diff options
| author | Elio Maldonado <emaldona@redhat.com> | 2014-06-05 17:04:58 -0700 |
|---|---|---|
| committer | Elio Maldonado <emaldona@redhat.com> | 2014-06-05 17:04:58 -0700 |
| commit | 06250dcc37e837980ceb5de6c8396179d5a54aec (patch) | |
| tree | 59cbff1464b20c73769ca26197becee68de5c44b | |
| parent | 93b0fcd04f2baf8f5f57b334e34b30e31033a97c (diff) | |
| download | nss-hg-06250dcc37e837980ceb5de6c8396179d5a54aec.tar.gz | |
Bug 1007126 - various flaws in the man pages, r=rrelyea
| -rw-r--r-- | doc/certutil.xml | 12 | ||||
| -rw-r--r-- | doc/cmsutil.xml | 24 | ||||
| -rw-r--r-- | doc/crlutil.xml | 83 | ||||
| -rw-r--r-- | doc/html/certutil.html | 10 | ||||
| -rw-r--r-- | doc/html/cmsutil.html | 9 | ||||
| -rw-r--r-- | doc/html/crlutil.html | 39 | ||||
| -rw-r--r-- | doc/html/modutil.html | 12 | ||||
| -rw-r--r-- | doc/html/pk12util.html | 25 | ||||
| -rw-r--r-- | doc/html/pp.html | 6 | ||||
| -rw-r--r-- | doc/html/signtool.html | 40 | ||||
| -rw-r--r-- | doc/html/signver.html | 8 | ||||
| -rw-r--r-- | doc/html/ssltap.html | 27 | ||||
| -rw-r--r-- | doc/html/vfychain.html | 2 | ||||
| -rw-r--r-- | doc/html/vfyserv.html | 2 | ||||
| -rw-r--r-- | doc/modutil.xml | 8 | ||||
| -rw-r--r-- | doc/nroff/certutil.1 | 20 | ||||
| -rw-r--r-- | doc/nroff/cmsutil.1 | 17 | ||||
| -rw-r--r-- | doc/nroff/crlutil.1 | 61 | ||||
| -rw-r--r-- | doc/nroff/modutil.1 | 18 | ||||
| -rw-r--r-- | doc/nroff/pk12util.1 | 127 | ||||
| -rw-r--r-- | doc/nroff/pp.1 | 4 | ||||
| -rw-r--r-- | doc/nroff/signtool.1 | 26 | ||||
| -rw-r--r-- | doc/nroff/signver.1 | 8 | ||||
| -rw-r--r-- | doc/nroff/ssltap.1 | 50 | ||||
| -rw-r--r-- | doc/nroff/vfychain.1 | 4 | ||||
| -rw-r--r-- | doc/nroff/vfyserv.1 | 4 | ||||
| -rw-r--r-- | doc/pk12util.xml | 208 | ||||
| -rw-r--r-- | doc/signtool.xml | 93 | ||||
| -rw-r--r-- | doc/signver.xml | 2 | ||||
| -rw-r--r-- | doc/ssltap.xml | 60 |
30 files changed, 464 insertions, 545 deletions
diff --git a/doc/certutil.xml b/doc/certutil.xml index a86e954f7..872806797 100644 --- a/doc/certutil.xml +++ b/doc/certutil.xml @@ -196,10 +196,10 @@ If this option is not used, the validity check defaults to the current system ti <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para> <para>NSS recognizes the following prefixes:</para> <itemizedlist> - <listitem><para><command>sql: requests the newer database</command></para></listitem> - <listitem><para><command>dbm: requests the legacy database</command></para></listitem> + <listitem><para><command>sql:</command> requests the newer database</para></listitem> + <listitem><para><command>dbm:</command> requests the legacy database</para></listitem> </itemizedlist> - <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</para> + <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <command>dbm:</command> is the default.</para> </listitem> </varlistentry> @@ -432,11 +432,11 @@ of the attribute codes: <varlistentry> <term>-1 | --keyUsage keyword,keyword</term> - <listitem><para>Set a Netscape Certificate Type Extension in the certificate. There are several available keywords:</para> + <listitem><para>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</para> <itemizedlist> <listitem> <para> - digital signature + digitalSignature </para> </listitem> <listitem> @@ -498,7 +498,7 @@ of the attribute codes: <varlistentry> <term>-5 | --nsCertType keyword,keyword</term> - <listitem><para>Add a Netscape certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para> + <listitem><para>Add an X.509 V3 certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para> <itemizedlist> <listitem> <para> diff --git a/doc/cmsutil.xml b/doc/cmsutil.xml index ba45b99fd..c7d2408d3 100644 --- a/doc/cmsutil.xml +++ b/doc/cmsutil.xml @@ -62,16 +62,16 @@ The options and arguments for the cmsutil command are defined as follows: </para> <variablelist> <varlistentry> - <term>-D </term> - <listitem><para>Decode a message.</para></listitem> - </varlistentry> - - <varlistentry> <term>-C</term> <listitem><para>Encrypt a message.</para></listitem> </varlistentry> <varlistentry> + <term>-D </term> + <listitem><para>Decode a message.</para></listitem> + </varlistentry> + + <varlistentry> <term>-E </term> <listitem><para>Envelope a message.</para></listitem> </varlistentry> @@ -267,23 +267,11 @@ cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [ </refsection> - <refsection> + <refsection id="seealso"> <title>See also</title> <para>certutil(1)</para> </refsection> - - <refsection id="seealso"> - <title>See Also</title> - <para></para> - <para> - </para> - <para> - </para> - <para> - </para> - </refsection> - <!-- don't change --> <refsection id="resources"> <title>Additional Resources</title> diff --git a/doc/crlutil.xml b/doc/crlutil.xml index a6dddd4d6..e77570e2d 100644 --- a/doc/crlutil.xml +++ b/doc/crlutil.xml @@ -76,15 +76,6 @@ The options and arguments for the crlutil command are defined as follows: <variablelist> <varlistentry> - <term>-G </term> - <listitem> - <para> -Create new Certificate Revocation List(CRL). - </para> - </listitem> - </varlistentry> - - <varlistentry> <term>-D </term> <listitem> <para> @@ -93,40 +84,38 @@ Delete Certificate Revocation List from cert database. </listitem> </varlistentry> - <varlistentry> - <term>-I </term> + <term>-E </term> <listitem> <para> -Import a CRL to the cert database +Erase all CRLs of specified type from the cert database </para> </listitem> </varlistentry> <varlistentry> - <term>-E </term> + <term>-G </term> <listitem> <para> -Erase all CRLs of specified type from the cert database +Create new Certificate Revocation List (CRL). </para> </listitem> </varlistentry> - <varlistentry> - <term>-L </term> + <term>-I </term> <listitem> <para> -List existing CRL located in cert database file. +Import a CRL to the cert database </para> </listitem> </varlistentry> <varlistentry> - <term>-S </term> + <term>-L </term> <listitem> <para> -Show contents of a CRL file which isn't stored in the database. +List existing CRL located in cert database file. </para> </listitem> </varlistentry> @@ -141,43 +130,34 @@ Modify existing CRL which can be located in cert db or in arbitrary file. If loc </varlistentry> <varlistentry> - <term>-G </term> + <term>-S </term> <listitem> <para> - +Show contents of a CRL file which isn't stored in the database. </para> </listitem> </varlistentry> </variablelist> <para><command>Arguments</command></para> - <para>Option arguments modify an action and are lowercase.</para> + <para>Option arguments modify an action.</para> <variablelist> <varlistentry> - <term>-B </term> - <listitem> - <para> -Bypass CA signature checks. - </para> - </listitem> - </varlistentry> - - <varlistentry> - <term>-P dbprefix </term> + <term>-a </term> <listitem> <para> -Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. +Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113. </para> </listitem> </varlistentry> <varlistentry> - <term>-a </term> + <term>-B </term> <listitem> <para> -Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113. +Bypass CA signature checks. </para> </listitem> </varlistentry> @@ -204,19 +184,19 @@ The NSS database files must reside in the same directory. </varlistentry> <varlistentry> - <term>-i crl-file </term> + <term>-f password-file </term> <listitem> <para> -Specify the file which contains the CRL to import or show. +Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file. </para> </listitem> </varlistentry> <varlistentry> - <term>-f password-file </term> + <term>-i crl-file </term> <listitem> <para> -Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file. +Specify the file which contains the CRL to import or show. </para> </listitem> </varlistentry> @@ -249,6 +229,15 @@ Specify the output file name for new CRL. Bracket the output-file string with qu </varlistentry> <varlistentry> + <term>-P dbprefix </term> + <listitem> + <para> +Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>-t crl-type </term> <listitem> <para> @@ -355,7 +344,7 @@ Implemented Extensions * Add The Authority Key Identifier extension: </para> <para> - The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL. +The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL. </para> <para> authKeyId critical [key-id | dn cert-serial] @@ -504,21 +493,9 @@ crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbpr </programlisting> </refsection> - <refsection> - <title>See also</title> - <para>certutil(1)</para> - </refsection> - - <refsection id="seealso"> <title>See Also</title> - <para></para> - <para> - </para> - <para> - </para> - <para> - </para> + <para>certutil(1)</para> </refsection> <!-- don't change --> diff --git a/doc/html/certutil.html b/doc/html/certutil.html index 34430f2c4..c99513fcb 100644 --- a/doc/html/certutil.html +++ b/doc/html/certutil.html @@ -1,4 +1,4 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm229558164448"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> +<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CERTUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CERTUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CERTUTIL</th></tr></table><hr></div><div class="refentry"><a name="certutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>certutil — Manage keys and certificate in both NSS databases and other NSS tokens</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">certutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm233261230240"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Database Tool, <span class="command"><strong>certutil</strong></span>, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.</p><p>Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the <span class="command"><strong>modutil</strong></span> manpage.</p></div><div class="refsection"><a name="options"></a><h2>Command Options and Arguments</h2><p>Running <span class="command"><strong>certutil</strong></span> always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option <code class="option">-H</code> will list all the command options and their relevant arguments.</p><p><span class="command"><strong>Command Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A </span></dt><dd><p>Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.</p></dd><dt><span class="term">-B</span></dt><dd><p>Run a series of commands from the specified batch file. This requires the <code class="option">-i</code> argument.</p></dd><dt><span class="term">-C </span></dt><dd><p>Create a new binary certificate file from a binary certificate request file. Use the <code class="option">-i</code> argument to specify the certificate request file. If this argument is not used, <span class="command"><strong>certutil</strong></span> prompts for a filename. </p></dd><dt><span class="term">-D </span></dt><dd><p>Delete a certificate from the certificate database.</p></dd><dt><span class="term">-E </span></dt><dd><p>Add an email certificate to the certificate database.</p></dd><dt><span class="term">-F</span></dt><dd><p>Delete a private key from a key database. Specify the key to delete with the -n argument. Specify the database from which to delete the key with the <code class="option">-d</code> argument. Use the <code class="option">-k</code> argument to specify explicitly whether to delete a DSA, RSA, or ECC key. If you don't use the <code class="option">-k</code> argument, the option looks for an RSA key matching the specified nickname. </p><p> @@ -10,7 +10,7 @@ For certificate requests, ASCII output defaults to standard output unless redire </p><p> If this option is not used, the validity check defaults to the current system time.</p></dd><dt><span class="term">-c issuer</span></dt><dd><p>Identify the certificate of the CA from which a new certificate will derive its authenticity. Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string - with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql: requests the newer database</strong></span></p></li><li class="listitem"><p><span class="command"><strong>dbm: requests the legacy database</strong></span></p></li></ul></div><p>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">--email email-address</span></dt><dd><p>Specify the email address of a certificate to list. Used with the -L command option.</p></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate + with quotation marks if it contains spaces. </p></dd><dt><span class="term">-d [prefix]directory</span></dt><dd><p>Specify the database directory containing the certificate and key database files.</p><p><span class="command"><strong>certutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). </p><p>NSS recognizes the following prefixes:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="command"><strong>sql:</strong></span> requests the newer database</p></li><li class="listitem"><p><span class="command"><strong>dbm:</strong></span> requests the legacy database</p></li></ul></div><p>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <span class="command"><strong>dbm:</strong></span> is the default.</p></dd><dt><span class="term">-e </span></dt><dd><p>Check a certificate's signature during the process of validating a certificate.</p></dd><dt><span class="term">--email email-address</span></dt><dd><p>Specify the email address of a certificate to list. Used with the -L command option.</p></dd><dt><span class="term">-f password-file</span></dt><dd><p>Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.</p></dd><dt><span class="term">-g keysize</span></dt><dd><p>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of a token to use or act on. If not specified the default token is the internal database slot.</p></dd><dt><span class="term">-i input_file</span></dt><dd><p>Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.</p></dd><dt><span class="term">-k key-type-or-id</span></dt><dd><p>Specify the type or specific ID of a key.</p><p> The valid key type options are rsa, dsa, ec, or all. The default @@ -59,8 +59,8 @@ of the attribute codes: the certificate or adding it to a database. Express the offset in integers, using a minus sign (-) to indicate a negative offset. If this argument is not used, the validity period begins at the current system time. The length - of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set a Netscape Certificate Type Extension in the certificate. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> - digital signature + of the validity period is set with the -v argument. </p></dd><dt><span class="term">-X </span></dt><dd><p>Force the key and certificate database to open in read-write mode. This is used with the <code class="option">-U</code> and <code class="option">-L</code> command options.</p></dd><dt><span class="term">-x </span></dt><dd><p>Use <span class="command"><strong>certutil</strong></span> to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.</p></dd><dt><span class="term">-y exp</span></dt><dd><p>Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.</p></dd><dt><span class="term">-z noise-file</span></dt><dd><p>Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.</p></dd><dt><span class="term">-0 SSO_password</span></dt><dd><p>Set a site security officer password on a token.</p></dd><dt><span class="term">-1 | --keyUsage keyword,keyword</span></dt><dd><p>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + digitalSignature </p></li><li class="listitem"><p> nonRepudiation </p></li><li class="listitem"><p> @@ -75,7 +75,7 @@ of the attribute codes: crlSigning </p></li><li class="listitem"><p> critical - </p></li></ul></div></dd><dt><span class="term">-2 </span></dt><dd><p>Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. <span class="command"><strong>certutil</strong></span> prompts for the certificate constraint extension to select.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-3 </span></dt><dd><p>Add an authority key ID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. The Certificate Database Tool will prompt you to select the authority key ID extension.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-4 </span></dt><dd><p>Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). <span class="command"><strong>certutil</strong></span> prompts for the URL.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-5 | --nsCertType keyword,keyword</span></dt><dd><p>Add a Netscape certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> + </p></li></ul></div></dd><dt><span class="term">-2 </span></dt><dd><p>Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. <span class="command"><strong>certutil</strong></span> prompts for the certificate constraint extension to select.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-3 </span></dt><dd><p>Add an authority key ID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. The Certificate Database Tool will prompt you to select the authority key ID extension.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-4 </span></dt><dd><p>Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). <span class="command"><strong>certutil</strong></span> prompts for the URL.</p><p>X.509 certificate extensions are described in RFC 5280.</p></dd><dt><span class="term">-5 | --nsCertType keyword,keyword</span></dt><dd><p>Add an X.509 V3 certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> sslClient </p></li><li class="listitem"><p> sslServer diff --git a/doc/html/cmsutil.html b/doc/html/cmsutil.html index 2b5249cad..1bed3fe6f 100644 --- a/doc/html/cmsutil.html +++ b/doc/html/cmsutil.html @@ -1,4 +1,4 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CMSUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CMSUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CMSUTIL</th></tr></table><hr></div><div class="refentry"><a name="cmsutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>cmsutil — Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">cmsutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm207695361776"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> +<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CMSUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CMSUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CMSUTIL</th></tr></table><hr></div><div class="refentry"><a name="cmsutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>cmsutil — Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">cmsutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm233266717696"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The <span class="command"><strong>cmsutil</strong></span> command-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages. </p><p> To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section. @@ -8,7 +8,7 @@ To see a usage string, issue the command without options. </p><p><span class="command"><strong>Options</strong></span></p><p> Options specify an action. Option arguments modify an action. The options and arguments for the cmsutil command are defined as follows: - </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-D </span></dt><dd><p>Decode a message.</p></dd><dt><span class="term">-C</span></dt><dd><p>Encrypt a message.</p></dd><dt><span class="term">-E </span></dt><dd><p>Envelope a message.</p></dd><dt><span class="term">-O </span></dt><dd><p>Create a certificates-only message.</p></dd><dt><span class="term">-S </span></dt><dd><p>Sign a message.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Option arguments modify an action.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-b </span></dt><dd><p>Decode a batch of files named in infile.</p></dd><dt><span class="term">-c content </span></dt><dd><p>Use this detached content (decode only).</p></dd><dt><span class="term">-d dbdir</span></dt><dd><p>Specify the key/certificate database directory (default is ".")</p></dd><dt><span class="term">-e envfile</span></dt><dd><p>Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).</p></dd><dt><span class="term">-f pwfile</span></dt><dd><p>Use password file to set password on all PKCS#11 tokens.</p></dd><dt><span class="term">-G</span></dt><dd><p>Include a signing time attribute (sign only).</p></dd><dt><span class="term">-H hash</span></dt><dd><p>Use specified hash algorithm (default:SHA1).</p></dd><dt><span class="term">-h num</span></dt><dd><p>Generate email headers with info about CMS message (decode only).</p></dd><dt><span class="term">-i infile</span></dt><dd><p>Use infile as a source of data (default is stdin).</p></dd><dt><span class="term">-k</span></dt><dd><p>Keep decoded encryption certs in permanent cert db.</p></dd><dt><span class="term">-N nickname</span></dt><dd><p>Specify nickname of certificate to sign with (sign only).</p></dd><dt><span class="term">-n </span></dt><dd><p>Suppress output of contents (decode only).</p></dd><dt><span class="term">-o outfile</span></dt><dd><p>Use outfile as a destination of data (default is stdout).</p></dd><dt><span class="term">-P</span></dt><dd><p>Include an S/MIME capabilities attribute.</p></dd><dt><span class="term">-p password</span></dt><dd><p>Use password as key database password.</p></dd><dt><span class="term">-r recipient1,recipient2, ...</span></dt><dd><p> + </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-C</span></dt><dd><p>Encrypt a message.</p></dd><dt><span class="term">-D </span></dt><dd><p>Decode a message.</p></dd><dt><span class="term">-E </span></dt><dd><p>Envelope a message.</p></dd><dt><span class="term">-O </span></dt><dd><p>Create a certificates-only message.</p></dd><dt><span class="term">-S </span></dt><dd><p>Sign a message.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Option arguments modify an action.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-b </span></dt><dd><p>Decode a batch of files named in infile.</p></dd><dt><span class="term">-c content </span></dt><dd><p>Use this detached content (decode only).</p></dd><dt><span class="term">-d dbdir</span></dt><dd><p>Specify the key/certificate database directory (default is ".")</p></dd><dt><span class="term">-e envfile</span></dt><dd><p>Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).</p></dd><dt><span class="term">-f pwfile</span></dt><dd><p>Use password file to set password on all PKCS#11 tokens.</p></dd><dt><span class="term">-G</span></dt><dd><p>Include a signing time attribute (sign only).</p></dd><dt><span class="term">-H hash</span></dt><dd><p>Use specified hash algorithm (default:SHA1).</p></dd><dt><span class="term">-h num</span></dt><dd><p>Generate email headers with info about CMS message (decode only).</p></dd><dt><span class="term">-i infile</span></dt><dd><p>Use infile as a source of data (default is stdin).</p></dd><dt><span class="term">-k</span></dt><dd><p>Keep decoded encryption certs in permanent cert db.</p></dd><dt><span class="term">-N nickname</span></dt><dd><p>Specify nickname of certificate to sign with (sign only).</p></dd><dt><span class="term">-n </span></dt><dd><p>Suppress output of contents (decode only).</p></dd><dt><span class="term">-o outfile</span></dt><dd><p>Use outfile as a destination of data (default is stdout).</p></dd><dt><span class="term">-P</span></dt><dd><p>Include an S/MIME capabilities attribute.</p></dd><dt><span class="term">-p password</span></dt><dd><p>Use password as key database password.</p></dd><dt><span class="term">-r recipient1,recipient2, ...</span></dt><dd><p> Specify list of recipients (email addresses) for an encrypted or enveloped message. For certificates-only message, list of certificates to send. </p></dd><dt><span class="term">-T</span></dt><dd><p>Suppress content in CMS message (sign only).</p></dd><dt><span class="term">-u certusage</span></dt><dd><p>Set type of cert usage (default is certUsageEmailSigner).</p></dd><dt><span class="term">-v</span></dt><dd><p>Print debugging information.</p></dd><dt><span class="term">-Y ekprefnick</span></dt><dd><p>Specify an encryption key preference by nickname.</p></dd></dl></div></div><div class="refsection"><a name="usage"></a><h2>Usage</h2><p>Encrypt Example</p><pre class="programlisting"> @@ -21,10 +21,7 @@ cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,reci cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ." </pre><p>Sign Message Example</p><pre class="programlisting"> cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick] - </pre></div><div class="refsection"><a name="idm207694289248"></a><h2>See also</h2><p>certutil(1)</p></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p></p><p> - </p><p> - </p><p> - </p></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p> + </pre></div><div class="refsection"><a name="seealso"></a><h2>See also</h2><p>certutil(1)</p></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p> Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. </p></div></div><div class="navfooter"><hr></div></body></html> diff --git a/doc/html/crlutil.html b/doc/html/crlutil.html index 3f39545e6..c27a06e78 100644 --- a/doc/html/crlutil.html +++ b/doc/html/crlutil.html @@ -1,6 +1,6 @@ <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>CRLUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="CRLUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">CRLUTIL</th></tr></table><hr></div><div class="refentry"><a name="crlutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>crlutil — List, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL. - </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">crlutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm207693223392"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> + </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">crlutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm233261315520"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Certificate Revocation List (CRL) Management Tool, <span class="command"><strong>crlutil</strong></span>, is a command-line utility that can list, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL. </p><p> The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database(see certutil tool) and continues with certificates expiration or revocation. @@ -16,44 +16,42 @@ where options and arguments are combinations of the options and arguments listed </p><p><span class="command"><strong>Options</strong></span></p><p> Options specify an action. Option arguments modify an action. The options and arguments for the crlutil command are defined as follows: - </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-G </span></dt><dd><p> -Create new Certificate Revocation List(CRL). - </p></dd><dt><span class="term">-D </span></dt><dd><p> + </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-D </span></dt><dd><p> Delete Certificate Revocation List from cert database. - </p></dd><dt><span class="term">-I </span></dt><dd><p> -Import a CRL to the cert database </p></dd><dt><span class="term">-E </span></dt><dd><p> Erase all CRLs of specified type from the cert database + </p></dd><dt><span class="term">-G </span></dt><dd><p> +Create new Certificate Revocation List (CRL). + </p></dd><dt><span class="term">-I </span></dt><dd><p> +Import a CRL to the cert database </p></dd><dt><span class="term">-L </span></dt><dd><p> List existing CRL located in cert database file. - </p></dd><dt><span class="term">-S </span></dt><dd><p> -Show contents of a CRL file which isn't stored in the database. </p></dd><dt><span class="term">-M </span></dt><dd><p> Modify existing CRL which can be located in cert db or in arbitrary file. If located in file it should be encoded in ASN.1 encode format. - </p></dd><dt><span class="term">-G </span></dt><dd><p> - - </p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Option arguments modify an action and are lowercase.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-B </span></dt><dd><p> -Bypass CA signature checks. - </p></dd><dt><span class="term">-P dbprefix </span></dt><dd><p> -Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. - </p></dd><dt><span class="term">-a </span></dt><dd><p> + </p></dd><dt><span class="term">-S </span></dt><dd><p> +Show contents of a CRL file which isn't stored in the database. + </p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><p>Option arguments modify an action.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-a </span></dt><dd><p> Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113. + </p></dd><dt><span class="term">-B </span></dt><dd><p> +Bypass CA signature checks. </p></dd><dt><span class="term">-c crl-gen-file </span></dt><dd><p> Specify script file that will be used to control crl generation/modification. See crl-cript-file format below. If options -M|-G is used and -c crl-script-file is not specified, crlutil will read script data from standard input. </p></dd><dt><span class="term">-d directory </span></dt><dd><p> Specify the database directory containing the certificate and key database files. On Unix the Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape). On Windows NT the default is the current directory. </p><p> The NSS database files must reside in the same directory. - </p></dd><dt><span class="term">-i crl-file </span></dt><dd><p> -Specify the file which contains the CRL to import or show. </p></dd><dt><span class="term">-f password-file </span></dt><dd><p> Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file. + </p></dd><dt><span class="term">-i crl-file </span></dt><dd><p> +Specify the file which contains the CRL to import or show. </p></dd><dt><span class="term">-l algorithm-name </span></dt><dd><p> Specify a specific signature algorithm. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512 </p></dd><dt><span class="term">-n nickname </span></dt><dd><p> Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces. </p></dd><dt><span class="term">-o output-file </span></dt><dd><p> Specify the output file name for new CRL. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output. + </p></dd><dt><span class="term">-P dbprefix </span></dt><dd><p> +Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. </p></dd><dt><span class="term">-t crl-type </span></dt><dd><p> Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 - SEC_CRL_TYPE. This option is obsolete </p></dd><dt><span class="term">-u url </span></dt><dd><p> @@ -103,7 +101,7 @@ Implemented Extensions </p><p> * Add The Authority Key Identifier extension: </p><p> - The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL. +The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL. </p><p> authKeyId critical [key-id | dn cert-serial] </p><p> @@ -200,10 +198,7 @@ crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbpr * Import CRL from file: </p><pre class="programlisting"> crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B] - </pre></div><div class="refsection"><a name="idm207692123648"></a><h2>See also</h2><p>certutil(1)</p></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p></p><p> - </p><p> - </p><p> - </p></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p> + </pre></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>certutil(1)</p></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p> Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. </p></div></div><div class="navfooter"><hr></div></body></html> diff --git a/doc/html/modutil.html b/doc/html/modutil.html index e67fde2a0..5c53b0a62 100644 --- a/doc/html/modutil.html +++ b/doc/html/modutil.html @@ -1,7 +1,7 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>MODUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="MODUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">MODUTIL</th></tr></table><hr></div><div class="refentry"><a name="modutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>modutil — Manage PKCS #11 module information within the security module database.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">modutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm224666099264"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> +<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>MODUTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="MODUTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">MODUTIL</th></tr></table><hr></div><div class="refentry"><a name="modutil"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>modutil — Manage PKCS #11 module information within the security module database.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">modutil</code> [<em class="replaceable"><code>options</code></em>] [[<em class="replaceable"><code>arguments</code></em>]]</p></div></div><div class="refsection"><a name="idm233245929376"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Security Module Database Tool, <span class="command"><strong>modutil</strong></span>, is a command-line utility for managing PKCS #11 module information both within <code class="filename">secmod.db</code> files and within hardware tokens. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><p> Running <span class="command"><strong>modutil</strong></span> always requires one (and only one) option to specify the type of module operation. Each option may take arguments, anywhere from none to multiple arguments. - </p><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-add modulename</span></dt><dd><p>Add the named PKCS #11 module to the database. Use this option with the <code class="option">-libfile</code>, <code class="option">-ciphers</code>, and <code class="option">-mechanisms</code> arguments.</p></dd><dt><span class="term">-changepw tokenname</span></dt><dd><p>Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the <code class="option">-pwfile</code> and <code class="option">-newpwfile</code> arguments. A <span class="emphasis"><em>password</em></span> is equivalent to a personal identification number (PIN).</p></dd><dt><span class="term">-chkfips</span></dt><dd><p>Verify whether the module is in the given FIPS mode. <span class="command"><strong>true</strong></span> means to verify that the module is in FIPS mode, while <span class="command"><strong>false</strong></span> means to verify that the module is not in FIPS mode.</p></dd><dt><span class="term">-create</span></dt><dd><p>Create new certificate, key, and module databases. Use the <code class="option">-dbdir</code> directory argument to specify a directory. If any of these databases already exist in a specified directory, <span class="command"><strong>modutil</strong></span> returns an error message.</p></dd><dt><span class="term">-default modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd><dt><span class="term">-delete modulename</span></dt><dd><p>Delete the named module. The default NSS PKCS #11 module cannot be deleted.</p></dd><dt><span class="term">-disable modulename</span></dt><dd><p>Disable all slots on the named module. Use the <code class="option">-slot</code> argument to disable a specific slot.</p></dd><dt><span class="term">-enable modulename</span></dt><dd><p>Enable all slots on the named module. Use the <code class="option">-slot</code> argument to enable a specific slot.</p></dd><dt><span class="term">-fips [true | false]</span></dt><dd><p>Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.</p></dd><dt><span class="term">-force</span></dt><dd><p>Disable <span class="command"><strong>modutil</strong></span>'s interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.</p></dd><dt><span class="term">-jar JAR-file</span></dt><dd><p>Add a new PKCS #11 module to the database using the named JAR file. Use this command with the <code class="option">-installdir</code> and <code class="option">-tempdir</code> arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with <span class="command"><strong>modutil</strong></span>. </p></dd><dt><span class="term">-list [modulename]</span></dt><dd><p>Display basic information about the contents of the <code class="filename">secmod.db</code> file. Specifying a <span class="emphasis"><em>modulename</em></span> displays detailed information about a particular module and its slots and tokens.</p></dd><dt><span class="term">-rawadd</span></dt><dd><p>Add the module spec string to the <code class="filename">secmod.db</code> database.</p></dd><dt><span class="term">-rawlist</span></dt><dd><p>Display the module specs for a specified module or for all loadable modules.</p></dd><dt><span class="term">-undefault modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">MODULE</span></dt><dd><p>Give the security module to access.</p></dd><dt><span class="term">MODULESPEC</span></dt><dd><p>Give the security module spec to load into the security database.</p></dd><dt><span class="term">-ciphers cipher-enable-list</span></dt><dd><p>Enable specific ciphers in a module that is being added to the database. The <span class="emphasis"><em>cipher-enable-list</em></span> is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.</p></dd><dt><span class="term">-dbdir [sql:]directory</span></dt><dd><p>Specify the database directory in which to access or create security module database files.</p><p><span class="command"><strong>modutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">--dbprefix prefix</span></dt><dd><p>Specify the prefix used on the database files, such as <code class="filename">my_</code> for <code class="filename">my_cert8.db</code>. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-installdir root-installation-directory</span></dt><dd><p>Specify the root installation directory relative to which files will be installed by the <code class="option">-jar</code> option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.</p></dd><dt><span class="term">-libfile library-file</span></dt><dd><p>Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.</p></dd><dt><span class="term">-mechanisms mechanism-list</span></dt><dd><p>Specify the security mechanisms for which a particular module will be flagged as a default provider. The <span class="emphasis"><em>mechanism-list</em></span> is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.</p><p>The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.</p><p><span class="command"><strong>modutil</strong></span> supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).</p></dd><dt><span class="term">-newpwfile new-password-file</span></dt><dd><p>Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the <code class="option">-changepw</code> option.</p></dd><dt><span class="term">-nocertdb</span></dt><dd><p>Do not open the certificate or key databases. This has several effects:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>With the <code class="option">-create</code> command, only a module security file is created; certificate and key databases are not created.</p></li><li class="listitem"><p>With the <code class="option">-jar</code> command, signatures on the JAR file are not checked.</p></li><li class="listitem"><p>With the <code class="option">-changepw</code> command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.</p></li></ul></div></dd><dt><span class="term">-pwfile old-password-file</span></dt><dd><p>Specify a text file containing a token's existing password so that a password can be entered automatically when the <code class="option">-changepw</code> option is used to change passwords.</p></dd><dt><span class="term">-secmod secmodname</span></dt><dd><p>Give the name of the security module database (like <code class="filename">secmod.db</code>) to load.</p></dd><dt><span class="term">-slot slotname</span></dt><dd><p>Specify a particular slot to be enabled or disabled with the <code class="option">-enable</code> or <code class="option">-disable</code> options.</p></dd><dt><span class="term">-string CONFIG_STRING</span></dt><dd><p>Pass a configuration string for the module being added to the database.</p></dd><dt><span class="term">-tempdir temporary-directory</span></dt><dd><p>Give a directory location where temporary files are created during the installation by the <code class="option">-jar</code> option. If no temporary directory is specified, the current directory is used.</p></dd></dl></div></div><div class="refsection"><a name="usage-and-examples"></a><h2>Usage and Examples</h2><p><span class="command"><strong>Creating Database Files</strong></span></p><p>Before any operations can be performed, there must be a set of security databases available. <span class="command"><strong>modutil</strong></span> can be used to create these files. The only required argument is the database that where the databases will be located.</p><pre class="programlisting">modutil -create -dbdir [sql:]directory</pre><p><span class="command"><strong>Adding a Cryptographic Module</strong></span></p><p>Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through <span class="command"><strong>modutil</strong></span> directly or by running a JAR file and install script. For the most basic case, simply upload the library:</p><pre class="programlisting">modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] </pre><p>For example: + </p><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-add modulename</span></dt><dd><p>Add the named PKCS #11 module to the database. Use this option with the <code class="option">-libfile</code>, <code class="option">-ciphers</code>, and <code class="option">-mechanisms</code> arguments.</p></dd><dt><span class="term">-changepw tokenname</span></dt><dd><p>Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the <code class="option">-pwfile</code> and <code class="option">-newpwfile</code> arguments. A <span class="emphasis"><em>password</em></span> is equivalent to a personal identification number (PIN).</p></dd><dt><span class="term">-chkfips</span></dt><dd><p>Verify whether the module is in the given FIPS mode. <span class="command"><strong>true</strong></span> means to verify that the module is in FIPS mode, while <span class="command"><strong>false</strong></span> means to verify that the module is not in FIPS mode.</p></dd><dt><span class="term">-create</span></dt><dd><p>Create new certificate, key, and module databases. Use the <code class="option">-dbdir</code> directory argument to specify a directory. If any of these databases already exist in a specified directory, <span class="command"><strong>modutil</strong></span> returns an error message.</p></dd><dt><span class="term">-default modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd><dt><span class="term">-delete modulename</span></dt><dd><p>Delete the named module. The default NSS PKCS #11 module cannot be deleted.</p></dd><dt><span class="term">-disable modulename</span></dt><dd><p>Disable all slots on the named module. Use the <code class="option">-slot</code> argument to disable a specific slot.</p><p>The internal NSS PKCS #11 module cannot be disabled.</p></dd><dt><span class="term">-enable modulename</span></dt><dd><p>Enable all slots on the named module. Use the <code class="option">-slot</code> argument to enable a specific slot.</p></dd><dt><span class="term">-fips [true | false]</span></dt><dd><p>Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.</p></dd><dt><span class="term">-force</span></dt><dd><p>Disable <span class="command"><strong>modutil</strong></span>'s interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.</p></dd><dt><span class="term">-jar JAR-file</span></dt><dd><p>Add a new PKCS #11 module to the database using the named JAR file. Use this command with the <code class="option">-installdir</code> and <code class="option">-tempdir</code> arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with <span class="command"><strong>modutil</strong></span>. </p></dd><dt><span class="term">-list [modulename]</span></dt><dd><p>Display basic information about the contents of the <code class="filename">secmod.db</code> file. Specifying a <span class="emphasis"><em>modulename</em></span> displays detailed information about a particular module and its slots and tokens.</p></dd><dt><span class="term">-rawadd</span></dt><dd><p>Add the module spec string to the <code class="filename">secmod.db</code> database.</p></dd><dt><span class="term">-rawlist</span></dt><dd><p>Display the module specs for a specified module or for all loadable modules.</p></dd><dt><span class="term">-undefault modulename</span></dt><dd><p>Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the <code class="option">-mechanisms</code> argument.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">MODULE</span></dt><dd><p>Give the security module to access.</p></dd><dt><span class="term">MODULESPEC</span></dt><dd><p>Give the security module spec to load into the security database.</p></dd><dt><span class="term">-ciphers cipher-enable-list</span></dt><dd><p>Enable specific ciphers in a module that is being added to the database. The <span class="emphasis"><em>cipher-enable-list</em></span> is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.</p></dd><dt><span class="term">-dbdir [sql:]directory</span></dt><dd><p>Specify the database directory in which to access or create security module database files.</p><p><span class="command"><strong>modutil</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">--dbprefix prefix</span></dt><dd><p>Specify the prefix used on the database files, such as <code class="filename">my_</code> for <code class="filename">my_cert8.db</code>. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-installdir root-installation-directory</span></dt><dd><p>Specify the root installation directory relative to which files will be installed by the <code class="option">-jar</code> option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.</p></dd><dt><span class="term">-libfile library-file</span></dt><dd><p>Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.</p></dd><dt><span class="term">-mechanisms mechanism-list</span></dt><dd><p>Specify the security mechanisms for which a particular module will be flagged as a default provider. The <span class="emphasis"><em>mechanism-list</em></span> is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.</p><p>The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.</p><p><span class="command"><strong>modutil</strong></span> supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).</p></dd><dt><span class="term">-newpwfile new-password-file</span></dt><dd><p>Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the <code class="option">-changepw</code> option.</p></dd><dt><span class="term">-nocertdb</span></dt><dd><p>Do not open the certificate or key databases. This has several effects:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>With the <code class="option">-create</code> command, only a module security file is created; certificate and key databases are not created.</p></li><li class="listitem"><p>With the <code class="option">-jar</code> command, signatures on the JAR file are not checked.</p></li><li class="listitem"><p>With the <code class="option">-changepw</code> command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.</p></li></ul></div></dd><dt><span class="term">-pwfile old-password-file</span></dt><dd><p>Specify a text file containing a token's existing password so that a password can be entered automatically when the <code class="option">-changepw</code> option is used to change passwords.</p></dd><dt><span class="term">-secmod secmodname</span></dt><dd><p>Give the name of the security module database (like <code class="filename">secmod.db</code>) to load.</p></dd><dt><span class="term">-slot slotname</span></dt><dd><p>Specify a particular slot to be enabled or disabled with the <code class="option">-enable</code> or <code class="option">-disable</code> options.</p></dd><dt><span class="term">-string CONFIG_STRING</span></dt><dd><p>Pass a configuration string for the module being added to the database.</p></dd><dt><span class="term">-tempdir temporary-directory</span></dt><dd><p>Give a directory location where temporary files are created during the installation by the <code class="option">-jar</code> option. If no temporary directory is specified, the current directory is used.</p></dd></dl></div></div><div class="refsection"><a name="usage-and-examples"></a><h2>Usage and Examples</h2><p><span class="command"><strong>Creating Database Files</strong></span></p><p>Before any operations can be performed, there must be a set of security databases available. <span class="command"><strong>modutil</strong></span> can be used to create these files. The only required argument is the database that where the databases will be located.</p><pre class="programlisting">modutil -create -dbdir [sql:]directory</pre><p><span class="command"><strong>Adding a Cryptographic Module</strong></span></p><p>Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through <span class="command"><strong>modutil</strong></span> directly or by running a JAR file and install script. For the most basic case, simply upload the library:</p><pre class="programlisting">modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] </pre><p>For example: </p><pre class="programlisting">modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM Using database directory ... @@ -211,7 +211,8 @@ MD2: 0x00000400 RANDOM: 0x08000000 FRIENDLY: 0x10000000 OWN_PW_DEFAULTS: 0x20000000 -DISABLE: 0x40000000</pre><p><span class="command"><strong>CipherEnableFlags</strong></span> specifies ciphers that this module provides that NSS does not provide (so that the module enables those ciphers for NSS). This is equivalent to the <code class="option">-cipher</code> argument with the <code class="option">-add</code> command. This key is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR. If the <span class="command"><strong>CipherEnableFlags</strong></span> entry is omitted, the value defaults to 0x0.</p><p><span class="command"><strong>EquivalentPlatform</strong></span> specifies that the attributes of the named platform should also be used for the current platform. This makes it easier when more than one platform uses the same settings.</p><p><span class="command"><strong>Per-File Keys</strong></span></p><p>Some keys have meaning only within the value list of an entry in a <span class="command"><strong>Files</strong></span> list.</p><p>Each file requires a path key the identifies where the file is. Either <span class="command"><strong>RelativePath</strong></span> or <span class="command"><strong>AbsolutePath</strong></span> must be specified. If both are specified, the relative path is tried first, and the absolute path is used only if no relative root directory is provided by the installer program.</p><p><span class="command"><strong>RelativePath</strong></span> specifies the destination directory of the file, relative to some directory decided at install time. Two variables can be used in the relative path: <span class="command"><strong>%root%</strong></span> and <span class="command"><strong>%temp%</strong></span>. <span class="command"><strong>%root%</strong></span> is replaced at run time with the directory relative to which files should be installed; for example, it may be the server's root directory. The <span class="command"><strong>%temp%</strong></span> directory is created at the beginning of the installation and destroyed at the end. The purpose of <span class="command"><strong>%temp%</strong></span> is to hold executable files (such as setup programs) or files that are used by these programs. Files destined for the temporary directory are guaranteed to be in place before any executable file is run; they are not deleted until all executable files have finished.</p><p><span class="command"><strong>AbsolutePath</strong></span> specifies the destination directory of the file as an absolute path. </p><p><span class="command"><strong>Executable</strong></span> specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.</p><p><span class="command"><strong>FilePermissions</strong></span> sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.</p><pre class="programlisting">user read: 0400 +DISABLE: 0x40000000</pre><p><span class="command"><strong>CipherEnableFlags</strong></span> specifies ciphers that this module provides that NSS does not provide (so that the module enables those ciphers for NSS). This is equivalent to the <code class="option">-cipher</code> argument with the <code class="option">-add</code> command. This key is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR. If the <span class="command"><strong>CipherEnableFlags</strong></span> entry is omitted, the value defaults to 0x0.</p><p><span class="command"><strong>EquivalentPlatform</strong></span> specifies that the attributes of the named platform should also be used for the current platform. This makes it easier when more than one platform uses the same settings.</p><p><span class="command"><strong>Per-File Keys</strong></span></p><p>Some keys have meaning only within the value list of an entry in a <span class="command"><strong>Files</strong></span> list.</p><p>Each file requires a path key the identifies where the file is. Either <span class="command"><strong>RelativePath</strong></span> or <span class="command"><strong>AbsolutePath</strong></span> must be specified. If both are specified, the relative path is tried first, and the absolute path is used only if no relative root directory is provided by the installer program.</p><p><span class="command"><strong>RelativePath</strong></span> specifies the destination directory of the file, relative to some directory decided at install time. Two variables can be used in the relative path: <span class="command"><strong>%root%</strong></span> and <span class="command"><strong>%temp%</strong></span>. <span class="command"><strong>%root%</strong></span> is replaced at run time with the directory relative to which files should be installed; for example, it may be the server's root directory. The <span class="command"><strong>%temp%</strong></span> directory is created at the beginning of the installation and destroyed at the end. The purpose of <span class="command"><strong>%temp%</strong></span> is to hold executable files (such as setup programs) or files that are used by these programs. Files destined for the temporary directory are guaranteed to be in place before any executable file is run; they are not deleted until all executable files have finished.</p><p><span class="command"><strong>AbsolutePath</strong></span> specifies the destination directory of the file as an absolute path. </p><p><span class="command"><strong>Executable</strong></span> specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.</p><p><span class="command"><strong>FilePermissions</strong></span> sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.</p><pre class="programlisting"> +user read: 0400 user write: 0200 user execute: 0100 group read: 0040 @@ -219,7 +220,8 @@ group write: 0020 group execute: 0010 other read: 0004 other write: 0002 -other execute: 0001</pre><p>Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.</p></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. +other execute: 0001 +</pre><p>Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.</p></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> cert8.db for certificates </p></li><li class="listitem"><p> @@ -236,7 +238,7 @@ BerkleyDB. These new databases provide more accessibility and performance:</p><d </p></li><li class="listitem"><p> pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory </p></li></ul></div><p>Because the SQLite databases are designed to be shared, these are the <span class="emphasis"><em>shared</em></span> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</p><p>By default, the tools (<span class="command"><strong>certutil</strong></span>, <span class="command"><strong>pk12util</strong></span>, <span class="command"><strong>modutil</strong></span>) assume that the given security databases follow the more common legacy type. -Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting">modutil -create -dbdir sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be set added to the <code class="filename">~/.bashrc</code> file to make the change permanent.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> +Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting">modutil -create -dbdir sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be added to the <code class="filename">~/.bashrc</code> file to make the change permanent for the user.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li></ul></div><p>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> https://wiki.mozilla.org/NSS_Shared_DB </p></li></ul></div></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>certutil (1)</p><p>pk12util (1)</p><p>signtool (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> diff --git a/doc/html/pk12util.html b/doc/html/pk12util.html index 2663bcf45..fe516dd83 100644 --- a/doc/html/pk12util.html +++ b/doc/html/pk12util.html @@ -1,13 +1,9 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code> [-i p12File [-h tokenname] [-v] [common-options] ] [ - -l p12File [-h tokenname] [-r] [common-options] ] [ - -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [common-options] ] [ - -common-options are: -[-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] - ]</p></div></div><div class="refsection"><a name="idm224682436944"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> - </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS#12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS#12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS#12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case. - Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the key cert (overall package) encryption algorithm.</p></dd><dt><span class="term">-m | --key-len keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS#12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token). - </p><pre class="programlisting">pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example:</p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb +<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PK12UTIL</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PK12UTIL"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PK12UTIL</th></tr></table><hr></div><div class="refentry"><a name="pk12util"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pk12util</code> [-i p12File|-l p12File|-o p12File] [-d [sql:]directory] [-h tokenname] [-P dbprefix] [-r] [-v] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p></div></div><div class="refsection"><a name="idm233250345408"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> + </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The PKCS #12 utility, <span class="command"><strong>pk12util</strong></span>, enables sharing certificates among any server that supports PKCS#12. The tool can import certificates and keys from PKCS#12 files into security databases, export certificates, and list certificates and keys.</p></div><div class="refsection"><a name="options"></a><h2>Options and Arguments</h2><p><span class="command"><strong>Options</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-i p12file</span></dt><dd><p>Import keys and certificates from a PKCS#12 file into a security database.</p></dd><dt><span class="term">-l p12file</span></dt><dd><p>List the keys and certificates in PKCS#12 file.</p></dd><dt><span class="term">-o p12file</span></dt><dd><p>Export keys and certificates from the security database to a PKCS#12 file.</p></dd></dl></div><p><span class="command"><strong>Arguments</strong></span></p><div class="variablelist"><dl class="variablelist"><dt><span class="term">-c keyCipher</span></dt><dd><p>Specify the key encryption algorithm.</p></dd><dt><span class="term">-C certCipher</span></dt><dd><p>Specify the key cert (overall package) encryption algorithm.</p></dd><dt><span class="term">-d [sql:]directory</span></dt><dd><p>Specify the database directory into which to import to or export from certificates and keys.</p><p><span class="command"><strong>pk12util</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-h tokenname</span></dt><dd><p>Specify the name of the token to import into or export from.</p></dd><dt><span class="term">-k slotPasswordFile</span></dt><dd><p>Specify the text file containing the slot's password.</p></dd><dt><span class="term">-K slotPassword</span></dt><dd><p>Specify the slot's password.</p></dd><dt><span class="term">-m | --key-len keyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the private key.</p></dd><dt><span class="term">-n | --cert-key-len certKeyLength</span></dt><dd><p>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</p></dd><dt><span class="term">-n certname</span></dt><dd><p>Specify the nickname of the cert and private key to export.</p></dd><dt><span class="term">-P prefix</span></dt><dd><p>Specify the prefix used on the certificate and key databases. This option is provided as a special case. + Changing the names of the certificate and key databases is not recommended.</p></dd><dt><span class="term">-r</span></dt><dd><p>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</p></dd><dt><span class="term">-v </span></dt><dd><p>Enable debug logging when importing.</p></dd><dt><span class="term">-w p12filePasswordFile</span></dt><dd><p>Specify the text file containing the pkcs #12 file password.</p></dd><dt><span class="term">-W p12filePassword</span></dt><dd><p>Specify the pkcs #12 file password.</p></dd></dl></div></div><div class="refsection"><a name="return-codes"></a><h2>Return Codes</h2><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> 0 - No error</p></li><li class="listitem"><p> 1 - User Cancelled</p></li><li class="listitem"><p> 2 - Usage error</p></li><li class="listitem"><p> 6 - NLS init error</p></li><li class="listitem"><p> 8 - Certificate DB open error</p></li><li class="listitem"><p> 9 - Key DB open error</p></li><li class="listitem"><p> 10 - File initialization error</p></li><li class="listitem"><p> 11 - Unicode conversion error</p></li><li class="listitem"><p> 12 - Temporary file creation error</p></li><li class="listitem"><p> 13 - PKCS11 get slot error</p></li><li class="listitem"><p> 14 - PKCS12 decoder start error</p></li><li class="listitem"><p> 15 - error read from import file</p></li><li class="listitem"><p> 16 - pkcs12 decode error</p></li><li class="listitem"><p> 17 - pkcs12 decoder verify error</p></li><li class="listitem"><p> 18 - pkcs12 decoder validate bags error</p></li><li class="listitem"><p> 19 - pkcs12 decoder import bags error</p></li><li class="listitem"><p> 20 - key db conversion version 3 to version 2 error</p></li><li class="listitem"><p> 21 - cert db conversion version 7 to version 5 error</p></li><li class="listitem"><p> 22 - cert and key dbs patch error</p></li><li class="listitem"><p> 23 - get default cert db error</p></li><li class="listitem"><p> 24 - find cert by nickname error</p></li><li class="listitem"><p> 25 - create export context error</p></li><li class="listitem"><p> 26 - PKCS12 add password itegrity error</p></li><li class="listitem"><p> 27 - cert and key Safes creation error</p></li><li class="listitem"><p> 28 - PKCS12 add cert and key error</p></li><li class="listitem"><p> 29 - PKCS12 encode error</p></li></ul></div></div><div class="refsection"><a name="examples"></a><h2>Examples</h2><p><span class="command"><strong>Importing Keys and Certificates</strong></span></p><p>The most basic usage of <span class="command"><strong>pk12util</strong></span> for importing a certificate or key is the PKCS#12 input file (<code class="option">-i</code>) and some way to specify the security database being accessed (either <code class="option">-d</code> for a directory or <code class="option">-h</code> for a token). + </p><p> + pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] + </p><p>For example:</p><p> </p><pre class="programlisting"># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, @@ -17,10 +13,10 @@ Enter new password: Re-enter password: Enter password for PKCS12 file: pk12util: PKCS12 IMPORT SUCCESSFUL</pre><p><span class="command"><strong>Exporting Keys and Certificates</strong></span></p><p>Using the <span class="command"><strong>pk12util</strong></span> command to export certificates and keys requires both the name of the certificate to extract from the database (<code class="option">-n</code>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. - </p><pre class="programlisting">pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example:</p><pre class="programlisting"># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb + </p><p>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p><p>For example:</p><pre class="programlisting"># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb Enter password for PKCS12 file: Re-enter password: </pre><p><span class="command"><strong>Listing Keys and Certificates</strong></span></p><p>The information in a <code class="filename">.p12</code> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <code class="filename">.p12</code> file. - </p><pre class="programlisting">pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</pre><p>For example, this prints the default ASCII output:</p><pre class="programlisting"># pk12util -l certs.p12 + </p><p>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</p><p>For example, this prints the default ASCII output:</p><pre class="programlisting"># pk12util -l certs.p12 Enter password for PKCS12 file: Key(shrouded): @@ -39,7 +35,7 @@ Certificate: Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T own,ST=Western Cape,C=ZA" -....</pre><p>Alternatively, the <code class="option">-r</code> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <code class="filename">.p12</code> files. Each certificate is written to a sequentially-number file, beginning with <code class="filename">file0001.der</code> and continuing through <code class="filename">file000N.der</code>, incrementing the number for every certificate:</p><pre class="programlisting"># pk12util -l test.p12 -r + </pre><p>Alternatively, the <code class="option">-r</code> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <code class="filename">.p12</code> files. Each certificate is written to a sequentially-number file, beginning with <code class="filename">file0001.der</code> and continuing through <code class="filename">file000N.der</code>, incrementing the number for every certificate:</p><pre class="programlisting">pk12util -l test.p12 -r Enter password for PKCS12 file: Key(shrouded): Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID @@ -51,7 +47,8 @@ Key(shrouded): Iteration Count: 1 (0x1) Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting -Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID</pre></div><div class="refsection"><a name="encryption"></a><h2>Password Encryption</h2><p>PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</strong></span> for private key encryption. <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 40 Bit RC4</strong></span> is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.</p><p>The private key is always protected with strong encryption by default.</p><p>Several types of ciphers are supported.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Symmetric CBC ciphers for PKCS#5 V2</span></dt><dd><p>DES_CBC</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>RC2-CBC</p></li><li class="listitem"><p>RC5-CBCPad</p></li><li class="listitem"><p>DES-EDE3-CBC (the default for key encryption)</p></li><li class="listitem"><p>AES-128-CBC</p></li><li class="listitem"><p>AES-192-CBC</p></li><li class="listitem"><p>AES-256-CBC</p></li><li class="listitem"><p>CAMELLIA-128-CBC</p></li><li class="listitem"><p>CAMELLIA-192-CBC</p></li><li class="listitem"><p>CAMELLIA-256-CBC</p></li></ul></div></dd><dt><span class="term">PKCS#12 PBE ciphers</span></dt><dd><p>PKCS #12 PBE with Sha1 and 128 Bit RC4</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC4</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and Triple DES CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</p></li></ul></div></dd><dt><span class="term">PKCS#5 PBE ciphers</span></dt><dd><p>PKCS #5 Password Based Encryption with MD2 and DES CBC</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #5 Password Based Encryption with MD5 and DES CBC</p></li><li class="listitem"><p>PKCS #5 Password Based Encryption with SHA1 and DES CBC</p></li></ul></div></dd></dl></div><p>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <span class="emphasis"><em>no security module can perform the requested operation</em></span>.</p></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. +Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID + </pre></div><div class="refsection"><a name="encryption"></a><h2>Password Encryption</h2><p>PKCS#12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS#12 file and, optionally, the entire package. If no algorithm is specified, the tool defaults to using <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</strong></span> for private key encryption. <span class="command"><strong>PKCS12 V2 PBE with SHA1 and 40 Bit RC4</strong></span> is the default for the overall package encryption when not in FIPS mode. When in FIPS mode, there is no package encryption.</p><p>The private key is always protected with strong encryption by default.</p><p>Several types of ciphers are supported.</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Symmetric CBC ciphers for PKCS#5 V2</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>DES-CBC</p></li><li class="listitem"><p>RC2-CBC</p></li><li class="listitem"><p>RC5-CBCPad</p></li><li class="listitem"><p>DES-EDE3-CBC (the default for key encryption)</p></li><li class="listitem"><p>AES-128-CBC</p></li><li class="listitem"><p>AES-192-CBC</p></li><li class="listitem"><p>AES-256-CBC</p></li><li class="listitem"><p>CAMELLIA-128-CBC</p></li><li class="listitem"><p>CAMELLIA-192-CBC</p></li><li class="listitem"><p>CAMELLIA-256-CBC</p></li></ul></div></dd><dt><span class="term">PKCS#12 PBE ciphers</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #12 PBE with Sha1 and 128 Bit RC4</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC4</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and Triple DES CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</p></li><li class="listitem"><p>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</p></li></ul></div></dd><dt><span class="term">PKCS#5 PBE ciphers</span></dt><dd><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>PKCS #5 Password Based Encryption with MD2 and DES CBC</p></li><li class="listitem"><p>PKCS #5 Password Based Encryption with MD5 and DES CBC</p></li><li class="listitem"><p>PKCS #5 Password Based Encryption with SHA1 and DES CBC</p></li></ul></div></dd></dl></div><p>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <span class="emphasis"><em>no security module can perform the requested operation</em></span>.</p></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> cert8.db for certificates </p></li><li class="listitem"><p> diff --git a/doc/html/pp.html b/doc/html/pp.html index 5b2e2348a..4407ef72b 100644 --- a/doc/html/pp.html +++ b/doc/html/pp.html @@ -1,7 +1,7 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idm224681757664"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> - </p></div><div class="refsection"><a name="idm224678000880"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request, +<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>PP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="PP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">PP</th></tr></table><hr></div><div class="refentry"><a name="pp"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>pp — Prints certificates, keys, crls, and pkcs7 files</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">pp -t type [-a] [-i input] [-o output]</code> </p></div></div><div class="refsection"><a name="idm233254308544"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> + </p></div><div class="refsection"><a name="idm233250605968"></a><h2>Description</h2><p><span class="command"><strong>pp </strong></span>pretty-prints private and public key, certificate, certificate-request, pkcs7 or crl files - </p></div><div class="refsection"><a name="idm224677998992"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p> + </p></div><div class="refsection"><a name="idm233250603984"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-t </code> <em class="replaceable"><code>type</code></em></span></dt><dd><p class="simpara">specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | crl}</p><p class="simpara"></p></dd><dt><span class="term"><code class="option">-a </code></span></dt><dd>Input is in ascii encoded form (RFC1113)</dd><dt><span class="term"><code class="option">-i </code> <em class="replaceable"><code>inputfile</code></em></span></dt><dd>Define an input file to use (default is stdin)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>outputfile</code></em></span></dt><dd>Define an output file to use (default is stdout)</dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at <a class="ulink" href="http://pki.fedoraproject.org/wiki/" target="_top">PKI Wiki</a>. </p><p>For information specifically about NSS, the NSS project wiki is located at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">Mozilla NSS site</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: pki-devel@redhat.com and pki-users@redhat.com</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p> Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. </p></div></div><div class="navfooter"><hr></div></body></html> diff --git a/doc/html/signtool.html b/doc/html/signtool.html index 1e33a4717..84568e17c 100644 --- a/doc/html/signtool.html +++ b/doc/html/signtool.html @@ -1,4 +1,4 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>signtool</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="signtool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">signtool</th></tr></table><hr></div><div class="refentry"><a name="signtool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signtool — Digitally sign objects and files.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> [-k keyName] [[-h]] [[-H]] [[-l]] [[-L]] [[-M]] [[-v]] [[-w]] [[-G nickname]] [[--keysize | -s size]] [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o] ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ] [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ] [directory-tree] [archive]</p></div></div><div class="refsection"><a name="idm224666150896"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> +<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>signtool</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="signtool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">signtool</th></tr></table><hr></div><div class="refentry"><a name="signtool"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signtool — Digitally sign objects and files.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-e extension] ] [[-f filename] ] [[-i installer script] ] [[-h]] [[-H]] [[-v]] [[-w]] [[-G nickname]] [[-J]] [[-j directory] ] [-k keyName] [[--keysize | -s size]] [[-l]] [[-L]] [[-M]] [[-m metafile] ] [[--norecurse] ] [[-O] ] [[-o] ] [[--outfile] ] [[-p password] ] [[-t|--token tokenname] ] [[-z] ] [[-X] ] [[-x name] ] [[--verbose value] ] [[--leavearc] ] [[-Z jarfile] ] [directory-tree] [archive]</p></div></div><div class="refsection"><a name="idm233257546416"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signing Tool, <span class="command"><strong>signtool</strong></span>, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory. Electronic software distribution over any network involves potential security problems. To help address some of these problems, you can associate digital signatures with the files in a JAR archive. Digital signatures allow SSL-enabled clients to perform two important operations:</p><p>* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files</p><p>* Check whether the files have been tampered with since being signed</p><p>If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files.</p><p>An individual file can potentially be signed with multiple digital signatures. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company. A network administrator manager might sign the same files with an additional digital signature based on a company-generated certificate to indicate that the product is approved for use within the company.</p><p>The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital signature may be considered as legally binding as a handwritten signature. Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute.</p><p>For example, if you are a software developer, you should test your code to make sure it is virus-free before signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it.</p><p>Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is a special certificate whose associated private key is used to create digital signatures. For testing purposes only, you can create an object-signing certificate with Netscape Signing Tool 1.3. When testing is finished and you are ready to disitribute your software, you should obtain an object-signing certificate from one of two kinds of sources:</p><p>* An independent certificate authority (CA) that authenticates your identity and charges you a fee. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet.</p><p>* CA server software running on your corporate intranet or extranet. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object-signing certificates.</p><p>You must also have a certificate for the CA that issues your signing certificate before you can sign files. If the certificate authority's certificate isn't already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority's web site, for example on the page from which you initiated enrollment for your signing certificate. This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database.</p><p>When you receive an object-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. You can, for example, move an object-signing certificate and its associated private key from one computer to another on a credit-card-sized device called a smart card.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-b basename</span></dt><dd><p>Specifies the base filename for the .rsa and .sf files in the META-INF directory to conform with the JAR format. For example, <span class="emphasis"><em>-b signatures</em></span> causes the files to be named signatures.rsa and signatures.sf. The default is signtool.</p></dd><dt><span class="term">-c#</span></dt><dd><p> Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes. @@ -11,18 +11,6 @@ The Unix version of signtool assumes ~/.netscape unless told otherwise. The NT v Tells signtool to sign only files with the given extension; for example, use -e".class" to sign only Java class files. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple times on one command line, making it possible to specify multiple file types or classes to include. </p></dd><dt><span class="term">-f commandfile</span></dt><dd><p> Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format. All options and arguments can be expressed through this file. For more information about the syntax used with this file, see "Tips and Techniques". -</p></dd><dt><span class="term">-i scriptname</span></dt><dd><p> - Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script. -</p></dd><dt><span class="term">-j directory</span></dt><dd><p> - Specifies a special JavaScript directory. This option causes the specified directory to be signed and tags its entries as inline JavaScript. This special type of entry does not have to appear in the JAR file itself. Instead, it is located in the HTML page containing the inline scripts. When you use signtool -v, these entries are displayed with the string NOT PRESENT. -</p></dd><dt><span class="term">-k key ... directory</span></dt><dd><p> - Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory. The directory to sign is always specified as the last command-line argument. Thus, it is possible to write - -signtool -k MyCert -d . signdir - -You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform. - -It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate. </p></dd><dt><span class="term">-G nickname</span></dt><dd><p> Generates a new private-public key pair and corresponding object-signing certificate with the given nickname. @@ -30,19 +18,31 @@ The newly generated keys and certificate are installed into the key and certific Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects. -The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. For more information about the use of the -G option, see "Generating Test Object-Signing Certificates""Generating Test Object-Signing Certificates" on page 1241. -</p></dd><dt><span class="term">-l</span></dt><dd><p> - Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate. - -The -l option is available in Netscape Signing Tool 1.0 and later versions only. -</p></dd><dt><span class="term">-J</span></dt><dd><p> - Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once. +The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. + </p></dd><dt><span class="term">-i scriptname</span></dt><dd><p> +Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script. + </p></dd><dt><span class="term">-J</span></dt><dd><p> +Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once. The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option. If the -c# option is not used with the -J option, the default compression value is 6. Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages. + </p></dd><dt><span class="term">-j directory</span></dt><dd><p> + Specifies a special JavaScript directory. This option causes the specified directory to be signed and tags its entries as inline JavaScript. This special type of entry does not have to appear in the JAR file itself. Instead, it is located in the HTML page containing the inline scripts. When you use signtool -v, these entries are displayed with the string NOT PRESENT. +</p></dd><dt><span class="term">-k key ... directory</span></dt><dd><p> + Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory. The directory to sign is always specified as the last command-line argument. Thus, it is possible to write + +signtool -k MyCert -d . signdir + +You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform. + +It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate. +</p></dd><dt><span class="term">-l</span></dt><dd><p> + Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate. + +The -l option is available in Netscape Signing Tool 1.0 and later versions only. </p></dd><dt><span class="term">-L</span></dt><dd><p> Lists the certificates in your database. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool. </p></dd><dt><span class="term">--leavearc</span></dt><dd><p> diff --git a/doc/html/signver.html b/doc/html/signver.html index 4e6573df4..ade57de6f 100644 --- a/doc/html/signver.html +++ b/doc/html/signver.html @@ -1,7 +1,7 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> -A | -V -d <em class="replaceable"><code>directory</code></em> [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code></em>] [-v]</p></div></div><div class="refsection"><a name="idm224680848704"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> - </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd><p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idm224681951616"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb +<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SIGNVER</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SIGNVER"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SIGNVER</th></tr></table><hr></div><div class="refentry"><a name="signver"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>signver — Verify a detached PKCS#7 signature for a file.</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">signtool</code> -A | -V -d <em class="replaceable"><code>directory</code></em> [-a] [-i <em class="replaceable"><code>input_file</code></em>] [-o <em class="replaceable"><code>output_file</code></em>] [-s <em class="replaceable"><code>signature_file</code></em>] [-v]</p></div></div><div class="refsection"><a name="idm233257229808"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> + </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The Signature Verification Tool, <span class="command"><strong>signver</strong></span>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-A</span></dt><dd><p>Displays all of the information in the PKCS#7 signature.</p></dd><dt><span class="term">-V</span></dt><dd><p>Verifies the digital signature.</p></dd><dt><span class="term">-d [sql:]<span class="emphasis"><em>directory</em></span></span></dt><dd><p>Specify the database directory which contains the certificates and keys.</p><p><span class="command"><strong>signver</strong></span> supports two types of databases: the legacy security databases (<code class="filename">cert8.db</code>, <code class="filename">key3.db</code>, and <code class="filename">secmod.db</code>) and new SQLite databases (<code class="filename">cert9.db</code>, <code class="filename">key4.db</code>, and <code class="filename">pkcs11.txt</code>). If the prefix <span class="command"><strong>sql:</strong></span> is not used, then the tool assumes that the given databases are in the old format.</p></dd><dt><span class="term">-a</span></dt><dd><p>Sets that the given signature file is in ASCII format.</p></dd><dt><span class="term">-i <span class="emphasis"><em>input_file</em></span></span></dt><dd><p>Gives the input file for the object with signed data.</p></dd><dt><span class="term">-o <span class="emphasis"><em>output_file</em></span></span></dt><dd><p>Gives the output file to which to write the results.</p></dd><dt><span class="term">-s <span class="emphasis"><em>signature_file</em></span></span></dt><dd><p>Gives the input file for the digital signature.</p></dd><dt><span class="term">-v</span></dt><dd><p>Enables verbose output.</p></dd></dl></div></div><div class="refsection"><a name="examples"></a><h2>Extended Examples</h2><div class="refsection"><a name="idm233261091008"></a><h3>Verifying a Signature</h3><p>The <code class="option">-V</code> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</p><pre class="programlisting">signver -V -s <em class="replaceable"><code>signature_file</code></em> -i <em class="replaceable"><code>signed_file</code></em> -d sql:/home/my/sharednssdb -signatureValid=yes</pre></div><div class="refsection"><a name="idm224679496656"></a><h3>Printing Signature Data</h3><p> +signatureValid=yes</pre></div><div class="refsection"><a name="idm233261087840"></a><h3>Printing Signature Data</h3><p> The <code class="option">-A</code> option prints all of the information contained in a signature file. Using the <code class="option">-o</code> option prints the signature file information to the given output file rather than stdout. </p><pre class="programlisting">signver -A -s <em class="replaceable"><code>signature_file</code></em> -o <em class="replaceable"><code>output_file</code></em></pre></div></div><div class="refsection"><a name="databases"></a><h2>NSS Database Types</h2><p>NSS originally used BerkeleyDB databases to store security information. The last versions of these <span class="emphasis"><em>legacy</em></span> databases are:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> @@ -20,7 +20,7 @@ BerkleyDB. These new databases provide more accessibility and performance:</p><d </p></li><li class="listitem"><p> pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory </p></li></ul></div><p>Because the SQLite databases are designed to be shared, these are the <span class="emphasis"><em>shared</em></span> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</p><p>By default, the tools (<span class="command"><strong>certutil</strong></span>, <span class="command"><strong>pk12util</strong></span>, <span class="command"><strong>modutil</strong></span>) assume that the given security databases follow the more common legacy type. -Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting"># signver -A -s <em class="replaceable"><code>signature</code></em> -d sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be set added to the <code class="filename">~/.bashrc</code> file to make the change permanent.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> +Using the SQLite databases must be manually specified by using the <span class="command"><strong>sql:</strong></span> prefix with the given security directory. For example:</p><pre class="programlisting"># signver -A -s <em class="replaceable"><code>signature</code></em> -d sql:/home/my/sharednssdb</pre><p>To set the shared database type as the default type for the tools, set the <code class="envar">NSS_DEFAULT_DB_TYPE</code> environment variable to <code class="envar">sql</code>:</p><pre class="programlisting">export NSS_DEFAULT_DB_TYPE="sql"</pre><p>This line can be added to the <code class="filename">~/.bashrc</code> file to make the change permanent for the user.</p><p>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li></ul></div><p>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p> https://wiki.mozilla.org/NSS_Shared_DB </p></li></ul></div></div><div class="refsection"><a name="seealso"></a><h2>See Also</h2><p>signtool (1)</p><p>The NSS wiki has information on the new database design and how to configure applications to use it.</p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Setting up the shared NSS database</p><p>https://wiki.mozilla.org/NSS_Shared_DB_Howto</p></li><li class="listitem"><p> diff --git a/doc/html/ssltap.html b/doc/html/ssltap.html index 61b701a22..e69b3758e 100644 --- a/doc/html/ssltap.html +++ b/doc/html/ssltap.html @@ -1,18 +1,9 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SSLTAP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SSLTAP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SSLTAP</th></tr></table><hr></div><div class="refentry"><a name="ssltap"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ssltap — Tap into SSL connections and display the data going by </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">libssltap</code> [-vhfsxl] [-p port] [hostname:port]</p></div></div><div class="refsection"><a name="idm224680842512"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> - </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The SSL Debugging Tool <span class="command"><strong>ssltap</strong></span> is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-v </span></dt><dd><p>Print a version string for the tool.</p></dd><dt><span class="term">-h </span></dt><dd><p> -Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots. - </p></dd><dt><span class="term">-f </span></dt><dd><p> +<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>SSLTAP</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="SSLTAP"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">SSLTAP</th></tr></table><hr></div><div class="refentry"><a name="ssltap"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>ssltap — Tap into SSL connections and display the data going by </p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">ssltap</code> [-fhlsvx] [-p port] [hostname:port]</p></div></div><div class="refsection"><a name="idm233258230400"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> + </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The SSL Debugging Tool <span class="command"><strong>ssltap</strong></span> is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term">-f </span></dt><dd><p> Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser. - </p></dd><dt><span class="term">-s </span></dt><dd><p> -Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures. - </p><p> -If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate. - </p><p> -If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output. - </p></dd><dt><span class="term">-x </span></dt><dd><p> -Turn on hex/ASCII printing of undecoded data inside parsed SSL records. Used only with the -s option. -This option uses the same output format as the -h option. - </p></dd><dt><span class="term">-l prefix</span></dt><dd><p> + </p></dd><dt><span class="term">-h </span></dt><dd><p> +Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots. + </p></dd><dt><span class="term">-l prefix</span></dt><dd><p> Turn on looping; that is, continue to accept connections rather than stopping after the first connection is complete. </p></dd><dt><span class="term">-p port</span></dt><dd><p>Change the default rendezvous port (1924) to another port.</p><p>The following are well-known port numbers:</p><p> * HTTP 80 @@ -30,7 +21,13 @@ Turn on looping; that is, continue to accept connections rather than stopping af * NNTP 119 </p><p> * NNTPS 563 (NNTP over SSL) - </p></dd></dl></div></div><div class="refsection"><a name="basic-usage"></a><h2>Usage and Examples</h2><p> + </p></dd><dt><span class="term">-s </span></dt><dd><p> +Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures. + </p><p> +If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate. + </p><p> +If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output. + </p></dd><dt><span class="term">-v </span></dt><dd><p>Print a version string for the tool.</p></dd><dt><span class="term">-x </span></dt><dd><p>Turn on extra SSL hex dumps.</p></dd></dl></div></div><div class="refsection"><a name="basic-usage"></a><h2>Usage and Examples</h2><p> You can use the SSL Debugging Tool to intercept any connection information. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful. For example, assume your development machine is called intercept. The simplest way to use the debugging tool is to execute the following command from a command shell: </p><pre class="programlisting">$ ssltap www.netscape.com</pre><p> The program waits for an incoming connection on the default port 1924. In your browser window, enter the URL http://intercept:1924. The browser retrieves the requested page from the server at www.netscape.com, but the page is intercepted and passed on to the browser by the debugging tool on intercept. On its way to the browser, the data is printed to the command shell from which you issued the command. Data sent from the client to the server is surrounded by the following symbols: --> [ data ] Data sent from the server to the client is surrounded by the following symbols: diff --git a/doc/html/vfychain.html b/doc/html/vfychain.html index 49ee65f80..a360836f5 100644 --- a/doc/html/vfychain.html +++ b/doc/html/vfychain.html @@ -1,4 +1,4 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYCHAIN"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div><div class="refentry"><a name="vfychain"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code> </p></div></div><div class="refsection"><a name="idm224658292400"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> +<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYCHAIN</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYCHAIN"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYCHAIN</th></tr></table><hr></div><div class="refentry"><a name="vfychain"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfychain</code> </p></div></div><div class="refsection"><a name="idm233261246224"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The verification Tool, <span class="command"><strong>vfychain</strong></span>, verifies certificate chains. <span class="command"><strong>modutil</strong></span> can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.</p><p>The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option">-a</code></span></dt><dd>the following certfile is base64 encoded</dd><dt><span class="term"><code class="option">-b </code> <em class="replaceable"><code>YYMMDDHHMMZ</code></em></span></dt><dd>Validate date (default: now)</dd><dt><span class="term"><code class="option">-d </code> <em class="replaceable"><code>directory</code></em></span></dt><dd>database directory</dd><dt><span class="term"><code class="option">-f </code> </span></dt><dd>Enable cert fetching from AIA URL</dd><dt><span class="term"><code class="option">-o </code> <em class="replaceable"><code>oid</code></em></span></dt><dd>Set policy OID for cert validation(Format OID.1.2.3)</dd><dt><span class="term"><code class="option">-p </code></span></dt><dd><p class="simpara">Use PKIX Library to validate certificate by calling:</p><p class="simpara"> * CERT_VerifyCertificate if specified once,</p><p class="simpara"> * CERT_PKIXVerifyCert if specified twice and more.</p></dd><dt><span class="term"><code class="option">-r </code></span></dt><dd>Following certfile is raw binary DER (default)</dd><dt><span class="term"><code class="option">-t</code></span></dt><dd>Following cert is explicitly trusted (overrides db trust)</dd><dt><span class="term"><code class="option">-u </code> <em class="replaceable"><code>usage</code></em></span></dt><dd><p> 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email signer, 5=Email recipient, 6=Object signer, diff --git a/doc/html/vfyserv.html b/doc/html/vfyserv.html index 58e227ad0..dec6dcb3a 100644 --- a/doc/html/vfyserv.html +++ b/doc/html/vfyserv.html @@ -1,4 +1,4 @@ -<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYSERV</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYSERV"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYSERV</th></tr></table><hr></div><div class="refentry"><a name="vfyserv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfyserv — TBD</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfyserv</code> </p></div></div><div class="refsection"><a name="idm224662974480"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> +<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>VFYSERV</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="VFYSERV"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">VFYSERV</th></tr></table><hr></div><div class="refentry"><a name="vfyserv"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>vfyserv — TBD</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">vfyserv</code> </p></div></div><div class="refsection"><a name="idm233266435200"></a><h2>STATUS</h2><p>This documentation is still work in progress. Please contribute to the initial review in <a class="ulink" href="https://bugzilla.mozilla.org/show_bug.cgi?id=836477" target="_top">Mozilla NSS bug 836477</a> </p></div><div class="refsection"><a name="description"></a><h2>Description</h2><p>The <span class="command"><strong>vfyserv </strong></span> tool verifies a certificate chain</p></div><div class="refsection"><a name="options"></a><h2>Options</h2><div class="variablelist"><dl class="variablelist"><dt><span class="term"><code class="option"></code> <em class="replaceable"><code></code></em></span></dt><dd><p class="simpara"></p><p class="simpara"></p></dd></dl></div></div><div class="refsection"><a name="resources"></a><h2>Additional Resources</h2><p>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <a class="ulink" href="http://www.mozilla.org/projects/security/pki/nss/" target="_top">http://www.mozilla.org/projects/security/pki/nss/</a>. The NSS site relates directly to NSS code changes and releases.</p><p>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</p><p>IRC: Freenode at #dogtag-pki</p></div><div class="refsection"><a name="authors"></a><h2>Authors</h2><p>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</p><p> Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. </p></div><div class="refsection"><a name="license"></a><h2>LICENSE</h2><p>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. diff --git a/doc/modutil.xml b/doc/modutil.xml index cefd3f411..142aa69da 100644 --- a/doc/modutil.xml +++ b/doc/modutil.xml @@ -625,7 +625,8 @@ DISABLE: 0x40000000</programlisting> <para><command>Executable</command> specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.</para> <para><command>FilePermissions</command> sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.</para> -<programlisting>user read: 0400 +<programlisting> +user read: 0400 user write: 0200 user execute: 0100 group read: 0040 @@ -633,7 +634,8 @@ group write: 0020 group execute: 0010 other read: 0004 other write: 0002 -other execute: 0001</programlisting> +other execute: 0001 +</programlisting> <para>Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.</para> </refsection> @@ -693,7 +695,7 @@ Using the SQLite databases must be manually specified by using the <command>sql: <para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para> <programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting> -<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para> +<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para> <para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para> <itemizedlist> diff --git a/doc/nroff/certutil.1 b/doc/nroff/certutil.1 index 2dfa79df6..1d7f247a5 100644 --- a/doc/nroff/certutil.1 +++ b/doc/nroff/certutil.1 @@ -2,12 +2,12 @@ .\" Title: CERTUTIL .\" Author: [see the "Authors" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 31 March 2014 +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "CERTUTIL" "1" "31 March 2014" "nss-tools" "NSS Security Tools" +.TH "CERTUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -229,7 +229,8 @@ NSS recognizes the following prefixes: .sp -1 .IP \(bu 2.3 .\} -\fBsql: requests the newer database\fR +\fBsql:\fR +requests the newer database .RE .sp .RS 4 @@ -240,10 +241,13 @@ NSS recognizes the following prefixes: .sp -1 .IP \(bu 2.3 .\} -\fBdbm: requests the legacy database\fR +\fBdbm:\fR +requests the legacy database .RE .sp -If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE\&. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default\&. +If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE\&. If NSS_DEFAULT_DB_TYPE is not set then +\fBdbm:\fR +is the default\&. .RE .PP \-e @@ -543,7 +547,7 @@ Set a site security officer password on a token\&. .PP \-1 | \-\-keyUsage keyword,keyword .RS 4 -Set a Netscape Certificate Type Extension in the certificate\&. There are several available keywords: +Set an X\&.509 V3 Certificate Type Extension in the certificate\&. There are several available keywords: .sp .RS 4 .ie n \{\ @@ -553,7 +557,7 @@ Set a Netscape Certificate Type Extension in the certificate\&. There are severa .sp -1 .IP \(bu 2.3 .\} -digital signature +digitalSignature .RE .sp .RS 4 @@ -661,7 +665,7 @@ X\&.509 certificate extensions are described in RFC 5280\&. .PP \-5 | \-\-nsCertType keyword,keyword .RS 4 -Add a Netscape certificate type extension to a certificate that is being created or added to the database\&. There are several available keywords: +Add an X\&.509 V3 certificate type extension to a certificate that is being created or added to the database\&. There are several available keywords: .sp .RS 4 .ie n \{\ diff --git a/doc/nroff/cmsutil.1 b/doc/nroff/cmsutil.1 index 2093d6796..9c0bb48e9 100644 --- a/doc/nroff/cmsutil.1 +++ b/doc/nroff/cmsutil.1 @@ -2,12 +2,12 @@ .\" Title: CMSUTIL .\" Author: [see the "Authors" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 19 July 2013 +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "CMSUTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools" +.TH "CMSUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -50,14 +50,14 @@ To run cmsutil, type the command cmsutil option [arguments] where option and arg .PP Options specify an action\&. Option arguments modify an action\&. The options and arguments for the cmsutil command are defined as follows: .PP -\-D +\-C .RS 4 -Decode a message\&. +Encrypt a message\&. .RE .PP -\-C +\-D .RS 4 -Encrypt a message\&. +Decode a message\&. .RE .PP \-E @@ -247,11 +247,6 @@ cmsutil \-S [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] \-N nickname[\ .SH "SEE ALSO" .PP certutil(1) -.SH "SEE ALSO" -.PP -.PP -.PP -.PP .SH "ADDITIONAL RESOURCES" .PP For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at diff --git a/doc/nroff/crlutil.1 b/doc/nroff/crlutil.1 index 3e2c3ee32..866bdedb0 100644 --- a/doc/nroff/crlutil.1 +++ b/doc/nroff/crlutil.1 @@ -2,12 +2,12 @@ .\" Title: CRLUTIL .\" Author: [see the "Authors" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 19 July 2013 +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "CRLUTIL" "1" "19 July 2013" "nss-tools" "NSS Security Tools" +.TH "CRLUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -57,34 +57,29 @@ where options and arguments are combinations of the options and arguments listed .PP Options specify an action\&. Option arguments modify an action\&. The options and arguments for the crlutil command are defined as follows: .PP -\-G -.RS 4 -Create new Certificate Revocation List(CRL)\&. -.RE -.PP \-D .RS 4 Delete Certificate Revocation List from cert database\&. .RE .PP -\-I +\-E .RS 4 -Import a CRL to the cert database +Erase all CRLs of specified type from the cert database .RE .PP -\-E +\-G .RS 4 -Erase all CRLs of specified type from the cert database +Create new Certificate Revocation List (CRL)\&. .RE .PP -\-L +\-I .RS 4 -List existing CRL located in cert database file\&. +Import a CRL to the cert database .RE .PP -\-S +\-L .RS 4 -Show contents of a CRL file which isn\*(Aqt stored in the database\&. +List existing CRL located in cert database file\&. .RE .PP \-M @@ -92,27 +87,23 @@ Show contents of a CRL file which isn\*(Aqt stored in the database\&. Modify existing CRL which can be located in cert db or in arbitrary file\&. If located in file it should be encoded in ASN\&.1 encode format\&. .RE .PP -\-G +\-S .RS 4 +Show contents of a CRL file which isn\*(Aqt stored in the database\&. .RE .PP \fBArguments\fR .PP -Option arguments modify an action and are lowercase\&. -.PP -\-B -.RS 4 -Bypass CA signature checks\&. -.RE +Option arguments modify an action\&. .PP -\-P dbprefix +\-a .RS 4 -Specify the prefix used on the NSS security database files (for example, my_cert8\&.db and my_key3\&.db)\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&. +Use ASCII format or allow the use of ASCII format for input and output\&. This formatting follows RFC #1113\&. .RE .PP -\-a +\-B .RS 4 -Use ASCII format or allow the use of ASCII format for input and output\&. This formatting follows RFC #1113\&. +Bypass CA signature checks\&. .RE .PP \-c crl\-gen\-file @@ -127,14 +118,14 @@ Specify the database directory containing the certificate and key database files The NSS database files must reside in the same directory\&. .RE .PP -\-i crl\-file +\-f password\-file .RS 4 -Specify the file which contains the CRL to import or show\&. +Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&. .RE .PP -\-f password\-file +\-i crl\-file .RS 4 -Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&. +Specify the file which contains the CRL to import or show\&. .RE .PP \-l algorithm\-name @@ -152,6 +143,11 @@ Specify the nickname of a certificate or key to list, create, add to a database, Specify the output file name for new CRL\&. Bracket the output\-file string with quotation marks if it contains spaces\&. If this argument is not used the output destination defaults to standard output\&. .RE .PP +\-P dbprefix +.RS 4 +Specify the prefix used on the NSS security database files (for example, my_cert8\&.db and my_key3\&.db)\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&. +.RE +.PP \-t crl\-type .RS 4 Specify type of CRL\&. possible types are: 0 \- SEC_KRL_TYPE, 1 \- SEC_CRL_TYPE\&. This option is obsolete @@ -369,11 +365,6 @@ crlutil \-G|\-M \-c crl\-gen\-file \-n nickname [\-i crl] [\-u url] [\-d keydir] .SH "SEE ALSO" .PP certutil(1) -.SH "SEE ALSO" -.PP -.PP -.PP -.PP .SH "ADDITIONAL RESOURCES" .PP For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at diff --git a/doc/nroff/modutil.1 b/doc/nroff/modutil.1 index 09cd45ded..1ce9ab2ce 100644 --- a/doc/nroff/modutil.1 +++ b/doc/nroff/modutil.1 @@ -1,13 +1,13 @@ '\" t .\" Title: MODUTIL .\" Author: [see the "Authors" section] -.\" Generator: DocBook XSL Stylesheets v1.77.1 <http://docbook.sf.net/> -.\" Date: 15 February 2013 +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "MODUTIL" "1" "15 February 2013" "nss-tools" "NSS Security Tools" +.TH "MODUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -109,6 +109,8 @@ Delete the named module\&. The default NSS PKCS #11 module cannot be deleted\&. Disable all slots on the named module\&. Use the \fB\-slot\fR argument to disable a specific slot\&. +.sp +The internal NSS PKCS #11 module cannot be disabled\&. .RE .PP \-enable modulename @@ -1248,7 +1250,7 @@ group write: 0020 group execute: 0010 other read: 0004 other write: 0002 -other execute: 0001 +other execute: 0001 .fi .if n \{\ .RE @@ -1366,9 +1368,9 @@ export NSS_DEFAULT_DB_TYPE="sql" .RE .\} .PP -This line can be set added to the +This line can be added to the ~/\&.bashrc -file to make the change permanent\&. +file to make the change permanent for the user\&. .PP Most applications do not use the shared database by default, but they can be configured to use them\&. For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: .sp @@ -1436,12 +1438,12 @@ Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto IRC: Freenode at #dogtag\-pki .SH "AUTHORS" .PP -The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun\&. +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. .PP Authors: Elio Maldonado <emaldona@redhat\&.com>, Deon Lackey <dlackey@redhat\&.com>\&. .SH "LICENSE" .PP -Licensed under the Mozilla Public License, version 1\&.1, and/or the GNU General Public License, version 2 or later, and/or the GNU Lesser General Public License, version 2\&.1 or later\&. +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. .SH "NOTES" .IP " 1." 4 Mozilla NSS bug 836477 diff --git a/doc/nroff/pk12util.1 b/doc/nroff/pk12util.1 index 55ae2e6f1..c4fa972c0 100644 --- a/doc/nroff/pk12util.1 +++ b/doc/nroff/pk12util.1 @@ -2,12 +2,12 @@ .\" Title: PK12UTIL .\" Author: [see the "Authors" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 12 November 2013 +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "PK12UTIL" "1" "12 November 2013" "nss-tools" "NSS Security Tools" +.TH "PK12UTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,7 +31,7 @@ pk12util \- Export and import keys and certificate to or from a PKCS #12 file and the NSS database .SH "SYNOPSIS" .HP \w'\fBpk12util\fR\ 'u -\fBpk12util\fR [\-i\ p12File\ [\-h\ tokenname]\ [\-v]\ [common\-options]] [\-l\ p12File\ [\-h\ tokenname]\ [\-r]\ [common\-options]] [\-o\ p12File\ \-n\ certname\ [\-c\ keyCipher]\ [\-C\ certCipher]\ [\-m|\-\-key_len\ keyLen]\ [\-n|\-\-cert_key_len\ certKeyLen]\ [common\-options]] [common\-options\ are:\ [\-d\ [sql:]directory]\ [\-P\ dbprefix]\ [\-k\ slotPasswordFile|\-K\ slotPassword]\ [\-w\ p12filePasswordFile|\-W\ p12filePassword]] +\fBpk12util\fR [\-i\ p12File|\-l\ p12File|\-o\ p12File] [\-d\ [sql:]directory] [\-h\ tokenname] [\-P\ dbprefix] [\-r] [\-v] [\-k\ slotPasswordFile|\-K\ slotPassword] [\-w\ p12filePasswordFile|\-W\ p12filePassword] .SH "STATUS" .PP This documentation is still work in progress\&. Please contribute to the initial review in @@ -61,9 +61,14 @@ Export keys and certificates from the security database to a PKCS#12 file\&. .PP \fBArguments\fR .PP -\-n certname +\-c keyCipher .RS 4 -Specify the nickname of the cert and private key to export\&. +Specify the key encryption algorithm\&. +.RE +.PP +\-C certCipher +.RS 4 +Specify the key cert (overall package) encryption algorithm\&. .RE .PP \-d [sql:]directory @@ -80,21 +85,11 @@ pkcs11\&.txt)\&. If the prefix is not used, then the tool assumes that the given databases are in the old format\&. .RE .PP -\-P prefix -.RS 4 -Specify the prefix used on the certificate and key databases\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&. -.RE -.PP \-h tokenname .RS 4 Specify the name of the token to import into or export from\&. .RE .PP -\-v -.RS 4 -Enable debug logging when importing\&. -.RE -.PP \-k slotPasswordFile .RS 4 Specify the text file containing the slot\*(Aqs password\&. @@ -105,39 +100,44 @@ Specify the text file containing the slot\*(Aqs password\&. Specify the slot\*(Aqs password\&. .RE .PP -\-w p12filePasswordFile +\-m | \-\-key\-len keyLength .RS 4 -Specify the text file containing the pkcs #12 file password\&. +Specify the desired length of the symmetric key to be used to encrypt the private key\&. .RE .PP -\-W p12filePassword +\-n | \-\-cert\-key\-len certKeyLength .RS 4 -Specify the pkcs #12 file password\&. +Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta\-data\&. .RE .PP -\-c keyCipher +\-n certname .RS 4 -Specify the key encryption algorithm\&. +Specify the nickname of the cert and private key to export\&. .RE .PP -\-C certCipher +\-P prefix .RS 4 -Specify the key cert (overall package) encryption algorithm\&. +Specify the prefix used on the certificate and key databases\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&. .RE .PP -\-m | \-\-key\-len keyLength +\-r .RS 4 -Specify the desired length of the symmetric key to be used to encrypt the private key\&. +Dumps all of the data in raw (binary) form\&. This must be saved as a DER file\&. The default is to return information in a pretty\-print ASCII format, which displays the information about the certificates and public keys in the p12 file\&. .RE .PP -\-n | \-\-cert\-key\-len certKeyLength +\-v .RS 4 -Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta\-data\&. +Enable debug logging when importing\&. .RE .PP -\-r +\-w p12filePasswordFile .RS 4 -Dumps all of the data in raw (binary) form\&. This must be saved as a DER file\&. The default is to return information in a pretty\-print ASCII format, which displays the information about the certificates and public keys in the p12 file\&. +Specify the text file containing the pkcs #12 file password\&. +.RE +.PP +\-W p12filePassword +.RS 4 +Specify the pkcs #12 file password\&. .RE .SH "RETURN CODES" .sp @@ -437,18 +437,12 @@ for importing a certificate or key is the PKCS#12 input file (\fB\-i\fR) and som for a directory or \fB\-h\fR for a token)\&. -.sp -.if n \{\ -.RS 4 -.\} -.nf +.PP pk12util \-i p12File [\-h tokenname] [\-v] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] -.fi -.if n \{\ -.RE -.\} .PP For example: +.PP + .sp .if n \{\ .RS 4 @@ -474,16 +468,8 @@ pk12util: PKCS12 IMPORT SUCCESSFUL Using the \fBpk12util\fR command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS#12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&. -.sp -.if n \{\ -.RS 4 -.\} -.nf +.PP pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] -.fi -.if n \{\ -.RE -.\} .PP For example: .sp @@ -506,16 +492,8 @@ The information in a file are not human\-readable\&. The certificates and keys in the file can be printed (listed) in a human\-readable pretty\-print format that shows information for every certificate and any public keys in the \&.p12 file\&. -.sp -.if n \{\ -.RS 4 -.\} -.nf +.PP pk12util \-l p12File [\-h tokenname] [\-r] [\-d [sql:]directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] -.fi -.if n \{\ -.RE -.\} .PP For example, this prints the default ASCII output: .sp @@ -542,7 +520,7 @@ Certificate: Issuer: "E=personal\-freemail@thawte\&.com,CN=Thawte Personal Freemail C A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T own,ST=Western Cape,C=ZA" -\&.\&.\&.\&. + .fi .if n \{\ .RE @@ -561,7 +539,7 @@ file000N\&.der, incrementing the number for every certificate: .RS 4 .\} .nf -# pk12util \-l test\&.p12 \-r +pk12util \-l test\&.p12 \-r Enter password for PKCS12 file: Key(shrouded): Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID @@ -574,6 +552,7 @@ Key(shrouded): Certificate Friendly Name: Thawte Personal Freemail Issuing CA \- Thawte Consulting Certificate Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID + .fi .if n \{\ .RE @@ -592,7 +571,17 @@ Several types of ciphers are supported\&. .PP Symmetric CBC ciphers for PKCS#5 V2 .RS 4 -DES_CBC +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +DES\-CBC +.RE .sp .RS 4 .ie n \{\ @@ -696,7 +685,17 @@ CAMELLIA\-256\-CBC .PP PKCS#12 PBE ciphers .RS 4 +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} PKCS #12 PBE with Sha1 and 128 Bit RC4 +.RE .sp .RS 4 .ie n \{\ @@ -811,7 +810,17 @@ PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC .PP PKCS#5 PBE ciphers .RS 4 +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} PKCS #5 Password Based Encryption with MD2 and DES CBC +.RE .sp .RS 4 .ie n \{\ diff --git a/doc/nroff/pp.1 b/doc/nroff/pp.1 index 6a8eb630d..2c9aa5a63 100644 --- a/doc/nroff/pp.1 +++ b/doc/nroff/pp.1 @@ -2,12 +2,12 @@ .\" Title: PP .\" Author: [see the "Authors" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 12 November 2013 +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "PP" "1" "12 November 2013" "nss-tools" "NSS Security Tools" +.TH "PP" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/doc/nroff/signtool.1 b/doc/nroff/signtool.1 index e78f77b5b..3a91ce69d 100644 --- a/doc/nroff/signtool.1 +++ b/doc/nroff/signtool.1 @@ -2,12 +2,12 @@ .\" Title: signtool .\" Author: [see the "Authors" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 12 November 2013 +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "SIGNTOOL" "1" "12 November 2013" "nss-tools" "NSS Security Tools" +.TH "SIGNTOOL" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,7 +31,7 @@ signtool \- Digitally sign objects and files\&. .SH "SYNOPSIS" .HP \w'\fBsigntool\fR\ 'u -\fBsigntool\fR [\-k\ keyName] [[\-h]] [[\-H]] [[\-l]] [[\-L]] [[\-M]] [[\-v]] [[\-w]] [[\-G\ nickname]] [[\-\-keysize\ |\ \-s\ size]] [[\-b\ basename]] [[\-c\ Compression\ Level]] [[\-d\ cert\-dir]] [[\-i\ installer\ script]] [[\-m\ metafile]] [[\-x\ name]] [[\-f\ filename]] [[\-t|\-\-token\ tokenname]] [[\-e\ extension]] [[\-o]] [[\-z]] [[\-X]] [[\-\-outfile]] [[\-\-verbose\ value]] [[\-\-norecurse]] [[\-\-leavearc]] [[\-j\ directory]] [[\-Z\ jarfile]] [[\-O]] [[\-p\ password]] [directory\-tree] [archive] +\fBsigntool\fR [[\-b\ basename]] [[\-c\ Compression\ Level]] [[\-d\ cert\-dir]] [[\-e\ extension]] [[\-f\ filename]] [[\-i\ installer\ script]] [[\-h]] [[\-H]] [[\-v]] [[\-w]] [[\-G\ nickname]] [[\-J]] [[\-j\ directory]] [\-k\ keyName] [[\-\-keysize\ |\ \-s\ size]] [[\-l]] [[\-L]] [[\-M]] [[\-m\ metafile]] [[\-\-norecurse]] [[\-O]] [[\-o]] [[\-\-outfile]] [[\-p\ password]] [[\-t|\-\-token\ tokenname]] [[\-z]] [[\-X]] [[\-x\ name]] [[\-\-verbose\ value]] [[\-\-leavearc]] [[\-Z\ jarfile]] [directory\-tree] [archive] .SH "STATUS" .PP This documentation is still work in progress\&. Please contribute to the initial review in @@ -91,11 +91,21 @@ Tells signtool to sign only files with the given extension; for example, use \-e Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format\&. All options and arguments can be expressed through this file\&. For more information about the syntax used with this file, see "Tips and Techniques"\&. .RE .PP +\-G nickname +.RS 4 +Generates a new private\-public key pair and corresponding object\-signing certificate with the given nickname\&. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the \-d option\&. With the NT version of Netscape Signing Tool, you must use the \-d option with the \-G option\&. With the Unix version of Netscape Signing Tool, omitting the \-d option causes the tool to install the keys and certificate in the Communicator key and certificate databases\&. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases\&. In all cases, the certificate is also output to a file named x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with \-G is not signed by a recognized certificate authority\&. Instead, it is self\-signed\&. In addition, a single test signing certificate functions as both an object\-signing certificate and a CA\&. When you are using it to sign objects, it behaves like an object\-signing certificate\&. When it is imported into browser software such as Communicator, it behaves like an object\-signing CA and cannot be used to sign objects\&. The \-G option is available in Netscape Signing Tool 1\&.0 and later versions only\&. By default, it produces only RSA certificates with 1024\-byte keys in the internal token\&. However, you can use the \-s option specify the required key size and the \-t option to specify the token\&. +.RE +.PP \-i scriptname .RS 4 Specifies the name of an installer script for SmartUpdate\&. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature\&. For more details, see the description of \-m that follows\&. The \-i option provides a straightforward way to provide this information if you don\*(Aqt need to specify any metadata other than an installer script\&. .RE .PP +\-J +.RS 4 +Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags\&. Even if signtool creates more than one archive file, you need to supply the key database password only once\&. The \-J option is available only in Netscape Signing Tool 1\&.0 and later versions\&. The \-J option cannot be used at the same time as the \-Z option\&. If the \-c# option is not used with the \-J option, the default compression value is 6\&. Note that versions 1\&.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages\&. +.RE +.PP \-j directory .RS 4 Specifies a special JavaScript directory\&. This option causes the specified directory to be signed and tags its entries as inline JavaScript\&. This special type of entry does not have to appear in the JAR file itself\&. Instead, it is located in the HTML page containing the inline scripts\&. When you use signtool \-v, these entries are displayed with the string NOT PRESENT\&. @@ -106,21 +116,11 @@ Specifies a special JavaScript directory\&. This option causes the specified dir Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory\&. The directory to sign is always specified as the last command\-line argument\&. Thus, it is possible to write signtool \-k MyCert \-d \&. signdir You may have trouble if the nickname contains a single quotation mark\&. To avoid problems, escape the quotation mark using the escape conventions for your platform\&. It\*(Aqs also possible to use the \-k option without signing any files or specifying a directory\&. For example, you can use it with the \-l option to get detailed information about a particular signing certificate\&. .RE .PP -\-G nickname -.RS 4 -Generates a new private\-public key pair and corresponding object\-signing certificate with the given nickname\&. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the \-d option\&. With the NT version of Netscape Signing Tool, you must use the \-d option with the \-G option\&. With the Unix version of Netscape Signing Tool, omitting the \-d option causes the tool to install the keys and certificate in the Communicator key and certificate databases\&. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases\&. In all cases, the certificate is also output to a file named x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with \-G is not signed by a recognized certificate authority\&. Instead, it is self\-signed\&. In addition, a single test signing certificate functions as both an object\-signing certificate and a CA\&. When you are using it to sign objects, it behaves like an object\-signing certificate\&. When it is imported into browser software such as Communicator, it behaves like an object\-signing CA and cannot be used to sign objects\&. The \-G option is available in Netscape Signing Tool 1\&.0 and later versions only\&. By default, it produces only RSA certificates with 1024\-byte keys in the internal token\&. However, you can use the \-s option specify the required key size and the \-t option to specify the token\&. For more information about the use of the \-G option, see "Generating Test Object\-Signing Certificates""Generating Test Object\-Signing Certificates" on page 1241\&. -.RE -.PP \-l .RS 4 Lists signing certificates, including issuing CAs\&. If any of your certificates are expired or invalid, the list will so specify\&. This option can be used with the \-k option to list detailed information about a particular signing certificate\&. The \-l option is available in Netscape Signing Tool 1\&.0 and later versions only\&. .RE .PP -\-J -.RS 4 -Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags\&. Even if signtool creates more than one archive file, you need to supply the key database password only once\&. The \-J option is available only in Netscape Signing Tool 1\&.0 and later versions\&. The \-J option cannot be used at the same time as the \-Z option\&. If the \-c# option is not used with the \-J option, the default compression value is 6\&. Note that versions 1\&.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages\&. -.RE -.PP \-L .RS 4 Lists the certificates in your database\&. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool\&. diff --git a/doc/nroff/signver.1 b/doc/nroff/signver.1 index c327c8a72..ad92c11a6 100644 --- a/doc/nroff/signver.1 +++ b/doc/nroff/signver.1 @@ -2,12 +2,12 @@ .\" Title: SIGNVER .\" Author: [see the "Authors" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 12 November 2013 +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "SIGNVER" "1" "12 November 2013" "nss-tools" "NSS Security Tools" +.TH "SIGNVER" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -236,9 +236,9 @@ export NSS_DEFAULT_DB_TYPE="sql" .RE .\} .PP -This line can be set added to the +This line can be added to the ~/\&.bashrc -file to make the change permanent\&. +file to make the change permanent for the user\&. .PP Most applications do not use the shared database by default, but they can be configured to use them\&. For example, this how\-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: .sp diff --git a/doc/nroff/ssltap.1 b/doc/nroff/ssltap.1 index 950f20b89..69129ecb0 100644 --- a/doc/nroff/ssltap.1 +++ b/doc/nroff/ssltap.1 @@ -2,12 +2,12 @@ .\" Title: SSLTAP .\" Author: [see the "Authors" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 12 November 2013 +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "SSLTAP" "1" "12 November 2013" "nss-tools" "NSS Security Tools" +.TH "SSLTAP" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -30,8 +30,8 @@ .SH "NAME" ssltap \- Tap into SSL connections and display the data going by .SH "SYNOPSIS" -.HP \w'\fBlibssltap\fR\ 'u -\fBlibssltap\fR [\-vhfsxl] [\-p\ port] [hostname:port] +.HP \w'\fBssltap\fR\ 'u +\fBssltap\fR [\-fhlsvx] [\-p\ port] [hostname:port] .SH "STATUS" .PP This documentation is still work in progress\&. Please contribute to the initial review in @@ -43,33 +43,14 @@ The SSL Debugging Tool is an SSL\-aware command\-line proxy\&. It watches TCP connections and displays the data going by\&. If a connection is SSL, the data display includes interpreted SSL records and handshaking .SH "OPTIONS" .PP -\-v -.RS 4 -Print a version string for the tool\&. -.RE -.PP -\-h -.RS 4 -Turn on hex/ASCII printing\&. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters\&. The two parts are separated by a vertical bar\&. Nonprinting characters are replaced by dots\&. -.RE -.PP \-f .RS 4 Turn on fancy printing\&. Output is printed in colored HTML\&. Data sent from the client to the server is in blue; the server\*(Aqs reply is in red\&. When used with looping mode, the different connections are separated with horizontal lines\&. You can use this option to upload the output into a browser\&. .RE .PP -\-s -.RS 4 -Turn on SSL parsing and decoding\&. The tool does not automatically detect SSL sessions\&. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures\&. -.sp -If the tool detects a certificate chain, it saves the DER\-encoded certificates into files in the current directory\&. The files are named cert\&.0x, where x is the sequence number of the certificate\&. -.sp -If the \-s option is used with \-h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output\&. -.RE -.PP -\-x +\-h .RS 4 -Turn on hex/ASCII printing of undecoded data inside parsed SSL records\&. Used only with the \-s option\&. This option uses the same output format as the \-h option\&. +Turn on hex/ASCII printing\&. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters\&. The two parts are separated by a vertical bar\&. Nonprinting characters are replaced by dots\&. .RE .PP \-l prefix @@ -99,6 +80,25 @@ The following are well\-known port numbers: .sp * NNTPS 563 (NNTP over SSL) .RE +.PP +\-s +.RS 4 +Turn on SSL parsing and decoding\&. The tool does not automatically detect SSL sessions\&. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures\&. +.sp +If the tool detects a certificate chain, it saves the DER\-encoded certificates into files in the current directory\&. The files are named cert\&.0x, where x is the sequence number of the certificate\&. +.sp +If the \-s option is used with \-h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output\&. +.RE +.PP +\-v +.RS 4 +Print a version string for the tool\&. +.RE +.PP +\-x +.RS 4 +Turn on extra SSL hex dumps\&. +.RE .SH "USAGE AND EXAMPLES" .PP You can use the SSL Debugging Tool to intercept any connection information\&. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful\&. For example, assume your development machine is called intercept\&. The simplest way to use the debugging tool is to execute the following command from a command shell: diff --git a/doc/nroff/vfychain.1 b/doc/nroff/vfychain.1 index 487b7f9a9..d5e37e4d8 100644 --- a/doc/nroff/vfychain.1 +++ b/doc/nroff/vfychain.1 @@ -2,12 +2,12 @@ .\" Title: VFYCHAIN .\" Author: [see the "Authors" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 12 November 2013 +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "VFYCHAIN" "1" "12 November 2013" "nss-tools" "NSS Security Tools" +.TH "VFYCHAIN" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/doc/nroff/vfyserv.1 b/doc/nroff/vfyserv.1 index f991ce233..ffe5f3614 100644 --- a/doc/nroff/vfyserv.1 +++ b/doc/nroff/vfyserv.1 @@ -2,12 +2,12 @@ .\" Title: VFYSERV .\" Author: [see the "Authors" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 12 November 2013 +.\" Date: 5 June 2014 .\" Manual: NSS Security Tools .\" Source: nss-tools .\" Language: English .\" -.TH "VFYSERV" "1" "12 November 2013" "nss-tools" "NSS Security Tools" +.TH "VFYSERV" "1" "5 June 2014" "nss-tools" "NSS Security Tools" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/doc/pk12util.xml b/doc/pk12util.xml index 590aec803..03ee356e6 100644 --- a/doc/pk12util.xml +++ b/doc/pk12util.xml @@ -27,16 +27,14 @@ <refsynopsisdiv> <cmdsynopsis> <command>pk12util</command> - <arg>-i p12File [-h tokenname] [-v] [common-options] </arg> - <arg> - -l p12File [-h tokenname] [-r] [common-options] </arg> - <arg> - -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [common-options] </arg> - <arg> - -common-options are: -[-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] - </arg> + <arg>-i p12File|-l p12File|-o p12File</arg> + <arg>-d [sql:]directory</arg> + <arg>-h tokenname</arg> + <arg>-P dbprefix</arg> + <arg>-r</arg> + <arg>-v</arg> + <arg>-k slotPasswordFile|-K slotPassword</arg> + <arg>-w p12filePasswordFile|-W p12filePassword</arg> </cmdsynopsis> </refsynopsisdiv> @@ -73,22 +71,20 @@ common-options are: <para><command>Arguments</command></para> <variablelist> - <varlistentry> - <term>-n certname</term> - <listitem><para>Specify the nickname of the cert and private key to export.</para></listitem> + <term>-c keyCipher</term> + <listitem><para>Specify the key encryption algorithm.</para></listitem> </varlistentry> <varlistentry> - <term>-d [sql:]directory</term> - <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para> - <para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem> + <term>-C certCipher</term> + <listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem> </varlistentry> <varlistentry> - <term>-P prefix</term> - <listitem><para>Specify the prefix used on the certificate and key databases. This option is provided as a special case. - Changing the names of the certificate and key databases is not recommended.</para></listitem> + <term>-d [sql:]directory</term> + <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para> + <para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem> </varlistentry> <varlistentry> @@ -97,11 +93,6 @@ common-options are: </varlistentry> <varlistentry> - <term>-v </term> - <listitem><para>Enable debug logging when importing.</para></listitem> - </varlistentry> - - <varlistentry> <term>-k slotPasswordFile</term> <listitem><para>Specify the text file containing the slot's password.</para></listitem> </varlistentry> @@ -112,39 +103,46 @@ common-options are: </varlistentry> <varlistentry> - <term>-w p12filePasswordFile</term> - <listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem> + <term>-m | --key-len keyLength</term> + <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem> </varlistentry> <varlistentry> - <term>-W p12filePassword</term> - <listitem><para>Specify the pkcs #12 file password.</para></listitem> + <term>-n | --cert-key-len certKeyLength</term> + <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem> </varlistentry> <varlistentry> - <term>-c keyCipher</term> - <listitem><para>Specify the key encryption algorithm.</para></listitem> + <term>-n certname</term> + <listitem><para>Specify the nickname of the cert and private key to export.</para></listitem> </varlistentry> <varlistentry> - <term>-C certCipher</term> - <listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem> + <term>-P prefix</term> + <listitem><para>Specify the prefix used on the certificate and key databases. This option is provided as a special case. + Changing the names of the certificate and key databases is not recommended.</para></listitem> </varlistentry> <varlistentry> - <term>-m | --key-len keyLength</term> - <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem> + <term>-r</term> + <listitem><para>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</para></listitem> </varlistentry> <varlistentry> - <term>-n | --cert-key-len certKeyLength</term> - <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem> + <term>-v </term> + <listitem><para>Enable debug logging when importing.</para></listitem> </varlistentry> <varlistentry> - <term>-r</term> - <listitem><para>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</para></listitem> + <term>-w p12filePasswordFile</term> + <listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem> + </varlistentry> + + <varlistentry> + <term>-W p12filePassword</term> + <listitem><para>Specify the pkcs #12 file password.</para></listitem> </varlistentry> + </variablelist> </refsection> @@ -237,9 +235,12 @@ common-options are: <para><command>Importing Keys and Certificates</command></para> <para>The most basic usage of <command>pk12util</command> for importing a certificate or key is the PKCS#12 input file (<option>-i</option>) and some way to specify the security database being accessed (either <option>-d</option> for a directory or <option>-h</option> for a token). </para> -<programlisting>pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting> + <para> + pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] + </para> <para>For example:</para> -<programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb + <para> </para> + <programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb Enter a password which will be used to encrypt your keys. The password should be at least 8 characters long, @@ -253,18 +254,18 @@ pk12util: PKCS12 IMPORT SUCCESSFUL</programlisting> <para><command>Exporting Keys and Certificates</command></para> <para>Using the <command>pk12util</command> command to export certificates and keys requires both the name of the certificate to extract from the database (<option>-n</option>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. </para> -<programlisting>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting> + <para>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para> <para>For example:</para> -<programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb + <programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb Enter password for PKCS12 file: Re-enter password: </programlisting> <para><command>Listing Keys and Certificates</command></para> <para>The information in a <filename>.p12</filename> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <filename>.p12</filename> file. </para> -<programlisting>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting> + <para>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para> <para>For example, this prints the default ASCII output:</para> -<programlisting># pk12util -l certs.p12 + <programlisting># pk12util -l certs.p12 Enter password for PKCS12 file: Key(shrouded): @@ -283,9 +284,9 @@ Certificate: Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T own,ST=Western Cape,C=ZA" -....</programlisting> + </programlisting> <para>Alternatively, the <option>-r</option> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <filename>.p12</filename> files. Each certificate is written to a sequentially-number file, beginning with <filename>file0001.der</filename> and continuing through <filename>file000N.der</filename>, incrementing the number for every certificate:</para> -<programlisting># pk12util -l test.p12 -r + <programlisting>pk12util -l test.p12 -r Enter password for PKCS12 file: Key(shrouded): Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID @@ -297,7 +298,8 @@ Key(shrouded): Iteration Count: 1 (0x1) Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting -Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID</programlisting> +Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID + </programlisting> </refsection> <refsection id="encryption"> @@ -309,86 +311,48 @@ Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) L <varlistentry> <term>Symmetric CBC ciphers for PKCS#5 V2</term> - <listitem><para>DES_CBC</para> - <itemizedlist> - <listitem> - <para>RC2-CBC</para> - </listitem> - <listitem> - <para>RC5-CBCPad</para> - </listitem> - <listitem> - <para>DES-EDE3-CBC (the default for key encryption)</para> - </listitem> - <listitem> - <para>AES-128-CBC</para> - </listitem> - <listitem> - <para>AES-192-CBC</para> - </listitem> - <listitem> - <para>AES-256-CBC</para> - </listitem> - <listitem> - <para>CAMELLIA-128-CBC</para> - </listitem> - <listitem> - <para>CAMELLIA-192-CBC</para> - </listitem> - <listitem> - <para>CAMELLIA-256-CBC</para></listitem> - </itemizedlist> - </listitem> + <listitem> + <itemizedlist> + <listitem><para>DES-CBC</para></listitem> + <listitem><para>RC2-CBC</para></listitem> + <listitem><para>RC5-CBCPad</para></listitem> + <listitem><para>DES-EDE3-CBC (the default for key encryption)</para></listitem> + <listitem><para>AES-128-CBC</para></listitem> + <listitem><para>AES-192-CBC</para></listitem> + <listitem><para>AES-256-CBC</para></listitem> + <listitem><para>CAMELLIA-128-CBC</para></listitem> + <listitem><para>CAMELLIA-192-CBC</para></listitem> + <listitem><para>CAMELLIA-256-CBC</para></listitem> + </itemizedlist> + </listitem> </varlistentry> <varlistentry> <term>PKCS#12 PBE ciphers</term> - <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para> - <itemizedlist> - <listitem> - <para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para> - </listitem> - <listitem> - <para>PKCS #12 PBE with Sha1 and Triple DES CBC</para> - </listitem> - <listitem> - <para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para> - </listitem> - <listitem> - <para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para> - </listitem> - <listitem> - <para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para> - </listitem> - <listitem> - <para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para> - </listitem> - <listitem> - <para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para> - </listitem> - <listitem> - <para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para> - </listitem> - <listitem> - <para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para> - </listitem> - <listitem> - <para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem> - </itemizedlist> - </listitem> + <listitem> + <itemizedlist> + <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para></listitem> + <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para></listitem> + <listitem><para>PKCS #12 PBE with Sha1 and Triple DES CBC</para></listitem> + <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para></listitem> + <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para></listitem> + <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para></listitem> + <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para></listitem> + <listitem><para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para></listitem> + <listitem><para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para></listitem> + <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para></listitem> + <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem> + </itemizedlist> + </listitem> </varlistentry> - - <varlistentry> - <term>PKCS#5 PBE ciphers</term> - <listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para> - <itemizedlist> - <listitem> - <para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para> - </listitem> - <listitem> - <para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem> - </itemizedlist> - </listitem> + <varlistentry><term>PKCS#5 PBE ciphers</term> + <listitem> + <itemizedlist> + <listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para></listitem> + <listitem><para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para></listitem> + <listitem><para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem> + </itemizedlist> + </listitem> </varlistentry> </variablelist> <para>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <emphasis>no security module can perform the requested operation</emphasis>.</para> diff --git a/doc/signtool.xml b/doc/signtool.xml index 9f9da6875..3a6c2080e 100644 --- a/doc/signtool.xml +++ b/doc/signtool.xml @@ -27,36 +27,37 @@ <refsynopsisdiv> <cmdsynopsis> <command>signtool</command> - <arg>-k keyName</arg> + <arg>[-b basename]</arg> + <arg>[-c Compression Level] </arg> + <arg>[-d cert-dir] </arg> + <arg>[-e extension] </arg> + <arg>[-f filename] </arg> + <arg>[-i installer script] </arg> <arg>[-h]</arg> <arg>[-H]</arg> - <arg>[-l]</arg> - <arg>[-L]</arg> - <arg>[-M]</arg> <arg>[-v]</arg> <arg>[-w]</arg> <arg>[-G nickname]</arg> + <arg>[-J]</arg> + <arg>[-j directory] </arg> + <arg>-k keyName</arg> <arg>[--keysize | -s size]</arg> - <arg>[-b basename]</arg> - <arg>[-c Compression Level] </arg> - <arg>[-d cert-dir] </arg> - <arg>[-i installer script] </arg> + <arg>[-l]</arg> + <arg>[-L]</arg> + <arg>[-M]</arg> <arg>[-m metafile] </arg> - <arg>[-x name] </arg> - <arg>[-f filename] </arg> - <arg>[-t|--token tokenname] </arg> - <arg>[-e extension] </arg> + <arg>[--norecurse] </arg> + <arg>[-O] </arg> <arg>[-o] </arg> + <arg>[--outfile] </arg> + <arg>[-p password] </arg> + <arg>[-t|--token tokenname] </arg> <arg>[-z] </arg> <arg>[-X] </arg> - <arg>[--outfile] </arg> + <arg>[-x name] </arg> <arg>[--verbose value] </arg> - <arg>[--norecurse] </arg> <arg>[--leavearc] </arg> - <arg>[-j directory] </arg> <arg>[-Z jarfile] </arg> - <arg>[-O] </arg> - <arg>[-p password] </arg> <arg>directory-tree</arg> <arg>archive</arg> <!-- this isn't the ideal formatting, since docbook can handle reqiored/optional formatting automatically, but let's make it explicit --> @@ -97,7 +98,7 @@ </varlistentry> <varlistentry> <term>-c#</term> - <listitem><para> + <listitem><para> Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes. If the -c# option is not used with either the -J or the -Z option, the default compression value used by both the -J and -Z options is 6. @@ -124,10 +125,36 @@ The Unix version of signtool assumes ~/.netscape unless told otherwise. The NT v </para></listitem> </varlistentry> <varlistentry> + <term>-G nickname</term> + <listitem><para> + Generates a new private-public key pair and corresponding object-signing certificate with the given nickname. + +The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert. + +Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects. + +The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. + </para></listitem> + </varlistentry> + <varlistentry> <term>-i scriptname</term> - <listitem><para> - Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script. -</para></listitem> + <listitem><para> +Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script. + </para></listitem> + </varlistentry> + <varlistentry> + <term>-J</term> + <listitem> + <para> +Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once. + +The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option. + +If the -c# option is not used with the -J option, the default compression value is 6. + +Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages. + </para> + </listitem> </varlistentry> <varlistentry> <term>-j directory</term> @@ -148,18 +175,6 @@ It's also possible to use the -k option without signing any files or specifying </para></listitem> </varlistentry> <varlistentry> - <term>-G nickname</term> - <listitem><para> - Generates a new private-public key pair and corresponding object-signing certificate with the given nickname. - -The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert. - -Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects. - -The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. For more information about the use of the -G option, see "Generating Test Object-Signing Certificates""Generating Test Object-Signing Certificates" on page 1241. -</para></listitem> - </varlistentry> - <varlistentry> <term>-l</term> <listitem><para> Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate. @@ -168,18 +183,6 @@ The -l option is available in Netscape Signing Tool 1.0 and later versions only. </para></listitem> </varlistentry> <varlistentry> - <term>-J</term> - <listitem><para> - Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once. - -The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option. - -If the -c# option is not used with the -J option, the default compression value is 6. - -Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages. -</para></listitem> - </varlistentry> - <varlistentry> <term>-L</term> <listitem><para> Lists the certificates in your database. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool. diff --git a/doc/signver.xml b/doc/signver.xml index 7c598d82a..e645e9190 100644 --- a/doc/signver.xml +++ b/doc/signver.xml @@ -163,7 +163,7 @@ Using the SQLite databases must be manually specified by using the <command>sql: <para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para> <programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting> -<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para> +<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para> <para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para> <itemizedlist> diff --git a/doc/ssltap.xml b/doc/ssltap.xml index e66a493ed..32b9e2f51 100644 --- a/doc/ssltap.xml +++ b/doc/ssltap.xml @@ -26,8 +26,8 @@ <refsynopsisdiv> <cmdsynopsis> - <command>libssltap</command> - <arg choice="opt">-vhfsxl</arg> + <command>ssltap</command> + <arg choice="opt">-fhlsvx</arg> <arg choice="opt">-p port</arg> <arg choice="opt">hostname:port</arg> </cmdsynopsis> @@ -48,8 +48,10 @@ <title>Options</title> <variablelist> <varlistentry> - <term>-v </term> - <listitem><para>Print a version string for the tool.</para></listitem> + <term>-f </term> + <listitem><para> +Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser. + </para></listitem> </varlistentry> <varlistentry> <term>-h </term> @@ -58,34 +60,6 @@ Turn on hex/ASCII printing. Instead of outputting raw data, the command interpre </para></listitem> </varlistentry> <varlistentry> - <term>-f </term> - <listitem><para> -Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser. - </para></listitem> - </varlistentry> - <varlistentry><term>-s </term> - <listitem> - <para> -Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures. - </para> - <para> -If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate. - </para> - <para> -If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output. - </para> - </listitem> - </varlistentry> - <varlistentry> - <term>-x </term> - <listitem> - <para> -Turn on hex/ASCII printing of undecoded data inside parsed SSL records. Used only with the -s option. -This option uses the same output format as the -h option. - </para> - </listitem> - </varlistentry> - <varlistentry> <term>-l prefix</term> <listitem> <para> @@ -124,6 +98,28 @@ Turn on looping; that is, continue to accept connections rather than stopping af </para> </listitem> </varlistentry> + <varlistentry> + <term>-s </term> + <listitem> + <para> +Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures. + </para> + <para> +If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate. + </para> + <para> +If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>-v </term> + <listitem><para>Print a version string for the tool.</para></listitem> + </varlistentry> + <varlistentry> + <term>-x </term> + <listitem><para>Turn on extra SSL hex dumps.</para></listitem> + </varlistentry> </variablelist> </refsection> |