [-P dbprefix]
</programlisting>
<para>
* Erasing CRLs from db:
</para>
<programlisting>
crlutil -E [-d keydir] [-P dbprefix]
</programlisting>
<para>
* Deleting CRL from db:
</para>
<programlisting>
crlutil -D -n nickname [-d keydir] [-P dbprefix]
</programlisting>
<para>
* Erasing CRLs from db:
</para>
<programlisting>
crlutil -E [-d keydir] [-P dbprefix]
</programlisting>
<para>
* Import CRL from file:
</para>
<programlisting>
crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B]
</programlisting>
</refsection>
<refsection>
<title>See also</title>
<para>certutil(1)</para>
</refsection>
<refsection id="seealso">
<title>See Also</title>
<para></para>
<para>
</para>
<para>
</para>
<para>
</para>
</refsection>
<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
</para>
</refsection>
</refentry>

98
security/nss/doc/derdump.xml Normal file
View File

@ -0,0 +1,98 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="derdump">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>DERDUMP</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>derdump </refname>
<refpurpose>Dumps C-sequence strings from a DER encoded certificate file</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>derdump</command>
<arg><option>-r</option></arg>
<arg><option>-i <replaceable>input-file</replaceable></option></arg>
<arg><option>-o <replaceable>output-file</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
<title>STATUS</title>
<para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
</para>
</refsection>
<refsection>
<title>Description</title>
<para><command>derdump </command>dumps C-sequence strings from a DER encode certificate file </para>
</refsection>
<refsection>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>-r </option></term>
<listitem><simpara>For formatted items, dump raw bytes as well</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-i </option> <replaceable>DER encoded file</replaceable></term>
<listitem><simpara>Define an input file to use (default is stdin)</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>-o </option> <replaceable>output file</replaceable></term>
<listitem><simpara>Define an output file to use (default is stdout).</simpara></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection id="resources">
<title>Additional Resources</title>
<para>NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <ulink url="http://pki.fedoraproject.org/wiki/">PKI Wiki</ulink>. </para>
<para>For information specifically about NSS, the NSS project wiki is located at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">Mozilla NSS site</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape and now with Red Hat.</para>
<para>
Authors: Gerhardus Geldenhuis &lt;gerhardus.geldenhuis@gmail.com>. Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com&gt;
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
</para>
</refsection>
</refentry>

761
security/nss/doc/modutil.xml Normal file
View File

@ -0,0 +1,761 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="modutil">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>MODUTIL</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>modutil</refname>
<refpurpose>Manage PKCS #11 module information within the security module database.</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>modutil</command>
<arg><replaceable>options</replaceable></arg>
<arg>[<replaceable>arguments</replaceable>]</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
<title>STATUS</title>
<para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
</para>
</refsection>
<refsection id="description">
<title>Description</title>
<para>The Security Module Database Tool, <command>modutil</command>, is a command-line utility for managing PKCS #11 module information both within <filename>secmod.db</filename> files and within hardware tokens. <command>modutil</command> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</para>
<para>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</para>
</refsection>
<refsection id="options">
<title>Options</title>
<para>
Running <command>modutil</command> always requires one (and only one) option to specify the type of module operation. Each option may take arguments, anywhere from none to multiple arguments.
</para>
<para><command>Options</command></para>
<variablelist>
<varlistentry>
<term>-add modulename</term>
<listitem><para>Add the named PKCS #11 module to the database. Use this option with the <option>-libfile</option>, <option>-ciphers</option>, and <option>-mechanisms</option> arguments.</para></listitem>
</varlistentry>
<varlistentry>
<term>-changepw tokenname</term>
<listitem><para>Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the <option>-pwfile</option> and <option>-newpwfile</option> arguments. A <emphasis>password</emphasis> is equivalent to a personal identification number (PIN).</para></listitem>
</varlistentry>
<varlistentry>
<term>-chkfips</term>
<listitem><para>Verify whether the module is in the given FIPS mode. <command>true</command> means to verify that the module is in FIPS mode, while <command>false</command> means to verify that the module is not in FIPS mode.</para></listitem>
</varlistentry>
<varlistentry>
<term>-create</term>
<listitem><para>Create new certificate, key, and module databases. Use the <option>-dbdir</option> directory argument to specify a directory. If any of these databases already exist in a specified directory, <command>modutil</command> returns an error message.</para></listitem>
</varlistentry>
<varlistentry>
<term>-default modulename</term>
<listitem><para>Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the <option>-mechanisms</option> argument.</para></listitem>
</varlistentry>
<varlistentry>
<term>-delete modulename</term>
<listitem><para>Delete the named module. The default NSS PKCS #11 module cannot be deleted.</para></listitem>
</varlistentry>
<varlistentry>
<term>-disable modulename</term>
<listitem><para>Disable all slots on the named module. Use the <option>-slot</option> argument to disable a specific slot.</para></listitem>
</varlistentry>
<varlistentry>
<term>-enable modulename</term>
<listitem><para>Enable all slots on the named module. Use the <option>-slot</option> argument to enable a specific slot.</para></listitem>
</varlistentry>
<varlistentry>
<term>-fips [true | false]</term>
<listitem><para>Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.</para></listitem>
</varlistentry>
<varlistentry>
<term>-force</term>
<listitem><para>Disable <command>modutil</command>'s interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.</para></listitem>
</varlistentry>
<varlistentry>
<term>-jar JAR-file</term>
<listitem><para>Add a new PKCS #11 module to the database using the named JAR file. Use this command with the <option>-installdir</option> and <option>-tempdir</option> arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with <command>modutil</command>. </para></listitem>
</varlistentry>
<varlistentry>
<term>-list [modulename]</term>
<listitem><para>Display basic information about the contents of the <filename>secmod.db</filename> file. Specifying a <emphasis>modulename</emphasis> displays detailed information about a particular module and its slots and tokens.</para></listitem>
</varlistentry>
<varlistentry>
<term>-rawadd</term>
<listitem><para>Add the module spec string to the <filename>secmod.db</filename> database.</para></listitem>
</varlistentry>
<varlistentry>
<term>-rawlist</term>
<listitem><para>Display the module specs for a specified module or for all loadable modules.</para></listitem>
</varlistentry>
<varlistentry>
<term>-undefault modulename</term>
<listitem><para>Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the <option>-mechanisms</option> argument.</para></listitem>
</varlistentry>
</variablelist>
<para><command>Arguments</command></para>
<variablelist>
<varlistentry>
<term>MODULE</term>
<listitem><para>Give the security module to access.</para></listitem>
</varlistentry>
<varlistentry>
<term>MODULESPEC</term>
<listitem><para>Give the security module spec to load into the security database.</para></listitem>
</varlistentry>
<varlistentry>
<term>-ciphers cipher-enable-list</term>
<listitem><para>Enable specific ciphers in a module that is being added to the database. The <emphasis>cipher-enable-list</emphasis> is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.</para></listitem>
</varlistentry>
<varlistentry>
<term>-dbdir [sql:]directory</term>
<listitem><para>Specify the database directory in which to access or create security module database files.</para>
<para><command>modutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
</varlistentry>
<varlistentry>
<term>--dbprefix prefix</term>
<listitem><para>Specify the prefix used on the database files, such as <filename>my_</filename> for <filename>my_cert8.db</filename>. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.</para></listitem>
</varlistentry>
<varlistentry>
<term>-installdir root-installation-directory</term>
<listitem><para>Specify the root installation directory relative to which files will be installed by the <option>-jar</option> option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.</para></listitem>
</varlistentry>
<varlistentry>
<term>-libfile library-file</term>
<listitem><para>Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.</para></listitem>
</varlistentry>
<varlistentry>
<term>-mechanisms mechanism-list</term>
<listitem><para>Specify the security mechanisms for which a particular module will be flagged as a default provider. The <emphasis>mechanism-list</emphasis> is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.</para>
<para>The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.</para>
<para><command>modutil</command> supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).</para></listitem>
</varlistentry>
<varlistentry>
<term>-newpwfile new-password-file</term>
<listitem><para>Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the <option>-changepw</option> option.</para></listitem>
</varlistentry>
<varlistentry>
<term>-nocertdb</term>
<listitem><para>Do not open the certificate or key databases. This has several effects:</para>
<itemizedlist>
<listitem>
<para>With the <option>-create</option> command, only a module security file is created; certificate and key databases are not created.</para>
</listitem>
<listitem>
<para>With the <option>-jar</option> command, signatures on the JAR file are not checked.</para>
</listitem>
<listitem>
<para>With the <option>-changepw</option> command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>-pwfile old-password-file</term>
<listitem><para>Specify a text file containing a token's existing password so that a password can be entered automatically when the <option>-changepw</option> option is used to change passwords.</para></listitem>
</varlistentry>
<varlistentry>
<term>-secmod secmodname</term>
<listitem><para>Give the name of the security module database (like <filename>secmod.db</filename>) to load.</para></listitem>
</varlistentry>
<varlistentry>
<term>-slot slotname</term>
<listitem><para>Specify a particular slot to be enabled or disabled with the <option>-enable</option> or <option>-disable</option> options.</para></listitem>
</varlistentry>
<varlistentry>
<term>-string CONFIG_STRING</term>
<listitem><para>Pass a configuration string for the module being added to the database.</para></listitem>
</varlistentry>
<varlistentry>
<term>-tempdir temporary-directory</term>
<listitem><para>Give a directory location where temporary files are created during the installation by the <option>-jar</option> option. If no temporary directory is specified, the current directory is used.</para></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection id="usage-and-examples">
<title>Usage and Examples</title>
<para><command>Creating Database Files</command></para>
<para>Before any operations can be performed, there must be a set of security databases available. <command>modutil</command> can be used to create these files. The only required argument is the database that where the databases will be located.</para>
<programlisting>modutil -create -dbdir [sql:]directory</programlisting>
<para><command>Adding a Cryptographic Module</command></para>
<para>Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through <command>modutil</command> directly or by running a JAR file and install script. For the most basic case, simply upload the library:</para>
<programlisting>modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] </programlisting>
<para>For example:
<programlisting>modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM
Using database directory ...
Module "Example PKCS #11 Module" added to database.</programlisting>
</para>
<para><command>Installing a Cryptographic Module from a JAR File</command></para>
<para>PKCS #11 modules can also be loaded using a JAR file, which contains all of the required libraries and an installation script that describes how to install the module. The JAR install script is described in more detail in <xref linkend="jar-install-file" />.</para>
<para>The JAR installation script defines the setup information for each platform that the module can be installed on. For example:</para>
<programlisting>Platforms {
Linux:5.4.08:x86 {
ModuleName { "Example PKCS #11 Module" }
ModuleFile { crypto.so }
DefaultMechanismFlags{0x0000}
CipherEnableFlags{0x0000}
Files {
crypto.so {
Path{ /tmp/crypto.so }
}
setup.sh {
Executable
Path{ /tmp/setup.sh }
}
}
}
Linux:6.0.0:x86 {
EquivalentPlatform { Linux:5.4.08:x86 }
}
} </programlisting>
<para>Both the install script and the required libraries must be bundled in a JAR file, which is specified with the <option>-jar</option> argument.</para>
<programlisting>modutil -dbdir sql:/home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir sql:/home/my/sharednssdb
This installation JAR file was signed by:
----------------------------------------------
**SUBJECT NAME**
C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS
Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref
. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3
Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network **ISSUER
NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization,
OU="VeriSign, Inc.", O=VeriSign Trust Network
----------------------------------------------
Do you wish to continue this installation? (y/n) y
Using installer script "installer_script"
Successfully parsed installation script
Current platform is Linux:5.4.08:x86
Using installation parameters for platform Linux:5.4.08:x86
Installed file crypto.so to /tmp/crypto.so
Installed file setup.sh to ./pk11inst.dir/setup.sh
Executing "./pk11inst.dir/setup.sh"...
"./pk11inst.dir/setup.sh" executed successfully
Installed module "Example PKCS #11 Module" into module database
Installation completed successfully </programlisting>
<para><command>Adding Module Spec</command></para>
<para>Each module has information stored in the security database about its configuration and parameters. These can be added or edited using the <option>-rawadd</option> command. For the current settings or to see the format of the module spec in the database, use the <option>-rawlist</option> option.</para>
<programlisting>modutil -rawadd modulespec</programlisting>
<para><command>Deleting a Module</command></para>
<para>A specific PKCS #11 module can be deleted from the <filename>secmod.db</filename> database:</para>
<programlisting>modutil -delete modulename -dbdir [sql:]directory </programlisting>
<para><command>Displaying Module Information</command></para>
<para>The <filename>secmod.db</filename> database contains information about the PKCS #11 modules that are available to an application or server to use. The list of all modules, information about specific modules, and database configuration specs for modules can all be viewed. </para>
<para>To simply get a list of modules in the database, use the <option>-list</option> command.</para>
<programlisting>modutil -list [modulename] -dbdir [sql:]directory </programlisting>
<para>Listing the modules shows the module name, their status, and other associated security databases for certificates and keys. For example:</para>
<programlisting>modutil -list -dbdir sql:/home/my/sharednssdb
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
-----------------------------------------------------------</programlisting>
<para>Passing a specific module name with the <option>-list</option> returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example:</para>
<programlisting> modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
-----------------------------------------------------------
Name: NSS Internal PKCS #11 Module
Library file: **Internal ONLY module**
Manufacturer: Mozilla Foundation
Description: NSS Internal Crypto Services
PKCS #11 Version 2.20
Library Version: 3.11
Cipher Enable Flags: None
Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
Slot: NSS Internal Cryptographic Services
Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
Manufacturer: Mozilla Foundation
Type: Software
Version Number: 3.11
Firmware Version: 0.0
Status: Enabled
Token Name: NSS Generic Crypto Services
Token Manufacturer: Mozilla Foundation
Token Model: NSS 3
Token Serial Number: 0000000000000000
Token Version: 4.0
Token Firmware Version: 0.0
Access: Write Protected
Login Type: Public (no login required)
User Pin: NOT Initialized
Slot: NSS User Private Key and Certificate Services
Slot Mechanism Flags: None
Manufacturer: Mozilla Foundation
Type: Software
Version Number: 3.11
Firmware Version: 0.0
Status: Enabled
Token Name: NSS Certificate DB
Token Manufacturer: Mozilla Foundation
Token Model: NSS 3
Token Serial Number: 0000000000000000
Token Version: 8.3
Token Firmware Version: 0.0
Access: NOT Write Protected
Login Type: Login required
User Pin: Initialized</programlisting>
<para>A related command, <option>-rawlist</option> returns information about the database configuration for the modules. (This information can be edited by loading new specs using the <option>-rawadd</option> command.)</para>
<programlisting> modutil -rawlist -dbdir sql:/home/my/sharednssdb
name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical"</programlisting>
<para><command>Setting a Default Provider for Security Mechanisms</command></para>
<para>Multiple security modules may provide support for the same security mechanisms. It is possible to set a specific security module as the default provider for a specific security mechanism (or, conversely, to prohibit a provider from supplying those mechanisms).</para>
<programlisting>modutil -default modulename -mechanisms mechanism-list </programlisting>
<para>To set a module as the default provider for mechanisms, use the <option>-default</option> command with a colon-separated list of mechanisms. The available mechanisms depend on the module; NSS supplies almost all common mechanisms. For example:</para>
<programlisting>modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2
Using database directory c:\databases...
Successfully changed defaults.</programlisting>
<para>Clearing the default provider has the same format:</para>
<programlisting>modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5</programlisting>
<para><command>Enabling and Disabling Modules and Slots</command></para>
<para>Modules, and specific slots on modules, can be selectively enabled or disabled using <command>modutil</command>. Both commands have the same format:</para>
<programlisting>modutil -enable|-disable modulename [-slot slotname] </programlisting>
<para>For example:</para>
<programlisting>modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services " -dbdir .
Slot "NSS Internal Cryptographic Services " enabled.</programlisting>
<para>Be sure that the appropriate amount of trailing whitespace is after the slot name. Some slot names have a significant amount of whitespace that must be included, or the operation will fail.</para>
<para><command>Enabling and Verifying FIPS Compliance</command></para>
<para>The NSS modules can have FIPS 140-2 compliance enabled or disabled using <command>modutil</command> with the <option>-fips</option> option. For example:</para>
<programlisting>modutil -fips true -dbdir sql:/home/my/sharednssdb/
FIPS mode enabled.</programlisting>
<para>To verify that status of FIPS mode, run the <option>-chkfips</option> command with either a true or false flag (it doesn't matter which). The tool returns the current FIPS setting.</para>
<programlisting>modutil -chkfips false -dbdir sql:/home/my/sharednssdb/
FIPS mode enabled.</programlisting>
<para><command>Changing the Password on a Token</command></para>
<para>Initializing or changing a token's password:</para>
<programlisting>modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file] </programlisting>
<programlisting>modutil -dbdir sql:/home/my/sharednssdb -changepw "NSS Certificate DB"
Enter old password:
Incorrect password, try again...
Enter old password:
Enter new password:
Re-enter new password:
Token "Communicator Certificate DB" password changed successfully.</programlisting>
</refsection>
<refsection id="jar-install-file"><title>JAR Installation File Format</title>
<para>When a JAR file is run by a server, by <command>modutil</command>, or by any program that does not interpret JavaScript, a special information file must be included to install the libraries. There are several things to keep in mind with this file:</para>
<itemizedlist>
<listitem>
<para>
It must be declared in the JAR archive's manifest file.
</para>
</listitem>
<listitem>
<para>
The script can have any name.
</para>
</listitem>
<listitem>
<para>
The metainfo tag for this is <command>Pkcs11_install_script</command>. To declare meta-information in the manifest file, put it in a file that is passed to <command>signtool</command>.</para>
</listitem>
</itemizedlist>
<para><command>Sample Script</command></para>
<para>For example, the PKCS #11 installer script could be in the file pk11install. If so, the metainfo file for <command>signtool</command> includes a line such as this:</para>
<programlisting>+ Pkcs11_install_script: pk11install</programlisting>
<para>The script must define the platform and version number, the module name and file, and any optional information like supported ciphers and mechanisms. Multiple platforms can be defined in a single install file.</para>
<programlisting>ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
Platforms {
WINNT::x86 {
ModuleName { "Example Module" }
ModuleFile { win32/fort32.dll }
DefaultMechanismFlags{0x0001}
DefaultCipherFlags{0x0001}
Files {
win32/setup.exe {
Executable
RelativePath { %temp%/setup.exe }
}
win32/setup.hlp {
RelativePath { %temp%/setup.hlp }
}
win32/setup.cab {
RelativePath { %temp%/setup.cab }
}
}
}
WIN95::x86 {
EquivalentPlatform {WINNT::x86}
}
SUNOS:5.5.1:sparc {
ModuleName { "Example UNIX Module" }
ModuleFile { unix/fort.so }
DefaultMechanismFlags{0x0001}
CipherEnableFlags{0x0001}
Files {
unix/fort.so {
RelativePath{%root%/lib/fort.so}
AbsolutePath{/usr/local/netscape/lib/fort.so}
FilePermissions{555}
}
xplat/instr.html {
RelativePath{%root%/docs/inst.html}
AbsolutePath{/usr/local/netscape/docs/inst.html}
FilePermissions{555}
}
}
}
IRIX:6.2:mips {
EquivalentPlatform { SUNOS:5.5.1:sparc }
}
}</programlisting>
<para><command>Script Grammar</command></para>
<para>The script is basic Java, allowing lists, key-value pairs, strings, and combinations of all of them.</para>
<programlisting>--> valuelist
valuelist --> value valuelist
&lt;null>
value ---> key_value_pair
string
key_value_pair --> key { valuelist }
key --> string
string --> simple_string
"complex_string"
simple_string --> [^ \t\n\""{""}"]+
complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+ </programlisting>
<para>Quotes and backslashes must be escaped with a backslash. A complex string must not include newlines or carriage returns.Outside of complex strings, all white space (for example, spaces, tabs, and carriage returns) is considered equal and is used only to delimit tokens.</para>
<para><command>Keys</command></para>
<para>The Java install file uses keys to define the platform and module information.</para>
<para><command>ForwardCompatible</command> gives a list of platforms that are forward compatible. If the current platform cannot be found in the list of supported platforms, then the <command>ForwardCompatible</command> list is checked for any platforms that have the same OS and architecture in an earlier version. If one is found, its attributes are used for the current platform. </para>
<para><command>Platforms</command> (required) Gives a list of platforms. Each entry in the list is itself a key-value pair: the key is the name of the platform and the value list contains various attributes of the platform. The platform string is in the format <emphasis>system name:OS release:architecture</emphasis>. The installer obtains these values from NSPR. OS release is an empty string on non-Unix operating systems. NSPR supports these platforms:</para>
<itemizedlist>
<listitem>
<para>AIX (rs6000)</para>
</listitem>
<listitem>
<para>BSDI (x86)</para>
</listitem>
<listitem>
<para>FREEBSD (x86)</para>
</listitem>
<listitem>
<para>HPUX (hppa1.1)</para>
</listitem>
<listitem>
<para>IRIX (mips)</para>
</listitem>
<listitem>
<para>LINUX (ppc, alpha, x86)</para>
</listitem>
<listitem>
<para>MacOS (PowerPC)</para>
</listitem>
<listitem>
<para>NCR (x86)</para>
</listitem>
<listitem>
<para>NEC (mips)</para>
</listitem>
<listitem>
<para>OS2 (x86)</para>
</listitem>
<listitem>
<para>OSF (alpha)</para>
</listitem>
<listitem>
<para>ReliantUNIX (mips)</para>
</listitem>
<listitem>
<para>SCO (x86)</para>
</listitem>
<listitem>
<para>SOLARIS (sparc)</para>
</listitem>
<listitem>
<para>SONY (mips)</para>
</listitem>
<listitem>
<para>SUNOS (sparc)</para>
</listitem>
<listitem>
<para>UnixWare (x86)</para>
</listitem>
<listitem>
<para>WIN16 (x86)</para>
</listitem>
<listitem>
<para>WIN95 (x86)</para>
</listitem>
<listitem>
<para>WINNT (x86)</para>
</listitem>
</itemizedlist>
<para>For example:</para>
<programlisting>IRIX:6.2:mips
SUNOS:5.5.1:sparc
Linux:2.0.32:x86
WIN95::x86</programlisting>
<para>The module information is defined independently for each platform in the <command>ModuleName</command>, <command>ModuleFile</command>, and <command>Files</command> attributes. These attributes must be given unless an <command>EquivalentPlatform</command> attribute is specified. </para>
<para><command>Per-Platform Keys</command></para>
<para>Per-platform keys have meaning only within the value list of an entry in the <command>Platforms</command> list.</para>
<para><command>ModuleName</command> (required) gives the common name for the module. This name is used to reference the module by servers and by the <command>modutil</command> tool. </para>
<para><command>ModuleFile</command> (required) names the PKCS #11 module file for this platform. The name is given as the relative path of the file within the JAR archive. </para>
<para><command>Files</command> (required) lists the files that need to be installed for this module. Each entry in the file list is a key-value pair. The key is the path of the file in the JAR archive, and the value list contains attributes of the file. At least <command>RelativePath</command> or <command>AbsolutePath</command> must be specified for each file.</para>
<para><command>DefaultMechanismFlags</command> specifies mechanisms for which this module is the default provider; this is equivalent to the <option>-mechanism</option> option with the <option>-add</option> command. This key-value pair is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR. If the DefaultMechanismFlags entry is omitted, the value defaults to 0x0.</para>
<programlisting>RSA: 0x00000001
DSA: 0x00000002
RC2: 0x00000004
RC4: 0x00000008
DES: 0x00000010
DH: 0x00000020
FORTEZZA: 0x00000040
RC5: 0x00000080
SHA1: 0x00000100
MD5: 0x00000200
MD2: 0x00000400
RANDOM: 0x08000000
FRIENDLY: 0x10000000
OWN_PW_DEFAULTS: 0x20000000
DISABLE: 0x40000000</programlisting>
<para><command>CipherEnableFlags</command> specifies ciphers that this module provides that NSS does not provide (so that the module enables those ciphers for NSS). This is equivalent to the <option>-cipher</option> argument with the <option>-add</option> command. This key is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR. If the <command>CipherEnableFlags</command> entry is omitted, the value defaults to 0x0.</para>
<para><command>EquivalentPlatform</command> specifies that the attributes of the named platform should also be used for the current platform. This makes it easier when more than one platform uses the same settings.</para>
<para><command>Per-File Keys</command></para>
<para>Some keys have meaning only within the value list of an entry in a <command>Files</command> list.</para>
<para>Each file requires a path key the identifies where the file is. Either <command>RelativePath</command> or <command>AbsolutePath</command> must be specified. If both are specified, the relative path is tried first, and the absolute path is used only if no relative root directory is provided by the installer program.</para>
<para><command>RelativePath</command> specifies the destination directory of the file, relative to some directory decided at install time. Two variables can be used in the relative path: <command>%root%</command> and <command>%temp%</command>. <command>%root%</command> is replaced at run time with the directory relative to which files should be installed; for example, it may be the server's root directory. The <command>%temp%</command> directory is created at the beginning of the installation and destroyed at the end. The purpose of <command>%temp%</command> is to hold executable files (such as setup programs) or files that are used by these programs. Files destined for the temporary directory are guaranteed to be in place before any executable file is run; they are not deleted until all executable files have finished.</para>
<para><command>AbsolutePath</command> specifies the destination directory of the file as an absolute path. </para>
<para><command>Executable</command> specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.</para>
<para><command>FilePermissions</command> sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.</para>
<programlisting>user read: 0400
user write: 0200
user execute: 0100
group read: 0040
group write: 0020
group execute: 0010
other read: 0004
other write: 0002
other execute: 0001</programlisting>
<para>Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.</para>
</refsection>
<refsection id="databases"><title>NSS Database Types</title>
<para>NSS originally used BerkeleyDB databases to store security information.
The last versions of these <emphasis>legacy</emphasis> databases are:</para>
<itemizedlist>
<listitem>
<para>
cert8.db for certificates
</para>
</listitem>
<listitem>
<para>
key3.db for keys
</para>
</listitem>
<listitem>
<para>
secmod.db for PKCS #11 module information
</para>
</listitem>
</itemizedlist>
<para>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has
some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
requires more flexibility to provide a truly shared security database.</para>
<para>In 2009, NSS introduced a new set of databases that are SQLite databases rather than
BerkleyDB. These new databases provide more accessibility and performance:</para>
<itemizedlist>
<listitem>
<para>
cert9.db for certificates
</para>
</listitem>
<listitem>
<para>
key4.db for keys
</para>
</listitem>
<listitem>
<para>
pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
</para>
</listitem>
</itemizedlist>
<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases follow the more common legacy type.
Using the SQLite databases must be manually specified by using the <command>sql:</command> prefix with the given security directory. For example:</para>
<programlisting>modutil -create -dbdir sql:/home/my/sharednssdb</programlisting>
<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
<itemizedlist>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
</listitem>
</itemizedlist>
<para>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</para>
<itemizedlist>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB
</para>
</listitem>
</itemizedlist>
</refsection>
<refsection id="seealso">
<title>See Also</title>
<para>certutil (1)</para>
<para>pk12util (1)</para>
<para>signtool (1)</para>
<para>The NSS wiki has information on the new database design and how to configure applications to use it.</para>
<itemizedlist>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
</listitem>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB
</para>
</listitem>
</itemizedlist>
</refsection>
<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
</para>
</refsection>
</refentry>

516
security/nss/doc/pk12util.xml Normal file
View File

@ -0,0 +1,516 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="pk12util">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>PK12UTIL</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>pk12util</refname>
<refpurpose>Export and import keys and certificate to or from a PKCS #12 file and the NSS database</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>pk12util</command>
<arg>-i p12File [-h tokenname] [-v] [common-options] </arg>
<arg>
-l p12File [-h tokenname] [-r] [common-options] </arg>
<arg>
-o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [common-options] </arg>
<arg>
common-options are:
[-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
<title>STATUS</title>
<para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
</para>
</refsection>
<refsection id="description">
<title>Description</title>
<para>The PKCS #12 utility, <command>pk12util</command>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</para>
</refsection>
<refsection id="options">
<title>Options and Arguments</title>
<para><command>Options</command></para>
<variablelist>
<varlistentry>
<term>-i p12file</term>
<listitem><para>Import keys and certificates from a PKCS#12 file into a security database.</para></listitem>
</varlistentry>
<varlistentry>
<term>-l p12file</term>
<listitem><para>List the keys and certificates in PKCS#12 file.</para></listitem>
</varlistentry>
<varlistentry>
<term>-o p12file</term>
<listitem><para>Export keys and certificates from the security database to a PKCS#12 file.</para></listitem>
</varlistentry>
</variablelist>
<para><command>Arguments</command></para>
<variablelist>
<varlistentry>
<term>-n certname</term>
<listitem><para>Specify the nickname of the cert and private key to export.</para></listitem>
</varlistentry>
<varlistentry>
<term>-d [sql:]directory</term>
<listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para>
<para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
</varlistentry>
<varlistentry>
<term>-P prefix</term>
<listitem><para>Specify the prefix used on the certificate and key databases. This option is provided as a special case.
Changing the names of the certificate and key databases is not recommended.</para></listitem>
</varlistentry>
<varlistentry>
<term>-h tokenname</term>
<listitem><para>Specify the name of the token to import into or export from.</para></listitem>
</varlistentry>
<varlistentry>
<term>-v </term>
<listitem><para>Enable debug logging when importing.</para></listitem>
</varlistentry>
<varlistentry>
<term>-k slotPasswordFile</term>
<listitem><para>Specify the text file containing the slot's password.</para></listitem>
</varlistentry>
<varlistentry>
<term>-K slotPassword</term>
<listitem><para>Specify the slot's password.</para></listitem>
</varlistentry>
<varlistentry>
<term>-w p12filePasswordFile</term>
<listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem>
</varlistentry>
<varlistentry>
<term>-W p12filePassword</term>
<listitem><para>Specify the pkcs #12 file password.</para></listitem>
</varlistentry>
<varlistentry>
<term>-c keyCipher</term>
<listitem><para>Specify the key encryption algorithm.</para></listitem>
</varlistentry>
<varlistentry>
<term>-C certCipher</term>
<listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem>
</varlistentry>
<varlistentry>
<term>-m | --key-len keyLength</term>
<listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem>
</varlistentry>
<varlistentry>
<term>-n | --cert-key-len certKeyLength</term>
<listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem><para>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</para></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection id="return-codes">
<title>Return Codes</title>
<itemizedlist>
<listitem>
<para> 0 - No error</para>
</listitem>
<listitem>
<para> 1 - User Cancelled</para>
</listitem>
<listitem>
<para> 2 - Usage error</para>
</listitem>
<listitem>
<para> 6 - NLS init error</para>
</listitem>
<listitem>
<para> 8 - Certificate DB open error</para>
</listitem>
<listitem>
<para> 9 - Key DB open error</para>
</listitem>
<listitem>
<para> 10 - File initialization error</para>
</listitem>
<listitem>
<para> 11 - Unicode conversion error</para>
</listitem>
<listitem>
<para> 12 - Temporary file creation error</para>
</listitem>
<listitem>
<para> 13 - PKCS11 get slot error</para>
</listitem>
<listitem>
<para> 14 - PKCS12 decoder start error</para>
</listitem>
<listitem>
<para> 15 - error read from import file</para>
</listitem>
<listitem>
<para> 16 - pkcs12 decode error</para>
</listitem>
<listitem>
<para> 17 - pkcs12 decoder verify error</para>
</listitem>
<listitem>
<para> 18 - pkcs12 decoder validate bags error</para>
</listitem>
<listitem>
<para> 19 - pkcs12 decoder import bags error</para>
</listitem>
<listitem>
<para> 20 - key db conversion version 3 to version 2 error</para>
</listitem>
<listitem>
<para> 21 - cert db conversion version 7 to version 5 error</para>
</listitem>
<listitem>
<para> 22 - cert and key dbs patch error</para>
</listitem>
<listitem>
<para> 23 - get default cert db error</para>
</listitem>
<listitem>
<para> 24 - find cert by nickname error</para>
</listitem>
<listitem>
<para> 25 - create export context error</para>
</listitem>
<listitem>
<para> 26 - PKCS12 add password itegrity error</para>
</listitem>
<listitem>
<para> 27 - cert and key Safes creation error</para>
</listitem>
<listitem>
<para> 28 - PKCS12 add cert and key error</para>
</listitem>
<listitem>
<para> 29 - PKCS12 encode error</para>
</listitem>
</itemizedlist>
</refsection>
<refsection id="examples">
<title>Examples</title>
<para><command>Importing Keys and Certificates</command></para>
<para>The most basic usage of <command>pk12util</command> for importing a certificate or key is the PKCS#12 input file (<option>-i</option>) and some way to specify the security database being accessed (either <option>-d</option> for a directory or <option>-h</option> for a token).
</para>
<programlisting>pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting>
<para>For example:</para>
<programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL</programlisting>
<para><command>Exporting Keys and Certificates</command></para>
<para>Using the <command>pk12util</command> command to export certificates and keys requires both the name of the certificate to extract from the database (<option>-n</option>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
</para>
<programlisting>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting>
<para>For example:</para>
<programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
Enter password for PKCS12 file:
Re-enter password: </programlisting>
<para><command>Listing Keys and Certificates</command></para>
<para>The information in a <filename>.p12</filename> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <filename>.p12</filename> file.
</para>
<programlisting>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting>
<para>For example, this prints the default ASCII output:</para>
<programlisting># pk12util -l certs.p12
Enter password for PKCS12 file:
Key(shrouded):
Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
Parameters:
Salt:
45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
Iteration Count: 1 (0x1)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13 (0xd)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C
A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
own,ST=Western Cape,C=ZA"
....</programlisting>
<para>Alternatively, the <option>-r</option> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <filename>.p12</filename> files. Each certificate is written to a sequentially-number file, beginning with <filename>file0001.der</filename> and continuing through <filename>file000N.der</filename>, incrementing the number for every certificate:</para>
<programlisting># pk12util -l test.p12 -r
Enter password for PKCS12 file:
Key(shrouded):
Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
Parameters:
Salt:
45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
Iteration Count: 1 (0x1)
Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID</programlisting>
</refsection>
<refsection id="encryption">
<title>Password Encryption</title>
<para>PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using <command>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</command> for private key encryption. <command>PKCS12 V2 PBE with SHA1 and 40 Bit RC4</command> is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.</para>
<para>The private key is always protected with strong encryption by default.</para>
<para>Several types of ciphers are supported.</para>
<variablelist>
<varlistentry>
<term>Symmetric CBC ciphers for PKCS#5 V2</term>
<listitem><para>DES_CBC</para>
<itemizedlist>
<listitem>
<para>RC2-CBC</para>
</listitem>
<listitem>
<para>RC5-CBCPad</para>
</listitem>
<listitem>
<para>DES-EDE3-CBC (the default for key encryption)</para>
</listitem>
<listitem>
<para>AES-128-CBC</para>
</listitem>
<listitem>
<para>AES-192-CBC</para>
</listitem>
<listitem>
<para>AES-256-CBC</para>
</listitem>
<listitem>
<para>CAMELLIA-128-CBC</para>
</listitem>
<listitem>
<para>CAMELLIA-192-CBC</para>
</listitem>
<listitem>
<para>CAMELLIA-256-CBC</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>PKCS#12 PBE ciphers</term>
<listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para>
<itemizedlist>
<listitem>
<para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para>
</listitem>
<listitem>
<para>PKCS #12 PBE with Sha1 and Triple DES CBC</para>
</listitem>
<listitem>
<para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para>
</listitem>
<listitem>
<para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para>
</listitem>
<listitem>
<para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para>
</listitem>
<listitem>
<para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para>
</listitem>
<listitem>
<para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para>
</listitem>
<listitem>
<para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para>
</listitem>
<listitem>
<para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para>
</listitem>
<listitem>
<para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<term>PKCS#5 PBE ciphers</term>
<listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para>
<itemizedlist>
<listitem>
<para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para>
</listitem>
<listitem>
<para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
</variablelist>
<para>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <emphasis>no security module can perform the requested operation</emphasis>.</para>
</refsection>
<refsection id="databases"><title>NSS Database Types</title>
<para>NSS originally used BerkeleyDB databases to store security information.
The last versions of these <emphasis>legacy</emphasis> databases are:</para>
<itemizedlist>
<listitem>
<para>
cert8.db for certificates
</para>
</listitem>
<listitem>
<para>
key3.db for keys
</para>
</listitem>
<listitem>
<para>
secmod.db for PKCS #11 module information
</para>
</listitem>
</itemizedlist>
<para>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has
some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
requires more flexibility to provide a truly shared security database.</para>
<para>In 2009, NSS introduced a new set of databases that are SQLite databases rather than
BerkleyDB. These new databases provide more accessibility and performance:</para>
<itemizedlist>
<listitem>
<para>
cert9.db for certificates
</para>
</listitem>
<listitem>
<para>
key4.db for keys
</para>
</listitem>
<listitem>
<para>
pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
</para>
</listitem>
</itemizedlist>
<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases follow the more common legacy type.
Using the SQLite databases must be manually specified by using the <command>sql:</command> prefix with the given security directory. For example:</para>
<programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb</programlisting>
<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
<itemizedlist>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
</listitem>
</itemizedlist>
<para>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</para>
<itemizedlist>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB
</para>
</listitem>
</itemizedlist>
</refsection>
<refsection id="seealso">
<title>See Also</title>
<para>certutil (1)</para>
<para>modutil (1)</para>
<para>The NSS wiki has information on the new database design and how to configure applications to use it.</para>
<itemizedlist>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
</listitem>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB
</para>
</listitem>
</itemizedlist>
</refsection>
<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
</para>
</refsection>
</refentry>

111
security/nss/doc/pp.xml Normal file
View File

@ -0,0 +1,111 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="pp">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>PP</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>pp</refname>
<refpurpose>Prints certificates, keys, crls, and pkcs7 files</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>pp -t type [-a] [-i input] [-o output]</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
<title>STATUS</title>
<para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
</para>
</refsection>
<refsection>
<title>Description</title>
<para><command>pp </command>pretty-prints private and public key, certificate, certificate-request,
pkcs7 or crl files
</para>
</refsection>
<refsection>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>-t </option> <replaceable>type</replaceable></term>
<listitem>
<simpara>specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</simpara>
<simpara></simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-a </option></term>
<listitem>
<simpara>Input is in ascii encoded form (RFC1113)</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-i </option> <replaceable>inputfile</replaceable></term>
<listitem>
<simpara>Define an input file to use (default is stdin)</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-u </option> <replaceable>outputfile</replaceable></term>
<listitem>
<simpara>Define an output file to use (default is stdout)</simpara>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection id="resources">
<title>Additional Resources</title>
<para>NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <ulink url="http://pki.fedoraproject.org/wiki/">PKI Wiki</ulink>. </para>
<para>For information specifically about NSS, the NSS project wiki is located at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">Mozilla NSS site</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
</para>
</refsection>
</refentry>

680
security/nss/doc/signtool.xml Normal file
View File

@ -0,0 +1,680 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="signtool">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>signtool</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>signtool</refname>
<refpurpose>Digitally sign objects and files.</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>signtool</command>
<arg>-k keyName</arg>
<arg>[-h]</arg>
<arg>[-H]</arg>
<arg>[-l]</arg>
<arg>[-L]</arg>
<arg>[-M]</arg>
<arg>[-v]</arg>
<arg>[-w]</arg>
<arg>[-G nickname]</arg>
<arg>[--keysize | -s size]</arg>
<arg>[-b basename]</arg>
<arg>[-c Compression Level] </arg>
<arg>[-d cert-dir] </arg>
<arg>[-i installer script] </arg>
<arg>[-m metafile] </arg>
<arg>[-x name] </arg>
<arg>[-f filename] </arg>
<arg>[-t|--token tokenname] </arg>
<arg>[-e extension] </arg>
<arg>[-o] </arg>
<arg>[-z] </arg>
<arg>[-X] </arg>
<arg>[--outfile] </arg>
<arg>[--verbose value] </arg>
<arg>[--norecurse] </arg>
<arg>[--leavearc] </arg>
<arg>[-j directory] </arg>
<arg>[-Z jarfile] </arg>
<arg>[-O] </arg>
<arg>[-p password] </arg>
<arg>directory-tree</arg>
<arg>archive</arg>
<!-- this isn't the ideal formatting, since docbook can handle reqiored/optional formatting automatically, but let's make it explicit -->
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
<title>STATUS</title>
<para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
</para>
</refsection>
<refsection id="description">
<title>Description</title>
<para>The Signing Tool, <command>signtool</command>, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory. Electronic software distribution over any network involves potential security problems. To help address some of these problems, you can associate digital signatures with the files in a JAR archive. Digital signatures allow SSL-enabled clients to perform two important operations:</para>
<para>* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files</para>
<para>* Check whether the files have been tampered with since being signed</para>
<para>If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files.</para>
<para>An individual file can potentially be signed with multiple digital signatures. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company. A network administrator manager might sign the same files with an additional digital signature based on a company-generated certificate to indicate that the product is approved for use within the company.</para>
<para>The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital signature may be considered as legally binding as a handwritten signature. Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute.</para>
<para>For example, if you are a software developer, you should test your code to make sure it is virus-free before signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it.</para>
<para>Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is a special certificate whose associated private key is used to create digital signatures. For testing purposes only, you can create an object-signing certificate with Netscape Signing Tool 1.3. When testing is finished and you are ready to disitribute your software, you should obtain an object-signing certificate from one of two kinds of sources:</para>
<para>* An independent certificate authority (CA) that authenticates your identity and charges you a fee. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet.</para>
<para>* CA server software running on your corporate intranet or extranet. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object-signing certificates.</para>
<para>You must also have a certificate for the CA that issues your signing certificate before you can sign files. If the certificate authority's certificate isn't already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority's web site, for example on the page from which you initiated enrollment for your signing certificate. This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database.</para>
<para>When you receive an object-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. You can, for example, move an object-signing certificate and its associated private key from one computer to another on a credit-card-sized device called a smart card.</para>
</refsection>
<refsection id="options">
<title>Options</title>
<!-- for the moment, I can't find a way for italics and bold tags to work in varlist entries -->
<variablelist>
<varlistentry>
<term>-b basename</term>
<listitem><para>Specifies the base filename for the .rsa and .sf files in the META-INF directory to conform with the JAR format. For example, <emphasis>-b signatures</emphasis> causes the files to be named signatures.rsa and signatures.sf. The default is signtool.</para></listitem>
</varlistentry>
<varlistentry>
<term>-c#</term>
<listitem><para>
Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes.
If the -c# option is not used with either the -J or the -Z option, the default compression value used by both the -J and -Z options is 6.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-d certdir</term>
<listitem><para>
Specifies your certificate database directory; that is, the directory in which you placed your key3.db and cert7.db files. To specify the current directory, use "-d." (including the period).
The Unix version of signtool assumes ~/.netscape unless told otherwise. The NT version of signtool always requires the use of the -d option to specify where the database files are located.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-e extension</term>
<listitem><para>
Tells signtool to sign only files with the given extension; for example, use -e".class" to sign only Java class files. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple times on one command line, making it possible to specify multiple file types or classes to include.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-f commandfile</term>
<listitem><para>
Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format. All options and arguments can be expressed through this file. For more information about the syntax used with this file, see "Tips and Techniques".
</para></listitem>
</varlistentry>
<varlistentry>
<term>-i scriptname</term>
<listitem><para>
Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-j directory</term>
<listitem><para>
Specifies a special JavaScript directory. This option causes the specified directory to be signed and tags its entries as inline JavaScript. This special type of entry does not have to appear in the JAR file itself. Instead, it is located in the HTML page containing the inline scripts. When you use signtool -v, these entries are displayed with the string NOT PRESENT.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-k key ... directory</term>
<listitem><para>
Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory. The directory to sign is always specified as the last command-line argument. Thus, it is possible to write
signtool -k MyCert -d . signdir
You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform.
It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-G nickname</term>
<listitem><para>
Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.
The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.
Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.
The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. For more information about the use of the -G option, see "Generating Test Object-Signing Certificates""Generating Test Object-Signing Certificates" on page 1241.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-l</term>
<listitem><para>
Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate.
The -l option is available in Netscape Signing Tool 1.0 and later versions only.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-J</term>
<listitem><para>
Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once.
The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option.
If the -c# option is not used with the -J option, the default compression value is 6.
Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-L</term>
<listitem><para>
Lists the certificates in your database. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--leavearc</term>
<listitem><para>
Retains the temporary .arc (archive) directories that the -J option creates. These directories are automatically erased by default. Retaining the temporary directories can be an aid to debugging.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-m metafile</term>
<listitem><para>
Specifies the name of a metadata control file. Metadata is signed information attached either to the JAR archive itself or to files within the archive. This metadata can be any ASCII string, but is used mainly for specifying an installer script.
The metadata file contains one entry per line, each with three fields:
field #1: file specification, or + if you want to specify global metadata (that is, metadata about the JAR archive itself or all entries in the archive)
field #2: the name of the data you are specifying; for example: Install-Script
field #3: data corresponding to the name in field #2
For example, the -i option uses the equivalent of this line:
+ Install-Script: script.js
This example associates a MIME type with a file:
movie.qt MIME-Type: video/quicktime
For information about the way installer script information appears in the manifest file for a JAR archive, see The JAR Format on Netscape DevEdge.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-M</term>
<listitem><para>
Lists the PKCS #11 modules available to signtool, including smart cards.
The -M option is available in Netscape Signing Tool 1.0 and later versions only.
For information on using Netscape Signing Tool with smart cards, see "Using Netscape Signing Tool with Smart Cards".
For information on using the -M option to verify FIPS-140-1 validated mode, see "Netscape Signing Tool and FIPS-140-1".
</para></listitem>
</varlistentry>
<varlistentry>
<term>--norecurse</term>
<listitem><para>
Blocks recursion into subdirectories when signing a directory's contents or when parsing HTML.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-o</term>
<listitem><para>
Optimizes the archive for size. Use this only if you are signing very large archives containing hundreds of files. This option makes the manifest files (required by the JAR format) considerably smaller, but they contain slightly less information.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--outfile outputfile</term>
<listitem><para>
Specifies a file to receive redirected output from Netscape Signing Tool.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-p password</term>
<listitem><para>
Specifies a password for the private-key database. Note that the password entered on the command line is displayed as plain text.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-s keysize</term>
<listitem><para>
Specifies the size of the key for generated certificate. Use the -M option to find out what tokens are available.
The -s option can be used with the -G option only.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-t token</term>
<listitem><para>
Specifies which available token should generate the key and receive the certificate. Use the -M option to find out what tokens are available.
The -t option can be used with the -G option only.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-v archive</term>
<listitem><para>
Displays the contents of an archive and verifies the cryptographic integrity of the digital signatures it contains and the files with which they are associated. This includes checking that the certificate for the issuer of the object-signing certificate is listed in the certificate database, that the CA's digital signature on the object-signing certificate is valid, that the relevant certificates have not expired, and so on.
</para></listitem>
</varlistentry>
<varlistentry>
<term>--verbosity value</term>
<listitem><para>
Sets the quantity of information Netscape Signing Tool generates in operation. A value of 0 (zero) is the default and gives full information. A value of -1 suppresses most messages, but not error messages.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-w archive</term>
<listitem><para>
Displays the names of signers of any files in the archive.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-x directory</term>
<listitem><para>
Excludes the specified directory from signing. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple times on one command line, making it possible to specify several particular directories to exclude.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem><para>
Tells signtool not to store the signing time in the digital signature. This option is useful if you want the expiration date of the signature checked against the current date and time rather than the time the files were signed.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-Z jarfile</term>
<listitem><para>
Creates a JAR file with the specified name. You must specify this option if you want signtool to create the JAR file; it does not do so automatically. If you don't specify -Z, you must use an external ZIP tool to create the JAR file.
The -Z option cannot be used at the same time as the -J option.
If the -c# option is not used with the -Z option, the default compression value is 6.</para></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection id="command-file">
<title>The Command File Format</title>
<para>Entries in a Netscape Signing Tool command file have this general format:
keyword=value
Everything before the = sign on a single line is a keyword, and everything from the = sign to the end of line is a value. The value may include = signs; only the first = sign on a line is interpreted. Blank lines are ignored, but white space on a line with keywords and values is assumed to be part of the keyword (if it comes before the equal sign) or part of the value (if it comes after the first equal sign). Keywords are case insensitive, values are generally case sensitive. Since the = sign and newline delimit the value, it should not be quoted. </para>
<!-- i'm working on a decent way to do embedded subsections; for now, just use a bold tag to show a new section -->
<para><command>Subsection</command></para>
<variablelist>
<varlistentry>
<term>basename</term>
<listitem><para>Same as -b option.</para></listitem>
</varlistentry>
<varlistentry>
<term>compression</term>
<listitem><para>
Same as -c option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>certdir</term>
<listitem><para>
Same as -d option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>extension</term>
<listitem><para>
Same as -e option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>generate</term>
<listitem><para>
Same as -G option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>installscript</term>
<listitem><para>
Same as -i option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>javascriptdir</term>
<listitem><para>
Same as -j option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>htmldir</term>
<listitem><para>
Same as -J option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>certname</term>
<listitem><para>
Nickname of certificate, as with -k and -l -k options.
</para></listitem>
</varlistentry>
<varlistentry>
<term>signdir</term>
<listitem><para>
The directory to be signed, as with -k option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>list</term>
<listitem><para>
Same as -l option. Value is ignored, but = sign must be present.
</para></listitem>
</varlistentry>
<varlistentry>
<term>listall</term>
<listitem><para>
Same as -L option. Value is ignored, but = sign must be present.
</para></listitem>
</varlistentry>
<varlistentry>
<term>metafile</term>
<listitem><para>
Same as -m option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>modules</term>
<listitem><para>
Same as -M option. Value is ignored, but = sign must be present.
</para></listitem>
</varlistentry>
<varlistentry>
<term>optimize</term>
<listitem><para>
Same as -o option. Value is ignored, but = sign must be present.
</para></listitem>
</varlistentry>
<varlistentry>
<term>password</term>
<listitem><para>
Same as -p option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>keysize</term>
<listitem><para>
Same as -s option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>token</term>
<listitem><para>
Same as -t option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>verify</term>
<listitem><para>
Same as -v option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>who</term>
<listitem><para>
Same as -w option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>exclude</term>
<listitem><para>
Same as -x option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>notime</term>
<listitem><para>
Same as -z option. value is ignored, but = sign must be present.
</para></listitem>
</varlistentry>
<varlistentry>
<term>jarfile</term>
<listitem><para>
Same as -Z option.
</para></listitem>
</varlistentry>
<varlistentry>
<term>outfile</term>
<listitem><para>
Name of a file to which output and error messages will be redirected. This option has no command-line equivalent.
</para></listitem></varlistentry></variablelist>
</refsection>
<refsection id="examples">
<title>Extended Examples</title>
<para>The following example will do this and that
</para>
<para><command>Listing Available Signing Certificates</command></para>
<para>You use the -L option to list the nicknames for all available certificates and check which ones are signing certificates.</para>
<programlisting >signtool -L
using certificate directory: /u/jsmith/.netscape
S Certificates
- ------------
BBN Certificate Services CA Root 1
IBM World Registry CA
VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc.
GTE CyberTrust Root CA
Uptime Group Plc. Class 4 CA
* Verisign Object Signing Cert
Integrion CA
GTE CyberTrust Secure Server CA
AT&amp;T Directory Services
* test object signing cert
Uptime Group Plc. Class 1 CA
VeriSign Class 1 Primary CA
- ------------
Certificates that can be used to sign objects have *'s to their left. </programlisting>
<para>Two signing certificates are displayed: Verisign Object Signing Cert and test object signing cert.</para>
<para>You use the -l option to get a list of signing certificates only, including the signing CA for each.</para>
<programlisting >signtool -l
using certificate directory: /u/jsmith/.netscape
Object signing certificates
---------------------------------------
Verisign Object Signing Cert
Issued by: VeriSign, Inc. - Verisign, Inc.
Expires: Tue May 19, 1998
test object signing cert
Issued by: test object signing cert (Signtool 1.0 Testing
Certificate (960187691))
Expires: Sun May 17, 1998
---------------------------------------</programlisting>
<para>For a list including CAs, use the <option>-L</option> option.</para>
<para><command>Signing a File</command></para>
<para>1. Create an empty directory.</para>
<programlisting >mkdir signdir</programlisting>
<para>2. Put some file into it.</para>
<programlisting >echo boo > signdir/test.f</programlisting>
<para>3. Specify the name of your object-signing certificate and sign the directory.</para>
<programlisting >signtool -k MySignCert -Z testjar.jar signdir
using key "MySignCert"
using certificate directory: /u/jsmith/.netscape
Generating signdir/META-INF/manifest.mf file..
--> test.f
adding signdir/test.f to testjar.jar
Generating signtool.sf file..
Enter Password or Pin for "Communicator Certificate DB":
adding signdir/META-INF/manifest.mf to testjar.jar
adding signdir/META-INF/signtool.sf to testjar.jar
adding signdir/META-INF/signtool.rsa to testjar.jar
tree "signdir" signed successfully</programlisting>
<para>4. Test the archive you just created.</para>
<programlisting >signtool -v testjar.jar
using certificate directory: /u/jsmith/.netscape
archive "testjar.jar" has passed crypto verification.
status path
------------ -------------------
verified test.f</programlisting>
<para><command>Using Netscape Signing Tool with a ZIP Utility</command></para>
<para>To use Netscape Signing Tool with a ZIP utility, you must have the utility in your path environment variable. You should use the zip.exe utility rather than pkzip.exe, which cannot handle long filenames. You can use a ZIP utility instead of the -Z option to package a signed archive into a JAR file after you have signed it:</para>
<programlisting >cd signdir
zip -r ../myjar.jar *
adding: META-INF/ (stored 0%)
adding: META-INF/manifest.mf (deflated 15%)
adding: META-INF/signtool.sf (deflated 28%)
adding: META-INF/signtool.rsa (stored 0%)
adding: text.txt (stored 0%)</programlisting>
<para><command>Generating the Keys and Certificate</command></para>
<para>The signtool option -G generates a new public-private key pair and certificate. It takes the nickname of the new certificate as an argument. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.</para>
<para>Certificates contain standard information about the entity they identify, such as the common name and organization name. Netscape Signing Tool prompts you for this information when you run the command with the -G option. However, all of the requested fields are optional for test certificates. If you do not enter a common name, the tool provides a default name. In the following example, the user input is in boldface:</para>
<programlisting >signtool -G MyTestCert
using certificate directory: /u/someuser/.netscape
Enter certificate information. All fields are optional. Acceptable
characters are numbers, letters, spaces, and apostrophes.
certificate common name: Test Object Signing Certificate
organization: Netscape Communications Corp.
organization unit: Server Products Division
state or province: California
country (must be exactly 2 characters): US
username: someuser
email address: someuser@netscape.com
Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
generated public/private key pair
certificate request generated
certificate has been signed
certificate "MyTestCert" added to database
Exported certificate to x509.raw and x509.cacert.</programlisting>
<para>The certificate information is read from standard input. Therefore, the information can be read from a file using the redirection operator (&lt;) in some operating systems. To create a file for this purpose, enter each of the seven input fields, in order, on a separate line. Make sure there is a newline character at the end of the last line. Then run signtool with standard input redirected from your file as follows:</para>
<programlisting >signtool -G MyTestCert inputfile</programlisting>
<para>The prompts show up on the screen, but the responses will be automatically read from the file. The password will still be read from the console unless you use the -p option to give the password on the command line.</para>
<para><command>Using the -M Option to List Smart Cards</command></para>
<para>You can use the -M option to list the PKCS #11 modules, including smart cards, that are available to signtool:</para>
<programlisting >signtool -d "c:\netscape\users\jsmith" -M
using certificate directory: c:\netscape\users\username
Listing of PKCS11 modules
-----------------------------------------------
1. Netscape Internal PKCS #11 Module
(this module is internally loaded)
slots: 2 slots attached
status: loaded
slot: Communicator Internal Cryptographic Services Version 4.0
token: Communicator Generic Crypto Svcs
slot: Communicator User Private Key and Certificate Services
token: Communicator Certificate DB
2. CryptOS
(this is an external module)
DLL name: core32
slots: 1 slots attached
status: loaded
slot: Litronic 210
token:
----------------------------------------------- </programlisting>
<para><command>Using Netscape Signing Tool and a Smart Card to Sign Files</command></para>
<para>The signtool command normally takes an argument of the -k option to specify a signing certificate. To sign with a smart card, you supply only the fully qualified name of the certificate.</para>
<para>To see fully qualified certificate names when you run Communicator, click the Security button in Navigator, then click Yours under Certificates in the left frame. Fully qualified names are of the format smart card:certificate, for example "MyCard:My Signing Cert". You use this name with the -k argument as follows:</para>
<programlisting >signtool -k "MyCard:My Signing Cert" directory</programlisting>
<para><command>Verifying FIPS Mode</command></para>
<para>Use the -M option to verify that you are using the FIPS-140-1 module.</para>
<programlisting >signtool -d "c:\netscape\users\jsmith" -M
using certificate directory: c:\netscape\users\jsmith
Listing of PKCS11 modules
-----------------------------------------------
1. Netscape Internal PKCS #11 Module
(this module is internally loaded)
slots: 2 slots attached
status: loaded
slot: Communicator Internal Cryptographic Services Version 4.0
token: Communicator Generic Crypto Svcs
slot: Communicator User Private Key and Certificate Services
token: Communicator Certificate DB
-----------------------------------------------</programlisting>
<para>This Unix example shows that Netscape Signing Tool is using a FIPS-140-1 module:</para>
<programlisting >signtool -d "c:\netscape\users\jsmith" -M
using certificate directory: c:\netscape\users\jsmith
Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
Listing of PKCS11 modules
-----------------------------------------------
1. Netscape Internal FIPS PKCS #11 Module
(this module is internally loaded)
slots: 1 slots attached
status: loaded
slot: Netscape Internal FIPS-140-1 Cryptographic Services
token: Communicator Certificate DB
-----------------------------------------------</programlisting>
</refsection>
<refsection id="seealso">
<title>See Also</title>
<para>signver (1)</para>
<para>The NSS wiki has information on the new database design and how to configure applications to use it.</para>
<itemizedlist>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
</listitem>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB
</para>
</listitem>
</itemizedlist>
</refsection>
<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
</para>
</refsection>
</refentry>

232
security/nss/doc/signver.xml Normal file
View File

@ -0,0 +1,232 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="signver">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>SIGNVER</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>signver</refname>
<refpurpose>Verify a detached PKCS#7 signature for a file.</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>signtool</command>
<group choice="plain">
<arg choice="plain">-A</arg>
<arg choice="plain">-V</arg>
</group>
<arg choice="plain">-d <replaceable>directory</replaceable></arg>
<arg>-a</arg>
<arg>-i <replaceable>input_file</replaceable></arg>
<arg>-o <replaceable>output_file</replaceable></arg>
<arg>-s <replaceable>signature_file</replaceable></arg>
<arg>-v</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
<title>STATUS</title>
<para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
</para>
</refsection>
<refsection id="description">
<title>Description</title>
<para>The Signature Verification Tool, <command>signver</command>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</para>
</refsection>
<refsection id="options">
<title>Options</title>
<variablelist>
<varlistentry>
<term>-A</term>
<listitem><para>Displays all of the information in the PKCS#7 signature.</para></listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem><para>Verifies the digital signature.</para></listitem>
</varlistentry>
<varlistentry>
<term>-d [sql:]<emphasis>directory</emphasis></term>
<listitem><para>Specify the database directory which contains the certificates and keys.</para>
<para><command>signver</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
</varlistentry>
<varlistentry>
<term>-a</term>
<listitem><para>Sets that the given signature file is in ASCII format.</para></listitem>
</varlistentry>
<varlistentry>
<term>-i <emphasis>input_file</emphasis></term>
<listitem><para>Gives the input file for the object with signed data.</para></listitem>
</varlistentry>
<varlistentry>
<term>-o <emphasis>output_file</emphasis></term>
<listitem><para>Gives the output file to which to write the results.</para></listitem>
</varlistentry>
<varlistentry>
<term>-s <emphasis>signature_file</emphasis></term>
<listitem><para>Gives the input file for the digital signature.</para></listitem>
</varlistentry>
<varlistentry>
<term>-v</term>
<listitem><para>Enables verbose output.</para></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection id="examples">
<title>Extended Examples</title>
<refsection><title>Verifying a Signature</title>
<para>The <option>-V</option> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</para>
<programlisting>signver -V -s <replaceable>signature_file</replaceable> -i <replaceable>signed_file</replaceable> -d sql:/home/my/sharednssdb
signatureValid=yes</programlisting>
</refsection>
<refsection><title>Printing Signature Data</title>
<para>
The <option>-A</option> option prints all of the information contained in a signature file. Using the <option>-o</option> option prints the signature file information to the given output file rather than stdout.
</para>
<programlisting>signver -A -s <replaceable>signature_file</replaceable> -o <replaceable>output_file</replaceable></programlisting>
</refsection>
</refsection>
<refsection id="databases"><title>NSS Database Types</title>
<para>NSS originally used BerkeleyDB databases to store security information.
The last versions of these <emphasis>legacy</emphasis> databases are:</para>
<itemizedlist>
<listitem>
<para>
cert8.db for certificates
</para>
</listitem>
<listitem>
<para>
key3.db for keys
</para>
</listitem>
<listitem>
<para>
secmod.db for PKCS #11 module information
</para>
</listitem>
</itemizedlist>
<para>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has
some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
requires more flexibility to provide a truly shared security database.</para>
<para>In 2009, NSS introduced a new set of databases that are SQLite databases rather than
BerkleyDB. These new databases provide more accessibility and performance:</para>
<itemizedlist>
<listitem>
<para>
cert9.db for certificates
</para>
</listitem>
<listitem>
<para>
key4.db for keys
</para>
</listitem>
<listitem>
<para>
pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
</para>
</listitem>
</itemizedlist>
<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases follow the more common legacy type.
Using the SQLite databases must be manually specified by using the <command>sql:</command> prefix with the given security directory. For example:</para>
<programlisting># signver -A -s <replaceable>signature</replaceable> -d sql:/home/my/sharednssdb</programlisting>
<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
<itemizedlist>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
</listitem>
</itemizedlist>
<para>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</para>
<itemizedlist>
<listitem>
<para>
https://wiki.mozilla.org/NSS_Shared_DB
</para>
</listitem>
</itemizedlist>
</refsection>
<refsection id="seealso">
<title>See Also</title>
<para>signtool (1)</para>
<para>The NSS wiki has information on the new database design and how to configure applications to use it.</para>
<itemizedlist>
<listitem>
<para>Setting up the shared NSS database</para>
<para>https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
</listitem>
<listitem>
<para>
Engineering and technical information about the shared NSS database
</para>
<para>
https://wiki.mozilla.org/NSS_Shared_DB
</para>
</listitem>
</itemizedlist>
</refsection>
<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
</para>
</refsection>
</refentry>

585
security/nss/doc/ssltap.xml Normal file
View File

@ -0,0 +1,585 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="ssltap">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>SSLTAP</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>ssltap</refname>
<refpurpose>Tap into SSL connections and display the data going by </refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>libssltap</command>
<arg choice="opt">-vhfsxl</arg>
<arg choice="opt">-p port</arg>
<arg choice="opt">hostname:port</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
<title>STATUS</title>
<para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
</para>
</refsection>
<refsection id="description">
<title>Description</title>
<para>The SSL Debugging Tool <command>ssltap</command> is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking</para>
</refsection>
<refsection id="options">
<title>Options</title>
<variablelist>
<varlistentry>
<term>-v </term>
<listitem><para>Print a version string for the tool.</para></listitem>
</varlistentry>
<varlistentry>
<term>-h </term>
<listitem><para>
Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-f </term>
<listitem><para>
Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser.
</para></listitem>
</varlistentry>
<varlistentry><term>-s </term>
<listitem>
<para>
Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures.
</para>
<para>
If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate.
</para>
<para>
If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-x </term>
<listitem>
<para>
Turn on hex/ASCII printing of undecoded data inside parsed SSL records. Used only with the -s option.
This option uses the same output format as the -h option.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l prefix</term>
<listitem>
<para>
Turn on looping; that is, continue to accept connections rather than stopping after the first connection is complete.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p port</term>
<listitem>
<para>Change the default rendezvous port (1924) to another port.</para>
<para>The following are well-known port numbers:</para>
<para>
* HTTP 80
</para>
<para>
* HTTPS 443
</para>
<para>
* SMTP 25
</para>
<para>
* FTP 21
</para>
<para>
* IMAP 143
</para>
<para>
* IMAPS 993 (IMAP over SSL)
</para>
<para>
* NNTP 119
</para>
<para>
* NNTPS 563 (NNTP over SSL)
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection id="basic-usage">
<title>Usage and Examples</title>
<para>
You can use the SSL Debugging Tool to intercept any connection information. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful. For example, assume your development machine is called intercept. The simplest way to use the debugging tool is to execute the following command from a command shell:
</para>
<programlisting>$ ssltap www.netscape.com</programlisting>
<para>
The program waits for an incoming connection on the default port 1924. In your browser window, enter the URL http://intercept:1924. The browser retrieves the requested page from the server at www.netscape.com, but the page is intercepted and passed on to the browser by the debugging tool on intercept. On its way to the browser, the data is printed to the command shell from which you issued the command. Data sent from the client to the server is surrounded by the following symbols: --> [ data ] Data sent from the server to the client is surrounded by the following symbols:
"left arrow"-- [ data ] The raw data stream is sent to standard output and is not interpreted in any way. This can result in peculiar effects, such as sounds, flashes, and even crashes of the command shell window. To output a basic, printable interpretation of the data, use the -h option, or, if you are looking at an SSL connection, the -s option. You will notice that the page you retrieved looks incomplete in the browser. This is because, by default, the tool closes down after the first connection is complete, so the browser is not able to load images. To make the tool
continue to accept connections, switch on looping mode with the -l option. The following examples show the output from commonly used combinations of options.
</para>
<para>Example 1 </para>
<programlisting>$ ssltap.exe -sx -p 444 interzone.mcom.com:443 > sx.txt</programlisting>
<para>Output </para>
<programlisting>
Connected to interzone.mcom.com:443
-->; [
alloclen = 66 bytes
[ssl2] ClientHelloV2 {
version = {0x03, 0x00}
cipher-specs-length = 39 (0x27)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x010080) SSL2/RSA/RC4-128/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x040080) SSL2/RSA/RC2CBC40/MD5
(0x060040) SSL2/RSA/DES64CBC/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x000004) SSL3/RSA/RC4-128/MD5
(0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
(0x000009) SSL3/RSA/DES64CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
(0x000006) SSL3/RSA/RC2CBC40/MD5
}
session-id = { }
challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
0x2592 }
}
]
&lt;-- [
SSLRecord {
0: 16 03 00 03 e5 |.....
type = 22 (handshake)
version = { 3,0 }
length = 997 (0x3e5)
handshake {
0: 02 00 00 46 |...F
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 0}
random = {...}
0: 77 8c 6e 26 6c 0c ec c0 d9 58 4f 47 d3 2d 01 45 |
wn&amp;l.ì..XOG.-.E
10: 5c 17 75 43 a7 4c 88 c7 88 64 3c 50 41 48 4f 7f |
\.uC§L.Ç.d&lt;PAHO.
session ID = {
length = 32
contents = {..}
0: 14 11 07 a8 2a 31 91 29 11 94 40 37 57 10 a7 32 | ...¨*1.)..@7W.§2
10: 56 6f 52 62 fe 3d b3 65 b1 e4 13 0f 52 a3 c8 f6 | VoRbþ=³e±...R£È.
}
cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
}
0: 0b 00 02 c5 |...Å
type = 11 (certificate)
length = 709 (0x0002c5)
CertificateChain {
chainlength = 706 (0x02c2)
Certificate {
size = 703 (0x02bf)
data = { saved in file 'cert.001' }
}
}
0: 0c 00 00 ca |....
type = 12 (server_key_exchange)
length = 202 (0x0000ca)
0: 0e 00 00 00 |....
type = 14 (server_hello_done)
length = 0 (0x000000)
}
}
]
--> [
SSLRecord {
0: 16 03 00 00 44 |....D
type = 22 (handshake)
version = { 3,0 }
length = 68 (0x44)
handshake {
0: 10 00 00 40 |...@
type = 16 (client_key_exchange)
length = 64 (0x000040)
ClientKeyExchange {
message = {...}
}
}
}
]
--> [
SSLRecord {
0: 14 03 00 00 01 |.....
type = 20 (change_cipher_spec)
version = { 3,0 }
length = 1 (0x1)
0: 01 |.
}
SSLRecord {
0: 16 03 00 00 38 |....8
type = 22 (handshake)
version = { 3,0 }
length = 56 (0x38)
&lt; encrypted >
}
]
&lt;-- [
SSLRecord {
0: 14 03 00 00 01 |.....
type = 20 (change_cipher_spec)
version = { 3,0 }
length = 1 (0x1)
0: 01 |.
}
]
&lt;-- [
SSLRecord {
0: 16 03 00 00 38 |....8
type = 22 (handshake)
version = { 3,0 }
length = 56 (0x38)
&lt; encrypted >
}
]
--> [
SSLRecord {
0: 17 03 00 01 1f |.....
type = 23 (application_data)
version = { 3,0 }
length = 287 (0x11f)
&lt; encrypted >
}
]
&lt;-- [
SSLRecord {
0: 17 03 00 00 a0 |....
type = 23 (application_data)
version = { 3,0 }
length = 160 (0xa0)
&lt; encrypted >
}
]
&lt;-- [
SSLRecord {
0: 17 03 00 00 df |....ß
type = 23 (application_data)
version = { 3,0 }
length = 223 (0xdf)
&lt; encrypted >
}
SSLRecord {
0: 15 03 00 00 12 |.....
type = 21 (alert)
version = { 3,0 }
length = 18 (0x12)
&lt; encrypted >
}
]
Server socket closed.
</programlisting>
<para>Example 2</para>
<para>
The -s option turns on SSL parsing. Because the -x option is not used in this example, undecoded values are output as raw data. The output is routed to a text file.
</para>
<programlisting>$ ssltap -s -p 444 interzone.mcom.com:443 > s.txt</programlisting>
<para>Output </para>
<programlisting>
Connected to interzone.mcom.com:443
--> [
alloclen = 63 bytes
[ssl2] ClientHelloV2 {
version = {0x03, 0x00}
cipher-specs-length = 36 (0x24)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x010080) SSL2/RSA/RC4-128/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x060040) SSL2/RSA/DES64CBC/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x000004) SSL3/RSA/RC4-128/MD5
(0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
(0x000009) SSL3/RSA/DES64CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
}
session-id = { }
challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
0x3fd0 }
]
&gt;-- [
SSLRecord {
type = 22 (handshake)
version = { 3,0 }
length = 997 (0x3e5)
handshake {
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 0}
random = {...}
session ID = {
length = 32
contents = {..}
}
cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
}
type = 11 (certificate)
length = 709 (0x0002c5)
CertificateChain {
chainlength = 706 (0x02c2)
Certificate {
size = 703 (0x02bf)
data = { saved in file 'cert.001' }
}
}
type = 12 (server_key_exchange)
length = 202 (0x0000ca)
type = 14 (server_hello_done)
length = 0 (0x000000)
}
}
]
--> [
SSLRecord {
type = 22 (handshake)
version = { 3,0 }
length = 68 (0x44)
handshake {
type = 16 (client_key_exchange)
length = 64 (0x000040)
ClientKeyExchange {
message = {...}
}
}
}
]
--> [
SSLRecord {
type = 20 (change_cipher_spec)
version = { 3,0 }
length = 1 (0x1)
}
SSLRecord {
type = 22 (handshake)
version = { 3,0 }
length = 56 (0x38)
&gt; encrypted >
}
]
&gt;-- [
SSLRecord {
type = 20 (change_cipher_spec)
version = { 3,0 }
length = 1 (0x1)
}
]
&gt;-- [
SSLRecord {
type = 22 (handshake)
version = { 3,0 }
length = 56 (0x38)
&gt; encrypted >
}
]
--> [
SSLRecord {
type = 23 (application_data)
version = { 3,0 }
length = 287 (0x11f)
&gt; encrypted >
}
]
[
SSLRecord {
type = 23 (application_data)
version = { 3,0 }
length = 160 (0xa0)
&gt; encrypted >
}
]
&gt;-- [
SSLRecord {
type = 23 (application_data)
version = { 3,0 }
length = 223 (0xdf)
&gt; encrypted >
}
SSLRecord {
type = 21 (alert)
version = { 3,0 }
length = 18 (0x12)
&gt; encrypted >
}
]
Server socket closed.
</programlisting>
<para>Example 3</para>
<para>
In this example, the -h option turns hex/ASCII format. There is no SSL parsing or decoding. The output is routed to a text file.
</para>
<programlisting>$ ssltap -h -p 444 interzone.mcom.com:443 > h.txt</programlisting>
<para>Output </para>
<programlisting>
Connected to interzone.mcom.com:443
--&gt; [
0: 80 40 01 03 00 00 27 00 00 00 10 01 00 80 02 00 | .@....'.........
10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 | .........@......
20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 00 | ........á.......
30: 00 06 9b fe 5b 56 96 49 1f 9f ca dd d5 ba b9 52 | ..þ[V.I.\xd9 ...º¹R
40: 6f 2d |o-
]
&lt;-- [
0: 16 03 00 03 e5 02 00 00 46 03 00 7f e5 0d 1b 1d | ........F.......
10: 68 7f 3a 79 60 d5 17 3c 1d 9c 96 b3 88 d2 69 3b | h.:y`..&lt;..³.Òi;
20: 78 e2 4b 8b a6 52 12 4b 46 e8 c2 20 14 11 89 05 | x.K.¦R.KFè. ...
30: 4d 52 91 fd 93 e0 51 48 91 90 08 96 c1 b6 76 77 | MR.ý..QH.....¶vw
40: 2a f4 00 08 a1 06 61 a2 64 1f 2e 9b 00 03 00 0b | *ô..¡.a¢d......
50: 00 02 c5 00 02 c2 00 02 bf 30 82 02 bb 30 82 02 | ..Å......0...0..
60: 24 a0 03 02 01 02 02 02 01 36 30 0d 06 09 2a 86 | $ .......60...*.
70: 48 86 f7 0d 01 01 04 05 00 30 77 31 0b 30 09 06 | H.÷......0w1.0..
80: 03 55 04 06 13 02 55 53 31 2c 30 2a 06 03 55 04 | .U....US1,0*..U.
90: 0a 13 23 4e 65 74 73 63 61 70 65 20 43 6f 6d 6d | ..#Netscape Comm
a0: 75 6e 69 63 61 74 69 6f 6e 73 20 43 6f 72 70 6f | unications Corpo
b0: 72 61 74 69 6f 6e 31 11 30 0f 06 03 55 04 0b 13 | ration1.0...U...
c0: 08 48 61 72 64 63 6f 72 65 31 27 30 25 06 03 55 | .Hardcore1'0%..U
d0: 04 03 13 1e 48 61 72 64 63 6f 72 65 20 43 65 72 | ....Hardcore Cer
e0: 74 69 66 69 63 61 74 65 20 53 65 72 76 65 72 20 | tificate Server
f0: 49 49 30 1e 17 0d 39 38 30 35 31 36 30 31 30 33 | II0...9805160103
&lt;additional data lines&gt;
]
&lt;additional records in same format&gt;
Server socket closed.
</programlisting>
<para>Example 4</para>
<para>
In this example, the -s option turns on SSL parsing, and the -h option turns on hex/ASCII format.
Both formats are shown for each record. The output is routed to a text file.
</para>
<programlisting>$ ssltap -hs -p 444 interzone.mcom.com:443 > hs.txt</programlisting>
<para>Output </para>
<programlisting>
Connected to interzone.mcom.com:443
--> [
0: 80 3d 01 03 00 00 24 00 00 00 10 01 00 80 02 00 | .=....$.........
10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 | .........@......
20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 03 | ........á.......
30: 55 e6 e4 99 79 c7 d7 2c 86 78 96 5d b5 cf e9 |U..yÇ\xb0 ,.x.]µÏé
alloclen = 63 bytes
[ssl2] ClientHelloV2 {
version = {0x03, 0x00}
cipher-specs-length = 36 (0x24)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x010080) SSL2/RSA/RC4-128/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x040080) SSL2/RSA/RC2CBC40/MD5
(0x060040) SSL2/RSA/DES64CBC/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x000004) SSL3/RSA/RC4-128/MD5
(0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
(0x000009) SSL3/RSA/DES64CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
}
session-id = { }
challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
0xcfe9 }
}
]
&lt;additional records in same formats&gt;
Server socket closed.
</programlisting>
</refsection>
<refsection id="usage-tips">
<title>Usage Tips</title>
<para>
When SSL restarts a previous session, it makes use of cached information to do a partial handshake.
If you wish to capture a full SSL handshake, restart the browser to clear the session id cache.
</para>
<para>
If you run the tool on a machine other than the SSL server to which you are trying to connect,
the browser will complain that the host name you are trying to connect to is different from the certificate.
If you are using the default BadCert callback, you can still connect through a dialog. If you are not using
the default BadCert callback, the one you supply must allow for this possibility.
</para>
</refsection>
<refsection id="seealso">
<title>See Also</title>
<para>The NSS Security Tools are also documented at <ulink url="http://www.mozilla.org/projects/security/pki/nss/tools">http://www.mozilla.org/projects/security/pki/nss/</ulink>.</para>
</refsection>
<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
</para>
</refsection>
</refentry>

234
security/nss/doc/vfychain.xml Normal file
View File

@ -0,0 +1,234 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="vfychain">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>VFYCHAIN</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>vfychain </refname>
<refpurpose>vfychain [options] [revocation options] certfile [[options] certfile] ...</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>vfychain</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
<title>STATUS</title>
<para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
</para>
</refsection>
<refsection id="description">
<title>Description</title>
<para>The verification Tool, <command>vfychain</command>, verifies certificate chains. <command>modutil</command> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</para>
<para>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</para>
</refsection>
<refsection id="options">
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>-a</option></term>
<listitem>
<simpara>the following certfile is base64 encoded</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-b </option> <replaceable>YYMMDDHHMMZ</replaceable></term>
<listitem>
<simpara>Validate date (default: now)</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-d </option> <replaceable>directory</replaceable></term> <listitem>
<simpara>database directory</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-f </option> </term>
<listitem>
<simpara>Enable cert fetching from AIA URL</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-o </option> <replaceable>oid</replaceable></term>
<listitem>
<simpara>Set policy OID for cert validation(Format OID.1.2.3)</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-p </option></term>
<listitem>
<simpara>Use PKIX Library to validate certificate by calling:</simpara>
<simpara> * CERT_VerifyCertificate if specified once,</simpara>
<simpara> * CERT_PKIXVerifyCert if specified twice and more.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-r </option></term>
<listitem>
<simpara>Following certfile is raw binary DER (default)</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-t</option></term>
<listitem>
<simpara>Following cert is explicitly trusted (overrides db trust)</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-u </option> <replaceable>usage</replaceable></term>
<listitem>
<para>
0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA,
4=Email signer, 5=Email recipient, 6=Object signer,
9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-T </option></term>
<listitem>
<simpara>Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only trust certificates marked -t, if there are any, or to trust the database if there are certificates marked -t.)
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-v </option></term>
<listitem>
<simpara>Verbose mode. Prints root cert subject(double the
argument for whole root cert info)
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-w </option> <replaceable>password</replaceable></term>
<listitem>
<simpara>Database password</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-W </option> <replaceable>pwfile</replaceable></term>
<listitem>
<simpara>Password file</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option></option></term>
<listitem>
<simpara>Revocation options for PKIX API (invoked with -pp options) is a
collection of the following flags:
[-g type [-h flags] [-m type [-s flags]] ...] ...</simpara>
<simpara>Where: </simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-g </option> <replaceable>test-type</replaceable></term>
<listitem>
<simpara>Sets status checking test type. Possible values
are "leaf" or "chain"
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-g </option> <replaceable>test type</replaceable></term>
<listitem>
<simpara>Sets status checking test type. Possible values
are "leaf" or "chain".
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-h </option> <replaceable>test flags</replaceable></term>
<listitem>
<simpara>Sets revocation flags for the test type it
follows. Possible flags: "testLocalInfoFirst" and
"requireFreshInfo".
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-m </option> <replaceable>method type</replaceable></term>
<listitem>
<simpara>Sets method type for the test type it follows.
Possible types are "crl" and "ocsp".
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-s </option> <replaceable>method flags</replaceable></term>
<listitem>
<simpara>Sets revocation flags for the method it follows.
Possible types are "doNotUse", "forbidFetching",
"ignoreDefaultSrc", "requireInfo" and "failIfNoInfo".
</simpara>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
</para>
</refsection>
</refentry>

87
security/nss/doc/vfyserv.xml Normal file
View File

@ -0,0 +1,87 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="vfyserv">
<refentryinfo>
<date>&date;</date>
<title>NSS Security Tools</title>
<productname>nss-tools</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>VFYSERV</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>vfyserv </refname>
<refpurpose>TBD</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>vfyserv</command>
</cmdsynopsis>
</refsynopsisdiv>
<refsection>
<title>STATUS</title>
<para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
</para>
</refsection>
<refsection id="description">
<title>Description</title>
<para>The <command>vfyserv </command> tool verifies a certificate chain</para>
</refsection>
<refsection id="options">
<title>Options</title>
<variablelist>
<varlistentry>
<term><option></option> <replaceable></replaceable></term>
<listitem>
<simpara></simpara>
<simpara></simpara>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<!-- don't change -->
<refsection id="resources">
<title>Additional Resources</title>
<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
<para>IRC: Freenode at #dogtag-pki</para>
</refsection>
<!-- fill in your name first; keep the other names for reference -->
<refsection id="authors">
<title>Authors</title>
<para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, version 1.1,
and/or the GNU General Public License, version 2 or later,
and/or the GNU Lesser General Public License, version 2.1 or later.
</para>
</refsection>
</refentry>

35
security/nss/lib/freebl/Makefile
View File

@ -180,7 +180,7 @@ endif # Darwin
ifeq ($(OS_TARGET),Linux)
ifeq ($(CPU_ARCH),x86_64)
ASFILES = arcfour-amd64-gas.s mpi_amd64_gas.s
ASFLAGS += -march=opteron -m64 -fPIC -Wa,--noexecstack
ASFLAGS += -m64 -fPIC -Wa,--noexecstack
DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
DEFINES += -DNSS_USE_COMBA
DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
@ -188,16 +188,8 @@ ifeq ($(CPU_ARCH),x86_64)
# comment the next two lines to turn off intel HW accelleration
DEFINES += -DUSE_HW_AES
ASFILES += intel-aes.s intel-gcm.s
# The integrated assembler in Clang 3.0 does not support % in the
# expression of a .set directive. intel-gcm.s uses .set to give
# symbolic names to registers, for example,
# .set Htbl, %rdi
# So we can't use Clang's integrated assembler with intel-gcm.s.
ifneq (,$(findstring clang,$(AS)))
ASFLAGS += -no-integrated-as
endif
EXTRA_SRCS += intel-gcm-wrap.c
INTEL_GCM=1
EXTRA_SRCS += intel-gcm-wrap.c
INTEL_GCM = 1
MPI_SRCS += mpi_amd64.c mp_comba.c
endif
ifeq ($(CPU_ARCH),x86)
@ -453,8 +445,8 @@ else
# comment the next two lines to turn off intel HW accelleration
DEFINES += -DUSE_HW_AES
ASFILES += intel-aes.s intel-gcm.s
EXTRA_SRCS += intel-gcm-wrap.c
INTEL_GCM=1
EXTRA_SRCS += intel-gcm-wrap.c
INTEL_GCM = 1
MPI_SRCS += mpi_amd64.c
else
# Solaris x86
@ -658,13 +650,16 @@ endif
ifdef INTEL_GCM
#
# GCM binary needs -msse4
# GCM binary needs -mssse3
#
$(OBJDIR)/$(PROG_PREFIX)intel-gcm-wrap$(OBJ_SUFFIX): intel-gcm-wrap.c
@$(MAKE_OBJDIR)
ifdef NEED_ABSOLUTE_PATH
$(CC) -o $@ -c -mssse3 $(CFLAGS) $(call core_abspath,$<)
else
$(CC) -o $@ -c -mssse3 $(CFLAGS) $<
$(OBJDIR)/$(PROG_PREFIX)intel-gcm-wrap$(OBJ_SUFFIX): CFLAGS += -mssse3
# The integrated assembler in Clang 3.2 does not support % in the
# expression of a .set directive. intel-gcm.s uses .set to give
# symbolic names to registers, for example,
# .set Htbl, %rdi
# So we can't use Clang's integrated assembler with intel-gcm.s.
ifneq (,$(findstring clang,$(AS)))
$(OBJDIR)/$(PROG_PREFIX)intel-gcm$(OBJ_SUFFIX): ASFLAGS += -no-integrated-as
endif
endif

1
security/nss/lib/freebl/intel-gcm-wrap.c
View File

@ -1,6 +1,7 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* Copyright(c) 2013, Intel Corp. */
/* Wrapper funcions for Intel optimized implementation of AES-GCM */

21
security/nss/lib/freebl/intel-gcm.h
View File

@ -1,3 +1,24 @@
/******************************************************************************/
/* LICENSE: */
/* This submission to NSS is to be made available under the terms of the */
/* Mozilla Public License, v. 2.0. You can obtain one at http: */
/* //mozilla.org/MPL/2.0/. */
/******************************************************************************/
/* Copyright(c) 2013, Intel Corp. */
/******************************************************************************/
/* Reference: */
/* [1] Shay Gueron, Michael E. Kounavis: Intel® Carry-Less Multiplication */
/* Instruction and its Usage for Computing the GCM Mode (Rev. 2.01) */
/* http://software.intel.com/sites/default/files/article/165685/clmul-wp-r*/
/*ev-2.01-2012-09-21.pdf */
/* [2] S. Gueron, M. E. Kounavis: Efficient Implementation of the Galois */
/* Counter Mode Using a Carry-less Multiplier and a Fast Reduction */
/* Algorithm. Information Processing Letters 110: 549553 (2010). */
/* [3] S. Gueron: AES Performance on the 2nd Generation Intel® Core™ Processor*/
/* Family (to be posted) (2012). */
/* [4] S. Gueron: Fast GHASH computations for speeding up AES-GCM (to be */
/* published) (2012). */
#ifndef INTEL_GCM_H
#define INTEL_GCM_H 1

7
security/nss/lib/freebl/intel-gcm.s
View File

@ -1,4 +1,9 @@
# LICENSE:
# This submission to NSS is to be made available under the terms of the
# Mozilla Public License, v. 2.0. You can obtain one at http:
# //mozilla.org/MPL/2.0/.
################################################################################
# Copyright(c) 2012, Intel Corp.
.align 16
.Lone:

6
security/nss/lib/nss/nss.h
View File

@ -4,7 +4,7 @@
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/* $Id: nss.h,v 1.101 2012/12/10 23:39:39 wtc%google.com Exp $ */
/* $Id: nss.h,v 1.102 2013/01/31 22:47:08 kaie%kuix.de Exp $ */
#ifndef __nss_h_
#define __nss_h_
@ -34,12 +34,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.14.2.0" _NSS_ECC_STRING _NSS_CUSTOMIZED " Beta"
#define NSS_VERSION "3.14.2.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 14
#define NSS_VPATCH 2
#define NSS_VBUILD 0
#define NSS_BETA PR_TRUE
#define NSS_BETA PR_FALSE
#ifndef RC_INVOKED

2
security/nss/lib/smime/smime.def
View File

@ -267,7 +267,7 @@ NSSSMIME_GetVersion;
;+ local:
;+ *;
;+};
;+NSS_3.14.2 { # NSS 3.14.2 release
;+NSS_3.14.3 { # NSS 3.14.3 release
;+ global:
SEC_PKCS7VerifyDetachedSignatureAtTime;
;+ local:

4
security/nss/lib/softoken/softkver.h
View File

@ -25,11 +25,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.14.2.0" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VERSION "3.14.2.0" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 14
#define SOFTOKEN_VPATCH 2
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_TRUE
#define SOFTOKEN_BETA PR_FALSE
#endif /* _SOFTKVER_H_ */

4
security/nss/lib/util/nssutil.h
View File

@ -19,12 +19,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.14.2.0 Beta"
#define NSSUTIL_VERSION "3.14.2.0"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 14
#define NSSUTIL_VPATCH 2
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_TRUE
#define NSSUTIL_BETA PR_FALSE
SEC_BEGIN_PROTOS

2
security/patches/bug-834091.patch
View File

@ -208,7 +208,7 @@ diff -u -8 -p -r1.39 smime.def
;+ local:
;+ *;
;+};
+;+NSS_3.14.2 { # NSS 3.14.2 release
+;+NSS_3.14.3 { # NSS 3.14.3 release
+;+ global:
+SEC_PKCS7VerifyDetachedSignatureAtTime;
+;+ local: