From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 02:47:55 +0200 Subject: Adding upstream version 124.0.1. Signed-off-by: Daniel Baumann --- security/nss/doc/html/signver.html | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 security/nss/doc/html/signver.html (limited to 'security/nss/doc/html/signver.html') diff --git a/security/nss/doc/html/signver.html b/security/nss/doc/html/signver.html new file mode 100644 index 0000000000..c2263f8eca --- /dev/null +++ b/security/nss/doc/html/signver.html @@ -0,0 +1,33 @@ +SIGNVER

Name

signver — Verify a detached PKCS#7 signature for a file.

Synopsis

signtool -A | -V -d directory [-a] [-i input_file] [-o output_file] [-s signature_file] [-v]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The Signature Verification Tool, signver, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.

Options

-A

Displays all of the information in the PKCS#7 signature.

-V

Verifies the digital signature.

-d directory

Specify the database directory which contains the certificates and keys.

signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format.

-a

Sets that the given signature file is in ASCII format.

-i input_file

Gives the input file for the object with signed data.

-o output_file

Gives the output file to which to write the results.

-s signature_file

Gives the input file for the digital signature.

-v

Enables verbose output.

Extended Examples

Verifying a Signature

The -V option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).

signver -V -s signature_file -i signed_file -d /home/my/sharednssdb
+
+signatureValid=yes

Printing Signature Data

+ The -A option prints all of the information contained in a signature file. Using the -o option prints the signature file information to the given output file rather than stdout. +

signver -A -s signature_file -o output_file

NSS Database Types

NSS originally used BerkeleyDB databases to store security information. +The last versions of these legacy databases are:

  • + cert8.db for certificates +

  • + key3.db for keys +

  • + secmod.db for PKCS #11 module information +

BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has +some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS +requires more flexibility to provide a truly shared security database.

In 2009, NSS introduced a new set of databases that are SQLite databases rather than +BerkleyDB. These new databases provide more accessibility and performance:

  • + cert9.db for certificates +

  • + key4.db for keys +

  • + pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory +

Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type +Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:

# signver -A -s signature -d dbm:/home/my/sharednssdb

To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:

export NSS_DEFAULT_DB_TYPE="dbm"

This line can be added to the ~/.bashrc file to make the change permanent for the user.

  • + https://wiki.mozilla.org/NSS_Shared_DB_Howto

For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

  • + https://wiki.mozilla.org/NSS_Shared_DB +

See Also

signtool (1)

The NSS wiki has information on the new database design and how to configure applications to use it.

  • Setting up the shared NSS database

    https://wiki.mozilla.org/NSS_Shared_DB_Howto

  • + Engineering and technical information about the shared NSS database +

    + https://wiki.mozilla.org/NSS_Shared_DB +

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +
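Review bot: the Synopsis names the wrong binary. It reads `signtool -A | -V -d directory [-a] [-i input_file] [-o output_file] [-s signature_file] [-v]` on a page whose Name section documents signver; it should start with `signver`, and signtool(1) is already referenced under See Also. Two more points in the same file worth fixing before it ships as the installed manual. First, the Description says the tool "unpacks a base-64-encoded PKCS#7 signed object", while the `-a` option is documented as "Sets that the given signature file is in ASCII format", which implies the default input is binary; state which encoding is the default and when `-a` is required, because a mismatch makes verification fail for reasons unrelated to the signature itself. Second, the Options and Extended Examples sections should say explicitly that `-A` only displays the contents of the signature and performs no verification, so `-A` output is never read as evidence that a signature is valid; only `-V` produces `signatureValid=yes`, and the page should also document what is printed and what exit status is returned when verification fails, since anyone scripting this tool needs something more robust than grepping stdout for `yes`. Minor: the NSS Database Types text says to set NSS_DEFAULT_DB_TYPE to `dbm:` while the example exports `"dbm"`, so make clear that the colon is sentence punctuation and not part of the value; the bare `https://wiki.mozilla.org/NSS_Shared_DB_Howto` bullet has no introductory sentence and both wiki links are repeated under See Also; and the "STATUS: This documentation is still work in progress" block pointing at bug 836477 should be removed or updated.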
