.. _mozilla_projects_nss_index: Index ===== .. container:: **Found 361 pages:** +--------------------------------+--------------------------------+--------------------------------+ | # | Page | Tags and summary | +================================+================================+================================+ | 1 | :ref:`mozilla_projects_nss` | **JSS, NSS, NeedsMigration** | +--------------------------------+--------------------------------+--------------------------------+ | | | **Network Security Services** | | | | (**NSS**) is a set of | | | | libraries designed to support | | | | cross-platform development of | | | | security-enabled client and | | | | server applications. | | | | Applications built with NSS | | | | can support SSL v3, TLS, PKCS | | | | #5, PKCS #7, PKCS #11, PKCS | | | | #12, S/MIME, X.509 v3 | | | | certificates, and other | | | | security standards. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 2 | :ref:`mozilla_projects_nss | **API, Intermediate, Intro, | | | _an_overview_of_nss_internals` | NSS, Tools** | +--------------------------------+--------------------------------+--------------------------------+ | | | A High-Level Overview to the | | | | Internals of `Network Security | | | | Services | | | | (NSS) `__ | | | | Software developed by the | | | | Mozilla.org projects | | | | traditionally used its own | | | | implementation of security | | | | protocols and cryptographic | | | | algorithms, originally called | | | | Netscape Security Services, | | | | nowadays called Network | | | | Security Services (NSS). NSS | | | | is a library written in the C | | | | programming language. It's | | | | free and open source software, | | | | and many other software | | | | projects have decided to use | | | | it. In order to support | | | | multiple operating systems | | | | (OS), it is based on a cross | | | | platform portability layer, | | | | called the Netscape Portable | | | | Runtime (NSPR), which provides | | | | cross platform application | | | | programming interfaces (APIs) | | | | for OS specific APIs like file | | | | system access, memory | | | | management, network | | | | communication, and | | | | multithreaded programming. | | | | NSS offers lots of | | | | functionality; we'll walk | | | | through the list of modules, | | | | design principles, and | | | | important relevant standards. | | | | In order to allow | | | | interoperability between | | | | software and devices that | | | | perform cryptographic | | | | operations, NSS conforms to a | | | | standard called PKCS#11. (Note | | | | that it's important to look at | | | | the number 11, as there are | | | | other PKCS standards with | | | | different numbers that define | | | | quite different topics.) | | | | A software or hardware module | | | | conforming to the PKCS#11 | | | | standard implements an | | | | interface of C calls, which | | | | allow querying the | | | | characteristics and offered | | | | services of the module. | | | | Multiple elements of NSS's own | | | | modules have been implemented | | | | with this interface, and NSS | | | | makes use of this interface | | | | when talking to those modules. | | | | This strategy allows NSS to | | | | work with many hardware | | | | devices (e.g., to speed up the | | | | calculations required for | | | | cryptographic operations, or | | | | to access smartcards that | | | | securely protect a secret key) | | | | and software modules (e.g., to | | | | allow to load such modules as | | | | a plugin that provides | | | | additional algorithms or | | | | stores key or trust | | | | information) that implement | | | | the PKCS#11 interface. | | | | A core element of NSS is | | | | FreeBL, a base library | | | | providing hash functions, big | | | | number calculations, and | | | | cryptographic algorithms. | | | | Softoken is an NSS module that | | | | exposes most FreeBL | | | | functionality as a PKCS#11 | | | | module. | | | | Some cryptography uses the | | | | same secret key for both | | | | encrypting and decrypting, for | | | | example password based | | | | encryption (PBE). This is | | | | often sufficient if you | | | | encrypt data for yourself, but | | | | as soon as you need to | | | | exchange signed/encrypted data | | | | with communication partners, | | | | using public key encryption | | | | simplifies the key management. | | | | The environment that describes | | | | how to use public key | | | | encryption is called Public | | | | Key Infrastructure (PKI). The | | | | public keys that are exchanged | | | | between parties are | | | | transported using a container; | | | | the container is called a | | | | certificate, following | | | | standard X.509 version 3. A | | | | certificate contains lots of | | | | other details; for example, it | | | | contains a signature by a | | | | third party that expresses | | | | trust in the ownership | | | | relationship for the | | | | certificate. The trust | | | | assigned by the third party | | | | might be restricted to certain | | | | uses, which are listed in | | | | certificate extensions that | | | | are contained in the | | | | certificate. | | | | Many (if not most) of the | | | | operations performed by NSS | | | | involve the use of X.509 | | | | certificates (often | | | | abbreviated as “cert”, | | | | unfortunately making it easy | | | | to confuse with the term | | | | “computer emergency response | | | | team“). | | | | When checking whether a | | | | certificate is trusted or not, | | | | it's necessary to find a | | | | relevant trust anchor (root | | | | certificate) that represents | | | | the signing capability of a | | | | trusted third party, usually | | | | called a Certificate Authority | | | | (CA). A trust anchor is just | | | | another X.509 certificate that | | | | is already known and has been | | | | deliberately marked as trusted | | | | by a software vendor, | | | | administrators inside an | | | | organizational infrastructure, | | | | or the software user. NSS | | | | ships a predefined set of CA | | | | certificates. This set, | | | | including their trust | | | | assignments, is provided by | | | | NSS as a software module, | | | | called CKBI (“built-in root | | | | certificates”), which also | | | | implements the PKCS#11 | | | | interface. On an | | | | organizational level the | | | | contents of the set are | | | | managed according to the | | | | Mozilla CA policy. On a | | | | technical level the set is a | | | | binary software module. | | | | A cryptographic transaction, | | | | such as encryption or | | | | decryption related to a data | | | | exchange, usually involves | | | | working with the X.509 certs | | | | of your communication partners | | | | (peer). It's also required | | | | that you safely keep your own | | | | secret keys that belong to | | | | your own certificates. You | | | | might want to protect the | | | | storage of your secret keys | | | | with PBE. You might decide to | | | | modify the default trust | | | | provided by NSS. All of this | | | | requires storing, looking up, | | | | and retrieving data. NSS | | | | simplifies performing these | | | | operations by offering storage | | | | and management APIs. NSS | | | | doesn't require the programmer | | | | to manage individual files | | | | containing individual | | | | certificates or keys. Instead, | | | | NSS offers to use its own | | | | database(s). Once you have | | | | imported certificates and keys | | | | into the NSS database, you can | | | | easily look them up and use | | | | them again. | | | | Because of NSS's expectation | | | | to operate with an NSS | | | | database, it's mandatory that | | | | you perform an initialization | | | | call, where you tell NSS which | | | | database you will be using. In | | | | the most simple scenario, the | | | | programmer will provide a | | | | directory on your filesystem | | | | as a parameter to the init | | | | function, and NSS is designed | | | | to do the rest. It will detect | | | | and open an existing database, | | | | or it can create a new one. | | | | Alternatively, should you | | | | decide that you don't want to | | | | work with any persistent | | | | recording of certificates, you | | | | may initialize NSS in a | | | | no-database mode. Usually, NSS | | | | will flush all data to disk as | | | | soon as new data has been | | | | added to permanent storage. | | | | Storage consists of multiple | | | | files: a key database file, | | | | which contains your secret | | | | keys, and a certificate | | | | database file which contains | | | | the public portion of your own | | | | certificates, the certificates | | | | of peers or CAs, and a list of | | | | trust decisions (such as to | | | | not trust a built-in CA, or to | | | | explicitly trust other CAs). | | | | Examples for the database | | | | files are key3.db and | | | | cert8.db, where the numbers | | | | are file version numbers. A | | | | third file contains the list | | | | of external PKCS#11 modules | | | | that have been registered to | | | | be used by NSS. The file could | | | | be named secmod.db, but in | | | | newer database generations a | | | | file named pkcs11.txt is used. | | | | Only NSS is allowed to access | | | | and manipulate these database | | | | files directly; a programmer | | | | using NSS must go through the | | | | APIs offered by NSS to | | | | manipulate the data stored in | | | | these files. The programmer's | | | | task is to initialize NSS with | | | | the required parameters (such | | | | as a database), and NSS will | | | | then transparently manage the | | | | database files. | | | | Most of the time certificates | | | | and keys are supposed to be | | | | stored in the NSS database. | | | | Therefore, after initial | | | | import or creation, the | | | | programmer usually doesn't | | | | deal with their raw bytes. | | | | Instead, the programmer will | | | | use lookup functions, and NSS | | | | will provide an access handle | | | | that will be subsequently used | | | | by the application's code. | | | | Those handles are reference | | | | counted. NSS will usually | | | | create an in-memory (RAM) | | | | presentation of certificates, | | | | once a certificate has been | | | | received from the network, | | | | read from disk, or looked up | | | | from the database, and prepare | | | | in-memory data structures that | | | | contain the certificate's | | | | properties, as well as | | | | providing a handle for the | | | | programmer to use. Once the | | | | application is done with a | | | | handle, it should be released, | | | | allowing NSS to free the | | | | associated resources. When | | | | working with handles to | | | | private keys it's usually | | | | difficult (and undesired) that | | | | an application gets access to | | | | the raw key data; therefore it | | | | may be difficult to extract | | | | such data from NSS. The usual | | | | minimum requirement is that | | | | private keys must be wrapped | | | | using a protective layer (such | | | | as password-based encryption). | | | | The intention is to make it | | | | easier to review code for | | | | security. The less code that | | | | has access to raw secret keys, | | | | the less code that must be | | | | reviewed. | | | | NSS has only limited | | | | functionality to look up raw | | | | keys. The preferred approach | | | | is to use certificates, and to | | | | look up certificates by | | | | properties such as the | | | | contained subject name | | | | (information that describes | | | | the owner of the certificate). | | | | For example, while NSS | | | | supports random calculation | | | | (creation) of a new | | | | public/private key pair, it's | | | | difficult to work with such a | | | | raw key pair. The usual | | | | approach is to create a | | | | certificate signing request | | | | (CSR) as soon as an | | | | application is done with the | | | | creation step, which will have | | | | created a handle to the key | | | | pair, and which can be used | | | | for the necessary related | | | | operations, like producing a | | | | proof-of-ownership of the | | | | private key, which is usually | | | | required when submitting the | | | | public key with a CSR to a CA. | | | | The usual follow up action is | | | | receiving a signed certificate | | | | from a CA. (However, it's also | | | | possible to use NSS | | | | functionality to create a | | | | self-signed certificate, | | | | which, however, usually won't | | | | be trusted by other parties.) | | | | Once received, it's sufficient | | | | to tell NSS to import such a | | | | new certificate into the NSS | | | | database, and NSS will | | | | automatically perform a lookup | | | | of the embedded public key, be | | | | able to find the associated | | | | private key, and subsequently | | | | be able to treat it as a | | | | personal certificate. (A | | | | personal certificate is a | | | | certificate for which the | | | | private key is in possession, | | | | and which could be used for | | | | signing data or for decrypting | | | | data.) A unique nickname | | | | can/should be assigned to the | | | | certificate at the time of | | | | import, which can later be | | | | used to easily identify and | | | | retrieve it. | | | | It's important to note that | | | | NSS requires strict cleanup | | | | for all handles returned by | | | | NSS. The application should | | | | always call the appropriate | | | | dereference (destroy) | | | | functions once a handle is no | | | | longer needed. This is | | | | particularly important for | | | | applications that might need | | | | to close a database and | | | | reinitialize NSS using a | | | | different one, without | | | | restarting. Such an operation | | | | might fail at runtime if data | | | | elements are still being | | | | referenced. | | | | In addition to the FreeBL, | | | | Softoken, and CKBI modules, | | | | there is an utility library | | | | for general operations (e.g., | | | | encoding/decoding between data | | | | formats, a list of | | | | standardized object | | | | identifiers (OID)). NSS has an | | | | SSL/TLS module that implements | | | | the Secure Sockets | | | | Layer/Transport Layer Security | | | | network protocols, an S/MIME | | | | module that implements CMS | | | | messaging used by secure email | | | | and some instant messaging | | | | implementations, a DBM library | | | | that implements the classic | | | | database storage, and finally | | | | a core NSS library for the big | | | | set of “everything else”. | | | | Newer generations of the | | | | database use the SQLite | | | | database to allow concurrent | | | | access by multiple | | | | applications. | | | | All of the above are provided | | | | as shared libraries. The CRMF | | | | library, which is used to | | | | produce certain kinds of | | | | certificate requests, is | | | | available as a library for | | | | static linking only. | | | | When dealing with certificates | | | | (X.509), file formats such as | | | | PKCS#12 (certificates and | | | | keys), PKCS#7 (signed data), | | | | and message formats as CMS, we | | | | should mention ASN.1, which is | | | | a syntax for storing | | | | structured data in a very | | | | efficient (small sized) | | | | presentation. It was | | | | originally developed for | | | | telecommunication systems at | | | | times where it was critical to | | | | minimize data as much as | | | | possible (although it still | | | | makes sense to use that | | | | principle today for good | | | | performance). In order to | | | | process data available in the | | | | ASN.1 format, the usual | | | | approach is to parse it and | | | | transfer it to a presentation | | | | that requires more space but | | | | is easier to work with, such | | | | as (nested) C data structures. | | | | Over the time NSS has received | | | | three different ASN.1 parser | | | | implementations, each having | | | | their own specific properties, | | | | advantages and disadvantages, | | | | which is why all of them are | | | | still being used (nobody has | | | | yet dared to replace the older | | | | with the newer ones because of | | | | risks for side effects). When | | | | using the ASN.1 parser(s), a | | | | template definition is passed | | | | to the parser, which will | | | | analyze the ASN.1 data stream | | | | accordingly. The templates are | | | | usually closely aligned to | | | | definitions found in RFC | | | | documents. | | | | A data block described as DER | | | | is usually in ASN.1 format. | | | | You must know which data you | | | | are expecting, and use the | | | | correct template for parsing, | | | | based on the context of your | | | | software's interaction. Data | | | | described as PEM is a base64 | | | | encoded presentation of DER, | | | | usually wrapped between human | | | | readable BEGIN/END lines. NSS | | | | prefers the binary | | | | presentation, but is often | | | | capable to use base64 or ASCII | | | | presentations, especially when | | | | importing data from files. A | | | | recent development adds | | | | support for loading external | | | | PEM files that contain private | | | | keys, in a software library | | | | called nss-pem, which is | | | | separately available, but | | | | should eventually become a | | | | core part of NSS. | | | | Looking at the code level, NSS | | | | deals with blocks of raw data | | | | all the time. The common | | | | structure to store such an | | | | untyped block is SECItem, | | | | which contains a size and an | | | | untyped C pointer variable. | | | | When dealing with memory, NSS | | | | makes use of arenas, which are | | | | an attempt to simplify | | | | management with the limited | | | | offerings of C (because there | | | | are no destructors). The idea | | | | is to group multiple memory | | | | allocations in order to | | | | simplify cleanup. Performing | | | | an operation often involves | | | | allocating many individual | | | | data items, and the code might | | | | be required to abort a task at | | | | many positions in the logic. | | | | An arena is requested once | | | | processing of a task starts, | | | | and all memory allocations | | | | that are logically associated | | | | to that task are requested | | | | from the associated arena. The | | | | implementation of arenas makes | | | | sure that all individual | | | | memory blocks are tracked. | | | | Once a task is done, | | | | regardless whether it | | | | completed or was aborted, the | | | | programmer simply needs to | | | | release the arena, and all | | | | individually allocated blocks | | | | will be released | | | | automatically. Often freeing | | | | is combined with immediately | | | | erasing (zeroing, zfree) the | | | | memory associated to the | | | | arena, in order to make it | | | | more difficult for attackers | | | | to extract keys from a memory | | | | dump. | | | | NSS uses many C data | | | | structures. Often NSS has | | | | multiple implementations for | | | | the same or similar concepts. | | | | For example, there are | | | | multiple presentations of | | | | certificates, and the NSS | | | | internals (and sometimes even | | | | the application using NSS) | | | | might have to convert between | | | | them. | | | | Key responsibilites of NSS are | | | | verification of signatures and | | | | certificates. In order to | | | | verify a digital signature, we | | | | have to look at the | | | | application data (e.g., a | | | | document that was signed), the | | | | signature data block (the | | | | digital signature), and a | | | | public key (as found in a | | | | certificate that is believed | | | | to be the signer, e.g., | | | | identified by metadata | | | | received together with the | | | | signature). The signature is | | | | verified if it can be shown | | | | that the signature data block | | | | must have been produced by the | | | | owner of the public key | | | | (because only that owner has | | | | the associated private key). | | | | Verifying a certificate (A) | | | | requires some additional | | | | steps. First, you must | | | | identify the potential signer | | | | (B) of a certificate (A). This | | | | is done by reading the “issuer | | | | name” attribute of a | | | | certificate (A), and trying to | | | | find that issuer certificate | | | | (B) (by looking for a | | | | certificate that uses that | | | | name as its “subject name”). | | | | Then you attempt to verify the | | | | signature found in (A) using | | | | the public key found in (B). | | | | It might be necessary to try | | | | multiple certificates (B1, B2, | | | | ...) each having the same | | | | subject name. | | | | After succeeding, it might be | | | | necessary to repeat this | | | | procedure recursively. The | | | | goal is to eventually find a | | | | certificate B (or C or ...) | | | | that has an appropriate trust | | | | assigned (e.g., because it can | | | | be found in the CKBI module | | | | and the user hasn't made any | | | | overriding trust decisions, or | | | | it can be found in a NSS | | | | database file managed by the | | | | user or by the local | | | | environment). | | | | After having successfully | | | | verified the signatures in a | | | | (chain of) issuer | | | | certificate(s), we're still | | | | not done with verifying the | | | | certificate A. In a PKI it's | | | | suggested/required to perform | | | | additional checks. For | | | | example: Certificates were | | | | valid at the time the | | | | signature was made, name in | | | | certificates matches the | | | | expected signer (check subject | | | | name, common name, email, | | | | based on application), the | | | | trust restrictions recorded | | | | inside the certificate | | | | (extensions) permit the use | | | | (e.g., encryption might be | | | | allowed, but not signing), and | | | | based on | | | | environment/application policy | | | | it might be required to | | | | perform a revocation check | | | | (OCSP or CRL), that asks the | | | | issuer(s) of the certificates | | | | whether there have been events | | | | that made it necessary to | | | | revoke the trust (revoke the | | | | validity of the cert). | | | | Trust anchors contained in the | | | | CKBI module are usually self | | | | signed, which is defined as | | | | having identical subject name | | | | and issuer name fields. If a | | | | self-signed certificate is | | | | marked as explicitly trusted, | | | | NSS will skip checking the | | | | self-signature for validity. | | | | NSS has multiple APIs to | | | | perform verification of | | | | certificates. There is a | | | | classic engine that is very | | | | stable and works fine in all | | | | simple scenarios, for example | | | | if all (B) candidate issuer | | | | certificates have the same | | | | subject and issuer names and | | | | differ by validity period; | | | | however, it works only in a | | | | limited amount of more | | | | advanced scenarios. | | | | Unfortunately, the world of | | | | certificates has become more | | | | complex in the recent past. | | | | New Certificate Authorities | | | | enter the global PKI market, | | | | and in order to get started | | | | with their business, they | | | | might make deals with | | | | established CAs and receive | | | | so-called | | | | cross-signing-certificates. As | | | | a result, when searching for a | | | | trust path from (A) to a | | | | trusted anchor (root) | | | | certificate (Z), the set of | | | | candidate issuer certificates | | | | might have different issuer | | | | names (referring to the second | | | | or higher issuer level). As a | | | | consequence, it will be | | | | necessary to try multiple | | | | different alternative routes | | | | while searching for (Z), in a | | | | recursive manner. Only the | | | | newer verification engine | | | | (internally named libPKIX) is | | | | capable of doing that | | | | properly. | | | | It's worth mentioning the | | | | Extended Validation (EV) | | | | principle, which is an effort | | | | by software vendors and CAs to | | | | define a stricter set of rules | | | | for issuing certificates for | | | | web site certificates. Instead | | | | of simply verifying that the | | | | requester of a certificate is | | | | in control of an | | | | administrative email address | | | | at the desired web site's | | | | domain, it's required that the | | | | CA performs a verification of | | | | real world identity documents | | | | (such as a company | | | | registration document with the | | | | country's authority), and it's | | | | also required that a browser | | | | software performs a revocation | | | | check with the CA, prior to | | | | granting validity to the | | | | certificate. In order to | | | | distinguish an EV certificate, | | | | CAs will embed a policy OID in | | | | the certificate, and the | | | | browser is expected to verify | | | | that a trust chain permits the | | | | end entity (EE) certificate to | | | | make use of the policy. Only | | | | the APIs of the newer libPKIX | | | | engine are capable of | | | | performing a policy | | | | verification. | | | | That's a good opportunity to | | | | talk about SSL/TLS connections | | | | to servers in general (not | | | | just EV, not just websites). | | | | Whenever this document | | | | mentions SSL, it refers to | | | | either SSL or TLS. (TLS is a | | | | newer version of SSL with | | | | enhanced features.) | | | | When establishing an SSL | | | | connection to a server, (at | | | | least) a server certificate | | | | (and its trust chain) is | | | | exchanged from the server to | | | | the client (e.g., the | | | | browser), and the client | | | | verifies that the certificate | | | | can be verified (including | | | | matching the name of the | | | | expected destination server). | | | | Another part of the handshake | | | | between both parties is a key | | | | exchange. Because public key | | | | encryption is more expensive | | | | (more calculations required) | | | | than symmetric encryption | | | | (where both parties use the | | | | same key), a key agreement | | | | protocol will be executed, | | | | where the public and private | | | | keys are used to proof and | | | | verify the exchanged initial | | | | information. Once the key | | | | agreement is done, a symmetric | | | | encryption will be used (until | | | | a potential re-handshake on an | | | | existing channel). The | | | | combination of the hash and | | | | encryption algorithms used for | | | | a SSL connection is called a | | | | cipher suite. | | | | NSS ships with a set of cipher | | | | suites that it supports at a | | | | technical level. In addition, | | | | NSS ships with a default | | | | policy that defines which | | | | cipher suites are enabled by | | | | default. An application is | | | | able to modify the policy used | | | | at program runtime, by using | | | | function calls to modify the | | | | set of enabled cipher suites. | | | | If a programmer wants to | | | | influence how NSS verifies | | | | certificates or how NSS | | | | verifies the data presented in | | | | a SSL connection handshake, it | | | | is possible to register | | | | application-defined callback | | | | functions which will be called | | | | by NSS at the appropriate | | | | point of time, and which can | | | | be used to override the | | | | decisions made by NSS. | | | | If you would like to use NSS | | | | as a toolkit that implements | | | | SSL, remember that you must | | | | init NSS first. But if you | | | | don't care about modifying the | | | | default trust permanently | | | | (recorded on disk), you can | | | | use the no-database init | | | | calls. When creating the | | | | network socket for data | | | | exchange, note that you must | | | | use the operating system | | | | independent APIs provided by | | | | NSPR and NSS. It might be | | | | interesting to mention a | | | | property of the NSPR file | | | | descriptors, which are stacked | | | | in layers. This means you can | | | | define multiple layers that | | | | are involved in data | | | | processing. A file descriptor | | | | has a pointer to the first | | | | layer handling the data. That | | | | layer has a pointer to a | | | | potential second layer, which | | | | might have another pointer to | | | | a third layer, etc. Each layer | | | | defines its own functions for | | | | the | | | | ope | | | | n/close/read/write/poll/select | | | | (etc.) functions. When using | | | | an SSL network connection, | | | | you'll already have two | | | | layers, the basic NSPR layer | | | | and an SSL library layer. The | | | | Mozilla applications define a | | | | third layer where application | | | | specific processing is | | | | performed. You can find more | | | | details in the NSPR reference | | | | documents. | | | | NSS occassionally has to | | | | create outbound network | | | | connections, in addition to | | | | the connections requested by | | | | the application. Examples are | | | | retrieving OCSP (Online | | | | Certificate Status Protocol) | | | | information or downloading a | | | | CRL (Certificate Revocation | | | | List). However, NSS doesn't | | | | have an implementation to work | | | | with network proxies. If you | | | | must support proxies in your | | | | application, you are able to | | | | register your own | | | | implementation of an http | | | | request callback interface, | | | | and NSS can use your | | | | application code that supports | | | | proxies. | | | | When using hashing, | | | | encryption, and decryption | | | | functions, it is possible to | | | | stream data (as opposed to | | | | operating on a large buffer). | | | | Create a context handle while | | | | providing all the parameters | | | | required for the operation, | | | | then call an “update” function | | | | multiple times to pass subsets | | | | of the input to NSS. The data | | | | will be processed and either | | | | returned directly or sent to a | | | | callback function registered | | | | in the context. When done, you | | | | call a finalization function | | | | that will flush out any | | | | pending data and free the | | | | resources. | | | | This line is a placeholder for | | | | future sections that should | | | | explain how libpkix works and | | | | is designed. | | | | If you want to work with NSS, | | | | it's often helpful to use the | | | | command line utilities that | | | | are provided by the NSS | | | | developers. There are tools | | | | for managing NSS databases, | | | | for dumping or verifying | | | | certificates, for registering | | | | PKCS#11 modules with a | | | | database, for processing CMS | | | | encrypted/signed messages, | | | | etc. | | | | For example, if you wanted to | | | | create your own pair of keys | | | | and request a new certificate | | | | from a CA, you could use | | | | certutil to create an empty | | | | database, then use certutil to | | | | operate on your database and | | | | create a certificate request | | | | (which involves creating the | | | | desired key pair) and export | | | | it to a file, submit the | | | | request file to the CA, | | | | receive the file from the CA, | | | | and import the certificate | | | | into your database. You should | | | | assign a good nickname to a | | | | certificate when importing it, | | | | making it easier for you to | | | | refer to it later. | | | | It should be noted that the | | | | first database format that can | | | | be accessed simultaneously by | | | | multiple applications is | | | | key4.db/cert9.db – database | | | | files with lower numbers will | | | | most likely experience | | | | unrecoverable corruption if | | | | you access them with multiple | | | | applications at the same time. | | | | In other words, if your | | | | browser or your server | | | | operates on an older NSS | | | | database format, don't use the | | | | NSS tools to operate on it | | | | while the other software is | | | | executing. At the time of | | | | writing NSS and the Mozilla | | | | applications still use the | | | | older database file format by | | | | default, where each | | | | application has its own NSS | | | | database. | | | | If you require a copy of a | | | | certificate stored in an NSS | | | | database, including its | | | | private key, you can use | | | | pk12util to export it to the | | | | PKCS#12 file format. If you | | | | require it in PEM format, you | | | | could use the openssl pkcs12 | | | | command (that's not NSS) to | | | | convert the PKCS#12 file to | | | | PEM. | | | | This line is a placeholder for | | | | how to prepare a database, how | | | | to dump a cert, and how to | | | | convert data. | | | | You might have been motivated | | | | to work with NSS because it is | | | | used by the Mozilla | | | | applications such as Firefox, | | | | Thunderbird, etc. If you build | | | | the Mozilla application, it | | | | will automatically build the | | | | NSS library, too. However, if | | | | you want to work with the NSS | | | | command line tools, you will | | | | have to follow the standalone | | | | NSS build instructions, and | | | | build NSS outside of the | | | | Mozilla application sources. | | | | The key database file will | | | | contain at least one symmetric | | | | key, which NSS will | | | | automatically create on | | | | demand, and which will be used | | | | to protect your secret | | | | (private) keys. The symmetric | | | | key can be protected with PBE | | | | by setting a master password | | | | on the database. As soon as | | | | you set a master password, an | | | | attacker stealing your key | | | | database will no longer be | | | | able to get access to your | | | | private key, unless the | | | | attacker would also succeed in | | | | stealing the master password. | | | | Now you might be interest in | | | | how to get the | | | | :ref:`mozilla_projects_nss | | | | _nss_sources_building_testing` | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 3 | :ref:`mozill | **NSS** | | | a_projects_nss_blank_function` | | +--------------------------------+--------------------------------+--------------------------------+ | | | One-line description of what | | | | the function does (more than | | | | just what it returns). | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 4 | :ref:` | **Guide, NSS, Security** | | | mozilla_projects_nss_building` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This page has detailed | | | | information on how to build | | | | NSS. Because NSS is a | | | | cross-platform library that | | | | builds on many different | | | | platforms and has many | | | | options, it may be complex to | | | | build. Please read these | | | | instructions carefully before | | | | attempting to build. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 5 | :ref:`mozilla_projec | **NSS** | | | ts_nss_cert_findcertbydercert` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Find a certificate in the | | | | database that matches a | | | | DER-encoded certificate. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 6 | :ref:`mozilla_projects_n | **NSS** | | | ss_cert_findcertbyissuerandsn` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Find a certificate in the | | | | database with the given issuer | | | | and serial number. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 7 | :r | **NSS** | | | ef:`mozilla_projects_nss_certi | | | | ficate_download_specification` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This document describes the | | | | data formats used by NSS 3.x | | | | for installing certificates. | | | | This document is currently | | | | being revised and has not yet | | | | been reviewed for accuracy. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 8 | :ref:`mozilla_proje | **NSS** | | | cts_nss_certificate_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The public functions listed | | | | here are used to interact with | | | | certificate databases. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 9 | :ref:`mozill | **NSS** | | | a_projects_nss_certverify_log` | | +--------------------------------+--------------------------------+--------------------------------+ | | | All the NSS verify functions | | | | except, the \*VerifyNow() | | | | functions, take a parameter | | | | called 'CERTVerifyLog'. If you | | | | supply the log parameter, NSS | | | | will continue chain validation | | | | after each error . The log | | | | tells you what the problem was | | | | with the chain and what | | | | certificate in the chain | | | | failed. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 10 | :ref:`mozil | **NSS** | | | la_projects_nss_code_coverage` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 11 | :ref:`mozilla_projec | **NSS** | | | ts_nss_cryptography_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The public functions listed | | | | here perform cryptographic | | | | operations based on the PKCS | | | | #11 interface. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 12 | :ref:`mozilla_projects | **NSS** | | | _nss_deprecated_ssl_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The following SSL functions | | | | have been replaced with newer | | | | versions. The deprecated | | | | functions are not supported by | | | | the new SSL shared libraries. | | | | Applications that want to use | | | | the SSL shared libraries must | | | | convert to calling the new | | | | replacement functions listed | | | | below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 13 | :ref:`mozil | **Decrypt, Encryption, | | | la_projects_nss_encrypt_decryp | Example, NSS, Sample code** | | | t_mac_keys_as_session_objects` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Generates encryption/mac keys | | | | and uses session objects. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 14 | :ref:`mozilla_projects_nss_en | **Example, Intermediate, | | | crypt_decrypt_mac_using_token` | Mozilla, NSS** | +--------------------------------+--------------------------------+--------------------------------+ | | | Generates encryption/mac keys | | | | and uses token for storing. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 15 | : | **NSS, NeedsUpdate** | | | ref:`mozilla_projects_nss_faq` | | +--------------------------------+--------------------------------+--------------------------------+ | | | NSS is set of libraries, APIs, | | | | utilities, and documentation | | | | designed to support | | | | cross-platform development of | | | | security-enabled client and | | | | server applications. It | | | | provides a complete | | | | open-source implementation of | | | | the crypto libraries used by | | | | Mozilla and other companies in | | | | the Firefox browser, AOL | | | | Instant Messenger (AIM), | | | | server products from Red Hat, | | | | and other products. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 16 | :ref:`mozilla_projects_n | **NSS** | | | ss_fips_mode_-_an_explanation` | | +--------------------------------+--------------------------------+--------------------------------+ | | | NSS has a "FIPS Mode" that can | | | | be enabled when NSS is | | | | compiled in a specific way. | | | | (Note: Mozilla does not | | | | distribute a "FIPS Mode"-ready | | | | NSS with Firefox.) This page | | | | attempts to provide an | | | | informal explanation of what | | | | it is, who would use it, and | | | | why. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 17 | :ref:`mozilla_projects | **Samples WIP** | | | _nss_getting_started_with_nss` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) is a base library for | | | | cryptographic algorithms and | | | | secure network protocols used | | | | by Mozilla software. | | | | Would you like to get involved | | | | and help us to improve the | | | | core security of Mozilla | | | | Firefox and other applications | | | | that make use of NSS? We are | | | | looking forward to your | | | | contributions! | | | | We have a large list of tasks | | | | waiting for attention, and we | | | | are happy to assist you in | | | | identifying areas that match | | | | your interest or skills. You | | | | can find us on `Mozilla | | | | IRC `__ | | | | in channel | | | | `#nss < | | | | https://chat.mozilla.org/#/room/#nss:mozilla.org>`__ | | | | or you could ask your | | | | questions on the | | | | `mozilla.dev.tech.cry | | | | pto `__ | | | | newsgroup. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 18 | :ref:`mozilla_proje | **Advanced, Guide, NSS** | | | cts_nss_http_delegation_clone` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Up to version 3.11, | | | | :ref:`mozilla_projects_nss` | | | | connects directly over | | | | `HTTP `__ | | | | to an OCSP responder to make | | | | the request and fetch the | | | | response. It does so in a | | | | blocking fashion, and also | | | | directly to the responder, | | | | ignoring any proxy the | | | | application may wish to use. | | | | This causes OCSP requests to | | | | fail if the network | | | | environment requires the use | | | | of a proxy. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 19 | :ref:`mozilla | **Advanced, Guide, NSS** | | | _projects_nss_http_delegation` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Up to version 3.11, | | | | :ref:`mozilla_projects_nss` | | | | connects directly over | | | | `HTTP `__ | | | | to an OCSP responder to make | | | | the request and fetch the | | | | response. It does so in a | | | | blocking fashion, and also | | | | directly to the responder, | | | | ignoring any proxy the | | | | application may wish to use. | | | | This causes OCSP requests to | | | | fail if the network | | | | environment requires the use | | | | of a proxy. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 20 | :ref:`moz | **Introduction, Mozilla, NSS** | | | illa_projects_nss_introduction | | | | _to_network_security_services` | | +--------------------------------+--------------------------------+--------------------------------+ | | | **Network Security Services | | | | (NSS)** is a set of libraries | | | | designed to support | | | | cross-platform development of | | | | communications applications | | | | that support SSL, S/MIME, and | | | | other Internet security | | | | standards. For a general | | | | overview of NSS and the | | | | standards it supports, see | | | | :ref:`m | | | | ozilla_projects_nss_overview`. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 21 | :ref:`mozilla_project | **D** | | | s_nss_jss_4_4_0_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Java Security Services | | | | (JSS) team has released JSS | | | | 4.4.0, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 22 | : | **Guide, JSS, NSS, | | | ref:`mozilla_projects_nss_jss` | NeedsMigration** | +--------------------------------+--------------------------------+--------------------------------+ | | | **The JSS project has been | | | | relocated!** | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 23 | :ref:`mozilla_proj | **JSS, NSS** | | | ects_nss_jss_4_3_releasenotes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services for | | | | Java (JSS) 4.3 is a minor | | | | release with the following new | | | | features: | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 24 | :ref:`mozilla_project | **JSS, NSPR, NSS** | | | s_nss_jss_4_3_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services for | | | | Java (JSS) 4.3.1 is a minor | | | | release with the following new | | | | features: | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 25 | :ref | **JSS** | | | :`mozilla_projects_nss_jss_bui | | | | ld_instructions_for_jss_4_3_x` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 26 | :ref | **JSS** | | | :`mozilla_projects_nss_jss_bui | | | | ld_instructions_for_jss_4_4_x` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 27 | :ref:`moz | **JSS** | | | illa_projects_nss_jss_jss_faq` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech.cry | | | | pto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 28 | :ref:`mozilla_projec | **Crypto, JSS, Security** | | | ts_nss_jss_jss_provider_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This page has been moved to | | | | http://www.do | | | | gtagpki.org/wiki/JSS_Provider. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 29 | :r | | | | ef:`mozilla_projects_nss_jss_m | | | | ozilla-jss_jca_provider_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | * | | | | Newsgroup:*\ `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 30 | :ref:`mozil | **JSS** | | | la_projects_nss_jss_using_jss` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *News | | | | group:*\ `mozilla.dev.tech.cry | | | | pto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 31 | :ref:`mozill | | | | a_projects_nss_key_log_format` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Key logs can be written by NSS | | | | so that external programs can | | | | decrypt TLS connections. | | | | Wireshark 1.6.0 and above can | | | | use these log files to decrypt | | | | packets. You can tell | | | | Wireshark where to find the | | | | key file via | | | | *Edit→Preferences→Pro | | | | tocols→TLS→(Pre)-Master-Secret | | | | log filename*. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 32 | :ref:`mozilla_p | **NSS** | | | rojects_nss_memory_allocation` | | +--------------------------------+--------------------------------+--------------------------------+ | | | NSS makes extensive use of | | | | NSPR's PLArenaPools for memory | | | | allocation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 33 | :ref:`mozilla_pr | | | | ojects_nss_modutil-tasks_html` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 34 | :ref:`mozilla | **Example** | | | _projects_nss_new_nss_samples` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This collection of sample code | | | | demonstrates how NSS can be | | | | used for cryptographic | | | | operations, certificate | | | | handling, SSL, etc. It also | | | | demonstrates some best | | | | practices in the application | | | | of cryptography. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 35 | :ref:`moz | **Gecko, NSS, Security** | | | illa_projects_nss_notes_on_tls | | | | _-_ssl_3_0_intolerant_servers` | | +--------------------------------+--------------------------------+--------------------------------+ | | | A number of Netscape 6.x/7.x | | | | and Mozilla users have | | | | reported that some secure | | | | sites -- typically sites | | | | featuring online transactions | | | | or online banking over the | | | | HTTPS protocol -- do not | | | | display any content at all. | | | | The connection seems | | | | terminated and a blank page is | | | | displayed. This is the main | | | | symptom of the problem when | | | | Mozilla based browsers | | | | encounter TLS/SSL 3.0 | | | | intolerant servers. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 36 | :ref:`mozilla_projects_nss_n | | | | ss_3_11_10_release_notes_html` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: mozilla. | | | | dev.tech.crypto | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 37 | :ref:`mozilla_projects_ns | | | | s_nss_3_12_release_notes_html` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 38 | :ref:`mozilla_projects_nss_ | | | | nss_3_12_1_release_notes_html` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 39 | :ref:`mozilla_projects_nss_ | | | | nss_3_12_2_release_notes_html` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 40 | :ref:`mozilla_projects | | | | _nss_nss_3_12_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 41 | :ref:`mozilla_projects | | | | _nss_nss_3_12_4_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.12.4 is a patch | | | | release for NSS 3.12. The bug | | | | fixes in NSS 3.12.4 are | | | | described in the "`Bugs | | | | Fixed <#bugsfixed>`__" section | | | | below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 42 | :ref:`mozilla_projects | | | | _nss_nss_3_12_5_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.12.5 is a patch | | | | release for NSS 3.12. The bug | | | | fixes in NSS 3.12.5 are | | | | described in the "`Bugs | | | | Fixed `__" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 43 | :ref:`mozilla_projects | | | | _nss_nss_3_12_6_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.12.6 is a patch | | | | release for NSS 3.12. The bug | | | | fixes in NSS 3.12.6 are | | | | described in the "`Bugs | | | | Fixed `__" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 44 | :ref:`mozilla_projects | **NSS** | | | _nss_nss_3_12_9_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.12.9 is a patch | | | | release for NSS 3.12. The bug | | | | fixes in NSS 3.12.9 are | | | | described in the "\ `Bugs | | | | Fixed <#bugsfixed>`__" section | | | | below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 45 | :ref:`mozilla_projec | | | | ts_nss_nss_3_14_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.14, which is a minor | | | | release with the following new | | | | features: | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 46 | :ref:`mozilla_projects | | | | _nss_nss_3_14_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.14.1 is a patch | | | | release for NSS 3.14. The bug | | | | fixes in NSS 3.14.1 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 47 | :ref:`mozilla_projects | | | | _nss_nss_3_14_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.14.2 is a patch | | | | release for NSS 3.14. The bug | | | | fixes in NSS 3.14.2 are | | | | described in the "Bugs Fixed" | | | | section below. NSS 3.14.2 | | | | should be used with NSPR 4.9.5 | | | | or newer. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 48 | :ref:`mozilla_projects | | | | _nss_nss_3_14_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.14.3 is a patch | | | | release for NSS 3.14. The bug | | | | fixes in NSS 3.14.3 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 49 | :ref:`mozilla_projects | | | | _nss_nss_3_14_4_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.14.4 is a patch | | | | release for NSS 3.14. The bug | | | | fixes in NSS 3.14.4 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 50 | :ref:`mozilla_projects | | | | _nss_nss_3_14_5_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.14.5 is a patch | | | | release for NSS 3.14. The bug | | | | fixes in NSS 3.14.5 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 51 | :ref:`mozilla_projec | | | | ts_nss_nss_3_15_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.15, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 52 | :ref:`mozilla_projects | | | | _nss_nss_3_15_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.15.1 is a patch | | | | release for NSS 3.15. The bug | | | | fixes in NSS 3.15.1 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 53 | :ref:`mozilla_projects | | | | _nss_nss_3_15_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.15.2 is a patch | | | | release for NSS 3.15. The bug | | | | fixes in NSS 3.15.2 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 54 | :ref:`mozilla_projects | | | | _nss_nss_3_15_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.15.3 is a patch | | | | release for NSS 3.15. The bug | | | | fixes in NSS 3.15.3 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 55 | :ref:`mozilla_projects_n | | | | ss_nss_3_15_3_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.15.3.1 is a patch | | | | release for NSS 3.15. The bug | | | | fixes in NSS 3.15.3.1 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 56 | :ref:`mozilla_projects | | | | _nss_nss_3_15_4_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.15.4 is a patch | | | | release for NSS 3.15. The bug | | | | fixes in NSS 3.15.4 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 57 | :ref:`mozilla_projects | | | | _nss_nss_3_15_5_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.15.5 is a patch | | | | release for NSS 3.15. The bug | | | | fixes in NSS 3.15.5 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 58 | :ref:`mozilla_projec | | | | ts_nss_nss_3_16_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.16, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 59 | :ref:`mozilla_projects | | | | _nss_nss_3_16_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.16.1 is a patch | | | | release for NSS 3.16. The bug | | | | fixes in NSS 3.16.1 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 60 | :ref:`mozilla_projects | | | | _nss_nss_3_16_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.16.2 is a patch | | | | release for NSS 3.16. The bug | | | | fixes in NSS 3.16.2 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 61 | :ref:`mozilla_projects_n | **Reference, Security** | | | ss_nss_3_16_2_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.16.2.1 is a patch | | | | release for NSS 3.16, based on | | | | the NSS 3.16.2 release. The | | | | bug fixes in NSS 3.16.2.1 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 62 | :ref:`mozilla_projects_n | **Reference, Security** | | | ss_nss_3_16_2_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.16.2.2 is a patch | | | | release for NSS 3.16. The bug | | | | fixes in NSS 3.16.2.2 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 63 | :ref:`mozilla_projects_n | **Reference, Security** | | | ss_nss_3_16_2_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.16.2.3 is a patch | | | | release for NSS 3.16. The bug | | | | fixes in NSS 3.16.2.3 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 64 | :ref:`mozilla_projects | | | | _nss_nss_3_16_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.16.3 is a patch | | | | release for NSS 3.16. The bug | | | | fixes in NSS 3.16.3 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 65 | :ref:`mozilla_projects | | | | _nss_nss_3_16_4_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.16.4 is a patch | | | | release for NSS 3.16. The bug | | | | fixes in NSS 3.16.4 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 66 | :ref:`mozilla_projects | **Reference, Security** | | | _nss_nss_3_16_5_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.16.5 is a patch | | | | release for NSS 3.16. The bug | | | | fixes in NSS 3.16.5 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 67 | :ref:`mozilla_projects | **Reference, Security** | | | _nss_nss_3_16_6_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.16.6 is a patch | | | | release for NSS 3.16. The bug | | | | fixes in NSS 3.16.6 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 68 | :ref:`mozilla_projec | | | | ts_nss_nss_3_17_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.17, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 69 | :ref:`mozilla_projects | **Reference, Security** | | | _nss_nss_3_17_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.17.1 is a patch | | | | release for NSS 3.17. The bug | | | | fixes in NSS 3.17.1 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 70 | :ref:`mozilla_projects | | | | _nss_nss_3_17_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.17.2 is a patch | | | | release for NSS 3.17. The bug | | | | fixes in NSS 3.17.2 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 71 | :ref:`mozilla_projects | **Guide, NSS, Security** | | | _nss_nss_3_17_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.17.3 is a patch | | | | release for NSS 3.17. The bug | | | | fixes in NSS 3.17.3 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 72 | :ref:`mozilla_projects | **Guide, NSS, Security** | | | _nss_nss_3_17_4_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.17.4 is a patch | | | | release for NSS 3.17. The bug | | | | fixes in NSS 3.17.4 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 73 | :ref:`mozilla_projec | **Guide, NSS, NeedsContent, | | | ts_nss_nss_3_18_release_notes` | Security** | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.18, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 74 | :ref:`mozilla_projects | **Networking, Security** | | | _nss_nss_3_18_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.18.1 is a patch | | | | release for NSS 3.18. The bug | | | | fixes in NSS 3.18.1 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 75 | :ref:`mozilla_projec | | | | ts_nss_nss_3_19_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.19, which is a minor | | | | security release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 76 | :ref:`mozilla_projects | | | | _nss_nss_3_19_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.19.1 is a security | | | | release for NSS 3.19. The bug | | | | fixes in NSS 3.19.1 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 77 | :ref:`mozilla_projects | | | | _nss_nss_3_19_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.19.2 is a patch | | | | release for NSS 3.19 that | | | | addresses compatibility issues | | | | in NSS 3.19.1. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 78 | :ref:`mozilla_projects_n | | | | ss_nss_3_19_2_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.19.2.1 is a patch | | | | release for NSS 3.19.2. The | | | | bug fixes in NSS 3.19.2.1 are | | | | described in the "Security | | | | Advisories" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 79 | :ref:`mozilla_projects_n | | | | ss_nss_3_19_2_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.19.2.2 is a security | | | | patch release for NSS 3.19.2. | | | | The bug fixes in NSS 3.19.2.2 | | | | are described in the "Security | | | | Fixes" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 80 | :ref:`mozilla_projects_n | | | | ss_nss_3_19_2_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.19.2.3 is a security | | | | patch release for NSS 3.19.2. | | | | The bug fixes in NSS 3.19.2.3 | | | | are described in the "Security | | | | Fixes" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 81 | :ref:`mozilla_projects_n | **NSS** | | | ss_nss_3_19_2_4_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.19.2.4 is a security | | | | patch release for NSS 3.19.2. | | | | The bug fixed in NSS 3.19.2.4 | | | | have been described in the | | | | "Security Fixes" section | | | | below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 82 | :ref:`mozilla_projects | | | | _nss_nss_3_19_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.19.3 is a patch | | | | release for NSS 3.19. The bug | | | | fixes in NSS 3.19.3 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 83 | :ref:`mozilla_projects | | | | _nss_nss_3_19_4_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.19.4 is a patch | | | | release for NSS 3.19. The bug | | | | fixes in NSS 3.19.4 are | | | | described in the "Security | | | | Advisories" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 84 | :ref:`mozilla_projec | | | | ts_nss_nss_3_20_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.20, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 85 | :ref:`mozilla_projects | | | | _nss_nss_3_20_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.20.1 is a patch | | | | release for NSS 3.20. The bug | | | | fixes in NSS 3.20.1 are | | | | described in the "Security | | | | Advisories" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 86 | :ref:`mozilla_projects | | | | _nss_nss_3_20_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.20.2 is a security | | | | patch release for NSS 3.20. | | | | The bug fixes in NSS 3.20.2 | | | | are described in the "Security | | | | Fixes" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 87 | :ref:`mozilla_projec | | | | ts_nss_nss_3_21_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | 2016-01-07, this page has been | | | | updated to include additional | | | | information about the release. | | | | The sections "Security Fixes" | | | | and "Acknowledgements" have | | | | been added. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 88 | :ref:`mozilla_projects | | | | _nss_nss_3_21_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.21.1 is a security | | | | patch release for NSS 3.21. | | | | The bug fixes in NSS 3.21.1 | | | | are described in the "Security | | | | Fixes" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 89 | :ref:`mozilla_projects | | | | _nss_nss_3_21_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.21.2 is a security | | | | patch release for NSS 3.21.1. | | | | The bug fixes in NSS 3.21.2 | | | | are described in the "Security | | | | Fixes" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 90 | :ref:`mozilla_projects | | | | _nss_nss_3_21_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.21.3 is a security | | | | patch release for NSS 3.21.2. | | | | The bug fixes in NSS 3.21.3 | | | | are described in the "Security | | | | Fixes" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 91 | :ref:`mozilla_projects | | | | _nss_nss_3_21_4_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.21.4 is a security | | | | patch release for NSS 3.21. | | | | The bug fixes in NSS 3.21.4 | | | | are described in the "Bugs | | | | Fixed" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 92 | :ref:`mozilla_projec | | | | ts_nss_nss_3_22_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.22, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 93 | :ref:`mozilla_projects | | | | _nss_nss_3_22_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.22.1 is a patch | | | | release for NSS 3.22. The bug | | | | fixes in NSS 3.22.1 are | | | | described in the "Notable | | | | Changes" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 94 | :ref:`mozilla_projects | | | | _nss_nss_3_22_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.22.2 is a security | | | | patch release for NSS 3.22. | | | | The bug fixes in NSS 3.22.2 | | | | are described in the "Security | | | | Fixes" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 95 | :ref:`mozilla_projects | | | | _nss_nss_3_22_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.22.3 is a patch | | | | release for NSS 3.22. The bug | | | | fixes in NSS 3.22.3 are | | | | described in the "Bugs fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 96 | :ref:`mozilla_projec | **Networking, Security** | | | ts_nss_nss_3_23_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.23, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 97 | :ref:`mozilla_projec | **NSS, Release Notes** | | | ts_nss_nss_3_24_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.24, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 98 | :ref:`mozilla_projec | **NSS, Release Notes** | | | ts_nss_nss_3_25_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.25, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 99 | :ref:`mozilla_projects | | | | _nss_nss_3_25_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.25.1 is a patch | | | | release for NSS 3.25. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 100 | :ref:`mozilla_projec | **NSS, Release Notes** | | | ts_nss_nss_3_26_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.26, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 101 | :ref:`mozilla_projects | | | | _nss_nss_3_26_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.26.2 is a patch | | | | release for NSS 3.26. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 102 | :ref:`mozilla_projec | | | | ts_nss_nss_3_27_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.27, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 103 | :ref:`mozilla_projects | | | | _nss_nss_3_27_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.27.1 is a patch | | | | release for NSS 3.27. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 104 | :ref:`mozilla_projects | | | | _nss_nss_3_27_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.27.2 is a patch | | | | release for NSS 3.27. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 105 | :ref:`mozilla_projec | | | | ts_nss_nss_3_28_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.28, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 106 | :ref:`mozilla_projects | | | | _nss_nss_3_28_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.28.1 is a patch | | | | release for NSS 3.28. The bug | | | | fixes in NSS 3.28.1 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 107 | :ref:`mozilla_projects | | | | _nss_nss_3_28_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.28.2 is a patch | | | | release for NSS 3.28. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 108 | :ref:`mozilla_projects | | | | _nss_nss_3_28_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.28.3 is a patch | | | | release for NSS 3.28. The bug | | | | fixes in NSS 3.28.3 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 109 | :ref:`mozilla_projects | | | | _nss_nss_3_28_4_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.28.4 is a security | | | | patch release for NSS 3.28. | | | | The bug fixes in NSS 3.28.4 | | | | are described in the "Bugs | | | | Fixed" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 110 | :ref:`mozilla_projects | | | | _nss_nss_3_28_5_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.28.5 is a patch | | | | release for NSS 3.28. The bug | | | | fixes in NSS 3.28.5 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 111 | :ref:`mozilla_projec | | | | ts_nss_nss_3_29_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.29, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 112 | :ref:`mozilla_projects | | | | _nss_nss_3_29_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.29.1 is a patch | | | | release for NSS 3.29. The bug | | | | fixes in NSS 3.29.1 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 113 | :ref:`mozilla_projects | | | | _nss_nss_3_29_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.29.2 is a patch | | | | release for NSS 3.29. The bug | | | | fixes in NSS 3.29.2 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 114 | :ref:`mozilla_projects | | | | _nss_nss_3_29_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.29.3 is a patch | | | | release for NSS 3.29. The bug | | | | fixes in NSS 3.29.3 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 115 | :ref:`mozilla_projects | | | | _nss_nss_3_29_5_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.29.5 is a security | | | | patch release for NSS 3.29. | | | | The bug fixes in NSS 3.29.5 | | | | are described in the "Bugs | | | | Fixed" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 116 | :ref:`mozilla_projec | | | | ts_nss_nss_3_30_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.30, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 117 | :ref:`mozilla_projects | | | | _nss_nss_3_30_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.30.1 is a security | | | | patch release for NSS 3.30. | | | | The bug fixes in NSS 3.30.1 | | | | are described in the "Bugs | | | | Fixed" section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 118 | :ref:`mozilla_projects | | | | _nss_nss_3_30_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.30.2 is a patch | | | | release for NSS 3.30. The bug | | | | fixes in NSS 3.30.2 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 119 | :ref:`mozilla_projec | | | | ts_nss_nss_3_31_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.31, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 120 | :ref:`mozilla_projects | | | | _nss_nss_3_31_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.31.1, which is a patch | | | | release for NSS 3.31. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 121 | :ref:`mozilla_projec | | | | ts_nss_nss_3_32_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.32, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 122 | :ref:`mozilla_projec | | | | ts_nss_nss_3_33_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.33, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 123 | :ref:`mozilla_projec | | | | ts_nss_nss_3_34_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.34, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 124 | :ref:`mozilla_projects | | | | _nss_nss_3_34_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Network Security Services | | | | (NSS) team has released NSS | | | | 3.34.1, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 125 | :ref:`mozilla_projec | | | | ts_nss_nss_3_35_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.35, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 126 | :ref:`mozilla_projec | | | | ts_nss_nss_3_36_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.36, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 127 | :ref:`mozilla_projects | | | | _nss_nss_3_36_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.36.1 is a patch | | | | release for NSS 3.36. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 128 | :ref:`mozilla_projects | **NSS, Release Notes** | | | _nss_nss_3_36_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.36.2 is a patch | | | | release for NSS 3.36. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 129 | :ref:`mozilla_projects | **NSS, Release Notes** | | | _nss_nss_3_36_4_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.36.4 is a patch | | | | release for NSS 3.36. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 130 | :ref:`mozilla_projects | **Mozilla, NSS, Release | | | _nss_nss_3_36_5_release_notes` | Notes** | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.36.5 is a patch | | | | release for NSS 3.36. The bug | | | | fixes in NSS 3.36.5 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 131 | :ref:`mozilla_projects | **Mozilla, NSS, Release | | | _nss_nss_3_36_6_release_notes` | Notes** | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.36.6 is a patch | | | | release for NSS 3.36. The bug | | | | fixes in NSS 3.36.6 are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 132 | :ref:`mozilla_projects | | | | _nss_nss_3_36_7_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.36.7 is a patch | | | | release for NSS 3.36. The bug | | | | fixes in NSS 3.36.7 are | | | | described in the "Bugs Fixed" | | | | section below. It was released | | | | on 19 January 2019. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 133 | :ref:`mozilla_projects | | | | _nss_nss_3_36_8_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.36.8 is a patch | | | | release for NSS 3.36. The bug | | | | fixes in NSS 3.36.8 are | | | | described in the "Bugs Fixed" | | | | section below. It was released | | | | on 21 June 2019. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 134 | :ref:`mozilla_projec | | | | ts_nss_nss_3_37_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.37, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 135 | :ref:`mozilla_projects | | | | _nss_nss_3_37_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.37.1 is a patch | | | | release for NSS 3.37. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 136 | :ref:`mozilla_project | | | | s_nss_nss_3_37_3release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.37.3 is a patch | | | | release for NSS 3.37. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 137 | :ref:`mozilla_projec | **Mozilla, NSS, Release | | | ts_nss_nss_3_38_release_notes` | Notes** | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.38, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 138 | :ref:`mozilla_projec | | | | ts_nss_nss_3_39_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.39, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 139 | :ref:`mozilla_projec | | | | ts_nss_nss_3_40_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.40, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 140 | :ref:`mozilla_projects | | | | _nss_nss_3_40_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.40.1, which is a patch | | | | release for NSS 3.40 | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 141 | :ref:`mozilla_projec | | | | ts_nss_nss_3_41_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.41 on 7 December 2018, | | | | which is a minor release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 142 | :ref:`mozilla_projects | | | | _nss_nss_3_41_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.41.1 is a patch | | | | release for NSS 3.41. The bug | | | | fixes in NSS 3.41.1 are | | | | described in the "Bugs Fixed" | | | | section below. It was released | | | | on 22 January 2019. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 143 | :ref:`mozilla_projec | | | | ts_nss_nss_3_42_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.42 on 25 January 2019, | | | | which is a minor release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 144 | :ref:`mozilla_projects | | | | _nss_nss_3_42_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.42.1 on 31 January | | | | 2019, which is a patch | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 145 | :ref:`mozilla_projec | | | | ts_nss_nss_3_43_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.43 on 16 March 2019, | | | | which is a minor release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 146 | :ref:`mozilla_projec | | | | ts_nss_nss_3_44_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.44 on 10 May 2019, | | | | which is a minor release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 147 | :ref:`mozilla_projects | | | | _nss_nss_3_44_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.44.1 is a patch | | | | release for NSS 3.44. The bug | | | | fixes in NSS 3.44.1 are | | | | described in the "Bugs Fixed" | | | | section below. It was released | | | | on 21 June 2019. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 148 | :ref:`mozilla_projects | | | | _nss_nss_3_44_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.44.2 is a patch | | | | release for NSS 3.44. The bug | | | | fixes in NSS 3.44.2 are | | | | described in the "Bugs Fixed" | | | | section below. It was released | | | | on 2 October 2019. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 149 | :ref:`mozilla_projects | | | | _nss_nss_3_44_3_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.44.3 is a patch | | | | release for NSS 3.44. The bug | | | | fixes in NSS 3.44.3 are | | | | described in the "Bugs Fixed" | | | | section below. It was released | | | | on 19 November 2019. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 150 | :ref:`mozilla_projects | | | | _nss_nss_3_44_4_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.44.4 on **19 May | | | | 2020**. This is a security | | | | patch release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 151 | :ref:`mozilla_projec | | | | ts_nss_nss_3_45_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.45 on **5 July 2019**, | | | | which is a minor release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 152 | :ref:`mozilla_projec | | | | ts_nss_nss_3_46_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.46 on **30 August | | | | 2019**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 153 | :ref:`mozilla_projects | | | | _nss_nss_3_46_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.46.1 is a patch | | | | release for NSS 3.46. The bug | | | | fixes in NSS 3.46.1 are | | | | described in the "Bugs Fixed" | | | | section below. It was released | | | | on 2 October 2019. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 154 | :ref:`mozilla_projec | | | | ts_nss_nss_3_47_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.47 on **18 October | | | | 2019**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 155 | :ref:`mozilla_projects | | | | _nss_nss_3_47_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.47.1 is a patch | | | | release for NSS 3.47. The bug | | | | fixes in NSS 3.47.1 are | | | | described in the "Bugs Fixed" | | | | section below. It was released | | | | on 19 November 2019. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 156 | :ref:`mozilla_projec | | | | ts_nss_nss_3_48_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.48 on **5 December | | | | 2019**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 157 | :ref:`mozilla_projects | | | | _nss_nss_3_48_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.48.1 is a patch | | | | release for NSS 3.48. The bug | | | | fixes in NSS 3.48.1 are | | | | described in the "Bugs Fixed" | | | | section below. It was released | | | | on **13 January 2020**. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 158 | :ref:`mozilla_projec | | | | ts_nss_nss_3_49_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.49 on **3 January | | | | 2020**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 159 | :ref:`mozilla_projects | | | | _nss_nss_3_49_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.49.1 is a patch | | | | release for NSS 3.49. The bug | | | | fixes in NSS 3.49.1 are | | | | described in the "Bugs Fixed" | | | | section below. It was released | | | | on **13 January 2020**. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 160 | :ref:`mozilla_projects | | | | _nss_nss_3_49_2_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.49.2 is a patch | | | | release for NSS 3.49. The bug | | | | fixes in NSS 3.49.2 are | | | | described in the "Bugs Fixed" | | | | section below. It was released | | | | on **23 January 2020**. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 161 | :ref:`mozilla_projec | | | | ts_nss_nss_3_50_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.50 on **7 February | | | | 2020**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 162 | :ref:`mozilla_projec | | | | ts_nss_nss_3_51_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.51 on **6 March | | | | 2020**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 163 | :ref:`mozilla_projects | | | | _nss_nss_3_51_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.51.1 on **3 April | | | | 2020**. This is a minor | | | | release focusing on functional | | | | bug fixes and low-risk patches | | | | only. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 164 | :ref:`mozilla_projec | | | | ts_nss_nss_3_52_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.52 on **1 May 2020**. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 165 | :ref:`mozilla_projects | | | | _nss_nss_3_52_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.52.1 on **19 May | | | | 2020**. This is a security | | | | patch release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 166 | :ref:`mozilla_projec | | | | ts_nss_nss_3_53_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team released Network | | | | Security Services (NSS) 3.53 | | | | on **29 May 2020**. NSS 3.53 | | | | will be a long-term support | | | | release, supporting Firefox 78 | | | | ESR. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 167 | :ref:`mozilla_projects | | | | _nss_nss_3_53_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.53.1 on **16 June | | | | 2020**. This is a security | | | | patch release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 168 | :ref:`mozilla_projec | | | | ts_nss_nss_3_54_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.54 on **26 June | | | | 2020**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 169 | :ref:`mozilla_projec | | | | ts_nss_nss_3_55_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.55 on **24 July | | | | 2020**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 170 | :ref:`mozilla_projec | | | | ts_nss_nss_3_56_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.56 on **21 August | | | | 2020**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 171 | :ref:`mozilla_projec | | | | ts_nss_nss_3_57_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.57 on **18 September | | | | 2020**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 172 | :ref:`mozilla_projec | | | | ts_nss_nss_3_58_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.58 on **16 October | | | | 2020**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 173 | :ref:`mozilla_projec | | | | ts_nss_nss_3_59_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.59 on **13 November | | | | 2020**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 174 | :ref:`mozilla_projects | | | | _nss_nss_3_59_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.59.1 on **18 December | | | | 2020**, which is a patch | | | | release for NSS 3.59. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 175 | :ref:`mozilla_projec | | | | ts_nss_nss_3_60_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.60 on **11 December | | | | 2020**, which is a minor | | | | release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 176 | :ref:`mozilla_projects | | | | _nss_nss_3_60_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team released Network | | | | Security Services (NSS) 3.60.1 | | | | on **4 January 2021**, which | | | | is a patch release for NSS | | | | 3.60. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 177 | :ref:`mozilla_projec | | | | ts_nss_nss_3_61_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team released Network | | | | Security Services (NSS) 3.61 | | | | on **22 January 2021**, which | | | | is a minor release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 178 | :ref:`mozilla_projec | | | | ts_nss_nss_3_62_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team released Network | | | | Security Services (NSS) 3.62 | | | | on **19 February 2021**, which | | | | is a minor release. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 179 | :ref:`mozilla_projec | | | | ts_nss_nss_3_63_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.63 was released on | | | | **18 March 2021**. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 180 | :ref:`mozilla_projects | | | | _nss_nss_3_63_1_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.63.1 was released on | | | | **6 April 2021**. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 181 | :ref:`mozilla_projec | | | | ts_nss_nss_3_64_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Network Security Services | | | | (NSS) 3.64 was released on | | | | **15 April 2021**. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 182 | :ref:`mozilla_pr | | | | ojects_nss_nss_api_guidelines` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 183 | :ref:`mozilla_pr | | | | ojects_nss_nss_config_options` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The specified ciphers will be | | | | allowed by policy, but an | | | | application may allow more by | | | | policy explicitly: | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 184 | :ref:`mozilla_projec | **NSS, Tutorial** | | | ts_nss_nss_developer_tutorial` | | +--------------------------------+--------------------------------+--------------------------------+ | | | **Line length** should not | | | | exceed 80 characters. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 185 | :ref:`mozilla_projects_n | | | | ss_nss_release_notes_template` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS team has released | | | | Network Security Services | | | | (NSS) 3.XX, which is a minor | | | | release. | | | | or | | | | Network Security Services | | | | (NSS) 3.XX.y is a patch | | | | release for NSS 3.XX. The bug | | | | fixes in NSS 3.XX.y are | | | | described in the "Bugs Fixed" | | | | section below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 186 | :ref:`mozi | **Landing, Mozilla, NSS, | | | lla_projects_nss_nss_releases` | Networking, Project, Release | | | | Notes, Security** | +--------------------------------+--------------------------------+--------------------------------+ | | | The current **Stable** release | | | | of NSS is 3.64, which was | | | | released on **15 April 2021**. | | | | (:ref:`mozilla_project | | | | s_nss_nss_3_64_release_notes`) | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 187 | :ref:`mozilla | **Example** | | | _projects_nss_nss_sample_code` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The collection of sample code | | | | here demonstrates how NSS can | | | | be used for cryptographic | | | | operations, certificate | | | | handling, SSL, etc. It also | | | | demonstrates some best | | | | practices in the application | | | | of cryptography. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 188 | :ref:`mozilla_projec | | | | ts_nss_nss_sample_code_enc_dec | | | | _mac_output_plblic_key_as_csr` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Generates encryption/mac keys | | | | and outputs public key as | | | | certificate signing request | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 189 | :ref:`mozilla_projects_nss_ns | | | | s_sample_code_enc_dec_mac_usin | | | | g_key_wrap_certreq_pkcs10_csr` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Generates encryption/mac keys | | | | and outputs public key as | | | | pkcs11 certificate signing | | | | request | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 190 | :ref:`mozilla_p | | | | rojects_nss_nss_sample_code_en | | | | crypt_decrypt_mac_using_token` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Generates encryption/mac keys | | | | and uses token for storing. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 191 | :ref:`mozilla_pr | **Examples, NSS, Security** | | | ojects_nss_nss_sample_code_nss | | | | _sample_code_sample_1_hashing` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This is an example program | | | | that demonstrates how to | | | | compute the hash of a file and | | | | save it to another file. This | | | | program illustrates the use of | | | | NSS message APIs. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 192 | :ref:`mozilla_projects_nss_nss | **Examples, NSS, Security** | | | _sample_code_nss_sample_code_s | | | | ample_2_initialization_of_nss` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This example program | | | | demonstrates how to initialize | | | | the NSS Database. This | | | | program illustrates password | | | | handling. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 193 | :ref | **Examples, NSS, Security** | | | :`mozilla_projects_nss_nss_sam | | | | ple_code_nss_sample_code_sampl | | | | e_3_basic_encryption_and_maci` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This example program | | | | demonstrates how to encrypt | | | | and MAC a file. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 194 | :ref:`m | | | | ozilla_projects_nss_nss_sample | | | | _code_nss_sample_code_sample1` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This is an example program | | | | that demonstrates how to do | | | | key generation and transport | | | | between cooperating servers. | | | | This program shows the | | | | following: | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 195 | :ref:`m | | | | ozilla_projects_nss_nss_sample | | | | _code_nss_sample_code_sample2` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 196 | :ref:`m | | | | ozilla_projects_nss_nss_sample | | | | _code_nss_sample_code_sample3` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 197 | :ref:`m | | | | ozilla_projects_nss_nss_sample | | | | _code_nss_sample_code_sample4` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 198 | :ref:`m | | | | ozilla_projects_nss_nss_sample | | | | _code_nss_sample_code_sample5` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 199 | :ref:`m | | | | ozilla_projects_nss_nss_sample | | | | _code_nss_sample_code_sample6` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 200 | :ref:`mozil | **Examples, NSS, Security** | | | la_projects_nss_nss_sample_cod | | | | e_nss_sample_code_utililies_1` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This is a library of utilities | | | | used by many of the samples. | | | | This code shows the following: | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 201 | : | **HTML, Hashing Sample, | | | ref:`mozilla_projects_nss_nss_ | JavaScript, NSS, Web | | | sample_code_sample1_-_hashing` | Development, hashing** | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS same code below | | | | computes the hash of a file | | | | and saves it to another file, | | | | this illustrates the use of | | | | NSS message APIs. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 202 | :ref:`mozilla_project | **Example, NSS** | | | s_nss_nss_sample_code_sample1` | | +--------------------------------+--------------------------------+--------------------------------+ | | | 1. A program to compute the | | | | hash of a file and save it to | | | | another file. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 203 | :ref:`mozilla_pro | **HTML, JavaScript, NSS, NSS | | | jects_nss_nss_sample_code_samp | Article, NSS Initialization, | | | le2_-_initialize_nss_database` | Web Development** | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS sample code below | | | | demonstrates how to initialize | | | | the NSS database. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 204 | :ref:`mozilla_project | | | | s_nss_nss_sample_code_sample2` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 205 | :ref:`mozilla_projects | **EncDeCMac, HTML, NCC, NCC | | | _nss_nss_sample_code_sample3_- | Article, Web, Web | | | _encdecmac_using_token_object` | Development** | +--------------------------------+--------------------------------+--------------------------------+ | | | Computes the hash of a file | | | | and saves it to another file, | | | | illustrates the use of NSS | | | | message APIs. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 206 | :ref:`moz | | | | illa_projects_nss_nss_sample_c | | | | ode_utiltiies_for_nss_samples` | | +--------------------------------+--------------------------------+--------------------------------+ | | | These utility functions are | | | | adapted from those found in | | | | the sectool library used by | | | | the NSS security tools and | | | | other NSS test applications. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 207 | :ref:`mozilla_projects_nss | **Build documentation, Guide, | | | _nss_sources_building_testing` | NSS, Security** | +--------------------------------+--------------------------------+--------------------------------+ | | | Getting the source code of | | | | :ref:`mozilla_projects_nss`, | | | | how to build it, and how to | | | | run its test suite. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 208 | :ref:`mozill | **NSS** | | | a_projects_nss_nss_tech_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 209 | :ref:`mozilla_projects_nss_ | | | | nss_tech_notes_nss_tech_note1` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The main non-streaming APIs | | | | for these two decoders have an | | | | identical prototype : | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 210 | :ref:`mozilla_projects_nss_ | | | | nss_tech_notes_nss_tech_note2` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The logger displays all | | | | activity between NSS and a | | | | specified PKCS #11 module. It | | | | works by inserting a special | | | | set of entry points between | | | | NSS and the module. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 211 | :ref:`mozilla_projects_nss_ | | | | nss_tech_notes_nss_tech_note3` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 212 | :ref:`mozilla_projects_nss_ | | | | nss_tech_notes_nss_tech_note4` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 213 | :ref:`mozilla_projects_nss_ | | | | nss_tech_notes_nss_tech_note5` | | +--------------------------------+--------------------------------+--------------------------------+ | | | **Note:** AES encryption, a | | | | fixed blocksize of 16 bytes is | | | | used. The Rijndael algorithm | | | | permits 3 blocksizes (16, 24, | | | | 32 bytes), but the AES | | | | standard requires the | | | | blocksize to be 16 bytes. The | | | | keysize can vary and these | | | | keysizes are permitted: 16, | | | | 24, 32 bytes. | | | | You can also look at a `sample | | | | program <. | | | | ./sample-code/sample2.html>`__ | | | | illustrating encryption | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 214 | :ref:`mozilla_projects_nss_ | | | | nss_tech_notes_nss_tech_note6` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The following applies to NSS | | | | 3.8 through 3.10 : | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 215 | :ref:`mozilla_projects_nss_ | | | | nss_tech_notes_nss_tech_note7` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This technical note explains | | | | how to use NSS to perform RSA | | | | signing and encryption. The | | | | industry standard for RSA | | | | signing and encryption is | | | | `PKCS | | | | #1 `__. | | | | NSS supports PKCS #1 v1.5. NSS | | | | doesn't yet support PKCS #1 | | | | v2.0 and v2.1, in particular | | | | OAEP, but OAEP support is on | | | | our `to-do | | | | li | | | | st `__. | | | | Your contribution is welcome. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 216 | :ref:`mozilla_projects_nss_ | | | | nss_tech_notes_nss_tech_note8` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 217 | :ref:`mozilla_proj | **NSS, Security, Third-Party | | | ects_nss_nss_third-party_code` | Code** | +--------------------------------+--------------------------------+--------------------------------+ | | | This is a list of third-party | | | | code included in the NSS | | | | repository, broken into two | | | | lists: Code that can be | | | | compiled into the NSS | | | | libraries, and code that is | | | | only used for testing. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 218 | :ref:`mozilla_proje | | | | cts_nss_nss_tools_sslstrength` | | +--------------------------------+--------------------------------+--------------------------------+ | | | 2) sslstrength hostname[:port] | | | | [ciphers=xyz] [debug] | | | | [verbose] | | | | [policy=export|domestic] | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 219 | :ref:` | **NSS** | | | mozilla_projects_nss_overview` | | +--------------------------------+--------------------------------+--------------------------------+ | | | If you want to add support for | | | | SSL, S/MIME, or other Internet | | | | security standards to your | | | | application, you can use | | | | Network Security Services | | | | (NSS) to implement all your | | | | security features. NSS | | | | provides a complete | | | | open-source implementation of | | | | the crypto libraries used by | | | | AOL, Red Hat, Google, and | | | | other companies in a variety | | | | of products, including the | | | | following: | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 220 | :ref:`mozilla_p | **NSS** | | | rojects_nss_pkcs_12_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The public functions listed | | | | here perform PKCS #12 | | | | operations required by some of | | | | the NSS tools and other | | | | applications. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 221 | :ref:`mozilla_ | **NSS** | | | projects_nss_pkcs_7_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The public functions listed | | | | here perform PKCS #7 | | | | operations required by mail | | | | and news applications and by | | | | some of the NSS tools. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 222 | :ref:`mozilla_ | **NSS** | | | projects_nss_pkcs11_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This chapter describes the | | | | core PKCS #11 functions that | | | | an application needs for | | | | communicating with | | | | cryptographic modules. In | | | | particular, these functions | | | | are used for obtaining | | | | certificates, keys, and | | | | passwords. This was converted | | | | from `"Chapter 7: PKCS #11 | | | | Functions" `__. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 223 | :ref:`mozilla_ | | | | projects_nss_pkcs11_implement` | | +--------------------------------+--------------------------------+--------------------------------+ | | | **NOTE:** This document was | | | | originally for the Netscape | | | | Security Library that came | | | | with Netscape Communicator | | | | 4.0. This note will be removed | | | | once the document is updated | | | | for the current version of | | | | NSS. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 224 | :ref | **NSS, Security** | | | :`mozilla_projects_nss_pkcs11` | | +--------------------------------+--------------------------------+--------------------------------+ | | | PKCS #11 information for | | | | implementors of cryptographic | | | | modules: | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 225 | :ref:`mo | **NSS, Security** | | | zilla_projects_nss_pkcs11_faq` | | +--------------------------------+--------------------------------+--------------------------------+ | | | NSS searches all the installed | | | | PKCS #11 modules when looking | | | | for certificates. Once you've | | | | installed the module, the | | | | module's certificates simply | | | | appear in the list of | | | | certificates displayed in the | | | | Certificate window. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 226 | :ref:`mozilla_projects_n | **Authentication, Biometric, | | | ss_pkcs11_module_installation` | Mozilla, NSS, PKCS #11, | | | | Projects, Security, Smart | | | | Card, Smart-card, Smartcard, | | | | pkcs11** | +--------------------------------+--------------------------------+--------------------------------+ | | | `PKCS #11 `__ | | | | modules are external modules | | | | which add to Firefox support | | | | for smartcard readers, | | | | biometric security devices, | | | | and external certificate | | | | stores. This article covers | | | | the two methods for installing | | | | PKCS #11 modules into Firefox. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 227 | :ref:`mozilla_pro | **NSS** | | | jects_nss_pkcs11_module_specs` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The following is a proposal to | | | | the | | | | `PKCS `__ | | | | #11 working group made in | | | | August 2001 for configuring | | | | PKCS #11 modules. NSS | | | | currently implements this | | | | proposal internally. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 228 | :ref:`mozilla_projec | | | | ts_nss_python_binding_for_nss` | | +--------------------------------+--------------------------------+--------------------------------+ | | | python-nss is a Python binding | | | | for NSS (Network Security | | | | Services) and NSPR (Netscape | | | | Portable Runtime). NSS | | | | provides cryptography services | | | | supporting SSL, TLS, PKI, | | | | PKIX, X509, PKCS*, etc. NSS is | | | | an alternative to OpenSSL and | | | | used extensively by major | | | | software projects. NSS is | | | | FIPS-140 certified. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 229 | :ref:`m | **NSS** | | | ozilla_projects_nss_reference` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Based on | | | | :ref:`mozilla_projec | | | | ts_nss_ssl_functions_sslintro` | | | | in the SSL Reference. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 230 | :ref: | **NSS** | | | `mozilla_projects_nss_referenc | | | | e_building_and_installing_nss` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This chapter describes how to | | | | build and install NSS. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 231 | :ref:`mozilla_projects_n | **NSS** | | | ss_reference_building_and_inst | | | | alling_nss_build_instructions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Numerous optional features of | | | | NSS builds are controlled | | | | through make variables. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 232 | :ref:`mozilla_projects_n | **NSS** | | | ss_reference_building_and_inst | | | | alling_nss_installation_guide` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The build system of NSS | | | | originated from Netscape's | | | | build system, which predated | | | | the "configure; make; make | | | | test; make install" sequence | | | | that we're familiar with now. | | | | Our makefiles also have an | | | | "install" target, but it has a | | | | different meaning: our | | | | "install" means installing the | | | | headers, libraries, and | | | | programs in the appropriate | | | | directories under | | | | mozilla/dist. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 233 | :ref:`mozilla_project | | | | s_nss_reference_building_and_i | | | | nstalling_nss_migration_to_hg` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSPR, NSS and related | | | | projects have stopped using | | | | Mozilla'a CVS server, but have | | | | migrated to | | | | Mozilla's HG (Mercurial) | | | | server. | | | | Each project now lives in its | | | | own separate space, they can | | | | be found at: | | | | https:/ | | | | /hg.mozilla.org/projects/nspr/ | | | | https: | | | | //hg.mozilla.org/projects/nss/ | | | | https: | | | | //hg.mozilla.org/projects/jss/ | | | | | | | | https://hg.mo | | | | zilla.org/projects/python-nss/ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 234 | :r | **NSS** | | | ef:`mozilla_projects_nss_refer | | | | ence_building_and_installing_n | | | | ss_sample_manual_installation` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The NSS build system does not | | | | include a target to install | | | | header files and shared | | | | libraries in the system | | | | directories, so this needs to | | | | be done manually. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 235 | :ref:`mozilla_projects_ns | **NSS** | | | s_reference_fc_cancelfunction` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_CancelFunction - cancel a | | | | function running in parallel | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 236 | :ref:`mozilla_projects_nss_ | **NSS** | | | reference_fc_closeallsessions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_CloseAllSessions - close | | | | all sessions between an | | | | application and a token. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 237 | :ref:`mozilla_projects_ | **NSS** | | | nss_reference_fc_closesession` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_CloseSession - close a | | | | session opened between an | | | | application and a token. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 238 | :ref:`mozilla_project | **NSS** | | | s_nss_reference_fc_copyobject` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_CopyObject - create a copy | | | | of an object. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 239 | :ref:`mozilla_projects_ | **NSS** | | | nss_reference_fc_createobject` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_CreateObject - create a new | | | | object. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 240 | :ref:`mozilla_proj | **NSS** | | | ects_nss_reference_fc_decrypt` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_Decrypt - Decrypt a block | | | | of data. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 241 | :ref:`mozilla_projects_nss_ref | **NSS** | | | erence_fc_decryptdigestupdate` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DecryptDigestUpdate - | | | | continue a multi-part decrypt | | | | and digest operation | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 242 | :ref:`mozilla_projects_ | **NSS** | | | nss_reference_fc_decryptfinal` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DecryptFinal - finish a | | | | multi-part decryption | | | | operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 243 | :ref:`mozilla_projects | **NSS** | | | _nss_reference_fc_decryptinit` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DecryptInit - initialize a | | | | decryption operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 244 | :ref:`mozilla_projects_n | **NSS** | | | ss_reference_fc_decryptupdate` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DecryptUpdate - decrypt a | | | | block of a multi-part | | | | encryption operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 245 | :ref:`mozilla_projects_nss_ref | **NSS** | | | erence_fc_decryptverifyupdate` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DecryptVerifyUpdate - | | | | continue a multi-part decrypt | | | | and verify operation | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 246 | :ref:`mozilla_projec | **NSS** | | | ts_nss_reference_fc_derivekey` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DeriveKey - derive a key | | | | from a base key | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 247 | :ref:`mozilla_projects_n | **NSS** | | | ss_reference_fc_destroyobject` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DestroyObject - destroy an | | | | object. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 248 | :ref:`mozilla_pro | **NSS** | | | jects_nss_reference_fc_digest` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_Digest - digest a block of | | | | data. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 249 | :ref:`mozilla_projects_nss_ref | **NSS** | | | erence_fc_digestencryptupdate` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DigestEncryptUpdate - | | | | continue a multi-part digest | | | | and encryption operation | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 250 | :ref:`mozilla_projects | **NSS** | | | _nss_reference_fc_digestfinal` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DigestFinal - finish a | | | | multi-part digest operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 251 | :ref:`mozilla_project | **NSS** | | | s_nss_reference_fc_digestinit` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DigestInit - initialize a | | | | message-digest operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 252 | :ref:`mozilla_projec | **NSS** | | | ts_nss_reference_fc_digestkey` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DigestKey - add the digest | | | | of a key to a multi-part | | | | digest operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 253 | :ref:`mozilla_projects_ | **NSS** | | | nss_reference_fc_digestupdate` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_DigestUpdate - process the | | | | next block of a multi-part | | | | digest operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 254 | :ref:`mozilla_proj | **NSS** | | | ects_nss_reference_fc_encrypt` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_Encrypt - Encrypt a block | | | | of data. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 255 | :ref:`mozilla_projects_ | **NSS** | | | nss_reference_fc_encryptfinal` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_EncryptFinal - finish a | | | | multi-part encryption | | | | operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 256 | :ref:`mozilla_projects | **NSS** | | | _nss_reference_fc_encryptinit` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_EncryptInit - initialize an | | | | encryption operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 257 | :ref:`mozilla_projects_n | **NSS** | | | ss_reference_fc_encryptupdate` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_EncryptUpdate - encrypt a | | | | block of a multi-part | | | | encryption operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 258 | :ref:`mozilla_proje | **NSS** | | | cts_nss_reference_fc_finalize` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_Finalize - indicate that an | | | | application is done with the | | | | PKCS #11 library. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 259 | :ref:`mozilla_projects | **NSS** | | | _nss_reference_fc_findobjects` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_FindObjects - Search for | | | | one or more objects | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 260 | :ref:`mozilla_projects_nss_ | **NSS** | | | reference_fc_findobjectsfinal` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_FindObjectsFinal - | | | | terminate an object search. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 261 | :ref:`mozilla_projects_nss | **NSS** | | | _reference_fc_findobjectsinit` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_FindObjectsInit - | | | | initialize the parameters for | | | | an object search. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 262 | :ref:`mozilla_projects | **NSS** | | | _nss_reference_fc_generatekey` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GenerateKey - generate a | | | | new key | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 263 | :ref:`mozilla_projects_nss | **NSS** | | | _reference_fc_generatekeypair` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GenerateKeyPair - generate | | | | a new public/private key pair | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 264 | :ref:`mozilla_projects_ns | **NSS** | | | s_reference_fc_generaterandom` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GenerateRandom - generate a | | | | random number. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 265 | :ref:`mozilla_projects_nss_r | **NSS** | | | eference_fc_getattributevalue` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetAttributeValue - get the | | | | value of attributes of an | | | | object. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 266 | :ref:`mozilla_projects_nss | **NSS** | | | _reference_fc_getfunctionlist` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetFunctionList - get a | | | | pointer to the list of | | | | function pointers in the FIPS | | | | mode of operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 267 | :ref:`mozilla_projects_nss_r | **NSS** | | | eference_fc_getfunctionstatus` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetFunctionStatus - get the | | | | status of a function running | | | | in parallel | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 268 | :ref:`mozilla_proj | **NSS** | | | ects_nss_reference_fc_getinfo` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetInfo - return general | | | | information about the PKCS #11 | | | | library. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 269 | :ref:`mozilla_projects_nss_ | **NSS** | | | reference_fc_getmechanisminfo` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetMechanismInfo - get | | | | information on a particular | | | | mechanism. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 270 | :ref:`mozilla_projects_nss_ | **NSS** | | | reference_fc_getmechanismlist` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetMechanismList - get a | | | | list of mechanism types | | | | supported by a token. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 271 | :ref:`mozilla_projects_n | **NSS** | | | ss_reference_fc_getobjectsize` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetObjectSize - create a | | | | copy of an object. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 272 | :ref:`mozilla_projects_nss_r | **NSS** | | | eference_fc_getoperationstate` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetOperationState - get the | | | | cryptographic operation state | | | | of a session. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 273 | :ref:`mozilla_projects_ns | **NSS** | | | s_reference_fc_getsessioninfo` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetSessionInfo - obtain | | | | information about a session. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 274 | :ref:`mozilla_projects | **NSS** | | | _nss_reference_fc_getslotinfo` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetSlotInfo - get | | | | information about a particular | | | | slot in the system. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 275 | :ref:`mozilla_projects | **NSS** | | | _nss_reference_fc_getslotlist` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetSlotList - Obtain a list | | | | of slots in the system. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 276 | :ref:`mozilla_projects_ | **NSS** | | | nss_reference_fc_gettokeninfo` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_GetTokenInfo - obtain | | | | information about a particular | | | | token in the system. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 277 | :ref:`mozilla_project | **NSS** | | | s_nss_reference_fc_initialize` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_Initialize - initialize the | | | | PKCS #11 library. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 278 | :ref:`mozilla_proj | **NSS** | | | ects_nss_reference_fc_initpin` | | +--------------------------------+--------------------------------+--------------------------------+ | | | ``FC_InitPIN()`` - Initialize | | | | the user's PIN. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 279 | :ref:`mozilla_projec | **NSS** | | | ts_nss_reference_fc_inittoken` | | +--------------------------------+--------------------------------+--------------------------------+ | | | ``FC_InitToken()`` - | | | | initialize or re-initialize a | | | | token. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 280 | :ref:`mozilla_pr | **NSS** | | | ojects_nss_reference_fc_login` | | +--------------------------------+--------------------------------+--------------------------------+ | | | ``FC_Login()`` - log a user | | | | into a token. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 281 | :ref:`mozilla_pro | **NSS** | | | jects_nss_reference_fc_logout` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_Logout - log a user out | | | | from a token. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 282 | :ref:`mozilla_projects | **NSS** | | | _nss_reference_fc_opensession` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_OpenSession - open a | | | | session between an application | | | | and a token. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 283 | :ref:`mozilla_project | **NSS** | | | s_nss_reference_fc_seedrandom` | | +--------------------------------+--------------------------------+--------------------------------+ | | | ``FC_SeedRandom()`` - mix | | | | additional seed material into | | | | the random number generator. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 284 | :ref:`mozilla_projects_nss_r | **NSS** | | | eference_fc_setattributevalue` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_SetAttributeValue - set the | | | | values of attributes of an | | | | object. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 285 | :ref:`mozilla_projects_nss_r | **NSS** | | | eference_fc_setoperationstate` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_SetOperationState - restore | | | | the cryptographic operation | | | | state of a session. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 286 | :ref:`mozilla_pro | **NSS** | | | jects_nss_reference_fc_setpin` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_SetPIN - Modify the user's | | | | PIN. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 287 | :ref:`mozilla_p | **NSS** | | | rojects_nss_reference_fc_sign` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_Sign - sign a block of | | | | data. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 288 | :ref:`mozilla_projects_nss_r | **NSS** | | | eference_fc_signencryptupdate` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_SignEncryptUpdate - | | | | continue a multi-part signing | | | | and encryption operation | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 289 | :ref:`mozilla_projec | **NSS** | | | ts_nss_reference_fc_signfinal` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_SignFinal - finish a | | | | multi-part signing operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 290 | :ref:`mozilla_proje | **NSS** | | | cts_nss_reference_fc_signinit` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_SignInit - initialize a | | | | signing operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 291 | :ref:`mozilla_projects | **NSS** | | | _nss_reference_fc_signrecover` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_SignRecover - Sign data in | | | | a single recoverable | | | | operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 292 | :ref:`mozilla_projects_nss | **NSS** | | | _reference_fc_signrecoverinit` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_SignRecoverInit - | | | | initialize a sign recover | | | | operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 293 | :ref:`mozilla_project | **NSS** | | | s_nss_reference_fc_signupdate` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_SignUpdate - process the | | | | next block of a multi-part | | | | signing operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 294 | :ref:`mozilla_projec | **NSS** | | | ts_nss_reference_fc_unwrapkey` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_UnwrapKey - unwrap a key | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 295 | :ref:`mozilla_pro | **NSS** | | | jects_nss_reference_fc_verify` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_Verify - sign a block of | | | | data. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 296 | :ref:`mozilla_projects | **NSS** | | | _nss_reference_fc_verifyfinal` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_VerifyFinal - finish a | | | | multi-part verify operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 297 | :ref:`mozilla_project | **NSS** | | | s_nss_reference_fc_verifyinit` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_VerifyInit - initialize a | | | | verification operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 298 | :ref:`mozilla_projects_n | **NSS** | | | ss_reference_fc_verifyrecover` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_VerifyRecover - Verify data | | | | in a single recoverable | | | | operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 299 | :ref:`mozilla_projects_nss_r | **NSS** | | | eference_fc_verifyrecoverinit` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_VerifyRecoverInit - | | | | initialize a verification | | | | operation where data is | | | | recoverable. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 300 | :ref:`mozilla_projects_ | **NSS** | | | nss_reference_fc_verifyupdate` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_VerifyUpdate - process the | | | | next block of a multi-part | | | | verify operation. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 301 | :ref:`mozilla_projects_nss_ | **NSS** | | | reference_fc_waitforslotevent` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_WaitForSlotEvent - waits | | | | for a slot event, such as | | | | token insertion or token | | | | removal, to occur. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 302 | :ref:`mozilla_proj | **NSS** | | | ects_nss_reference_fc_wrapkey` | | +--------------------------------+--------------------------------+--------------------------------+ | | | FC_WrapKey - wrap a key | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 303 | :ref:`mozilla_project | **NSS** | | | s_nss_reference_nsc_inittoken` | | +--------------------------------+--------------------------------+--------------------------------+ | | | ``NSC_InitToken()`` - | | | | initialize or re-initialize a | | | | token. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 304 | :ref:`mozilla_pro | **NSS** | | | jects_nss_reference_nsc_login` | | +--------------------------------+--------------------------------+--------------------------------+ | | | ``NSC_Login()`` - log a user | | | | into a token. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 305 | :ref:`mozilla_projects | | | | _nss_reference_nspr_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | `NSPR `__ | | | | is a platform abstraction | | | | library that provides a | | | | cross-platform API to common | | | | OS services. NSS uses NSPR | | | | internally as the porting | | | | layer. However, a small | | | | number of NSPR functions are | | | | required for using the | | | | certificate verification and | | | | SSL functions in NSS. These | | | | NSPR functions are listed in | | | | this section. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 306 | :re | **NSS** | | | f:`mozilla_projects_nss_refere | | | | nce_nss_certificate_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This chapter describes the | | | | functions and related types | | | | used to work with a | | | | certificate database such as | | | | the cert8.db database provided | | | | with NSS. This was converted | | | | from `"Chapter 5: Certificate | | | | Functions" `__. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 307 | :r | **NSS** | | | ef:`mozilla_projects_nss_refer | | | | ence_nss_cryptographic_module` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This chapter describes the | | | | data types and functions that | | | | one can use to perform | | | | cryptographic operations with | | | | the NSS cryptographic module. | | | | The NSS cryptographic module | | | | uses the industry standard | | | | `PKCS | | | | #11 `__ | | | | v2.20 as its API with some | | | | extensions. Therefore, an | | | | application that supports PKCS | | | | #11 cryptographic tokens can | | | | be easily modified to use the | | | | NSS cryptographic module. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 308 | :ref:`mozilla_projects_ns | **NSS** | | | s_reference_nss_cryptographic_ | | | | module_fips_mode_of_operation` | | +--------------------------------+--------------------------------+--------------------------------+ | | | These functions manage | | | | certificates and keys. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 309 | :re | **NSS** | | | f:`mozilla_projects_nss_refere | | | | nce_nss_environment_variables` | | +--------------------------------+--------------------------------+--------------------------------+ | | | These environment variables | | | | affect the RUN TIME behavior | | | | of NSS shared libraries. There | | | | is a separate set of | | | | environment variables that | | | | affect how NSS is built, | | | | documented below. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 310 | :ref:`mozilla_project | **NSS** | | | s_nss_reference_nss_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This page lists all exported | | | | functions in NSS 3.11.7 It was | | | | ported from | | | | `here `__. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 311 | :ref:`mozilla_projects | | | | _nss_reference_nss_initialize` | | +--------------------------------+--------------------------------+--------------------------------+ | | | NSS_Initialize - initialize | | | | NSS. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 312 | :ref:`mozilla_projects_ns | **NSS** | | | s_reference_nss_key_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This chapter describes two | | | | functions used to manipulate | | | | private keys and key databases | | | | such as the key3.db database | | | | provided with NSS. This was | | | | converted from `"Chapter 6: | | | | Key | | | | Functions" `__. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 313 | :ref:`mozilla_projects_nss_r | | | | eference_nss_tools_:_certutil` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | | | | certutil — Manage keys and | | | | certificate in both NSS | | | | databases and other NSS tokens | | | | Synopsis | | | | certutil [options] | | | | [[arguments]] | | | | Description | | | | The Certificate Database | | | | Tool, certutil, is a | | | | command-line utility | | | | that can create and modify | | | | certificate and key databases. | | | | It can specifically list, | | | | generate, modify, or delete | | | | certificates, create or | | | | change the password, | | | | generate new public and | | | | private key pairs, | | | | display the contents of the | | | | key database, or delete key | | | | pairs within the key | | | | database. | | | | Certificate issuance, part | | | | of the key and certificate | | | | management process, requires | | | | that | | | | keys and certificates be | | | | created in the key database. | | | | This document discusses | | | | certificate | | | | and key database | | | | management. For information on | | | | the security module database | | | | management, | | | | see the modutil manpage. | | | | Options and Arguments | | | | Running certutil always | | | | requires one and only one | | | | command option to | | | | specify the type of | | | | certificate operation. Each | | | | option may take arguments, | | | | anywhere from none to | | | | multiple arguments. The | | | | command option -H will list | | | | all the command options | | | | available and their relevant | | | | arguments. | | | | Command Options | | | | -A | | | | Add an existing | | | | certificate to a certificate | | | | database. | | | | The certificate | | | | database should already exist; | | | | if one is | | | | not present, this | | | | command option will initialize | | | | one by default. | | | | -B | | | | Run a series of | | | | commands from the specified | | | | batch file. | | | | This requires the -i | | | | argument. | | | | -C | | | | Create a new binary | | | | certificate file from a binary | | | | certificate request | | | | file. Use the -i argument to | | | | specify | | | | the certificate | | | | request file. If this argument | | | | is not | | | | used, certutil | | | | prompts for a filename. | | | | -D | | | | Delete a certificate | | | | from the certificate database. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 314 | :ref:`mozilla_projects_nss_ | | | | reference_nss_tools_:_cmsutil` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 315 | :ref:`mozilla_projects_nss_ | **Reference** | | | reference_nss_tools_:_crlutil` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 316 | :ref:`mozilla_projects_nss_ | **Mozilla, NSS, Reference, | | | reference_nss_tools_:_modutil` | Security, Tools, Utilities, | | | | modutil** | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 317 | :ref:`mozilla_projects_nss_r | | | | eference_nss_tools_:_pk12util` | | +--------------------------------+--------------------------------+--------------------------------+ | | | NSS tools : pk12util | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 318 | :ref:`mozilla_projects_nss | | | | _reference_nss_tools_:_ssltab` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 319 | :ref:`mozilla_projects_nss | | | | _reference_nss_tools_:_ssltap` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 320 | :ref:`mozilla_projects_nss_r | | | | eference_nss_tools_:_vfychain` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 321 | :ref:`mozilla_projects_nss_ | | | | reference_nss_tools_:_vfyserv` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 322 | :ref:`mozilla_pro | | | | jects_nss_reference_nss_tools` | | +--------------------------------+--------------------------------+--------------------------------+ | | | certutil | | | | :ref:`mozilla_projects_nss_r | | | | eference_nss_tools_:_certutil` | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 323 | :ref:`mozilla_projec | | | | ts_nss_reference_troubleshoot` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 324 | :ref:`mozil | | | | la_projects_nss_release_notes` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This page lists release notes | | | | for older versions of NSS. | | | | See :ref:`mozi | | | | lla_projects_nss_nss_releases` | | | | :ref:`mozi | | | | lla_projects_nss_nss_releases` | | | | for recent release notes. The | | | | links below are provided for | | | | historical information. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 325 | :ref:`mozilla_ | **NSS** | | | projects_nss_s_mime_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The public functions listed | | | | here perform S/MIME operations | | | | using the `S/MIME | | | | Toolkit `__. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 326 | :ref:`mozil | **NSS** | | | la_projects_nss_ssl_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The public functions listed | | | | here are used to configure | | | | sockets for communication via | | | | the SSL and TLS protocols. In | | | | addition to the functions | | | | listed here, applications that | | | | support SSL use some of the | | | | Certificate functions, Crypto | | | | functions, and Utility | | | | functions described below on | | | | this page. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 327 | :ref:`mozilla_pro | | | | jects_nss_ssl_functions_gtstd` | | +--------------------------------+--------------------------------+--------------------------------+ | | | This chapter describes how to | | | | set up your environment, | | | | including certificate and key | | | | databases. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 328 | :ref:`mozilla_projects_nss_ss | **NSS** | | | l_functions_old_ssl_reference` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *New | | | | sgroup:*\ `mozilla.dev.tech.cr | | | | ypto `__\ * | | | | Writer: Sean Cotter | | | | Manager: Wan-Teh Chang* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 329 | :ref:`mozilla_pro | | | | jects_nss_ssl_functions_pkfnc` | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 330 | :ref:`mozilla_proj | | | | ects_nss_ssl_functions_sslcrt` | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 331 | :ref:`mozilla_proj | | | | ects_nss_ssl_functions_sslerr` | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 332 | :ref:`mozilla_proj | | | | ects_nss_ssl_functions_sslfnc` | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 333 | :ref:`mozilla_projec | | | | ts_nss_ssl_functions_sslintro` | | +--------------------------------+--------------------------------+--------------------------------+ | | | SSL and related APIs allow | | | | compliant applications to | | | | configure sockets for | | | | authenticated, tamper-proof, | | | | and encrypted communications. | | | | This chapter introduces some | | | | of the basic SSL functions. | | | | `Chapter 2, "Getting Started | | | | With | | | | SSL" `__ | | | | illustrates their use in | | | | sample client and server | | | | applications. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 334 | :ref:`mozilla_proj | | | | ects_nss_ssl_functions_sslkey` | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 335 | :ref:`mozilla_proj | | | | ects_nss_ssl_functions_ssltyp` | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 336 | :ref:`mozilla_projects_n | **NSS** | | | ss_tls_cipher_suite_discovery` | | +--------------------------------+--------------------------------+--------------------------------+ | | | In order to communicate | | | | securely, an TLS client and | | | | TLS server must agree on the | | | | cryptographic algorithms and | | | | keys that they will both use | | | | on the secured connection. | | | | They must agree on these | | | | items: | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 337 | :re | **NSS** | | | f:`mozilla_projects_nss_tools` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 338 | :ref:`mozill | | | | a_projects_nss_tools_certutil` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | | | | certutil — Manage keys and | | | | certificate in the NSS | | | | database. | | | | Synopsis | | | | certutil [options] | | | | `arguments `__ | | | | Description | | | | The Certificate Database | | | | Tool, certutil, is a | | | | command-line utility that | | | | can create and modify | | | | certificate and key database | | | | files. It can also | | | | list, generate, modify, or | | | | delete certificates within the | | | | database, create | | | | or change the password, | | | | generate new public and | | | | private key pairs, display | | | | the contents of the key | | | | database, or delete key pairs | | | | within the key | | | | database. | | | | The key and certificate | | | | management process generally | | | | begins with creating | | | | keys in the key database, | | | | then generating and managing | | | | certificates in the | | | | certificate database. This | | | | document discusses certificate | | | | and key database | | | | management. For information | | | | security module database | | | | management, see the | | | | modutil manpages. | | | | Options and Arguments | | | | Running certutil always | | | | requires one (and only one) | | | | option to specify the | | | | type of certificate | | | | operation. Each option may | | | | take arguments, anywhere | | | | from none to multiple | | | | arguments. Run the command | | | | option and -H to see the | | | | arguments available for | | | | each command option. | | | | Options | | | | Options specify an action | | | | and are uppercase. | | | | -A | | | | Add an existing | | | | certificate to a certificate | | | | database. The | | | | certificate | | | | database should already exist; | | | | if one is not present, | | | | this option will | | | | initialize one by default. | | | | -B | | | | Run a series of | | | | commands from the specified | | | | batch file. This | | | | requires the -i | | | | argument. | | | | -C | | | | Create a new binary | | | | certificate file from a binary | | | | certificate | | | | request file. Use | | | | the -i argument to specify the | | | | certificate | | | | request file. If | | | | this argument is not used, | | | | certutil prompts for a | | | | filename. | | | | -D | | | | Delete a | | | | certificate from the | | | | certificate database. | | | | -E | | | | Add an email | | | | certificate to the certificate | | | | database. | | | | -F | | | | Delete a private | | | | key from a key database. | | | | Specify the key to | | | | delete with the -n | | | | argument. Specify the database | | | | from which to | | | | delete the key with | | | | the -d argument. Use the -k | | | | argument to | | | | specify explicitly | | | | whether to delete a DSA, RSA, | | | | or ECC key. If | | | | you don't use the | | | | -k argument, the option looks | | | | for an RSA key | | | | matching the | | | | specified nickname. | | | | When you delete | | | | keys, be sure to also remove | | | | any certificates | | | | associated with | | | | those keys from the | | | | certificate database, by using | | | | -D. Some smart | | | | cards (for example, the | | | | Litronic card) do not let | | | | you remove a public | | | | key you have generated. In | | | | such a case, only | | | | the private key is | | | | deleted from the key pair. You | | | | can display the | | | | public key with the | | | | command certutil -K -h | | | | tokenname. | | | | -G | | | | Generate a new | | | | public and private key pair | | | | within a key database. | | | | The key database | | | | should already exist; if one | | | | is not present, this | | | | option will | | | | initialize one by default. | | | | Some smart cards (for | | | | example, the | | | | Litronic card) can store only | | | | one key pair. If you | | | | create a new key | | | | pair for such a card, the | | | | previous pair is | | | | overwritten. | | | | -H | | | | Display a list of | | | | the options and arguments used | | | | by the | | | | Certificate | | | | Database Tool. | | | | -K | | | | List the key ID of | | | | keys in the key database. A | | | | key ID is the | | | | modulus of the RSA | | | | key or the publicValue of the | | | | DSA key. IDs are | | | | displayed in | | | | hexadecimal ("0x" is not | | | | shown). | | | | -L | | | | List all the | | | | certificates, or display | | | | information about a named | | | | certificate, in a | | | | certificate database. Use the | | | | -h tokenname | | | | argument to specify | | | | the certificate database on a | | | | particular | | | | hardware or | | | | software token. | | | | -M | | | | Modify a | | | | certificate's trust attributes | | | | using the values of the -t | | | | argument. | | | | -N | | | | Create new | | | | certificate and key databases. | | | | -O | | | | Print the | | | | certificate chain. | | | | -R | | | | Create a | | | | certificate request file that | | | | can be submitted to a | | | | Certificate | | | | Authority (CA) for processing | | | | into a finished | | | | certificate. Output | | | | defaults to standard out | | | | unless you use -o | | | | output-file | | | | argument. Use the -a argument | | | | to specify ASCII output. | | | | -S | | | | Create an | | | | individual certificate and add | | | | it to a certificate | | | | database. | | | | -T | | | | Reset the key | | | | database or token. | | | | -U | | | | List all available | | | | modules or print a single | | | | named module. | | | | -V | | | | Check the validity | | | | of a certificate and its | | | | attributes. | | | | -W | | | | Change the password | | | | to a key database. | | | | --merge | | | | Merge a source | | | | database into the target | | | | database. This is used to | | | | merge legacy NSS | | | | databases (cert8.db and | | | | key3.db) into the newer | | | | SQLite databases | | | | (cert9.db and key4.db). | | | | --upgrade-merge | | | | Upgrade an old | | | | database and merge it into a | | | | new database. This is | | | | used to migrate | | | | legacy NSS databases (cert8.db | | | | and key3.db) into | | | | the newer SQLite | | | | databases (cert9.db and | | | | key4.db). | | | | Arguments | | | | Option arguments modify an | | | | action and are lowercase. | | | | -a | | | | Use ASCII format or | | | | allow the use of ASCII format | | | | for input or | | | | output. This | | | | formatting follows RFC 1113. | | | | For certificate | | | | requests, ASCII | | | | output defaults to standard | | | | output unless | | | | redirected. | | | | -b validity-time | | | | Specify a time at | | | | which a certificate is | | | | required to be valid. Use | | | | when checking | | | | certificate validity with the | | | | -V option. The format | | | | of the | | | | validity-time argument is | | | | YYMMDDHHMMSS[+HHMM|-HHMM|Z], | | | | which allows | | | | offsets to be set relative to | | | | the validity end time. | | | | Specifying seconds | | | | (SS) is optional. When | | | | specifying an explicit | | | | time, use a Z at | | | | the end of the term, | | | | YYMMDDHHMMSSZ, to close it. | | | | When specifying an | | | | offset time, use | | | | YYMMDDHHMMSS+HHMM or | | | | YYMMDDHHMMSS-HHMM | | | | for adding or subtracting | | | | time, respectively. | | | | If this option is | | | | not used, the validity check | | | | defaults to the | | | | current system | | | | time. | | | | -c issuer | | | | Identify the | | | | certificate of the CA from | | | | which a new certificate | | | | will derive its | | | | authenticity. Use the exact | | | | nickname or alias of | | | | the CA certificate, | | | | or use the CA's email address. | | | | Bracket the | | | | issuer string with | | | | quotation marks if it contains | | | | spaces. | | | | -d [sql:]directory | | | | Specify the | | | | database directory containing | | | | the certificate and key | | | | database files. | | | | certutil supports | | | | two types of databases: the | | | | legacy security | | | | databases | | | | (cert8.db, key3.db, and | | | | secmod.db) and new SQLite | | | | databases | | | | (cert9.db, key4.db, and | | | | pkcs11.txt). If the prefix | | | | sql: | | | | is not used, then | | | | the tool assumes that the | | | | given databases are in | | | | the old format. | | | | -e | | | | Check a | | | | certificate's signature during | | | | the process of validating a | | | | certificate. | | | | -f password-file | | | | Specify a file that | | | | will automatically supply the | | | | password to | | | | include in a | | | | certificate or to access a | | | | certificate database. This | | | | is a plain-text | | | | file containing one password. | | | | Be sure to prevent | | | | unauthorized access | | | | to this file. | | | | -g keysize | | | | Set a key size to | | | | use when generating new public | | | | and private key | | | | pairs. The minimum | | | | is 512 bits and the maximum is | | | | 8192 bits. The | | | | default is 1024 | | | | bits. Any size between the | | | | minimum and maximum is | | | | allowed. | | | | -h tokenname | | | | Specify the name of | | | | a token to use or act on. | | | | Unless specified | | | | otherwise the | | | | default token is an internal | | | | slot (specifically, | | | | internal slot 2). | | | | This slot can also be | | | | explicitly named with the | | | | string "internal". | | | | An internal slots is a virtual | | | | slot maintained | | | | in software, rather | | | | than a hardware device. | | | | Internal slot 2 is | | | | used by key and | | | | certificate services. Internal | | | | slot 1 is used by | | | | cryptographic | | | | services. | | | | -i input_file | | | | Pass an input file | | | | to the command. Depending on | | | | the command | | | | option, an input | | | | file can be a specific | | | | certificate, a certificate | | | | request file, or a | | | | batch file of commands. | | | | -k rsa|dsa|ec|all | | | | Specify the type of | | | | a key. The valid options are | | | | RSA, DSA, ECC, or | | | | all. The default | | | | value is rsa. Specifying the | | | | type of key can | | | | avoid mistakes | | | | caused by duplicate nicknames. | | | | -k key-type-or-id | | | | Specify the type or | | | | specific ID of a key. Giving a | | | | key type | | | | generates a new key | | | | pair; giving the ID of an | | | | existing key reuses | | | | that key pair | | | | (which is required to renew | | | | certificates). | | | | -l | | | | Display detailed | | | | information when validating a | | | | certificate with | | | | the -V option. | | | | -m serial-number | | | | Assign a unique | | | | serial number to a certificate | | | | being created. This | | | | operation should be | | | | performed by a CA. The default | | | | serial number | | | | is 0 (zero). Serial | | | | numbers are limited to | | | | integers. | | | | -n nickname | | | | Specify the | | | | nickname of a certificate or | | | | key to list, create, add | | | | to a database, | | | | modify, or validate. Bracket | | | | the nickname string | | | | with quotation | | | | marks if it contains spaces. | | | | -o output-file | | | | Specify the output | | | | file name for new certificates | | | | or binary | | | | certificate | | | | requests. Bracket the | | | | output-file string with | | | | quotation marks if | | | | it contains spaces. If this | | | | argument is not | | | | used the output | | | | destination defaults to | | | | standard output. | | | | -P dbPrefix | | | | Specify the prefix | | | | used on the certificate and | | | | key database file. | | | | This option is | | | | provided as a special case. | | | | Changing the names of | | | | the certificate and | | | | key databases is not | | | | recommended. | | | | -p phone | | | | Specify a contact | | | | telephone number to include in | | | | new certificates | | | | or certificate | | | | requests. Bracket this string | | | | with quotation marks | | | | if it contains | | | | spaces. | | | | -q pqgfile | | | | Read an alternate | | | | PQG value from the specified | | | | file when | | | | generating DSA key | | | | pairs. If this argument is not | | | | used, certutil | | | | generates its own | | | | PQG value. PQG files are | | | | created with a separate | | | | DSA utility. | | | | -q curve-name | | | | Set the elliptic | | | | curve name to use when | | | | generating ECC key pairs. | | | | A complete list of | | | | ECC curves is given in the | | | | help (-H). | | | | -r | | | | Display a | | | | certificate's binary DER | | | | encoding when listing | | | | information about | | | | that certificate with the -L | | | | option. | | | | -s subject | | | | Identify a | | | | particular certificate owner | | | | for new certificates or | | | | certificate | | | | requests. Bracket this string | | | | with quotation marks if | | | | it contains spaces. | | | | The subject identification | | | | format follows RFC | | | | #1485. | | | | -t trustargs | | | | Specify the trust | | | | attributes to modify in an | | | | existing certificate | | | | or to apply to a | | | | certificate when creating it | | | | or adding it to a | | | | database. There are | | | | three available trust | | | | categories for each | | | | certificate, | | | | expressed in the order SSL, | | | | email, object signing for | | | | each trust setting. | | | | In each category position, use | | | | none, any, or | | | | all of the | | | | attribute codes: | | | | o p - Valid peer | | | | o P - Trusted | | | | peer (implies p) | | | | o c - Valid CA | | | | o T - Trusted CA | | | | to issue client certificates | | | | (implies c) | | | | o C - Trusted CA | | | | to issue server certificates | | | | (SSL only) | | | | (implies c) | | | | o u - | | | | Certificate can be used for | | | | authentication or signing | | | | o w - Send | | | | warning (use with other | | | | attributes to include a | | | | warning when | | | | the certificate is used in | | | | that context) | | | | The attribute codes | | | | for the categories are | | | | separated by commas, | | | | and the entire set | | | | of attributes enclosed by | | | | quotation marks. For | | | | example: | | | | -t "TCu,Cu,Tuw" | | | | Use the -L option | | | | to see a list of the current | | | | certificates and | | | | trust attributes in | | | | a certificate database. | | | | -u certusage | | | | Specify a usage | | | | context to apply when | | | | validating a certificate | | | | with the -V option. | | | | The contexts are | | | | the following: | | | | o C (as an SSL | | | | client) | | | | o V (as an SSL | | | | server) | | | | o S (as an email | | | | signer) | | | | o R (as an email | | | | recipient) | | | | o O (as an OCSP | | | | status responder) | | | | o J (as an | | | | object signer) | | | | -v valid-months | | | | Set the number of | | | | months a new certificate will | | | | be valid. The | | | | validity period | | | | begins at the current system | | | | time unless an offset | | | | is added or | | | | subtracted with the -w option. | | | | If this argument is not | | | | used, the default | | | | validity period is three | | | | months. When this | | | | argument is used, | | | | the default three-month period | | | | is automatically | | | | added to any value | | | | given in the valid-month | | | | argument. For example, | | | | using this option | | | | to set a value of 3 would | | | | cause 3 to be added to | | | | the three-month | | | | default, creating a validity | | | | period of six months. | | | | You can use | | | | negative values to reduce the | | | | default period. For | | | | example, setting a | | | | value of -2 would subtract 2 | | | | from the default | | | | and create a | | | | validity period of one month. | | | | -w offset-months | | | | Set an offset from | | | | the current system time, in | | | | months, for the | | | | beginning of a | | | | certificate's validity period. | | | | Use when creating | | | | the certificate or | | | | adding it to a database. | | | | Express the offset in | | | | integers, using a | | | | minus sign (-) to indicate a | | | | negative offset. If | | | | this argument is | | | | not used, the validity period | | | | begins at the | | | | current system | | | | time. The length of the | | | | validity period is set with | | | | the -v argument. | | | | -X | | | | Force the key and | | | | certificate database to open | | | | in read-write mode. | | | | This is used with | | | | the -U and -L command options. | | | | -x | | | | Use certutil to | | | | generate the signature for a | | | | certificate being | | | | created or added to | | | | a database, rather than | | | | obtaining a signature | | | | from a separate CA. | | | | -y exp | | | | Set an alternate | | | | exponent value to use in | | | | generating a new RSA | | | | public key for the | | | | database, instead of the | | | | default value of | | | | 65537. The | | | | available alternate values are | | | | 3 and 17. | | | | -z noise-file | | | | Read a seed value | | | | from the specified file to | | | | generate a new | | | | private and public | | | | key pair. This argument makes | | | | it possible to | | | | use | | | | hardware-generated seed values | | | | or manually create a value | | | | from | | | | the keyboard. The | | | | minimum file size is 20 bytes. | | | | -0 SSO_password | | | | Set a site security | | | | officer password on a token. | | | | -1 \| --keyUsage | | | | keyword,keyword | | | | Set a Netscape | | | | Certificate Type Extension in | | | | the certificate. | | | | There are several | | | | available keywords: | | | | o digital | | | | signature | | | | o nonRepudiation | | | | | | | | o keyEncipherment | | | | | | | | o dataEncipherment | | | | o keyAgreement | | | | o certSigning | | | | o crlSigning | | | | o critical | | | | -2 | | | | Add a basic | | | | constraint extension to a | | | | certificate that is being | | | | created or added to | | | | a database. This extension | | | | supports the | | | | certificate chain | | | | verification process. certutil | | | | prompts for the | | | | certificate | | | | constraint extension to | | | | select. | | | | X.509 certificate | | | | extensions are described in | | | | RFC 5280. | | | | -3 | | | | Add an authority | | | | key ID extension to a | | | | certificate that is being | | | | created or added to | | | | a database. This extension | | | | supports the | | | | identification of a | | | | particular certificate, from | | | | among multiple | | | | certificates | | | | associated with one subject | | | | name, as the correct | | | | issuer of a | | | | certificate. The Certificate | | | | Database Tool will prompt | | | | you to select the | | | | authority key ID extension. | | | | X.509 certificate | | | | extensions are described in | | | | RFC 5280. | | | | -4 | | | | Add a CRL | | | | distribution point extension | | | | to a certificate that is | | | | being created or | | | | added to a database. This | | | | extension identifies | | | | the URL of a | | | | certificate's associated | | | | certificate revocation list | | | | (CRL). certutil | | | | prompts for the URL. | | | | X.509 certificate | | | | extensions are described in | | | | RFC 5280. | | | | -5 \| --nsCertType | | | | keyword,keyword | | | | Add a Netscape | | | | certificate type extension to | | | | a certificate that is | | | | being created or | | | | added to the database. There | | | | are several | | | | available keywords: | | | | o sslClient | | | | o sslServer | | | | o smime | | | | o objectSigning | | | | o sslCA | | | | o smimeCA | | | | | | | | o objectSigningCA | | | | o critical | | | | X.509 certificate | | | | extensions are described in | | | | RFC 5280. | | | | -6 \| --extKeyUsage | | | | keyword,keyword | | | | Add an extended key | | | | usage extension to a | | | | certificate that is being | | | | created or added to | | | | the database. Several keywords | | | | are available: | | | | o serverAuth | | | | o clientAuth | | | | o codeSigning | | | | | | | | o emailProtection | | | | o timeStamp | | | | o ocspResponder | | | | o stepUp | | | | o critical | | | | X.509 certificate | | | | extensions are described in | | | | RFC 5280. | | | | -7 emailAddrs | | | | Add a | | | | comma-separated list of email | | | | addresses to the subject | | | | alternative name | | | | extension of a certificate or | | | | certificate request | | | | that is being | | | | created or added to the | | | | database. Subject | | | | alternative name | | | | extensions are described in | | | | Section 4.2.1.7 of | | | | RFC 3280. | | | | -8 dns-names | | | | Add a | | | | comma-separated list of DNS | | | | names to the subject | | | | alternative | | | | name extension of a | | | | certificate or certificate | | | | request that is | | | | being created or | | | | added to the database. Subject | | | | alternative name | | | | extensions are | | | | described in Section 4.2.1.7 | | | | of RFC 3280. | | | | --extAIA | | | | Add the Authority | | | | Information Access extension | | | | to the certificate. | | | | X.509 certificate | | | | extensions are described in | | | | RFC 5280. | | | | --extSIA | | | | Add the Subject | | | | Information Access extension | | | | to the certificate. | | | | X.509 certificate | | | | extensions are described in | | | | RFC 5280. | | | | --extCP | | | | Add the Certificate | | | | Policies extension to the | | | | certificate. X.509 | | | | certificate | | | | extensions are described in | | | | RFC 5280. | | | | --extPM | | | | Add the Policy | | | | Mappings extension to the | | | | certificate. X.509 | | | | certificate | | | | extensions are described in | | | | RFC 5280. | | | | --extPC | | | | Add the Policy | | | | Constraints extension to the | | | | certificate. X.509 | | | | certificate | | | | extensions are described in | | | | RFC 5280. | | | | --extIA | | | | Add the Inhibit Any | | | | Policy Access extension to the | | | | certificate. | | | | X.509 certificate | | | | extensions are described in | | | | RFC 5280. | | | | --extSKID | | | | Add the Subject Key | | | | ID extension to the | | | | certificate. X.509 | | | | certificate | | | | extensions are described in | | | | RFC 5280. | | | | --source-dir certdir | | | | Identify the | | | | certificate database directory | | | | to upgrade. | | | | --source-prefix certdir | | | | Give the prefix of | | | | the certificate and key | | | | databases to upgrade. | | | | --upgrade-id uniqueID | | | | Give the unique ID | | | | of the database to upgrade. | | | | --upgrade-token-name name | | | | Set the name of the | | | | token to use while it is being | | | | upgraded. | | | | -@ pwfile | | | | Give the name of a | | | | password file to use for the | | | | database being | | | | upgraded. | | | | Usage and Examples | | | | Most of the command options | | | | in the examples listed here | | | | have more | | | | arguments available. The | | | | arguments included in these | | | | examples are the most | | | | common ones or are used to | | | | illustrate a specific | | | | scenario. Use the -H | | | | option to show the complete | | | | list of arguments for each | | | | command option. | | | | Creating New Security | | | | Databases | | | | Certificates, keys, and | | | | security modules related to | | | | managing certificates | | | | are stored in three related | | | | databases: | | | | o cert8.db or cert9.db | | | | o key3.db or key4.db | | | | o secmod.db or pkcs11.txt | | | | These databases must be | | | | created before certificates or | | | | keys can be | | | | generated. | | | | certutil -N -d | | | | [sql:]directory | | | | Creating a Certificate | | | | Request | | | | A certificate request | | | | contains most or all of the | | | | information that is used | | | | to generate the final | | | | certificate. This request is | | | | submitted separately to | | | | a certificate authority and | | | | is then approved by some | | | | mechanism | | | | (automatically or by human | | | | review). Once the request is | | | | approved, then the | | | | certificate is generated. | | | | $ certutil -R -k | | | | key-type-or-id [-q | | | | pqgfile|curve-name] -g | | | | key-size -s subject [-h | | | | tokenname] -d [sql:]directory | | | | [-p phone] [-o output-file] | | | | [-a] | | | | The -R command options | | | | requires four arguments: | | | | o -k to specify either | | | | the key type to generate or, | | | | when renewing a | | | | certificate, the | | | | existing key pair to use | | | | o -g to set the keysize | | | | of the key to generate | | | | o -s to set the subject | | | | name of the certificate | | | | o -d to give the security | | | | database directory | | | | The new certificate request | | | | can be output in ASCII format | | | | (-a) or can be | | | | written to a specified file | | | | (-o). | | | | For example: | | | | $ certutil -R -k ec -q | | | | nistb409 -g 512 -s "CN=John | | | | Smith,O=Example | | | | Corp,L=Mountain | | | | View,ST=California,C=US" -d | | | | sql:/home/my/sharednssdb -p | | | | 650-555-0123 -a -o cert.cer | | | | Generating key. This may | | | | take a few moments... | | | | Certificate request generated | | | | by Netscape | | | | Phone: 650-555-0123 | | | | Common Name: John Smith | | | | Email: (not ed) | | | | Organization: Example Corp | | | | State: California | | | | Country: US | | | | -----BEGIN NEW CERTIFICATE | | | | REQUEST----- | | | | MIIB | | | | IDCBywIBADBmMQswCQYDVQQGEwJVUz | | | | ETMBEGA1UECBMKQ2FsaWZvcm5pYTEW | | | | MBQG | | | | A1UEBxMNTW91bnRhaW4gVmlldzEVMB | | | | MGA1UEChMMRXhhbXBsZSBDb3JwMRMw | | | | EQYD | | | | VQQDEwpKb2huIFNtaXRoMFwwDQYJKo | | | | ZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ | | | | KmHn | | | | Ox7reP8Cc0Lk+fFWEuYIDX9W5K/Bio | | | | QOKvEjXyQZhit9aThzBVMoSf1Y1S8J | | | | CzdU | | | | bCg1+IbnXaECAwEAAaAAMA0GCSqGSI | | | | b3DQEBBQUAA0EAryqZvpYrUtQ486Ny | | | | qmty | | | | QNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u | | | | 1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB | | | | 1hP9Gg== | | | | -----END NEW CERTIFICATE | | | | REQUEST----- | | | | Creating a Certificate | | | | A valid certificate must be | | | | issued by a trusted CA. This | | | | can be done by | | | | specifying a CA certificate | | | | (-c) that is stored in the | | | | certificate | | | | database. If a CA key pair | | | | is not available, you can | | | | create a self-signed | | | | certificate using the -x | | | | argument with the -S command | | | | option. | | | | $ certutil -S -k rsa|dsa|ec | | | | -n certname -s subject [-c | | | | issuer \|-x] -t trustargs -d | | | | [sql:]directory [-m | | | | serial-number] [-v | | | | valid-months] [-w | | | | offset-months] [-p phone] [-1] | | | | [-2] [-3] [-4] [-5 keyword] | | | | [-6 keyword] [-7 emailAddress] | | | | [-8 dns-names] [--extAIA] | | | | [--extSIA] [--extCP] [--extPM] | | | | [--extPC] [--extIA] | | | | [--extSKID] | | | | The series of numbers and | | | | --ext\* options set | | | | certificate extensions that | | | | can be added to the | | | | certificate when it is | | | | generated by the CA. | | | | For example, this creates a | | | | self-signed certificate: | | | | $ certutil -S -s "CN=Example | | | | CA" -n my-ca-cert -x -t | | | | "C,C,C" -1 -2 -5 -m 3650 | | | | From there, new | | | | certificates can reference the | | | | self-signed certificate: | | | | $ certutil -S -s "CN=My | | | | Server Cert" -n my-server-cert | | | | -c "my-ca-cert" -t "u,u,u" -1 | | | | -5 -6 -8 -m 730 | | | | Generating a Certificate | | | | from a Certificate Request | | | | When a certificate request | | | | is created, a certificate can | | | | be generated by | | | | using the request and then | | | | referencing a certificate | | | | authority signing | | | | certificate (the issuer | | | | specified in the -c argument). | | | | The issuing | | | | certificate must be in the | | | | certificate database in the | | | | specified | | | | directory. | | | | certutil -C -c issuer -i | | | | cert-request-file -o | | | | output-file [-m serial-number] | | | | [-v valid-months] [-w | | | | offset-months] -d | | | | [sql:]directory [-1] [-2] [-3] | | | | [-4] [-5 keyword] [-6 keyword] | | | | [-7 emailAddress] [-8 | | | | dns-names] | | | | For example: | | | | $ certutil -C -c "my-ca-cert" | | | | -i /home/certs/cert.req -o | | | | cert.cer -m 010 -v 12 -w 1 -d | | | | sql:/home/my/sharednssdb -1 | | | | n | | | | onRepudiation,dataEncipherment | | | | -5 sslClient -6 clientAuth -7 | | | | jsmith@example.com | | | | Generating Key Pairs | | | | Key pairs are generated | | | | automatically with a | | | | certificate request or | | | | certificate, but they can | | | | also be generated | | | | independently using the -G | | | | command option. | | | | certutil -G -d | | | | [sql:]directory \| -h | | | | tokenname -k key-type -g | | | | key-size [-y exponent-value] | | | | -q pqgfile|curve-name | | | | For example: | | | | $ certutil -G -h lunasa -k ec | | | | -g 256 -q sect193r2 | | | | Listing Certificates | | | | The -L command option lists | | | | all of the certificates listed | | | | in the | | | | certificate database. The | | | | path to the directory (-d) is | | | | required. | | | | $ certutil -L -d | | | | sql:/home/my/sharednssdb | | | | Certificate | | | | Nickname | | | | | | | | Trust Attributes | | | | | | | | | | | | | | | | SSL,S/MIME,JAR/XPI | | | | CA Administrator of Instance | | | | pki-ca1's Example Domain | | | | ID u,u,u | | | | TPS Administrator's Example | | | | Domain | | | | ID | | | | u,u,u | | | | Google Internet | | | | Authority | | | | | | | | ,, | | | | Certificate Authority - | | | | Example | | | | Domain | | | | CT,C,C | | | | Using additional arguments | | | | with -L can return and print | | | | the information | | | | for a single, specific | | | | certificate. For example, the | | | | -n argument passes | | | | the certificate name, while | | | | the -a argument prints the | | | | certificate in | | | | ASCII format: | | | | $ certutil -L -d | | | | sql:/home/my/sharednssdb -a -n | | | | "Certificate Authority - | | | | Example Domain" | | | | -----BEGIN CERTIFICATE----- | | | | MIID | | | | mTCCAoGgAwIBAgIBATANBgkqhkiG9w | | | | 0BAQUFADA5MRcwFQYDVQQKEw5FeGFt | | | | cGxl | | | | IERvbWFpbjEeMBwGA1UEAxMVQ2VydG | | | | lmaWNhdGUgQXV0aG9yaXR5MB4XDTEw | | | | MDQy | | | | OTIxNTY1OFoXDTEyMDQxODIxNTY1OF | | | | owOTEXMBUGA1UEChMORXhhbXBsZSBE | | | | b21h | | | | aW4xHjAcBgNVBAMTFUNlcnRpZmljYX | | | | RlIEF1dGhvcml0eTCCASIwDQYJKoZI | | | | hvcN | | | | AQEBBQADggEPADCCAQoCggEBAO/bqU | | | | li2KwqXFKmMMG93KN1SANzNTXA/Vlf | | | | Tmri | | | | h3hQgjvR1ktIY9aG6cB7DSKWmtHp/+ | | | | p4PUCMqL4ZrSGt901qxkePyZ2dYmM2 | | | | Rnel | | | | K+SEUIPiUtoZaDhNdiYsE/yuDE8vQW | | | | j0vHCVL0w72qFUcSQ/WZT7FCrnUIUI | | | | udeW | | | | noPSUn70gLhcj/lvxl7K9BHyD4Sq5C | | | | zktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2 | | | | bP4i | | | | RMfloGqsxGuB1evWVDF1haGpFDSPgM | | | | nEPSLg3/3dXn+HDJbZ29EU8/xKzQEb | | | | 3V0A | | | | HKbu80zGllLEt2Zx/WDIrgJEN9yMfg | | | | KFpcmL+BvIRsmh0VsCAwEAAaOBqzCB | | | | qDAf | | | | BgNVHSMEGDAWgBQATgxHQyRUfKIZtd | | | | p55bZlFr+tFzAPBgNVHRMBAf8EBTAD | | | | AQH/ | | | | MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ | | | | 4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/ | | | | rRcw | | | | RQYIKwYBBQUHAQEEOTA3MDUGCCsGAQ | | | | UFBzABhilodHRwOi8vbG9jYWxob3N0 | | | | Lmxv | | | | Y2FsZG9tYWluOjkxODAvY2Evb2NzcD | | | | ANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk | | | | L3XO | | | | 43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3 | | | | KROLWeKVZZZa2E2Hnsvf2uXbk5amKe | | | | lRxd | | | | SeRH9g85pv4KY7Z8xZ71NrI3+K3uwm | | | | nqkc6t0hhYb1mw/gx8OAAoluQx3biX | | | | JBDx | | | | jI73Cf7XUopplHBjjiwyGIJUO8BEZJ | | | | 5L+TF4P38MJz1snLtzZpEAX5bl0U76 | | | | bfu/ | | | | tZFWBbE8YAWYtkCtMcalBPj6jn2WD3 | | | | M01kGozW4mmbvsj1cRB9HnsGsqyHCu | | | | U0uj | | | | lL1H/RWcjn607+CTeKH9jLMUqCIqPJ | | | | NOa+kq/6F7NhNRRiuzASIbZc30BZ5a | | | | nI7q5n1USM3eWQlVXw== | | | | -----END CERTIFICATE----- | | | | Listing Keys | | | | Keys are the original | | | | material used to encrypt | | | | certificate data. The keys | | | | generated for certificates | | | | are stored separately, in the | | | | key database. | | | | To list all keys in the | | | | database, use the -K command | | | | option and the | | | | (required) -d argument to | | | | give the path to the | | | | directory. | | | | $ certutil -K -d | | | | sql:/home/my/sharednssdb | | | | certutil: Checking token "NSS | | | | Certificate DB" in slot "NSS | | | | User Private Key and | | | | Certificate | | | | Services " | | | | < 0> rsa | | | | 455a6673bde9 | | | | 375c2887ec8bf8016b3f9f35861d | | | | Thawte Freemail Member's | | | | Thawte Consulting (Pty) Ltd. | | | | ID | | | | < 1> rsa | | | | 40defeeb522a | | | | de11090eacebaaf1196a172127df | | | | Example Domain Administrator | | | | Cert | | | | < 2> rsa | | | | 1d0b06f44f6c | | | | 03842f7d4f4a1dc78b3bcd1b85a5 | | | | John Smith user cert | | | | There are ways to narrow | | | | the keys listed in the search | | | | results: | | | | o To return a specific | | | | key, use the -n name argument | | | | with the name of | | | | the key. | | | | o If there are multiple | | | | security devices loaded, then | | | | the -h tokenname | | | | argument can search a | | | | specific token or all tokens. | | | | o If there are multiple | | | | key types available, then the | | | | -k key-type | | | | argument can search a | | | | specific type of key, like | | | | RSA, DSA, or ECC. | | | | Listing Security Modules | | | | The devices that can be | | | | used to store certificates -- | | | | both internal | | | | databases and external | | | | devices like smart cards -- | | | | are recognized and used | | | | by loading security | | | | modules. The -U command option | | | | lists all of the | | | | security modules listed in | | | | the secmod.db database. The | | | | path to the | | | | directory (-d) is required. | | | | $ certutil -U -d | | | | sql:/home/my/sharednssdb | | | | slot: NSS User Private | | | | Key and Certificate Services | | | | token: NSS Certificate DB | | | | slot: NSS Internal | | | | Cryptographic Services | | | | token: NSS Generic Crypto | | | | Services | | | | Adding Certificates to the | | | | Database | | | | Existing certificates or | | | | certificate requests can be | | | | added manually to the | | | | certificate database, even | | | | if they were generated | | | | elsewhere. This uses the | | | | -A command option. | | | | certutil -A -n certname -t | | | | trustargs -d [sql:]directory | | | | [-a] [-i input-file] | | | | For example: | | | | $ certutil -A -n "CN=My SSL | | | | Certificate" -t "u,u,u" -d | | | | sql:/home/my/sharednssdb -i | | | | /home/example-certs/cert.cer | | | | A related command option, | | | | -E, is used specifically to | | | | add email | | | | certificates to the | | | | certificate database. The -E | | | | command has the same | | | | arguments as the -A | | | | command. The trust arguments | | | | for certificates have the | | | | format | | | | SSL,S/MIME,Code-signing, so | | | | the middle trust settings | | | | relate most | | | | to email certificates | | | | (though the others can be | | | | set). For example: | | | | $ certutil -E -n "CN=John | | | | Smith Email Cert" -t ",Pu," -d | | | | sql:/home/my/sharednssdb -i | | | | /home/example-certs/email.cer | | | | Deleting Certificates to | | | | the Database | | | | Certificates can be deleted | | | | from a database using the -D | | | | option. The only | | | | required options are to | | | | give the security database | | | | directory and to | | | | identify the certificate | | | | nickname. | | | | certutil -D -d | | | | [sql:]directory -n "nickname" | | | | For example: | | | | $ certutil -D -d | | | | sql:/home/my/sharednssdb -n | | | | "my-ssl-cert" | | | | Validating Certificates | | | | A certificate contains an | | | | expiration date in itself, and | | | | expired | | | | certificates are easily | | | | rejected. However, | | | | certificates can also be | | | | revoked before they hit | | | | their expiration date. | | | | Checking whether a | | | | certificate has been | | | | revoked requires validating | | | | the certificate. | | | | Validation can also be used | | | | to ensure that the certificate | | | | is only used | | | | for the purposes it was | | | | initially issued for. | | | | Validation is carried out by | | | | the -V command option. | | | | certutil -V -n | | | | certificate-name [-b time] | | | | [-e] [-u cert-usage] -d | | | | [sql:]directory | | | | For example, to validate an | | | | email certificate: | | | | $ certutil -V -n "John | | | | Smith's Email Cert" -e -u S,R | | | | -d sql:/home/my/sharednssdb | | | | Modifying Certificate Trust | | | | Settings | | | | The trust settings (which | | | | relate to the operations that | | | | a certificate is | | | | allowed to be used for) can | | | | be changed after a certificate | | | | is created or | | | | added to the database. This | | | | is especially useful for CA | | | | certificates, but | | | | it can be performed for any | | | | type of certificate. | | | | certutil -M -n | | | | certificate-name -t trust-args | | | | -d [sql:]directory | | | | For example: | | | | $ certutil -M -n "My CA | | | | Certificate" -d | | | | sql:/home/my/sharednssdb -t | | | | "CTu,CTu,CTu" | | | | Printing the Certificate | | | | Chain | | | | Certificates can be issued | | | | in chains because every | | | | certificate authority | | | | itself has a certificate; | | | | when a CA issues a | | | | certificate, it essentially | | | | stamps that certificate | | | | with its own fingerprint. The | | | | -O prints the full | | | | chain of a certificate, | | | | going from the initial CA (the | | | | root CA) through | | | | ever intermediary CA to the | | | | actual certificate. For | | | | example, for an email | | | | certificate with two CAs in | | | | the chain: | | | | $ certutil -d | | | | sql:/home/my/sharednssdb -O -n | | | | "jsmith@example.com" | | | | "Builtin Object Token:Thawte | | | | Personal Freemail CA" | | | | [E=personal | | | | -freemail@thawte.com,CN=Thawte | | | | Personal Freemail | | | | CA,OU=Certification Services | | | | Division,O=Thawte | | | | Consulting,L=Cape | | | | Town,ST=Western Cape,C=ZA] | | | | "Thawte Personal Freemail | | | | Issuing CA - Thawte | | | | Consulting" [CN=Thawte | | | | Personal Freemail Issuing | | | | CA,O=Thawte Consulting (Pty) | | | | Ltd.,C=ZA] | | | | "(null)" | | | | [ | | | | E=jsmith@example.com,CN=Thawte | | | | Freemail Member] | | | | Resetting a Token | | | | The device which stores | | | | certificates -- both external | | | | hardware devices and | | | | internal software databases | | | | -- can be blanked and reused. | | | | This operation | | | | is performed on the device | | | | which stores the data, not | | | | directly on the | | | | security databases, so the | | | | location must be referenced | | | | through the token | | | | name (-h) as well as any | | | | directory path. If there is no | | | | external token | | | | used, the default value is | | | | internal. | | | | certutil -T -d | | | | [sql:]directory -h token-name | | | | -0 security-officer-password | | | | Many networks have | | | | dedicated personnel who handle | | | | changes to security | | | | tokens (the security | | | | officer). This person must | | | | supply the password to | | | | access the specified token. | | | | For example: | | | | $ certutil -T -d | | | | sql:/home/my/sharednssdb -h | | | | nethsm -0 secret | | | | Upgrading or Merging the | | | | Security Databases | | | | Many networks or | | | | applications may be using | | | | older BerkeleyDB versions of | | | | the certificate database | | | | (cert8.db). Databases can be | | | | upgraded to the new | | | | SQLite version of the | | | | database (cert9.db) using the | | | | --upgrade-merge | | | | command option or existing | | | | databases can be merged with | | | | the new cert9.db | | | | databases using the | | | | ---merge command. | | | | The --upgrade-merge command | | | | must give information about | | | | the original | | | | database and then use the | | | | standard arguments (like -d) | | | | to give the | | | | information about the new | | | | databases. The command also | | | | requires information | | | | that the tool uses for the | | | | process to upgrade and write | | | | over the original | | | | database. | | | | certutil --upgrade-merge -d | | | | [sql:]directory [-P dbprefix] | | | | --source-dir directory | | | | --source-prefix dbprefix | | | | --upgrade-id id | | | | --upgrade-token-name name [-@ | | | | password-file] | | | | For example: | | | | $ certutil --upgrade-merge -d | | | | sql:/home/my/sharednssdb | | | | --source-dir | | | | /opt/my-app/alias/ | | | | --source-prefix serverapp- | | | | --upgrade-id 1 | | | | --upgrade-token-name internal | | | | The --merge command only | | | | requires information about the | | | | location of the | | | | original database; since it | | | | doesn't change the format of | | | | the database, it | | | | can write over information | | | | without performing interim | | | | step. | | | | certutil --merge -d | | | | [sql:]directory [-P dbprefix] | | | | --source-dir directory | | | | --source-prefix dbprefix [-@ | | | | password-file] | | | | For example: | | | | $ certutil --merge -d | | | | sql:/home/my/sharednssdb | | | | --source-dir | | | | /opt/my-app/alias/ | | | | --source-prefix serverapp- | | | | Running certutil Commands | | | | from a Batch File | | | | A series of commands can be | | | | run sequentially from a text | | | | file with the -B | | | | command option. The only | | | | argument for this specifies | | | | the input file. | | | | $ certutil -B -i | | | | /path/to/batch-file | | | | NSS Database Types | | | | NSS originally used | | | | BerkeleyDB databases to store | | | | security information. | | | | The last versions of these | | | | legacy databases are: | | | | o cert8.db for | | | | certificates | | | | o key3.db for keys | | | | o secmod.db for PKCS #11 | | | | module information | | | | BerkeleyDB has performance | | | | limitations, though, which | | | | prevent it from | | | | being easily used by | | | | multiple applications | | | | simultaneously. NSS has some | | | | flexibility that allows | | | | applications to use their own, | | | | independent | | | | database engine while | | | | keeping a shared database and | | | | working around the | | | | access issues. Still, NSS | | | | requires more flexibility to | | | | provide a truly | | | | shared security database. | | | | In 2009, NSS introduced a | | | | new set of databases that are | | | | SQLite databases | | | | rather than BerkleyDB. | | | | These new databases provide | | | | more accessibility and | | | | performance: | | | | o cert9.db for | | | | certificates | | | | o key4.db for keys | | | | o pkcs11.txt, which is | | | | listing of all of the PKCS #11 | | | | modules contained | | | | in a new subdirectory | | | | in the security databases | | | | directory | | | | Because the SQLite | | | | databases are designed to be | | | | shared, these are the | | | | shared database type. The | | | | shared database type is | | | | preferred; the legacy | | | | format is included for | | | | backward compatibility. | | | | By default, the tools | | | | (certutil, pk12util, modutil) | | | | assume that the given | | | | security databases follow | | | | the more common legacy type. | | | | Using the SQLite | | | | databases must be manually | | | | specified by using the sql: | | | | prefix with the | | | | given security directory. | | | | For example: | | | | $ certutil -L -d | | | | sql:/home/my/sharednssdb | | | | To set the shared database | | | | type as the default type for | | | | the tools, set the | | | | NSS_DEFAULT_DB_TYPE | | | | environment variable to sql: | | | | export | | | | NSS_DEFAULT_DB_TYPE="sql" | | | | This line can be set added | | | | to the ~/.bashrc file to make | | | | the change | | | | permanent. | | | | Most applications do not | | | | use the shared database by | | | | default, but they can | | | | be configured to use them. | | | | For example, this how-to | | | | article covers how to | | | | configure Firefox and | | | | Thunderbird to use the new | | | | shared NSS databases: | | | | | | | | o https://wiki.m | | | | ozilla.org/NSS_Shared_DB_Howto | | | | For an engineering draft on | | | | the changes in the shared NSS | | | | databases, see | | | | the NSS project wiki: | | | | | | | | o https:// | | | | wiki.mozilla.org/NSS_Shared_DB | | | | See Also | | | | pk12util (1) | | | | modutil (1) | | | | certutil has arguments or | | | | operations that use features | | | | defined in several | | | | IETF RFCs. | | | | | | | | o `http://tools.ietf.org/htm | | | | l/rfc5280 `__ | | | | | | | | o `http://tools.ietf.org/htm | | | | l/rfc1113 `__ | | | | | | | | o `http://tools.ietf.org/htm | | | | l/rfc1485 `__ | | | | The NSS wiki has | | | | information on the new | | | | database design and how to | | | | configure applications to | | | | use it. | | | | | | | | o https://wiki.m | | | | ozilla.org/NSS_Shared_DB_Howto | | | | | | | | o https:// | | | | wiki.mozilla.org/NSS_Shared_DB | | | | Additional Resources | | | | For information about NSS | | | | and other tools related to NSS | | | | (like JSS), check | | | | out the NSS project wiki at | | | | | | | | [1]\ `http://www.mozil | | | | la.org/projects/security/pki/n | | | | ss/ `__. | | | | The NSS site relates | | | | directly to NSS code | | | | changes and releases. | | | | Mailing lists: | | | | https://lists.mozill | | | | a.org/listinfo/dev-tech-crypto | | | | IRC: Freenode at | | | | #dogtag-pki | | | | Authors | | | | The NSS tools were written | | | | and maintained by developers | | | | with Netscape, Red | | | | Hat, and Sun. | | | | Authors: Elio Maldonado | | | | , Deon | | | | Lackey | | | | . | | | | Copyright | | | | (c) 2010, Red Hat, Inc. | | | | Licensed under the GNU Public | | | | License version 2. | | | | References | | | | Visible links | | | | 1. | | | | `http://www.mozi | | | | lla.org/projects/security/pki/ | | | | nss/ `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 339 | :ref:`mozil | | | | la_projects_nss_tools_cmsutil` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | | | | cmsutil — Performs basic | | | | cryptograpic operations, such | | | | as encryption and | | | | decryption, on | | | | Cryptographic Message Syntax | | | | (CMS) messages. | | | | Synopsis | | | | cmsutil [options] | | | | `arguments `__ | | | | Description | | | | The cmsutil command-line | | | | uses the S/MIME Toolkit to | | | | perform basic | | | | operations, such as | | | | encryption and decryption, on | | | | Cryptographic Message | | | | Syntax (CMS) messages. | | | | To run cmsutil, type the | | | | command cmsutil option | | | | [arguments] where option | | | | and arguments are | | | | combinations of the options | | | | and arguments listed in the | | | | following section. Each | | | | command takes one option. Each | | | | option may take | | | | zero or more arguments. To | | | | see a usage string, issue the | | | | command without | | | | options. | | | | Options and Arguments | | | | Options | | | | Options specify an action. | | | | Option arguments modify an | | | | action. The options | | | | and arguments for the | | | | cmsutil command are defined as | | | | follows: | | | | -D | | | | Decode a message. | | | | -C | | | | Encrypt a message. | | | | -E | | | | Envelope a message. | | | | -O | | | | Create a | | | | certificates-only message. | | | | -S | | | | Sign a message. | | | | Arguments | | | | Option arguments modify an | | | | action and are lowercase. | | | | -c content | | | | Use this detached | | | | content (decode only). | | | | -d dbdir | | | | Specify the | | | | key/certificate database | | | | directory (default is ".") | | | | -e envfile | | | | Specify a file | | | | containing an enveloped | | | | message for a set of | | | | recipients to which | | | | you would like to send an | | | | encrypted message. | | | | If this is the | | | | first encrypted message for | | | | that set of recipients, | | | | a new enveloped | | | | message will be created that | | | | you can then use for | | | | future messages | | | | (encrypt only). | | | | -G | | | | Include a signing | | | | time attribute (sign only). | | | | -h num | | | | Generate email | | | | headers with info about CMS | | | | message (decode only). | | | | -i infile | | | | Use infile as a | | | | source of data (default is | | | | stdin). | | | | -N nickname | | | | Specify nickname of | | | | certificate to sign with (sign | | | | only). | | | | -n | | | | Suppress output of | | | | contents (decode only). | | | | -o outfile | | | | Use outfile as a | | | | destination of data (default | | | | is stdout). | | | | -P | | | | Include an S/MIME | | | | capabilities attribute. | | | | -p password | | | | Use password as key | | | | database password. | | | | -r recipient1,recipient2, | | | | ... | | | | Specify list of | | | | recipients (email addresses) | | | | for an encrypted or | | | | enveloped message. | | | | For certificates-only message, | | | | list of | | | | certificates to | | | | send. | | | | -T | | | | Suppress content in | | | | CMS message (sign only). | | | | -u certusage | | | | Set type of cert | | | | usage (default is | | | | certUsageEmailSigner). | | | | -Y ekprefnick | | | | Specify an | | | | encryption key preference by | | | | nickname. | | | | Usage | | | | Encrypt Example | | | | cmsutil -C [-i infile] [-o | | | | outfile] [-d dbdir] [-p | | | | password] -r | | | | "recipient1,recipient2, . . ." | | | | -e envfile | | | | Decode Example | | | | cmsutil -D [-i infile] [-o | | | | outfile] [-d dbdir] [-p | | | | password] [-c content] [-n] | | | | [-h num] | | | | Envelope Example | | | | cmsutil -E [-i infile] [-o | | | | outfile] [-d dbdir] [-p | | | | password] -r | | | | "recipient1,recipient2, ..." | | | | Certificate-only Example | | | | cmsutil -O [-i infile] [-o | | | | outfile] [-d dbdir] [-p | | | | password] -r "cert1,cert2, . . | | | | ." | | | | Sign Message Example | | | | cmsutil -S [-i infile] [-o | | | | outfile] [-d dbdir] [-p | | | | password] -N nickname[-TGP] | | | | [-Y ekprefnick] | | | | See also | | | | certutil(1) | | | | See Also | | | | Additional Resources | | | | NSS is maintained in | | | | conjunction with PKI and | | | | security-related projects | | | | through Mozilla dn Fedora. | | | | The most closely-related | | | | project is Dogtag PKI, | | | | with a project wiki at | | | | [1]\ http: | | | | //pki.fedoraproject.org/wiki/. | | | | For information | | | | specifically about NSS, the | | | | NSS project wiki is located at | | | | | | | | [2]\ `http://www.mozil | | | | la.org/projects/security/pki/n | | | | ss/ `__. | | | | The NSS site relates | | | | directly to NSS code | | | | changes and releases. | | | | Mailing lists: | | | | pki-devel@redhat.com and | | | | pki-users@redhat.com | | | | IRC: Freenode at | | | | #dogtag-pki | | | | Authors | | | | The NSS tools were written | | | | and maintained by developers | | | | with Netscape and | | | | now with Red Hat. | | | | Authors: Elio Maldonado | | | | , Deon | | | | Lackey | | | | . | | | | Copyright | | | | (c) 2010, Red Hat, Inc. | | | | Licensed under the GNU Public | | | | License version 2. | | | | References | | | | Visible links | | | | 1. | | | | http | | | | ://pki.fedoraproject.org/wiki/ | | | | 2. | | | | `http://www.mozi | | | | lla.org/projects/security/pki/ | | | | nss/ `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 340 | :ref:`mozil | | | | la_projects_nss_tools_crlutil` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | | | | crlutil — List, generate, | | | | modify, or delete CRLs within | | | | the NSS security | | | | database file(s) and list, | | | | create, modify or delete | | | | certificates entries | | | | in a particular CRL. | | | | Synopsis | | | | crlutil [options] | | | | `arguments `__ | | | | Description | | | | The Certificate Revocation | | | | List (CRL) Management Tool, | | | | crlutil, is a | | | | command-line utility that | | | | can list, generate, modify, or | | | | delete CRLs | | | | within the NSS security | | | | database file(s) and list, | | | | create, modify or | | | | delete certificates entries | | | | in a particular CRL. | | | | The key and certificate | | | | management process generally | | | | begins with creating | | | | keys in the key database, | | | | then generating and managing | | | | certificates in the | | | | certificate database(see | | | | certutil tool) and continues | | | | with certificates | | | | expiration or revocation. | | | | This document discusses | | | | certificate revocation list | | | | management. For | | | | information on security | | | | module database management, | | | | see Using the Security | | | | Module Database Tool. For | | | | information on certificate and | | | | key database | | | | management, see Using the | | | | Certificate Database Tool. | | | | To run the Certificate | | | | Revocation List Management | | | | Tool, type the command | | | | crlutil option [arguments] | | | | where options and arguments | | | | are combinations of the | | | | options and arguments | | | | listed in the following | | | | section. Each command takes | | | | one option. Each | | | | option may take zero or | | | | more arguments. To see a usage | | | | string, issue the | | | | command without options, or | | | | with the -H option. | | | | Options and Arguments | | | | Options | | | | Options specify an action. | | | | Option arguments modify an | | | | action. The options | | | | and arguments for the | | | | crlutil command are defined as | | | | follows: | | | | -G | | | | Create new | | | | Certificate Revocation | | | | List(CRL). | | | | -D | | | | Delete Certificate | | | | Revocation List from cert | | | | database. | | | | -I | | | | Import a CRL to the | | | | cert database | | | | -E | | | | Erase all CRLs of | | | | specified type from the cert | | | | database | | | | -L | | | | List existing CRL | | | | located in cert database file. | | | | -M | | | | Modify existing CRL | | | | which can be located in cert | | | | db or in | | | | arbitrary file. If | | | | located in file it should be | | | | encoded in ASN.1 | | | | encode format. | | | | -G | | | | Arguments | | | | Option arguments modify an | | | | action and are lowercase. | | | | -B | | | | Bypass CA signature | | | | checks. | | | | -P dbprefix | | | | Specify the prefix | | | | used on the NSS security | | | | database files (for | | | | example, | | | | my_cert8.db and my_key3.db). | | | | This option is provided as a | | | | special case. | | | | Changing the names of the | | | | certificate and key | | | | databases is not | | | | recommended. | | | | -a | | | | Use ASCII format or | | | | allow the use of ASCII format | | | | for input and | | | | output. This | | | | formatting follows RFC #1113. | | | | -c crl-gen-file | | | | Specify script file | | | | that will be used to control | | | | crl | | | | | | | | generation/modification. See | | | | crl-cript-file format below. | | | | If | | | | options -M|-G is | | | | used and -c crl-script-file is | | | | not specified, | | | | crlutil will read | | | | script data from standard | | | | input. | | | | -d directory | | | | Specify the | | | | database directory containing | | | | the certificate and key | | | | database files. On | | | | Unix the Certificate Database | | | | Tool defaults to | | | | $HOME/.netscape | | | | (that is, ~/.netscape). On | | | | Windows NT the default | | | | is the current | | | | directory. | | | | The NSS database | | | | files must reside in the same | | | | directory. | | | | -i crl-import-file | | | | Specify the file | | | | which contains the CRL to | | | | import | | | | -f password-file | | | | Specify a file that | | | | will automatically supply the | | | | password to | | | | include in a | | | | certificate or to access a | | | | certificate database. This | | | | is a plain-text | | | | file containing one password. | | | | Be sure to prevent | | | | unauthorized access | | | | to this file. | | | | -l algorithm-name | | | | Specify a specific | | | | signature algorithm. List of | | | | possible | | | | algorithms: MD2 \| | | | | MD4 \| MD5 \| SHA1 \| SHA256 | | | | \| SHA384 \| SHA512 | | | | -n nickname | | | | Specify the | | | | nickname of a certificate or | | | | key to list, create, add | | | | to a database, | | | | modify, or validate. Bracket | | | | the nickname string | | | | with quotation | | | | marks if it contains spaces. | | | | -o output-file | | | | Specify the output | | | | file name for new CRL. Bracket | | | | the output-file | | | | string with | | | | quotation marks if it contains | | | | spaces. If this | | | | argument is not | | | | used the output destination | | | | defaults to standard | | | | output. | | | | -t crl-type | | | | Specify type of | | | | CRL. possible types are: 0 - | | | | SEC_KRL_TYPE, 1 - | | | | SEC_CRL_TYPE. This | | | | option is obsolete | | | | -u url | | | | Specify the url. | | | | CRL Generation script syntax | | | | CRL generation script file | | | | has the following syntax: | | | | \* Line with comments | | | | should have # as a first | | | | symbol of a line | | | | \* Set "this update" or | | | | "next update" CRL fields: | | | | update=YYYYMMDDhhmmssZ | | | | nextupdate=YYYYMMDDhhmmssZ | | | | Field "next update" is | | | | optional. Time should be in | | | | GeneralizedTime format | | | | (YYYYMMDDhhmmssZ). For | | | | example: 20050204153000Z | | | | \* Add an extension to a | | | | CRL or a crl certificate | | | | entry: | | | | addext extension-name | | | | critical/non-critical | | | | [arg1[arg2 ...]] | | | | Where: | | | | extension-name: string | | | | value of a name of known | | | | extensions. | | | | critical/non-critical: is 1 | | | | when extension is critical and | | | | 0 otherwise. | | | | arg1, arg2: specific to | | | | extension type extension | | | | parameters | | | | addext uses the range that | | | | was set earlier by addcert and | | | | will install an | | | | extension to every cert | | | | entries within the range. | | | | \* Add certificate | | | | entries(s) to CRL: | | | | addcert range date | | | | range: two integer values | | | | separated by dash: range of | | | | certificates that | | | | will be added by this | | | | command. dash is used as a | | | | delimiter. Only one cert | | | | will be added if there is | | | | no delimiter. date: revocation | | | | date of a cert. | | | | Date should be represented | | | | in GeneralizedTime format | | | | (YYYYMMDDhhmmssZ). | | | | \* Remove certificate | | | | entry(s) from CRL | | | | rmcert range | | | | Where: | | | | range: two integer values | | | | separated by dash: range of | | | | certificates that | | | | will be added by this | | | | command. dash is used as a | | | | delimiter. Only one cert | | | | will be added if there is | | | | no delimiter. | | | | \* Change range of | | | | certificate entry(s) in CRL | | | | range new-range | | | | Where: | | | | new-range: two integer | | | | values separated by dash: | | | | range of certificates | | | | that will be added by this | | | | command. dash is used as a | | | | delimiter. Only one | | | | cert will be added if there | | | | is no delimiter. | | | | Implemented Extensions | | | | The extensions defined for | | | | CRL provide methods for | | | | associating additional | | | | attributes with CRLs of | | | | theirs entries. For more | | | | information see RFC #3280 | | | | \* Add The Authority Key | | | | Identifier extension: | | | | The authority key | | | | identifier extension provides | | | | a means of identifying the | | | | public key corresponding to | | | | the private key used to sign a | | | | CRL. | | | | authKeyId critical [key-id | | | | \| dn cert-serial] | | | | Where: | | | | authKeyIdent: identifies | | | | the name of an extension | | | | critical: value of 1 of | | | | 0. Should be set to 1 if | | | | this extension is critical or | | | | 0 otherwise. | | | | key-id: key identifier | | | | represented in octet string. | | | | dn:: is a CA | | | | distinguished name | | | | cert-serial: authority | | | | certificate serial number. | | | | \* Add Issuer Alternative | | | | Name extension: | | | | The issuer alternative | | | | names extension allows | | | | additional identities to be | | | | associated with the issuer | | | | of the CRL. Defined options | | | | include an rfc822 | | | | name (electronic mail | | | | address), a DNS name, an IP | | | | address, and a URI. | | | | issuerAltNames non-critical | | | | name-list | | | | Where: | | | | subjAltNames: identifies | | | | the name of an extension | | | | should be set to 0 since | | | | this is non-critical | | | | extension name-list: comma | | | | separated list of names | | | | \* Add CRL Number | | | | extension: | | | | The CRL number is a | | | | non-critical CRL extension | | | | which conveys a | | | | monotonically increasing | | | | sequence number for a given | | | | CRL scope and CRL | | | | issuer. This extension | | | | allows users to easily | | | | determine when a particular | | | | CRL supersedes another CRL | | | | crlNumber non-critical | | | | number | | | | Where: | | | | crlNumber: identifies the | | | | name of an extension critical: | | | | should be set to | | | | 0 since this is | | | | non-critical extension number: | | | | value of long which | | | | identifies the sequential | | | | number of a CRL. | | | | \* Add Revocation Reason | | | | Code extension: | | | | The reasonCode is a | | | | non-critical CRL entry | | | | extension that identifies the | | | | reason for the certificate | | | | revocation. | | | | reasonCode non-critical | | | | code | | | | Where: | | | | reasonCode: identifies the | | | | name of an extension | | | | non-critical: should be | | | | set to 0 since this is | | | | non-critical extension code: | | | | the following codes | | | | are available: | | | | unspecified (0), | | | | keyCompromise (1), | | | | cACompromise (2), | | | | affiliationChanged | | | | (3), superseded (4), | | | | cessationOfOperation (5), | | | | certificateHold (6), | | | | removeFromCRL (8), | | | | privilegeWithdrawn (9), | | | | aACompromise (10) | | | | \* Add Invalidity Date | | | | extension: | | | | The invalidity date is a | | | | non-critical CRL entry | | | | extension that provides | | | | the date on which it is | | | | known or suspected that the | | | | private key was | | | | compromised or that the | | | | certificate otherwise became | | | | invalid. | | | | invalidityDate non-critical | | | | date | | | | Where: | | | | crlNumber: identifies the | | | | name of an extension | | | | non-critical: should be set | | | | to 0 since this is | | | | non-critical extension date: | | | | invalidity date of a cert. | | | | Date should be represented | | | | in GeneralizedTime format | | | | (YYYYMMDDhhmmssZ). | | | | Usage | | | | The Certificate Revocation | | | | List Management Tool's | | | | capabilities are grouped | | | | as follows, using these | | | | combinations of options and | | | | arguments. Options and | | | | arguments in square | | | | brackets are optional, those | | | | without square brackets | | | | are required. | | | | See "Implemented | | | | extensions" for more | | | | information regarding | | | | extensions and | | | | their parameters. | | | | \* Creating or modifying a | | | | CRL: | | | | crlutil -G|-M -c crl-gen-file | | | | -n nickname [-i crl] [-u url] | | | | [-d keydir] [-P dbprefix] [-l | | | | alg] [-a] [-B] | | | | \* Listing all CRls or a | | | | named CRL: | | | | crlutil -L [-n | | | | crl-name] [-d krydir] | | | | \* Deleting CRL from db: | | | | crlutil -D -n | | | | nickname [-d keydir] [-P | | | | dbprefix] | | | | \* Erasing CRLs from db: | | | | crlutil -E [-d | | | | keydir] [-P dbprefix] | | | | \* Deleting CRL from db: | | | | crlutil -D -n | | | | nickname [-d keydir] [-P | | | | dbprefix] | | | | \* Erasing CRLs from db: | | | | crlutil -E [-d | | | | keydir] [-P dbprefix] | | | | \* Import CRL from file: | | | | crlutil -I -i crl | | | | [-t crlType] [-u url] [-d | | | | keydir] [-P dbprefix] [-B] | | | | See also | | | | certutil(1) | | | | See Also | | | | Additional Resources | | | | NSS is maintained in | | | | conjunction with PKI and | | | | security-related projects | | | | through Mozilla dn Fedora. | | | | The most closely-related | | | | project is Dogtag PKI, | | | | with a project wiki at | | | | [1]\ http: | | | | //pki.fedoraproject.org/wiki/. | | | | For information | | | | specifically about NSS, the | | | | NSS project wiki is located at | | | | | | | | [2]\ `http://www.mozil | | | | la.org/projects/security/pki/n | | | | ss/ `__. | | | | The NSS site relates | | | | directly to NSS code | | | | changes and releases. | | | | Mailing lists: | | | | pki-devel@redhat.com and | | | | pki-users@redhat.com | | | | IRC: Freenode at | | | | #dogtag-pki | | | | Authors | | | | The NSS tools were written | | | | and maintained by developers | | | | with Netscape and | | | | now with Red Hat. | | | | Authors: Elio Maldonado | | | | , Deon | | | | Lackey | | | | . | | | | Copyright | | | | (c) 2010, Red Hat, Inc. | | | | Licensed under the GNU Public | | | | License version 2. | | | | References | | | | Visible links | | | | 1. | | | | http | | | | ://pki.fedoraproject.org/wiki/ | | | | 2. | | | | `http://www.mozi | | | | lla.org/projects/security/pki/ | | | | nss/ `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 341 | :ref:`mozil | | | | la_projects_nss_tools_modutil` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | | | | modutil — Manage PKCS #11 | | | | module information within the | | | | security module | | | | database. | | | | Synopsis | | | | modutil [options] | | | | `arguments `__ | | | | Description | | | | The Security Module | | | | Database Tool, modutil, is a | | | | command-line utility for | | | | managing PKCS #11 module | | | | information both within | | | | secmod.db files and | | | | within hardware tokens. | | | | modutil can add and delete | | | | PKCS #11 modules, | | | | change passwords on | | | | security databases, set | | | | defaults, list module | | | | contents, enable or disable | | | | slots, enable or disable FIPS | | | | 140-2 | | | | compliance, and assign | | | | default providers for | | | | cryptographic operations. | | | | This tool can also create | | | | certificate, key, and module | | | | security database | | | | files. | | | | The tasks associated with | | | | security module database | | | | management are part of | | | | a process that typically | | | | also involves managing key | | | | databases and | | | | certificate databases. | | | | Options | | | | Running modutil always | | | | requires one (and only one) | | | | option to specify the | | | | type of module operation. | | | | Each option may take | | | | arguments, anywhere from | | | | none to multiple arguments. | | | | Options | | | | -add modulename | | | | Add the named PKCS | | | | #11 module to the database. | | | | Use this option | | | | with the -libfile, | | | | -ciphers, and -mechanisms | | | | arguments. | | | | -changepw tokenname | | | | Change the password | | | | on the named token. If the | | | | token has not been | | | | initialized, this | | | | option initializes the | | | | password. Use this option | | | | with the -pwfile | | | | and -newpwfile arguments. A | | | | password is | | | | equivalent to a | | | | personal identification number | | | | (PIN). | | | | -chkfips | | | | Verify whether the | | | | module is in the given FIPS | | | | mode. true means to | | | | verify that the | | | | module is in FIPS mode, while | | | | false means to | | | | verify that the | | | | module is not in FIPS mode. | | | | -create | | | | Create new | | | | certificate, key, and module | | | | databases. Use the -dbdir | | | | directory argument | | | | to specify a directory. If any | | | | of these | | | | databases already | | | | exist in a specified | | | | directory, modutil returns | | | | an error message. | | | | -default modulename | | | | Specify the | | | | security mechanisms for which | | | | the named module will be | | | | a default provider. | | | | The security mechanisms are | | | | specified with the | | | | -mechanisms | | | | argument. | | | | -delete modulename | | | | Delete the named | | | | module. The default NSS PKCS | | | | #11 module cannot be | | | | deleted. | | | | -disable modulename | | | | Disable all slots | | | | on the named module. Use the | | | | -slot argument to | | | | disable a specific | | | | slot. | | | | -enable modulename | | | | Enable all slots on | | | | the named module. Use the | | | | -slot argument to | | | | enable a specific | | | | slot. | | | | -fips [true \| false] | | | | Enable (true) or | | | | disable (false) FIPS 140-2 | | | | compliance for the | | | | default NSS module. | | | | -force | | | | Disable modutil's | | | | interactive prompts so it can | | | | be run from a | | | | script. Use this | | | | option only after manually | | | | testing each planned | | | | operation to check | | | | for warnings and to ensure | | | | that bypassing the | | | | prompts will cause | | | | no security lapses or loss of | | | | database | | | | integrity. | | | | -jar JAR-file | | | | Add a new PKCS #11 | | | | module to the database using | | | | the named JAR | | | | file. Use this | | | | command with the -installdir | | | | and -tempdir | | | | arguments. The JAR | | | | file uses the NSS PKCS #11 JAR | | | | format to | | | | identify all the | | | | files to be installed, the | | | | module's name, the | | | | mechanism flags, | | | | and the cipher flags, as well | | | | as any files to be | | | | installed on the | | | | target machine, including the | | | | PKCS #11 module | | | | library file and | | | | other files such as | | | | documentation. This is | | | | covered in the JAR | | | | installation file section in | | | | the man page, | | | | which details the | | | | special script needed to | | | | perform an installation | | | | through a server or | | | | with modutil. | | | | -list [modulename] | | | | Display basic | | | | information about the contents | | | | of the secmod.db | | | | file. Specifying a | | | | modulename displays detailed | | | | information about | | | | a particular module | | | | and its slots and tokens. | | | | -rawadd | | | | Add the module spec | | | | string to the secmod.db | | | | database. | | | | -rawlist | | | | Display the module | | | | specs for a specified module | | | | or for all | | | | loadable modules. | | | | -undefault modulename | | | | Specify the | | | | security mechanisms for which | | | | the named module will | | | | not be a default | | | | provider. The security | | | | mechanisms are specified | | | | with the | | | | -mechanisms argument. | | | | Arguments | | | | MODULE | | | | Give the security | | | | module to access. | | | | MODULESPEC | | | | Give the security | | | | module spec to load into the | | | | security database. | | | | -ciphers cipher-enable-list | | | | Enable specific | | | | ciphers in a module that is | | | | being added to the | | | | database. The | | | | cipher-enable-list is a | | | | colon-delimited list of | | | | cipher names. | | | | Enclose this list in quotation | | | | marks if it contains | | | | spaces. | | | | -dbdir [sql:]directory | | | | Specify the | | | | database directory in which to | | | | access or create | | | | security module | | | | database files. | | | | modutil supports | | | | two types of databases: the | | | | legacy security | | | | databases | | | | (cert8.db, key3.db, and | | | | secmod.db) and new SQLite | | | | databases | | | | (cert9.db, key4.db, and | | | | pkcs11.txt). If the prefix | | | | sql: | | | | is not used, then | | | | the tool assumes that the | | | | given databases are in | | | | the old format. | | | | --dbprefix prefix | | | | Specify the prefix | | | | used on the database files, | | | | such as my\_ for | | | | my_cert8.db. This | | | | option is provided as a | | | | special case. Changing | | | | the names of the | | | | certificate and key databases | | | | is not recommended. | | | | -installdir | | | | root-installation-directory | | | | Specify the root | | | | installation directory | | | | relative to which files | | | | will be installed | | | | by the -jar option. This | | | | directory should be one | | | | below which it is | | | | appropriate to store dynamic | | | | library files, such | | | | as a server's root | | | | directory. | | | | -libfile library-file | | | | Specify a path to a | | | | library file containing the | | | | implementation of | | | | the PKCS #11 | | | | interface module that is being | | | | added to the database. | | | | -mechanisms mechanism-list | | | | Specify the | | | | security mechanisms for which | | | | a particular module will | | | | be flagged as a | | | | default provider. The | | | | mechanism-list is a | | | | colon-delimited | | | | list of mechanism names. | | | | Enclose this list in | | | | quotation marks if | | | | it contains spaces. | | | | The module becomes | | | | a default provider for the | | | | listed mechanisms | | | | when those | | | | mechanisms are enabled. If | | | | more than one module claims | | | | to be a particular | | | | mechanism's default provider, | | | | that mechanism's | | | | default provider is | | | | undefined. | | | | modutil supports | | | | several mechanisms: RSA, DSA, | | | | RC2, RC4, RC5, AES, | | | | DES, DH, SHA1, | | | | SHA256, SHA512, SSL, TLS, MD5, | | | | MD2, RANDOM (for | | | | random number | | | | generation), and FRIENDLY | | | | (meaning certificates are | | | | publicly readable). | | | | -newpwfile | | | | new-password-file | | | | Specify a text file | | | | containing a token's new or | | | | replacement | | | | password so that a | | | | password can be entered | | | | automatically with the | | | | -changepw option. | | | | -nocertdb | | | | Do not open the | | | | certificate or key databases. | | | | This has several | | | | effects: | | | | o With the | | | | -create command, only a module | | | | security file is | | | | created; | | | | certificate and key databases | | | | are not created. | | | | o With the -jar | | | | command, signatures on the JAR | | | | file are not | | | | checked. | | | | o With the | | | | -changepw command, the | | | | password on the NSS internal | | | | module cannot | | | | be set or changed, since this | | | | password is | | | | stored in the | | | | key database. | | | | -pwfile old-password-file | | | | Specify a text file | | | | containing a token's existing | | | | password so that | | | | a password can be | | | | entered automatically when the | | | | -changepw option | | | | is used to change | | | | passwords. | | | | -secmod secmodname | | | | Give the name of | | | | the security module database | | | | (like secmod.db) to | | | | load. | | | | -slot slotname | | | | Specify a | | | | particular slot to be enabled | | | | or disabled with the | | | | -enable or -disable | | | | options. | | | | -string CONFIG_STRING | | | | Pass a | | | | configuration string for the | | | | module being added to the | | | | database. | | | | -tempdir | | | | temporary-directory | | | | Give a directory | | | | location where temporary files | | | | are created during | | | | the installation by | | | | the -jar option. If no | | | | temporary directory is | | | | specified, the | | | | current directory is used. | | | | Usage and Examples | | | | Creating Database Files | | | | Before any operations can | | | | be performed, there must be a | | | | set of security | | | | databases available. | | | | modutil can be used to create | | | | these files. The only | | | | required argument is the | | | | database that where the | | | | databases will be | | | | located. | | | | modutil -create -dbdir | | | | [sql:]directory | | | | Adding a Cryptographic | | | | Module | | | | Adding a PKCS #11 module | | | | means submitting a supporting | | | | library file, | | | | enabling its ciphers, and | | | | setting default provider | | | | status for various | | | | security mechanisms. This | | | | can be done by supplying all | | | | of the information | | | | through modutil directly or | | | | by running a JAR file and | | | | install script. For | | | | the most basic case, simply | | | | upload the library: | | | | modutil -add modulename | | | | -libfile library-file | | | | [-ciphers cipher-enable-list] | | | | [-mechanisms mechanism-list] | | | | For example: | | | | modutil -dbdir | | | | sql:/home/my/sharednssdb -add | | | | "Example PKCS #11 Module" | | | | -libfile "/tmp/crypto.so" | | | | -mechanisms RSA:DSA:RC2:RANDOM | | | | Using database directory ... | | | | Module "Example PKCS #11 | | | | Module" added to database. | | | | Installing a Cryptographic | | | | Module from a JAR File | | | | PKCS #11 modules can also | | | | be loaded using a JAR file, | | | | which contains all | | | | of the required libraries | | | | and an installation script | | | | that describes how to | | | | install the module. The JAR | | | | install script is described in | | | | more detail in | | | | [1]the section called “JAR | | | | Installation File Format”. | | | | The JAR installation script | | | | defines the setup information | | | | for each | | | | platform that the module | | | | can be installed on. For | | | | example: | | | | Platforms { | | | | Linux:5.4.08:x86 { | | | | ModuleName { "Example | | | | PKCS #11 Module" } | | | | ModuleFile { crypto.so | | | | } | | | | | | | | DefaultMechanismFlags{0x0000} | | | | | | | | CipherEnableFlags{0x0000} | | | | Files { | | | | crypto.so { | | | | Path{ | | | | /tmp/crypto.so } | | | | } | | | | setup.sh { | | | | Executable | | | | Path{ | | | | /tmp/setup.sh } | | | | } | | | | } | | | | } | | | | Linux:6.0.0:x86 { | | | | EquivalentPlatform { | | | | Linux:5.4.08:x86 } | | | | } | | | | } | | | | Both the install script and | | | | the required libraries must be | | | | bundled in a | | | | JAR file, which is | | | | specified with the -jar | | | | argument. | | | | modutil -dbdir | | | | sql:/home/mt | | | | "jar-install-filey/sharednssdb | | | | -jar install.jar -installdir | | | | sql:/home/my/sharednssdb | | | | This installation JAR file | | | | was signed by: | | | | ---------------- | | | | ------------------------------ | | | | **SUBJECT NAME*\* | | | | C=US, ST=California, | | | | L=Mountain View, | | | | CN=Cryptorific Inc., | | | | OU=Digital ID | | | | Class 3 - Netscape Object | | | | Signing, | | | | OU="w | | | | ww.verisign.com/repository/CPS | | | | Incorp. by Ref.,LIAB.LTD(c)9 | | | | 6", OU=www.verisign.com/CPS | | | | Incorp.by Ref | | | | . LIABILITY LTD.(c)97 | | | | VeriSign, OU=VeriSign Object | | | | Signing CA - Class 3 | | | | Organization, OU="VeriSign, | | | | Inc.", O=VeriSign Trust | | | | Network \**ISSUER | | | | NAME**, | | | | OU=www.verisign.com/CPS | | | | Incorp.by Ref. LIABILITY | | | | LTD.(c)97 | | | | VeriSign, OU=VeriSign Object | | | | Signing CA - Class 3 | | | | Organization, | | | | OU="VeriSign, Inc.", | | | | O=VeriSign Trust Network | | | | ---------------- | | | | ------------------------------ | | | | Do you wish to continue this | | | | installation? (y/n) y | | | | Using installer script | | | | "installer_script" | | | | Successfully parsed | | | | installation script | | | | Current platform is | | | | Linux:5.4.08:x86 | | | | Using installation parameters | | | | for platform Linux:5.4.08:x86 | | | | Installed file crypto.so to | | | | /tmp/crypto.so | | | | Installed file setup.sh to | | | | ./pk11inst.dir/setup.sh | | | | Executing | | | | "./pk11inst.dir/setup.sh"... | | | | "./pk11inst.dir/setup.sh" | | | | executed successfully | | | | Installed module "Example | | | | PKCS #11 Module" into module | | | | database | | | | Installation completed | | | | successfully | | | | Adding Module Spec | | | | Each module has information | | | | stored in the security | | | | database about its | | | | configuration and | | | | parameters. These can be added | | | | or edited using the | | | | -rawadd command. For the | | | | current settings or to see the | | | | format of the | | | | module spec in the | | | | database, use the -rawlist | | | | option. | | | | modutil -rawadd modulespec | | | | Deleting a Module | | | | A specific PKCS #11 module | | | | can be deleted from the | | | | secmod.db database: | | | | modutil -delete modulename | | | | -dbdir [sql:]directory | | | | Displaying Module | | | | Information | | | | The secmod.db database | | | | contains information about the | | | | PKCS #11 modules | | | | that are available to an | | | | application or server to use. | | | | The list of all | | | | modules, information about | | | | specific modules, and database | | | | configuration | | | | specs for modules can all | | | | be viewed. | | | | To simply get a list of | | | | modules in the database, use | | | | the -list command. | | | | modutil -list [modulename] | | | | -dbdir [sql:]directory | | | | Listing the modules shows | | | | the module name, their status, | | | | and other | | | | associated security | | | | databases for certificates and | | | | keys. For example: | | | | modutil -list -dbdir | | | | sql:/home/my/sharednssdb | | | | Listing of PKCS #11 Modules | | | | ----------------------------- | | | | ------------------------------ | | | | 1. NSS Internal PKCS #11 | | | | Module | | | | slots: 2 slots | | | | attached | | | | status: loaded | | | | slot: NSS Internal | | | | Cryptographic Services | | | | token: NSS Generic | | | | Crypto Services | | | | slot: NSS User | | | | Private Key and Certificate | | | | Services | | | | token: NSS | | | | Certificate DB | | | | ----------------------------- | | | | ------------------------------ | | | | Passing a specific module | | | | name with the -list returns | | | | details information | | | | about the module itself, | | | | like supported cipher | | | | mechanisms, version | | | | numbers, serial numbers, | | | | and other information about | | | | the module and the | | | | token it is loaded on. For | | | | example: | | | | modutil -list "NSS Internal | | | | PKCS #11 Module" -dbdir | | | | sql:/home/my/sharednssdb | | | | ----------------------------- | | | | ------------------------------ | | | | Name: NSS Internal PKCS #11 | | | | Module | | | | Library file: \**Internal | | | | ONLY module*\* | | | | Manufacturer: Mozilla | | | | Foundation | | | | Description: NSS Internal | | | | Crypto Services | | | | PKCS #11 Version 2.20 | | | | Library Version: 3.11 | | | | Cipher Enable Flags: None | | | | Default Mechanism Flags: | | | | RSA:RC2:RC4:D | | | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES | | | | Slot: NSS Internal | | | | Cryptographic Services | | | | Slot Mechanism Flags: | | | | RSA:RC2:RC4:D | | | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES | | | | Manufacturer: Mozilla | | | | Foundation | | | | Type: Software | | | | Version Number: 3.11 | | | | Firmware Version: 0.0 | | | | Status: Enabled | | | | Token Name: NSS Generic | | | | Crypto Services | | | | Token Manufacturer: Mozilla | | | | Foundation | | | | Token Model: NSS 3 | | | | Token Serial Number: | | | | 0000000000000000 | | | | Token Version: 4.0 | | | | Token Firmware Version: 0.0 | | | | Access: Write Protected | | | | Login Type: Public (no | | | | login required) | | | | User Pin: NOT Initialized | | | | Slot: NSS User Private Key | | | | and Certificate Services | | | | Slot Mechanism Flags: None | | | | Manufacturer: Mozilla | | | | Foundation | | | | Type: Software | | | | Version Number: 3.11 | | | | Firmware Version: 0.0 | | | | Status: Enabled | | | | Token Name: NSS Certificate | | | | DB | | | | Token Manufacturer: Mozilla | | | | Foundation | | | | Token Model: NSS 3 | | | | Token Serial Number: | | | | 0000000000000000 | | | | Token Version: 8.3 | | | | Token Firmware Version: 0.0 | | | | Access: NOT Write Protected | | | | Login Type: Login required | | | | User Pin: Initialized | | | | A related command, -rawlist | | | | returns information about the | | | | database | | | | configuration for the | | | | modules. (This information can | | | | be edited by loading | | | | new specs using the -rawadd | | | | command.) | | | | modutil -rawlist -dbdir | | | | sql:/home/my/sharednssdb | | | | name="NSS Internal PKCS #11 | | | | Module" | | | | parameters="configdir=. | | | | certPrefix= keyPrefix= | | | | secmod=secmod.db | | | | flags=readOnly " | | | | NSS="trustOrder=75 | | | | cipherOrder=100 | | | | slotParams={0x00000001=[ | | | | slotFlags=RSA,RC4,RC2,DES,DH,S | | | | HA1,MD5,MD2,SSL,TLS,AES,RANDOM | | | | askpw=any timeout=30 ] } | | | | Flags=internal,critical" | | | | Setting a Default Provider | | | | for Security Mechanisms | | | | Multiple security modules | | | | may provide support for the | | | | same security | | | | mechanisms. It is possible | | | | to set a specific security | | | | module as the | | | | default provider for a | | | | specific security mechanism | | | | (or, conversely, to | | | | prohibit a provider from | | | | supplying those mechanisms). | | | | modutil -default modulename | | | | -mechanisms mechanism-list | | | | To set a module as the | | | | default provider for | | | | mechanisms, use the -default | | | | command with a | | | | colon-separated list of | | | | mechanisms. The available | | | | mechanisms depend on the | | | | module; NSS supplies almost | | | | all common | | | | mechanisms. For example: | | | | modutil -default "NSS | | | | Internal PKCS #11 Module" | | | | -dbdir -mechanisms RSA:DSA:RC2 | | | | Using database directory | | | | c:\databases... | | | | Successfully changed | | | | defaults. | | | | Clearing the default | | | | provider has the same format: | | | | modutil -undefault "NSS | | | | Internal PKCS #11 Module" | | | | -dbdir -mechanisms MD2:MD5 | | | | Enabling and Disabling | | | | Modules and Slots | | | | Modules, and specific slots | | | | on modules, can be selectively | | | | enabled or | | | | disabled using modutil. | | | | Both commands have the same | | | | format: | | | | modutil -enable|-disable | | | | modulename [-slot slotname] | | | | For example: | | | | modutil -enable "NSS Internal | | | | PKCS #11 Module" -slot "NSS | | | | Internal Cryptographic | | | | Servi | | | | ces | | | | " -dbdir . | | | | Slot "NSS Internal | | | | Cryptographic | | | | Servi | | | | ces | | | | " enabled. | | | | Be sure that the | | | | appropriate amount of trailing | | | | whitespace is after the | | | | slot name. Some slot names | | | | have a significant amount of | | | | whitespace that | | | | must be included, or the | | | | operation will fail. | | | | Enabling and Verifying FIPS | | | | Compliance | | | | The NSS modules can have | | | | FIPS 140-2 compliance enabled | | | | or disabled using | | | | modutil with the -fips | | | | option. For example: | | | | modutil -fips true -dbdir | | | | sql:/home/my/sharednssdb/ | | | | FIPS mode enabled. | | | | To verify that status of | | | | FIPS mode, run the -chkfips | | | | command with either a | | | | true or false flag (it | | | | doesn't matter which). The | | | | tool returns the current | | | | FIPS setting. | | | | modutil -chkfips false -dbdir | | | | sql:/home/my/sharednssdb/ | | | | FIPS mode enabled. | | | | Changing the Password on a | | | | Token | | | | Initializing or changing a | | | | token's password: | | | | modutil -changepw tokenname | | | | [-pwfile old-password-file] | | | | [-newpwfile new-password-file] | | | | modutil -dbdir | | | | sql:/home/my/sharednssdb | | | | -changepw "NSS Certificate DB" | | | | Enter old password: | | | | Incorrect password, try | | | | again... | | | | Enter old password: | | | | Enter new password: | | | | Re-enter new password: | | | | Token "Communicator | | | | Certificate DB" password | | | | changed successfully. | | | | JAR Installation File Format | | | | When a JAR file is run by a | | | | server, by modutil, or by any | | | | program that | | | | does not interpret | | | | JavaScript, a special | | | | information file must be | | | | included | | | | to install the libraries. | | | | There are several things to | | | | keep in mind with | | | | this file: | | | | o It must be declared in | | | | the JAR archive's manifest | | | | file. | | | | o The script can have any | | | | name. | | | | o The metainfo tag for | | | | this is Pkcs11_install_script. | | | | To declare | | | | meta-information in the | | | | manifest file, put it in a | | | | file that is passed | | | | to signtool. | | | | Sample Script | | | | For example, the PKCS #11 | | | | installer script could be in | | | | the file | | | | pk11install. If so, the | | | | metainfo file for signtool | | | | includes a line such as | | | | this: | | | | + Pkcs11_install_script: | | | | pk11install | | | | The script must define the | | | | platform and version number, | | | | the module name | | | | and file, and any optional | | | | information like supported | | | | ciphers and | | | | mechanisms. Multiple | | | | platforms can be defined in a | | | | single install file. | | | | ForwardCompatible { | | | | IRIX:6.2:mips | | | | SUNOS:5.5.1:sparc } | | | | Platforms { | | | | WINNT::x86 { | | | | ModuleName { "Example | | | | Module" } | | | | ModuleFile { | | | | win32/fort32.dll } | | | | | | | | DefaultMechanismFlags{0x0001} | | | | | | | | DefaultCipherFlags{0x0001} | | | | Files { | | | | win32/setup.exe { | | | | Executable | | | | RelativePath { | | | | %temp%/setup.exe } | | | | } | | | | win32/setup.hlp { | | | | RelativePath { | | | | %temp%/setup.hlp } | | | | } | | | | win32/setup.cab { | | | | RelativePath { | | | | %temp%/setup.cab } | | | | } | | | | } | | | | } | | | | WIN95::x86 { | | | | EquivalentPlatform | | | | {WINNT::x86} | | | | } | | | | SUNOS:5.5.1:sparc { | | | | ModuleName { "Example | | | | UNIX Module" } | | | | ModuleFile { | | | | unix/fort.so } | | | | | | | | DefaultMechanismFlags{0x0001} | | | | | | | | CipherEnableFlags{0x0001} | | | | Files { | | | | unix/fort.so { | | | | | | | | Re | | | | lativePath{%root%/lib/fort.so} | | | | | | | | AbsolutePath{/u | | | | sr/local/netscape/lib/fort.so} | | | | | | | | FilePermissions{555} | | | | } | | | | xplat/instr.html { | | | | | | | | Relat | | | | ivePath{%root%/docs/inst.html} | | | | | | | | AbsolutePath{/usr/ | | | | local/netscape/docs/inst.html} | | | | | | | | FilePermissions{555} | | | | } | | | | } | | | | } | | | | IRIX:6.2:mips { | | | | EquivalentPlatform { | | | | SUNOS:5.5.1:sparc } | | | | } | | | | } | | | | Script Grammar | | | | The script is basic Java, | | | | allowing lists, key-value | | | | pairs, strings, and | | | | combinations of all of | | | | them. | | | | --> valuelist | | | | valuelist --> value valuelist | | | | | | | | value ---> key_value_pair | | | | string | | | | key_value_pair --> key { | | | | valuelist } | | | | key --> string | | | | string --> simple_string | | | | "complex_string" | | | | simple_string --> [^ | | | | \\t\n\""{""}"]+ | | | | complex_string --> | | | | ([^\"\\\r\n]|(\\\")|(\\\\))+ | | | | Quotes and backslashes must | | | | be escaped with a backslash. A | | | | complex string | | | | must not include newlines | | | | or carriage returns.Outside of | | | | complex strings, | | | | all white space (for | | | | example, spaces, tabs, and | | | | carriage returns) is | | | | considered equal and is | | | | used only to delimit tokens. | | | | Keys | | | | The Java install file uses | | | | keys to define the platform | | | | and module | | | | information. | | | | ForwardCompatible gives a | | | | list of platforms that are | | | | forward compatible. | | | | If the current platform | | | | cannot be found in the list of | | | | supported | | | | platforms, then the | | | | ForwardCompatible list is | | | | checked for any platforms | | | | that have the same OS and | | | | architecture in an earlier | | | | version. If one is | | | | found, its attributes are | | | | used for the current platform. | | | | Platforms (required) Gives | | | | a list of platforms. Each | | | | entry in the list is | | | | itself a key-value pair: | | | | the key is the name of the | | | | platform and the value | | | | list contains various | | | | attributes of the platform. | | | | The platform string is | | | | in the format system | | | | name:OS release:architecture. | | | | The installer obtains | | | | these values from NSPR. OS | | | | release is an empty string on | | | | non-Unix | | | | operating systems. NSPR | | | | supports these platforms: | | | | o AIX (rs6000) | | | | o BSDI (x86) | | | | o FREEBSD (x86) | | | | o HPUX (hppa1.1) | | | | o IRIX (mips) | | | | o LINUX (ppc, alpha, x86) | | | | o MacOS (PowerPC) | | | | o NCR (x86) | | | | o NEC (mips) | | | | o OS2 (x86) | | | | o OSF (alpha) | | | | o ReliantUNIX (mips) | | | | o SCO (x86) | | | | o SOLARIS (sparc) | | | | o SONY (mips) | | | | o SUNOS (sparc) | | | | o UnixWare (x86) | | | | o WIN16 (x86) | | | | o WIN95 (x86) | | | | o WINNT (x86) | | | | For example: | | | | IRIX:6.2:mips | | | | SUNOS:5.5.1:sparc | | | | Linux:2.0.32:x86 | | | | WIN95::x86 | | | | The module information is | | | | defined independently for each | | | | platform in the | | | | ModuleName, ModuleFile, and | | | | Files attributes. These | | | | attributes must be | | | | given unless an | | | | EquivalentPlatform attribute | | | | is specified. | | | | Per-Platform Keys | | | | Per-platform keys have | | | | meaning only within the value | | | | list of an entry in | | | | the Platforms list. | | | | ModuleName (required) gives | | | | the common name for the | | | | module. This name is | | | | used to reference the | | | | module by servers and by the | | | | modutil tool. | | | | ModuleFile (required) names | | | | the PKCS #11 module file for | | | | this platform. | | | | The name is given as the | | | | relative path of the file | | | | within the JAR archive. | | | | Files (required) lists the | | | | files that need to be | | | | installed for this | | | | module. Each entry in the | | | | file list is a key-value pair. | | | | The key is the | | | | path of the file in the JAR | | | | archive, and the value list | | | | contains | | | | attributes of the file. At | | | | least RelativePath or | | | | AbsolutePath must be | | | | specified for each file. | | | | DefaultMechanismFlags | | | | specifies mechanisms for which | | | | this module is the | | | | default provider; this is | | | | equivalent to the -mechanism | | | | option with the | | | | -add command. This | | | | key-value pair is a bitstring | | | | specified in hexadecimal | | | | (0x) format. It is | | | | constructed as a bitwise OR. | | | | If the | | | | DefaultMechanismFlags entry | | | | is omitted, the value defaults | | | | to 0x0. | | | | RSA: | | | | 0x00000001 | | | | DSA: | | | | 0x00000002 | | | | RC2: | | | | 0x00000004 | | | | RC4: | | | | 0x00000008 | | | | DES: | | | | 0x00000010 | | | | DH: | | | | 0x00000020 | | | | FORTEZZA: | | | | 0x00000040 | | | | RC5: | | | | 0x00000080 | | | | SHA1: | | | | 0x00000100 | | | | MD5: | | | | 0x00000200 | | | | MD2: | | | | 0x00000400 | | | | RANDOM: | | | | 0x08000000 | | | | FRIENDLY: | | | | 0x10000000 | | | | OWN_PW_DEFAULTS: | | | | 0x20000000 | | | | DISABLE: | | | | 0x40000000 | | | | CipherEnableFlags specifies | | | | ciphers that this module | | | | provides that NSS | | | | does not provide (so that | | | | the module enables those | | | | ciphers for NSS). This | | | | is equivalent to the | | | | -cipher argument with the -add | | | | command. This key is a | | | | bitstring specified in | | | | hexadecimal (0x) format. It is | | | | constructed as a | | | | bitwise OR. If the | | | | CipherEnableFlags entry is | | | | omitted, the value defaults | | | | to 0x0. | | | | EquivalentPlatform | | | | specifies that the attributes | | | | of the named platform | | | | should also be used for the | | | | current platform. This makes | | | | it easier when | | | | more than one platform uses | | | | the same settings. | | | | Per-File Keys | | | | Some keys have meaning only | | | | within the value list of an | | | | entry in a Files | | | | list. | | | | Each file requires a path | | | | key the identifies where the | | | | file is. Either | | | | RelativePath or | | | | AbsolutePath must be | | | | specified. If both are | | | | specified, the | | | | relative path is tried | | | | first, and the absolute path | | | | is used only if no | | | | relative root directory is | | | | provided by the installer | | | | program. | | | | RelativePath specifies the | | | | destination directory of the | | | | file, relative to | | | | some directory decided at | | | | install time. Two variables | | | | can be used in the | | | | relative path: %root% and | | | | %temp%. %root% is replaced at | | | | run time with the | | | | directory relative to which | | | | files should be installed; for | | | | example, it may | | | | be the server's root | | | | directory. The %temp% | | | | directory is created at the | | | | beginning of the | | | | installation and destroyed at | | | | the end. The purpose of | | | | %temp% is to hold | | | | executable files (such as | | | | setup programs) or files that | | | | are used by these programs. | | | | Files destined for the | | | | temporary directory are | | | | guaranteed to be in place | | | | before any executable file is | | | | run; they are not | | | | deleted until all | | | | executable files have | | | | finished. | | | | AbsolutePath specifies the | | | | destination directory of the | | | | file as an | | | | absolute path. | | | | Executable specifies that | | | | the file is to be executed | | | | during the course of | | | | the installation. | | | | Typically, this string is used | | | | for a setup program | | | | provided by a module | | | | vendor, such as a | | | | self-extracting setup | | | | executable. | | | | More than one file can be | | | | specified as executable, in | | | | which case the files | | | | are run in the order in | | | | which they are specified in | | | | the script file. | | | | FilePermissions sets | | | | permissions on any referenced | | | | files in a string of | | | | octal digits, according to | | | | the standard Unix format. This | | | | string is a | | | | bitwise OR. | | | | user read: | | | | 0400 | | | | user write: | | | | 0200 | | | | user execute: | | | | 0100 | | | | group read: | | | | 0040 | | | | group write: | | | | 0020 | | | | group execute: | | | | 0010 | | | | other read: | | | | 0004 | | | | other write: | | | | 0002 | | | | other execute: 0001 | | | | Some platforms may not | | | | understand these permissions. | | | | They are applied only | | | | insofar as they make sense | | | | for the current platform. If | | | | this attribute is | | | | omitted, a default of 777 | | | | is assumed. | | | | NSS Database Types | | | | NSS originally used | | | | BerkeleyDB databases to store | | | | security information. | | | | The last versions of these | | | | legacy databases are: | | | | o cert8.db for | | | | certificates | | | | o key3.db for keys | | | | o secmod.db for PKCS #11 | | | | module information | | | | BerkeleyDB has performance | | | | limitations, though, which | | | | prevent it from | | | | being easily used by | | | | multiple applications | | | | simultaneously. NSS has some | | | | flexibility that allows | | | | applications to use their own, | | | | independent | | | | database engine while | | | | keeping a shared database and | | | | working around the | | | | access issues. Still, NSS | | | | requires more flexibility to | | | | provide a truly | | | | shared security database. | | | | In 2009, NSS introduced a | | | | new set of databases that are | | | | SQLite databases | | | | rather than BerkleyDB. | | | | These new databases provide | | | | more accessibility and | | | | performance: | | | | o cert9.db for | | | | certificates | | | | o key4.db for keys | | | | o pkcs11.txt, which is | | | | listing of all of the PKCS #11 | | | | modules contained | | | | in a new subdirectory | | | | in the security databases | | | | directory | | | | Because the SQLite | | | | databases are designed to be | | | | shared, these are the | | | | shared database type. The | | | | shared database type is | | | | preferred; the legacy | | | | format is included for | | | | backward compatibility. | | | | By default, the tools | | | | (certutil, pk12util, modutil) | | | | assume that the given | | | | security databases follow | | | | the more common legacy type. | | | | Using the SQLite | | | | databases must be manually | | | | specified by using the sql: | | | | prefix with the | | | | given security directory. | | | | For example: | | | | modutil -create -dbdir | | | | sql:/home/my/sharednssdb | | | | To set the shared database | | | | type as the default type for | | | | the tools, set the | | | | NSS_DEFAULT_DB_TYPE | | | | environment variable to sql: | | | | export | | | | NSS_DEFAULT_DB_TYPE="sql" | | | | This line can be set added | | | | to the ~/.bashrc file to make | | | | the change | | | | permanent. | | | | Most applications do not | | | | use the shared database by | | | | default, but they can | | | | be configured to use them. | | | | For example, this how-to | | | | article covers how to | | | | configure Firefox and | | | | Thunderbird to use the new | | | | shared NSS databases: | | | | | | | | o https://wiki.m | | | | ozilla.org/NSS_Shared_DB_Howto | | | | For an engineering draft on | | | | the changes in the shared NSS | | | | databases, see | | | | the NSS project wiki: | | | | | | | | o https:// | | | | wiki.mozilla.org/NSS_Shared_DB | | | | See Also | | | | certutil (1) | | | | pk12util (1) | | | | signtool (1) | | | | The NSS wiki has | | | | information on the new | | | | database design and how to | | | | configure applications to | | | | use it. | | | | | | | | o https://wiki.m | | | | ozilla.org/NSS_Shared_DB_Howto | | | | | | | | o https:// | | | | wiki.mozilla.org/NSS_Shared_DB | | | | Additional Resources | | | | For information about NSS | | | | and other tools related to NSS | | | | (like JSS), check | | | | out the NSS project wiki at | | | | | | | | [2]\ `http://www.mozil | | | | la.org/projects/security/pki/n | | | | ss/ `__. | | | | The NSS site relates | | | | directly to NSS code | | | | changes and releases. | | | | Mailing lists: | | | | https://lists.mozill | | | | a.org/listinfo/dev-tech-crypto | | | | IRC: Freenode at | | | | #dogtag-pki | | | | Authors | | | | The NSS tools were written | | | | and maintained by developers | | | | with Netscape, Red | | | | Hat, and Sun. | | | | Authors: Elio Maldonado | | | | , Deon | | | | Lackey | | | | . | | | | Copyright | | | | (c) 2010, Red Hat, Inc. | | | | Licensed under the GNU Public | | | | License version 2. | | | | References | | | | Visible links | | | | 1. JAR Installation File | | | | Format | | | | | | | | ``file:///tmp/xmlto.6gGxS0/ | | | | modutil.pro...r-install-file`` | | | | 2. | | | | https://www.mozilla. | | | | org/projects/security/pki/nss/ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 342 | :ref:`mozilla_projects_nss_t | | | | ools_nss_tools_certutil-tasks` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 343 | :ref:`mozilla_projects | **certificates, x509v3** | | | _nss_tools_nss_tools_certutil` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Certificate Database Tool | | | | is a command-line utility that | | | | can create and modify the | | | | Netscape Communicator | | | | ``cert8.db`` and | | | | ``key3.db``\ database files. | | | | It can also list, generate, | | | | modify, or delete certificates | | | | within the ``cert8.db``\ file | | | | and create or change the | | | | password, generate new public | | | | and private key pairs, display | | | | the contents of the key | | | | database, or delete key pairs | | | | within the ``key3.db`` file. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 344 | :ref:`mozilla_project | | | | s_nss_tools_nss_tools_cmsutil` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The cmsutil command-line | | | | utility uses the `S/MIME | | | | Toolkit <../smime/>`__ to | | | | perform basic operations, such | | | | as encryption and decryption, | | | | on `Cryptographic Message | | | | Syntax (CMS) `__ | | | | messages. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 345 | :ref:`mozilla_project | | | | s_nss_tools_nss_tools_crlutil` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 346 | :ref:`mozilla_projects_n | | | | ss_tools_nss_tools_dbck-tasks` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 347 | :ref:`mozilla_projects_nss_ | | | | tools_nss_tools_modutil-tasks` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 348 | :ref:`mozilla_project | | | | s_nss_tools_nss_tools_modutil` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The Security Module Database | | | | Tool is a command-line utility | | | | for managing PKCS #11 module | | | | information within | | | | ``secmod.db`` files or within | | | | hardware tokens. You can use | | | | the tool to add and delete | | | | PKCS #11 modules, change | | | | passwords, set defaults, list | | | | module contents, enable or | | | | disable slots, enable or | | | | disable FIPS 140-2 compliance, | | | | and assign default providers | | | | for cryptographic operations. | | | | This tool can also create | | | | ``key3.db``, ``cert8.db``, and | | | | ``secmod.db`` security | | | | database files. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 349 | :ref:`mozilla_projects_nss_t | | | | ools_nss_tools_pk12util-tasks` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Newsgroup: | | | | `mozilla.dev.tech | | | | .crypto `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 350 | :ref:`mozilla_projects | | | | _nss_tools_nss_tools_pk12util` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The PKCS #12 utility makes | | | | sharing of certificates among | | | | Enterprise server 3.x and any | | | | server (Netscape products or | | | | non-Netscape products) that | | | | supports PKCS#12 possible. The | | | | tool allows you to import | | | | certificates and keys from | | | | pkcs #12 files into NSS or | | | | export them and also list | | | | certificates and keys in such | | | | files. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 351 | :ref:`mozilla_projects_nss_ | | | | tools_nss_tools_signver-tasks` | | +--------------------------------+--------------------------------+--------------------------------+ | | | *No summary!* | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 352 | :ref:`mozilla_projects_ns | | | | s_tools_nss_tools_sslstrength` | | +--------------------------------+--------------------------------+--------------------------------+ | | | A simple command-line client | | | | which connects to an | | | | SSL-server, and reports back | | | | the encryption cipher and | | | | strength used. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 353 | :ref:`mozilla_projec | | | | ts_nss_tools_nss_tools_ssltap` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The SSL Debugging Tool is an | | | | SSL-aware command-line proxy. | | | | It watches TCP connections and | | | | displays the data going by. If | | | | a connection is SSL, the data | | | | display includes interpreted | | | | SSL records and handshaking. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 354 | :ref:`mozill | | | | a_projects_nss_tools_pk12util` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | | | | pk12util — Export and | | | | import keys and certificate to | | | | or from a PKCS #12 | | | | file and the NSS database | | | | Synopsis | | | | pk12util [-i p12File [-h | | | | tokenname] [-v] | | | | [common-options] ] [ -l | | | | p12File | | | | [-h tokenname] [-r] | | | | [common-options] ] [ -o | | | | p12File -n certname [-c | | | | keyCipher] [-C certCipher] | | | | [-m|--key_len keyLen] | | | | [-n|--cert_key_len | | | | certKeyLen] | | | | [common-options] ] [ | | | | common-options are: [-d | | | | [sql:]directory] | | | | [-P dbprefix] [-k | | | | slotPasswordFile|-K | | | | slotPassword] [-w | | | | p12filePasswordFile|-W | | | | p12filePassword] ] | | | | Description | | | | The PKCS #12 utility, | | | | pk12util, enables sharing | | | | certificates among any | | | | server that supports | | | | PKCS#12. The tool can import | | | | certificates and keys | | | | from PKCS#12 files into | | | | security databases, export | | | | certificates, and list | | | | certificates and keys. | | | | Options and Arguments | | | | Options | | | | -i p12file | | | | Import keys and | | | | certificates from a PKCS#12 | | | | file into a security | | | | database. | | | | -l p12file | | | | List the keys and | | | | certificates in PKCS#12 file. | | | | -o p12file | | | | Export keys and | | | | certificates from the security | | | | database to a | | | | PKCS#12 file. | | | | Arguments | | | | -n certname | | | | Specify the | | | | nickname of the cert and | | | | private key to export. | | | | -d [sql:]directory | | | | Specify the | | | | database directory into which | | | | to import to or export | | | | from certificates | | | | and keys. | | | | pk12util supports | | | | two types of databases: the | | | | legacy security | | | | databases | | | | (cert8.db, key3.db, and | | | | secmod.db) and new SQLite | | | | databases | | | | (cert9.db, key4.db, and | | | | pkcs11.txt). If the prefix | | | | sql: | | | | is not used, then | | | | the tool assumes that the | | | | given databases are in | | | | the old format. | | | | -P prefix | | | | Specify the prefix | | | | used on the certificate and | | | | key databases. This | | | | option is provided | | | | as a special case. Changing | | | | the names of the | | | | certificate and key | | | | databases is not recommended. | | | | -h tokenname | | | | Specify the name of | | | | the token to import into or | | | | export from. | | | | -v | | | | Enable debug | | | | logging when importing. | | | | -k slotPasswordFile | | | | Specify the text | | | | file containing the slot's | | | | password. | | | | -K slotPassword | | | | Specify the slot's | | | | password. | | | | -w p12filePasswordFile | | | | Specify the text | | | | file containing the pkcs #12 | | | | file password. | | | | -W p12filePassword | | | | Specify the pkcs | | | | #12 file password. | | | | -c keyCipher | | | | Specify the key | | | | encryption algorithm. | | | | -C certCipher | | | | Specify the key | | | | cert (overall package) | | | | encryption algorithm. | | | | -m \| --key-len keyLength | | | | Specify the desired | | | | length of the symmetric key to | | | | be used to | | | | encrypt the private | | | | key. | | | | -n \| --cert-key-len | | | | certKeyLength | | | | Specify the desired | | | | length of the symmetric key to | | | | be used to | | | | encrypt the | | | | certificates and other | | | | meta-data. | | | | -r | | | | Dumps all of the | | | | data in raw (binary) form. | | | | This must be saved as | | | | a DER file. The | | | | default is to return | | | | information in a pretty-print | | | | ASCII format, which | | | | displays the information about | | | | the | | | | certificates and | | | | public keys in the p12 file. | | | | Return Codes | | | | o 0 - No error | | | | o 1 - User Cancelled | | | | o 2 - Usage error | | | | o 6 - NLS init error | | | | o 8 - Certificate DB open | | | | error | | | | o 9 - Key DB open error | | | | o 10 - File | | | | initialization error | | | | o 11 - Unicode conversion | | | | error | | | | o 12 - Temporary file | | | | creation error | | | | o 13 - PKCS11 get slot | | | | error | | | | o 14 - PKCS12 decoder | | | | start error | | | | o 15 - error read from | | | | import file | | | | o 16 - pkcs12 decode | | | | error | | | | o 17 - pkcs12 decoder | | | | verify error | | | | o 18 - pkcs12 decoder | | | | validate bags error | | | | o 19 - pkcs12 decoder | | | | import bags error | | | | o 20 - key db conversion | | | | version 3 to version 2 error | | | | o 21 - cert db conversion | | | | version 7 to version 5 error | | | | o 22 - cert and key dbs | | | | patch error | | | | o 23 - get default cert | | | | db error | | | | o 24 - find cert by | | | | nickname error | | | | o 25 - create export | | | | context error | | | | o 26 - PKCS12 add | | | | password itegrity error | | | | o 27 - cert and key Safes | | | | creation error | | | | o 28 - PKCS12 add cert | | | | and key error | | | | o 29 - PKCS12 encode | | | | error | | | | Examples | | | | Importing Keys and | | | | Certificates | | | | The most basic usage of | | | | pk12util for importing a | | | | certificate or key is the | | | | PKCS#12 input file (-i) and | | | | some way to specify the | | | | security database | | | | being accessed (either -d | | | | for a directory or -h for a | | | | token). | | | | pk12util -i p12File [-h | | | | tokenname] [-v] [-d | | | | [sql:]directory] [-P dbprefix] | | | | [-k slotPasswordFile|-K | | | | slotPassword] [-w | | | | p12filePasswordFile|-W | | | | p12filePassword] | | | | For example: | | | | # pk12util -i | | | | /tmp/cert-files/users.p12 -d | | | | sql:/home/my/sharednssdb | | | | Enter a password which will | | | | be used to encrypt your keys. | | | | The password should be at | | | | least 8 characters long, | | | | and should contain at least | | | | one non-alphabetic character. | | | | Enter new password: | | | | Re-enter password: | | | | Enter password for PKCS12 | | | | file: | | | | pk12util: PKCS12 IMPORT | | | | SUCCESSFUL | | | | Exporting Keys and | | | | Certificates | | | | Using the pk12util command | | | | to export certificates and | | | | keys requires both | | | | the name of the certificate | | | | to extract from the database | | | | (-n) and the | | | | PKCS#12-formatted output | | | | file to write to. There are | | | | optional parameters | | | | that can be used to encrypt | | | | the file to protect the | | | | certificate material. | | | | pk12util -o p12File -n | | | | certname [-c keyCipher] [-C | | | | certCipher] [-m|--key_len | | | | keyLen] [-n|--cert_key_len | | | | certKeyLen] [-d | | | | [sql:]directory] [-P dbprefix] | | | | [-k slotPasswordFile|-K | | | | slotPassword] [-w | | | | p12filePasswordFile|-W | | | | p12filePassword] | | | | For example: | | | | # pk12util -o certs.p12 -n | | | | Server-Cert -d | | | | sql:/home/my/sharednssdb | | | | Enter password for PKCS12 | | | | file: | | | | Re-enter password: | | | | Listing Keys and | | | | Certificates | | | | The information in a .p12 | | | | file are not human-readable. | | | | The certificates | | | | and keys in the file can be | | | | printed (listed) in a | | | | human-readable | | | | pretty-print format that | | | | shows information for every | | | | certificate and any | | | | public keys in the .p12 | | | | file. | | | | pk12util -l p12File [-h | | | | tokenname] [-r] [-d | | | | [sql:]directory] [-P dbprefix] | | | | [-k slotPasswordFile|-K | | | | slotPassword] [-w | | | | p12filePasswordFile|-W | | | | p12filePassword] | | | | For example, this prints | | | | the default ASCII output: | | | | # pk12util -l certs.p12 | | | | Enter password for PKCS12 | | | | file: | | | | Key(shrouded): | | | | Friendly Name: Thawte | | | | Freemail Member's Thawte | | | | Consulting (Pty) Ltd. ID | | | | Encryption algorithm: | | | | PKCS #12 V2 PBE With SHA-1 And | | | | 3KEY Triple DES-CBC | | | | Parameters: | | | | Salt: | | | | | | | | 45:2e:6a:a0:03:4d | | | | :7b:a1:63:3c:15:ea:67:37:62:1f | | | | Iteration Count: | | | | 1 (0x1) | | | | Certificate: | | | | Data: | | | | Version: 3 (0x2) | | | | Serial Number: 13 | | | | (0xd) | | | | Signature Algorithm: | | | | PKCS #1 SHA-1 With RSA | | | | Encryption | | | | Issuer: | | | | "E=personal | | | | -freemail@thawte.com,CN=Thawte | | | | Personal Freemail C | | | | | | | | A,OU=Certification Services | | | | Division,O=Thawte | | | | Consulting,L=Cape T | | | | own,ST=Western | | | | Cape,C=ZA" | | | | .... | | | | Alternatively, the -r | | | | prints the certificates and | | | | then exports them into | | | | separate DER binary files. | | | | This allows the certificates | | | | to be fed to | | | | another application that | | | | supports .p12 files. Each | | | | certificate is written | | | | to a sequentially-number | | | | file, beginning with | | | | file0001.der and continuing | | | | through file000N.der, | | | | incrementing the number for | | | | every certificate: | | | | # pk12util -l test.p12 -r | | | | Enter password for PKCS12 | | | | file: | | | | Key(shrouded): | | | | Friendly Name: Thawte | | | | Freemail Member's Thawte | | | | Consulting (Pty) Ltd. ID | | | | Encryption algorithm: | | | | PKCS #12 V2 PBE With SHA-1 And | | | | 3KEY Triple DES-CBC | | | | Parameters: | | | | Salt: | | | | | | | | 45:2e:6a:a0:03:4d | | | | :7b:a1:63:3c:15:ea:67:37:62:1f | | | | Iteration Count: | | | | 1 (0x1) | | | | Certificate Friendly Name: | | | | Thawte Personal Freemail | | | | Issuing CA - Thawte Consulting | | | | Certificate Friendly Name: | | | | Thawte Freemail Member's | | | | Thawte Consulting (Pty) Ltd. | | | | ID | | | | Password Encryption | | | | PKCS#12 provides for not | | | | only the protection of the | | | | private keys but also | | | | the certificate and | | | | meta-data associated with the | | | | keys. Password-based | | | | encryption is used to | | | | protect private keys on export | | | | to a PKCS#12 file | | | | and, optionally, the entire | | | | package. If no algorithm is | | | | specified, the | | | | tool defaults to using | | | | PKCS12 V2 PBE with SHA1 and | | | | 3KEY Triple DES-cbc for | | | | private key encryption. | | | | PKCS12 V2 PBE with SHA1 and 40 | | | | Bit RC4 is the | | | | default for the overall | | | | package encryption when not in | | | | FIPS mode. When in | | | | FIPS mode, there is no | | | | package encryption. | | | | The private key is always | | | | protected with strong | | | | encryption by default. | | | | Several types of ciphers | | | | are supported. | | | | Symmetric CBC ciphers for | | | | PKCS#5 V2 | | | | DES_CBC | | | | o RC2-CBC | | | | o RC5-CBCPad | | | | o DES-EDE3-CBC | | | | (the default for key | | | | encryption) | | | | o AES-128-CBC | | | | o AES-192-CBC | | | | o AES-256-CBC | | | | | | | | o CAMELLIA-128-CBC | | | | | | | | o CAMELLIA-192-CBC | | | | | | | | o CAMELLIA-256-CBC | | | | PKCS#12 PBE ciphers | | | | PKCS #12 PBE with | | | | Sha1 and 128 Bit RC4 | | | | o PKCS #12 PBE | | | | with Sha1 and 40 Bit RC4 | | | | o PKCS #12 PBE | | | | with Sha1 and Triple DES CBC | | | | o PKCS #12 PBE | | | | with Sha1 and 128 Bit RC2 CBC | | | | o PKCS #12 PBE | | | | with Sha1 and 40 Bit RC2 CBC | | | | o PKCS12 V2 PBE | | | | with SHA1 and 128 Bit RC4 | | | | o PKCS12 V2 PBE | | | | with SHA1 and 40 Bit RC4 (the | | | | default for | | | | non-FIPS mode) | | | | o PKCS12 V2 PBE | | | | with SHA1 and 3KEY Triple | | | | DES-cbc | | | | o PKCS12 V2 PBE | | | | with SHA1 and 2KEY Triple | | | | DES-cbc | | | | o PKCS12 V2 PBE | | | | with SHA1 and 128 Bit RC2 CBC | | | | o PKCS12 V2 PBE | | | | with SHA1 and 40 Bit RC2 CBC | | | | PKCS#5 PBE ciphers | | | | PKCS #5 Password | | | | Based Encryption with MD2 and | | | | DES CBC | | | | o PKCS #5 | | | | Password Based Encryption with | | | | MD5 and DES CBC | | | | o PKCS #5 | | | | Password Based Encryption with | | | | SHA1 and DES CBC | | | | With PKCS#12, the crypto | | | | provider may be the soft token | | | | module or an | | | | external hardware module. | | | | If the cryptographic module | | | | does not support the | | | | requested algorithm, then | | | | the next best fit will be | | | | selected (usually the | | | | default). If no suitable | | | | replacement for the desired | | | | algorithm can be | | | | found, the tool returns the | | | | error no security module can | | | | perform the | | | | requested operation. | | | | NSS Database Types | | | | NSS originally used | | | | BerkeleyDB databases to store | | | | security information. | | | | The last versions of these | | | | legacy databases are: | | | | o cert8.db for | | | | certificates | | | | o key3.db for keys | | | | o secmod.db for PKCS #11 | | | | module information | | | | BerkeleyDB has performance | | | | limitations, though, which | | | | prevent it from | | | | being easily used by | | | | multiple applications | | | | simultaneously. NSS has some | | | | flexibility that allows | | | | applications to use their own, | | | | independent | | | | database engine while | | | | keeping a shared database and | | | | working around the | | | | access issues. Still, NSS | | | | requires more flexibility to | | | | provide a truly | | | | shared security database. | | | | In 2009, NSS introduced a | | | | new set of databases that are | | | | SQLite databases | | | | rather than BerkleyDB. | | | | These new databases provide | | | | more accessibility and | | | | performance: | | | | o cert9.db for | | | | certificates | | | | o key4.db for keys | | | | o pkcs11.txt, which is | | | | listing of all of the PKCS #11 | | | | modules contained | | | | in a new subdirectory | | | | in the security databases | | | | directory | | | | Because the SQLite | | | | databases are designed to be | | | | shared, these are the | | | | shared database type. The | | | | shared database type is | | | | preferred; the legacy | | | | format is included for | | | | backward compatibility. | | | | By default, the tools | | | | (certutil, pk12util, modutil) | | | | assume that the given | | | | security databases follow | | | | the more common legacy type. | | | | Using the SQLite | | | | databases must be manually | | | | specified by using the sql: | | | | prefix with the | | | | given security directory. | | | | For example: | | | | # pk12util -i | | | | /tmp/cert-files/users.p12 -d | | | | sql:/home/my/sharednssdb | | | | To set the shared database | | | | type as the default type for | | | | the tools, set the | | | | NSS_DEFAULT_DB_TYPE | | | | environment variable to sql: | | | | export | | | | NSS_DEFAULT_DB_TYPE="sql" | | | | This line can be set added | | | | to the ~/.bashrc file to make | | | | the change | | | | permanent. | | | | Most applications do not | | | | use the shared database by | | | | default, but they can | | | | be configured to use them. | | | | For example, this how-to | | | | article covers how to | | | | configure Firefox and | | | | Thunderbird to use the new | | | | shared NSS databases: | | | | | | | | o https://wiki.m | | | | ozilla.org/NSS_Shared_DB_Howto | | | | For an engineering draft on | | | | the changes in the shared NSS | | | | databases, see | | | | the NSS project wiki: | | | | | | | | o https:// | | | | wiki.mozilla.org/NSS_Shared_DB | | | | See Also | | | | certutil (1) | | | | modutil (1) | | | | The NSS wiki has | | | | information on the new | | | | database design and how to | | | | configure applications to | | | | use it. | | | | | | | | o https://wiki.m | | | | ozilla.org/NSS_Shared_DB_Howto | | | | | | | | o https:// | | | | wiki.mozilla.org/NSS_Shared_DB | | | | Additional Resources | | | | For information about NSS | | | | and other tools related to NSS | | | | (like JSS), check | | | | out the NSS project wiki at | | | | | | | | [1]\ `http://www.mozil | | | | la.org/projects/security/pki/n | | | | ss/ `__. | | | | The NSS site relates | | | | directly to NSS code | | | | changes and releases. | | | | Mailing lists: | | | | https://lists.mozill | | | | a.org/listinfo/dev-tech-crypto | | | | IRC: Freenode at | | | | #dogtag-pki | | | | Authors | | | | The NSS tools were written | | | | and maintained by developers | | | | with Netscape, Red | | | | Hat, and Sun. | | | | Authors: Elio Maldonado | | | | , Deon | | | | Lackey | | | | . | | | | Copyright | | | | (c) 2010, Red Hat, Inc. | | | | Licensed under the GNU Public | | | | License version 2. | | | | References | | | | Visible links | | | | 1. | | | | `http://www.mozi | | | | lla.org/projects/security/pki/ | | | | nss/ `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 355 | :ref:`mozill | | | | a_projects_nss_tools_signtool` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | | | | signtool — Digitally sign | | | | objects and files. | | | | Synopsis | | | | signtool [-k keyName] | | | | `-h <-h>`__ `-H <-H>`__ | | | | `-l <-l>`__ `-L <-L>`__ | | | | `-M <-M>`__ `-v <-v>`__ | | | | `-w <-w>`__ | | | | `-G | | | | nickname <-G_nickname>`__ `-s | | | | size <--keysize>`__ `-b | | | | basename <-b_basename>`__ [[-c | | | | Compression | | | | Level] ] [[-d cert-dir] ] | | | | [[-i installer script] ] [[-m | | | | metafile] ] [[-x | | | | name] ] [[-f filename] ] | | | | [[-t|--token tokenname] ] [[-e | | | | extension] ] [[-o] | | | | ] [[-z] ] [[-X] ] | | | | [[--outfile] ] [[--verbose | | | | value] ] [[--norecurse] ] | | | | [[--leavearc] ] [[-j | | | | directory] ] [[-Z jarfile] ] | | | | [[-O] ] [[-p password] ] | | | | [directory-tree] [archive] | | | | Description | | | | The Signing Tool, signtool, | | | | creates digital signatures and | | | | uses a Java | | | | Archive (JAR) file to | | | | associate the signatures with | | | | files in a directory. | | | | Electronic software | | | | distribution over any network | | | | involves potential | | | | security problems. To help | | | | address some of these | | | | problems, you can | | | | associate digital | | | | signatures with the files in a | | | | JAR archive. Digital | | | | signatures allow | | | | SSL-enabled clients to perform | | | | two important operations: | | | | \* Confirm the identity of | | | | the individual, company, or | | | | other entity whose | | | | digital signature is | | | | associated with the files | | | | \* Check whether the files | | | | have been tampered with since | | | | being signed | | | | If you have a signing | | | | certificate, you can use | | | | Netscape Signing Tool to | | | | digitally sign files and | | | | package them as a JAR file. An | | | | object-signing | | | | certificate is a special | | | | kind of certificate that | | | | allows you to associate | | | | your digital signature with | | | | one or more files. | | | | An individual file can | | | | potentially be signed with | | | | multiple digital | | | | signatures. For example, a | | | | commercial software developer | | | | might sign the | | | | files that constitute a | | | | software product to prove that | | | | the files are | | | | indeed from a particular | | | | company. A network | | | | administrator manager might | | | | sign the same files with an | | | | additional digital signature | | | | based on a | | | | company-generated | | | | certificate to indicate that | | | | the product is approved for | | | | use within the company. | | | | The significance of a | | | | digital signature is | | | | comparable to the significance | | | | of a handwritten signature. | | | | Once you have signed a file, | | | | it is difficult | | | | to claim later that you | | | | didn't sign it. In some | | | | situations, a digital | | | | signature may be considered | | | | as legally binding as a | | | | handwritten signature. | | | | Therefore, you should take | | | | great care to ensure that you | | | | can stand behind | | | | any file you sign and | | | | distribute. | | | | For example, if you are a | | | | software developer, you should | | | | test your code to | | | | make sure it is virus-free | | | | before signing it. Similarly, | | | | if you are a | | | | network administrator, you | | | | should make sure, before | | | | signing any code, that | | | | it comes from a reliable | | | | source and will run correctly | | | | with the software | | | | installed on the machines | | | | to which you are distributing | | | | it. | | | | Before you can use Netscape | | | | Signing Tool to sign files, | | | | you must have an | | | | object-signing certificate, | | | | which is a special certificate | | | | whose | | | | associated private key is | | | | used to create digital | | | | signatures. For testing | | | | purposes only, you can | | | | create an object-signing | | | | certificate with Netscape | | | | Signing Tool 1.3. When | | | | testing is finished and you | | | | are ready to | | | | disitribute your software, | | | | you should obtain an | | | | object-signing certificate | | | | from one of two kinds of | | | | sources: | | | | \* An independent | | | | certificate authority (CA) | | | | that authenticates your | | | | identity and charges you a | | | | fee. You typically get a | | | | certificate from an | | | | independent CA if you want | | | | to sign software that will be | | | | distributed over | | | | the Internet. | | | | \* CA server software | | | | running on your corporate | | | | intranet or extranet. | | | | Netscape Certificate | | | | Management System provides a | | | | complete management | | | | solution for creating, | | | | deploying, and managing | | | | certificates, including CAs | | | | that issue object-signing | | | | certificates. | | | | You must also have a | | | | certificate for the CA that | | | | issues your signing | | | | certificate before you can | | | | sign files. If the certificate | | | | authority's | | | | certificate isn't already | | | | installed in your copy of | | | | Communicator, you | | | | typically install it by | | | | clicking the appropriate link | | | | on the certificate | | | | authority's web site, for | | | | example on the page from which | | | | you initiated | | | | enrollment for your signing | | | | certificate. This is the case | | | | for some test | | | | certificates, as well as | | | | certificates issued by | | | | Netscape Certificate | | | | Management System: you must | | | | download the CA certificate in | | | | addition to | | | | obtaining your own signing | | | | certificate. CA certificates | | | | for several | | | | certificate authorities are | | | | preinstalled in the | | | | Communicator certificate | | | | database. | | | | When you receive an | | | | object-signing certificate for | | | | your own use, it is | | | | automatically installed in | | | | your copy of the Communicator | | | | client software. | | | | Communicator supports the | | | | public-key cryptography | | | | standard known as PKCS | | | | #12, which governs key | | | | portability. You can, for | | | | example, move an | | | | object-signing certificate | | | | and its associated private key | | | | from one | | | | computer to another on a | | | | credit-card-sized device | | | | called a smart card. | | | | Options | | | | -b basename | | | | Specifies the base | | | | filename for the .rsa and .sf | | | | files in the | | | | META-INF directory | | | | to conform with the JAR | | | | format. For example, -b | | | | signatures causes | | | | the files to be named | | | | signatures.rsa and | | | | signatures.sf. The | | | | default is signtool. | | | | -c# | | | | Specifies the | | | | compression level for the -J | | | | or -Z option. The | | | | symbol # represents | | | | a number from 0 to 9, where 0 | | | | means no | | | | compression and 9 | | | | means maximum compression. The | | | | higher the level | | | | of compression, the | | | | smaller the output but the | | | | longer the | | | | operation takes. If | | | | the -c# option is not used | | | | with either the -J | | | | or the -Z option, | | | | the default compression value | | | | used by both the | | | | -J and -Z options | | | | is 6. | | | | -d certdir | | | | Specifies your | | | | certificate database | | | | directory; that is, the | | | | directory in which | | | | you placed your key3.db and | | | | cert7.db files. To | | | | specify the current | | | | directory, use "-d." | | | | (including the period). | | | | The Unix version of | | | | signtool assumes ~/.netscape | | | | unless told | | | | otherwise. The NT | | | | version of signtool always | | | | requires the use of | | | | the -d option to | | | | specify where the database | | | | files are located. | | | | -e extension | | | | Tells signtool to | | | | sign only files with the given | | | | extension; for | | | | example, use | | | | -e".class" to sign only Java | | | | class files. Note that | | | | with Netscape | | | | Signing Tool version 1.1 and | | | | later this option can | | | | appear multiple | | | | times on one command line, | | | | making it possible to | | | | specify multiple | | | | file types or classes to | | | | include. | | | | -f commandfile | | | | Specifies a text | | | | file containing Netscape | | | | Signing Tool options and | | | | arguments in | | | | keyword=value format. All | | | | options and arguments can | | | | be expressed | | | | through this file. For more | | | | information about the | | | | syntax used with | | | | this file, see "Tips and | | | | Techniques". | | | | -i scriptname | | | | Specifies the name | | | | of an installer script for | | | | SmartUpdate. This | | | | script installs | | | | files from the JAR archive in | | | | the local system | | | | after SmartUpdate | | | | has validated the digital | | | | signature. For more | | | | details, see the | | | | description of -m that | | | | follows. The -i option | | | | provides a | | | | straightforward way to provide | | | | this information if you | | | | don't need to | | | | specify any metadata other | | | | than an installer script. | | | | -j directory | | | | Specifies a special | | | | JavaScript directory. This | | | | option causes the | | | | specified directory | | | | to be signed and tags its | | | | entries as inline | | | | JavaScript. This | | | | special type of entry does not | | | | have to appear in | | | | the JAR file | | | | itself. Instead, it is located | | | | in the HTML page | | | | containing the | | | | inline scripts. When you use | | | | signtool -v, these | | | | entries are | | | | displayed with the string NOT | | | | PRESENT. | | | | -k key ... directory | | | | Specifies the | | | | nickname (key) of the | | | | certificate you want to sign | | | | with and signs the | | | | files in the specified | | | | directory. The directory | | | | to sign is always | | | | specified as the last | | | | command-line argument. | | | | Thus, it is | | | | possible to write signtool -k | | | | MyCert -d . signdir You | | | | may have trouble if | | | | the nickname contains a single | | | | quotation mark. | | | | To avoid problems, | | | | escape the quotation mark | | | | using the escape | | | | conventions for | | | | your platform. It's also | | | | possible to use the -k | | | | option without | | | | signing any files or | | | | specifying a directory. For | | | | example, you can | | | | use it with the -l option to | | | | get detailed | | | | information about a | | | | particular signing | | | | certificate. | | | | -G nickname | | | | Generates a new | | | | private-public key pair and | | | | corresponding | | | | object-signing | | | | certificate with the given | | | | nickname. The newly | | | | generated keys and | | | | certificate are installed into | | | | the key and | | | | certificate | | | | databases in the directory | | | | specified by the -d option. | | | | With the NT version | | | | of Netscape Signing Tool, you | | | | must use the -d | | | | option with the -G | | | | option. With the Unix version | | | | of Netscape | | | | Signing Tool, | | | | omitting the -d option causes | | | | the tool to install | | | | the keys and | | | | certificate in the | | | | Communicator key and | | | | certificate | | | | databases. If you | | | | are installing the keys and | | | | certificate in the | | | | Communicator | | | | databases, you must exit | | | | Communicator before using | | | | this option; | | | | otherwise, you risk corrupting | | | | the databases. In all | | | | cases, the | | | | certificate is also output to | | | | a file named x509.cacert, | | | | which has the | | | | MIME-type | | | | application/x-x509-ca-cert. | | | | Unlike | | | | certificates | | | | normally used to sign finished | | | | code to be distributed | | | | over a network, a | | | | test certificate created with | | | | -G is not signed | | | | by a recognized | | | | certificate authority. | | | | Instead, it is self-signed. | | | | In addition, a | | | | single test signing | | | | certificate functions as both | | | | an object-signing | | | | certificate and a CA. When you | | | | are using it to | | | | sign objects, it | | | | behaves like an object-signing | | | | certificate. When | | | | it is imported into | | | | browser software such as | | | | Communicator, it | | | | behaves like an | | | | object-signing CA and cannot | | | | be used to sign | | | | objects. The -G | | | | option is available in | | | | Netscape Signing Tool 1.0 | | | | and later versions | | | | only. By default, it produces | | | | only RSA | | | | certificates with | | | | 1024-byte keys in the internal | | | | token. However, | | | | you can use the -s | | | | option specify the required | | | | key size and the -t | | | | option to specify | | | | the token. For more | | | | information about the use of | | | | the -G option, see | | | | "Generating Test | | | | Object-Signing | | | | | | | | Certificates""Generating Test | | | | Object-Signing Certificates" | | | | on page | | | | 1241. | | | | -l | | | | Lists signing | | | | certificates, including | | | | issuing CAs. If any of your | | | | certificates are | | | | expired or invalid, the list | | | | will so specify. | | | | This option can be | | | | used with the -k option to | | | | list detailed | | | | information about a | | | | particular signing | | | | certificate. The -l option | | | | is available in | | | | Netscape Signing Tool 1.0 and | | | | later versions only. | | | | -J | | | | Signs a directory | | | | of HTML files containing | | | | JavaScript and creates | | | | as many archive | | | | files as are specified in the | | | | HTML tags. Even if | | | | signtool creates | | | | more than one archive file, | | | | you need to supply | | | | the key database | | | | password only once. The -J | | | | option is available | | | | only in Netscape | | | | Signing Tool 1.0 and later | | | | versions. The -J | | | | option cannot be | | | | used at the same time as the | | | | -Z option. If the | | | | -c# option is not | | | | used with the -J option, the | | | | default compression | | | | value is 6. Note | | | | that versions 1.1 and later of | | | | Netscape Signing | | | | Tool correctly | | | | recognizes the CODEBASE | | | | attribute, allows paths to | | | | be expressed for | | | | the CLASS and SRC attributes | | | | instead of filenames | | | | only, processes | | | | LINK tags and parses HTML | | | | correctly, and offers | | | | clearer error | | | | messages. | | | | -L | | | | Lists the | | | | certificates in your database. | | | | An asterisk appears to | | | | the left of the | | | | nickname for any certificate | | | | that can be used to | | | | sign objects with | | | | signtool. | | | | --leavearc | | | | Retains the | | | | temporary .arc (archive) | | | | directories that the -J | | | | option creates. | | | | These directories are | | | | automatically erased by | | | | default. Retaining | | | | the temporary directories can | | | | be an aid to | | | | debugging. | | | | -m metafile | | | | Specifies the name | | | | of a metadata control file. | | | | Metadata is signed | | | | information | | | | attached either to the JAR | | | | archive itself or to files | | | | within the archive. | | | | This metadata can be any ASCII | | | | string, but is | | | | used mainly for | | | | specifying an installer | | | | script. The metadata file | | | | contains one entry | | | | per line, each with three | | | | fields: field #1: | | | | file specification, | | | | or + if you want to specify | | | | global metadata | | | | (that is, metadata | | | | about the JAR archive itself | | | | or all entries in | | | | the archive) field | | | | #2: the name of the data you | | | | are specifying; | | | | for example: | | | | Install-Script field #3: data | | | | corresponding to the | | | | name in field #2 | | | | For example, the -i option | | | | uses the equivalent of | | | | this line: + | | | | Install-Script: script.js This | | | | example associates a | | | | MIME type with a | | | | file: movie.qt MIME-Type: | | | | video/quicktime For | | | | information about | | | | the way installer script | | | | information appears in | | | | the manifest file | | | | for a JAR archive, see The JAR | | | | Format on | | | | Netscape DevEdge. | | | | -M | | | | Lists the PKCS #11 | | | | modules available to signtool, | | | | including smart | | | | cards. The -M | | | | option is available in | | | | Netscape Signing Tool 1.0 and | | | | later versions | | | | only. For information on using | | | | Netscape Signing | | | | Tool with smart | | | | cards, see "Using Netscape | | | | Signing Tool with Smart | | | | Cards". For | | | | information on using the -M | | | | option to verify | | | | FIPS-140-1 | | | | validated mode, see "Netscape | | | | Signing Tool and | | | | FIPS-140-1". | | | | --norecurse | | | | Blocks recursion | | | | into subdirectories when | | | | signing a directory's | | | | contents or when | | | | parsing HTML. | | | | -o | | | | Optimizes the | | | | archive for size. Use this | | | | only if you are signing | | | | very large archives | | | | containing hundreds of files. | | | | This option | | | | makes the manifest | | | | files (required by the JAR | | | | format) considerably | | | | smaller, but they | | | | contain slightly less | | | | information. | | | | --outfile outputfile | | | | Specifies a file to | | | | receive redirected output from | | | | Netscape | | | | Signing Tool. | | | | -p password | | | | Specifies a | | | | password for the private-key | | | | database. Note that the | | | | password entered on | | | | the command line is displayed | | | | as plain text. | | | | -s keysize | | | | Specifies the size | | | | of the key for generated | | | | certificate. Use the | | | | -M option to find | | | | out what tokens are available. | | | | The -s option can | | | | be used with the -G | | | | option only. | | | | -t token | | | | Specifies which | | | | available token should | | | | generate the key and | | | | receive the | | | | certificate. Use the -M option | | | | to find out what tokens | | | | are available. The | | | | -t option can be used with the | | | | -G option only. | | | | -v archive | | | | Displays the | | | | contents of an archive and | | | | verifies the cryptographic | | | | integrity of the | | | | digital signatures it contains | | | | and the files with | | | | which they are | | | | associated. This includes | | | | checking that the | | | | certificate for the | | | | issuer of the object-signing | | | | certificate is | | | | listed in the | | | | certificate database, that the | | | | CA's digital | | | | signature on the | | | | object-signing certificate is | | | | valid, that the | | | | relevant | | | | certificates have not expired, | | | | and so on. | | | | --verbosity value | | | | Sets the quantity | | | | of information Netscape | | | | Signing Tool generates | | | | in operation. A | | | | value of 0 (zero) is the | | | | default and gives full | | | | information. A | | | | value of -1 suppresses most | | | | messages, but not error | | | | messages. | | | | -w archive | | | | Displays the names | | | | of signers of any files in the | | | | archive. | | | | -x directory | | | | Excludes the | | | | specified directory from | | | | signing. Note that with | | | | Netscape Signing | | | | Tool version 1.1 and later | | | | this option can appear | | | | multiple times on | | | | one command line, making it | | | | possible to specify | | | | several particular | | | | directories to exclude. | | | | -z | | | | Tells signtool not | | | | to store the signing time in | | | | the digital | | | | signature. This | | | | option is useful if you want | | | | the expiration date | | | | of the signature | | | | checked against the current | | | | date and time rather | | | | than the time the | | | | files were signed. | | | | -Z jarfile | | | | Creates a JAR file | | | | with the specified name. You | | | | must specify this | | | | option if you want | | | | signtool to create the JAR | | | | file; it does not do | | | | so automatically. | | | | If you don't specify -Z, you | | | | must use an | | | | external ZIP tool | | | | to create the JAR file. The -Z | | | | option cannot be | | | | used at the same | | | | time as the -J option. If the | | | | -c# option is not | | | | used with the -Z | | | | option, the default | | | | compression value is 6. | | | | The Command File Format | | | | Entries in a Netscape | | | | Signing Tool command file have | | | | this general format: | | | | keyword=value Everything | | | | before the = sign on a single | | | | line is a keyword, | | | | and everything from the = | | | | sign to the end of line is a | | | | value. The value | | | | may include = signs; only | | | | the first = sign on a line is | | | | interpreted. Blank | | | | lines are ignored, but | | | | white space on a line with | | | | keywords and values is | | | | assumed to be part of the | | | | keyword (if it comes before | | | | the equal sign) or | | | | part of the value (if it | | | | comes after the first equal | | | | sign). Keywords are | | | | case insensitive, values | | | | are generally case sensitive. | | | | Since the = sign | | | | and newline delimit the | | | | value, it should not be | | | | quoted. | | | | Subsection | | | | basename | | | | Same as -b option. | | | | compression | | | | Same as -c option. | | | | certdir | | | | Same as -d option. | | | | extension | | | | Same as -e option. | | | | generate | | | | Same as -G option. | | | | installscript | | | | Same as -i option. | | | | javascriptdir | | | | Same as -j option. | | | | htmldir | | | | Same as -J option. | | | | certname | | | | Nickname of | | | | certificate, as with -k and -l | | | | -k options. | | | | signdir | | | | The directory to be | | | | signed, as with -k option. | | | | list | | | | Same as -l option. | | | | Value is ignored, but = sign | | | | must be present. | | | | listall | | | | Same as -L option. | | | | Value is ignored, but = sign | | | | must be present. | | | | metafile | | | | Same as -m option. | | | | modules | | | | Same as -M option. | | | | Value is ignored, but = sign | | | | must be present. | | | | optimize | | | | Same as -o option. | | | | Value is ignored, but = sign | | | | must be present. | | | | password | | | | Same as -p option. | | | | keysize | | | | Same as -s option. | | | | token | | | | Same as -t option. | | | | verify | | | | Same as -v option. | | | | who | | | | Same as -w option. | | | | exclude | | | | Same as -x option. | | | | notime | | | | Same as -z option. | | | | value is ignored, but = sign | | | | must be present. | | | | jarfile | | | | Same as -Z option. | | | | outfile | | | | Name of a file to | | | | which output and error | | | | messages will be | | | | redirected. This | | | | option has no command-line | | | | equivalent. | | | | Extended Examples | | | | The following example will | | | | do this and that | | | | Listing Available Signing | | | | Certificates | | | | You use the -L option to | | | | list the nicknames for all | | | | available certificates | | | | and check which ones are | | | | signing certificates. | | | | signtool -L | | | | using certificate directory: | | | | /u/jsmith/.netscape | | | | S Certificates | | | | - ------------ | | | | BBN Certificate Services CA | | | | Root 1 | | | | IBM World Registry CA | | | | VeriSign Class 1 CA - | | | | Individual Subscriber - | | | | VeriSign, Inc. | | | | GTE CyberTrust Root CA | | | | Uptime Group Plc. Class 4 | | | | CA | | | | \* Verisign Object Signing | | | | Cert | | | | Integrion CA | | | | GTE CyberTrust Secure | | | | Server CA | | | | AT&T Directory Services | | | | \* test object signing cert | | | | Uptime Group Plc. Class 1 | | | | CA | | | | VeriSign Class 1 Primary CA | | | | - ------------ | | | | Certificates that can be used | | | | to sign objects have \*'s to | | | | their left. | | | | Two signing certificates | | | | are displayed: Verisign Object | | | | Signing Cert and | | | | test object signing cert. | | | | You use the -l option to | | | | get a list of signing | | | | certificates only, | | | | including the signing CA | | | | for each. | | | | signtool -l | | | | using certificate directory: | | | | /u/jsmith/.netscape | | | | Object signing certificates | | | | --------- | | | | ------------------------------ | | | | Verisign Object Signing Cert | | | | Issued by: VeriSign, Inc. | | | | - Verisign, Inc. | | | | Expires: Tue May 19, 1998 | | | | test object signing cert | | | | Issued by: test object | | | | signing cert (Signtool 1.0 | | | | Testing | | | | Certificate (960187691)) | | | | Expires: Sun May 17, 1998 | | | | --------- | | | | ------------------------------ | | | | For a list including CAs, | | | | use the -L option. | | | | Signing a File | | | | 1. Create an empty | | | | directory. | | | | mkdir signdir | | | | 2. Put some file into it. | | | | echo boo > signdir/test.f | | | | 3. Specify the name of your | | | | object-signing certificate and | | | | sign the | | | | directory. | | | | signtool -k MySignCert -Z | | | | testjar.jar signdir | | | | using key "MySignCert" | | | | using certificate directory: | | | | /u/jsmith/.netscape | | | | Generating | | | | signdir/META-INF/manifest.mf | | | | file.. | | | | --> test.f | | | | adding signdir/test.f to | | | | testjar.jar | | | | Generating signtool.sf file.. | | | | Enter Password or Pin for | | | | "Communicator Certificate DB": | | | | adding | | | | signdir/META-INF/manifest.mf | | | | to testjar.jar | | | | adding | | | | signdir/META-INF/signtool.sf | | | | to testjar.jar | | | | adding | | | | signdir/META-INF/signtool.rsa | | | | to testjar.jar | | | | tree "signdir" signed | | | | successfully | | | | 4. Test the archive you | | | | just created. | | | | signtool -v testjar.jar | | | | using certificate directory: | | | | /u/jsmith/.netscape | | | | archive "testjar.jar" has | | | | passed crypto verification. | | | | status path | | | | ------------ | | | | ------------------- | | | | verified test.f | | | | Using Netscape Signing Tool | | | | with a ZIP Utility | | | | To use Netscape Signing | | | | Tool with a ZIP utility, you | | | | must have the utility | | | | in your path environment | | | | variable. You should use the | | | | zip.exe utility | | | | rather than pkzip.exe, | | | | which cannot handle long | | | | filenames. You can use a | | | | ZIP utility instead of the | | | | -Z option to package a signed | | | | archive into a | | | | JAR file after you have | | | | signed it: | | | | cd signdir | | | | zip -r ../myjar.jar \* | | | | adding: META-INF/ (stored | | | | 0%) | | | | adding: | | | | META-INF/manifest.mf (deflated | | | | 15%) | | | | adding: | | | | META-INF/signtool.sf (deflated | | | | 28%) | | | | adding: | | | | META-INF/signtool.rsa (stored | | | | 0%) | | | | adding: text.txt (stored | | | | 0%) | | | | Generating the Keys and | | | | Certificate | | | | The signtool option -G | | | | generates a new public-private | | | | key pair and | | | | certificate. It takes the | | | | nickname of the new | | | | certificate as an argument. | | | | The newly generated keys | | | | and certificate are installed | | | | into the key and | | | | certificate databases in | | | | the directory specified by the | | | | -d option. With | | | | the NT version of Netscape | | | | Signing Tool, you must use the | | | | -d option with | | | | the -G option. With the | | | | Unix version of Netscape | | | | Signing Tool, omitting | | | | the -d option causes the | | | | tool to install the keys and | | | | certificate in the | | | | Communicator key and | | | | certificate databases. In all | | | | cases, the certificate | | | | is also output to a file | | | | named x509.cacert, which has | | | | the MIME-type | | | | application/x-x509-ca-cert. | | | | Certificates contain | | | | standard information about the | | | | entity they identify, | | | | such as the common name and | | | | organization name. Netscape | | | | Signing Tool | | | | prompts you for this | | | | information when you run the | | | | command with the -G | | | | option. However, all of the | | | | requested fields are optional | | | | for test | | | | certificates. If you do not | | | | enter a common name, the tool | | | | provides a | | | | default name. In the | | | | following example, the user | | | | input is in boldface: | | | | signtool -G MyTestCert | | | | using certificate directory: | | | | /u/someuser/.netscape | | | | Enter certificate | | | | information. All fields are | | | | optional. Acceptable | | | | characters are numbers, | | | | letters, spaces, and | | | | apostrophes. | | | | certificate common name: Test | | | | Object Signing Certificate | | | | organization: Netscape | | | | Communications Corp. | | | | organization unit: Server | | | | Products Division | | | | state or province: California | | | | country (must be exactly 2 | | | | characters): US | | | | username: someuser | | | | email address: | | | | someuser@netscape.com | | | | Enter Password or Pin for | | | | "Communicator Certificate DB": | | | | [Password will not echo] | | | | generated public/private key | | | | pair | | | | certificate request generated | | | | certificate has been signed | | | | certificate "MyTestCert" | | | | added to database | | | | Exported certificate to | | | | x509.raw and x509.cacert. | | | | The certificate information | | | | is read from standard input. | | | | Therefore, the | | | | information can be read | | | | from a file using the | | | | redirection operator (<) in | | | | some operating systems. To | | | | create a file for this | | | | purpose, enter each of | | | | the seven input fields, in | | | | order, on a separate line. | | | | Make sure there is a | | | | newline character at the | | | | end of the last line. Then run | | | | signtool with | | | | standard input redirected | | | | from your file as follows: | | | | signtool -G MyTestCert | | | | inputfile | | | | The prompts show up on the | | | | screen, but the responses will | | | | be automatically | | | | read from the file. The | | | | password will still be read | | | | from the console | | | | unless you use the -p | | | | option to give the password on | | | | the command line. | | | | Using the -M Option to List | | | | Smart Cards | | | | You can use the -M option | | | | to list the PKCS #11 modules, | | | | including smart | | | | cards, that are available | | | | to signtool: | | | | signtool -d | | | | "c:\netscape\users\jsmith" -M | | | | using certificate directory: | | | | c:\netscape\users\username | | | | Listing of PKCS11 modules | | | | ----------------- | | | | ------------------------------ | | | | 1. Netscape Internal | | | | PKCS #11 Module | | | | | | | | (this module is internally | | | | loaded) | | | | | | | | slots: 2 slots attached | | | | | | | | status: loaded | | | | slot: Communicator | | | | Internal Cryptographic | | | | Services Version 4.0 | | | | token: Communicator | | | | Generic Crypto Svcs | | | | slot: Communicator | | | | User Private Key and | | | | Certificate Services | | | | token: Communicator | | | | Certificate DB | | | | 2. CryptOS | | | | | | | | (this is an external module) | | | | DLL name: core32 | | | | slots: 1 slots | | | | attached | | | | status: loaded | | | | slot: Litronic 210 | | | | token: | | | | | | | | ----------------- | | | | ------------------------------ | | | | Using Netscape Signing Tool | | | | and a Smart Card to Sign Files | | | | The signtool command | | | | normally takes an argument of | | | | the -k option to | | | | specify a signing | | | | certificate. To sign with a | | | | smart card, you supply only | | | | the fully qualified name of | | | | the certificate. | | | | To see fully qualified | | | | certificate names when you run | | | | Communicator, click | | | | the Security button in | | | | Navigator, then click Yours | | | | under Certificates in | | | | the left frame. Fully | | | | qualified names are of the | | | | format smart | | | | card:certificate, for | | | | example "MyCard:My Signing | | | | Cert". You use this name | | | | with the -k argument as | | | | follows: | | | | signtool -k "MyCard:My | | | | Signing Cert" directory | | | | Verifying FIPS Mode | | | | Use the -M option to verify | | | | that you are using the | | | | FIPS-140-1 module. | | | | signtool -d | | | | "c:\netscape\users\jsmith" -M | | | | using certificate directory: | | | | c:\netscape\users\jsmith | | | | Listing of PKCS11 modules | | | | ----------------- | | | | ------------------------------ | | | | 1. Netscape Internal PKCS | | | | #11 Module | | | | (this module is | | | | internally loaded) | | | | slots: 2 slots | | | | attached | | | | status: loaded | | | | slot: Communicator | | | | Internal Cryptographic | | | | Services Version 4.0 | | | | token: Communicator | | | | Generic Crypto Svcs | | | | slot: Communicator User | | | | Private Key and Certificate | | | | Services | | | | token: Communicator | | | | Certificate DB | | | | ----------------- | | | | ------------------------------ | | | | This Unix example shows | | | | that Netscape Signing Tool is | | | | using a FIPS-140-1 | | | | module: | | | | signtool -d | | | | "c:\netscape\users\jsmith" -M | | | | using certificate directory: | | | | c:\netscape\users\jsmith | | | | Enter Password or Pin for | | | | "Communicator Certificate DB": | | | | [password will not echo] | | | | Listing of PKCS11 modules | | | | ----------------- | | | | ------------------------------ | | | | 1. Netscape Internal FIPS | | | | PKCS #11 Module | | | | (this module is internally | | | | loaded) | | | | slots: 1 slots attached | | | | status: loaded | | | | slot: Netscape Internal | | | | FIPS-140-1 Cryptographic | | | | Services | | | | token: Communicator | | | | Certificate DB | | | | ----------------- | | | | ------------------------------ | | | | See Also | | | | signver (1) | | | | The NSS wiki has | | | | information on the new | | | | database design and how to | | | | configure applications to | | | | use it. | | | | | | | | o https://wiki.m | | | | ozilla.org/NSS_Shared_DB_Howto | | | | | | | | o https:// | | | | wiki.mozilla.org/NSS_Shared_DB | | | | Additional Resources | | | | For information about NSS | | | | and other tools related to NSS | | | | (like JSS), check | | | | out the NSS project wiki at | | | | | | | | [1]\ `http://www.mozil | | | | la.org/projects/security/pki/n | | | | ss/ `__. | | | | The NSS site relates | | | | directly to NSS code | | | | changes and releases. | | | | Mailing lists: | | | | https://lists.mozill | | | | a.org/listinfo/dev-tech-crypto | | | | IRC: Freenode at | | | | #dogtag-pki | | | | Authors | | | | The NSS tools were written | | | | and maintained by developers | | | | with Netscape, Red | | | | Hat, and Sun. | | | | Authors: Elio Maldonado | | | | , Deon | | | | Lackey | | | | . | | | | Copyright | | | | (c) 2010, Red Hat, Inc. | | | | Licensed under the GNU Public | | | | License version 2. | | | | References | | | | Visible links | | | | 1. | | | | `http://www.mozi | | | | lla.org/projects/security/pki/ | | | | nss/ `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 356 | :ref:`mozil | | | | la_projects_nss_tools_signver` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | | | | signver — Verify a detached | | | | PKCS#7 signature for a file. | | | | Synopsis | | | | signtool -A \| -V -d | | | | directory [-a] [-i input_file] | | | | [-o output_file] [-s | | | | signature_file] [-v] | | | | Description | | | | The Signature Verification | | | | Tool, signver, is a simple | | | | command-line utility | | | | that unpacks a | | | | base-64-encoded PKCS#7 signed | | | | object and verifies the | | | | digital signature using | | | | standard cryptographic | | | | techniques. The Signature | | | | Verification Tool can also | | | | display the contents of the | | | | signed object. | | | | Options | | | | -A | | | | Displays all of the | | | | information in the PKCS#7 | | | | signature. | | | | -V | | | | Verifies the | | | | digital signature. | | | | -d [sql:]directory | | | | Specify the | | | | database directory which | | | | contains the certificates and | | | | keys. | | | | signver supports | | | | two types of databases: the | | | | legacy security | | | | databases | | | | (cert8.db, key3.db, and | | | | secmod.db) and new SQLite | | | | databases | | | | (cert9.db, key4.db, and | | | | pkcs11.txt). If the prefix | | | | sql: | | | | is not used, then | | | | the tool assumes that the | | | | given databases are in | | | | the old format. | | | | -a | | | | Sets that the given | | | | signature file is in ASCII | | | | format. | | | | -i input_file | | | | Gives the input | | | | file for the object with | | | | signed data. | | | | -o output_file | | | | Gives the output | | | | file to which to write the | | | | results. | | | | -s signature_file | | | | Gives the input | | | | file for the digital | | | | signature. | | | | -v | | | | Enables verbose | | | | output. | | | | Extended Examples | | | | Verifying a Signature | | | | The -V option verifies that | | | | the signature in a given | | | | signature file is | | | | valid when used to sign the | | | | given object (from the input | | | | file). | | | | signver -V -s signature_file | | | | -i signed_file -d | | | | sql:/home/my/sharednssdb | | | | signatureValid=yes | | | | Printing Signature Data | | | | The -A option prints all of | | | | the information contained in a | | | | signature file. | | | | Using the -o option prints | | | | the signature file information | | | | to the given | | | | output file rather than | | | | stdout. | | | | signver -A -s signature_file | | | | -o output_file | | | | NSS Database Types | | | | NSS originally used | | | | BerkeleyDB databases to store | | | | security information. | | | | The last versions of these | | | | legacy databases are: | | | | o cert8.db for | | | | certificates | | | | o key3.db for keys | | | | o secmod.db for PKCS #11 | | | | module information | | | | BerkeleyDB has performance | | | | limitations, though, which | | | | prevent it from | | | | being easily used by | | | | multiple applications | | | | simultaneously. NSS has some | | | | flexibility that allows | | | | applications to use their own, | | | | independent | | | | database engine while | | | | keeping a shared database and | | | | working around the | | | | access issues. Still, NSS | | | | requires more flexibility to | | | | provide a truly | | | | shared security database. | | | | In 2009, NSS introduced a | | | | new set of databases that are | | | | SQLite databases | | | | rather than BerkleyDB. | | | | These new databases provide | | | | more accessibility and | | | | performance: | | | | o cert9.db for | | | | certificates | | | | o key4.db for keys | | | | o pkcs11.txt, which is | | | | listing of all of the PKCS #11 | | | | modules contained | | | | in a new subdirectory | | | | in the security databases | | | | directory | | | | Because the SQLite | | | | databases are designed to be | | | | shared, these are the | | | | shared database type. The | | | | shared database type is | | | | preferred; the legacy | | | | format is included for | | | | backward compatibility. | | | | By default, the tools | | | | (certutil, pk12util, modutil) | | | | assume that the given | | | | security databases follow | | | | the more common legacy type. | | | | Using the SQLite | | | | databases must be manually | | | | specified by using the sql: | | | | prefix with the | | | | given security directory. | | | | For example: | | | | # signver -A -s signature -d | | | | sql:/home/my/sharednssdb | | | | To set the shared database | | | | type as the default type for | | | | the tools, set the | | | | NSS_DEFAULT_DB_TYPE | | | | environment variable to sql: | | | | export | | | | NSS_DEFAULT_DB_TYPE="sql" | | | | This line can be set added | | | | to the ~/.bashrc file to make | | | | the change | | | | permanent. | | | | Most applications do not | | | | use the shared database by | | | | default, but they can | | | | be configured to use them. | | | | For example, this how-to | | | | article covers how to | | | | configure Firefox and | | | | Thunderbird to use the new | | | | shared NSS databases: | | | | | | | | o https://wiki.m | | | | ozilla.org/NSS_Shared_DB_Howto | | | | For an engineering draft on | | | | the changes in the shared NSS | | | | databases, see | | | | the NSS project wiki: | | | | | | | | o https:// | | | | wiki.mozilla.org/NSS_Shared_DB | | | | See Also | | | | signtool (1) | | | | The NSS wiki has | | | | information on the new | | | | database design and how to | | | | configure applications to | | | | use it. | | | | o Setting up the shared | | | | NSS database | | | | | | | | https://wiki.m | | | | ozilla.org/NSS_Shared_DB_Howto | | | | o Engineering and | | | | technical information about | | | | the shared NSS database | | | | | | | | https:// | | | | wiki.mozilla.org/NSS_Shared_DB | | | | Additional Resources | | | | For information about NSS | | | | and other tools related to NSS | | | | (like JSS), check | | | | out the NSS project wiki at | | | | | | | | [1]\ `http://www.mozil | | | | la.org/projects/security/pki/n | | | | ss/ `__. | | | | The NSS site relates | | | | directly to NSS code | | | | changes and releases. | | | | Mailing lists: | | | | https://lists.mozill | | | | a.org/listinfo/dev-tech-crypto | | | | IRC: Freenode at | | | | #dogtag-pki | | | | Authors | | | | The NSS tools were written | | | | and maintained by developers | | | | with Netscape, Red | | | | Hat, and Sun. | | | | Authors: Elio Maldonado | | | | , Deon | | | | Lackey | | | | . | | | | Copyright | | | | (c) 2010, Red Hat, Inc. | | | | Licensed under the GNU Public | | | | License version 2. | | | | References | | | | Visible links | | | | 1. | | | | `http://www.mozi | | | | lla.org/projects/security/pki/ | | | | nss/ `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 357 | :ref:`mozi | | | | lla_projects_nss_tools_ssltap` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | | | | ssltap — Tap into SSL | | | | connections and display the | | | | data going by | | | | Synopsis | | | | libssltap [-vhfsxl] [-p | | | | port] [hostname:port] | | | | Description | | | | The SSL Debugging Tool | | | | ssltap is an SSL-aware | | | | command-line proxy. It | | | | watches TCP connections and | | | | displays the data going by. If | | | | a connection is | | | | SSL, the data display | | | | includes interpreted SSL | | | | records and handshaking | | | | Options | | | | -v | | | | Print a version | | | | string for the tool. | | | | -h | | | | Turn on hex/ASCII | | | | printing. Instead of | | | | outputting raw data, the | | | | command interprets | | | | each record as a numbered line | | | | of hex values, | | | | followed by the | | | | same data as ASCII characters. | | | | The two parts are | | | | separated by a | | | | vertical bar. Nonprinting | | | | characters are replaced | | | | by dots. | | | | -f | | | | Turn on fancy | | | | printing. Output is printed in | | | | colored HTML. Data | | | | sent from the | | | | client to the server is in | | | | blue; the server's reply | | | | is in red. When | | | | used with looping mode, the | | | | different connections | | | | are separated with | | | | horizontal lines. You can use | | | | this option to | | | | upload the output | | | | into a browser. | | | | -s | | | | Turn on SSL parsing | | | | and decoding. The tool does | | | | not automatically | | | | detect SSL | | | | sessions. If you are | | | | intercepting an SSL | | | | connection, | | | | use this option so | | | | that the tool can detect and | | | | decode SSL | | | | structures. | | | | If the tool detects | | | | a certificate chain, it saves | | | | the DER-encoded | | | | certificates into | | | | files in the current | | | | directory. The files are | | | | named cert.0x, | | | | where x is the sequence number | | | | of the certificate. | | | | If the -s option is | | | | used with -h, two separate | | | | parts are printed | | | | for each record: | | | | the plain hex/ASCII output, | | | | and the parsed SSL | | | | output. | | | | -x | | | | Turn on hex/ASCII | | | | printing of undecoded data | | | | inside parsed SSL | | | | records. Used only | | | | with the -s option. This | | | | option uses the same | | | | output format as | | | | the -h option. | | | | -l prefix | | | | Turn on looping; | | | | that is, continue to accept | | | | connections rather | | | | than stopping after | | | | the first connection is | | | | complete. | | | | -p port | | | | Change the default | | | | rendezvous port (1924) to | | | | another port. | | | | The following are | | | | well-known port numbers: | | | | \* HTTP 80 | | | | \* HTTPS 443 | | | | \* SMTP 25 | | | | \* FTP 21 | | | | \* IMAP 143 | | | | \* IMAPS 993 (IMAP | | | | over SSL) | | | | \* NNTP 119 | | | | \* NNTPS 563 (NNTP | | | | over SSL) | | | | Usage and Examples | | | | You can use the SSL | | | | Debugging Tool to intercept | | | | any connection | | | | information. Although you | | | | can run the tool at its most | | | | basic by issuing | | | | the ssltap command with no | | | | options other than | | | | hostname:port, the | | | | information you get in this | | | | way is not very useful. For | | | | example, assume | | | | your development machine is | | | | called intercept. The simplest | | | | way to use the | | | | debugging tool is to | | | | execute the following command | | | | from a command shell: | | | | $ ssltap www.netscape.com | | | | The program waits for an | | | | incoming connection on the | | | | default port 1924. In | | | | your browser window, enter | | | | the URL http://intercept:1924. | | | | The browser | | | | retrieves the requested | | | | page from the server at | | | | www.netscape.com, but the | | | | page is intercepted and | | | | passed on to the browser by | | | | the debugging tool on | | | | intercept. On its way to | | | | the browser, the data is | | | | printed to the command | | | | shell from which you issued | | | | the command. Data sent from | | | | the client to the | | | | server is surrounded by the | | | | following symbols: --> [ data | | | | ] Data sent from | | | | the server to the client is | | | | surrounded by the following | | | | symbols: "left | | | | arrow"-- [ data ] The raw | | | | data stream is sent to | | | | standard output and is | | | | not interpreted in any way. | | | | This can result in peculiar | | | | effects, such as | | | | sounds, flashes, and even | | | | crashes of the command shell | | | | window. To output a | | | | basic, printable | | | | interpretation of the data, | | | | use the -h option, or, if you | | | | are looking at an SSL | | | | connection, the -s option. You | | | | will notice that the | | | | page you retrieved looks | | | | incomplete in the browser. | | | | This is because, by | | | | default, the tool closes | | | | down after the first | | | | connection is complete, so | | | | the browser is not able to | | | | load images. To make the tool | | | | continue to | | | | accept connections, switch | | | | on looping mode with the -l | | | | option. The | | | | following examples show the | | | | output from commonly used | | | | combinations of | | | | options. | | | | Example 1 | | | | $ ssltap.exe -sx -p 444 | | | | interzone.mcom.com:443 > | | | | sx.txt | | | | Output | | | | Connected to | | | | interzone.mcom.com:443 | | | | -->; [ | | | | alloclen = 66 bytes | | | | [ssl2] ClientHelloV2 { | | | | version = {0x03, | | | | 0x00} | | | | | | | | cipher-specs-length = 39 | | | | (0x27) | | | | sid-length = 0 | | | | (0x00) | | | | challenge-length | | | | = 16 (0x10) | | | | cipher-suites = { | | | | (0x010080) | | | | SSL2/RSA/RC4-128/MD5 | | | | (0x020080) | | | | SSL2/RSA/RC4-40/MD5 | | | | (0x030080) | | | | SSL2/RSA/RC2CBC128/MD5 | | | | (0x040080) | | | | SSL2/RSA/RC2CBC40/MD5 | | | | (0x060040) | | | | SSL2/RSA/DES64CBC/MD5 | | | | (0x0700c0) | | | | SSL2/RSA/3DES192EDE-CBC/MD5 | | | | (0x000004) | | | | SSL3/RSA/RC4-128/MD5 | | | | (0x00ffe0) | | | | SS | | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | | | | (0x00000a) | | | | SSL3/RSA/3DES192EDE-CBC/SHA | | | | (0x00ffe1) | | | | SSL3/RSA-FIPS/DES64CBC/SHA | | | | (0x000009) | | | | SSL3/RSA/DES64CBC/SHA | | | | (0x000003) | | | | SSL3/RSA/RC4-40/MD5 | | | | (0x000006) | | | | SSL3/RSA/RC2CBC40/MD5 | | | | } | | | | session-id = { } | | | | challenge = { | | | | 0xec5d 0x8edb 0x37c9 0xb5c9 | | | | 0x7b70 0x8fe9 0xd1d3 | | | | 0x2592 } | | | | } | | | | ] | | | | <-- [ | | | | SSLRecord { | | | | 0: 16 03 00 03 | | | | e5 | | | | | | | | \|..... | | | | type = 22 (handshake) | | | | version = { 3,0 } | | | | length = 997 (0x3e5) | | | | handshake { | | | | 0: 02 00 00 | | | | 46 | | | | | | | | \|...F | | | | type = 2 (server_hello) | | | | length = 70 (0x000046) | | | | ServerHello { | | | | server_version = | | | | {3, 0} | | | | random = {...} | | | | 0: 77 8c 6e 26 6c 0c ec | | | | c0 d9 58 4f 47 d3 2d 01 45 | | | | \| | | | | wn&l.ì..XOG.-.E | | | | 10: 5c 17 75 43 a7 4c 88 | | | | c7 88 64 3c 50 41 48 4f 7f | | | | \| | | | | \.uC§L.Ç.d [ | | | | SSLRecord { | | | | 0: 16 03 00 00 | | | | 44 | | | | | | | | \|....D | | | | type = 22 (handshake) | | | | version = { 3,0 } | | | | length = 68 (0x44) | | | | handshake { | | | | 0: 10 00 00 | | | | 40 | | | | | | | | \|...@ | | | | type = 16 | | | | (client_key_exchange) | | | | length = 64 (0x000040) | | | | ClientKeyExchange { | | | | message = {...} | | | | } | | | | } | | | | } | | | | ] | | | | --> [ | | | | SSLRecord { | | | | 0: 14 03 00 00 | | | | 01 | | | | | | | | \|..... | | | | type = 20 | | | | (change_cipher_spec) | | | | version = { 3,0 } | | | | length = 1 (0x1) | | | | 0: | | | | 01 | | | | | | | | \|. | | | | } | | | | SSLRecord { | | | | 0: 16 03 00 00 | | | | 38 | | | | | | | | \|....8 | | | | type = 22 (handshake) | | | | version = { 3,0 } | | | | length = 56 (0x38) | | | | < encrypted > | | | | } | | | | ] | | | | <-- [ | | | | SSLRecord { | | | | 0: 14 03 00 00 | | | | 01 | | | | | | | | \|..... | | | | type = 20 | | | | (change_cipher_spec) | | | | version = { 3,0 } | | | | length = 1 (0x1) | | | | 0: | | | | 01 | | | | | | | | \|. | | | | } | | | | ] | | | | <-- [ | | | | SSLRecord { | | | | 0: 16 03 00 00 | | | | 38 | | | | | | | | \|....8 | | | | type = 22 (handshake) | | | | version = { 3,0 } | | | | length = 56 (0x38) | | | | < encrypted | | | | > | | | | } | | | | ] | | | | --> [ | | | | SSLRecord { | | | | 0: 17 03 00 01 | | | | 1f | | | | | | | | \|..... | | | | type = 23 | | | | (application_data) | | | | version = { 3,0 } | | | | length = 287 (0x11f) | | | | < encrypted > | | | | } | | | | ] | | | | <-- [ | | | | SSLRecord { | | | | 0: 17 03 00 00 | | | | a0 | | | | | | | | \|.... | | | | type = 23 | | | | (application_data) | | | | version = { 3,0 } | | | | length = 160 (0xa0) | | | | < encrypted > | | | | } | | | | ] | | | | <-- [ | | | | SSLRecord { | | | | 0: 17 03 00 00 | | | | df | | | | | | | | \|....ß | | | | type = 23 | | | | (application_data) | | | | version = { 3,0 } | | | | length = 223 (0xdf) | | | | < encrypted > | | | | } | | | | SSLRecord { | | | | 0: 15 03 00 00 | | | | 12 | | | | | | | | \|..... | | | | type = 21 (alert) | | | | version = { 3,0 } | | | | length = 18 (0x12) | | | | < encrypted > | | | | } | | | | ] | | | | Server socket closed. | | | | Example 2 | | | | The -s option turns on SSL | | | | parsing. Because the -x option | | | | is not used in | | | | this example, undecoded | | | | values are output as raw data. | | | | The output is | | | | routed to a text file. | | | | $ ssltap -s -p 444 | | | | interzone.mcom.com:443 > s.txt | | | | Output | | | | Connected to | | | | interzone.mcom.com:443 | | | | --> [ | | | | alloclen = 63 bytes | | | | [ssl2] ClientHelloV2 { | | | | version = {0x03, | | | | 0x00} | | | | | | | | cipher-specs-length = 36 | | | | (0x24) | | | | sid-length = 0 | | | | (0x00) | | | | challenge-length | | | | = 16 (0x10) | | | | cipher-suites = { | | | | (0x010080) | | | | SSL2/RSA/RC4-128/MD5 | | | | (0x020080) | | | | SSL2/RSA/RC4-40/MD5 | | | | (0x030080) | | | | SSL2/RSA/RC2CBC128/MD5 | | | | (0x060040) | | | | SSL2/RSA/DES64CBC/MD5 | | | | (0x0700c0) | | | | SSL2/RSA/3DES192EDE-CBC/MD5 | | | | (0x000004) | | | | SSL3/RSA/RC4-128/MD5 | | | | (0x00ffe0) | | | | SS | | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | | | | (0x00000a) | | | | SSL3/RSA/3DES192EDE-CBC/SHA | | | | (0x00ffe1) | | | | SSL3/RSA-FIPS/DES64CBC/SHA | | | | (0x000009) | | | | SSL3/RSA/DES64CBC/SHA | | | | (0x000003) | | | | SSL3/RSA/RC4-40/MD5 | | | | } | | | | session-id = { | | | | } | | | | challenge = { | | | | 0x713c 0x9338 0x30e1 0xf8d6 | | | | 0xb934 0x7351 0x200c | | | | 0x3fd0 } | | | | ] | | | | >-- [ | | | | SSLRecord { | | | | type = 22 (handshake) | | | | version = { 3,0 } | | | | length = 997 (0x3e5) | | | | handshake { | | | | type = 2 | | | | (server_hello) | | | | length = 70 | | | | (0x000046) | | | | ServerHello { | | | | server_version = | | | | {3, 0} | | | | random = {...} | | | | session ID = { | | | | length = 32 | | | | contents = | | | | {..} | | | | } | | | | cipher_suite = | | | | (0x0003) SSL3/RSA/RC4-40/MD5 | | | | } | | | | type = 11 | | | | (certificate) | | | | length = 709 | | | | (0x0002c5) | | | | CertificateChain | | | | { | | | | chainlength = | | | | 706 (0x02c2) | | | | Certificate { | | | | size = 703 | | | | (0x02bf) | | | | data = { | | | | saved in file 'cert.001' } | | | | } | | | | } | | | | type = 12 | | | | (server_key_exchange) | | | | length = 202 | | | | (0x0000ca) | | | | type = 14 | | | | (server_hello_done) | | | | length = 0 | | | | (0x000000) | | | | } | | | | } | | | | ] | | | | --> [ | | | | SSLRecord { | | | | type = 22 (handshake) | | | | version = { 3,0 } | | | | length = 68 (0x44) | | | | handshake { | | | | type = 16 | | | | (client_key_exchange) | | | | length = 64 | | | | (0x000040) | | | | ClientKeyExchange | | | | { | | | | message = | | | | {...} | | | | } | | | | } | | | | } | | | | ] | | | | --> [ | | | | SSLRecord { | | | | type = 20 | | | | (change_cipher_spec) | | | | version = { 3,0 } | | | | length = 1 (0x1) | | | | } | | | | SSLRecord { | | | | type = 22 (handshake) | | | | version = { 3,0 } | | | | length = 56 (0x38) | | | | > encrypted > | | | | } | | | | ] | | | | >-- [ | | | | SSLRecord { | | | | type = 20 | | | | (change_cipher_spec) | | | | version = { 3,0 } | | | | length = 1 (0x1) | | | | } | | | | ] | | | | >-- [ | | | | SSLRecord { | | | | type = 22 (handshake) | | | | version = { 3,0 } | | | | length = 56 (0x38) | | | | > encrypted > | | | | } | | | | ] | | | | --> [ | | | | SSLRecord { | | | | type = 23 | | | | (application_data) | | | | version = { 3,0 } | | | | length = 287 (0x11f) | | | | > encrypted > | | | | } | | | | ] | | | | [ | | | | SSLRecord { | | | | type = 23 | | | | (application_data) | | | | version = { 3,0 } | | | | length = 160 (0xa0) | | | | > encrypted > | | | | } | | | | ] | | | | >-- [ | | | | SSLRecord { | | | | type = 23 | | | | (application_data) | | | | version = { 3,0 } | | | | length = 223 (0xdf) | | | | > encrypted > | | | | } | | | | SSLRecord { | | | | type = 21 (alert) | | | | version = { 3,0 } | | | | length = 18 (0x12) | | | | > encrypted > | | | | } | | | | ] | | | | Server socket closed. | | | | Example 3 | | | | In this example, the -h | | | | option turns hex/ASCII format. | | | | There is no SSL | | | | parsing or decoding. The | | | | output is routed to a text | | | | file. | | | | $ ssltap -h -p 444 | | | | interzone.mcom.com:443 > h.txt | | | | Output | | | | Connected to | | | | interzone.mcom.com:443 | | | | --> [ | | | | 0: 80 40 01 03 00 00 27 | | | | 00 00 00 10 01 00 80 02 00 | | | | \| .@....'......... | | | | 10: 80 03 00 80 04 00 80 | | | | 06 00 40 07 00 c0 00 00 04 | | | | \| .........@...... | | | | 20: 00 ff e0 00 00 0a 00 | | | | ff e1 00 00 09 00 00 03 00 | | | | \| ........á....... | | | | 30: 00 06 9b fe 5b 56 96 | | | | 49 1f 9f ca dd d5 ba b9 52 | | | | \| ..þ[V.I.\xd9 ...º¹R | | | | 40: 6f | | | | 2d | | | | | | | | \|o- | | | | ] | | | | <-- [ | | | | 0: 16 03 00 03 e5 02 00 | | | | 00 46 03 00 7f e5 0d 1b 1d | | | | \| ........F....... | | | | 10: 68 7f 3a 79 60 d5 17 | | | | 3c 1d 9c 96 b3 88 d2 69 3b | | | | \| h.:y`..<..³.Òi; | | | | 20: 78 e2 4b 8b a6 52 12 | | | | 4b 46 e8 c2 20 14 11 89 05 | | | | \| x.K.¦R.KFè. ... | | | | 30: 4d 52 91 fd 93 e0 51 | | | | 48 91 90 08 96 c1 b6 76 77 | | | | \| MR.ý..QH.....¶vw | | | | 40: 2a f4 00 08 a1 06 61 | | | | a2 64 1f 2e 9b 00 03 00 0b | | | | \| \*ô..¡.a¢d...... | | | | 50: 00 02 c5 00 02 c2 00 | | | | 02 bf 30 82 02 bb 30 82 02 | | | | \| ..Å......0...0.. | | | | 60: 24 a0 03 02 01 02 02 | | | | 02 01 36 30 0d 06 09 2a 86 | | | | \| $ .......60...*. | | | | 70: 48 86 f7 0d 01 01 04 | | | | 05 00 30 77 31 0b 30 09 06 | | | | \| H.÷......0w1.0.. | | | | 80: 03 55 04 06 13 02 55 | | | | 53 31 2c 30 2a 06 03 55 04 | | | | \| .U....US1,0*..U. | | | | 90: 0a 13 23 4e 65 74 73 | | | | 63 61 70 65 20 43 6f 6d 6d | | | | \| ..#Netscape Comm | | | | a0: 75 6e 69 63 61 74 69 | | | | 6f 6e 73 20 43 6f 72 70 6f | | | | \| unications Corpo | | | | b0: 72 61 74 69 6f 6e 31 | | | | 11 30 0f 06 03 55 04 0b 13 | | | | \| ration1.0...U... | | | | c0: 08 48 61 72 64 63 6f | | | | 72 65 31 27 30 25 06 03 55 | | | | \| .Hardcore1'0%..U | | | | d0: 04 03 13 1e 48 61 72 | | | | 64 63 6f 72 65 20 43 65 72 | | | | \| ....Hardcore Cer | | | | e0: 74 69 66 69 63 61 74 | | | | 65 20 53 65 72 76 65 72 20 | | | | \| tificate Server | | | | f0: 49 49 30 1e 17 0d 39 | | | | 38 30 35 31 36 30 31 30 33 | | | | \| II0...9805160103 | | | | | | | | ] | | | | | | | | Server socket closed. | | | | Example 4 | | | | In this example, the -s | | | | option turns on SSL parsing, | | | | and the -h option | | | | turns on hex/ASCII format. | | | | Both formats are shown for | | | | each record. The | | | | output is routed to a text | | | | file. | | | | $ ssltap -hs -p 444 | | | | interzone.mcom.com:443 > | | | | hs.txt | | | | Output | | | | Connected to | | | | interzone.mcom.com:443 | | | | --> [ | | | | 0: 80 3d 01 03 00 00 24 | | | | 00 00 00 10 01 00 80 02 00 | | | | \| .=....$......... | | | | 10: 80 03 00 80 04 00 80 | | | | 06 00 40 07 00 c0 00 00 04 | | | | \| .........@...... | | | | 20: 00 ff e0 00 00 0a 00 | | | | ff e1 00 00 09 00 00 03 03 | | | | \| ........á....... | | | | 30: 55 e6 e4 99 79 c7 d7 | | | | 2c 86 78 96 5d b5 cf e9 | | | | \|U..yÇ\xb0 ,.x.]µÏé | | | | alloclen = 63 bytes | | | | [ssl2] ClientHelloV2 { | | | | version = {0x03, | | | | 0x00} | | | | | | | | cipher-specs-length = 36 | | | | (0x24) | | | | sid-length = 0 | | | | (0x00) | | | | challenge-length | | | | = 16 (0x10) | | | | cipher-suites = { | | | | (0x010080) | | | | SSL2/RSA/RC4-128/MD5 | | | | (0x020080) | | | | SSL2/RSA/RC4-40/MD5 | | | | (0x030080) | | | | SSL2/RSA/RC2CBC128/MD5 | | | | (0x040080) | | | | SSL2/RSA/RC2CBC40/MD5 | | | | (0x060040) | | | | SSL2/RSA/DES64CBC/MD5 | | | | (0x0700c0) | | | | SSL2/RSA/3DES192EDE-CBC/MD5 | | | | (0x000004) | | | | SSL3/RSA/RC4-128/MD5 | | | | (0x00ffe0) | | | | SS | | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | | | | (0x00000a) | | | | SSL3/RSA/3DES192EDE-CBC/SHA | | | | (0x00ffe1) | | | | SSL3/RSA-FIPS/DES64CBC/SHA | | | | (0x000009) | | | | SSL3/RSA/DES64CBC/SHA | | | | (0x000003) | | | | SSL3/RSA/RC4-40/MD5 | | | | } | | | | session-id = { } | | | | challenge = { | | | | 0x0355 0xe6e4 0x9979 0xc7d7 | | | | 0x2c86 0x7896 0x5db | | | | 0xcfe9 } | | | | } | | | | ] | | | | | | | | Server socket closed. | | | | Usage Tips | | | | When SSL restarts a | | | | previous session, it makes use | | | | of cached information | | | | to do a partial handshake. | | | | If you wish to capture a full | | | | SSL handshake, | | | | restart the browser to | | | | clear the session id cache. | | | | If you run the tool on a | | | | machine other than the SSL | | | | server to which you | | | | are trying to connect, the | | | | browser will complain that the | | | | host name you | | | | are trying to connect to is | | | | different from the | | | | certificate. If you are | | | | using the default BadCert | | | | callback, you can still | | | | connect through a | | | | dialog. If you are not | | | | using the default BadCert | | | | callback, the one you | | | | supply must allow for this | | | | possibility. | | | | See Also | | | | The NSS Security Tools are | | | | also documented at | | | | | | | | [1]\ `http://www.mozil | | | | la.org/projects/security/pki/n | | | | ss/ `__. | | | | Additional Resources | | | | NSS is maintained in | | | | conjunction with PKI and | | | | security-related projects | | | | through Mozilla dn Fedora. | | | | The most closely-related | | | | project is Dogtag PKI, | | | | with a project wiki at | | | | [2]\ http: | | | | //pki.fedoraproject.org/wiki/. | | | | For information | | | | specifically about NSS, the | | | | NSS project wiki is located at | | | | | | | | [3]\ `http://www.mozil | | | | la.org/projects/security/pki/n | | | | ss/ `__. | | | | The NSS site relates | | | | directly to NSS code | | | | changes and releases. | | | | Mailing lists: | | | | pki-devel@redhat.com and | | | | pki-users@redhat.com | | | | IRC: Freenode at | | | | #dogtag-pki | | | | Authors | | | | The NSS tools were written | | | | and maintained by developers | | | | with Netscape and | | | | now with Red Hat and Sun. | | | | Authors: Elio Maldonado | | | | , Deon | | | | Lackey | | | | . | | | | Copyright | | | | (c) 2010, Red Hat, Inc. | | | | Licensed under the GNU Public | | | | License version 2. | | | | References | | | | Visible links | | | | 1. | | | | `http://www.mozilla.org/p | | | | rojects/secu.../pki/nss/tools | | | | `__ | | | | 2. | | | | http | | | | ://pki.fedoraproject.org/wiki/ | | | | 3. | | | | `http://www.mozi | | | | lla.org/projects/security/pki/ | | | | nss/ `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 358 | :ref:`mozill | | | | a_projects_nss_tools_vfychain` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Name | | | | vfychain — vfychain | | | | [options] [revocation options] | | | | certfile [[options] | | | | certfile] ... | | | | Synopsis | | | | vfychain | | | | Description | | | | The verification Tool, | | | | vfychain, verifies certificate | | | | chains. modutil can | | | | add and delete PKCS #11 | | | | modules, change passwords on | | | | security databases, | | | | set defaults, list module | | | | contents, enable or disable | | | | slots, enable or | | | | disable FIPS 140-2 | | | | compliance, and assign default | | | | providers for | | | | cryptographic operations. | | | | This tool can also create | | | | certificate, key, and | | | | module security database | | | | files. | | | | The tasks associated with | | | | security module database | | | | management are part of | | | | a process that typically | | | | also involves managing key | | | | databases and | | | | certificate databases. | | | | Options | | | | -a | | | | the following | | | | certfile is base64 encoded | | | | -b YYMMDDHHMMZ | | | | Validate date | | | | (default: now) | | | | -d directory | | | | database directory | | | | -f | | | | Enable cert | | | | fetching from AIA URL | | | | -o oid | | | | Set policy OID for | | | | cert validation(Format | | | | OID.1.2.3) | | | | -p | | | | Use PKIX Library to | | | | validate certificate by | | | | calling: | | | | \* | | | | CERT_VerifyCertificate if | | | | specified once, | | | | \* | | | | CERT_PKIXVerifyCert if | | | | specified twice and more. | | | | -r | | | | Following certfile | | | | is raw binary DER (default) | | | | -t | | | | Following cert is | | | | explicitly trusted (overrides | | | | db trust) | | | | -u usage | | | | 0=SSL client, 1=SSL | | | | server, 2=SSL StepUp, 3=SSL | | | | CA, 4=Email | | | | signer, 5=Email | | | | recipient, 6=Object signer, | | | | | | | | 9=ProtectedObjectSigner, | | | | 10=OCSP responder, 11=Any CA | | | | -v | | | | Verbose mode. | | | | Prints root cert | | | | subject(double the argument | | | | for | | | | whole root cert | | | | info) | | | | -w password | | | | Database password | | | | -W pwfile | | | | Password file | | | | Revocation options | | | | for PKIX API (invoked with -pp | | | | options) is a | | | | collection of the | | | | following flags: [-g type [-h | | | | flags] [-m type | | | | [-s flags]] ...] | | | | ... | | | | Where: | | | | -g test-type | | | | Sets status | | | | checking test type. Possible | | | | values are "leaf" or | | | | "chain" | | | | -g test type | | | | Sets status | | | | checking test type. Possible | | | | values are "leaf" or | | | | "chain". | | | | -h test flags | | | | Sets revocation | | | | flags for the test type it | | | | follows. Possible | | | | flags: | | | | "testLocalInfoFirst" and | | | | "requireFreshInfo". | | | | -m method type | | | | Sets method type | | | | for the test type it follows. | | | | Possible types are | | | | "crl" and "ocsp". | | | | -s method flags | | | | Sets revocation | | | | flags for the method it | | | | follows. Possible types | | | | are "doNotUse", | | | | "forbidFetching", | | | | "ignoreDefaultSrc", | | | | "requireInfo" and | | | | "failIfNoInfo". | | | | Additional Resources | | | | For information about NSS | | | | and other tools related to NSS | | | | (like JSS), check | | | | out the NSS project wiki at | | | | | | | | [1]\ `http://www.mozil | | | | la.org/projects/security/pki/n | | | | ss/ `__. | | | | The NSS site relates | | | | directly to NSS code | | | | changes and releases. | | | | Mailing lists: | | | | https://lists.mozill | | | | a.org/listinfo/dev-tech-crypto | | | | IRC: Freenode at | | | | #dogtag-pki | | | | Authors | | | | The NSS tools were written | | | | and maintained by developers | | | | with Netscape, Red | | | | Hat, and Sun. | | | | Authors: Elio Maldonado | | | | , Deon | | | | Lackey | | | | . | | | | Copyright | | | | (c) 2010, Red Hat, Inc. | | | | Licensed under the GNU Public | | | | License version 2. | | | | References | | | | Visible links | | | | 1. | | | | `http://www.mozi | | | | lla.org/projects/security/pki/ | | | | nss/ `__ | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 359 | :ref:`mozil | | | | la_projects_nss_tools_vfyserv` | | +--------------------------------+--------------------------------+--------------------------------+ | | | Coming soon | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 360 | :ref:`mozilla | **NSS** | | | _projects_nss_troubleshooting` | | +--------------------------------+--------------------------------+--------------------------------+ | | | On this page, let's collect | | | | information on how to | | | | troubleshoot NSS at runtime. | | | | Debugging tips, how to enable | | | | tracing of the various | | | | modules, etc. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+ | 361 | :ref:`mozilla_p | **NSS** | | | rojects_nss_utility_functions` | | +--------------------------------+--------------------------------+--------------------------------+ | | | The public functions listed | | | | here perform initialization | | | | tasks and other services. | +--------------------------------+--------------------------------+--------------------------------+ | | | | +--------------------------------+--------------------------------+--------------------------------+