Bug 845556, reorganize NSS directory layout, moving files, very large changeset! r=wtc

1 files changed, 232 insertions, 0 deletions

diff --git a/doc/signver.xml b/doc/signver.xml
new file mode 100644
index 000000000..fd973fcdf
--- /dev/null
+++ b/doc/signver.xml
@@ -0,0 +1,232 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="signver">
+
+  <refentryinfo>
+    <date>&date;</date>
+    <title>NSS Security Tools</title>
+    <productname>nss-tools</productname>
+    <productnumber>&version;</productnumber>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>SIGNVER</refentrytitle>
+    <manvolnum>1</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>signver</refname>
+    <refpurpose>Verify a detached PKCS#7 signature for a file.</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>signtool</command>
+	<group choice="plain">
+		<arg choice="plain">-A</arg>
+		<arg choice="plain">-V</arg>
+	</group>
+      <arg choice="plain">-d <replaceable>directory</replaceable></arg>
+      <arg>-a</arg>
+	<arg>-i <replaceable>input_file</replaceable></arg>
+	<arg>-o <replaceable>output_file</replaceable></arg>
+	<arg>-s <replaceable>signature_file</replaceable></arg>
+      <arg>-v</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection>
+    <title>STATUS</title>
+    <para>This documentation is still work in progress. Please contribute to the initial review in <ulink url="https://bugzilla.mozilla.org/show_bug.cgi?id=836477">Mozilla NSS bug 836477</ulink>
+    </para>
+  </refsection>
+
+  <refsection id="description">
+    <title>Description</title>
+
+    <para>The Signature Verification Tool, <command>signver</command>, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.</para>
+  </refsection>
+  
+  <refsection id="options">
+    <title>Options</title>
+    <variablelist>
+      <varlistentry>
+        <term>-A</term>
+        <listitem><para>Displays all of the information in the PKCS#7 signature.</para></listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>-V</term>
+        <listitem><para>Verifies the digital signature.</para></listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>-d [sql:]<emphasis>directory</emphasis></term>
+        <listitem><para>Specify the database directory which contains the certificates and keys.</para>
+	<para><command>signver</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>-a</term>
+        <listitem><para>Sets that the given signature file is in ASCII format.</para></listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>-i <emphasis>input_file</emphasis></term>
+        <listitem><para>Gives the input file for the object with signed data.</para></listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>-o <emphasis>output_file</emphasis></term>
+        <listitem><para>Gives the output file to which to write the results.</para></listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>-s <emphasis>signature_file</emphasis></term>
+        <listitem><para>Gives the input file for the digital signature.</para></listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>-v</term>
+        <listitem><para>Enables verbose output.</para></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsection>
+
+  <refsection id="examples">
+    <title>Extended Examples</title>
+	<refsection><title>Verifying a Signature</title>
+	<para>The <option>-V</option> option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).</para>
+<programlisting>signver -V -s <replaceable>signature_file</replaceable> -i <replaceable>signed_file</replaceable> -d sql:/home/my/sharednssdb
+
+signatureValid=yes</programlisting>
+	</refsection>
+
+	<refsection><title>Printing Signature Data</title>
+		<para>
+			The <option>-A</option> option prints all of the information contained in a signature file. Using the <option>-o</option> option prints the signature file information to the given output file rather than stdout.
+		</para>
+<programlisting>signver -A -s <replaceable>signature_file</replaceable> -o <replaceable>output_file</replaceable></programlisting>
+	</refsection>
+  </refsection>
+
+<refsection id="databases"><title>NSS Database Types</title>
+<para>NSS originally used BerkeleyDB databases to store security information. 
+The last versions of these <emphasis>legacy</emphasis> databases are:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			cert8.db for certificates
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			key3.db for keys
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			secmod.db for PKCS #11 module information
+		</para>
+	</listitem>
+</itemizedlist>
+
+<para>BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has 
+some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS
+requires more flexibility to provide a truly shared security database.</para>
+
+<para>In 2009, NSS introduced a new set of databases that are SQLite databases rather than 
+BerkleyDB. These new databases provide more accessibility and performance:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			cert9.db for certificates
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			key4.db for keys
+		</para>
+	</listitem>
+	<listitem>
+		<para>
+			pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory
+		</para>
+	</listitem>
+</itemizedlist>
+
+<para>Because the SQLite databases are designed to be shared, these are the <emphasis>shared</emphasis> database type. The shared database type is preferred; the legacy format is included for backward compatibility.</para>
+
+<para>By default, the tools (<command>certutil</command>, <command>pk12util</command>, <command>modutil</command>) assume that the given security databases follow the more common legacy type. 
+Using the SQLite databases must be manually specified by using the <command>sql:</command> prefix with the given security directory. For example:</para>
+
+<programlisting># signver -A -s <replaceable>signature</replaceable> -d sql:/home/my/sharednssdb</programlisting>
+
+<para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
+<programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
+
+<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
+
+<para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
+	</listitem>
+</itemizedlist>
+<para>For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:</para>
+<itemizedlist>
+	<listitem>
+		<para>
+			https://wiki.mozilla.org/NSS_Shared_DB
+		</para>
+	</listitem>
+</itemizedlist>
+</refsection>
+
+  <refsection id="seealso">
+    <title>See Also</title>
+    <para>signtool (1)</para>
+
+	<para>The NSS wiki has information on the new database design and how to configure applications to use it.</para>
+	<itemizedlist>
+		<listitem>
+			<para>Setting up the shared NSS database</para>
+			<para>https://wiki.mozilla.org/NSS_Shared_DB_Howto</para>
+		</listitem>
+		<listitem>
+			<para>
+				Engineering and technical information about the shared NSS database
+			</para>
+			<para>
+				https://wiki.mozilla.org/NSS_Shared_DB
+			</para>
+		</listitem>
+	</itemizedlist>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="resources">
+    <title>Additional Resources</title>
+	<para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
+	<para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
+	<para>IRC: Freenode at #dogtag-pki</para>
+  </refsection>
+
+<!-- fill in your name first; keep the other names for reference -->
+  <refsection id="authors">
+    <title>Authors</title>
+    <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, and Sun.</para>
+    <para>
+	Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
+    </para>
+  </refsection>
+
+<!-- don't change -->
+  <refsection id="license">
+    <title>LICENSE</title>
+    <para>Licensed under the Mozilla Public License, version 1.1,
+        and/or the GNU General Public License, version 2 or later,
+        and/or the GNU Lesser General Public License, version 2.1 or later.
+    </para>
+  </refsection>
+
+</refentry>