authorSylvestre Ledru <sledru@mozilla.com>2022-12-28 15:57:11 +0000
committerSylvestre Ledru <sledru@mozilla.com>2022-12-28 15:57:11 +0000
commitdb8a1f8a2cdcb32ab0c417a5eebca51fd500049d (patch)
treeda401a4d33191643c6140ec69582c852edc2bea7
parent7f0020b8c14146e581ae3b96747020cc1e614be7 (diff)
downloadnss-hg-db8a1f8a2cdcb32ab0c417a5eebca51fd500049d.tar.gz
Bug 1807822 - nss doc: remove non breaking space - r=nss-reviewers,bbeurdouche
done with: $ LC_ALL=C sed -i 's/\xc2\xa0/ /g' $(fd .rst)
Differential Revision: https://phabricator.services.mozilla.com/D165617
-rw-r--r--doc/rst/build.rst6
-rw-r--r--doc/rst/build_artifacts.rst2
-rw-r--r--doc/rst/legacy/building/index.rst12
-rw-r--r--doc/rst/legacy/cert_findcertbydercert/index.rst2
-rw-r--r--doc/rst/legacy/certificate_download_specification/index.rst8
-rw-r--r--doc/rst/legacy/code_coverage/index.rst2
-rw-r--r--doc/rst/legacy/fips_mode_-_an_explanation/index.rst96
-rw-r--r--doc/rst/legacy/http_delegation/index.rst4
-rw-r--r--doc/rst/legacy/http_delegation_clone/index.rst4
-rw-r--r--doc/rst/legacy/index/index.rst6300
-rw-r--r--doc/rst/legacy/introduction_to_network_security_services/index.rst2
-rw-r--r--doc/rst/legacy/jss/4.3.1_release_notes/index.rst32
-rw-r--r--doc/rst/legacy/jss/4_3_releasenotes/index.rst26
-rw-r--r--doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst6
-rw-r--r--doc/rst/legacy/jss/index.rst10
-rw-r--r--doc/rst/legacy/jss/jss_faq/index.rst2
-rw-r--r--doc/rst/legacy/jss/using_jss/index.rst2
-rw-r--r--doc/rst/legacy/key_log_format/index.rst2
-rw-r--r--doc/rst/legacy/notes_on_tls_-_ssl_3.0_intolerant_servers/index.rst8
-rw-r--r--doc/rst/legacy/nss_3.11.10_release_notes.html/index.rst2
-rw-r--r--doc/rst/legacy/nss_3.12.1_release_notes.html/index.rst2
-rw-r--r--doc/rst/legacy/nss_3.12.2_release_notes.html/index.rst2
-rw-r--r--doc/rst/legacy/nss_api_guidelines/index.rst26
-rw-r--r--doc/rst/legacy/nss_config_options/index.rst4
-rw-r--r--doc/rst/legacy/nss_developer_tutorial/index.rst8
-rw-r--r--doc/rst/legacy/nss_releases/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst6
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst12
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst6
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst14
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst8
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst22
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst6
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst6
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst10
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst10
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst20
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst10
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst6
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst6
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst16
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst30
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst6
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst4
-rw-r--r--doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst2
-rw-r--r--doc/rst/legacy/nss_sample_code/nss_sample_code_sample1/index.rst2
-rw-r--r--doc/rst/legacy/nss_sample_code/nss_sample_code_sample_1_hashing/index.rst2
-rw-r--r--doc/rst/legacy/nss_sample_code/nss_sample_code_sample_2_initialization_of_nss/index.rst2
-rw-r--r--doc/rst/legacy/nss_sample_code/nss_sample_code_sample_3_basic_encryption_and_maci/index.rst2
-rw-r--r--doc/rst/legacy/nss_sample_code/nss_sample_code_utililies_1/index.rst2
-rw-r--r--doc/rst/legacy/nss_sample_code/sample2_-_initialize_nss_database/index.rst2
-rw-r--r--doc/rst/legacy/nss_sample_code/utiltiies_for_nss_samples/index.rst2
-rw-r--r--doc/rst/legacy/nss_tech_notes/nss_tech_note4/index.rst146
-rw-r--r--doc/rst/legacy/nss_tech_notes/nss_tech_note5/index.rst168
-rw-r--r--doc/rst/legacy/nss_tech_notes/nss_tech_note6/index.rst22
-rw-r--r--doc/rst/legacy/nss_tools_sslstrength/index.rst8
-rw-r--r--doc/rst/legacy/pkcs11/module_installation/index.rst6
-rw-r--r--doc/rst/legacy/pkcs11/module_specs/index.rst76
-rw-r--r--doc/rst/legacy/python_binding_for_nss/index.rst40
-rw-r--r--doc/rst/legacy/reference/building_and_installing_nss/build_instructions/index.rst4
-rw-r--r--doc/rst/legacy/reference/building_and_installing_nss/migration_to_hg/index.rst24
-rw-r--r--doc/rst/legacy/reference/fc_getinfo/index.rst8
-rw-r--r--doc/rst/legacy/reference/index.rst2
-rw-r--r--doc/rst/legacy/reference/nspr_functions/index.rst22
-rw-r--r--doc/rst/legacy/reference/nss_certificate_functions/index.rst2
-rw-r--r--doc/rst/legacy/reference/nss_environment_variables/index.rst8
-rw-r--r--doc/rst/legacy/reference/nss_initialize/index.rst44
-rw-r--r--doc/rst/legacy/reference/nss_tools/index.rst2
-rw-r--r--doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst1356
-rw-r--r--doc/rst/legacy/reference/nss_tools__colon__crlutil/index.rst2
-rw-r--r--doc/rst/legacy/reference/troubleshoot/index.rst4
-rw-r--r--doc/rst/legacy/release_notes/index.rst2
-rw-r--r--doc/rst/legacy/ssl_functions/gtstd/index.rst2
-rw-r--r--doc/rst/legacy/ssl_functions/old_ssl_reference/index.rst16
-rw-r--r--doc/rst/legacy/ssl_functions/pkfnc/index.rst14
-rw-r--r--doc/rst/legacy/ssl_functions/sslcrt/index.rst48
-rw-r--r--doc/rst/legacy/ssl_functions/sslerr/index.rst38
-rw-r--r--doc/rst/legacy/ssl_functions/sslfnc/index.rst156
-rw-r--r--doc/rst/legacy/ssl_functions/sslintro/index.rst2
-rw-r--r--doc/rst/legacy/ssl_functions/ssltyp/index.rst8
-rw-r--r--doc/rst/legacy/tls_cipher_suite_discovery/index.rst10
-rw-r--r--doc/rst/legacy/tools/certutil/index.rst1320
-rw-r--r--doc/rst/legacy/tools/cmsutil/index.rst178
-rw-r--r--doc/rst/legacy/tools/crlutil/index.rst412
-rw-r--r--doc/rst/legacy/tools/modutil/index.rst1228
-rw-r--r--doc/rst/legacy/tools/nss_tools_certutil/index.rst28
-rw-r--r--doc/rst/legacy/tools/nss_tools_cmsutil/index.rst8
-rw-r--r--doc/rst/legacy/tools/nss_tools_crlutil/index.rst6
-rw-r--r--doc/rst/legacy/tools/nss_tools_modutil/index.rst176
-rw-r--r--doc/rst/legacy/tools/nss_tools_pk12util/index.rst6
-rw-r--r--doc/rst/legacy/tools/nss_tools_sslstrength/index.rst14
-rw-r--r--doc/rst/legacy/tools/nss_tools_ssltap/index.rst504
-rw-r--r--doc/rst/legacy/tools/pk12util/index.rst510
-rw-r--r--doc/rst/legacy/tools/signtool/index.rst1048
-rw-r--r--doc/rst/legacy/tools/signver/index.rst194
-rw-r--r--doc/rst/legacy/tools/ssltap/index.rst944
-rw-r--r--doc/rst/legacy/tools/vfychain/index.rst148
135 files changed, 7927 insertions, 7927 deletions
diff --git a/doc/rst/build.rst b/doc/rst/build.rst
index 8192e466a..ade2c379f 100644
--- a/doc/rst/build.rst
+++ b/doc/rst/build.rst
@@ -20,7 +20,7 @@ Building NSS
.. container::
- NSS needs a C and C++ compiler.  It has minimal dependencies, including only
+ NSS needs a C and C++ compiler. It has minimal dependencies, including only
standard C and C++ libraries, plus `zlib <https://www.zlib.net/>`__.
For building, you also need `make <https://www.gnu.org/software/make/>`__.
Ideally, also install `gyp-next <https://github.com/nodejs/gyp-next>`__ and `ninja
@@ -181,7 +181,7 @@ Building NSS
.. container::
- NSS contains extensive unit tests.  Scripts to run these are found in the ``tests`` directory. 
+ NSS contains extensive unit tests. Scripts to run these are found in the ``tests`` directory.
Run the standard suite by:
.. code::
@@ -221,7 +221,7 @@ Building NSS
Running all tests can take a considerable amount of time.
- Test output is stored in ``tests_results/security/$HOST.$NUMBER/``.  The file
+ Test output is stored in ``tests_results/security/$HOST.$NUMBER/``. The file
``results.html`` summarizes the results, ``output.log`` captures all the test
output.
diff --git a/doc/rst/build_artifacts.rst b/doc/rst/build_artifacts.rst
index 973e08010..a1ddac79c 100644
--- a/doc/rst/build_artifacts.rst
+++ b/doc/rst/build_artifacts.rst
@@ -63,7 +63,7 @@ Build artifacts
libraries:
======= ======== ===============================
-   Windows Unix
+ Windows Unix
static ``.lib`` ``.a``
dynamic ``.dll`` ``.so`` or ``.dylib`` or ``.sl``
======= ======== ===============================
diff --git a/doc/rst/legacy/building/index.rst b/doc/rst/legacy/building/index.rst
index 21120ddf7..aee480c4d 100644
--- a/doc/rst/legacy/building/index.rst
+++ b/doc/rst/legacy/building/index.rst
@@ -19,12 +19,12 @@ Building NSS
.. container::
- NSS needs a C and C++ compiler.  It has minimal dependencies, including only standard C and C++
+ NSS needs a C and C++ compiler. It has minimal dependencies, including only standard C and C++
libraries, plus `zlib <https://www.zlib.net/>`__.
- For building, you also need `make <https://www.gnu.org/software/make/>`__.  Ideally, also install
+ For building, you also need `make <https://www.gnu.org/software/make/>`__. Ideally, also install
`gyp <https://gyp.gsrc.io/>`__ and `ninja <https://ninja-build.org/>`__ and put them on your
- path.  This is recommended, as the build is faster and more reliable.
+ path. This is recommended, as the build is faster and more reliable.
`Windows <#windows>`__
~~~~~~~~~~~~~~~~~~~~~~
@@ -78,7 +78,7 @@ Building NSS
.. container::
Alternatively, there is a ``make`` target called "nss_build_all", which produces a similar
- result.  This supports some alternative options, but can be a lot slower.
+ result. This supports some alternative options, but can be a lot slower.
.. code::
@@ -113,7 +113,7 @@ Building NSS
.. container::
- NSS contains extensive unit tests.  Scripts to run these are found in the ``tests`` directory. 
+ NSS contains extensive unit tests. Scripts to run these are found in the ``tests`` directory.
Run the standard suite by:
.. code::
@@ -152,7 +152,7 @@ Building NSS
Running all tests can take a considerable amount of time.
- Test output is stored in ``tests_results/security/$HOST.$NUMBER/``.  The file ``results.html``
+ Test output is stored in ``tests_results/security/$HOST.$NUMBER/``. The file ``results.html``
summarizes the results, ``output.log`` captures all the test output.
Other subdirectories of ``nss/tests`` contain scripts that run a subset of the full suite. Those
diff --git a/doc/rst/legacy/cert_findcertbydercert/index.rst b/doc/rst/legacy/cert_findcertbydercert/index.rst
index c7b87d218..7e297a2df 100644
--- a/doc/rst/legacy/cert_findcertbydercert/index.rst
+++ b/doc/rst/legacy/cert_findcertbydercert/index.rst
@@ -38,7 +38,7 @@ CERT_FindCertByDERCert
.. container::
- This function looks in the ?NSSCryptoContext? and the ?NSSTrustDomain? to find the certificate
+ This function looks in the ?NSSCryptoContext? and the ?NSSTrustDomain? to find the certificate
that matches the DER-encoded certificate. A match is found when the issuer and serial number of
the DER-encoded certificate are found on a certificate in the certificate database.
diff --git a/doc/rst/legacy/certificate_download_specification/index.rst b/doc/rst/legacy/certificate_download_specification/index.rst
index c81a67a8f..5fe98aa6b 100644
--- a/doc/rst/legacy/certificate_download_specification/index.rst
+++ b/doc/rst/legacy/certificate_download_specification/index.rst
@@ -45,7 +45,7 @@ NSS Certificate Download Specification
.. code::
- CertificateSequence ::= SEQUENCE OF Certificate
+ CertificateSequence ::= SEQUENCE OF Certificate
See the section below on
:ref:`mozilla_projects_nss_certificate_download_specification#importing_certificate_chains` for
@@ -170,7 +170,7 @@ NSS Certificate Download Specification
.. code::
- netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }
+ netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 }
The hexadecimal byte value of this OID when DER encoded is:
@@ -182,5 +182,5 @@ NSS Certificate Download Specification
.. code::
- netscape-data-type OBJECT IDENTIFIER :: = { netscape 2 }
- netscape-cert-sequence OBJECT IDENTIFIER :: = { netscape-data-type 5 } \ No newline at end of file
+ netscape-data-type OBJECT IDENTIFIER :: = { netscape 2 }
+ netscape-cert-sequence OBJECT IDENTIFIER :: = { netscape-data-type 5 } \ No newline at end of file
diff --git a/doc/rst/legacy/code_coverage/index.rst b/doc/rst/legacy/code_coverage/index.rst
index 5db3763a9..143cf61bf 100644
--- a/doc/rst/legacy/code_coverage/index.rst
+++ b/doc/rst/legacy/code_coverage/index.rst
@@ -58,7 +58,7 @@ NSS Code Coverage
- Example: Not tested (0/?/878).
- 0 - tested blocks in file (always 0).
- -  ? - total blocks in file (there is no trivial method to get this number without TCOV).
+ - ? - total blocks in file (there is no trivial method to get this number without TCOV).
- 878 - total lines in file (by wc -l command).
.. rubric:: Numbers in total count
diff --git a/doc/rst/legacy/fips_mode_-_an_explanation/index.rst b/doc/rst/legacy/fips_mode_-_an_explanation/index.rst
index 9665ce331..3e141cca5 100644
--- a/doc/rst/legacy/fips_mode_-_an_explanation/index.rst
+++ b/doc/rst/legacy/fips_mode_-_an_explanation/index.rst
@@ -5,9 +5,9 @@ FIPS Mode - an explanation
.. container::
- NSS has a "FIPS Mode" that can be enabled when NSS is compiled in a specific way. (Note: Mozilla
+ NSS has a "FIPS Mode" that can be enabled when NSS is compiled in a specific way. (Note: Mozilla
does not distribute a "FIPS Mode"-ready NSS with Firefox.) This page attempts to provide an
- informal explanation of what it is, who would use it, and why. 
+ informal explanation of what it is, who would use it, and why.
.. _what's_a_fips:
@@ -17,69 +17,69 @@ FIPS Mode - an explanation
.. container::
The United States government defines many (several hundred) "Federal Information Processing
- Standard" (FIPS) documents.  (FIPS sounds plural, but is singular; one FIPS document is a FIPS,
- not a FIP.)  FIPS documents define rules, regulations, and standards for many aspects of handling
- of information by computers and by people.  They apply to all US government employees and
- personnel, including soldiers in the armed forces.  Generally speaking, any use of a computer by
- US government personnel must conform to all the relevant FIPS regulations.  If you're a
- US government worker, and you want to use a Mozilla software product such as Firefox, or any
+ Standard" (FIPS) documents. (FIPS sounds plural, but is singular; one FIPS document is a FIPS,
+ not a FIP.) FIPS documents define rules, regulations, and standards for many aspects of handling
+ of information by computers and by people. They apply to all US government employees and
+ personnel, including soldiers in the armed forces. Generally speaking, any use of a computer by
+ US government personnel must conform to all the relevant FIPS regulations. If you're a
+ US government worker, and you want to use a Mozilla software product such as Firefox, or any
product that uses NSS, you will want to use it in a way that is fully conformant with all the
- relevant FIPS regulations.  Some other governments have also adopted many of the FIPS
- regulations, so their applicability is somewhat wider than just the US government's personnel.
+ relevant FIPS regulations. Some other governments have also adopted many of the FIPS
+ regulations, so their applicability is somewhat wider than just the US government's personnel.
.. _what_is_fips_mode:
-`What is "FIPS Mode"? <#what_is_fips_mode>`__
+`What is "FIPS Mode"? <#what_is_fips_mode>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
- One of the FIPS regulations, FIPS 140, governs the use of encryption and cryptographic services. 
- It requires that ALL cryptography done by US government personnel MUST be done in "devices" that
+ One of the FIPS regulations, FIPS 140, governs the use of encryption and cryptographic services.
+ It requires that ALL cryptography done by US government personnel MUST be done in "devices" that
have been independently tested, and certified by NIST, to meet the extensive requirements of that
- document.  These devices may be hardware or software, but either way, they must function and
- behave as prescribed.  So, in order for Mozilla Firefox and Thunderbird to be usable by people
+ document. These devices may be hardware or software, but either way, they must function and
+ behave as prescribed. So, in order for Mozilla Firefox and Thunderbird to be usable by people
who are subject to the FIPS regulations, Mozilla's cryptographic software must be able to operate
- in a mode that is fully compliant with FIPS 140.  To that end, Mozilla products can function in a
- "FIPS Mode", which is really "FIPS 140 Mode", when paired with a compliant copy of NSS.  (Note,
- the current version of FIPS 140 is revision 2, a.k.a. FIPS 140-2.  FIPS 140-3 is being devised by
- NIST now for adoption in the future.)  Users who are subject to the FIPS regulations must ensure
- that they have Mozilla's FIPS Mode enabled when they use Mozilla software, in order to be fully
- conformant.  Instructions for how to configure Firefox into FIPS mode may be found on
+ in a mode that is fully compliant with FIPS 140. To that end, Mozilla products can function in a
+ "FIPS Mode", which is really "FIPS 140 Mode", when paired with a compliant copy of NSS. (Note,
+ the current version of FIPS 140 is revision 2, a.k.a. FIPS 140-2. FIPS 140-3 is being devised by
+ NIST now for adoption in the future.) Users who are subject to the FIPS regulations must ensure
+ that they have Mozilla's FIPS Mode enabled when they use Mozilla software, in order to be fully
+ conformant. Instructions for how to configure Firefox into FIPS mode may be found on
`support.mozilla.com <https://support.mozilla.com/en-US/kb/Configuring+Firefox+for+FIPS+140-2>`__.
.. _is_nss_fips-140_compliant:
-`Is NSS FIPS-140 compliant? <#is_nss_fips-140_compliant>`__
+`Is NSS FIPS-140 compliant? <#is_nss_fips-140_compliant>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
Mozilla's NSS cryptographic software has been tested by government-approved independent testing
- labs and certified by NIST as being FIPS 140 compliant *when operated in FIPS mode* on 4 previous
- occasions.  As of this writing, NSS is now being retested to be recertified for the fifth time. 
- NSS was the first open source cryptographic library to be FIPS certified.  
+ labs and certified by NIST as being FIPS 140 compliant *when operated in FIPS mode* on 4 previous
+ occasions. As of this writing, NSS is now being retested to be recertified for the fifth time.
+ NSS was the first open source cryptographic library to be FIPS certified.
.. _what_is_fips_mode_all_about:
-`What is FIPS Mode all about?  <#what_is_fips_mode_all_about>`__
+`What is FIPS Mode all about? <#what_is_fips_mode_all_about>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
- A FIPS-140 compliant application must do ALL of its cryptography in a FIPS-140 certified
- "device".  Whether it is hardware or software, that device will have all the cryptographic
- engines in it, and also will stores keys and perhaps certificates inside.  The device must have a
+ A FIPS-140 compliant application must do ALL of its cryptography in a FIPS-140 certified
+ "device". Whether it is hardware or software, that device will have all the cryptographic
+ engines in it, and also will stores keys and perhaps certificates inside. The device must have a
way for users to authenticate to it (to "login" to it), to prove to it that they are authorized
- to use the cryptographic engines and keys it contains.  It may not do ANY cryptographic
+ to use the cryptographic engines and keys it contains. It may not do ANY cryptographic
operations that involve the use of cryptographic keys, nor allow ANY of the keys or certificates
- it holds to be seen or used, except when a user has successfully authenticated to it.  If users
- authenticate to it with a password, it must ensure that their passwords are strong passwords.  It
- must implement the US government standard algorithms (also specified in other FIPS documents)
+ it holds to be seen or used, except when a user has successfully authenticated to it. If users
+ authenticate to it with a password, it must ensure that their passwords are strong passwords. It
+ must implement the US government standard algorithms (also specified in other FIPS documents)
such as AES, triple-DES, SHA-1 and SHA-256, that are needed to do whatever job the application
- wants it to perform.  It must generate or derive cryptographic keys and store them internally. 
+ wants it to perform. It must generate or derive cryptographic keys and store them internally.
Except for "public keys", it must not allow any keys to leave it (to get outside of it) unless
- they are encrypted ("wrapped") in a special way.  This makes it difficult to move keys from one
+ they are encrypted ("wrapped") in a special way. This makes it difficult to move keys from one
device to another, and consequently, all crypto engines and key storage must be in a single
device rather than being split up into several devices.
@@ -90,28 +90,28 @@ FIPS Mode - an explanation
.. container::
- These requirements have several implications for users.  In FIPS Mode, every user must have a
+ These requirements have several implications for users. In FIPS Mode, every user must have a
good strong "master password", and must enter it each time they start or restart Firefox before
- they can visit any web sites that use cryptography (https).  Firefox can only use the latest
- version of SSL, known as "TLS", and not the older SSL 2 or SSL 3.0 protocols, and Firefox can
- only talk to those servers that use FIPS standard encryption algorithms such as AES or
- triple-DES.  Servers that can only use non-FIPS-approved encryption, such as RC4, cannot be used
- in FIPS mode.  
+ they can visit any web sites that use cryptography (https). Firefox can only use the latest
+ version of SSL, known as "TLS", and not the older SSL 2 or SSL 3.0 protocols, and Firefox can
+ only talk to those servers that use FIPS standard encryption algorithms such as AES or
+ triple-DES. Servers that can only use non-FIPS-approved encryption, such as RC4, cannot be used
+ in FIPS mode.
.. _how_is_fips_mode_different_from_normal_non-fips_mode:
-`How is FIPS Mode different from normal non-FIPS Mode? <#how_is_fips_mode_different_from_normal_non-fips_mode>`__
+`How is FIPS Mode different from normal non-FIPS Mode? <#how_is_fips_mode_different_from_normal_non-fips_mode>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. container::
In normal non-FIPS Mode, the "master password" is optional and is allowed to be a weak short
- password.  The user is only required to enter his master password to use his own private keys (if
- he has any) or to access his stored web-site passwords.  The user is not required to enter the
+ password. The user is only required to enter his master password to use his own private keys (if
+ he has any) or to access his stored web-site passwords. The user is not required to enter the
master password to visit ordinary https servers, nor to view certificates he has previously
- stored.  In non-FIPS mode, NSS is willing and able to use popular non-FIPS approved cryptographic
- algorithms, such as RC4 and MD5, to communicate with older https servers.  NSS divides its
- operations up into two "devices" rather than just one.  One device does all the operations that
+ stored. In non-FIPS mode, NSS is willing and able to use popular non-FIPS approved cryptographic
+ algorithms, such as RC4 and MD5, to communicate with older https servers. NSS divides its
+ operations up into two "devices" rather than just one. One device does all the operations that
may be done without needing to authenticate, and the other device stores the user's certificates
and private keys and performs operations that use those private keys.
@@ -122,7 +122,7 @@ FIPS Mode - an explanation
.. container::
- Instructions for how to configure Firefox into FIPS mode may be found on
+ Instructions for how to configure Firefox into FIPS mode may be found on
`support.mozilla.com <https://support.mozilla.com/en-US/kb/Configuring+Firefox+for+FIPS+140-2>`__.
Some third-parties distribute Firefox ready for FIPS mode, `a partial list can be found at the
NSS
diff --git a/doc/rst/legacy/http_delegation/index.rst b/doc/rst/legacy/http_delegation/index.rst
index 456ce3032..f0288507d 100644
--- a/doc/rst/legacy/http_delegation/index.rst
+++ b/doc/rst/legacy/http_delegation/index.rst
@@ -20,7 +20,7 @@ HTTP delegation
an OSCP responder.
This NSS feature is currently targeted to first appear in NSS version 3.11.1. More details can be
- found in `bug 152426 <https://bugzilla.mozilla.org/show_bug.cgi?id=152426>`__.
+ found in `bug 152426 <https://bugzilla.mozilla.org/show_bug.cgi?id=152426>`__.
In order to use the HTTP Delegation feature in your NSS-based application, you need to implement
several callback functions. Your callback functions might be a full implementation of a HTTP
@@ -32,7 +32,7 @@ HTTP delegation
with SEC_Http.
To find an example implementation, you may look at
- `bug 111384 <https://bugzilla.mozilla.org/show_bug.cgi?id=111384>`__, which tracks the
+ `bug 111384 <https://bugzilla.mozilla.org/show_bug.cgi?id=111384>`__, which tracks the
implementation in Mozilla client applications.
.. _instructions_for_specifying_an_ocsp_proxy:
diff --git a/doc/rst/legacy/http_delegation_clone/index.rst b/doc/rst/legacy/http_delegation_clone/index.rst
index e2b966f1c..ac305b2dd 100644
--- a/doc/rst/legacy/http_delegation_clone/index.rst
+++ b/doc/rst/legacy/http_delegation_clone/index.rst
@@ -20,7 +20,7 @@ HTTP delegation
an OSCP responder.
This NSS feature is currently targeted to first appear in NSS version 3.11.1. More details can be
- found in `bug 152426 <https://bugzilla.mozilla.org/show_bug.cgi?id=152426>`__.
+ found in `bug 152426 <https://bugzilla.mozilla.org/show_bug.cgi?id=152426>`__.
In order to use the HTTP Delegation feature in your NSS-based application, you need to implement
several callback functions. Your callback functions might be a full implementation of a HTTP
@@ -32,7 +32,7 @@ HTTP delegation
with SEC_Http.
To find an example implementation, you may look at
- `bug 111384 <https://bugzilla.mozilla.org/show_bug.cgi?id=111384>`__, which tracks the
+ `bug 111384 <https://bugzilla.mozilla.org/show_bug.cgi?id=111384>`__, which tracks the
implementation in Mozilla client applications.
.. _instructions_for_specifying_an_ocsp_proxy:
diff --git a/doc/rst/legacy/index/index.rst b/doc/rst/legacy/index/index.rst
index 97431db3c..c7a1946a7 100644
--- a/doc/rst/legacy/index/index.rst
+++ b/doc/rst/legacy/index/index.rst
@@ -1129,7 +1129,7 @@ Index
| 16 | :ref:`mozilla_projects_n | **NSS** |
| | ss_fips_mode_-_an_explanation` | |
+--------------------------------+--------------------------------+--------------------------------+
- | | | NSS has a "FIPS Mode" that can |
+ | | | NSS has a "FIPS Mode" that can |
| | | be enabled when NSS is |
| | | compiled in a specific way. |
| | | (Note: Mozilla does not |
@@ -1138,7 +1138,7 @@ Index
| | | attempts to provide an |
| | | informal explanation of what |
| | | it is, who would use it, and |
- | | | why.  |
+ | | | why. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
+--------------------------------+--------------------------------+--------------------------------+
@@ -1876,7 +1876,7 @@ Index
| | | The NSS team has released |
| | | Network Security Services |
| | | (NSS) 3.19, which is a minor |
- | | | security release. |
+ | | | security release. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
+--------------------------------+--------------------------------+--------------------------------+
@@ -2695,7 +2695,7 @@ Index
| | | The NSS team has released |
| | | Network Security Services |
| | | (NSS) 3.44.4 on **19 May |
- | | | 2020**. This is  a security |
+ | | | 2020**. This is a security |
| | | patch release. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
@@ -2847,7 +2847,7 @@ Index
| | | The NSS team has released |
| | | Network Security Services |
| | | (NSS) 3.51.1 on **3 April |
- | | | 2020**. This is  a minor |
+ | | | 2020**. This is a minor |
| | | release focusing on functional |
| | | bug fixes and low-risk patches |
| | | only. |
@@ -2869,7 +2869,7 @@ Index
| | | The NSS team has released |
| | | Network Security Services |
| | | (NSS) 3.52.1 on **19 May |
- | | | 2020**. This is  a security |
+ | | | 2020**. This is a security |
| | | patch release. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
@@ -3151,7 +3151,7 @@ Index
| | | This is an example program |
| | | that demonstrates how to |
| | | compute the hash of a file and |
- | | | save it to another file.  This |
+ | | | save it to another file. This |
| | | program illustrates the use of |
| | | NSS message APIs. |
+--------------------------------+--------------------------------+--------------------------------+
@@ -3163,7 +3163,7 @@ Index
+--------------------------------+--------------------------------+--------------------------------+
| | | This example program |
| | | demonstrates how to initialize |
- | | | the NSS Database.  This |
+ | | | the NSS Database. This |
| | | program illustrates password |
| | | handling. |
+--------------------------------+--------------------------------+--------------------------------+
@@ -3176,7 +3176,7 @@ Index
+--------------------------------+--------------------------------+--------------------------------+
| | | This example program |
| | | demonstrates how to encrypt |
- | | | and MAC a file.  |
+ | | | and MAC a file. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
+--------------------------------+--------------------------------+--------------------------------+
@@ -3187,7 +3187,7 @@ Index
| | | This is an example program |
| | | that demonstrates how to do |
| | | key generation and transport |
- | | | between cooperating servers.  |
+ | | | between cooperating servers. |
| | | This program shows the |
| | | following: |
+--------------------------------+--------------------------------+--------------------------------+
@@ -3238,7 +3238,7 @@ Index
| | e_nss_sample_code_utililies_1` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | This is a library of utilities |
- | | | used by many of the samples.  |
+ | | | used by many of the samples. |
| | | This code shows the following: |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
@@ -3269,7 +3269,7 @@ Index
| | le2_-_initialize_nss_database` | Web Development** |
+--------------------------------+--------------------------------+--------------------------------+
| | | The NSS sample code below |
- | | | demonstrates how to initialize |
+ | | | demonstrates how to initialize |
| | | the NSS database. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
@@ -3300,7 +3300,7 @@ Index
| | | adapted from those found in |
| | | the sectool library used by |
| | | the NSS security tools and |
- | | | other NSS test applications.  |
+ | | | other NSS test applications. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
+--------------------------------+--------------------------------+--------------------------------+
@@ -3551,7 +3551,7 @@ Index
| | | biometric security devices, |
| | | and external certificate |
| | | stores. This article covers |
- | | | the two methods for installing |
+ | | | the two methods for installing |
| | | PKCS #11 modules into Firefox. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
@@ -3651,13 +3651,13 @@ Index
| | | Each project now lives in its |
| | | own separate space, they can |
| | | be found at: |
- | | |    https:/ |
+ | | | https:/ |
| | | /hg.mozilla.org/projects/nspr/ |
- | | |    https: |
+ | | | https: |
| | | //hg.mozilla.org/projects/nss/ |
- | | |    https: |
+ | | | https: |
| | | //hg.mozilla.org/projects/jss/ |
- | | |   |
+ | | | |
| | | https://hg.mo |
| | | zilla.org/projects/python-nss/ |
+--------------------------------+--------------------------------+--------------------------------+
@@ -4282,13 +4282,13 @@ Index
| | | is a platform abstraction |
| | | library that provides a |
| | | cross-platform API to common |
- | | | OS services.  NSS uses NSPR |
+ | | | OS services. NSS uses NSPR |
| | | internally as the porting |
- | | | layer.  However, a small |
+ | | | layer. However, a small |
| | | number of NSPR functions are |
| | | required for using the |
| | | certificate verification and |
- | | | SSL functions in NSS.  These |
+ | | | SSL functions in NSS. These |
| | | NSPR functions are listed in |
| | | this section. |
+--------------------------------+--------------------------------+--------------------------------+
@@ -4397,84 +4397,84 @@ Index
| | eference_nss_tools_:_certutil` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    certutil — Manage keys and |
+ | | | certutil — Manage keys and |
| | | certificate in both NSS |
| | | databases and other NSS tokens |
| | | Synopsis |
- | | |    certutil [options] |
+ | | | certutil [options] |
| | | [[arguments]] |
| | | Description |
- | | |    The Certificate Database |
+ | | | The Certificate Database |
| | | Tool, certutil, is a |
| | | command-line utility |
- | | |    that can create and modify |
+ | | | that can create and modify |
| | | certificate and key databases. |
- | | |    It can specifically list, |
+ | | | It can specifically list, |
| | | generate, modify, or delete |
| | | certificates, create or |
- | | |    change the password, |
+ | | | change the password, |
| | | generate new public and |
| | | private key pairs, |
- | | |    display the contents of the |
+ | | | display the contents of the |
| | | key database, or delete key |
- | | | pairs within  the key |
+ | | | pairs within the key |
| | | database. |
- | | |    Certificate issuance, part |
+ | | | Certificate issuance, part |
| | | of the key and certificate |
| | | management process, requires |
| | | that |
- | | |    keys and certificates be |
+ | | | keys and certificates be |
| | | created in the key database. |
| | | This document discusses |
| | | certificate |
- | | |    and key database |
+ | | | and key database |
| | | management. For information on |
- | | | the  security module database |
+ | | | the security module database |
| | | management, |
- | | |    see the modutil manpage. |
+ | | | see the modutil manpage. |
| | | Options and Arguments |
- | | |    Running certutil always |
+ | | | Running certutil always |
| | | requires one and only one |
| | | command option to |
- | | |    specify the type of |
+ | | | specify the type of |
| | | certificate operation. Each |
| | | option may take arguments, |
- | | |    anywhere from none to |
+ | | | anywhere from none to |
| | | multiple arguments. The |
| | | command option -H will list |
- | | |    all the command options |
+ | | | all the command options |
| | | available and their relevant |
| | | arguments. |
- | | |    Command Options |
- | | |    -A |
- | | |           Add an existing |
+ | | | Command Options |
+ | | | -A |
+ | | | Add an existing |
| | | certificate to a certificate |
| | | database. |
- | | |           The certificate |
+ | | | The certificate |
| | | database should already exist; |
| | | if one is |
- | | |           not present, this |
+ | | | not present, this |
| | | command option will initialize |
| | | one by default. |
- | | |    -B |
- | | |           Run a series of |
+ | | | -B |
+ | | | Run a series of |
| | | commands from the specified |
| | | batch file. |
- | | |           This requires the -i |
+ | | | This requires the -i |
| | | argument. |
- | | |    -C |
- | | |           Create a new binary |
+ | | | -C |
+ | | | Create a new binary |
| | | certificate file from a binary |
- | | |           certificate request |
+ | | | certificate request |
| | | file. Use the -i argument to |
| | | specify |
- | | |           the certificate |
+ | | | the certificate |
| | | request file. If this argument |
| | | is not |
- | | |           used, certutil |
+ | | | used, certutil |
| | | prompts for a filename. |
- | | |    -D |
- | | |           Delete a certificate |
+ | | | -D |
+ | | | Delete a certificate |
| | | from the certificate database. |
+--------------------------------+--------------------------------+--------------------------------+
| | | |
@@ -4560,7 +4560,7 @@ Index
+--------------------------------+--------------------------------+--------------------------------+
| | | This page lists release notes |
| | | for older versions of NSS. |
- | | | See :ref:`mozi |
+ | | | See :ref:`mozi |
| | | lla_projects_nss_nss_releases` |
| | | :ref:`mozi |
| | | lla_projects_nss_nss_releases` |
@@ -4659,7 +4659,7 @@ Index
| | | and encrypted communications. |
| | | This chapter introduces some |
| | | of the basic SSL functions. |
- | | | `Chapter 2, "Getting Started |
+ | | | `Chapter 2, "Getting Started |
| | | With |
| | | SSL" <gtstd.html#1005439>`__ |
| | | illustrates their use in |
@@ -4710,974 +4710,974 @@ Index
| | a_projects_nss_tools_certutil` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    certutil — Manage keys and |
+ | | | certutil — Manage keys and |
| | | certificate in the NSS |
| | | database. |
| | | Synopsis |
- | | |    certutil [options] |
+ | | | certutil [options] |
| | | `arguments <arguments>`__ |
| | | Description |
- | | |    The Certificate Database |
+ | | | The Certificate Database |
| | | Tool, certutil, is a |
| | | command-line utility that |
- | | |    can create and modify |
+ | | | can create and modify |
| | | certificate and key database |
| | | files. It can also |
- | | |    list, generate, modify, or |
+ | | | list, generate, modify, or |
| | | delete certificates within the |
| | | database, create |
- | | |    or change the password, |
+ | | | or change the password, |
| | | generate new public and |
| | | private key pairs, display |
- | | |    the contents of the key |
+ | | | the contents of the key |
| | | database, or delete key pairs |
| | | within the key |
- | | |    database. |
- | | |    The key and certificate |
+ | | | database. |
+ | | | The key and certificate |
| | | management process generally |
| | | begins with creating |
- | | |    keys in the key database, |
+ | | | keys in the key database, |
| | | then generating and managing |
| | | certificates in the |
- | | |    certificate database. This |
+ | | | certificate database. This |
| | | document discusses certificate |
| | | and key database |
- | | |    management. For information |
+ | | | management. For information |
| | | security module database |
| | | management, see the |
- | | |    modutil manpages. |
+ | | | modutil manpages. |
| | | Options and Arguments |
- | | |    Running certutil always |
+ | | | Running certutil always |
| | | requires one (and only one) |
| | | option to specify the |
- | | |    type of certificate |
+ | | | type of certificate |
| | | operation. Each option may |
| | | take arguments, anywhere |
- | | |    from none to multiple |
+ | | | from none to multiple |
| | | arguments. Run the command |
| | | option and -H to see the |
- | | |    arguments available for |
+ | | | arguments available for |
| | | each command option. |
- | | |    Options |
- | | |    Options specify an action |
+ | | | Options |
+ | | | Options specify an action |
| | | and are uppercase. |
- | | |    -A |
- | | |            Add an existing |
+ | | | -A |
+ | | | Add an existing |
| | | certificate to a certificate |
| | | database. The |
- | | |            certificate |
+ | | | certificate |
| | | database should already exist; |
| | | if one is not present, |
- | | |            this option will |
+ | | | this option will |
| | | initialize one by default. |
- | | |    -B |
- | | |            Run a series of |
+ | | | -B |
+ | | | Run a series of |
| | | commands from the specified |
| | | batch file. This |
- | | |            requires the -i |
+ | | | requires the -i |
| | | argument. |
- | | |    -C |
- | | |            Create a new binary |
+ | | | -C |
+ | | | Create a new binary |
| | | certificate file from a binary |
| | | certificate |
- | | |            request file. Use |
+ | | | request file. Use |
| | | the -i argument to specify the |
| | | certificate |
- | | |            request file. If |
+ | | | request file. If |
| | | this argument is not used, |
| | | certutil prompts for a |
- | | |            filename. |
- | | |    -D |
- | | |            Delete a |
+ | | | filename. |
+ | | | -D |
+ | | | Delete a |
| | | certificate from the |
| | | certificate database. |
- | | |    -E |
- | | |            Add an email |
+ | | | -E |
+ | | | Add an email |
| | | certificate to the certificate |
| | | database. |
- | | |    -F |
- | | |            Delete a private |
+ | | | -F |
+ | | | Delete a private |
| | | key from a key database. |
| | | Specify the key to |
- | | |            delete with the -n |
+ | | | delete with the -n |
| | | argument. Specify the database |
| | | from which to |
- | | |            delete the key with |
+ | | | delete the key with |
| | | the -d argument. Use the -k |
| | | argument to |
- | | |            specify explicitly |
+ | | | specify explicitly |
| | | whether to delete a DSA, RSA, |
| | | or ECC key. If |
- | | |            you don't use the |
+ | | | you don't use the |
| | | -k argument, the option looks |
| | | for an RSA key |
- | | |            matching the |
+ | | | matching the |
| | | specified nickname. |
- | | |            When you delete |
+ | | | When you delete |
| | | keys, be sure to also remove |
| | | any certificates |
- | | |            associated with |
+ | | | associated with |
| | | those keys from the |
| | | certificate database, by using |
- | | |            -D. Some smart |
+ | | | -D. Some smart |
| | | cards (for example, the |
| | | Litronic card) do not let |
- | | |            you remove a public |
+ | | | you remove a public |
| | | key you have generated. In |
| | | such a case, only |
- | | |            the private key is |
+ | | | the private key is |
| | | deleted from the key pair. You |
| | | can display the |
- | | |            public key with the |
+ | | | public key with the |
| | | command certutil -K -h |
| | | tokenname. |
- | | |    -G |
- | | |            Generate a new |
+ | | | -G |
+ | | | Generate a new |
| | | public and private key pair |
| | | within a key database. |
- | | |            The key database |
+ | | | The key database |
| | | should already exist; if one |
| | | is not present, this |
- | | |            option will |
+ | | | option will |
| | | initialize one by default. |
| | | Some smart cards (for |
- | | |            example, the |
+ | | | example, the |
| | | Litronic card) can store only |
| | | one key pair. If you |
- | | |            create a new key |
+ | | | create a new key |
| | | pair for such a card, the |
| | | previous pair is |
- | | |            overwritten. |
- | | |    -H |
- | | |            Display a list of |
+ | | | overwritten. |
+ | | | -H |
+ | | | Display a list of |
| | | the options and arguments used |
| | | by the |
- | | |            Certificate |
+ | | | Certificate |
| | | Database Tool. |
- | | |    -K |
- | | |            List the key ID of |
+ | | | -K |
+ | | | List the key ID of |
| | | keys in the key database. A |
| | | key ID is the |
- | | |            modulus of the RSA |
+ | | | modulus of the RSA |
| | | key or the publicValue of the |
| | | DSA key. IDs are |
- | | |            displayed in |
+ | | | displayed in |
| | | hexadecimal ("0x" is not |
| | | shown). |
- | | |    -L |
- | | |            List all the |
+ | | | -L |
+ | | | List all the |
| | | certificates, or display |
| | | information about a named |
- | | |            certificate, in a |
+ | | | certificate, in a |
| | | certificate database. Use the |
| | | -h tokenname |
- | | |            argument to specify |
+ | | | argument to specify |
| | | the certificate database on a |
| | | particular |
- | | |            hardware or |
+ | | | hardware or |
| | | software token. |
- | | |    -M |
- | | |            Modify a |
+ | | | -M |
+ | | | Modify a |
| | | certificate's trust attributes |
| | | using the values of the -t |
- | | |            argument. |
- | | |    -N |
- | | |            Create new |
+ | | | argument. |
+ | | | -N |
+ | | | Create new |
| | | certificate and key databases. |
- | | |    -O |
- | | |            Print the |
+ | | | -O |
+ | | | Print the |
| | | certificate chain. |
- | | |    -R |
- | | |            Create a |
+ | | | -R |
+ | | | Create a |
| | | certificate request file that |
| | | can be submitted to a |
- | | |            Certificate |
+ | | | Certificate |
| | | Authority (CA) for processing |
| | | into a finished |
- | | |            certificate. Output |
+ | | | certificate. Output |
| | | defaults to standard out |
| | | unless you use -o |
- | | |            output-file |
+ | | | output-file |
| | | argument. Use the -a argument |
| | | to specify ASCII output. |
- | | |    -S |
- | | |            Create an |
+ | | | -S |
+ | | | Create an |
| | | individual certificate and add |
| | | it to a certificate |
- | | |            database. |
- | | |    -T |
- | | |            Reset the key |
+ | | | database. |
+ | | | -T |
+ | | | Reset the key |
| | | database or token. |
- | | |    -U |
- | | |            List all available |
+ | | | -U |
+ | | | List all available |
| | | modules or print a single |
| | | named module. |
- | | |    -V |
- | | |            Check the validity |
+ | | | -V |
+ | | | Check the validity |
| | | of a certificate and its |
| | | attributes. |
- | | |    -W |
- | | |            Change the password |
+ | | | -W |
+ | | | Change the password |
| | | to a key database. |
- | | |    --merge |
- | | |            Merge a source |
+ | | | --merge |
+ | | | Merge a source |
| | | database into the target |
| | | database. This is used to |
- | | |            merge legacy NSS |
+ | | | merge legacy NSS |
| | | databases (cert8.db and |
| | | key3.db) into the newer |
- | | |            SQLite databases |
+ | | | SQLite databases |
| | | (cert9.db and key4.db). |
- | | |    --upgrade-merge |
- | | |            Upgrade an old |
+ | | | --upgrade-merge |
+ | | | Upgrade an old |
| | | database and merge it into a |
| | | new database. This is |
- | | |            used to migrate |
+ | | | used to migrate |
| | | legacy NSS databases (cert8.db |
| | | and key3.db) into |
- | | |            the newer SQLite |
+ | | | the newer SQLite |
| | | databases (cert9.db and |
| | | key4.db). |
- | | |    Arguments |
- | | |    Option arguments modify an |
+ | | | Arguments |
+ | | | Option arguments modify an |
| | | action and are lowercase. |
- | | |    -a |
- | | |            Use ASCII format or |
+ | | | -a |
+ | | | Use ASCII format or |
| | | allow the use of ASCII format |
| | | for input or |
- | | |            output. This |
+ | | | output. This |
| | | formatting follows RFC 1113. |
| | | For certificate |
- | | |            requests, ASCII |
+ | | | requests, ASCII |
| | | output defaults to standard |
| | | output unless |
- | | |            redirected. |
- | | |    -b validity-time |
- | | |            Specify a time at |
+ | | | redirected. |
+ | | | -b validity-time |
+ | | | Specify a time at |
| | | which a certificate is |
| | | required to be valid. Use |
- | | |            when checking |
+ | | | when checking |
| | | certificate validity with the |
| | | -V option. The format |
- | | |            of the |
+ | | | of the |
| | | validity-time argument is |
| | | YYMMDDHHMMSS[+HHMM|-HHMM|Z], |
- | | |            which allows |
+ | | | which allows |
| | | offsets to be set relative to |
| | | the validity end time. |
- | | |            Specifying seconds |
+ | | | Specifying seconds |
| | | (SS) is optional. When |
| | | specifying an explicit |
- | | |            time, use a Z at |
+ | | | time, use a Z at |
| | | the end of the term, |
| | | YYMMDDHHMMSSZ, to close it. |
- | | |            When specifying an |
+ | | | When specifying an |
| | | offset time, use |
| | | YYMMDDHHMMSS+HHMM or |
- | | |            YYMMDDHHMMSS-HHMM |
+ | | | YYMMDDHHMMSS-HHMM |
| | | for adding or subtracting |
| | | time, respectively. |
- | | |            If this option is |
+ | | | If this option is |
| | | not used, the validity check |
| | | defaults to the |
- | | |            current system |
+ | | | current system |
| | | time. |
- | | |    -c issuer |
- | | |            Identify the |
+ | | | -c issuer |
+ | | | Identify the |
| | | certificate of the CA from |
| | | which a new certificate |
- | | |            will derive its |
+ | | | will derive its |
| | | authenticity. Use the exact |
| | | nickname or alias of |
- | | |            the CA certificate, |
+ | | | the CA certificate, |
| | | or use the CA's email address. |
| | | Bracket the |
- | | |            issuer string with |
+ | | | issuer string with |
| | | quotation marks if it contains |
| | | spaces. |
- | | |    -d [sql:]directory |
- | | |            Specify the |
+ | | | -d [sql:]directory |
+ | | | Specify the |
| | | database directory containing |
| | | the certificate and key |
- | | |            database files. |
- | | |            certutil supports |
+ | | | database files. |
+ | | | certutil supports |
| | | two types of databases: the |
| | | legacy security |
- | | |            databases |
+ | | | databases |
| | | (cert8.db, key3.db, and |
| | | secmod.db) and new SQLite |
- | | |            databases |
+ | | | databases |
| | | (cert9.db, key4.db, and |
| | | pkcs11.txt). If the prefix |
| | | sql: |
- | | |            is not used, then |
+ | | | is not used, then |
| | | the tool assumes that the |
| | | given databases are in |
- | | |            the old format. |
- | | |    -e |
- | | |            Check a |
+ | | | the old format. |
+ | | | -e |
+ | | | Check a |
| | | certificate's signature during |
| | | the process of validating a |
- | | |            certificate. |
- | | |    -f password-file |
- | | |            Specify a file that |
+ | | | certificate. |
+ | | | -f password-file |
+ | | | Specify a file that |
| | | will automatically supply the |
| | | password to |
- | | |            include in a |
+ | | | include in a |
| | | certificate or to access a |
| | | certificate database. This |
- | | |            is a plain-text |
+ | | | is a plain-text |
| | | file containing one password. |
| | | Be sure to prevent |
- | | |            unauthorized access |
+ | | | unauthorized access |
| | | to this file. |
- | | |    -g keysize |
- | | |            Set a key size to |
+ | | | -g keysize |
+ | | | Set a key size to |
| | | use when generating new public |
| | | and private key |
- | | |            pairs. The minimum |
+ | | | pairs. The minimum |
| | | is 512 bits and the maximum is |
| | | 8192 bits. The |
- | | |            default is 1024 |
+ | | | default is 1024 |
| | | bits. Any size between the |
| | | minimum and maximum is |
- | | |            allowed. |
- | | |    -h tokenname |
- | | |            Specify the name of |
+ | | | allowed. |
+ | | | -h tokenname |
+ | | | Specify the name of |
| | | a token to use or act on. |
| | | Unless specified |
- | | |            otherwise the |
+ | | | otherwise the |
| | | default token is an internal |
| | | slot (specifically, |
- | | |            internal slot 2). |
+ | | | internal slot 2). |
| | | This slot can also be |
| | | explicitly named with the |
- | | |            string "internal". |
+ | | | string "internal". |
| | | An internal slots is a virtual |
| | | slot maintained |
- | | |            in software, rather |
+ | | | in software, rather |
| | | than a hardware device. |
| | | Internal slot 2 is |
- | | |            used by key and |
+ | | | used by key and |
| | | certificate services. Internal |
| | | slot 1 is used by |
- | | |            cryptographic |
+ | | | cryptographic |
| | | services. |
- | | |    -i input_file |
- | | |            Pass an input file |
+ | | | -i input_file |
+ | | | Pass an input file |
| | | to the command. Depending on |
| | | the command |
- | | |            option, an input |
+ | | | option, an input |
| | | file can be a specific |
| | | certificate, a certificate |
- | | |            request file, or a |
+ | | | request file, or a |
| | | batch file of commands. |
- | | |    -k rsa|dsa|ec|all |
- | | |            Specify the type of |
+ | | | -k rsa|dsa|ec|all |
+ | | | Specify the type of |
| | | a key. The valid options are |
| | | RSA, DSA, ECC, or |
- | | |            all. The default |
+ | | | all. The default |
| | | value is rsa. Specifying the |
| | | type of key can |
- | | |            avoid mistakes |
+ | | | avoid mistakes |
| | | caused by duplicate nicknames. |
- | | |    -k key-type-or-id |
- | | |            Specify the type or |
+ | | | -k key-type-or-id |
+ | | | Specify the type or |
| | | specific ID of a key. Giving a |
| | | key type |
- | | |            generates a new key |
+ | | | generates a new key |
| | | pair; giving the ID of an |
| | | existing key reuses |
- | | |            that key pair |
+ | | | that key pair |
| | | (which is required to renew |
| | | certificates). |
- | | |    -l |
- | | |            Display detailed |
+ | | | -l |
+ | | | Display detailed |
| | | information when validating a |
| | | certificate with |
- | | |            the -V option. |
- | | |    -m serial-number |
- | | |            Assign a unique |
+ | | | the -V option. |
+ | | | -m serial-number |
+ | | | Assign a unique |
| | | serial number to a certificate |
| | | being created. This |
- | | |            operation should be |
+ | | | operation should be |
| | | performed by a CA. The default |
| | | serial number |
- | | |            is 0 (zero). Serial |
+ | | | is 0 (zero). Serial |
| | | numbers are limited to |
| | | integers. |
- | | |    -n nickname |
- | | |            Specify the |
+ | | | -n nickname |
+ | | | Specify the |
| | | nickname of a certificate or |
| | | key to list, create, add |
- | | |            to a database, |
+ | | | to a database, |
| | | modify, or validate. Bracket |
| | | the nickname string |
- | | |            with quotation |
+ | | | with quotation |
| | | marks if it contains spaces. |
- | | |    -o output-file |
- | | |            Specify the output |
+ | | | -o output-file |
+ | | | Specify the output |
| | | file name for new certificates |
| | | or binary |
- | | |            certificate |
+ | | | certificate |
| | | requests. Bracket the |
| | | output-file string with |
- | | |            quotation marks if |
+ | | | quotation marks if |
| | | it contains spaces. If this |
| | | argument is not |
- | | |            used the output |
+ | | | used the output |
| | | destination defaults to |
| | | standard output. |
- | | |    -P dbPrefix |
- | | |            Specify the prefix |
+ | | | -P dbPrefix |
+ | | | Specify the prefix |
| | | used on the certificate and |
| | | key database file. |
- | | |            This option is |
+ | | | This option is |
| | | provided as a special case. |
| | | Changing the names of |
- | | |            the certificate and |
+ | | | the certificate and |
| | | key databases is not |
| | | recommended. |
- | | |    -p phone |
- | | |            Specify a contact |
+ | | | -p phone |
+ | | | Specify a contact |
| | | telephone number to include in |
| | | new certificates |
- | | |            or certificate |
+ | | | or certificate |
| | | requests. Bracket this string |
| | | with quotation marks |
- | | |            if it contains |
+ | | | if it contains |
| | | spaces. |
- | | |    -q pqgfile |
- | | |            Read an alternate |
+ | | | -q pqgfile |
+ | | | Read an alternate |
| | | PQG value from the specified |
| | | file when |
- | | |            generating DSA key |
+ | | | generating DSA key |
| | | pairs. If this argument is not |
| | | used, certutil |
- | | |            generates its own |
+ | | | generates its own |
| | | PQG value. PQG files are |
| | | created with a separate |
- | | |            DSA utility. |
- | | |    -q curve-name |
- | | |            Set the elliptic |
+ | | | DSA utility. |
+ | | | -q curve-name |
+ | | | Set the elliptic |
| | | curve name to use when |
| | | generating ECC key pairs. |
- | | |            A complete list of |
+ | | | A complete list of |
| | | ECC curves is given in the |
| | | help (-H). |
- | | |    -r |
- | | |            Display a |
+ | | | -r |
+ | | | Display a |
| | | certificate's binary DER |
| | | encoding when listing |
- | | |            information about |
+ | | | information about |
| | | that certificate with the -L |
| | | option. |
- | | |    -s subject |
- | | |            Identify a |
+ | | | -s subject |
+ | | | Identify a |
| | | particular certificate owner |
| | | for new certificates or |
- | | |            certificate |
+ | | | certificate |
| | | requests. Bracket this string |
| | | with quotation marks if |
- | | |            it contains spaces. |
+ | | | it contains spaces. |
| | | The subject identification |
| | | format follows RFC |
- | | |            #1485. |
- | | |    -t trustargs |
- | | |            Specify the trust |
+ | | | #1485. |
+ | | | -t trustargs |
+ | | | Specify the trust |
| | | attributes to modify in an |
| | | existing certificate |
- | | |            or to apply to a |
+ | | | or to apply to a |
| | | certificate when creating it |
| | | or adding it to a |
- | | |            database. There are |
+ | | | database. There are |
| | | three available trust |
| | | categories for each |
- | | |            certificate, |
+ | | | certificate, |
| | | expressed in the order SSL, |
| | | email, object signing for |
- | | |            each trust setting. |
+ | | | each trust setting. |
| | | In each category position, use |
| | | none, any, or |
- | | |            all of the |
+ | | | all of the |
| | | attribute codes: |
- | | |               o p - Valid peer |
- | | |               o P - Trusted |
+ | | | o p - Valid peer |
+ | | | o P - Trusted |
| | | peer (implies p) |
- | | |               o c - Valid CA |
- | | |               o T - Trusted CA |
+ | | | o c - Valid CA |
+ | | | o T - Trusted CA |
| | | to issue client certificates |
| | | (implies c) |
- | | |               o C - Trusted CA |
+ | | | o C - Trusted CA |
| | | to issue server certificates |
| | | (SSL only) |
- | | |                 (implies c) |
- | | |               o u - |
+ | | | (implies c) |
+ | | | o u - |
| | | Certificate can be used for |
| | | authentication or signing |
- | | |               o w - Send |
+ | | | o w - Send |
| | | warning (use with other |
| | | attributes to include a |
- | | |                 warning when |
+ | | | warning when |
| | | the certificate is used in |
| | | that context) |
- | | |            The attribute codes |
+ | | | The attribute codes |
| | | for the categories are |
| | | separated by commas, |
- | | |            and the entire set |
+ | | | and the entire set |
| | | of attributes enclosed by |
| | | quotation marks. For |
- | | |            example: |
- | | |            -t "TCu,Cu,Tuw" |
- | | |            Use the -L option |
+ | | | example: |
+ | | | -t "TCu,Cu,Tuw" |
+ | | | Use the -L option |
| | | to see a list of the current |
| | | certificates and |
- | | |            trust attributes in |
+ | | | trust attributes in |
| | | a certificate database. |
- | | |    -u certusage |
- | | |            Specify a usage |
+ | | | -u certusage |
+ | | | Specify a usage |
| | | context to apply when |
| | | validating a certificate |
- | | |            with the -V option. |
- | | |            The contexts are |
+ | | | with the -V option. |
+ | | | The contexts are |
| | | the following: |
- | | |               o C (as an SSL |
+ | | | o C (as an SSL |
| | | client) |
- | | |               o V (as an SSL |
+ | | | o V (as an SSL |
| | | server) |
- | | |               o S (as an email |
+ | | | o S (as an email |
| | | signer) |
- | | |               o R (as an email |
+ | | | o R (as an email |
| | | recipient) |
- | | |               o O (as an OCSP |
+ | | | o O (as an OCSP |
| | | status responder) |
- | | |               o J (as an |
+ | | | o J (as an |
| | | object signer) |
- | | |    -v valid-months |
- | | |            Set the number of |
+ | | | -v valid-months |
+ | | | Set the number of |
| | | months a new certificate will |
| | | be valid. The |
- | | |            validity period |
+ | | | validity period |
| | | begins at the current system |
| | | time unless an offset |
- | | |            is added or |
+ | | | is added or |
| | | subtracted with the -w option. |
| | | If this argument is not |
- | | |            used, the default |
+ | | | used, the default |
| | | validity period is three |
| | | months. When this |
- | | |            argument is used, |
+ | | | argument is used, |
| | | the default three-month period |
| | | is automatically |
- | | |            added to any value |
+ | | | added to any value |
| | | given in the valid-month |
| | | argument. For example, |
- | | |            using this option |
+ | | | using this option |
| | | to set a value of 3 would |
| | | cause 3 to be added to |
- | | |            the three-month |
+ | | | the three-month |
| | | default, creating a validity |
| | | period of six months. |
- | | |            You can use |
+ | | | You can use |
| | | negative values to reduce the |
| | | default period. For |
- | | |            example, setting a |
+ | | | example, setting a |
| | | value of -2 would subtract 2 |
| | | from the default |
- | | |            and create a |
+ | | | and create a |
| | | validity period of one month. |
- | | |    -w offset-months |
- | | |            Set an offset from |
+ | | | -w offset-months |
+ | | | Set an offset from |
| | | the current system time, in |
| | | months, for the |
- | | |            beginning of a |
+ | | | beginning of a |
| | | certificate's validity period. |
| | | Use when creating |
- | | |            the certificate or |
+ | | | the certificate or |
| | | adding it to a database. |
| | | Express the offset in |
- | | |            integers, using a |
+ | | | integers, using a |
| | | minus sign (-) to indicate a |
| | | negative offset. If |
- | | |            this argument is |
+ | | | this argument is |
| | | not used, the validity period |
| | | begins at the |
- | | |            current system |
+ | | | current system |
| | | time. The length of the |
| | | validity period is set with |
- | | |            the -v argument. |
- | | |    -X |
- | | |            Force the key and |
+ | | | the -v argument. |
+ | | | -X |
+ | | | Force the key and |
| | | certificate database to open |
| | | in read-write mode. |
- | | |            This is used with |
+ | | | This is used with |
| | | the -U and -L command options. |
- | | |    -x |
- | | |            Use certutil to |
+ | | | -x |
+ | | | Use certutil to |
| | | generate the signature for a |
| | | certificate being |
- | | |            created or added to |
+ | | | created or added to |
| | | a database, rather than |
| | | obtaining a signature |
- | | |            from a separate CA. |
- | | |    -y exp |
- | | |            Set an alternate |
+ | | | from a separate CA. |
+ | | | -y exp |
+ | | | Set an alternate |
| | | exponent value to use in |
| | | generating a new RSA |
- | | |            public key for the |
+ | | | public key for the |
| | | database, instead of the |
| | | default value of |
- | | |            65537. The |
+ | | | 65537. The |
| | | available alternate values are |
| | | 3 and 17. |
- | | |    -z noise-file |
- | | |            Read a seed value |
+ | | | -z noise-file |
+ | | | Read a seed value |
| | | from the specified file to |
| | | generate a new |
- | | |            private and public |
+ | | | private and public |
| | | key pair. This argument makes |
| | | it possible to |
- | | |            use |
+ | | | use |
| | | hardware-generated seed values |
| | | or manually create a value |
| | | from |
- | | |            the keyboard. The |
+ | | | the keyboard. The |
| | | minimum file size is 20 bytes. |
- | | |    -0 SSO_password |
- | | |            Set a site security |
+ | | | -0 SSO_password |
+ | | | Set a site security |
| | | officer password on a token. |
- | | |    -1 \| --keyUsage |
+ | | | -1 \| --keyUsage |
| | | keyword,keyword |
- | | |            Set a Netscape |
+ | | | Set a Netscape |
| | | Certificate Type Extension in |
| | | the certificate. |
- | | |            There are several |
+ | | | There are several |
| | | available keywords: |
- | | |               o digital |
+ | | | o digital |
| | | signature |
- | | |               o nonRepudiation |
- | | |               |
- | | | o keyEncipherment |
- | | |               |
- | | | o dataEncipherment |
- | | |               o keyAgreement |
- | | |               o certSigning |
- | | |               o crlSigning |
- | | |               o critical |
- | | |    -2 |
- | | |            Add a basic |
+ | | | o nonRepudiation |
+ | | | |
+ | | | o keyEncipherment |
+ | | | |
+ | | | o dataEncipherment |
+ | | | o keyAgreement |
+ | | | o certSigning |
+ | | | o crlSigning |
+ | | | o critical |
+ | | | -2 |
+ | | | Add a basic |
| | | constraint extension to a |
| | | certificate that is being |
- | | |            created or added to |
+ | | | created or added to |
| | | a database. This extension |
| | | supports the |
- | | |            certificate chain |
+ | | | certificate chain |
| | | verification process. certutil |
| | | prompts for the |
- | | |            certificate |
+ | | | certificate |
| | | constraint extension to |
| | | select. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    -3 |
- | | |            Add an authority |
+ | | | -3 |
+ | | | Add an authority |
| | | key ID extension to a |
| | | certificate that is being |
- | | |            created or added to |
+ | | | created or added to |
| | | a database. This extension |
| | | supports the |
- | | |            identification of a |
+ | | | identification of a |
| | | particular certificate, from |
| | | among multiple |
- | | |            certificates |
+ | | | certificates |
| | | associated with one subject |
| | | name, as the correct |
- | | |            issuer of a |
+ | | | issuer of a |
| | | certificate. The Certificate |
| | | Database Tool will prompt |
- | | |            you to select the |
+ | | | you to select the |
| | | authority key ID extension. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    -4 |
- | | |            Add a CRL |
+ | | | -4 |
+ | | | Add a CRL |
| | | distribution point extension |
| | | to a certificate that is |
- | | |            being created or |
+ | | | being created or |
| | | added to a database. This |
| | | extension identifies |
- | | |            the URL of a |
+ | | | the URL of a |
| | | certificate's associated |
| | | certificate revocation list |
- | | |            (CRL). certutil |
+ | | | (CRL). certutil |
| | | prompts for the URL. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    -5 \| --nsCertType |
+ | | | -5 \| --nsCertType |
| | | keyword,keyword |
- | | |            Add a Netscape |
+ | | | Add a Netscape |
| | | certificate type extension to |
| | | a certificate that is |
- | | |            being created or |
+ | | | being created or |
| | | added to the database. There |
| | | are several |
- | | |            available keywords: |
- | | |               o sslClient |
- | | |               o sslServer |
- | | |               o smime |
- | | |               o objectSigning |
- | | |               o sslCA |
- | | |               o smimeCA |
- | | |               |
- | | | o objectSigningCA |
- | | |               o critical |
- | | |            X.509 certificate |
+ | | | available keywords: |
+ | | | o sslClient |
+ | | | o sslServer |
+ | | | o smime |
+ | | | o objectSigning |
+ | | | o sslCA |
+ | | | o smimeCA |
+ | | | |
+ | | | o objectSigningCA |
+ | | | o critical |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    -6 \| --extKeyUsage |
+ | | | -6 \| --extKeyUsage |
| | | keyword,keyword |
- | | |            Add an extended key |
+ | | | Add an extended key |
| | | usage extension to a |
| | | certificate that is being |
- | | |            created or added to |
+ | | | created or added to |
| | | the database. Several keywords |
| | | are available: |
- | | |               o serverAuth |
- | | |               o clientAuth |
- | | |               o codeSigning |
- | | |               |
- | | | o emailProtection |
- | | |               o timeStamp |
- | | |               o ocspResponder |
- | | |               o stepUp |
- | | |               o critical |
- | | |            X.509 certificate |
+ | | | o serverAuth |
+ | | | o clientAuth |
+ | | | o codeSigning |
+ | | | |
+ | | | o emailProtection |
+ | | | o timeStamp |
+ | | | o ocspResponder |
+ | | | o stepUp |
+ | | | o critical |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    -7 emailAddrs |
- | | |            Add a |
+ | | | -7 emailAddrs |
+ | | | Add a |
| | | comma-separated list of email |
| | | addresses to the subject |
- | | |            alternative name |
+ | | | alternative name |
| | | extension of a certificate or |
| | | certificate request |
- | | |            that is being |
+ | | | that is being |
| | | created or added to the |
| | | database. Subject |
- | | |            alternative name |
+ | | | alternative name |
| | | extensions are described in |
| | | Section 4.2.1.7 of |
- | | |            RFC 3280. |
- | | |    -8 dns-names |
- | | |            Add a |
+ | | | RFC 3280. |
+ | | | -8 dns-names |
+ | | | Add a |
| | | comma-separated list of DNS |
| | | names to the subject |
| | | alternative |
- | | |            name extension of a |
+ | | | name extension of a |
| | | certificate or certificate |
| | | request that is |
- | | |            being created or |
+ | | | being created or |
| | | added to the database. Subject |
| | | alternative name |
- | | |            extensions are |
+ | | | extensions are |
| | | described in Section 4.2.1.7 |
| | | of RFC 3280. |
- | | |    --extAIA |
- | | |            Add the Authority |
+ | | | --extAIA |
+ | | | Add the Authority |
| | | Information Access extension |
| | | to the certificate. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extSIA |
- | | |            Add the Subject |
+ | | | --extSIA |
+ | | | Add the Subject |
| | | Information Access extension |
| | | to the certificate. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extCP |
- | | |            Add the Certificate |
+ | | | --extCP |
+ | | | Add the Certificate |
| | | Policies extension to the |
| | | certificate. X.509 |
- | | |            certificate |
+ | | | certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extPM |
- | | |            Add the Policy |
+ | | | --extPM |
+ | | | Add the Policy |
| | | Mappings extension to the |
| | | certificate. X.509 |
- | | |            certificate |
+ | | | certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extPC |
- | | |            Add the Policy |
+ | | | --extPC |
+ | | | Add the Policy |
| | | Constraints extension to the |
| | | certificate. X.509 |
- | | |            certificate |
+ | | | certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extIA |
- | | |            Add the Inhibit Any |
+ | | | --extIA |
+ | | | Add the Inhibit Any |
| | | Policy Access extension to the |
| | | certificate. |
- | | |            X.509 certificate |
+ | | | X.509 certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --extSKID |
- | | |            Add the Subject Key |
+ | | | --extSKID |
+ | | | Add the Subject Key |
| | | ID extension to the |
| | | certificate. X.509 |
- | | |            certificate |
+ | | | certificate |
| | | extensions are described in |
| | | RFC 5280. |
- | | |    --source-dir certdir |
- | | |            Identify the |
+ | | | --source-dir certdir |
+ | | | Identify the |
| | | certificate database directory |
| | | to upgrade. |
- | | |    --source-prefix certdir |
- | | |            Give the prefix of |
+ | | | --source-prefix certdir |
+ | | | Give the prefix of |
| | | the certificate and key |
| | | databases to upgrade. |
- | | |    --upgrade-id uniqueID |
- | | |            Give the unique ID |
+ | | | --upgrade-id uniqueID |
+ | | | Give the unique ID |
| | | of the database to upgrade. |
- | | |    --upgrade-token-name name |
- | | |            Set the name of the |
+ | | | --upgrade-token-name name |
+ | | | Set the name of the |
| | | token to use while it is being |
| | | upgraded. |
- | | |    -@ pwfile |
- | | |            Give the name of a |
+ | | | -@ pwfile |
+ | | | Give the name of a |
| | | password file to use for the |
| | | database being |
- | | |            upgraded. |
+ | | | upgraded. |
| | | Usage and Examples |
- | | |    Most of the command options |
+ | | | Most of the command options |
| | | in the examples listed here |
| | | have more |
- | | |    arguments available. The |
+ | | | arguments available. The |
| | | arguments included in these |
| | | examples are the most |
- | | |    common ones or are used to |
+ | | | common ones or are used to |
| | | illustrate a specific |
| | | scenario. Use the -H |
- | | |    option to show the complete |
+ | | | option to show the complete |
| | | list of arguments for each |
| | | command option. |
- | | |    Creating New Security |
+ | | | Creating New Security |
| | | Databases |
- | | |    Certificates, keys, and |
+ | | | Certificates, keys, and |
| | | security modules related to |
| | | managing certificates |
- | | |    are stored in three related |
+ | | | are stored in three related |
| | | databases: |
- | | |      o cert8.db or cert9.db |
- | | |      o key3.db or key4.db |
- | | |      o secmod.db or pkcs11.txt |
- | | |    These databases must be |
+ | | | o cert8.db or cert9.db |
+ | | | o key3.db or key4.db |
+ | | | o secmod.db or pkcs11.txt |
+ | | | These databases must be |
| | | created before certificates or |
| | | keys can be |
- | | |    generated. |
- | | |  certutil -N -d |
+ | | | generated. |
+ | | | certutil -N -d |
| | | [sql:]directory |
- | | |    Creating a Certificate |
+ | | | Creating a Certificate |
| | | Request |
- | | |    A certificate request |
+ | | | A certificate request |
| | | contains most or all of the |
| | | information that is used |
- | | |    to generate the final |
+ | | | to generate the final |
| | | certificate. This request is |
| | | submitted separately to |
- | | |    a certificate authority and |
+ | | | a certificate authority and |
| | | is then approved by some |
| | | mechanism |
- | | |    (automatically or by human |
+ | | | (automatically or by human |
| | | review). Once the request is |
| | | approved, then the |
- | | |    certificate is generated. |
- | | |  $ certutil -R -k |
+ | | | certificate is generated. |
+ | | | $ certutil -R -k |
| | | key-type-or-id [-q |
| | | pqgfile|curve-name] -g |
| | | key-size -s subject [-h |
| | | tokenname] -d [sql:]directory |
| | | [-p phone] [-o output-file] |
| | | [-a] |
- | | |    The -R command options |
+ | | | The -R command options |
| | | requires four arguments: |
- | | |      o -k to specify either |
+ | | | o -k to specify either |
| | | the key type to generate or, |
| | | when renewing a |
- | | |        certificate, the |
+ | | | certificate, the |
| | | existing key pair to use |
- | | |      o -g to set the keysize |
+ | | | o -g to set the keysize |
| | | of the key to generate |
- | | |      o -s to set the subject |
+ | | | o -s to set the subject |
| | | name of the certificate |
- | | |      o -d to give the security |
+ | | | o -d to give the security |
| | | database directory |
- | | |    The new certificate request |
+ | | | The new certificate request |
| | | can be output in ASCII format |
| | | (-a) or can be |
- | | |    written to a specified file |
+ | | | written to a specified file |
| | | (-o). |
- | | |    For example: |
- | | |  $ certutil -R -k ec -q |
+ | | | For example: |
+ | | | $ certutil -R -k ec -q |
| | | nistb409 -g 512 -s "CN=John |
| | | Smith,O=Example |
| | | Corp,L=Mountain |
| | | View,ST=California,C=US" -d |
| | | sql:/home/my/sharednssdb -p |
| | | 650-555-0123 -a -o cert.cer |
- | | |  Generating key.  This may |
+ | | | Generating key. This may |
| | | take a few moments... |
- | | |  Certificate request generated |
+ | | | Certificate request generated |
| | | by Netscape |
- | | |  Phone: 650-555-0123 |
- | | |  Common Name: John Smith |
- | | |  Email: (not ed) |
- | | |  Organization: Example Corp |
- | | |  State: California |
- | | |  Country: US |
- | | |  -----BEGIN NEW CERTIFICATE |
+ | | | Phone: 650-555-0123 |
+ | | | Common Name: John Smith |
+ | | | Email: (not ed) |
+ | | | Organization: Example Corp |
+ | | | State: California |
+ | | | Country: US |
+ | | | -----BEGIN NEW CERTIFICATE |
| | | REQUEST----- |
- | | |  MIIB |
+ | | | MIIB |
| | | IDCBywIBADBmMQswCQYDVQQGEwJVUz |
| | | ETMBEGA1UECBMKQ2FsaWZvcm5pYTEW |
- | | |  MBQG |
+ | | | MBQG |
| | | A1UEBxMNTW91bnRhaW4gVmlldzEVMB |
| | | MGA1UEChMMRXhhbXBsZSBDb3JwMRMw |
- | | |  EQYD |
+ | | | EQYD |
| | | VQQDEwpKb2huIFNtaXRoMFwwDQYJKo |
| | | ZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ |
- | | |  KmHn |
+ | | | KmHn |
| | | Ox7reP8Cc0Lk+fFWEuYIDX9W5K/Bio |
| | | QOKvEjXyQZhit9aThzBVMoSf1Y1S8J |
- | | |  CzdU |
+ | | | CzdU |
| | | bCg1+IbnXaECAwEAAaAAMA0GCSqGSI |
| | | b3DQEBBQUAA0EAryqZvpYrUtQ486Ny |
- | | |  qmty |
+ | | | qmty |
| | | QNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u |
| | | 1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB |
- | | |  1hP9Gg== |
- | | |  -----END NEW CERTIFICATE |
+ | | | 1hP9Gg== |
+ | | | -----END NEW CERTIFICATE |
| | | REQUEST----- |
- | | |    Creating a Certificate |
- | | |    A valid certificate must be |
+ | | | Creating a Certificate |
+ | | | A valid certificate must be |
| | | issued by a trusted CA. This |
| | | can be done by |
- | | |    specifying a CA certificate |
+ | | | specifying a CA certificate |
| | | (-c) that is stored in the |
| | | certificate |
- | | |    database. If a CA key pair |
+ | | | database. If a CA key pair |
| | | is not available, you can |
| | | create a self-signed |
- | | |    certificate using the -x |
+ | | | certificate using the -x |
| | | argument with the -S command |
| | | option. |
- | | |  $ certutil -S -k rsa|dsa|ec |
+ | | | $ certutil -S -k rsa|dsa|ec |
| | | -n certname -s subject [-c |
| | | issuer \|-x] -t trustargs -d |
| | | [sql:]directory [-m |
@@ -5690,40 +5690,40 @@ Index
| | | [--extSIA] [--extCP] [--extPM] |
| | | [--extPC] [--extIA] |
| | | [--extSKID] |
- | | |    The series of numbers and |
+ | | | The series of numbers and |
| | | --ext\* options set |
| | | certificate extensions that |
- | | |    can be added to the |
+ | | | can be added to the |
| | | certificate when it is |
| | | generated by the CA. |
- | | |    For example, this creates a |
+ | | | For example, this creates a |
| | | self-signed certificate: |
- | | |  $ certutil -S -s "CN=Example |
+ | | | $ certutil -S -s "CN=Example |
| | | CA" -n my-ca-cert -x -t |
| | | "C,C,C" -1 -2 -5 -m 3650 |
- | | |    From there, new |
+ | | | From there, new |
| | | certificates can reference the |
| | | self-signed certificate: |
- | | |  $ certutil -S -s "CN=My |
+ | | | $ certutil -S -s "CN=My |
| | | Server Cert" -n my-server-cert |
| | | -c "my-ca-cert" -t "u,u,u" -1 |
| | | -5 -6 -8 -m 730 |
- | | |    Generating a Certificate |
+ | | | Generating a Certificate |
| | | from a Certificate Request |
- | | |    When a certificate request |
+ | | | When a certificate request |
| | | is created, a certificate can |
| | | be generated by |
- | | |    using the request and then |
+ | | | using the request and then |
| | | referencing a certificate |
| | | authority signing |
- | | |    certificate (the issuer |
+ | | | certificate (the issuer |
| | | specified in the -c argument). |
| | | The issuing |
- | | |    certificate must be in the |
+ | | | certificate must be in the |
| | | certificate database in the |
| | | specified |
- | | |    directory. |
- | | |  certutil -C -c issuer -i |
+ | | | directory. |
+ | | | certutil -C -c issuer -i |
| | | cert-request-file -o |
| | | output-file [-m serial-number] |
| | | [-v valid-months] [-w |
@@ -5732,8 +5732,8 @@ Index
| | | [-4] [-5 keyword] [-6 keyword] |
| | | [-7 emailAddress] [-8 |
| | | dns-names] |
- | | |    For example: |
- | | |  $ certutil -C -c "my-ca-cert" |
+ | | | For example: |
+ | | | $ certutil -C -c "my-ca-cert" |
| | | -i /home/certs/cert.req -o |
| | | cert.cer -m 010 -v 12 -w 1 -d |
| | | sql:/home/my/sharednssdb -1 |
@@ -5741,330 +5741,330 @@ Index
| | | onRepudiation,dataEncipherment |
| | | -5 sslClient -6 clientAuth -7 |
| | | jsmith@example.com |
- | | |    Generating Key Pairs |
- | | |    Key pairs are generated |
+ | | | Generating Key Pairs |
+ | | | Key pairs are generated |
| | | automatically with a |
| | | certificate request or |
- | | |    certificate, but they can |
+ | | | certificate, but they can |
| | | also be generated |
| | | independently using the -G |
- | | |    command option. |
- | | |  certutil -G -d |
+ | | | command option. |
+ | | | certutil -G -d |
| | | [sql:]directory \| -h |
| | | tokenname -k key-type -g |
| | | key-size [-y exponent-value] |
| | | -q pqgfile|curve-name |
- | | |    For example: |
- | | |  $ certutil -G -h lunasa -k ec |
+ | | | For example: |
+ | | | $ certutil -G -h lunasa -k ec |
| | | -g 256 -q sect193r2 |
- | | |    Listing Certificates |
- | | |    The -L command option lists |
+ | | | Listing Certificates |
+ | | | The -L command option lists |
| | | all of the certificates listed |
| | | in the |
- | | |    certificate database. The |
+ | | | certificate database. The |
| | | path to the directory (-d) is |
| | | required. |
- | | |  $ certutil -L -d |
+ | | | $ certutil -L -d |
| | | sql:/home/my/sharednssdb |
- | | |  Certificate |
- | | | Nickname           |
- | | |                                |
+ | | | Certificate |
+ | | | Nickname |
+ | | | |
| | | Trust Attributes |
- | | |   |
- | | |                                |
- | | |                                |
+ | | | |
+ | | | |
+ | | | |
| | | SSL,S/MIME,JAR/XPI |
- | | |  CA Administrator of Instance |
+ | | | CA Administrator of Instance |
| | | pki-ca1's Example Domain |
- | | | ID     u,u,u |
- | | |  TPS Administrator's Example |
+ | | | ID u,u,u |
+ | | | TPS Administrator's Example |
| | | Domain |
- | | | ID                        |
+ | | | ID |
| | | u,u,u |
- | | |  Google Internet |
- | | | Authority      |
- | | |                                |
+ | | | Google Internet |
+ | | | Authority |
+ | | | |
| | | ,, |
- | | |  Certificate Authority - |
+ | | | Certificate Authority - |
| | | Example |
- | | | Domain                       |
+ | | | Domain |
| | | CT,C,C |
- | | |    Using additional arguments |
+ | | | Using additional arguments |
| | | with -L can return and print |
| | | the information |
- | | |    for a single, specific |
+ | | | for a single, specific |
| | | certificate. For example, the |
| | | -n argument passes |
- | | |    the certificate name, while |
+ | | | the certificate name, while |
| | | the -a argument prints the |
| | | certificate in |
- | | |    ASCII format: |
- | | |  $ certutil -L -d |
+ | | | ASCII format: |
+ | | | $ certutil -L -d |
| | | sql:/home/my/sharednssdb -a -n |
| | | "Certificate Authority - |
| | | Example Domain" |
- | | |  -----BEGIN CERTIFICATE----- |
- | | |  MIID |
+ | | | -----BEGIN CERTIFICATE----- |
+ | | | MIID |
| | | mTCCAoGgAwIBAgIBATANBgkqhkiG9w |
| | | 0BAQUFADA5MRcwFQYDVQQKEw5FeGFt |
- | | |  cGxl |
+ | | | cGxl |
| | | IERvbWFpbjEeMBwGA1UEAxMVQ2VydG |
| | | lmaWNhdGUgQXV0aG9yaXR5MB4XDTEw |
- | | |  MDQy |
+ | | | MDQy |
| | | OTIxNTY1OFoXDTEyMDQxODIxNTY1OF |
| | | owOTEXMBUGA1UEChMORXhhbXBsZSBE |
- | | |  b21h |
+ | | | b21h |
| | | aW4xHjAcBgNVBAMTFUNlcnRpZmljYX |
| | | RlIEF1dGhvcml0eTCCASIwDQYJKoZI |
- | | |  hvcN |
+ | | | hvcN |
| | | AQEBBQADggEPADCCAQoCggEBAO/bqU |
| | | li2KwqXFKmMMG93KN1SANzNTXA/Vlf |
- | | |  Tmri |
+ | | | Tmri |
| | | h3hQgjvR1ktIY9aG6cB7DSKWmtHp/+ |
| | | p4PUCMqL4ZrSGt901qxkePyZ2dYmM2 |
- | | |  Rnel |
+ | | | Rnel |
| | | K+SEUIPiUtoZaDhNdiYsE/yuDE8vQW |
| | | j0vHCVL0w72qFUcSQ/WZT7FCrnUIUI |
- | | |  udeW |
+ | | | udeW |
| | | noPSUn70gLhcj/lvxl7K9BHyD4Sq5C |
| | | zktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2 |
- | | |  bP4i |
+ | | | bP4i |
| | | RMfloGqsxGuB1evWVDF1haGpFDSPgM |
| | | nEPSLg3/3dXn+HDJbZ29EU8/xKzQEb |
- | | |  3V0A |
+ | | | 3V0A |
| | | HKbu80zGllLEt2Zx/WDIrgJEN9yMfg |
| | | KFpcmL+BvIRsmh0VsCAwEAAaOBqzCB |
- | | |  qDAf |
+ | | | qDAf |
| | | BgNVHSMEGDAWgBQATgxHQyRUfKIZtd |
| | | p55bZlFr+tFzAPBgNVHRMBAf8EBTAD |
- | | |  AQH/ |
+ | | | AQH/ |
| | | MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ |
| | | 4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/ |
- | | |  rRcw |
+ | | | rRcw |
| | | RQYIKwYBBQUHAQEEOTA3MDUGCCsGAQ |
| | | UFBzABhilodHRwOi8vbG9jYWxob3N0 |
- | | |  Lmxv |
+ | | | Lmxv |
| | | Y2FsZG9tYWluOjkxODAvY2Evb2NzcD |
| | | ANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk |
- | | |  L3XO |
+ | | | L3XO |
| | | 43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3 |
| | | KROLWeKVZZZa2E2Hnsvf2uXbk5amKe |
- | | |  lRxd |
+ | | | lRxd |
| | | SeRH9g85pv4KY7Z8xZ71NrI3+K3uwm |
| | | nqkc6t0hhYb1mw/gx8OAAoluQx3biX |
- | | |  JBDx |
+ | | | JBDx |
| | | jI73Cf7XUopplHBjjiwyGIJUO8BEZJ |
| | | 5L+TF4P38MJz1snLtzZpEAX5bl0U76 |
- | | |  bfu/ |
+ | | | bfu/ |
| | | tZFWBbE8YAWYtkCtMcalBPj6jn2WD3 |
| | | M01kGozW4mmbvsj1cRB9HnsGsqyHCu |
- | | |  U0uj |
+ | | | U0uj |
| | | lL1H/RWcjn607+CTeKH9jLMUqCIqPJ |
| | | NOa+kq/6F7NhNRRiuzASIbZc30BZ5a |
- | | |  nI7q5n1USM3eWQlVXw== |
- | | |  -----END CERTIFICATE----- |
- | | |    Listing Keys |
- | | |    Keys are the original |
+ | | | nI7q5n1USM3eWQlVXw== |
+ | | | -----END CERTIFICATE----- |
+ | | | Listing Keys |
+ | | | Keys are the original |
| | | material used to encrypt |
| | | certificate data. The keys |
- | | |    generated for certificates |
+ | | | generated for certificates |
| | | are stored separately, in the |
| | | key database. |
- | | |    To list all keys in the |
+ | | | To list all keys in the |
| | | database, use the -K command |
| | | option and the |
- | | |    (required) -d argument to |
+ | | | (required) -d argument to |
| | | give the path to the |
| | | directory. |
- | | |  $ certutil -K -d |
+ | | | $ certutil -K -d |
| | | sql:/home/my/sharednssdb |
- | | |  certutil: Checking token "NSS |
+ | | | certutil: Checking token "NSS |
| | | Certificate DB" in slot "NSS |
| | | User Private Key and |
| | | Certificate |
- | | | Services                  " |
- | | |  < 0> rsa      |
+ | | | Services " |
+ | | | < 0> rsa |
| | | 455a6673bde9 |
- | | | 375c2887ec8bf8016b3f9f35861d   |
+ | | | 375c2887ec8bf8016b3f9f35861d |
| | | Thawte Freemail Member's |
| | | Thawte Consulting (Pty) Ltd. |
| | | ID |
- | | |  < 1> rsa      |
+ | | | < 1> rsa |
| | | 40defeeb522a |
- | | | de11090eacebaaf1196a172127df   |
+ | | | de11090eacebaaf1196a172127df |
| | | Example Domain Administrator |
| | | Cert |
- | | |  < 2> rsa      |
+ | | | < 2> rsa |
| | | 1d0b06f44f6c |
- | | | 03842f7d4f4a1dc78b3bcd1b85a5   |
+ | | | 03842f7d4f4a1dc78b3bcd1b85a5 |
| | | John Smith user cert |
- | | |    There are ways to narrow |
+ | | | There are ways to narrow |
| | | the keys listed in the search |
| | | results: |
- | | |      o To return a specific |
+ | | | o To return a specific |
| | | key, use the -n name argument |
| | | with the name of |
- | | |        the key. |
- | | |      o If there are multiple |
+ | | | the key. |
+ | | | o If there are multiple |
| | | security devices loaded, then |
| | | the -h tokenname |
- | | |        argument can search a |
+ | | | argument can search a |
| | | specific token or all tokens. |
- | | |      o If there are multiple |
+ | | | o If there are multiple |
| | | key types available, then the |
| | | -k key-type |
- | | |        argument can search a |
+ | | | argument can search a |
| | | specific type of key, like |
| | | RSA, DSA, or ECC. |
- | | |    Listing Security Modules |
- | | |    The devices that can be |
+ | | | Listing Security Modules |
+ | | | The devices that can be |
| | | used to store certificates -- |
| | | both internal |
- | | |    databases and external |
+ | | | databases and external |
| | | devices like smart cards -- |
| | | are recognized and used |
- | | |    by loading security |
+ | | | by loading security |
| | | modules. The -U command option |
| | | lists all of the |
- | | |    security modules listed in |
+ | | | security modules listed in |
| | | the secmod.db database. The |
| | | path to the |
- | | |    directory (-d) is required. |
- | | |  $ certutil -U -d |
+ | | | directory (-d) is required. |
+ | | | $ certutil -U -d |
| | | sql:/home/my/sharednssdb |
- | | |      slot: NSS User Private |
+ | | | slot: NSS User Private |
| | | Key and Certificate Services |
- | | |     token: NSS Certificate DB |
- | | |      slot: NSS Internal |
+ | | | token: NSS Certificate DB |
+ | | | slot: NSS Internal |
| | | Cryptographic Services |
- | | |     token: NSS Generic Crypto |
+ | | | token: NSS Generic Crypto |
| | | Services |
- | | |    Adding Certificates to the |
+ | | | Adding Certificates to the |
| | | Database |
- | | |    Existing certificates or |
+ | | | Existing certificates or |
| | | certificate requests can be |
| | | added manually to the |
- | | |    certificate database, even |
+ | | | certificate database, even |
| | | if they were generated |
| | | elsewhere. This uses the |
- | | |    -A command option. |
- | | |  certutil -A -n certname -t |
+ | | | -A command option. |
+ | | | certutil -A -n certname -t |
| | | trustargs -d [sql:]directory |
| | | [-a] [-i input-file] |
- | | |    For example: |
- | | |  $ certutil -A -n "CN=My SSL |
+ | | | For example: |
+ | | | $ certutil -A -n "CN=My SSL |
| | | Certificate" -t "u,u,u" -d |
| | | sql:/home/my/sharednssdb -i |
| | | /home/example-certs/cert.cer |
- | | |    A related command option, |
+ | | | A related command option, |
| | | -E, is used specifically to |
| | | add email |
- | | |    certificates to the |
+ | | | certificates to the |
| | | certificate database. The -E |
| | | command has the same |
- | | |    arguments as the -A |
+ | | | arguments as the -A |
| | | command. The trust arguments |
| | | for certificates have the |
- | | |    format |
+ | | | format |
| | | SSL,S/MIME,Code-signing, so |
| | | the middle trust settings |
| | | relate most |
- | | |    to email certificates |
+ | | | to email certificates |
| | | (though the others can be |
| | | set). For example: |
- | | |  $ certutil -E -n "CN=John |
+ | | | $ certutil -E -n "CN=John |
| | | Smith Email Cert" -t ",Pu," -d |
| | | sql:/home/my/sharednssdb -i |
| | | /home/example-certs/email.cer |
- | | |    Deleting Certificates to |
+ | | | Deleting Certificates to |
| | | the Database |
- | | |    Certificates can be deleted |
+ | | | Certificates can be deleted |
| | | from a database using the -D |
| | | option. The only |
- | | |    required options are to |
+ | | | required options are to |
| | | give the security database |
| | | directory and to |
- | | |    identify the certificate |
+ | | | identify the certificate |
| | | nickname. |
- | | |  certutil -D -d |
+ | | | certutil -D -d |
| | | [sql:]directory -n "nickname" |
- | | |    For example: |
- | | |  $ certutil -D -d |
+ | | | For example: |
+ | | | $ certutil -D -d |
| | | sql:/home/my/sharednssdb -n |
| | | "my-ssl-cert" |
- | | |    Validating Certificates |
- | | |    A certificate contains an |
+ | | | Validating Certificates |
+ | | | A certificate contains an |
| | | expiration date in itself, and |
| | | expired |
- | | |    certificates are easily |
+ | | | certificates are easily |
| | | rejected. However, |
| | | certificates can also be |
- | | |    revoked before they hit |
+ | | | revoked before they hit |
| | | their expiration date. |
| | | Checking whether a |
- | | |    certificate has been |
+ | | | certificate has been |
| | | revoked requires validating |
| | | the certificate. |
- | | |    Validation can also be used |
+ | | | Validation can also be used |
| | | to ensure that the certificate |
| | | is only used |
- | | |    for the purposes it was |
+ | | | for the purposes it was |
| | | initially issued for. |
| | | Validation is carried out by |
- | | |    the -V command option. |
- | | |  certutil -V -n |
+ | | | the -V command option. |
+ | | | certutil -V -n |
| | | certificate-name [-b time] |
| | | [-e] [-u cert-usage] -d |
| | | [sql:]directory |
- | | |    For example, to validate an |
+ | | | For example, to validate an |
| | | email certificate: |
- | | |  $ certutil -V -n "John |
+ | | | $ certutil -V -n "John |
| | | Smith's Email Cert" -e -u S,R |
| | | -d sql:/home/my/sharednssdb |
- | | |    Modifying Certificate Trust |
+ | | | Modifying Certificate Trust |
| | | Settings |
- | | |    The trust settings (which |
+ | | | The trust settings (which |
| | | relate to the operations that |
| | | a certificate is |
- | | |    allowed to be used for) can |
+ | | | allowed to be used for) can |
| | | be changed after a certificate |
| | | is created or |
- | | |    added to the database. This |
+ | | | added to the database. This |
| | | is especially useful for CA |
| | | certificates, but |
- | | |    it can be performed for any |
+ | | | it can be performed for any |
| | | type of certificate. |
- | | |  certutil -M -n |
+ | | | certutil -M -n |
| | | certificate-name -t trust-args |
| | | -d [sql:]directory |
- | | |    For example: |
- | | |  $ certutil -M -n "My CA |
+ | | | For example: |
+ | | | $ certutil -M -n "My CA |
| | | Certificate" -d |
| | | sql:/home/my/sharednssdb -t |
| | | "CTu,CTu,CTu" |
- | | |    Printing the Certificate |
+ | | | Printing the Certificate |
| | | Chain |
- | | |    Certificates can be issued |
+ | | | Certificates can be issued |
| | | in chains because every |
| | | certificate authority |
- | | |    itself has a certificate; |
+ | | | itself has a certificate; |
| | | when a CA issues a |
| | | certificate, it essentially |
- | | |    stamps that certificate |
+ | | | stamps that certificate |
| | | with its own fingerprint. The |
| | | -O prints the full |
- | | |    chain of a certificate, |
+ | | | chain of a certificate, |
| | | going from the initial CA (the |
| | | root CA) through |
- | | |    ever intermediary CA to the |
+ | | | ever intermediary CA to the |
| | | actual certificate. For |
| | | example, for an email |
- | | |    certificate with two CAs in |
+ | | | certificate with two CAs in |
| | | the chain: |
- | | |  $ certutil -d |
+ | | | $ certutil -d |
| | | sql:/home/my/sharednssdb -O -n |
| | | "jsmith@example.com" |
- | | |  "Builtin Object Token:Thawte |
+ | | | "Builtin Object Token:Thawte |
| | | Personal Freemail CA" |
| | | [E=personal |
| | | -freemail@thawte.com,CN=Thawte |
@@ -6073,280 +6073,280 @@ Index
| | | Division,O=Thawte |
| | | Consulting,L=Cape |
| | | Town,ST=Western Cape,C=ZA] |
- | | |    "Thawte Personal Freemail |
+ | | | "Thawte Personal Freemail |
| | | Issuing CA - Thawte |
| | | Consulting" [CN=Thawte |
| | | Personal Freemail Issuing |
| | | CA,O=Thawte Consulting (Pty) |
| | | Ltd.,C=ZA] |
- | | |      "(null)" |
+ | | | "(null)" |
| | | [ |
| | | E=jsmith@example.com,CN=Thawte |
| | | Freemail Member] |
- | | |    Resetting a Token |
- | | |    The device which stores |
+ | | | Resetting a Token |
+ | | | The device which stores |
| | | certificates -- both external |
| | | hardware devices and |
- | | |    internal software databases |
+ | | | internal software databases |
| | | -- can be blanked and reused. |
| | | This operation |
- | | |    is performed on the device |
+ | | | is performed on the device |
| | | which stores the data, not |
| | | directly on the |
- | | |    security databases, so the |
+ | | | security databases, so the |
| | | location must be referenced |
| | | through the token |
- | | |    name (-h) as well as any |
+ | | | name (-h) as well as any |
| | | directory path. If there is no |
| | | external token |
- | | |    used, the default value is |
+ | | | used, the default value is |
| | | internal. |
- | | |  certutil -T -d |
+ | | | certutil -T -d |
| | | [sql:]directory -h token-name |
| | | -0 security-officer-password |
- | | |    Many networks have |
+ | | | Many networks have |
| | | dedicated personnel who handle |
| | | changes to security |
- | | |    tokens (the security |
+ | | | tokens (the security |
| | | officer). This person must |
| | | supply the password to |
- | | |    access the specified token. |
+ | | | access the specified token. |
| | | For example: |
- | | |  $ certutil -T -d |
+ | | | $ certutil -T -d |
| | | sql:/home/my/sharednssdb -h |
| | | nethsm -0 secret |
- | | |    Upgrading or Merging the |
+ | | | Upgrading or Merging the |
| | | Security Databases |
- | | |    Many networks or |
+ | | | Many networks or |
| | | applications may be using |
| | | older BerkeleyDB versions of |
- | | |    the certificate database |
+ | | | the certificate database |
| | | (cert8.db). Databases can be |
| | | upgraded to the new |
- | | |    SQLite version of the |
+ | | | SQLite version of the |
| | | database (cert9.db) using the |
| | | --upgrade-merge |
- | | |    command option or existing |
+ | | | command option or existing |
| | | databases can be merged with |
| | | the new cert9.db |
- | | |    databases using the |
+ | | | databases using the |
| | | ---merge command. |
- | | |    The --upgrade-merge command |
+ | | | The --upgrade-merge command |
| | | must give information about |
| | | the original |
- | | |    database and then use the |
+ | | | database and then use the |
| | | standard arguments (like -d) |
| | | to give the |
- | | |    information about the new |
+ | | | information about the new |
| | | databases. The command also |
| | | requires information |
- | | |    that the tool uses for the |
+ | | | that the tool uses for the |
| | | process to upgrade and write |
| | | over the original |
- | | |    database. |
- | | |  certutil --upgrade-merge -d |
+ | | | database. |
+ | | | certutil --upgrade-merge -d |
| | | [sql:]directory [-P dbprefix] |
| | | --source-dir directory |
| | | --source-prefix dbprefix |
| | | --upgrade-id id |
| | | --upgrade-token-name name [-@ |
| | | password-file] |
- | | |    For example: |
- | | |  $ certutil --upgrade-merge -d |
+ | | | For example: |
+ | | | $ certutil --upgrade-merge -d |
| | | sql:/home/my/sharednssdb |
| | | --source-dir |
| | | /opt/my-app/alias/ |
| | | --source-prefix serverapp- |
| | | --upgrade-id 1 |
| | | --upgrade-token-name internal |
- | | |    The --merge command only |
+ | | | The --merge command only |
| | | requires information about the |
| | | location of the |
- | | |    original database; since it |
+ | | | original database; since it |
| | | doesn't change the format of |
| | | the database, it |
- | | |    can write over information |
+ | | | can write over information |
| | | without performing interim |
| | | step. |
- | | |  certutil --merge -d |
+ | | | certutil --merge -d |
| | | [sql:]directory [-P dbprefix] |
| | | --source-dir directory |
| | | --source-prefix dbprefix [-@ |
| | | password-file] |
- | | |    For example: |
- | | |  $ certutil --merge -d |
+ | | | For example: |
+ | | | $ certutil --merge -d |
| | | sql:/home/my/sharednssdb |
| | | --source-dir |
| | | /opt/my-app/alias/ |
| | | --source-prefix serverapp- |
- | | |    Running certutil Commands |
+ | | | Running certutil Commands |
| | | from a Batch File |
- | | |    A series of commands can be |
+ | | | A series of commands can be |
| | | run sequentially from a text |
| | | file with the -B |
- | | |    command option. The only |
+ | | | command option. The only |
| | | argument for this specifies |
| | | the input file. |
- | | |  $ certutil -B -i |
+ | | | $ certutil -B -i |
| | | /path/to/batch-file |
| | | NSS Database Types |
- | | |    NSS originally used |
+ | | | NSS originally used |
| | | BerkeleyDB databases to store |
| | | security information. |
- | | |    The last versions of these |
+ | | | The last versions of these |
| | | legacy databases are: |
- | | |      o cert8.db for |
+ | | | o cert8.db for |
| | | certificates |
- | | |      o key3.db for keys |
- | | |      o secmod.db for PKCS #11 |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
| | | module information |
- | | |    BerkeleyDB has performance |
+ | | | BerkeleyDB has performance |
| | | limitations, though, which |
| | | prevent it from |
- | | |    being easily used by |
+ | | | being easily used by |
| | | multiple applications |
| | | simultaneously. NSS has some |
- | | |    flexibility that allows |
+ | | | flexibility that allows |
| | | applications to use their own, |
| | | independent |
- | | |    database engine while |
+ | | | database engine while |
| | | keeping a shared database and |
| | | working around the |
- | | |    access issues. Still, NSS |
+ | | | access issues. Still, NSS |
| | | requires more flexibility to |
| | | provide a truly |
- | | |    shared security database. |
- | | |    In 2009, NSS introduced a |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
| | | new set of databases that are |
| | | SQLite databases |
- | | |    rather than BerkleyDB. |
+ | | | rather than BerkleyDB. |
| | | These new databases provide |
| | | more accessibility and |
- | | |    performance: |
- | | |      o cert9.db for |
+ | | | performance: |
+ | | | o cert9.db for |
| | | certificates |
- | | |      o key4.db for keys |
- | | |      o pkcs11.txt, which is |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
| | | listing of all of the PKCS #11 |
| | | modules contained |
- | | |        in a new subdirectory |
+ | | | in a new subdirectory |
| | | in the security databases |
| | | directory |
- | | |    Because the SQLite |
+ | | | Because the SQLite |
| | | databases are designed to be |
| | | shared, these are the |
- | | |    shared database type. The |
+ | | | shared database type. The |
| | | shared database type is |
| | | preferred; the legacy |
- | | |    format is included for |
+ | | | format is included for |
| | | backward compatibility. |
- | | |    By default, the tools |
+ | | | By default, the tools |
| | | (certutil, pk12util, modutil) |
| | | assume that the given |
- | | |    security databases follow |
+ | | | security databases follow |
| | | the more common legacy type. |
| | | Using the SQLite |
- | | |    databases must be manually |
+ | | | databases must be manually |
| | | specified by using the sql: |
| | | prefix with the |
- | | |    given security directory. |
+ | | | given security directory. |
| | | For example: |
- | | |  $ certutil -L -d |
+ | | | $ certutil -L -d |
| | | sql:/home/my/sharednssdb |
- | | |    To set the shared database |
+ | | | To set the shared database |
| | | type as the default type for |
| | | the tools, set the |
- | | |    NSS_DEFAULT_DB_TYPE |
+ | | | NSS_DEFAULT_DB_TYPE |
| | | environment variable to sql: |
- | | |  export |
+ | | | export |
| | | NSS_DEFAULT_DB_TYPE="sql" |
- | | |    This line can be set added |
+ | | | This line can be set added |
| | | to the ~/.bashrc file to make |
| | | the change |
- | | |    permanent. |
- | | |    Most applications do not |
+ | | | permanent. |
+ | | | Most applications do not |
| | | use the shared database by |
| | | default, but they can |
- | | |    be configured to use them. |
+ | | | be configured to use them. |
| | | For example, this how-to |
| | | article covers how to |
- | | |    configure Firefox and |
+ | | | configure Firefox and |
| | | Thunderbird to use the new |
| | | shared NSS databases: |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |    For an engineering draft on |
+ | | | For an engineering draft on |
| | | the changes in the shared NSS |
| | | databases, see |
- | | |    the NSS project wiki: |
- | | |      |
- | | | o https:// |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | See Also |
- | | |    pk12util (1) |
- | | |    modutil (1) |
- | | |    certutil has arguments or |
+ | | | pk12util (1) |
+ | | | modutil (1) |
+ | | | certutil has arguments or |
| | | operations that use features |
| | | defined in several |
- | | |    IETF RFCs. |
- | | |      |
- | | | o `http://tools.ietf.org/htm |
+ | | | IETF RFCs. |
+ | | | |
+ | | | o `http://tools.ietf.org/htm |
| | | l/rfc5280 <https://datatracker |
| | | .ietf.org/doc/html/rfc5280>`__ |
- | | |      |
- | | | o `http://tools.ietf.org/htm |
+ | | | |
+ | | | o `http://tools.ietf.org/htm |
| | | l/rfc1113 <https://datatracker |
| | | .ietf.org/doc/html/rfc1113>`__ |
- | | |      |
- | | | o `http://tools.ietf.org/htm |
+ | | | |
+ | | | o `http://tools.ietf.org/htm |
| | | l/rfc1485 <https://datatracker |
| | | .ietf.org/doc/html/rfc1485>`__ |
- | | |    The NSS wiki has |
+ | | | The NSS wiki has |
| | | information on the new |
| | | database design and how to |
- | | |    configure applications to |
+ | | | configure applications to |
| | | use it. |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |      |
- | | | o https:// |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
@@ -6358,204 +6358,204 @@ Index
| | la_projects_nss_tools_cmsutil` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    cmsutil — Performs basic |
+ | | | cmsutil — Performs basic |
| | | cryptograpic operations, such |
| | | as encryption and |
- | | |    decryption, on |
+ | | | decryption, on |
| | | Cryptographic Message Syntax |
| | | (CMS) messages. |
| | | Synopsis |
- | | |    cmsutil [options] |
+ | | | cmsutil [options] |
| | | `arguments <arguments>`__ |
| | | Description |
- | | |    The cmsutil command-line |
+ | | | The cmsutil command-line |
| | | uses the S/MIME Toolkit to |
| | | perform basic |
- | | |    operations, such as |
+ | | | operations, such as |
| | | encryption and decryption, on |
| | | Cryptographic Message |
- | | |    Syntax (CMS) messages. |
- | | |    To run cmsutil, type the |
+ | | | Syntax (CMS) messages. |
+ | | | To run cmsutil, type the |
| | | command cmsutil option |
| | | [arguments] where option |
- | | |    and arguments are |
+ | | | and arguments are |
| | | combinations of the options |
| | | and arguments listed in the |
- | | |    following section. Each |
+ | | | following section. Each |
| | | command takes one option. Each |
| | | option may take |
- | | |    zero or more arguments. To |
+ | | | zero or more arguments. To |
| | | see a usage string, issue the |
| | | command without |
- | | |    options. |
+ | | | options. |
| | | Options and Arguments |
- | | |    Options |
- | | |    Options specify an action. |
+ | | | Options |
+ | | | Options specify an action. |
| | | Option arguments modify an |
| | | action. The options |
- | | |    and arguments for the |
+ | | | and arguments for the |
| | | cmsutil command are defined as |
| | | follows: |
- | | |    -D |
- | | |            Decode a message. |
- | | |    -C |
- | | |            Encrypt a message. |
- | | |    -E |
- | | |            Envelope a message. |
- | | |    -O |
- | | |            Create a |
+ | | | -D |
+ | | | Decode a message. |
+ | | | -C |
+ | | | Encrypt a message. |
+ | | | -E |
+ | | | Envelope a message. |
+ | | | -O |
+ | | | Create a |
| | | certificates-only message. |
- | | |    -S |
- | | |            Sign a message. |
- | | |    Arguments |
- | | |    Option arguments modify an |
+ | | | -S |
+ | | | Sign a message. |
+ | | | Arguments |
+ | | | Option arguments modify an |
| | | action and are lowercase. |
- | | |    -c content |
- | | |            Use this detached |
+ | | | -c content |
+ | | | Use this detached |
| | | content (decode only). |
- | | |    -d dbdir |
- | | |            Specify the |
+ | | | -d dbdir |
+ | | | Specify the |
| | | key/certificate database |
| | | directory (default is ".") |
- | | |    -e envfile |
- | | |            Specify a file |
+ | | | -e envfile |
+ | | | Specify a file |
| | | containing an enveloped |
| | | message for a set of |
- | | |            recipients to which |
+ | | | recipients to which |
| | | you would like to send an |
| | | encrypted message. |
- | | |            If this is the |
+ | | | If this is the |
| | | first encrypted message for |
| | | that set of recipients, |
- | | |            a new enveloped |
+ | | | a new enveloped |
| | | message will be created that |
| | | you can then use for |
- | | |            future messages |
+ | | | future messages |
| | | (encrypt only). |
- | | |    -G |
- | | |            Include a signing |
+ | | | -G |
+ | | | Include a signing |
| | | time attribute (sign only). |
- | | |    -h num |
- | | |            Generate email |
+ | | | -h num |
+ | | | Generate email |
| | | headers with info about CMS |
| | | message (decode only). |
- | | |    -i infile |
- | | |            Use infile as a |
+ | | | -i infile |
+ | | | Use infile as a |
| | | source of data (default is |
| | | stdin). |
- | | |    -N nickname |
- | | |            Specify nickname of |
+ | | | -N nickname |
+ | | | Specify nickname of |
| | | certificate to sign with (sign |
| | | only). |
- | | |    -n |
- | | |            Suppress output of |
+ | | | -n |
+ | | | Suppress output of |
| | | contents (decode only). |
- | | |    -o outfile |
- | | |            Use outfile as a |
+ | | | -o outfile |
+ | | | Use outfile as a |
| | | destination of data (default |
| | | is stdout). |
- | | |    -P |
- | | |            Include an S/MIME |
+ | | | -P |
+ | | | Include an S/MIME |
| | | capabilities attribute. |
- | | |    -p password |
- | | |            Use password as key |
+ | | | -p password |
+ | | | Use password as key |
| | | database password. |
- | | |    -r recipient1,recipient2, |
+ | | | -r recipient1,recipient2, |
| | | ... |
- | | |            Specify list of |
+ | | | Specify list of |
| | | recipients (email addresses) |
| | | for an encrypted or |
- | | |            enveloped message. |
+ | | | enveloped message. |
| | | For certificates-only message, |
| | | list of |
- | | |            certificates to |
+ | | | certificates to |
| | | send. |
- | | |    -T |
- | | |            Suppress content in |
+ | | | -T |
+ | | | Suppress content in |
| | | CMS message (sign only). |
- | | |    -u certusage |
- | | |            Set type of cert |
+ | | | -u certusage |
+ | | | Set type of cert |
| | | usage (default is |
| | | certUsageEmailSigner). |
- | | |    -Y ekprefnick |
- | | |            Specify an |
+ | | | -Y ekprefnick |
+ | | | Specify an |
| | | encryption key preference by |
| | | nickname. |
| | | Usage |
- | | |    Encrypt Example |
- | | |  cmsutil -C [-i infile] [-o |
+ | | | Encrypt Example |
+ | | | cmsutil -C [-i infile] [-o |
| | | outfile] [-d dbdir] [-p |
| | | password] -r |
| | | "recipient1,recipient2, . . ." |
| | | -e envfile |
- | | |    Decode Example |
- | | |  cmsutil -D [-i infile] [-o |
+ | | | Decode Example |
+ | | | cmsutil -D [-i infile] [-o |
| | | outfile] [-d dbdir] [-p |
| | | password] [-c content] [-n] |
| | | [-h num] |
- | | |    Envelope Example |
- | | |  cmsutil -E [-i infile] [-o |
+ | | | Envelope Example |
+ | | | cmsutil -E [-i infile] [-o |
| | | outfile] [-d dbdir] [-p |
| | | password] -r |
| | | "recipient1,recipient2, ..." |
- | | |    Certificate-only Example |
- | | |  cmsutil -O [-i infile] [-o |
+ | | | Certificate-only Example |
+ | | | cmsutil -O [-i infile] [-o |
| | | outfile] [-d dbdir] [-p |
| | | password] -r "cert1,cert2, . . |
| | | ." |
- | | |    Sign Message Example |
- | | |  cmsutil -S [-i infile] [-o |
+ | | | Sign Message Example |
+ | | | cmsutil -S [-i infile] [-o |
| | | outfile] [-d dbdir] [-p |
| | | password] -N nickname[-TGP] |
| | | [-Y ekprefnick] |
| | | See also |
- | | |    certutil(1) |
+ | | | certutil(1) |
| | | See Also |
| | | Additional Resources |
- | | |    NSS is maintained in |
+ | | | NSS is maintained in |
| | | conjunction with PKI and |
| | | security-related projects |
- | | |    through Mozilla dn Fedora. |
+ | | | through Mozilla dn Fedora. |
| | | The most closely-related |
| | | project is Dogtag PKI, |
- | | |    with a project wiki at |
+ | | | with a project wiki at |
| | | [1]\ http: |
| | | //pki.fedoraproject.org/wiki/. |
- | | |    For information |
+ | | | For information |
| | | specifically about NSS, the |
| | | NSS project wiki is located at |
- | | |    |
+ | | | |
| | | [2]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | pki-devel@redhat.com and |
| | | pki-users@redhat.com |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape and |
- | | |    now with Red Hat. |
- | | |    Authors: Elio Maldonado |
+ | | | now with Red Hat. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | http |
| | | ://pki.fedoraproject.org/wiki/ |
- | | |    2. |
+ | | | 2. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
@@ -6567,493 +6567,493 @@ Index
| | la_projects_nss_tools_crlutil` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    crlutil — List, generate, |
+ | | | crlutil — List, generate, |
| | | modify, or delete CRLs within |
| | | the NSS security |
- | | |    database file(s) and list, |
+ | | | database file(s) and list, |
| | | create, modify or delete |
| | | certificates entries |
- | | |    in a particular CRL. |
+ | | | in a particular CRL. |
| | | Synopsis |
- | | |    crlutil [options] |
+ | | | crlutil [options] |
| | | `arguments <arguments>`__ |
| | | Description |
- | | |    The Certificate Revocation |
+ | | | The Certificate Revocation |
| | | List (CRL) Management Tool, |
| | | crlutil, is a |
- | | |    command-line utility that |
+ | | | command-line utility that |
| | | can list, generate, modify, or |
| | | delete CRLs |
- | | |    within the NSS security |
+ | | | within the NSS security |
| | | database file(s) and list, |
| | | create, modify or |
- | | |    delete certificates entries |
+ | | | delete certificates entries |
| | | in a particular CRL. |
- | | |    The key and certificate |
+ | | | The key and certificate |
| | | management process generally |
| | | begins with creating |
- | | |    keys in the key database, |
+ | | | keys in the key database, |
| | | then generating and managing |
| | | certificates in the |
- | | |    certificate database(see |
+ | | | certificate database(see |
| | | certutil tool) and continues |
| | | with certificates |
- | | |    expiration or revocation. |
- | | |    This document discusses |
+ | | | expiration or revocation. |
+ | | | This document discusses |
| | | certificate revocation list |
| | | management. For |
- | | |    information on security |
+ | | | information on security |
| | | module database management, |
| | | see Using the Security |
- | | |    Module Database Tool. For |
+ | | | Module Database Tool. For |
| | | information on certificate and |
| | | key database |
- | | |    management, see Using the |
+ | | | management, see Using the |
| | | Certificate Database Tool. |
- | | |    To run the Certificate |
+ | | | To run the Certificate |
| | | Revocation List Management |
| | | Tool, type the command |
- | | |    crlutil option [arguments] |
- | | |    where options and arguments |
+ | | | crlutil option [arguments] |
+ | | | where options and arguments |
| | | are combinations of the |
| | | options and arguments |
- | | |    listed in the following |
+ | | | listed in the following |
| | | section. Each command takes |
| | | one option. Each |
- | | |    option may take zero or |
+ | | | option may take zero or |
| | | more arguments. To see a usage |
| | | string, issue the |
- | | |    command without options, or |
+ | | | command without options, or |
| | | with the -H option. |
| | | Options and Arguments |
- | | |    Options |
- | | |    Options specify an action. |
+ | | | Options |
+ | | | Options specify an action. |
| | | Option arguments modify an |
| | | action. The options |
- | | |    and arguments for the |
+ | | | and arguments for the |
| | | crlutil command are defined as |
| | | follows: |
- | | |    -G |
- | | |            Create new |
+ | | | -G |
+ | | | Create new |
| | | Certificate Revocation |
| | | List(CRL). |
- | | |    -D |
- | | |            Delete Certificate |
+ | | | -D |
+ | | | Delete Certificate |
| | | Revocation List from cert |
| | | database. |
- | | |    -I |
- | | |            Import a CRL to the |
+ | | | -I |
+ | | | Import a CRL to the |
| | | cert database |
- | | |    -E |
- | | |            Erase all CRLs of |
+ | | | -E |
+ | | | Erase all CRLs of |
| | | specified type from the cert |
| | | database |
- | | |    -L |
- | | |            List existing CRL |
+ | | | -L |
+ | | | List existing CRL |
| | | located in cert database file. |
- | | |    -M |
- | | |            Modify existing CRL |
+ | | | -M |
+ | | | Modify existing CRL |
| | | which can be located in cert |
| | | db or in |
- | | |            arbitrary file. If |
+ | | | arbitrary file. If |
| | | located in file it should be |
| | | encoded in ASN.1 |
- | | |            encode format. |
- | | |    -G |
- | | |    Arguments |
- | | |    Option arguments modify an |
+ | | | encode format. |
+ | | | -G |
+ | | | Arguments |
+ | | | Option arguments modify an |
| | | action and are lowercase. |
- | | |    -B |
- | | |            Bypass CA signature |
+ | | | -B |
+ | | | Bypass CA signature |
| | | checks. |
- | | |    -P dbprefix |
- | | |            Specify the prefix |
+ | | | -P dbprefix |
+ | | | Specify the prefix |
| | | used on the NSS security |
| | | database files (for |
- | | |            example, |
+ | | | example, |
| | | my_cert8.db and my_key3.db). |
| | | This option is provided as a |
- | | |            special case. |
+ | | | special case. |
| | | Changing the names of the |
| | | certificate and key |
- | | |            databases is not |
+ | | | databases is not |
| | | recommended. |
- | | |    -a |
- | | |            Use ASCII format or |
+ | | | -a |
+ | | | Use ASCII format or |
| | | allow the use of ASCII format |
| | | for input and |
- | | |            output. This |
+ | | | output. This |
| | | formatting follows RFC #1113. |
- | | |    -c crl-gen-file |
- | | |            Specify script file |
+ | | | -c crl-gen-file |
+ | | | Specify script file |
| | | that will be used to control |
| | | crl |
- | | |            |
+ | | | |
| | | generation/modification. See |
| | | crl-cript-file format below. |
| | | If |
- | | |            options -M|-G is |
+ | | | options -M|-G is |
| | | used and -c crl-script-file is |
| | | not specified, |
- | | |            crlutil will read |
+ | | | crlutil will read |
| | | script data from standard |
| | | input. |
- | | |    -d directory |
- | | |            Specify the |
+ | | | -d directory |
+ | | | Specify the |
| | | database directory containing |
| | | the certificate and key |
- | | |            database files. On |
+ | | | database files. On |
| | | Unix the Certificate Database |
| | | Tool defaults to |
- | | |            $HOME/.netscape |
+ | | | $HOME/.netscape |
| | | (that is, ~/.netscape). On |
| | | Windows NT the default |
- | | |            is the current |
+ | | | is the current |
| | | directory. |
- | | |            The NSS database |
+ | | | The NSS database |
| | | files must reside in the same |
| | | directory. |
- | | |    -i crl-import-file |
- | | |            Specify the file |
+ | | | -i crl-import-file |
+ | | | Specify the file |
| | | which contains the CRL to |
| | | import |
- | | |    -f password-file |
- | | |            Specify a file that |
+ | | | -f password-file |
+ | | | Specify a file that |
| | | will automatically supply the |
| | | password to |
- | | |            include in a |
+ | | | include in a |
| | | certificate or to access a |
| | | certificate database. This |
- | | |            is a plain-text |
+ | | | is a plain-text |
| | | file containing one password. |
| | | Be sure to prevent |
- | | |            unauthorized access |
+ | | | unauthorized access |
| | | to this file. |
- | | |    -l algorithm-name |
- | | |            Specify a specific |
+ | | | -l algorithm-name |
+ | | | Specify a specific |
| | | signature algorithm. List of |
| | | possible |
- | | |            algorithms: MD2 \| |
+ | | | algorithms: MD2 \| |
| | | MD4 \| MD5 \| SHA1 \| SHA256 |
| | | \| SHA384 \| SHA512 |
- | | |    -n nickname |
- | | |            Specify the |
+ | | | -n nickname |
+ | | | Specify the |
| | | nickname of a certificate or |
| | | key to list, create, add |
- | | |            to a database, |
+ | | | to a database, |
| | | modify, or validate. Bracket |
| | | the nickname string |
- | | |            with quotation |
+ | | | with quotation |
| | | marks if it contains spaces. |
- | | |    -o output-file |
- | | |            Specify the output |
+ | | | -o output-file |
+ | | | Specify the output |
| | | file name for new CRL. Bracket |
| | | the output-file |
- | | |            string with |
+ | | | string with |
| | | quotation marks if it contains |
| | | spaces. If this |
- | | |            argument is not |
+ | | | argument is not |
| | | used the output destination |
| | | defaults to standard |
- | | |            output. |
- | | |    -t crl-type |
- | | |            Specify type of |
+ | | | output. |
+ | | | -t crl-type |
+ | | | Specify type of |
| | | CRL. possible types are: 0 - |
| | | SEC_KRL_TYPE, 1 - |
- | | |            SEC_CRL_TYPE. This |
+ | | | SEC_CRL_TYPE. This |
| | | option is obsolete |
- | | |    -u url |
- | | |            Specify the url. |
+ | | | -u url |
+ | | | Specify the url. |
| | | CRL Generation script syntax |
- | | |    CRL generation script file |
+ | | | CRL generation script file |
| | | has the following syntax: |
- | | |    \* Line with comments |
+ | | | \* Line with comments |
| | | should have # as a first |
| | | symbol of a line |
- | | |    \* Set "this update" or |
+ | | | \* Set "this update" or |
| | | "next update" CRL fields: |
- | | |    update=YYYYMMDDhhmmssZ |
+ | | | update=YYYYMMDDhhmmssZ |
| | | nextupdate=YYYYMMDDhhmmssZ |
- | | |    Field "next update" is |
+ | | | Field "next update" is |
| | | optional. Time should be in |
| | | GeneralizedTime format |
- | | |    (YYYYMMDDhhmmssZ). For |
+ | | | (YYYYMMDDhhmmssZ). For |
| | | example: 20050204153000Z |
- | | |    \* Add an extension to a |
+ | | | \* Add an extension to a |
| | | CRL or a crl certificate |
| | | entry: |
- | | |    addext extension-name |
+ | | | addext extension-name |
| | | critical/non-critical |
| | | [arg1[arg2 ...]] |
- | | |    Where: |
- | | |    extension-name: string |
+ | | | Where: |
+ | | | extension-name: string |
| | | value of a name of known |
| | | extensions. |
- | | |    critical/non-critical: is 1 |
+ | | | critical/non-critical: is 1 |
| | | when extension is critical and |
| | | 0 otherwise. |
- | | |    arg1, arg2: specific to |
+ | | | arg1, arg2: specific to |
| | | extension type extension |
| | | parameters |
- | | |    addext uses the range that |
+ | | | addext uses the range that |
| | | was set earlier by addcert and |
| | | will install an |
- | | |    extension to every cert |
+ | | | extension to every cert |
| | | entries within the range. |
- | | |    \* Add certificate |
+ | | | \* Add certificate |
| | | entries(s) to CRL: |
- | | |    addcert range date |
- | | |    range: two integer values |
+ | | | addcert range date |
+ | | | range: two integer values |
| | | separated by dash: range of |
| | | certificates that |
- | | |    will be added by this |
+ | | | will be added by this |
| | | command. dash is used as a |
| | | delimiter. Only one cert |
- | | |    will be added if there is |
+ | | | will be added if there is |
| | | no delimiter. date: revocation |
| | | date of a cert. |
- | | |    Date should be represented |
+ | | | Date should be represented |
| | | in GeneralizedTime format |
| | | (YYYYMMDDhhmmssZ). |
- | | |    \* Remove certificate |
+ | | | \* Remove certificate |
| | | entry(s) from CRL |
- | | |    rmcert range |
- | | |    Where: |
- | | |    range: two integer values |
+ | | | rmcert range |
+ | | | Where: |
+ | | | range: two integer values |
| | | separated by dash: range of |
| | | certificates that |
- | | |    will be added by this |
+ | | | will be added by this |
| | | command. dash is used as a |
| | | delimiter. Only one cert |
- | | |    will be added if there is |
+ | | | will be added if there is |
| | | no delimiter. |
- | | |    \* Change range of |
+ | | | \* Change range of |
| | | certificate entry(s) in CRL |
- | | |    range new-range |
- | | |    Where: |
- | | |    new-range: two integer |
+ | | | range new-range |
+ | | | Where: |
+ | | | new-range: two integer |
| | | values separated by dash: |
| | | range of certificates |
- | | |    that will be added by this |
+ | | | that will be added by this |
| | | command. dash is used as a |
| | | delimiter. Only one |
- | | |    cert will be added if there |
+ | | | cert will be added if there |
| | | is no delimiter. |
- | | |    Implemented Extensions |
- | | |    The extensions defined for |
+ | | | Implemented Extensions |
+ | | | The extensions defined for |
| | | CRL provide methods for |
| | | associating additional |
- | | |    attributes with CRLs of |
+ | | | attributes with CRLs of |
| | | theirs entries. For more |
| | | information see RFC #3280 |
- | | |    \* Add The Authority Key |
+ | | | \* Add The Authority Key |
| | | Identifier extension: |
- | | |    The authority key |
+ | | | The authority key |
| | | identifier extension provides |
| | | a means of identifying the |
- | | |    public key corresponding to |
+ | | | public key corresponding to |
| | | the private key used to sign a |
| | | CRL. |
- | | |    authKeyId critical [key-id |
+ | | | authKeyId critical [key-id |
| | | \| dn cert-serial] |
- | | |    Where: |
- | | |    authKeyIdent: identifies |
+ | | | Where: |
+ | | | authKeyIdent: identifies |
| | | the name of an extension |
| | | critical: value of 1 of |
- | | |    0. Should be set to 1 if |
+ | | | 0. Should be set to 1 if |
| | | this extension is critical or |
| | | 0 otherwise. |
- | | |    key-id: key identifier |
+ | | | key-id: key identifier |
| | | represented in octet string. |
| | | dn:: is a CA |
- | | |    distinguished name |
+ | | | distinguished name |
| | | cert-serial: authority |
| | | certificate serial number. |
- | | |    \* Add Issuer Alternative |
+ | | | \* Add Issuer Alternative |
| | | Name extension: |
- | | |    The issuer alternative |
+ | | | The issuer alternative |
| | | names extension allows |
| | | additional identities to be |
- | | |    associated with the issuer |
+ | | | associated with the issuer |
| | | of the CRL. Defined options |
| | | include an rfc822 |
- | | |    name (electronic mail |
+ | | | name (electronic mail |
| | | address), a DNS name, an IP |
| | | address, and a URI. |
- | | |    issuerAltNames non-critical |
+ | | | issuerAltNames non-critical |
| | | name-list |
- | | |    Where: |
- | | |    subjAltNames: identifies |
+ | | | Where: |
+ | | | subjAltNames: identifies |
| | | the name of an extension |
| | | should be set to 0 since |
- | | |    this is non-critical |
+ | | | this is non-critical |
| | | extension name-list: comma |
| | | separated list of names |
- | | |    \* Add CRL Number |
+ | | | \* Add CRL Number |
| | | extension: |
- | | |    The CRL number is a |
+ | | | The CRL number is a |
| | | non-critical CRL extension |
| | | which conveys a |
- | | |    monotonically increasing |
+ | | | monotonically increasing |
| | | sequence number for a given |
| | | CRL scope and CRL |
- | | |    issuer. This extension |
+ | | | issuer. This extension |
| | | allows users to easily |
| | | determine when a particular |
- | | |    CRL supersedes another CRL |
- | | |    crlNumber non-critical |
+ | | | CRL supersedes another CRL |
+ | | | crlNumber non-critical |
| | | number |
- | | |    Where: |
- | | |    crlNumber: identifies the |
+ | | | Where: |
+ | | | crlNumber: identifies the |
| | | name of an extension critical: |
| | | should be set to |
- | | |    0 since this is |
+ | | | 0 since this is |
| | | non-critical extension number: |
| | | value of long which |
- | | |    identifies the sequential |
+ | | | identifies the sequential |
| | | number of a CRL. |
- | | |    \* Add Revocation Reason |
+ | | | \* Add Revocation Reason |
| | | Code extension: |
- | | |    The reasonCode is a |
+ | | | The reasonCode is a |
| | | non-critical CRL entry |
| | | extension that identifies the |
- | | |    reason for the certificate |
+ | | | reason for the certificate |
| | | revocation. |
- | | |    reasonCode non-critical |
+ | | | reasonCode non-critical |
| | | code |
- | | |    Where: |
- | | |    reasonCode: identifies the |
+ | | | Where: |
+ | | | reasonCode: identifies the |
| | | name of an extension |
| | | non-critical: should be |
- | | |    set to 0 since this is |
+ | | | set to 0 since this is |
| | | non-critical extension code: |
| | | the following codes |
- | | |    are available: |
- | | |    unspecified (0), |
+ | | | are available: |
+ | | | unspecified (0), |
| | | keyCompromise (1), |
| | | cACompromise (2), |
| | | affiliationChanged |
- | | |    (3), superseded (4), |
+ | | | (3), superseded (4), |
| | | cessationOfOperation (5), |
| | | certificateHold (6), |
- | | |    removeFromCRL (8), |
+ | | | removeFromCRL (8), |
| | | privilegeWithdrawn (9), |
| | | aACompromise (10) |
- | | |    \* Add Invalidity Date |
+ | | | \* Add Invalidity Date |
| | | extension: |
- | | |    The invalidity date is a |
+ | | | The invalidity date is a |
| | | non-critical CRL entry |
| | | extension that provides |
- | | |    the date on which it is |
+ | | | the date on which it is |
| | | known or suspected that the |
| | | private key was |
- | | |    compromised or that the |
+ | | | compromised or that the |
| | | certificate otherwise became |
| | | invalid. |
- | | |    invalidityDate non-critical |
+ | | | invalidityDate non-critical |
| | | date |
- | | |    Where: |
- | | |    crlNumber: identifies the |
+ | | | Where: |
+ | | | crlNumber: identifies the |
| | | name of an extension |
| | | non-critical: should be set |
- | | |    to 0 since this is |
+ | | | to 0 since this is |
| | | non-critical extension date: |
| | | invalidity date of a cert. |
- | | |    Date should be represented |
+ | | | Date should be represented |
| | | in GeneralizedTime format |
| | | (YYYYMMDDhhmmssZ). |
| | | Usage |
- | | |    The Certificate Revocation |
+ | | | The Certificate Revocation |
| | | List Management Tool's |
| | | capabilities are grouped |
- | | |    as follows, using these |
+ | | | as follows, using these |
| | | combinations of options and |
| | | arguments. Options and |
- | | |    arguments in square |
+ | | | arguments in square |
| | | brackets are optional, those |
| | | without square brackets |
- | | |    are required. |
- | | |    See "Implemented |
+ | | | are required. |
+ | | | See "Implemented |
| | | extensions" for more |
| | | information regarding |
| | | extensions and |
- | | |    their parameters. |
- | | |    \* Creating or modifying a |
+ | | | their parameters. |
+ | | | \* Creating or modifying a |
| | | CRL: |
- | | |  crlutil -G|-M -c crl-gen-file |
+ | | | crlutil -G|-M -c crl-gen-file |
| | | -n nickname [-i crl] [-u url] |
| | | [-d keydir] [-P dbprefix] [-l |
| | | alg] [-a] [-B] |
- | | |    \* Listing all CRls or a |
+ | | | \* Listing all CRls or a |
| | | named CRL: |
- | | |          crlutil -L [-n |
+ | | | crlutil -L [-n |
| | | crl-name] [-d krydir] |
- | | |    \* Deleting CRL from db: |
- | | |          crlutil -D -n |
+ | | | \* Deleting CRL from db: |
+ | | | crlutil -D -n |
| | | nickname [-d keydir] [-P |
| | | dbprefix] |
- | | |    \* Erasing CRLs from db: |
- | | |          crlutil -E [-d |
+ | | | \* Erasing CRLs from db: |
+ | | | crlutil -E [-d |
| | | keydir] [-P dbprefix] |
- | | |    \* Deleting CRL from db: |
- | | |            crlutil -D -n |
+ | | | \* Deleting CRL from db: |
+ | | | crlutil -D -n |
| | | nickname [-d keydir] [-P |
| | | dbprefix] |
- | | |    \* Erasing CRLs from db: |
- | | |            crlutil -E [-d |
+ | | | \* Erasing CRLs from db: |
+ | | | crlutil -E [-d |
| | | keydir] [-P dbprefix] |
- | | |    \* Import CRL from file: |
- | | |            crlutil -I -i crl |
+ | | | \* Import CRL from file: |
+ | | | crlutil -I -i crl |
| | | [-t crlType] [-u url] [-d |
| | | keydir] [-P dbprefix] [-B] |
| | | See also |
- | | |    certutil(1) |
+ | | | certutil(1) |
| | | See Also |
| | | Additional Resources |
- | | |    NSS is maintained in |
+ | | | NSS is maintained in |
| | | conjunction with PKI and |
| | | security-related projects |
- | | |    through Mozilla dn Fedora. |
+ | | | through Mozilla dn Fedora. |
| | | The most closely-related |
| | | project is Dogtag PKI, |
- | | |    with a project wiki at |
+ | | | with a project wiki at |
| | | [1]\ http: |
| | | //pki.fedoraproject.org/wiki/. |
- | | |    For information |
+ | | | For information |
| | | specifically about NSS, the |
| | | NSS project wiki is located at |
- | | |    |
+ | | | |
| | | [2]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | pki-devel@redhat.com and |
| | | pki-users@redhat.com |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape and |
- | | |    now with Red Hat. |
- | | |    Authors: Elio Maldonado |
+ | | | now with Red Hat. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | http |
| | | ://pki.fedoraproject.org/wiki/ |
- | | |    2. |
+ | | | 2. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
@@ -7065,670 +7065,670 @@ Index
| | la_projects_nss_tools_modutil` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    modutil — Manage PKCS #11 |
+ | | | modutil — Manage PKCS #11 |
| | | module information within the |
| | | security module |
- | | |    database. |
+ | | | database. |
| | | Synopsis |
- | | |    modutil [options] |
+ | | | modutil [options] |
| | | `arguments <arguments>`__ |
| | | Description |
- | | |    The Security Module |
+ | | | The Security Module |
| | | Database Tool, modutil, is a |
| | | command-line utility for |
- | | |    managing PKCS #11 module |
+ | | | managing PKCS #11 module |
| | | information both within |
| | | secmod.db files and |
- | | |    within hardware tokens. |
+ | | | within hardware tokens. |
| | | modutil can add and delete |
| | | PKCS #11 modules, |
- | | |    change passwords on |
+ | | | change passwords on |
| | | security databases, set |
| | | defaults, list module |
- | | |    contents, enable or disable |
+ | | | contents, enable or disable |
| | | slots, enable or disable FIPS |
| | | 140-2 |
- | | |    compliance, and assign |
+ | | | compliance, and assign |
| | | default providers for |
| | | cryptographic operations. |
- | | |    This tool can also create |
+ | | | This tool can also create |
| | | certificate, key, and module |
| | | security database |
- | | |    files. |
- | | |    The tasks associated with |
+ | | | files. |
+ | | | The tasks associated with |
| | | security module database |
| | | management are part of |
- | | |    a process that typically |
+ | | | a process that typically |
| | | also involves managing key |
| | | databases and |
- | | |    certificate databases. |
+ | | | certificate databases. |
| | | Options |
- | | |    Running modutil always |
+ | | | Running modutil always |
| | | requires one (and only one) |
| | | option to specify the |
- | | |    type of module operation. |
+ | | | type of module operation. |
| | | Each option may take |
| | | arguments, anywhere from |
- | | |    none to multiple arguments. |
- | | |    Options |
- | | |    -add modulename |
- | | |            Add the named PKCS |
+ | | | none to multiple arguments. |
+ | | | Options |
+ | | | -add modulename |
+ | | | Add the named PKCS |
| | | #11 module to the database. |
| | | Use this option |
- | | |            with the -libfile, |
+ | | | with the -libfile, |
| | | -ciphers, and -mechanisms |
| | | arguments. |
- | | |    -changepw tokenname |
- | | |            Change the password |
+ | | | -changepw tokenname |
+ | | | Change the password |
| | | on the named token. If the |
| | | token has not been |
- | | |            initialized, this |
+ | | | initialized, this |
| | | option initializes the |
| | | password. Use this option |
- | | |            with the -pwfile |
+ | | | with the -pwfile |
| | | and -newpwfile arguments. A |
| | | password is |
- | | |            equivalent to a |
+ | | | equivalent to a |
| | | personal identification number |
| | | (PIN). |
- | | |    -chkfips |
- | | |            Verify whether the |
+ | | | -chkfips |
+ | | | Verify whether the |
| | | module is in the given FIPS |
| | | mode. true means to |
- | | |            verify that the |
+ | | | verify that the |
| | | module is in FIPS mode, while |
| | | false means to |
- | | |            verify that the |
+ | | | verify that the |
| | | module is not in FIPS mode. |
- | | |    -create |
- | | |            Create new |
+ | | | -create |
+ | | | Create new |
| | | certificate, key, and module |
| | | databases. Use the -dbdir |
- | | |            directory argument |
+ | | | directory argument |
| | | to specify a directory. If any |
| | | of these |
- | | |            databases already |
+ | | | databases already |
| | | exist in a specified |
| | | directory, modutil returns |
- | | |            an error message. |
- | | |    -default modulename |
- | | |            Specify the |
+ | | | an error message. |
+ | | | -default modulename |
+ | | | Specify the |
| | | security mechanisms for which |
| | | the named module will be |
- | | |            a default provider. |
+ | | | a default provider. |
| | | The security mechanisms are |
| | | specified with the |
- | | |            -mechanisms |
+ | | | -mechanisms |
| | | argument. |
- | | |    -delete modulename |
- | | |            Delete the named |
+ | | | -delete modulename |
+ | | | Delete the named |
| | | module. The default NSS PKCS |
| | | #11 module cannot be |
- | | |            deleted. |
- | | |    -disable modulename |
- | | |            Disable all slots |
+ | | | deleted. |
+ | | | -disable modulename |
+ | | | Disable all slots |
| | | on the named module. Use the |
| | | -slot argument to |
- | | |            disable a specific |
+ | | | disable a specific |
| | | slot. |
- | | |    -enable modulename |
- | | |            Enable all slots on |
+ | | | -enable modulename |
+ | | | Enable all slots on |
| | | the named module. Use the |
| | | -slot argument to |
- | | |            enable a specific |
+ | | | enable a specific |
| | | slot. |
- | | |    -fips [true \| false] |
- | | |            Enable (true) or |
+ | | | -fips [true \| false] |
+ | | | Enable (true) or |
| | | disable (false) FIPS 140-2 |
| | | compliance for the |
- | | |            default NSS module. |
- | | |    -force |
- | | |            Disable modutil's |
+ | | | default NSS module. |
+ | | | -force |
+ | | | Disable modutil's |
| | | interactive prompts so it can |
| | | be run from a |
- | | |            script. Use this |
+ | | | script. Use this |
| | | option only after manually |
| | | testing each planned |
- | | |            operation to check |
+ | | | operation to check |
| | | for warnings and to ensure |
| | | that bypassing the |
- | | |            prompts will cause |
+ | | | prompts will cause |
| | | no security lapses or loss of |
| | | database |
- | | |            integrity. |
- | | |    -jar JAR-file |
- | | |            Add a new PKCS #11 |
+ | | | integrity. |
+ | | | -jar JAR-file |
+ | | | Add a new PKCS #11 |
| | | module to the database using |
| | | the named JAR |
- | | |            file. Use this |
+ | | | file. Use this |
| | | command with the -installdir |
| | | and -tempdir |
- | | |            arguments. The JAR |
+ | | | arguments. The JAR |
| | | file uses the NSS PKCS #11 JAR |
| | | format to |
- | | |            identify all the |
+ | | | identify all the |
| | | files to be installed, the |
| | | module's name, the |
- | | |            mechanism flags, |
+ | | | mechanism flags, |
| | | and the cipher flags, as well |
| | | as any files to be |
- | | |            installed on the |
+ | | | installed on the |
| | | target machine, including the |
| | | PKCS #11 module |
- | | |            library file and |
+ | | | library file and |
| | | other files such as |
| | | documentation. This is |
- | | |            covered in the JAR |
+ | | | covered in the JAR |
| | | installation file section in |
| | | the man page, |
- | | |            which details the |
+ | | | which details the |
| | | special script needed to |
| | | perform an installation |
- | | |            through a server or |
+ | | | through a server or |
| | | with modutil. |
- | | |    -list [modulename] |
- | | |            Display basic |
+ | | | -list [modulename] |
+ | | | Display basic |
| | | information about the contents |
| | | of the secmod.db |
- | | |            file. Specifying a |
+ | | | file. Specifying a |
| | | modulename displays detailed |
| | | information about |
- | | |            a particular module |
+ | | | a particular module |
| | | and its slots and tokens. |
- | | |    -rawadd |
- | | |            Add the module spec |
+ | | | -rawadd |
+ | | | Add the module spec |
| | | string to the secmod.db |
| | | database. |
- | | |    -rawlist |
- | | |            Display the module |
+ | | | -rawlist |
+ | | | Display the module |
| | | specs for a specified module |
| | | or for all |
- | | |            loadable modules. |
- | | |    -undefault modulename |
- | | |            Specify the |
+ | | | loadable modules. |
+ | | | -undefault modulename |
+ | | | Specify the |
| | | security mechanisms for which |
| | | the named module will |
- | | |            not be a default |
+ | | | not be a default |
| | | provider. The security |
| | | mechanisms are specified |
- | | |            with the |
+ | | | with the |
| | | -mechanisms argument. |
- | | |    Arguments |
- | | |    MODULE |
- | | |            Give the security |
+ | | | Arguments |
+ | | | MODULE |
+ | | | Give the security |
| | | module to access. |
- | | |    MODULESPEC |
- | | |            Give the security |
+ | | | MODULESPEC |
+ | | | Give the security |
| | | module spec to load into the |
| | | security database. |
- | | |    -ciphers cipher-enable-list |
- | | |            Enable specific |
+ | | | -ciphers cipher-enable-list |
+ | | | Enable specific |
| | | ciphers in a module that is |
| | | being added to the |
- | | |            database. The |
+ | | | database. The |
| | | cipher-enable-list is a |
| | | colon-delimited list of |
- | | |            cipher names. |
+ | | | cipher names. |
| | | Enclose this list in quotation |
| | | marks if it contains |
- | | |            spaces. |
- | | |    -dbdir [sql:]directory |
- | | |            Specify the |
+ | | | spaces. |
+ | | | -dbdir [sql:]directory |
+ | | | Specify the |
| | | database directory in which to |
| | | access or create |
- | | |            security module |
+ | | | security module |
| | | database files. |
- | | |            modutil supports |
+ | | | modutil supports |
| | | two types of databases: the |
| | | legacy security |
- | | |            databases |
+ | | | databases |
| | | (cert8.db, key3.db, and |
| | | secmod.db) and new SQLite |
- | | |            databases |
+ | | | databases |
| | | (cert9.db, key4.db, and |
| | | pkcs11.txt). If the prefix |
| | | sql: |
- | | |            is not used, then |
+ | | | is not used, then |
| | | the tool assumes that the |
| | | given databases are in |
- | | |            the old format. |
- | | |    --dbprefix prefix |
- | | |            Specify the prefix |
+ | | | the old format. |
+ | | | --dbprefix prefix |
+ | | | Specify the prefix |
| | | used on the database files, |
| | | such as my\_ for |
- | | |            my_cert8.db. This |
+ | | | my_cert8.db. This |
| | | option is provided as a |
| | | special case. Changing |
- | | |            the names of the |
+ | | | the names of the |
| | | certificate and key databases |
| | | is not recommended. |
- | | |    -installdir |
+ | | | -installdir |
| | | root-installation-directory |
- | | |            Specify the root |
+ | | | Specify the root |
| | | installation directory |
| | | relative to which files |
- | | |            will be installed |
+ | | | will be installed |
| | | by the -jar option. This |
| | | directory should be one |
- | | |            below which it is |
+ | | | below which it is |
| | | appropriate to store dynamic |
| | | library files, such |
- | | |            as a server's root |
+ | | | as a server's root |
| | | directory. |
- | | |    -libfile library-file |
- | | |            Specify a path to a |
+ | | | -libfile library-file |
+ | | | Specify a path to a |
| | | library file containing the |
| | | implementation of |
- | | |            the PKCS #11 |
+ | | | the PKCS #11 |
| | | interface module that is being |
| | | added to the database. |
- | | |    -mechanisms mechanism-list |
- | | |            Specify the |
+ | | | -mechanisms mechanism-list |
+ | | | Specify the |
| | | security mechanisms for which |
| | | a particular module will |
- | | |            be flagged as a |
+ | | | be flagged as a |
| | | default provider. The |
| | | mechanism-list is a |
- | | |            colon-delimited |
+ | | | colon-delimited |
| | | list of mechanism names. |
| | | Enclose this list in |
- | | |            quotation marks if |
+ | | | quotation marks if |
| | | it contains spaces. |
- | | |            The module becomes |
+ | | | The module becomes |
| | | a default provider for the |
| | | listed mechanisms |
- | | |            when those |
+ | | | when those |
| | | mechanisms are enabled. If |
| | | more than one module claims |
- | | |            to be a particular |
+ | | | to be a particular |
| | | mechanism's default provider, |
| | | that mechanism's |
- | | |            default provider is |
+ | | | default provider is |
| | | undefined. |
- | | |            modutil supports |
+ | | | modutil supports |
| | | several mechanisms: RSA, DSA, |
| | | RC2, RC4, RC5, AES, |
- | | |            DES, DH, SHA1, |
+ | | | DES, DH, SHA1, |
| | | SHA256, SHA512, SSL, TLS, MD5, |
| | | MD2, RANDOM (for |
- | | |            random number |
+ | | | random number |
| | | generation), and FRIENDLY |
| | | (meaning certificates are |
- | | |            publicly readable). |
- | | |    -newpwfile |
+ | | | publicly readable). |
+ | | | -newpwfile |
| | | new-password-file |
- | | |            Specify a text file |
+ | | | Specify a text file |
| | | containing a token's new or |
| | | replacement |
- | | |            password so that a |
+ | | | password so that a |
| | | password can be entered |
| | | automatically with the |
- | | |            -changepw option. |
- | | |    -nocertdb |
- | | |            Do not open the |
+ | | | -changepw option. |
+ | | | -nocertdb |
+ | | | Do not open the |
| | | certificate or key databases. |
| | | This has several |
- | | |            effects: |
- | | |               o With the |
+ | | | effects: |
+ | | | o With the |
| | | -create command, only a module |
| | | security file is |
- | | |                 created; |
+ | | | created; |
| | | certificate and key databases |
| | | are not created. |
- | | |               o With the -jar |
+ | | | o With the -jar |
| | | command, signatures on the JAR |
| | | file are not |
- | | |                 checked. |
- | | |               o With the |
+ | | | checked. |
+ | | | o With the |
| | | -changepw command, the |
| | | password on the NSS internal |
- | | |                 module cannot |
+ | | | module cannot |
| | | be set or changed, since this |
| | | password is |
- | | |                 stored in the |
+ | | | stored in the |
| | | key database. |
- | | |    -pwfile old-password-file |
- | | |            Specify a text file |
+ | | | -pwfile old-password-file |
+ | | | Specify a text file |
| | | containing a token's existing |
| | | password so that |
- | | |            a password can be |
+ | | | a password can be |
| | | entered automatically when the |
| | | -changepw option |
- | | |            is used to change |
+ | | | is used to change |
| | | passwords. |
- | | |    -secmod secmodname |
- | | |            Give the name of |
+ | | | -secmod secmodname |
+ | | | Give the name of |
| | | the security module database |
| | | (like secmod.db) to |
- | | |            load. |
- | | |    -slot slotname |
- | | |            Specify a |
+ | | | load. |
+ | | | -slot slotname |
+ | | | Specify a |
| | | particular slot to be enabled |
| | | or disabled with the |
- | | |            -enable or -disable |
+ | | | -enable or -disable |
| | | options. |
- | | |    -string CONFIG_STRING |
- | | |            Pass a |
+ | | | -string CONFIG_STRING |
+ | | | Pass a |
| | | configuration string for the |
| | | module being added to the |
- | | |            database. |
- | | |    -tempdir |
+ | | | database. |
+ | | | -tempdir |
| | | temporary-directory |
- | | |            Give a directory |
+ | | | Give a directory |
| | | location where temporary files |
| | | are created during |
- | | |            the installation by |
+ | | | the installation by |
| | | the -jar option. If no |
| | | temporary directory is |
- | | |            specified, the |
+ | | | specified, the |
| | | current directory is used. |
| | | Usage and Examples |
- | | |    Creating Database Files |
- | | |    Before any operations can |
+ | | | Creating Database Files |
+ | | | Before any operations can |
| | | be performed, there must be a |
| | | set of security |
- | | |    databases available. |
+ | | | databases available. |
| | | modutil can be used to create |
| | | these files. The only |
- | | |    required argument is the |
+ | | | required argument is the |
| | | database that where the |
| | | databases will be |
- | | |    located. |
- | | |  modutil -create -dbdir |
+ | | | located. |
+ | | | modutil -create -dbdir |
| | | [sql:]directory |
- | | |    Adding a Cryptographic |
+ | | | Adding a Cryptographic |
| | | Module |
- | | |    Adding a PKCS #11 module |
+ | | | Adding a PKCS #11 module |
| | | means submitting a supporting |
| | | library file, |
- | | |    enabling its ciphers, and |
+ | | | enabling its ciphers, and |
| | | setting default provider |
| | | status for various |
- | | |    security mechanisms. This |
+ | | | security mechanisms. This |
| | | can be done by supplying all |
| | | of the information |
- | | |    through modutil directly or |
+ | | | through modutil directly or |
| | | by running a JAR file and |
| | | install script. For |
- | | |    the most basic case, simply |
+ | | | the most basic case, simply |
| | | upload the library: |
- | | |  modutil -add modulename |
+ | | | modutil -add modulename |
| | | -libfile library-file |
| | | [-ciphers cipher-enable-list] |
| | | [-mechanisms mechanism-list] |
- | | |    For example: |
- | | |  modutil -dbdir |
+ | | | For example: |
+ | | | modutil -dbdir |
| | | sql:/home/my/sharednssdb -add |
| | | "Example PKCS #11 Module" |
| | | -libfile "/tmp/crypto.so" |
| | | -mechanisms RSA:DSA:RC2:RANDOM |
- | | |  Using database directory ... |
- | | |  Module "Example PKCS #11 |
+ | | | Using database directory ... |
+ | | | Module "Example PKCS #11 |
| | | Module" added to database. |
- | | |    Installing a Cryptographic |
+ | | | Installing a Cryptographic |
| | | Module from a JAR File |
- | | |    PKCS #11 modules can also |
+ | | | PKCS #11 modules can also |
| | | be loaded using a JAR file, |
| | | which contains all |
- | | |    of the required libraries |
+ | | | of the required libraries |
| | | and an installation script |
| | | that describes how to |
- | | |    install the module. The JAR |
+ | | | install the module. The JAR |
| | | install script is described in |
| | | more detail in |
- | | |    [1]the section called “JAR |
+ | | | [1]the section called “JAR |
| | | Installation File Format”. |
- | | |    The JAR installation script |
+ | | | The JAR installation script |
| | | defines the setup information |
| | | for each |
- | | |    platform that the module |
+ | | | platform that the module |
| | | can be installed on. For |
| | | example: |
- | | |  Platforms { |
- | | |     Linux:5.4.08:x86 { |
- | | |        ModuleName { "Example |
+ | | | Platforms { |
+ | | | Linux:5.4.08:x86 { |
+ | | | ModuleName { "Example |
| | | PKCS #11 Module" } |
- | | |        ModuleFile { crypto.so |
+ | | | ModuleFile { crypto.so |
| | | } |
- | | |        |
+ | | | |
| | | DefaultMechanismFlags{0x0000} |
- | | |        |
+ | | | |
| | | CipherEnableFlags{0x0000} |
- | | |        Files { |
- | | |           crypto.so { |
- | | |              Path{ |
+ | | | Files { |
+ | | | crypto.so { |
+ | | | Path{ |
| | | /tmp/crypto.so } |
- | | |           } |
- | | |           setup.sh { |
- | | |              Executable |
- | | |              Path{ |
+ | | | } |
+ | | | setup.sh { |
+ | | | Executable |
+ | | | Path{ |
| | | /tmp/setup.sh } |
- | | |           } |
- | | |        } |
- | | |     } |
- | | |     Linux:6.0.0:x86 { |
- | | |        EquivalentPlatform { |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | Linux:6.0.0:x86 { |
+ | | | EquivalentPlatform { |
| | | Linux:5.4.08:x86 } |
- | | |     } |
- | | |  } |
- | | |    Both the install script and |
+ | | | } |
+ | | | } |
+ | | | Both the install script and |
| | | the required libraries must be |
| | | bundled in a |
- | | |    JAR file, which is |
+ | | | JAR file, which is |
| | | specified with the -jar |
| | | argument. |
- | | |  modutil -dbdir |
+ | | | modutil -dbdir |
| | | sql:/home/mt |
| | | "jar-install-filey/sharednssdb |
| | | -jar install.jar -installdir |
| | | sql:/home/my/sharednssdb |
- | | |  This installation JAR file |
+ | | | This installation JAR file |
| | | was signed by: |
- | | |  ---------------- |
+ | | | ---------------- |
| | | ------------------------------ |
- | | |  **SUBJECT NAME*\* |
- | | |  C=US, ST=California, |
+ | | | **SUBJECT NAME*\* |
+ | | | C=US, ST=California, |
| | | L=Mountain View, |
| | | CN=Cryptorific Inc., |
| | | OU=Digital ID |
- | | |  Class 3 - Netscape Object |
+ | | | Class 3 - Netscape Object |
| | | Signing, |
| | | OU="w |
| | | ww.verisign.com/repository/CPS |
- | | |  Incorp. by Ref.,LIAB.LTD(c)9 |
+ | | | Incorp. by Ref.,LIAB.LTD(c)9 |
| | | 6", OU=www.verisign.com/CPS |
| | | Incorp.by Ref |
- | | |  . LIABILITY LTD.(c)97 |
+ | | | . LIABILITY LTD.(c)97 |
| | | VeriSign, OU=VeriSign Object |
| | | Signing CA - Class 3 |
- | | |  Organization, OU="VeriSign, |
+ | | | Organization, OU="VeriSign, |
| | | Inc.", O=VeriSign Trust |
| | | Network \**ISSUER |
- | | |  NAME**, |
+ | | | NAME**, |
| | | OU=www.verisign.com/CPS |
| | | Incorp.by Ref. LIABILITY |
| | | LTD.(c)97 |
- | | |  VeriSign, OU=VeriSign Object |
+ | | | VeriSign, OU=VeriSign Object |
| | | Signing CA - Class 3 |
| | | Organization, |
- | | |  OU="VeriSign, Inc.", |
+ | | | OU="VeriSign, Inc.", |
| | | O=VeriSign Trust Network |
- | | |  ---------------- |
+ | | | ---------------- |
| | | ------------------------------ |
- | | |  Do you wish to continue this |
+ | | | Do you wish to continue this |
| | | installation? (y/n) y |
- | | |  Using installer script |
+ | | | Using installer script |
| | | "installer_script" |
- | | |  Successfully parsed |
+ | | | Successfully parsed |
| | | installation script |
- | | |  Current platform is |
+ | | | Current platform is |
| | | Linux:5.4.08:x86 |
- | | |  Using installation parameters |
+ | | | Using installation parameters |
| | | for platform Linux:5.4.08:x86 |
- | | |  Installed file crypto.so to |
+ | | | Installed file crypto.so to |
| | | /tmp/crypto.so |
- | | |  Installed file setup.sh to |
+ | | | Installed file setup.sh to |
| | | ./pk11inst.dir/setup.sh |
- | | |  Executing |
+ | | | Executing |
| | | "./pk11inst.dir/setup.sh"... |
- | | |  "./pk11inst.dir/setup.sh" |
+ | | | "./pk11inst.dir/setup.sh" |
| | | executed successfully |
- | | |  Installed module "Example |
+ | | | Installed module "Example |
| | | PKCS #11 Module" into module |
| | | database |
- | | |  Installation completed |
+ | | | Installation completed |
| | | successfully |
- | | |    Adding Module Spec |
- | | |    Each module has information |
+ | | | Adding Module Spec |
+ | | | Each module has information |
| | | stored in the security |
| | | database about its |
- | | |    configuration and |
+ | | | configuration and |
| | | parameters. These can be added |
| | | or edited using the |
- | | |    -rawadd command. For the |
+ | | | -rawadd command. For the |
| | | current settings or to see the |
| | | format of the |
- | | |    module spec in the |
+ | | | module spec in the |
| | | database, use the -rawlist |
| | | option. |
- | | |  modutil -rawadd modulespec |
- | | |    Deleting a Module |
- | | |    A specific PKCS #11 module |
+ | | | modutil -rawadd modulespec |
+ | | | Deleting a Module |
+ | | | A specific PKCS #11 module |
| | | can be deleted from the |
| | | secmod.db database: |
- | | |  modutil -delete modulename |
+ | | | modutil -delete modulename |
| | | -dbdir [sql:]directory |
- | | |    Displaying Module |
+ | | | Displaying Module |
| | | Information |
- | | |    The secmod.db database |
+ | | | The secmod.db database |
| | | contains information about the |
| | | PKCS #11 modules |
- | | |    that are available to an |
+ | | | that are available to an |
| | | application or server to use. |
| | | The list of all |
- | | |    modules, information about |
+ | | | modules, information about |
| | | specific modules, and database |
| | | configuration |
- | | |    specs for modules can all |
+ | | | specs for modules can all |
| | | be viewed. |
- | | |    To simply get a list of |
+ | | | To simply get a list of |
| | | modules in the database, use |
| | | the -list command. |
- | | |  modutil -list [modulename] |
+ | | | modutil -list [modulename] |
| | | -dbdir [sql:]directory |
- | | |    Listing the modules shows |
+ | | | Listing the modules shows |
| | | the module name, their status, |
| | | and other |
- | | |    associated security |
+ | | | associated security |
| | | databases for certificates and |
| | | keys. For example: |
- | | |  modutil -list -dbdir |
+ | | | modutil -list -dbdir |
| | | sql:/home/my/sharednssdb |
- | | |  Listing of PKCS #11 Modules |
- | | |  ----------------------------- |
+ | | | Listing of PKCS #11 Modules |
+ | | | ----------------------------- |
| | | ------------------------------ |
- | | |    1. NSS Internal PKCS #11 |
+ | | | 1. NSS Internal PKCS #11 |
| | | Module |
- | | |           slots: 2 slots |
+ | | | slots: 2 slots |
| | | attached |
- | | |          status: loaded |
- | | |           slot: NSS Internal |
+ | | | status: loaded |
+ | | | slot: NSS Internal |
| | | Cryptographic Services |
- | | |          token: NSS Generic |
+ | | | token: NSS Generic |
| | | Crypto Services |
- | | |           slot: NSS User |
+ | | | slot: NSS User |
| | | Private Key and Certificate |
| | | Services |
- | | |          token: NSS |
+ | | | token: NSS |
| | | Certificate DB |
- | | |  ----------------------------- |
+ | | | ----------------------------- |
| | | ------------------------------ |
- | | |    Passing a specific module |
+ | | | Passing a specific module |
| | | name with the -list returns |
| | | details information |
- | | |    about the module itself, |
+ | | | about the module itself, |
| | | like supported cipher |
| | | mechanisms, version |
- | | |    numbers, serial numbers, |
+ | | | numbers, serial numbers, |
| | | and other information about |
| | | the module and the |
- | | |    token it is loaded on. For |
+ | | | token it is loaded on. For |
| | | example: |
- | | |   modutil -list "NSS Internal |
+ | | | modutil -list "NSS Internal |
| | | PKCS #11 Module" -dbdir |
| | | sql:/home/my/sharednssdb |
- | | |  ----------------------------- |
+ | | | ----------------------------- |
| | | ------------------------------ |
- | | |  Name: NSS Internal PKCS #11 |
+ | | | Name: NSS Internal PKCS #11 |
| | | Module |
- | | |  Library file: \**Internal |
+ | | | Library file: \**Internal |
| | | ONLY module*\* |
- | | |  Manufacturer: Mozilla |
+ | | | Manufacturer: Mozilla |
| | | Foundation |
- | | |  Description: NSS Internal |
+ | | | Description: NSS Internal |
| | | Crypto Services |
- | | |  PKCS #11 Version 2.20 |
- | | |  Library Version: 3.11 |
- | | |  Cipher Enable Flags: None |
- | | |  Default Mechanism Flags: |
+ | | | PKCS #11 Version 2.20 |
+ | | | Library Version: 3.11 |
+ | | | Cipher Enable Flags: None |
+ | | | Default Mechanism Flags: |
| | | RSA:RC2:RC4:D |
| | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES |
- | | |    Slot: NSS Internal |
+ | | | Slot: NSS Internal |
| | | Cryptographic Services |
- | | |    Slot Mechanism Flags: |
+ | | | Slot Mechanism Flags: |
| | | RSA:RC2:RC4:D |
| | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES |
- | | |    Manufacturer: Mozilla |
+ | | | Manufacturer: Mozilla |
| | | Foundation |
- | | |    Type: Software |
- | | |    Version Number: 3.11 |
- | | |    Firmware Version: 0.0 |
- | | |    Status: Enabled |
- | | |    Token Name: NSS Generic |
+ | | | Type: Software |
+ | | | Version Number: 3.11 |
+ | | | Firmware Version: 0.0 |
+ | | | Status: Enabled |
+ | | | Token Name: NSS Generic |
| | | Crypto Services |
- | | |    Token Manufacturer: Mozilla |
+ | | | Token Manufacturer: Mozilla |
| | | Foundation |
- | | |    Token Model: NSS 3 |
- | | |    Token Serial Number: |
+ | | | Token Model: NSS 3 |
+ | | | Token Serial Number: |
| | | 0000000000000000 |
- | | |    Token Version: 4.0 |
- | | |    Token Firmware Version: 0.0 |
- | | |    Access: Write Protected |
- | | |    Login Type: Public (no |
+ | | | Token Version: 4.0 |
+ | | | Token Firmware Version: 0.0 |
+ | | | Access: Write Protected |
+ | | | Login Type: Public (no |
| | | login required) |
- | | |    User Pin: NOT Initialized |
- | | |    Slot: NSS User Private Key |
+ | | | User Pin: NOT Initialized |
+ | | | Slot: NSS User Private Key |
| | | and Certificate Services |
- | | |    Slot Mechanism Flags: None |
- | | |    Manufacturer: Mozilla |
+ | | | Slot Mechanism Flags: None |
+ | | | Manufacturer: Mozilla |
| | | Foundation |
- | | |    Type: Software |
- | | |    Version Number: 3.11 |
- | | |    Firmware Version: 0.0 |
- | | |    Status: Enabled |
- | | |    Token Name: NSS Certificate |
+ | | | Type: Software |
+ | | | Version Number: 3.11 |
+ | | | Firmware Version: 0.0 |
+ | | | Status: Enabled |
+ | | | Token Name: NSS Certificate |
| | | DB |
- | | |    Token Manufacturer: Mozilla |
+ | | | Token Manufacturer: Mozilla |
| | | Foundation |
- | | |    Token Model: NSS 3 |
- | | |    Token Serial Number: |
+ | | | Token Model: NSS 3 |
+ | | | Token Serial Number: |
| | | 0000000000000000 |
- | | |    Token Version: 8.3 |
- | | |    Token Firmware Version: 0.0 |
- | | |    Access: NOT Write Protected |
- | | |    Login Type: Login required |
- | | |    User Pin: Initialized |
- | | |    A related command, -rawlist |
+ | | | Token Version: 8.3 |
+ | | | Token Firmware Version: 0.0 |
+ | | | Access: NOT Write Protected |
+ | | | Login Type: Login required |
+ | | | User Pin: Initialized |
+ | | | A related command, -rawlist |
| | | returns information about the |
| | | database |
- | | |    configuration for the |
+ | | | configuration for the |
| | | modules. (This information can |
| | | be edited by loading |
- | | |    new specs using the -rawadd |
+ | | | new specs using the -rawadd |
| | | command.) |
- | | |   modutil -rawlist -dbdir |
+ | | | modutil -rawlist -dbdir |
| | | sql:/home/my/sharednssdb |
- | | |   name="NSS Internal PKCS #11 |
+ | | | name="NSS Internal PKCS #11 |
| | | Module" |
| | | parameters="configdir=. |
| | | certPrefix= keyPrefix= |
@@ -7739,675 +7739,675 @@ Index
| | | slotParams={0x00000001=[ |
| | | slotFlags=RSA,RC4,RC2,DES,DH,S |
| | | HA1,MD5,MD2,SSL,TLS,AES,RANDOM |
- | | | askpw=any timeout=30 ] }  |
+ | | | askpw=any timeout=30 ] } |
| | | Flags=internal,critical" |
- | | |    Setting a Default Provider |
+ | | | Setting a Default Provider |
| | | for Security Mechanisms |
- | | |    Multiple security modules |
+ | | | Multiple security modules |
| | | may provide support for the |
| | | same security |
- | | |    mechanisms. It is possible |
+ | | | mechanisms. It is possible |
| | | to set a specific security |
| | | module as the |
- | | |    default provider for a |
+ | | | default provider for a |
| | | specific security mechanism |
| | | (or, conversely, to |
- | | |    prohibit a provider from |
+ | | | prohibit a provider from |
| | | supplying those mechanisms). |
- | | |  modutil -default modulename |
+ | | | modutil -default modulename |
| | | -mechanisms mechanism-list |
- | | |    To set a module as the |
+ | | | To set a module as the |
| | | default provider for |
| | | mechanisms, use the -default |
- | | |    command with a |
+ | | | command with a |
| | | colon-separated list of |
| | | mechanisms. The available |
- | | |    mechanisms depend on the |
+ | | | mechanisms depend on the |
| | | module; NSS supplies almost |
| | | all common |
- | | |    mechanisms. For example: |
- | | |  modutil -default "NSS |
+ | | | mechanisms. For example: |
+ | | | modutil -default "NSS |
| | | Internal PKCS #11 Module" |
| | | -dbdir -mechanisms RSA:DSA:RC2 |
- | | |  Using database directory |
+ | | | Using database directory |
| | | c:\databases... |
- | | |  Successfully changed |
+ | | | Successfully changed |
| | | defaults. |
- | | |    Clearing the default |
+ | | | Clearing the default |
| | | provider has the same format: |
- | | |  modutil -undefault "NSS |
+ | | | modutil -undefault "NSS |
| | | Internal PKCS #11 Module" |
| | | -dbdir -mechanisms MD2:MD5 |
- | | |    Enabling and Disabling |
+ | | | Enabling and Disabling |
| | | Modules and Slots |
- | | |    Modules, and specific slots |
+ | | | Modules, and specific slots |
| | | on modules, can be selectively |
| | | enabled or |
- | | |    disabled using modutil. |
+ | | | disabled using modutil. |
| | | Both commands have the same |
| | | format: |
- | | |  modutil -enable|-disable |
+ | | | modutil -enable|-disable |
| | | modulename [-slot slotname] |
- | | |    For example: |
- | | |  modutil -enable "NSS Internal |
+ | | | For example: |
+ | | | modutil -enable "NSS Internal |
| | | PKCS #11 Module" -slot "NSS |
| | | Internal Cryptographic |
| | | Servi |
- | | | ces                            |
+ | | | ces |
| | | " -dbdir . |
- | | |  Slot "NSS Internal |
+ | | | Slot "NSS Internal |
| | | Cryptographic |
| | | Servi |
- | | | ces                            |
+ | | | ces |
| | | " enabled. |
- | | |    Be sure that the |
+ | | | Be sure that the |
| | | appropriate amount of trailing |
| | | whitespace is after the |
- | | |    slot name. Some slot names |
+ | | | slot name. Some slot names |
| | | have a significant amount of |
| | | whitespace that |
- | | |    must be included, or the |
+ | | | must be included, or the |
| | | operation will fail. |
- | | |    Enabling and Verifying FIPS |
+ | | | Enabling and Verifying FIPS |
| | | Compliance |
- | | |    The NSS modules can have |
+ | | | The NSS modules can have |
| | | FIPS 140-2 compliance enabled |
| | | or disabled using |
- | | |    modutil with the -fips |
+ | | | modutil with the -fips |
| | | option. For example: |
- | | |  modutil -fips true -dbdir |
+ | | | modutil -fips true -dbdir |
| | | sql:/home/my/sharednssdb/ |
- | | |  FIPS mode enabled. |
- | | |    To verify that status of |
+ | | | FIPS mode enabled. |
+ | | | To verify that status of |
| | | FIPS mode, run the -chkfips |
| | | command with either a |
- | | |    true or false flag (it |
+ | | | true or false flag (it |
| | | doesn't matter which). The |
| | | tool returns the current |
- | | |    FIPS setting. |
- | | |  modutil -chkfips false -dbdir |
+ | | | FIPS setting. |
+ | | | modutil -chkfips false -dbdir |
| | | sql:/home/my/sharednssdb/ |
- | | |  FIPS mode enabled. |
- | | |    Changing the Password on a |
+ | | | FIPS mode enabled. |
+ | | | Changing the Password on a |
| | | Token |
- | | |    Initializing or changing a |
+ | | | Initializing or changing a |
| | | token's password: |
- | | |  modutil -changepw tokenname |
+ | | | modutil -changepw tokenname |
| | | [-pwfile old-password-file] |
| | | [-newpwfile new-password-file] |
- | | |  modutil -dbdir |
+ | | | modutil -dbdir |
| | | sql:/home/my/sharednssdb |
| | | -changepw "NSS Certificate DB" |
- | | |  Enter old password: |
- | | |  Incorrect password, try |
+ | | | Enter old password: |
+ | | | Incorrect password, try |
| | | again... |
- | | |  Enter old password: |
- | | |  Enter new password: |
- | | |  Re-enter new password: |
- | | |  Token "Communicator |
+ | | | Enter old password: |
+ | | | Enter new password: |
+ | | | Re-enter new password: |
+ | | | Token "Communicator |
| | | Certificate DB" password |
| | | changed successfully. |
| | | JAR Installation File Format |
- | | |    When a JAR file is run by a |
+ | | | When a JAR file is run by a |
| | | server, by modutil, or by any |
| | | program that |
- | | |    does not interpret |
+ | | | does not interpret |
| | | JavaScript, a special |
| | | information file must be |
| | | included |
- | | |    to install the libraries. |
+ | | | to install the libraries. |
| | | There are several things to |
| | | keep in mind with |
- | | |    this file: |
- | | |      o It must be declared in |
+ | | | this file: |
+ | | | o It must be declared in |
| | | the JAR archive's manifest |
| | | file. |
- | | |      o The script can have any |
+ | | | o The script can have any |
| | | name. |
- | | |      o The metainfo tag for |
+ | | | o The metainfo tag for |
| | | this is Pkcs11_install_script. |
| | | To declare |
- | | |        meta-information in the |
+ | | | meta-information in the |
| | | manifest file, put it in a |
| | | file that is passed |
- | | |        to signtool. |
- | | |    Sample Script |
- | | |    For example, the PKCS #11 |
+ | | | to signtool. |
+ | | | Sample Script |
+ | | | For example, the PKCS #11 |
| | | installer script could be in |
| | | the file |
- | | |    pk11install. If so, the |
+ | | | pk11install. If so, the |
| | | metainfo file for signtool |
| | | includes a line such as |
- | | |    this: |
- | | |  + Pkcs11_install_script: |
+ | | | this: |
+ | | | + Pkcs11_install_script: |
| | | pk11install |
- | | |    The script must define the |
+ | | | The script must define the |
| | | platform and version number, |
| | | the module name |
- | | |    and file, and any optional |
+ | | | and file, and any optional |
| | | information like supported |
| | | ciphers and |
- | | |    mechanisms. Multiple |
+ | | | mechanisms. Multiple |
| | | platforms can be defined in a |
| | | single install file. |
- | | |  ForwardCompatible { |
+ | | | ForwardCompatible { |
| | | IRIX:6.2:mips |
| | | SUNOS:5.5.1:sparc } |
- | | |  Platforms { |
- | | |     WINNT::x86 { |
- | | |        ModuleName { "Example |
+ | | | Platforms { |
+ | | | WINNT::x86 { |
+ | | | ModuleName { "Example |
| | | Module" } |
- | | |        ModuleFile { |
+ | | | ModuleFile { |
| | | win32/fort32.dll } |
- | | |        |
+ | | | |
| | | DefaultMechanismFlags{0x0001} |
- | | |        |
+ | | | |
| | | DefaultCipherFlags{0x0001} |
- | | |        Files { |
- | | |           win32/setup.exe { |
- | | |              Executable |
- | | |              RelativePath { |
+ | | | Files { |
+ | | | win32/setup.exe { |
+ | | | Executable |
+ | | | RelativePath { |
| | | %temp%/setup.exe } |
- | | |           } |
- | | |           win32/setup.hlp { |
- | | |              RelativePath { |
+ | | | } |
+ | | | win32/setup.hlp { |
+ | | | RelativePath { |
| | | %temp%/setup.hlp } |
- | | |           } |
- | | |           win32/setup.cab { |
- | | |              RelativePath { |
+ | | | } |
+ | | | win32/setup.cab { |
+ | | | RelativePath { |
| | | %temp%/setup.cab } |
- | | |           } |
- | | |        } |
- | | |     } |
- | | |     WIN95::x86 { |
- | | |        EquivalentPlatform |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | WIN95::x86 { |
+ | | | EquivalentPlatform |
| | | {WINNT::x86} |
- | | |     } |
- | | |     SUNOS:5.5.1:sparc { |
- | | |        ModuleName { "Example |
+ | | | } |
+ | | | SUNOS:5.5.1:sparc { |
+ | | | ModuleName { "Example |
| | | UNIX Module" } |
- | | |        ModuleFile { |
+ | | | ModuleFile { |
| | | unix/fort.so } |
- | | |        |
+ | | | |
| | | DefaultMechanismFlags{0x0001} |
- | | |        |
+ | | | |
| | | CipherEnableFlags{0x0001} |
- | | |        Files { |
- | | |           unix/fort.so { |
- | | |              |
+ | | | Files { |
+ | | | unix/fort.so { |
+ | | | |
| | | Re |
| | | lativePath{%root%/lib/fort.so} |
- | | |              |
+ | | | |
| | | AbsolutePath{/u |
| | | sr/local/netscape/lib/fort.so} |
- | | |              |
+ | | | |
| | | FilePermissions{555} |
- | | |           } |
- | | |           xplat/instr.html { |
- | | |              |
+ | | | } |
+ | | | xplat/instr.html { |
+ | | | |
| | | Relat |
| | | ivePath{%root%/docs/inst.html} |
- | | |              |
+ | | | |
| | | AbsolutePath{/usr/ |
| | | local/netscape/docs/inst.html} |
- | | |              |
+ | | | |
| | | FilePermissions{555} |
- | | |           } |
- | | |        } |
- | | |     } |
- | | |     IRIX:6.2:mips { |
- | | |        EquivalentPlatform { |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | IRIX:6.2:mips { |
+ | | | EquivalentPlatform { |
| | | SUNOS:5.5.1:sparc } |
- | | |     } |
- | | |  } |
- | | |    Script Grammar |
- | | |    The script is basic Java, |
+ | | | } |
+ | | | } |
+ | | | Script Grammar |
+ | | | The script is basic Java, |
| | | allowing lists, key-value |
| | | pairs, strings, and |
- | | |    combinations of all of |
+ | | | combinations of all of |
| | | them. |
- | | |  --> valuelist |
- | | |  valuelist --> value valuelist |
- | | |                 <null> |
- | | |  value ---> key_value_pair |
- | | |              string |
- | | |  key_value_pair --> key { |
+ | | | --> valuelist |
+ | | | valuelist --> value valuelist |
+ | | | <null> |
+ | | | value ---> key_value_pair |
+ | | | string |
+ | | | key_value_pair --> key { |
| | | valuelist } |
- | | |  key --> string |
- | | |  string --> simple_string |
- | | |              "complex_string" |
- | | |  simple_string --> [^ |
+ | | | key --> string |
+ | | | string --> simple_string |
+ | | | "complex_string" |
+ | | | simple_string --> [^ |
| | | \\t\n\""{""}"]+ |
- | | |  complex_string --> |
+ | | | complex_string --> |
| | | ([^\"\\\r\n]|(\\\")|(\\\\))+ |
- | | |    Quotes and backslashes must |
+ | | | Quotes and backslashes must |
| | | be escaped with a backslash. A |
| | | complex string |
- | | |    must not include newlines |
+ | | | must not include newlines |
| | | or carriage returns.Outside of |
| | | complex strings, |
- | | |    all white space (for |
+ | | | all white space (for |
| | | example, spaces, tabs, and |
| | | carriage returns) is |
- | | |    considered equal and is |
+ | | | considered equal and is |
| | | used only to delimit tokens. |
- | | |    Keys |
- | | |    The Java install file uses |
+ | | | Keys |
+ | | | The Java install file uses |
| | | keys to define the platform |
| | | and module |
- | | |    information. |
- | | |    ForwardCompatible gives a |
+ | | | information. |
+ | | | ForwardCompatible gives a |
| | | list of platforms that are |
| | | forward compatible. |
- | | |    If the current platform |
+ | | | If the current platform |
| | | cannot be found in the list of |
| | | supported |
- | | |    platforms, then the |
+ | | | platforms, then the |
| | | ForwardCompatible list is |
| | | checked for any platforms |
- | | |    that have the same OS and |
+ | | | that have the same OS and |
| | | architecture in an earlier |
| | | version. If one is |
- | | |    found, its attributes are |
+ | | | found, its attributes are |
| | | used for the current platform. |
- | | |    Platforms (required) Gives |
+ | | | Platforms (required) Gives |
| | | a list of platforms. Each |
| | | entry in the list is |
- | | |    itself a key-value pair: |
+ | | | itself a key-value pair: |
| | | the key is the name of the |
| | | platform and the value |
- | | |    list contains various |
+ | | | list contains various |
| | | attributes of the platform. |
| | | The platform string is |
- | | |    in the format system |
+ | | | in the format system |
| | | name:OS release:architecture. |
| | | The installer obtains |
- | | |    these values from NSPR. OS |
+ | | | these values from NSPR. OS |
| | | release is an empty string on |
| | | non-Unix |
- | | |    operating systems. NSPR |
+ | | | operating systems. NSPR |
| | | supports these platforms: |
- | | |      o AIX (rs6000) |
- | | |      o BSDI (x86) |
- | | |      o FREEBSD (x86) |
- | | |      o HPUX (hppa1.1) |
- | | |      o IRIX (mips) |
- | | |      o LINUX (ppc, alpha, x86) |
- | | |      o MacOS (PowerPC) |
- | | |      o NCR (x86) |
- | | |      o NEC (mips) |
- | | |      o OS2 (x86) |
- | | |      o OSF (alpha) |
- | | |      o ReliantUNIX (mips) |
- | | |      o SCO (x86) |
- | | |      o SOLARIS (sparc) |
- | | |      o SONY (mips) |
- | | |      o SUNOS (sparc) |
- | | |      o UnixWare (x86) |
- | | |      o WIN16 (x86) |
- | | |      o WIN95 (x86) |
- | | |      o WINNT (x86) |
- | | |    For example: |
- | | |  IRIX:6.2:mips |
- | | |  SUNOS:5.5.1:sparc |
- | | |  Linux:2.0.32:x86 |
- | | |  WIN95::x86 |
- | | |    The module information is |
+ | | | o AIX (rs6000) |
+ | | | o BSDI (x86) |
+ | | | o FREEBSD (x86) |
+ | | | o HPUX (hppa1.1) |
+ | | | o IRIX (mips) |
+ | | | o LINUX (ppc, alpha, x86) |
+ | | | o MacOS (PowerPC) |
+ | | | o NCR (x86) |
+ | | | o NEC (mips) |
+ | | | o OS2 (x86) |
+ | | | o OSF (alpha) |
+ | | | o ReliantUNIX (mips) |
+ | | | o SCO (x86) |
+ | | | o SOLARIS (sparc) |
+ | | | o SONY (mips) |
+ | | | o SUNOS (sparc) |
+ | | | o UnixWare (x86) |
+ | | | o WIN16 (x86) |
+ | | | o WIN95 (x86) |
+ | | | o WINNT (x86) |
+ | | | For example: |
+ | | | IRIX:6.2:mips |
+ | | | SUNOS:5.5.1:sparc |
+ | | | Linux:2.0.32:x86 |
+ | | | WIN95::x86 |
+ | | | The module information is |
| | | defined independently for each |
| | | platform in the |
- | | |    ModuleName, ModuleFile, and |
+ | | | ModuleName, ModuleFile, and |
| | | Files attributes. These |
| | | attributes must be |
- | | |    given unless an |
+ | | | given unless an |
| | | EquivalentPlatform attribute |
| | | is specified. |
- | | |    Per-Platform Keys |
- | | |    Per-platform keys have |
+ | | | Per-Platform Keys |
+ | | | Per-platform keys have |
| | | meaning only within the value |
| | | list of an entry in |
- | | |    the Platforms list. |
- | | |    ModuleName (required) gives |
+ | | | the Platforms list. |
+ | | | ModuleName (required) gives |
| | | the common name for the |
| | | module. This name is |
- | | |    used to reference the |
+ | | | used to reference the |
| | | module by servers and by the |
| | | modutil tool. |
- | | |    ModuleFile (required) names |
+ | | | ModuleFile (required) names |
| | | the PKCS #11 module file for |
| | | this platform. |
- | | |    The name is given as the |
+ | | | The name is given as the |
| | | relative path of the file |
| | | within the JAR archive. |
- | | |    Files (required) lists the |
+ | | | Files (required) lists the |
| | | files that need to be |
| | | installed for this |
- | | |    module. Each entry in the |
+ | | | module. Each entry in the |
| | | file list is a key-value pair. |
| | | The key is the |
- | | |    path of the file in the JAR |
+ | | | path of the file in the JAR |
| | | archive, and the value list |
| | | contains |
- | | |    attributes of the file. At |
+ | | | attributes of the file. At |
| | | least RelativePath or |
| | | AbsolutePath must be |
- | | |    specified for each file. |
- | | |    DefaultMechanismFlags |
+ | | | specified for each file. |
+ | | | DefaultMechanismFlags |
| | | specifies mechanisms for which |
| | | this module is the |
- | | |    default provider; this is |
+ | | | default provider; this is |
| | | equivalent to the -mechanism |
| | | option with the |
- | | |    -add command. This |
+ | | | -add command. This |
| | | key-value pair is a bitstring |
| | | specified in hexadecimal |
- | | |    (0x) format. It is |
+ | | | (0x) format. It is |
| | | constructed as a bitwise OR. |
| | | If the |
- | | |    DefaultMechanismFlags entry |
+ | | | DefaultMechanismFlags entry |
| | | is omitted, the value defaults |
| | | to 0x0. |
- | | |  RSA:                   |
+ | | | RSA: |
| | | 0x00000001 |
- | | |  DSA:                   |
+ | | | DSA: |
| | | 0x00000002 |
- | | |  RC2:                   |
+ | | | RC2: |
| | | 0x00000004 |
- | | |  RC4:                   |
+ | | | RC4: |
| | | 0x00000008 |
- | | |  DES:                   |
+ | | | DES: |
| | | 0x00000010 |
- | | |  DH:                    |
+ | | | DH: |
| | | 0x00000020 |
- | | |  FORTEZZA:              |
+ | | | FORTEZZA: |
| | | 0x00000040 |
- | | |  RC5:                   |
+ | | | RC5: |
| | | 0x00000080 |
- | | |  SHA1:                  |
+ | | | SHA1: |
| | | 0x00000100 |
- | | |  MD5:                   |
+ | | | MD5: |
| | | 0x00000200 |
- | | |  MD2:                   |
+ | | | MD2: |
| | | 0x00000400 |
- | | |  RANDOM:                |
+ | | | RANDOM: |
| | | 0x08000000 |
- | | |  FRIENDLY:              |
+ | | | FRIENDLY: |
| | | 0x10000000 |
- | | |  OWN_PW_DEFAULTS:       |
+ | | | OWN_PW_DEFAULTS: |
| | | 0x20000000 |
- | | |  DISABLE:               |
+ | | | DISABLE: |
| | | 0x40000000 |
- | | |    CipherEnableFlags specifies |
+ | | | CipherEnableFlags specifies |
| | | ciphers that this module |
| | | provides that NSS |
- | | |    does not provide (so that |
+ | | | does not provide (so that |
| | | the module enables those |
| | | ciphers for NSS). This |
- | | |    is equivalent to the |
+ | | | is equivalent to the |
| | | -cipher argument with the -add |
| | | command. This key is a |
- | | |    bitstring specified in |
+ | | | bitstring specified in |
| | | hexadecimal (0x) format. It is |
| | | constructed as a |
- | | |    bitwise OR. If the |
+ | | | bitwise OR. If the |
| | | CipherEnableFlags entry is |
| | | omitted, the value defaults |
- | | |    to 0x0. |
- | | |    EquivalentPlatform |
+ | | | to 0x0. |
+ | | | EquivalentPlatform |
| | | specifies that the attributes |
| | | of the named platform |
- | | |    should also be used for the |
+ | | | should also be used for the |
| | | current platform. This makes |
| | | it easier when |
- | | |    more than one platform uses |
+ | | | more than one platform uses |
| | | the same settings. |
- | | |    Per-File Keys |
- | | |    Some keys have meaning only |
+ | | | Per-File Keys |
+ | | | Some keys have meaning only |
| | | within the value list of an |
| | | entry in a Files |
- | | |    list. |
- | | |    Each file requires a path |
+ | | | list. |
+ | | | Each file requires a path |
| | | key the identifies where the |
| | | file is. Either |
- | | |    RelativePath or |
+ | | | RelativePath or |
| | | AbsolutePath must be |
| | | specified. If both are |
| | | specified, the |
- | | |    relative path is tried |
+ | | | relative path is tried |
| | | first, and the absolute path |
| | | is used only if no |
- | | |    relative root directory is |
+ | | | relative root directory is |
| | | provided by the installer |
| | | program. |
- | | |    RelativePath specifies the |
+ | | | RelativePath specifies the |
| | | destination directory of the |
| | | file, relative to |
- | | |    some directory decided at |
+ | | | some directory decided at |
| | | install time. Two variables |
| | | can be used in the |
- | | |    relative path: %root% and |
+ | | | relative path: %root% and |
| | | %temp%. %root% is replaced at |
| | | run time with the |
- | | |    directory relative to which |
+ | | | directory relative to which |
| | | files should be installed; for |
| | | example, it may |
- | | |    be the server's root |
+ | | | be the server's root |
| | | directory. The %temp% |
| | | directory is created at the |
- | | |    beginning of the |
+ | | | beginning of the |
| | | installation and destroyed at |
| | | the end. The purpose of |
- | | |    %temp% is to hold |
+ | | | %temp% is to hold |
| | | executable files (such as |
| | | setup programs) or files that |
- | | |    are used by these programs. |
+ | | | are used by these programs. |
| | | Files destined for the |
| | | temporary directory are |
- | | |    guaranteed to be in place |
+ | | | guaranteed to be in place |
| | | before any executable file is |
| | | run; they are not |
- | | |    deleted until all |
+ | | | deleted until all |
| | | executable files have |
| | | finished. |
- | | |    AbsolutePath specifies the |
+ | | | AbsolutePath specifies the |
| | | destination directory of the |
| | | file as an |
- | | |    absolute path. |
- | | |    Executable specifies that |
+ | | | absolute path. |
+ | | | Executable specifies that |
| | | the file is to be executed |
| | | during the course of |
- | | |    the installation. |
+ | | | the installation. |
| | | Typically, this string is used |
| | | for a setup program |
- | | |    provided by a module |
+ | | | provided by a module |
| | | vendor, such as a |
| | | self-extracting setup |
| | | executable. |
- | | |    More than one file can be |
+ | | | More than one file can be |
| | | specified as executable, in |
| | | which case the files |
- | | |    are run in the order in |
+ | | | are run in the order in |
| | | which they are specified in |
| | | the script file. |
- | | |    FilePermissions sets |
+ | | | FilePermissions sets |
| | | permissions on any referenced |
| | | files in a string of |
- | | |    octal digits, according to |
+ | | | octal digits, according to |
| | | the standard Unix format. This |
| | | string is a |
- | | |    bitwise OR. |
- | | |  user read:                |
+ | | | bitwise OR. |
+ | | | user read: |
| | | 0400 |
- | | |  user write:               |
+ | | | user write: |
| | | 0200 |
- | | |  user execute:             |
+ | | | user execute: |
| | | 0100 |
- | | |  group read:               |
+ | | | group read: |
| | | 0040 |
- | | |  group write:              |
+ | | | group write: |
| | | 0020 |
- | | |  group execute:            |
+ | | | group execute: |
| | | 0010 |
- | | |  other read:               |
+ | | | other read: |
| | | 0004 |
- | | |  other write:              |
+ | | | other write: |
| | | 0002 |
- | | |  other execute:       0001 |
- | | |    Some platforms may not |
+ | | | other execute: 0001 |
+ | | | Some platforms may not |
| | | understand these permissions. |
| | | They are applied only |
- | | |    insofar as they make sense |
+ | | | insofar as they make sense |
| | | for the current platform. If |
| | | this attribute is |
- | | |    omitted, a default of 777 |
+ | | | omitted, a default of 777 |
| | | is assumed. |
| | | NSS Database Types |
- | | |    NSS originally used |
+ | | | NSS originally used |
| | | BerkeleyDB databases to store |
| | | security information. |
- | | |    The last versions of these |
+ | | | The last versions of these |
| | | legacy databases are: |
- | | |      o cert8.db for |
+ | | | o cert8.db for |
| | | certificates |
- | | |      o key3.db for keys |
- | | |      o secmod.db for PKCS #11 |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
| | | module information |
- | | |    BerkeleyDB has performance |
+ | | | BerkeleyDB has performance |
| | | limitations, though, which |
| | | prevent it from |
- | | |    being easily used by |
+ | | | being easily used by |
| | | multiple applications |
| | | simultaneously. NSS has some |
- | | |    flexibility that allows |
+ | | | flexibility that allows |
| | | applications to use their own, |
| | | independent |
- | | |    database engine while |
+ | | | database engine while |
| | | keeping a shared database and |
| | | working around the |
- | | |    access issues. Still, NSS |
+ | | | access issues. Still, NSS |
| | | requires more flexibility to |
| | | provide a truly |
- | | |    shared security database. |
- | | |    In 2009, NSS introduced a |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
| | | new set of databases that are |
| | | SQLite databases |
- | | |    rather than BerkleyDB. |
+ | | | rather than BerkleyDB. |
| | | These new databases provide |
| | | more accessibility and |
- | | |    performance: |
- | | |      o cert9.db for |
+ | | | performance: |
+ | | | o cert9.db for |
| | | certificates |
- | | |      o key4.db for keys |
- | | |      o pkcs11.txt, which is |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
| | | listing of all of the PKCS #11 |
| | | modules contained |
- | | |        in a new subdirectory |
+ | | | in a new subdirectory |
| | | in the security databases |
| | | directory |
- | | |    Because the SQLite |
+ | | | Because the SQLite |
| | | databases are designed to be |
| | | shared, these are the |
- | | |    shared database type. The |
+ | | | shared database type. The |
| | | shared database type is |
| | | preferred; the legacy |
- | | |    format is included for |
+ | | | format is included for |
| | | backward compatibility. |
- | | |    By default, the tools |
+ | | | By default, the tools |
| | | (certutil, pk12util, modutil) |
| | | assume that the given |
- | | |    security databases follow |
+ | | | security databases follow |
| | | the more common legacy type. |
| | | Using the SQLite |
- | | |    databases must be manually |
+ | | | databases must be manually |
| | | specified by using the sql: |
| | | prefix with the |
- | | |    given security directory. |
+ | | | given security directory. |
| | | For example: |
- | | |  modutil -create -dbdir |
+ | | | modutil -create -dbdir |
| | | sql:/home/my/sharednssdb |
- | | |    To set the shared database |
+ | | | To set the shared database |
| | | type as the default type for |
| | | the tools, set the |
- | | |    NSS_DEFAULT_DB_TYPE |
+ | | | NSS_DEFAULT_DB_TYPE |
| | | environment variable to sql: |
- | | |  export |
+ | | | export |
| | | NSS_DEFAULT_DB_TYPE="sql" |
- | | |    This line can be set added |
+ | | | This line can be set added |
| | | to the ~/.bashrc file to make |
| | | the change |
- | | |    permanent. |
- | | |    Most applications do not |
+ | | | permanent. |
+ | | | Most applications do not |
| | | use the shared database by |
| | | default, but they can |
- | | |    be configured to use them. |
+ | | | be configured to use them. |
| | | For example, this how-to |
| | | article covers how to |
- | | |    configure Firefox and |
+ | | | configure Firefox and |
| | | Thunderbird to use the new |
| | | shared NSS databases: |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |    For an engineering draft on |
+ | | | For an engineering draft on |
| | | the changes in the shared NSS |
| | | databases, see |
- | | |    the NSS project wiki: |
- | | |      |
- | | | o https:// |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | See Also |
- | | |    certutil (1) |
- | | |    pk12util (1) |
- | | |    signtool (1) |
- | | |    The NSS wiki has |
+ | | | certutil (1) |
+ | | | pk12util (1) |
+ | | | signtool (1) |
+ | | | The NSS wiki has |
| | | information on the new |
| | | database design and how to |
- | | |    configure applications to |
+ | | | configure applications to |
| | | use it. |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |      |
- | | | o https:// |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [2]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. JAR Installation File |
+ | | | Visible links |
+ | | | 1. JAR Installation File |
| | | Format |
- | | |     |
+ | | | |
| | | ``file:///tmp/xmlto.6gGxS0/ |
| | | modutil.pro...r-install-file`` |
- | | |    2. |
+ | | | 2. |
| | | https://www.mozilla. |
| | | org/projects/security/pki/nss/ |
+--------------------------------+--------------------------------+--------------------------------+
@@ -8453,7 +8453,7 @@ Index
| | | perform basic operations, such |
| | | as encryption and decryption, |
| | | on `Cryptographic Message |
- | | | Syntax (CMS) <http://ww |
+ | | | Syntax (CMS) <http://ww |
| | | w.ietf.org/rfc/rfc2630.txt>`__ |
| | | messages. |
+--------------------------------+--------------------------------+--------------------------------+
@@ -8576,242 +8576,242 @@ Index
| | a_projects_nss_tools_pk12util` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    pk12util — Export and |
+ | | | pk12util — Export and |
| | | import keys and certificate to |
| | | or from a PKCS #12 |
- | | |    file and the NSS database |
+ | | | file and the NSS database |
| | | Synopsis |
- | | |    pk12util [-i p12File [-h |
+ | | | pk12util [-i p12File [-h |
| | | tokenname] [-v] |
| | | [common-options] ] [ -l |
| | | p12File |
- | | |    [-h tokenname] [-r] |
+ | | | [-h tokenname] [-r] |
| | | [common-options] ] [ -o |
| | | p12File -n certname [-c |
- | | |    keyCipher] [-C certCipher] |
+ | | | keyCipher] [-C certCipher] |
| | | [-m|--key_len keyLen] |
| | | [-n|--cert_key_len |
- | | |    certKeyLen] |
+ | | | certKeyLen] |
| | | [common-options] ] [ |
| | | common-options are: [-d |
| | | [sql:]directory] |
- | | |    [-P dbprefix] [-k |
+ | | | [-P dbprefix] [-k |
| | | slotPasswordFile|-K |
| | | slotPassword] [-w |
- | | |    p12filePasswordFile|-W |
+ | | | p12filePasswordFile|-W |
| | | p12filePassword] ] |
| | | Description |
- | | |    The PKCS #12 utility, |
+ | | | The PKCS #12 utility, |
| | | pk12util, enables sharing |
| | | certificates among any |
- | | |    server that supports |
+ | | | server that supports |
| | | PKCS#12. The tool can import |
| | | certificates and keys |
- | | |    from PKCS#12 files into |
+ | | | from PKCS#12 files into |
| | | security databases, export |
| | | certificates, and list |
- | | |    certificates and keys. |
+ | | | certificates and keys. |
| | | Options and Arguments |
- | | |    Options |
- | | |    -i p12file |
- | | |            Import keys and |
+ | | | Options |
+ | | | -i p12file |
+ | | | Import keys and |
| | | certificates from a PKCS#12 |
| | | file into a security |
- | | |            database. |
- | | |    -l p12file |
- | | |            List the keys and |
+ | | | database. |
+ | | | -l p12file |
+ | | | List the keys and |
| | | certificates in PKCS#12 file. |
- | | |    -o p12file |
- | | |            Export keys and |
+ | | | -o p12file |
+ | | | Export keys and |
| | | certificates from the security |
| | | database to a |
- | | |            PKCS#12 file. |
- | | |    Arguments |
- | | |    -n certname |
- | | |            Specify the |
+ | | | PKCS#12 file. |
+ | | | Arguments |
+ | | | -n certname |
+ | | | Specify the |
| | | nickname of the cert and |
| | | private key to export. |
- | | |    -d [sql:]directory |
- | | |            Specify the |
+ | | | -d [sql:]directory |
+ | | | Specify the |
| | | database directory into which |
| | | to import to or export |
- | | |            from certificates |
+ | | | from certificates |
| | | and keys. |
- | | |            pk12util supports |
+ | | | pk12util supports |
| | | two types of databases: the |
| | | legacy security |
- | | |            databases |
+ | | | databases |
| | | (cert8.db, key3.db, and |
| | | secmod.db) and new SQLite |
- | | |            databases |
+ | | | databases |
| | | (cert9.db, key4.db, and |
| | | pkcs11.txt). If the prefix |
| | | sql: |
- | | |            is not used, then |
+ | | | is not used, then |
| | | the tool assumes that the |
| | | given databases are in |
- | | |            the old format. |
- | | |    -P prefix |
- | | |            Specify the prefix |
+ | | | the old format. |
+ | | | -P prefix |
+ | | | Specify the prefix |
| | | used on the certificate and |
| | | key databases. This |
- | | |            option is provided |
+ | | | option is provided |
| | | as a special case. Changing |
| | | the names of the |
- | | |            certificate and key |
+ | | | certificate and key |
| | | databases is not recommended. |
- | | |    -h tokenname |
- | | |            Specify the name of |
+ | | | -h tokenname |
+ | | | Specify the name of |
| | | the token to import into or |
| | | export from. |
- | | |    -v |
- | | |            Enable debug |
+ | | | -v |
+ | | | Enable debug |
| | | logging when importing. |
- | | |    -k slotPasswordFile |
- | | |            Specify the text |
+ | | | -k slotPasswordFile |
+ | | | Specify the text |
| | | file containing the slot's |
| | | password. |
- | | |    -K slotPassword |
- | | |            Specify the slot's |
+ | | | -K slotPassword |
+ | | | Specify the slot's |
| | | password. |
- | | |    -w p12filePasswordFile |
- | | |            Specify the text |
+ | | | -w p12filePasswordFile |
+ | | | Specify the text |
| | | file containing the pkcs #12 |
| | | file password. |
- | | |    -W p12filePassword |
- | | |            Specify the pkcs |
+ | | | -W p12filePassword |
+ | | | Specify the pkcs |
| | | #12 file password. |
- | | |    -c keyCipher |
- | | |            Specify the key |
+ | | | -c keyCipher |
+ | | | Specify the key |
| | | encryption algorithm. |
- | | |    -C certCipher |
- | | |            Specify the key |
+ | | | -C certCipher |
+ | | | Specify the key |
| | | cert (overall package) |
| | | encryption algorithm. |
- | | |    -m \| --key-len keyLength |
- | | |            Specify the desired |
+ | | | -m \| --key-len keyLength |
+ | | | Specify the desired |
| | | length of the symmetric key to |
| | | be used to |
- | | |            encrypt the private |
+ | | | encrypt the private |
| | | key. |
- | | |    -n \| --cert-key-len |
+ | | | -n \| --cert-key-len |
| | | certKeyLength |
- | | |            Specify the desired |
+ | | | Specify the desired |
| | | length of the symmetric key to |
| | | be used to |
- | | |            encrypt the |
+ | | | encrypt the |
| | | certificates and other |
| | | meta-data. |
- | | |    -r |
- | | |            Dumps all of the |
+ | | | -r |
+ | | | Dumps all of the |
| | | data in raw (binary) form. |
| | | This must be saved as |
- | | |            a DER file. The |
+ | | | a DER file. The |
| | | default is to return |
| | | information in a pretty-print |
- | | |            ASCII format, which |
+ | | | ASCII format, which |
| | | displays the information about |
| | | the |
- | | |            certificates and |
+ | | | certificates and |
| | | public keys in the p12 file. |
| | | Return Codes |
- | | |      o 0 - No error |
- | | |      o 1 - User Cancelled |
- | | |      o 2 - Usage error |
- | | |      o 6 - NLS init error |
- | | |      o 8 - Certificate DB open |
+ | | | o 0 - No error |
+ | | | o 1 - User Cancelled |
+ | | | o 2 - Usage error |
+ | | | o 6 - NLS init error |
+ | | | o 8 - Certificate DB open |
| | | error |
- | | |      o 9 - Key DB open error |
- | | |      o 10 - File |
+ | | | o 9 - Key DB open error |
+ | | | o 10 - File |
| | | initialization error |
- | | |      o 11 - Unicode conversion |
+ | | | o 11 - Unicode conversion |
| | | error |
- | | |      o 12 - Temporary file |
+ | | | o 12 - Temporary file |
| | | creation error |
- | | |      o 13 - PKCS11 get slot |
+ | | | o 13 - PKCS11 get slot |
| | | error |
- | | |      o 14 - PKCS12 decoder |
+ | | | o 14 - PKCS12 decoder |
| | | start error |
- | | |      o 15 - error read from |
+ | | | o 15 - error read from |
| | | import file |
- | | |      o 16 - pkcs12 decode |
+ | | | o 16 - pkcs12 decode |
| | | error |
- | | |      o 17 - pkcs12 decoder |
+ | | | o 17 - pkcs12 decoder |
| | | verify error |
- | | |      o 18 - pkcs12 decoder |
+ | | | o 18 - pkcs12 decoder |
| | | validate bags error |
- | | |      o 19 - pkcs12 decoder |
+ | | | o 19 - pkcs12 decoder |
| | | import bags error |
- | | |      o 20 - key db conversion |
+ | | | o 20 - key db conversion |
| | | version 3 to version 2 error |
- | | |      o 21 - cert db conversion |
+ | | | o 21 - cert db conversion |
| | | version 7 to version 5 error |
- | | |      o 22 - cert and key dbs |
+ | | | o 22 - cert and key dbs |
| | | patch error |
- | | |      o 23 - get default cert |
+ | | | o 23 - get default cert |
| | | db error |
- | | |      o 24 - find cert by |
+ | | | o 24 - find cert by |
| | | nickname error |
- | | |      o 25 - create export |
+ | | | o 25 - create export |
| | | context error |
- | | |      o 26 - PKCS12 add |
+ | | | o 26 - PKCS12 add |
| | | password itegrity error |
- | | |      o 27 - cert and key Safes |
+ | | | o 27 - cert and key Safes |
| | | creation error |
- | | |      o 28 - PKCS12 add cert |
+ | | | o 28 - PKCS12 add cert |
| | | and key error |
- | | |      o 29 - PKCS12 encode |
+ | | | o 29 - PKCS12 encode |
| | | error |
| | | Examples |
- | | |    Importing Keys and |
+ | | | Importing Keys and |
| | | Certificates |
- | | |    The most basic usage of |
+ | | | The most basic usage of |
| | | pk12util for importing a |
| | | certificate or key is the |
- | | |    PKCS#12 input file (-i) and |
+ | | | PKCS#12 input file (-i) and |
| | | some way to specify the |
| | | security database |
- | | |    being accessed (either -d |
+ | | | being accessed (either -d |
| | | for a directory or -h for a |
| | | token). |
- | | |  pk12util -i p12File [-h |
+ | | | pk12util -i p12File [-h |
| | | tokenname] [-v] [-d |
| | | [sql:]directory] [-P dbprefix] |
| | | [-k slotPasswordFile|-K |
| | | slotPassword] [-w |
| | | p12filePasswordFile|-W |
| | | p12filePassword] |
- | | |    For example: |
- | | |  # pk12util -i |
+ | | | For example: |
+ | | | # pk12util -i |
| | | /tmp/cert-files/users.p12 -d |
| | | sql:/home/my/sharednssdb |
- | | |  Enter a password which will |
+ | | | Enter a password which will |
| | | be used to encrypt your keys. |
- | | |  The password should be at |
+ | | | The password should be at |
| | | least 8 characters long, |
- | | |  and should contain at least |
+ | | | and should contain at least |
| | | one non-alphabetic character. |
- | | |  Enter new password: |
- | | |  Re-enter password: |
- | | |  Enter password for PKCS12 |
+ | | | Enter new password: |
+ | | | Re-enter password: |
+ | | | Enter password for PKCS12 |
| | | file: |
- | | |  pk12util: PKCS12 IMPORT |
+ | | | pk12util: PKCS12 IMPORT |
| | | SUCCESSFUL |
- | | |    Exporting Keys and |
+ | | | Exporting Keys and |
| | | Certificates |
- | | |    Using the pk12util command |
+ | | | Using the pk12util command |
| | | to export certificates and |
| | | keys requires both |
- | | |    the name of the certificate |
+ | | | the name of the certificate |
| | | to extract from the database |
| | | (-n) and the |
- | | |    PKCS#12-formatted output |
+ | | | PKCS#12-formatted output |
| | | file to write to. There are |
| | | optional parameters |
- | | |    that can be used to encrypt |
+ | | | that can be used to encrypt |
| | | the file to protect the |
| | | certificate material. |
- | | |  pk12util -o p12File -n |
+ | | | pk12util -o p12File -n |
| | | certname [-c keyCipher] [-C |
| | | certCipher] [-m|--key_len |
| | | keyLen] [-n|--cert_key_len |
@@ -8821,352 +8821,352 @@ Index
| | | slotPassword] [-w |
| | | p12filePasswordFile|-W |
| | | p12filePassword] |
- | | |    For example: |
- | | |  # pk12util -o certs.p12 -n |
+ | | | For example: |
+ | | | # pk12util -o certs.p12 -n |
| | | Server-Cert -d |
| | | sql:/home/my/sharednssdb |
- | | |  Enter password for PKCS12 |
+ | | | Enter password for PKCS12 |
| | | file: |
- | | |  Re-enter password: |
- | | |    Listing Keys and |
+ | | | Re-enter password: |
+ | | | Listing Keys and |
| | | Certificates |
- | | |    The information in a .p12 |
+ | | | The information in a .p12 |
| | | file are not human-readable. |
| | | The certificates |
- | | |    and keys in the file can be |
+ | | | and keys in the file can be |
| | | printed (listed) in a |
| | | human-readable |
- | | |    pretty-print format that |
+ | | | pretty-print format that |
| | | shows information for every |
| | | certificate and any |
- | | |    public keys in the .p12 |
+ | | | public keys in the .p12 |
| | | file. |
- | | |  pk12util -l p12File [-h |
+ | | | pk12util -l p12File [-h |
| | | tokenname] [-r] [-d |
| | | [sql:]directory] [-P dbprefix] |
| | | [-k slotPasswordFile|-K |
| | | slotPassword] [-w |
| | | p12filePasswordFile|-W |
| | | p12filePassword] |
- | | |    For example, this prints |
+ | | | For example, this prints |
| | | the default ASCII output: |
- | | |  # pk12util -l certs.p12 |
- | | |  Enter password for PKCS12 |
+ | | | # pk12util -l certs.p12 |
+ | | | Enter password for PKCS12 |
| | | file: |
- | | |  Key(shrouded): |
- | | |      Friendly Name: Thawte |
+ | | | Key(shrouded): |
+ | | | Friendly Name: Thawte |
| | | Freemail Member's Thawte |
| | | Consulting (Pty) Ltd. ID |
- | | |      Encryption algorithm: |
+ | | | Encryption algorithm: |
| | | PKCS #12 V2 PBE With SHA-1 And |
| | | 3KEY Triple DES-CBC |
- | | |          Parameters: |
- | | |              Salt: |
- | | |                  |
+ | | | Parameters: |
+ | | | Salt: |
+ | | | |
| | | 45:2e:6a:a0:03:4d |
| | | :7b:a1:63:3c:15:ea:67:37:62:1f |
- | | |              Iteration Count: |
+ | | | Iteration Count: |
| | | 1 (0x1) |
- | | |  Certificate: |
- | | |      Data: |
- | | |          Version: 3 (0x2) |
- | | |          Serial Number: 13 |
+ | | | Certificate: |
+ | | | Data: |
+ | | | Version: 3 (0x2) |
+ | | | Serial Number: 13 |
| | | (0xd) |
- | | |          Signature Algorithm: |
+ | | | Signature Algorithm: |
| | | PKCS #1 SHA-1 With RSA |
| | | Encryption |
- | | |          Issuer: |
+ | | | Issuer: |
| | | "E=personal |
| | | -freemail@thawte.com,CN=Thawte |
| | | Personal Freemail C |
- | | |              |
+ | | | |
| | | A,OU=Certification Services |
| | | Division,O=Thawte |
| | | Consulting,L=Cape T |
- | | |              own,ST=Western |
+ | | | own,ST=Western |
| | | Cape,C=ZA" |
- | | |  .... |
- | | |    Alternatively, the -r |
+ | | | .... |
+ | | | Alternatively, the -r |
| | | prints the certificates and |
| | | then exports them into |
- | | |    separate DER binary files. |
+ | | | separate DER binary files. |
| | | This allows the certificates |
| | | to be fed to |
- | | |    another application that |
+ | | | another application that |
| | | supports .p12 files. Each |
| | | certificate is written |
- | | |    to a sequentially-number |
+ | | | to a sequentially-number |
| | | file, beginning with |
| | | file0001.der and continuing |
- | | |    through file000N.der, |
+ | | | through file000N.der, |
| | | incrementing the number for |
| | | every certificate: |
- | | |  # pk12util -l test.p12 -r |
- | | |  Enter password for PKCS12 |
+ | | | # pk12util -l test.p12 -r |
+ | | | Enter password for PKCS12 |
| | | file: |
- | | |  Key(shrouded): |
- | | |      Friendly Name: Thawte |
+ | | | Key(shrouded): |
+ | | | Friendly Name: Thawte |
| | | Freemail Member's Thawte |
| | | Consulting (Pty) Ltd. ID |
- | | |      Encryption algorithm: |
+ | | | Encryption algorithm: |
| | | PKCS #12 V2 PBE With SHA-1 And |
| | | 3KEY Triple DES-CBC |
- | | |          Parameters: |
- | | |              Salt: |
- | | |                  |
+ | | | Parameters: |
+ | | | Salt: |
+ | | | |
| | | 45:2e:6a:a0:03:4d |
| | | :7b:a1:63:3c:15:ea:67:37:62:1f |
- | | |              Iteration Count: |
+ | | | Iteration Count: |
| | | 1 (0x1) |
- | | |  Certificate    Friendly Name: |
+ | | | Certificate Friendly Name: |
| | | Thawte Personal Freemail |
| | | Issuing CA - Thawte Consulting |
- | | |  Certificate    Friendly Name: |
+ | | | Certificate Friendly Name: |
| | | Thawte Freemail Member's |
| | | Thawte Consulting (Pty) Ltd. |
| | | ID |
| | | Password Encryption |
- | | |    PKCS#12 provides for not |
+ | | | PKCS#12 provides for not |
| | | only the protection of the |
| | | private keys but also |
- | | |    the certificate and |
+ | | | the certificate and |
| | | meta-data associated with the |
| | | keys. Password-based |
- | | |    encryption is used to |
+ | | | encryption is used to |
| | | protect private keys on export |
| | | to a PKCS#12 file |
- | | |    and, optionally, the entire |
+ | | | and, optionally, the entire |
| | | package. If no algorithm is |
| | | specified, the |
- | | |    tool defaults to using |
+ | | | tool defaults to using |
| | | PKCS12 V2 PBE with SHA1 and |
| | | 3KEY Triple DES-cbc for |
- | | |    private key encryption. |
+ | | | private key encryption. |
| | | PKCS12 V2 PBE with SHA1 and 40 |
| | | Bit RC4 is the |
- | | |    default for the overall |
+ | | | default for the overall |
| | | package encryption when not in |
| | | FIPS mode. When in |
- | | |    FIPS mode, there is no |
+ | | | FIPS mode, there is no |
| | | package encryption. |
- | | |    The private key is always |
+ | | | The private key is always |
| | | protected with strong |
| | | encryption by default. |
- | | |    Several types of ciphers |
+ | | | Several types of ciphers |
| | | are supported. |
- | | |    Symmetric CBC ciphers for |
+ | | | Symmetric CBC ciphers for |
| | | PKCS#5 V2 |
- | | |            DES_CBC |
- | | |               o RC2-CBC |
- | | |               o RC5-CBCPad |
- | | |               o DES-EDE3-CBC |
+ | | | DES_CBC |
+ | | | o RC2-CBC |
+ | | | o RC5-CBCPad |
+ | | | o DES-EDE3-CBC |
| | | (the default for key |
| | | encryption) |
- | | |               o AES-128-CBC |
- | | |               o AES-192-CBC |
- | | |               o AES-256-CBC |
- | | |               |
- | | | o CAMELLIA-128-CBC |
- | | |               |
- | | | o CAMELLIA-192-CBC |
- | | |               |
- | | | o CAMELLIA-256-CBC |
- | | |    PKCS#12 PBE ciphers |
- | | |            PKCS #12 PBE with |
+ | | | o AES-128-CBC |
+ | | | o AES-192-CBC |
+ | | | o AES-256-CBC |
+ | | | |
+ | | | o CAMELLIA-128-CBC |
+ | | | |
+ | | | o CAMELLIA-192-CBC |
+ | | | |
+ | | | o CAMELLIA-256-CBC |
+ | | | PKCS#12 PBE ciphers |
+ | | | PKCS #12 PBE with |
| | | Sha1 and 128 Bit RC4 |
- | | |               o PKCS #12 PBE |
+ | | | o PKCS #12 PBE |
| | | with Sha1 and 40 Bit RC4 |
- | | |               o PKCS #12 PBE |
+ | | | o PKCS #12 PBE |
| | | with Sha1 and Triple DES CBC |
- | | |               o PKCS #12 PBE |
+ | | | o PKCS #12 PBE |
| | | with Sha1 and 128 Bit RC2 CBC |
- | | |               o PKCS #12 PBE |
+ | | | o PKCS #12 PBE |
| | | with Sha1 and 40 Bit RC2 CBC |
- | | |               o PKCS12 V2 PBE |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 128 Bit RC4 |
- | | |               o PKCS12 V2 PBE |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 40 Bit RC4 (the |
| | | default for |
- | | |                 non-FIPS mode) |
- | | |               o PKCS12 V2 PBE |
+ | | | non-FIPS mode) |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 3KEY Triple |
| | | DES-cbc |
- | | |               o PKCS12 V2 PBE |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 2KEY Triple |
| | | DES-cbc |
- | | |               o PKCS12 V2 PBE |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 128 Bit RC2 CBC |
- | | |               o PKCS12 V2 PBE |
+ | | | o PKCS12 V2 PBE |
| | | with SHA1 and 40 Bit RC2 CBC |
- | | |    PKCS#5 PBE ciphers |
- | | |            PKCS #5 Password |
+ | | | PKCS#5 PBE ciphers |
+ | | | PKCS #5 Password |
| | | Based Encryption with MD2 and |
| | | DES CBC |
- | | |               o PKCS #5 |
+ | | | o PKCS #5 |
| | | Password Based Encryption with |
| | | MD5 and DES CBC |
- | | |               o PKCS #5 |
+ | | | o PKCS #5 |
| | | Password Based Encryption with |
| | | SHA1 and DES CBC |
- | | |    With PKCS#12, the crypto |
+ | | | With PKCS#12, the crypto |
| | | provider may be the soft token |
| | | module or an |
- | | |    external hardware module. |
+ | | | external hardware module. |
| | | If the cryptographic module |
| | | does not support the |
- | | |    requested algorithm, then |
+ | | | requested algorithm, then |
| | | the next best fit will be |
| | | selected (usually the |
- | | |    default). If no suitable |
+ | | | default). If no suitable |
| | | replacement for the desired |
| | | algorithm can be |
- | | |    found, the tool returns the |
+ | | | found, the tool returns the |
| | | error no security module can |
| | | perform the |
- | | |    requested operation. |
+ | | | requested operation. |
| | | NSS Database Types |
- | | |    NSS originally used |
+ | | | NSS originally used |
| | | BerkeleyDB databases to store |
| | | security information. |
- | | |    The last versions of these |
+ | | | The last versions of these |
| | | legacy databases are: |
- | | |      o cert8.db for |
+ | | | o cert8.db for |
| | | certificates |
- | | |      o key3.db for keys |
- | | |      o secmod.db for PKCS #11 |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
| | | module information |
- | | |    BerkeleyDB has performance |
+ | | | BerkeleyDB has performance |
| | | limitations, though, which |
| | | prevent it from |
- | | |    being easily used by |
+ | | | being easily used by |
| | | multiple applications |
| | | simultaneously. NSS has some |
- | | |    flexibility that allows |
+ | | | flexibility that allows |
| | | applications to use their own, |
| | | independent |
- | | |    database engine while |
+ | | | database engine while |
| | | keeping a shared database and |
| | | working around the |
- | | |    access issues. Still, NSS |
+ | | | access issues. Still, NSS |
| | | requires more flexibility to |
| | | provide a truly |
- | | |    shared security database. |
- | | |    In 2009, NSS introduced a |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
| | | new set of databases that are |
| | | SQLite databases |
- | | |    rather than BerkleyDB. |
+ | | | rather than BerkleyDB. |
| | | These new databases provide |
| | | more accessibility and |
- | | |    performance: |
- | | |      o cert9.db for |
+ | | | performance: |
+ | | | o cert9.db for |
| | | certificates |
- | | |      o key4.db for keys |
- | | |      o pkcs11.txt, which is |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
| | | listing of all of the PKCS #11 |
| | | modules contained |
- | | |        in a new subdirectory |
+ | | | in a new subdirectory |
| | | in the security databases |
| | | directory |
- | | |    Because the SQLite |
+ | | | Because the SQLite |
| | | databases are designed to be |
| | | shared, these are the |
- | | |    shared database type. The |
+ | | | shared database type. The |
| | | shared database type is |
| | | preferred; the legacy |
- | | |    format is included for |
+ | | | format is included for |
| | | backward compatibility. |
- | | |    By default, the tools |
+ | | | By default, the tools |
| | | (certutil, pk12util, modutil) |
| | | assume that the given |
- | | |    security databases follow |
+ | | | security databases follow |
| | | the more common legacy type. |
| | | Using the SQLite |
- | | |    databases must be manually |
+ | | | databases must be manually |
| | | specified by using the sql: |
| | | prefix with the |
- | | |    given security directory. |
+ | | | given security directory. |
| | | For example: |
- | | |  # pk12util -i |
+ | | | # pk12util -i |
| | | /tmp/cert-files/users.p12 -d |
| | | sql:/home/my/sharednssdb |
- | | |    To set the shared database |
+ | | | To set the shared database |
| | | type as the default type for |
| | | the tools, set the |
- | | |    NSS_DEFAULT_DB_TYPE |
+ | | | NSS_DEFAULT_DB_TYPE |
| | | environment variable to sql: |
- | | |  export |
+ | | | export |
| | | NSS_DEFAULT_DB_TYPE="sql" |
- | | |    This line can be set added |
+ | | | This line can be set added |
| | | to the ~/.bashrc file to make |
| | | the change |
- | | |    permanent. |
- | | |    Most applications do not |
+ | | | permanent. |
+ | | | Most applications do not |
| | | use the shared database by |
| | | default, but they can |
- | | |    be configured to use them. |
+ | | | be configured to use them. |
| | | For example, this how-to |
| | | article covers how to |
- | | |    configure Firefox and |
+ | | | configure Firefox and |
| | | Thunderbird to use the new |
| | | shared NSS databases: |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |    For an engineering draft on |
+ | | | For an engineering draft on |
| | | the changes in the shared NSS |
| | | databases, see |
- | | |    the NSS project wiki: |
- | | |      |
- | | | o https:// |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | See Also |
- | | |    certutil (1) |
- | | |    modutil (1) |
- | | |    The NSS wiki has |
+ | | | certutil (1) |
+ | | | modutil (1) |
+ | | | The NSS wiki has |
| | | information on the new |
| | | database design and how to |
- | | |    configure applications to |
+ | | | configure applications to |
| | | use it. |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |      |
- | | | o https:// |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
@@ -9178,1239 +9178,1239 @@ Index
| | a_projects_nss_tools_signtool` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    signtool — Digitally sign |
+ | | | signtool — Digitally sign |
| | | objects and files. |
| | | Synopsis |
- | | |    signtool [-k keyName] |
+ | | | signtool [-k keyName] |
| | | `-h <-h>`__ `-H <-H>`__ |
| | | `-l <-l>`__ `-L <-L>`__ |
| | | `-M <-M>`__ `-v <-v>`__ |
| | | `-w <-w>`__ |
- | | |    `-G |
+ | | | `-G |
| | | nickname <-G_nickname>`__ `-s |
| | | size <--keysize>`__ `-b |
| | | basename <-b_basename>`__ [[-c |
| | | Compression |
- | | |    Level] ] [[-d cert-dir] ] |
+ | | | Level] ] [[-d cert-dir] ] |
| | | [[-i installer script] ] [[-m |
| | | metafile] ] [[-x |
- | | |    name] ] [[-f filename] ] |
+ | | | name] ] [[-f filename] ] |
| | | [[-t|--token tokenname] ] [[-e |
| | | extension] ] [[-o] |
- | | |    ] [[-z] ] [[-X] ] |
+ | | | ] [[-z] ] [[-X] ] |
| | | [[--outfile] ] [[--verbose |
| | | value] ] [[--norecurse] ] |
- | | |    [[--leavearc] ] [[-j |
+ | | | [[--leavearc] ] [[-j |
| | | directory] ] [[-Z jarfile] ] |
| | | [[-O] ] [[-p password] ] |
- | | |    [directory-tree] [archive] |
+ | | | [directory-tree] [archive] |
| | | Description |
- | | |    The Signing Tool, signtool, |
+ | | | The Signing Tool, signtool, |
| | | creates digital signatures and |
| | | uses a Java |
- | | |    Archive (JAR) file to |
+ | | | Archive (JAR) file to |
| | | associate the signatures with |
| | | files in a directory. |
- | | |    Electronic software |
+ | | | Electronic software |
| | | distribution over any network |
| | | involves potential |
- | | |    security problems. To help |
+ | | | security problems. To help |
| | | address some of these |
| | | problems, you can |
- | | |    associate digital |
+ | | | associate digital |
| | | signatures with the files in a |
| | | JAR archive. Digital |
- | | |    signatures allow |
+ | | | signatures allow |
| | | SSL-enabled clients to perform |
| | | two important operations: |
- | | |    \* Confirm the identity of |
+ | | | \* Confirm the identity of |
| | | the individual, company, or |
| | | other entity whose |
- | | |    digital signature is |
+ | | | digital signature is |
| | | associated with the files |
- | | |    \* Check whether the files |
+ | | | \* Check whether the files |
| | | have been tampered with since |
| | | being signed |
- | | |    If you have a signing |
+ | | | If you have a signing |
| | | certificate, you can use |
| | | Netscape Signing Tool to |
- | | |    digitally sign files and |
+ | | | digitally sign files and |
| | | package them as a JAR file. An |
| | | object-signing |
- | | |    certificate is a special |
+ | | | certificate is a special |
| | | kind of certificate that |
| | | allows you to associate |
- | | |    your digital signature with |
+ | | | your digital signature with |
| | | one or more files. |
- | | |    An individual file can |
+ | | | An individual file can |
| | | potentially be signed with |
| | | multiple digital |
- | | |    signatures. For example, a |
+ | | | signatures. For example, a |
| | | commercial software developer |
| | | might sign the |
- | | |    files that constitute a |
+ | | | files that constitute a |
| | | software product to prove that |
| | | the files are |
- | | |    indeed from a particular |
+ | | | indeed from a particular |
| | | company. A network |
| | | administrator manager might |
- | | |    sign the same files with an |
+ | | | sign the same files with an |
| | | additional digital signature |
| | | based on a |
- | | |    company-generated |
+ | | | company-generated |
| | | certificate to indicate that |
| | | the product is approved for |
- | | |    use within the company. |
- | | |    The significance of a |
+ | | | use within the company. |
+ | | | The significance of a |
| | | digital signature is |
| | | comparable to the significance |
- | | |    of a handwritten signature. |
+ | | | of a handwritten signature. |
| | | Once you have signed a file, |
| | | it is difficult |
- | | |    to claim later that you |
+ | | | to claim later that you |
| | | didn't sign it. In some |
| | | situations, a digital |
- | | |    signature may be considered |
+ | | | signature may be considered |
| | | as legally binding as a |
| | | handwritten signature. |
- | | |    Therefore, you should take |
+ | | | Therefore, you should take |
| | | great care to ensure that you |
| | | can stand behind |
- | | |    any file you sign and |
+ | | | any file you sign and |
| | | distribute. |
- | | |    For example, if you are a |
+ | | | For example, if you are a |
| | | software developer, you should |
| | | test your code to |
- | | |    make sure it is virus-free |
+ | | | make sure it is virus-free |
| | | before signing it. Similarly, |
| | | if you are a |
- | | |    network administrator, you |
+ | | | network administrator, you |
| | | should make sure, before |
| | | signing any code, that |
- | | |    it comes from a reliable |
+ | | | it comes from a reliable |
| | | source and will run correctly |
| | | with the software |
- | | |    installed on the machines |
+ | | | installed on the machines |
| | | to which you are distributing |
| | | it. |
- | | |    Before you can use Netscape |
+ | | | Before you can use Netscape |
| | | Signing Tool to sign files, |
| | | you must have an |
- | | |    object-signing certificate, |
+ | | | object-signing certificate, |
| | | which is a special certificate |
| | | whose |
- | | |    associated private key is |
+ | | | associated private key is |
| | | used to create digital |
| | | signatures. For testing |
- | | |    purposes only, you can |
+ | | | purposes only, you can |
| | | create an object-signing |
| | | certificate with Netscape |
- | | |    Signing Tool 1.3. When |
+ | | | Signing Tool 1.3. When |
| | | testing is finished and you |
| | | are ready to |
- | | |    disitribute your software, |
+ | | | disitribute your software, |
| | | you should obtain an |
| | | object-signing certificate |
- | | |    from one of two kinds of |
+ | | | from one of two kinds of |
| | | sources: |
- | | |    \* An independent |
+ | | | \* An independent |
| | | certificate authority (CA) |
| | | that authenticates your |
- | | |    identity and charges you a |
+ | | | identity and charges you a |
| | | fee. You typically get a |
| | | certificate from an |
- | | |    independent CA if you want |
+ | | | independent CA if you want |
| | | to sign software that will be |
| | | distributed over |
- | | |    the Internet. |
- | | |    \* CA server software |
+ | | | the Internet. |
+ | | | \* CA server software |
| | | running on your corporate |
| | | intranet or extranet. |
- | | |    Netscape Certificate |
+ | | | Netscape Certificate |
| | | Management System provides a |
| | | complete management |
- | | |    solution for creating, |
+ | | | solution for creating, |
| | | deploying, and managing |
| | | certificates, including CAs |
- | | |    that issue object-signing |
+ | | | that issue object-signing |
| | | certificates. |
- | | |    You must also have a |
+ | | | You must also have a |
| | | certificate for the CA that |
| | | issues your signing |
- | | |    certificate before you can |
+ | | | certificate before you can |
| | | sign files. If the certificate |
| | | authority's |
- | | |    certificate isn't already |
+ | | | certificate isn't already |
| | | installed in your copy of |
| | | Communicator, you |
- | | |    typically install it by |
+ | | | typically install it by |
| | | clicking the appropriate link |
| | | on the certificate |
- | | |    authority's web site, for |
+ | | | authority's web site, for |
| | | example on the page from which |
| | | you initiated |
- | | |    enrollment for your signing |
+ | | | enrollment for your signing |
| | | certificate. This is the case |
| | | for some test |
- | | |    certificates, as well as |
+ | | | certificates, as well as |
| | | certificates issued by |
| | | Netscape Certificate |
- | | |    Management System: you must |
+ | | | Management System: you must |
| | | download the CA certificate in |
| | | addition to |
- | | |    obtaining your own signing |
+ | | | obtaining your own signing |
| | | certificate. CA certificates |
| | | for several |
- | | |    certificate authorities are |
+ | | | certificate authorities are |
| | | preinstalled in the |
| | | Communicator certificate |
- | | |    database. |
- | | |    When you receive an |
+ | | | database. |
+ | | | When you receive an |
| | | object-signing certificate for |
| | | your own use, it is |
- | | |    automatically installed in |
+ | | | automatically installed in |
| | | your copy of the Communicator |
| | | client software. |
- | | |    Communicator supports the |
+ | | | Communicator supports the |
| | | public-key cryptography |
| | | standard known as PKCS |
- | | |    #12, which governs key |
+ | | | #12, which governs key |
| | | portability. You can, for |
| | | example, move an |
- | | |    object-signing certificate |
+ | | | object-signing certificate |
| | | and its associated private key |
| | | from one |
- | | |    computer to another on a |
+ | | | computer to another on a |
| | | credit-card-sized device |
| | | called a smart card. |
| | | Options |
- | | |    -b basename |
- | | |            Specifies the base |
+ | | | -b basename |
+ | | | Specifies the base |
| | | filename for the .rsa and .sf |
| | | files in the |
- | | |            META-INF directory |
+ | | | META-INF directory |
| | | to conform with the JAR |
| | | format. For example, -b |
- | | |            signatures causes |
+ | | | signatures causes |
| | | the files to be named |
| | | signatures.rsa and |
- | | |            signatures.sf. The |
+ | | | signatures.sf. The |
| | | default is signtool. |
- | | |    -c# |
- | | |            Specifies the |
+ | | | -c# |
+ | | | Specifies the |
| | | compression level for the -J |
| | | or -Z option. The |
- | | |            symbol # represents |
+ | | | symbol # represents |
| | | a number from 0 to 9, where 0 |
| | | means no |
- | | |            compression and 9 |
+ | | | compression and 9 |
| | | means maximum compression. The |
| | | higher the level |
- | | |            of compression, the |
+ | | | of compression, the |
| | | smaller the output but the |
| | | longer the |
- | | |            operation takes. If |
+ | | | operation takes. If |
| | | the -c# option is not used |
| | | with either the -J |
- | | |            or the -Z option, |
+ | | | or the -Z option, |
| | | the default compression value |
| | | used by both the |
- | | |            -J and -Z options |
+ | | | -J and -Z options |
| | | is 6. |
- | | |    -d certdir |
- | | |            Specifies your |
+ | | | -d certdir |
+ | | | Specifies your |
| | | certificate database |
| | | directory; that is, the |
- | | |            directory in which |
+ | | | directory in which |
| | | you placed your key3.db and |
| | | cert7.db files. To |
- | | |            specify the current |
+ | | | specify the current |
| | | directory, use "-d." |
| | | (including the period). |
- | | |            The Unix version of |
+ | | | The Unix version of |
| | | signtool assumes ~/.netscape |
| | | unless told |
- | | |            otherwise. The NT |
+ | | | otherwise. The NT |
| | | version of signtool always |
| | | requires the use of |
- | | |            the -d option to |
+ | | | the -d option to |
| | | specify where the database |
| | | files are located. |
- | | |    -e extension |
- | | |            Tells signtool to |
+ | | | -e extension |
+ | | | Tells signtool to |
| | | sign only files with the given |
| | | extension; for |
- | | |            example, use |
+ | | | example, use |
| | | -e".class" to sign only Java |
| | | class files. Note that |
- | | |            with Netscape |
+ | | | with Netscape |
| | | Signing Tool version 1.1 and |
| | | later this option can |
- | | |            appear multiple |
+ | | | appear multiple |
| | | times on one command line, |
| | | making it possible to |
- | | |            specify multiple |
+ | | | specify multiple |
| | | file types or classes to |
| | | include. |
- | | |    -f commandfile |
- | | |            Specifies a text |
+ | | | -f commandfile |
+ | | | Specifies a text |
| | | file containing Netscape |
| | | Signing Tool options and |
- | | |            arguments in |
+ | | | arguments in |
| | | keyword=value format. All |
| | | options and arguments can |
- | | |            be expressed |
+ | | | be expressed |
| | | through this file. For more |
| | | information about the |
- | | |            syntax used with |
+ | | | syntax used with |
| | | this file, see "Tips and |
| | | Techniques". |
- | | |    -i scriptname |
- | | |            Specifies the name |
+ | | | -i scriptname |
+ | | | Specifies the name |
| | | of an installer script for |
| | | SmartUpdate. This |
- | | |            script installs |
+ | | | script installs |
| | | files from the JAR archive in |
| | | the local system |
- | | |            after SmartUpdate |
+ | | | after SmartUpdate |
| | | has validated the digital |
| | | signature. For more |
- | | |            details, see the |
+ | | | details, see the |
| | | description of -m that |
| | | follows. The -i option |
- | | |            provides a |
+ | | | provides a |
| | | straightforward way to provide |
| | | this information if you |
- | | |            don't need to |
+ | | | don't need to |
| | | specify any metadata other |
| | | than an installer script. |
- | | |    -j directory |
- | | |            Specifies a special |
+ | | | -j directory |
+ | | | Specifies a special |
| | | JavaScript directory. This |
| | | option causes the |
- | | |            specified directory |
+ | | | specified directory |
| | | to be signed and tags its |
| | | entries as inline |
- | | |            JavaScript. This |
+ | | | JavaScript. This |
| | | special type of entry does not |
| | | have to appear in |
- | | |            the JAR file |
+ | | | the JAR file |
| | | itself. Instead, it is located |
| | | in the HTML page |
- | | |            containing the |
+ | | | containing the |
| | | inline scripts. When you use |
| | | signtool -v, these |
- | | |            entries are |
+ | | | entries are |
| | | displayed with the string NOT |
| | | PRESENT. |
- | | |    -k key ... directory |
- | | |            Specifies the |
+ | | | -k key ... directory |
+ | | | Specifies the |
| | | nickname (key) of the |
| | | certificate you want to sign |
- | | |            with and signs the |
+ | | | with and signs the |
| | | files in the specified |
| | | directory. The directory |
- | | |            to sign is always |
+ | | | to sign is always |
| | | specified as the last |
| | | command-line argument. |
- | | |            Thus, it is |
+ | | | Thus, it is |
| | | possible to write signtool -k |
| | | MyCert -d . signdir You |
- | | |            may have trouble if |
+ | | | may have trouble if |
| | | the nickname contains a single |
| | | quotation mark. |
- | | |            To avoid problems, |
+ | | | To avoid problems, |
| | | escape the quotation mark |
| | | using the escape |
- | | |            conventions for |
+ | | | conventions for |
| | | your platform. It's also |
| | | possible to use the -k |
- | | |            option without |
+ | | | option without |
| | | signing any files or |
| | | specifying a directory. For |
- | | |            example, you can |
+ | | | example, you can |
| | | use it with the -l option to |
| | | get detailed |
- | | |            information about a |
+ | | | information about a |
| | | particular signing |
| | | certificate. |
- | | |    -G nickname |
- | | |            Generates a new |
+ | | | -G nickname |
+ | | | Generates a new |
| | | private-public key pair and |
| | | corresponding |
- | | |            object-signing |
+ | | | object-signing |
| | | certificate with the given |
| | | nickname. The newly |
- | | |            generated keys and |
+ | | | generated keys and |
| | | certificate are installed into |
| | | the key and |
- | | |            certificate |
+ | | | certificate |
| | | databases in the directory |
| | | specified by the -d option. |
- | | |            With the NT version |
+ | | | With the NT version |
| | | of Netscape Signing Tool, you |
| | | must use the -d |
- | | |            option with the -G |
+ | | | option with the -G |
| | | option. With the Unix version |
| | | of Netscape |
- | | |            Signing Tool, |
+ | | | Signing Tool, |
| | | omitting the -d option causes |
| | | the tool to install |
- | | |            the keys and |
+ | | | the keys and |
| | | certificate in the |
| | | Communicator key and |
| | | certificate |
- | | |            databases. If you |
+ | | | databases. If you |
| | | are installing the keys and |
| | | certificate in the |
- | | |            Communicator |
+ | | | Communicator |
| | | databases, you must exit |
| | | Communicator before using |
- | | |            this option; |
+ | | | this option; |
| | | otherwise, you risk corrupting |
| | | the databases. In all |
- | | |            cases, the |
+ | | | cases, the |
| | | certificate is also output to |
| | | a file named x509.cacert, |
- | | |            which has the |
+ | | | which has the |
| | | MIME-type |
| | | application/x-x509-ca-cert. |
| | | Unlike |
- | | |            certificates |
+ | | | certificates |
| | | normally used to sign finished |
| | | code to be distributed |
- | | |            over a network, a |
+ | | | over a network, a |
| | | test certificate created with |
| | | -G is not signed |
- | | |            by a recognized |
+ | | | by a recognized |
| | | certificate authority. |
| | | Instead, it is self-signed. |
- | | |            In addition, a |
+ | | | In addition, a |
| | | single test signing |
| | | certificate functions as both |
- | | |            an object-signing |
+ | | | an object-signing |
| | | certificate and a CA. When you |
| | | are using it to |
- | | |            sign objects, it |
+ | | | sign objects, it |
| | | behaves like an object-signing |
| | | certificate. When |
- | | |            it is imported into |
+ | | | it is imported into |
| | | browser software such as |
| | | Communicator, it |
- | | |            behaves like an |
+ | | | behaves like an |
| | | object-signing CA and cannot |
| | | be used to sign |
- | | |            objects. The -G |
+ | | | objects. The -G |
| | | option is available in |
| | | Netscape Signing Tool 1.0 |
- | | |            and later versions |
+ | | | and later versions |
| | | only. By default, it produces |
| | | only RSA |
- | | |            certificates with |
+ | | | certificates with |
| | | 1024-byte keys in the internal |
| | | token. However, |
- | | |            you can use the -s |
+ | | | you can use the -s |
| | | option specify the required |
| | | key size and the -t |
- | | |            option to specify |
+ | | | option to specify |
| | | the token. For more |
| | | information about the use of |
- | | |            the -G option, see |
+ | | | the -G option, see |
| | | "Generating Test |
| | | Object-Signing |
- | | |            |
+ | | | |
| | | Certificates""Generating Test |
| | | Object-Signing Certificates" |
| | | on page |
- | | |            1241. |
- | | |    -l |
- | | |            Lists signing |
+ | | | 1241. |
+ | | | -l |
+ | | | Lists signing |
| | | certificates, including |
| | | issuing CAs. If any of your |
- | | |            certificates are |
+ | | | certificates are |
| | | expired or invalid, the list |
| | | will so specify. |
- | | |            This option can be |
+ | | | This option can be |
| | | used with the -k option to |
| | | list detailed |
- | | |            information about a |
+ | | | information about a |
| | | particular signing |
| | | certificate. The -l option |
- | | |            is available in |
+ | | | is available in |
| | | Netscape Signing Tool 1.0 and |
| | | later versions only. |
- | | |    -J |
- | | |            Signs a directory |
+ | | | -J |
+ | | | Signs a directory |
| | | of HTML files containing |
| | | JavaScript and creates |
- | | |            as many archive |
+ | | | as many archive |
| | | files as are specified in the |
| | | HTML tags. Even if |
- | | |            signtool creates |
+ | | | signtool creates |
| | | more than one archive file, |
| | | you need to supply |
- | | |            the key database |
+ | | | the key database |
| | | password only once. The -J |
| | | option is available |
- | | |            only in Netscape |
+ | | | only in Netscape |
| | | Signing Tool 1.0 and later |
| | | versions. The -J |
- | | |            option cannot be |
+ | | | option cannot be |
| | | used at the same time as the |
| | | -Z option. If the |
- | | |            -c# option is not |
+ | | | -c# option is not |
| | | used with the -J option, the |
| | | default compression |
- | | |            value is 6. Note |
+ | | | value is 6. Note |
| | | that versions 1.1 and later of |
| | | Netscape Signing |
- | | |            Tool correctly |
+ | | | Tool correctly |
| | | recognizes the CODEBASE |
| | | attribute, allows paths to |
- | | |            be expressed for |
+ | | | be expressed for |
| | | the CLASS and SRC attributes |
| | | instead of filenames |
- | | |            only, processes |
+ | | | only, processes |
| | | LINK tags and parses HTML |
| | | correctly, and offers |
- | | |            clearer error |
+ | | | clearer error |
| | | messages. |
- | | |    -L |
- | | |            Lists the |
+ | | | -L |
+ | | | Lists the |
| | | certificates in your database. |
| | | An asterisk appears to |
- | | |            the left of the |
+ | | | the left of the |
| | | nickname for any certificate |
| | | that can be used to |
- | | |            sign objects with |
+ | | | sign objects with |
| | | signtool. |
- | | |    --leavearc |
- | | |            Retains the |
+ | | | --leavearc |
+ | | | Retains the |
| | | temporary .arc (archive) |
| | | directories that the -J |
- | | |            option creates. |
+ | | | option creates. |
| | | These directories are |
| | | automatically erased by |
- | | |            default. Retaining |
+ | | | default. Retaining |
| | | the temporary directories can |
| | | be an aid to |
- | | |            debugging. |
- | | |    -m metafile |
- | | |            Specifies the name |
+ | | | debugging. |
+ | | | -m metafile |
+ | | | Specifies the name |
| | | of a metadata control file. |
| | | Metadata is signed |
- | | |            information |
+ | | | information |
| | | attached either to the JAR |
| | | archive itself or to files |
- | | |            within the archive. |
+ | | | within the archive. |
| | | This metadata can be any ASCII |
| | | string, but is |
- | | |            used mainly for |
+ | | | used mainly for |
| | | specifying an installer |
| | | script. The metadata file |
- | | |            contains one entry |
+ | | | contains one entry |
| | | per line, each with three |
| | | fields: field #1: |
- | | |            file specification, |
+ | | | file specification, |
| | | or + if you want to specify |
| | | global metadata |
- | | |            (that is, metadata |
+ | | | (that is, metadata |
| | | about the JAR archive itself |
| | | or all entries in |
- | | |            the archive) field |
+ | | | the archive) field |
| | | #2: the name of the data you |
| | | are specifying; |
- | | |            for example: |
+ | | | for example: |
| | | Install-Script field #3: data |
| | | corresponding to the |
- | | |            name in field #2 |
+ | | | name in field #2 |
| | | For example, the -i option |
| | | uses the equivalent of |
- | | |            this line: + |
+ | | | this line: + |
| | | Install-Script: script.js This |
| | | example associates a |
- | | |            MIME type with a |
+ | | | MIME type with a |
| | | file: movie.qt MIME-Type: |
| | | video/quicktime For |
- | | |            information about |
+ | | | information about |
| | | the way installer script |
| | | information appears in |
- | | |            the manifest file |
+ | | | the manifest file |
| | | for a JAR archive, see The JAR |
| | | Format on |
- | | |            Netscape DevEdge. |
- | | |    -M |
- | | |            Lists the PKCS #11 |
+ | | | Netscape DevEdge. |
+ | | | -M |
+ | | | Lists the PKCS #11 |
| | | modules available to signtool, |
| | | including smart |
- | | |            cards. The -M |
+ | | | cards. The -M |
| | | option is available in |
| | | Netscape Signing Tool 1.0 and |
- | | |            later versions |
+ | | | later versions |
| | | only. For information on using |
| | | Netscape Signing |
- | | |            Tool with smart |
+ | | | Tool with smart |
| | | cards, see "Using Netscape |
| | | Signing Tool with Smart |
- | | |            Cards". For |
+ | | | Cards". For |
| | | information on using the -M |
| | | option to verify |
- | | |            FIPS-140-1 |
+ | | | FIPS-140-1 |
| | | validated mode, see "Netscape |
| | | Signing Tool and |
- | | |            FIPS-140-1". |
- | | |    --norecurse |
- | | |            Blocks recursion |
+ | | | FIPS-140-1". |
+ | | | --norecurse |
+ | | | Blocks recursion |
| | | into subdirectories when |
| | | signing a directory's |
- | | |            contents or when |
+ | | | contents or when |
| | | parsing HTML. |
- | | |    -o |
- | | |            Optimizes the |
+ | | | -o |
+ | | | Optimizes the |
| | | archive for size. Use this |
| | | only if you are signing |
- | | |            very large archives |
+ | | | very large archives |
| | | containing hundreds of files. |
| | | This option |
- | | |            makes the manifest |
+ | | | makes the manifest |
| | | files (required by the JAR |
| | | format) considerably |
- | | |            smaller, but they |
+ | | | smaller, but they |
| | | contain slightly less |
| | | information. |
- | | |    --outfile outputfile |
- | | |            Specifies a file to |
+ | | | --outfile outputfile |
+ | | | Specifies a file to |
| | | receive redirected output from |
| | | Netscape |
- | | |            Signing Tool. |
- | | |    -p password |
- | | |            Specifies a |
+ | | | Signing Tool. |
+ | | | -p password |
+ | | | Specifies a |
| | | password for the private-key |
| | | database. Note that the |
- | | |            password entered on |
+ | | | password entered on |
| | | the command line is displayed |
| | | as plain text. |
- | | |    -s keysize |
- | | |            Specifies the size |
+ | | | -s keysize |
+ | | | Specifies the size |
| | | of the key for generated |
| | | certificate. Use the |
- | | |            -M option to find |
+ | | | -M option to find |
| | | out what tokens are available. |
| | | The -s option can |
- | | |            be used with the -G |
+ | | | be used with the -G |
| | | option only. |
- | | |    -t token |
- | | |            Specifies which |
+ | | | -t token |
+ | | | Specifies which |
| | | available token should |
| | | generate the key and |
- | | |            receive the |
+ | | | receive the |
| | | certificate. Use the -M option |
| | | to find out what tokens |
- | | |            are available. The |
+ | | | are available. The |
| | | -t option can be used with the |
| | | -G option only. |
- | | |    -v archive |
- | | |            Displays the |
+ | | | -v archive |
+ | | | Displays the |
| | | contents of an archive and |
| | | verifies the cryptographic |
- | | |            integrity of the |
+ | | | integrity of the |
| | | digital signatures it contains |
| | | and the files with |
- | | |            which they are |
+ | | | which they are |
| | | associated. This includes |
| | | checking that the |
- | | |            certificate for the |
+ | | | certificate for the |
| | | issuer of the object-signing |
| | | certificate is |
- | | |            listed in the |
+ | | | listed in the |
| | | certificate database, that the |
| | | CA's digital |
- | | |            signature on the |
+ | | | signature on the |
| | | object-signing certificate is |
| | | valid, that the |
- | | |            relevant |
+ | | | relevant |
| | | certificates have not expired, |
| | | and so on. |
- | | |    --verbosity value |
- | | |            Sets the quantity |
+ | | | --verbosity value |
+ | | | Sets the quantity |
| | | of information Netscape |
| | | Signing Tool generates |
- | | |            in operation. A |
+ | | | in operation. A |
| | | value of 0 (zero) is the |
| | | default and gives full |
- | | |            information. A |
+ | | | information. A |
| | | value of -1 suppresses most |
| | | messages, but not error |
- | | |            messages. |
- | | |    -w archive |
- | | |            Displays the names |
+ | | | messages. |
+ | | | -w archive |
+ | | | Displays the names |
| | | of signers of any files in the |
| | | archive. |
- | | |    -x directory |
- | | |            Excludes the |
+ | | | -x directory |
+ | | | Excludes the |
| | | specified directory from |
| | | signing. Note that with |
- | | |            Netscape Signing |
+ | | | Netscape Signing |
| | | Tool version 1.1 and later |
| | | this option can appear |
- | | |            multiple times on |
+ | | | multiple times on |
| | | one command line, making it |
| | | possible to specify |
- | | |            several particular |
+ | | | several particular |
| | | directories to exclude. |
- | | |    -z |
- | | |            Tells signtool not |
+ | | | -z |
+ | | | Tells signtool not |
| | | to store the signing time in |
| | | the digital |
- | | |            signature. This |
+ | | | signature. This |
| | | option is useful if you want |
| | | the expiration date |
- | | |            of the signature |
+ | | | of the signature |
| | | checked against the current |
| | | date and time rather |
- | | |            than the time the |
+ | | | than the time the |
| | | files were signed. |
- | | |    -Z jarfile |
- | | |            Creates a JAR file |
+ | | | -Z jarfile |
+ | | | Creates a JAR file |
| | | with the specified name. You |
| | | must specify this |
- | | |            option if you want |
+ | | | option if you want |
| | | signtool to create the JAR |
| | | file; it does not do |
- | | |            so automatically. |
+ | | | so automatically. |
| | | If you don't specify -Z, you |
| | | must use an |
- | | |            external ZIP tool |
+ | | | external ZIP tool |
| | | to create the JAR file. The -Z |
| | | option cannot be |
- | | |            used at the same |
+ | | | used at the same |
| | | time as the -J option. If the |
| | | -c# option is not |
- | | |            used with the -Z |
+ | | | used with the -Z |
| | | option, the default |
| | | compression value is 6. |
| | | The Command File Format |
- | | |    Entries in a Netscape |
+ | | | Entries in a Netscape |
| | | Signing Tool command file have |
| | | this general format: |
- | | |    keyword=value Everything |
+ | | | keyword=value Everything |
| | | before the = sign on a single |
| | | line is a keyword, |
- | | |    and everything from the = |
+ | | | and everything from the = |
| | | sign to the end of line is a |
| | | value. The value |
- | | |    may include = signs; only |
+ | | | may include = signs; only |
| | | the first = sign on a line is |
| | | interpreted. Blank |
- | | |    lines are ignored, but |
+ | | | lines are ignored, but |
| | | white space on a line with |
| | | keywords and values is |
- | | |    assumed to be part of the |
+ | | | assumed to be part of the |
| | | keyword (if it comes before |
| | | the equal sign) or |
- | | |    part of the value (if it |
+ | | | part of the value (if it |
| | | comes after the first equal |
| | | sign). Keywords are |
- | | |    case insensitive, values |
+ | | | case insensitive, values |
| | | are generally case sensitive. |
| | | Since the = sign |
- | | |    and newline delimit the |
+ | | | and newline delimit the |
| | | value, it should not be |
| | | quoted. |
- | | |    Subsection |
- | | |    basename |
- | | |            Same as -b option. |
- | | |    compression |
- | | |            Same as -c option. |
- | | |    certdir |
- | | |            Same as -d option. |
- | | |    extension |
- | | |            Same as -e option. |
- | | |    generate |
- | | |            Same as -G option. |
- | | |    installscript |
- | | |            Same as -i option. |
- | | |    javascriptdir |
- | | |            Same as -j option. |
- | | |    htmldir |
- | | |            Same as -J option. |
- | | |    certname |
- | | |            Nickname of |
+ | | | Subsection |
+ | | | basename |
+ | | | Same as -b option. |
+ | | | compression |
+ | | | Same as -c option. |
+ | | | certdir |
+ | | | Same as -d option. |
+ | | | extension |
+ | | | Same as -e option. |
+ | | | generate |
+ | | | Same as -G option. |
+ | | | installscript |
+ | | | Same as -i option. |
+ | | | javascriptdir |
+ | | | Same as -j option. |
+ | | | htmldir |
+ | | | Same as -J option. |
+ | | | certname |
+ | | | Nickname of |
| | | certificate, as with -k and -l |
| | | -k options. |
- | | |    signdir |
- | | |            The directory to be |
+ | | | signdir |
+ | | | The directory to be |
| | | signed, as with -k option. |
- | | |    list |
- | | |            Same as -l option. |
+ | | | list |
+ | | | Same as -l option. |
| | | Value is ignored, but = sign |
| | | must be present. |
- | | |    listall |
- | | |            Same as -L option. |
+ | | | listall |
+ | | | Same as -L option. |
| | | Value is ignored, but = sign |
| | | must be present. |
- | | |    metafile |
- | | |            Same as -m option. |
- | | |    modules |
- | | |            Same as -M option. |
+ | | | metafile |
+ | | | Same as -m option. |
+ | | | modules |
+ | | | Same as -M option. |
| | | Value is ignored, but = sign |
| | | must be present. |
- | | |    optimize |
- | | |            Same as -o option. |
+ | | | optimize |
+ | | | Same as -o option. |
| | | Value is ignored, but = sign |
| | | must be present. |
- | | |    password |
- | | |            Same as -p option. |
- | | |    keysize |
- | | |            Same as -s option. |
- | | |    token |
- | | |            Same as -t option. |
- | | |    verify |
- | | |            Same as -v option. |
- | | |    who |
- | | |            Same as -w option. |
- | | |    exclude |
- | | |            Same as -x option. |
- | | |    notime |
- | | |            Same as -z option. |
+ | | | password |
+ | | | Same as -p option. |
+ | | | keysize |
+ | | | Same as -s option. |
+ | | | token |
+ | | | Same as -t option. |
+ | | | verify |
+ | | | Same as -v option. |
+ | | | who |
+ | | | Same as -w option. |
+ | | | exclude |
+ | | | Same as -x option. |
+ | | | notime |
+ | | | Same as -z option. |
| | | value is ignored, but = sign |
| | | must be present. |
- | | |    jarfile |
- | | |            Same as -Z option. |
- | | |    outfile |
- | | |            Name of a file to |
+ | | | jarfile |
+ | | | Same as -Z option. |
+ | | | outfile |
+ | | | Name of a file to |
| | | which output and error |
| | | messages will be |
- | | |            redirected. This |
+ | | | redirected. This |
| | | option has no command-line |
| | | equivalent. |
| | | Extended Examples |
- | | |    The following example will |
+ | | | The following example will |
| | | do this and that |
- | | |    Listing Available Signing |
+ | | | Listing Available Signing |
| | | Certificates |
- | | |    You use the -L option to |
+ | | | You use the -L option to |
| | | list the nicknames for all |
| | | available certificates |
- | | |    and check which ones are |
+ | | | and check which ones are |
| | | signing certificates. |
- | | |  signtool -L |
- | | |  using certificate directory: |
+ | | | signtool -L |
+ | | | using certificate directory: |
| | | /u/jsmith/.netscape |
- | | |  S Certificates |
- | | |  - ------------ |
- | | |    BBN Certificate Services CA |
+ | | | S Certificates |
+ | | | - ------------ |
+ | | | BBN Certificate Services CA |
| | | Root 1 |
- | | |    IBM World Registry CA |
- | | |    VeriSign Class 1 CA - |
+ | | | IBM World Registry CA |
+ | | | VeriSign Class 1 CA - |
| | | Individual Subscriber - |
| | | VeriSign, Inc. |
- | | |    GTE CyberTrust Root CA |
- | | |    Uptime Group Plc. Class 4 |
+ | | | GTE CyberTrust Root CA |
+ | | | Uptime Group Plc. Class 4 |
| | | CA |
- | | |  \* Verisign Object Signing |
+ | | | \* Verisign Object Signing |
| | | Cert |
- | | |    Integrion CA |
- | | |    GTE CyberTrust Secure |
+ | | | Integrion CA |
+ | | | GTE CyberTrust Secure |
| | | Server CA |
- | | |    AT&T Directory Services |
- | | |  \* test object signing cert |
- | | |    Uptime Group Plc. Class 1 |
+ | | | AT&T Directory Services |
+ | | | \* test object signing cert |
+ | | | Uptime Group Plc. Class 1 |
| | | CA |
- | | |    VeriSign Class 1 Primary CA |
- | | |  - ------------ |
- | | |  Certificates that can be used |
+ | | | VeriSign Class 1 Primary CA |
+ | | | - ------------ |
+ | | | Certificates that can be used |
| | | to sign objects have \*'s to |
| | | their left. |
- | | |    Two signing certificates |
+ | | | Two signing certificates |
| | | are displayed: Verisign Object |
| | | Signing Cert and |
- | | |    test object signing cert. |
- | | |    You use the -l option to |
+ | | | test object signing cert. |
+ | | | You use the -l option to |
| | | get a list of signing |
| | | certificates only, |
- | | |    including the signing CA |
+ | | | including the signing CA |
| | | for each. |
- | | |  signtool -l |
- | | |  using certificate directory: |
+ | | | signtool -l |
+ | | | using certificate directory: |
| | | /u/jsmith/.netscape |
- | | |  Object signing certificates |
- | | |  --------- |
+ | | | Object signing certificates |
+ | | | --------- |
| | | ------------------------------ |
- | | |  Verisign Object Signing Cert |
- | | |      Issued by: VeriSign, Inc. |
+ | | | Verisign Object Signing Cert |
+ | | | Issued by: VeriSign, Inc. |
| | | - Verisign, Inc. |
- | | |      Expires: Tue May 19, 1998 |
- | | |  test object signing cert |
- | | |      Issued by: test object |
+ | | | Expires: Tue May 19, 1998 |
+ | | | test object signing cert |
+ | | | Issued by: test object |
| | | signing cert (Signtool 1.0 |
| | | Testing |
- | | |  Certificate (960187691)) |
- | | |      Expires: Sun May 17, 1998 |
- | | |  --------- |
+ | | | Certificate (960187691)) |
+ | | | Expires: Sun May 17, 1998 |
+ | | | --------- |
| | | ------------------------------ |
- | | |    For a list including CAs, |
+ | | | For a list including CAs, |
| | | use the -L option. |
- | | |    Signing a File |
- | | |    1. Create an empty |
+ | | | Signing a File |
+ | | | 1. Create an empty |
| | | directory. |
- | | |  mkdir signdir |
- | | |    2. Put some file into it. |
- | | |  echo boo > signdir/test.f |
- | | |    3. Specify the name of your |
+ | | | mkdir signdir |
+ | | | 2. Put some file into it. |
+ | | | echo boo > signdir/test.f |
+ | | | 3. Specify the name of your |
| | | object-signing certificate and |
| | | sign the |
- | | |    directory. |
- | | |  signtool -k MySignCert -Z |
+ | | | directory. |
+ | | | signtool -k MySignCert -Z |
| | | testjar.jar signdir |
- | | |  using key "MySignCert" |
- | | |  using certificate directory: |
+ | | | using key "MySignCert" |
+ | | | using certificate directory: |
| | | /u/jsmith/.netscape |
- | | |  Generating |
+ | | | Generating |
| | | signdir/META-INF/manifest.mf |
| | | file.. |
- | | |  --> test.f |
- | | |  adding signdir/test.f to |
+ | | | --> test.f |
+ | | | adding signdir/test.f to |
| | | testjar.jar |
- | | |  Generating signtool.sf file.. |
- | | |  Enter Password or Pin for |
+ | | | Generating signtool.sf file.. |
+ | | | Enter Password or Pin for |
| | | "Communicator Certificate DB": |
- | | |  adding |
+ | | | adding |
| | | signdir/META-INF/manifest.mf |
| | | to testjar.jar |
- | | |  adding |
+ | | | adding |
| | | signdir/META-INF/signtool.sf |
| | | to testjar.jar |
- | | |  adding |
+ | | | adding |
| | | signdir/META-INF/signtool.rsa |
| | | to testjar.jar |
- | | |  tree "signdir" signed |
+ | | | tree "signdir" signed |
| | | successfully |
- | | |    4. Test the archive you |
+ | | | 4. Test the archive you |
| | | just created. |
- | | |  signtool -v testjar.jar |
- | | |  using certificate directory: |
+ | | | signtool -v testjar.jar |
+ | | | using certificate directory: |
| | | /u/jsmith/.netscape |
- | | |  archive "testjar.jar" has |
+ | | | archive "testjar.jar" has |
| | | passed crypto verification. |
- | | |             status   path |
- | | |       ------------   |
+ | | | status path |
+ | | | ------------ |
| | | ------------------- |
- | | |           verified   test.f |
- | | |    Using Netscape Signing Tool |
+ | | | verified test.f |
+ | | | Using Netscape Signing Tool |
| | | with a ZIP Utility |
- | | |    To use Netscape Signing |
+ | | | To use Netscape Signing |
| | | Tool with a ZIP utility, you |
| | | must have the utility |
- | | |    in your path environment |
+ | | | in your path environment |
| | | variable. You should use the |
| | | zip.exe utility |
- | | |    rather than pkzip.exe, |
+ | | | rather than pkzip.exe, |
| | | which cannot handle long |
| | | filenames. You can use a |
- | | |    ZIP utility instead of the |
+ | | | ZIP utility instead of the |
| | | -Z option to package a signed |
| | | archive into a |
- | | |    JAR file after you have |
+ | | | JAR file after you have |
| | | signed it: |
- | | |  cd signdir |
- | | |    zip -r ../myjar.jar \* |
- | | |    adding: META-INF/ (stored |
+ | | | cd signdir |
+ | | | zip -r ../myjar.jar \* |
+ | | | adding: META-INF/ (stored |
| | | 0%) |
- | | |    adding: |
+ | | | adding: |
| | | META-INF/manifest.mf (deflated |
| | | 15%) |
- | | |    adding: |
+ | | | adding: |
| | | META-INF/signtool.sf (deflated |
| | | 28%) |
- | | |    adding: |
+ | | | adding: |
| | | META-INF/signtool.rsa (stored |
| | | 0%) |
- | | |    adding: text.txt (stored |
+ | | | adding: text.txt (stored |
| | | 0%) |
- | | |    Generating the Keys and |
+ | | | Generating the Keys and |
| | | Certificate |
- | | |    The signtool option -G |
+ | | | The signtool option -G |
| | | generates a new public-private |
| | | key pair and |
- | | |    certificate. It takes the |
+ | | | certificate. It takes the |
| | | nickname of the new |
| | | certificate as an argument. |
- | | |    The newly generated keys |
+ | | | The newly generated keys |
| | | and certificate are installed |
| | | into the key and |
- | | |    certificate databases in |
+ | | | certificate databases in |
| | | the directory specified by the |
| | | -d option. With |
- | | |    the NT version of Netscape |
+ | | | the NT version of Netscape |
| | | Signing Tool, you must use the |
| | | -d option with |
- | | |    the -G option. With the |
+ | | | the -G option. With the |
| | | Unix version of Netscape |
| | | Signing Tool, omitting |
- | | |    the -d option causes the |
+ | | | the -d option causes the |
| | | tool to install the keys and |
| | | certificate in the |
- | | |    Communicator key and |
+ | | | Communicator key and |
| | | certificate databases. In all |
| | | cases, the certificate |
- | | |    is also output to a file |
+ | | | is also output to a file |
| | | named x509.cacert, which has |
| | | the MIME-type |
- | | |    application/x-x509-ca-cert. |
- | | |    Certificates contain |
+ | | | application/x-x509-ca-cert. |
+ | | | Certificates contain |
| | | standard information about the |
| | | entity they identify, |
- | | |    such as the common name and |
+ | | | such as the common name and |
| | | organization name. Netscape |
| | | Signing Tool |
- | | |    prompts you for this |
+ | | | prompts you for this |
| | | information when you run the |
| | | command with the -G |
- | | |    option. However, all of the |
+ | | | option. However, all of the |
| | | requested fields are optional |
| | | for test |
- | | |    certificates. If you do not |
+ | | | certificates. If you do not |
| | | enter a common name, the tool |
| | | provides a |
- | | |    default name. In the |
+ | | | default name. In the |
| | | following example, the user |
| | | input is in boldface: |
- | | |  signtool -G MyTestCert |
- | | |  using certificate directory: |
+ | | | signtool -G MyTestCert |
+ | | | using certificate directory: |
| | | /u/someuser/.netscape |
- | | |  Enter certificate |
+ | | | Enter certificate |
| | | information. All fields are |
| | | optional. Acceptable |
- | | |  characters are numbers, |
+ | | | characters are numbers, |
| | | letters, spaces, and |
| | | apostrophes. |
- | | |  certificate common name: Test |
+ | | | certificate common name: Test |
| | | Object Signing Certificate |
- | | |  organization: Netscape |
+ | | | organization: Netscape |
| | | Communications Corp. |
- | | |  organization unit: Server |
+ | | | organization unit: Server |
| | | Products Division |
- | | |  state or province: California |
- | | |  country (must be exactly 2 |
+ | | | state or province: California |
+ | | | country (must be exactly 2 |
| | | characters): US |
- | | |  username: someuser |
- | | |  email address: |
+ | | | username: someuser |
+ | | | email address: |
| | | someuser@netscape.com |
- | | |  Enter Password or Pin for |
+ | | | Enter Password or Pin for |
| | | "Communicator Certificate DB": |
| | | [Password will not echo] |
- | | |  generated public/private key |
+ | | | generated public/private key |
| | | pair |
- | | |  certificate request generated |
- | | |  certificate has been signed |
- | | |  certificate "MyTestCert" |
+ | | | certificate request generated |
+ | | | certificate has been signed |
+ | | | certificate "MyTestCert" |
| | | added to database |
- | | |  Exported certificate to |
+ | | | Exported certificate to |
| | | x509.raw and x509.cacert. |
- | | |    The certificate information |
+ | | | The certificate information |
| | | is read from standard input. |
| | | Therefore, the |
- | | |    information can be read |
+ | | | information can be read |
| | | from a file using the |
| | | redirection operator (<) in |
- | | |    some operating systems. To |
+ | | | some operating systems. To |
| | | create a file for this |
| | | purpose, enter each of |
- | | |    the seven input fields, in |
+ | | | the seven input fields, in |
| | | order, on a separate line. |
| | | Make sure there is a |
- | | |    newline character at the |
+ | | | newline character at the |
| | | end of the last line. Then run |
| | | signtool with |
- | | |    standard input redirected |
+ | | | standard input redirected |
| | | from your file as follows: |
- | | |  signtool -G MyTestCert |
+ | | | signtool -G MyTestCert |
| | | inputfile |
- | | |    The prompts show up on the |
+ | | | The prompts show up on the |
| | | screen, but the responses will |
| | | be automatically |
- | | |    read from the file. The |
+ | | | read from the file. The |
| | | password will still be read |
| | | from the console |
- | | |    unless you use the -p |
+ | | | unless you use the -p |
| | | option to give the password on |
| | | the command line. |
- | | |    Using the -M Option to List |
+ | | | Using the -M Option to List |
| | | Smart Cards |
- | | |    You can use the -M option |
+ | | | You can use the -M option |
| | | to list the PKCS #11 modules, |
| | | including smart |
- | | |    cards, that are available |
+ | | | cards, that are available |
| | | to signtool: |
- | | |  signtool -d |
+ | | | signtool -d |
| | | "c:\netscape\users\jsmith" -M |
- | | |  using certificate directory: |
+ | | | using certificate directory: |
| | | c:\netscape\users\username |
- | | |  Listing of PKCS11 modules |
- | | |  ----------------- |
+ | | | Listing of PKCS11 modules |
+ | | | ----------------- |
| | | ------------------------------ |
- | | |          1. Netscape Internal |
+ | | | 1. Netscape Internal |
| | | PKCS #11 Module |
- | | |                            |
+ | | | |
| | | (this module is internally |
| | | loaded) |
- | | |                            |
+ | | | |
| | | slots: 2 slots attached |
- | | |                            |
+ | | | |
| | | status: loaded |
- | | |            slot: Communicator |
+ | | | slot: Communicator |
| | | Internal Cryptographic |
| | | Services Version 4.0 |
- | | |           token: Communicator |
+ | | | token: Communicator |
| | | Generic Crypto Svcs |
- | | |            slot: Communicator |
+ | | | slot: Communicator |
| | | User Private Key and |
| | | Certificate Services |
- | | |           token: Communicator |
+ | | | token: Communicator |
| | | Certificate DB |
- | | |          2. CryptOS |
- | | |                            |
+ | | | 2. CryptOS |
+ | | | |
| | | (this is an external module) |
- | | |   DLL name: core32 |
- | | |           slots: 1 slots |
+ | | | DLL name: core32 |
+ | | | slots: 1 slots |
| | | attached |
- | | |          status: loaded |
- | | |            slot: Litronic 210 |
- | | |           token: |
- | | |          |
+ | | | status: loaded |
+ | | | slot: Litronic 210 |
+ | | | token: |
+ | | | |
| | | ----------------- |
| | | ------------------------------ |
- | | |    Using Netscape Signing Tool |
+ | | | Using Netscape Signing Tool |
| | | and a Smart Card to Sign Files |
- | | |    The signtool command |
+ | | | The signtool command |
| | | normally takes an argument of |
| | | the -k option to |
- | | |    specify a signing |
+ | | | specify a signing |
| | | certificate. To sign with a |
| | | smart card, you supply only |
- | | |    the fully qualified name of |
+ | | | the fully qualified name of |
| | | the certificate. |
- | | |    To see fully qualified |
+ | | | To see fully qualified |
| | | certificate names when you run |
| | | Communicator, click |
- | | |    the Security button in |
+ | | | the Security button in |
| | | Navigator, then click Yours |
| | | under Certificates in |
- | | |    the left frame. Fully |
+ | | | the left frame. Fully |
| | | qualified names are of the |
| | | format smart |
- | | |    card:certificate, for |
+ | | | card:certificate, for |
| | | example "MyCard:My Signing |
| | | Cert". You use this name |
- | | |    with the -k argument as |
+ | | | with the -k argument as |
| | | follows: |
- | | |  signtool -k "MyCard:My |
+ | | | signtool -k "MyCard:My |
| | | Signing Cert" directory |
- | | |    Verifying FIPS Mode |
- | | |    Use the -M option to verify |
+ | | | Verifying FIPS Mode |
+ | | | Use the -M option to verify |
| | | that you are using the |
| | | FIPS-140-1 module. |
- | | |  signtool -d |
+ | | | signtool -d |
| | | "c:\netscape\users\jsmith" -M |
- | | |  using certificate directory: |
+ | | | using certificate directory: |
| | | c:\netscape\users\jsmith |
- | | |  Listing of PKCS11 modules |
- | | |  ----------------- |
+ | | | Listing of PKCS11 modules |
+ | | | ----------------- |
| | | ------------------------------ |
- | | |    1. Netscape Internal PKCS |
+ | | | 1. Netscape Internal PKCS |
| | | #11 Module |
- | | |            (this module is |
+ | | | (this module is |
| | | internally loaded) |
- | | |            slots: 2 slots |
+ | | | slots: 2 slots |
| | | attached |
- | | |            status: loaded |
- | | |      slot: Communicator |
+ | | | status: loaded |
+ | | | slot: Communicator |
| | | Internal Cryptographic |
| | | Services Version 4.0 |
- | | |     token: Communicator |
+ | | | token: Communicator |
| | | Generic Crypto Svcs |
- | | |      slot: Communicator User |
+ | | | slot: Communicator User |
| | | Private Key and Certificate |
| | | Services |
- | | |     token: Communicator |
+ | | | token: Communicator |
| | | Certificate DB |
- | | |  ----------------- |
+ | | | ----------------- |
| | | ------------------------------ |
- | | |    This Unix example shows |
+ | | | This Unix example shows |
| | | that Netscape Signing Tool is |
| | | using a FIPS-140-1 |
- | | |    module: |
- | | |  signtool -d |
+ | | | module: |
+ | | | signtool -d |
| | | "c:\netscape\users\jsmith" -M |
- | | |  using certificate directory: |
+ | | | using certificate directory: |
| | | c:\netscape\users\jsmith |
- | | |  Enter Password or Pin for |
+ | | | Enter Password or Pin for |
| | | "Communicator Certificate DB": |
| | | [password will not echo] |
- | | |  Listing of PKCS11 modules |
- | | |  ----------------- |
+ | | | Listing of PKCS11 modules |
+ | | | ----------------- |
| | | ------------------------------ |
- | | |  1. Netscape Internal FIPS |
+ | | | 1. Netscape Internal FIPS |
| | | PKCS #11 Module |
- | | |  (this module is internally |
+ | | | (this module is internally |
| | | loaded) |
- | | |  slots: 1 slots attached |
- | | |  status: loaded |
- | | |  slot: Netscape Internal |
+ | | | slots: 1 slots attached |
+ | | | status: loaded |
+ | | | slot: Netscape Internal |
| | | FIPS-140-1 Cryptographic |
| | | Services |
- | | |  token: Communicator |
+ | | | token: Communicator |
| | | Certificate DB |
- | | |  ----------------- |
+ | | | ----------------- |
| | | ------------------------------ |
| | | See Also |
- | | |    signver (1) |
- | | |    The NSS wiki has |
+ | | | signver (1) |
+ | | | The NSS wiki has |
| | | information on the new |
| | | database design and how to |
- | | |    configure applications to |
+ | | | configure applications to |
| | | use it. |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |      |
- | | | o https:// |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
@@ -10422,241 +10422,241 @@ Index
| | la_projects_nss_tools_signver` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    signver — Verify a detached |
+ | | | signver — Verify a detached |
| | | PKCS#7 signature for a file. |
| | | Synopsis |
- | | |    signtool -A \| -V -d |
+ | | | signtool -A \| -V -d |
| | | directory [-a] [-i input_file] |
| | | [-o output_file] [-s |
- | | |    signature_file] [-v] |
+ | | | signature_file] [-v] |
| | | Description |
- | | |    The Signature Verification |
+ | | | The Signature Verification |
| | | Tool, signver, is a simple |
| | | command-line utility |
- | | |    that unpacks a |
+ | | | that unpacks a |
| | | base-64-encoded PKCS#7 signed |
| | | object and verifies the |
- | | |    digital signature using |
+ | | | digital signature using |
| | | standard cryptographic |
| | | techniques. The Signature |
- | | |    Verification Tool can also |
+ | | | Verification Tool can also |
| | | display the contents of the |
| | | signed object. |
| | | Options |
- | | |    -A |
- | | |            Displays all of the |
+ | | | -A |
+ | | | Displays all of the |
| | | information in the PKCS#7 |
| | | signature. |
- | | |    -V |
- | | |            Verifies the |
+ | | | -V |
+ | | | Verifies the |
| | | digital signature. |
- | | |    -d [sql:]directory |
- | | |            Specify the |
+ | | | -d [sql:]directory |
+ | | | Specify the |
| | | database directory which |
| | | contains the certificates and |
- | | |            keys. |
- | | |            signver supports |
+ | | | keys. |
+ | | | signver supports |
| | | two types of databases: the |
| | | legacy security |
- | | |            databases |
+ | | | databases |
| | | (cert8.db, key3.db, and |
| | | secmod.db) and new SQLite |
- | | |            databases |
+ | | | databases |
| | | (cert9.db, key4.db, and |
| | | pkcs11.txt). If the prefix |
| | | sql: |
- | | |            is not used, then |
+ | | | is not used, then |
| | | the tool assumes that the |
| | | given databases are in |
- | | |            the old format. |
- | | |    -a |
- | | |            Sets that the given |
+ | | | the old format. |
+ | | | -a |
+ | | | Sets that the given |
| | | signature file is in ASCII |
| | | format. |
- | | |    -i input_file |
- | | |            Gives the input |
+ | | | -i input_file |
+ | | | Gives the input |
| | | file for the object with |
| | | signed data. |
- | | |    -o output_file |
- | | |            Gives the output |
+ | | | -o output_file |
+ | | | Gives the output |
| | | file to which to write the |
| | | results. |
- | | |    -s signature_file |
- | | |            Gives the input |
+ | | | -s signature_file |
+ | | | Gives the input |
| | | file for the digital |
| | | signature. |
- | | |    -v |
- | | |            Enables verbose |
+ | | | -v |
+ | | | Enables verbose |
| | | output. |
| | | Extended Examples |
- | | |   Verifying a Signature |
- | | |    The -V option verifies that |
+ | | | Verifying a Signature |
+ | | | The -V option verifies that |
| | | the signature in a given |
| | | signature file is |
- | | |    valid when used to sign the |
+ | | | valid when used to sign the |
| | | given object (from the input |
| | | file). |
- | | |  signver -V -s signature_file |
+ | | | signver -V -s signature_file |
| | | -i signed_file -d |
| | | sql:/home/my/sharednssdb |
- | | |  signatureValid=yes |
- | | |   Printing Signature Data |
- | | |    The -A option prints all of |
+ | | | signatureValid=yes |
+ | | | Printing Signature Data |
+ | | | The -A option prints all of |
| | | the information contained in a |
| | | signature file. |
- | | |    Using the -o option prints |
+ | | | Using the -o option prints |
| | | the signature file information |
| | | to the given |
- | | |    output file rather than |
+ | | | output file rather than |
| | | stdout. |
- | | |  signver -A -s signature_file |
+ | | | signver -A -s signature_file |
| | | -o output_file |
| | | NSS Database Types |
- | | |    NSS originally used |
+ | | | NSS originally used |
| | | BerkeleyDB databases to store |
| | | security information. |
- | | |    The last versions of these |
+ | | | The last versions of these |
| | | legacy databases are: |
- | | |      o cert8.db for |
+ | | | o cert8.db for |
| | | certificates |
- | | |      o key3.db for keys |
- | | |      o secmod.db for PKCS #11 |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
| | | module information |
- | | |    BerkeleyDB has performance |
+ | | | BerkeleyDB has performance |
| | | limitations, though, which |
| | | prevent it from |
- | | |    being easily used by |
+ | | | being easily used by |
| | | multiple applications |
| | | simultaneously. NSS has some |
- | | |    flexibility that allows |
+ | | | flexibility that allows |
| | | applications to use their own, |
| | | independent |
- | | |    database engine while |
+ | | | database engine while |
| | | keeping a shared database and |
| | | working around the |
- | | |    access issues. Still, NSS |
+ | | | access issues. Still, NSS |
| | | requires more flexibility to |
| | | provide a truly |
- | | |    shared security database. |
- | | |    In 2009, NSS introduced a |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
| | | new set of databases that are |
| | | SQLite databases |
- | | |    rather than BerkleyDB. |
+ | | | rather than BerkleyDB. |
| | | These new databases provide |
| | | more accessibility and |
- | | |    performance: |
- | | |      o cert9.db for |
+ | | | performance: |
+ | | | o cert9.db for |
| | | certificates |
- | | |      o key4.db for keys |
- | | |      o pkcs11.txt, which is |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
| | | listing of all of the PKCS #11 |
| | | modules contained |
- | | |        in a new subdirectory |
+ | | | in a new subdirectory |
| | | in the security databases |
| | | directory |
- | | |    Because the SQLite |
+ | | | Because the SQLite |
| | | databases are designed to be |
| | | shared, these are the |
- | | |    shared database type. The |
+ | | | shared database type. The |
| | | shared database type is |
| | | preferred; the legacy |
- | | |    format is included for |
+ | | | format is included for |
| | | backward compatibility. |
- | | |    By default, the tools |
+ | | | By default, the tools |
| | | (certutil, pk12util, modutil) |
| | | assume that the given |
- | | |    security databases follow |
+ | | | security databases follow |
| | | the more common legacy type. |
| | | Using the SQLite |
- | | |    databases must be manually |
+ | | | databases must be manually |
| | | specified by using the sql: |
| | | prefix with the |
- | | |    given security directory. |
+ | | | given security directory. |
| | | For example: |
- | | |  # signver -A -s signature -d |
+ | | | # signver -A -s signature -d |
| | | sql:/home/my/sharednssdb |
- | | |    To set the shared database |
+ | | | To set the shared database |
| | | type as the default type for |
| | | the tools, set the |
- | | |    NSS_DEFAULT_DB_TYPE |
+ | | | NSS_DEFAULT_DB_TYPE |
| | | environment variable to sql: |
- | | |  export |
+ | | | export |
| | | NSS_DEFAULT_DB_TYPE="sql" |
- | | |    This line can be set added |
+ | | | This line can be set added |
| | | to the ~/.bashrc file to make |
| | | the change |
- | | |    permanent. |
- | | |    Most applications do not |
+ | | | permanent. |
+ | | | Most applications do not |
| | | use the shared database by |
| | | default, but they can |
- | | |    be configured to use them. |
+ | | | be configured to use them. |
| | | For example, this how-to |
| | | article covers how to |
- | | |    configure Firefox and |
+ | | | configure Firefox and |
| | | Thunderbird to use the new |
| | | shared NSS databases: |
- | | |      |
- | | | o https://wiki.m |
+ | | | |
+ | | | o https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |    For an engineering draft on |
+ | | | For an engineering draft on |
| | | the changes in the shared NSS |
| | | databases, see |
- | | |    the NSS project wiki: |
- | | |      |
- | | | o https:// |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | See Also |
- | | |    signtool (1) |
- | | |    The NSS wiki has |
+ | | | signtool (1) |
+ | | | The NSS wiki has |
| | | information on the new |
| | | database design and how to |
- | | |    configure applications to |
+ | | | configure applications to |
| | | use it. |
- | | |      o Setting up the shared |
+ | | | o Setting up the shared |
| | | NSS database |
- | | |        |
+ | | | |
| | | https://wiki.m |
| | | ozilla.org/NSS_Shared_DB_Howto |
- | | |      o Engineering and |
+ | | | o Engineering and |
| | | technical information about |
| | | the shared NSS database |
- | | |        |
+ | | | |
| | | https:// |
| | | wiki.mozilla.org/NSS_Shared_DB |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
@@ -10668,883 +10668,883 @@ Index
| | lla_projects_nss_tools_ssltap` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    ssltap — Tap into SSL |
+ | | | ssltap — Tap into SSL |
| | | connections and display the |
| | | data going by |
| | | Synopsis |
- | | |    libssltap [-vhfsxl] [-p |
+ | | | libssltap [-vhfsxl] [-p |
| | | port] [hostname:port] |
| | | Description |
- | | |    The SSL Debugging Tool |
+ | | | The SSL Debugging Tool |
| | | ssltap is an SSL-aware |
| | | command-line proxy. It |
- | | |    watches TCP connections and |
+ | | | watches TCP connections and |
| | | displays the data going by. If |
| | | a connection is |
- | | |    SSL, the data display |
+ | | | SSL, the data display |
| | | includes interpreted SSL |
| | | records and handshaking |
| | | Options |
- | | |    -v |
- | | |            Print a version |
+ | | | -v |
+ | | | Print a version |
| | | string for the tool. |
- | | |    -h |
- | | |            Turn on hex/ASCII |
+ | | | -h |
+ | | | Turn on hex/ASCII |
| | | printing. Instead of |
| | | outputting raw data, the |
- | | |            command interprets |
+ | | | command interprets |
| | | each record as a numbered line |
| | | of hex values, |
- | | |            followed by the |
+ | | | followed by the |
| | | same data as ASCII characters. |
| | | The two parts are |
- | | |            separated by a |
+ | | | separated by a |
| | | vertical bar. Nonprinting |
| | | characters are replaced |
- | | |            by dots. |
- | | |    -f |
- | | |            Turn on fancy |
+ | | | by dots. |
+ | | | -f |
+ | | | Turn on fancy |
| | | printing. Output is printed in |
| | | colored HTML. Data |
- | | |            sent from the |
+ | | | sent from the |
| | | client to the server is in |
| | | blue; the server's reply |
- | | |            is in red. When |
+ | | | is in red. When |
| | | used with looping mode, the |
| | | different connections |
- | | |            are separated with |
+ | | | are separated with |
| | | horizontal lines. You can use |
| | | this option to |
- | | |            upload the output |
+ | | | upload the output |
| | | into a browser. |
- | | |    -s |
- | | |            Turn on SSL parsing |
+ | | | -s |
+ | | | Turn on SSL parsing |
| | | and decoding. The tool does |
| | | not automatically |
- | | |            detect SSL |
+ | | | detect SSL |
| | | sessions. If you are |
| | | intercepting an SSL |
| | | connection, |
- | | |            use this option so |
+ | | | use this option so |
| | | that the tool can detect and |
| | | decode SSL |
- | | |            structures. |
- | | |            If the tool detects |
+ | | | structures. |
+ | | | If the tool detects |
| | | a certificate chain, it saves |
| | | the DER-encoded |
- | | |            certificates into |
+ | | | certificates into |
| | | files in the current |
| | | directory. The files are |
- | | |            named cert.0x, |
+ | | | named cert.0x, |
| | | where x is the sequence number |
| | | of the certificate. |
- | | |            If the -s option is |
+ | | | If the -s option is |
| | | used with -h, two separate |
| | | parts are printed |
- | | |            for each record: |
+ | | | for each record: |
| | | the plain hex/ASCII output, |
| | | and the parsed SSL |
- | | |            output. |
- | | |    -x |
- | | |            Turn on hex/ASCII |
+ | | | output. |
+ | | | -x |
+ | | | Turn on hex/ASCII |
| | | printing of undecoded data |
| | | inside parsed SSL |
- | | |            records. Used only |
+ | | | records. Used only |
| | | with the -s option. This |
| | | option uses the same |
- | | |            output format as |
+ | | | output format as |
| | | the -h option. |
- | | |    -l prefix |
- | | |            Turn on looping; |
+ | | | -l prefix |
+ | | | Turn on looping; |
| | | that is, continue to accept |
| | | connections rather |
- | | |            than stopping after |
+ | | | than stopping after |
| | | the first connection is |
| | | complete. |
- | | |    -p port |
- | | |            Change the default |
+ | | | -p port |
+ | | | Change the default |
| | | rendezvous port (1924) to |
| | | another port. |
- | | |            The following are |
+ | | | The following are |
| | | well-known port numbers: |
- | | |            \* HTTP 80 |
- | | |            \* HTTPS 443 |
- | | |            \* SMTP 25 |
- | | |            \* FTP 21 |
- | | |            \* IMAP 143 |
- | | |            \* IMAPS 993 (IMAP |
+ | | | \* HTTP 80 |
+ | | | \* HTTPS 443 |
+ | | | \* SMTP 25 |
+ | | | \* FTP 21 |
+ | | | \* IMAP 143 |
+ | | | \* IMAPS 993 (IMAP |
| | | over SSL) |
- | | |            \* NNTP 119 |
- | | |            \* NNTPS 563 (NNTP |
+ | | | \* NNTP 119 |
+ | | | \* NNTPS 563 (NNTP |
| | | over SSL) |
| | | Usage and Examples |
- | | |    You can use the SSL |
+ | | | You can use the SSL |
| | | Debugging Tool to intercept |
| | | any connection |
- | | |    information. Although you |
+ | | | information. Although you |
| | | can run the tool at its most |
| | | basic by issuing |
- | | |    the ssltap command with no |
+ | | | the ssltap command with no |
| | | options other than |
| | | hostname:port, the |
- | | |    information you get in this |
+ | | | information you get in this |
| | | way is not very useful. For |
| | | example, assume |
- | | |    your development machine is |
+ | | | your development machine is |
| | | called intercept. The simplest |
| | | way to use the |
- | | |    debugging tool is to |
+ | | | debugging tool is to |
| | | execute the following command |
| | | from a command shell: |
- | | |  $ ssltap www.netscape.com |
- | | |    The program waits for an |
+ | | | $ ssltap www.netscape.com |
+ | | | The program waits for an |
| | | incoming connection on the |
| | | default port 1924. In |
- | | |    your browser window, enter |
+ | | | your browser window, enter |
| | | the URL http://intercept:1924. |
| | | The browser |
- | | |    retrieves the requested |
+ | | | retrieves the requested |
| | | page from the server at |
| | | www.netscape.com, but the |
- | | |    page is intercepted and |
+ | | | page is intercepted and |
| | | passed on to the browser by |
| | | the debugging tool on |
- | | |    intercept. On its way to |
+ | | | intercept. On its way to |
| | | the browser, the data is |
| | | printed to the command |
- | | |    shell from which you issued |
+ | | | shell from which you issued |
| | | the command. Data sent from |
| | | the client to the |
- | | |    server is surrounded by the |
+ | | | server is surrounded by the |
| | | following symbols: --> [ data |
| | | ] Data sent from |
- | | |    the server to the client is |
+ | | | the server to the client is |
| | | surrounded by the following |
| | | symbols: "left |
- | | |    arrow"-- [ data ] The raw |
+ | | | arrow"-- [ data ] The raw |
| | | data stream is sent to |
| | | standard output and is |
- | | |    not interpreted in any way. |
+ | | | not interpreted in any way. |
| | | This can result in peculiar |
| | | effects, such as |
- | | |    sounds, flashes, and even |
+ | | | sounds, flashes, and even |
| | | crashes of the command shell |
| | | window. To output a |
- | | |    basic, printable |
+ | | | basic, printable |
| | | interpretation of the data, |
| | | use the -h option, or, if you |
- | | |    are looking at an SSL |
+ | | | are looking at an SSL |
| | | connection, the -s option. You |
| | | will notice that the |
- | | |    page you retrieved looks |
+ | | | page you retrieved looks |
| | | incomplete in the browser. |
| | | This is because, by |
- | | |    default, the tool closes |
+ | | | default, the tool closes |
| | | down after the first |
| | | connection is complete, so |
- | | |    the browser is not able to |
+ | | | the browser is not able to |
| | | load images. To make the tool |
| | | continue to |
- | | |    accept connections, switch |
+ | | | accept connections, switch |
| | | on looping mode with the -l |
| | | option. The |
- | | |    following examples show the |
+ | | | following examples show the |
| | | output from commonly used |
| | | combinations of |
- | | |    options. |
- | | |    Example 1 |
- | | |  $ ssltap.exe -sx -p 444 |
+ | | | options. |
+ | | | Example 1 |
+ | | | $ ssltap.exe -sx -p 444 |
| | | interzone.mcom.com:443 > |
| | | sx.txt |
- | | |    Output |
- | | |  Connected to |
+ | | | Output |
+ | | | Connected to |
| | | interzone.mcom.com:443 |
- | | |  -->; [ |
- | | |  alloclen = 66 bytes |
- | | |     [ssl2]  ClientHelloV2 { |
- | | |              version = {0x03, |
+ | | | -->; [ |
+ | | | alloclen = 66 bytes |
+ | | | [ssl2] ClientHelloV2 { |
+ | | | version = {0x03, |
| | | 0x00} |
- | | |              |
+ | | | |
| | | cipher-specs-length = 39 |
| | | (0x27) |
- | | |              sid-length = 0 |
+ | | | sid-length = 0 |
| | | (0x00) |
- | | |              challenge-length |
+ | | | challenge-length |
| | | = 16 (0x10) |
- | | |              cipher-suites = { |
- | | |                  (0x010080) |
+ | | | cipher-suites = { |
+ | | | (0x010080) |
| | | SSL2/RSA/RC4-128/MD5 |
- | | |                    (0x020080) |
+ | | | (0x020080) |
| | | SSL2/RSA/RC4-40/MD5 |
- | | |                    (0x030080) |
+ | | | (0x030080) |
| | | SSL2/RSA/RC2CBC128/MD5 |
- | | |                    (0x040080) |
+ | | | (0x040080) |
| | | SSL2/RSA/RC2CBC40/MD5 |
- | | |                    (0x060040) |
+ | | | (0x060040) |
| | | SSL2/RSA/DES64CBC/MD5 |
- | | |                    (0x0700c0) |
+ | | | (0x0700c0) |
| | | SSL2/RSA/3DES192EDE-CBC/MD5 |
- | | |                    (0x000004) |
+ | | | (0x000004) |
| | | SSL3/RSA/RC4-128/MD5 |
- | | |                    (0x00ffe0) |
+ | | | (0x00ffe0) |
| | | SS |
| | | L3/RSA-FIPS/3DES192EDE-CBC/SHA |
- | | |                    (0x00000a) |
+ | | | (0x00000a) |
| | | SSL3/RSA/3DES192EDE-CBC/SHA |
- | | |                    (0x00ffe1) |
+ | | | (0x00ffe1) |
| | | SSL3/RSA-FIPS/DES64CBC/SHA |
- | | |                    (0x000009) |
+ | | | (0x000009) |
| | | SSL3/RSA/DES64CBC/SHA |
- | | |                    (0x000003) |
+ | | | (0x000003) |
| | | SSL3/RSA/RC4-40/MD5 |
- | | |                    (0x000006) |
+ | | | (0x000006) |
| | | SSL3/RSA/RC2CBC40/MD5 |
- | | |                    } |
- | | |              session-id = { } |
- | | |              challenge = { |
+ | | | } |
+ | | | session-id = { } |
+ | | | challenge = { |
| | | 0xec5d 0x8edb 0x37c9 0xb5c9 |
| | | 0x7b70 0x8fe9 0xd1d3 |
- | | |  0x2592 } |
- | | |  } |
- | | |  ] |
- | | |  <-- [ |
- | | |  SSLRecord { |
- | | |     0: 16 03 00 03  |
- | | | e5     |
- | | |                                |
+ | | | 0x2592 } |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 03 |
+ | | | e5 |
+ | | | |
| | | \|..... |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 997 (0x3e5) |
- | | |     handshake { |
- | | |     0: 02 00 00 |
- | | | 46        |
- | | |                                |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 997 (0x3e5) |
+ | | | handshake { |
+ | | | 0: 02 00 00 |
+ | | | 46 |
+ | | | |
| | | \|...F |
- | | |        type = 2 (server_hello) |
- | | |        length = 70 (0x000046) |
- | | |              ServerHello { |
- | | |              server_version = |
+ | | | type = 2 (server_hello) |
+ | | | length = 70 (0x000046) |
+ | | | ServerHello { |
+ | | | server_version = |
| | | {3, 0} |
- | | |              random = {...} |
- | | |     0: 77 8c 6e 26  6c 0c ec |
- | | | c0  d9 58 4f 47  d3 2d 01 45  |
+ | | | random = {...} |
+ | | | 0: 77 8c 6e 26 6c 0c ec |
+ | | | c0 d9 58 4f 47 d3 2d 01 45 |
| | | \| |
- | | |  wn&l.ì..XOG.-.E |
- | | |     10: 5c 17 75 43  a7 4c 88 |
- | | | c7  88 64 3c 50  41 48 4f 7f  |
+ | | | wn&l.ì..XOG.-.E |
+ | | | 10: 5c 17 75 43 a7 4c 88 |
+ | | | c7 88 64 3c 50 41 48 4f 7f |
| | | \| |
- | | |  \.uC§L.Ç.d<PAHO. |
- | | |                    session ID |
+ | | | \.uC§L.Ç.d<PAHO. |
+ | | | session ID |
| | | = { |
- | | |                    length = 32 |
- | | |                  contents = |
+ | | | length = 32 |
+ | | | contents = |
| | | {..} |
- | | |     0: 14 11 07 a8  2a 31 91 |
- | | | 29  11 94 40 37  57 10 a7 32  |
+ | | | 0: 14 11 07 a8 2a 31 91 |
+ | | | 29 11 94 40 37 57 10 a7 32 |
| | | \| ...¨*1.)..@7W.§2 |
- | | |     10: 56 6f 52 62  fe 3d b3 |
- | | | 65  b1 e4 13 0f  52 a3 c8 f6  |
+ | | | 10: 56 6f 52 62 fe 3d b3 |
+ | | | 65 b1 e4 13 0f 52 a3 c8 f6 |
| | | \| VoRbþ=³e±...R£È. |
- | | |           } |
- | | |                 cipher_suite = |
+ | | | } |
+ | | | cipher_suite = |
| | | (0x0003) SSL3/RSA/RC4-40/MD5 |
- | | |           } |
- | | |     0: 0b 00 02 |
- | | | c5        |
- | | |                                |
+ | | | } |
+ | | | 0: 0b 00 02 |
+ | | | c5 |
+ | | | |
| | | \|...Å |
- | | |        type = 11 (certificate) |
- | | |        length = 709 (0x0002c5) |
- | | |              CertificateChain |
+ | | | type = 11 (certificate) |
+ | | | length = 709 (0x0002c5) |
+ | | | CertificateChain |
| | | { |
- | | |              chainlength = 706 |
+ | | | chainlength = 706 |
| | | (0x02c2) |
- | | |                 Certificate { |
- | | |              size = 703 |
+ | | | Certificate { |
+ | | | size = 703 |
| | | (0x02bf) |
- | | |                 data = { saved |
+ | | | data = { saved |
| | | in file 'cert.001' } |
- | | |              } |
- | | |           } |
- | | |     0: 0c 00 00 |
- | | | ca        |
- | | |                                |
+ | | | } |
+ | | | } |
+ | | | 0: 0c 00 00 |
+ | | | ca |
+ | | | |
| | | \|.... |
- | | |           type = 12 |
+ | | | type = 12 |
| | | (server_key_exchange) |
- | | |           length = 202 |
+ | | | length = 202 |
| | | (0x0000ca) |
- | | |     0: 0e 00 00 |
- | | | 00        |
- | | |                                |
+ | | | 0: 0e 00 00 |
+ | | | 00 |
+ | | | |
| | | \|.... |
- | | |           type = 14 |
+ | | | type = 14 |
| | | (server_hello_done) |
- | | |           length = 0 |
+ | | | length = 0 |
| | | (0x000000) |
- | | |     } |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     0: 16 03 00 00  |
- | | | 44     |
- | | |                                |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 00 |
+ | | | 44 |
+ | | | |
| | | \|....D |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 68 (0x44) |
- | | |     handshake { |
- | | |     0: 10 00 00 |
- | | | 40        |
- | | |                                |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 68 (0x44) |
+ | | | handshake { |
+ | | | 0: 10 00 00 |
+ | | | 40 |
+ | | | |
| | | \|...@ |
- | | |     type = 16 |
+ | | | type = 16 |
| | | (client_key_exchange) |
- | | |     length = 64 (0x000040) |
- | | |           ClientKeyExchange { |
- | | |              message = {...} |
- | | |           } |
- | | |     } |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     0: 14 03 00 00  |
- | | | 01     |
- | | |                                |
+ | | | length = 64 (0x000040) |
+ | | | ClientKeyExchange { |
+ | | | message = {...} |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | 0: 14 03 00 00 |
+ | | | 01 |
+ | | | |
| | | \|..... |
- | | |     type    = 20 |
+ | | | type = 20 |
| | | (change_cipher_spec) |
- | | |     version = { 3,0 } |
- | | |     length  = 1 (0x1) |
- | | |     0: |
- | | | 01                 |
- | | |                                |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | 0: |
+ | | | 01 |
+ | | | |
| | | \|. |
- | | |  } |
- | | |  SSLRecord { |
- | | |     0: 16 03 00 00  |
- | | | 38     |
- | | |                                |
+ | | | } |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 00 |
+ | | | 38 |
+ | | | |
| | | \|....8 |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 56 (0x38) |
- | | |                 < encrypted > |
- | | |  } |
- | | |  ] |
- | | |  <-- [ |
- | | |  SSLRecord { |
- | | |     0: 14 03 00 00  |
- | | | 01     |
- | | |                                |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 14 03 00 00 |
+ | | | 01 |
+ | | | |
| | | \|..... |
- | | |     type    = 20 |
+ | | | type = 20 |
| | | (change_cipher_spec) |
- | | |     version = { 3,0 } |
- | | |     length  = 1 (0x1) |
- | | |     0: |
- | | | 01                 |
- | | |                                |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | 0: |
+ | | | 01 |
+ | | | |
| | | \|. |
- | | |  } |
- | | |  ] |
- | | |  <-- [ |
- | | |  SSLRecord { |
- | | |     0: 16 03 00 00  |
- | | | 38     |
- | | |                                |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 00 |
+ | | | 38 |
+ | | | |
| | | \|....8 |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 56 (0x38) |
- | | |                    < encrypted |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | < encrypted |
| | | > |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     0: 17 03 00 01  |
- | | | 1f     |
- | | |                                |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | 0: 17 03 00 01 |
+ | | | 1f |
+ | | | |
| | | \|..... |
- | | |     type    = 23 |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 287 (0x11f) |
- | | |                 < encrypted > |
- | | |  } |
- | | |  ] |
- | | |  <-- [ |
- | | |  SSLRecord { |
- | | |     0: 17 03 00 00  |
- | | | a0     |
- | | |                                |
+ | | | version = { 3,0 } |
+ | | | length = 287 (0x11f) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 17 03 00 00 |
+ | | | a0 |
+ | | | |
| | | \|.... |
- | | |     type    = 23 |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 160 (0xa0) |
- | | |                 < encrypted > |
- | | |  } |
- | | |  ] |
- | | |  <-- [ |
- | | |  SSLRecord { |
- | | |  0: 17 03 00 00  |
- | | | df     |
- | | |                                |
+ | | | version = { 3,0 } |
+ | | | length = 160 (0xa0) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 17 03 00 00 |
+ | | | df |
+ | | | |
| | | \|....ß |
- | | |     type    = 23 |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 223 (0xdf) |
- | | |                 < encrypted > |
- | | |  } |
- | | |  SSLRecord { |
- | | |     0: 15 03 00 00  |
- | | | 12     |
- | | |                                |
+ | | | version = { 3,0 } |
+ | | | length = 223 (0xdf) |
+ | | | < encrypted > |
+ | | | } |
+ | | | SSLRecord { |
+ | | | 0: 15 03 00 00 |
+ | | | 12 |
+ | | | |
| | | \|..... |
- | | |     type    = 21 (alert) |
- | | |     version = { 3,0 } |
- | | |     length  = 18 (0x12) |
- | | |                 < encrypted > |
- | | |  } |
- | | |  ] |
- | | |  Server socket closed. |
- | | |    Example 2 |
- | | |    The -s option turns on SSL |
+ | | | type = 21 (alert) |
+ | | | version = { 3,0 } |
+ | | | length = 18 (0x12) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | Server socket closed. |
+ | | | Example 2 |
+ | | | The -s option turns on SSL |
| | | parsing. Because the -x option |
| | | is not used in |
- | | |    this example, undecoded |
+ | | | this example, undecoded |
| | | values are output as raw data. |
| | | The output is |
- | | |    routed to a text file. |
- | | |  $ ssltap -s  -p 444 |
+ | | | routed to a text file. |
+ | | | $ ssltap -s -p 444 |
| | | interzone.mcom.com:443 > s.txt |
- | | |    Output |
- | | |  Connected to |
+ | | | Output |
+ | | | Connected to |
| | | interzone.mcom.com:443 |
- | | |  --> [ |
- | | |  alloclen = 63 bytes |
- | | |     [ssl2]  ClientHelloV2 { |
- | | |              version = {0x03, |
+ | | | --> [ |
+ | | | alloclen = 63 bytes |
+ | | | [ssl2] ClientHelloV2 { |
+ | | | version = {0x03, |
| | | 0x00} |
- | | |              |
+ | | | |
| | | cipher-specs-length = 36 |
| | | (0x24) |
- | | |              sid-length = 0 |
+ | | | sid-length = 0 |
| | | (0x00) |
- | | |              challenge-length |
+ | | | challenge-length |
| | | = 16 (0x10) |
- | | |              cipher-suites = { |
- | | |                    (0x010080) |
+ | | | cipher-suites = { |
+ | | | (0x010080) |
| | | SSL2/RSA/RC4-128/MD5 |
- | | |                    (0x020080) |
+ | | | (0x020080) |
| | | SSL2/RSA/RC4-40/MD5 |
- | | |                    (0x030080) |
+ | | | (0x030080) |
| | | SSL2/RSA/RC2CBC128/MD5 |
- | | |                    (0x060040) |
+ | | | (0x060040) |
| | | SSL2/RSA/DES64CBC/MD5 |
- | | |                    (0x0700c0) |
+ | | | (0x0700c0) |
| | | SSL2/RSA/3DES192EDE-CBC/MD5 |
- | | |                    (0x000004) |
+ | | | (0x000004) |
| | | SSL3/RSA/RC4-128/MD5 |
- | | |                    (0x00ffe0) |
+ | | | (0x00ffe0) |
| | | SS |
| | | L3/RSA-FIPS/3DES192EDE-CBC/SHA |
- | | |                    (0x00000a) |
+ | | | (0x00000a) |
| | | SSL3/RSA/3DES192EDE-CBC/SHA |
- | | |                    (0x00ffe1) |
+ | | | (0x00ffe1) |
| | | SSL3/RSA-FIPS/DES64CBC/SHA |
- | | |                    (0x000009) |
+ | | | (0x000009) |
| | | SSL3/RSA/DES64CBC/SHA |
- | | |                    (0x000003) |
+ | | | (0x000003) |
| | | SSL3/RSA/RC4-40/MD5 |
- | | |                    } |
- | | |                 session-id = { |
+ | | | } |
+ | | | session-id = { |
| | | } |
- | | |              challenge = { |
+ | | | challenge = { |
| | | 0x713c 0x9338 0x30e1 0xf8d6 |
| | | 0xb934 0x7351 0x200c |
- | | |  0x3fd0 } |
- | | |  ] |
- | | |  >-- [ |
- | | |  SSLRecord { |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 997 (0x3e5) |
- | | |     handshake { |
- | | |           type = 2 |
+ | | | 0x3fd0 } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 997 (0x3e5) |
+ | | | handshake { |
+ | | | type = 2 |
| | | (server_hello) |
- | | |           length = 70 |
+ | | | length = 70 |
| | | (0x000046) |
- | | |              ServerHello { |
- | | |              server_version = |
+ | | | ServerHello { |
+ | | | server_version = |
| | | {3, 0} |
- | | |              random = {...} |
- | | |              session ID = { |
- | | |                 length = 32 |
- | | |                 contents = |
+ | | | random = {...} |
+ | | | session ID = { |
+ | | | length = 32 |
+ | | | contents = |
| | | {..} |
- | | |                 } |
- | | |                 cipher_suite = |
+ | | | } |
+ | | | cipher_suite = |
| | | (0x0003) SSL3/RSA/RC4-40/MD5 |
- | | |              } |
- | | |           type = 11 |
+ | | | } |
+ | | | type = 11 |
| | | (certificate) |
- | | |           length = 709 |
+ | | | length = 709 |
| | | (0x0002c5) |
- | | |              CertificateChain |
+ | | | CertificateChain |
| | | { |
- | | |                 chainlength = |
+ | | | chainlength = |
| | | 706 (0x02c2) |
- | | |                 Certificate { |
- | | |                    size = 703 |
+ | | | Certificate { |
+ | | | size = 703 |
| | | (0x02bf) |
- | | |                    data = { |
+ | | | data = { |
| | | saved in file 'cert.001' } |
- | | |                 } |
- | | |              } |
- | | |           type = 12 |
+ | | | } |
+ | | | } |
+ | | | type = 12 |
| | | (server_key_exchange) |
- | | |           length = 202 |
+ | | | length = 202 |
| | | (0x0000ca) |
- | | |           type = 14 |
+ | | | type = 14 |
| | | (server_hello_done) |
- | | |           length = 0 |
+ | | | length = 0 |
| | | (0x000000) |
- | | |     } |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 68 (0x44) |
- | | |     handshake { |
- | | |           type = 16 |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 68 (0x44) |
+ | | | handshake { |
+ | | | type = 16 |
| | | (client_key_exchange) |
- | | |           length = 64 |
+ | | | length = 64 |
| | | (0x000040) |
- | | |              ClientKeyExchange |
+ | | | ClientKeyExchange |
| | | { |
- | | |                 message = |
+ | | | message = |
| | | {...} |
- | | |              } |
- | | |     } |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     type    = 20 |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | type = 20 |
| | | (change_cipher_spec) |
- | | |     version = { 3,0 } |
- | | |     length  = 1 (0x1) |
- | | |  } |
- | | |  SSLRecord { |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 56 (0x38) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  ] |
- | | |  >-- [ |
- | | |  SSLRecord { |
- | | |     type    = 20 |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | } |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 20 |
| | | (change_cipher_spec) |
- | | |     version = { 3,0 } |
- | | |     length  = 1 (0x1) |
- | | |  } |
- | | |  ] |
- | | |  >-- [ |
- | | |  SSLRecord { |
- | | |     type    = 22 (handshake) |
- | | |     version = { 3,0 } |
- | | |     length  = 56 (0x38) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  ] |
- | | |  --> [ |
- | | |  SSLRecord { |
- | | |     type    = 23 |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 287 (0x11f) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  ] |
- | | |  [ |
- | | |  SSLRecord { |
- | | |     type    = 23 |
+ | | | version = { 3,0 } |
+ | | | length = 287 (0x11f) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | [ |
+ | | | SSLRecord { |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 160 (0xa0) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  ] |
- | | |  >-- [ |
- | | |  SSLRecord { |
- | | |     type    = 23 |
+ | | | version = { 3,0 } |
+ | | | length = 160 (0xa0) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 23 |
| | | (application_data) |
- | | |     version = { 3,0 } |
- | | |     length  = 223 (0xdf) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  SSLRecord { |
- | | |     type    = 21 (alert) |
- | | |     version = { 3,0 } |
- | | |     length  = 18 (0x12) |
- | | |                 > encrypted > |
- | | |  } |
- | | |  ] |
- | | |  Server socket closed. |
- | | |    Example 3 |
- | | |    In this example, the -h |
+ | | | version = { 3,0 } |
+ | | | length = 223 (0xdf) |
+ | | | > encrypted > |
+ | | | } |
+ | | | SSLRecord { |
+ | | | type = 21 (alert) |
+ | | | version = { 3,0 } |
+ | | | length = 18 (0x12) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | Server socket closed. |
+ | | | Example 3 |
+ | | | In this example, the -h |
| | | option turns hex/ASCII format. |
| | | There is no SSL |
- | | |    parsing or decoding. The |
+ | | | parsing or decoding. The |
| | | output is routed to a text |
| | | file. |
- | | |  $ ssltap -h  -p 444 |
+ | | | $ ssltap -h -p 444 |
| | | interzone.mcom.com:443 > h.txt |
- | | |    Output |
- | | |  Connected to |
+ | | | Output |
+ | | | Connected to |
| | | interzone.mcom.com:443 |
- | | |  --> [ |
- | | |     0: 80 40 01 03  00 00 27 |
- | | | 00  00 00 10 01  00 80 02 00  |
+ | | | --> [ |
+ | | | 0: 80 40 01 03 00 00 27 |
+ | | | 00 00 00 10 01 00 80 02 00 |
| | | \| .@....'......... |
- | | |     10: 80 03 00 80  04 00 80 |
- | | | 06  00 40 07 00  c0 00 00 04  |
+ | | | 10: 80 03 00 80 04 00 80 |
+ | | | 06 00 40 07 00 c0 00 00 04 |
| | | \| .........@...... |
- | | |     20: 00 ff e0 00  00 0a 00 |
- | | | ff  e1 00 00 09  00 00 03 00  |
+ | | | 20: 00 ff e0 00 00 0a 00 |
+ | | | ff e1 00 00 09 00 00 03 00 |
| | | \| ........á....... |
- | | |     30: 00 06 9b fe  5b 56 96 |
- | | | 49  1f 9f ca dd  d5 ba b9 52  |
+ | | | 30: 00 06 9b fe 5b 56 96 |
+ | | | 49 1f 9f ca dd d5 ba b9 52 |
| | | \| ..þ[V.I.\xd9 ...º¹R |
- | | |     40: 6f |
- | | | 2d              |
- | | |                                |
+ | | | 40: 6f |
+ | | | 2d |
+ | | | |
| | | \|o- |
- | | |  ] |
- | | |  <-- [ |
- | | |     0: 16 03 00 03  e5 02 00 |
- | | | 00  46 03 00 7f  e5 0d 1b 1d  |
+ | | | ] |
+ | | | <-- [ |
+ | | | 0: 16 03 00 03 e5 02 00 |
+ | | | 00 46 03 00 7f e5 0d 1b 1d |
| | | \| ........F....... |
- | | |     10: 68 7f 3a 79  60 d5 17 |
- | | | 3c  1d 9c 96 b3  88 d2 69 3b  |
+ | | | 10: 68 7f 3a 79 60 d5 17 |
+ | | | 3c 1d 9c 96 b3 88 d2 69 3b |
| | | \| h.:y`..<..³.Òi; |
- | | |     20: 78 e2 4b 8b  a6 52 12 |
- | | | 4b  46 e8 c2 20  14 11 89 05  |
+ | | | 20: 78 e2 4b 8b a6 52 12 |
+ | | | 4b 46 e8 c2 20 14 11 89 05 |
| | | \| x.K.¦R.KFè. ... |
- | | |     30: 4d 52 91 fd  93 e0 51 |
- | | | 48  91 90 08 96  c1 b6 76 77  |
+ | | | 30: 4d 52 91 fd 93 e0 51 |
+ | | | 48 91 90 08 96 c1 b6 76 77 |
| | | \| MR.ý..QH.....¶vw |
- | | |     40: 2a f4 00 08  a1 06 61 |
- | | | a2  64 1f 2e 9b  00 03 00 0b  |
+ | | | 40: 2a f4 00 08 a1 06 61 |
+ | | | a2 64 1f 2e 9b 00 03 00 0b |
| | | \| \*ô..¡.a¢d...... |
- | | |     50: 00 02 c5 00  02 c2 00 |
- | | | 02  bf 30 82 02  bb 30 82 02  |
+ | | | 50: 00 02 c5 00 02 c2 00 |
+ | | | 02 bf 30 82 02 bb 30 82 02 |
| | | \| ..Å......0...0.. |
- | | |     60: 24 a0 03 02  01 02 02 |
- | | | 02  01 36 30 0d  06 09 2a 86  |
+ | | | 60: 24 a0 03 02 01 02 02 |
+ | | | 02 01 36 30 0d 06 09 2a 86 |
| | | \| $ .......60...*. |
- | | |     70: 48 86 f7 0d  01 01 04 |
- | | | 05  00 30 77 31  0b 30 09 06  |
+ | | | 70: 48 86 f7 0d 01 01 04 |
+ | | | 05 00 30 77 31 0b 30 09 06 |
| | | \| H.÷......0w1.0.. |
- | | |     80: 03 55 04 06  13 02 55 |
- | | | 53  31 2c 30 2a  06 03 55 04  |
+ | | | 80: 03 55 04 06 13 02 55 |
+ | | | 53 31 2c 30 2a 06 03 55 04 |
| | | \| .U....US1,0*..U. |
- | | |     90: 0a 13 23 4e  65 74 73 |
- | | | 63  61 70 65 20  43 6f 6d 6d  |
+ | | | 90: 0a 13 23 4e 65 74 73 |
+ | | | 63 61 70 65 20 43 6f 6d 6d |
| | | \| ..#Netscape Comm |
- | | |     a0: 75 6e 69 63  61 74 69 |
- | | | 6f  6e 73 20 43  6f 72 70 6f  |
+ | | | a0: 75 6e 69 63 61 74 69 |
+ | | | 6f 6e 73 20 43 6f 72 70 6f |
| | | \| unications Corpo |
- | | |     b0: 72 61 74 69  6f 6e 31 |
- | | | 11  30 0f 06 03  55 04 0b 13  |
+ | | | b0: 72 61 74 69 6f 6e 31 |
+ | | | 11 30 0f 06 03 55 04 0b 13 |
| | | \| ration1.0...U... |
- | | |     c0: 08 48 61 72  64 63 6f |
- | | | 72  65 31 27 30  25 06 03 55  |
+ | | | c0: 08 48 61 72 64 63 6f |
+ | | | 72 65 31 27 30 25 06 03 55 |
| | | \| .Hardcore1'0%..U |
- | | |     d0: 04 03 13 1e  48 61 72 |
- | | | 64  63 6f 72 65  20 43 65 72  |
+ | | | d0: 04 03 13 1e 48 61 72 |
+ | | | 64 63 6f 72 65 20 43 65 72 |
| | | \| ....Hardcore Cer |
- | | |     e0: 74 69 66 69  63 61 74 |
- | | | 65  20 53 65 72  76 65 72 20  |
+ | | | e0: 74 69 66 69 63 61 74 |
+ | | | 65 20 53 65 72 76 65 72 20 |
| | | \| tificate Server |
- | | |     f0: 49 49 30 1e  17 0d 39 |
- | | | 38  30 35 31 36  30 31 30 33  |
+ | | | f0: 49 49 30 1e 17 0d 39 |
+ | | | 38 30 35 31 36 30 31 30 33 |
| | | \| II0...9805160103 |
- | | |  <additional data lines> |
- | | |  ] |
- | | |  <additional records in same |
+ | | | <additional data lines> |
+ | | | ] |
+ | | | <additional records in same |
| | | format> |
- | | |  Server socket closed. |
- | | |    Example 4 |
- | | |    In this example, the -s |
+ | | | Server socket closed. |
+ | | | Example 4 |
+ | | | In this example, the -s |
| | | option turns on SSL parsing, |
| | | and the -h option |
- | | |    turns on hex/ASCII format. |
+ | | | turns on hex/ASCII format. |
| | | Both formats are shown for |
| | | each record. The |
- | | |    output is routed to a text |
+ | | | output is routed to a text |
| | | file. |
- | | |  $ ssltap -hs -p 444 |
+ | | | $ ssltap -hs -p 444 |
| | | interzone.mcom.com:443 > |
| | | hs.txt |
- | | |    Output |
- | | |  Connected to |
+ | | | Output |
+ | | | Connected to |
| | | interzone.mcom.com:443 |
- | | |  --> [ |
- | | |     0: 80 3d 01 03  00 00 24 |
- | | | 00  00 00 10 01  00 80 02 00  |
+ | | | --> [ |
+ | | | 0: 80 3d 01 03 00 00 24 |
+ | | | 00 00 00 10 01 00 80 02 00 |
| | | \| .=....$......... |
- | | |     10: 80 03 00 80  04 00 80 |
- | | | 06  00 40 07 00  c0 00 00 04  |
+ | | | 10: 80 03 00 80 04 00 80 |
+ | | | 06 00 40 07 00 c0 00 00 04 |
| | | \| .........@...... |
- | | |     20: 00 ff e0 00  00 0a 00 |
- | | | ff  e1 00 00 09  00 00 03 03  |
+ | | | 20: 00 ff e0 00 00 0a 00 |
+ | | | ff e1 00 00 09 00 00 03 03 |
| | | \| ........á....... |
- | | |     30: 55 e6 e4 99  79 c7 d7 |
- | | | 2c  86 78 96 5d  b5 cf e9     |
+ | | | 30: 55 e6 e4 99 79 c7 d7 |
+ | | | 2c 86 78 96 5d b5 cf e9 |
| | | \|U..yÇ\xb0 ,.x.]µÏé |
- | | |  alloclen = 63 bytes |
- | | |     [ssl2]  ClientHelloV2 { |
- | | |              version = {0x03, |
+ | | | alloclen = 63 bytes |
+ | | | [ssl2] ClientHelloV2 { |
+ | | | version = {0x03, |
| | | 0x00} |
- | | |              |
+ | | | |
| | | cipher-specs-length = 36 |
| | | (0x24) |
- | | |              sid-length = 0 |
+ | | | sid-length = 0 |
| | | (0x00) |
- | | |              challenge-length |
+ | | | challenge-length |
| | | = 16 (0x10) |
- | | |              cipher-suites = { |
- | | |                    (0x010080) |
+ | | | cipher-suites = { |
+ | | | (0x010080) |
| | | SSL2/RSA/RC4-128/MD5 |
- | | |                    (0x020080) |
+ | | | (0x020080) |
| | | SSL2/RSA/RC4-40/MD5 |
- | | |                    (0x030080) |
+ | | | (0x030080) |
| | | SSL2/RSA/RC2CBC128/MD5 |
- | | |                    (0x040080) |
+ | | | (0x040080) |
| | | SSL2/RSA/RC2CBC40/MD5 |
- | | |                    (0x060040) |
+ | | | (0x060040) |
| | | SSL2/RSA/DES64CBC/MD5 |
- | | |                    (0x0700c0) |
+ | | | (0x0700c0) |
| | | SSL2/RSA/3DES192EDE-CBC/MD5 |
- | | |                    (0x000004) |
+ | | | (0x000004) |
| | | SSL3/RSA/RC4-128/MD5 |
- | | |                    (0x00ffe0) |
+ | | | (0x00ffe0) |
| | | SS |
| | | L3/RSA-FIPS/3DES192EDE-CBC/SHA |
- | | |                    (0x00000a) |
+ | | | (0x00000a) |
| | | SSL3/RSA/3DES192EDE-CBC/SHA |
- | | |                    (0x00ffe1) |
+ | | | (0x00ffe1) |
| | | SSL3/RSA-FIPS/DES64CBC/SHA |
- | | |                    (0x000009) |
+ | | | (0x000009) |
| | | SSL3/RSA/DES64CBC/SHA |
- | | |                    (0x000003) |
+ | | | (0x000003) |
| | | SSL3/RSA/RC4-40/MD5 |
- | | |                    } |
- | | |              session-id = { } |
- | | |              challenge = { |
+ | | | } |
+ | | | session-id = { } |
+ | | | challenge = { |
| | | 0x0355 0xe6e4 0x9979 0xc7d7 |
| | | 0x2c86 0x7896 0x5db |
- | | |  0xcfe9 } |
- | | |  } |
- | | |  ] |
- | | |  <additional records in same |
+ | | | 0xcfe9 } |
+ | | | } |
+ | | | ] |
+ | | | <additional records in same |
| | | formats> |
- | | |  Server socket closed. |
+ | | | Server socket closed. |
| | | Usage Tips |
- | | |    When SSL restarts a |
+ | | | When SSL restarts a |
| | | previous session, it makes use |
| | | of cached information |
- | | |    to do a partial handshake. |
+ | | | to do a partial handshake. |
| | | If you wish to capture a full |
| | | SSL handshake, |
- | | |    restart the browser to |
+ | | | restart the browser to |
| | | clear the session id cache. |
- | | |    If you run the tool on a |
+ | | | If you run the tool on a |
| | | machine other than the SSL |
| | | server to which you |
- | | |    are trying to connect, the |
+ | | | are trying to connect, the |
| | | browser will complain that the |
| | | host name you |
- | | |    are trying to connect to is |
+ | | | are trying to connect to is |
| | | different from the |
| | | certificate. If you are |
- | | |    using the default BadCert |
+ | | | using the default BadCert |
| | | callback, you can still |
| | | connect through a |
- | | |    dialog. If you are not |
+ | | | dialog. If you are not |
| | | using the default BadCert |
| | | callback, the one you |
- | | |    supply must allow for this |
+ | | | supply must allow for this |
| | | possibility. |
| | | See Also |
- | | |    The NSS Security Tools are |
+ | | | The NSS Security Tools are |
| | | also documented at |
- | | |    |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | Additional Resources |
- | | |    NSS is maintained in |
+ | | | NSS is maintained in |
| | | conjunction with PKI and |
| | | security-related projects |
- | | |    through Mozilla dn Fedora. |
+ | | | through Mozilla dn Fedora. |
| | | The most closely-related |
| | | project is Dogtag PKI, |
- | | |    with a project wiki at |
+ | | | with a project wiki at |
| | | [2]\ http: |
| | | //pki.fedoraproject.org/wiki/. |
- | | |    For information |
+ | | | For information |
| | | specifically about NSS, the |
| | | NSS project wiki is located at |
- | | |    |
+ | | | |
| | | [3]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | pki-devel@redhat.com and |
| | | pki-users@redhat.com |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape and |
- | | |    now with Red Hat and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | now with Red Hat and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozilla.org/p |
| | | rojects/secu.../pki/nss/tools |
| | | <https://www.mozilla.org/proje |
| | | cts/security/pki/nss/tools>`__ |
- | | |    2. |
+ | | | 2. |
| | | http |
| | | ://pki.fedoraproject.org/wiki/ |
- | | |    3. |
+ | | | 3. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
@@ -11556,164 +11556,164 @@ Index
| | a_projects_nss_tools_vfychain` | |
+--------------------------------+--------------------------------+--------------------------------+
| | | Name |
- | | |    vfychain — vfychain |
+ | | | vfychain — vfychain |
| | | [options] [revocation options] |
| | | certfile [[options] |
- | | |    certfile] ... |
+ | | | certfile] ... |
| | | Synopsis |
- | | |    vfychain |
+ | | | vfychain |
| | | Description |
- | | |    The verification Tool, |
+ | | | The verification Tool, |
| | | vfychain, verifies certificate |
| | | chains. modutil can |
- | | |    add and delete PKCS #11 |
+ | | | add and delete PKCS #11 |
| | | modules, change passwords on |
| | | security databases, |
- | | |    set defaults, list module |
+ | | | set defaults, list module |
| | | contents, enable or disable |
| | | slots, enable or |
- | | |    disable FIPS 140-2 |
+ | | | disable FIPS 140-2 |
| | | compliance, and assign default |
| | | providers for |
- | | |    cryptographic operations. |
+ | | | cryptographic operations. |
| | | This tool can also create |
| | | certificate, key, and |
- | | |    module security database |
+ | | | module security database |
| | | files. |
- | | |    The tasks associated with |
+ | | | The tasks associated with |
| | | security module database |
| | | management are part of |
- | | |    a process that typically |
+ | | | a process that typically |
| | | also involves managing key |
| | | databases and |
- | | |    certificate databases. |
+ | | | certificate databases. |
| | | Options |
- | | |    -a |
- | | |            the following |
+ | | | -a |
+ | | | the following |
| | | certfile is base64 encoded |
- | | |    -b YYMMDDHHMMZ |
- | | |            Validate date |
+ | | | -b YYMMDDHHMMZ |
+ | | | Validate date |
| | | (default: now) |
- | | |    -d directory |
- | | |            database directory |
- | | |    -f |
- | | |            Enable cert |
+ | | | -d directory |
+ | | | database directory |
+ | | | -f |
+ | | | Enable cert |
| | | fetching from AIA URL |
- | | |    -o oid |
- | | |            Set policy OID for |
+ | | | -o oid |
+ | | | Set policy OID for |
| | | cert validation(Format |
| | | OID.1.2.3) |
- | | |    -p |
- | | |            Use PKIX Library to |
+ | | | -p |
+ | | | Use PKIX Library to |
| | | validate certificate by |
| | | calling: |
- | | |            \* |
+ | | | \* |
| | | CERT_VerifyCertificate if |
| | | specified once, |
- | | |            \* |
+ | | | \* |
| | | CERT_PKIXVerifyCert if |
| | | specified twice and more. |
- | | |    -r |
- | | |            Following certfile |
+ | | | -r |
+ | | | Following certfile |
| | | is raw binary DER (default) |
- | | |    -t |
- | | |            Following cert is |
+ | | | -t |
+ | | | Following cert is |
| | | explicitly trusted (overrides |
| | | db trust) |
- | | |    -u usage |
- | | |            0=SSL client, 1=SSL |
+ | | | -u usage |
+ | | | 0=SSL client, 1=SSL |
| | | server, 2=SSL StepUp, 3=SSL |
| | | CA, 4=Email |
- | | |            signer, 5=Email |
+ | | | signer, 5=Email |
| | | recipient, 6=Object signer, |
- | | |            |
+ | | | |
| | | 9=ProtectedObjectSigner, |
| | | 10=OCSP responder, 11=Any CA |
- | | |    -v |
- | | |            Verbose mode. |
+ | | | -v |
+ | | | Verbose mode. |
| | | Prints root cert |
| | | subject(double the argument |
| | | for |
- | | |            whole root cert |
+ | | | whole root cert |
| | | info) |
- | | |    -w password |
- | | |            Database password |
- | | |    -W pwfile |
- | | |            Password file |
- | | |            Revocation options |
+ | | | -w password |
+ | | | Database password |
+ | | | -W pwfile |
+ | | | Password file |
+ | | | Revocation options |
| | | for PKIX API (invoked with -pp |
| | | options) is a |
- | | |            collection of the |
+ | | | collection of the |
| | | following flags: [-g type [-h |
| | | flags] [-m type |
- | | |            [-s flags]] ...] |
+ | | | [-s flags]] ...] |
| | | ... |
- | | |            Where: |
- | | |    -g test-type |
- | | |            Sets status |
+ | | | Where: |
+ | | | -g test-type |
+ | | | Sets status |
| | | checking test type. Possible |
| | | values are "leaf" or |
- | | |            "chain" |
- | | |    -g test type |
- | | |            Sets status |
+ | | | "chain" |
+ | | | -g test type |
+ | | | Sets status |
| | | checking test type. Possible |
| | | values are "leaf" or |
- | | |            "chain". |
- | | |    -h test flags |
- | | |            Sets revocation |
+ | | | "chain". |
+ | | | -h test flags |
+ | | | Sets revocation |
| | | flags for the test type it |
| | | follows. Possible |
- | | |            flags: |
+ | | | flags: |
| | | "testLocalInfoFirst" and |
| | | "requireFreshInfo". |
- | | |    -m method type |
- | | |            Sets method type |
+ | | | -m method type |
+ | | | Sets method type |
| | | for the test type it follows. |
| | | Possible types are |
- | | |            "crl" and "ocsp". |
- | | |    -s method flags |
- | | |            Sets revocation |
+ | | | "crl" and "ocsp". |
+ | | | -s method flags |
+ | | | Sets revocation |
| | | flags for the method it |
| | | follows. Possible types |
- | | |            are "doNotUse", |
+ | | | are "doNotUse", |
| | | "forbidFetching", |
| | | "ignoreDefaultSrc", |
- | | |            "requireInfo" and |
+ | | | "requireInfo" and |
| | | "failIfNoInfo". |
| | | Additional Resources |
- | | |    For information about NSS |
+ | | | For information about NSS |
| | | and other tools related to NSS |
| | | (like JSS), check |
- | | |    out the NSS project wiki at |
- | | |    |
+ | | | out the NSS project wiki at |
+ | | | |
| | | [1]\ `http://www.mozil |
| | | la.org/projects/security/pki/n |
| | | ss/ <https://www.mozilla.org/p |
| | | rojects/security/pki/nss/>`__. |
| | | The NSS site relates |
- | | |    directly to NSS code |
+ | | | directly to NSS code |
| | | changes and releases. |
- | | |    Mailing lists: |
+ | | | Mailing lists: |
| | | https://lists.mozill |
| | | a.org/listinfo/dev-tech-crypto |
- | | |    IRC: Freenode at |
+ | | | IRC: Freenode at |
| | | #dogtag-pki |
| | | Authors |
- | | |    The NSS tools were written |
+ | | | The NSS tools were written |
| | | and maintained by developers |
| | | with Netscape, Red |
- | | |    Hat, and Sun. |
- | | |    Authors: Elio Maldonado |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
| | | <emaldona@redhat.com>, Deon |
| | | Lackey |
- | | |    <dlackey@redhat.com>. |
+ | | | <dlackey@redhat.com>. |
| | | Copyright |
- | | |    (c) 2010, Red Hat, Inc. |
+ | | | (c) 2010, Red Hat, Inc. |
| | | Licensed under the GNU Public |
| | | License version 2. |
| | | References |
- | | |    Visible links |
- | | |    1. |
+ | | | Visible links |
+ | | | 1. |
| | | `http://www.mozi |
| | | lla.org/projects/security/pki/ |
| | | nss/ <https://www.mozilla.org/ |
diff --git a/doc/rst/legacy/introduction_to_network_security_services/index.rst b/doc/rst/legacy/introduction_to_network_security_services/index.rst
index 031f4ab64..b2010de17 100644
--- a/doc/rst/legacy/introduction_to_network_security_services/index.rst
+++ b/doc/rst/legacy/introduction_to_network_security_services/index.rst
@@ -53,7 +53,7 @@ Introduction to Network Security Services
Windows and Unix use different naming conventions for static and dynamic libraries:
======= ======== ==================
-   Windows Unix
+ Windows Unix
static ``.lib`` ``.a``
dynamic ``.dll`` ``.so`` or ``.sl``
======= ======== ==================
diff --git a/doc/rst/legacy/jss/4.3.1_release_notes/index.rst b/doc/rst/legacy/jss/4.3.1_release_notes/index.rst
index 1f7a0f19b..21cda1271 100644
--- a/doc/rst/legacy/jss/4.3.1_release_notes/index.rst
+++ b/doc/rst/legacy/jss/4.3.1_release_notes/index.rst
@@ -30,11 +30,11 @@
.. container::
-  A list of bug fixes and enhancement requests were implemented in this release can be obtained by
+ A list of bug fixes and enhancement requests were implemented in this release can be obtained by
running this `bugzilla
query <http://bugzilla.mozilla.org/buglist.cgi?product=JSS&target_milestone=4.3.1&target_milestone=4.3.1&bug_status=RESOLVED&resolution=FIXED>`__
- **JSS 4.3.1 requires :ref:`mozilla_projects_nss_3_12_5_release_notes` or higher.**
+ **JSS 4.3.1 requires :ref:`mozilla_projects_nss_3_12_5_release_notes` or higher.**
.. rubric:: SSL3 & TLS Renegotiation Vulnerability
:name: ssl3_tls_renegotiation_vulnerability
@@ -44,7 +44,7 @@
vulnerability.
All SSL/TLS renegotiation is disabled by default in NSS 3.12.5 and therefore will be disabled by
- default with JSS 4.3.1. This will cause programs that attempt to perform renegotiation to
+ default with JSS 4.3.1. This will cause programs that attempt to perform renegotiation to
experience failures where they formerly experienced successes, and is necessary for them to not
be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF.
@@ -71,11 +71,11 @@
.. rubric:: Explicitly set the key usage for the generated private key
:name: explicitly_set_the_key_usage_for_the_generated_private_key
- |  In PKCS #11, each keypair can be marked with the operations it will
- |  be used to perform. Some tokens require that a key be marked for
- |  an operation before the key can be used to perform that operation;
- |  other tokens don't care. NSS/JSS provides a way to specify a set of
- |  flags and a corresponding mask for these flags.
+ | In PKCS #11, each keypair can be marked with the operations it will
+ | be used to perform. Some tokens require that a key be marked for
+ | an operation before the key can be used to perform that operation;
+ | other tokens don't care. NSS/JSS provides a way to specify a set of
+ | flags and a corresponding mask for these flags.
- see generateECKeyPairWithOpFlags
- see generateRSAKeyPairWithOpFlags
@@ -92,10 +92,10 @@
- The CVS tag for the JSS 4.3.1 release is ``JSS_4_3_1_RTM``.
- Source tarballs are available from
`ftp://ftp.mozilla.org/pub/mozilla.or...-4.3.1.tar.bz2 <ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_1_RTM/src/jss-4.3.1.tar.bz2>`__
- - Binary releases are no longer available on mozilla. JSS is a JNI library we provide the
+ - Binary releases are no longer available on mozilla. JSS is a JNI library we provide the
jss4.jar but expect you to build the JSS's matching JNI shared library. We provide the
- jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a
- JCE provider and therefore the jss4.jar must be signed.
+ jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a
+ JCE provider and therefore the jss4.jar must be signed.
`ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_1_RTM <ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_1_RTM/>`__.
`Documentation <#documentation>`__
@@ -111,8 +111,8 @@
- Read the instructions on `using JSS </using_jss.html>`__.
- Source may be viewed with a browser (via the MXR tool) at
http://mxr.mozilla.org/mozilla/source/security/jss/
- - The RUN TIME behavior of JSS can be affected by the
- :ref:`mozilla_projects_nss_reference_nss_environment_variables`. 
+ - The RUN TIME behavior of JSS can be affected by the
+ :ref:`mozilla_projects_nss_reference_nss_environment_variables`.
.. _platform_information:
@@ -145,7 +145,7 @@
- For a list of reported bugs that have not yet been fixed, `click
here. <http://bugzilla.mozilla.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&&product=JSS>`__
- Note that some bugs may have been fixed since JSS 4.3.1 was released. 
+ Note that some bugs may have been fixed since JSS 4.3.1 was released.
`Compatibility <#compatibility>`__
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -158,7 +158,7 @@
JAR file must be used with the JSS shared library from the exact same release.
- To obtain the version info from the jar file use,
"System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)" and to check the shared
- library: strings libjss4.so \| grep -i header  
+ library: strings libjss4.so \| grep -i header
`Feedback <#feedback>`__
~~~~~~~~~~~~~~~~~~~~~~~~
@@ -167,7 +167,7 @@
- Bugs discovered should be reported by filing a bug report with
`bugzilla <http://bugzilla.mozilla.org/enter_bug.cgi?product=JSS>`__.
- - You can also give feedback directly to the developers on the Mozilla Cryptography forums...
+ - You can also give feedback directly to the developers on the Mozilla Cryptography forums...
- `Mailing list <https://lists.mozilla.org/listinfo/dev-tech-crypto>`__
- `Newsgroup <http://groups.google.com/group/mozilla.dev.tech.crypto>`__
diff --git a/doc/rst/legacy/jss/4_3_releasenotes/index.rst b/doc/rst/legacy/jss/4_3_releasenotes/index.rst
index 8e51027f1..ca2b5e41b 100644
--- a/doc/rst/legacy/jss/4_3_releasenotes/index.rst
+++ b/doc/rst/legacy/jss/4_3_releasenotes/index.rst
@@ -21,7 +21,7 @@
- libpkix: an RFC 3280 Compliant Certificate Path Validation Library
- PKCS11 needsLogin method
- support HmacSHA256, HmacSHA384, and HmacSHA512
- - support for all NSS 3.12 initialization options
+ - support for all NSS 3.12 initialization options
JSS 4.3 is `tri-licensed <https://www.mozilla.org/MPL>`__ under MPL 1.1/GPL 2.0/LGPL 2.1.
@@ -32,24 +32,24 @@
.. container::
-  A list of bug fixes and enhancement requests were implemented in this release can be obtained by
+ A list of bug fixes and enhancement requests were implemented in this release can be obtained by
running this `bugzilla
query <http://bugzilla.mozilla.org/buglist.cgi?product=JSS&target_milestone=4.2.5&target_milestone=4.3&bug_status=RESOLVED&resolution=FIXED>`__
- **JSS 4.3 requires**\ `NSS
+ **JSS 4.3 requires**\ `NSS
3.12 <https://www.mozilla.org/projects/security/pki/nss/nss-3.12/nss-3.12-release-notes.html>`__\ **or
higher.**
- New `SQLite-Based Shareable Certificate and Key
Databases <https://wiki.mozilla.org/NSS_Shared_DB>`__ by prepending the string "sql:" to the
directory path passed to configdir parameter for Crypomanager.initialize method or using the
- NSS environment variable :ref:`mozilla_projects_nss_reference_nss_environment_variables`.
+ NSS environment variable :ref:`mozilla_projects_nss_reference_nss_environment_variables`.
- Libpkix: an RFC 3280 Compliant Certificate Path Validation Library (see
`PKIXVerify <http://mxr.mozilla.org/mozilla/ident?i=PKIXVerify>`__)
- PK11Token.needsLogin method (see needsLogin)
- support HmacSHA256, HmacSHA384, and HmacSHA512 (see
`HMACTest.java <http://mxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests/HMACTest.java>`__)
- - support for all NSS 3.12 initialization options (see InitializationValues)
+ - support for all NSS 3.12 initialization options (see InitializationValues)
- New SSL error codes (see https://mxr.mozilla.org/security/sour...util/SSLerrs.h)
- SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT
@@ -92,10 +92,10 @@
- The CVS tag for the JSS 4.3 release is ``JSS_4_3_RTM``.
- Source tarballs are available from
https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/src/jss-4.3.tar.bz2
- - Binary releases are no longer available on mozilla. JSS is a JNI library we provide the
+ - Binary releases are no longer available on mozilla. JSS is a JNI library we provide the
jss4.jar but expect you to build the JSS's matching JNI shared library. We provide the
- jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a
- JCE provider and therefore the jss4.jar must be signed.
+ jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a
+ JCE provider and therefore the jss4.jar must be signed.
https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/
--------------
@@ -113,8 +113,8 @@
- Read the instructions on `using JSS </using_jss.html>`__.
- Source may be viewed with a browser (via the MXR tool) at
http://mxr.mozilla.org/mozilla/source/security/jss/
- - The RUN TIME behavior of JSS can be affected by the
- :ref:`mozilla_projects_nss_reference_nss_environment_variables`. 
+ - The RUN TIME behavior of JSS can be affected by the
+ :ref:`mozilla_projects_nss_reference_nss_environment_variables`.
.. _platform_information:
@@ -142,7 +142,7 @@
- For a list of reported bugs that have not yet been fixed, `click
here. <http://bugzilla.mozilla.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&&product=JSS>`__
- Note that some bugs may have been fixed since JSS 4.3 was released. 
+ Note that some bugs may have been fixed since JSS 4.3 was released.
--------------
@@ -157,7 +157,7 @@
file must be used with the JSS shared library from the exact same release.
- To obtain the version info from the jar file use,
"System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)" and to check the shared
- library: strings libjss4.so \| grep -i header  
+ library: strings libjss4.so \| grep -i header
--------------
@@ -168,7 +168,7 @@
- Bugs discovered should be reported by filing a bug report with
`bugzilla <http://bugzilla.mozilla.org/enter_bug.cgi?product=JSS>`__.
- - You can also give feedback directly to the developers on the Mozilla Cryptography forums...
+ - You can also give feedback directly to the developers on the Mozilla Cryptography forums...
- `Mailing list <https://lists.mozilla.org/listinfo/dev-tech-crypto>`__
- `Newsgroup <http://groups.google.com/group/mozilla.dev.tech.crypto>`__
diff --git a/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst b/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst
index c72a3c729..a864a452e 100644
--- a/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst
+++ b/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst
@@ -39,7 +39,7 @@ Build instructions for JSS 4.3.x
#. Setup environment variables needed for compiling Java source. The ``JAVA_HOME`` variable
indicates the directory containing your Java SDK installation. Note, on Windows platforms it
- is best to have JAVA_HOME set to a directory path that doest not have spaces. 
+ is best to have JAVA_HOME set to a directory path that doest not have spaces.
**Unix**
@@ -74,9 +74,9 @@ Build instructions for JSS 4.3.x
| Mac OS X
| It has been recently reported that special build instructions are necessary to succeed
building JSS on OSX. Please
- see `HOWTO_successfully_compile_JSS_and_NSS_for_32_and_64_bits_on_OSX_10.6_(10.6.7) </HOWTO_successfully_compile_JSS_and_NSS_for_32_and_64_bits_on_OSX_10.6_(10.6.7)>`__
+ see `HOWTO_successfully_compile_JSS_and_NSS_for_32_and_64_bits_on_OSX_10.6_(10.6.7) </HOWTO_successfully_compile_JSS_and_NSS_for_32_and_64_bits_on_OSX_10.6_(10.6.7)>`__
for contributed instructions.
- |  
+ |
#. Build JSS.
diff --git a/doc/rst/legacy/jss/index.rst b/doc/rst/legacy/jss/index.rst
index a9dfee3db..c09374dbc 100644
--- a/doc/rst/legacy/jss/index.rst
+++ b/doc/rst/legacy/jss/index.rst
@@ -28,15 +28,15 @@ JSS
- http://www.dogtagpki.org/wiki/JSS
- **NOTE:  As much of the JSS documentation is sorely out-of-date, updated information will be a
+ **NOTE: As much of the JSS documentation is sorely out-of-date, updated information will be a
work in progress, and many portions of any legacy documentation will be re-written over the
- course of time.  Stay tuned!**
+ course of time. Stay tuned!**
Legacy JSS information can still be found at:
- SOURCE: https://hg.mozilla.org/projects/jss
- - ISSUES:   https://bugzilla.mozilla.org/buglist.cgi?product=JSS
- - WIKI:        :ref:`mozilla_projects_nss_jss`
+ - ISSUES: https://bugzilla.mozilla.org/buglist.cgi?product=JSS
+ - WIKI: :ref:`mozilla_projects_nss_jss`
Network Security Services for Java (JSS) is a Java interface to
`NSS <https://developer.mozilla.org/en-US/docs/NSS>`__. JSS supports most of the security
@@ -96,7 +96,7 @@ JSS
| the SSL handshake. | |
| | - `Security <https: |
| For information on downloading NSS releases, | //developer.mozilla.org/en-US/docs/Security>`__ |
- | see `NSS sources building | |
+ | see `NSS sources building | |
| testing <NSS_Sources_Building_Te | |
| sting>`__\ `. <NSS_Sources_Building_Testing>`__ | |
| | |
diff --git a/doc/rst/legacy/jss/jss_faq/index.rst b/doc/rst/legacy/jss/jss_faq/index.rst
index 843b9ea3f..d41958645 100644
--- a/doc/rst/legacy/jss/jss_faq/index.rst
+++ b/doc/rst/legacy/jss/jss_faq/index.rst
@@ -208,7 +208,7 @@ JSS FAQ
CryptoManager.getTokenByName(), but a better way is to call
CryptoManager.getInternalKeyStorageToken(), which works no matter what the token is named. In
general, a key is a handle to an underlying object on a PKCS #11 token, not merely a Java
- object residing in memory. Symmetric Key usage:  basically encrypt/decrypt is for data and
+ object residing in memory. Symmetric Key usage: basically encrypt/decrypt is for data and
wrap/unwrap is for keys.
J\ **SS 3.2 has JCA support. When will JSS have JSSE support?**
diff --git a/doc/rst/legacy/jss/using_jss/index.rst b/doc/rst/legacy/jss/using_jss/index.rst
index f1ce88c50..3a5f19f9c 100644
--- a/doc/rst/legacy/jss/using_jss/index.rst
+++ b/doc/rst/legacy/jss/using_jss/index.rst
@@ -122,7 +122,7 @@ Using JSS
zip -r ../jss42.jar .
If you are downloading binaries, get jss42.jar
- from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/.
+ from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/.
.. _setup_your_runtime_environment:
diff --git a/doc/rst/legacy/key_log_format/index.rst b/doc/rst/legacy/key_log_format/index.rst
index 01459c48c..99bdf87e1 100644
--- a/doc/rst/legacy/key_log_format/index.rst
+++ b/doc/rst/legacy/key_log_format/index.rst
@@ -27,7 +27,7 @@ NSS Key Log Format
hexadecimal characters.
- ``<Secret>`` depends on the Label (see below).
- The following labels are defined, followed by a description of the secret:
+ The following labels are defined, followed by a description of the secret:
- ``RSA``: 48 bytes for the premaster secret, encoded as 96 hexadecimal characters (removed in
NSS 3.34)
diff --git a/doc/rst/legacy/notes_on_tls_-_ssl_3.0_intolerant_servers/index.rst b/doc/rst/legacy/notes_on_tls_-_ssl_3.0_intolerant_servers/index.rst
index c7a6ca116..6dd0d47de 100644
--- a/doc/rst/legacy/notes_on_tls_-_ssl_3.0_intolerant_servers/index.rst
+++ b/doc/rst/legacy/notes_on_tls_-_ssl_3.0_intolerant_servers/index.rst
@@ -45,7 +45,7 @@ Notes on TLS - SSL 3.0 Intolerant Servers
For up-to-date information, you can read a Bugzilla bug report which keeps track of this problem
with Mozilla-based browsers. See
- `bug 59321 <https://bugzilla.mozilla.org/show_bug.cgi?id=59321>`__.
+ `bug 59321 <https://bugzilla.mozilla.org/show_bug.cgi?id=59321>`__.
.. _servers_currently_known_to_exhibit_this_intolerant_behavior:
@@ -69,7 +69,7 @@ Notes on TLS - SSL 3.0 Intolerant Servers
N.B. There might be servers other than those listed above which exhibit this problem. If you find
such a server, feel free to add it to this page. For up-to-date information, you can read this
- `bug 59321 <https://bugzilla.mozilla.org/show_bug.cgi?id=59321>`__ which keeps a list of TLS/SSL
+ `bug 59321 <https://bugzilla.mozilla.org/show_bug.cgi?id=59321>`__ which keeps a list of TLS/SSL
3.0 intolerant servers.
.. _users:_how_to_avoid_this_problem.3f:
@@ -157,7 +157,7 @@ Notes on TLS - SSL 3.0 Intolerant Servers
For instance, to check ``https://bugzilla.mozilla.org/``, then visit
`http://toolbar.netcraft.com/site_rep...a.mozilla.org/ <http://toolbar.netcraft.com/site_report?url=https://bugzilla.mozilla.org/>`__.
- Add the information on such a server (software, URL) to
- `bug 59321 <https://bugzilla.mozilla.org/show_bug.cgi?id=59321>`__ at Bugzilla. (Note: You
+ `bug 59321 <https://bugzilla.mozilla.org/show_bug.cgi?id=59321>`__ at Bugzilla. (Note: You
will be asked to provide your email address before you can file a bug at Bugzilla.)
.. _original_document_information:
@@ -167,6 +167,6 @@ Notes on TLS - SSL 3.0 Intolerant Servers
.. container::
- - Author : Katsuhiko Momoi
+ - Author : Katsuhiko Momoi
- Last Updated Date: January 27th, 2003
- Copyright © 2001-2003 Netscape. All rights reserved. \ No newline at end of file
diff --git a/doc/rst/legacy/nss_3.11.10_release_notes.html/index.rst b/doc/rst/legacy/nss_3.11.10_release_notes.html/index.rst
index 0fc8d4e83..ef0d376f7 100644
--- a/doc/rst/legacy/nss_3.11.10_release_notes.html/index.rst
+++ b/doc/rst/legacy/nss_3.11.10_release_notes.html/index.rst
@@ -159,7 +159,7 @@ NSS_3.11.10_release_notes.html
NSS 3.11.10 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.11.10 shared libraries
- without recompiling or relinking.  Furthermore, applications that restrict their use of NSS APIs
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in `NSS Public Functions <../ref/nssfunctions.html>`__ will remain
compatible with future versions of the NSS shared libraries.
diff --git a/doc/rst/legacy/nss_3.12.1_release_notes.html/index.rst b/doc/rst/legacy/nss_3.12.1_release_notes.html/index.rst
index 3992c2141..b99fec18b 100644
--- a/doc/rst/legacy/nss_3.12.1_release_notes.html/index.rst
+++ b/doc/rst/legacy/nss_3.12.1_release_notes.html/index.rst
@@ -240,7 +240,7 @@ NSS_3.12.1_release_notes.html
NSS 3.12.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.12.1 shared libraries
- without recompiling or relinking.  Furthermore, applications that restrict their use of NSS APIs
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in `NSS Public Functions <../ref/nssfunctions.html>`__ will remain
compatible with future versions of the NSS shared libraries.
diff --git a/doc/rst/legacy/nss_3.12.2_release_notes.html/index.rst b/doc/rst/legacy/nss_3.12.2_release_notes.html/index.rst
index c9903a805..a5dfb2aa7 100644
--- a/doc/rst/legacy/nss_3.12.2_release_notes.html/index.rst
+++ b/doc/rst/legacy/nss_3.12.2_release_notes.html/index.rst
@@ -202,7 +202,7 @@ NSS_3.12.2_release_notes.html
NSS 3.12.2 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.12.2 shared libraries
- without recompiling or relinking.  Furthermore, applications that restrict their use of NSS APIs
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in `NSS Public Functions <../ref/nssfunctions.html>`__ will remain
compatible with future versions of the NSS shared libraries.
diff --git a/doc/rst/legacy/nss_api_guidelines/index.rst b/doc/rst/legacy/nss_api_guidelines/index.rst
index 57faeea12..05483bb24 100644
--- a/doc/rst/legacy/nss_api_guidelines/index.rst
+++ b/doc/rst/legacy/nss_api_guidelines/index.rst
@@ -314,7 +314,7 @@ NSS API Guidelines
.. code::
"@(#) $RCSfile: nss-guidelines.html,
-             v $ $Revision: 48936 $ $Date: 2009-08-11 07:45:57 -0700 (Tue, 11 Aug 2009) $ $Name$"
+ v $ $Revision: 48936 $ $Date: 2009-08-11 07:45:57 -0700 (Tue, 11 Aug 2009) $ $Name$"
You can put the string in a comment or in a static char array. Use #ifdef DEBUG to include the
array in debug builds only. The advantage of using an array is that you can use strings(1) to
@@ -328,7 +328,7 @@ NSS API Guidelines
#ifdef DEBUG
static const char BASET_CVS_ID[] = "@(#) $RCSfile: nss-guidelines.html,
-             v $ $Revision: 48936 $ $Date: 2009-08-11 07:45:57 -0700 (Tue, 11 Aug 2009) $ $Name$";
+ v $ $Revision: 48936 $ $Date: 2009-08-11 07:45:57 -0700 (Tue, 11 Aug 2009) $ $Name$";
#endif /* DEBUG */
The difference, between this and Id, is that Id has some useless information (*every* file is
@@ -345,7 +345,7 @@ NSS API Guidelines
| We have a preferred naming system for include files. We had been moving towards one, for some
time, but for the NSS 3.0 project we finally wrote it down.
- |  
+ |
========================= =========== ===================
\ Data Types Function Prototypes
@@ -371,11 +371,11 @@ NSS API Guidelines
#. Header files for consumption outside NSS start with "nss."
#. Header files with types have a trailing "t", header files with prototypes don't.
- "extern" declarations of data also go in the prototypes files.
- #. "Friend" headers are for things that we really wish weren't used by non-NSS code, but which
- are. Those files have a trailing "f," and their use should be deprecated.
- #. "Module" headers are for things used only within a specific subset of NSS; things which would
- have been "static" if we had combined separate C source files together. These header files
+ "extern" declarations of data also go in the prototypes files.
+ #. "Friend" headers are for things that we really wish weren't used by non-NSS code, but which
+ are. Those files have a trailing "f," and their use should be deprecated.
+ #. "Module" headers are for things used only within a specific subset of NSS; things which would
+ have been "static" if we had combined separate C source files together. These header files
have a trailing "m."
.. _functions_and_types:
@@ -509,7 +509,7 @@ NSS API Guidelines
#. Thread A marks the arena, and allocates some memory from it.
#. Thread B allocates some memory from the arena.
- #. Thread A releases the arena back to the mark.
+ #. Thread A releases the arena back to the mark.
#. Thread B now finds itself with a pointer to released data.
#. Some thread -- doesn't matter which -- allocates some data from the arena; this may overlap
the chunk thread B has.
@@ -553,7 +553,7 @@ NSS API Guidelines
Errors, though not integers, are done as external constants, instead of preprocessor definitions.
This is so any additional error doesn't trigger the entire tree to rebuild. Likewise, the
external references to errors are made in the prototypes files, with the functions which can
- return them.  Error stacks are thread-private.
+ return them. Error stacks are thread-private.
The usual semantic is that public routines clear the stack first, private routines don't.
Usually, every public routine has a private counterpart, and the implementation of the public
@@ -572,8 +572,8 @@ NSS API Guidelines
nss_ClearErrorStack();
#ifdef DEBUG
- if( !nssFoo_verifyPointer(arg1) ) return (rv *)NULL;
- if( !nssBar_verifyPointer(arg2) ) return (rv *)NULL;
+ if( !nssFoo_verifyPointer(arg1) ) return (rv *)NULL;
+ if( !nssBar_verifyPointer(arg2) ) return (rv *)NULL;
#endif /* DEBUG */
return nssType_Method(t, arg1, arg2);
@@ -808,7 +808,7 @@ NSS API Guidelines
These functions should have the form LAYER_TraverseStorageObjectOrList().
List and Array returning functions should be available at the higher layers of the API, most
- wrapping  LAYER_Traverse() functions. They should have the form
+ wrapping LAYER_Traverse() functions. They should have the form
LAYER_LookupDataType{List|Array}[ByDataType]().
.. _accesssor_functions:
diff --git a/doc/rst/legacy/nss_config_options/index.rst b/doc/rst/legacy/nss_config_options/index.rst
index 90edef498..7f62e36f9 100644
--- a/doc/rst/legacy/nss_config_options/index.rst
+++ b/doc/rst/legacy/nss_config_options/index.rst
@@ -5,7 +5,7 @@ NSS Config Options
.. _nss_config_options_format:
-` NSS Config Options Format <#nss_config_options_format>`__
+` NSS Config Options Format <#nss_config_options_format>`__
-----------------------------------------------------------
.. container::
@@ -64,7 +64,7 @@ NSS Config Options
ssl-default-lock: turn off the ability for applications to change cipher
suite states with SSL_EnableCipher, SSL_DisableCipher.
- .. rubric::  ECC Curves
+ .. rubric:: ECC Curves
:name: ecc_curves
|
diff --git a/doc/rst/legacy/nss_developer_tutorial/index.rst b/doc/rst/legacy/nss_developer_tutorial/index.rst
index f7f3f3118..22252997b 100644
--- a/doc/rst/legacy/nss_developer_tutorial/index.rst
+++ b/doc/rst/legacy/nss_developer_tutorial/index.rst
@@ -147,16 +147,16 @@ NSS Developer Tutorial
.. container::
- NSS requires C99.  However, not all features from C99 are equally available.
+ NSS requires C99. However, not all features from C99 are equally available.
- Variables can be declared, at the point they are first used.
- The ``inline`` keyword can be used.
- Variadic macro arguments are permitted, but their use should be limited to using
``__VA_ARGS__``.
- The exact-width integer types in NSPR should be used, in preference to those declared in
- ``<stdint.h>`` (which will be used by NSPR in the future).
+ ``<stdint.h>`` (which will be used by NSPR in the future).
- Universal character names are not permitted, as are wide character types (``char16_t`` and
- ``char32_t``).  NSS source should only include ASCII text.  Escape non-printing characters
+ ``char32_t``). NSS source should only include ASCII text. Escape non-printing characters
(with ``\x`` if there is no special escape such as \\r, \\n, and \\t) and avoid defining
string literals that use non-ASCII characters.
- One line comments starting with ``//`` are permitted.
@@ -164,7 +164,7 @@ NSS Developer Tutorial
Check with nss-dev@ before using a language feature not already used, if you are uncertain.
Please update this list if you do.
- These restrictions are different for C++ unit tests, which can use most C++11 features.  The
+ These restrictions are different for C++ unit tests, which can use most C++11 features. The
`Mozilla C++ language features
guide <https://developer.mozilla.org/en-US/docs/Using_CXX_in_Mozilla_code>`__, and the `Chromium
C++ usage guide <https://chromium-cpp.appspot.com/>`__, list C++ features that are known to be
diff --git a/doc/rst/legacy/nss_releases/index.rst b/doc/rst/legacy/nss_releases/index.rst
index aa5e948a1..74858e969 100644
--- a/doc/rst/legacy/nss_releases/index.rst
+++ b/doc/rst/legacy/nss_releases/index.rst
@@ -10,7 +10,7 @@ Release notes for recent versions of NSS
The current **ESR** releases of NSS are 3.44.4
(:ref:`mozilla_projects_nss_nss_3_44_4_release_notes`), intended for Firefox ESR 68, which was
- released on **19 May 2020**, and  3.53.1 :ref:`mozilla_projects_nss_nss_3_53_1_release_notes`,
+ released on **19 May 2020**, and 3.53.1 :ref:`mozilla_projects_nss_nss_3_53_1_release_notes`,
intended for Firefox ESR 78, which was released on **16 June 2020**.
.. _past_releases:
diff --git a/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst b/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst
index f14d7ce21..d5c5d43fa 100644
--- a/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst
@@ -81,7 +81,7 @@ JSS 4.4.0 Release Notes
.. container::
- - You can check out the source from mercurial via hg clone -r  055aa3ce8a61
+ - You can check out the source from mercurial via hg clone -r 055aa3ce8a61
https://hg.mozilla.org/projects/jss
- JSS 4.4.0 works with OpenJDK versions 1.7 or higher we suggest the latest - OpenJDK 1.8.
diff --git a/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst
index 36e42aae4..f11a2f85e 100644
--- a/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst
@@ -53,7 +53,7 @@ NSS_3.12.3_release_notes.html
.. container::
- | The CVS tag for the NSS 3.12.3 release is NSS_3_12_3_RTM.  NSS 3.12.3 requires `NSPR
+ | The CVS tag for the NSS 3.12.3 release is NSS_3_12_3_RTM. NSS 3.12.3 requires `NSPR
4.7.4 <https://www.mozilla.org/projects/nspr/release-notes/nspr474.html>`__.
| See the `Documentation <#documentation>`__ section for the build instructions.
@@ -419,7 +419,7 @@ NSS_3.12.3_release_notes.html
NSS 3.12.3 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.12.3 shared libraries
- without recompiling or relinking.  Furthermore, applications that restrict their use of NSS APIs
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in `NSS Public Functions <../ref/nssfunctions.html>`__ will remain
compatible with future versions of the NSS shared libraries.
diff --git a/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst
index f00c4ef29..400ff005c 100644
--- a/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst
@@ -22,7 +22,7 @@ NSS 3.12.4 release notes
:name: Distribution_Information
This release is built from the source, at the CVS repository rooted at cvs.mozilla.org:/cvsroot,
- with the CVS tag ``NSS_3_12_4_RTM``. 
+ with the CVS tag ``NSS_3_12_4_RTM``.
NSS 3.12.4 requires `NSPR 4.8 <https://www.mozilla.org/projects/nspr/release-notes/>`__. This is
not a hard requirement. Our QA tested NSS 3.12.4 with NSPR 4.8, but it should work with NSPR
@@ -48,7 +48,7 @@ NSS 3.12.4 release notes
- NSS 3.12.4 is the version that we submitted to NIST for FIPS 140-2 validation.
Currently NSS 3.12.4 is in the "Review Pending" state in the FIPS 140-2 pre-validation
list at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
- - Added CRL Distribution Point support (see cert.h).
+ - Added CRL Distribution Point support (see cert.h).
**CERT_DecodeCRLIssuingDistributionPoint**
**CERT_FindCRLIssuingDistPointExten**
- The old documentation of the expression matching syntax rules was
@@ -316,7 +316,7 @@ NSS 3.12.4 release notes
NSS 3.12.4 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.12.4 shared libraries
- without recompiling or relinking.  Furthermore, applications that restrict their use of NSS APIs
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs
to the functions listed in `NSS Public Functions </ref/nssfunctions.html>`__ will remain
compatible with future versions of the NSS shared libraries.
diff --git a/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst
index cd641dd88..b36b631e5 100644
--- a/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst
@@ -35,7 +35,7 @@ NSS 3.12.5 release_notes
.. rubric:: Distribution Information
:name: Distribution_Information
- The CVS tag for the NSS 3.12.5 release is ``NSS_3_12_5_RTM``. 
+ The CVS tag for the NSS 3.12.5 release is ``NSS_3_12_5_RTM``.
NSS 3.12.5 requires `NSPR 4.8 <https://www.mozilla.org/projects/nspr/release-notes/>`__.
@@ -267,7 +267,7 @@ NSS 3.12.5 release_notes
NSS 3.12.5 shared libraries are backward compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12.5
- shared libraries without recompiling or relinking.  Furthermore, applications that restrict
+ shared libraries without recompiling or relinking. Furthermore, applications that restrict
their use of NSS APIs to the functions listed in `NSS Public
Functions <https://www.mozilla.org/projects/security/pki/nss/ref/nssfunctions.html>`__ will
remain compatible with future versions of the NSS shared libraries.
diff --git a/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst
index 48895ed75..19087bb9e 100644
--- a/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst
@@ -33,7 +33,7 @@ NSS 3.12.6 release notes
.. rubric:: Distribution Information
:name: Distribution_Information
- | The CVS tag for the NSS 3.12.6 release is ``NSS_3_12_6_RTM``.  NSS 3.12.6 requires `NSPR
+ | The CVS tag for the NSS 3.12.6 release is ``NSS_3_12_6_RTM``. NSS 3.12.6 requires `NSPR
4.8.4 <https://www.mozilla.org/projects/nspr/release-notes/>`__.
| See the `Documentation <http://mdn.beonex.com/en/NSS_3.12.6_release_notes.html#docs>`__
section for the build instructions.
@@ -303,7 +303,7 @@ NSS 3.12.6 release notes
NSS 3.12.6 shared libraries are backward compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.12.6
- shared libraries without recompiling or relinking.  Furthermore, applications that restrict
+ shared libraries without recompiling or relinking. Furthermore, applications that restrict
their use of NSS APIs to the functions listed in `NSS Public
Functions <https://www.mozilla.org/projects/security/pki/nss/ref/nssfunctions.html>`__ will
remain compatible with future versions of the NSS shared libraries.
diff --git a/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst
index 0b2a546c8..2f534fd0a 100644
--- a/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst
@@ -30,7 +30,7 @@ NSS 3.12.9 release notes
.. rubric:: Distribution Information
:name: Distribution_Information
- | The CVS tag for the NSS 3.12.9 release is ``NSS_3.12.9_RTM``.  NSS 3.12.9 requires `NSPR
+ | The CVS tag for the NSS 3.12.9 release is ``NSS_3.12.9_RTM``. NSS 3.12.9 requires `NSPR
4.8.7 <https://www.mozilla.org/projects/nspr/release-notes/nspr486.html>`__.
| See the `Documentation <#docs>`__ section for the build instructions.
@@ -130,7 +130,7 @@ NSS 3.12.9 release notes
NSS 3.12.9 shared libraries are backward compatible with all older NSS 3.x shared libraries. A
program linked with older NSS 3.x shared libraries will work with NSS 3.12.9 shared libraries
- without recompiling or relinking.  Furthermore, applications that restrict their use of NSS
+ without recompiling or relinking. Furthermore, applications that restrict their use of NSS
APIs to the functions listed in `NSS Public Functions </en-US/ref/nssfunctions.html>`__ will
remain compatible with future versions of the NSS shared libraries.
diff --git a/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst
index fc56f5c5e..ccd86f58f 100644
--- a/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst
@@ -72,29 +72,29 @@ NSS 3.14.1 release notes
.. container::
- Windows CE support has been removed from the code base.
- - `Bug 812399 <https://bugzilla.mozilla.org/show_bug.cgi?id=812399>`__ - In NSS 3.14, a
+ - `Bug 812399 <https://bugzilla.mozilla.org/show_bug.cgi?id=812399>`__ - In NSS 3.14, a
regression caused `Bug 641052 <https://bugzilla.mozilla.org/show_bug.cgi?id=641052>`__ /
CVE-2011-3640 to be re-introduced under certain situations. This regression only affected
applications that initialize NSS via the NSS_NoDB_Init function. NSS 3.14.1 includes the
complete fix for this issue.
- - `Bug 357025 <https://bugzilla.mozilla.org/show_bug.cgi?id=357025>`__ - NSS 3.14 added support
+ - `Bug 357025 <https://bugzilla.mozilla.org/show_bug.cgi?id=357025>`__ - NSS 3.14 added support
for tokens that make use of CKA_ALWAYS_AUTHENTICATE. However, when authenticating with such
tokens, it was possible for an internal lock to be acquired twice, causing a hang. This hang
has been fixed in NSS 3.14.1.
- - `Bug 802429 <https://bugzilla.mozilla.org/show_bug.cgi?id=802429>`__ - In previous versions of
+ - `Bug 802429 <https://bugzilla.mozilla.org/show_bug.cgi?id=802429>`__ - In previous versions of
NSS, the "cipherOrder" slot configuration flag was not respected, causing the most recently
added slot that supported the requested PKCS#11 mechanism to be used instead. NSS now
correctly respects the supplied cipherOrder.
Applications which use multiple PKCS#11 modules, which do not indicate which tokens should be
used by default for particular algorithms, and which do make use of cipherOrder may now find
that cryptographic operations occur on a different PKCS#11 token.
- - `Bug 802429 <https://bugzilla.mozilla.org/show_bug.cgi?id=802429>`__ - The NSS softoken is now
+ - `Bug 802429 <https://bugzilla.mozilla.org/show_bug.cgi?id=802429>`__ - The NSS softoken is now
the default token for SHA-256 and SHA-512. In previous versions of NSS, these algorithms would
be handled by the most recently added PKCS#11 token that supported them.
- - `Bug 611451 <https://bugzilla.mozilla.org/show_bug.cgi?id=611451>`__ - When built with the
+ - `Bug 611451 <https://bugzilla.mozilla.org/show_bug.cgi?id=611451>`__ - When built with the
current version of Apple XCode on Mac OS X, the NSS shared libraries will now only export the
public NSS functions.
- - `Bug 810582 <https://bugzilla.mozilla.org/show_bug.cgi?id=810582>`__ - TLS False Start is now
+ - `Bug 810582 <https://bugzilla.mozilla.org/show_bug.cgi?id=810582>`__ - TLS False Start is now
only used with servers that negotiate a cipher suite that supports forward secrecy.
**Note**: The criteria for False Start may change again in future NSS releases.
diff --git a/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst
index 075056f9b..a1974d156 100644
--- a/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst
@@ -132,7 +132,7 @@ NSS 3.14 release notes
.. container::
- - `Bug 333601 <https://bugzilla.mozilla.org/show_bug.cgi?id=333601>`__ - Performance
+ - `Bug 333601 <https://bugzilla.mozilla.org/show_bug.cgi?id=333601>`__ - Performance
enhancements for Intel Macs
When building for Intel Macs, NSS will now take advantage of optimized assembly code for
diff --git a/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst
index 9b4456861..72d40ccbe 100644
--- a/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst
@@ -85,8 +85,8 @@ NSS 3.15.1 release notes
.. container::
- - `Bug 856060 <https://bugzilla.mozilla.org/show_bug.cgi?id=856060>`__ - Enforce name
- constraints on the common name in libpkix  when no subjectAltName is present.
+ - `Bug 856060 <https://bugzilla.mozilla.org/show_bug.cgi?id=856060>`__ - Enforce name
+ constraints on the common name in libpkix when no subjectAltName is present.
- `Bug 875156 <https://bugzilla.mozilla.org/show_bug.cgi?id=875156>`__ - Add const to the
function arguments of SEC_CertNicknameConflict.
- `Bug 877798 <https://bugzilla.mozilla.org/show_bug.cgi?id=877798>`__ - Fix ssltap to print the
diff --git a/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst
index 1da92af3e..7b40b1fd9 100644
--- a/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst
@@ -45,7 +45,7 @@ NSS 3.15.5 release notes
ALPN (or both) should be used for application layer protocol negotiation.
- Added the TLS `padding
extension <https://datatracker.ietf.org/doc/html/draft-agl-tls-padding>`__. The extension type
- value is 35655, which may change when an official extension type value is assigned by IANA.
+ value is 35655, which may change when an official extension type value is assigned by IANA.
NSS automatically adds the padding extension to ClientHello when necessary.
- Added a new macro ``CERT_LIST_TAIL``, defined in ``certt.h``, for getting the tail of a
``CERTCertList``.
@@ -57,9 +57,9 @@ NSS 3.15.5 release notes
.. container::
- - `Bug 950129 <https://bugzilla.mozilla.org/show_bug.cgi?id=950129>`__: Improve the OCSP
+ - `Bug 950129 <https://bugzilla.mozilla.org/show_bug.cgi?id=950129>`__: Improve the OCSP
fetching policy when verifying OCSP responses
- - `Bug 949060 <https://bugzilla.mozilla.org/show_bug.cgi?id=949060>`__: Validate the ``iov``
+ - `Bug 949060 <https://bugzilla.mozilla.org/show_bug.cgi?id=949060>`__: Validate the ``iov``
input argument (an array of ``PRIOVec`` structures) of ``ssl_WriteV`` (called via
``PR_Writev``). Applications should still take care when converting ``struct iov`` to
``PRIOVec`` because the ``iov_len`` members of the two structures have different types
diff --git a/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst
index 26868046a..4385f96b8 100644
--- a/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst
@@ -47,13 +47,13 @@ NSS 3.16.1 release notes
- *in pk11pub.h*
- - **PK11_ExportDERPrivateKeyInfo and PK11_ExportPrivKeyInfo** - exports a private key in a
+ - **PK11_ExportDERPrivateKeyInfo and PK11_ExportPrivKeyInfo** - exports a private key in a
DER-encoded ASN.1 PrivateKeyInfo type or a SECKEYPrivateKeyInfo structure. Only RSA private
keys are supported now.
- *in secmod.h*
- - **SECMOD_InternalToPubMechFlags** - converts from NSS-internal to public representation of
+ - **SECMOD_InternalToPubMechFlags** - converts from NSS-internal to public representation of
mechanism flags.
.. rubric:: New Types
@@ -61,21 +61,21 @@ NSS 3.16.1 release notes
- *in sslt.h*
- - **ssl_padding_xtn** - the value of this enum constant changed from the experimental value
- 35655 to the IANA-assigned value 21. .
+ - **ssl_padding_xtn** - the value of this enum constant changed from the experimental value
+ 35655 to the IANA-assigned value 21. .
.. rubric:: New Macros
:name: new_macros
- *in secmod.h*
- - **PUBLIC_MECH_ECC_FLAG** - a public mechanism flag for elliptic curve cryptography (ECC)
+ - **PUBLIC_MECH_ECC_FLAG** - a public mechanism flag for elliptic curve cryptography (ECC)
operations.
- *in utilmodt.h*
- - **SECMOD_ECC_FLAG** - an NSS-internal mechanism flag for elliptic curve cryptography (ECC)
- operations. This macro has the same numeric value as **PUBLIC_MECH_ECC_FLAG.**
+ - **SECMOD_ECC_FLAG** - an NSS-internal mechanism flag for elliptic curve cryptography (ECC)
+ operations. This macro has the same numeric value as **PUBLIC_MECH_ECC_FLAG.**
.. _notable_changes_in_nss_3.16.1:
diff --git a/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst
index aa9960d89..1b834338e 100644
--- a/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst
@@ -55,16 +55,16 @@ NSS 3.16.2.3 release notes
- *in ssl.h*
- - **SSL_ENABLE_FALLBACK_SCSV** - an SSL socket option that enables TLS_FALLBACK_SCSV. Off by
+ - **SSL_ENABLE_FALLBACK_SCSV** - an SSL socket option that enables TLS_FALLBACK_SCSV. Off by
default.
- *in sslerr.h*
- - **SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT** - a new SSL error code.
+ - **SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT** - a new SSL error code.
- *in sslproto.h*
- - **TLS_FALLBACK_SCSV** - a signaling cipher suite value that indicates a handshake is the
+ - **TLS_FALLBACK_SCSV** - a signaling cipher suite value that indicates a handshake is the
result of TLS version fallback.
.. _notable_changes_in_nss_3.16.2.3:
@@ -87,7 +87,7 @@ NSS 3.16.2.3 release notes
- `Bug 1057161 <https://bugzilla.mozilla.org/show_bug.cgi?id=1057161>`__ - NSS hangs with 100%
CPU on invalid EC key
- - `Bug 1036735 <https://bugzilla.mozilla.org/show_bug.cgi?id=1036735>`__ - Add support for
+ - `Bug 1036735 <https://bugzilla.mozilla.org/show_bug.cgi?id=1036735>`__ - Add support for
draft-ietf-tls-downgrade-scsv to NSS
`Compatibility <#compatibility>`__
diff --git a/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst
index 64d75a4f9..8895b3fa4 100644
--- a/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst
@@ -52,14 +52,14 @@ NSS 3.16.2 release notes
- *in cert.h*
- - **CERT_AddExtensionByOID** - adds an extension to a certificate. It is the same as
+ - **CERT_AddExtensionByOID** - adds an extension to a certificate. It is the same as
CERT_AddExtension except that the OID is represented by a SECItem instead of a SECOidTag.
- *in pk11pub.h*
- - **PK11_PrivDecrypt** - decrypts with a private key. The algorithm is specified with a
+ - **PK11_PrivDecrypt** - decrypts with a private key. The algorithm is specified with a
CK_MECHANISM_TYPE.
- - **PK11_PubEncrypt** - encrypts with a public key. The algorithm is specified with a
+ - **PK11_PubEncrypt** - encrypts with a public key. The algorithm is specified with a
CK_MECHANISM_TYPE.
.. rubric:: New Macros
@@ -67,9 +67,9 @@ NSS 3.16.2 release notes
- *in sslerr.h*
- - **SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK** - An SSL error code that means the next protcol
+ - **SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK** - An SSL error code that means the next protcol
negotiation extension was enabled, but the callback was cleared prior to being needed.
- - **SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL** - An SSL error code that means the server supports
+ - **SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL** - An SSL error code that means the server supports
no protocols that the client advertises in the ALPN extension.
.. _notable_changes_in_nss_3.16.2:
@@ -95,14 +95,14 @@ NSS 3.16.2 release notes
- The certutil command has three new certificate usage specifiers:
- - L:  certificateUsageSSLCA
- - A: certificateUsageAnyCA
- - Y: certificateUsageVerifyCA
+ - L: certificateUsageSSLCA
+ - A: certificateUsageAnyCA
+ - Y: certificateUsageVerifyCA
- The pp command has a new command-line option -u, which means "use UTF-8". The default is to
show a non-ASCII character as ".".
- - On Linux, NSS is built with the -ffunction-sections -fdata-sections compiler flags and the
- --gc-sections linker flag to allow unused functions to be discarded.
+ - On Linux, NSS is built with the -ffunction-sections -fdata-sections compiler flags and the
+ --gc-sections linker flag to allow unused functions to be discarded.
.. _bugs_fixed_in_nss_3.16.2:
@@ -114,4 +114,4 @@ NSS 3.16.2 release notes
This Bugzilla query returns all the bugs fixed in NSS 3.16.2:
| https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16.2
- |   \ No newline at end of file
+ | \ No newline at end of file
diff --git a/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst
index a900f1ef5..4bbf16cc4 100644
--- a/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst
@@ -168,4 +168,4 @@ NSS 3.16.3 release notes
This Bugzilla query returns all the bugs fixed in NSS 3.16.3:
| https://bugzilla.mozilla.org/buglist.cgi?resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.16.3
- |   \ No newline at end of file
+ | \ No newline at end of file
diff --git a/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst
index 715d6393c..34c820aa3 100644
--- a/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst
@@ -46,7 +46,7 @@ NSS 3.16 release notes
- *in cms.h*
- - **NSS_CMSSignerInfo_Verify** - verify the signature of a single SignerInfo. It just
+ - **NSS_CMSSignerInfo_Verify** - verify the signature of a single SignerInfo. It just
verifies the signature, assuming that the certificate has been verified already.
.. rubric:: New Macros
@@ -54,7 +54,7 @@ NSS 3.16 release notes
- *in sslproto.h*
- - **TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc.** - cipher suites that were
+ - **TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc.** - cipher suites that were
first defined in SSL 3.0 can now be referred to with their official IANA names in TLS, with
the TLS\_ prefix. Previously, they had to be referred to with their names in SSL 3.0, with
the SSL\_ prefix.
diff --git a/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst
index e94095cb1..cc1f7a711 100644
--- a/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst
@@ -69,16 +69,16 @@ NSS 3.17.1 release notes
- *in ssl.h*
- - **SSL_ENABLE_FALLBACK_SCSV** - an SSL socket option that enables TLS_FALLBACK_SCSV. Off by
+ - **SSL_ENABLE_FALLBACK_SCSV** - an SSL socket option that enables TLS_FALLBACK_SCSV. Off by
default.
- *in sslerr.h*
- - **SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT** - a new SSL error code.
+ - **SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT** - a new SSL error code.
- *in sslproto.h*
- - **TLS_FALLBACK_SCSV** - a signaling cipher suite value that indicates a handshake is the
+ - **TLS_FALLBACK_SCSV** - a signaling cipher suite value that indicates a handshake is the
result of TLS version fallback.
.. _notable_changes_in_nss_3.17.1:
diff --git a/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst
index 24ebb4e58..d1acbd9d4 100644
--- a/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst
@@ -50,7 +50,7 @@ NSS 3.17.4 release notes
- `Bug 1084986 <https://bugzilla.mozilla.org/show_bug.cgi?id=1084986>`__: If an SSL/TLS
connection fails, because client and server don't have any common protocol version enabled,
- NSS has been changed to report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting
+ NSS has been changed to report error code SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting
SSL_ERROR_NO_CYPHER_OVERLAP).
- `Bug 1112461 <https://bugzilla.mozilla.org/show_bug.cgi?id=1112461>`__: libpkix was fixed to
prefer the newest certificate, if multiple certificates match.
diff --git a/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst
index 71fff8ebb..33d2dae71 100644
--- a/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst
@@ -45,9 +45,9 @@ NSS 3.18.1 release notes
- The following CA certificate had the Websites and Code Signing trust **bits restored to their
original state** to allow more time to develop a better transition strategy for affected
sites. The Websites and Code Signing trust bits were turned off in
- :ref:`mozilla_projects_nss_nss_3_18_release_notes`. But when Firefox 38 went into Beta, there
+ :ref:`mozilla_projects_nss_nss_3_18_release_notes`. But when Firefox 38 went into Beta, there
was a huge spike in the number of certificate verification errors attributed to this change.
- So, to give website administrators more time to update their web servers, we reverted the
+ So, to give website administrators more time to update their web servers, we reverted the
trust bits back to being enabled.
- OU = Equifax Secure Certificate Authority
@@ -65,7 +65,7 @@ NSS 3.18.1 release notes
- The following intermediate CA certificate has been added as `actively
distrusted <https://wiki.mozilla.org/CA:MaintenanceAndEnforcement#Actively_Distrusting_a_Certificate>`__
because it was
- `misused <https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/>`__ to
+ `misused <https://blog.mozilla.org/security/2015/04/02/distrusting-new-cnnic-certificates/>`__ to
issue certificates for domain names the holder did not own or control.
- CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG
diff --git a/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst
index 79d682dbc..60fd9a67a 100644
--- a/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst
@@ -33,7 +33,7 @@ NSS 3.19.1 release notes
.. container::
- `Bug
- 1138554 <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ / `CVE-2015-4000 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000>`__ -
+ 1138554 <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ / `CVE-2015-4000 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000>`__ -
The minimum strength of keys that libssl will accept for finite field algorithms (RSA,
Diffie-Hellman, and DSA) have been increased to 1023 bits.
@@ -61,11 +61,11 @@ NSS 3.19.1 release notes
.. container::
- - NSS reports the bit length of keys more accurately.  Thus, the SECKEY_PublicKeyStrength and
+ - NSS reports the bit length of keys more accurately. Thus, the SECKEY_PublicKeyStrength and
SECKEY_PublicKeyStrengthInBits functions could report smaller values for values that have
leading zero values. This affects the key strength values that are reported by
SSL_GetChannelInfo.
- - The minimum size of keys that NSS will generate, import, or use has been raised:
+ - The minimum size of keys that NSS will generate, import, or use has been raised:
- The minimum modulus size for RSA keys is now 512 bits
- The minimum modulus size for DSA keys is now 1023 bits
@@ -88,7 +88,7 @@ NSS 3.19.1 release notes
.. container::
The NSS development team would like to thank Matthew Green and Karthikeyan Bhargavan for
- responsibly disclosing the issue in `bug
+ responsibly disclosing the issue in `bug
1138554 <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__.
`Compatibility <#compatibility>`__
@@ -102,7 +102,7 @@ NSS 3.19.1 release notes
to the functions listed in NSS Public Functions will remain compatible with future versions of
the NSS shared libraries.
- **Note:** NSS 3.19.1 increases the minimum size of keys it is willing to use. This has been shown
+ **Note:** NSS 3.19.1 increases the minimum size of keys it is willing to use. This has been shown
to break some applications. :ref:`mozilla_projects_nss_nss_3_19_2_release_notes` reverts the
behaviour to the NSS 3.19 and earlier limits.
diff --git a/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst
index 3b16e7a6e..1c4efd522 100644
--- a/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst
@@ -52,17 +52,17 @@ NSS 3.19.2 release notes
minimum key sizes that the freebl cryptographic implementation (part of the softoken
cryptographic module used by default by NSS) was willing to generate or use was increased -
for RSA keys, to 512 bits, and for DH keys, 1023 bits. This was done as part of a security fix
- for `Bug 1138554 <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ /
+ for `Bug 1138554 <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ /
`CVE-2015-4000 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000>`__.
Applications that requested or attempted to use keys smaller then the minimum size would fail.
- However, this change in behaviour unintentionally broke existing NSS applications that need to
+ However, this change in behaviour unintentionally broke existing NSS applications that need to
generate or use such keys, via APIs such as SECKEY_CreateRSAPrivateKey or
SECKEY_CreateDHPrivateKey.
In NSS 3.19.2, this change in freebl behaviour has been reverted. The fix for `Bug
- 1138554 <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ has been moved to libssl,
+ 1138554 <https://bugzilla.mozilla.org/show_bug.cgi?id=1138554>`__ has been moved to libssl,
and will now only affect the minimum keystrengths used in SSL/TLS.
- **Note:** Future versions of NSS *may* increase the minimum keysizes required by the freebl
- module. Consumers of NSS are **strongly** encouraged to migrate to stronger cryptographic
+ **Note:** Future versions of NSS *may* increase the minimum keysizes required by the freebl
+ module. Consumers of NSS are **strongly** encouraged to migrate to stronger cryptographic
strengths as soon as possible.
.. _bugs_fixed_in_nss_3.19.2:
diff --git a/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst
index 454d7a767..6c644e40e 100644
--- a/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst
@@ -9,7 +9,7 @@ NSS 3.19 release notes
.. container::
The NSS team has released Network Security Services (NSS) 3.19, which is a minor
- security release.
+ security release.
.. _distribution_information:
@@ -32,10 +32,10 @@ NSS 3.19 release notes
.. container::
- - `Bug 1086145 <https://bugzilla.mozilla.org/show_bug.cgi?id=1086145>`__ /
- `CVE-2015-2721 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2721>`__ - Fixed a
+ - `Bug 1086145 <https://bugzilla.mozilla.org/show_bug.cgi?id=1086145>`__ /
+ `CVE-2015-2721 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2721>`__ - Fixed a
bug related to the ordering of TLS handshake messages. This was also known
- as `SMACK <https://www.smacktls.com/>`__.
+ as `SMACK <https://www.smacktls.com/>`__.
.. _new_in_nss_3.19:
@@ -51,9 +51,9 @@ NSS 3.19 release notes
.. container::
- - For some certificates, such as root CA certificates that don't embed any constraints, NSS
- might impose additional constraints such as name constraints. A new API
- (`CERT_GetImposedNameConstraints <http://mxr.mozilla.org/nss/ident?i=CERT_GetImposedNameConstraints>`__) has
+ - For some certificates, such as root CA certificates that don't embed any constraints, NSS
+ might impose additional constraints such as name constraints. A new API
+ (`CERT_GetImposedNameConstraints <http://mxr.mozilla.org/nss/ident?i=CERT_GetImposedNameConstraints>`__) has
been added that allows one to lookup imposed constraints.
- It is possible to override the directory
(`SQLITE_LIB_DIR <https://bugzilla.mozilla.org/show_bug.cgi?id=1138820>`__) in which the NSS
@@ -65,7 +65,7 @@ NSS 3.19 release notes
- *in cert.h*
- **CERT_GetImposedNameConstraints** - Check if any imposed constraints exist for the given
- certificate, and if found, return the constraints as encoded certificate extensions.
+ certificate, and if found, return the constraints as encoded certificate extensions.
.. _notable_changes_in_nss_3.19:
@@ -77,7 +77,7 @@ NSS 3.19 release notes
- The SSL 3 protocol has been disabled by default.
- NSS now more strictly validates TLS extensions and will fail a handshake that contains
malformed extensions (`bug 753136 <https://bugzilla.mozilla.org/show_bug.cgi?id=753136>`__).
- - In TLS 1.2 handshakes, NSS advertises support for the SHA512 hash algorithm in order to be
+ - In TLS 1.2 handshakes, NSS advertises support for the SHA512 hash algorithm in order to be
compatible with TLS servers that use certificates with a SHA512 signature (`bug
1155922 <https://bugzilla.mozilla.org/show_bug.cgi?id=1155922>`__).
@@ -98,7 +98,7 @@ NSS 3.19 release notes
.. container::
The NSS development team would like to thank Karthikeyan Bhargavan from
- `INRIA <http://inria.fr/>`__ for responsibly disclosing the issue in `bug
+ `INRIA <http://inria.fr/>`__ for responsibly disclosing the issue in `bug
1086145 <https://bugzilla.mozilla.org/show_bug.cgi?id=1086145>`__.
`Compatibility <#compatibility>`__
diff --git a/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst
index 5d7e34db1..a491f6c54 100644
--- a/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst
@@ -48,7 +48,7 @@ NSS 3.20 release notes
- **SSL_DHEGroupPrefSet** - Configure the set of allowed/enabled DHE group parameters that
can be used by NSS for a server socket.
- **SSL_EnableWeakDHEPrimeGroup** - Enable the use of weak DHE group parameters that are
- smaller than default minimum size of the library.
+ smaller than default minimum size of the library.
.. rubric:: New Types
:name: new_types
@@ -74,10 +74,10 @@ NSS 3.20 release notes
.. container::
- The TLS library has been extended to support DHE ciphersuites in server applications.
- - For backward compatibility reasons, the server side implementation of the TLS library keeps
+ - For backward compatibility reasons, the server side implementation of the TLS library keeps
all DHE ciphersuites disabled by default. They can be enabled with the new socket option
SSL_ENABLE_SERVER_DHE and the SSL_OptionSet or the SSL_OptionSetDefault API.
- - The server side implementation of the TLS  does not support session tickets while using a DHE
+ - The server side implementation of the TLS does not support session tickets while using a DHE
ciphersuite (see `bug 1174677 <https://bugzilla.mozilla.org/show_bug.cgi?id=1174677>`__).
- Support for the following ciphersuites has been added:
@@ -96,7 +96,7 @@ NSS 3.20 release notes
select one or multiple of the embedded DHE parameters as the preferred parameters. The current
implementation of NSS will always use the first entry in the array that is passed as a
parameter to the SSL_DHEGroupPrefSet API. In future versions of the TLS implementation, a TLS
- client might show a preference for certain DHE parameters, and the NSS TLS server side
+ client might show a preference for certain DHE parameters, and the NSS TLS server side
implementation might select a matching entry from the set of parameters that have been
configured as preferred on the server side.
- NSS optionally supports the use of weak DHE parameters with DHE ciphersuites in order to
@@ -138,5 +138,5 @@ NSS 3.20 release notes
.. container::
Bugs discovered should be reported by filing a bug report
- at ` bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product
+ at ` bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product
NSS). \ No newline at end of file
diff --git a/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst
index a4c121650..3ee3a98d7 100644
--- a/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst
@@ -49,7 +49,7 @@ NSS 3.21.2 release notes
.. container::
- `Bug 1293334 <https://bugzilla.mozilla.org/show_bug.cgi?id=1293334>`__ /
- `CVE-2016-9074 <https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9074>`__  - Fixed
+ `CVE-2016-9074 <https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9074>`__ - Fixed
a timing side channel in the TLS CBC code.
`Compatibility <#compatibility>`__
diff --git a/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst
index c62151b7e..194e39c6d 100644
--- a/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst
@@ -18,7 +18,7 @@ NSS 3.21.4 release notes
.. container::
- The HG tag is NSS_3_21_4_RTM. NSS 3.21.4 requires NSPR 4.12 or newer.
+ The HG tag is NSS_3_21_4_RTM. NSS 3.21.4 requires NSPR 4.12 or newer.
NSS 3.21.4 source distributions are available on ftp.mozilla.org for secure HTTPS download:
@@ -41,7 +41,7 @@ NSS 3.21.4 release notes
.. container::
- - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
+ - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
in Base64 encoding in NSS
(`CVE-2017-5461 <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461>`__)
- `Bug 1345089 <https://bugzilla.mozilla.org/show_bug.cgi?id=1345089>`__ / DRBG flaw in NSS
diff --git a/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst
index 4d08ef9f9..9915b9316 100644
--- a/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst
@@ -67,8 +67,8 @@ NSS 3.22 release notes
- **PK11_VerifyWithMechanism** - This function is an extended version of ``PK11_Verify()``.
- These functions take an explicit mechanism and parameters as arguments rather than
- inferring it from the key type using ``PK11_MapSignKeyType()``.  The mechanism type
- CKM_RSA_PKCS_PSS is now supported for RSA in addition to CKM_RSA_PKCS.  The
+ inferring it from the key type using ``PK11_MapSignKeyType()``. The mechanism type
+ CKM_RSA_PKCS_PSS is now supported for RSA in addition to CKM_RSA_PKCS. The
CK_RSA_PKCS_PSS mechanism takes a parameter of type CK_RSA_PKCS_PSS_PARAMS.
- *in ssl.h*
@@ -162,7 +162,7 @@ NSS 3.22 release notes
.. container::
- - NSS C++ tests are built by default, requiring a C++11 compiler.  Set the NSS_DISABLE_GTESTS
+ - NSS C++ tests are built by default, requiring a C++11 compiler. Set the NSS_DISABLE_GTESTS
variable to 1 to disable building these tests.
.. _bugs_fixed_in_nss_3.22:
diff --git a/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst
index f088bcafe..8f5cbad93 100644
--- a/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst
@@ -54,9 +54,9 @@ NSS 3.23 release notes
- *in ssl.h*
- - **SSL_SetDowngradeCheckVersion** - Set maximum version for new ServerRandom anti-downgrade
+ - **SSL_SetDowngradeCheckVersion** - Set maximum version for new ServerRandom anti-downgrade
mechanism. Clients that perform a version downgrade (which is a dangerous practice) call
- this with the highest version number that they possibly support.  This gives them access to
+ this with the highest version number that they possibly support. This gives them access to
the `version downgrade protection from TLS
1.3 <https://tlswg.github.io/tls13-spec/#client-hello>`__.
diff --git a/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst
index 146baf87a..ac7bd6ef7 100644
--- a/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst
@@ -59,12 +59,12 @@ NSS 3.24 release notes
certificate and private key. Use this new function in place of SSL_ConfigSecureServer,
SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, and
SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically determines the certificate
- type from the certificate and private key. The caller is no longer required to use SSLKEAType
+ type from the certificate and private key. The caller is no longer required to use SSLKEAType
explicitly to select a "slot" into which the certificate is configured (which incorrectly
identifies a key agreement type rather than a certificate). Separate functions for configuring
Online Certificate Status Protocol (OCSP) responses or Signed Certificate Timestamps are not
needed, since these can be added to the optional SSLExtraServerCertData struct provided to
- SSL_ConfigServerCert.  Also, partial support for RSA Probabilistic Signature Scheme (RSA-PSS)
+ SSL_ConfigServerCert. Also, partial support for RSA Probabilistic Signature Scheme (RSA-PSS)
certificates has been added. Although these certificates can be configured, they will not be
used by NSS in this version.
- For functions that use temporary arenas, allocating a PORTCheapArena on the stack is more
diff --git a/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst
index 02a427ade..a8dc32646 100644
--- a/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst
@@ -43,7 +43,7 @@ NSS 3.25 release notes
- Added support for ChaCha with TLS 1.3.
- Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF.
- Removed the limitation that allowed NSS to only support certificate_verify messages that used
- the same signature hash algorithm as the PRF when using TLS 1.2 client authentication.
+ the same signature hash algorithm as the PRF when using TLS 1.2 client authentication.
- Several functions have been added to the public API of the NSS Cryptoki Framework.
.. rubric:: New Functions
diff --git a/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst
index 3d55f2a23..10d6ce39d 100644
--- a/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst
@@ -49,12 +49,12 @@ NSS 3.27.2 Release Notes
.. container::
The ``SSL_SetTrustAnchors()`` function is used to set the distinguished names that an NSS server
- includes in its TLS CertificateRequest message.  If this function is not used, NSS will include
- the distinguished names for all trust anchors installed in the database.  This can be a lengthy
+ includes in its TLS CertificateRequest message. If this function is not used, NSS will include
+ the distinguished names for all trust anchors installed in the database. This can be a lengthy
list.
Previous versions of NSS leaked the memory used to store distinguished names when
- ``SSL_SetTrustAnchors()`` was used.  This release fixes that error.
+ ``SSL_SetTrustAnchors()`` was used. This release fixes that error.
.. _bugs_fixed_in_nss_3.27.2:
diff --git a/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst
index 992ad44e1..9b213e545 100644
--- a/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst
@@ -41,7 +41,7 @@ NSS 3.28.4 release notes
.. container::
- - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
+ - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
in Base64 encoding in NSS
(`CVE-2017-5461 <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461>`__)
- `Bug 1345089 <https://bugzilla.mozilla.org/show_bug.cgi?id=1345089>`__ / DRBG flaw in NSS
diff --git a/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst
index 0d188dc88..813404f4c 100644
--- a/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst
@@ -39,15 +39,15 @@ NSS 3.28 release notes
.. container::
- NSS includes support for `TLS 1.3 draft
- -18 <https://datatracker.ietf.org/doc/html/draft-ietf-tls-tls13-18>`__.  This includes a
+ -18 <https://datatracker.ietf.org/doc/html/draft-ietf-tls-tls13-18>`__. This includes a
number of improvements to TLS 1.3:
- The signed certificate timestamp, used in certificate transparency, is supported in TLS 1.3
(`bug 1252745 <https://bugzilla.mozilla.org/show_bug.cgi?id=1252745>`__).
- Key exporters for TLS 1.3 are supported (`bug
- 1310610 <https://bugzilla.mozilla.org/show_bug.cgi?id=1310610>`__).  This includes the
+ 1310610 <https://bugzilla.mozilla.org/show_bug.cgi?id=1310610>`__). This includes the
early key exporter, which can be used if 0-RTT is enabled. Note that there is a difference
- between TLS 1.3 and key exporters in older versions of TLS.  TLS 1.3 does not distinguish
+ between TLS 1.3 and key exporters in older versions of TLS. TLS 1.3 does not distinguish
between an empty context and no context.
- The TLS 1.3 (draft) protocol can be enabled, by defining NSS_ENABLE_TLS_1_3=1 when building
NSS.
@@ -63,7 +63,7 @@ NSS 3.28 release notes
- in ssl.h
- **SSL_ExportEarlyKeyingMaterial** implements a key exporter based on the TLS 1.3 early
- exporter secret.  This API is equivalent in function to SSL_ExportKeyingMaterial, but it
+ exporter secret. This API is equivalent in function to SSL_ExportKeyingMaterial, but it
can only succeed if 0-RTT was attempted (on the client) or accepted (on the server).
- **SSL_SendAdditionalKeyShares** configures a TLS 1.3 client so that it generates additional
@@ -94,7 +94,7 @@ NSS 3.28 release notes
will therefore enable support for the TLS 1.3 protocol.
In order to prepare for this future change, we'd like to encourage all users of NSS to override
- the standard NSS 3.28 build configuration, by defining NSS_ENABLE_TLS_1_3=1 at build time.  This
+ the standard NSS 3.28 build configuration, by defining NSS_ENABLE_TLS_1_3=1 at build time. This
will enable support for TLS 1.3. Please give feedback to the NSS developers for any compatibility
issues that you encounter in your tests.
@@ -107,7 +107,7 @@ NSS 3.28 release notes
- NSS can no longer be compiled with support for additional elliptic curves (the
NSS_ECC_MORE_THAN_SUITE_B option, `bug
- 1253912 <https://bugzilla.mozilla.org/show_bug.cgi?id=1253912>`__).  This was previously
+ 1253912 <https://bugzilla.mozilla.org/show_bug.cgi?id=1253912>`__). This was previously
possible by replacing certain NSS source files.
- NSS will now detect the presence of tokens that support additional elliptic curves and enable
those curves for use in TLS (`bug
@@ -119,12 +119,12 @@ NSS 3.28 release notes
- Support for "export" grade SSL/TLS cipher suites has been removed (`bug
1252849 <https://bugzilla.mozilla.org/show_bug.cgi?id=1252849>`__).
- NSS now uses the signature schemes definition in TLS 1.3 (`bug
- 1309446 <https://bugzilla.mozilla.org/show_bug.cgi?id=1309446>`__).  This also affects TLS
+ 1309446 <https://bugzilla.mozilla.org/show_bug.cgi?id=1309446>`__). This also affects TLS
1.2. NSS will now only generate signatures with the combinations of hash and signature scheme
that are defined in TLS 1.3, even when negotiating TLS 1.2.
- This means that SHA-256 will only be used with P-256 ECDSA certificates, SHA-384 with P-384
- certificates, and SHA-512 with P-521 certificates.  SHA-1 is permitted (in TLS 1.2 only)
+ certificates, and SHA-512 with P-521 certificates. SHA-1 is permitted (in TLS 1.2 only)
with any certificate for backward compatibility reasons.
- New functions to configure signature schemes are provided: **SSL_SignatureSchemePrefSet,
SSL_SignatureSchemePrefGet**. The old SSL_SignaturePrefSet and SSL_SignaturePrefSet
diff --git a/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst
index 57821a3c7..d4dd1eafd 100644
--- a/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst
@@ -41,7 +41,7 @@ NSS 3.29.5 release notes
.. container::
- - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
+ - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
in Base64 encoding in NSS
(`CVE-2017-5461 <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461>`__)
- `Bug 1345089 <https://bugzilla.mozilla.org/show_bug.cgi?id=1345089>`__ / DRBG flaw in NSS
diff --git a/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst
index 0474ffe23..cafb0f58b 100644
--- a/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst
@@ -41,7 +41,7 @@ NSS 3.30.1 release notes
.. container::
- - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
+ - `Bug 1344380 <https://bugzilla.mozilla.org/show_bug.cgi?id=1344380>`__ / Out-of-bounds write
in Base64 encoding in NSS
(`CVE-2017-5461 <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461>`__)
diff --git a/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst
index 22a3e4e74..b27c387f3 100644
--- a/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst
@@ -72,7 +72,7 @@ NSS 3.30 release notes
- *in ciferfam.h*
- - **PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256** - cipher family identifiers
+ - **PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256** - cipher family identifiers
corresponding to the PKCS#5 v2.1 AES based encryption schemes used in the PKCS#12 support
in NSS
diff --git a/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst
index 2c80c618b..3caa79b5c 100644
--- a/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst
@@ -89,11 +89,11 @@ NSS 3.31 release notes
overlap with a systemwide crypto policy, if configured. **SSL_VersionRangeGetSupported** can
be used to query the overlap between the library's supported range of TLS versions and the
systemwide policy.
- - Previously, **SSL_VersionRangeSet** and **SSL_VersionRangeSetDefault** returned a failure if
+ - Previously, **SSL_VersionRangeSet** and **SSL_VersionRangeSetDefault** returned a failure if
the requested version range wasn't fully allowed by the systemwide crypto policy. They have
been changed to return success, if at least one TLS version overlaps between the requested
range and the systemwide policy. An application may call **SSL_VersionRangeGet**
- and **SSL_VersionRangeGetDefault** to query the TLS version range that was effectively
+ and **SSL_VersionRangeGetDefault** to query the TLS version range that was effectively
activated.
- Corrected the encoding of Domain Name Constraints extensions created by certutil
- NSS supports a clean seeding mechanism for \*NIX systems now using only /dev/urandom. This is
diff --git a/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst
index 80f6442c3..2aa842af9 100644
--- a/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst
@@ -128,7 +128,7 @@ NSS 3.34 release notes
- SHA-256 Fingerprint:
3C:FC:3C:14:D1:F6:84:FF:17:E3:8C:43:CA:44:0C:00:B9:67:EC:93:3E:8B:FE:06:4C:A1:D7:2C:90:F2:AD:B0
- - CN = CA 沃通根证书, O=WoSign CA Limited
+ - CN = CA 沃通根证书, O=WoSign CA Limited
- SHA-256 Fingerprint:
D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54
@@ -178,7 +178,7 @@ NSS 3.34 release notes
when the session was resumed.
- ``PRBool resumed`` is ``PR_TRUE`` when the session is resumed, and ``PR_FALSE`` otherwise.
- - RSA-PSS signatures are now supported on certificates.  Certificates with RSA-PSS or
+ - RSA-PSS signatures are now supported on certificates. Certificates with RSA-PSS or
RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS signature on a certificate, using the
``--pss-sign`` argument to ``certutil``.
diff --git a/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst
index 3f1d2a830..3a02e0257 100644
--- a/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst
@@ -48,7 +48,7 @@ NSS 3.35 release notes
- **SSLHandshakeType** - The type of a TLS handshake message.
- For the **SSLSignatureScheme** enum, the enumerated values ssl_sig_rsa_pss_sha\* are
- deprecated in response to a change in TLS 1.3.  Please use the equivalent
+ deprecated in response to a change in TLS 1.3. Please use the equivalent
ssl_sig_rsa_pss_rsae_sha\* for rsaEncryption keys, or ssl_sig_rsa_pss_pss_sha\* for PSS
keys. Note that this release does not include support for the latter.
@@ -133,7 +133,7 @@ NSS 3.35 release notes
- Significant changes to TLS 1.3 were made, along with the update from draft -18 to draft -23:
- - Support for KeyUpdate was added.  KeyUpdate will be used automatically, if a cipher is used
+ - Support for KeyUpdate was added. KeyUpdate will be used automatically, if a cipher is used
for a sufficient number of records.
- SSL_KEYLOGFILE support was updated for TLS 1.3.
- An option to enable TLS 1.3 compatibility mode, SSL_ENABLE_TLS13_COMPAT_MODE, was added.
@@ -143,22 +143,22 @@ NSS 3.35 release notes
- Note: The value of ssl_tls13_key_share_xtn value, from the SSLExtensionType, has been
renumbered to match changes in TLS 1.3. This is not expected to cause problems; code
compiled against previous versions of TLS will now refer to an unsupported codepoint, if
- this value was used.  Recompilation should correct any mismatches.
+ this value was used. Recompilation should correct any mismatches.
- Note: DTLS support is promoted in draft -23, but this is currently not compliant with the
DTLS 1.3 draft -23 specification.
- - TLS servers are able to handle a ClientHello statelessly, if the client supports TLS 1.3.  If
+ - TLS servers are able to handle a ClientHello statelessly, if the client supports TLS 1.3. If
the server sends a HelloRetryRequest, it is possible to discard the server socket, and make a
- new socket to handle any subsequent ClientHello.  This better enables stateless server
- operation.  (This feature is added in support of QUIC, but it also has utility for DTLS 1.3
+ new socket to handle any subsequent ClientHello. This better enables stateless server
+ operation. (This feature is added in support of QUIC, but it also has utility for DTLS 1.3
servers.)
- - The tstclnt utility now supports DTLS, using the -P option.  Note that a DTLS server is also
+ - The tstclnt utility now supports DTLS, using the -P option. Note that a DTLS server is also
provided in tstclnt.
- - TLS compression is no longer possible with NSS.  The option can be enabled, but NSS will no
+ - TLS compression is no longer possible with NSS. The option can be enabled, but NSS will no
longer negotiate compression.
- The signatures of functions SSL_OptionSet, SSL_OptionGet, SSL_OptionSetDefault and
- SSL_OptionGetDefault have been modified, to take a PRIntn argument rather than PRBool.  This
- makes it clearer, that options can have values other than 0 or 1.  Note this does not affect
+ SSL_OptionGetDefault have been modified, to take a PRIntn argument rather than PRBool. This
+ makes it clearer, that options can have values other than 0 or 1. Note this does not affect
ABI compatibility, because PRBool is a typedef for PRIntn.
.. _experimental_apis_and_functionality:
@@ -197,17 +197,17 @@ NSS 3.35 release notes
- Several experimental APIs were added in support of TLS 1.3 features:
- TLS servers are able to send session tickets to clients on demand, using the experimental
- SSL_SendSessionTicket function.  This ticket can include arbitrary application-chosen
+ SSL_SendSessionTicket function. This ticket can include arbitrary application-chosen
content.
- An anti-replay mechanism was added for 0-RTT, through the experimental SSL_SetupAntiReplay
- function.  *This mechanism must be enabled for 0-RTT to be accepted when NSS is being used
+ function. *This mechanism must be enabled for 0-RTT to be accepted when NSS is being used
as a server.*
- KeyUpdate can be triggered by the experimental SSL_KeyUpdate() function.
- TLS servers can screen new TLS 1.3 connections, as they are made using the experimental
- SSL_HelloRetryRequestCallback function.  This function allows for callbacks to be
- installed, which are called when a server receives a new TLS ClientHello.  The application
+ SSL_HelloRetryRequestCallback function. This function allows for callbacks to be
+ installed, which are called when a server receives a new TLS ClientHello. The application
is then able to examine application-chosen content from the session tickets, or
- HelloRetryRequest cookie, and decide whether to proceed with the connection.  For an
+ HelloRetryRequest cookie, and decide whether to proceed with the connection. For an
initial ClientHello, an application can control whether NSS sends a HelloRetryRequest, and
include application-chosen content in the cookie.
diff --git a/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst
index eec1340b6..10a820595 100644
--- a/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst
@@ -49,7 +49,7 @@ NSS 3.36.1 release notes
.. container::
- In NSS version 3.35 the iteration count in optimized builds, which is used for password based
- encryption algorithm related to encrypted PKCS#7 or PKCS#12 data, was increased to one million
+ encryption algorithm related to encrypted PKCS#7 or PKCS#12 data, was increased to one million
iterations. That change had caused an interoperability regression with operating systems that
are limited to 600 K iterations. NSS 3.36.1 has been changed to use the same 600 K limit.
diff --git a/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst
index ef726fa1d..5a3019aa7 100644
--- a/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst
@@ -49,7 +49,7 @@ NSS 3.36.6 release notes
.. container::
`Bug 1485864 <https://bugzilla.mozilla.org/show_bug.cgi?id=1485864>`__ - Cache side-channel
- variant of the Bleichenbacher attack (CVE-2018-12404)
+ variant of the Bleichenbacher attack (CVE-2018-12404)
`Bug 1389967 <https://bugzilla.mozilla.org/show_bug.cgi?id=1389967>`__ and `Bug
1448748 <https://bugzilla.mozilla.org/show_bug.cgi?id=1448748>`__ - Fixes for MinGW on x64
diff --git a/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst
index 6490ad830..19ee025e9 100644
--- a/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst
@@ -54,7 +54,7 @@ NSS 3.36.8 release notes
.. container::
- `1554336 <https://bugzilla.mozilla.org/show_bug.cgi?id=1554336>`__ - Optimize away unneeded
+ `1554336 <https://bugzilla.mozilla.org/show_bug.cgi?id=1554336>`__ - Optimize away unneeded
loop in mpi.c
-
diff --git a/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst
index e8e7e73ca..baf5fd9f1 100644
--- a/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst
@@ -41,7 +41,7 @@ NSS 3.39 release notes
- The ``tstclnt`` and ``selfserv`` utilities added support for configuring the enabled TLS
signature schemes using the ``-J`` parameter.
- - NSS will use RSA-PSS keys to authenticate in TLS.  Support for these keys is disabled by
+ - NSS will use RSA-PSS keys to authenticate in TLS. Support for these keys is disabled by
default but can be enabled using ``SSL_SignatureSchemePrefSet()``.
- ``certutil`` added the ability to delete an orphan private key from an NSS key database.
diff --git a/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst
index dbf7ad48d..5c40c5cf8 100644
--- a/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst
@@ -61,7 +61,7 @@ NSS 3.40.1 release notes
.. container::
`Bug 1485864 <https://bugzilla.mozilla.org/show_bug.cgi?id=1485864>`__ - Cache
- side-channel variant of the Bleichenbacher attack (CVE-2018-12404)
+ side-channel variant of the Bleichenbacher attack (CVE-2018-12404)
`Compatibility <#compatibility>`__
----------------------------------
diff --git a/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst
index e9f9bb79c..e847f44c6 100644
--- a/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst
@@ -54,8 +54,8 @@ NSS 3.40 release notes
.. container::
- - The mozilla::pkix library has been ported from Mozilla PSM to NSS.  This is a C++ library for
- building certification paths.  mozilla::pkix APIs are not exposed in the libraries NSS builds.
+ - The mozilla::pkix library has been ported from Mozilla PSM to NSS. This is a C++ library for
+ building certification paths. mozilla::pkix APIs are not exposed in the libraries NSS builds.
- It is easier to build NSS on Windows in
`mozilla-build <https://wiki.mozilla.org/MozillaBuild>`__ environments.
- The following CA certificates were **Removed**:
diff --git a/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst
index c70d926a4..11eea3118 100644
--- a/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst
@@ -130,7 +130,7 @@ NSS 3.41 release notes
supported_signature_algorithms in Certificate Request in TLS 1.2
- `Bug 1485864 <https://bugzilla.mozilla.org/show_bug.cgi?id=1485864>`__ - Cache side-channel
- variant of the Bleichenbacher attack (CVE-2018-12404)
+ variant of the Bleichenbacher attack (CVE-2018-12404)
- `Bug 1481271 <https://bugzilla.mozilla.org/show_bug.cgi?id=1481271>`__ - Resend the same
ticket in ClientHello after HelloRetryRequest
diff --git a/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst
index 4bb5beb67..6828d3941 100644
--- a/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst
@@ -8,7 +8,7 @@ NSS 3.44.4 release notes
.. container::
- The NSS team has released Network Security Services (NSS) 3.44.4 on **19 May 2020**. This is  a
+ The NSS team has released Network Security Services (NSS) 3.44.4 on **19 May 2020**. This is a
security patch release.
Thank you to Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at
diff --git a/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst
index 832f51bf6..122359d11 100644
--- a/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst
@@ -144,7 +144,7 @@ NSS 3.45 release notes
divide-by-zero in makePfromQandSeed from lib/freebl/pqg.c (static analysis)
- `Bug 1227096 <https://bugzilla.mozilla.org/show_bug.cgi?id=1227096>`__ - Fix a potential
- divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c  (static analysis)
+ divide-by-zero in PQG_VerifyParams from lib/freebl/pqg.c (static analysis)
- `Bug 1509432 <https://bugzilla.mozilla.org/show_bug.cgi?id=1509432>`__ - De-duplicate code
between mp_set_long and mp_set_ulong
diff --git a/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst
index c66f8fe6b..f1a13d7c5 100644
--- a/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst
@@ -42,7 +42,7 @@ NSS 3.46 release notes
.. container::
This release contains no significant new functionality, but concentrates on providing improved
- performance, stability, and security.  Of particular note are significant improvements to AES-GCM
+ performance, stability, and security. Of particular note are significant improvements to AES-GCM
performance on ARM.
.. _notable_changes_in_nss_3.46:
@@ -92,10 +92,10 @@ NSS 3.46 release notes
will be released in October:
- `TLS 1.3 <https://datatracker.ietf.org/doc/html/rfc8446>`__ will be the default maximum TLS
- version.  See `Bug 1573118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573118>`__ for
+ version. See `Bug 1573118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573118>`__ for
details.
- `TLS extended master secret <https://datatracker.ietf.org/doc/html/rfc7627>`__ will be enabled
- by default, where possible.  See `Bug
+ by default, where possible. See `Bug
1575411 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575411>`__ for details.
.. _bugs_fixed_in_nss_3.46:
diff --git a/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst
index e3221929d..57ffce14a 100644
--- a/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst
@@ -44,10 +44,10 @@ NSS 3.47 release notes
will be released in early December:
- `TLS 1.3 <https://datatracker.ietf.org/doc/html/rfc8446>`__ will be the default maximum TLS
- version.  See `Bug 1573118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573118>`__ for
+ version. See `Bug 1573118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573118>`__ for
details.
- `TLS extended master secret <https://datatracker.ietf.org/doc/html/rfc7627>`__ will be enabled
- by default, where possible.  See `Bug
+ by default, where possible. See `Bug
1575411 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575411>`__ for details.
.. _notable_changes_in_nss_3.47:
diff --git a/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst
index 59437a7fa..fb1b02370 100644
--- a/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst
@@ -42,10 +42,10 @@ NSS 3.48 release notes
.. container::
- `TLS 1.3 <https://datatracker.ietf.org/doc/html/rfc8446>`__ is the default maximum TLS
- version.  See `Bug 1573118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573118>`__ for
+ version. See `Bug 1573118 <https://bugzilla.mozilla.org/show_bug.cgi?id=1573118>`__ for
details.
- `TLS extended master secret <https://datatracker.ietf.org/doc/html/rfc7627>`__ is enabled by
- default, where possible.  See `Bug
+ default, where possible. See `Bug
1575411 <https://bugzilla.mozilla.org/show_bug.cgi?id=1575411>`__ for details.
- The master password PBE now uses 10,000 iterations by default when using the default sql
(key4.db) storage. Because using an iteration count higher than 1 with the legacy dbm
diff --git a/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst
index e7acc54bf..70e362743 100644
--- a/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst
@@ -44,7 +44,7 @@ NSS 3.49.2 release notes
.. container::
- `Bug 1606992 <https://bugzilla.mozilla.org/show_bug.cgi?id=1606992>`__ - Cache the most
- recent PBKDF1 password hash, to speed up repeated SDR operations, important with the increased
+ recent PBKDF1 password hash, to speed up repeated SDR operations, important with the increased
KDF iteration counts. NSS 3.49.1 sped up PBKDF2 operations, though PBKDF1 operations are also
relevant for older NSS databases.
- `Bug 1608327 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608327>`__ - Fix compilation
diff --git a/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst
index 849ac267b..bc910ee41 100644
--- a/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst
@@ -61,7 +61,7 @@ NSS 3.50 release notes
- `Bug 1599603 <https://bugzilla.mozilla.org/show_bug.cgi?id=1599603>`__ - NIST SP800-108 KBKDF
- PKCS#11 implementation
- `Bug 1606992 <https://bugzilla.mozilla.org/show_bug.cgi?id=1606992>`__ - Cache the most
- recent PBKDF1 password hash, to speed up repeated SDR operations, important with the increased
+ recent PBKDF1 password hash, to speed up repeated SDR operations, important with the increased
KDF iteration counts. NSS 3.49.1 sped up PBKDF2 operations, though PBKDF1 operations are also
relevant for older NSS databases (also included in NSS 3.49.2)
- `Bug 1608895 <https://bugzilla.mozilla.org/show_bug.cgi?id=1608895>`__ - Gyp builds on
diff --git a/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst
index bb12d283d..5ac0fedc3 100644
--- a/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst
@@ -8,7 +8,7 @@ NSS 3.51.1 release notes
.. container::
- The NSS team has released Network Security Services (NSS) 3.51.1 on **3 April 2020**. This is  a
+ The NSS team has released Network Security Services (NSS) 3.51.1 on **3 April 2020**. This is a
minor release focusing on functional bug fixes and low-risk patches only.
.. _distribution_information:
diff --git a/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst
index 709ce32a1..8c2670a32 100644
--- a/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst
@@ -8,7 +8,7 @@ NSS 3.52.1 release notes
.. container::
- The NSS team has released Network Security Services (NSS) 3.52.1 on **19 May 2020**. This is  a
+ The NSS team has released Network Security Services (NSS) 3.52.1 on **19 May 2020**. This is a
security patch release.
Thank you to Cesar Pereida Garcia and the Network and Information Security Group (NISEC) at
diff --git a/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst
index 374f4744a..d9605ca31 100644
--- a/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst
@@ -55,7 +55,7 @@ NSS 3.53 release notes
attribute, which NSS consumers can query to further refine trust decisions. (`Bug
1618404, <https://bugzilla.mozilla.org/show_bug.cgi?id=1618404>`__ `Bug
1621159 <https://bugzilla.mozilla.org/show_bug.cgi?id=1621159>`__) If a builtin certificate
- has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the  SCT or NotBefore date of a
+ has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the SCT or NotBefore date of a
certificate that builtin issued, then clients can elect not to trust it.
- This attribute provides a more graceful phase-out for certificate authorities than complete
diff --git a/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst
index 954198116..4da2a6b20 100644
--- a/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst
@@ -70,7 +70,7 @@ NSS 3.55 release notes
.. container::
- `Bug 1631583 <https://bugzilla.mozilla.org/show_bug.cgi?id=1631583>`__ (CVE-2020-6829,
- CVE-2020-12400)  - Replace P384 and P521 with new, verifiable implementations from
+ CVE-2020-12400) - Replace P384 and P521 with new, verifiable implementations from
`Fiat-Crypto <https://github.com/mit-plv/fiat-crypto>`__ and
`ECCKiila <https://gitlab.com/nisec/ecckiila/>`__.
- `Bug 1649487 <https://bugzilla.mozilla.org/show_bug.cgi?id=1649487>`__ - Move overzealous
diff --git a/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst
index 6246fc593..96490dda3 100644
--- a/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst
@@ -34,7 +34,7 @@ NSS 3.59 release notes
.. container::
- - Exported two existing functions from libnss,  CERT_AddCertToListHeadWithData and
+ - Exported two existing functions from libnss, CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData
.. _build_requirements:
@@ -69,7 +69,7 @@ NSS 3.59 release notes
- `Bug 1644209 <https://bugzilla.mozilla.org/show_bug.cgi?id=1644209>`__ - Fix broken
SelectedCipherSuiteReplacer filter to solve some test intermittents
- `Bug 1672703 <https://bugzilla.mozilla.org/show_bug.cgi?id=1672703>`__ - Tolerate the first
- CCS in TLS 1.3  to fix a regression in our  CVE-2020-25648 fix that broke purple-discord
+ CCS in TLS 1.3 to fix a regression in our CVE-2020-25648 fix that broke purple-discord
- `Bug 1666891 <https://bugzilla.mozilla.org/show_bug.cgi?id=1666891>`__ - Support key
wrap/unwrap with RSA-OAEP
- `Bug 1667989 <https://bugzilla.mozilla.org/show_bug.cgi?id=1667989>`__ - Fix gyp linking on
diff --git a/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst b/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst
index b09f2e649..579124030 100644
--- a/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst
+++ b/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst
@@ -114,7 +114,7 @@ NSS 3.60 release notes
- Bug 1678384 - Add a build flag to allow building nssckbi-testlib in m-c.
- Bug 1570539 - Remove -X alt-server-hello option from tstclnt.
- Bug 1675523 - Fix incorrect pkcs11t.h value CKR_PUBLIC_KEY_INVALID.
- - Bug 1642174 - Fix PowerPC ABI version 1 build failure.
+ - Bug 1642174 - Fix PowerPC ABI version 1 build failure.
- Bug 1674819 - Fix undefined shift in fuzzer mode.
- Bug 1678990 - Fix ARM crypto extensions detection on macOS.
- Bug 1679290 - Fix lock order inversion and potential deadlock with libnsspem.
diff --git a/doc/rst/legacy/nss_sample_code/nss_sample_code_sample1/index.rst b/doc/rst/legacy/nss_sample_code/nss_sample_code_sample1/index.rst
index 36ca99314..10926903a 100644
--- a/doc/rst/legacy/nss_sample_code/nss_sample_code_sample1/index.rst
+++ b/doc/rst/legacy/nss_sample_code/nss_sample_code_sample1/index.rst
@@ -11,7 +11,7 @@ NSS Sample Code Sample1
.. container::
This is an example program that demonstrates how to do key generation and transport between
- cooperating servers.  This program shows the following:
+ cooperating servers. This program shows the following:
- RSA key pair generation
- Naming RSA key pairs
diff --git a/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_1_hashing/index.rst b/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_1_hashing/index.rst
index 9435e0b8a..fa0c820b4 100644
--- a/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_1_hashing/index.rst
+++ b/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_1_hashing/index.rst
@@ -11,7 +11,7 @@ NSS Sample Code Sample_1_Hashing
.. container::
This is an example program that demonstrates how to compute the hash of a file and save it to
- another file.  This program illustrates the use of NSS message APIs.
+ another file. This program illustrates the use of NSS message APIs.
.. _sample_code_1:
diff --git a/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_2_initialization_of_nss/index.rst b/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_2_initialization_of_nss/index.rst
index 276f2c338..52aa4ecf7 100644
--- a/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_2_initialization_of_nss/index.rst
+++ b/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_2_initialization_of_nss/index.rst
@@ -10,7 +10,7 @@ NSS Sample Code Sample_2_Initialization of NSS
.. container::
- This example program demonstrates how to initialize the NSS Database.  This program illustrates
+ This example program demonstrates how to initialize the NSS Database. This program illustrates
password handling.
.. _sample_code_1:
diff --git a/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_3_basic_encryption_and_maci/index.rst b/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_3_basic_encryption_and_maci/index.rst
index e89c30958..89247620d 100644
--- a/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_3_basic_encryption_and_maci/index.rst
+++ b/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_3_basic_encryption_and_maci/index.rst
@@ -10,7 +10,7 @@ NSS Sample Code Sample_3_Basic Encryption and MACing
.. container::
- This example program demonstrates how to encrypt and MAC a file. 
+ This example program demonstrates how to encrypt and MAC a file.
.. _sample_code_3:
diff --git a/doc/rst/legacy/nss_sample_code/nss_sample_code_utililies_1/index.rst b/doc/rst/legacy/nss_sample_code/nss_sample_code_utililies_1/index.rst
index f55ddffc2..261b587f9 100644
--- a/doc/rst/legacy/nss_sample_code/nss_sample_code_utililies_1/index.rst
+++ b/doc/rst/legacy/nss_sample_code/nss_sample_code_utililies_1/index.rst
@@ -10,7 +10,7 @@ NSS Sample Code Utilities_1
.. container::
- This is a library of utilities used by many of the samples.  This code shows the following:
+ This is a library of utilities used by many of the samples. This code shows the following:
- Extract seed from noise file
- Read DER encoding from a file
diff --git a/doc/rst/legacy/nss_sample_code/sample2_-_initialize_nss_database/index.rst b/doc/rst/legacy/nss_sample_code/sample2_-_initialize_nss_database/index.rst
index 7a8c89caf..43a401815 100644
--- a/doc/rst/legacy/nss_sample_code/sample2_-_initialize_nss_database/index.rst
+++ b/doc/rst/legacy/nss_sample_code/sample2_-_initialize_nss_database/index.rst
@@ -10,7 +10,7 @@ Initialize NSS database - sample 2
.. container::
- The NSS sample code below demonstrates how to initialize the NSS database.
+ The NSS sample code below demonstrates how to initialize the NSS database.
.. code:: brush:
diff --git a/doc/rst/legacy/nss_sample_code/utiltiies_for_nss_samples/index.rst b/doc/rst/legacy/nss_sample_code/utiltiies_for_nss_samples/index.rst
index 233d28995..84ba6ed40 100644
--- a/doc/rst/legacy/nss_sample_code/utiltiies_for_nss_samples/index.rst
+++ b/doc/rst/legacy/nss_sample_code/utiltiies_for_nss_samples/index.rst
@@ -11,7 +11,7 @@ Utilities for nss samples
.. container::
These utility functions are adapted from those found in the sectool library used by the NSS
- security tools and other NSS test applications. 
+ security tools and other NSS test applications.
It shows the following:
diff --git a/doc/rst/legacy/nss_tech_notes/nss_tech_note4/index.rst b/doc/rst/legacy/nss_tech_notes/nss_tech_note4/index.rst
index 202451faf..7a7334bee 100644
--- a/doc/rst/legacy/nss_tech_notes/nss_tech_note4/index.rst
+++ b/doc/rst/legacy/nss_tech_notes/nss_tech_note4/index.rst
@@ -29,28 +29,28 @@ nss tech note4
.. rubric:: Get the handle of the cert associated with an SSL connection
:name: get_the_handle_of_the_cert_associated_with_an_ssl_connection
- *CERTCertificate\*  cert =  SSL_PeerCertificate(PRFileDesc \*fd);*
-         If SSL client, this will get you the server's cert handle;
-         If SSL server, this will get you the client's cert handle IF client auth is enabled
+ *CERTCertificate\* cert = SSL_PeerCertificate(PRFileDesc \*fd);*
+ If SSL client, this will get you the server's cert handle;
+ If SSL server, this will get you the client's cert handle IF client auth is enabled
*CERTCertificate\* cert = SSL_LocalCertificate(PRFileDesc \*fd);*
-         If SSL client, this will get you the client cert's handle, IF client auth happened
-         If SSL server, this will get you the server's cert handle
+ If SSL client, this will get you the client cert's handle, IF client auth happened
+ If SSL server, this will get you the server's cert handle
.. rubric:: Don't forget to clean up the cert handle when you're done with it
:name: don't_forget_to_clean_up_the_cert_handle_when_you're_done_with_it
*void CERT_DestroyCertificate(CERTCertificate \*cert);*
- .. rubric:: Some info is readily available 
+ .. rubric:: Some info is readily available
:name: some_info_is_readily_available
cert->subjectName (char*)
cert->issuerName (char*)
cert->emailAddr (char*)
-      OR char \*CERT_GetCertificateEmailAddress(CERTCertificate \*cert);
+ OR char \*CERT_GetCertificateEmailAddress(CERTCertificate \*cert);
cert->keyUsage (unsigned int)
.. rubric:: To break the issuer and subject names into components
:name: to_break_the_issuer_and_subject_names_into_components
- Pass  &(cert->issuer) or &(cert->subject) to the following functions
+ Pass &(cert->issuer) or &(cert->subject) to the following functions
*char \*CERT_GetCommonName(CERTName \*name);
char \*CERT_GetCertEmailAddress(CERTName \*name);
char \*CERT_GetCountryName(CERTName \*name);
@@ -68,7 +68,7 @@ nss tech note4
An extension has the following attributes
- Object Id (OID) : A unique OID represents an algorithm, a mechanism, a piece of information,
- etc. Examples: X500 RSA Encryption,  Certificate Basic Constraints, PKCS#7 Digested Data, etc.
+ etc. Examples: X500 RSA Encryption, Certificate Basic Constraints, PKCS#7 Digested Data, etc.
There is a long list of pre-defined OIDs, and new ones can be *added dynamically by an
application.*
The OID data structure contains an array of identifier bytes (each byte is a "level" in a
@@ -82,48 +82,48 @@ nss tech note4
*CERTCertExtension*\* extensions =cert->extensions;*
*if (extensions)*
*{*
- *    while (*extensions)*
- *    {*
- *        SECItem \*ext_oid = &(*extensions)->id;*
- *        SECItem \*ext_critical = &(*extensions)->critical;*
- *        SECItem \*ext_value = &(*extensions)->value;*
- *        /\* id attribute of the extension \*/*
- *        SECOidData \*oiddata = SECOID_FindOID(ext_oid);*
- *        if (oiddata == NULL)*
- *        {*
+ * while (*extensions)*
+ * {*
+ * SECItem \*ext_oid = &(*extensions)->id;*
+ * SECItem \*ext_critical = &(*extensions)->critical;*
+ * SECItem \*ext_value = &(*extensions)->value;*
+ * /\* id attribute of the extension \*/*
+ * SECOidData \*oiddata = SECOID_FindOID(ext_oid);*
+ * if (oiddata == NULL)*
+ * {*
*/\* OID not found \*/*
*/\* SECItem ext_oid has type (SECItemType), data (unsigned char \*) and len (unsigned int)
fields*
- *   - the application interprets these \*/*
+ * - the application interprets these \*/*
*.......*
- *        }*
- *        else*
- *        {*
+ * }*
+ * else*
+ * {*
*char \*name = oiddata->desc; /\* name of the extension \*/*
*.......*
- *        }*
- *        /\* critical attribute of the extension \*/*
- *        if (ext_critical->len > 0)*
- *        {*
+ * }*
+ * /\* critical attribute of the extension \*/*
+ * if (ext_critical->len > 0)*
+ * {*
*if (ext_critical->data[0])*
- *    /\* the extension is critical \*/*
+ * /\* the extension is critical \*/*
*else*
- *    /\* the extension is not critical \*/*
- *        }*
- *        /\* value attribute of the extension \*/*
- *        /\* SECItem ext_value has type (SECItemType), data (unsigned char \*) and len
+ * /\* the extension is not critical \*/*
+ * }*
+ * /\* value attribute of the extension \*/*
+ * /\* SECItem ext_value has type (SECItemType), data (unsigned char \*) and len
(unsigned int) fields*
*- the application interprets these \*/*
- *        SECOidTag oidtag = SECOID_FindOIDTag(ext_oid);*
- *        switch (oidtag)*
- *        {*
+ * SECOidTag oidtag = SECOID_FindOIDTag(ext_oid);*
+ * switch (oidtag)*
+ * {*
*case a_tag_that_app_recognizes:*
- *    .....*
+ * .....*
*case .....*
- *    ......*
- *        }*
- *        extensions++;*
- *    }*
+ * ......*
+ * }*
+ * extensions++;*
+ * }*
*}*
.. rubric:: An example custom cert extension
@@ -131,24 +131,24 @@ nss tech note4
*struct \_myCertExtData*
*{*
- *    SECItem version;*
- *    SECItem streetaddress;*
- *    SECItem phonenum;*
- *    SECItem rfc822name;*
- *    SECItem id;*
- *    SECItem maxusers;*
+ * SECItem version;*
+ * SECItem streetaddress;*
+ * SECItem phonenum;*
+ * SECItem rfc822name;*
+ * SECItem id;*
+ * SECItem maxusers;*
*};*
*typedef struct \_myCertExtData myCertExtData;*
*/\* template used for decoding the extension \*/*
*const SEC_ASN1Template myCertExtTemplate[] = {*
- *    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof( myCertExtData ) },*
- *    { SEC_ASN1_INTEGER, offsetof(myCertExtData, version) },*
- *    { SEC_ASN1_OCTET_STRING, offsetof( myCertExtData, streetaddress ) },*
- *    { SEC_ASN1_OCTET_STRING, offsetof( myCertExtData, phonenum ) },*
- *    { SEC_ASN1_OCTET_STRING, offsetof( myCertExtData, rfc822name ) },*
- *    { SEC_ASN1_OCTET_STRING, offsetof( myCertExtData, id ) },*
- *    { SEC_ASN1_INTEGER, offsetof(myCertExtData, maxusers ) },*
- *    { 0 }*
+ * { SEC_ASN1_SEQUENCE, 0, NULL, sizeof( myCertExtData ) },*
+ * { SEC_ASN1_INTEGER, offsetof(myCertExtData, version) },*
+ * { SEC_ASN1_OCTET_STRING, offsetof( myCertExtData, streetaddress ) },*
+ * { SEC_ASN1_OCTET_STRING, offsetof( myCertExtData, phonenum ) },*
+ * { SEC_ASN1_OCTET_STRING, offsetof( myCertExtData, rfc822name ) },*
+ * { SEC_ASN1_OCTET_STRING, offsetof( myCertExtData, id ) },*
+ * { SEC_ASN1_INTEGER, offsetof(myCertExtData, maxusers ) },*
+ * { 0 }*
*};*
*/\* OID for my cert extension - replace 0xff with appropriate values*/*
*static const unsigned char myoid[] = { 0xff, 0xff, 0xff, 0xff, .... };*
@@ -159,19 +159,19 @@ nss tech note4
*SECStatus rv = CERT_FindCertExtensionByOID(cert, &myoidItem, &myextvalue);
if (rv == SECSuccess)
{
-     SEC_ASN1DecoderContext \* context = SEC_ASN1DecoderStart(NULL, &data, myCertExtTemplate);
-     rv = SEC_ASN1DecoderUpdate( context, (const char \*)(myextvalue.data), myextvalue.len);
-     if (rv == SECSuccess)
-     {
-         /\* Now you can extract info from SECItem fields of your extension data structure \*/
-         /\* See "Misc helper functions" below \*/
-         .......
-         /\* free the SECItem fields \*/
-         SECITEM_FreeItem(&data.version, PR_FALSE);
-         SECITEM_FreeItem(&data.streetaddress, PR_FALSE);
-         ......
-         SECITEM_FreeItem(&data.maxusers, PR_FALSE);
-     }
+ SEC_ASN1DecoderContext \* context = SEC_ASN1DecoderStart(NULL, &data, myCertExtTemplate);
+ rv = SEC_ASN1DecoderUpdate( context, (const char \*)(myextvalue.data), myextvalue.len);
+ if (rv == SECSuccess)
+ {
+ /\* Now you can extract info from SECItem fields of your extension data structure \*/
+ /\* See "Misc helper functions" below \*/
+ .......
+ /\* free the SECItem fields \*/
+ SECITEM_FreeItem(&data.version, PR_FALSE);
+ SECITEM_FreeItem(&data.streetaddress, PR_FALSE);
+ ......
+ SECITEM_FreeItem(&data.maxusers, PR_FALSE);
+ }
}*
.. rubric:: Some miscellaneous helper functions
@@ -189,20 +189,20 @@ nss tech note4
:name: some_higher_level_extension_functions
- Get a specific extension from the list of extensions, given the extension tag
- *SECStatus CERT_FindCertExtension  (CERTCertificate \*cert, int tag, SECItem \*value);*
+ *SECStatus CERT_FindCertExtension (CERTCertificate \*cert, int tag, SECItem \*value);*
- Get a specific extension from the ISSUER's cert\ *
- SECStatus CERT_FindIssuerCertExtension  (CERTCertificate \*cert, int tag, SECItem \*value);*
+ SECStatus CERT_FindIssuerCertExtension (CERTCertificate \*cert, int tag, SECItem \*value);*
- Get the value of an extension with the given OID
*SECStatus CERT_FindCertExtensionByOID (CERTCertificate \*cert, SECItem \*oid, SECItem
\*value);*
- Get the decoded value of the "Basic Constraints" extension
*SECStatus CERT_FindBasicConstraintExten (CERTCertificate \*cert, CERTBasicConstraints
\*value);*
- - Get value of the keyUsage extension.  This uses PR_Alloc to allocate buffer for the decoded
- value, The  caller should free up the storage allocated in value->data.
+ - Get value of the keyUsage extension. This uses PR_Alloc to allocate buffer for the decoded
+ value, The caller should free up the storage allocated in value->data.
*SECStatus CERT_FindKeyUsageExtension (CERTCertificate \*cert, SECItem \*value);*
- - Get decoded value of the subjectKeyID extension.  This uses PR_Alloc to allocate buffer for
- the decoded value, The  caller should free up the storage allocated in value->data.
+ - Get decoded value of the subjectKeyID extension. This uses PR_Alloc to allocate buffer for
+ the decoded value, The caller should free up the storage allocated in value->data.
*SECStatus CERT_FindSubjectKeyIDExten (CERTCertificate \*cert, SECItem \*retItem);*
*
@@ -216,6 +216,6 @@ nss tech note4
.. container::
- Browse through the NSS source code online at
- http://lxr.mozilla.org/mozilla/source/security/nss/  and http://lxr.mozilla.org/security/
+ http://lxr.mozilla.org/mozilla/source/security/nss/ and http://lxr.mozilla.org/security/
- documentation on some cert funcs
`http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslcrt.html <https://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslcrt.html>`__ \ No newline at end of file
diff --git a/doc/rst/legacy/nss_tech_notes/nss_tech_note5/index.rst b/doc/rst/legacy/nss_tech_notes/nss_tech_note5/index.rst
index 032597309..d9b7b9ddf 100644
--- a/doc/rst/legacy/nss_tech_notes/nss_tech_note5/index.rst
+++ b/doc/rst/legacy/nss_tech_notes/nss_tech_note5/index.rst
@@ -20,7 +20,7 @@ nss tech note5
- NSS Project Info is at
`http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__
- You can browse the NSS source online at http://lxr.mozilla.org/mozilla/source/security/nss/
-  and http://lxr.mozilla.org/security/
+ and http://lxr.mozilla.org/security/
- Be sure to look for :ref:`mozilla_projects_nss_sample_code` first for things you need to do.
- **Note:** This document contains code snippets that focus on essential aspects of the task and
often do not illustrate all the cleanup that needs to be done. Also, this document does not
@@ -46,7 +46,7 @@ nss tech note5
- grep for CKF_EN_DE_.
*CK_MECHANISM_TYPE cipherMech = CKM_DES_CBC_PAD* <big>(for example)</big>
#. Choose a slot on which to do the operation
- *PK11SlotInfo\* slot = PK11_GetBestSlot(cipherMech, NULL);  *\ **OR**\ *
+ *PK11SlotInfo\* slot = PK11_GetBestSlot(cipherMech, NULL); *\ **OR**\ *
PK11SlotInfo\* slot = PK11_GetInternalKeySlot(); /\* alwys returns internal slot, may not be
optimal \*/*
#. Prepare the Key
@@ -58,11 +58,11 @@ nss tech note5
keyItem.len = /\* length of the array of key bytes \*/
/\* turn the SECItem into a key object \*/
PK11SymKey\* SymKey = PK11_ImportSymKey(slot, cipherMech, PK11_OriginUnwrap,
-                                                                                        
+
CKA_ENCRYPT, &keyItem, NULL)*;
- If generating the key - see section `Generate a Symmetric
Key <#generate_a_symmetric_key>`__
-  
+
#. <big>Prepare the parameter for crypto context. IV is relevant only when using CBC mode of
encryption. If not using CBC mode, just pass a NULL IV parm to PK11_ParamFromIV function
@@ -74,16 +74,16 @@ nss tech note5
- Create Encryption context
*PK11Context\* EncContext = PK11_CreateContextBySymKey(cipherMech,
-                                                                                
-  CKA_ENCRYPT or CKA_DECRYPT,
-                                                                                  SymKey,
+
+ CKA_ENCRYPT or CKA_DECRYPT,
+ SymKey,
SecParam);*
- Do the Operation. If encrypting, outbuf len must be atleast (inbuflen + blocksize). If
decrypting, outbuflen must be atleast inbuflen.
*SECStatus s = PK11_CipherOp(EncContext, outbuf, &tmp1_outlen, sizeof outbuf, inbuf,
-                                                             inbuflen);
+ inbuflen);
s = PK11_DigestFinal(EncContext, outbuf+tmp1_outlen, &tmp2_outlen,
-                                            sizeof outbuf - tmp1_outlen);
+ sizeof outbuf - tmp1_outlen);
result_len = tmp1_outlen + tmp2_outlen;*
- <big>Destroy the Context
*PK11_DestroyContext(EncContext, PR_TRUE);*\ </big>
@@ -147,7 +147,7 @@ nss tech note5
security/nss/lib/softoken/pkcs11.c - grep for CKF_DIGEST.
*CK_MECHANISM_TYPE digestMech = CKM_MD5* <big>(for example)</big>
#. Choose a slot on which to do the operation
- *PK11SlotInfo\* slot = PK11_GetBestSlot(digestMech, NULL);  *\ **OR**\ *
+ *PK11SlotInfo\* slot = PK11_GetBestSlot(digestMech, NULL); *\ **OR**\ *
PK11SlotInfo\* slot = PK11_GetInternalKeySlot(); /\* always returns int slot, may not be
optimal \*/*
#. Prepare the Key
@@ -159,12 +159,12 @@ nss tech note5
keyItem.len = /\* length of the array of key bytes \*/
/\* turn the SECItem into a key object \*/
PK11SymKey\* SymKey = PK11_ImportSymKey(slot, digestMech, PK11_OriginUnwrap,
-                                                                                        
+
CKA_DIGEST, &keyItem, NULL)*;
- If generating the key - see section `Generate a Symmetric
Key <#generate_a_symmetric_key>`__. Can use *CKM_GENERIC_SECRET_KEY_GEN* as the key gen
mechanism.
-  
+
#. <big>Prepare the parameter for crypto context. The param must be provided, but can be empty.
*SECItem param;
@@ -172,8 +172,8 @@ nss tech note5
param.len = 0;*\ </big>
#. <big>Create Crypto context</big>
*PK11Context\* DigestContext = PK11_CreateContextBySymKey(digestMech, CKA_DIGEST, SymKey,
-                                                                                              
-                          &param);*
+
+ &param);*
#. <big>Digest the data</big>, providing the key
<big>\ *SECStatus s = PK11_DigestBegin(DigestContext);
s = PK11_DigestKey(DigestContext, SymKey);
@@ -200,12 +200,12 @@ nss tech note5
#. Make sure NSS is initialized.The simplest Init function, in case you don't need a NSS database
is
*NSS_NoDB_Init(".")*
- #. Choose a  HMAC mechanism. You can find a list of HMAC mechanisms in
+ #. Choose a HMAC mechanism. You can find a list of HMAC mechanisms in
security/nss/lib/softoken/pkcs11.c - grep for CKF_SN_VR, and choose the mechanisms that
contain HMAC in the name
*CK_MECHANISM_TYPE hmacMech = CKM_MD5_HMAC;* <big>(for example)</big>
#. Choose a slot on which to do the operation
- *PK11SlotInfo\* slot = PK11_GetBestSlot(hmacMech, NULL);  *\ **OR**\ *
+ *PK11SlotInfo\* slot = PK11_GetBestSlot(hmacMech, NULL); *\ **OR**\ *
PK11SlotInfo\* slot = PK11_GetInternalKeySlot(); /\* always returns int slot, may not be
optimal \*/*
#. Prepare the Key
@@ -218,12 +218,12 @@ nss tech note5
keyItem.len = /\* length of the array of key bytes \*/
/\* turn the SECItem into a key object \*/
PK11SymKey\* SymKey = PK11_ImportSymKey(slot, hmacMech, PK11_OriginUnwrap,
-                                                                                        
- CKA_SIGN,  &keyItem, NULL)*;
+
+ CKA_SIGN, &keyItem, NULL)*;
- If generating the key - see section `Generate a Symmetric
Key <#generate_a_symmetric_key>`__. Can use *CKM_GENERIC_SECRET_KEY_GEN* as the key gen
mechanism.
-  
+
#. <big>Prepare the parameter for crypto context. The param must be provided, but can be empty.
*SECItem param;
@@ -232,8 +232,8 @@ nss tech note5
param.len = 0;*\ </big>
#. <big>Create Crypto context</big>
*PK11Context\* DigestContext = PK11_CreateContextBySymKey(hmacMech, CKA_SIGN,
-                                                                                              
-                          SymKey, &param);*
+
+ SymKey, &param);*
#. <big>Digest the data</big>
<big>\ *SECStatus s = PK11_DigestBegin(DigestContext);
s = PK11_DigestOp(DigestContext, data, sizeof data);
@@ -263,12 +263,12 @@ nss tech note5
#. Make sure NSS is initialized.The simplest Init function, in case you don't need a NSS database
is
*NSS_NoDB_Init(".")*
- #. Choose a  Wrapping mechanism. See wrapMechanismList in security/nss/lib/pk11wrap/pk11slot.c
+ #. Choose a Wrapping mechanism. See wrapMechanismList in security/nss/lib/pk11wrap/pk11slot.c
and security/nss/lib/ssl/ssl3con.c for examples of wrapping mechanisms. Most of them are
cipher mechanisms.
*CK_MECHANISM_TYPE wrapMech = CKM_DES3_ECB;* <big>(for example)</big>
#. Choose a slot on which to do the operation
- *PK11SlotInfo\* slot = PK11_GetBestSlot(wrapMech, NULL);  *\ **OR**\ *
+ *PK11SlotInfo\* slot = PK11_GetBestSlot(wrapMech, NULL); *\ **OR**\ *
PK11SlotInfo\* slot = PK11_GetInternalKeySlot(); /\* always returns int slot, may not be
optimal \*/*
<big>Regarding the choice of slot and wrapMech, if you know one, you can derive the other. You
@@ -284,14 +284,14 @@ nss tech note5
keyItem.len = /\* length of the array of key bytes \*/
/\* turn the SECItem into a key object \*/
PK11SymKey\* WrappingSymKey = PK11_ImportSymKey(slot, wrapMech,
-                                                                                            
-              PK11_OriginUnwrap,
-                                                                                            
-              CKA_WRAP,  &keyItem, NULL)*
-  
+
+ PK11_OriginUnwrap,
+
+ CKA_WRAP, &keyItem, NULL)*
+
- If generating the key - see section `Generate a Symmetric
Key <#generate_a_symmetric_key>`__
-  
+
#. Prepare the To-be-Wrapped Key
@@ -302,13 +302,13 @@ nss tech note5
keyItem.len = /\* length of the array of key bytes \*/
/\* turn the SECItem into a key object \*/
PK11SymKey\* ToBeWrappedSymKey = PK11_ImportSymKey(slot, wrapMech,,
-                                                                                            
-                      PK11_OriginUnwrap,
-                                                                                            
-                     CKA_WRAP,  &keyItem, NULL)*;
+
+ PK11_OriginUnwrap,
+
+ CKA_WRAP, &keyItem, NULL)*;
- If generating the key - see section `Generate a Symmetric
Key <#generate_a_symmetric_key>`__
-  
+
#. <big>Prepare the parameter for crypto context. IV is relevant only when using CBC cipher mode.
If not using CBC mode, just pass a NULL *SecParam* to *PK11_WrapSymKey* or *PK11_UnwrapSymKey*
@@ -322,30 +322,30 @@ nss tech note5
WrappedKey.len = SOME_LEN;
WrappedKey.data = allocate (SOME_LEN) bytes;*
#. <big>Do the Wrap</big>. Note that the WrappingSymKey and the ToBeWrappedSymKey must be on the
- slot where the wrap is going to happen. To move  keys to the desired slot, see section `Moving
+ slot where the wrap is going to happen. To move keys to the desired slot, see section `Moving
a Key from one slot to another <#moving_a_key_from_one_slot_to_another>`__
<big>\ *SECStatus s = PK11_WrapSymKey(wrapMech, SecParam, WrappingSymKey,
-                                                                  ToBeWrappedSymKey,
+ ToBeWrappedSymKey,
&WrappedKey);*\ </big>
#. <big><big>Transport/Store or do whatever with the Wrapped Key (WrappedKey.data,
WrappedKey.len)</big></big>
- #. <big><big>Unwrapping. </big></big>
+ #. <big><big>Unwrapping. </big></big>
- <big><big>Set up the args to the function *PK11_UnwrapSymKey*, most of which are
- illustrated above. The *keyTypeMech* arg of type *CK_MECHANISM_TYPE  *\ <big>indicates the
+ illustrated above. The *keyTypeMech* arg of type *CK_MECHANISM_TYPE *\ <big>indicates the
type of key that was wrapped and can be same as the *wrapMech* (e.g.
*wrapMech=CKM_SKIPJACK_WRAP, keyTypeMech=CKM_SKIPJACK_CBC64; wrapMech=CKM_SKIPJACK_CBC64,
keyTypeMech=CKM_SKIPJACK_CBC64*).</big>\ </big></big>
- Do the unwrap
<big><big>\ *PK11SymKey\* UnwrappedSymKey = PK11_UnwrapSymKey(WrappingSymKey,
-                                                                                    
+
wrapMech*\ </big></big><big><big>\ *, SecParam, &WrappedKey,
-                                                                                    
+
keyTypeMech,*\ </big></big>
- <big><big>\ *                                                                             
-      CKA_UNWRAP, /\* or CKA_DECRYPT? \*/
-                                                                                  
-  size_of_key_that_was_wrapped_bytes);*\ </big></big>
+ <big><big>\ *
+ CKA_UNWRAP, /\* or CKA_DECRYPT? \*/
+
+ size_of_key_that_was_wrapped_bytes);*\ </big></big>
#. Clean up
*PK11_FreeSymKey(WrappingSymKey);*
@@ -353,7 +353,7 @@ nss tech note5
PK11_FreeSymKey(UnwrappedSymKey);
if (SecParam) SECITEM_FreeItem(SecParam, PR_TRUE);
SECITEM_FreeItem(&WrappedKey, PR_TRUE);
- PK11_FreeSlot(slot); *
+ PK11_FreeSlot(slot); *
--------------
@@ -368,12 +368,12 @@ nss tech note5
*#include "nss.h"
#include "pk11pub.h"*
#. Make sure NSS is initialized.
- #. Choose a  Wrapping mechanism. See wrapMechanismList in security/nss/lib/pk11wrap/pk11slot.c
+ #. Choose a Wrapping mechanism. See wrapMechanismList in security/nss/lib/pk11wrap/pk11slot.c
and security/nss/lib/ssl/ssl3con.c for examples of wrapping mechanisms. Most of them are
cipher mechanisms.
*CK_MECHANISM_TYPE wrapMech = CKM_DES3_ECB;* <big>(for example).</big>
#. Slot on which to do the operation
- *PK11SlotInfo\* slot = PK11_GetBestSlot(wrapMech, NULL);  *\ **OR**\ *
+ *PK11SlotInfo\* slot = PK11_GetBestSlot(wrapMech, NULL); *\ **OR**\ *
PK11SlotInfo\* slot = PK11_GetInternalKeySlot(); /\* always returns int slot, may not be
optimal \*/*
This should be the slot that is best suited for the wrapping. This may or may not be the slot
@@ -391,17 +391,17 @@ nss tech note5
keyItem.len = /\* length of the array of key bytes \*/
/\* turn the SECItem into a key object \*/
PK11SymKey\* WrappingSymKey = PK11_ImportSymKey(slot, wrapMech,
-                                                                                            
-              PK11_OriginUnwrap,
-                                                                                            
-              CKA_WRAP,  &keyItem, NULL)*;
+
+ PK11_OriginUnwrap,
+
+ CKA_WRAP, &keyItem, NULL)*;
- If generating the key - see section `Generate a Symmetric
Key <#generate_a_symmetric_key>`__
-  
+
#. Prepare the To-be-Wrapped Key
- - *SECKEYPrivateKey \*ToBeWrappedPrivKey *
+ - *SECKEYPrivateKey \*ToBeWrappedPrivKey *
#. <big>Prepare the parameter for crypto context. IV is relevant only when using CBC cipher mode.
If not using CBC mode, just pass a NULL *SecParam* to *PK11_WrapPrivKey* function
@@ -415,10 +415,10 @@ nss tech note5
WrappedKey.len = SOME_LEN;
WrappedKey.data = allocate (SOME_LEN) bytes;*
#. <big>Do the Wrap</big>. Note that the WrappingSymKey and the ToBeWrappedPvtKey must be on the
- slot where the wrap is going to happen. To move  keys to the desired slot, see section `Moving
+ slot where the wrap is going to happen. To move keys to the desired slot, see section `Moving
a Key from one slot to another <#moving_a_key_from_one_slot_to_another>`__
- <big>\ *SECStatus s = PK11_WrapPrivKey(slot, WrappingSymKey,  ToBeWrappedPvtKey, wrapMech,
-                                                                  SecParam, &WrappedKey,
+ <big>\ *SECStatus s = PK11_WrapPrivKey(slot, WrappingSymKey, ToBeWrappedPvtKey, wrapMech,
+ SecParam, &WrappedKey,
NULL);*\ </big>
#. <big><big>Transport/Store or do whatever with the Wrapped Key (WrappedKey.data,
WrappedKey.len)</big></big>
@@ -437,28 +437,28 @@ nss tech note5
int numAttribs;
/\* figure out which operations to enable for this key \*/
if( keyType == CKK_RSA ) {
-         attribs[0] = CKA_SIGN;
-         attribs[1] = CKA_DECRYPT;
-         attribs[2] = CKA_SIGN_RECOVER;
-         attribs[3] = CKA_UNWRAP;
-         numAttribs = 4;
+ attribs[0] = CKA_SIGN;
+ attribs[1] = CKA_DECRYPT;
+ attribs[2] = CKA_SIGN_RECOVER;
+ attribs[3] = CKA_UNWRAP;
+ numAttribs = 4;
} else if(keyType == CKK_DSA) {
-         attribs[0] = CKA_SIGN;
-         numAttribs = 1;
+ attribs[0] = CKA_SIGN;
+ numAttribs = 1;
}*
- <big>Do the unwrap</big>
*SECKEYPrivateKey \*UnwrappedPvtKey =
-               PK11_UnwrapPrivKey(slot, WrappingSymKey, wrapMech, SecParam, &WrappedKey,
-                                                           &label,  pubValue, token, PR_TRUE
+ PK11_UnwrapPrivKey(slot, WrappingSymKey, wrapMech, SecParam, &WrappedKey,
+ &label, pubValue, token, PR_TRUE
/\* sensitive \*/
-                                                           keyType,  attribs, numAttribs,
+ keyType, attribs, numAttribs,
NULL /*wincx*/);*
#. Clean up
*PK11_FreeSymKey(WrappingSymKey);*
<big>\ *if (SecParam) SECITEM_FreeItem(SecParam, PR_TRUE);*\ </big>
<big>\ *SECITEM_FreeItem(&WrappedKey, PR_TRUE);*\ </big>
- *if (pubValue)  SECITEM_FreeItem(pubValue, PR_TRUE);*
+ *if (pubValue) SECITEM_FreeItem(pubValue, PR_TRUE);*
*if (UnwrappedPvtKey) SECKEY_DestroyPrivateKey(UnwrappedPvtKey);*
*if (ToBeWrappedPvtKey) SECKEY_DestroyPrivateKey(ToBeWrappedPvtKey);*
*PK11_FreeSlot(slot);*
@@ -476,12 +476,12 @@ nss tech note5
*#include "nss.h"
#include "pk11pub.h"*
#. Make sure NSS is initialized.
- #. Choose a  Wrapping mechanism. See wrapMechanismList in security/nss/lib/pk11wrap/pk11slot.c
+ #. Choose a Wrapping mechanism. See wrapMechanismList in security/nss/lib/pk11wrap/pk11slot.c
and security/nss/lib/ssl/ssl3con.c for examples of wrapping mechanisms. Most of them are
cipher mechanisms.
*CK_MECHANISM_TYPE wrapMech = CKM_DES3_ECB;* <big>(for example)</big>
#. Slot on which to do the operation
- *PK11SlotInfo\* slot = PK11_GetBestSlot(wrapMech, NULL);  *\ **OR**\ *
+ *PK11SlotInfo\* slot = PK11_GetBestSlot(wrapMech, NULL); *\ **OR**\ *
PK11SlotInfo\* slot = PK11_GetInternalKeySlot(); /\* always returns int slot, may not be
optimal \*/*
This should be the slot that is best suited for the wrapping. This may or may not be the slot
@@ -503,10 +503,10 @@ nss tech note5
keyItem.len = /\* length of the array of key bytes \*/
/\* turn the SECItem into a key object \*/
PK11SymKey\* ToBeWrappedSymKey = PK11_ImportSymKey(slot, wrapMech,,
-                                                                                            
-                      PK11_OriginUnwrap,
-                                                                                            
-                     CKA_WRAP,  &keyItem, NULL)*;
+
+ PK11_OriginUnwrap,
+
+ CKA_WRAP, &keyItem, NULL)*;
- If generating the key - see section `Generate a Symmetric
Key <#generate_a_symmetric_key>`__
@@ -515,10 +515,10 @@ nss tech note5
WrappedKey.len = SOME_LEN;
WrappedKey.data = allocate (SOME_LEN) bytes;*
#. <big>Do the Wrap</big>. Note that the WrappingPubKey and the ToBeWrappedSymKey must be on the
- slot where the wrap is going to happen. To move  keys to the desired slot, see section `Moving
+ slot where the wrap is going to happen. To move keys to the desired slot, see section `Moving
a Key from one slot to another <#moving_a_key_from_one_slot_to_another>`__
<big>\ *SECStatus s = PK11_PubWrapSymKey(wrapMech, WrappingPubKey,
-                                                                         ToBeWrappedSymKey,
+ ToBeWrappedSymKey,
&WrappedKey);*\ </big>
#. <big><big>Transport/Store or do whatever with the Wrapped Key (WrappedKey.data,
WrappedKey.len)</big></big>
@@ -529,11 +529,11 @@ nss tech note5
CK_MECHANISM_TYPE keyTypeMech = ??;*
- <big>Do the unwrap</big>
*PK11SymKey \*UnwrappedSymKey =
-           PK11_PubUnwrapSymKey(UnWrappingPvtKey, WrappedKey, keyTypeMech,
-                                                              *<big><big>\ *CKA_UNWRAP, /\*
+ PK11_PubUnwrapSymKey(UnWrappingPvtKey, WrappedKey, keyTypeMech,
+ *<big><big>\ *CKA_UNWRAP, /\*
or CKA_DECRYPT? \*/
-                                                            
-  *\ </big></big><big><big>\ *size_of_key_that_was_wrapped_bytes);*\ </big></big>
+
+ *\ </big></big><big><big>\ *size_of_key_that_was_wrapped_bytes);*\ </big></big>
#. Clean up
*PK11_FreeSymKey(ToBeWrappedSymKey);*
@@ -557,7 +557,7 @@ nss tech note5
raw form. You can find a list of key generation mechanisms in
security/nss/lib/softoken/pkcs11.c - grep for CKF_GENERATE. For some key gen mechanisms, the
keysize is in bytes, and for some it is in bits.
- |  
+ |
#. <big>Choose a key generation mechanism</big>
*CK_MECHANISM_TYPE keygenMech = CKM_DES_KEY_GEN;* (for example)
@@ -569,7 +569,7 @@ nss tech note5
.. rubric:: Extract the raw key (This should not normally be used. Better to use wrapping
instead. See `method1 <#symmetric_key_wrappingunwrapping_sym_key>`__ and
- `method2 <#pki_wrap_symkey>`__ ). 
+ `method2 <#pki_wrap_symkey>`__ ).
:name: extract_the_raw_key_(this_should_not_normally_be_used._better_to_use_wrapping_instead._see_method1_and_method2_).
*SECStatus rv = PK11_ExtractKeyValue(SymKey);
@@ -583,9 +583,9 @@ nss tech note5
keyid.data = /\* ptr to an array of bytes representing the id of the key to be generated \*/;
keyid.len = /\* length of the array of bytes \*/;
/\* keysize must be 0 for fixed key-length algorithms like DES... and appropriate value
-  \*  for non fixed-key-length algorithms \*/
+ \* for non fixed-key-length algorithms \*/
PK11SymKey \*key = PK11_TokenKeyGen(slot, cipherMech, 0, 32 /\* keysize \*/,
-                                                                                &keyid, PR_TRUE,
+ &keyid, PR_TRUE,
0);*
| *int keylen = PK11_GetKeyLength(key);
cipherMech = PK11_GetMechanism(key);*
@@ -654,6 +654,6 @@ nss tech note5
*int keylen = PK11_GetKeyLength(PK11SymKey \*symkey);*
#. Get the mechanism given a symmetric key
*CK_MECHANISM_TYPE mech = PK11_GetMechanism(PK11SymKey \*key);*
-  
+
-------------- \ No newline at end of file
diff --git a/doc/rst/legacy/nss_tech_notes/nss_tech_note6/index.rst b/doc/rst/legacy/nss_tech_notes/nss_tech_note6/index.rst
index 117839892..a55425c75 100644
--- a/doc/rst/legacy/nss_tech_notes/nss_tech_note6/index.rst
+++ b/doc/rst/legacy/nss_tech_notes/nss_tech_note6/index.rst
@@ -19,17 +19,17 @@ nss tech note6
.. container::
In NSS 3.8, we added checksum files required for the NSS softoken to operate in FIPS 140 mode.
- The new checksum file is called libsoftokn3.chk on Unix/Linux and softokn3.chk on Windows.  It
+ The new checksum file is called libsoftokn3.chk on Unix/Linux and softokn3.chk on Windows. It
must be put in the same directory as the NSS libraries. The libsoftokn3.chk/softokn3.chk file
contains a checksum for the softoken. When in FIPS 140 mode, the softoken is required to compute
its checksum and compare it with the value in libsoftokn3.chk/softokn3.chk.
-  
+
The following applies to NSS 3.8 through 3.10 :
| On 32-bit Solaris SPARC (i.e., not x86, and not 64-bit SPARC) and 32-bit HP-UX PA-RISC (i.e.,
not Itanium, and not 64-bit PA-RISC), there are two more .chk files: libfreebl_pure32_3.chk and
libfreebl_hybrid_3.chk.
- |  
+ |
The following applies to NSS 3.11 :
@@ -77,28 +77,28 @@ nss tech note6
If your build process modifies NSS libraries in any way (for example, to strip the symbols), it
should consider not doing so for the reasons cited above. If you still decide to make unsupported
changes, you can allow the softoken to come up in FIPS 140 mode of operation by regenerating the
- .chk files yourself.  The tool to do that is called shlibsign.  It is released as part of the NSS
+ .chk files yourself. The tool to do that is called shlibsign. It is released as part of the NSS
binary distributions.
If your build process does not modify NSS shared libraries, you can just use the .chk files in
the NSS binary distributions.
-  
+
So you have two options.
-  
+
1. Do not modify NSS libraries in your build process. Specifically, do not modify libsoftokn3.so,
libsoftokn3.sl, softokn3.dll, libfreebl_pure32_3.so, libfreebl_pure32_3.sl,
libfreebl_hybrid_3.so,libfreebl_hybrid_3.sl, libfreebl3.so, libfreebl3.sl, freebl3.dll,
libfreebl_32int64_3.so, libfreebl_32int_3.so, libfreebl_32fpu_3.so, libfreebl_64int_3.so,
libfreebl_64fpu_3.so, libfreebl_32int_3.sl, libfreebl_32fpu_3.sl; or
-  
- 2. Use shlibsign to regenerate the .chk files.  For example, on 32-bit Solaris SPARC for NSS
+
+ 2. Use shlibsign to regenerate the .chk files. For example, on 32-bit Solaris SPARC for NSS
3.11, say
-  
+
shlibsign -v -i libsoftokn3.so
shlibsign -v -i libfreebl_32int64_3.so
shlibsign -v -i libfreebl_32fpu_3.so
shlibsign -v -i libfreebl_32int_3.so
-  
+
(You need to set LD_LIBRARY_PATH appropriately and specify the correct pathnames of the
libraries.)
-  
+
Option 1 is simpler and highly preferred. \ No newline at end of file
diff --git a/doc/rst/legacy/nss_tools_sslstrength/index.rst b/doc/rst/legacy/nss_tools_sslstrength/index.rst
index 3efcbe98c..3a53baa60 100644
--- a/doc/rst/legacy/nss_tools_sslstrength/index.rst
+++ b/doc/rst/legacy/nss_tools_sslstrength/index.rst
@@ -30,7 +30,7 @@ NSS Tools sslstrength
.. container::
The first form simple lists out the possible ciphers. The letter in the first column of the
- output is used to identify the cipher preferences in the ciphers=  command.
+ output is used to identify the cipher preferences in the ciphers= command.
The second form attempts to connect to the named ssl host. The hostname argument must be present.
However, the port number is an optional argument, and if not given, will default to the https
port (443).
@@ -46,11 +46,11 @@ NSS Tools sslstrength
command can be used to further restrict the ciphers available. The argument to the ciphers
command is a string of characters, where each single character represents a cipher. You can
obtain this list of character->cipher mappings by doing 'sslstrength ciphers'. For example,
- **    ciphers=bfi** will turn on these cipher preferences and turn off all others.
+ ** ciphers=bfi** will turn on these cipher preferences and turn off all others.
- **    policy=export** or **policy=domestic** will set your policies appropriately.
+ ** policy=export** or **policy=domestic** will set your policies appropriately.
- | **    policy** will default to domestic if not specified.
+ | ** policy** will default to domestic if not specified.
.. rubric:: Step-up
:name: step-up
diff --git a/doc/rst/legacy/pkcs11/module_installation/index.rst b/doc/rst/legacy/pkcs11/module_installation/index.rst
index fefafd891..bd3502e4b 100644
--- a/doc/rst/legacy/pkcs11/module_installation/index.rst
+++ b/doc/rst/legacy/pkcs11/module_installation/index.rst
@@ -7,20 +7,20 @@ PKCS11 module installation
`PKCS #11 </en-US/PKCS11>`__ modules are external modules which add to Firefox support for
smartcard readers, biometric security devices, and external certificate stores. This article
- covers the two methods for installing PKCS #11 modules into Firefox. Users can use the
+ covers the two methods for installing PKCS #11 modules into Firefox. Users can use the
preferences dialog to install or remove PKCS #11 module. Extensions can programmatically manage
PKCS #11 modules using the nsIPKCS11 programming interface.
.. note::
- **Note:** The information in this article is specific to Firefox 3.5 and newer. Older versions
+ **Note:** The information in this article is specific to Firefox 3.5 and newer. Older versions
of Firefox may support the
`window.pkcs11 <https://developer.mozilla.org/en-US/docs/Web/API/Window/pkcs11>`__ property
for installing PKCS #11 modules.
.. _using_the_firefox_preferences_to_install_pkcs_11_modules:
-`Using the Firefox preferences to install PKCS #11 modules <#using_the_firefox_preferences_to_install_pkcs_11_modules>`__
+`Using the Firefox preferences to install PKCS #11 modules <#using_the_firefox_preferences_to_install_pkcs_11_modules>`__
-------------------------------------------------------------------------------------------------------------------------
.. container::
diff --git a/doc/rst/legacy/pkcs11/module_specs/index.rst b/doc/rst/legacy/pkcs11/module_specs/index.rst
index 08475b11c..cb8729161 100644
--- a/doc/rst/legacy/pkcs11/module_specs/index.rst
+++ b/doc/rst/legacy/pkcs11/module_specs/index.rst
@@ -36,11 +36,11 @@ PKCS #11 Module Specs
All applications/libraries must be able recognize the following name values:
- library 
+ library
This specifies the path to the pkcs #11 library.
- name 
+ name
This specifies the name of the pkcs #11 library.
- parameter 
+ parameter
This specifies a pkcs #11 library parameter with the application must pass to the pkcs #11
library at ``C_Initialize()`` time (see below).
@@ -237,50 +237,50 @@ PKCS #11 Module Specs
Valid values are:
- configDir 
+ configDir
Configuration Directory where NSS can store persistant state information (typically
databases).
- secmod 
+ secmod
Name of the secmod database (default = secmod.db).
- certPrefix 
+ certPrefix
Prefix for the cert database.
- keyPrefix 
+ keyPrefix
Prefix for the key database.
- minPWLen 
+ minPWLen
Minimum password length in bytes.
- manufacturerID 
+ manufacturerID
Override the default ``manufactureID`` value for the module returned in the ``CK_INFO``,
``CK_SLOT_INFO``, and ``CK_TOKEN_INFO`` structures with an internationalize string (UTF8).
This value will be truncated at 32 bytes (no NULL, partial UTF8 characters dropped).
- libraryDescription 
+ libraryDescription
Override the default ``libraryDescription`` value for the module returned in the ``CK_INFO``
structure with an internationalize string (UTF8). This value will be truncated at 32 bytes (no
``NULL``, partial UTF8 characters dropped).
- cryptoTokenDescription 
+ cryptoTokenDescription
Override the default label value for the internal crypto token returned in the
``CK_TOKEN_INFO`` structure with an internationalize string (UTF8). This value will be
truncated at 32 bytes (no NULL, partial UTF8 characters dropped).
- dbTokenDescription 
+ dbTokenDescription
Override the default label value for the internal DB token returned in the ``CK_TOKEN_INFO``
structure with an internationalize string (UTF8). This value will be truncated at 32 bytes (no
NULL, partial UTF8 characters dropped).
- FIPSTokenDescription 
+ FIPSTokenDescription
Override the default label value for the internal FIPS token returned in the ``CK_TOKEN_INFO``
structure with an internationalize string (UTF8). This value will be truncated at 32 bytes (no
NULL, partial UTF8 characters dropped).
- cryptoSlotDescription 
+ cryptoSlotDescription
Override the default ``slotDescription`` value for the internal crypto token returned in the
``CK_SLOT_INFO`` structure with an internationalize string (UTF8). This value will be
truncated at 64 bytes (no NULL, partial UTF8 characters dropped).
- dbSlotDescription 
+ dbSlotDescription
Override the default ``slotDescription`` value for the internal DB token returned in the
``CK_SLOT_INFO`` structure with an internationalize string (UTF8). This value will be
truncated at 64 bytes (no NULL, partial UTF8 characters dropped).
- FIPSSlotDescription 
+ FIPSSlotDescription
Override the default ``slotDescription`` value for the internal FIPS token returned in the
``CK_SLOT_INFO`` structure with an internationalize string (UTF8). This value will be
truncated at 64 bytes (no NULL, partial UTF8 characters dropped).
- flags 
+ flags
comma separated list of flag values, parsed case-insensitive.
.. rubric:: Flags
@@ -288,23 +288,23 @@ PKCS #11 Module Specs
Valid flags are:
- noModDB 
+ noModDB
Don't open ``secmod.db`` and try to supply the strings. The MOD DB function is not through
standard PKCS #11 interfaces.
- readOnly 
+ readOnly
Databases should be opened read only.
- noCertDB 
+ noCertDB
Don't try to open a certificate database.
- noKeyDB 
+ noKeyDB
Don't try to open a key database.
- forceOpen 
+ forceOpen
Don't fail to initialize the token if the databases could not be opened.
- passwordRequired 
+ passwordRequired
Zero length passwords are not acceptable (valid only if there is a keyDB).
- optimizeSpace 
+ optimizeSpace
allocate smaller hash tables and lock tables. When this flag is not specified, Softoken will
allocate large tables to prevent lock contention.
- tokens 
+ tokens
configure 'tokens' by hand. The tokens parameter specifies a space separated list of slotIDS,
each of which specify their own set of parameters affecting that token. Typically 'tokens'
would not be specified unless additional databases are to be opened as additional tokens. If
@@ -329,37 +329,37 @@ PKCS #11 Module Specs
Parameters:
- configDir 
+ configDir
The location of the databases for this token. If ``configDir`` is not specified, the default
``configDir`` specified earlier will be used.
- certPrefix 
+ certPrefix
Cert prefix for this token.
- keyPrefix 
+ keyPrefix
Prefix for the key database for this token.
- tokenDescription 
+ tokenDescription
The label value for this token returned in the ``CK_TOKEN_INFO`` structure with an
internationalize string (UTF8). This value will be truncated at 32 bytes (no NULL, partial
UTF8 characters dropped).
- slotDescription 
+ slotDescription
The ``slotDescription`` value for this token returned in the ``CK_SLOT_INFO`` structure with
an internationalize string (UTF8). This value will be truncated at 64 bytes (no NULL, partial
UTF8 characters dropped).
- minPWLen 
+ minPWLen
minimum password length for this token.
- flags 
+ flags
comma separated list of flag values, parsed case-insensitive.
Valid flags are:
- readOnly 
+ readOnly
Databases should be opened read only.
- noCertDB 
+ noCertDB
Don't try to open a certificate database.
- noKeyDB 
+ noKeyDB
Don't try to open a key database.
- forceOpen 
+ forceOpen
Don't fail to initialize the token if the databases could not be opened.
- passwordRequired 
+ passwordRequired
Zero length passwords are not acceptable (valid only if there is a ``keyDB``).
- optimizeSpace 
+ optimizeSpace
allocate smaller hash tables and lock tables. When this flag is not specified, Softoken
will allocate large tables to prevent lock contention. \ No newline at end of file
diff --git a/doc/rst/legacy/python_binding_for_nss/index.rst b/doc/rst/legacy/python_binding_for_nss/index.rst
index c90afb56e..c3bf61d80 100644
--- a/doc/rst/legacy/python_binding_for_nss/index.rst
+++ b/doc/rst/legacy/python_binding_for_nss/index.rst
@@ -636,14 +636,14 @@ Python binding for NSS
| Change Log | The primary enhancements in this version was |
| | fixing access to extensions in a |
| | CertificateRequest and giving access to |
- | | CertificateRequest attributes.  There is a bug |
+ | | CertificateRequest attributes. There is a bug |
| | in NSS which hides the existence of extensions |
| | in a CSR if the extensions are not contained in |
- | | the first CSR  attribute. This was fixable in |
- | | python-nss without requiring a patch  to NSS. |
+ | | the first CSR attribute. This was fixable in |
+ | | python-nss without requiring a patch to NSS. |
| | Formerly python-nss did not provide access to |
| | the attributes in a CSR only the extensions, |
- | | with this release all components of a  CSR can |
+ | | with this release all components of a CSR can |
| | be accessed. See test/test_cert_request.py for |
| | examples. |
| | |
@@ -1387,7 +1387,7 @@ Internal Changes
+-------------------------------------------------+-------------------------------------------------+
| SCM Tag | PYNSS_RELEASE_0_9_0 |
+-------------------------------------------------+-------------------------------------------------+
- | Source Download |   |
+ | Source Download | |
+-------------------------------------------------+-------------------------------------------------+
| Change Log | .. rubric:: General Modifications: |
| | :name: general_modifications |
@@ -1558,7 +1558,7 @@ Internal Changes
+-------------------------------------------------+-------------------------------------------------+
| SCM Tag | PYNSS_RELEASE_0_8_0 |
+-------------------------------------------------+-------------------------------------------------+
- | Source Download |   |
+ | Source Download | |
+-------------------------------------------------+-------------------------------------------------+
| Change Log | .. rubric:: General Modifications: |
| | :name: general_modifications_2 |
@@ -1594,9 +1594,9 @@ Internal Changes
+-------------------------------------------------+-------------------------------------------------+
| Release Date | 2009-09-18 |
+-------------------------------------------------+-------------------------------------------------+
- | SCM Tag |   |
+ | SCM Tag | |
+-------------------------------------------------+-------------------------------------------------+
- | Source Download |   |
+ | Source Download | |
+-------------------------------------------------+-------------------------------------------------+
| Change Log | .. rubric:: General Modifications: |
| | :name: general_modifications_3 |
@@ -1665,9 +1665,9 @@ Internal Changes
+-------------------------------------------------+-------------------------------------------------+
| Release Date | 2009-07-08 |
+-------------------------------------------------+-------------------------------------------------+
- | SCM Tag |   |
+ | SCM Tag | |
+-------------------------------------------------+-------------------------------------------------+
- | Source Download |   |
+ | Source Download | |
+-------------------------------------------------+-------------------------------------------------+
| Change Log | .. rubric:: General Modifications: |
| | :name: general_modifications_4 |
@@ -1687,9 +1687,9 @@ Internal Changes
+-------------------------------------------------+-------------------------------------------------+
| Release Date | 2009-07-01 |
+-------------------------------------------------+-------------------------------------------------+
- | SCM Tag |   |
+ | SCM Tag | |
+-------------------------------------------------+-------------------------------------------------+
- | Source Download |   |
+ | Source Download | |
+-------------------------------------------------+-------------------------------------------------+
| Change Log | .. rubric:: General Modifications: |
| | :name: general_modifications_5 |
@@ -1709,9 +1709,9 @@ Internal Changes
+-------------------------------------------------+-------------------------------------------------+
| Release Date | 2009-06-30 |
+-------------------------------------------------+-------------------------------------------------+
- | SCM Tag |   |
+ | SCM Tag | |
+-------------------------------------------------+-------------------------------------------------+
- | Source Download |   |
+ | Source Download | |
+-------------------------------------------------+-------------------------------------------------+
| Change Log | .. rubric:: General Modifications: |
| | :name: general_modifications_6 |
@@ -1732,9 +1732,9 @@ Internal Changes
+-------------------------------------------------+-------------------------------------------------+
| Release Date | 2009-06-04 |
+-------------------------------------------------+-------------------------------------------------+
- | SCM Tag |   |
+ | SCM Tag | |
+-------------------------------------------------+-------------------------------------------------+
- | Source Download |   |
+ | Source Download | |
+-------------------------------------------------+-------------------------------------------------+
| Change Log | .. rubric:: General Modifications: |
| | :name: general_modifications_7 |
@@ -1753,9 +1753,9 @@ Internal Changes
+-------------------------------------------------+-------------------------------------------------+
| Release Date | 2009-05-21 |
+-------------------------------------------------+-------------------------------------------------+
- | SCM Tag |   |
+ | SCM Tag | |
+-------------------------------------------------+-------------------------------------------------+
- | Source Download |   |
+ | Source Download | |
+-------------------------------------------------+-------------------------------------------------+
| Change Log | .. rubric:: General Modifications: |
| | :name: general_modifications_8 |
@@ -1789,7 +1789,7 @@ Internal Changes
=============== ===============
Release Date 2008-07-09
- SCM Tag  
- Source Download  
+ SCM Tag
+ Source Download
Change Log Initial release
=============== =============== \ No newline at end of file
diff --git a/doc/rst/legacy/reference/building_and_installing_nss/build_instructions/index.rst b/doc/rst/legacy/reference/building_and_installing_nss/build_instructions/index.rst
index 18e1d2f75..bc6e44a76 100644
--- a/doc/rst/legacy/reference/building_and_installing_nss/build_instructions/index.rst
+++ b/doc/rst/legacy/reference/building_and_installing_nss/build_instructions/index.rst
@@ -7,7 +7,7 @@ Build instructions
.. note::
- These instructions are outdated.  Use the :ref:`mozilla_projects_nss_building` page for more
+ These instructions are outdated. Use the :ref:`mozilla_projects_nss_building` page for more
recent information.
Numerous optional features of NSS builds are controlled through make variables.
@@ -47,7 +47,7 @@ Build instructions
set to "0".
For Windows, install
- the `MozillaBuild <https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Windows_Prerequisites#mozillabuild>`__ environment
+ the `MozillaBuild <https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Windows_Prerequisites#mozillabuild>`__ environment
and Microsoft Visual Studio 2010. (The free edition works, and other versions like Visual Studio
2008 and Visual Studio 2012 may also work.) Use start-shell-msvc2010.bat from MozillaBuild to get
a bash shell with the PATH already configured, and execute these instructions from within that
diff --git a/doc/rst/legacy/reference/building_and_installing_nss/migration_to_hg/index.rst b/doc/rst/legacy/reference/building_and_installing_nss/migration_to_hg/index.rst
index 4be4ef099..11bd04eab 100644
--- a/doc/rst/legacy/reference/building_and_installing_nss/migration_to_hg/index.rst
+++ b/doc/rst/legacy/reference/building_and_installing_nss/migration_to_hg/index.rst
@@ -9,10 +9,10 @@ Migration to HG
to
| Mozilla's HG (Mercurial) server.
| Each project now lives in its own separate space, they can be found at:
- |    https://hg.mozilla.org/projects/nspr/
- |    https://hg.mozilla.org/projects/nss/
- |    https://hg.mozilla.org/projects/jss/
- |   https://hg.mozilla.org/projects/python-nss/
+ | https://hg.mozilla.org/projects/nspr/
+ | https://hg.mozilla.org/projects/nss/
+ | https://hg.mozilla.org/projects/jss/
+ | https://hg.mozilla.org/projects/python-nss/
| This migration has been used as an opportunity to change the layout of the
| source directories.
@@ -33,14 +33,14 @@ Migration to HG
| platform (this part hasn't changed).
| However, below is a brief summary that shows how to checkout the
| source code and build both NSPR and NSS:
- |   mkdir workarea
- |   cd workarea
- |   hg clone https://hg.mozilla.org/projects/nspr
- |   hg clone https://hg.mozilla.org/projects/nss
- |   cd nss
- |   # set USE_64=1 on 64 bit architectures
- |   # set BUILD_OPT=1 to get an optimized build
- |   make nss_build_all
+ | mkdir workarea
+ | cd workarea
+ | hg clone https://hg.mozilla.org/projects/nspr
+ | hg clone https://hg.mozilla.org/projects/nss
+ | cd nss
+ | # set USE_64=1 on 64 bit architectures
+ | # set BUILD_OPT=1 to get an optimized build
+ | make nss_build_all
| Note that the JSS project has been given a private copy of the former
| mozilla/security/coreconf directory, allowing it to remain stable,
| and only update its build system as necessary.
diff --git a/doc/rst/legacy/reference/fc_getinfo/index.rst b/doc/rst/legacy/reference/fc_getinfo/index.rst
index 21bc7c654..1b73f2508 100644
--- a/doc/rst/legacy/reference/fc_getinfo/index.rst
+++ b/doc/rst/legacy/reference/fc_getinfo/index.rst
@@ -91,12 +91,12 @@ FC_GetInfo
crv = pFunctionList->C_GetInfo(&info);
assert(crv == CKR_OK);
printf("General information about the PKCS #11 library:\n");
- printf(" PKCS #11 version: %d.%d\n",
+ printf(" PKCS #11 version: %d.%d\n",
(int)info.cryptokiVersion.major, (int)info.cryptokiVersion.minor);
- printf(" manufacturer ID: %.32s\n", info.manufacturerID);
+ printf(" manufacturer ID: %.32s\n", info.manufacturerID);
printf(" flags: 0x%08lx\n", info.flags);
- printf(" library description: %.32s\n", info.libraryDescription);
- printf(" library version: %d.%d\n",
+ printf(" library description: %.32s\n", info.libraryDescription);
+ printf(" library version: %d.%d\n",
(int)info.libraryVersion.major, (int)info.libraryVersion.minor);
printf("\n");
diff --git a/doc/rst/legacy/reference/index.rst b/doc/rst/legacy/reference/index.rst
index c872837e5..a5cbc957a 100644
--- a/doc/rst/legacy/reference/index.rst
+++ b/doc/rst/legacy/reference/index.rst
@@ -292,7 +292,7 @@ NSS reference
.. container::
A small number of :ref:`mozilla_projects_nss_reference_nspr_functions` are required for using the
- certificate verification and SSL functions in NSS.  These functions are listed in this section.
+ certificate verification and SSL functions in NSS. These functions are listed in this section.
.. _error_codes:
diff --git a/doc/rst/legacy/reference/nspr_functions/index.rst b/doc/rst/legacy/reference/nspr_functions/index.rst
index ca0046fc9..55d33200e 100644
--- a/doc/rst/legacy/reference/nspr_functions/index.rst
+++ b/doc/rst/legacy/reference/nspr_functions/index.rst
@@ -6,9 +6,9 @@ NSPR functions
.. container::
`NSPR <https://www.mozilla.org/projects/nspr/>`__ is a platform abstraction library that provides
- a cross-platform API to common OS services.  NSS uses NSPR internally as the porting layer. 
+ a cross-platform API to common OS services. NSS uses NSPR internally as the porting layer.
However, a small number of NSPR functions are required for using the certificate verification and
- SSL functions in NSS.  These NSPR functions are listed in this section.
+ SSL functions in NSS. These NSPR functions are listed in this section.
.. _nspr_initialization_and_shutdown:
@@ -17,7 +17,7 @@ NSPR functions
.. container::
- NSPR is automatically initialized by the first NSPR function called by the application.  Call
+ NSPR is automatically initialized by the first NSPR function called by the application. Call
```PR_Cleanup`` </en-US/PR_Cleanup>`__ to shut down NSPR and clean up its resources.\ `
</en-US/PR_Init>`__
@@ -30,9 +30,9 @@ NSPR functions
.. container::
- NSS uses NSPR's thread-specific error code to report errors.  Call
+ NSS uses NSPR's thread-specific error code to report errors. Call
```PR_GetError`` </en-US/PR_GetError>`__ to get the error code of the last failed NSS or NSPR
- function.  Call ```PR_SetError`` </en-US/PR_SetError>`__ to set the error code, which can be
+ function. Call ```PR_SetError`` </en-US/PR_SetError>`__ to set the error code, which can be
retrieved with ``PR_GetError`` later.
The NSS functions ``PORT_GetError`` and ``PORT_SetError`` are simply wrappers of ``PR_GetError``
@@ -49,7 +49,7 @@ NSPR functions
.. container::
NSS certificate verification functions take a ``PRTime`` parameter that specifies the time
- instant at which the validity of the certificate should verified.  The NSPR function
+ instant at which the validity of the certificate should verified. The NSPR function
```PR_Now`` </en-US/PR_Now>`__ returns the current time in ``PRTime``.
- `PR_Now </en-US/PR_Now>`__
@@ -63,7 +63,7 @@ NSPR functions
The NSPR socket I/O functions ```PR_Recv`` </en-US/PR_Recv>`__ and
```PR_Send`` </en-US/PR_Send>`__ (used by the NSS SSL functions) take a ``PRIntervalTime``
- timeout parameter.  ``PRIntervalTime`` has an abstract, platform-dependent time unit.  Call
+ timeout parameter. ``PRIntervalTime`` has an abstract, platform-dependent time unit. Call
```PR_SecondsToInterval`` </en-US/PR_SecondsToInterval>`__ or ``PR_MillisecondsToInterval`` to
convert a time interval in seconds or milliseconds to ``PRIntervalTime``.
@@ -77,11 +77,11 @@ NSPR functions
.. container::
- NSPR file descriptors can be layered, corresponding to the layers in the network stack.  The SSL
+ NSPR file descriptors can be layered, corresponding to the layers in the network stack. The SSL
library in NSS implements the SSL protocol as an NSPR I/O layer, which sits on top of another
NSPR I/O layer that represents TCP.
- You can implement an NSPR I/O layer that wraps your own TCP socket code.  The following NSPR
+ You can implement an NSPR I/O layer that wraps your own TCP socket code. The following NSPR
functions allow you to create your own NSPR I/O layer and manipulate it.
- `PR_GetUniqueIdentity </en-US/PR_GetUniqueIdentity>`__
@@ -100,7 +100,7 @@ NSPR functions
.. container::
If your current TCP socket code uses the standard BSD socket API, a lighter-weight method than
- creating your own NSPR I/O layer is to simply import a native file descriptor into NSPR.  This
+ creating your own NSPR I/O layer is to simply import a native file descriptor into NSPR. This
method is convenient and works for most applications.
- `PR_ImportTCPSocket </en-US/PR_ImportTCPSocket>`__
@@ -112,7 +112,7 @@ NSPR functions
.. container::
- As mentioned above, the SSL library in NSS implements the SSL protocol as an NSPR I/O layer. 
+ As mentioned above, the SSL library in NSS implements the SSL protocol as an NSPR I/O layer.
Users call NSPR socket I/O functions to read from, write to, and shut down an SSL connection, and
to close an NSPR file descriptor.
diff --git a/doc/rst/legacy/reference/nss_certificate_functions/index.rst b/doc/rst/legacy/reference/nss_certificate_functions/index.rst
index 0bf034414..01d694d49 100644
--- a/doc/rst/legacy/reference/nss_certificate_functions/index.rst
+++ b/doc/rst/legacy/reference/nss_certificate_functions/index.rst
@@ -221,7 +221,7 @@ NSS Certificate Functions
certificates:
- \* matches anything
- -  ? matches one character
+ - ? matches one character
- \\ escapes a special character
- $ matches the end of the string
- [abc] matches one occurrence of a, b, or c. The only character that needs to be escaped in
diff --git a/doc/rst/legacy/reference/nss_environment_variables/index.rst b/doc/rst/legacy/reference/nss_environment_variables/index.rst
index 6d214b9b4..248256596 100644
--- a/doc/rst/legacy/reference/nss_environment_variables/index.rst
+++ b/doc/rst/legacy/reference/nss_environment_variables/index.rst
@@ -28,7 +28,7 @@ NSS environment variables
| | | named in the | |
| | | environment variable | |
| | | NSRANDFILE (see | |
- | | | below).  Makes | |
+ | | | below). Makes | |
| | | NSRANDFILE usable with | |
| | | /dev/urandom. | |
+------------------------+------------------------+------------------------+------------------------+
@@ -239,7 +239,7 @@ NSS environment variables
| | | and will report an | |
| | | error in non-DEBUG | |
| | | builds. | |
- | | | - If set  to | |
+ | | | - If set to | |
| | | "DISABLED", | |
| | | Softoken will | |
| | | ignore forks, and | |
@@ -259,7 +259,7 @@ NSS environment variables
| | | shutdown NSS before | |
| | | freeing all the | |
| | | resources it acquired | |
- | | | from NSS while NSS was | |
+ | | | from NSS while NSS was | |
| | | initialized. | |
+------------------------+------------------------+------------------------+------------------------+
| ``NSS_TRACE_OCSP`` | Boolean | Enables OCSP tracing. | 3.12 |
@@ -278,7 +278,7 @@ NSS environment variables
| | | the non-standard | |
| | | unencoded format that | |
| | | was used by default | |
- | | | before NSS 3.12.3. | |
+ | | | before NSS 3.12.3. | |
+------------------------+------------------------+------------------------+------------------------+
| ``NSS_US | Boolean | Tells NSS to allow | 3.12.3 |
| E_SHEXP_IN_CERT_NAME`` | (any value to enable) | shell-style wildcard | |
diff --git a/doc/rst/legacy/reference/nss_initialize/index.rst b/doc/rst/legacy/reference/nss_initialize/index.rst
index 9ae09efcb..f316e507e 100644
--- a/doc/rst/legacy/reference/nss_initialize/index.rst
+++ b/doc/rst/legacy/reference/nss_initialize/index.rst
@@ -51,32 +51,32 @@ NSS_Initialize
and ``NSS_NoDB_Init``. If any of those simpler NSS initialization functions suffices for your
needs, call that instead.
- The ``flags`` parameter is a bitwise OR of the following flags:
+ The ``flags`` parameter is a bitwise OR of the following flags:
- NSS_INIT_READONLY - Open the databases read only.
- - NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just initialize the volatile certdb.
- - NSS_INIT_NOMODDB - Don't open the security module DB, just initialize the  PKCS #11 module.
- - NSS_INIT_FORCEOPEN - Continue to force initializations even if the databases cannot be opened.
- - NSS_INIT_NOROOTINIT - Don't try to look for the root certs module automatically.
+ - NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just initialize the volatile certdb.
+ - NSS_INIT_NOMODDB - Don't open the security module DB, just initialize the PKCS #11 module.
+ - NSS_INIT_FORCEOPEN - Continue to force initializations even if the databases cannot be opened.
+ - NSS_INIT_NOROOTINIT - Don't try to look for the root certs module automatically.
- NSS_INIT_OPTIMIZESPACE - Optimize for space instead of speed. Use smaller tables and caches.
- - NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are thread-safe, i.e., that support
- locking - either OS locking or NSS-provided locks . If a PKCS#11 module isn't thread-safe,
- don't serialize its calls; just don't load it instead. This is necessary if another piece of
- code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for
+ - NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are thread-safe, i.e., that support
+ locking - either OS locking or NSS-provided locks . If a PKCS#11 module isn't thread-safe,
+ don't serialize its calls; just don't load it instead. This is necessary if another piece of
+ code is using the same PKCS#11 modules that NSS is accessing without going through NSS, for
example, the Java SunPKCS11 provider.
- - NSS_INIT_PK11RELOAD - ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED error when loading PKCS#11
- modules. This is necessary if another piece of code is using the same PKCS#11 modules that NSS
- is accessing without going through NSS, for example, Java SunPKCS11 provider.
- - NSS_INIT_NOPK11FINALIZE - never call C_Finalize on any PKCS#11 module. This may be necessary
- in order to ensure continuous operation and proper shutdown sequence if another piece of code
- is using the same PKCS#11 modules that NSS is accessing without going through NSS, for
- example, Java SunPKCS11 provider. The following limitation applies when this is set
- : SECMOD_WaitForAnyTokenEvent will not use C_WaitForSlotEvent, in order to prevent the need
- for C_Finalize. This call will be emulated instead.
- - NSS_INIT_RESERVED - Currently has no effect, but may be used in the future to trigger better
- cooperation between PKCS#11 modules used by both NSS and the Java SunPKCS11 provider. This
- should occur after a new flag is defined for C_Initialize by the PKCS#11 working group.
- - NSS_INIT_COOPERATE - Sets the above four recommended options for applications that use both
+ - NSS_INIT_PK11RELOAD - ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED error when loading PKCS#11
+ modules. This is necessary if another piece of code is using the same PKCS#11 modules that NSS
+ is accessing without going through NSS, for example, Java SunPKCS11 provider.
+ - NSS_INIT_NOPK11FINALIZE - never call C_Finalize on any PKCS#11 module. This may be necessary
+ in order to ensure continuous operation and proper shutdown sequence if another piece of code
+ is using the same PKCS#11 modules that NSS is accessing without going through NSS, for
+ example, Java SunPKCS11 provider. The following limitation applies when this is set
+ : SECMOD_WaitForAnyTokenEvent will not use C_WaitForSlotEvent, in order to prevent the need
+ for C_Finalize. This call will be emulated instead.
+ - NSS_INIT_RESERVED - Currently has no effect, but may be used in the future to trigger better
+ cooperation between PKCS#11 modules used by both NSS and the Java SunPKCS11 provider. This
+ should occur after a new flag is defined for C_Initialize by the PKCS#11 working group.
+ - NSS_INIT_COOPERATE - Sets the above four recommended options for applications that use both
NSS and the Java SunPKCS11 provider.
.. _return_value:
diff --git a/doc/rst/legacy/reference/nss_tools/index.rst b/doc/rst/legacy/reference/nss_tools/index.rst
index 1dca36b61..f43984728 100644
--- a/doc/rst/legacy/reference/nss_tools/index.rst
+++ b/doc/rst/legacy/reference/nss_tools/index.rst
@@ -21,6 +21,6 @@ NSS Tools Man Pages - work in progress
ssltap :ref:`mozilla_projects_nss_reference_nss_tools_:_ssltab`
- This is still a work in progress and in early stages. 
+ This is still a work in progress and in early stages.
These man pages where generated from XML docbook files. \ No newline at end of file
diff --git a/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst b/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst
index 0c1535b73..134cce4e3 100644
--- a/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst
+++ b/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst
@@ -6,519 +6,519 @@ NSS tools : certutil
.. container::
| Name
- |    certutil — Manage keys and certificate in both NSS databases and other NSS tokens
+ | certutil — Manage keys and certificate in both NSS databases and other NSS tokens
| Synopsis
- |    certutil [options] [[arguments]]
+ | certutil [options] [[arguments]]
| Description
- |    The Certificate Database Tool, certutil, is a command-line utility
- |    that can create and modify certificate and key databases.
- |    It can specifically list, generate, modify, or delete certificates, create or
- |    change the password, generate new public and private key pairs,
- |    display the contents of the key database, or delete key pairs within  the key database.
- |    Certificate issuance, part of the key and certificate management process, requires that
- |    keys and certificates be created in the key database. This document discusses certificate
- |    and key database management. For information on the  security module database management,
- |    see the modutil manpage.
+ | The Certificate Database Tool, certutil, is a command-line utility
+ | that can create and modify certificate and key databases.
+ | It can specifically list, generate, modify, or delete certificates, create or
+ | change the password, generate new public and private key pairs,
+ | display the contents of the key database, or delete key pairs within the key database.
+ | Certificate issuance, part of the key and certificate management process, requires that
+ | keys and certificates be created in the key database. This document discusses certificate
+ | and key database management. For information on the security module database management,
+ | see the modutil manpage.
| Options and Arguments
- |    Running certutil always requires one and only one command option to
- |    specify the type of certificate operation. Each option may take arguments,
- |    anywhere from none to multiple arguments. The command option -H will list
- |    all the command options available and their relevant arguments.
- |    Command Options
- |    -A
- |           Add an existing certificate to a certificate database.
- |           The certificate database should already exist; if one is
- |           not present, this command option will initialize one by default.
- |    -B
- |           Run a series of commands from the specified batch file.
- |           This requires the -i argument.
- |    -C
- |           Create a new binary certificate file from a binary
- |           certificate request file. Use the -i argument to specify
- |           the certificate request file. If this argument is not
- |           used, certutil prompts for a filename.
- |    -D
- |           Delete a certificate from the certificate database.
-
- |   --rename
- |          Change the database nickname of a certificate.
+ | Running certutil always requires one and only one command option to
+ | specify the type of certificate operation. Each option may take arguments,
+ | anywhere from none to multiple arguments. The command option -H will list
+ | all the command options available and their relevant arguments.
+ | Command Options
+ | -A
+ | Add an existing certificate to a certificate database.
+ | The certificate database should already exist; if one is
+ | not present, this command option will initialize one by default.
+ | -B
+ | Run a series of commands from the specified batch file.
+ | This requires the -i argument.
+ | -C
+ | Create a new binary certificate file from a binary
+ | certificate request file. Use the -i argument to specify
+ | the certificate request file. If this argument is not
+ | used, certutil prompts for a filename.
+ | -D
+ | Delete a certificate from the certificate database.
+
+ | --rename
+ | Change the database nickname of a certificate.
|
- |    -E
- |           Add an email certificate to the certificate database.
- |    -F
- |           Delete a private key from a key database. Specify the
- |           key to delete with the -n argument. Specify the database
- |           from which to delete the key with the -d argument. Use
- |           the -k argument to specify explicitly whether to delete
- |           a DSA, RSA, or ECC key. If you don't use the -k
- |           argument, the option looks for an RSA key matching the
- |           specified nickname.
- |           When you delete keys, be sure to also remove any
- |           certificates associated with those keys from the
- |           certificate database, by using -D. Some smart cards (for
- |           example, the Litronic card) do not let you remove a
- |           public key you have generated. In such a case, only the
- |           private key is deleted from the key pair. You can
- |           display the public key with the command certutil -K -h
- |           tokenname.
- |    -G
- |           Generate a new public and private key pair within a key
- |           database. The key database should already exist; if one
- |           is not present, this option will initialize one by
- |           default. Some smart cards (for example, the Litronic
- |           card) can store only one key pair. If you create a new
- |           key pair for such a card, the previous pair is
- |           overwritten.
- |    -H
- |           Display a list of the options and arguments used by the
- |           Certificate Database Tool.
- |    -K
- |           List the key ID of keys in the key database. A key ID is
- |           the modulus of the RSA key or the publicValue of the DSA
- |           key. IDs are displayed in hexadecimal ("0x" is not
- |           shown).
- |    -L
- |           List all the certificates, or display information about
- |           a named certificate, in a certificate database. Use the
- |           -h tokenname argument to specify the certificate
- |           database on a particular hardware or software token.
- |    -M
- |           Modify a certificate's trust attributes using the values
- |           of the -t argument.
- |    -N
- |           Create new certificate and key databases.
- |    -O
- |           Print the certificate chain.
- |    -R
- |           Create a certificate request file that can be submitted
- |           to a Certificate Authority (CA) for processing into a
- |           finished certificate. Output defaults to standard out
- |           unless you use -o output-file argument. Use the -a
- |           argument to specify ASCII output.
- |    -S
- |           Create an individual certificate and add it to a
- |           certificate database.
- |    -T
- |           Reset the key database or token.
- |    -U
- |           List all available modules or print a single named
- |           module.
- |    -V
- |           Check the validity of a certificate and its attributes.
- |    -W
- |           Change the password to a key database.
- |    --merge
- |           Merge two databases into one.
- |    --upgrade-merge
- |           Upgrade an old database and merge it into a new
- |           database. This is used to migrate legacy NSS databases
- |           (cert8.db and key3.db) into the newer SQLite databases
- |           (cert9.db and key4.db).
- |    Arguments
- |    Arguments modify a command option and are usually lower case, numbers, or symbols.
- |    -a
- |           Use ASCII format or allow the use of ASCII format for
- |           input or output. This formatting follows RFC 1113. For
- |           certificate requests, ASCII output defaults to standard
- |           output unless redirected.
- |    -b validity-time
- |           Specify a time at which a certificate is required to be
- |           valid. Use when checking certificate validity with the
- |           -V option. The format of the validity-time argument is
- |           YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be
- |           set relative to the validity end time. Specifying
- |           seconds (SS) is optional. When specifying an explicit
- |           time, use a Z at the end of the term, YYMMDDHHMMSSZ, to
- |           close it. When specifying an offset time, use
- |           YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or
- |           subtracting time, respectively.
- |           If this option is not used, the validity check defaults
- |           to the current system time.
- |    -c issuer
- |           Identify the certificate of the CA from which a new
- |           certificate will derive its authenticity. Use the exact
- |           nickname or alias of the CA certificate, or use the CA's
- |           email address. Bracket the issuer string with quotation
- |           marks if it contains spaces.
- |    -d [prefix]directory
- |           Specify the database directory containing the
- |           certificate and key database files.
- |           certutil supports two types of databases: the legacy
- |           security databases (cert8.db, key3.db, and secmod.db)
- |           and new SQLite databases (cert9.db, key4.db, and
- |           pkcs11.txt).
-
-            NSS recognizes the following prefixes:
-
-            ·   sql: requests the newer database
-
-            ·   dbm: requests the legacy database
-
- |            If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If
+ | -E
+ | Add an email certificate to the certificate database.
+ | -F
+ | Delete a private key from a key database. Specify the
+ | key to delete with the -n argument. Specify the database
+ | from which to delete the key with the -d argument. Use
+ | the -k argument to specify explicitly whether to delete
+ | a DSA, RSA, or ECC key. If you don't use the -k
+ | argument, the option looks for an RSA key matching the
+ | specified nickname.
+ | When you delete keys, be sure to also remove any
+ | certificates associated with those keys from the
+ | certificate database, by using -D. Some smart cards (for
+ | example, the Litronic card) do not let you remove a
+ | public key you have generated. In such a case, only the
+ | private key is deleted from the key pair. You can
+ | display the public key with the command certutil -K -h
+ | tokenname.
+ | -G
+ | Generate a new public and private key pair within a key
+ | database. The key database should already exist; if one
+ | is not present, this option will initialize one by
+ | default. Some smart cards (for example, the Litronic
+ | card) can store only one key pair. If you create a new
+ | key pair for such a card, the previous pair is
+ | overwritten.
+ | -H
+ | Display a list of the options and arguments used by the
+ | Certificate Database Tool.
+ | -K
+ | List the key ID of keys in the key database. A key ID is
+ | the modulus of the RSA key or the publicValue of the DSA
+ | key. IDs are displayed in hexadecimal ("0x" is not
+ | shown).
+ | -L
+ | List all the certificates, or display information about
+ | a named certificate, in a certificate database. Use the
+ | -h tokenname argument to specify the certificate
+ | database on a particular hardware or software token.
+ | -M
+ | Modify a certificate's trust attributes using the values
+ | of the -t argument.
+ | -N
+ | Create new certificate and key databases.
+ | -O
+ | Print the certificate chain.
+ | -R
+ | Create a certificate request file that can be submitted
+ | to a Certificate Authority (CA) for processing into a
+ | finished certificate. Output defaults to standard out
+ | unless you use -o output-file argument. Use the -a
+ | argument to specify ASCII output.
+ | -S
+ | Create an individual certificate and add it to a
+ | certificate database.
+ | -T
+ | Reset the key database or token.
+ | -U
+ | List all available modules or print a single named
+ | module.
+ | -V
+ | Check the validity of a certificate and its attributes.
+ | -W
+ | Change the password to a key database.
+ | --merge
+ | Merge two databases into one.
+ | --upgrade-merge
+ | Upgrade an old database and merge it into a new
+ | database. This is used to migrate legacy NSS databases
+ | (cert8.db and key3.db) into the newer SQLite databases
+ | (cert9.db and key4.db).
+ | Arguments
+ | Arguments modify a command option and are usually lower case, numbers, or symbols.
+ | -a
+ | Use ASCII format or allow the use of ASCII format for
+ | input or output. This formatting follows RFC 1113. For
+ | certificate requests, ASCII output defaults to standard
+ | output unless redirected.
+ | -b validity-time
+ | Specify a time at which a certificate is required to be
+ | valid. Use when checking certificate validity with the
+ | -V option. The format of the validity-time argument is
+ | YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be
+ | set relative to the validity end time. Specifying
+ | seconds (SS) is optional. When specifying an explicit
+ | time, use a Z at the end of the term, YYMMDDHHMMSSZ, to
+ | close it. When specifying an offset time, use
+ | YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or
+ | subtracting time, respectively.
+ | If this option is not used, the validity check defaults
+ | to the current system time.
+ | -c issuer
+ | Identify the certificate of the CA from which a new
+ | certificate will derive its authenticity. Use the exact
+ | nickname or alias of the CA certificate, or use the CA's
+ | email address. Bracket the issuer string with quotation
+ | marks if it contains spaces.
+ | -d [prefix]directory
+ | Specify the database directory containing the
+ | certificate and key database files.
+ | certutil supports two types of databases: the legacy
+ | security databases (cert8.db, key3.db, and secmod.db)
+ | and new SQLite databases (cert9.db, key4.db, and
+ | pkcs11.txt).
+
+ NSS recognizes the following prefixes:
+
+ · sql: requests the newer database
+
+ · dbm: requests the legacy database
+
+ | If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If
NSS_DEFAULT_DB_TYPE is not set
- |            then dbm: is the default.
+ | then dbm: is the default.
- |     --dump-ext-val OID
- |            For single cert, print binary DER encoding of extension OID.
- |    -e
- |           Check a certificate's signature during the process of
- |           validating a certificate.
+ | --dump-ext-val OID
+ | For single cert, print binary DER encoding of extension OID.
+ | -e
+ | Check a certificate's signature during the process of
+ | validating a certificate.
- |        --email email-address
- |            Specify the email address of a certificate to list. Used with the -L command option.
+ | --email email-address
+ | Specify the email address of a certificate to list. Used with the -L command option.
- |        --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...
- |            Add one or multiple extensions that certutil cannot encode yet, by loading their
+ | --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...
+ | Add one or multiple extensions that certutil cannot encode yet, by loading their
encodings from external files.
-            ·   OID (example): 1.2.3.4
+ · OID (example): 1.2.3.4
-            ·   critical-flag: critical or not-critical
+ · critical-flag: critical or not-critical
-            ·   filename: full path to a file containing an encoded extension
+ · filename: full path to a file containing an encoded extension
|
- |    -f password-file
- |           Specify a file that will automatically supply the
- |           password to include in a certificate or to access a
- |           certificate database. This is a plain-text file
- |           containing one password. Be sure to prevent unauthorized
- |           access to this file.
- |    -g keysize
- |           Set a key size to use when generating new public and
- |           private key pairs. The minimum is 512 bits and the
- |           maximum is 16384 bits. The default is 2048 bits. Any size
- |           between the minimum and maximum is allowed.
- |    -h tokenname
- |           Specify the name of a token to use or act on. Unless
- |           specified otherwise the default token is an internal
- |           slot.
- |    -i input_file
- |           Pass an input file to the command. Depending on the
- |           command option, an input file can be a specific
- |           certificate, a certificate request file, or a batch file
- |           of commands.
- |    -k rsa|dsa|ec|all
- |           Specify the type of a key. The valid options are RSA,
- |           DSA, ECC, or all. The default value is rsa. Specifying
- |           the type of key can avoid mistakes caused by duplicate
- |           nicknames.
- |    -k key-type-or-id
- |            Specify the type or specific ID of a key.
-
- |            The valid key type options are rsa, dsa, ec, or all. The default value is rsa.
+ | -f password-file
+ | Specify a file that will automatically supply the
+ | password to include in a certificate or to access a
+ | certificate database. This is a plain-text file
+ | containing one password. Be sure to prevent unauthorized
+ | access to this file.
+ | -g keysize
+ | Set a key size to use when generating new public and
+ | private key pairs. The minimum is 512 bits and the
+ | maximum is 16384 bits. The default is 2048 bits. Any size
+ | between the minimum and maximum is allowed.
+ | -h tokenname
+ | Specify the name of a token to use or act on. Unless
+ | specified otherwise the default token is an internal
+ | slot.
+ | -i input_file
+ | Pass an input file to the command. Depending on the
+ | command option, an input file can be a specific
+ | certificate, a certificate request file, or a batch file
+ | of commands.
+ | -k rsa|dsa|ec|all
+ | Specify the type of a key. The valid options are RSA,
+ | DSA, ECC, or all. The default value is rsa. Specifying
+ | the type of key can avoid mistakes caused by duplicate
+ | nicknames.
+ | -k key-type-or-id
+ | Specify the type or specific ID of a key.
+
+ | The valid key type options are rsa, dsa, ec, or all. The default value is rsa.
Specifying the type of key can avoid
- |            mistakes caused by duplicate nicknames. Giving a key type generates a new key pair;
+ | mistakes caused by duplicate nicknames. Giving a key type generates a new key pair;
giving the ID of an existing key
- |            reuses that key pair (which is required to renew certificates).
- |    -l
- |           Display detailed information when validating a
- |           certificate with the -V option.
- |    -m serial-number
- |           Assign a unique serial number to a certificate being created. This operation should
+ | reuses that key pair (which is required to renew certificates).
+ | -l
+ | Display detailed information when validating a
+ | certificate with the -V option.
+ | -m serial-number
+ | Assign a unique serial number to a certificate being created. This operation should
be performed by a CA. If no
- |            serial number is provided a default serial number is made from the current time.
+ | serial number is provided a default serial number is made from the current time.
Serial numbers are limited to
- |            integers.
- |    -n nickname
- |           Specify the nickname of a certificate or key to list,
- |           create, add to a database, modify, or validate. Bracket
- |           the nickname string with quotation marks if it contains
- |           spaces.
- |    -o output-file
- |           Specify the output file name for new certificates or
- |           binary certificate requests. Bracket the output-file
- |           string with quotation marks if it contains spaces. If
- |           this argument is not used the output destination
- |           defaults to standard output.
- |    -P dbPrefix
- |           Specify the prefix used on the certificate and key
- |           database file. This argument is provided to support
- |           legacy servers. Most applications do not use a database prefix.
- |    -p phone
- |           Specify a contact telephone number to include in new
- |           certificates or certificate requests. Bracket this
- |           string with quotation marks if it contains spaces.
- |    -q pqgfile or curve-name
- |            Read an alternate PQG value from the specified file when generating DSA key pairs.
- |            If this argument is not used,certutil generates its own PQG value. PQG files are
+ | integers.
+ | -n nickname
+ | Specify the nickname of a certificate or key to list,
+ | create, add to a database, modify, or validate. Bracket
+ | the nickname string with quotation marks if it contains
+ | spaces.
+ | -o output-file
+ | Specify the output file name for new certificates or
+ | binary certificate requests. Bracket the output-file
+ | string with quotation marks if it contains spaces. If
+ | this argument is not used the output destination
+ | defaults to standard output.
+ | -P dbPrefix
+ | Specify the prefix used on the certificate and key
+ | database file. This argument is provided to support
+ | legacy servers. Most applications do not use a database prefix.
+ | -p phone
+ | Specify a contact telephone number to include in new
+ | certificates or certificate requests. Bracket this
+ | string with quotation marks if it contains spaces.
+ | -q pqgfile or curve-name
+ | Read an alternate PQG value from the specified file when generating DSA key pairs.
+ | If this argument is not used,certutil generates its own PQG value. PQG files are
created with a separate DSA utility.
-            Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521
+ Elliptic curve name is one of the ones from SUITE B: nistp256, nistp384, nistp521
- |            If NSS has been compiled with support curves outside of SUITE B: sect163k1,
+ | If NSS has been compiled with support curves outside of SUITE B: sect163k1,
nistk163, sect163r1, sect163r2, nistb163,
- |            sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1,
+ | sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1,
sect283k1, nistk283, sect283r1, nistb283,
- |            sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571,
+ | sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571,
secp160k1, secp160r1, secp160r2,
- |            secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1,
+ | secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1,
secp256r1, secp384r1, secp521r1,
- |            prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1,
+ | prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1,
c2pnb163v2, c2pnb163v3,
- |            c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2,
+ | c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2,
c2tnb239v3, c2pnb272w1,
- |            c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1,
+ | c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1,
secp128r2, sect113r1, sect113r2
- |            sect131r1, sect131r2
+ | sect131r1, sect131r2
|
- |    -r
- |           Display a certificate's binary DER encoding when listing
- |           information about that certificate with the -L option.
- |    -s subject
- |           Identify a particular certificate owner for new
- |           certificates or certificate requests. Bracket this
- |           string with quotation marks if it contains spaces. The
- |           subject identification format follows RFC #1485.
- |    -t trustargs
- |           Specify the trust attributes to modify in an existing
- |           certificate or to apply to a certificate when creating
- |           it or adding it to a database. There are three available
- |           trust categories for each certificate, expressed in the
- |           order SSL, email, object signing for each trust setting.
- |           In each category position, use none, any, or all of the
- |           attribute codes:
- |           + p - Valid peer
- |           + P - Trusted peer (implies p)
- |           + c - Valid CA
- |           + T - Trusted CA to issue client certificates (implies
- |             c)
- |           + C - Trusted CA to issue server certificates (SSL only)
- |             (implies c)
- |           + u - Certificate can be used for authentication or
- |             signing
- |           + w - Send warning (use with other attributes to include
- |             a warning when the certificate is used in that
- |             context)
- |           The attribute codes for the categories are separated by
- |           commas, and the entire set of attributes enclosed by
- |           quotation marks. For example:
- |           -t "TC,C,T"
- |           Use the -L option to see a list of the current
- |           certificates and trust attributes in a certificate
- |           database.
-
- |            Note that the output of the -L option may include "u" flag, which means that there
+ | -r
+ | Display a certificate's binary DER encoding when listing
+ | information about that certificate with the -L option.
+ | -s subject
+ | Identify a particular certificate owner for new
+ | certificates or certificate requests. Bracket this
+ | string with quotation marks if it contains spaces. The
+ | subject identification format follows RFC #1485.
+ | -t trustargs
+ | Specify the trust attributes to modify in an existing
+ | certificate or to apply to a certificate when creating
+ | it or adding it to a database. There are three available
+ | trust categories for each certificate, expressed in the
+ | order SSL, email, object signing for each trust setting.
+ | In each category position, use none, any, or all of the
+ | attribute codes:
+ | + p - Valid peer
+ | + P - Trusted peer (implies p)
+ | + c - Valid CA
+ | + T - Trusted CA to issue client certificates (implies
+ | c)
+ | + C - Trusted CA to issue server certificates (SSL only)
+ | (implies c)
+ | + u - Certificate can be used for authentication or
+ | signing
+ | + w - Send warning (use with other attributes to include
+ | a warning when the certificate is used in that
+ | context)
+ | The attribute codes for the categories are separated by
+ | commas, and the entire set of attributes enclosed by
+ | quotation marks. For example:
+ | -t "TC,C,T"
+ | Use the -L option to see a list of the current
+ | certificates and trust attributes in a certificate
+ | database.
+
+ | Note that the output of the -L option may include "u" flag, which means that there
is a private key associated with
- |            the certificate. It is a dynamic flag and you cannot set it with certutil.
- |    -u certusage
- |           Specify a usage context to apply when validating a
- |           certificate with the -V option.
- |           The contexts are the following:
+ | the certificate. It is a dynamic flag and you cannot set it with certutil.
+ | -u certusage
+ | Specify a usage context to apply when validating a
+ | certificate with the -V option.
+ | The contexts are the following:
-            ·   C (as an SSL client)
+ · C (as an SSL client)
-            ·   V (as an SSL server)
+ · V (as an SSL server)
-            ·   L (as an SSL CA)
+ · L (as an SSL CA)
-            ·   A (as Any CA)
+ · A (as Any CA)
-            ·   Y (Verify CA)
+ · Y (Verify CA)
-            ·   S (as an email signer)
+ · S (as an email signer)
-            ·   R (as an email recipient)
+ · R (as an email recipient)
-            ·   O (as an OCSP status responder)
+ · O (as an OCSP status responder)
-            ·   J (as an object signer)
+ · J (as an object signer)
|
- |    -v valid-months
- |           Set the number of months a new certificate will be
- |           valid. The validity period begins at the current system
- |           time unless an offset is added or subtracted with the -w
- |           option. If this argument is not used, the default
- |           validity period is three months. When this argument is
- |           used, the default three-month period is automatically
- |           added to any value given in the valid-month argument.
- |           For example, using this option to set a value of 3 would
- |           cause 3 to be added to the three-month default, creating
- |           a validity period of six months. You can use negative
- |           values to reduce the default period. For example,
- |           setting a value of -2 would subtract 2 from the default
- |           and create a validity period of one month.
- |    -w offset-months
- |           Set an offset from the current system time, in months,
- |           for the beginning of a certificate's validity period.
- |           Use when creating the certificate or adding it to a
- |           database. Express the offset in integers, using a minus
- |           sign (-) to indicate a negative offset. If this argument
- |           is not used, the validity period begins at the current
- |           system time. The length of the validity period is set
- |           with the -v argument.
- |    -X
- |           Force the key and certificate database to open in
- |           read-write mode. This is used with the -U and -L command
- |           options.
- |    -x
- |           Use certutil to generate the signature for a certificate
- |           being created or added to a database, rather than
- |           obtaining a signature from a separate CA.
- |    -y exp
- |           Set an alternate exponent value to use in generating a
- |           new RSA public key for the database, instead of the
- |           default value of 65537. The available alternate values
- |           are 3 and 17.
- |    -z noise-file
- |           Read a seed value from the specified file to generate a
- |           new private and public key pair. This argument makes it
- |           possible to use hardware-generated seed values or
- |           manually create a value from the keyboard. The minimum
- |           file size is 20 bytes.
- |    -0 SSO_password
- |           Set a site security officer password on a token.
- |    -1 \| --keyUsage keyword,keyword
- |           Set a Netscape Certificate Type Extension in the
- |           certificate. There are several available keywords:
- |           + digital signature
- |           + nonRepudiation
- |           + keyEncipherment
- |           + dataEncipherment
- |           + keyAgreement
- |           + certSigning
- |           + crlSigning
- |           + critical
- |    -2
- |           Add a basic constraint extension to a certificate that
- |           is being created or added to a database. This extension
- |           supports the certificate chain verification process.
- |           certutil prompts for the certificate constraint
- |           extension to select.
- |           X.509 certificate extensions are described in RFC 5280.
- |    -3
- |           Add an authority key ID extension to a certificate that
- |           is being created or added to a database. This extension
- |           supports the identification of a particular certificate,
- |           from among multiple certificates associated with one
- |           subject name, as the correct issuer of a certificate.
- |           The Certificate Database Tool will prompt you to select
- |           the authority key ID extension.
- |           X.509 certificate extensions are described in RFC 5280.
- |    -4
- |           Add a CRL distribution point extension to a certificate
- |           that is being created or added to a database. This
- |           extension identifies the URL of a certificate's
- |           associated certificate revocation list (CRL). certutil
- |           prompts for the URL.
- |           X.509 certificate extensions are described in RFC 5280.
- |    -5 \| --nsCertType keyword,keyword
- |           Add a Netscape certificate type extension to a
- |           certificate that is being created or added to the
- |           database. There are several available keywords:
- |           + sslClient
- |           + sslServer
- |           + smime
- |           + objectSigning
- |           + sslCA
- |           + smimeCA
- |           + objectSigningCA
- |           + critical
- |           X.509 certificate extensions are described in RFC 5280.
- |    -6 \| --extKeyUsage keyword,keyword
- |           Add an extended key usage extension to a certificate
- |           that is being created or added to the database. Several
- |           keywords are available:
- |           + serverAuth
- |           + clientAuth
- |           + codeSigning
- |           + emailProtection
- |           + timeStamp
- |           + ocspResponder
- |           + stepUp
- |           + critical
- |           X.509 certificate extensions are described in RFC 5280.
- |    -7 emailAddrs
- |           Add a comma-separated list of email addresses to the
- |           subject alternative name extension of a certificate or
- |           certificate request that is being created or added to
- |           the database. Subject alternative name extensions are
- |           described in Section 4.2.1.7 of RFC 3280.
- |    -8 dns-names
- |           Add a comma-separated list of DNS names to the subject
- |           alternative name extension of a certificate or
- |           certificate request that is being created or added to
- |           the database. Subject alternative name extensions are
- |           described in Section 4.2.1.7 of RFC 3280.
- |    --extAIA
- |           Add the Authority Information Access extension to the
- |           certificate. X.509 certificate extensions are described
- |           in RFC 5280.
- |    --extSIA
- |           Add the Subject Information Access extension to the
- |           certificate. X.509 certificate extensions are described
- |           in RFC 5280.
- |    --extCP
- |           Add the Certificate Policies extension to the
- |           certificate. X.509 certificate extensions are described
- |           in RFC 5280.
- |    --extPM
- |           Add the Policy Mappings extension to the certificate.
- |           X.509 certificate extensions are described in RFC 5280.
- |    --extPC
- |           Add the Policy Constraints extension to the certificate.
- |           X.509 certificate extensions are described in RFC 5280.
- |    --extIA
- |           Add the Inhibit Any Policy Access extension to the
- |           certificate. X.509 certificate extensions are described
- |           in RFC 5280.
- |    --extSKID
- |           Add the Subject Key ID extension to the certificate.
- |           X.509 certificate extensions are described in RFC 5280.
- |    --source-dir certdir
- |           Identify the certificate database directory to upgrade.
- |    --source-prefix certdir
- |           Give the prefix of the certificate and key databases to
- |           upgrade.
- |    --upgrade-id uniqueID
- |           Give the unique ID of the database to upgrade.
- |    --upgrade-token-name name
- |           Set the name of the token to use while it is being
- |           upgraded.
- |    -@ pwfile
- |           Give the name of a password file to use for the database
- |           being upgraded.
+ | -v valid-months
+ | Set the number of months a new certificate will be
+ | valid. The validity period begins at the current system
+ | time unless an offset is added or subtracted with the -w
+ | option. If this argument is not used, the default
+ | validity period is three months. When this argument is
+ | used, the default three-month period is automatically
+ | added to any value given in the valid-month argument.
+ | For example, using this option to set a value of 3 would
+ | cause 3 to be added to the three-month default, creating
+ | a validity period of six months. You can use negative
+ | values to reduce the default period. For example,
+ | setting a value of -2 would subtract 2 from the default
+ | and create a validity period of one month.
+ | -w offset-months
+ | Set an offset from the current system time, in months,
+ | for the beginning of a certificate's validity period.
+ | Use when creating the certificate or adding it to a
+ | database. Express the offset in integers, using a minus
+ | sign (-) to indicate a negative offset. If this argument
+ | is not used, the validity period begins at the current
+ | system time. The length of the validity period is set
+ | with the -v argument.
+ | -X
+ | Force the key and certificate database to open in
+ | read-write mode. This is used with the -U and -L command
+ | options.
+ | -x
+ | Use certutil to generate the signature for a certificate
+ | being created or added to a database, rather than
+ | obtaining a signature from a separate CA.
+ | -y exp
+ | Set an alternate exponent value to use in generating a
+ | new RSA public key for the database, instead of the
+ | default value of 65537. The available alternate values
+ | are 3 and 17.
+ | -z noise-file
+ | Read a seed value from the specified file to generate a
+ | new private and public key pair. This argument makes it
+ | possible to use hardware-generated seed values or
+ | manually create a value from the keyboard. The minimum
+ | file size is 20 bytes.
+ | -0 SSO_password
+ | Set a site security officer password on a token.
+ | -1 \| --keyUsage keyword,keyword
+ | Set a Netscape Certificate Type Extension in the
+ | certificate. There are several available keywords:
+ | + digital signature
+ | + nonRepudiation
+ | + keyEncipherment
+ | + dataEncipherment
+ | + keyAgreement
+ | + certSigning
+ | + crlSigning
+ | + critical
+ | -2
+ | Add a basic constraint extension to a certificate that
+ | is being created or added to a database. This extension
+ | supports the certificate chain verification process.
+ | certutil prompts for the certificate constraint
+ | extension to select.
+ | X.509 certificate extensions are described in RFC 5280.
+ | -3
+ | Add an authority key ID extension to a certificate that
+ | is being created or added to a database. This extension
+ | supports the identification of a particular certificate,
+ | from among multiple certificates associated with one
+ | subject name, as the correct issuer of a certificate.
+ | The Certificate Database Tool will prompt you to select
+ | the authority key ID extension.
+ | X.509 certificate extensions are described in RFC 5280.
+ | -4
+ | Add a CRL distribution point extension to a certificate
+ | that is being created or added to a database. This
+ | extension identifies the URL of a certificate's
+ | associated certificate revocation list (CRL). certutil
+ | prompts for the URL.
+ | X.509 certificate extensions are described in RFC 5280.
+ | -5 \| --nsCertType keyword,keyword
+ | Add a Netscape certificate type extension to a
+ | certificate that is being created or added to the
+ | database. There are several available keywords:
+ | + sslClient
+ | + sslServer
+ | + smime
+ | + objectSigning
+ | + sslCA
+ | + smimeCA
+ | + objectSigningCA
+ | + critical
+ | X.509 certificate extensions are described in RFC 5280.
+ | -6 \| --extKeyUsage keyword,keyword
+ | Add an extended key usage extension to a certificate
+ | that is being created or added to the database. Several
+ | keywords are available:
+ | + serverAuth
+ | + clientAuth
+ | + codeSigning
+ | + emailProtection
+ | + timeStamp
+ | + ocspResponder
+ | + stepUp
+ | + critical
+ | X.509 certificate extensions are described in RFC 5280.
+ | -7 emailAddrs
+ | Add a comma-separated list of email addresses to the
+ | subject alternative name extension of a certificate or
+ | certificate request that is being created or added to
+ | the database. Subject alternative name extensions are
+ | described in Section 4.2.1.7 of RFC 3280.
+ | -8 dns-names
+ | Add a comma-separated list of DNS names to the subject
+ | alternative name extension of a certificate or
+ | certificate request that is being created or added to
+ | the database. Subject alternative name extensions are
+ | described in Section 4.2.1.7 of RFC 3280.
+ | --extAIA
+ | Add the Authority Information Access extension to the
+ | certificate. X.509 certificate extensions are described
+ | in RFC 5280.
+ | --extSIA
+ | Add the Subject Information Access extension to the
+ | certificate. X.509 certificate extensions are described
+ | in RFC 5280.
+ | --extCP
+ | Add the Certificate Policies extension to the
+ | certificate. X.509 certificate extensions are described
+ | in RFC 5280.
+ | --extPM
+ | Add the Policy Mappings extension to the certificate.
+ | X.509 certificate extensions are described in RFC 5280.
+ | --extPC
+ | Add the Policy Constraints extension to the certificate.
+ | X.509 certificate extensions are described in RFC 5280.
+ | --extIA
+ | Add the Inhibit Any Policy Access extension to the
+ | certificate. X.509 certificate extensions are described
+ | in RFC 5280.
+ | --extSKID
+ | Add the Subject Key ID extension to the certificate.
+ | X.509 certificate extensions are described in RFC 5280.
+ | --source-dir certdir
+ | Identify the certificate database directory to upgrade.
+ | --source-prefix certdir
+ | Give the prefix of the certificate and key databases to
+ | upgrade.
+ | --upgrade-id uniqueID
+ | Give the unique ID of the database to upgrade.
+ | --upgrade-token-name name
+ | Set the name of the token to use while it is being
+ | upgraded.
+ | -@ pwfile
+ | Give the name of a password file to use for the database
+ | being upgraded.
| Usage and Examples
- |    Most of the command options in the examples listed here have
- |    more arguments available. The arguments included in these
- |    examples are the most common ones or are used to illustrate a
- |    specific scenario. Use the -H option to show the complete list
- |    of arguments for each command option.
- |    Creating New Security Databases
- |    Certificates, keys, and security modules related to managing
- |    certificates are stored in three related databases:
- |      \* cert8.db or cert9.db
- |      \* key3.db or key4.db
- |      \* secmod.db or pkcs11.txt
- |    These databases must be created before certificates or keys can
- |    be generated.
+ | Most of the command options in the examples listed here have
+ | more arguments available. The arguments included in these
+ | examples are the most common ones or are used to illustrate a
+ | specific scenario. Use the -H option to show the complete list
+ | of arguments for each command option.
+ | Creating New Security Databases
+ | Certificates, keys, and security modules related to managing
+ | certificates are stored in three related databases:
+ | \* cert8.db or cert9.db
+ | \* key3.db or key4.db
+ | \* secmod.db or pkcs11.txt
+ | These databases must be created before certificates or keys can
+ | be generated.
| certutil -N -d [sql:]directory
- |    Creating a Certificate Request
- |    A certificate request contains most or all of the information
- |    that is used to generate the final certificate. This request is
- |    submitted separately to a certificate authority and is then
- |    approved by some mechanism (automatically or by human review).
- |    Once the request is approved, then the certificate is
- |    generated.
+ | Creating a Certificate Request
+ | A certificate request contains most or all of the information
+ | that is used to generate the final certificate. This request is
+ | submitted separately to a certificate authority and is then
+ | approved by some mechanism (automatically or by human review).
+ | Once the request is approved, then the certificate is
+ | generated.
| $ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s s
| ubject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a
| ]
- |    The -R command options requires four arguments:
- |      \* -k to specify either the key type to generate or, when
- |        renewing a certificate, the existing key pair to use
- |      \* -g to set the keysize of the key to generate
- |      \* -s to set the subject name of the certificate
- |      \* -d to give the security database directory
- |    The new certificate request can be output in ASCII format (-a)
- |    or can be written to a specified file (-o).
- |    For example:
+ | The -R command options requires four arguments:
+ | \* -k to specify either the key type to generate or, when
+ | renewing a certificate, the existing key pair to use
+ | \* -g to set the keysize of the key to generate
+ | \* -s to set the subject name of the certificate
+ | \* -d to give the security database directory
+ | The new certificate request can be output in ASCII format (-a)
+ | or can be written to a specified file (-o).
+ | For example:
| $ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,
| L=Mountain View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-5
| 55-0123 -a -o cert.cer
- | Generating key.  This may take a few moments...
+ | Generating key. This may take a few moments...
| Certificate request generated by Netscape
| Phone: 650-555-0123
| Common Name: John Smith
@@ -535,67 +535,67 @@ NSS tools : certutil
| qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
| 1hP9Gg==
| -----END NEW CERTIFICATE REQUEST-----
- |    Creating a Certificate
- |    A valid certificate must be issued by a trusted CA. This can be
- |    done by specifying a CA certificate (-c) that is stored in the
- |    certificate database. If a CA key pair is not available, you
- |    can create a self-signed certificate using the -x argument with
- |    the -S command option.
+ | Creating a Certificate
+ | A valid certificate must be issued by a trusted CA. This can be
+ | done by specifying a CA certificate (-c) that is stored in the
+ | certificate database. If a CA key pair is not available, you
+ | can create a self-signed certificate using the -x argument with
+ | the -S command option.
| $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer \|-x] -t tr
| ustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offs
| et-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7
| emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [
| --extPC] [--extIA] [--extSKID]
- |    The series of numbers and --ext\* options set certificate
- |    extensions that can be added to the certificate when it is
- |    generated by the CA.
- |    For example, this creates a self-signed certificate:
+ | The series of numbers and --ext\* options set certificate
+ | extensions that can be added to the certificate when it is
+ | generated by the CA.
+ | For example, this creates a self-signed certificate:
| $ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m
- |  3650
- |    From there, new certificates can reference the self-signed
- |    certificate:
+ | 3650
+ | From there, new certificates can reference the self-signed
+ | certificate:
| $ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -
| t "u,u,u" -1 -5 -6 -8 -m 730
- |    Generating a Certificate from a Certificate Request
- |    When a certificate request is created, a certificate can be
- |    generated by using the request and then referencing a
- |    certificate authority signing certificate (the issuer specified
- |    in the -c argument). The issuing certificate must be in the
- |    certificate database in the specified directory.
+ | Generating a Certificate from a Certificate Request
+ | When a certificate request is created, a certificate can be
+ | generated by using the request and then referencing a
+ | certificate authority signing certificate (the issuer specified
+ | in the -c argument). The issuing certificate must be in the
+ | certificate database in the specified directory.
| certutil -C -c issuer -i cert-request-file -o output-file [-m serial-num
| ber] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [
| -3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]
- |    For example:
+ | For example:
| $ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010
- |  -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherme
+ | -v 12 -w 1 -d sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherme
| nt -5 sslClient -6 clientAuth -7 jsmith@example.com
- |    Generating Key Pairs
- |    Key pairs are generated automatically with a certificate
- |    request or certificate, but they can also be generated
- |    independently using the -G command option.
+ | Generating Key Pairs
+ | Key pairs are generated automatically with a certificate
+ | request or certificate, but they can also be generated
+ | independently using the -G command option.
| certutil -G -d [sql:]directory \| -h tokenname -k key-type -g key-size [-
| y exponent-value] -q pqgfile|curve-name
- |    For example:
+ | For example:
| $ certutil -G -h lunasa -k ec -g 256 -q sect193r2
- |    Listing Certificates
- |    The -L command option lists all of the certificates listed in
- |    the certificate database. The path to the directory (-d) is
- |    required.
+ | Listing Certificates
+ | The -L command option lists all of the certificates listed in
+ | the certificate database. The path to the directory (-d) is
+ | required.
| $ certutil -L -d sql:/home/my/sharednssdb
- | Certificate Nickname                                         Trust Attri
+ | Certificate Nickname Trust Attri
| butes
- |                                                              SSL,S/MIME,
+ | SSL,S/MIME,
| JAR/XPI
- | CA Administrator of Instance pki-ca1's Example Domain ID     u,u,u
- | TPS Administrator's Example Domain ID                        u,u,u
- | Google Internet Authority                                    ,,
- | Certificate Authority - Example Domain                       CT,C,C
- |    Using additional arguments with -L can return and print the
- |    information for a single, specific certificate. For example,
- |    the -n argument passes the certificate name, while the -a
- |    argument prints the certificate in ASCII format:
+ | CA Administrator of Instance pki-ca1's Example Domain ID u,u,u
+ | TPS Administrator's Example Domain ID u,u,u
+ | Google Internet Authority ,,
+ | Certificate Authority - Example Domain CT,C,C
+ | Using additional arguments with -L can return and print the
+ | information for a single, specific certificate. For example,
+ | the -n argument passes the certificate name, while the -a
+ | argument prints the certificate in ASCII format:
| $ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority -
- |  Example Domain"
+ | Example Domain"
| -----BEGIN CERTIFICATE-----
| MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt
| cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw
@@ -618,228 +618,228 @@ NSS tools : certutil
| U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a
| nI7q5n1USM3eWQlVXw==
| -----END CERTIFICATE-----
- |    Listing Keys
- |    Keys are the original material used to encrypt certificate
- |    data. The keys generated for certificates are stored
- |    separately, in the key database.
- |    To list all keys in the database, use the -K command option and
- |    the (required) -d argument to give the path to the directory.
+ | Listing Keys
+ | Keys are the original material used to encrypt certificate
+ | data. The keys generated for certificates are stored
+ | separately, in the key database.
+ | To list all keys in the database, use the -K command option and
+ | the (required) -d argument to give the path to the directory.
| $ certutil -K -d sql:/home/my/sharednssdb
| certutil: Checking token "NSS Certificate DB" in slot "NSS User Private
- | Key and Certificate Services                  "
- | < 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail
- |  Member's Thawte Consulting (Pty) Ltd. ID
- | < 1> rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain
+ | Key and Certificate Services "
+ | < 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail
+ | Member's Thawte Consulting (Pty) Ltd. ID
+ | < 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain
| Administrator Cert
- | < 2> rsa      1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5   John Smith user
- |  cert
- |    There are ways to narrow the keys listed in the search results:
- |      \* To return a specific key, use the -n name argument with the
- |        name of the key.
- |      \* If there are multiple security devices loaded, then the -h
- |        tokenname argument can search a specific token or all
- |        tokens.
- |      \* If there are multiple key types available, then the -k
- |        key-type argument can search a specific type of key, like
- |        RSA, DSA, or ECC.
- |    Listing Security Modules
- |    The devices that can be used to store certificates -- both
- |    internal databases and external devices like smart cards -- are
- |    recognized and used by loading security modules. The -U command
- |    option lists all of the security modules listed in the
- |    secmod.db database. The path to the directory (-d) is required.
+ | < 2> rsa 1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5 John Smith user
+ | cert
+ | There are ways to narrow the keys listed in the search results:
+ | \* To return a specific key, use the -n name argument with the
+ | name of the key.
+ | \* If there are multiple security devices loaded, then the -h
+ | tokenname argument can search a specific token or all
+ | tokens.
+ | \* If there are multiple key types available, then the -k
+ | key-type argument can search a specific type of key, like
+ | RSA, DSA, or ECC.
+ | Listing Security Modules
+ | The devices that can be used to store certificates -- both
+ | internal databases and external devices like smart cards -- are
+ | recognized and used by loading security modules. The -U command
+ | option lists all of the security modules listed in the
+ | secmod.db database. The path to the directory (-d) is required.
| $ certutil -U -d sql:/home/my/sharednssdb
- |     slot: NSS User Private Key and Certificate Services
- |    token: NSS Certificate DB
- |     slot: NSS Internal Cryptographic Services
- |    token: NSS Generic Crypto Services
- |    Adding Certificates to the Database
- |    Existing certificates or certificate requests can be added
- |    manually to the certificate database, even if they were
- |    generated elsewhere. This uses the -A command option.
+ | slot: NSS User Private Key and Certificate Services
+ | token: NSS Certificate DB
+ | slot: NSS Internal Cryptographic Services
+ | token: NSS Generic Crypto Services
+ | Adding Certificates to the Database
+ | Existing certificates or certificate requests can be added
+ | manually to the certificate database, even if they were
+ | generated elsewhere. This uses the -A command option.
| certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-f
| ile]
- |    For example:
+ | For example:
| $ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d sql:/home/my/shar
| ednssdb -i /home/example-certs/cert.cer
- |    A related command option, -E, is used specifically to add email
- |    certificates to the certificate database. The -E command has
- |    the same arguments as the -A command. The trust arguments for
- |    certificates have the format SSL,S/MIME,Code-signing, so the
- |    middle trust settings relate most to email certificates (though
- |    the others can be set). For example:
+ | A related command option, -E, is used specifically to add email
+ | certificates to the certificate database. The -E command has
+ | the same arguments as the -A command. The trust arguments for
+ | certificates have the format SSL,S/MIME,Code-signing, so the
+ | middle trust settings relate most to email certificates (though
+ | the others can be set). For example:
| $ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d sql:/home/my/sh
| arednssdb -i /home/example-certs/email.cer
- |    Deleting Certificates to the Database
- |    Certificates can be deleted from a database using the -D
- |    option. The only required options are to give the security
- |    database directory and to identify the certificate nickname.
+ | Deleting Certificates to the Database
+ | Certificates can be deleted from a database using the -D
+ | option. The only required options are to give the security
+ | database directory and to identify the certificate nickname.
| certutil -D -d [sql:]directory -n "nickname"
- |    For example:
+ | For example:
| $ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert"
- |    Validating Certificates
- |    A certificate contains an expiration date in itself, and
- |    expired certificates are easily rejected. However, certificates
- |    can also be revoked before they hit their expiration date.
- |    Checking whether a certificate has been revoked requires
- |    validating the certificate. Validation can also be used to
- |    ensure that the certificate is only used for the purposes it
- |    was initially issued for. Validation is carried out by the -V
- |    command option.
+ | Validating Certificates
+ | A certificate contains an expiration date in itself, and
+ | expired certificates are easily rejected. However, certificates
+ | can also be revoked before they hit their expiration date.
+ | Checking whether a certificate has been revoked requires
+ | validating the certificate. Validation can also be used to
+ | ensure that the certificate is only used for the purposes it
+ | was initially issued for. Validation is carried out by the -V
+ | command option.
| certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]
| directory
- |    For example, to validate an email certificate:
+ | For example, to validate an email certificate:
| $ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sha
| rednssdb
- |    Modifying Certificate Trust Settings
- |    The trust settings (which relate to the operations that a
- |    certificate is allowed to be used for) can be changed after a
- |    certificate is created or added to the database. This is
- |    especially useful for CA certificates, but it can be performed
- |    for any type of certificate.
+ | Modifying Certificate Trust Settings
+ | The trust settings (which relate to the operations that a
+ | certificate is allowed to be used for) can be changed after a
+ | certificate is created or added to the database. This is
+ | especially useful for CA certificates, but it can be performed
+ | for any type of certificate.
| certutil -M -n certificate-name -t trust-args -d [sql:]directory
- |    For example:
+ | For example:
| $ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CTu
| ,CTu,CTu"
- |    Printing the Certificate Chain
- |    Certificates can be issued in chains because every certificate
- |    authority itself has a certificate; when a CA issues a
- |    certificate, it essentially stamps that certificate with its
- |    own fingerprint. The -O prints the full chain of a certificate,
- |    going from the initial CA (the root CA) through ever
- |    intermediary CA to the actual certificate. For example, for an
- |    email certificate with two CAs in the chain:
+ | Printing the Certificate Chain
+ | Certificates can be issued in chains because every certificate
+ | authority itself has a certificate; when a CA issues a
+ | certificate, it essentially stamps that certificate with its
+ | own fingerprint. The -O prints the full chain of a certificate,
+ | going from the initial CA (the root CA) through ever
+ | intermediary CA to the actual certificate. For example, for an
+ | email certificate with two CAs in the chain:
| $ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com"
| "Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@
| thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Divi
| sion,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA]
- |   "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte P
+ | "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte P
| ersonal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA]
- |     "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member]
- |    Resetting a Token
- |    The device which stores certificates -- both external hardware
- |    devices and internal software databases -- can be blanked and
- |    reused. This operation is performed on the device which stores
- |    the data, not directly on the security databases, so the
- |    location must be referenced through the token name (-h) as well
- |    as any directory path. If there is no external token used, the
- |    default value is internal.
+ | "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member]
+ | Resetting a Token
+ | The device which stores certificates -- both external hardware
+ | devices and internal software databases -- can be blanked and
+ | reused. This operation is performed on the device which stores
+ | the data, not directly on the security databases, so the
+ | location must be referenced through the token name (-h) as well
+ | as any directory path. If there is no external token used, the
+ | default value is internal.
| certutil -T -d [sql:]directory -h token-name -0 security-officer-passwor
| d
- |    Many networks have dedicated personnel who handle changes to
- |    security tokens (the security officer). This person must supply
- |    the password to access the specified token. For example:
+ | Many networks have dedicated personnel who handle changes to
+ | security tokens (the security officer). This person must supply
+ | the password to access the specified token. For example:
| $ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret
- |    Upgrading or Merging the Security Databases
- |    Many networks or applications may be using older BerkeleyDB
- |    versions of the certificate database (cert8.db). Databases can
- |    be upgraded to the new SQLite version of the database
- |    (cert9.db) using the --upgrade-merge command option or existing
- |    databases can be merged with the new cert9.db databases using
- |    the ---merge command.
- |    The --upgrade-merge command must give information about the
- |    original database and then use the standard arguments (like -d)
- |    to give the information about the new databases. The command
- |    also requires information that the tool uses for the process to
- |    upgrade and write over the original database.
+ | Upgrading or Merging the Security Databases
+ | Many networks or applications may be using older BerkeleyDB
+ | versions of the certificate database (cert8.db). Databases can
+ | be upgraded to the new SQLite version of the database
+ | (cert9.db) using the --upgrade-merge command option or existing
+ | databases can be merged with the new cert9.db databases using
+ | the ---merge command.
+ | The --upgrade-merge command must give information about the
+ | original database and then use the standard arguments (like -d)
+ | to give the information about the new databases. The command
+ | also requires information that the tool uses for the process to
+ | upgrade and write over the original database.
| certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir d
| irectory --source-prefix dbprefix --upgrade-id id --upgrade-token-name n
| ame [-@ password-file]
- |    For example:
+ | For example:
| $ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt
| /my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token
| -name internal
- |    The --merge command only requires information about the
- |    location of the original database; since it doesn't change the
- |    format of the database, it can write over information without
- |    performing interim step.
+ | The --merge command only requires information about the
+ | location of the original database; since it doesn't change the
+ | format of the database, it can write over information without
+ | performing interim step.
| certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory
- |  --source-prefix dbprefix [-@ password-file]
- |    For example:
+ | --source-prefix dbprefix [-@ password-file]
+ | For example:
| $ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/
| alias/ --source-prefix serverapp-
- |    Running certutil Commands from a Batch File
- |    A series of commands can be run sequentially from a text file
- |    with the -B command option. The only argument for this
- |    specifies the input file.
+ | Running certutil Commands from a Batch File
+ | A series of commands can be run sequentially from a text file
+ | with the -B command option. The only argument for this
+ | specifies the input file.
| $ certutil -B -i /path/to/batch-file
| NSS Database Types
- |    NSS originally used BerkeleyDB databases to store security
- |    information. The last versions of these legacy databases are:
- |      \* cert8.db for certificates
- |      \* key3.db for keys
- |      \* secmod.db for PKCS #11 module information
- |    BerkeleyDB has performance limitations, though, which prevent
- |    it from being easily used by multiple applications
- |    simultaneously. NSS has some flexibility that allows
- |    applications to use their own, independent database engine
- |    while keeping a shared database and working around the access
- |    issues. Still, NSS requires more flexibility to provide a truly
- |    shared security database.
- |    In 2009, NSS introduced a new set of databases that are SQLite
- |    databases rather than BerkleyDB. These new databases provide
- |    more accessibility and performance:
- |      \* cert9.db for certificates
- |      \* key4.db for keys
- |      \* pkcs11.txt, which is listing of all of the PKCS #11 modules
- |        contained in a new subdirectory in the security databases
- |        directory
- |    Because the SQLite databases are designed to be shared, these
- |    are the shared database type. The shared database type is
- |    preferred; the legacy format is included for backward
- |    compatibility.
- |    By default, the tools (certutil, pk12util, modutil) assume that
- |    the given security databases follow the more common legacy
- |    type. Using the SQLite databases must be manually specified by
- |    using the sql: prefix with the given security directory. For
- |    example:
+ | NSS originally used BerkeleyDB databases to store security
+ | information. The last versions of these legacy databases are:
+ | \* cert8.db for certificates
+ | \* key3.db for keys
+ | \* secmod.db for PKCS #11 module information
+ | BerkeleyDB has performance limitations, though, which prevent
+ | it from being easily used by multiple applications
+ | simultaneously. NSS has some flexibility that allows
+ | applications to use their own, independent database engine
+ | while keeping a shared database and working around the access
+ | issues. Still, NSS requires more flexibility to provide a truly
+ | shared security database.
+ | In 2009, NSS introduced a new set of databases that are SQLite
+ | databases rather than BerkleyDB. These new databases provide
+ | more accessibility and performance:
+ | \* cert9.db for certificates
+ | \* key4.db for keys
+ | \* pkcs11.txt, which is listing of all of the PKCS #11 modules
+ | contained in a new subdirectory in the security databases
+ | directory
+ | Because the SQLite databases are designed to be shared, these
+ | are the shared database type. The shared database type is
+ | preferred; the legacy format is included for backward
+ | compatibility.
+ | By default, the tools (certutil, pk12util, modutil) assume that
+ | the given security databases follow the more common legacy
+ | type. Using the SQLite databases must be manually specified by
+ | using the sql: prefix with the given security directory. For
+ | example:
| $ certutil -L -d sql:/home/my/sharednssdb
- |    To set the shared database type as the default type for the
- |    tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:
+ | To set the shared database type as the default type for the
+ | tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql:
| export NSS_DEFAULT_DB_TYPE="sql"
- |    This line can be set added to the ~/.bashrc file to make the
- |    change permanent.
- |    Most applications do not use the shared database by default,
- |    but they can be configured to use them. For example, this
- |    how-to article covers how to configure Firefox and Thunderbird
- |    to use the new shared NSS databases:
- |      \* https://wiki.mozilla.org/NSS_Shared_DB_Howto
- |    For an engineering draft on the changes in the shared NSS
- |    databases, see the NSS project wiki:
- |      \* https://wiki.mozilla.org/NSS_Shared_DB
+ | This line can be set added to the ~/.bashrc file to make the
+ | change permanent.
+ | Most applications do not use the shared database by default,
+ | but they can be configured to use them. For example, this
+ | how-to article covers how to configure Firefox and Thunderbird
+ | to use the new shared NSS databases:
+ | \* https://wiki.mozilla.org/NSS_Shared_DB_Howto
+ | For an engineering draft on the changes in the shared NSS
+ | databases, see the NSS project wiki:
+ | \* https://wiki.mozilla.org/NSS_Shared_DB
| See Also
- |    pk12util (1)
- |    modutil (1)
- |    certutil has arguments or operations that use features defined
- |    in several IETF RFCs.
- |      \* `http://tools.ietf.org/html/rfc5280 <https://datatracker.ietf.org/doc/html/rfc5280>`__
- |      \* `http://tools.ietf.org/html/rfc1113 <https://datatracker.ietf.org/doc/html/rfc1113>`__
- |      \* `http://tools.ietf.org/html/rfc1485 <https://datatracker.ietf.org/doc/html/rfc1485>`__
- |    The NSS wiki has information on the new database design and how
- |    to configure applications to use it.
- |      \* https://wiki.mozilla.org/NSS_Shared_DB_Howto
- |      \* https://wiki.mozilla.org/NSS_Shared_DB
+ | pk12util (1)
+ | modutil (1)
+ | certutil has arguments or operations that use features defined
+ | in several IETF RFCs.
+ | \* `http://tools.ietf.org/html/rfc5280 <https://datatracker.ietf.org/doc/html/rfc5280>`__
+ | \* `http://tools.ietf.org/html/rfc1113 <https://datatracker.ietf.org/doc/html/rfc1113>`__
+ | \* `http://tools.ietf.org/html/rfc1485 <https://datatracker.ietf.org/doc/html/rfc1485>`__
+ | The NSS wiki has information on the new database design and how
+ | to configure applications to use it.
+ | \* https://wiki.mozilla.org/NSS_Shared_DB_Howto
+ | \* https://wiki.mozilla.org/NSS_Shared_DB
| Additional Resources
- |    For information about NSS and other tools related to NSS (like
- |    JSS), check out the NSS project wiki at
- |   
+ | For information about NSS and other tools related to NSS (like
+ | JSS), check out the NSS project wiki at
+ |
`http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site
- |    relates directly to NSS code changes and releases.
- |    Mailing lists:
- |    https://lists.mozilla.org/listinfo/dev-tech-crypto
- |    IRC: Freenode at #dogtag-pki
+ | relates directly to NSS code changes and releases.
+ | Mailing lists:
+ | https://lists.mozilla.org/listinfo/dev-tech-crypto
+ | IRC: Freenode at #dogtag-pki
| Authors
- |    The NSS tools were written and maintained by developers with
- |    Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
- |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
- |    <dlackey@redhat.com>.
+ | The NSS tools were written and maintained by developers with
+ | Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.
+ | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+ | <dlackey@redhat.com>.
| LICENSE
- |        Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not
+ | Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not
distributed with this file, You can
- |        obtain one at https://mozilla.org/MPL/2.0/.
+ | obtain one at https://mozilla.org/MPL/2.0/.
| NOTES
- |         1. Mozilla NSS bug 836477
- |            https://bugzilla.mozilla.org/show_bug.cgi?id=836477 \ No newline at end of file
+ | 1. Mozilla NSS bug 836477
+ | https://bugzilla.mozilla.org/show_bug.cgi?id=836477 \ No newline at end of file
diff --git a/doc/rst/legacy/reference/nss_tools__colon__crlutil/index.rst b/doc/rst/legacy/reference/nss_tools__colon__crlutil/index.rst
index 61462f9f5..9745be2a0 100644
--- a/doc/rst/legacy/reference/nss_tools__colon__crlutil/index.rst
+++ b/doc/rst/legacy/reference/nss_tools__colon__crlutil/index.rst
@@ -367,7 +367,7 @@ NSS tools : crlutil
Licensed under the Mozilla Public License, v. 2.0.
| If a copy of the MPL was not distributed with this file, You can
- |  obtain one at https://mozilla.org/MPL/2.0/.
+ | obtain one at https://mozilla.org/MPL/2.0/.
References
diff --git a/doc/rst/legacy/reference/troubleshoot/index.rst b/doc/rst/legacy/reference/troubleshoot/index.rst
index 3a38049a8..d2b11c30c 100644
--- a/doc/rst/legacy/reference/troubleshoot/index.rst
+++ b/doc/rst/legacy/reference/troubleshoot/index.rst
@@ -72,7 +72,7 @@ troubleshoot
cp shmsdos.exe shmsdos.bak *(backup shmsdos)*
cp sh.exe shmsdos.exe *(substitute alternative shell)*
- Making this change will probably break other builds you are  making on the same machine. You
+ Making this change will probably break other builds you are making on the same machine. You
may need to switch the shell back and forthdepending on which product you are building. We
will try to provide a moreconvenient solution in the future. If you have the MKS toolkit
- installed,  the <tt>sh.exe</tt> that comes with this toolkit can be used as well. \ No newline at end of file
+ installed, the <tt>sh.exe</tt> that comes with this toolkit can be used as well. \ No newline at end of file
diff --git a/doc/rst/legacy/release_notes/index.rst b/doc/rst/legacy/release_notes/index.rst
index c36479589..53904229b 100644
--- a/doc/rst/legacy/release_notes/index.rst
+++ b/doc/rst/legacy/release_notes/index.rst
@@ -6,7 +6,7 @@ Older NSS release notes
.. container::
This page lists release notes for older versions of NSS.
- See :ref:`mozilla_projects_nss_nss_releases` :ref:`mozilla_projects_nss_nss_releases` for recent
+ See :ref:`mozilla_projects_nss_nss_releases` :ref:`mozilla_projects_nss_nss_releases` for recent
release notes. The links below are provided for historical information.
- NSS 3.14
diff --git a/doc/rst/legacy/ssl_functions/gtstd/index.rst b/doc/rst/legacy/ssl_functions/gtstd/index.rst
index 6f1348329..c6e074d35 100644
--- a/doc/rst/legacy/ssl_functions/gtstd/index.rst
+++ b/doc/rst/legacy/ssl_functions/gtstd/index.rst
@@ -57,7 +57,7 @@ gtstd
related low-level OS operations. On any given server or client, one or more PKCS #11 modules may
be available.
- **Figure 2.1    Relationships among NSS libraries, cryptographic modules, slots, and tokens**
+ **Figure 2.1 Relationships among NSS libraries, cryptographic modules, slots, and tokens**
.. image:: /en-US/docs/Mozilla/Projects/NSS/SSL_functions/gtstd/pkcs.gif
diff --git a/doc/rst/legacy/ssl_functions/old_ssl_reference/index.rst b/doc/rst/legacy/ssl_functions/old_ssl_reference/index.rst
index 8fcb82ef0..c39e51557 100644
--- a/doc/rst/legacy/ssl_functions/old_ssl_reference/index.rst
+++ b/doc/rst/legacy/ssl_functions/old_ssl_reference/index.rst
@@ -27,12 +27,12 @@ OLD SSL Reference
Writer: Sean Cotter
Manager: Wan-Teh Chang*
- .. rubric:: `Chapter 1  Overview of an SSL Application <sslintro.html#1028068>`__
+ .. rubric:: `Chapter 1 Overview of an SSL Application <sslintro.html#1028068>`__
:name: chapter_1_overview_of_an_ssl_application
SSL and related APIs allow compliant applications to configure sockets for authenticated,
tamper-proof, and encrypted communications. This chapter introduces some of the basic SSL
- functions. Chapter 2, "Getting Started With SSL" illustrates their use in sample client and
+ functions. Chapter 2, "Getting Started With SSL" illustrates their use in sample client and
server applications.
- `Initialization <sslintro.html#1027662>`__
@@ -44,7 +44,7 @@ OLD SSL Reference
- `Functions Used by Callbacks <sslintro.html#1027820>`__ ` <sslintro.html#1030535>`__
- `Cleanup <sslintro.html#1030535>`__
- .. rubric:: `Chapter 2  Getting Started With SSL <gtstd.html#1005439>`__
+ .. rubric:: `Chapter 2 Getting Started With SSL <gtstd.html#1005439>`__
:name: chapter_2_getting_started_with_ssl
This chapter describes how to set up your environment, including certificate and key
@@ -62,7 +62,7 @@ OLD SSL Reference
- `Building NSS Programs <gtstd.html#1013274>`__
- .. rubric:: `Chapter 3  Selected SSL Types and Structures <ssltyp.html#1029792>`__
+ .. rubric:: `Chapter 3 Selected SSL Types and Structures <ssltyp.html#1029792>`__
:name: chapter_3_selected_ssl_types_and_structures
This chapter describes some of the most important types and structures used with the functions
@@ -204,7 +204,7 @@ OLD SSL Reference
:ref:`mozilla_projects_nss_ssl_functions_sslfnc#1231825`
- :ref:`mozilla_projects_nss_ssl_functions_sslfnc#1231825`
- .. rubric:: `Chapter 5  Certificate Functions <sslcrt.html#1047959>`__
+ .. rubric:: `Chapter 5 Certificate Functions <sslcrt.html#1047959>`__
:name: chapter_5_certificate_functions
This chapter describes the functions and related types used to work with a certificate
@@ -234,7 +234,7 @@ OLD SSL Reference
- `SECITEM_CompareItem <sslcrt.html#1057028>`__
- .. rubric:: `Chapter 6  Key Functions <sslkey.html#1047959>`__
+ .. rubric:: `Chapter 6 Key Functions <sslkey.html#1047959>`__
:name: chapter_6_key_functions
This chapter describes two functions used to manipulate private keys and key databases such as
@@ -243,7 +243,7 @@ OLD SSL Reference
- `SECKEY_GetDefaultKeyDB <sslkey.html#1051479>`__ ` <sslkey.html#1051017>`__
- `SECKEY_DestroyPrivateKey <sslkey.html#1051017>`__
- .. rubric:: `Chapter 7  PKCS #11 Functions <pkfnc.html#1027946>`__
+ .. rubric:: `Chapter 7 PKCS #11 Functions <pkfnc.html#1027946>`__
:name: chapter_7_pkcs_11_functions
This chapter describes the core PKCS #11 functions that an application needs for communicating
@@ -259,7 +259,7 @@ OLD SSL Reference
- `PK11_IsReadOnly <pkfnc.html#1022991>`__ ` <pkfnc.html#1023128>`__
- `PK11_SetPasswordFunc <pkfnc.html#1023128>`__
- .. rubric:: `Chapter 8  NSS and SSL Error Codes <sslerr.html#1013897>`__
+ .. rubric:: `Chapter 8 NSS and SSL Error Codes <sslerr.html#1013897>`__
:name: chapter_8_nss_and_ssl_error_codes
NSS error codes are retrieved using the NSPR function PR_GetError. In addition to the error
diff --git a/doc/rst/legacy/ssl_functions/pkfnc/index.rst b/doc/rst/legacy/ssl_functions/pkfnc/index.rst
index df09d2d82..b71487dd7 100644
--- a/doc/rst/legacy/ssl_functions/pkfnc/index.rst
+++ b/doc/rst/legacy/ssl_functions/pkfnc/index.rst
@@ -56,8 +56,8 @@ PKCS #11 Functions <#chapter_7_pkcs_11_functions>`__
.. code::
CERTCertificate *PK11_FindCertFromNickname(
-    char *nickname,
-    void *wincx);
+ char *nickname,
+ void *wincx);
.. rubric:: Parameters
:name: parameters
@@ -117,8 +117,8 @@ PKCS #11 Functions <#chapter_7_pkcs_11_functions>`__
.. code::
SECKEYPrivateKey *PK11_FindKeyByAnyCert(
-    CERTCertificate *cert,
-    void *wincx);
+ CERTCertificate *cert,
+ void *wincx);
.. rubric:: Parameters
:name: parameters_2
@@ -391,9 +391,9 @@ PKCS #11 Functions <#chapter_7_pkcs_11_functions>`__
.. code::
typedef char *(*PK11PasswordFunc)(
-    PK11SlotInfo *slot,
-    PRBool retry,
-    void *arg);
+ PK11SlotInfo *slot,
+ PRBool retry,
+ void *arg);
This callback function has the following parameters:
diff --git a/doc/rst/legacy/ssl_functions/sslcrt/index.rst b/doc/rst/legacy/ssl_functions/sslcrt/index.rst
index bc06dbab8..677ec4f59 100644
--- a/doc/rst/legacy/ssl_functions/sslcrt/index.rst
+++ b/doc/rst/legacy/ssl_functions/sslcrt/index.rst
@@ -63,11 +63,11 @@ sslcrt
.. code::
SECStatus CERT_VerifyCertNow(
-    CERTCertDBHandle *handle,
-    CERTCertificate *cert,
-    PRBool checkSig,
-    SECCertUsage certUsage,
-    void *wincx);
+ CERTCertDBHandle *handle,
+ CERTCertificate *cert,
+ PRBool checkSig,
+ SECCertUsage certUsage,
+ void *wincx);
.. rubric:: Parameters
:name: parameters
@@ -141,8 +141,8 @@ sslcrt
.. code::
SECStatus CERT_VerifyCertName(
-    CERTCertificate *cert,
-    char *hostname);
+ CERTCertificate *cert,
+ char *hostname);
.. rubric:: Parameters
:name: parameters_2
@@ -207,8 +207,8 @@ sslcrt
.. code::
SECCertTimeValidity CERT_CheckCertValidTimes(
-    CERTCertificate *cert,
-    int64 t);
+ CERTCertificate *cert,
+ int64 t);
.. rubric:: Parameters
:name: parameters_3
@@ -233,9 +233,9 @@ sslcrt
.. code::
typedef enum {
-    secCertTimeValid,
-    secCertTimeExpired,
-    secCertTimeNotValidYet
+ secCertTimeValid,
+ secCertTimeExpired,
+ secCertTimeNotValidYet
} SECCertTimeValidity;
.. rubric:: NSS_CmpCertChainWCANames
@@ -254,8 +254,8 @@ sslcrt
.. code::
SECStatus NSS_CmpCertChainWCANames(
-    CERTCertificate *cert,
-    CERTDistNames *caNames);
+ CERTCertificate *cert,
+ CERTDistNames *caNames);
.. rubric:: Parameters
:name: parameters_4
@@ -403,8 +403,8 @@ sslcrt
.. code::
CERTCertificate *CERT_FindCertByName (
-    CERTCertDBHandle *handle,
-    SECItem *name);
+ CERTCertDBHandle *handle,
+ SECItem *name);
.. rubric:: Parameters
:name: parameters_6
@@ -443,9 +443,9 @@ sslcrt
.. code::
CERTCertNicknames *CERT_GetCertNicknames (
-    CERTCertDBHandle *handle,
-    int what,
-    void *wincx);
+ CERTCertDBHandle *handle,
+ int what,
+ void *wincx);
.. rubric:: Parameters
:name: parameters_7
@@ -600,8 +600,8 @@ sslcrt
.. code::
SECComparison SECITEM_CompareItem(
-    SECItem *a,
-    SECItem *b);
+ SECItem *a,
+ SECItem *b);
.. rubric:: Parameters
:name: parameters_9
@@ -626,7 +626,7 @@ sslcrt
.. code::
typedef enum _SECComparison {
-    SECLessThan                = -1,
-    SECEqual                = 0,
-    SECGreaterThan = 1
+ SECLessThan = -1,
+ SECEqual = 0,
+ SECGreaterThan = 1
} SECComparison; \ No newline at end of file
diff --git a/doc/rst/legacy/ssl_functions/sslerr/index.rst b/doc/rst/legacy/ssl_functions/sslerr/index.rst
index e9937a3a5..50d5a19c8 100644
--- a/doc/rst/legacy/ssl_functions/sslerr/index.rst
+++ b/doc/rst/legacy/ssl_functions/sslerr/index.rst
@@ -92,18 +92,18 @@ sslerr
| | | for authentication." |
| | | |
| | | This error has many potential |
- | | | causes; for example:  |
+ | | | causes; for example: |
| | | |
| | | Certificate or key not found |
- | | | in database.  |
+ | | | in database. |
| | | |
| | | Certificate not marked trusted |
| | | in database and Certificate's |
| | | issuer not marked trusted in |
- | | | database.  |
+ | | | database. |
| | | |
| | | Wrong password for key |
- | | | database.  |
+ | | | database. |
| | | |
| | | Missing database. |
+--------------------------------+--------------------------------+--------------------------------+
@@ -197,7 +197,7 @@ sslerr
| | | the matching rules specified |
| | | for |
| | | `CERT_VerifyCertN |
- | | | ame <sslcrt.html#1050342>`__.  |
+ | | | ame <sslcrt.html#1050342>`__. |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ERROR_POST_WARNING | -12275 | (unused) |
+--------------------------------+--------------------------------+--------------------------------+
@@ -361,7 +361,7 @@ sslerr
| | | end the connection. The |
| | | receipt of this alert is an |
| | | error only if it occurs while |
- | | | a handshake is in progress.  |
+ | | | a handshake is in progress. |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ERR | -12210 | "SSL Server attempted to use |
| OR_PUB_KEY_SIZE_LIMIT_EXCEEDED | | domestic-grade public key with |
@@ -461,7 +461,7 @@ sslerr
+--------------------------------+--------------------------------+--------------------------------+
| **Received a malformed (too | | |
| long or short or invalid | | |
- | content) SSL handshake: ** | | |
+ | content) SSL handshake: ** | | |
| | | |
| All the error codes in the | | |
| following block indicate that | | |
@@ -470,7 +470,7 @@ sslerr
| handshake message from the | | |
| remote peer. This probably | | |
| indicates a flaw in the remote | | |
- | peer's implementation.  | | |
+ | peer's implementation. | | |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ER | -12261 | "SSL received a malformed |
| ROR_RX_MALFORMED_HELLO_REQUEST | | Hello Request handshake |
@@ -489,7 +489,7 @@ sslerr
| | | message." |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ERROR | -12257 | "SSL received a malformed |
- | _RX_MALFORMED_SERVER_KEY_EXCH  | | Server Key Exchange handshake |
+ | _RX_MALFORMED_SERVER_KEY_EXCH | | Server Key Exchange handshake |
| | | message." |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_E | -12256 | "SSL received a malformed |
@@ -505,7 +505,7 @@ sslerr
| | | message." |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ERROR | -12253 | "SSL received a malformed |
- | _RX_MALFORMED_CLIENT_KEY_EXCH  | | Client Key Exchange handshake |
+ | _RX_MALFORMED_CLIENT_KEY_EXCH | | Client Key Exchange handshake |
| | | message." |
+--------------------------------+--------------------------------+--------------------------------+
| S | -12252 | "SSL received a malformed |
@@ -525,7 +525,7 @@ sslerr
| record from the remote peer. | | |
| This probably indicates a flaw | | |
| in the remote peer's | | |
- | implementation.  | | |
+ | implementation. | | |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ER | -12251 | "SSL received a malformed |
| ROR_RX_MALFORMED_CHANGE_CIPHER | | Change Cipher Spec record." |
@@ -537,7 +537,7 @@ sslerr
| L_ERROR_RX_MALFORMED_HANDSHAKE | | Handshake record." |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ERROR_ | -12248 | "SSL received a malformed |
- | RX_MALFORMED_APPLICATION_DATA  | | Application Data record." |
+ | RX_MALFORMED_APPLICATION_DATA | | Application Data record." |
+--------------------------------+--------------------------------+--------------------------------+
| **Received an SSL handshake | | |
| that was inappropriate for the | | |
@@ -554,7 +554,7 @@ sslerr
| received a message from | | |
| another server. This probably | | |
| indicates a flaw in the remote | | |
- | peer's implementation.  | | |
+ | peer's implementation. | | |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ERR | -12247 | "SSL received an unexpected |
| OR_RX_UNEXPECTED_HELLO_REQUEST | | Hello Request handshake |
@@ -573,7 +573,7 @@ sslerr
| | | message." |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ERROR_ | -12243 | "SSL received an unexpected |
- | RX_UNEXPECTED_SERVER_KEY_EXCH  | | Server Key Exchange handshake |
+ | RX_UNEXPECTED_SERVER_KEY_EXCH | | Server Key Exchange handshake |
| | | message." |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ER | -12242 | "SSL received an unexpected |
@@ -589,7 +589,7 @@ sslerr
| | | message." |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ERROR_ | -12239 | "SSL received an unexpected |
- | RX_UNEXPECTED_CLIENT_KEY_EXCH  | | Client Key Exchange handshake |
+ | RX_UNEXPECTED_CLIENT_KEY_EXCH | | Client Key Exchange handshake |
| | | message." |
+--------------------------------+--------------------------------+--------------------------------+
| SS | -12238 | "SSL received an unexpected |
@@ -612,7 +612,7 @@ sslerr
| have sent this message. This | | |
| probably indicates a flaw in | | |
| the remote peer's | | |
- | implementation.  | | |
+ | implementation. | | |
+--------------------------------+--------------------------------+--------------------------------+
| SSL_ERR | -12237 | "SSL received an unexpected |
| OR_RX_UNEXPECTED_CHANGE_CIPHER | | Change Cipher Spec record." |
@@ -1072,7 +1072,7 @@ sslerr
| | | module can perform the |
| | | requested operation. |
+--------------------------------+--------------------------------+--------------------------------+
- | SEC_ERROR_NO_TOKEN  | -8127 | The security card or token |
+ | SEC_ERROR_NO_TOKEN | -8127 | The security card or token |
| | | does not exist, needs to be |
| | | initialized, or has been |
| | | removed. |
@@ -1125,7 +1125,7 @@ sslerr
| | | modes supported. |
+--------------------------------+--------------------------------+--------------------------------+
| SEC_ERROR | -8110 | Unable to import. File |
- | _PKCS12_CORRUPT_PFX_STRUCTURE  | | structure is corrupt. |
+ | _PKCS12_CORRUPT_PFX_STRUCTURE | | structure is corrupt. |
+--------------------------------+--------------------------------+--------------------------------+
| SEC_ERROR_PK | -8109 | Unable to import. Encryption |
| CS12_UNSUPPORTED_PBE_ALGORITHM | | algorithm not supported. |
@@ -1171,7 +1171,7 @@ sslerr
| | | nickname. |
+--------------------------------+--------------------------------+--------------------------------+
| SEC_ERRO | -8096 | Unable to export. Private key |
- | R_PKCS12_UNABLE_TO_EXPORT_KEY  | | could not be located and |
+ | R_PKCS12_UNABLE_TO_EXPORT_KEY | | could not be located and |
| | | exported. |
+--------------------------------+--------------------------------+--------------------------------+
| SE | -8095 | Unable to export. Unable to |
diff --git a/doc/rst/legacy/ssl_functions/sslfnc/index.rst b/doc/rst/legacy/ssl_functions/sslfnc/index.rst
index d08f50c1b..4d3f020fa 100644
--- a/doc/rst/legacy/ssl_functions/sslfnc/index.rst
+++ b/doc/rst/legacy/ssl_functions/sslfnc/index.rst
@@ -605,9 +605,9 @@ sslfnc
16-bit integer named ``SSL_NumImplementedCiphers``. The macro ``SSL_IS_SSL2_CIPHER`` can be used
to determine whether a particular value is an SSL2 or an SSL3 cipher.
- **WARNING**: Using the external array ``SSL_ImplementedCiphers[]`` directly is deprecated.  It
+ **WARNING**: Using the external array ``SSL_ImplementedCiphers[]`` directly is deprecated. It
causes dynamic linking issues at run-time after an update of NSS because the actual size of the
- array changes between releases.  The recommended way of accessing the array is through the
+ array changes between releases. The recommended way of accessing the array is through the
``SSL_GetImplementedCiphers()`` and ``SSL_GetNumImplementedCiphers()`` accessors.
By default, all SSL2 and 12 SSL3/TLS cipher suites are enabled. However, this does not
@@ -730,10 +730,10 @@ sslfnc
.. code::
SECStatus SSL_ConfigServerSessionIDCache(
-    int maxCacheEntries,
-    PRUint32 timeout,
-    PRUint32 ssl3_timeout,
-    const char *directory);
+ int maxCacheEntries,
+ PRUint32 timeout,
+ PRUint32 ssl3_timeout,
+ const char *directory);
.. rubric:: Parameters
:name: parameters_5
@@ -837,10 +837,10 @@ sslfnc
.. code::
SECStatus SSL_ConfigMPServerSIDCache(
-    int maxCacheEntries,
-    PRUint32 timeout,
-    PRUint32 ssl3_timeout,
-    const char *directory);
+ int maxCacheEntries,
+ PRUint32 timeout,
+ PRUint32 ssl3_timeout,
+ const char *directory);
.. rubric:: Parameters
:name: parameters_6
@@ -1429,8 +1429,8 @@ sslfnc
.. code::
PRFileDesc *SSL_ImportFD(
-    PRFileDesc *model,
-    PRFileDesc *fd);
+ PRFileDesc *model,
+ PRFileDesc *fd);
.. rubric:: Parameters
:name: parameters_10
@@ -1489,9 +1489,9 @@ sslfnc
.. code::
SECStatus SSL_OptionSet(
-    PRFileDesc *fd,
-    PRInt32 option,
-    PRBool on);
+ PRFileDesc *fd,
+ PRInt32 option,
+ PRBool on);
.. rubric:: Parameters
:name: parameters_11
@@ -1714,9 +1714,9 @@ sslfnc
.. code::
SECStatus SSL_OptionGet(
-    PRFileDesc *fd,
-    PRInt32 option,
-    PRBool *on);
+ PRFileDesc *fd,
+ PRInt32 option,
+ PRBool *on);
.. rubric:: Parameters
:name: parameters_12
@@ -1766,9 +1766,9 @@ sslfnc
.. code::
SECStatus SSL_CipherPrefSet(
-    PRFileDesc *fd,
-    PRInt32 cipher,
-    PRBool enabled);
+ PRFileDesc *fd,
+ PRInt32 cipher,
+ PRBool enabled);
.. rubric:: Parameters
:name: parameters_13
@@ -1865,9 +1865,9 @@ sslfnc
.. code::
SECStatus SSL_CipherPrefGet(
-    PRFileDesc *fd,
-    PRInt32 cipher,
-    PRBool *enabled);
+ PRFileDesc *fd,
+ PRInt32 cipher,
+ PRBool *enabled);
.. rubric:: Parameters
:name: parameters_14
@@ -1910,10 +1910,10 @@ sslfnc
.. code::
SECStatus SSL_ConfigSecureServer(
-    PRFileDesc *fd,
-    CERTCertificate *cert,
-    SECKEYPrivateKey *key,
-    SSLKEAType keaType);
+ PRFileDesc *fd,
+ CERTCertificate *cert,
+ SECKEYPrivateKey *key,
+ SSLKEAType keaType);
.. rubric:: Parameters
:name: parameters_15
@@ -1991,8 +1991,8 @@ sslfnc
.. code::
int SSL_SetURL(
-    PRFileDesc *fd,
-    char *url);
+ PRFileDesc *fd,
+ char *url);
.. rubric:: Parameters
:name: parameters_16
@@ -2109,7 +2109,7 @@ sslfnc
```PK11_SetPasswordFunc`` <pkfnc.html#1023128>`__ to set up the password callback function during
NSS initialization.
- For examples of the callback functions listed here, see `Chapter 2, "Getting Started With
+ For examples of the callback functions listed here, see `Chapter 2, "Getting Started With
SSL." <gtstd.html#1005439>`__
.. rubric:: SSL_AuthCertificateHook
@@ -2128,9 +2128,9 @@ sslfnc
.. code::
SECStatus SSL_AuthCertificateHook(
-    PRFileDesc *fd,
-    SSLAuthCertificate f,
-    void *arg);
+ PRFileDesc *fd,
+ SSLAuthCertificate f,
+ void *arg);
.. rubric:: Parameters
:name: parameters_18
@@ -2173,10 +2173,10 @@ sslfnc
.. code::
typedef SECStatus (*SSLAuthCertificate) (
-    void *arg,
-    PRFileDesc *fd,
-    PRBool checksig,
-    PRBool isServer);
+ void *arg,
+ PRFileDesc *fd,
+ PRBool checksig,
+ PRBool isServer);
This callback function has the following parameters:
@@ -2228,7 +2228,7 @@ sslfnc
:name: see_also_2
For examples of certificate authentication callback functions, see the sample code referenced
- from `Chapter 2, "Getting Started With SSL." <gtstd.html#1005439>`__
+ from `Chapter 2, "Getting Started With SSL." <gtstd.html#1005439>`__
.. rubric:: SSL_AuthCertificate
:name: ssl_authcertificate
@@ -2248,10 +2248,10 @@ sslfnc
.. code::
SECStatus SSL_AuthCertificate(
-    void *arg,
-    PRFileDesc *fd,
-    PRBool checksig,
-    PRBool isServer);
+ void *arg,
+ PRFileDesc *fd,
+ PRBool checksig,
+ PRBool isServer);
.. rubric:: Parameters
:name: parameters_19
@@ -2317,9 +2317,9 @@ sslfnc
.. code::
SECStatus SSL_BadCertHook(
-    PRFileDesc *fd,
-    SSLBadCertHandler f,
-    void *arg);
+ PRFileDesc *fd,
+ SSLBadCertHandler f,
+ void *arg);
.. rubric:: Parameters
:name: parameters_20
@@ -2358,8 +2358,8 @@ sslfnc
.. code::
typedef SECStatus (*SSLBadCertHandler)(
-    void *arg,
-    PRFileDesc *fd);
+ void *arg,
+ PRFileDesc *fd);
This callback function has the following parameters:
@@ -2409,9 +2409,9 @@ sslfnc
.. code::
SECStatus SSL_GetClientAuthDataHook(
-    PRFileDesc *fd,
-    SSLGetClientAuthData f,
-    void *a);
+ PRFileDesc *fd,
+ SSLGetClientAuthData f,
+ void *a);
.. rubric:: Parameters
:name: parameters_21
@@ -2456,11 +2456,11 @@ sslfnc
.. code::
typedef SECStatus (*SSLGetClientAuthData)(
-    void *arg,
-    PRFileDesc *fd,
-    CertDistNames *caNames,
-    CERTCertificate **pRetCert,
-    SECKEYPrivateKey **pRetKey);
+ void *arg,
+ PRFileDesc *fd,
+ CertDistNames *caNames,
+ CERTCertificate **pRetCert,
+ SECKEYPrivateKey **pRetKey);
This callback function has the following parameters:
@@ -2493,11 +2493,11 @@ sslfnc
.. code::
SECStatus NSS_GetClientAuthData(
-    void * arg,
-    PRFileDesc *socket,
-    struct CERTDistNamesStr *caNames,
-    struct CERTCertificateStr **pRetCert,
-    struct SECKEYPrivateKeyStr **pRetKey);
+ void * arg,
+ PRFileDesc *socket,
+ struct CERTDistNamesStr *caNames,
+ struct CERTCertificateStr **pRetCert,
+ struct SECKEYPrivateKeyStr **pRetKey);
.. rubric:: Parameters
:name: parameters_22
@@ -2558,9 +2558,9 @@ sslfnc
.. code::
SECStatus SSL_HandshakeCallback(
-    PRFileDesc *fd,
-    SSLHandshakeCallback cb,
-    void *client_data);
+ PRFileDesc *fd,
+ SSLHandshakeCallback cb,
+ void *client_data);
.. rubric:: Parameters
:name: parameters_23
@@ -2594,8 +2594,8 @@ sslfnc
.. code::
typedef void (*SSLHandshakeCallback)(
-    PRFileDesc *fd,
-    void *client_data);
+ PRFileDesc *fd,
+ void *client_data);
This callback function has the following parameters:
@@ -2731,13 +2731,13 @@ sslfnc
.. code::
SECStatus SSL_SecurityStatus(
-    PRFileDesc *fd,
-    int *on,
-    char **cipher,
-    int *keysize,
-    int *secretKeySize,
-    char **issuer,
-    char **subject);
+ PRFileDesc *fd,
+ int *on,
+ char **cipher,
+ int *keysize,
+ int *secretKeySize,
+ char **issuer,
+ char **subject);
.. rubric:: Parameters
:name: parameters_24
@@ -3249,8 +3249,8 @@ sslfnc
.. code::
SECStatus SSL_ResetHandshake(
-    PRFileDesc *fd,
-    PRBool asServer);
+ PRFileDesc *fd,
+ PRBool asServer);
.. rubric:: Parameters
:name: parameters_27
@@ -3402,9 +3402,9 @@ sslfnc
.. code::
SECStatus SSL_Enable(
-    PRFileDesc *fd,
-    int which,
-    PRBool on);
+ PRFileDesc *fd,
+ int which,
+ PRBool on);
.. rubric:: Parameters
:name: parameters_29
diff --git a/doc/rst/legacy/ssl_functions/sslintro/index.rst b/doc/rst/legacy/ssl_functions/sslintro/index.rst
index e2ab39e96..aeedd90b9 100644
--- a/doc/rst/legacy/ssl_functions/sslintro/index.rst
+++ b/doc/rst/legacy/ssl_functions/sslintro/index.rst
@@ -29,7 +29,7 @@ sslintro
SSL and related APIs allow compliant applications to configure sockets for authenticated,
tamper-proof, and encrypted communications. This chapter introduces some of the basic SSL
- functions. `Chapter 2, "Getting Started With SSL" <gtstd.html#1005439>`__ illustrates their use
+ functions. `Chapter 2, "Getting Started With SSL" <gtstd.html#1005439>`__ illustrates their use
in sample client and server applications.
An SSL application typically includes five parts:
diff --git a/doc/rst/legacy/ssl_functions/ssltyp/index.rst b/doc/rst/legacy/ssl_functions/ssltyp/index.rst
index f35b64d95..1ec221042 100644
--- a/doc/rst/legacy/ssl_functions/ssltyp/index.rst
+++ b/doc/rst/legacy/ssl_functions/ssltyp/index.rst
@@ -262,8 +262,8 @@ ssltyp
.. code::
SECStatus SECItem_FreeItem (
-    SECItem *item,
-    PRBool freeItem)
+ SECItem *item,
+ PRBool freeItem)
.. rubric:: Parameter
:name: parameter
@@ -309,8 +309,8 @@ ssltyp
.. code::
SECStatus SECItem_ZfreeItem (
-    SECItem *item,
-    PRBool freeItem)
+ SECItem *item,
+ PRBool freeItem)
.. rubric:: Parameter
:name: parameter_2
diff --git a/doc/rst/legacy/tls_cipher_suite_discovery/index.rst b/doc/rst/legacy/tls_cipher_suite_discovery/index.rst
index a31f9b1ab..f9a3fc851 100644
--- a/doc/rst/legacy/tls_cipher_suite_discovery/index.rst
+++ b/doc/rst/legacy/tls_cipher_suite_discovery/index.rst
@@ -23,7 +23,7 @@ TLS Cipher Suite Discovery
Each Cipher Suite is represented by a 16-bit number. The number of well-defined cipher suites
grows with time, and no TLS implementation offers all known cipher suites at all times. An
implementation that claimed to offer all defined Cipher Suites would only be able to make that
- claim for a short time until another new Cipher Suite was defined. At any time, any real
+ claim for a short time until another new Cipher Suite was defined. At any time, any real
implementation implements some subset of the complete set of well-defined cipher suites.
Each new release of a TLS implementation may contain support for new Cipher Suites not supported
@@ -104,10 +104,10 @@ TLS Cipher Suite Discovery
SSLMACAlgorithm macAlgorithm;
PRUint16 macBits;
- PRUintn isFIPS  : 1;
- PRUintn isExportable : 1;
- PRUintn nonStandard  : 1;
- PRUintn reservedBits :29;
+ PRUintn isFIPS : 1;
+ PRUintn isExportable : 1;
+ PRUintn nonStandard : 1;
+ PRUintn reservedBits :29;
} SSLCipherSuiteInfo;
diff --git a/doc/rst/legacy/tools/certutil/index.rst b/doc/rst/legacy/tools/certutil/index.rst
index 5e3e63b2f..d7d943958 100644
--- a/doc/rst/legacy/tools/certutil/index.rst
+++ b/doc/rst/legacy/tools/certutil/index.rst
@@ -6,697 +6,697 @@ certutil
.. container::
| Name
- |    certutil — Manage keys and certificate in the NSS database.
+ | certutil — Manage keys and certificate in the NSS database.
| Synopsis
- |    certutil [options] `arguments <arguments>`__
+ | certutil [options] `arguments <arguments>`__
| Description
- |    The Certificate Database Tool, certutil, is a command-line utility that
- |    can create and modify certificate and key database files. It can also
- |    list, generate, modify, or delete certificates within the database, create
- |    or change the password, generate new public and private key pairs, display
- |    the contents of the key database, or delete key pairs within the key
- |    database.
- |    The key and certificate management process generally begins with creating
- |    keys in the key database, then generating and managing certificates in the
- |    certificate database. This document discusses certificate and key database
- |    management. For information security module database management, see the
- |    modutil manpages.
+ | The Certificate Database Tool, certutil, is a command-line utility that
+ | can create and modify certificate and key database files. It can also
+ | list, generate, modify, or delete certificates within the database, create
+ | or change the password, generate new public and private key pairs, display
+ | the contents of the key database, or delete key pairs within the key
+ | database.
+ | The key and certificate management process generally begins with creating
+ | keys in the key database, then generating and managing certificates in the
+ | certificate database. This document discusses certificate and key database
+ | management. For information security module database management, see the
+ | modutil manpages.
| Options and Arguments
- |    Running certutil always requires one (and only one) option to specify the
- |    type of certificate operation. Each option may take arguments, anywhere
- |    from none to multiple arguments. Run the command option and -H to see the
- |    arguments available for each command option.
- |    Options
- |    Options specify an action and are uppercase.
- |    -A
- |            Add an existing certificate to a certificate database. The
- |            certificate database should already exist; if one is not present,
- |            this option will initialize one by default.
- |    -B
- |            Run a series of commands from the specified batch file. This
- |            requires the -i argument.
- |    -C
- |            Create a new binary certificate file from a binary certificate
- |            request file. Use the -i argument to specify the certificate
- |            request file. If this argument is not used, certutil prompts for a
- |            filename.
- |    -D
- |            Delete a certificate from the certificate database.
- |    -E
- |            Add an email certificate to the certificate database.
- |    -F
- |            Delete a private key from a key database. Specify the key to
- |            delete with the -n argument. Specify the database from which to
- |            delete the key with the -d argument. Use the -k argument to
- |            specify explicitly whether to delete a DSA, RSA, or ECC key. If
- |            you don't use the -k argument, the option looks for an RSA key
- |            matching the specified nickname.
- |            When you delete keys, be sure to also remove any certificates
- |            associated with those keys from the certificate database, by using
- |            -D. Some smart cards (for example, the Litronic card) do not let
- |            you remove a public key you have generated. In such a case, only
- |            the private key is deleted from the key pair. You can display the
- |            public key with the command certutil -K -h tokenname.
- |    -G
- |            Generate a new public and private key pair within a key database.
- |            The key database should already exist; if one is not present, this
- |            option will initialize one by default. Some smart cards (for
- |            example, the Litronic card) can store only one key pair. If you
- |            create a new key pair for such a card, the previous pair is
- |            overwritten.
- |    -H
- |            Display a list of the options and arguments used by the
- |            Certificate Database Tool.
- |    -K
- |            List the key ID of keys in the key database. A key ID is the
- |            modulus of the RSA key or the publicValue of the DSA key. IDs are
- |            displayed in hexadecimal ("0x" is not shown).
- |    -L
- |            List all the certificates, or display information about a named
- |            certificate, in a certificate database. Use the -h tokenname
- |            argument to specify the certificate database on a particular
- |            hardware or software token.
- |    -M
- |            Modify a certificate's trust attributes using the values of the -t
- |            argument.
- |    -N
- |            Create new certificate and key databases.
- |    -O
- |            Print the certificate chain.
- |    -R
- |            Create a certificate request file that can be submitted to a
- |            Certificate Authority (CA) for processing into a finished
- |            certificate. Output defaults to standard out unless you use -o
- |            output-file argument. Use the -a argument to specify ASCII output.
- |    -S
- |            Create an individual certificate and add it to a certificate
- |            database.
- |    -T
- |            Reset the key database or token.
- |    -U
- |            List all available modules or print a single named module.
- |    -V
- |            Check the validity of a certificate and its attributes.
- |    -W
- |            Change the password to a key database.
- |    --merge
- |            Merge a source database into the target database. This is used to
- |            merge legacy NSS databases (cert8.db and key3.db) into the newer
- |            SQLite databases (cert9.db and key4.db).
- |    --upgrade-merge
- |            Upgrade an old database and merge it into a new database. This is
- |            used to migrate legacy NSS databases (cert8.db and key3.db) into
- |            the newer SQLite databases (cert9.db and key4.db).
- |    Arguments
- |    Option arguments modify an action and are lowercase.
- |    -a
- |            Use ASCII format or allow the use of ASCII format for input or
- |            output. This formatting follows RFC 1113. For certificate
- |            requests, ASCII output defaults to standard output unless
- |            redirected.
- |    -b validity-time
- |            Specify a time at which a certificate is required to be valid. Use
- |            when checking certificate validity with the -V option. The format
- |            of the validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z],
- |            which allows offsets to be set relative to the validity end time.
- |            Specifying seconds (SS) is optional. When specifying an explicit
- |            time, use a Z at the end of the term, YYMMDDHHMMSSZ, to close it.
- |            When specifying an offset time, use YYMMDDHHMMSS+HHMM or
- |            YYMMDDHHMMSS-HHMM for adding or subtracting time, respectively.
- |            If this option is not used, the validity check defaults to the
- |            current system time.
- |    -c issuer
- |            Identify the certificate of the CA from which a new certificate
- |            will derive its authenticity. Use the exact nickname or alias of
- |            the CA certificate, or use the CA's email address. Bracket the
- |            issuer string with quotation marks if it contains spaces.
- |    -d [sql:]directory
- |            Specify the database directory containing the certificate and key
- |            database files.
- |            certutil supports two types of databases: the legacy security
- |            databases (cert8.db, key3.db, and secmod.db) and new SQLite
- |            databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
- |            is not used, then the tool assumes that the given databases are in
- |            the old format.
- |    -e
- |            Check a certificate's signature during the process of validating a
- |            certificate.
- |    -f password-file
- |            Specify a file that will automatically supply the password to
- |            include in a certificate or to access a certificate database. This
- |            is a plain-text file containing one password. Be sure to prevent
- |            unauthorized access to this file.
- |    -g keysize
- |            Set a key size to use when generating new public and private key
- |            pairs. The minimum is 512 bits and the maximum is 8192 bits. The
- |            default is 1024 bits. Any size between the minimum and maximum is
- |            allowed.
- |    -h tokenname
- |            Specify the name of a token to use or act on. Unless specified
- |            otherwise the default token is an internal slot (specifically,
- |            internal slot 2). This slot can also be explicitly named with the
- |            string "internal". An internal slots is a virtual slot maintained
- |            in software, rather than a hardware device. Internal slot 2 is
- |            used by key and certificate services. Internal slot 1 is used by
- |            cryptographic services.
- |    -i input_file
- |            Pass an input file to the command. Depending on the command
- |            option, an input file can be a specific certificate, a certificate
- |            request file, or a batch file of commands.
- |    -k rsa|dsa|ec|all
- |            Specify the type of a key. The valid options are RSA, DSA, ECC, or
- |            all. The default value is rsa. Specifying the type of key can
- |            avoid mistakes caused by duplicate nicknames.
- |    -k key-type-or-id
- |            Specify the type or specific ID of a key. Giving a key type
- |            generates a new key pair; giving the ID of an existing key reuses
- |            that key pair (which is required to renew certificates).
- |    -l
- |            Display detailed information when validating a certificate with
- |            the -V option.
- |    -m serial-number
- |            Assign a unique serial number to a certificate being created. This
- |            operation should be performed by a CA. The default serial number
- |            is 0 (zero). Serial numbers are limited to integers.
- |    -n nickname
- |            Specify the nickname of a certificate or key to list, create, add
- |            to a database, modify, or validate. Bracket the nickname string
- |            with quotation marks if it contains spaces.
- |    -o output-file
- |            Specify the output file name for new certificates or binary
- |            certificate requests. Bracket the output-file string with
- |            quotation marks if it contains spaces. If this argument is not
- |            used the output destination defaults to standard output.
- |    -P dbPrefix
- |            Specify the prefix used on the certificate and key database file.
- |            This option is provided as a special case. Changing the names of
- |            the certificate and key databases is not recommended.
- |    -p phone
- |            Specify a contact telephone number to include in new certificates
- |            or certificate requests. Bracket this string with quotation marks
- |            if it contains spaces.
- |    -q pqgfile
- |            Read an alternate PQG value from the specified file when
- |            generating DSA key pairs. If this argument is not used, certutil
- |            generates its own PQG value. PQG files are created with a separate
- |            DSA utility.
- |    -q curve-name
- |            Set the elliptic curve name to use when generating ECC key pairs.
- |            A complete list of ECC curves is given in the help (-H).
- |    -r
- |            Display a certificate's binary DER encoding when listing
- |            information about that certificate with the -L option.
- |    -s subject
- |            Identify a particular certificate owner for new certificates or
- |            certificate requests. Bracket this string with quotation marks if
- |            it contains spaces. The subject identification format follows RFC
- |            #1485.
- |    -t trustargs
- |            Specify the trust attributes to modify in an existing certificate
- |            or to apply to a certificate when creating it or adding it to a
- |            database. There are three available trust categories for each
- |            certificate, expressed in the order SSL, email, object signing for
- |            each trust setting. In each category position, use none, any, or
- |            all of the attribute codes:
- |               o p - Valid peer
- |               o P - Trusted peer (implies p)
- |               o c - Valid CA
- |               o T - Trusted CA to issue client certificates (implies c)
- |               o C - Trusted CA to issue server certificates (SSL only)
- |                 (implies c)
- |               o u - Certificate can be used for authentication or signing
- |               o w - Send warning (use with other attributes to include a
- |                 warning when the certificate is used in that context)
- |            The attribute codes for the categories are separated by commas,
- |            and the entire set of attributes enclosed by quotation marks. For
- |            example:
- |            -t "TCu,Cu,Tuw"
- |            Use the -L option to see a list of the current certificates and
- |            trust attributes in a certificate database.
- |    -u certusage
- |            Specify a usage context to apply when validating a certificate
- |            with the -V option.
- |            The contexts are the following:
- |               o C (as an SSL client)
- |               o V (as an SSL server)
- |               o S (as an email signer)
- |               o R (as an email recipient)
- |               o O (as an OCSP status responder)
- |               o J (as an object signer)
- |    -v valid-months
- |            Set the number of months a new certificate will be valid. The
- |            validity period begins at the current system time unless an offset
- |            is added or subtracted with the -w option. If this argument is not
- |            used, the default validity period is three months. When this
- |            argument is used, the default three-month period is automatically
- |            added to any value given in the valid-month argument. For example,
- |            using this option to set a value of 3 would cause 3 to be added to
- |            the three-month default, creating a validity period of six months.
- |            You can use negative values to reduce the default period. For
- |            example, setting a value of -2 would subtract 2 from the default
- |            and create a validity period of one month.
- |    -w offset-months
- |            Set an offset from the current system time, in months, for the
- |            beginning of a certificate's validity period. Use when creating
- |            the certificate or adding it to a database. Express the offset in
- |            integers, using a minus sign (-) to indicate a negative offset. If
- |            this argument is not used, the validity period begins at the
- |            current system time. The length of the validity period is set with
- |            the -v argument.
- |    -X
- |            Force the key and certificate database to open in read-write mode.
- |            This is used with the -U and -L command options.
- |    -x
- |            Use certutil to generate the signature for a certificate being
- |            created or added to a database, rather than obtaining a signature
- |            from a separate CA.
- |    -y exp
- |            Set an alternate exponent value to use in generating a new RSA
- |            public key for the database, instead of the default value of
- |            65537. The available alternate values are 3 and 17.
- |    -z noise-file
- |            Read a seed value from the specified file to generate a new
- |            private and public key pair. This argument makes it possible to
- |            use hardware-generated seed values or manually create a value from
- |            the keyboard. The minimum file size is 20 bytes.
- |    -0 SSO_password
- |            Set a site security officer password on a token.
- |    -1 \| --keyUsage keyword,keyword
- |            Set a Netscape Certificate Type Extension in the certificate.
- |            There are several available keywords:
- |               o digital signature
- |               o nonRepudiation
- |               o keyEncipherment
- |               o dataEncipherment
- |               o keyAgreement
- |               o certSigning
- |               o crlSigning
- |               o critical
- |    -2
- |            Add a basic constraint extension to a certificate that is being
- |            created or added to a database. This extension supports the
- |            certificate chain verification process. certutil prompts for the
- |            certificate constraint extension to select.
- |            X.509 certificate extensions are described in RFC 5280.
- |    -3
- |            Add an authority key ID extension to a certificate that is being
- |            created or added to a database. This extension supports the
- |            identification of a particular certificate, from among multiple
- |            certificates associated with one subject name, as the correct
- |            issuer of a certificate. The Certificate Database Tool will prompt
- |            you to select the authority key ID extension.
- |            X.509 certificate extensions are described in RFC 5280.
- |    -4
- |            Add a CRL distribution point extension to a certificate that is
- |            being created or added to a database. This extension identifies
- |            the URL of a certificate's associated certificate revocation list
- |            (CRL). certutil prompts for the URL.
- |            X.509 certificate extensions are described in RFC 5280.
- |    -5 \| --nsCertType keyword,keyword
- |            Add a Netscape certificate type extension to a certificate that is
- |            being created or added to the database. There are several
- |            available keywords:
- |               o sslClient
- |               o sslServer
- |               o smime
- |               o objectSigning
- |               o sslCA
- |               o smimeCA
- |               o objectSigningCA
- |               o critical
- |            X.509 certificate extensions are described in RFC 5280.
- |    -6 \| --extKeyUsage keyword,keyword
- |            Add an extended key usage extension to a certificate that is being
- |            created or added to the database. Several keywords are available:
- |               o serverAuth
- |               o clientAuth
- |               o codeSigning
- |               o emailProtection
- |               o timeStamp
- |               o ocspResponder
- |               o stepUp
- |               o critical
- |            X.509 certificate extensions are described in RFC 5280.
- |    -7 emailAddrs
- |            Add a comma-separated list of email addresses to the subject
- |            alternative name extension of a certificate or certificate request
- |            that is being created or added to the database. Subject
- |            alternative name extensions are described in Section 4.2.1.7 of
- |            RFC 3280.
- |    -8 dns-names
- |            Add a comma-separated list of DNS names to the subject alternative
- |            name extension of a certificate or certificate request that is
- |            being created or added to the database. Subject alternative name
- |            extensions are described in Section 4.2.1.7 of RFC 3280.
- |    --extAIA
- |            Add the Authority Information Access extension to the certificate.
- |            X.509 certificate extensions are described in RFC 5280.
- |    --extSIA
- |            Add the Subject Information Access extension to the certificate.
- |            X.509 certificate extensions are described in RFC 5280.
- |    --extCP
- |            Add the Certificate Policies extension to the certificate. X.509
- |            certificate extensions are described in RFC 5280.
- |    --extPM
- |            Add the Policy Mappings extension to the certificate. X.509
- |            certificate extensions are described in RFC 5280.
- |    --extPC
- |            Add the Policy Constraints extension to the certificate. X.509
- |            certificate extensions are described in RFC 5280.
- |    --extIA
- |            Add the Inhibit Any Policy Access extension to the certificate.
- |            X.509 certificate extensions are described in RFC 5280.
- |    --extSKID
- |            Add the Subject Key ID extension to the certificate. X.509
- |            certificate extensions are described in RFC 5280.
- |    --source-dir certdir
- |            Identify the certificate database directory to upgrade.
- |    --source-prefix certdir
- |            Give the prefix of the certificate and key databases to upgrade.
- |    --upgrade-id uniqueID
- |            Give the unique ID of the database to upgrade.
- |    --upgrade-token-name name
- |            Set the name of the token to use while it is being upgraded.
- |    -@ pwfile
- |            Give the name of a password file to use for the database being
- |            upgraded.
+ | Running certutil always requires one (and only one) option to specify the
+ | type of certificate operation. Each option may take arguments, anywhere
+ | from none to multiple arguments. Run the command option and -H to see the
+ | arguments available for each command option.
+ | Options
+ | Options specify an action and are uppercase.
+ | -A
+ | Add an existing certificate to a certificate database. The
+ | certificate database should already exist; if one is not present,
+ | this option will initialize one by default.
+ | -B
+ | Run a series of commands from the specified batch file. This
+ | requires the -i argument.
+ | -C
+ | Create a new binary certificate file from a binary certificate
+ | request file. Use the -i argument to specify the certificate
+ | request file. If this argument is not used, certutil prompts for a
+ | filename.
+ | -D
+ | Delete a certificate from the certificate database.
+ | -E
+ | Add an email certificate to the certificate database.
+ | -F
+ | Delete a private key from a key database. Specify the key to
+ | delete with the -n argument. Specify the database from which to
+ | delete the key with the -d argument. Use the -k argument to
+ | specify explicitly whether to delete a DSA, RSA, or ECC key. If
+ | you don't use the -k argument, the option looks for an RSA key
+ | matching the specified nickname.
+ | When you delete keys, be sure to also remove any certificates
+ | associated with those keys from the certificate database, by using
+ | -D. Some smart cards (for example, the Litronic card) do not let
+ | you remove a public key you have generated. In such a case, only
+ | the private key is deleted from the key pair. You can display the
+ | public key with the command certutil -K -h tokenname.
+ | -G
+ | Generate a new public and private key pair within a key database.
+ | The key database should already exist; if one is not present, this
+ | option will initialize one by default. Some smart cards (for
+ | example, the Litronic card) can store only one key pair. If you
+ | create a new key pair for such a card, the previous pair is
+ | overwritten.
+ | -H
+ | Display a list of the options and arguments used by the
+ | Certificate Database Tool.
+ | -K
+ | List the key ID of keys in the key database. A key ID is the
+ | modulus of the RSA key or the publicValue of the DSA key. IDs are
+ | displayed in hexadecimal ("0x" is not shown).
+ | -L
+ | List all the certificates, or display information about a named
+ | certificate, in a certificate database. Use the -h tokenname
+ | argument to specify the certificate database on a particular
+ | hardware or software token.
+ | -M
+ | Modify a certificate's trust attributes using the values of the -t
+ | argument.
+ | -N
+ | Create new certificate and key databases.
+ | -O
+ | Print the certificate chain.
+ | -R
+ | Create a certificate request file that can be submitted to a
+ | Certificate Authority (CA) for processing into a finished
+ | certificate. Output defaults to standard out unless you use -o
+ | output-file argument. Use the -a argument to specify ASCII output.
+ | -S
+ | Create an individual certificate and add it to a certificate
+ | database.
+ | -T
+ | Reset the key database or token.
+ | -U
+ | List all available modules or print a single named module.
+ | -V
+ | Check the validity of a certificate and its attributes.
+ | -W
+ | Change the password to a key database.
+ | --merge
+ | Merge a source database into the target database. This is used to
+ | merge legacy NSS databases (cert8.db and key3.db) into the newer
+ | SQLite databases (cert9.db and key4.db).
+ | --upgrade-merge
+ | Upgrade an old database and merge it into a new database. This is
+ | used to migrate legacy NSS databases (cert8.db and key3.db) into
+ | the newer SQLite databases (cert9.db and key4.db).
+ | Arguments
+ | Option arguments modify an action and are lowercase.
+ | -a
+ | Use ASCII format or allow the use of ASCII format for input or
+ | output. This formatting follows RFC 1113. For certificate
+ | requests, ASCII output defaults to standard output unless
+ | redirected.
+ | -b validity-time
+ | Specify a time at which a certificate is required to be valid. Use
+ | when checking certificate validity with the -V option. The format
+ | of the validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z],
+ | which allows offsets to be set relative to the validity end time.
+ | Specifying seconds (SS) is optional. When specifying an explicit
+ | time, use a Z at the end of the term, YYMMDDHHMMSSZ, to close it.
+ | When specifying an offset time, use YYMMDDHHMMSS+HHMM or
+ | YYMMDDHHMMSS-HHMM for adding or subtracting time, respectively.
+ | If this option is not used, the validity check defaults to the
+ | current system time.
+ | -c issuer
+ | Identify the certificate of the CA from which a new certificate
+ | will derive its authenticity. Use the exact nickname or alias of
+ | the CA certificate, or use the CA's email address. Bracket the
+ | issuer string with quotation marks if it contains spaces.
+ | -d [sql:]directory
+ | Specify the database directory containing the certificate and key
+ | database files.
+ | certutil supports two types of databases: the legacy security
+ | databases (cert8.db, key3.db, and secmod.db) and new SQLite
+ | databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
+ | is not used, then the tool assumes that the given databases are in
+ | the old format.
+ | -e
+ | Check a certificate's signature during the process of validating a
+ | certificate.
+ | -f password-file
+ | Specify a file that will automatically supply the password to
+ | include in a certificate or to access a certificate database. This
+ | is a plain-text file containing one password. Be sure to prevent
+ | unauthorized access to this file.
+ | -g keysize
+ | Set a key size to use when generating new public and private key
+ | pairs. The minimum is 512 bits and the maximum is 8192 bits. The
+ | default is 1024 bits. Any size between the minimum and maximum is
+ | allowed.
+ | -h tokenname
+ | Specify the name of a token to use or act on. Unless specified
+ | otherwise the default token is an internal slot (specifically,
+ | internal slot 2). This slot can also be explicitly named with the
+ | string "internal". An internal slots is a virtual slot maintained
+ | in software, rather than a hardware device. Internal slot 2 is
+ | used by key and certificate services. Internal slot 1 is used by
+ | cryptographic services.
+ | -i input_file
+ | Pass an input file to the command. Depending on the command
+ | option, an input file can be a specific certificate, a certificate
+ | request file, or a batch file of commands.
+ | -k rsa|dsa|ec|all
+ | Specify the type of a key. The valid options are RSA, DSA, ECC, or
+ | all. The default value is rsa. Specifying the type of key can
+ | avoid mistakes caused by duplicate nicknames.
+ | -k key-type-or-id
+ | Specify the type or specific ID of a key. Giving a key type
+ | generates a new key pair; giving the ID of an existing key reuses
+ | that key pair (which is required to renew certificates).
+ | -l
+ | Display detailed information when validating a certificate with
+ | the -V option.
+ | -m serial-number
+ | Assign a unique serial number to a certificate being created. This
+ | operation should be performed by a CA. The default serial number
+ | is 0 (zero). Serial numbers are limited to integers.
+ | -n nickname
+ | Specify the nickname of a certificate or key to list, create, add
+ | to a database, modify, or validate. Bracket the nickname string
+ | with quotation marks if it contains spaces.
+ | -o output-file
+ | Specify the output file name for new certificates or binary
+ | certificate requests. Bracket the output-file string with
+ | quotation marks if it contains spaces. If this argument is not
+ | used the output destination defaults to standard output.
+ | -P dbPrefix
+ | Specify the prefix used on the certificate and key database file.
+ | This option is provided as a special case. Changing the names of
+ | the certificate and key databases is not recommended.
+ | -p phone
+ | Specify a contact telephone number to include in new certificates
+ | or certificate requests. Bracket this string with quotation marks
+ | if it contains spaces.
+ | -q pqgfile
+ | Read an alternate PQG value from the specified file when
+ | generating DSA key pairs. If this argument is not used, certutil
+ | generates its own PQG value. PQG files are created with a separate
+ | DSA utility.
+ | -q curve-name
+ | Set the elliptic curve name to use when generating ECC key pairs.
+ | A complete list of ECC curves is given in the help (-H).
+ | -r
+ | Display a certificate's binary DER encoding when listing
+ | information about that certificate with the -L option.
+ | -s subject
+ | Identify a particular certificate owner for new certificates or
+ | certificate requests. Bracket this string with quotation marks if
+ | it contains spaces. The subject identification format follows RFC
+ | #1485.
+ | -t trustargs
+ | Specify the trust attributes to modify in an existing certificate
+ | or to apply to a certificate when creating it or adding it to a
+ | database. There are three available trust categories for each
+ | certificate, expressed in the order SSL, email, object signing for
+ | each trust setting. In each category position, use none, any, or
+ | all of the attribute codes:
+ | o p - Valid peer
+ | o P - Trusted peer (implies p)
+ | o c - Valid CA
+ | o T - Trusted CA to issue client certificates (implies c)
+ | o C - Trusted CA to issue server certificates (SSL only)
+ | (implies c)
+ | o u - Certificate can be used for authentication or signing
+ | o w - Send warning (use with other attributes to include a
+ | warning when the certificate is used in that context)
+ | The attribute codes for the categories are separated by commas,
+ | and the entire set of attributes enclosed by quotation marks. For
+ | example:
+ | -t "TCu,Cu,Tuw"
+ | Use the -L option to see a list of the current certificates and
+ | trust attributes in a certificate database.
+ | -u certusage
+ | Specify a usage context to apply when validating a certificate
+ | with the -V option.
+ | The contexts are the following:
+ | o C (as an SSL client)
+ | o V (as an SSL server)
+ | o S (as an email signer)
+ | o R (as an email recipient)
+ | o O (as an OCSP status responder)
+ | o J (as an object signer)
+ | -v valid-months
+ | Set the number of months a new certificate will be valid. The
+ | validity period begins at the current system time unless an offset
+ | is added or subtracted with the -w option. If this argument is not
+ | used, the default validity period is three months. When this
+ | argument is used, the default three-month period is automatically
+ | added to any value given in the valid-month argument. For example,
+ | using this option to set a value of 3 would cause 3 to be added to
+ | the three-month default, creating a validity period of six months.
+ | You can use negative values to reduce the default period. For
+ | example, setting a value of -2 would subtract 2 from the default
+ | and create a validity period of one month.
+ | -w offset-months
+ | Set an offset from the current system time, in months, for the
+ | beginning of a certificate's validity period. Use when creating
+ | the certificate or adding it to a database. Express the offset in
+ | integers, using a minus sign (-) to indicate a negative offset. If
+ | this argument is not used, the validity period begins at the
+ | current system time. The length of the validity period is set with
+ | the -v argument.
+ | -X
+ | Force the key and certificate database to open in read-write mode.
+ | This is used with the -U and -L command options.
+ | -x
+ | Use certutil to generate the signature for a certificate being
+ | created or added to a database, rather than obtaining a signature
+ | from a separate CA.
+ | -y exp
+ | Set an alternate exponent value to use in generating a new RSA
+ | public key for the database, instead of the default value of
+ | 65537. The available alternate values are 3 and 17.
+ | -z noise-file
+ | Read a seed value from the specified file to generate a new
+ | private and public key pair. This argument makes it possible to
+ | use hardware-generated seed values or manually create a value from
+ | the keyboard. The minimum file size is 20 bytes.
+ | -0 SSO_password
+ | Set a site security officer password on a token.
+ | -1 \| --keyUsage keyword,keyword
+ | Set a Netscape Certificate Type Extension in the certificate.
+ | There are several available keywords:
+ | o digital signature
+ | o nonRepudiation
+ | o keyEncipherment
+ | o dataEncipherment
+ | o keyAgreement
+ | o certSigning
+ | o crlSigning
+ | o critical
+ | -2
+ | Add a basic constraint extension to a certificate that is being
+ | created or added to a database. This extension supports the
+ | certificate chain verification process. certutil prompts for the
+ | certificate constraint extension to select.
+ | X.509 certificate extensions are described in RFC 5280.
+ | -3
+ | Add an authority key ID extension to a certificate that is being
+ | created or added to a database. This extension supports the
+ | identification of a particular certificate, from among multiple
+ | certificates associated with one subject name, as the correct
+ | issuer of a certificate. The Certificate Database Tool will prompt
+ | you to select the authority key ID extension.
+ | X.509 certificate extensions are described in RFC 5280.
+ | -4
+ | Add a CRL distribution point extension to a certificate that is
+ | being created or added to a database. This extension identifies
+ | the URL of a certificate's associated certificate revocation list
+ | (CRL). certutil prompts for the URL.
+ | X.509 certificate extensions are described in RFC 5280.
+ | -5 \| --nsCertType keyword,keyword
+ | Add a Netscape certificate type extension to a certificate that is
+ | being created or added to the database. There are several
+ | available keywords:
+ | o sslClient
+ | o sslServer
+ | o smime
+ | o objectSigning
+ | o sslCA
+ | o smimeCA
+ | o objectSigningCA
+ | o critical
+ | X.509 certificate extensions are described in RFC 5280.
+ | -6 \| --extKeyUsage keyword,keyword
+ | Add an extended key usage extension to a certificate that is being
+ | created or added to the database. Several keywords are available:
+ | o serverAuth
+ | o clientAuth
+ | o codeSigning
+ | o emailProtection
+ | o timeStamp
+ | o ocspResponder
+ | o stepUp
+ | o critical
+ | X.509 certificate extensions are described in RFC 5280.
+ | -7 emailAddrs
+ | Add a comma-separated list of email addresses to the subject
+ | alternative name extension of a certificate or certificate request
+ | that is being created or added to the database. Subject
+ | alternative name extensions are described in Section 4.2.1.7 of
+ | RFC 3280.
+ | -8 dns-names
+ | Add a comma-separated list of DNS names to the subject alternative
+ | name extension of a certificate or certificate request that is
+ | being created or added to the database. Subject alternative name
+ | extensions are described in Section 4.2.1.7 of RFC 3280.
+ | --extAIA
+ | Add the Authority Information Access extension to the certificate.
+ | X.509 certificate extensions are described in RFC 5280.
+ | --extSIA
+ | Add the Subject Information Access extension to the certificate.
+ | X.509 certificate extensions are described in RFC 5280.
+ | --extCP
+ | Add the Certificate Policies extension to the certificate. X.509
+ | certificate extensions are described in RFC 5280.
+ | --extPM
+ | Add the Policy Mappings extension to the certificate. X.509
+ | certificate extensions are described in RFC 5280.
+ | --extPC
+ | Add the Policy Constraints extension to the certificate. X.509
+ | certificate extensions are described in RFC 5280.
+ | --extIA
+ | Add the Inhibit Any Policy Access extension to the certificate.
+ | X.509 certificate extensions are described in RFC 5280.
+ | --extSKID
+ | Add the Subject Key ID extension to the certificate. X.509
+ | certificate extensions are described in RFC 5280.
+ | --source-dir certdir
+ | Identify the certificate database directory to upgrade.
+ | --source-prefix certdir
+ | Give the prefix of the certificate and key databases to upgrade.
+ | --upgrade-id uniqueID
+ | Give the unique ID of the database to upgrade.
+ | --upgrade-token-name name
+ | Set the name of the token to use while it is being upgraded.
+ | -@ pwfile
+ | Give the name of a password file to use for the database being
+ | upgraded.
| Usage and Examples
- |    Most of the command options in the examples listed here have more
- |    arguments available. The arguments included in these examples are the most
- |    common ones or are used to illustrate a specific scenario. Use the -H
- |    option to show the complete list of arguments for each command option.
- |    Creating New Security Databases
- |    Certificates, keys, and security modules related to managing certificates
- |    are stored in three related databases:
- |      o cert8.db or cert9.db
- |      o key3.db or key4.db
- |      o secmod.db or pkcs11.txt
- |    These databases must be created before certificates or keys can be
- |    generated.
- |  certutil -N -d [sql:]directory
- |    Creating a Certificate Request
- |    A certificate request contains most or all of the information that is used
- |    to generate the final certificate. This request is submitted separately to
- |    a certificate authority and is then approved by some mechanism
- |    (automatically or by human review). Once the request is approved, then the
- |    certificate is generated.
- |  $ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname]
+ | Most of the command options in the examples listed here have more
+ | arguments available. The arguments included in these examples are the most
+ | common ones or are used to illustrate a specific scenario. Use the -H
+ | option to show the complete list of arguments for each command option.
+ | Creating New Security Databases
+ | Certificates, keys, and security modules related to managing certificates
+ | are stored in three related databases:
+ | o cert8.db or cert9.db
+ | o key3.db or key4.db
+ | o secmod.db or pkcs11.txt
+ | These databases must be created before certificates or keys can be
+ | generated.
+ | certutil -N -d [sql:]directory
+ | Creating a Certificate Request
+ | A certificate request contains most or all of the information that is used
+ | to generate the final certificate. This request is submitted separately to
+ | a certificate authority and is then approved by some mechanism
+ | (automatically or by human review). Once the request is approved, then the
+ | certificate is generated.
+ | $ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname]
-d [sql:]directory [-p phone] [-o output-file] [-a]
- |    The -R command options requires four arguments:
- |      o -k to specify either the key type to generate or, when renewing a
- |        certificate, the existing key pair to use
- |      o -g to set the keysize of the key to generate
- |      o -s to set the subject name of the certificate
- |      o -d to give the security database directory
- |    The new certificate request can be output in ASCII format (-a) or can be
- |    written to a specified file (-o).
- |    For example:
- |  $ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain
+ | The -R command options requires four arguments:
+ | o -k to specify either the key type to generate or, when renewing a
+ | certificate, the existing key pair to use
+ | o -g to set the keysize of the key to generate
+ | o -s to set the subject name of the certificate
+ | o -d to give the security database directory
+ | The new certificate request can be output in ASCII format (-a) or can be
+ | written to a specified file (-o).
+ | For example:
+ | $ certutil -R -k ec -q nistb409 -g 512 -s "CN=John Smith,O=Example Corp,L=Mountain
View,ST=California,C=US" -d sql:/home/my/sharednssdb -p 650-555-0123 -a -o cert.cer
- |  Generating key.  This may take a few moments...
- |  Certificate request generated by Netscape
- |  Phone: 650-555-0123
- |  Common Name: John Smith
- |  Email: (not ed)
- |  Organization: Example Corp
- |  State: California
- |  Country: US
- |  -----BEGIN NEW CERTIFICATE REQUEST-----
- |  MIIBIDCBywIBADBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
- |  MBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMRMw
- |  EQYDVQQDEwpKb2huIFNtaXRoMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ
- |  KmHnOx7reP8Cc0Lk+fFWEuYIDX9W5K/BioQOKvEjXyQZhit9aThzBVMoSf1Y1S8J
- |  CzdUbCg1+IbnXaECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAryqZvpYrUtQ486Ny
- |  qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
- |  1hP9Gg==
- |  -----END NEW CERTIFICATE REQUEST-----
- |    Creating a Certificate
- |    A valid certificate must be issued by a trusted CA. This can be done by
- |    specifying a CA certificate (-c) that is stored in the certificate
- |    database. If a CA key pair is not available, you can create a self-signed
- |    certificate using the -x argument with the -S command option.
- |  $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer \|-x] -t trustargs -d
+ | Generating key. This may take a few moments...
+ | Certificate request generated by Netscape
+ | Phone: 650-555-0123
+ | Common Name: John Smith
+ | Email: (not ed)
+ | Organization: Example Corp
+ | State: California
+ | Country: US
+ | -----BEGIN NEW CERTIFICATE REQUEST-----
+ | MIIBIDCBywIBADBmMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
+ | MBQGA1UEBxMNTW91bnRhaW4gVmlldzEVMBMGA1UEChMMRXhhbXBsZSBDb3JwMRMw
+ | EQYDVQQDEwpKb2huIFNtaXRoMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ
+ | KmHnOx7reP8Cc0Lk+fFWEuYIDX9W5K/BioQOKvEjXyQZhit9aThzBVMoSf1Y1S8J
+ | CzdUbCg1+IbnXaECAwEAAaAAMA0GCSqGSIb3DQEBBQUAA0EAryqZvpYrUtQ486Ny
+ | qmtyQNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB
+ | 1hP9Gg==
+ | -----END NEW CERTIFICATE REQUEST-----
+ | Creating a Certificate
+ | A valid certificate must be issued by a trusted CA. This can be done by
+ | specifying a CA certificate (-c) that is stored in the certificate
+ | database. If a CA key pair is not available, you can create a self-signed
+ | certificate using the -x argument with the -S command option.
+ | $ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer \|-x] -t trustargs -d
[sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2]
[-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA]
[--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]
- |    The series of numbers and --ext\* options set certificate extensions that
- |    can be added to the certificate when it is generated by the CA.
- |    For example, this creates a self-signed certificate:
- |  $ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650
- |    From there, new certificates can reference the self-signed certificate:
- |  $ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8
+ | The series of numbers and --ext\* options set certificate extensions that
+ | can be added to the certificate when it is generated by the CA.
+ | For example, this creates a self-signed certificate:
+ | $ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650
+ | From there, new certificates can reference the self-signed certificate:
+ | $ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t "u,u,u" -1 -5 -6 -8
-m 730
- |    Generating a Certificate from a Certificate Request
- |    When a certificate request is created, a certificate can be generated by
- |    using the request and then referencing a certificate authority signing
- |    certificate (the issuer specified in the -c argument). The issuing
- |    certificate must be in the certificate database in the specified
- |    directory.
- |  certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months]
+ | Generating a Certificate from a Certificate Request
+ | When a certificate request is created, a certificate can be generated by
+ | using the request and then referencing a certificate authority signing
+ | certificate (the issuer specified in the -c argument). The issuing
+ | certificate must be in the certificate database in the specified
+ | directory.
+ | certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months]
[-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7
emailAddress] [-8 dns-names]
- |    For example:
- |  $ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d
+ | For example:
+ | $ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d
sql:/home/my/sharednssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7
jsmith@example.com
- |    Generating Key Pairs
- |    Key pairs are generated automatically with a certificate request or
- |    certificate, but they can also be generated independently using the -G
- |    command option.
- |  certutil -G -d [sql:]directory \| -h tokenname -k key-type -g key-size [-y exponent-value] -q
+ | Generating Key Pairs
+ | Key pairs are generated automatically with a certificate request or
+ | certificate, but they can also be generated independently using the -G
+ | command option.
+ | certutil -G -d [sql:]directory \| -h tokenname -k key-type -g key-size [-y exponent-value] -q
pqgfile|curve-name
- |    For example:
- |  $ certutil -G -h lunasa -k ec -g 256 -q sect193r2
- |    Listing Certificates
- |    The -L command option lists all of the certificates listed in the
- |    certificate database. The path to the directory (-d) is required.
- |  $ certutil -L -d sql:/home/my/sharednssdb
- |  Certificate Nickname                                         Trust Attributes
- |                                                               SSL,S/MIME,JAR/XPI
- |  CA Administrator of Instance pki-ca1's Example Domain ID     u,u,u
- |  TPS Administrator's Example Domain ID                        u,u,u
- |  Google Internet Authority                                    ,,
- |  Certificate Authority - Example Domain                       CT,C,C
- |    Using additional arguments with -L can return and print the information
- |    for a single, specific certificate. For example, the -n argument passes
- |    the certificate name, while the -a argument prints the certificate in
- |    ASCII format:
- |  $ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority - Example Domain"
- |  -----BEGIN CERTIFICATE-----
- |  MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt
- |  cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw
- |  MDQyOTIxNTY1OFoXDTEyMDQxODIxNTY1OFowOTEXMBUGA1UEChMORXhhbXBsZSBE
- |  b21haW4xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZI
- |  hvcNAQEBBQADggEPADCCAQoCggEBAO/bqUli2KwqXFKmMMG93KN1SANzNTXA/Vlf
- |  Tmrih3hQgjvR1ktIY9aG6cB7DSKWmtHp/+p4PUCMqL4ZrSGt901qxkePyZ2dYmM2
- |  RnelK+SEUIPiUtoZaDhNdiYsE/yuDE8vQWj0vHCVL0w72qFUcSQ/WZT7FCrnUIUI
- |  udeWnoPSUn70gLhcj/lvxl7K9BHyD4Sq5CzktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2
- |  bP4iRMfloGqsxGuB1evWVDF1haGpFDSPgMnEPSLg3/3dXn+HDJbZ29EU8/xKzQEb
- |  3V0AHKbu80zGllLEt2Zx/WDIrgJEN9yMfgKFpcmL+BvIRsmh0VsCAwEAAaOBqzCB
- |  qDAfBgNVHSMEGDAWgBQATgxHQyRUfKIZtdp55bZlFr+tFzAPBgNVHRMBAf8EBTAD
- |  AQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/
- |  rRcwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0
- |  LmxvY2FsZG9tYWluOjkxODAvY2Evb2NzcDANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk
- |  L3XO43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3KROLWeKVZZZa2E2Hnsvf2uXbk5amKe
- |  lRxdSeRH9g85pv4KY7Z8xZ71NrI3+K3uwmnqkc6t0hhYb1mw/gx8OAAoluQx3biX
- |  JBDxjI73Cf7XUopplHBjjiwyGIJUO8BEZJ5L+TF4P38MJz1snLtzZpEAX5bl0U76
- |  bfu/tZFWBbE8YAWYtkCtMcalBPj6jn2WD3M01kGozW4mmbvsj1cRB9HnsGsqyHCu
- |  U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a
- |  nI7q5n1USM3eWQlVXw==
- |  -----END CERTIFICATE-----
- |    Listing Keys
- |    Keys are the original material used to encrypt certificate data. The keys
- |    generated for certificates are stored separately, in the key database.
- |    To list all keys in the database, use the -K command option and the
- |    (required) -d argument to give the path to the directory.
- |  $ certutil -K -d sql:/home/my/sharednssdb
- |  certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate
- Services                  "
- |  < 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail Member's Thawte
+ | For example:
+ | $ certutil -G -h lunasa -k ec -g 256 -q sect193r2
+ | Listing Certificates
+ | The -L command option lists all of the certificates listed in the
+ | certificate database. The path to the directory (-d) is required.
+ | $ certutil -L -d sql:/home/my/sharednssdb
+ | Certificate Nickname Trust Attributes
+ | SSL,S/MIME,JAR/XPI
+ | CA Administrator of Instance pki-ca1's Example Domain ID u,u,u
+ | TPS Administrator's Example Domain ID u,u,u
+ | Google Internet Authority ,,
+ | Certificate Authority - Example Domain CT,C,C
+ | Using additional arguments with -L can return and print the information
+ | for a single, specific certificate. For example, the -n argument passes
+ | the certificate name, while the -a argument prints the certificate in
+ | ASCII format:
+ | $ certutil -L -d sql:/home/my/sharednssdb -a -n "Certificate Authority - Example Domain"
+ | -----BEGIN CERTIFICATE-----
+ | MIIDmTCCAoGgAwIBAgIBATANBgkqhkiG9w0BAQUFADA5MRcwFQYDVQQKEw5FeGFt
+ | cGxlIERvbWFpbjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEw
+ | MDQyOTIxNTY1OFoXDTEyMDQxODIxNTY1OFowOTEXMBUGA1UEChMORXhhbXBsZSBE
+ | b21haW4xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0eTCCASIwDQYJKoZI
+ | hvcNAQEBBQADggEPADCCAQoCggEBAO/bqUli2KwqXFKmMMG93KN1SANzNTXA/Vlf
+ | Tmrih3hQgjvR1ktIY9aG6cB7DSKWmtHp/+p4PUCMqL4ZrSGt901qxkePyZ2dYmM2
+ | RnelK+SEUIPiUtoZaDhNdiYsE/yuDE8vQWj0vHCVL0w72qFUcSQ/WZT7FCrnUIUI
+ | udeWnoPSUn70gLhcj/lvxl7K9BHyD4Sq5CzktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2
+ | bP4iRMfloGqsxGuB1evWVDF1haGpFDSPgMnEPSLg3/3dXn+HDJbZ29EU8/xKzQEb
+ | 3V0AHKbu80zGllLEt2Zx/WDIrgJEN9yMfgKFpcmL+BvIRsmh0VsCAwEAAaOBqzCB
+ | qDAfBgNVHSMEGDAWgBQATgxHQyRUfKIZtdp55bZlFr+tFzAPBgNVHRMBAf8EBTAD
+ | AQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/
+ | rRcwRQYIKwYBBQUHAQEEOTA3MDUGCCsGAQUFBzABhilodHRwOi8vbG9jYWxob3N0
+ | LmxvY2FsZG9tYWluOjkxODAvY2Evb2NzcDANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk
+ | L3XO43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3KROLWeKVZZZa2E2Hnsvf2uXbk5amKe
+ | lRxdSeRH9g85pv4KY7Z8xZ71NrI3+K3uwmnqkc6t0hhYb1mw/gx8OAAoluQx3biX
+ | JBDxjI73Cf7XUopplHBjjiwyGIJUO8BEZJ5L+TF4P38MJz1snLtzZpEAX5bl0U76
+ | bfu/tZFWBbE8YAWYtkCtMcalBPj6jn2WD3M01kGozW4mmbvsj1cRB9HnsGsqyHCu
+ | U0ujlL1H/RWcjn607+CTeKH9jLMUqCIqPJNOa+kq/6F7NhNRRiuzASIbZc30BZ5a
+ | nI7q5n1USM3eWQlVXw==
+ | -----END CERTIFICATE-----
+ | Listing Keys
+ | Keys are the original material used to encrypt certificate data. The keys
+ | generated for certificates are stored separately, in the key database.
+ | To list all keys in the database, use the -K command option and the
+ | (required) -d argument to give the path to the directory.
+ | $ certutil -K -d sql:/home/my/sharednssdb
+ | certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate
+ Services "
+ | < 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member's Thawte
Consulting (Pty) Ltd. ID
- |  < 1> rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain Administrator Cert
- |  < 2> rsa      1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5   John Smith user cert
- |    There are ways to narrow the keys listed in the search results:
- |      o To return a specific key, use the -n name argument with the name of
- |        the key.
- |      o If there are multiple security devices loaded, then the -h tokenname
- |        argument can search a specific token or all tokens.
- |      o If there are multiple key types available, then the -k key-type
- |        argument can search a specific type of key, like RSA, DSA, or ECC.
- |    Listing Security Modules
- |    The devices that can be used to store certificates -- both internal
- |    databases and external devices like smart cards -- are recognized and used
- |    by loading security modules. The -U command option lists all of the
- |    security modules listed in the secmod.db database. The path to the
- |    directory (-d) is required.
- |  $ certutil -U -d sql:/home/my/sharednssdb
- |      slot: NSS User Private Key and Certificate Services
- |     token: NSS Certificate DB
- |      slot: NSS Internal Cryptographic Services
- |     token: NSS Generic Crypto Services
- |    Adding Certificates to the Database
- |    Existing certificates or certificate requests can be added manually to the
- |    certificate database, even if they were generated elsewhere. This uses the
- |    -A command option.
- |  certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]
- |    For example:
- |  $ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d sql:/home/my/sharednssdb -i
+ | < 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert
+ | < 2> rsa 1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5 John Smith user cert
+ | There are ways to narrow the keys listed in the search results:
+ | o To return a specific key, use the -n name argument with the name of
+ | the key.
+ | o If there are multiple security devices loaded, then the -h tokenname
+ | argument can search a specific token or all tokens.
+ | o If there are multiple key types available, then the -k key-type
+ | argument can search a specific type of key, like RSA, DSA, or ECC.
+ | Listing Security Modules
+ | The devices that can be used to store certificates -- both internal
+ | databases and external devices like smart cards -- are recognized and used
+ | by loading security modules. The -U command option lists all of the
+ | security modules listed in the secmod.db database. The path to the
+ | directory (-d) is required.
+ | $ certutil -U -d sql:/home/my/sharednssdb
+ | slot: NSS User Private Key and Certificate Services
+ | token: NSS Certificate DB
+ | slot: NSS Internal Cryptographic Services
+ | token: NSS Generic Crypto Services
+ | Adding Certificates to the Database
+ | Existing certificates or certificate requests can be added manually to the
+ | certificate database, even if they were generated elsewhere. This uses the
+ | -A command option.
+ | certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file]
+ | For example:
+ | $ certutil -A -n "CN=My SSL Certificate" -t "u,u,u" -d sql:/home/my/sharednssdb -i
/home/example-certs/cert.cer
- |    A related command option, -E, is used specifically to add email
- |    certificates to the certificate database. The -E command has the same
- |    arguments as the -A command. The trust arguments for certificates have the
- |    format SSL,S/MIME,Code-signing, so the middle trust settings relate most
- |    to email certificates (though the others can be set). For example:
- |  $ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d sql:/home/my/sharednssdb -i
+ | A related command option, -E, is used specifically to add email
+ | certificates to the certificate database. The -E command has the same
+ | arguments as the -A command. The trust arguments for certificates have the
+ | format SSL,S/MIME,Code-signing, so the middle trust settings relate most
+ | to email certificates (though the others can be set). For example:
+ | $ certutil -E -n "CN=John Smith Email Cert" -t ",Pu," -d sql:/home/my/sharednssdb -i
/home/example-certs/email.cer
- |    Deleting Certificates to the Database
- |    Certificates can be deleted from a database using the -D option. The only
- |    required options are to give the security database directory and to
- |    identify the certificate nickname.
- |  certutil -D -d [sql:]directory -n "nickname"
- |    For example:
- |  $ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert"
- |    Validating Certificates
- |    A certificate contains an expiration date in itself, and expired
- |    certificates are easily rejected. However, certificates can also be
- |    revoked before they hit their expiration date. Checking whether a
- |    certificate has been revoked requires validating the certificate.
- |    Validation can also be used to ensure that the certificate is only used
- |    for the purposes it was initially issued for. Validation is carried out by
- |    the -V command option.
- |  certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]directory
- |    For example, to validate an email certificate:
- |  $ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sharednssdb
- |    Modifying Certificate Trust Settings
- |    The trust settings (which relate to the operations that a certificate is
- |    allowed to be used for) can be changed after a certificate is created or
- |    added to the database. This is especially useful for CA certificates, but
- |    it can be performed for any type of certificate.
- |  certutil -M -n certificate-name -t trust-args -d [sql:]directory
- |    For example:
- |  $ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CTu,CTu,CTu"
- |    Printing the Certificate Chain
- |    Certificates can be issued in chains because every certificate authority
- |    itself has a certificate; when a CA issues a certificate, it essentially
- |    stamps that certificate with its own fingerprint. The -O prints the full
- |    chain of a certificate, going from the initial CA (the root CA) through
- |    ever intermediary CA to the actual certificate. For example, for an email
- |    certificate with two CAs in the chain:
- |  $ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com"
- |  "Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte
+ | Deleting Certificates to the Database
+ | Certificates can be deleted from a database using the -D option. The only
+ | required options are to give the security database directory and to
+ | identify the certificate nickname.
+ | certutil -D -d [sql:]directory -n "nickname"
+ | For example:
+ | $ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert"
+ | Validating Certificates
+ | A certificate contains an expiration date in itself, and expired
+ | certificates are easily rejected. However, certificates can also be
+ | revoked before they hit their expiration date. Checking whether a
+ | certificate has been revoked requires validating the certificate.
+ | Validation can also be used to ensure that the certificate is only used
+ | for the purposes it was initially issued for. Validation is carried out by
+ | the -V command option.
+ | certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]directory
+ | For example, to validate an email certificate:
+ | $ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sharednssdb
+ | Modifying Certificate Trust Settings
+ | The trust settings (which relate to the operations that a certificate is
+ | allowed to be used for) can be changed after a certificate is created or
+ | added to the database. This is especially useful for CA certificates, but
+ | it can be performed for any type of certificate.
+ | certutil -M -n certificate-name -t trust-args -d [sql:]directory
+ | For example:
+ | $ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CTu,CTu,CTu"
+ | Printing the Certificate Chain
+ | Certificates can be issued in chains because every certificate authority
+ | itself has a certificate; when a CA issues a certificate, it essentially
+ | stamps that certificate with its own fingerprint. The -O prints the full
+ | chain of a certificate, going from the initial CA (the root CA) through
+ | ever intermediary CA to the actual certificate. For example, for an email
+ | certificate with two CAs in the chain:
+ | $ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com"
+ | "Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte
Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape
Town,ST=Western Cape,C=ZA]
- |    "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail
+ | "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail
Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA]
- |      "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member]
- |    Resetting a Token
- |    The device which stores certificates -- both external hardware devices and
- |    internal software databases -- can be blanked and reused. This operation
- |    is performed on the device which stores the data, not directly on the
- |    security databases, so the location must be referenced through the token
- |    name (-h) as well as any directory path. If there is no external token
- |    used, the default value is internal.
- |  certutil -T -d [sql:]directory -h token-name -0 security-officer-password
- |    Many networks have dedicated personnel who handle changes to security
- |    tokens (the security officer). This person must supply the password to
- |    access the specified token. For example:
- |  $ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret
- |    Upgrading or Merging the Security Databases
- |    Many networks or applications may be using older BerkeleyDB versions of
- |    the certificate database (cert8.db). Databases can be upgraded to the new
- |    SQLite version of the database (cert9.db) using the --upgrade-merge
- |    command option or existing databases can be merged with the new cert9.db
- |    databases using the ---merge command.
- |    The --upgrade-merge command must give information about the original
- |    database and then use the standard arguments (like -d) to give the
- |    information about the new databases. The command also requires information
- |    that the tool uses for the process to upgrade and write over the original
- |    database.
- |  certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir directory
+ | "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member]
+ | Resetting a Token
+ | The device which stores certificates -- both external hardware devices and
+ | internal software databases -- can be blanked and reused. This operation
+ | is performed on the device which stores the data, not directly on the
+ | security databases, so the location must be referenced through the token
+ | name (-h) as well as any directory path. If there is no external token
+ | used, the default value is internal.
+ | certutil -T -d [sql:]directory -h token-name -0 security-officer-password
+ | Many networks have dedicated personnel who handle changes to security
+ | tokens (the security officer). This person must supply the password to
+ | access the specified token. For example:
+ | $ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret
+ | Upgrading or Merging the Security Databases
+ | Many networks or applications may be using older BerkeleyDB versions of
+ | the certificate database (cert8.db). Databases can be upgraded to the new
+ | SQLite version of the database (cert9.db) using the --upgrade-merge
+ | command option or existing databases can be merged with the new cert9.db
+ | databases using the ---merge command.
+ | The --upgrade-merge command must give information about the original
+ | database and then use the standard arguments (like -d) to give the
+ | information about the new databases. The command also requires information
+ | that the tool uses for the process to upgrade and write over the original
+ | database.
+ | certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir directory
--source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file]
- |    For example:
- |  $ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/
+ | For example:
+ | $ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/
--source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal
- |    The --merge command only requires information about the location of the
- |    original database; since it doesn't change the format of the database, it
- |    can write over information without performing interim step.
- |  certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix
+ | The --merge command only requires information about the location of the
+ | original database; since it doesn't change the format of the database, it
+ | can write over information without performing interim step.
+ | certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix
dbprefix [-@ password-file]
- |    For example:
- |  $ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix
+ | For example:
+ | $ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix
serverapp-
- |    Running certutil Commands from a Batch File
- |    A series of commands can be run sequentially from a text file with the -B
- |    command option. The only argument for this specifies the input file.
- |  $ certutil -B -i /path/to/batch-file
+ | Running certutil Commands from a Batch File
+ | A series of commands can be run sequentially from a text file with the -B
+ | command option. The only argument for this specifies the input file.
+ | $ certutil -B -i /path/to/batch-file
| NSS Database Types
- |    NSS originally used BerkeleyDB databases to store security information.
- |    The last versions of these legacy databases are:
- |      o cert8.db for certificates
- |      o key3.db for keys
- |      o secmod.db for PKCS #11 module information
- |    BerkeleyDB has performance limitations, though, which prevent it from
- |    being easily used by multiple applications simultaneously. NSS has some
- |    flexibility that allows applications to use their own, independent
- |    database engine while keeping a shared database and working around the
- |    access issues. Still, NSS requires more flexibility to provide a truly
- |    shared security database.
- |    In 2009, NSS introduced a new set of databases that are SQLite databases
- |    rather than BerkleyDB. These new databases provide more accessibility and
- |    performance:
- |      o cert9.db for certificates
- |      o key4.db for keys
- |      o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
- |        in a new subdirectory in the security databases directory
- |    Because the SQLite databases are designed to be shared, these are the
- |    shared database type. The shared database type is preferred; the legacy
- |    format is included for backward compatibility.
- |    By default, the tools (certutil, pk12util, modutil) assume that the given
- |    security databases follow the more common legacy type. Using the SQLite
- |    databases must be manually specified by using the sql: prefix with the
- |    given security directory. For example:
- |  $ certutil -L -d sql:/home/my/sharednssdb
- |    To set the shared database type as the default type for the tools, set the
- |    NSS_DEFAULT_DB_TYPE environment variable to sql:
- |  export NSS_DEFAULT_DB_TYPE="sql"
- |    This line can be set added to the ~/.bashrc file to make the change
- |    permanent.
- |    Most applications do not use the shared database by default, but they can
- |    be configured to use them. For example, this how-to article covers how to
- |    configure Firefox and Thunderbird to use the new shared NSS databases:
- |      o https://wiki.mozilla.org/NSS_Shared_DB_Howto
- |    For an engineering draft on the changes in the shared NSS databases, see
- |    the NSS project wiki:
- |      o https://wiki.mozilla.org/NSS_Shared_DB
+ | NSS originally used BerkeleyDB databases to store security information.
+ | The last versions of these legacy databases are:
+ | o cert8.db for certificates
+ | o key3.db for keys
+ | o secmod.db for PKCS #11 module information
+ | BerkeleyDB has performance limitations, though, which prevent it from
+ | being easily used by multiple applications simultaneously. NSS has some
+ | flexibility that allows applications to use their own, independent
+ | database engine while keeping a shared database and working around the
+ | access issues. Still, NSS requires more flexibility to provide a truly
+ | shared security database.
+ | In 2009, NSS introduced a new set of databases that are SQLite databases
+ | rather than BerkleyDB. These new databases provide more accessibility and
+ | performance:
+ | o cert9.db for certificates
+ | o key4.db for keys
+ | o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
+ | in a new subdirectory in the security databases directory
+ | Because the SQLite databases are designed to be shared, these are the
+ | shared database type. The shared database type is preferred; the legacy
+ | format is included for backward compatibility.
+ | By default, the tools (certutil, pk12util, modutil) assume that the given
+ | security databases follow the more common legacy type. Using the SQLite
+ | databases must be manually specified by using the sql: prefix with the
+ | given security directory. For example:
+ | $ certutil -L -d sql:/home/my/sharednssdb
+ | To set the shared database type as the default type for the tools, set the
+ | NSS_DEFAULT_DB_TYPE environment variable to sql:
+ | export NSS_DEFAULT_DB_TYPE="sql"
+ | This line can be set added to the ~/.bashrc file to make the change
+ | permanent.
+ | Most applications do not use the shared database by default, but they can
+ | be configured to use them. For example, this how-to article covers how to
+ | configure Firefox and Thunderbird to use the new shared NSS databases:
+ | o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+ | For an engineering draft on the changes in the shared NSS databases, see
+ | the NSS project wiki:
+ | o https://wiki.mozilla.org/NSS_Shared_DB
| See Also
- |    pk12util (1)
- |    modutil (1)
- |    certutil has arguments or operations that use features defined in several
- |    IETF RFCs.
- |      o `http://tools.ietf.org/html/rfc5280 <https://datatracker.ietf.org/doc/html/rfc5280>`__
- |      o `http://tools.ietf.org/html/rfc1113 <https://datatracker.ietf.org/doc/html/rfc1113>`__
- |      o `http://tools.ietf.org/html/rfc1485 <https://datatracker.ietf.org/doc/html/rfc1485>`__
- |    The NSS wiki has information on the new database design and how to
- |    configure applications to use it.
- |      o https://wiki.mozilla.org/NSS_Shared_DB_Howto
- |      o https://wiki.mozilla.org/NSS_Shared_DB
+ | pk12util (1)
+ | modutil (1)
+ | certutil has arguments or operations that use features defined in several
+ | IETF RFCs.
+ | o `http://tools.ietf.org/html/rfc5280 <https://datatracker.ietf.org/doc/html/rfc5280>`__
+ | o `http://tools.ietf.org/html/rfc1113 <https://datatracker.ietf.org/doc/html/rfc1113>`__
+ | o `http://tools.ietf.org/html/rfc1485 <https://datatracker.ietf.org/doc/html/rfc1485>`__
+ | The NSS wiki has information on the new database design and how to
+ | configure applications to use it.
+ | o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+ | o https://wiki.mozilla.org/NSS_Shared_DB
| Additional Resources
- |    For information about NSS and other tools related to NSS (like JSS), check
- |    out the NSS project wiki at
- |   
+ | For information about NSS and other tools related to NSS (like JSS), check
+ | out the NSS project wiki at
+ |
[1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
- |    directly to NSS code changes and releases.
- |    Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
- |    IRC: Freenode at #dogtag-pki
+ | directly to NSS code changes and releases.
+ | Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
+ | IRC: Freenode at #dogtag-pki
| Authors
- |    The NSS tools were written and maintained by developers with Netscape, Red
- |    Hat, and Sun.
- |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
- |    <dlackey@redhat.com>.
+ | The NSS tools were written and maintained by developers with Netscape, Red
+ | Hat, and Sun.
+ | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+ | <dlackey@redhat.com>.
| Copyright
- |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+ | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
- |    Visible links
- |    1.
+ | Visible links
+ | 1.
`http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__ \ No newline at end of file
diff --git a/doc/rst/legacy/tools/cmsutil/index.rst b/doc/rst/legacy/tools/cmsutil/index.rst
index a4b1ae51d..1a56ff471 100644
--- a/doc/rst/legacy/tools/cmsutil/index.rst
+++ b/doc/rst/legacy/tools/cmsutil/index.rst
@@ -6,106 +6,106 @@ NSS tools : cmsutil
.. container::
| Name
- |    cmsutil — Performs basic cryptograpic operations, such as encryption and
- |    decryption, on Cryptographic Message Syntax (CMS) messages.
+ | cmsutil — Performs basic cryptograpic operations, such as encryption and
+ | decryption, on Cryptographic Message Syntax (CMS) messages.
| Synopsis
- |    cmsutil [options] `arguments <arguments>`__
+ | cmsutil [options] `arguments <arguments>`__
| Description
- |    The cmsutil command-line uses the S/MIME Toolkit to perform basic
- |    operations, such as encryption and decryption, on Cryptographic Message
- |    Syntax (CMS) messages.
- |    To run cmsutil, type the command cmsutil option [arguments] where option
- |    and arguments are combinations of the options and arguments listed in the
- |    following section. Each command takes one option. Each option may take
- |    zero or more arguments. To see a usage string, issue the command without
- |    options.
+ | The cmsutil command-line uses the S/MIME Toolkit to perform basic
+ | operations, such as encryption and decryption, on Cryptographic Message
+ | Syntax (CMS) messages.
+ | To run cmsutil, type the command cmsutil option [arguments] where option
+ | and arguments are combinations of the options and arguments listed in the
+ | following section. Each command takes one option. Each option may take
+ | zero or more arguments. To see a usage string, issue the command without
+ | options.
| Options and Arguments
- |    Options
- |    Options specify an action. Option arguments modify an action. The options
- |    and arguments for the cmsutil command are defined as follows:
- |    -D
- |            Decode a message.
- |    -C
- |            Encrypt a message.
- |    -E
- |            Envelope a message.
- |    -O
- |            Create a certificates-only message.
- |    -S
- |            Sign a message.
- |    Arguments
- |    Option arguments modify an action and are lowercase.
- |    -c content
- |            Use this detached content (decode only).
- |    -d dbdir
- |            Specify the key/certificate database directory (default is ".")
- |    -e envfile
- |            Specify a file containing an enveloped message for a set of
- |            recipients to which you would like to send an encrypted message.
- |            If this is the first encrypted message for that set of recipients,
- |            a new enveloped message will be created that you can then use for
- |            future messages (encrypt only).
- |    -G
- |            Include a signing time attribute (sign only).
- |    -h num
- |            Generate email headers with info about CMS message (decode only).
- |    -i infile
- |            Use infile as a source of data (default is stdin).
- |    -N nickname
- |            Specify nickname of certificate to sign with (sign only).
- |    -n
- |            Suppress output of contents (decode only).
- |    -o outfile
- |            Use outfile as a destination of data (default is stdout).
- |    -P
- |            Include an S/MIME capabilities attribute.
- |    -p password
- |            Use password as key database password.
- |    -r recipient1,recipient2, ...
- |            Specify list of recipients (email addresses) for an encrypted or
- |            enveloped message. For certificates-only message, list of
- |            certificates to send.
- |    -T
- |            Suppress content in CMS message (sign only).
- |    -u certusage
- |            Set type of cert usage (default is certUsageEmailSigner).
- |    -Y ekprefnick
- |            Specify an encryption key preference by nickname.
+ | Options
+ | Options specify an action. Option arguments modify an action. The options
+ | and arguments for the cmsutil command are defined as follows:
+ | -D
+ | Decode a message.
+ | -C
+ | Encrypt a message.
+ | -E
+ | Envelope a message.
+ | -O
+ | Create a certificates-only message.
+ | -S
+ | Sign a message.
+ | Arguments
+ | Option arguments modify an action and are lowercase.
+ | -c content
+ | Use this detached content (decode only).
+ | -d dbdir
+ | Specify the key/certificate database directory (default is ".")
+ | -e envfile
+ | Specify a file containing an enveloped message for a set of
+ | recipients to which you would like to send an encrypted message.
+ | If this is the first encrypted message for that set of recipients,
+ | a new enveloped message will be created that you can then use for
+ | future messages (encrypt only).
+ | -G
+ | Include a signing time attribute (sign only).
+ | -h num
+ | Generate email headers with info about CMS message (decode only).
+ | -i infile
+ | Use infile as a source of data (default is stdin).
+ | -N nickname
+ | Specify nickname of certificate to sign with (sign only).
+ | -n
+ | Suppress output of contents (decode only).
+ | -o outfile
+ | Use outfile as a destination of data (default is stdout).
+ | -P
+ | Include an S/MIME capabilities attribute.
+ | -p password
+ | Use password as key database password.
+ | -r recipient1,recipient2, ...
+ | Specify list of recipients (email addresses) for an encrypted or
+ | enveloped message. For certificates-only message, list of
+ | certificates to send.
+ | -T
+ | Suppress content in CMS message (sign only).
+ | -u certusage
+ | Set type of cert usage (default is certUsageEmailSigner).
+ | -Y ekprefnick
+ | Specify an encryption key preference by nickname.
| Usage
- |    Encrypt Example
- |  cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, . . ."
+ | Encrypt Example
+ | cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, . . ."
-e envfile
- |    Decode Example
- |  cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num]
- |    Envelope Example
- |  cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, ..."
- |    Certificate-only Example
- |  cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ."
- |    Sign Message Example
- |  cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick]
+ | Decode Example
+ | cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num]
+ | Envelope Example
+ | cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, ..."
+ | Certificate-only Example
+ | cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ."
+ | Sign Message Example
+ | cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick]
| See also
- |    certutil(1)
+ | certutil(1)
| See Also
| Additional Resources
- |    NSS is maintained in conjunction with PKI and security-related projects
- |    through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
- |    with a project wiki at [1]\ http://pki.fedoraproject.org/wiki/.
- |    For information specifically about NSS, the NSS project wiki is located at
- |   
+ | NSS is maintained in conjunction with PKI and security-related projects
+ | through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
+ | with a project wiki at [1]\ http://pki.fedoraproject.org/wiki/.
+ | For information specifically about NSS, the NSS project wiki is located at
+ |
[2]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
- |    directly to NSS code changes and releases.
- |    Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
- |    IRC: Freenode at #dogtag-pki
+ | directly to NSS code changes and releases.
+ | Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
+ | IRC: Freenode at #dogtag-pki
| Authors
- |    The NSS tools were written and maintained by developers with Netscape and
- |    now with Red Hat.
- |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
- |    <dlackey@redhat.com>.
+ | The NSS tools were written and maintained by developers with Netscape and
+ | now with Red Hat.
+ | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+ | <dlackey@redhat.com>.
| Copyright
- |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+ | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
- |    Visible links
- |    1. http://pki.fedoraproject.org/wiki/
- |    2.
+ | Visible links
+ | 1. http://pki.fedoraproject.org/wiki/
+ | 2.
`http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__ \ No newline at end of file
diff --git a/doc/rst/legacy/tools/crlutil/index.rst b/doc/rst/legacy/tools/crlutil/index.rst
index 90b38cc91..ee68b4dbf 100644
--- a/doc/rst/legacy/tools/crlutil/index.rst
+++ b/doc/rst/legacy/tools/crlutil/index.rst
@@ -6,224 +6,224 @@ NSS tools : crlutil
.. container::
| Name
- |    crlutil — List, generate, modify, or delete CRLs within the NSS security
- |    database file(s) and list, create, modify or delete certificates entries
- |    in a particular CRL.
+ | crlutil — List, generate, modify, or delete CRLs within the NSS security
+ | database file(s) and list, create, modify or delete certificates entries
+ | in a particular CRL.
| Synopsis
- |    crlutil [options] `arguments <arguments>`__
+ | crlutil [options] `arguments <arguments>`__
| Description
- |    The Certificate Revocation List (CRL) Management Tool, crlutil, is a
- |    command-line utility that can list, generate, modify, or delete CRLs
- |    within the NSS security database file(s) and list, create, modify or
- |    delete certificates entries in a particular CRL.
- |    The key and certificate management process generally begins with creating
- |    keys in the key database, then generating and managing certificates in the
- |    certificate database(see certutil tool) and continues with certificates
- |    expiration or revocation.
- |    This document discusses certificate revocation list management. For
- |    information on security module database management, see Using the Security
- |    Module Database Tool. For information on certificate and key database
- |    management, see Using the Certificate Database Tool.
- |    To run the Certificate Revocation List Management Tool, type the command
- |    crlutil option [arguments]
- |    where options and arguments are combinations of the options and arguments
- |    listed in the following section. Each command takes one option. Each
- |    option may take zero or more arguments. To see a usage string, issue the
- |    command without options, or with the -H option.
+ | The Certificate Revocation List (CRL) Management Tool, crlutil, is a
+ | command-line utility that can list, generate, modify, or delete CRLs
+ | within the NSS security database file(s) and list, create, modify or
+ | delete certificates entries in a particular CRL.
+ | The key and certificate management process generally begins with creating
+ | keys in the key database, then generating and managing certificates in the
+ | certificate database(see certutil tool) and continues with certificates
+ | expiration or revocation.
+ | This document discusses certificate revocation list management. For
+ | information on security module database management, see Using the Security
+ | Module Database Tool. For information on certificate and key database
+ | management, see Using the Certificate Database Tool.
+ | To run the Certificate Revocation List Management Tool, type the command
+ | crlutil option [arguments]
+ | where options and arguments are combinations of the options and arguments
+ | listed in the following section. Each command takes one option. Each
+ | option may take zero or more arguments. To see a usage string, issue the
+ | command without options, or with the -H option.
| Options and Arguments
- |    Options
- |    Options specify an action. Option arguments modify an action. The options
- |    and arguments for the crlutil command are defined as follows:
- |    -G
- |            Create new Certificate Revocation List(CRL).
- |    -D
- |            Delete Certificate Revocation List from cert database.
- |    -I
- |            Import a CRL to the cert database
- |    -E
- |            Erase all CRLs of specified type from the cert database
- |    -L
- |            List existing CRL located in cert database file.
- |    -M
- |            Modify existing CRL which can be located in cert db or in
- |            arbitrary file. If located in file it should be encoded in ASN.1
- |            encode format.
- |    -G
- |    Arguments
- |    Option arguments modify an action and are lowercase.
- |    -B
- |            Bypass CA signature checks.
- |    -P dbprefix
- |            Specify the prefix used on the NSS security database files (for
- |            example, my_cert8.db and my_key3.db). This option is provided as a
- |            special case. Changing the names of the certificate and key
- |            databases is not recommended.
- |    -a
- |            Use ASCII format or allow the use of ASCII format for input and
- |            output. This formatting follows RFC #1113.
- |    -c crl-gen-file
- |            Specify script file that will be used to control crl
- |            generation/modification. See crl-cript-file format below. If
- |            options -M|-G is used and -c crl-script-file is not specified,
- |            crlutil will read script data from standard input.
- |    -d directory
- |            Specify the database directory containing the certificate and key
- |            database files. On Unix the Certificate Database Tool defaults to
- |            $HOME/.netscape (that is, ~/.netscape). On Windows NT the default
- |            is the current directory.
- |            The NSS database files must reside in the same directory.
- |    -i crl-import-file
- |            Specify the file which contains the CRL to import
- |    -f password-file
- |            Specify a file that will automatically supply the password to
- |            include in a certificate or to access a certificate database. This
- |            is a plain-text file containing one password. Be sure to prevent
- |            unauthorized access to this file.
- |    -l algorithm-name
- |            Specify a specific signature algorithm. List of possible
- |            algorithms: MD2 \| MD4 \| MD5 \| SHA1 \| SHA256 \| SHA384 \| SHA512
- |    -n nickname
- |            Specify the nickname of a certificate or key to list, create, add
- |            to a database, modify, or validate. Bracket the nickname string
- |            with quotation marks if it contains spaces.
- |    -o output-file
- |            Specify the output file name for new CRL. Bracket the output-file
- |            string with quotation marks if it contains spaces. If this
- |            argument is not used the output destination defaults to standard
- |            output.
- |    -t crl-type
- |            Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 -
- |            SEC_CRL_TYPE. This option is obsolete
- |    -u url
- |            Specify the url.
+ | Options
+ | Options specify an action. Option arguments modify an action. The options
+ | and arguments for the crlutil command are defined as follows:
+ | -G
+ | Create new Certificate Revocation List(CRL).
+ | -D
+ | Delete Certificate Revocation List from cert database.
+ | -I
+ | Import a CRL to the cert database
+ | -E
+ | Erase all CRLs of specified type from the cert database
+ | -L
+ | List existing CRL located in cert database file.
+ | -M
+ | Modify existing CRL which can be located in cert db or in
+ | arbitrary file. If located in file it should be encoded in ASN.1
+ | encode format.
+ | -G
+ | Arguments
+ | Option arguments modify an action and are lowercase.
+ | -B
+ | Bypass CA signature checks.
+ | -P dbprefix
+ | Specify the prefix used on the NSS security database files (for
+ | example, my_cert8.db and my_key3.db). This option is provided as a
+ | special case. Changing the names of the certificate and key
+ | databases is not recommended.
+ | -a
+ | Use ASCII format or allow the use of ASCII format for input and
+ | output. This formatting follows RFC #1113.
+ | -c crl-gen-file
+ | Specify script file that will be used to control crl
+ | generation/modification. See crl-cript-file format below. If
+ | options -M|-G is used and -c crl-script-file is not specified,
+ | crlutil will read script data from standard input.
+ | -d directory
+ | Specify the database directory containing the certificate and key
+ | database files. On Unix the Certificate Database Tool defaults to
+ | $HOME/.netscape (that is, ~/.netscape). On Windows NT the default
+ | is the current directory.
+ | The NSS database files must reside in the same directory.
+ | -i crl-import-file
+ | Specify the file which contains the CRL to import
+ | -f password-file
+ | Specify a file that will automatically supply the password to
+ | include in a certificate or to access a certificate database. This
+ | is a plain-text file containing one password. Be sure to prevent
+ | unauthorized access to this file.
+ | -l algorithm-name
+ | Specify a specific signature algorithm. List of possible
+ | algorithms: MD2 \| MD4 \| MD5 \| SHA1 \| SHA256 \| SHA384 \| SHA512
+ | -n nickname
+ | Specify the nickname of a certificate or key to list, create, add
+ | to a database, modify, or validate. Bracket the nickname string
+ | with quotation marks if it contains spaces.
+ | -o output-file
+ | Specify the output file name for new CRL. Bracket the output-file
+ | string with quotation marks if it contains spaces. If this
+ | argument is not used the output destination defaults to standard
+ | output.
+ | -t crl-type
+ | Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 -
+ | SEC_CRL_TYPE. This option is obsolete
+ | -u url
+ | Specify the url.
| CRL Generation script syntax
- |    CRL generation script file has the following syntax:
- |    \* Line with comments should have # as a first symbol of a line
- |    \* Set "this update" or "next update" CRL fields:
- |    update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ
- |    Field "next update" is optional. Time should be in GeneralizedTime format
- |    (YYYYMMDDhhmmssZ). For example: 20050204153000Z
- |    \* Add an extension to a CRL or a crl certificate entry:
- |    addext extension-name critical/non-critical [arg1[arg2 ...]]
- |    Where:
- |    extension-name: string value of a name of known extensions.
- |    critical/non-critical: is 1 when extension is critical and 0 otherwise.
- |    arg1, arg2: specific to extension type extension parameters
- |    addext uses the range that was set earlier by addcert and will install an
- |    extension to every cert entries within the range.
- |    \* Add certificate entries(s) to CRL:
- |    addcert range date
- |    range: two integer values separated by dash: range of certificates that
- |    will be added by this command. dash is used as a delimiter. Only one cert
- |    will be added if there is no delimiter. date: revocation date of a cert.
- |    Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
- |    \* Remove certificate entry(s) from CRL
- |    rmcert range
- |    Where:
- |    range: two integer values separated by dash: range of certificates that
- |    will be added by this command. dash is used as a delimiter. Only one cert
- |    will be added if there is no delimiter.
- |    \* Change range of certificate entry(s) in CRL
- |    range new-range
- |    Where:
- |    new-range: two integer values separated by dash: range of certificates
- |    that will be added by this command. dash is used as a delimiter. Only one
- |    cert will be added if there is no delimiter.
- |    Implemented Extensions
- |    The extensions defined for CRL provide methods for associating additional
- |    attributes with CRLs of theirs entries. For more information see RFC #3280
- |    \* Add The Authority Key Identifier extension:
- |    The authority key identifier extension provides a means of identifying the
- |    public key corresponding to the private key used to sign a CRL.
- |    authKeyId critical [key-id \| dn cert-serial]
- |    Where:
- |    authKeyIdent: identifies the name of an extension critical: value of 1 of
- |    0. Should be set to 1 if this extension is critical or 0 otherwise.
- |    key-id: key identifier represented in octet string. dn:: is a CA
- |    distinguished name cert-serial: authority certificate serial number.
- |    \* Add Issuer Alternative Name extension:
- |    The issuer alternative names extension allows additional identities to be
- |    associated with the issuer of the CRL. Defined options include an rfc822
- |    name (electronic mail address), a DNS name, an IP address, and a URI.
- |    issuerAltNames non-critical name-list
- |    Where:
- |    subjAltNames: identifies the name of an extension should be set to 0 since
- |    this is non-critical extension name-list: comma separated list of names
- |    \* Add CRL Number extension:
- |    The CRL number is a non-critical CRL extension which conveys a
- |    monotonically increasing sequence number for a given CRL scope and CRL
- |    issuer. This extension allows users to easily determine when a particular
- |    CRL supersedes another CRL
- |    crlNumber non-critical number
- |    Where:
- |    crlNumber: identifies the name of an extension critical: should be set to
- |    0 since this is non-critical extension number: value of long which
- |    identifies the sequential number of a CRL.
- |    \* Add Revocation Reason Code extension:
- |    The reasonCode is a non-critical CRL entry extension that identifies the
- |    reason for the certificate revocation.
- |    reasonCode non-critical code
- |    Where:
- |    reasonCode: identifies the name of an extension non-critical: should be
- |    set to 0 since this is non-critical extension code: the following codes
- |    are available:
- |    unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged
- |    (3), superseded (4), cessationOfOperation (5), certificateHold (6),
- |    removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10)
- |    \* Add Invalidity Date extension:
- |    The invalidity date is a non-critical CRL entry extension that provides
- |    the date on which it is known or suspected that the private key was
- |    compromised or that the certificate otherwise became invalid.
- |    invalidityDate non-critical date
- |    Where:
- |    crlNumber: identifies the name of an extension non-critical: should be set
- |    to 0 since this is non-critical extension date: invalidity date of a cert.
- |    Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
+ | CRL generation script file has the following syntax:
+ | \* Line with comments should have # as a first symbol of a line
+ | \* Set "this update" or "next update" CRL fields:
+ | update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ
+ | Field "next update" is optional. Time should be in GeneralizedTime format
+ | (YYYYMMDDhhmmssZ). For example: 20050204153000Z
+ | \* Add an extension to a CRL or a crl certificate entry:
+ | addext extension-name critical/non-critical [arg1[arg2 ...]]
+ | Where:
+ | extension-name: string value of a name of known extensions.
+ | critical/non-critical: is 1 when extension is critical and 0 otherwise.
+ | arg1, arg2: specific to extension type extension parameters
+ | addext uses the range that was set earlier by addcert and will install an
+ | extension to every cert entries within the range.
+ | \* Add certificate entries(s) to CRL:
+ | addcert range date
+ | range: two integer values separated by dash: range of certificates that
+ | will be added by this command. dash is used as a delimiter. Only one cert
+ | will be added if there is no delimiter. date: revocation date of a cert.
+ | Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
+ | \* Remove certificate entry(s) from CRL
+ | rmcert range
+ | Where:
+ | range: two integer values separated by dash: range of certificates that
+ | will be added by this command. dash is used as a delimiter. Only one cert
+ | will be added if there is no delimiter.
+ | \* Change range of certificate entry(s) in CRL
+ | range new-range
+ | Where:
+ | new-range: two integer values separated by dash: range of certificates
+ | that will be added by this command. dash is used as a delimiter. Only one
+ | cert will be added if there is no delimiter.
+ | Implemented Extensions
+ | The extensions defined for CRL provide methods for associating additional
+ | attributes with CRLs of theirs entries. For more information see RFC #3280
+ | \* Add The Authority Key Identifier extension:
+ | The authority key identifier extension provides a means of identifying the
+ | public key corresponding to the private key used to sign a CRL.
+ | authKeyId critical [key-id \| dn cert-serial]
+ | Where:
+ | authKeyIdent: identifies the name of an extension critical: value of 1 of
+ | 0. Should be set to 1 if this extension is critical or 0 otherwise.
+ | key-id: key identifier represented in octet string. dn:: is a CA
+ | distinguished name cert-serial: authority certificate serial number.
+ | \* Add Issuer Alternative Name extension:
+ | The issuer alternative names extension allows additional identities to be
+ | associated with the issuer of the CRL. Defined options include an rfc822
+ | name (electronic mail address), a DNS name, an IP address, and a URI.
+ | issuerAltNames non-critical name-list
+ | Where:
+ | subjAltNames: identifies the name of an extension should be set to 0 since
+ | this is non-critical extension name-list: comma separated list of names
+ | \* Add CRL Number extension:
+ | The CRL number is a non-critical CRL extension which conveys a
+ | monotonically increasing sequence number for a given CRL scope and CRL
+ | issuer. This extension allows users to easily determine when a particular
+ | CRL supersedes another CRL
+ | crlNumber non-critical number
+ | Where:
+ | crlNumber: identifies the name of an extension critical: should be set to
+ | 0 since this is non-critical extension number: value of long which
+ | identifies the sequential number of a CRL.
+ | \* Add Revocation Reason Code extension:
+ | The reasonCode is a non-critical CRL entry extension that identifies the
+ | reason for the certificate revocation.
+ | reasonCode non-critical code
+ | Where:
+ | reasonCode: identifies the name of an extension non-critical: should be
+ | set to 0 since this is non-critical extension code: the following codes
+ | are available:
+ | unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged
+ | (3), superseded (4), cessationOfOperation (5), certificateHold (6),
+ | removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10)
+ | \* Add Invalidity Date extension:
+ | The invalidity date is a non-critical CRL entry extension that provides
+ | the date on which it is known or suspected that the private key was
+ | compromised or that the certificate otherwise became invalid.
+ | invalidityDate non-critical date
+ | Where:
+ | crlNumber: identifies the name of an extension non-critical: should be set
+ | to 0 since this is non-critical extension date: invalidity date of a cert.
+ | Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ).
| Usage
- |    The Certificate Revocation List Management Tool's capabilities are grouped
- |    as follows, using these combinations of options and arguments. Options and
- |    arguments in square brackets are optional, those without square brackets
- |    are required.
- |    See "Implemented extensions" for more information regarding extensions and
- |    their parameters.
- |    \* Creating or modifying a CRL:
- |  crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg]
+ | The Certificate Revocation List Management Tool's capabilities are grouped
+ | as follows, using these combinations of options and arguments. Options and
+ | arguments in square brackets are optional, those without square brackets
+ | are required.
+ | See "Implemented extensions" for more information regarding extensions and
+ | their parameters.
+ | \* Creating or modifying a CRL:
+ | crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg]
[-a] [-B]
- |    \* Listing all CRls or a named CRL:
- |          crlutil -L [-n crl-name] [-d krydir]
- |    \* Deleting CRL from db:
- |          crlutil -D -n nickname [-d keydir] [-P dbprefix]
- |    \* Erasing CRLs from db:
- |          crlutil -E [-d keydir] [-P dbprefix]
- |    \* Deleting CRL from db:
- |            crlutil -D -n nickname [-d keydir] [-P dbprefix]
- |    \* Erasing CRLs from db:
- |            crlutil -E [-d keydir] [-P dbprefix]
- |    \* Import CRL from file:
- |            crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B]
+ | \* Listing all CRls or a named CRL:
+ | crlutil -L [-n crl-name] [-d krydir]
+ | \* Deleting CRL from db:
+ | crlutil -D -n nickname [-d keydir] [-P dbprefix]
+ | \* Erasing CRLs from db:
+ | crlutil -E [-d keydir] [-P dbprefix]
+ | \* Deleting CRL from db:
+ | crlutil -D -n nickname [-d keydir] [-P dbprefix]
+ | \* Erasing CRLs from db:
+ | crlutil -E [-d keydir] [-P dbprefix]
+ | \* Import CRL from file:
+ | crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B]
| See also
- |    certutil(1)
+ | certutil(1)
| See Also
| Additional Resources
- |    NSS is maintained in conjunction with PKI and security-related projects
- |    through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
- |    with a project wiki at [1]\ http://pki.fedoraproject.org/wiki/.
- |    For information specifically about NSS, the NSS project wiki is located at
- |   
+ | NSS is maintained in conjunction with PKI and security-related projects
+ | through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
+ | with a project wiki at [1]\ http://pki.fedoraproject.org/wiki/.
+ | For information specifically about NSS, the NSS project wiki is located at
+ |
[2]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
- |    directly to NSS code changes and releases.
- |    Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
- |    IRC: Freenode at #dogtag-pki
+ | directly to NSS code changes and releases.
+ | Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
+ | IRC: Freenode at #dogtag-pki
| Authors
- |    The NSS tools were written and maintained by developers with Netscape and
- |    now with Red Hat.
- |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
- |    <dlackey@redhat.com>.
+ | The NSS tools were written and maintained by developers with Netscape and
+ | now with Red Hat.
+ | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+ | <dlackey@redhat.com>.
| Copyright
- |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+ | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
- |    Visible links
- |    1. http://pki.fedoraproject.org/wiki/
- |    2.
+ | Visible links
+ | 1. http://pki.fedoraproject.org/wiki/
+ | 2.
`http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__ \ No newline at end of file
diff --git a/doc/rst/legacy/tools/modutil/index.rst b/doc/rst/legacy/tools/modutil/index.rst
index 52ffcabbc..b3251735d 100644
--- a/doc/rst/legacy/tools/modutil/index.rst
+++ b/doc/rst/legacy/tools/modutil/index.rst
@@ -6,635 +6,635 @@ NSS tools : modutil
.. container::
| Name
- |    modutil — Manage PKCS #11 module information within the security module
- |    database.
+ | modutil — Manage PKCS #11 module information within the security module
+ | database.
| Synopsis
- |    modutil [options] `arguments <arguments>`__
+ | modutil [options] `arguments <arguments>`__
| Description
- |    The Security Module Database Tool, modutil, is a command-line utility for
- |    managing PKCS #11 module information both within secmod.db files and
- |    within hardware tokens. modutil can add and delete PKCS #11 modules,
- |    change passwords on security databases, set defaults, list module
- |    contents, enable or disable slots, enable or disable FIPS 140-2
- |    compliance, and assign default providers for cryptographic operations.
- |    This tool can also create certificate, key, and module security database
- |    files.
- |    The tasks associated with security module database management are part of
- |    a process that typically also involves managing key databases and
- |    certificate databases.
+ | The Security Module Database Tool, modutil, is a command-line utility for
+ | managing PKCS #11 module information both within secmod.db files and
+ | within hardware tokens. modutil can add and delete PKCS #11 modules,
+ | change passwords on security databases, set defaults, list module
+ | contents, enable or disable slots, enable or disable FIPS 140-2
+ | compliance, and assign default providers for cryptographic operations.
+ | This tool can also create certificate, key, and module security database
+ | files.
+ | The tasks associated with security module database management are part of
+ | a process that typically also involves managing key databases and
+ | certificate databases.
| Options
- |    Running modutil always requires one (and only one) option to specify the
- |    type of module operation. Each option may take arguments, anywhere from
- |    none to multiple arguments.
- |    Options
- |    -add modulename
- |            Add the named PKCS #11 module to the database. Use this option
- |            with the -libfile, -ciphers, and -mechanisms arguments.
- |    -changepw tokenname
- |            Change the password on the named token. If the token has not been
- |            initialized, this option initializes the password. Use this option
- |            with the -pwfile and -newpwfile arguments. A password is
- |            equivalent to a personal identification number (PIN).
- |    -chkfips
- |            Verify whether the module is in the given FIPS mode. true means to
- |            verify that the module is in FIPS mode, while false means to
- |            verify that the module is not in FIPS mode.
- |    -create
- |            Create new certificate, key, and module databases. Use the -dbdir
- |            directory argument to specify a directory. If any of these
- |            databases already exist in a specified directory, modutil returns
- |            an error message.
- |    -default modulename
- |            Specify the security mechanisms for which the named module will be
- |            a default provider. The security mechanisms are specified with the
- |            -mechanisms argument.
- |    -delete modulename
- |            Delete the named module. The default NSS PKCS #11 module cannot be
- |            deleted.
- |    -disable modulename
- |            Disable all slots on the named module. Use the -slot argument to
- |            disable a specific slot.
- |    -enable modulename
- |            Enable all slots on the named module. Use the -slot argument to
- |            enable a specific slot.
- |    -fips [true \| false]
- |            Enable (true) or disable (false) FIPS 140-2 compliance for the
- |            default NSS module.
- |    -force
- |            Disable modutil's interactive prompts so it can be run from a
- |            script. Use this option only after manually testing each planned
- |            operation to check for warnings and to ensure that bypassing the
- |            prompts will cause no security lapses or loss of database
- |            integrity.
- |    -jar JAR-file
- |            Add a new PKCS #11 module to the database using the named JAR
- |            file. Use this command with the -installdir and -tempdir
- |            arguments. The JAR file uses the NSS PKCS #11 JAR format to
- |            identify all the files to be installed, the module's name, the
- |            mechanism flags, and the cipher flags, as well as any files to be
- |            installed on the target machine, including the PKCS #11 module
- |            library file and other files such as documentation. This is
- |            covered in the JAR installation file section in the man page,
- |            which details the special script needed to perform an installation
- |            through a server or with modutil.
- |    -list [modulename]
- |            Display basic information about the contents of the secmod.db
- |            file. Specifying a modulename displays detailed information about
- |            a particular module and its slots and tokens.
- |    -rawadd
- |            Add the module spec string to the secmod.db database.
- |    -rawlist
- |            Display the module specs for a specified module or for all
- |            loadable modules.
- |    -undefault modulename
- |            Specify the security mechanisms for which the named module will
- |            not be a default provider. The security mechanisms are specified
- |            with the -mechanisms argument.
- |    Arguments
- |    MODULE
- |            Give the security module to access.
- |    MODULESPEC
- |            Give the security module spec to load into the security database.
- |    -ciphers cipher-enable-list
- |            Enable specific ciphers in a module that is being added to the
- |            database. The cipher-enable-list is a colon-delimited list of
- |            cipher names. Enclose this list in quotation marks if it contains
- |            spaces.
- |    -dbdir [sql:]directory
- |            Specify the database directory in which to access or create
- |            security module database files.
- |            modutil supports two types of databases: the legacy security
- |            databases (cert8.db, key3.db, and secmod.db) and new SQLite
- |            databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
- |            is not used, then the tool assumes that the given databases are in
- |            the old format.
- |    --dbprefix prefix
- |            Specify the prefix used on the database files, such as my\_ for
- |            my_cert8.db. This option is provided as a special case. Changing
- |            the names of the certificate and key databases is not recommended.
- |    -installdir root-installation-directory
- |            Specify the root installation directory relative to which files
- |            will be installed by the -jar option. This directory should be one
- |            below which it is appropriate to store dynamic library files, such
- |            as a server's root directory.
- |    -libfile library-file
- |            Specify a path to a library file containing the implementation of
- |            the PKCS #11 interface module that is being added to the database.
- |    -mechanisms mechanism-list
- |            Specify the security mechanisms for which a particular module will
- |            be flagged as a default provider. The mechanism-list is a
- |            colon-delimited list of mechanism names. Enclose this list in
- |            quotation marks if it contains spaces.
- |            The module becomes a default provider for the listed mechanisms
- |            when those mechanisms are enabled. If more than one module claims
- |            to be a particular mechanism's default provider, that mechanism's
- |            default provider is undefined.
- |            modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES,
- |            DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for
- |            random number generation), and FRIENDLY (meaning certificates are
- |            publicly readable).
- |    -newpwfile new-password-file
- |            Specify a text file containing a token's new or replacement
- |            password so that a password can be entered automatically with the
- |            -changepw option.
- |    -nocertdb
- |            Do not open the certificate or key databases. This has several
- |            effects:
- |               o With the -create command, only a module security file is
- |                 created; certificate and key databases are not created.
- |               o With the -jar command, signatures on the JAR file are not
- |                 checked.
- |               o With the -changepw command, the password on the NSS internal
- |                 module cannot be set or changed, since this password is
- |                 stored in the key database.
- |    -pwfile old-password-file
- |            Specify a text file containing a token's existing password so that
- |            a password can be entered automatically when the -changepw option
- |            is used to change passwords.
- |    -secmod secmodname
- |            Give the name of the security module database (like secmod.db) to
- |            load.
- |    -slot slotname
- |            Specify a particular slot to be enabled or disabled with the
- |            -enable or -disable options.
- |    -string CONFIG_STRING
- |            Pass a configuration string for the module being added to the
- |            database.
- |    -tempdir temporary-directory
- |            Give a directory location where temporary files are created during
- |            the installation by the -jar option. If no temporary directory is
- |            specified, the current directory is used.
+ | Running modutil always requires one (and only one) option to specify the
+ | type of module operation. Each option may take arguments, anywhere from
+ | none to multiple arguments.
+ | Options
+ | -add modulename
+ | Add the named PKCS #11 module to the database. Use this option
+ | with the -libfile, -ciphers, and -mechanisms arguments.
+ | -changepw tokenname
+ | Change the password on the named token. If the token has not been
+ | initialized, this option initializes the password. Use this option
+ | with the -pwfile and -newpwfile arguments. A password is
+ | equivalent to a personal identification number (PIN).
+ | -chkfips
+ | Verify whether the module is in the given FIPS mode. true means to
+ | verify that the module is in FIPS mode, while false means to
+ | verify that the module is not in FIPS mode.
+ | -create
+ | Create new certificate, key, and module databases. Use the -dbdir
+ | directory argument to specify a directory. If any of these
+ | databases already exist in a specified directory, modutil returns
+ | an error message.
+ | -default modulename
+ | Specify the security mechanisms for which the named module will be
+ | a default provider. The security mechanisms are specified with the
+ | -mechanisms argument.
+ | -delete modulename
+ | Delete the named module. The default NSS PKCS #11 module cannot be
+ | deleted.
+ | -disable modulename
+ | Disable all slots on the named module. Use the -slot argument to
+ | disable a specific slot.
+ | -enable modulename
+ | Enable all slots on the named module. Use the -slot argument to
+ | enable a specific slot.
+ | -fips [true \| false]
+ | Enable (true) or disable (false) FIPS 140-2 compliance for the
+ | default NSS module.
+ | -force
+ | Disable modutil's interactive prompts so it can be run from a
+ | script. Use this option only after manually testing each planned
+ | operation to check for warnings and to ensure that bypassing the
+ | prompts will cause no security lapses or loss of database
+ | integrity.
+ | -jar JAR-file
+ | Add a new PKCS #11 module to the database using the named JAR
+ | file. Use this command with the -installdir and -tempdir
+ | arguments. The JAR file uses the NSS PKCS #11 JAR format to
+ | identify all the files to be installed, the module's name, the
+ | mechanism flags, and the cipher flags, as well as any files to be
+ | installed on the target machine, including the PKCS #11 module
+ | library file and other files such as documentation. This is
+ | covered in the JAR installation file section in the man page,
+ | which details the special script needed to perform an installation
+ | through a server or with modutil.
+ | -list [modulename]
+ | Display basic information about the contents of the secmod.db
+ | file. Specifying a modulename displays detailed information about
+ | a particular module and its slots and tokens.
+ | -rawadd
+ | Add the module spec string to the secmod.db database.
+ | -rawlist
+ | Display the module specs for a specified module or for all
+ | loadable modules.
+ | -undefault modulename
+ | Specify the security mechanisms for which the named module will
+ | not be a default provider. The security mechanisms are specified
+ | with the -mechanisms argument.
+ | Arguments
+ | MODULE
+ | Give the security module to access.
+ | MODULESPEC
+ | Give the security module spec to load into the security database.
+ | -ciphers cipher-enable-list
+ | Enable specific ciphers in a module that is being added to the
+ | database. The cipher-enable-list is a colon-delimited list of
+ | cipher names. Enclose this list in quotation marks if it contains
+ | spaces.
+ | -dbdir [sql:]directory
+ | Specify the database directory in which to access or create
+ | security module database files.
+ | modutil supports two types of databases: the legacy security
+ | databases (cert8.db, key3.db, and secmod.db) and new SQLite
+ | databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
+ | is not used, then the tool assumes that the given databases are in
+ | the old format.
+ | --dbprefix prefix
+ | Specify the prefix used on the database files, such as my\_ for
+ | my_cert8.db. This option is provided as a special case. Changing
+ | the names of the certificate and key databases is not recommended.
+ | -installdir root-installation-directory
+ | Specify the root installation directory relative to which files
+ | will be installed by the -jar option. This directory should be one
+ | below which it is appropriate to store dynamic library files, such
+ | as a server's root directory.
+ | -libfile library-file
+ | Specify a path to a library file containing the implementation of
+ | the PKCS #11 interface module that is being added to the database.
+ | -mechanisms mechanism-list
+ | Specify the security mechanisms for which a particular module will
+ | be flagged as a default provider. The mechanism-list is a
+ | colon-delimited list of mechanism names. Enclose this list in
+ | quotation marks if it contains spaces.
+ | The module becomes a default provider for the listed mechanisms
+ | when those mechanisms are enabled. If more than one module claims
+ | to be a particular mechanism's default provider, that mechanism's
+ | default provider is undefined.
+ | modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES,
+ | DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for
+ | random number generation), and FRIENDLY (meaning certificates are
+ | publicly readable).
+ | -newpwfile new-password-file
+ | Specify a text file containing a token's new or replacement
+ | password so that a password can be entered automatically with the
+ | -changepw option.
+ | -nocertdb
+ | Do not open the certificate or key databases. This has several
+ | effects:
+ | o With the -create command, only a module security file is
+ | created; certificate and key databases are not created.
+ | o With the -jar command, signatures on the JAR file are not
+ | checked.
+ | o With the -changepw command, the password on the NSS internal
+ | module cannot be set or changed, since this password is
+ | stored in the key database.
+ | -pwfile old-password-file
+ | Specify a text file containing a token's existing password so that
+ | a password can be entered automatically when the -changepw option
+ | is used to change passwords.
+ | -secmod secmodname
+ | Give the name of the security module database (like secmod.db) to
+ | load.
+ | -slot slotname
+ | Specify a particular slot to be enabled or disabled with the
+ | -enable or -disable options.
+ | -string CONFIG_STRING
+ | Pass a configuration string for the module being added to the
+ | database.
+ | -tempdir temporary-directory
+ | Give a directory location where temporary files are created during
+ | the installation by the -jar option. If no temporary directory is
+ | specified, the current directory is used.
| Usage and Examples
- |    Creating Database Files
- |    Before any operations can be performed, there must be a set of security
- |    databases available. modutil can be used to create these files. The only
- |    required argument is the database that where the databases will be
- |    located.
- |  modutil -create -dbdir [sql:]directory
- |    Adding a Cryptographic Module
- |    Adding a PKCS #11 module means submitting a supporting library file,
- |    enabling its ciphers, and setting default provider status for various
- |    security mechanisms. This can be done by supplying all of the information
- |    through modutil directly or by running a JAR file and install script. For
- |    the most basic case, simply upload the library:
- |  modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms
+ | Creating Database Files
+ | Before any operations can be performed, there must be a set of security
+ | databases available. modutil can be used to create these files. The only
+ | required argument is the database that where the databases will be
+ | located.
+ | modutil -create -dbdir [sql:]directory
+ | Adding a Cryptographic Module
+ | Adding a PKCS #11 module means submitting a supporting library file,
+ | enabling its ciphers, and setting default provider status for various
+ | security mechanisms. This can be done by supplying all of the information
+ | through modutil directly or by running a JAR file and install script. For
+ | the most basic case, simply upload the library:
+ | modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms
mechanism-list]
- |    For example:
- |  modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile
+ | For example:
+ | modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile
"/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM
- |  Using database directory ...
- |  Module "Example PKCS #11 Module" added to database.
- |    Installing a Cryptographic Module from a JAR File
- |    PKCS #11 modules can also be loaded using a JAR file, which contains all
- |    of the required libraries and an installation script that describes how to
- |    install the module. The JAR install script is described in more detail in
- |    [1]the section called “JAR Installation File Format”.
- |    The JAR installation script defines the setup information for each
- |    platform that the module can be installed on. For example:
- |  Platforms {
- |     Linux:5.4.08:x86 {
- |        ModuleName { "Example PKCS #11 Module" }
- |        ModuleFile { crypto.so }
- |        DefaultMechanismFlags{0x0000}
- |        CipherEnableFlags{0x0000}
- |        Files {
- |           crypto.so {
- |              Path{ /tmp/crypto.so }
- |           }
- |           setup.sh {
- |              Executable
- |              Path{ /tmp/setup.sh }
- |           }
- |        }
- |     }
- |     Linux:6.0.0:x86 {
- |        EquivalentPlatform { Linux:5.4.08:x86 }
- |     }
- |  }
- |    Both the install script and the required libraries must be bundled in a
- |    JAR file, which is specified with the -jar argument.
- |  modutil -dbdir sql:/home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir
+ | Using database directory ...
+ | Module "Example PKCS #11 Module" added to database.
+ | Installing a Cryptographic Module from a JAR File
+ | PKCS #11 modules can also be loaded using a JAR file, which contains all
+ | of the required libraries and an installation script that describes how to
+ | install the module. The JAR install script is described in more detail in
+ | [1]the section called “JAR Installation File Format”.
+ | The JAR installation script defines the setup information for each
+ | platform that the module can be installed on. For example:
+ | Platforms {
+ | Linux:5.4.08:x86 {
+ | ModuleName { "Example PKCS #11 Module" }
+ | ModuleFile { crypto.so }
+ | DefaultMechanismFlags{0x0000}
+ | CipherEnableFlags{0x0000}
+ | Files {
+ | crypto.so {
+ | Path{ /tmp/crypto.so }
+ | }
+ | setup.sh {
+ | Executable
+ | Path{ /tmp/setup.sh }
+ | }
+ | }
+ | }
+ | Linux:6.0.0:x86 {
+ | EquivalentPlatform { Linux:5.4.08:x86 }
+ | }
+ | }
+ | Both the install script and the required libraries must be bundled in a
+ | JAR file, which is specified with the -jar argument.
+ | modutil -dbdir sql:/home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir
sql:/home/my/sharednssdb
- |  This installation JAR file was signed by:
- |  ----------------------------------------------
- |  **SUBJECT NAME*\*
- |  C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
- |  Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS
- |  Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref
- |  . LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3
- |  Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network \**ISSUER
- |  NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
- |  VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization,
- |  OU="VeriSign, Inc.", O=VeriSign Trust Network
- |  ----------------------------------------------
- |  Do you wish to continue this installation? (y/n) y
- |  Using installer script "installer_script"
- |  Successfully parsed installation script
- |  Current platform is Linux:5.4.08:x86
- |  Using installation parameters for platform Linux:5.4.08:x86
- |  Installed file crypto.so to /tmp/crypto.so
- |  Installed file setup.sh to ./pk11inst.dir/setup.sh
- |  Executing "./pk11inst.dir/setup.sh"...
- |  "./pk11inst.dir/setup.sh" executed successfully
- |  Installed module "Example PKCS #11 Module" into module database
- |  Installation completed successfully
- |    Adding Module Spec
- |    Each module has information stored in the security database about its
- |    configuration and parameters. These can be added or edited using the
- |    -rawadd command. For the current settings or to see the format of the
- |    module spec in the database, use the -rawlist option.
- |  modutil -rawadd modulespec
- |    Deleting a Module
- |    A specific PKCS #11 module can be deleted from the secmod.db database:
- |  modutil -delete modulename -dbdir [sql:]directory
- |    Displaying Module Information
- |    The secmod.db database contains information about the PKCS #11 modules
- |    that are available to an application or server to use. The list of all
- |    modules, information about specific modules, and database configuration
- |    specs for modules can all be viewed.
- |    To simply get a list of modules in the database, use the -list command.
- |  modutil -list [modulename] -dbdir [sql:]directory
- |    Listing the modules shows the module name, their status, and other
- |    associated security databases for certificates and keys. For example:
- |  modutil -list -dbdir sql:/home/my/sharednssdb
- |  Listing of PKCS #11 Modules
- |  -----------------------------------------------------------
- |    1. NSS Internal PKCS #11 Module
- |           slots: 2 slots attached
- |          status: loaded
- |           slot: NSS Internal Cryptographic Services
- |          token: NSS Generic Crypto Services
- |           slot: NSS User Private Key and Certificate Services
- |          token: NSS Certificate DB
- |  -----------------------------------------------------------
- |    Passing a specific module name with the -list returns details information
- |    about the module itself, like supported cipher mechanisms, version
- |    numbers, serial numbers, and other information about the module and the
- |    token it is loaded on. For example:
- |   modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
- |  -----------------------------------------------------------
- |  Name: NSS Internal PKCS #11 Module
- |  Library file: \**Internal ONLY module*\*
- |  Manufacturer: Mozilla Foundation
- |  Description: NSS Internal Crypto Services
- |  PKCS #11 Version 2.20
- |  Library Version: 3.11
- |  Cipher Enable Flags: None
- |  Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
- |    Slot: NSS Internal Cryptographic Services
- |    Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
- |    Manufacturer: Mozilla Foundation
- |    Type: Software
- |    Version Number: 3.11
- |    Firmware Version: 0.0
- |    Status: Enabled
- |    Token Name: NSS Generic Crypto Services
- |    Token Manufacturer: Mozilla Foundation
- |    Token Model: NSS 3
- |    Token Serial Number: 0000000000000000
- |    Token Version: 4.0
- |    Token Firmware Version: 0.0
- |    Access: Write Protected
- |    Login Type: Public (no login required)
- |    User Pin: NOT Initialized
- |    Slot: NSS User Private Key and Certificate Services
- |    Slot Mechanism Flags: None
- |    Manufacturer: Mozilla Foundation
- |    Type: Software
- |    Version Number: 3.11
- |    Firmware Version: 0.0
- |    Status: Enabled
- |    Token Name: NSS Certificate DB
- |    Token Manufacturer: Mozilla Foundation
- |    Token Model: NSS 3
- |    Token Serial Number: 0000000000000000
- |    Token Version: 8.3
- |    Token Firmware Version: 0.0
- |    Access: NOT Write Protected
- |    Login Type: Login required
- |    User Pin: Initialized
- |    A related command, -rawlist returns information about the database
- |    configuration for the modules. (This information can be edited by loading
- |    new specs using the -rawadd command.)
- |   modutil -rawlist -dbdir sql:/home/my/sharednssdb
- |   name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix=
+ | This installation JAR file was signed by:
+ | ----------------------------------------------
+ | **SUBJECT NAME*\*
+ | C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
+ | Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS
+ | Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref
+ | . LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3
+ | Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network \**ISSUER
+ | NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
+ | VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization,
+ | OU="VeriSign, Inc.", O=VeriSign Trust Network
+ | ----------------------------------------------
+ | Do you wish to continue this installation? (y/n) y
+ | Using installer script "installer_script"
+ | Successfully parsed installation script
+ | Current platform is Linux:5.4.08:x86
+ | Using installation parameters for platform Linux:5.4.08:x86
+ | Installed file crypto.so to /tmp/crypto.so
+ | Installed file setup.sh to ./pk11inst.dir/setup.sh
+ | Executing "./pk11inst.dir/setup.sh"...
+ | "./pk11inst.dir/setup.sh" executed successfully
+ | Installed module "Example PKCS #11 Module" into module database
+ | Installation completed successfully
+ | Adding Module Spec
+ | Each module has information stored in the security database about its
+ | configuration and parameters. These can be added or edited using the
+ | -rawadd command. For the current settings or to see the format of the
+ | module spec in the database, use the -rawlist option.
+ | modutil -rawadd modulespec
+ | Deleting a Module
+ | A specific PKCS #11 module can be deleted from the secmod.db database:
+ | modutil -delete modulename -dbdir [sql:]directory
+ | Displaying Module Information
+ | The secmod.db database contains information about the PKCS #11 modules
+ | that are available to an application or server to use. The list of all
+ | modules, information about specific modules, and database configuration
+ | specs for modules can all be viewed.
+ | To simply get a list of modules in the database, use the -list command.
+ | modutil -list [modulename] -dbdir [sql:]directory
+ | Listing the modules shows the module name, their status, and other
+ | associated security databases for certificates and keys. For example:
+ | modutil -list -dbdir sql:/home/my/sharednssdb
+ | Listing of PKCS #11 Modules
+ | -----------------------------------------------------------
+ | 1. NSS Internal PKCS #11 Module
+ | slots: 2 slots attached
+ | status: loaded
+ | slot: NSS Internal Cryptographic Services
+ | token: NSS Generic Crypto Services
+ | slot: NSS User Private Key and Certificate Services
+ | token: NSS Certificate DB
+ | -----------------------------------------------------------
+ | Passing a specific module name with the -list returns details information
+ | about the module itself, like supported cipher mechanisms, version
+ | numbers, serial numbers, and other information about the module and the
+ | token it is loaded on. For example:
+ | modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb
+ | -----------------------------------------------------------
+ | Name: NSS Internal PKCS #11 Module
+ | Library file: \**Internal ONLY module*\*
+ | Manufacturer: Mozilla Foundation
+ | Description: NSS Internal Crypto Services
+ | PKCS #11 Version 2.20
+ | Library Version: 3.11
+ | Cipher Enable Flags: None
+ | Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
+ | Slot: NSS Internal Cryptographic Services
+ | Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
+ | Manufacturer: Mozilla Foundation
+ | Type: Software
+ | Version Number: 3.11
+ | Firmware Version: 0.0
+ | Status: Enabled
+ | Token Name: NSS Generic Crypto Services
+ | Token Manufacturer: Mozilla Foundation
+ | Token Model: NSS 3
+ | Token Serial Number: 0000000000000000
+ | Token Version: 4.0
+ | Token Firmware Version: 0.0
+ | Access: Write Protected
+ | Login Type: Public (no login required)
+ | User Pin: NOT Initialized
+ | Slot: NSS User Private Key and Certificate Services
+ | Slot Mechanism Flags: None
+ | Manufacturer: Mozilla Foundation
+ | Type: Software
+ | Version Number: 3.11
+ | Firmware Version: 0.0
+ | Status: Enabled
+ | Token Name: NSS Certificate DB
+ | Token Manufacturer: Mozilla Foundation
+ | Token Model: NSS 3
+ | Token Serial Number: 0000000000000000
+ | Token Version: 8.3
+ | Token Firmware Version: 0.0
+ | Access: NOT Write Protected
+ | Login Type: Login required
+ | User Pin: Initialized
+ | A related command, -rawlist returns information about the database
+ | configuration for the modules. (This information can be edited by loading
+ | new specs using the -rawadd command.)
+ | modutil -rawlist -dbdir sql:/home/my/sharednssdb
+ | name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix=
secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100
slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any
- timeout=30 ] }  Flags=internal,critical"
- |    Setting a Default Provider for Security Mechanisms
- |    Multiple security modules may provide support for the same security
- |    mechanisms. It is possible to set a specific security module as the
- |    default provider for a specific security mechanism (or, conversely, to
- |    prohibit a provider from supplying those mechanisms).
- |  modutil -default modulename -mechanisms mechanism-list
- |    To set a module as the default provider for mechanisms, use the -default
- |    command with a colon-separated list of mechanisms. The available
- |    mechanisms depend on the module; NSS supplies almost all common
- |    mechanisms. For example:
- |  modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2
- |  Using database directory c:\databases...
- |  Successfully changed defaults.
- |    Clearing the default provider has the same format:
- |  modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5
- |    Enabling and Disabling Modules and Slots
- |    Modules, and specific slots on modules, can be selectively enabled or
- |    disabled using modutil. Both commands have the same format:
- |  modutil -enable|-disable modulename [-slot slotname]
- |    For example:
- |  modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic
- Services                            " -dbdir .
- |  Slot "NSS Internal Cryptographic Services                            " enabled.
- |    Be sure that the appropriate amount of trailing whitespace is after the
- |    slot name. Some slot names have a significant amount of whitespace that
- |    must be included, or the operation will fail.
- |    Enabling and Verifying FIPS Compliance
- |    The NSS modules can have FIPS 140-2 compliance enabled or disabled using
- |    modutil with the -fips option. For example:
- |  modutil -fips true -dbdir sql:/home/my/sharednssdb/
- |  FIPS mode enabled.
- |    To verify that status of FIPS mode, run the -chkfips command with either a
- |    true or false flag (it doesn't matter which). The tool returns the current
- |    FIPS setting.
- |  modutil -chkfips false -dbdir sql:/home/my/sharednssdb/
- |  FIPS mode enabled.
- |    Changing the Password on a Token
- |    Initializing or changing a token's password:
- |  modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file]
- |  modutil -dbdir sql:/home/my/sharednssdb -changepw "NSS Certificate DB"
- |  Enter old password:
- |  Incorrect password, try again...
- |  Enter old password:
- |  Enter new password:
- |  Re-enter new password:
- |  Token "Communicator Certificate DB" password changed successfully.
+ timeout=30 ] } Flags=internal,critical"
+ | Setting a Default Provider for Security Mechanisms
+ | Multiple security modules may provide support for the same security
+ | mechanisms. It is possible to set a specific security module as the
+ | default provider for a specific security mechanism (or, conversely, to
+ | prohibit a provider from supplying those mechanisms).
+ | modutil -default modulename -mechanisms mechanism-list
+ | To set a module as the default provider for mechanisms, use the -default
+ | command with a colon-separated list of mechanisms. The available
+ | mechanisms depend on the module; NSS supplies almost all common
+ | mechanisms. For example:
+ | modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2
+ | Using database directory c:\databases...
+ | Successfully changed defaults.
+ | Clearing the default provider has the same format:
+ | modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5
+ | Enabling and Disabling Modules and Slots
+ | Modules, and specific slots on modules, can be selectively enabled or
+ | disabled using modutil. Both commands have the same format:
+ | modutil -enable|-disable modulename [-slot slotname]
+ | For example:
+ | modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic
+ Services " -dbdir .
+ | Slot "NSS Internal Cryptographic Services " enabled.
+ | Be sure that the appropriate amount of trailing whitespace is after the
+ | slot name. Some slot names have a significant amount of whitespace that
+ | must be included, or the operation will fail.
+ | Enabling and Verifying FIPS Compliance
+ | The NSS modules can have FIPS 140-2 compliance enabled or disabled using
+ | modutil with the -fips option. For example:
+ | modutil -fips true -dbdir sql:/home/my/sharednssdb/
+ | FIPS mode enabled.
+ | To verify that status of FIPS mode, run the -chkfips command with either a
+ | true or false flag (it doesn't matter which). The tool returns the current
+ | FIPS setting.
+ | modutil -chkfips false -dbdir sql:/home/my/sharednssdb/
+ | FIPS mode enabled.
+ | Changing the Password on a Token
+ | Initializing or changing a token's password:
+ | modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file]
+ | modutil -dbdir sql:/home/my/sharednssdb -changepw "NSS Certificate DB"
+ | Enter old password:
+ | Incorrect password, try again...
+ | Enter old password:
+ | Enter new password:
+ | Re-enter new password:
+ | Token "Communicator Certificate DB" password changed successfully.
| JAR Installation File Format
- |    When a JAR file is run by a server, by modutil, or by any program that
- |    does not interpret JavaScript, a special information file must be included
- |    to install the libraries. There are several things to keep in mind with
- |    this file:
- |      o It must be declared in the JAR archive's manifest file.
- |      o The script can have any name.
- |      o The metainfo tag for this is Pkcs11_install_script. To declare
- |        meta-information in the manifest file, put it in a file that is passed
- |        to signtool.
- |    Sample Script
- |    For example, the PKCS #11 installer script could be in the file
- |    pk11install. If so, the metainfo file for signtool includes a line such as
- |    this:
- |  + Pkcs11_install_script: pk11install
- |    The script must define the platform and version number, the module name
- |    and file, and any optional information like supported ciphers and
- |    mechanisms. Multiple platforms can be defined in a single install file.
- |  ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
- |  Platforms {
- |     WINNT::x86 {
- |        ModuleName { "Example Module" }
- |        ModuleFile { win32/fort32.dll }
- |        DefaultMechanismFlags{0x0001}
- |        DefaultCipherFlags{0x0001}
- |        Files {
- |           win32/setup.exe {
- |              Executable
- |              RelativePath { %temp%/setup.exe }
- |           }
- |           win32/setup.hlp {
- |              RelativePath { %temp%/setup.hlp }
- |           }
- |           win32/setup.cab {
- |              RelativePath { %temp%/setup.cab }
- |           }
- |        }
- |     }
- |     WIN95::x86 {
- |        EquivalentPlatform {WINNT::x86}
- |     }
- |     SUNOS:5.5.1:sparc {
- |        ModuleName { "Example UNIX Module" }
- |        ModuleFile { unix/fort.so }
- |        DefaultMechanismFlags{0x0001}
- |        CipherEnableFlags{0x0001}
- |        Files {
- |           unix/fort.so {
- |              RelativePath{%root%/lib/fort.so}
- |              AbsolutePath{/usr/local/netscape/lib/fort.so}
- |              FilePermissions{555}
- |           }
- |           xplat/instr.html {
- |              RelativePath{%root%/docs/inst.html}
- |              AbsolutePath{/usr/local/netscape/docs/inst.html}
- |              FilePermissions{555}
- |           }
- |        }
- |     }
- |     IRIX:6.2:mips {
- |        EquivalentPlatform { SUNOS:5.5.1:sparc }
- |     }
- |  }
- |    Script Grammar
- |    The script is basic Java, allowing lists, key-value pairs, strings, and
- |    combinations of all of them.
- |  --> valuelist
- |  valuelist --> value valuelist
- |                 <null>
- |  value ---> key_value_pair
- |              string
- |  key_value_pair --> key { valuelist }
- |  key --> string
- |  string --> simple_string
- |              "complex_string"
- |  simple_string --> [^ \\t\n\""{""}"]+
- |  complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+
- |    Quotes and backslashes must be escaped with a backslash. A complex string
- |    must not include newlines or carriage returns.Outside of complex strings,
- |    all white space (for example, spaces, tabs, and carriage returns) is
- |    considered equal and is used only to delimit tokens.
- |    Keys
- |    The Java install file uses keys to define the platform and module
- |    information.
- |    ForwardCompatible gives a list of platforms that are forward compatible.
- |    If the current platform cannot be found in the list of supported
- |    platforms, then the ForwardCompatible list is checked for any platforms
- |    that have the same OS and architecture in an earlier version. If one is
- |    found, its attributes are used for the current platform.
- |    Platforms (required) Gives a list of platforms. Each entry in the list is
- |    itself a key-value pair: the key is the name of the platform and the value
- |    list contains various attributes of the platform. The platform string is
- |    in the format system name:OS release:architecture. The installer obtains
- |    these values from NSPR. OS release is an empty string on non-Unix
- |    operating systems. NSPR supports these platforms:
- |      o AIX (rs6000)
- |      o BSDI (x86)
- |      o FREEBSD (x86)
- |      o HPUX (hppa1.1)
- |      o IRIX (mips)
- |      o LINUX (ppc, alpha, x86)
- |      o MacOS (PowerPC)
- |      o NCR (x86)
- |      o NEC (mips)
- |      o OS2 (x86)
- |      o OSF (alpha)
- |      o ReliantUNIX (mips)
- |      o SCO (x86)
- |      o SOLARIS (sparc)
- |      o SONY (mips)
- |      o SUNOS (sparc)
- |      o UnixWare (x86)
- |      o WIN16 (x86)
- |      o WIN95 (x86)
- |      o WINNT (x86)
- |    For example:
- |  IRIX:6.2:mips
- |  SUNOS:5.5.1:sparc
- |  Linux:2.0.32:x86
- |  WIN95::x86
- |    The module information is defined independently for each platform in the
- |    ModuleName, ModuleFile, and Files attributes. These attributes must be
- |    given unless an EquivalentPlatform attribute is specified.
- |    Per-Platform Keys
- |    Per-platform keys have meaning only within the value list of an entry in
- |    the Platforms list.
- |    ModuleName (required) gives the common name for the module. This name is
- |    used to reference the module by servers and by the modutil tool.
- |    ModuleFile (required) names the PKCS #11 module file for this platform.
- |    The name is given as the relative path of the file within the JAR archive.
- |    Files (required) lists the files that need to be installed for this
- |    module. Each entry in the file list is a key-value pair. The key is the
- |    path of the file in the JAR archive, and the value list contains
- |    attributes of the file. At least RelativePath or AbsolutePath must be
- |    specified for each file.
- |    DefaultMechanismFlags specifies mechanisms for which this module is the
- |    default provider; this is equivalent to the -mechanism option with the
- |    -add command. This key-value pair is a bitstring specified in hexadecimal
- |    (0x) format. It is constructed as a bitwise OR. If the
- |    DefaultMechanismFlags entry is omitted, the value defaults to 0x0.
- |  RSA:                   0x00000001
- |  DSA:                   0x00000002
- |  RC2:                   0x00000004
- |  RC4:                   0x00000008
- |  DES:                   0x00000010
- |  DH:                    0x00000020
- |  FORTEZZA:              0x00000040
- |  RC5:                   0x00000080
- |  SHA1:                  0x00000100
- |  MD5:                   0x00000200
- |  MD2:                   0x00000400
- |  RANDOM:                0x08000000
- |  FRIENDLY:              0x10000000
- |  OWN_PW_DEFAULTS:       0x20000000
- |  DISABLE:               0x40000000
- |    CipherEnableFlags specifies ciphers that this module provides that NSS
- |    does not provide (so that the module enables those ciphers for NSS). This
- |    is equivalent to the -cipher argument with the -add command. This key is a
- |    bitstring specified in hexadecimal (0x) format. It is constructed as a
- |    bitwise OR. If the CipherEnableFlags entry is omitted, the value defaults
- |    to 0x0.
- |    EquivalentPlatform specifies that the attributes of the named platform
- |    should also be used for the current platform. This makes it easier when
- |    more than one platform uses the same settings.
- |    Per-File Keys
- |    Some keys have meaning only within the value list of an entry in a Files
- |    list.
- |    Each file requires a path key the identifies where the file is. Either
- |    RelativePath or AbsolutePath must be specified. If both are specified, the
- |    relative path is tried first, and the absolute path is used only if no
- |    relative root directory is provided by the installer program.
- |    RelativePath specifies the destination directory of the file, relative to
- |    some directory decided at install time. Two variables can be used in the
- |    relative path: %root% and %temp%. %root% is replaced at run time with the
- |    directory relative to which files should be installed; for example, it may
- |    be the server's root directory. The %temp% directory is created at the
- |    beginning of the installation and destroyed at the end. The purpose of
- |    %temp% is to hold executable files (such as setup programs) or files that
- |    are used by these programs. Files destined for the temporary directory are
- |    guaranteed to be in place before any executable file is run; they are not
- |    deleted until all executable files have finished.
- |    AbsolutePath specifies the destination directory of the file as an
- |    absolute path.
- |    Executable specifies that the file is to be executed during the course of
- |    the installation. Typically, this string is used for a setup program
- |    provided by a module vendor, such as a self-extracting setup executable.
- |    More than one file can be specified as executable, in which case the files
- |    are run in the order in which they are specified in the script file.
- |    FilePermissions sets permissions on any referenced files in a string of
- |    octal digits, according to the standard Unix format. This string is a
- |    bitwise OR.
- |  user read:                0400
- |  user write:               0200
- |  user execute:             0100
- |  group read:               0040
- |  group write:              0020
- |  group execute:            0010
- |  other read:               0004
- |  other write:              0002
- |  other execute:       0001
- |    Some platforms may not understand these permissions. They are applied only
- |    insofar as they make sense for the current platform. If this attribute is
- |    omitted, a default of 777 is assumed.
+ | When a JAR file is run by a server, by modutil, or by any program that
+ | does not interpret JavaScript, a special information file must be included
+ | to install the libraries. There are several things to keep in mind with
+ | this file:
+ | o It must be declared in the JAR archive's manifest file.
+ | o The script can have any name.
+ | o The metainfo tag for this is Pkcs11_install_script. To declare
+ | meta-information in the manifest file, put it in a file that is passed
+ | to signtool.
+ | Sample Script
+ | For example, the PKCS #11 installer script could be in the file
+ | pk11install. If so, the metainfo file for signtool includes a line such as
+ | this:
+ | + Pkcs11_install_script: pk11install
+ | The script must define the platform and version number, the module name
+ | and file, and any optional information like supported ciphers and
+ | mechanisms. Multiple platforms can be defined in a single install file.
+ | ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
+ | Platforms {
+ | WINNT::x86 {
+ | ModuleName { "Example Module" }
+ | ModuleFile { win32/fort32.dll }
+ | DefaultMechanismFlags{0x0001}
+ | DefaultCipherFlags{0x0001}
+ | Files {
+ | win32/setup.exe {
+ | Executable
+ | RelativePath { %temp%/setup.exe }
+ | }
+ | win32/setup.hlp {
+ | RelativePath { %temp%/setup.hlp }
+ | }
+ | win32/setup.cab {
+ | RelativePath { %temp%/setup.cab }
+ | }
+ | }
+ | }
+ | WIN95::x86 {
+ | EquivalentPlatform {WINNT::x86}
+ | }
+ | SUNOS:5.5.1:sparc {
+ | ModuleName { "Example UNIX Module" }
+ | ModuleFile { unix/fort.so }
+ | DefaultMechanismFlags{0x0001}
+ | CipherEnableFlags{0x0001}
+ | Files {
+ | unix/fort.so {
+ | RelativePath{%root%/lib/fort.so}
+ | AbsolutePath{/usr/local/netscape/lib/fort.so}
+ | FilePermissions{555}
+ | }
+ | xplat/instr.html {
+ | RelativePath{%root%/docs/inst.html}
+ | AbsolutePath{/usr/local/netscape/docs/inst.html}
+ | FilePermissions{555}
+ | }
+ | }
+ | }
+ | IRIX:6.2:mips {
+ | EquivalentPlatform { SUNOS:5.5.1:sparc }
+ | }
+ | }
+ | Script Grammar
+ | The script is basic Java, allowing lists, key-value pairs, strings, and
+ | combinations of all of them.
+ | --> valuelist
+ | valuelist --> value valuelist
+ | <null>
+ | value ---> key_value_pair
+ | string
+ | key_value_pair --> key { valuelist }
+ | key --> string
+ | string --> simple_string
+ | "complex_string"
+ | simple_string --> [^ \\t\n\""{""}"]+
+ | complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+
+ | Quotes and backslashes must be escaped with a backslash. A complex string
+ | must not include newlines or carriage returns.Outside of complex strings,
+ | all white space (for example, spaces, tabs, and carriage returns) is
+ | considered equal and is used only to delimit tokens.
+ | Keys
+ | The Java install file uses keys to define the platform and module
+ | information.
+ | ForwardCompatible gives a list of platforms that are forward compatible.
+ | If the current platform cannot be found in the list of supported
+ | platforms, then the ForwardCompatible list is checked for any platforms
+ | that have the same OS and architecture in an earlier version. If one is
+ | found, its attributes are used for the current platform.
+ | Platforms (required) Gives a list of platforms. Each entry in the list is
+ | itself a key-value pair: the key is the name of the platform and the value
+ | list contains various attributes of the platform. The platform string is
+ | in the format system name:OS release:architecture. The installer obtains
+ | these values from NSPR. OS release is an empty string on non-Unix
+ | operating systems. NSPR supports these platforms:
+ | o AIX (rs6000)
+ | o BSDI (x86)
+ | o FREEBSD (x86)
+ | o HPUX (hppa1.1)
+ | o IRIX (mips)
+ | o LINUX (ppc, alpha, x86)
+ | o MacOS (PowerPC)
+ | o NCR (x86)
+ | o NEC (mips)
+ | o OS2 (x86)
+ | o OSF (alpha)
+ | o ReliantUNIX (mips)
+ | o SCO (x86)
+ | o SOLARIS (sparc)
+ | o SONY (mips)
+ | o SUNOS (sparc)
+ | o UnixWare (x86)
+ | o WIN16 (x86)
+ | o WIN95 (x86)
+ | o WINNT (x86)
+ | For example:
+ | IRIX:6.2:mips
+ | SUNOS:5.5.1:sparc
+ | Linux:2.0.32:x86
+ | WIN95::x86
+ | The module information is defined independently for each platform in the
+ | ModuleName, ModuleFile, and Files attributes. These attributes must be
+ | given unless an EquivalentPlatform attribute is specified.
+ | Per-Platform Keys
+ | Per-platform keys have meaning only within the value list of an entry in
+ | the Platforms list.
+ | ModuleName (required) gives the common name for the module. This name is
+ | used to reference the module by servers and by the modutil tool.
+ | ModuleFile (required) names the PKCS #11 module file for this platform.
+ | The name is given as the relative path of the file within the JAR archive.
+ | Files (required) lists the files that need to be installed for this
+ | module. Each entry in the file list is a key-value pair. The key is the
+ | path of the file in the JAR archive, and the value list contains
+ | attributes of the file. At least RelativePath or AbsolutePath must be
+ | specified for each file.
+ | DefaultMechanismFlags specifies mechanisms for which this module is the
+ | default provider; this is equivalent to the -mechanism option with the
+ | -add command. This key-value pair is a bitstring specified in hexadecimal
+ | (0x) format. It is constructed as a bitwise OR. If the
+ | DefaultMechanismFlags entry is omitted, the value defaults to 0x0.
+ | RSA: 0x00000001
+ | DSA: 0x00000002
+ | RC2: 0x00000004
+ | RC4: 0x00000008
+ | DES: 0x00000010
+ | DH: 0x00000020
+ | FORTEZZA: 0x00000040
+ | RC5: 0x00000080
+ | SHA1: 0x00000100
+ | MD5: 0x00000200
+ | MD2: 0x00000400
+ | RANDOM: 0x08000000
+ | FRIENDLY: 0x10000000
+ | OWN_PW_DEFAULTS: 0x20000000
+ | DISABLE: 0x40000000
+ | CipherEnableFlags specifies ciphers that this module provides that NSS
+ | does not provide (so that the module enables those ciphers for NSS). This
+ | is equivalent to the -cipher argument with the -add command. This key is a
+ | bitstring specified in hexadecimal (0x) format. It is constructed as a
+ | bitwise OR. If the CipherEnableFlags entry is omitted, the value defaults
+ | to 0x0.
+ | EquivalentPlatform specifies that the attributes of the named platform
+ | should also be used for the current platform. This makes it easier when
+ | more than one platform uses the same settings.
+ | Per-File Keys
+ | Some keys have meaning only within the value list of an entry in a Files
+ | list.
+ | Each file requires a path key the identifies where the file is. Either
+ | RelativePath or AbsolutePath must be specified. If both are specified, the
+ | relative path is tried first, and the absolute path is used only if no
+ | relative root directory is provided by the installer program.
+ | RelativePath specifies the destination directory of the file, relative to
+ | some directory decided at install time. Two variables can be used in the
+ | relative path: %root% and %temp%. %root% is replaced at run time with the
+ | directory relative to which files should be installed; for example, it may
+ | be the server's root directory. The %temp% directory is created at the
+ | beginning of the installation and destroyed at the end. The purpose of
+ | %temp% is to hold executable files (such as setup programs) or files that
+ | are used by these programs. Files destined for the temporary directory are
+ | guaranteed to be in place before any executable file is run; they are not
+ | deleted until all executable files have finished.
+ | AbsolutePath specifies the destination directory of the file as an
+ | absolute path.
+ | Executable specifies that the file is to be executed during the course of
+ | the installation. Typically, this string is used for a setup program
+ | provided by a module vendor, such as a self-extracting setup executable.
+ | More than one file can be specified as executable, in which case the files
+ | are run in the order in which they are specified in the script file.
+ | FilePermissions sets permissions on any referenced files in a string of
+ | octal digits, according to the standard Unix format. This string is a
+ | bitwise OR.
+ | user read: 0400
+ | user write: 0200
+ | user execute: 0100
+ | group read: 0040
+ | group write: 0020
+ | group execute: 0010
+ | other read: 0004
+ | other write: 0002
+ | other execute: 0001
+ | Some platforms may not understand these permissions. They are applied only
+ | insofar as they make sense for the current platform. If this attribute is
+ | omitted, a default of 777 is assumed.
| NSS Database Types
- |    NSS originally used BerkeleyDB databases to store security information.
- |    The last versions of these legacy databases are:
- |      o cert8.db for certificates
- |      o key3.db for keys
- |      o secmod.db for PKCS #11 module information
- |    BerkeleyDB has performance limitations, though, which prevent it from
- |    being easily used by multiple applications simultaneously. NSS has some
- |    flexibility that allows applications to use their own, independent
- |    database engine while keeping a shared database and working around the
- |    access issues. Still, NSS requires more flexibility to provide a truly
- |    shared security database.
- |    In 2009, NSS introduced a new set of databases that are SQLite databases
- |    rather than BerkleyDB. These new databases provide more accessibility and
- |    performance:
- |      o cert9.db for certificates
- |      o key4.db for keys
- |      o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
- |        in a new subdirectory in the security databases directory
- |    Because the SQLite databases are designed to be shared, these are the
- |    shared database type. The shared database type is preferred; the legacy
- |    format is included for backward compatibility.
- |    By default, the tools (certutil, pk12util, modutil) assume that the given
- |    security databases follow the more common legacy type. Using the SQLite
- |    databases must be manually specified by using the sql: prefix with the
- |    given security directory. For example:
- |  modutil -create -dbdir sql:/home/my/sharednssdb
- |    To set the shared database type as the default type for the tools, set the
- |    NSS_DEFAULT_DB_TYPE environment variable to sql:
- |  export NSS_DEFAULT_DB_TYPE="sql"
- |    This line can be set added to the ~/.bashrc file to make the change
- |    permanent.
- |    Most applications do not use the shared database by default, but they can
- |    be configured to use them. For example, this how-to article covers how to
- |    configure Firefox and Thunderbird to use the new shared NSS databases:
- |      o https://wiki.mozilla.org/NSS_Shared_DB_Howto
- |    For an engineering draft on the changes in the shared NSS databases, see
- |    the NSS project wiki:
- |      o https://wiki.mozilla.org/NSS_Shared_DB
+ | NSS originally used BerkeleyDB databases to store security information.
+ | The last versions of these legacy databases are:
+ | o cert8.db for certificates
+ | o key3.db for keys
+ | o secmod.db for PKCS #11 module information
+ | BerkeleyDB has performance limitations, though, which prevent it from
+ | being easily used by multiple applications simultaneously. NSS has some
+ | flexibility that allows applications to use their own, independent
+ | database engine while keeping a shared database and working around the
+ | access issues. Still, NSS requires more flexibility to provide a truly
+ | shared security database.
+ | In 2009, NSS introduced a new set of databases that are SQLite databases
+ | rather than BerkleyDB. These new databases provide more accessibility and
+ | performance:
+ | o cert9.db for certificates
+ | o key4.db for keys
+ | o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
+ | in a new subdirectory in the security databases directory
+ | Because the SQLite databases are designed to be shared, these are the
+ | shared database type. The shared database type is preferred; the legacy
+ | format is included for backward compatibility.
+ | By default, the tools (certutil, pk12util, modutil) assume that the given
+ | security databases follow the more common legacy type. Using the SQLite
+ | databases must be manually specified by using the sql: prefix with the
+ | given security directory. For example:
+ | modutil -create -dbdir sql:/home/my/sharednssdb
+ | To set the shared database type as the default type for the tools, set the
+ | NSS_DEFAULT_DB_TYPE environment variable to sql:
+ | export NSS_DEFAULT_DB_TYPE="sql"
+ | This line can be set added to the ~/.bashrc file to make the change
+ | permanent.
+ | Most applications do not use the shared database by default, but they can
+ | be configured to use them. For example, this how-to article covers how to
+ | configure Firefox and Thunderbird to use the new shared NSS databases:
+ | o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+ | For an engineering draft on the changes in the shared NSS databases, see
+ | the NSS project wiki:
+ | o https://wiki.mozilla.org/NSS_Shared_DB
| See Also
- |    certutil (1)
- |    pk12util (1)
- |    signtool (1)
- |    The NSS wiki has information on the new database design and how to
- |    configure applications to use it.
- |      o https://wiki.mozilla.org/NSS_Shared_DB_Howto
- |      o https://wiki.mozilla.org/NSS_Shared_DB
+ | certutil (1)
+ | pk12util (1)
+ | signtool (1)
+ | The NSS wiki has information on the new database design and how to
+ | configure applications to use it.
+ | o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+ | o https://wiki.mozilla.org/NSS_Shared_DB
| Additional Resources
- |    For information about NSS and other tools related to NSS (like JSS), check
- |    out the NSS project wiki at
- |   
+ | For information about NSS and other tools related to NSS (like JSS), check
+ | out the NSS project wiki at
+ |
[2]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
- |    directly to NSS code changes and releases.
- |    Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
- |    IRC: Freenode at #dogtag-pki
+ | directly to NSS code changes and releases.
+ | Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
+ | IRC: Freenode at #dogtag-pki
| Authors
- |    The NSS tools were written and maintained by developers with Netscape, Red
- |    Hat, and Sun.
- |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
- |    <dlackey@redhat.com>.
+ | The NSS tools were written and maintained by developers with Netscape, Red
+ | Hat, and Sun.
+ | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+ | <dlackey@redhat.com>.
| Copyright
- |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+ | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
- |    Visible links
- |    1. JAR Installation File Format
- |     ``file:///tmp/xmlto.6gGxS0/modutil.pro...r-install-file``
- |    2. https://www.mozilla.org/projects/security/pki/nss/ \ No newline at end of file
+ | Visible links
+ | 1. JAR Installation File Format
+ | ``file:///tmp/xmlto.6gGxS0/modutil.pro...r-install-file``
+ | 2. https://www.mozilla.org/projects/security/pki/nss/ \ No newline at end of file
diff --git a/doc/rst/legacy/tools/nss_tools_certutil/index.rst b/doc/rst/legacy/tools/nss_tools_certutil/index.rst
index 451f3869e..06a8f0022 100644
--- a/doc/rst/legacy/tools/nss_tools_certutil/index.rst
+++ b/doc/rst/legacy/tools/nss_tools_certutil/index.rst
@@ -59,7 +59,7 @@ NSS Tools certutil
Certificate Database Tool command options and their arguments are defined as follows:
+-------------------------------------------------+-------------------------------------------------+
- |  **Options** | |
+ | **Options** | |
+-------------------------------------------------+-------------------------------------------------+
| ``-N`` | Create new certificate and key databases. |
+-------------------------------------------------+-------------------------------------------------+
@@ -278,17 +278,17 @@ NSS Tools certutil
| | each category position use zero or more of the |
| | following attribute codes: |
| | |
- | | | ``p``    prohibited (explicitly distrusted) |
- | | | ``P``    Trusted peer |
- | | | ``c``    Valid CA |
- | | | ``T``    Trusted CA to issue client |
+ | | | ``p`` prohibited (explicitly distrusted) |
+ | | | ``P`` Trusted peer |
+ | | | ``c`` Valid CA |
+ | | | ``T`` Trusted CA to issue client |
| | certificates (implies ``c``) |
- | | | ``C``    Trusted CA to issue server |
+ | | | ``C`` Trusted CA to issue server |
| | certificates (SSL only) |
- | | |       (implies ``c``) |
- | | | ``u``    Certificate can be used for |
+ | | | (implies ``c``) |
+ | | | ``u`` Certificate can be used for |
| | authentication or signing |
- | | | ``w``    Send warning (use with other |
+ | | | ``w`` Send warning (use with other |
| | attributes to include a warning when the |
| | certificate is used in that context) |
| | |
@@ -562,8 +562,8 @@ NSS Tools certutil
The Certificate Database Tool displays output similar to the following:
- | ``Certificate Name              Trust Attributes``
- | ``Uptime Group Plc. Class 1 CA        C,C, VeriSign Class 1 Primary CA         ,C, VeriSign Class 2 Primary CA         C,C,C AT&T Certificate Services           C,C, GTE CyberTrust Secure Server CA     C,, Verisign/RSA Commercial CA          C,C, AT&T Directory Services             C,C, BelSign Secure Server CA            C,, Verisign/RSA Secure Server CA       C,C, GTE CyberTrust Root CA              C,C, Uptime Group Plc. Class 4 CA        ,C, VeriSign Class 3 Primary CA         C,C,C Canada Post Corporation CA          C,C, Integrion CA                        C,C,C IBM World Registry CA               C,C,C GTIS/PWGSC, Canada Gov. Web CA      C,C, GTIS/PWGSC, Canada Gov. Secure CA   C,C,C MCI Mall CA                         C,C, VeriSign Class 4 Primary CA         C,C,C KEYWITNESS, Canada CA               C,C, BelSign Object Publishing CA        ,,C BBN Certificate Services CA Root 1  C,C, p    prohibited (explicitly distrusted) P    Trusted peer c    Valid CA T    Trusted CA to issue client certs (implies c) C    Trusted CA to issue server certs(for ssl only) (implies c) u    User cert w    Send warning``
+ | ``Certificate Name Trust Attributes``
+ | ``Uptime Group Plc. Class 1 CA C,C, VeriSign Class 1 Primary CA ,C, VeriSign Class 2 Primary CA C,C,C AT&T Certificate Services C,C, GTE CyberTrust Secure Server CA C,, Verisign/RSA Commercial CA C,C, AT&T Directory Services C,C, BelSign Secure Server CA C,, Verisign/RSA Secure Server CA C,C, GTE CyberTrust Root CA C,C, Uptime Group Plc. Class 4 CA ,C, VeriSign Class 3 Primary CA C,C,C Canada Post Corporation CA C,C, Integrion CA C,C,C IBM World Registry CA C,C,C GTIS/PWGSC, Canada Gov. Web CA C,C, GTIS/PWGSC, Canada Gov. Secure CA C,C,C MCI Mall CA C,C, VeriSign Class 4 Primary CA C,C,C KEYWITNESS, Canada CA C,C, BelSign Object Publishing CA ,,C BBN Certificate Services CA Root 1 C,C, p prohibited (explicitly distrusted) P Trusted peer c Valid CA T Trusted CA to issue client certs (implies c) C Trusted CA to issue server certs(for ssl only) (implies c) u User cert w Send warning``
.. _creating_a_certificate_request:
@@ -630,9 +630,9 @@ NSS Tools certutil
The Certificate Database Tool displays output similar to the following:
- | ``Certificate:   Data:     Version: 3 (0x2)     Serial Number: 0 (0x0)     Signature Algorithm: PKCS #1 MD5 With RSA Encryption     Issuer: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US     Validity:         Not Before: Thu Mar 12 00:10:40 1998         Not After: Sat Sep 12 00:10:40 1998 Subject: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US``
- | ``Subject Public Key Info:   Public Key Algorithm: PKCS #1 RSA Encryption   RSA Public Key:     Modulus:         00:da:53:23:58:00:91:6a:d1:a2:39:26:2f:06:3a:         38:eb:d4:c1:54:a3:62:00:b9:f0:7f:d6:00:76:aa:         18:da:6b:79:71:5b:d9:8a:82:24:07:ed:49:5b:33:         bf:c5:79:7c:f6:22:a7:18:66:9f:ab:2d:33:03:ec:         63:eb:9d:0d:02:1b:da:32:ae:6c:d4:40:95:9f:b3:         44:8b:8e:8e:a3:ae:ad:08:38:4f:2e:53:e9:e1:3f:         8e:43:7f:51:61:b9:0f:f3:a6:25:1e:0b:93:74:8f:         c6:13:a3:cd:51:40:84:0e:79:ea:b7:6b:d1:cc:6b:         78:d0:5d:da:be:2b:57:c2:6f     Exponent: 65537 (0x10001) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Signature:   44:15:e5:ae:c4:30:2c:cd:60:89:f1:1d:22:ed:5e:5b:10:c8:   7e:5f:56:8c:b4:00:12:ed:5f:a4:6a:12:c3:0d:01:03:09:f2:   2f:e7:fd:95:25:47:80:ea:c1:25:5a:33:98:16:52:78:24:80:   c9:53:11:40:99:f5:bd:b8:e9:35:0e:5d:3e:38:6a:5c:10:d1:   c6:f9:54:af:28:56:62:f4:2f:b3:9b:50:e1:c3:a2:ba:27:ee:   07:9f:89:2e:78:5c:6d:46:b6:5e:99:de:e6:9d:eb:d9:ff:b2:   5f:c6:f6:c6:52:4a:d4:67:be:8d:fc:dd:52:51:8e:a2:d7:15:   71:3e``
- | ``Certificate Trust Flags:   SSL Flags:     Valid CA     Trusted CA   Email Flags:     Valid CA     Trusted CA   Object Signing Flags:     Valid CA     Trusted CA``
+ | ``Certificate: Data: Version: 3 (0x2) Serial Number: 0 (0x0) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US Validity: Not Before: Thu Mar 12 00:10:40 1998 Not After: Sat Sep 12 00:10:40 1998 Subject: CN=John Smith, O=Netscape, L=Mountain View, ST=California, C=US``
+ | ``Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: 00:da:53:23:58:00:91:6a:d1:a2:39:26:2f:06:3a: 38:eb:d4:c1:54:a3:62:00:b9:f0:7f:d6:00:76:aa: 18:da:6b:79:71:5b:d9:8a:82:24:07:ed:49:5b:33: bf:c5:79:7c:f6:22:a7:18:66:9f:ab:2d:33:03:ec: 63:eb:9d:0d:02:1b:da:32:ae:6c:d4:40:95:9f:b3: 44:8b:8e:8e:a3:ae:ad:08:38:4f:2e:53:e9:e1:3f: 8e:43:7f:51:61:b9:0f:f3:a6:25:1e:0b:93:74:8f: c6:13:a3:cd:51:40:84:0e:79:ea:b7:6b:d1:cc:6b: 78:d0:5d:da:be:2b:57:c2:6f Exponent: 65537 (0x10001) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Signature: 44:15:e5:ae:c4:30:2c:cd:60:89:f1:1d:22:ed:5e:5b:10:c8: 7e:5f:56:8c:b4:00:12:ed:5f:a4:6a:12:c3:0d:01:03:09:f2: 2f:e7:fd:95:25:47:80:ea:c1:25:5a:33:98:16:52:78:24:80: c9:53:11:40:99:f5:bd:b8:e9:35:0e:5d:3e:38:6a:5c:10:d1: c6:f9:54:af:28:56:62:f4:2f:b3:9b:50:e1:c3:a2:ba:27:ee: 07:9f:89:2e:78:5c:6d:46:b6:5e:99:de:e6:9d:eb:d9:ff:b2: 5f:c6:f6:c6:52:4a:d4:67:be:8d:fc:dd:52:51:8e:a2:d7:15: 71:3e``
+ | ``Certificate Trust Flags: SSL Flags: Valid CA Trusted CA Email Flags: Valid CA Trusted CA Object Signing Flags: Valid CA Trusted CA``
.. _validating_a_certificate:
diff --git a/doc/rst/legacy/tools/nss_tools_cmsutil/index.rst b/doc/rst/legacy/tools/nss_tools_cmsutil/index.rst
index 34aca375c..9697bce4f 100644
--- a/doc/rst/legacy/tools/nss_tools_cmsutil/index.rst
+++ b/doc/rst/legacy/tools/nss_tools_cmsutil/index.rst
@@ -13,7 +13,7 @@ NSS Tools cmsutil
Newsgroup: `mozilla.dev.tech.crypto <news://news.mozilla.org/mozilla.dev.tech.crypto>`__
The cmsutil command-line utility uses the `S/MIME Toolkit <../smime/>`__ to perform basic
operations, such as encryption and decryption, on `Cryptographic Message
- Syntax (CMS) <http://www.ietf.org/rfc/rfc2630.txt>`__ messages.
+ Syntax (CMS) <http://www.ietf.org/rfc/rfc2630.txt>`__ messages.
.. _syntax_2:
@@ -86,7 +86,7 @@ NSS Tools cmsutil
| -p *password* | Use password as key database password. |
+------------------------------------------------+------------------------------------------------+
| - | Specify list of recipients (email addresses) |
- | r&nbsp\ *recipient1*,\ *recipient2, . .&nbsp.* | for an encrypted or enveloped message. For |
+ | r&nbsp\ *recipient1*,\ *recipient2, . .&nbsp.* | for an encrypted or enveloped message. For |
| | certificates-only message, list of |
| | certificates to send. |
+------------------------------------------------+------------------------------------------------+
@@ -105,7 +105,7 @@ NSS Tools cmsutil
.. container::
cmsutil -C [-i *infile*] [-o *outfile*] [-d *dbdir*] [-p *password*] -r
- "*recipient1*,\ *recipient2*, . . ." -e *envfile*
+ "*recipient1*,\ *recipient2*, . . ." -e *envfile*
cmsutil -D [-i *infile*] [-o *outfile*] [-d *dbdir*] [-p *password*] [-c *content*] [-n] [-h
*num*]
@@ -113,7 +113,7 @@ NSS Tools cmsutil
"*recipient1*,\ *recipient2*,&nbsp.&nbsp.&nbsp."
cmsutil -O [-i *infile*] [-o *outfile*] [-d *dbdir*] [-p *password*] -r
- "*cert1*,\ *cert2*, . . ."
+ "*cert1*,\ *cert2*, . . ."
cmsutil -S [-i *infile*] [-o *outfile*] [-d *dbdir*] [-p *password*] -N *nickname*\ [-TGP] [-Y
*ekprefnick*] \ No newline at end of file
diff --git a/doc/rst/legacy/tools/nss_tools_crlutil/index.rst b/doc/rst/legacy/tools/nss_tools_crlutil/index.rst
index 98362542a..d190e576e 100644
--- a/doc/rst/legacy/tools/nss_tools_crlutil/index.rst
+++ b/doc/rst/legacy/tools/nss_tools_crlutil/index.rst
@@ -386,14 +386,14 @@ NSS Tools crlutil
The CRL Management Tool displays output similar to the following:
- ``CRL Name              CRL Type``
+ ``CRL Name CRL Type``
- ``CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US  CRL CN=John Smith,O=Netscape,L=Mountain View,ST=California,C=US  CRL``
+ ``CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US CRL CN=John Smith,O=Netscape,L=Mountain View,ST=California,C=US CRL``
| To view a particular CRL user should specify *-n nickname* parameter.
| ``crlutil -L -d``\ *certdir*\ ``-n`` *nickname*
- ``CRL Info: :     Version: 2 (0x1)     Signature Algorithm: PKCS #1 MD5 With RSA Encryption     Issuer: "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US"     This Update: Wed Feb 23 12:08:38 2005     Entry (1):         Serial Number: 40 (0x28)         Revocation Date: Wed Feb 23 12:08:10 2005     Entry (2):         Serial Number: 42 (0x2a)         Revocation Date: Wed Feb 23 12:08:40 2005``
+ ``CRL Info: : Version: 2 (0x1) Signature Algorithm: PKCS #1 MD5 With RSA Encryption Issuer: "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" This Update: Wed Feb 23 12:08:38 2005 Entry (1): Serial Number: 40 (0x28) Revocation Date: Wed Feb 23 12:08:10 2005 Entry (2): Serial Number: 42 (0x2a) Revocation Date: Wed Feb 23 12:08:40 2005``
.. _deleting_crl_from_a_database:
diff --git a/doc/rst/legacy/tools/nss_tools_modutil/index.rst b/doc/rst/legacy/tools/nss_tools_modutil/index.rst
index 80ac1845f..65b4317a0 100644
--- a/doc/rst/legacy/tools/nss_tools_modutil/index.rst
+++ b/doc/rst/legacy/tools/nss_tools_modutil/index.rst
@@ -335,48 +335,48 @@ NSS Tools modutil
ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
Platforms {
-    WINNT::x86 {
-       ModuleName { "Fortezza Module" }
-       ModuleFile { win32/fort32.dll }
-       DefaultMechanismFlags{0x0001}
-       DefaultCipherFlags{0x0001}
-       Files {
-          win32/setup.exe {
-             Executable
-             RelativePath { %temp%/setup.exe }
-          }
-          win32/setup.hlp {
-             RelativePath { %temp%/setup.hlp }
-          }
-          win32/setup.cab {
-             RelativePath { %temp%/setup.cab }
-          }
-       }
-    }
-    WIN95::x86 {
-       EquivalentPlatform {WINNT::x86}
-    }
-    SUNOS:5.5.1:sparc {
-       ModuleName { "Fortezza UNIX Module" }
-       ModuleFile { unix/fort.so }
-       DefaultMechanismFlags{0x0001}
-       CipherEnableFlags{0x0001}
-       Files {
-          unix/fort.so {
-             RelativePath{%root%/lib/fort.so}
-             AbsolutePath{/usr/local/netscape/lib/fort.so}
-             FilePermissions{555}
-          }
-          xplat/instr.html {
-             RelativePath{%root%/docs/inst.html}
-             AbsolutePath{/usr/local/netscape/docs/inst.html}
-             FilePermissions{555}
-          }
-       }
-    }
-    IRIX:6.2:mips {
-       EquivalentPlatform { SUNOS:5.5.1:sparc }
-    }
+ WINNT::x86 {
+ ModuleName { "Fortezza Module" }
+ ModuleFile { win32/fort32.dll }
+ DefaultMechanismFlags{0x0001}
+ DefaultCipherFlags{0x0001}
+ Files {
+ win32/setup.exe {
+ Executable
+ RelativePath { %temp%/setup.exe }
+ }
+ win32/setup.hlp {
+ RelativePath { %temp%/setup.hlp }
+ }
+ win32/setup.cab {
+ RelativePath { %temp%/setup.cab }
+ }
+ }
+ }
+ WIN95::x86 {
+ EquivalentPlatform {WINNT::x86}
+ }
+ SUNOS:5.5.1:sparc {
+ ModuleName { "Fortezza UNIX Module" }
+ ModuleFile { unix/fort.so }
+ DefaultMechanismFlags{0x0001}
+ CipherEnableFlags{0x0001}
+ Files {
+ unix/fort.so {
+ RelativePath{%root%/lib/fort.so}
+ AbsolutePath{/usr/local/netscape/lib/fort.so}
+ FilePermissions{555}
+ }
+ xplat/instr.html {
+ RelativePath{%root%/docs/inst.html}
+ AbsolutePath{/usr/local/netscape/docs/inst.html}
+ FilePermissions{555}
+ }
+ }
+ }
+ IRIX:6.2:mips {
+ EquivalentPlatform { SUNOS:5.5.1:sparc }
+ }
}
.. _script_grammar:
@@ -394,12 +394,12 @@ NSS Tools modutil
.. code::
valuelist --> value valuelist
-                <null>
+ <null>
.. code::
value ---> key_value_pair
-             string
+ string
.. code::
@@ -412,7 +412,7 @@ NSS Tools modutil
.. code::
string --> simple_string
-             "complex_string"
+ "complex_string"
.. code::
@@ -499,21 +499,21 @@ NSS Tools modutil
value defaults to 0x0.
.. code::
-    RSA:                   0x00000001
-    DSA:                   0x00000002
-    RC2:                   0x00000004
-    RC4:                   0x00000008
-    DES:                   0x00000010
-    DH:                    0x00000020
-    FORTEZZA:              0x00000040
-    RC5:                   0x00000080
-    SHA1:                  0x00000100
-    MD5:                   0x00000200
-    MD2:                   0x00000400
-    RANDOM:                0x08000000
-    FRIENDLY:              0x10000000
-    OWN_PW_DEFAULTS:       0x20000000
-    DISABLE:               0x40000000
+ RSA: 0x00000001
+ DSA: 0x00000002
+ RC2: 0x00000004
+ RC4: 0x00000008
+ DES: 0x00000010
+ DH: 0x00000020
+ FORTEZZA: 0x00000040
+ RC5: 0x00000080
+ SHA1: 0x00000100
+ MD5: 0x00000200
+ MD2: 0x00000400
+ RANDOM: 0x08000000
+ FRIENDLY: 0x10000000
+ OWN_PW_DEFAULTS: 0x20000000
+ DISABLE: 0x40000000
``CipherEnableFlags`` Specifies ciphers that this module provides but Netscape Communicator does
not, so that Communicator can enable them. This key is a bitstring specified in hexadecimal (0x)
@@ -521,7 +521,7 @@ NSS Tools modutil
``CipherEnableFlags`` entry is omitted, the value defaults to 0x0.
.. code::
-    FORTEZZA:               0x0000 0001
+ FORTEZZA: 0x0000 0001
``EquivalentPlatform`` Specifies that the attributes of the named platform should also be used
for the current platform. Saves typing when there is more than one platform using the same
@@ -554,15 +554,15 @@ NSS Tools modutil
following constants:
.. code::
-    user read:                0400
-    user write:               0200
-    user execute:             0100
-    group read:               0040
-    group write:              0020
-    group execute:            0010
-    other read:               0004
-    other write:              0002
-    other execute:       0001
+ user read: 0400
+ user write: 0200
+ user execute: 0100
+ group read: 0040
+ group write: 0020
+ group execute: 0010
+ other read: 0004
+ other write: 0002
+ other execute: 0001
Some platforms may not understand these permissions. They are applied only insofar as they make
sense for the current platform. If this attribute is omitted, a default of 777 is assumed.
@@ -797,24 +797,24 @@ NSS Tools modutil
.. code::
Platforms {
-    WinNT::x86 {
-       ModuleName { "Cryptorific Module" }
-       ModuleFile { crypto.dll }
-       DefaultMechanismFlags{0x0000}
-       CipherEnableFlags{0x0000}
-       Files {
-          crypto.dll {
-             RelativePath{ %root%/system32/crypto.dll }
-          }
-          setup.exe {
-             Executable
-             RelativePath{ %temp%/setup.exe }
-          }
-       }
-    }
-    Win95::x86 {
-       EquivalentPlatform { Winnt::x86 }
-    }
+ WinNT::x86 {
+ ModuleName { "Cryptorific Module" }
+ ModuleFile { crypto.dll }
+ DefaultMechanismFlags{0x0000}
+ CipherEnableFlags{0x0000}
+ Files {
+ crypto.dll {
+ RelativePath{ %root%/system32/crypto.dll }
+ }
+ setup.exe {
+ Executable
+ RelativePath{ %temp%/setup.exe }
+ }
+ }
+ }
+ Win95::x86 {
+ EquivalentPlatform { Winnt::x86 }
+ }
}
To install from the script, use the following command. The root directory should be the Windows
diff --git a/doc/rst/legacy/tools/nss_tools_pk12util/index.rst b/doc/rst/legacy/tools/nss_tools_pk12util/index.rst
index 69aa24594..245173e02 100644
--- a/doc/rst/legacy/tools/nss_tools_pk12util/index.rst
+++ b/doc/rst/legacy/tools/nss_tools_pk12util/index.rst
@@ -31,12 +31,12 @@ NSS Tools pk12util
.. container::
**pk12util** ``-i p12File [-h tokenname] [-v] [common-options]``
-   or
+ or
**pk12util**
``-o p12File -n certname [-c keyCipher] [-C certCipher] [-m | --key_len keyLen] [-n | --cert_key_len certKeyLen] [common-options]``
-   or
+ or
**pk12util** ``-l p12File [-h tokenname] [-r] [common-options]``
-   where
+ where
**[common-options]** =
``[-d dir] [-P dbprefix] [-k slotPasswordFile | -K slotPassword] [-w p12filePasswordFile | -W p12filePassword]``
diff --git a/doc/rst/legacy/tools/nss_tools_sslstrength/index.rst b/doc/rst/legacy/tools/nss_tools_sslstrength/index.rst
index fc7c5d20a..b1b6b5dd5 100644
--- a/doc/rst/legacy/tools/nss_tools_sslstrength/index.rst
+++ b/doc/rst/legacy/tools/nss_tools_sslstrength/index.rst
@@ -31,7 +31,7 @@ NSS Tools sslstrength
.. container::
The first form simple lists out the possible ciphers. The letter in the first column of the
- output is used to identify the cipher preferences in the ciphers=  command.
+ output is used to identify the cipher preferences in the ciphers= command.
The second form attempts to connect to the named ssl host. The hostname argument must be present.
However, the port number is an optional argument, and if not given, will default to the https
@@ -49,12 +49,12 @@ NSS Tools sslstrength
command is a string of characters, where each single character represents a cipher. You can
obtain this list of character->cipher mappings by doing 'sslstrength ciphers'. For example,
- **    ciphers=bfi** will turn on these cipher preferences and turn off all others.
+ ** ciphers=bfi** will turn on these cipher preferences and turn off all others.
- **    policy=export** or **policy=domestic** will set your policies appropriately.
+ ** policy=export** or **policy=domestic** will set your policies appropriately.
- | **    policy** will default to domestic if not specified.
- |  
+ | ** policy** will default to domestic if not specified.
+ |
.. rubric:: Step-up
:name: step-up
@@ -70,7 +70,7 @@ NSS Tools sslstrength
.. container::
| You should have a cert7.db in the directory in which you run sslstrength.
- |  
+ |
`Other <#other>`__
~~~~~~~~~~~~~~~~~~
@@ -78,7 +78,7 @@ NSS Tools sslstrength
.. container::
| For references, here is a table of well-known SSL port numbers:
- |  
+ |
===== ===
HTTPS 443
diff --git a/doc/rst/legacy/tools/nss_tools_ssltap/index.rst b/doc/rst/legacy/tools/nss_tools_ssltap/index.rst
index 202a228fc..61544ea83 100644
--- a/doc/rst/legacy/tools/nss_tools_ssltap/index.rst
+++ b/doc/rst/legacy/tools/nss_tools_ssltap/index.rst
@@ -106,21 +106,21 @@ NSS Tools ssltap
| | another port. The following are well-known port |
| | numbers: |
| | |
- | | HTTP   80 |
+ | | HTTP 80 |
| | |
- | | HTTPS   443 |
+ | | HTTPS 443 |
| | |
- | | SMTP   25 |
+ | | SMTP 25 |
| | |
- | | FTP   21 |
+ | | FTP 21 |
| | |
- | | IMAP   143 |
+ | | IMAP 143 |
| | |
- | | IMAPS   993 (IMAP over SSL) |
+ | | IMAPS 993 (IMAP over SSL) |
| | |
- | | NNTP   119 |
+ | | NNTP 119 |
| | |
- | | NNTPS   563 (NNTP over SSL) |
+ | | NNTPS 563 (NNTP over SSL) |
+-------------------------------------------------+-------------------------------------------------+
.. _examples_2:
@@ -175,31 +175,31 @@ NSS Tools ssltap
Connected to interzone.mcom.com:443
--> [
alloclen = 66 bytes
-    [ssl2] ClientHelloV2 {
-             version = {0x03, 0x00}
-             cipher-specs-length = 39 (0x27)
-             sid-length = 0 (0x00)
-             challenge-length = 16 (0x10)
-             cipher-suites = {
+ [ssl2] ClientHelloV2 {
+ version = {0x03, 0x00}
+ cipher-specs-length = 39 (0x27)
+ sid-length = 0 (0x00)
+ challenge-length = 16 (0x10)
+ cipher-suites = {
.. code::
(0x010080) SSL2/RSA/RC4-128/MD5
-                   (0x020080) SSL2/RSA/RC4-40/MD5
-                   (0x030080) SSL2/RSA/RC2CBC128/MD5
-                   (0x040080) SSL2/RSA/RC2CBC40/MD5
-                   (0x060040) SSL2/RSA/DES64CBC/MD5
-                   (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
-                   (0x000004) SSL3/RSA/RC4-128/MD5
-                   (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
-                   (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
-                   (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
-                   (0x000009) SSL3/RSA/DES64CBC/SHA
-                   (0x000003) SSL3/RSA/RC4-40/MD5
-                   (0x000006) SSL3/RSA/RC2CBC40/MD5
-                   }
-             session-id = { }
-             challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
+ (0x020080) SSL2/RSA/RC4-40/MD5
+ (0x030080) SSL2/RSA/RC2CBC128/MD5
+ (0x040080) SSL2/RSA/RC2CBC40/MD5
+ (0x060040) SSL2/RSA/DES64CBC/MD5
+ (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+ (0x000004) SSL3/RSA/RC4-128/MD5
+ (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+ (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+ (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+ (0x000009) SSL3/RSA/DES64CBC/SHA
+ (0x000003) SSL3/RSA/RC4-40/MD5
+ (0x000006) SSL3/RSA/RC2CBC40/MD5
+ }
+ session-id = { }
+ challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
.. code::
@@ -208,84 +208,84 @@ NSS Tools ssltap
]
<-- [
SSLRecord {
-    0: 16 03 00 03 e5 |.....
-    type = 22 (handshake)
-    version = { 3,0 }
-    length = 997 (0x3e5)
-    handshake {
-    0: 02 00 00 46 |...F
-       type = 2 (server_hello)
-       length = 70 (0x000046)
-             ServerHello {
-             server_version = {3, 0}
-             random = {...}
-    0: 77 8c 6e 26 6c 0c ec c0 d9 58 4f 47 d3 2d 01 45 |
+ 0: 16 03 00 03 e5 |.....
+ type = 22 (handshake)
+ version = { 3,0 }
+ length = 997 (0x3e5)
+ handshake {
+ 0: 02 00 00 46 |...F
+ type = 2 (server_hello)
+ length = 70 (0x000046)
+ ServerHello {
+ server_version = {3, 0}
+ random = {...}
+ 0: 77 8c 6e 26 6c 0c ec c0 d9 58 4f 47 d3 2d 01 45 |
wn&amp;l.ì..XOG.-.E
-    10: 5c 17 75 43 a7 4c 88 c7 88 64 3c 50 41 48 4f 7f |
+ 10: 5c 17 75 43 a7 4c 88 c7 88 64 3c 50 41 48 4f 7f |
.. code::
\.uC§L.Ç.d&lt;PAHO.
-                   session ID = {
-                   length = 32
+ session ID = {
+ length = 32
.. code::
contents = {..}
-    0: 14 11 07 a8 2a 31 91 29 11 94 40 37 57 10 a7 32 | ...¨*1.)..@7W.§2
-    10: 56 6f 52 62 fe 3d b3 65 b1 e4 13 0f 52 a3 c8 f6 | VoRbþ=³e±...R£È.
-          }
-                cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
-          }
-    0: 0b 00 02 c5 |...Å
-       type = 11 (certificate)
-       length = 709 (0x0002c5)
-             CertificateChain {
-             chainlength = 706 (0x02c2)
-                Certificate {
-             size = 703 (0x02bf)
-                data = { saved in file 'cert.001' }
-             }
-          }
-    0: 0c 00 00 ca |....
-          type = 12 (server_key_exchange)
-          length = 202 (0x0000ca)
-    0: 0e 00 00 00 |....
-          type = 14 (server_hello_done)
-          length = 0 (0x000000)
-    }
+ 0: 14 11 07 a8 2a 31 91 29 11 94 40 37 57 10 a7 32 | ...¨*1.)..@7W.§2
+ 10: 56 6f 52 62 fe 3d b3 65 b1 e4 13 0f 52 a3 c8 f6 | VoRbþ=³e±...R£È.
+ }
+ cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+ }
+ 0: 0b 00 02 c5 |...Å
+ type = 11 (certificate)
+ length = 709 (0x0002c5)
+ CertificateChain {
+ chainlength = 706 (0x02c2)
+ Certificate {
+ size = 703 (0x02bf)
+ data = { saved in file 'cert.001' }
+ }
+ }
+ 0: 0c 00 00 ca |....
+ type = 12 (server_key_exchange)
+ length = 202 (0x0000ca)
+ 0: 0e 00 00 00 |....
+ type = 14 (server_hello_done)
+ length = 0 (0x000000)
+ }
}
]
--> [
SSLRecord {
-    0: 16 03 00 00 44 |....D
-    type = 22 (handshake)
-    version = { 3,0 }
-    length = 68 (0x44)
-    handshake {
-    0: 10 00 00 40 |...@
-    type = 16 (client_key_exchange)
-    length = 64 (0x000040)
-          ClientKeyExchange {
-             message = {...}
-          }
-    }
+ 0: 16 03 00 00 44 |....D
+ type = 22 (handshake)
+ version = { 3,0 }
+ length = 68 (0x44)
+ handshake {
+ 0: 10 00 00 40 |...@
+ type = 16 (client_key_exchange)
+ length = 64 (0x000040)
+ ClientKeyExchange {
+ message = {...}
+ }
+ }
}
]
--> [
SSLRecord {
-    0: 14 03 00 00 01 |.....
-    type = 20 (change_cipher_spec)
-    version = { 3,0 }
-    length = 1 (0x1)
-    0: 01 |.
+ 0: 14 03 00 00 01 |.....
+ type = 20 (change_cipher_spec)
+ version = { 3,0 }
+ length = 1 (0x1)
+ 0: 01 |.
}
SSLRecord {
-    0: 16 03 00 00 38 |....8
-    type = 22 (handshake)
-    version = { 3,0 }
-    length = 56 (0x38)
-                < encrypted >
+ 0: 16 03 00 00 38 |....8
+ type = 22 (handshake)
+ version = { 3,0 }
+ length = 56 (0x38)
+ < encrypted >
.. code::
@@ -293,20 +293,20 @@ NSS Tools ssltap
]
<-- [
SSLRecord {
-    0: 14 03 00 00 01 |.....
-    type = 20 (change_cipher_spec)
-    version = { 3,0 }
-    length = 1 (0x1)
-    0: 01 |.
+ 0: 14 03 00 00 01 |.....
+ type = 20 (change_cipher_spec)
+ version = { 3,0 }
+ length = 1 (0x1)
+ 0: 01 |.
}
]
<-- [
SSLRecord {
-    0: 16 03 00 00 38 |....8
-    type = 22 (handshake)
-    version = { 3,0 }
-    length = 56 (0x38)
-                   < encrypted >
+ 0: 16 03 00 00 38 |....8
+ type = 22 (handshake)
+ version = { 3,0 }
+ length = 56 (0x38)
+ < encrypted >
.. code::
@@ -314,20 +314,20 @@ NSS Tools ssltap
]
--> [
SSLRecord {
-    0: 17 03 00 01 1f |.....
-    type = 23 (application_data)
-    version = { 3,0 }
-    length = 287 (0x11f)
-                < encrypted >
+ 0: 17 03 00 01 1f |.....
+ type = 23 (application_data)
+ version = { 3,0 }
+ length = 287 (0x11f)
+ < encrypted >
}
]
<-- [
SSLRecord {
-    0: 17 03 00 00 a0 |....
-    type = 23 (application_data)
-    version = { 3,0 }
-    length = 160 (0xa0)
-                < encrypted >
+ 0: 17 03 00 00 a0 |....
+ type = 23 (application_data)
+ version = { 3,0 }
+ length = 160 (0xa0)
+ < encrypted >
.. code::
@@ -336,20 +336,20 @@ NSS Tools ssltap
<-- [
SSLRecord {
0: 17 03 00 00 df |....ß
-    type = 23 (application_data)
-    version = { 3,0 }
-    length = 223 (0xdf)
-                < encrypted >
+ type = 23 (application_data)
+ version = { 3,0 }
+ length = 223 (0xdf)
+ < encrypted >
.. code::
}
SSLRecord {
-    0: 15 03 00 00 12 |.....
-    type = 21 (alert)
-    version = { 3,0 }
-    length = 18 (0x12)
-                < encrypted >
+ 0: 15 03 00 00 12 |.....
+ type = 21 (alert)
+ version = { 3,0 }
+ length = 18 (0x12)
+ < encrypted >
}
]
Server socket closed.
@@ -374,131 +374,131 @@ NSS Tools ssltap
Connected to interzone.mcom.com:443
--> [
alloclen = 63 bytes
-    [ssl2] ClientHelloV2 {
-             version = {0x03, 0x00}
-             cipher-specs-length = 36 (0x24)
-             sid-length = 0 (0x00)
-             challenge-length = 16 (0x10)
-             cipher-suites = {
-                   (0x010080) SSL2/RSA/RC4-128/MD5
-                   (0x020080) SSL2/RSA/RC4-40/MD5
-                   (0x030080) SSL2/RSA/RC2CBC128/MD5
-                   (0x060040) SSL2/RSA/DES64CBC/MD5
-                   (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
-                   (0x000004) SSL3/RSA/RC4-128/MD5
-                   (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
-                   (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
-                   (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
-                   (0x000009) SSL3/RSA/DES64CBC/SHA
-                   (0x000003) SSL3/RSA/RC4-40/MD5
-                   }
-                session-id = { }
-             challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
+ [ssl2] ClientHelloV2 {
+ version = {0x03, 0x00}
+ cipher-specs-length = 36 (0x24)
+ sid-length = 0 (0x00)
+ challenge-length = 16 (0x10)
+ cipher-suites = {
+ (0x010080) SSL2/RSA/RC4-128/MD5
+ (0x020080) SSL2/RSA/RC4-40/MD5
+ (0x030080) SSL2/RSA/RC2CBC128/MD5
+ (0x060040) SSL2/RSA/DES64CBC/MD5
+ (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+ (0x000004) SSL3/RSA/RC4-128/MD5
+ (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+ (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+ (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+ (0x000009) SSL3/RSA/DES64CBC/SHA
+ (0x000003) SSL3/RSA/RC4-40/MD5
+ }
+ session-id = { }
+ challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
0x3fd0 }
]
<-- [
SSLRecord {
-    type = 22 (handshake)
-    version = { 3,0 }
-    length = 997 (0x3e5)
-    handshake {
-          type = 2 (server_hello)
-          length = 70 (0x000046)
-             ServerHello {
-             server_version = {3, 0}
-             random = {...}
-             session ID = {
-                length = 32
-                contents = {..}
-                }
-                cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
-             }
-          type = 11 (certificate)
-          length = 709 (0x0002c5)
-             CertificateChain {
-                chainlength = 706 (0x02c2)
-                Certificate {
-                   size = 703 (0x02bf)
-                   data = { saved in file 'cert.001' }
-                }
-             }
-          type = 12 (server_key_exchange)
-          length = 202 (0x0000ca)
-          type = 14 (server_hello_done)
-          length = 0 (0x000000)
-    }
+ type = 22 (handshake)
+ version = { 3,0 }
+ length = 997 (0x3e5)
+ handshake {
+ type = 2 (server_hello)
+ length = 70 (0x000046)
+ ServerHello {
+ server_version = {3, 0}
+ random = {...}
+ session ID = {
+ length = 32
+ contents = {..}
+ }
+ cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+ }
+ type = 11 (certificate)
+ length = 709 (0x0002c5)
+ CertificateChain {
+ chainlength = 706 (0x02c2)
+ Certificate {
+ size = 703 (0x02bf)
+ data = { saved in file 'cert.001' }
+ }
+ }
+ type = 12 (server_key_exchange)
+ length = 202 (0x0000ca)
+ type = 14 (server_hello_done)
+ length = 0 (0x000000)
+ }
}
]
--> [
SSLRecord {
-    type = 22 (handshake)
-    version = { 3,0 }
-    length = 68 (0x44)
-    handshake {
-          type = 16 (client_key_exchange)
-          length = 64 (0x000040)
-             ClientKeyExchange {
-                message = {...}
-             }
-    }
+ type = 22 (handshake)
+ version = { 3,0 }
+ length = 68 (0x44)
+ handshake {
+ type = 16 (client_key_exchange)
+ length = 64 (0x000040)
+ ClientKeyExchange {
+ message = {...}
+ }
+ }
}
]
--> [
SSLRecord {
-    type = 20 (change_cipher_spec)
-    version = { 3,0 }
-    length = 1 (0x1)
+ type = 20 (change_cipher_spec)
+ version = { 3,0 }
+ length = 1 (0x1)
}
SSLRecord {
-    type = 22 (handshake)
-    version = { 3,0 }
-    length = 56 (0x38)
-                < encrypted >
+ type = 22 (handshake)
+ version = { 3,0 }
+ length = 56 (0x38)
+ < encrypted >
}
]
<-- [
SSLRecord {
-    type = 20 (change_cipher_spec)
-    version = { 3,0 }
-    length = 1 (0x1)
+ type = 20 (change_cipher_spec)
+ version = { 3,0 }
+ length = 1 (0x1)
}
]
<-- [
SSLRecord {
-    type = 22 (handshake)
-    version = { 3,0 }
-    length = 56 (0x38)
-                < encrypted >
+ type = 22 (handshake)
+ version = { 3,0 }
+ length = 56 (0x38)
+ < encrypted >
}
]
--> [
SSLRecord {
-    type = 23 (application_data)
-    version = { 3,0 }
-    length = 287 (0x11f)
-                < encrypted >
+ type = 23 (application_data)
+ version = { 3,0 }
+ length = 287 (0x11f)
+ < encrypted >
}
]
[
SSLRecord {
-    type = 23 (application_data)
-    version = { 3,0 }
-    length = 160 (0xa0)
-                < encrypted >
+ type = 23 (application_data)
+ version = { 3,0 }
+ length = 160 (0xa0)
+ < encrypted >
}
]
<-- [
SSLRecord {
-    type = 23 (application_data)
-    version = { 3,0 }
-    length = 223 (0xdf)
-                < encrypted >
+ type = 23 (application_data)
+ version = { 3,0 }
+ length = 223 (0xdf)
+ < encrypted >
}
SSLRecord {
-    type = 21 (alert)
-    version = { 3,0 }
-    length = 18 (0x12)
-                < encrypted >
+ type = 21 (alert)
+ version = { 3,0 }
+ length = 18 (0x12)
+ < encrypted >
}
]
Server socket closed.
@@ -522,29 +522,29 @@ NSS Tools ssltap
Connected to interzone.mcom.com:443
--> [
-    0: 80 40 01 03 00 00 27 00 00 00 10 01 00 80 02 00 | .@....'.........
-    10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 | .........@......
-    20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 00 | ........á.......
-    30: 00 06 9b fe 5b 56 96 49 1f 9f ca dd d5 ba b9 52 | ..þ[V.I.\xd9 ...º¹R
-    40: 6f 2d |o-
+ 0: 80 40 01 03 00 00 27 00 00 00 10 01 00 80 02 00 | .@....'.........
+ 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 | .........@......
+ 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 00 | ........á.......
+ 30: 00 06 9b fe 5b 56 96 49 1f 9f ca dd d5 ba b9 52 | ..þ[V.I.\xd9 ...º¹R
+ 40: 6f 2d |o-
]
<-- [
-    0: 16 03 00 03 e5 02 00 00 46 03 00 7f e5 0d 1b 1d | ........F.......
-    10: 68 7f 3a 79 60 d5 17 3c 1d 9c 96 b3 88 d2 69 3b | h.:y`..&lt;..³.Òi;
-    20: 78 e2 4b 8b a6 52 12 4b 46 e8 c2 20 14 11 89 05 | x.K.¦R.KFè. ...
-    30: 4d 52 91 fd 93 e0 51 48 91 90 08 96 c1 b6 76 77 | MR.ý..QH.....¶vw
-    40: 2a f4 00 08 a1 06 61 a2 64 1f 2e 9b 00 03 00 0b | *ô..¡.a¢d......
-    50: 00 02 c5 00 02 c2 00 02 bf 30 82 02 bb 30 82 02 | ..Å......0...0..
-    60: 24 a0 03 02 01 02 02 02 01 36 30 0d 06 09 2a 86 | $ .......60...*.
-    70: 48 86 f7 0d 01 01 04 05 00 30 77 31 0b 30 09 06 | H.÷......0w1.0..
-    80: 03 55 04 06 13 02 55 53 31 2c 30 2a 06 03 55 04 | .U....US1,0*..U.
-    90: 0a 13 23 4e 65 74 73 63 61 70 65 20 43 6f 6d 6d | ..#Netscape Comm
-    a0: 75 6e 69 63 61 74 69 6f 6e 73 20 43 6f 72 70 6f | unications Corpo
-    b0: 72 61 74 69 6f 6e 31 11 30 0f 06 03 55 04 0b 13 | ration1.0...U...
-    c0: 08 48 61 72 64 63 6f 72 65 31 27 30 25 06 03 55 | .Hardcore1'0%..U
-    d0: 04 03 13 1e 48 61 72 64 63 6f 72 65 20 43 65 72 | ....Hardcore Cer
-    e0: 74 69 66 69 63 61 74 65 20 53 65 72 76 65 72 20 | tificate Server
-    f0: 49 49 30 1e 17 0d 39 38 30 35 31 36 30 31 30 33 | II0...9805160103
+ 0: 16 03 00 03 e5 02 00 00 46 03 00 7f e5 0d 1b 1d | ........F.......
+ 10: 68 7f 3a 79 60 d5 17 3c 1d 9c 96 b3 88 d2 69 3b | h.:y`..&lt;..³.Òi;
+ 20: 78 e2 4b 8b a6 52 12 4b 46 e8 c2 20 14 11 89 05 | x.K.¦R.KFè. ...
+ 30: 4d 52 91 fd 93 e0 51 48 91 90 08 96 c1 b6 76 77 | MR.ý..QH.....¶vw
+ 40: 2a f4 00 08 a1 06 61 a2 64 1f 2e 9b 00 03 00 0b | *ô..¡.a¢d......
+ 50: 00 02 c5 00 02 c2 00 02 bf 30 82 02 bb 30 82 02 | ..Å......0...0..
+ 60: 24 a0 03 02 01 02 02 02 01 36 30 0d 06 09 2a 86 | $ .......60...*.
+ 70: 48 86 f7 0d 01 01 04 05 00 30 77 31 0b 30 09 06 | H.÷......0w1.0..
+ 80: 03 55 04 06 13 02 55 53 31 2c 30 2a 06 03 55 04 | .U....US1,0*..U.
+ 90: 0a 13 23 4e 65 74 73 63 61 70 65 20 43 6f 6d 6d | ..#Netscape Comm
+ a0: 75 6e 69 63 61 74 69 6f 6e 73 20 43 6f 72 70 6f | unications Corpo
+ b0: 72 61 74 69 6f 6e 31 11 30 0f 06 03 55 04 0b 13 | ration1.0...U...
+ c0: 08 48 61 72 64 63 6f 72 65 31 27 30 25 06 03 55 | .Hardcore1'0%..U
+ d0: 04 03 13 1e 48 61 72 64 63 6f 72 65 20 43 65 72 | ....Hardcore Cer
+ e0: 74 69 66 69 63 61 74 65 20 53 65 72 76 65 72 20 | tificate Server
+ f0: 49 49 30 1e 17 0d 39 38 30 35 31 36 30 31 30 33 | II0...9805160103
<additional data lines>
]
<additional records in same format>
@@ -569,32 +569,32 @@ NSS Tools ssltap
Connected to interzone.mcom.com:443
--> [
-    0: 80 3d 01 03 00 00 24 00 00 00 10 01 00 80 02 00 | .=....$.........
-    10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 | .........@......
-    20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 03 | ........á.......
-    30: 55 e6 e4 99 79 c7 d7 2c 86 78 96 5d b5 cf e9 |U..yÇ\xb0 ,.x.]µÏé
+ 0: 80 3d 01 03 00 00 24 00 00 00 10 01 00 80 02 00 | .=....$.........
+ 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 | .........@......
+ 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 03 | ........á.......
+ 30: 55 e6 e4 99 79 c7 d7 2c 86 78 96 5d b5 cf e9 |U..yÇ\xb0 ,.x.]µÏé
alloclen = 63 bytes
-    [ssl2] ClientHelloV2 {
-             version = {0x03, 0x00}
-             cipher-specs-length = 36 (0x24)
-             sid-length = 0 (0x00)
-             challenge-length = 16 (0x10)
-             cipher-suites = {
-                   (0x010080) SSL2/RSA/RC4-128/MD5
-                   (0x020080) SSL2/RSA/RC4-40/MD5
-                   (0x030080) SSL2/RSA/RC2CBC128/MD5
-                   (0x040080) SSL2/RSA/RC2CBC40/MD5
-                   (0x060040) SSL2/RSA/DES64CBC/MD5
-                   (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
-                   (0x000004) SSL3/RSA/RC4-128/MD5
-                   (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
-                   (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
-                   (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
-                   (0x000009) SSL3/RSA/DES64CBC/SHA
-                   (0x000003) SSL3/RSA/RC4-40/MD5
-                   }
-             session-id = { }
-             challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
+ [ssl2] ClientHelloV2 {
+ version = {0x03, 0x00}
+ cipher-specs-length = 36 (0x24)
+ sid-length = 0 (0x00)
+ challenge-length = 16 (0x10)
+ cipher-suites = {
+ (0x010080) SSL2/RSA/RC4-128/MD5
+ (0x020080) SSL2/RSA/RC4-40/MD5
+ (0x030080) SSL2/RSA/RC2CBC128/MD5
+ (0x040080) SSL2/RSA/RC2CBC40/MD5
+ (0x060040) SSL2/RSA/DES64CBC/MD5
+ (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+ (0x000004) SSL3/RSA/RC4-128/MD5
+ (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+ (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+ (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+ (0x000009) SSL3/RSA/DES64CBC/SHA
+ (0x000003) SSL3/RSA/RC4-40/MD5
+ }
+ session-id = { }
+ challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
0xcfe9 }
}
diff --git a/doc/rst/legacy/tools/pk12util/index.rst b/doc/rst/legacy/tools/pk12util/index.rst
index 84cbd3980..b08da3276 100644
--- a/doc/rst/legacy/tools/pk12util/index.rst
+++ b/doc/rst/legacy/tools/pk12util/index.rst
@@ -6,277 +6,277 @@ NSS tools : pk12util
.. container::
| Name
- |    pk12util — Export and import keys and certificate to or from a PKCS #12
- |    file and the NSS database
+ | pk12util — Export and import keys and certificate to or from a PKCS #12
+ | file and the NSS database
| Synopsis
- |    pk12util [-i p12File [-h tokenname] [-v] [common-options] ] [ -l p12File
- |    [-h tokenname] [-r] [common-options] ] [ -o p12File -n certname [-c
- |    keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len
- |    certKeyLen] [common-options] ] [ common-options are: [-d [sql:]directory]
- |    [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w
- |    p12filePasswordFile|-W p12filePassword] ]
+ | pk12util [-i p12File [-h tokenname] [-v] [common-options] ] [ -l p12File
+ | [-h tokenname] [-r] [common-options] ] [ -o p12File -n certname [-c
+ | keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len
+ | certKeyLen] [common-options] ] [ common-options are: [-d [sql:]directory]
+ | [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w
+ | p12filePasswordFile|-W p12filePassword] ]
| Description
- |    The PKCS #12 utility, pk12util, enables sharing certificates among any
- |    server that supports PKCS#12. The tool can import certificates and keys
- |    from PKCS#12 files into security databases, export certificates, and list
- |    certificates and keys.
+ | The PKCS #12 utility, pk12util, enables sharing certificates among any
+ | server that supports PKCS#12. The tool can import certificates and keys
+ | from PKCS#12 files into security databases, export certificates, and list
+ | certificates and keys.
| Options and Arguments
- |    Options
- |    -i p12file
- |            Import keys and certificates from a PKCS#12 file into a security
- |            database.
- |    -l p12file
- |            List the keys and certificates in PKCS#12 file.
- |    -o p12file
- |            Export keys and certificates from the security database to a
- |            PKCS#12 file.
- |    Arguments
- |    -n certname
- |            Specify the nickname of the cert and private key to export.
- |    -d [sql:]directory
- |            Specify the database directory into which to import to or export
- |            from certificates and keys.
- |            pk12util supports two types of databases: the legacy security
- |            databases (cert8.db, key3.db, and secmod.db) and new SQLite
- |            databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
- |            is not used, then the tool assumes that the given databases are in
- |            the old format.
- |    -P prefix
- |            Specify the prefix used on the certificate and key databases. This
- |            option is provided as a special case. Changing the names of the
- |            certificate and key databases is not recommended.
- |    -h tokenname
- |            Specify the name of the token to import into or export from.
- |    -v
- |            Enable debug logging when importing.
- |    -k slotPasswordFile
- |            Specify the text file containing the slot's password.
- |    -K slotPassword
- |            Specify the slot's password.
- |    -w p12filePasswordFile
- |            Specify the text file containing the pkcs #12 file password.
- |    -W p12filePassword
- |            Specify the pkcs #12 file password.
- |    -c keyCipher
- |            Specify the key encryption algorithm.
- |    -C certCipher
- |            Specify the key cert (overall package) encryption algorithm.
- |    -m \| --key-len keyLength
- |            Specify the desired length of the symmetric key to be used to
- |            encrypt the private key.
- |    -n \| --cert-key-len certKeyLength
- |            Specify the desired length of the symmetric key to be used to
- |            encrypt the certificates and other meta-data.
- |    -r
- |            Dumps all of the data in raw (binary) form. This must be saved as
- |            a DER file. The default is to return information in a pretty-print
- |            ASCII format, which displays the information about the
- |            certificates and public keys in the p12 file.
+ | Options
+ | -i p12file
+ | Import keys and certificates from a PKCS#12 file into a security
+ | database.
+ | -l p12file
+ | List the keys and certificates in PKCS#12 file.
+ | -o p12file
+ | Export keys and certificates from the security database to a
+ | PKCS#12 file.
+ | Arguments
+ | -n certname
+ | Specify the nickname of the cert and private key to export.
+ | -d [sql:]directory
+ | Specify the database directory into which to import to or export
+ | from certificates and keys.
+ | pk12util supports two types of databases: the legacy security
+ | databases (cert8.db, key3.db, and secmod.db) and new SQLite
+ | databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
+ | is not used, then the tool assumes that the given databases are in
+ | the old format.
+ | -P prefix
+ | Specify the prefix used on the certificate and key databases. This
+ | option is provided as a special case. Changing the names of the
+ | certificate and key databases is not recommended.
+ | -h tokenname
+ | Specify the name of the token to import into or export from.
+ | -v
+ | Enable debug logging when importing.
+ | -k slotPasswordFile
+ | Specify the text file containing the slot's password.
+ | -K slotPassword
+ | Specify the slot's password.
+ | -w p12filePasswordFile
+ | Specify the text file containing the pkcs #12 file password.
+ | -W p12filePassword
+ | Specify the pkcs #12 file password.
+ | -c keyCipher
+ | Specify the key encryption algorithm.
+ | -C certCipher
+ | Specify the key cert (overall package) encryption algorithm.
+ | -m \| --key-len keyLength
+ | Specify the desired length of the symmetric key to be used to
+ | encrypt the private key.
+ | -n \| --cert-key-len certKeyLength
+ | Specify the desired length of the symmetric key to be used to
+ | encrypt the certificates and other meta-data.
+ | -r
+ | Dumps all of the data in raw (binary) form. This must be saved as
+ | a DER file. The default is to return information in a pretty-print
+ | ASCII format, which displays the information about the
+ | certificates and public keys in the p12 file.
| Return Codes
- |      o 0 - No error
- |      o 1 - User Cancelled
- |      o 2 - Usage error
- |      o 6 - NLS init error
- |      o 8 - Certificate DB open error
- |      o 9 - Key DB open error
- |      o 10 - File initialization error
- |      o 11 - Unicode conversion error
- |      o 12 - Temporary file creation error
- |      o 13 - PKCS11 get slot error
- |      o 14 - PKCS12 decoder start error
- |      o 15 - error read from import file
- |      o 16 - pkcs12 decode error
- |      o 17 - pkcs12 decoder verify error
- |      o 18 - pkcs12 decoder validate bags error
- |      o 19 - pkcs12 decoder import bags error
- |      o 20 - key db conversion version 3 to version 2 error
- |      o 21 - cert db conversion version 7 to version 5 error
- |      o 22 - cert and key dbs patch error
- |      o 23 - get default cert db error
- |      o 24 - find cert by nickname error
- |      o 25 - create export context error
- |      o 26 - PKCS12 add password itegrity error
- |      o 27 - cert and key Safes creation error
- |      o 28 - PKCS12 add cert and key error
- |      o 29 - PKCS12 encode error
+ | o 0 - No error
+ | o 1 - User Cancelled
+ | o 2 - Usage error
+ | o 6 - NLS init error
+ | o 8 - Certificate DB open error
+ | o 9 - Key DB open error
+ | o 10 - File initialization error
+ | o 11 - Unicode conversion error
+ | o 12 - Temporary file creation error
+ | o 13 - PKCS11 get slot error
+ | o 14 - PKCS12 decoder start error
+ | o 15 - error read from import file
+ | o 16 - pkcs12 decode error
+ | o 17 - pkcs12 decoder verify error
+ | o 18 - pkcs12 decoder validate bags error
+ | o 19 - pkcs12 decoder import bags error
+ | o 20 - key db conversion version 3 to version 2 error
+ | o 21 - cert db conversion version 7 to version 5 error
+ | o 22 - cert and key dbs patch error
+ | o 23 - get default cert db error
+ | o 24 - find cert by nickname error
+ | o 25 - create export context error
+ | o 26 - PKCS12 add password itegrity error
+ | o 27 - cert and key Safes creation error
+ | o 28 - PKCS12 add cert and key error
+ | o 29 - PKCS12 encode error
| Examples
- |    Importing Keys and Certificates
- |    The most basic usage of pk12util for importing a certificate or key is the
- |    PKCS#12 input file (-i) and some way to specify the security database
- |    being accessed (either -d for a directory or -h for a token).
- |  pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k
+ | Importing Keys and Certificates
+ | The most basic usage of pk12util for importing a certificate or key is the
+ | PKCS#12 input file (-i) and some way to specify the security database
+ | being accessed (either -d for a directory or -h for a token).
+ | pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k
slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
- |    For example:
- |  # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
- |  Enter a password which will be used to encrypt your keys.
- |  The password should be at least 8 characters long,
- |  and should contain at least one non-alphabetic character.
- |  Enter new password:
- |  Re-enter password:
- |  Enter password for PKCS12 file:
- |  pk12util: PKCS12 IMPORT SUCCESSFUL
- |    Exporting Keys and Certificates
- |    Using the pk12util command to export certificates and keys requires both
- |    the name of the certificate to extract from the database (-n) and the
- |    PKCS#12-formatted output file to write to. There are optional parameters
- |    that can be used to encrypt the file to protect the certificate material.
- |  pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen]
+ | For example:
+ | # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
+ | Enter a password which will be used to encrypt your keys.
+ | The password should be at least 8 characters long,
+ | and should contain at least one non-alphabetic character.
+ | Enter new password:
+ | Re-enter password:
+ | Enter password for PKCS12 file:
+ | pk12util: PKCS12 IMPORT SUCCESSFUL
+ | Exporting Keys and Certificates
+ | Using the pk12util command to export certificates and keys requires both
+ | the name of the certificate to extract from the database (-n) and the
+ | PKCS#12-formatted output file to write to. There are optional parameters
+ | that can be used to encrypt the file to protect the certificate material.
+ | pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen]
[-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K
slotPassword] [-w p12filePasswordFile|-W p12filePassword]
- |    For example:
- |  # pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
- |  Enter password for PKCS12 file:
- |  Re-enter password:
- |    Listing Keys and Certificates
- |    The information in a .p12 file are not human-readable. The certificates
- |    and keys in the file can be printed (listed) in a human-readable
- |    pretty-print format that shows information for every certificate and any
- |    public keys in the .p12 file.
- |  pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k
+ | For example:
+ | # pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
+ | Enter password for PKCS12 file:
+ | Re-enter password:
+ | Listing Keys and Certificates
+ | The information in a .p12 file are not human-readable. The certificates
+ | and keys in the file can be printed (listed) in a human-readable
+ | pretty-print format that shows information for every certificate and any
+ | public keys in the .p12 file.
+ | pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k
slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
- |    For example, this prints the default ASCII output:
- |  # pk12util -l certs.p12
- |  Enter password for PKCS12 file:
- |  Key(shrouded):
- |      Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
- |      Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
- |          Parameters:
- |              Salt:
- |                  45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
- |              Iteration Count: 1 (0x1)
- |  Certificate:
- |      Data:
- |          Version: 3 (0x2)
- |          Serial Number: 13 (0xd)
- |          Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
- |          Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C
- |              A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
- |              own,ST=Western Cape,C=ZA"
- |  ....
- |    Alternatively, the -r prints the certificates and then exports them into
- |    separate DER binary files. This allows the certificates to be fed to
- |    another application that supports .p12 files. Each certificate is written
- |    to a sequentially-number file, beginning with file0001.der and continuing
- |    through file000N.der, incrementing the number for every certificate:
- |  # pk12util -l test.p12 -r
- |  Enter password for PKCS12 file:
- |  Key(shrouded):
- |      Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
- |      Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
- |          Parameters:
- |              Salt:
- |                  45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
- |              Iteration Count: 1 (0x1)
- |  Certificate    Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
- |  Certificate    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+ | For example, this prints the default ASCII output:
+ | # pk12util -l certs.p12
+ | Enter password for PKCS12 file:
+ | Key(shrouded):
+ | Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+ | Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
+ | Parameters:
+ | Salt:
+ | 45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
+ | Iteration Count: 1 (0x1)
+ | Certificate:
+ | Data:
+ | Version: 3 (0x2)
+ | Serial Number: 13 (0xd)
+ | Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
+ | Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C
+ | A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
+ | own,ST=Western Cape,C=ZA"
+ | ....
+ | Alternatively, the -r prints the certificates and then exports them into
+ | separate DER binary files. This allows the certificates to be fed to
+ | another application that supports .p12 files. Each certificate is written
+ | to a sequentially-number file, beginning with file0001.der and continuing
+ | through file000N.der, incrementing the number for every certificate:
+ | # pk12util -l test.p12 -r
+ | Enter password for PKCS12 file:
+ | Key(shrouded):
+ | Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+ | Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
+ | Parameters:
+ | Salt:
+ | 45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
+ | Iteration Count: 1 (0x1)
+ | Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
+ | Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
| Password Encryption
- |    PKCS#12 provides for not only the protection of the private keys but also
- |    the certificate and meta-data associated with the keys. Password-based
- |    encryption is used to protect private keys on export to a PKCS#12 file
- |    and, optionally, the entire package. If no algorithm is specified, the
- |    tool defaults to using PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc for
- |    private key encryption. PKCS12 V2 PBE with SHA1 and 40 Bit RC4 is the
- |    default for the overall package encryption when not in FIPS mode. When in
- |    FIPS mode, there is no package encryption.
- |    The private key is always protected with strong encryption by default.
- |    Several types of ciphers are supported.
- |    Symmetric CBC ciphers for PKCS#5 V2
- |            DES_CBC
- |               o RC2-CBC
- |               o RC5-CBCPad
- |               o DES-EDE3-CBC (the default for key encryption)
- |               o AES-128-CBC
- |               o AES-192-CBC
- |               o AES-256-CBC
- |               o CAMELLIA-128-CBC
- |               o CAMELLIA-192-CBC
- |               o CAMELLIA-256-CBC
- |    PKCS#12 PBE ciphers
- |            PKCS #12 PBE with Sha1 and 128 Bit RC4
- |               o PKCS #12 PBE with Sha1 and 40 Bit RC4
- |               o PKCS #12 PBE with Sha1 and Triple DES CBC
- |               o PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC
- |               o PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC
- |               o PKCS12 V2 PBE with SHA1 and 128 Bit RC4
- |               o PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for
- |                 non-FIPS mode)
- |               o PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc
- |               o PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc
- |               o PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC
- |               o PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC
- |    PKCS#5 PBE ciphers
- |            PKCS #5 Password Based Encryption with MD2 and DES CBC
- |               o PKCS #5 Password Based Encryption with MD5 and DES CBC
- |               o PKCS #5 Password Based Encryption with SHA1 and DES CBC
- |    With PKCS#12, the crypto provider may be the soft token module or an
- |    external hardware module. If the cryptographic module does not support the
- |    requested algorithm, then the next best fit will be selected (usually the
- |    default). If no suitable replacement for the desired algorithm can be
- |    found, the tool returns the error no security module can perform the
- |    requested operation.
+ | PKCS#12 provides for not only the protection of the private keys but also
+ | the certificate and meta-data associated with the keys. Password-based
+ | encryption is used to protect private keys on export to a PKCS#12 file
+ | and, optionally, the entire package. If no algorithm is specified, the
+ | tool defaults to using PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc for
+ | private key encryption. PKCS12 V2 PBE with SHA1 and 40 Bit RC4 is the
+ | default for the overall package encryption when not in FIPS mode. When in
+ | FIPS mode, there is no package encryption.
+ | The private key is always protected with strong encryption by default.
+ | Several types of ciphers are supported.
+ | Symmetric CBC ciphers for PKCS#5 V2
+ | DES_CBC
+ | o RC2-CBC
+ | o RC5-CBCPad
+ | o DES-EDE3-CBC (the default for key encryption)
+ | o AES-128-CBC
+ | o AES-192-CBC
+ | o AES-256-CBC
+ | o CAMELLIA-128-CBC
+ | o CAMELLIA-192-CBC
+ | o CAMELLIA-256-CBC
+ | PKCS#12 PBE ciphers
+ | PKCS #12 PBE with Sha1 and 128 Bit RC4
+ | o PKCS #12 PBE with Sha1 and 40 Bit RC4
+ | o PKCS #12 PBE with Sha1 and Triple DES CBC
+ | o PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC
+ | o PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC
+ | o PKCS12 V2 PBE with SHA1 and 128 Bit RC4
+ | o PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for
+ | non-FIPS mode)
+ | o PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc
+ | o PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc
+ | o PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC
+ | o PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC
+ | PKCS#5 PBE ciphers
+ | PKCS #5 Password Based Encryption with MD2 and DES CBC
+ | o PKCS #5 Password Based Encryption with MD5 and DES CBC
+ | o PKCS #5 Password Based Encryption with SHA1 and DES CBC
+ | With PKCS#12, the crypto provider may be the soft token module or an
+ | external hardware module. If the cryptographic module does not support the
+ | requested algorithm, then the next best fit will be selected (usually the
+ | default). If no suitable replacement for the desired algorithm can be
+ | found, the tool returns the error no security module can perform the
+ | requested operation.
| NSS Database Types
- |    NSS originally used BerkeleyDB databases to store security information.
- |    The last versions of these legacy databases are:
- |      o cert8.db for certificates
- |      o key3.db for keys
- |      o secmod.db for PKCS #11 module information
- |    BerkeleyDB has performance limitations, though, which prevent it from
- |    being easily used by multiple applications simultaneously. NSS has some
- |    flexibility that allows applications to use their own, independent
- |    database engine while keeping a shared database and working around the
- |    access issues. Still, NSS requires more flexibility to provide a truly
- |    shared security database.
- |    In 2009, NSS introduced a new set of databases that are SQLite databases
- |    rather than BerkleyDB. These new databases provide more accessibility and
- |    performance:
- |      o cert9.db for certificates
- |      o key4.db for keys
- |      o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
- |        in a new subdirectory in the security databases directory
- |    Because the SQLite databases are designed to be shared, these are the
- |    shared database type. The shared database type is preferred; the legacy
- |    format is included for backward compatibility.
- |    By default, the tools (certutil, pk12util, modutil) assume that the given
- |    security databases follow the more common legacy type. Using the SQLite
- |    databases must be manually specified by using the sql: prefix with the
- |    given security directory. For example:
- |  # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
- |    To set the shared database type as the default type for the tools, set the
- |    NSS_DEFAULT_DB_TYPE environment variable to sql:
- |  export NSS_DEFAULT_DB_TYPE="sql"
- |    This line can be set added to the ~/.bashrc file to make the change
- |    permanent.
- |    Most applications do not use the shared database by default, but they can
- |    be configured to use them. For example, this how-to article covers how to
- |    configure Firefox and Thunderbird to use the new shared NSS databases:
- |      o https://wiki.mozilla.org/NSS_Shared_DB_Howto
- |    For an engineering draft on the changes in the shared NSS databases, see
- |    the NSS project wiki:
- |      o https://wiki.mozilla.org/NSS_Shared_DB
+ | NSS originally used BerkeleyDB databases to store security information.
+ | The last versions of these legacy databases are:
+ | o cert8.db for certificates
+ | o key3.db for keys
+ | o secmod.db for PKCS #11 module information
+ | BerkeleyDB has performance limitations, though, which prevent it from
+ | being easily used by multiple applications simultaneously. NSS has some
+ | flexibility that allows applications to use their own, independent
+ | database engine while keeping a shared database and working around the
+ | access issues. Still, NSS requires more flexibility to provide a truly
+ | shared security database.
+ | In 2009, NSS introduced a new set of databases that are SQLite databases
+ | rather than BerkleyDB. These new databases provide more accessibility and
+ | performance:
+ | o cert9.db for certificates
+ | o key4.db for keys
+ | o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
+ | in a new subdirectory in the security databases directory
+ | Because the SQLite databases are designed to be shared, these are the
+ | shared database type. The shared database type is preferred; the legacy
+ | format is included for backward compatibility.
+ | By default, the tools (certutil, pk12util, modutil) assume that the given
+ | security databases follow the more common legacy type. Using the SQLite
+ | databases must be manually specified by using the sql: prefix with the
+ | given security directory. For example:
+ | # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
+ | To set the shared database type as the default type for the tools, set the
+ | NSS_DEFAULT_DB_TYPE environment variable to sql:
+ | export NSS_DEFAULT_DB_TYPE="sql"
+ | This line can be set added to the ~/.bashrc file to make the change
+ | permanent.
+ | Most applications do not use the shared database by default, but they can
+ | be configured to use them. For example, this how-to article covers how to
+ | configure Firefox and Thunderbird to use the new shared NSS databases:
+ | o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+ | For an engineering draft on the changes in the shared NSS databases, see
+ | the NSS project wiki:
+ | o https://wiki.mozilla.org/NSS_Shared_DB
| See Also
- |    certutil (1)
- |    modutil (1)
- |    The NSS wiki has information on the new database design and how to
- |    configure applications to use it.
- |      o https://wiki.mozilla.org/NSS_Shared_DB_Howto
- |      o https://wiki.mozilla.org/NSS_Shared_DB
+ | certutil (1)
+ | modutil (1)
+ | The NSS wiki has information on the new database design and how to
+ | configure applications to use it.
+ | o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+ | o https://wiki.mozilla.org/NSS_Shared_DB
| Additional Resources
- |    For information about NSS and other tools related to NSS (like JSS), check
- |    out the NSS project wiki at
- |   
+ | For information about NSS and other tools related to NSS (like JSS), check
+ | out the NSS project wiki at
+ |
[1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
- |    directly to NSS code changes and releases.
- |    Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
- |    IRC: Freenode at #dogtag-pki
+ | directly to NSS code changes and releases.
+ | Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
+ | IRC: Freenode at #dogtag-pki
| Authors
- |    The NSS tools were written and maintained by developers with Netscape, Red
- |    Hat, and Sun.
- |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
- |    <dlackey@redhat.com>.
+ | The NSS tools were written and maintained by developers with Netscape, Red
+ | Hat, and Sun.
+ | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+ | <dlackey@redhat.com>.
| Copyright
- |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+ | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
- |    Visible links
- |    1.
+ | Visible links
+ | 1.
`http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__ \ No newline at end of file
diff --git a/doc/rst/legacy/tools/signtool/index.rst b/doc/rst/legacy/tools/signtool/index.rst
index 428f491a9..5e6740779 100644
--- a/doc/rst/legacy/tools/signtool/index.rst
+++ b/doc/rst/legacy/tools/signtool/index.rst
@@ -6,542 +6,542 @@ NSS tools : signtool
.. container::
| Name
- |    signtool — Digitally sign objects and files.
+ | signtool — Digitally sign objects and files.
| Synopsis
- |    signtool [-k keyName] `-h <-h>`__ `-H <-H>`__ `-l <-l>`__ `-L <-L>`__ `-M <-M>`__
+ | signtool [-k keyName] `-h <-h>`__ `-H <-H>`__ `-l <-l>`__ `-L <-L>`__ `-M <-M>`__
`-v <-v>`__ `-w <-w>`__
- |    `-G nickname <-G_nickname>`__ `-s size <--keysize>`__ `-b basename <-b_basename>`__ [[-c
+ | `-G nickname <-G_nickname>`__ `-s size <--keysize>`__ `-b basename <-b_basename>`__ [[-c
Compression
- |    Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x
- |    name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o]
- |    ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ]
- |    [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ]
- |    [directory-tree] [archive]
+ | Level] ] [[-d cert-dir] ] [[-i installer script] ] [[-m metafile] ] [[-x
+ | name] ] [[-f filename] ] [[-t|--token tokenname] ] [[-e extension] ] [[-o]
+ | ] [[-z] ] [[-X] ] [[--outfile] ] [[--verbose value] ] [[--norecurse] ]
+ | [[--leavearc] ] [[-j directory] ] [[-Z jarfile] ] [[-O] ] [[-p password] ]
+ | [directory-tree] [archive]
| Description
- |    The Signing Tool, signtool, creates digital signatures and uses a Java
- |    Archive (JAR) file to associate the signatures with files in a directory.
- |    Electronic software distribution over any network involves potential
- |    security problems. To help address some of these problems, you can
- |    associate digital signatures with the files in a JAR archive. Digital
- |    signatures allow SSL-enabled clients to perform two important operations:
- |    \* Confirm the identity of the individual, company, or other entity whose
- |    digital signature is associated with the files
- |    \* Check whether the files have been tampered with since being signed
- |    If you have a signing certificate, you can use Netscape Signing Tool to
- |    digitally sign files and package them as a JAR file. An object-signing
- |    certificate is a special kind of certificate that allows you to associate
- |    your digital signature with one or more files.
- |    An individual file can potentially be signed with multiple digital
- |    signatures. For example, a commercial software developer might sign the
- |    files that constitute a software product to prove that the files are
- |    indeed from a particular company. A network administrator manager might
- |    sign the same files with an additional digital signature based on a
- |    company-generated certificate to indicate that the product is approved for
- |    use within the company.
- |    The significance of a digital signature is comparable to the significance
- |    of a handwritten signature. Once you have signed a file, it is difficult
- |    to claim later that you didn't sign it. In some situations, a digital
- |    signature may be considered as legally binding as a handwritten signature.
- |    Therefore, you should take great care to ensure that you can stand behind
- |    any file you sign and distribute.
- |    For example, if you are a software developer, you should test your code to
- |    make sure it is virus-free before signing it. Similarly, if you are a
- |    network administrator, you should make sure, before signing any code, that
- |    it comes from a reliable source and will run correctly with the software
- |    installed on the machines to which you are distributing it.
- |    Before you can use Netscape Signing Tool to sign files, you must have an
- |    object-signing certificate, which is a special certificate whose
- |    associated private key is used to create digital signatures. For testing
- |    purposes only, you can create an object-signing certificate with Netscape
- |    Signing Tool 1.3. When testing is finished and you are ready to
- |    disitribute your software, you should obtain an object-signing certificate
- |    from one of two kinds of sources:
- |    \* An independent certificate authority (CA) that authenticates your
- |    identity and charges you a fee. You typically get a certificate from an
- |    independent CA if you want to sign software that will be distributed over
- |    the Internet.
- |    \* CA server software running on your corporate intranet or extranet.
- |    Netscape Certificate Management System provides a complete management
- |    solution for creating, deploying, and managing certificates, including CAs
- |    that issue object-signing certificates.
- |    You must also have a certificate for the CA that issues your signing
- |    certificate before you can sign files. If the certificate authority's
- |    certificate isn't already installed in your copy of Communicator, you
- |    typically install it by clicking the appropriate link on the certificate
- |    authority's web site, for example on the page from which you initiated
- |    enrollment for your signing certificate. This is the case for some test
- |    certificates, as well as certificates issued by Netscape Certificate
- |    Management System: you must download the CA certificate in addition to
- |    obtaining your own signing certificate. CA certificates for several
- |    certificate authorities are preinstalled in the Communicator certificate
- |    database.
- |    When you receive an object-signing certificate for your own use, it is
- |    automatically installed in your copy of the Communicator client software.
- |    Communicator supports the public-key cryptography standard known as PKCS
- |    #12, which governs key portability. You can, for example, move an
- |    object-signing certificate and its associated private key from one
- |    computer to another on a credit-card-sized device called a smart card.
+ | The Signing Tool, signtool, creates digital signatures and uses a Java
+ | Archive (JAR) file to associate the signatures with files in a directory.
+ | Electronic software distribution over any network involves potential
+ | security problems. To help address some of these problems, you can
+ | associate digital signatures with the files in a JAR archive. Digital
+ | signatures allow SSL-enabled clients to perform two important operations:
+ | \* Confirm the identity of the individual, company, or other entity whose
+ | digital signature is associated with the files
+ | \* Check whether the files have been tampered with since being signed
+ | If you have a signing certificate, you can use Netscape Signing Tool to
+ | digitally sign files and package them as a JAR file. An object-signing
+ | certificate is a special kind of certificate that allows you to associate
+ | your digital signature with one or more files.
+ | An individual file can potentially be signed with multiple digital
+ | signatures. For example, a commercial software developer might sign the
+ | files that constitute a software product to prove that the files are
+ | indeed from a particular company. A network administrator manager might
+ | sign the same files with an additional digital signature based on a
+ | company-generated certificate to indicate that the product is approved for
+ | use within the company.
+ | The significance of a digital signature is comparable to the significance
+ | of a handwritten signature. Once you have signed a file, it is difficult
+ | to claim later that you didn't sign it. In some situations, a digital
+ | signature may be considered as legally binding as a handwritten signature.
+ | Therefore, you should take great care to ensure that you can stand behind
+ | any file you sign and distribute.
+ | For example, if you are a software developer, you should test your code to
+ | make sure it is virus-free before signing it. Similarly, if you are a
+ | network administrator, you should make sure, before signing any code, that
+ | it comes from a reliable source and will run correctly with the software
+ | installed on the machines to which you are distributing it.
+ | Before you can use Netscape Signing Tool to sign files, you must have an
+ | object-signing certificate, which is a special certificate whose
+ | associated private key is used to create digital signatures. For testing
+ | purposes only, you can create an object-signing certificate with Netscape
+ | Signing Tool 1.3. When testing is finished and you are ready to
+ | disitribute your software, you should obtain an object-signing certificate
+ | from one of two kinds of sources:
+ | \* An independent certificate authority (CA) that authenticates your
+ | identity and charges you a fee. You typically get a certificate from an
+ | independent CA if you want to sign software that will be distributed over
+ | the Internet.
+ | \* CA server software running on your corporate intranet or extranet.
+ | Netscape Certificate Management System provides a complete management
+ | solution for creating, deploying, and managing certificates, including CAs
+ | that issue object-signing certificates.
+ | You must also have a certificate for the CA that issues your signing
+ | certificate before you can sign files. If the certificate authority's
+ | certificate isn't already installed in your copy of Communicator, you
+ | typically install it by clicking the appropriate link on the certificate
+ | authority's web site, for example on the page from which you initiated
+ | enrollment for your signing certificate. This is the case for some test
+ | certificates, as well as certificates issued by Netscape Certificate
+ | Management System: you must download the CA certificate in addition to
+ | obtaining your own signing certificate. CA certificates for several
+ | certificate authorities are preinstalled in the Communicator certificate
+ | database.
+ | When you receive an object-signing certificate for your own use, it is
+ | automatically installed in your copy of the Communicator client software.
+ | Communicator supports the public-key cryptography standard known as PKCS
+ | #12, which governs key portability. You can, for example, move an
+ | object-signing certificate and its associated private key from one
+ | computer to another on a credit-card-sized device called a smart card.
| Options
- |    -b basename
- |            Specifies the base filename for the .rsa and .sf files in the
- |            META-INF directory to conform with the JAR format. For example, -b
- |            signatures causes the files to be named signatures.rsa and
- |            signatures.sf. The default is signtool.
- |    -c#
- |            Specifies the compression level for the -J or -Z option. The
- |            symbol # represents a number from 0 to 9, where 0 means no
- |            compression and 9 means maximum compression. The higher the level
- |            of compression, the smaller the output but the longer the
- |            operation takes. If the -c# option is not used with either the -J
- |            or the -Z option, the default compression value used by both the
- |            -J and -Z options is 6.
- |    -d certdir
- |            Specifies your certificate database directory; that is, the
- |            directory in which you placed your key3.db and cert7.db files. To
- |            specify the current directory, use "-d." (including the period).
- |            The Unix version of signtool assumes ~/.netscape unless told
- |            otherwise. The NT version of signtool always requires the use of
- |            the -d option to specify where the database files are located.
- |    -e extension
- |            Tells signtool to sign only files with the given extension; for
- |            example, use -e".class" to sign only Java class files. Note that
- |            with Netscape Signing Tool version 1.1 and later this option can
- |            appear multiple times on one command line, making it possible to
- |            specify multiple file types or classes to include.
- |    -f commandfile
- |            Specifies a text file containing Netscape Signing Tool options and
- |            arguments in keyword=value format. All options and arguments can
- |            be expressed through this file. For more information about the
- |            syntax used with this file, see "Tips and Techniques".
- |    -i scriptname
- |            Specifies the name of an installer script for SmartUpdate. This
- |            script installs files from the JAR archive in the local system
- |            after SmartUpdate has validated the digital signature. For more
- |            details, see the description of -m that follows. The -i option
- |            provides a straightforward way to provide this information if you
- |            don't need to specify any metadata other than an installer script.
- |    -j directory
- |            Specifies a special JavaScript directory. This option causes the
- |            specified directory to be signed and tags its entries as inline
- |            JavaScript. This special type of entry does not have to appear in
- |            the JAR file itself. Instead, it is located in the HTML page
- |            containing the inline scripts. When you use signtool -v, these
- |            entries are displayed with the string NOT PRESENT.
- |    -k key ... directory
- |            Specifies the nickname (key) of the certificate you want to sign
- |            with and signs the files in the specified directory. The directory
- |            to sign is always specified as the last command-line argument.
- |            Thus, it is possible to write signtool -k MyCert -d . signdir You
- |            may have trouble if the nickname contains a single quotation mark.
- |            To avoid problems, escape the quotation mark using the escape
- |            conventions for your platform. It's also possible to use the -k
- |            option without signing any files or specifying a directory. For
- |            example, you can use it with the -l option to get detailed
- |            information about a particular signing certificate.
- |    -G nickname
- |            Generates a new private-public key pair and corresponding
- |            object-signing certificate with the given nickname. The newly
- |            generated keys and certificate are installed into the key and
- |            certificate databases in the directory specified by the -d option.
- |            With the NT version of Netscape Signing Tool, you must use the -d
- |            option with the -G option. With the Unix version of Netscape
- |            Signing Tool, omitting the -d option causes the tool to install
- |            the keys and certificate in the Communicator key and certificate
- |            databases. If you are installing the keys and certificate in the
- |            Communicator databases, you must exit Communicator before using
- |            this option; otherwise, you risk corrupting the databases. In all
- |            cases, the certificate is also output to a file named x509.cacert,
- |            which has the MIME-type application/x-x509-ca-cert. Unlike
- |            certificates normally used to sign finished code to be distributed
- |            over a network, a test certificate created with -G is not signed
- |            by a recognized certificate authority. Instead, it is self-signed.
- |            In addition, a single test signing certificate functions as both
- |            an object-signing certificate and a CA. When you are using it to
- |            sign objects, it behaves like an object-signing certificate. When
- |            it is imported into browser software such as Communicator, it
- |            behaves like an object-signing CA and cannot be used to sign
- |            objects. The -G option is available in Netscape Signing Tool 1.0
- |            and later versions only. By default, it produces only RSA
- |            certificates with 1024-byte keys in the internal token. However,
- |            you can use the -s option specify the required key size and the -t
- |            option to specify the token. For more information about the use of
- |            the -G option, see "Generating Test Object-Signing
- |            Certificates""Generating Test Object-Signing Certificates" on page
- |            1241.
- |    -l
- |            Lists signing certificates, including issuing CAs. If any of your
- |            certificates are expired or invalid, the list will so specify.
- |            This option can be used with the -k option to list detailed
- |            information about a particular signing certificate. The -l option
- |            is available in Netscape Signing Tool 1.0 and later versions only.
- |    -J
- |            Signs a directory of HTML files containing JavaScript and creates
- |            as many archive files as are specified in the HTML tags. Even if
- |            signtool creates more than one archive file, you need to supply
- |            the key database password only once. The -J option is available
- |            only in Netscape Signing Tool 1.0 and later versions. The -J
- |            option cannot be used at the same time as the -Z option. If the
- |            -c# option is not used with the -J option, the default compression
- |            value is 6. Note that versions 1.1 and later of Netscape Signing
- |            Tool correctly recognizes the CODEBASE attribute, allows paths to
- |            be expressed for the CLASS and SRC attributes instead of filenames
- |            only, processes LINK tags and parses HTML correctly, and offers
- |            clearer error messages.
- |    -L
- |            Lists the certificates in your database. An asterisk appears to
- |            the left of the nickname for any certificate that can be used to
- |            sign objects with signtool.
- |    --leavearc
- |            Retains the temporary .arc (archive) directories that the -J
- |            option creates. These directories are automatically erased by
- |            default. Retaining the temporary directories can be an aid to
- |            debugging.
- |    -m metafile
- |            Specifies the name of a metadata control file. Metadata is signed
- |            information attached either to the JAR archive itself or to files
- |            within the archive. This metadata can be any ASCII string, but is
- |            used mainly for specifying an installer script. The metadata file
- |            contains one entry per line, each with three fields: field #1:
- |            file specification, or + if you want to specify global metadata
- |            (that is, metadata about the JAR archive itself or all entries in
- |            the archive) field #2: the name of the data you are specifying;
- |            for example: Install-Script field #3: data corresponding to the
- |            name in field #2 For example, the -i option uses the equivalent of
- |            this line: + Install-Script: script.js This example associates a
- |            MIME type with a file: movie.qt MIME-Type: video/quicktime For
- |            information about the way installer script information appears in
- |            the manifest file for a JAR archive, see The JAR Format on
- |            Netscape DevEdge.
- |    -M
- |            Lists the PKCS #11 modules available to signtool, including smart
- |            cards. The -M option is available in Netscape Signing Tool 1.0 and
- |            later versions only. For information on using Netscape Signing
- |            Tool with smart cards, see "Using Netscape Signing Tool with Smart
- |            Cards". For information on using the -M option to verify
- |            FIPS-140-1 validated mode, see "Netscape Signing Tool and
- |            FIPS-140-1".
- |    --norecurse
- |            Blocks recursion into subdirectories when signing a directory's
- |            contents or when parsing HTML.
- |    -o
- |            Optimizes the archive for size. Use this only if you are signing
- |            very large archives containing hundreds of files. This option
- |            makes the manifest files (required by the JAR format) considerably
- |            smaller, but they contain slightly less information.
- |    --outfile outputfile
- |            Specifies a file to receive redirected output from Netscape
- |            Signing Tool.
- |    -p password
- |            Specifies a password for the private-key database. Note that the
- |            password entered on the command line is displayed as plain text.
- |    -s keysize
- |            Specifies the size of the key for generated certificate. Use the
- |            -M option to find out what tokens are available. The -s option can
- |            be used with the -G option only.
- |    -t token
- |            Specifies which available token should generate the key and
- |            receive the certificate. Use the -M option to find out what tokens
- |            are available. The -t option can be used with the -G option only.
- |    -v archive
- |            Displays the contents of an archive and verifies the cryptographic
- |            integrity of the digital signatures it contains and the files with
- |            which they are associated. This includes checking that the
- |            certificate for the issuer of the object-signing certificate is
- |            listed in the certificate database, that the CA's digital
- |            signature on the object-signing certificate is valid, that the
- |            relevant certificates have not expired, and so on.
- |    --verbosity value
- |            Sets the quantity of information Netscape Signing Tool generates
- |            in operation. A value of 0 (zero) is the default and gives full
- |            information. A value of -1 suppresses most messages, but not error
- |            messages.
- |    -w archive
- |            Displays the names of signers of any files in the archive.
- |    -x directory
- |            Excludes the specified directory from signing. Note that with
- |            Netscape Signing Tool version 1.1 and later this option can appear
- |            multiple times on one command line, making it possible to specify
- |            several particular directories to exclude.
- |    -z
- |            Tells signtool not to store the signing time in the digital
- |            signature. This option is useful if you want the expiration date
- |            of the signature checked against the current date and time rather
- |            than the time the files were signed.
- |    -Z jarfile
- |            Creates a JAR file with the specified name. You must specify this
- |            option if you want signtool to create the JAR file; it does not do
- |            so automatically. If you don't specify -Z, you must use an
- |            external ZIP tool to create the JAR file. The -Z option cannot be
- |            used at the same time as the -J option. If the -c# option is not
- |            used with the -Z option, the default compression value is 6.
+ | -b basename
+ | Specifies the base filename for the .rsa and .sf files in the
+ | META-INF directory to conform with the JAR format. For example, -b
+ | signatures causes the files to be named signatures.rsa and
+ | signatures.sf. The default is signtool.
+ | -c#
+ | Specifies the compression level for the -J or -Z option. The
+ | symbol # represents a number from 0 to 9, where 0 means no
+ | compression and 9 means maximum compression. The higher the level
+ | of compression, the smaller the output but the longer the
+ | operation takes. If the -c# option is not used with either the -J
+ | or the -Z option, the default compression value used by both the
+ | -J and -Z options is 6.
+ | -d certdir
+ | Specifies your certificate database directory; that is, the
+ | directory in which you placed your key3.db and cert7.db files. To
+ | specify the current directory, use "-d." (including the period).
+ | The Unix version of signtool assumes ~/.netscape unless told
+ | otherwise. The NT version of signtool always requires the use of
+ | the -d option to specify where the database files are located.
+ | -e extension
+ | Tells signtool to sign only files with the given extension; for
+ | example, use -e".class" to sign only Java class files. Note that
+ | with Netscape Signing Tool version 1.1 and later this option can
+ | appear multiple times on one command line, making it possible to
+ | specify multiple file types or classes to include.
+ | -f commandfile
+ | Specifies a text file containing Netscape Signing Tool options and
+ | arguments in keyword=value format. All options and arguments can
+ | be expressed through this file. For more information about the
+ | syntax used with this file, see "Tips and Techniques".
+ | -i scriptname
+ | Specifies the name of an installer script for SmartUpdate. This
+ | script installs files from the JAR archive in the local system
+ | after SmartUpdate has validated the digital signature. For more
+ | details, see the description of -m that follows. The -i option
+ | provides a straightforward way to provide this information if you
+ | don't need to specify any metadata other than an installer script.
+ | -j directory
+ | Specifies a special JavaScript directory. This option causes the
+ | specified directory to be signed and tags its entries as inline
+ | JavaScript. This special type of entry does not have to appear in
+ | the JAR file itself. Instead, it is located in the HTML page
+ | containing the inline scripts. When you use signtool -v, these
+ | entries are displayed with the string NOT PRESENT.
+ | -k key ... directory
+ | Specifies the nickname (key) of the certificate you want to sign
+ | with and signs the files in the specified directory. The directory
+ | to sign is always specified as the last command-line argument.
+ | Thus, it is possible to write signtool -k MyCert -d . signdir You
+ | may have trouble if the nickname contains a single quotation mark.
+ | To avoid problems, escape the quotation mark using the escape
+ | conventions for your platform. It's also possible to use the -k
+ | option without signing any files or specifying a directory. For
+ | example, you can use it with the -l option to get detailed
+ | information about a particular signing certificate.
+ | -G nickname
+ | Generates a new private-public key pair and corresponding
+ | object-signing certificate with the given nickname. The newly
+ | generated keys and certificate are installed into the key and
+ | certificate databases in the directory specified by the -d option.
+ | With the NT version of Netscape Signing Tool, you must use the -d
+ | option with the -G option. With the Unix version of Netscape
+ | Signing Tool, omitting the -d option causes the tool to install
+ | the keys and certificate in the Communicator key and certificate
+ | databases. If you are installing the keys and certificate in the
+ | Communicator databases, you must exit Communicator before using
+ | this option; otherwise, you risk corrupting the databases. In all
+ | cases, the certificate is also output to a file named x509.cacert,
+ | which has the MIME-type application/x-x509-ca-cert. Unlike
+ | certificates normally used to sign finished code to be distributed
+ | over a network, a test certificate created with -G is not signed
+ | by a recognized certificate authority. Instead, it is self-signed.
+ | In addition, a single test signing certificate functions as both
+ | an object-signing certificate and a CA. When you are using it to
+ | sign objects, it behaves like an object-signing certificate. When
+ | it is imported into browser software such as Communicator, it
+ | behaves like an object-signing CA and cannot be used to sign
+ | objects. The -G option is available in Netscape Signing Tool 1.0
+ | and later versions only. By default, it produces only RSA
+ | certificates with 1024-byte keys in the internal token. However,
+ | you can use the -s option specify the required key size and the -t
+ | option to specify the token. For more information about the use of
+ | the -G option, see "Generating Test Object-Signing
+ | Certificates""Generating Test Object-Signing Certificates" on page
+ | 1241.
+ | -l
+ | Lists signing certificates, including issuing CAs. If any of your
+ | certificates are expired or invalid, the list will so specify.
+ | This option can be used with the -k option to list detailed
+ | information about a particular signing certificate. The -l option
+ | is available in Netscape Signing Tool 1.0 and later versions only.
+ | -J
+ | Signs a directory of HTML files containing JavaScript and creates
+ | as many archive files as are specified in the HTML tags. Even if
+ | signtool creates more than one archive file, you need to supply
+ | the key database password only once. The -J option is available
+ | only in Netscape Signing Tool 1.0 and later versions. The -J
+ | option cannot be used at the same time as the -Z option. If the
+ | -c# option is not used with the -J option, the default compression
+ | value is 6. Note that versions 1.1 and later of Netscape Signing
+ | Tool correctly recognizes the CODEBASE attribute, allows paths to
+ | be expressed for the CLASS and SRC attributes instead of filenames
+ | only, processes LINK tags and parses HTML correctly, and offers
+ | clearer error messages.
+ | -L
+ | Lists the certificates in your database. An asterisk appears to
+ | the left of the nickname for any certificate that can be used to
+ | sign objects with signtool.
+ | --leavearc
+ | Retains the temporary .arc (archive) directories that the -J
+ | option creates. These directories are automatically erased by
+ | default. Retaining the temporary directories can be an aid to
+ | debugging.
+ | -m metafile
+ | Specifies the name of a metadata control file. Metadata is signed
+ | information attached either to the JAR archive itself or to files
+ | within the archive. This metadata can be any ASCII string, but is
+ | used mainly for specifying an installer script. The metadata file
+ | contains one entry per line, each with three fields: field #1:
+ | file specification, or + if you want to specify global metadata
+ | (that is, metadata about the JAR archive itself or all entries in
+ | the archive) field #2: the name of the data you are specifying;
+ | for example: Install-Script field #3: data corresponding to the
+ | name in field #2 For example, the -i option uses the equivalent of
+ | this line: + Install-Script: script.js This example associates a
+ | MIME type with a file: movie.qt MIME-Type: video/quicktime For
+ | information about the way installer script information appears in
+ | the manifest file for a JAR archive, see The JAR Format on
+ | Netscape DevEdge.
+ | -M
+ | Lists the PKCS #11 modules available to signtool, including smart
+ | cards. The -M option is available in Netscape Signing Tool 1.0 and
+ | later versions only. For information on using Netscape Signing
+ | Tool with smart cards, see "Using Netscape Signing Tool with Smart
+ | Cards". For information on using the -M option to verify
+ | FIPS-140-1 validated mode, see "Netscape Signing Tool and
+ | FIPS-140-1".
+ | --norecurse
+ | Blocks recursion into subdirectories when signing a directory's
+ | contents or when parsing HTML.
+ | -o
+ | Optimizes the archive for size. Use this only if you are signing
+ | very large archives containing hundreds of files. This option
+ | makes the manifest files (required by the JAR format) considerably
+ | smaller, but they contain slightly less information.
+ | --outfile outputfile
+ | Specifies a file to receive redirected output from Netscape
+ | Signing Tool.
+ | -p password
+ | Specifies a password for the private-key database. Note that the
+ | password entered on the command line is displayed as plain text.
+ | -s keysize
+ | Specifies the size of the key for generated certificate. Use the
+ | -M option to find out what tokens are available. The -s option can
+ | be used with the -G option only.
+ | -t token
+ | Specifies which available token should generate the key and
+ | receive the certificate. Use the -M option to find out what tokens
+ | are available. The -t option can be used with the -G option only.
+ | -v archive
+ | Displays the contents of an archive and verifies the cryptographic
+ | integrity of the digital signatures it contains and the files with
+ | which they are associated. This includes checking that the
+ | certificate for the issuer of the object-signing certificate is
+ | listed in the certificate database, that the CA's digital
+ | signature on the object-signing certificate is valid, that the
+ | relevant certificates have not expired, and so on.
+ | --verbosity value
+ | Sets the quantity of information Netscape Signing Tool generates
+ | in operation. A value of 0 (zero) is the default and gives full
+ | information. A value of -1 suppresses most messages, but not error
+ | messages.
+ | -w archive
+ | Displays the names of signers of any files in the archive.
+ | -x directory
+ | Excludes the specified directory from signing. Note that with
+ | Netscape Signing Tool version 1.1 and later this option can appear
+ | multiple times on one command line, making it possible to specify
+ | several particular directories to exclude.
+ | -z
+ | Tells signtool not to store the signing time in the digital
+ | signature. This option is useful if you want the expiration date
+ | of the signature checked against the current date and time rather
+ | than the time the files were signed.
+ | -Z jarfile
+ | Creates a JAR file with the specified name. You must specify this
+ | option if you want signtool to create the JAR file; it does not do
+ | so automatically. If you don't specify -Z, you must use an
+ | external ZIP tool to create the JAR file. The -Z option cannot be
+ | used at the same time as the -J option. If the -c# option is not
+ | used with the -Z option, the default compression value is 6.
| The Command File Format
- |    Entries in a Netscape Signing Tool command file have this general format:
- |    keyword=value Everything before the = sign on a single line is a keyword,
- |    and everything from the = sign to the end of line is a value. The value
- |    may include = signs; only the first = sign on a line is interpreted. Blank
- |    lines are ignored, but white space on a line with keywords and values is
- |    assumed to be part of the keyword (if it comes before the equal sign) or
- |    part of the value (if it comes after the first equal sign). Keywords are
- |    case insensitive, values are generally case sensitive. Since the = sign
- |    and newline delimit the value, it should not be quoted.
- |    Subsection
- |    basename
- |            Same as -b option.
- |    compression
- |            Same as -c option.
- |    certdir
- |            Same as -d option.
- |    extension
- |            Same as -e option.
- |    generate
- |            Same as -G option.
- |    installscript
- |            Same as -i option.
- |    javascriptdir
- |            Same as -j option.
- |    htmldir
- |            Same as -J option.
- |    certname
- |            Nickname of certificate, as with -k and -l -k options.
- |    signdir
- |            The directory to be signed, as with -k option.
- |    list
- |            Same as -l option. Value is ignored, but = sign must be present.
- |    listall
- |            Same as -L option. Value is ignored, but = sign must be present.
- |    metafile
- |            Same as -m option.
- |    modules
- |            Same as -M option. Value is ignored, but = sign must be present.
- |    optimize
- |            Same as -o option. Value is ignored, but = sign must be present.
- |    password
- |            Same as -p option.
- |    keysize
- |            Same as -s option.
- |    token
- |            Same as -t option.
- |    verify
- |            Same as -v option.
- |    who
- |            Same as -w option.
- |    exclude
- |            Same as -x option.
- |    notime
- |            Same as -z option. value is ignored, but = sign must be present.
- |    jarfile
- |            Same as -Z option.
- |    outfile
- |            Name of a file to which output and error messages will be
- |            redirected. This option has no command-line equivalent.
+ | Entries in a Netscape Signing Tool command file have this general format:
+ | keyword=value Everything before the = sign on a single line is a keyword,
+ | and everything from the = sign to the end of line is a value. The value
+ | may include = signs; only the first = sign on a line is interpreted. Blank
+ | lines are ignored, but white space on a line with keywords and values is
+ | assumed to be part of the keyword (if it comes before the equal sign) or
+ | part of the value (if it comes after the first equal sign). Keywords are
+ | case insensitive, values are generally case sensitive. Since the = sign
+ | and newline delimit the value, it should not be quoted.
+ | Subsection
+ | basename
+ | Same as -b option.
+ | compression
+ | Same as -c option.
+ | certdir
+ | Same as -d option.
+ | extension
+ | Same as -e option.
+ | generate
+ | Same as -G option.
+ | installscript
+ | Same as -i option.
+ | javascriptdir
+ | Same as -j option.
+ | htmldir
+ | Same as -J option.
+ | certname
+ | Nickname of certificate, as with -k and -l -k options.
+ | signdir
+ | The directory to be signed, as with -k option.
+ | list
+ | Same as -l option. Value is ignored, but = sign must be present.
+ | listall
+ | Same as -L option. Value is ignored, but = sign must be present.
+ | metafile
+ | Same as -m option.
+ | modules
+ | Same as -M option. Value is ignored, but = sign must be present.
+ | optimize
+ | Same as -o option. Value is ignored, but = sign must be present.
+ | password
+ | Same as -p option.
+ | keysize
+ | Same as -s option.
+ | token
+ | Same as -t option.
+ | verify
+ | Same as -v option.
+ | who
+ | Same as -w option.
+ | exclude
+ | Same as -x option.
+ | notime
+ | Same as -z option. value is ignored, but = sign must be present.
+ | jarfile
+ | Same as -Z option.
+ | outfile
+ | Name of a file to which output and error messages will be
+ | redirected. This option has no command-line equivalent.
| Extended Examples
- |    The following example will do this and that
- |    Listing Available Signing Certificates
- |    You use the -L option to list the nicknames for all available certificates
- |    and check which ones are signing certificates.
- |  signtool -L
- |  using certificate directory: /u/jsmith/.netscape
- |  S Certificates
- |  - ------------
- |    BBN Certificate Services CA Root 1
- |    IBM World Registry CA
- |    VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc.
- |    GTE CyberTrust Root CA
- |    Uptime Group Plc. Class 4 CA
- |  \* Verisign Object Signing Cert
- |    Integrion CA
- |    GTE CyberTrust Secure Server CA
- |    AT&T Directory Services
- |  \* test object signing cert
- |    Uptime Group Plc. Class 1 CA
- |    VeriSign Class 1 Primary CA
- |  - ------------
- |  Certificates that can be used to sign objects have \*'s to their left.
- |    Two signing certificates are displayed: Verisign Object Signing Cert and
- |    test object signing cert.
- |    You use the -l option to get a list of signing certificates only,
- |    including the signing CA for each.
- |  signtool -l
- |  using certificate directory: /u/jsmith/.netscape
- |  Object signing certificates
- |  ---------------------------------------
- |  Verisign Object Signing Cert
- |      Issued by: VeriSign, Inc. - Verisign, Inc.
- |      Expires: Tue May 19, 1998
- |  test object signing cert
- |      Issued by: test object signing cert (Signtool 1.0 Testing
- |  Certificate (960187691))
- |      Expires: Sun May 17, 1998
- |  ---------------------------------------
- |    For a list including CAs, use the -L option.
- |    Signing a File
- |    1. Create an empty directory.
- |  mkdir signdir
- |    2. Put some file into it.
- |  echo boo > signdir/test.f
- |    3. Specify the name of your object-signing certificate and sign the
- |    directory.
- |  signtool -k MySignCert -Z testjar.jar signdir
- |  using key "MySignCert"
- |  using certificate directory: /u/jsmith/.netscape
- |  Generating signdir/META-INF/manifest.mf file..
- |  --> test.f
- |  adding signdir/test.f to testjar.jar
- |  Generating signtool.sf file..
- |  Enter Password or Pin for "Communicator Certificate DB":
- |  adding signdir/META-INF/manifest.mf to testjar.jar
- |  adding signdir/META-INF/signtool.sf to testjar.jar
- |  adding signdir/META-INF/signtool.rsa to testjar.jar
- |  tree "signdir" signed successfully
- |    4. Test the archive you just created.
- |  signtool -v testjar.jar
- |  using certificate directory: /u/jsmith/.netscape
- |  archive "testjar.jar" has passed crypto verification.
- |             status   path
- |       ------------   -------------------
- |           verified   test.f
- |    Using Netscape Signing Tool with a ZIP Utility
- |    To use Netscape Signing Tool with a ZIP utility, you must have the utility
- |    in your path environment variable. You should use the zip.exe utility
- |    rather than pkzip.exe, which cannot handle long filenames. You can use a
- |    ZIP utility instead of the -Z option to package a signed archive into a
- |    JAR file after you have signed it:
- |  cd signdir
- |    zip -r ../myjar.jar \*
- |    adding: META-INF/ (stored 0%)
- |    adding: META-INF/manifest.mf (deflated 15%)
- |    adding: META-INF/signtool.sf (deflated 28%)
- |    adding: META-INF/signtool.rsa (stored 0%)
- |    adding: text.txt (stored 0%)
- |    Generating the Keys and Certificate
- |    The signtool option -G generates a new public-private key pair and
- |    certificate. It takes the nickname of the new certificate as an argument.
- |    The newly generated keys and certificate are installed into the key and
- |    certificate databases in the directory specified by the -d option. With
- |    the NT version of Netscape Signing Tool, you must use the -d option with
- |    the -G option. With the Unix version of Netscape Signing Tool, omitting
- |    the -d option causes the tool to install the keys and certificate in the
- |    Communicator key and certificate databases. In all cases, the certificate
- |    is also output to a file named x509.cacert, which has the MIME-type
- |    application/x-x509-ca-cert.
- |    Certificates contain standard information about the entity they identify,
- |    such as the common name and organization name. Netscape Signing Tool
- |    prompts you for this information when you run the command with the -G
- |    option. However, all of the requested fields are optional for test
- |    certificates. If you do not enter a common name, the tool provides a
- |    default name. In the following example, the user input is in boldface:
- |  signtool -G MyTestCert
- |  using certificate directory: /u/someuser/.netscape
- |  Enter certificate information. All fields are optional. Acceptable
- |  characters are numbers, letters, spaces, and apostrophes.
- |  certificate common name: Test Object Signing Certificate
- |  organization: Netscape Communications Corp.
- |  organization unit: Server Products Division
- |  state or province: California
- |  country (must be exactly 2 characters): US
- |  username: someuser
- |  email address: someuser@netscape.com
- |  Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
- |  generated public/private key pair
- |  certificate request generated
- |  certificate has been signed
- |  certificate "MyTestCert" added to database
- |  Exported certificate to x509.raw and x509.cacert.
- |    The certificate information is read from standard input. Therefore, the
- |    information can be read from a file using the redirection operator (<) in
- |    some operating systems. To create a file for this purpose, enter each of
- |    the seven input fields, in order, on a separate line. Make sure there is a
- |    newline character at the end of the last line. Then run signtool with
- |    standard input redirected from your file as follows:
- |  signtool -G MyTestCert inputfile
- |    The prompts show up on the screen, but the responses will be automatically
- |    read from the file. The password will still be read from the console
- |    unless you use the -p option to give the password on the command line.
- |    Using the -M Option to List Smart Cards
- |    You can use the -M option to list the PKCS #11 modules, including smart
- |    cards, that are available to signtool:
- |  signtool -d "c:\netscape\users\jsmith" -M
- |  using certificate directory: c:\netscape\users\username
- |  Listing of PKCS11 modules
- |  -----------------------------------------------
- |          1. Netscape Internal PKCS #11 Module
- |                            (this module is internally loaded)
- |                            slots: 2 slots attached
- |                            status: loaded
- |            slot: Communicator Internal Cryptographic Services Version 4.0
- |           token: Communicator Generic Crypto Svcs
- |            slot: Communicator User Private Key and Certificate Services
- |           token: Communicator Certificate DB
- |          2. CryptOS
- |                            (this is an external module)
- |   DLL name: core32
- |           slots: 1 slots attached
- |          status: loaded
- |            slot: Litronic 210
- |           token:
- |          -----------------------------------------------
- |    Using Netscape Signing Tool and a Smart Card to Sign Files
- |    The signtool command normally takes an argument of the -k option to
- |    specify a signing certificate. To sign with a smart card, you supply only
- |    the fully qualified name of the certificate.
- |    To see fully qualified certificate names when you run Communicator, click
- |    the Security button in Navigator, then click Yours under Certificates in
- |    the left frame. Fully qualified names are of the format smart
- |    card:certificate, for example "MyCard:My Signing Cert". You use this name
- |    with the -k argument as follows:
- |  signtool -k "MyCard:My Signing Cert" directory
- |    Verifying FIPS Mode
- |    Use the -M option to verify that you are using the FIPS-140-1 module.
- |  signtool -d "c:\netscape\users\jsmith" -M
- |  using certificate directory: c:\netscape\users\jsmith
- |  Listing of PKCS11 modules
- |  -----------------------------------------------
- |    1. Netscape Internal PKCS #11 Module
- |            (this module is internally loaded)
- |            slots: 2 slots attached
- |            status: loaded
- |      slot: Communicator Internal Cryptographic Services Version 4.0
- |     token: Communicator Generic Crypto Svcs
- |      slot: Communicator User Private Key and Certificate Services
- |     token: Communicator Certificate DB
- |  -----------------------------------------------
- |    This Unix example shows that Netscape Signing Tool is using a FIPS-140-1
- |    module:
- |  signtool -d "c:\netscape\users\jsmith" -M
- |  using certificate directory: c:\netscape\users\jsmith
- |  Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
- |  Listing of PKCS11 modules
- |  -----------------------------------------------
- |  1. Netscape Internal FIPS PKCS #11 Module
- |  (this module is internally loaded)
- |  slots: 1 slots attached
- |  status: loaded
- |  slot: Netscape Internal FIPS-140-1 Cryptographic Services
- |  token: Communicator Certificate DB
- |  -----------------------------------------------
+ | The following example will do this and that
+ | Listing Available Signing Certificates
+ | You use the -L option to list the nicknames for all available certificates
+ | and check which ones are signing certificates.
+ | signtool -L
+ | using certificate directory: /u/jsmith/.netscape
+ | S Certificates
+ | - ------------
+ | BBN Certificate Services CA Root 1
+ | IBM World Registry CA
+ | VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc.
+ | GTE CyberTrust Root CA
+ | Uptime Group Plc. Class 4 CA
+ | \* Verisign Object Signing Cert
+ | Integrion CA
+ | GTE CyberTrust Secure Server CA
+ | AT&T Directory Services
+ | \* test object signing cert
+ | Uptime Group Plc. Class 1 CA
+ | VeriSign Class 1 Primary CA
+ | - ------------
+ | Certificates that can be used to sign objects have \*'s to their left.
+ | Two signing certificates are displayed: Verisign Object Signing Cert and
+ | test object signing cert.
+ | You use the -l option to get a list of signing certificates only,
+ | including the signing CA for each.
+ | signtool -l
+ | using certificate directory: /u/jsmith/.netscape
+ | Object signing certificates
+ | ---------------------------------------
+ | Verisign Object Signing Cert
+ | Issued by: VeriSign, Inc. - Verisign, Inc.
+ | Expires: Tue May 19, 1998
+ | test object signing cert
+ | Issued by: test object signing cert (Signtool 1.0 Testing
+ | Certificate (960187691))
+ | Expires: Sun May 17, 1998
+ | ---------------------------------------
+ | For a list including CAs, use the -L option.
+ | Signing a File
+ | 1. Create an empty directory.
+ | mkdir signdir
+ | 2. Put some file into it.
+ | echo boo > signdir/test.f
+ | 3. Specify the name of your object-signing certificate and sign the
+ | directory.
+ | signtool -k MySignCert -Z testjar.jar signdir
+ | using key "MySignCert"
+ | using certificate directory: /u/jsmith/.netscape
+ | Generating signdir/META-INF/manifest.mf file..
+ | --> test.f
+ | adding signdir/test.f to testjar.jar
+ | Generating signtool.sf file..
+ | Enter Password or Pin for "Communicator Certificate DB":
+ | adding signdir/META-INF/manifest.mf to testjar.jar
+ | adding signdir/META-INF/signtool.sf to testjar.jar
+ | adding signdir/META-INF/signtool.rsa to testjar.jar
+ | tree "signdir" signed successfully
+ | 4. Test the archive you just created.
+ | signtool -v testjar.jar
+ | using certificate directory: /u/jsmith/.netscape
+ | archive "testjar.jar" has passed crypto verification.
+ | status path
+ | ------------ -------------------
+ | verified test.f
+ | Using Netscape Signing Tool with a ZIP Utility
+ | To use Netscape Signing Tool with a ZIP utility, you must have the utility
+ | in your path environment variable. You should use the zip.exe utility
+ | rather than pkzip.exe, which cannot handle long filenames. You can use a
+ | ZIP utility instead of the -Z option to package a signed archive into a
+ | JAR file after you have signed it:
+ | cd signdir
+ | zip -r ../myjar.jar \*
+ | adding: META-INF/ (stored 0%)
+ | adding: META-INF/manifest.mf (deflated 15%)
+ | adding: META-INF/signtool.sf (deflated 28%)
+ | adding: META-INF/signtool.rsa (stored 0%)
+ | adding: text.txt (stored 0%)
+ | Generating the Keys and Certificate
+ | The signtool option -G generates a new public-private key pair and
+ | certificate. It takes the nickname of the new certificate as an argument.
+ | The newly generated keys and certificate are installed into the key and
+ | certificate databases in the directory specified by the -d option. With
+ | the NT version of Netscape Signing Tool, you must use the -d option with
+ | the -G option. With the Unix version of Netscape Signing Tool, omitting
+ | the -d option causes the tool to install the keys and certificate in the
+ | Communicator key and certificate databases. In all cases, the certificate
+ | is also output to a file named x509.cacert, which has the MIME-type
+ | application/x-x509-ca-cert.
+ | Certificates contain standard information about the entity they identify,
+ | such as the common name and organization name. Netscape Signing Tool
+ | prompts you for this information when you run the command with the -G
+ | option. However, all of the requested fields are optional for test
+ | certificates. If you do not enter a common name, the tool provides a
+ | default name. In the following example, the user input is in boldface:
+ | signtool -G MyTestCert
+ | using certificate directory: /u/someuser/.netscape
+ | Enter certificate information. All fields are optional. Acceptable
+ | characters are numbers, letters, spaces, and apostrophes.
+ | certificate common name: Test Object Signing Certificate
+ | organization: Netscape Communications Corp.
+ | organization unit: Server Products Division
+ | state or province: California
+ | country (must be exactly 2 characters): US
+ | username: someuser
+ | email address: someuser@netscape.com
+ | Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
+ | generated public/private key pair
+ | certificate request generated
+ | certificate has been signed
+ | certificate "MyTestCert" added to database
+ | Exported certificate to x509.raw and x509.cacert.
+ | The certificate information is read from standard input. Therefore, the
+ | information can be read from a file using the redirection operator (<) in
+ | some operating systems. To create a file for this purpose, enter each of
+ | the seven input fields, in order, on a separate line. Make sure there is a
+ | newline character at the end of the last line. Then run signtool with
+ | standard input redirected from your file as follows:
+ | signtool -G MyTestCert inputfile
+ | The prompts show up on the screen, but the responses will be automatically
+ | read from the file. The password will still be read from the console
+ | unless you use the -p option to give the password on the command line.
+ | Using the -M Option to List Smart Cards
+ | You can use the -M option to list the PKCS #11 modules, including smart
+ | cards, that are available to signtool:
+ | signtool -d "c:\netscape\users\jsmith" -M
+ | using certificate directory: c:\netscape\users\username
+ | Listing of PKCS11 modules
+ | -----------------------------------------------
+ | 1. Netscape Internal PKCS #11 Module
+ | (this module is internally loaded)
+ | slots: 2 slots attached
+ | status: loaded
+ | slot: Communicator Internal Cryptographic Services Version 4.0
+ | token: Communicator Generic Crypto Svcs
+ | slot: Communicator User Private Key and Certificate Services
+ | token: Communicator Certificate DB
+ | 2. CryptOS
+ | (this is an external module)
+ | DLL name: core32
+ | slots: 1 slots attached
+ | status: loaded
+ | slot: Litronic 210
+ | token:
+ | -----------------------------------------------
+ | Using Netscape Signing Tool and a Smart Card to Sign Files
+ | The signtool command normally takes an argument of the -k option to
+ | specify a signing certificate. To sign with a smart card, you supply only
+ | the fully qualified name of the certificate.
+ | To see fully qualified certificate names when you run Communicator, click
+ | the Security button in Navigator, then click Yours under Certificates in
+ | the left frame. Fully qualified names are of the format smart
+ | card:certificate, for example "MyCard:My Signing Cert". You use this name
+ | with the -k argument as follows:
+ | signtool -k "MyCard:My Signing Cert" directory
+ | Verifying FIPS Mode
+ | Use the -M option to verify that you are using the FIPS-140-1 module.
+ | signtool -d "c:\netscape\users\jsmith" -M
+ | using certificate directory: c:\netscape\users\jsmith
+ | Listing of PKCS11 modules
+ | -----------------------------------------------
+ | 1. Netscape Internal PKCS #11 Module
+ | (this module is internally loaded)
+ | slots: 2 slots attached
+ | status: loaded
+ | slot: Communicator Internal Cryptographic Services Version 4.0
+ | token: Communicator Generic Crypto Svcs
+ | slot: Communicator User Private Key and Certificate Services
+ | token: Communicator Certificate DB
+ | -----------------------------------------------
+ | This Unix example shows that Netscape Signing Tool is using a FIPS-140-1
+ | module:
+ | signtool -d "c:\netscape\users\jsmith" -M
+ | using certificate directory: c:\netscape\users\jsmith
+ | Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
+ | Listing of PKCS11 modules
+ | -----------------------------------------------
+ | 1. Netscape Internal FIPS PKCS #11 Module
+ | (this module is internally loaded)
+ | slots: 1 slots attached
+ | status: loaded
+ | slot: Netscape Internal FIPS-140-1 Cryptographic Services
+ | token: Communicator Certificate DB
+ | -----------------------------------------------
| See Also
- |    signver (1)
- |    The NSS wiki has information on the new database design and how to
- |    configure applications to use it.
- |      o https://wiki.mozilla.org/NSS_Shared_DB_Howto
- |      o https://wiki.mozilla.org/NSS_Shared_DB
+ | signver (1)
+ | The NSS wiki has information on the new database design and how to
+ | configure applications to use it.
+ | o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+ | o https://wiki.mozilla.org/NSS_Shared_DB
| Additional Resources
- |    For information about NSS and other tools related to NSS (like JSS), check
- |    out the NSS project wiki at
- |   
+ | For information about NSS and other tools related to NSS (like JSS), check
+ | out the NSS project wiki at
+ |
[1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
- |    directly to NSS code changes and releases.
- |    Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
- |    IRC: Freenode at #dogtag-pki
+ | directly to NSS code changes and releases.
+ | Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
+ | IRC: Freenode at #dogtag-pki
| Authors
- |    The NSS tools were written and maintained by developers with Netscape, Red
- |    Hat, and Sun.
- |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
- |    <dlackey@redhat.com>.
+ | The NSS tools were written and maintained by developers with Netscape, Red
+ | Hat, and Sun.
+ | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+ | <dlackey@redhat.com>.
| Copyright
- |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+ | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
- |    Visible links
- |    1.
+ | Visible links
+ | 1.
`http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__ \ No newline at end of file
diff --git a/doc/rst/legacy/tools/signver/index.rst b/doc/rst/legacy/tools/signver/index.rst
index b68a170cc..18fa331bd 100644
--- a/doc/rst/legacy/tools/signver/index.rst
+++ b/doc/rst/legacy/tools/signver/index.rst
@@ -6,113 +6,113 @@ NSS tools : signver
.. container::
| Name
- |    signver — Verify a detached PKCS#7 signature for a file.
+ | signver — Verify a detached PKCS#7 signature for a file.
| Synopsis
- |    signtool -A \| -V -d directory [-a] [-i input_file] [-o output_file] [-s
- |    signature_file] [-v]
+ | signtool -A \| -V -d directory [-a] [-i input_file] [-o output_file] [-s
+ | signature_file] [-v]
| Description
- |    The Signature Verification Tool, signver, is a simple command-line utility
- |    that unpacks a base-64-encoded PKCS#7 signed object and verifies the
- |    digital signature using standard cryptographic techniques. The Signature
- |    Verification Tool can also display the contents of the signed object.
+ | The Signature Verification Tool, signver, is a simple command-line utility
+ | that unpacks a base-64-encoded PKCS#7 signed object and verifies the
+ | digital signature using standard cryptographic techniques. The Signature
+ | Verification Tool can also display the contents of the signed object.
| Options
- |    -A
- |            Displays all of the information in the PKCS#7 signature.
- |    -V
- |            Verifies the digital signature.
- |    -d [sql:]directory
- |            Specify the database directory which contains the certificates and
- |            keys.
- |            signver supports two types of databases: the legacy security
- |            databases (cert8.db, key3.db, and secmod.db) and new SQLite
- |            databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
- |            is not used, then the tool assumes that the given databases are in
- |            the old format.
- |    -a
- |            Sets that the given signature file is in ASCII format.
- |    -i input_file
- |            Gives the input file for the object with signed data.
- |    -o output_file
- |            Gives the output file to which to write the results.
- |    -s signature_file
- |            Gives the input file for the digital signature.
- |    -v
- |            Enables verbose output.
+ | -A
+ | Displays all of the information in the PKCS#7 signature.
+ | -V
+ | Verifies the digital signature.
+ | -d [sql:]directory
+ | Specify the database directory which contains the certificates and
+ | keys.
+ | signver supports two types of databases: the legacy security
+ | databases (cert8.db, key3.db, and secmod.db) and new SQLite
+ | databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql:
+ | is not used, then the tool assumes that the given databases are in
+ | the old format.
+ | -a
+ | Sets that the given signature file is in ASCII format.
+ | -i input_file
+ | Gives the input file for the object with signed data.
+ | -o output_file
+ | Gives the output file to which to write the results.
+ | -s signature_file
+ | Gives the input file for the digital signature.
+ | -v
+ | Enables verbose output.
| Extended Examples
- |   Verifying a Signature
- |    The -V option verifies that the signature in a given signature file is
- |    valid when used to sign the given object (from the input file).
- |  signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb
- |  signatureValid=yes
- |   Printing Signature Data
- |    The -A option prints all of the information contained in a signature file.
- |    Using the -o option prints the signature file information to the given
- |    output file rather than stdout.
- |  signver -A -s signature_file -o output_file
+ | Verifying a Signature
+ | The -V option verifies that the signature in a given signature file is
+ | valid when used to sign the given object (from the input file).
+ | signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb
+ | signatureValid=yes
+ | Printing Signature Data
+ | The -A option prints all of the information contained in a signature file.
+ | Using the -o option prints the signature file information to the given
+ | output file rather than stdout.
+ | signver -A -s signature_file -o output_file
| NSS Database Types
- |    NSS originally used BerkeleyDB databases to store security information.
- |    The last versions of these legacy databases are:
- |      o cert8.db for certificates
- |      o key3.db for keys
- |      o secmod.db for PKCS #11 module information
- |    BerkeleyDB has performance limitations, though, which prevent it from
- |    being easily used by multiple applications simultaneously. NSS has some
- |    flexibility that allows applications to use their own, independent
- |    database engine while keeping a shared database and working around the
- |    access issues. Still, NSS requires more flexibility to provide a truly
- |    shared security database.
- |    In 2009, NSS introduced a new set of databases that are SQLite databases
- |    rather than BerkleyDB. These new databases provide more accessibility and
- |    performance:
- |      o cert9.db for certificates
- |      o key4.db for keys
- |      o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
- |        in a new subdirectory in the security databases directory
- |    Because the SQLite databases are designed to be shared, these are the
- |    shared database type. The shared database type is preferred; the legacy
- |    format is included for backward compatibility.
- |    By default, the tools (certutil, pk12util, modutil) assume that the given
- |    security databases follow the more common legacy type. Using the SQLite
- |    databases must be manually specified by using the sql: prefix with the
- |    given security directory. For example:
- |  # signver -A -s signature -d sql:/home/my/sharednssdb
- |    To set the shared database type as the default type for the tools, set the
- |    NSS_DEFAULT_DB_TYPE environment variable to sql:
- |  export NSS_DEFAULT_DB_TYPE="sql"
- |    This line can be set added to the ~/.bashrc file to make the change
- |    permanent.
- |    Most applications do not use the shared database by default, but they can
- |    be configured to use them. For example, this how-to article covers how to
- |    configure Firefox and Thunderbird to use the new shared NSS databases:
- |      o https://wiki.mozilla.org/NSS_Shared_DB_Howto
- |    For an engineering draft on the changes in the shared NSS databases, see
- |    the NSS project wiki:
- |      o https://wiki.mozilla.org/NSS_Shared_DB
+ | NSS originally used BerkeleyDB databases to store security information.
+ | The last versions of these legacy databases are:
+ | o cert8.db for certificates
+ | o key3.db for keys
+ | o secmod.db for PKCS #11 module information
+ | BerkeleyDB has performance limitations, though, which prevent it from
+ | being easily used by multiple applications simultaneously. NSS has some
+ | flexibility that allows applications to use their own, independent
+ | database engine while keeping a shared database and working around the
+ | access issues. Still, NSS requires more flexibility to provide a truly
+ | shared security database.
+ | In 2009, NSS introduced a new set of databases that are SQLite databases
+ | rather than BerkleyDB. These new databases provide more accessibility and
+ | performance:
+ | o cert9.db for certificates
+ | o key4.db for keys
+ | o pkcs11.txt, which is listing of all of the PKCS #11 modules contained
+ | in a new subdirectory in the security databases directory
+ | Because the SQLite databases are designed to be shared, these are the
+ | shared database type. The shared database type is preferred; the legacy
+ | format is included for backward compatibility.
+ | By default, the tools (certutil, pk12util, modutil) assume that the given
+ | security databases follow the more common legacy type. Using the SQLite
+ | databases must be manually specified by using the sql: prefix with the
+ | given security directory. For example:
+ | # signver -A -s signature -d sql:/home/my/sharednssdb
+ | To set the shared database type as the default type for the tools, set the
+ | NSS_DEFAULT_DB_TYPE environment variable to sql:
+ | export NSS_DEFAULT_DB_TYPE="sql"
+ | This line can be set added to the ~/.bashrc file to make the change
+ | permanent.
+ | Most applications do not use the shared database by default, but they can
+ | be configured to use them. For example, this how-to article covers how to
+ | configure Firefox and Thunderbird to use the new shared NSS databases:
+ | o https://wiki.mozilla.org/NSS_Shared_DB_Howto
+ | For an engineering draft on the changes in the shared NSS databases, see
+ | the NSS project wiki:
+ | o https://wiki.mozilla.org/NSS_Shared_DB
| See Also
- |    signtool (1)
- |    The NSS wiki has information on the new database design and how to
- |    configure applications to use it.
- |      o Setting up the shared NSS database
- |        https://wiki.mozilla.org/NSS_Shared_DB_Howto
- |      o Engineering and technical information about the shared NSS database
- |        https://wiki.mozilla.org/NSS_Shared_DB
+ | signtool (1)
+ | The NSS wiki has information on the new database design and how to
+ | configure applications to use it.
+ | o Setting up the shared NSS database
+ | https://wiki.mozilla.org/NSS_Shared_DB_Howto
+ | o Engineering and technical information about the shared NSS database
+ | https://wiki.mozilla.org/NSS_Shared_DB
| Additional Resources
- |    For information about NSS and other tools related to NSS (like JSS), check
- |    out the NSS project wiki at
- |   
+ | For information about NSS and other tools related to NSS (like JSS), check
+ | out the NSS project wiki at
+ |
[1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
- |    directly to NSS code changes and releases.
- |    Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
- |    IRC: Freenode at #dogtag-pki
+ | directly to NSS code changes and releases.
+ | Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
+ | IRC: Freenode at #dogtag-pki
| Authors
- |    The NSS tools were written and maintained by developers with Netscape, Red
- |    Hat, and Sun.
- |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
- |    <dlackey@redhat.com>.
+ | The NSS tools were written and maintained by developers with Netscape, Red
+ | Hat, and Sun.
+ | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+ | <dlackey@redhat.com>.
| Copyright
- |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+ | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
- |    Visible links
- |    1.
+ | Visible links
+ | 1.
`http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__ \ No newline at end of file
diff --git a/doc/rst/legacy/tools/ssltap/index.rst b/doc/rst/legacy/tools/ssltap/index.rst
index 1fd152fa8..3c63acc5c 100644
--- a/doc/rst/legacy/tools/ssltap/index.rst
+++ b/doc/rst/legacy/tools/ssltap/index.rst
@@ -6,490 +6,490 @@ NSS tools : ssltap
.. container::
| Name
- |    ssltap — Tap into SSL connections and display the data going by
+ | ssltap — Tap into SSL connections and display the data going by
| Synopsis
- |    libssltap [-vhfsxl] [-p port] [hostname:port]
+ | libssltap [-vhfsxl] [-p port] [hostname:port]
| Description
- |    The SSL Debugging Tool ssltap is an SSL-aware command-line proxy. It
- |    watches TCP connections and displays the data going by. If a connection is
- |    SSL, the data display includes interpreted SSL records and handshaking
+ | The SSL Debugging Tool ssltap is an SSL-aware command-line proxy. It
+ | watches TCP connections and displays the data going by. If a connection is
+ | SSL, the data display includes interpreted SSL records and handshaking
| Options
- |    -v
- |            Print a version string for the tool.
- |    -h
- |            Turn on hex/ASCII printing. Instead of outputting raw data, the
- |            command interprets each record as a numbered line of hex values,
- |            followed by the same data as ASCII characters. The two parts are
- |            separated by a vertical bar. Nonprinting characters are replaced
- |            by dots.
- |    -f
- |            Turn on fancy printing. Output is printed in colored HTML. Data
- |            sent from the client to the server is in blue; the server's reply
- |            is in red. When used with looping mode, the different connections
- |            are separated with horizontal lines. You can use this option to
- |            upload the output into a browser.
- |    -s
- |            Turn on SSL parsing and decoding. The tool does not automatically
- |            detect SSL sessions. If you are intercepting an SSL connection,
- |            use this option so that the tool can detect and decode SSL
- |            structures.
- |            If the tool detects a certificate chain, it saves the DER-encoded
- |            certificates into files in the current directory. The files are
- |            named cert.0x, where x is the sequence number of the certificate.
- |            If the -s option is used with -h, two separate parts are printed
- |            for each record: the plain hex/ASCII output, and the parsed SSL
- |            output.
- |    -x
- |            Turn on hex/ASCII printing of undecoded data inside parsed SSL
- |            records. Used only with the -s option. This option uses the same
- |            output format as the -h option.
- |    -l prefix
- |            Turn on looping; that is, continue to accept connections rather
- |            than stopping after the first connection is complete.
- |    -p port
- |            Change the default rendezvous port (1924) to another port.
- |            The following are well-known port numbers:
- |            \* HTTP 80
- |            \* HTTPS 443
- |            \* SMTP 25
- |            \* FTP 21
- |            \* IMAP 143
- |            \* IMAPS 993 (IMAP over SSL)
- |            \* NNTP 119
- |            \* NNTPS 563 (NNTP over SSL)
+ | -v
+ | Print a version string for the tool.
+ | -h
+ | Turn on hex/ASCII printing. Instead of outputting raw data, the
+ | command interprets each record as a numbered line of hex values,
+ | followed by the same data as ASCII characters. The two parts are
+ | separated by a vertical bar. Nonprinting characters are replaced
+ | by dots.
+ | -f
+ | Turn on fancy printing. Output is printed in colored HTML. Data
+ | sent from the client to the server is in blue; the server's reply
+ | is in red. When used with looping mode, the different connections
+ | are separated with horizontal lines. You can use this option to
+ | upload the output into a browser.
+ | -s
+ | Turn on SSL parsing and decoding. The tool does not automatically
+ | detect SSL sessions. If you are intercepting an SSL connection,
+ | use this option so that the tool can detect and decode SSL
+ | structures.
+ | If the tool detects a certificate chain, it saves the DER-encoded
+ | certificates into files in the current directory. The files are
+ | named cert.0x, where x is the sequence number of the certificate.
+ | If the -s option is used with -h, two separate parts are printed
+ | for each record: the plain hex/ASCII output, and the parsed SSL
+ | output.
+ | -x
+ | Turn on hex/ASCII printing of undecoded data inside parsed SSL
+ | records. Used only with the -s option. This option uses the same
+ | output format as the -h option.
+ | -l prefix
+ | Turn on looping; that is, continue to accept connections rather
+ | than stopping after the first connection is complete.
+ | -p port
+ | Change the default rendezvous port (1924) to another port.
+ | The following are well-known port numbers:
+ | \* HTTP 80
+ | \* HTTPS 443
+ | \* SMTP 25
+ | \* FTP 21
+ | \* IMAP 143
+ | \* IMAPS 993 (IMAP over SSL)
+ | \* NNTP 119
+ | \* NNTPS 563 (NNTP over SSL)
| Usage and Examples
- |    You can use the SSL Debugging Tool to intercept any connection
- |    information. Although you can run the tool at its most basic by issuing
- |    the ssltap command with no options other than hostname:port, the
- |    information you get in this way is not very useful. For example, assume
- |    your development machine is called intercept. The simplest way to use the
- |    debugging tool is to execute the following command from a command shell:
- |  $ ssltap www.netscape.com
- |    The program waits for an incoming connection on the default port 1924. In
- |    your browser window, enter the URL http://intercept:1924. The browser
- |    retrieves the requested page from the server at www.netscape.com, but the
- |    page is intercepted and passed on to the browser by the debugging tool on
- |    intercept. On its way to the browser, the data is printed to the command
- |    shell from which you issued the command. Data sent from the client to the
- |    server is surrounded by the following symbols: --> [ data ] Data sent from
- |    the server to the client is surrounded by the following symbols: "left
- |    arrow"-- [ data ] The raw data stream is sent to standard output and is
- |    not interpreted in any way. This can result in peculiar effects, such as
- |    sounds, flashes, and even crashes of the command shell window. To output a
- |    basic, printable interpretation of the data, use the -h option, or, if you
- |    are looking at an SSL connection, the -s option. You will notice that the
- |    page you retrieved looks incomplete in the browser. This is because, by
- |    default, the tool closes down after the first connection is complete, so
- |    the browser is not able to load images. To make the tool continue to
- |    accept connections, switch on looping mode with the -l option. The
- |    following examples show the output from commonly used combinations of
- |    options.
- |    Example 1
- |  $ ssltap.exe -sx -p 444 interzone.mcom.com:443 > sx.txt
- |    Output
- |  Connected to interzone.mcom.com:443
- |  -->; [
- |  alloclen = 66 bytes
- |     [ssl2]  ClientHelloV2 {
- |              version = {0x03, 0x00}
- |              cipher-specs-length = 39 (0x27)
- |              sid-length = 0 (0x00)
- |              challenge-length = 16 (0x10)
- |              cipher-suites = {
- |                  (0x010080) SSL2/RSA/RC4-128/MD5
- |                    (0x020080) SSL2/RSA/RC4-40/MD5
- |                    (0x030080) SSL2/RSA/RC2CBC128/MD5
- |                    (0x040080) SSL2/RSA/RC2CBC40/MD5
- |                    (0x060040) SSL2/RSA/DES64CBC/MD5
- |                    (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
- |                    (0x000004) SSL3/RSA/RC4-128/MD5
- |                    (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
- |                    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
- |                    (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
- |                    (0x000009) SSL3/RSA/DES64CBC/SHA
- |                    (0x000003) SSL3/RSA/RC4-40/MD5
- |                    (0x000006) SSL3/RSA/RC2CBC40/MD5
- |                    }
- |              session-id = { }
- |              challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
- |  0x2592 }
- |  }
- |  ]
- |  <-- [
- |  SSLRecord {
- |     0: 16 03 00 03  e5                                   \|.....
- |     type    = 22 (handshake)
- |     version = { 3,0 }
- |     length  = 997 (0x3e5)
- |     handshake {
- |     0: 02 00 00 46                                      \|...F
- |        type = 2 (server_hello)
- |        length = 70 (0x000046)
- |              ServerHello {
- |              server_version = {3, 0}
- |              random = {...}
- |     0: 77 8c 6e 26  6c 0c ec c0  d9 58 4f 47  d3 2d 01 45  \|
- |  wn&l.ì..XOG.-.E
- |     10: 5c 17 75 43  a7 4c 88 c7  88 64 3c 50  41 48 4f 7f  \|
- |  \.uC§L.Ç.d<PAHO.
- |                    session ID = {
- |                    length = 32
- |                  contents = {..}
- |     0: 14 11 07 a8  2a 31 91 29  11 94 40 37  57 10 a7 32  \| ...¨*1.)..@7W.§2
- |     10: 56 6f 52 62  fe 3d b3 65  b1 e4 13 0f  52 a3 c8 f6  \| VoRbþ=³e±...R£È.
- |           }
- |                 cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
- |           }
- |     0: 0b 00 02 c5                                      \|...Å
- |        type = 11 (certificate)
- |        length = 709 (0x0002c5)
- |              CertificateChain {
- |              chainlength = 706 (0x02c2)
- |                 Certificate {
- |              size = 703 (0x02bf)
- |                 data = { saved in file 'cert.001' }
- |              }
- |           }
- |     0: 0c 00 00 ca                                      \|....
- |           type = 12 (server_key_exchange)
- |           length = 202 (0x0000ca)
- |     0: 0e 00 00 00                                      \|....
- |           type = 14 (server_hello_done)
- |           length = 0 (0x000000)
- |     }
- |  }
- |  ]
- |  --> [
- |  SSLRecord {
- |     0: 16 03 00 00  44                                   \|....D
- |     type    = 22 (handshake)
- |     version = { 3,0 }
- |     length  = 68 (0x44)
- |     handshake {
- |     0: 10 00 00 40                                      \|...@
- |     type = 16 (client_key_exchange)
- |     length = 64 (0x000040)
- |           ClientKeyExchange {
- |              message = {...}
- |           }
- |     }
- |  }
- |  ]
- |  --> [
- |  SSLRecord {
- |     0: 14 03 00 00  01                                   \|.....
- |     type    = 20 (change_cipher_spec)
- |     version = { 3,0 }
- |     length  = 1 (0x1)
- |     0: 01                                               \|.
- |  }
- |  SSLRecord {
- |     0: 16 03 00 00  38                                   \|....8
- |     type    = 22 (handshake)
- |     version = { 3,0 }
- |     length  = 56 (0x38)
- |                 < encrypted >
- |  }
- |  ]
- |  <-- [
- |  SSLRecord {
- |     0: 14 03 00 00  01                                   \|.....
- |     type    = 20 (change_cipher_spec)
- |     version = { 3,0 }
- |     length  = 1 (0x1)
- |     0: 01                                               \|.
- |  }
- |  ]
- |  <-- [
- |  SSLRecord {
- |     0: 16 03 00 00  38                                   \|....8
- |     type    = 22 (handshake)
- |     version = { 3,0 }
- |     length  = 56 (0x38)
- |                    < encrypted >
- |  }
- |  ]
- |  --> [
- |  SSLRecord {
- |     0: 17 03 00 01  1f                                   \|.....
- |     type    = 23 (application_data)
- |     version = { 3,0 }
- |     length  = 287 (0x11f)
- |                 < encrypted >
- |  }
- |  ]
- |  <-- [
- |  SSLRecord {
- |     0: 17 03 00 00  a0                                   \|....
- |     type    = 23 (application_data)
- |     version = { 3,0 }
- |     length  = 160 (0xa0)
- |                 < encrypted >
- |  }
- |  ]
- |  <-- [
- |  SSLRecord {
- |  0: 17 03 00 00  df                                   \|....ß
- |     type    = 23 (application_data)
- |     version = { 3,0 }
- |     length  = 223 (0xdf)
- |                 < encrypted >
- |  }
- |  SSLRecord {
- |     0: 15 03 00 00  12                                   \|.....
- |     type    = 21 (alert)
- |     version = { 3,0 }
- |     length  = 18 (0x12)
- |                 < encrypted >
- |  }
- |  ]
- |  Server socket closed.
- |    Example 2
- |    The -s option turns on SSL parsing. Because the -x option is not used in
- |    this example, undecoded values are output as raw data. The output is
- |    routed to a text file.
- |  $ ssltap -s  -p 444 interzone.mcom.com:443 > s.txt
- |    Output
- |  Connected to interzone.mcom.com:443
- |  --> [
- |  alloclen = 63 bytes
- |     [ssl2]  ClientHelloV2 {
- |              version = {0x03, 0x00}
- |              cipher-specs-length = 36 (0x24)
- |              sid-length = 0 (0x00)
- |              challenge-length = 16 (0x10)
- |              cipher-suites = {
- |                    (0x010080) SSL2/RSA/RC4-128/MD5
- |                    (0x020080) SSL2/RSA/RC4-40/MD5
- |                    (0x030080) SSL2/RSA/RC2CBC128/MD5
- |                    (0x060040) SSL2/RSA/DES64CBC/MD5
- |                    (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
- |                    (0x000004) SSL3/RSA/RC4-128/MD5
- |                    (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
- |                    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
- |                    (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
- |                    (0x000009) SSL3/RSA/DES64CBC/SHA
- |                    (0x000003) SSL3/RSA/RC4-40/MD5
- |                    }
- |                 session-id = { }
- |              challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
- |  0x3fd0 }
- |  ]
- |  >-- [
- |  SSLRecord {
- |     type    = 22 (handshake)
- |     version = { 3,0 }
- |     length  = 997 (0x3e5)
- |     handshake {
- |           type = 2 (server_hello)
- |           length = 70 (0x000046)
- |              ServerHello {
- |              server_version = {3, 0}
- |              random = {...}
- |              session ID = {
- |                 length = 32
- |                 contents = {..}
- |                 }
- |                 cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
- |              }
- |           type = 11 (certificate)
- |           length = 709 (0x0002c5)
- |              CertificateChain {
- |                 chainlength = 706 (0x02c2)
- |                 Certificate {
- |                    size = 703 (0x02bf)
- |                    data = { saved in file 'cert.001' }
- |                 }
- |              }
- |           type = 12 (server_key_exchange)
- |           length = 202 (0x0000ca)
- |           type = 14 (server_hello_done)
- |           length = 0 (0x000000)
- |     }
- |  }
- |  ]
- |  --> [
- |  SSLRecord {
- |     type    = 22 (handshake)
- |     version = { 3,0 }
- |     length  = 68 (0x44)
- |     handshake {
- |           type = 16 (client_key_exchange)
- |           length = 64 (0x000040)
- |              ClientKeyExchange {
- |                 message = {...}
- |              }
- |     }
- |  }
- |  ]
- |  --> [
- |  SSLRecord {
- |     type    = 20 (change_cipher_spec)
- |     version = { 3,0 }
- |     length  = 1 (0x1)
- |  }
- |  SSLRecord {
- |     type    = 22 (handshake)
- |     version = { 3,0 }
- |     length  = 56 (0x38)
- |                 > encrypted >
- |  }
- |  ]
- |  >-- [
- |  SSLRecord {
- |     type    = 20 (change_cipher_spec)
- |     version = { 3,0 }
- |     length  = 1 (0x1)
- |  }
- |  ]
- |  >-- [
- |  SSLRecord {
- |     type    = 22 (handshake)
- |     version = { 3,0 }
- |     length  = 56 (0x38)
- |                 > encrypted >
- |  }
- |  ]
- |  --> [
- |  SSLRecord {
- |     type    = 23 (application_data)
- |     version = { 3,0 }
- |     length  = 287 (0x11f)
- |                 > encrypted >
- |  }
- |  ]
- |  [
- |  SSLRecord {
- |     type    = 23 (application_data)
- |     version = { 3,0 }
- |     length  = 160 (0xa0)
- |                 > encrypted >
- |  }
- |  ]
- |  >-- [
- |  SSLRecord {
- |     type    = 23 (application_data)
- |     version = { 3,0 }
- |     length  = 223 (0xdf)
- |                 > encrypted >
- |  }
- |  SSLRecord {
- |     type    = 21 (alert)
- |     version = { 3,0 }
- |     length  = 18 (0x12)
- |                 > encrypted >
- |  }
- |  ]
- |  Server socket closed.
- |    Example 3
- |    In this example, the -h option turns hex/ASCII format. There is no SSL
- |    parsing or decoding. The output is routed to a text file.
- |  $ ssltap -h  -p 444 interzone.mcom.com:443 > h.txt
- |    Output
- |  Connected to interzone.mcom.com:443
- |  --> [
- |     0: 80 40 01 03  00 00 27 00  00 00 10 01  00 80 02 00  \| .@....'.........
- |     10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04  \| .........@......
- |     20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 00  \| ........á.......
- |     30: 00 06 9b fe  5b 56 96 49  1f 9f ca dd  d5 ba b9 52  \| ..þ[V.I.\xd9 ...º¹R
- |     40: 6f 2d                                            \|o-
- |  ]
- |  <-- [
- |     0: 16 03 00 03  e5 02 00 00  46 03 00 7f  e5 0d 1b 1d  \| ........F.......
- |     10: 68 7f 3a 79  60 d5 17 3c  1d 9c 96 b3  88 d2 69 3b  \| h.:y`..<..³.Òi;
- |     20: 78 e2 4b 8b  a6 52 12 4b  46 e8 c2 20  14 11 89 05  \| x.K.¦R.KFè. ...
- |     30: 4d 52 91 fd  93 e0 51 48  91 90 08 96  c1 b6 76 77  \| MR.ý..QH.....¶vw
- |     40: 2a f4 00 08  a1 06 61 a2  64 1f 2e 9b  00 03 00 0b  \| \*ô..¡.a¢d......
- |     50: 00 02 c5 00  02 c2 00 02  bf 30 82 02  bb 30 82 02  \| ..Å......0...0..
- |     60: 24 a0 03 02  01 02 02 02  01 36 30 0d  06 09 2a 86  \| $ .......60...*.
- |     70: 48 86 f7 0d  01 01 04 05  00 30 77 31  0b 30 09 06  \| H.÷......0w1.0..
- |     80: 03 55 04 06  13 02 55 53  31 2c 30 2a  06 03 55 04  \| .U....US1,0*..U.
- |     90: 0a 13 23 4e  65 74 73 63  61 70 65 20  43 6f 6d 6d  \| ..#Netscape Comm
- |     a0: 75 6e 69 63  61 74 69 6f  6e 73 20 43  6f 72 70 6f  \| unications Corpo
- |     b0: 72 61 74 69  6f 6e 31 11  30 0f 06 03  55 04 0b 13  \| ration1.0...U...
- |     c0: 08 48 61 72  64 63 6f 72  65 31 27 30  25 06 03 55  \| .Hardcore1'0%..U
- |     d0: 04 03 13 1e  48 61 72 64  63 6f 72 65  20 43 65 72  \| ....Hardcore Cer
- |     e0: 74 69 66 69  63 61 74 65  20 53 65 72  76 65 72 20  \| tificate Server
- |     f0: 49 49 30 1e  17 0d 39 38  30 35 31 36  30 31 30 33  \| II0...9805160103
- |  <additional data lines>
- |  ]
- |  <additional records in same format>
- |  Server socket closed.
- |    Example 4
- |    In this example, the -s option turns on SSL parsing, and the -h option
- |    turns on hex/ASCII format. Both formats are shown for each record. The
- |    output is routed to a text file.
- |  $ ssltap -hs -p 444 interzone.mcom.com:443 > hs.txt
- |    Output
- |  Connected to interzone.mcom.com:443
- |  --> [
- |     0: 80 3d 01 03  00 00 24 00  00 00 10 01  00 80 02 00  \| .=....$.........
- |     10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04  \| .........@......
- |     20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 03  \| ........á.......
- |     30: 55 e6 e4 99  79 c7 d7 2c  86 78 96 5d  b5 cf e9     \|U..yÇ\xb0 ,.x.]µÏé
- |  alloclen = 63 bytes
- |     [ssl2]  ClientHelloV2 {
- |              version = {0x03, 0x00}
- |              cipher-specs-length = 36 (0x24)
- |              sid-length = 0 (0x00)
- |              challenge-length = 16 (0x10)
- |              cipher-suites = {
- |                    (0x010080) SSL2/RSA/RC4-128/MD5
- |                    (0x020080) SSL2/RSA/RC4-40/MD5
- |                    (0x030080) SSL2/RSA/RC2CBC128/MD5
- |                    (0x040080) SSL2/RSA/RC2CBC40/MD5
- |                    (0x060040) SSL2/RSA/DES64CBC/MD5
- |                    (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
- |                    (0x000004) SSL3/RSA/RC4-128/MD5
- |                    (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
- |                    (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
- |                    (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
- |                    (0x000009) SSL3/RSA/DES64CBC/SHA
- |                    (0x000003) SSL3/RSA/RC4-40/MD5
- |                    }
- |              session-id = { }
- |              challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
- |  0xcfe9 }
- |  }
- |  ]
- |  <additional records in same formats>
- |  Server socket closed.
+ | You can use the SSL Debugging Tool to intercept any connection
+ | information. Although you can run the tool at its most basic by issuing
+ | the ssltap command with no options other than hostname:port, the
+ | information you get in this way is not very useful. For example, assume
+ | your development machine is called intercept. The simplest way to use the
+ | debugging tool is to execute the following command from a command shell:
+ | $ ssltap www.netscape.com
+ | The program waits for an incoming connection on the default port 1924. In
+ | your browser window, enter the URL http://intercept:1924. The browser
+ | retrieves the requested page from the server at www.netscape.com, but the
+ | page is intercepted and passed on to the browser by the debugging tool on
+ | intercept. On its way to the browser, the data is printed to the command
+ | shell from which you issued the command. Data sent from the client to the
+ | server is surrounded by the following symbols: --> [ data ] Data sent from
+ | the server to the client is surrounded by the following symbols: "left
+ | arrow"-- [ data ] The raw data stream is sent to standard output and is
+ | not interpreted in any way. This can result in peculiar effects, such as
+ | sounds, flashes, and even crashes of the command shell window. To output a
+ | basic, printable interpretation of the data, use the -h option, or, if you
+ | are looking at an SSL connection, the -s option. You will notice that the
+ | page you retrieved looks incomplete in the browser. This is because, by
+ | default, the tool closes down after the first connection is complete, so
+ | the browser is not able to load images. To make the tool continue to
+ | accept connections, switch on looping mode with the -l option. The
+ | following examples show the output from commonly used combinations of
+ | options.
+ | Example 1
+ | $ ssltap.exe -sx -p 444 interzone.mcom.com:443 > sx.txt
+ | Output
+ | Connected to interzone.mcom.com:443
+ | -->; [
+ | alloclen = 66 bytes
+ | [ssl2] ClientHelloV2 {
+ | version = {0x03, 0x00}
+ | cipher-specs-length = 39 (0x27)
+ | sid-length = 0 (0x00)
+ | challenge-length = 16 (0x10)
+ | cipher-suites = {
+ | (0x010080) SSL2/RSA/RC4-128/MD5
+ | (0x020080) SSL2/RSA/RC4-40/MD5
+ | (0x030080) SSL2/RSA/RC2CBC128/MD5
+ | (0x040080) SSL2/RSA/RC2CBC40/MD5
+ | (0x060040) SSL2/RSA/DES64CBC/MD5
+ | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+ | (0x000004) SSL3/RSA/RC4-128/MD5
+ | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+ | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+ | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+ | (0x000009) SSL3/RSA/DES64CBC/SHA
+ | (0x000003) SSL3/RSA/RC4-40/MD5
+ | (0x000006) SSL3/RSA/RC2CBC40/MD5
+ | }
+ | session-id = { }
+ | challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
+ | 0x2592 }
+ | }
+ | ]
+ | <-- [
+ | SSLRecord {
+ | 0: 16 03 00 03 e5 \|.....
+ | type = 22 (handshake)
+ | version = { 3,0 }
+ | length = 997 (0x3e5)
+ | handshake {
+ | 0: 02 00 00 46 \|...F
+ | type = 2 (server_hello)
+ | length = 70 (0x000046)
+ | ServerHello {
+ | server_version = {3, 0}
+ | random = {...}
+ | 0: 77 8c 6e 26 6c 0c ec c0 d9 58 4f 47 d3 2d 01 45 \|
+ | wn&l.ì..XOG.-.E
+ | 10: 5c 17 75 43 a7 4c 88 c7 88 64 3c 50 41 48 4f 7f \|
+ | \.uC§L.Ç.d<PAHO.
+ | session ID = {
+ | length = 32
+ | contents = {..}
+ | 0: 14 11 07 a8 2a 31 91 29 11 94 40 37 57 10 a7 32 \| ...¨*1.)..@7W.§2
+ | 10: 56 6f 52 62 fe 3d b3 65 b1 e4 13 0f 52 a3 c8 f6 \| VoRbþ=³e±...R£È.
+ | }
+ | cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+ | }
+ | 0: 0b 00 02 c5 \|...Å
+ | type = 11 (certificate)
+ | length = 709 (0x0002c5)
+ | CertificateChain {
+ | chainlength = 706 (0x02c2)
+ | Certificate {
+ | size = 703 (0x02bf)
+ | data = { saved in file 'cert.001' }
+ | }
+ | }
+ | 0: 0c 00 00 ca \|....
+ | type = 12 (server_key_exchange)
+ | length = 202 (0x0000ca)
+ | 0: 0e 00 00 00 \|....
+ | type = 14 (server_hello_done)
+ | length = 0 (0x000000)
+ | }
+ | }
+ | ]
+ | --> [
+ | SSLRecord {
+ | 0: 16 03 00 00 44 \|....D
+ | type = 22 (handshake)
+ | version = { 3,0 }
+ | length = 68 (0x44)
+ | handshake {
+ | 0: 10 00 00 40 \|...@
+ | type = 16 (client_key_exchange)
+ | length = 64 (0x000040)
+ | ClientKeyExchange {
+ | message = {...}
+ | }
+ | }
+ | }
+ | ]
+ | --> [
+ | SSLRecord {
+ | 0: 14 03 00 00 01 \|.....
+ | type = 20 (change_cipher_spec)
+ | version = { 3,0 }
+ | length = 1 (0x1)
+ | 0: 01 \|.
+ | }
+ | SSLRecord {
+ | 0: 16 03 00 00 38 \|....8
+ | type = 22 (handshake)
+ | version = { 3,0 }
+ | length = 56 (0x38)
+ | < encrypted >
+ | }
+ | ]
+ | <-- [
+ | SSLRecord {
+ | 0: 14 03 00 00 01 \|.....
+ | type = 20 (change_cipher_spec)
+ | version = { 3,0 }
+ | length = 1 (0x1)
+ | 0: 01 \|.
+ | }
+ | ]
+ | <-- [
+ | SSLRecord {
+ | 0: 16 03 00 00 38 \|....8
+ | type = 22 (handshake)
+ | version = { 3,0 }
+ | length = 56 (0x38)
+ | < encrypted >
+ | }
+ | ]
+ | --> [
+ | SSLRecord {
+ | 0: 17 03 00 01 1f \|.....
+ | type = 23 (application_data)
+ | version = { 3,0 }
+ | length = 287 (0x11f)
+ | < encrypted >
+ | }
+ | ]
+ | <-- [
+ | SSLRecord {
+ | 0: 17 03 00 00 a0 \|....
+ | type = 23 (application_data)
+ | version = { 3,0 }
+ | length = 160 (0xa0)
+ | < encrypted >
+ | }
+ | ]
+ | <-- [
+ | SSLRecord {
+ | 0: 17 03 00 00 df \|....ß
+ | type = 23 (application_data)
+ | version = { 3,0 }
+ | length = 223 (0xdf)
+ | < encrypted >
+ | }
+ | SSLRecord {
+ | 0: 15 03 00 00 12 \|.....
+ | type = 21 (alert)
+ | version = { 3,0 }
+ | length = 18 (0x12)
+ | < encrypted >
+ | }
+ | ]
+ | Server socket closed.
+ | Example 2
+ | The -s option turns on SSL parsing. Because the -x option is not used in
+ | this example, undecoded values are output as raw data. The output is
+ | routed to a text file.
+ | $ ssltap -s -p 444 interzone.mcom.com:443 > s.txt
+ | Output
+ | Connected to interzone.mcom.com:443
+ | --> [
+ | alloclen = 63 bytes
+ | [ssl2] ClientHelloV2 {
+ | version = {0x03, 0x00}
+ | cipher-specs-length = 36 (0x24)
+ | sid-length = 0 (0x00)
+ | challenge-length = 16 (0x10)
+ | cipher-suites = {
+ | (0x010080) SSL2/RSA/RC4-128/MD5
+ | (0x020080) SSL2/RSA/RC4-40/MD5
+ | (0x030080) SSL2/RSA/RC2CBC128/MD5
+ | (0x060040) SSL2/RSA/DES64CBC/MD5
+ | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+ | (0x000004) SSL3/RSA/RC4-128/MD5
+ | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+ | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+ | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+ | (0x000009) SSL3/RSA/DES64CBC/SHA
+ | (0x000003) SSL3/RSA/RC4-40/MD5
+ | }
+ | session-id = { }
+ | challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
+ | 0x3fd0 }
+ | ]
+ | >-- [
+ | SSLRecord {
+ | type = 22 (handshake)
+ | version = { 3,0 }
+ | length = 997 (0x3e5)
+ | handshake {
+ | type = 2 (server_hello)
+ | length = 70 (0x000046)
+ | ServerHello {
+ | server_version = {3, 0}
+ | random = {...}
+ | session ID = {
+ | length = 32
+ | contents = {..}
+ | }
+ | cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+ | }
+ | type = 11 (certificate)
+ | length = 709 (0x0002c5)
+ | CertificateChain {
+ | chainlength = 706 (0x02c2)
+ | Certificate {
+ | size = 703 (0x02bf)
+ | data = { saved in file 'cert.001' }
+ | }
+ | }
+ | type = 12 (server_key_exchange)
+ | length = 202 (0x0000ca)
+ | type = 14 (server_hello_done)
+ | length = 0 (0x000000)
+ | }
+ | }
+ | ]
+ | --> [
+ | SSLRecord {
+ | type = 22 (handshake)
+ | version = { 3,0 }
+ | length = 68 (0x44)
+ | handshake {
+ | type = 16 (client_key_exchange)
+ | length = 64 (0x000040)
+ | ClientKeyExchange {
+ | message = {...}
+ | }
+ | }
+ | }
+ | ]
+ | --> [
+ | SSLRecord {
+ | type = 20 (change_cipher_spec)
+ | version = { 3,0 }
+ | length = 1 (0x1)
+ | }
+ | SSLRecord {
+ | type = 22 (handshake)
+ | version = { 3,0 }
+ | length = 56 (0x38)
+ | > encrypted >
+ | }
+ | ]
+ | >-- [
+ | SSLRecord {
+ | type = 20 (change_cipher_spec)
+ | version = { 3,0 }
+ | length = 1 (0x1)
+ | }
+ | ]
+ | >-- [
+ | SSLRecord {
+ | type = 22 (handshake)
+ | version = { 3,0 }
+ | length = 56 (0x38)
+ | > encrypted >
+ | }
+ | ]
+ | --> [
+ | SSLRecord {
+ | type = 23 (application_data)
+ | version = { 3,0 }
+ | length = 287 (0x11f)
+ | > encrypted >
+ | }
+ | ]
+ | [
+ | SSLRecord {
+ | type = 23 (application_data)
+ | version = { 3,0 }
+ | length = 160 (0xa0)
+ | > encrypted >
+ | }
+ | ]
+ | >-- [
+ | SSLRecord {
+ | type = 23 (application_data)
+ | version = { 3,0 }
+ | length = 223 (0xdf)
+ | > encrypted >
+ | }
+ | SSLRecord {
+ | type = 21 (alert)
+ | version = { 3,0 }
+ | length = 18 (0x12)
+ | > encrypted >
+ | }
+ | ]
+ | Server socket closed.
+ | Example 3
+ | In this example, the -h option turns hex/ASCII format. There is no SSL
+ | parsing or decoding. The output is routed to a text file.
+ | $ ssltap -h -p 444 interzone.mcom.com:443 > h.txt
+ | Output
+ | Connected to interzone.mcom.com:443
+ | --> [
+ | 0: 80 40 01 03 00 00 27 00 00 00 10 01 00 80 02 00 \| .@....'.........
+ | 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 \| .........@......
+ | 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 00 \| ........á.......
+ | 30: 00 06 9b fe 5b 56 96 49 1f 9f ca dd d5 ba b9 52 \| ..þ[V.I.\xd9 ...º¹R
+ | 40: 6f 2d \|o-
+ | ]
+ | <-- [
+ | 0: 16 03 00 03 e5 02 00 00 46 03 00 7f e5 0d 1b 1d \| ........F.......
+ | 10: 68 7f 3a 79 60 d5 17 3c 1d 9c 96 b3 88 d2 69 3b \| h.:y`..<..³.Òi;
+ | 20: 78 e2 4b 8b a6 52 12 4b 46 e8 c2 20 14 11 89 05 \| x.K.¦R.KFè. ...
+ | 30: 4d 52 91 fd 93 e0 51 48 91 90 08 96 c1 b6 76 77 \| MR.ý..QH.....¶vw
+ | 40: 2a f4 00 08 a1 06 61 a2 64 1f 2e 9b 00 03 00 0b \| \*ô..¡.a¢d......
+ | 50: 00 02 c5 00 02 c2 00 02 bf 30 82 02 bb 30 82 02 \| ..Å......0...0..
+ | 60: 24 a0 03 02 01 02 02 02 01 36 30 0d 06 09 2a 86 \| $ .......60...*.
+ | 70: 48 86 f7 0d 01 01 04 05 00 30 77 31 0b 30 09 06 \| H.÷......0w1.0..
+ | 80: 03 55 04 06 13 02 55 53 31 2c 30 2a 06 03 55 04 \| .U....US1,0*..U.
+ | 90: 0a 13 23 4e 65 74 73 63 61 70 65 20 43 6f 6d 6d \| ..#Netscape Comm
+ | a0: 75 6e 69 63 61 74 69 6f 6e 73 20 43 6f 72 70 6f \| unications Corpo
+ | b0: 72 61 74 69 6f 6e 31 11 30 0f 06 03 55 04 0b 13 \| ration1.0...U...
+ | c0: 08 48 61 72 64 63 6f 72 65 31 27 30 25 06 03 55 \| .Hardcore1'0%..U
+ | d0: 04 03 13 1e 48 61 72 64 63 6f 72 65 20 43 65 72 \| ....Hardcore Cer
+ | e0: 74 69 66 69 63 61 74 65 20 53 65 72 76 65 72 20 \| tificate Server
+ | f0: 49 49 30 1e 17 0d 39 38 30 35 31 36 30 31 30 33 \| II0...9805160103
+ | <additional data lines>
+ | ]
+ | <additional records in same format>
+ | Server socket closed.
+ | Example 4
+ | In this example, the -s option turns on SSL parsing, and the -h option
+ | turns on hex/ASCII format. Both formats are shown for each record. The
+ | output is routed to a text file.
+ | $ ssltap -hs -p 444 interzone.mcom.com:443 > hs.txt
+ | Output
+ | Connected to interzone.mcom.com:443
+ | --> [
+ | 0: 80 3d 01 03 00 00 24 00 00 00 10 01 00 80 02 00 \| .=....$.........
+ | 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 \| .........@......
+ | 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 03 \| ........á.......
+ | 30: 55 e6 e4 99 79 c7 d7 2c 86 78 96 5d b5 cf e9 \|U..yÇ\xb0 ,.x.]µÏé
+ | alloclen = 63 bytes
+ | [ssl2] ClientHelloV2 {
+ | version = {0x03, 0x00}
+ | cipher-specs-length = 36 (0x24)
+ | sid-length = 0 (0x00)
+ | challenge-length = 16 (0x10)
+ | cipher-suites = {
+ | (0x010080) SSL2/RSA/RC4-128/MD5
+ | (0x020080) SSL2/RSA/RC4-40/MD5
+ | (0x030080) SSL2/RSA/RC2CBC128/MD5
+ | (0x040080) SSL2/RSA/RC2CBC40/MD5
+ | (0x060040) SSL2/RSA/DES64CBC/MD5
+ | (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+ | (0x000004) SSL3/RSA/RC4-128/MD5
+ | (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+ | (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+ | (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+ | (0x000009) SSL3/RSA/DES64CBC/SHA
+ | (0x000003) SSL3/RSA/RC4-40/MD5
+ | }
+ | session-id = { }
+ | challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
+ | 0xcfe9 }
+ | }
+ | ]
+ | <additional records in same formats>
+ | Server socket closed.
| Usage Tips
- |    When SSL restarts a previous session, it makes use of cached information
- |    to do a partial handshake. If you wish to capture a full SSL handshake,
- |    restart the browser to clear the session id cache.
- |    If you run the tool on a machine other than the SSL server to which you
- |    are trying to connect, the browser will complain that the host name you
- |    are trying to connect to is different from the certificate. If you are
- |    using the default BadCert callback, you can still connect through a
- |    dialog. If you are not using the default BadCert callback, the one you
- |    supply must allow for this possibility.
+ | When SSL restarts a previous session, it makes use of cached information
+ | to do a partial handshake. If you wish to capture a full SSL handshake,
+ | restart the browser to clear the session id cache.
+ | If you run the tool on a machine other than the SSL server to which you
+ | are trying to connect, the browser will complain that the host name you
+ | are trying to connect to is different from the certificate. If you are
+ | using the default BadCert callback, you can still connect through a
+ | dialog. If you are not using the default BadCert callback, the one you
+ | supply must allow for this possibility.
| See Also
- |    The NSS Security Tools are also documented at
- |   
+ | The NSS Security Tools are also documented at
+ |
[1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
| Additional Resources
- |    NSS is maintained in conjunction with PKI and security-related projects
- |    through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
- |    with a project wiki at [2]\ http://pki.fedoraproject.org/wiki/.
- |    For information specifically about NSS, the NSS project wiki is located at
- |   
+ | NSS is maintained in conjunction with PKI and security-related projects
+ | through Mozilla dn Fedora. The most closely-related project is Dogtag PKI,
+ | with a project wiki at [2]\ http://pki.fedoraproject.org/wiki/.
+ | For information specifically about NSS, the NSS project wiki is located at
+ |
[3]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
- |    directly to NSS code changes and releases.
- |    Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
- |    IRC: Freenode at #dogtag-pki
+ | directly to NSS code changes and releases.
+ | Mailing lists: pki-devel@redhat.com and pki-users@redhat.com
+ | IRC: Freenode at #dogtag-pki
| Authors
- |    The NSS tools were written and maintained by developers with Netscape and
- |    now with Red Hat and Sun.
- |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
- |    <dlackey@redhat.com>.
+ | The NSS tools were written and maintained by developers with Netscape and
+ | now with Red Hat and Sun.
+ | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+ | <dlackey@redhat.com>.
| Copyright
- |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+ | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
- |    Visible links
- |    1.
+ | Visible links
+ | 1.
`http://www.mozilla.org/projects/secu.../pki/nss/tools <https://www.mozilla.org/projects/security/pki/nss/tools>`__
- |    2. http://pki.fedoraproject.org/wiki/
- |    3.
+ | 2. http://pki.fedoraproject.org/wiki/
+ | 3.
`http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__ \ No newline at end of file
diff --git a/doc/rst/legacy/tools/vfychain/index.rst b/doc/rst/legacy/tools/vfychain/index.rst
index faa418db0..ffd1cdf86 100644
--- a/doc/rst/legacy/tools/vfychain/index.rst
+++ b/doc/rst/legacy/tools/vfychain/index.rst
@@ -6,87 +6,87 @@ NSS tools : vfychain
.. container::
| Name
- |    vfychain — vfychain [options] [revocation options] certfile [[options]
- |    certfile] ...
+ | vfychain — vfychain [options] [revocation options] certfile [[options]
+ | certfile] ...
| Synopsis
- |    vfychain
+ | vfychain
| Description
- |    The verification Tool, vfychain, verifies certificate chains. modutil can
- |    add and delete PKCS #11 modules, change passwords on security databases,
- |    set defaults, list module contents, enable or disable slots, enable or
- |    disable FIPS 140-2 compliance, and assign default providers for
- |    cryptographic operations. This tool can also create certificate, key, and
- |    module security database files.
- |    The tasks associated with security module database management are part of
- |    a process that typically also involves managing key databases and
- |    certificate databases.
+ | The verification Tool, vfychain, verifies certificate chains. modutil can
+ | add and delete PKCS #11 modules, change passwords on security databases,
+ | set defaults, list module contents, enable or disable slots, enable or
+ | disable FIPS 140-2 compliance, and assign default providers for
+ | cryptographic operations. This tool can also create certificate, key, and
+ | module security database files.
+ | The tasks associated with security module database management are part of
+ | a process that typically also involves managing key databases and
+ | certificate databases.
| Options
- |    -a
- |            the following certfile is base64 encoded
- |    -b YYMMDDHHMMZ
- |            Validate date (default: now)
- |    -d directory
- |            database directory
- |    -f
- |            Enable cert fetching from AIA URL
- |    -o oid
- |            Set policy OID for cert validation(Format OID.1.2.3)
- |    -p
- |            Use PKIX Library to validate certificate by calling:
- |            \* CERT_VerifyCertificate if specified once,
- |            \* CERT_PKIXVerifyCert if specified twice and more.
- |    -r
- |            Following certfile is raw binary DER (default)
- |    -t
- |            Following cert is explicitly trusted (overrides db trust)
- |    -u usage
- |            0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email
- |            signer, 5=Email recipient, 6=Object signer,
- |            9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
- |    -v
- |            Verbose mode. Prints root cert subject(double the argument for
- |            whole root cert info)
- |    -w password
- |            Database password
- |    -W pwfile
- |            Password file
- |            Revocation options for PKIX API (invoked with -pp options) is a
- |            collection of the following flags: [-g type [-h flags] [-m type
- |            [-s flags]] ...] ...
- |            Where:
- |    -g test-type
- |            Sets status checking test type. Possible values are "leaf" or
- |            "chain"
- |    -g test type
- |            Sets status checking test type. Possible values are "leaf" or
- |            "chain".
- |    -h test flags
- |            Sets revocation flags for the test type it follows. Possible
- |            flags: "testLocalInfoFirst" and "requireFreshInfo".
- |    -m method type
- |            Sets method type for the test type it follows. Possible types are
- |            "crl" and "ocsp".
- |    -s method flags
- |            Sets revocation flags for the method it follows. Possible types
- |            are "doNotUse", "forbidFetching", "ignoreDefaultSrc",
- |            "requireInfo" and "failIfNoInfo".
+ | -a
+ | the following certfile is base64 encoded
+ | -b YYMMDDHHMMZ
+ | Validate date (default: now)
+ | -d directory
+ | database directory
+ | -f
+ | Enable cert fetching from AIA URL
+ | -o oid
+ | Set policy OID for cert validation(Format OID.1.2.3)
+ | -p
+ | Use PKIX Library to validate certificate by calling:
+ | \* CERT_VerifyCertificate if specified once,
+ | \* CERT_PKIXVerifyCert if specified twice and more.
+ | -r
+ | Following certfile is raw binary DER (default)
+ | -t
+ | Following cert is explicitly trusted (overrides db trust)
+ | -u usage
+ | 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email
+ | signer, 5=Email recipient, 6=Object signer,
+ | 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA
+ | -v
+ | Verbose mode. Prints root cert subject(double the argument for
+ | whole root cert info)
+ | -w password
+ | Database password
+ | -W pwfile
+ | Password file
+ | Revocation options for PKIX API (invoked with -pp options) is a
+ | collection of the following flags: [-g type [-h flags] [-m type
+ | [-s flags]] ...] ...
+ | Where:
+ | -g test-type
+ | Sets status checking test type. Possible values are "leaf" or
+ | "chain"
+ | -g test type
+ | Sets status checking test type. Possible values are "leaf" or
+ | "chain".
+ | -h test flags
+ | Sets revocation flags for the test type it follows. Possible
+ | flags: "testLocalInfoFirst" and "requireFreshInfo".
+ | -m method type
+ | Sets method type for the test type it follows. Possible types are
+ | "crl" and "ocsp".
+ | -s method flags
+ | Sets revocation flags for the method it follows. Possible types
+ | are "doNotUse", "forbidFetching", "ignoreDefaultSrc",
+ | "requireInfo" and "failIfNoInfo".
| Additional Resources
- |    For information about NSS and other tools related to NSS (like JSS), check
- |    out the NSS project wiki at
- |   
+ | For information about NSS and other tools related to NSS (like JSS), check
+ | out the NSS project wiki at
+ |
[1]\ `http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__.
The NSS site relates
- |    directly to NSS code changes and releases.
- |    Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
- |    IRC: Freenode at #dogtag-pki
+ | directly to NSS code changes and releases.
+ | Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto
+ | IRC: Freenode at #dogtag-pki
| Authors
- |    The NSS tools were written and maintained by developers with Netscape, Red
- |    Hat, and Sun.
- |    Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
- |    <dlackey@redhat.com>.
+ | The NSS tools were written and maintained by developers with Netscape, Red
+ | Hat, and Sun.
+ | Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey
+ | <dlackey@redhat.com>.
| Copyright
- |    (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
+ | (c) 2010, Red Hat, Inc. Licensed under the GNU Public License version 2.
| References
- |    Visible links
- |    1.
+ | Visible links
+ | 1.
`http://www.mozilla.org/projects/security/pki/nss/ <https://www.mozilla.org/projects/security/pki/nss/>`__ \ No newline at end of file