From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 02:47:55 +0200 Subject: Adding upstream version 124.0.1. Signed-off-by: Daniel Baumann --- .../legacy/an_overview_of_nss_internals/index.rst | 302 ++ .../nss/doc/rst/legacy/blank_function/index.rst | 70 + security/nss/doc/rst/legacy/building/index.rst | 159 + .../rst/legacy/cert_findcertbydercert/index.rst | 64 + .../legacy/cert_findcertbyissuerandsn/index.rst | 82 + .../certificate_download_specification/index.rst | 186 + .../doc/rst/legacy/certificate_functions/index.rst | 410 +++ .../nss/doc/rst/legacy/certverify_log/index.rst | 55 + .../nss/doc/rst/legacy/code_coverage/index.rst | 73 + .../rst/legacy/cryptography_functions/index.rst | 500 +++ .../rst/legacy/deprecated_ssl_functions/index.rst | 34 + .../index.rst | 1206 +++++++ .../encrypt_decrypt_mac_using_token/index.rst | 1206 +++++++ security/nss/doc/rst/legacy/faq/index.rst | 280 ++ .../legacy/fips_mode_-_an_explanation/index.rst | 129 + .../nss/doc/rst/legacy/http_delegation/index.rst | 105 + .../doc/rst/legacy/http_delegation_clone/index.rst | 105 + security/nss/doc/rst/legacy/index.rst | 178 + .../index.rst | 162 + .../rst/legacy/jss/4.3.1_release_notes/index.rst | 174 + .../doc/rst/legacy/jss/4_3_releasenotes/index.rst | 175 + .../jss/build_instructions_for_jss_4.3.x/index.rst | 99 + .../jss/build_instructions_for_jss_4.4.x/index.rst | 19 + security/nss/doc/rst/legacy/jss/index.rst | 165 + security/nss/doc/rst/legacy/jss/jss_faq/index.rst | 217 ++ .../rst/legacy/jss/jss_provider_notes/index.rst | 489 +++ .../jss/mozilla-jss_jca_provider_notes/index.rst | 472 +++ .../nss/doc/rst/legacy/jss/using_jss/index.rst | 152 + .../nss/doc/rst/legacy/key_log_format/index.rst | 61 + .../nss/doc/rst/legacy/memory_allocation/index.rst | 52 + .../doc/rst/legacy/modutil-tasks.html/index.rst | 24 + security/nss/doc/rst/legacy/more_docs.rst | 10 + .../nss/doc/rst/legacy/new_nss_samples/index.rst | 41 + .../index.rst | 172 + security/nss/doc/rst/legacy/nroff/certutil.1 | 2165 ++++++++++++ security/nss/doc/rst/legacy/nroff/cmsutil.1 | 271 ++ security/nss/doc/rst/legacy/nroff/crlutil.1 | 389 +++ security/nss/doc/rst/legacy/nroff/derdump.1 | 92 + security/nss/doc/rst/legacy/nroff/modutil.1 | 1452 ++++++++ security/nss/doc/rst/legacy/nroff/pk12util.1 | 872 +++++ security/nss/doc/rst/legacy/nroff/pp.1 | 108 + security/nss/doc/rst/legacy/nroff/signtool.1 | 681 ++++ security/nss/doc/rst/legacy/nroff/signver.1 | 318 ++ security/nss/doc/rst/legacy/nroff/ssltap.1 | 609 ++++ security/nss/doc/rst/legacy/nroff/vfychain.1 | 169 + security/nss/doc/rst/legacy/nroff/vfyserv.1 | 70 + .../nss_3.11.10_release_notes.html/index.rst | 174 + .../legacy/nss_3.12.1_release_notes.html/index.rst | 255 ++ .../legacy/nss_3.12.2_release_notes.html/index.rst | 217 ++ .../legacy/nss_3.12_release_notes.html/index.rst | 919 +++++ .../rst/legacy/nss_3.37.3release_notes/index.rst | 72 + .../doc/rst/legacy/nss_api_guidelines/index.rst | 882 +++++ .../doc/rst/legacy/nss_config_options/index.rst | 217 ++ .../rst/legacy/nss_developer_tutorial/index.rst | 277 ++ .../legacy/nss_release_notes_template/index.rst | 126 + security/nss/doc/rst/legacy/nss_releases/index.rst | 161 + .../nss_releases/jss_4.4.0_release_notes/index.rst | 109 + .../nss_3.12.3_release_notes/index.rst | 432 +++ .../nss_3.12.4_release_notes/index.rst | 327 ++ .../nss_3.12.5_release_notes/index.rst | 285 ++ .../nss_3.12.6_release_notes/index.rst | 318 ++ .../nss_3.12.9_release_notes/index.rst | 144 + .../nss_3.14.1_release_notes/index.rst | 127 + .../nss_3.14.2_release_notes/index.rst | 103 + .../nss_3.14.3_release_notes/index.rst | 132 + .../nss_3.14.4_release_notes/index.rst | 82 + .../nss_3.14.5_release_notes/index.rst | 82 + .../nss_releases/nss_3.14_release_notes/index.rst | 174 + .../nss_3.15.1_release_notes/index.rst | 131 + .../nss_3.15.2_release_notes/index.rst | 126 + .../nss_3.15.3.1_release_notes/index.rst | 89 + .../nss_3.15.3_release_notes/index.rst | 94 + .../nss_3.15.4_release_notes/index.rst | 137 + .../nss_3.15.5_release_notes/index.rst | 93 + .../nss_releases/nss_3.15_release_notes/index.rst | 157 + .../nss_3.16.1_release_notes/index.rst | 97 + .../nss_3.16.2.1_release_notes/index.rst | 99 + .../nss_3.16.2.2_release_notes/index.rst | 81 + .../nss_3.16.2.3_release_notes/index.rst | 110 + .../nss_3.16.2_release_notes/index.rst | 113 + .../nss_3.16.3_release_notes/index.rst | 171 + .../nss_3.16.4_release_notes/index.rst | 75 + .../nss_3.16.5_release_notes/index.rst | 98 + .../nss_3.16.6_release_notes/index.rst | 81 + .../nss_releases/nss_3.16_release_notes/index.rst | 98 + .../nss_3.17.1_release_notes/index.rst | 132 + .../nss_3.17.2_release_notes/index.rst | 88 + .../nss_3.17.3_release_notes/index.rst | 134 + .../nss_3.17.4_release_notes/index.rst | 90 + .../nss_releases/nss_3.17_release_notes/index.rst | 72 + .../nss_3.18.1_release_notes/index.rst | 105 + .../nss_releases/nss_3.18_release_notes/index.rst | 169 + .../nss_3.19.1_release_notes/index.rst | 113 + .../nss_3.19.2.1_release_notes/index.rst | 88 + .../nss_3.19.2.2_release_notes/index.rst | 84 + .../nss_3.19.2.3_release_notes/index.rst | 84 + .../nss_3.19.2.4_release_notes/index.rst | 82 + .../nss_3.19.2_release_notes/index.rst | 94 + .../nss_3.19.3_release_notes/index.rst | 117 + .../nss_3.19.4_release_notes/index.rst | 88 + .../nss_releases/nss_3.19_release_notes/index.rst | 119 + .../nss_3.20.1_release_notes/index.rst | 88 + .../nss_3.20.2_release_notes/index.rst | 80 + .../nss_releases/nss_3.20_release_notes/index.rst | 140 + .../nss_3.21.1_release_notes/index.rst | 80 + .../nss_3.21.2_release_notes/index.rst | 70 + .../nss_3.21.3_release_notes/index.rst | 78 + .../nss_3.21.4_release_notes/index.rst | 75 + .../nss_releases/nss_3.21_release_notes/index.rst | 277 ++ .../nss_3.22.1_release_notes/index.rst | 69 + .../nss_3.22.2_release_notes/index.rst | 90 + .../nss_3.22.3_release_notes/index.rst | 70 + .../nss_releases/nss_3.22_release_notes/index.rst | 194 ++ .../nss_releases/nss_3.23_release_notes/index.rst | 192 ++ .../nss_releases/nss_3.24_release_notes/index.rst | 201 ++ .../nss_3.25.1_release_notes/index.rst | 80 + .../nss_releases/nss_3.25_release_notes/index.rst | 140 + .../nss_3.26.2_release_notes/index.rst | 80 + .../nss_releases/nss_3.26_release_notes/index.rst | 91 + .../nss_3.27.1_release_notes/index.rst | 92 + .../nss_3.27.2_release_notes/index.rst | 84 + .../nss_releases/nss_3.27_release_notes/index.rst | 149 + .../nss_3.28.1_release_notes/index.rst | 148 + .../nss_3.28.2_release_notes/index.rst | 79 + .../nss_3.28.3_release_notes/index.rst | 95 + .../nss_3.28.4_release_notes/index.rst | 77 + .../nss_3.28.5_release_notes/index.rst | 116 + .../nss_releases/nss_3.28_release_notes/index.rst | 170 + .../nss_3.29.1_release_notes/index.rst | 94 + .../nss_3.29.2_release_notes/index.rst | 71 + .../nss_3.29.3_release_notes/index.rst | 73 + .../nss_3.29.5_release_notes/index.rst | 75 + .../nss_releases/nss_3.29_release_notes/index.rst | 68 + .../nss_3.30.1_release_notes/index.rst | 73 + .../nss_3.30.2_release_notes/index.rst | 115 + .../nss_releases/nss_3.30_release_notes/index.rst | 125 + .../nss_3.31.1_release_notes/index.rst | 71 + .../nss_releases/nss_3.31_release_notes/index.rst | 129 + .../nss_releases/nss_3.32_release_notes/index.rst | 143 + .../nss_releases/nss_3.33_release_notes/index.rst | 115 + .../nss_3.34.1_release_notes/index.rst | 94 + .../nss_releases/nss_3.34_release_notes/index.rst | 215 ++ .../nss_releases/nss_3.35_release_notes/index.rst | 273 ++ .../nss_3.36.1_release_notes/index.rst | 84 + .../nss_3.36.2_release_notes/index.rst | 75 + .../nss_3.36.4_release_notes/index.rst | 68 + .../nss_3.36.5_release_notes/index.rst | 69 + .../nss_3.36.6_release_notes/index.rst | 73 + .../nss_3.36.7_release_notes/index.rst | 74 + .../nss_3.36.8_release_notes/index.rst | 90 + .../nss_releases/nss_3.36_release_notes/index.rst | 78 + .../nss_3.37.1_release_notes/index.rst | 75 + .../nss_releases/nss_3.37_release_notes/index.rst | 112 + .../nss_releases/nss_3.38_release_notes/index.rst | 106 + .../nss_releases/nss_3.39_release_notes/index.rst | 149 + .../nss_3.40.1_release_notes/index.rst | 81 + .../nss_releases/nss_3.40_release_notes/index.rst | 102 + .../nss_3.41.1_release_notes/index.rst | 76 + .../nss_releases/nss_3.41_release_notes/index.rst | 163 + .../nss_3.42.1_release_notes/index.rst | 65 + .../nss_releases/nss_3.42_release_notes/index.rst | 143 + .../nss_releases/nss_3.43_release_notes/index.rst | 151 + .../nss_3.44.1_release_notes/index.rst | 140 + .../nss_3.44.2_release_notes/index.rst | 72 + .../nss_3.44.3_release_notes/index.rst | 76 + .../nss_3.44.4_release_notes/index.rst | 69 + .../nss_releases/nss_3.44_release_notes/index.rst | 146 + .../nss_releases/nss_3.45_release_notes/index.rst | 224 ++ .../nss_3.46.1_release_notes/index.rst | 72 + .../nss_releases/nss_3.46_release_notes/index.rst | 219 ++ .../nss_3.47.1_release_notes/index.rst | 78 + .../nss_releases/nss_3.47_release_notes/index.rst | 179 + .../nss_3.48.1_release_notes/index.rst | 71 + .../nss_releases/nss_3.48_release_notes/index.rst | 178 + .../nss_3.49.1_release_notes/index.rst | 71 + .../nss_3.49.2_release_notes/index.rst | 76 + .../nss_releases/nss_3.49_release_notes/index.rst | 103 + .../nss_releases/nss_3.50_release_notes/index.rst | 120 + .../nss_3.51.1_release_notes/index.rst | 79 + .../nss_releases/nss_3.51_release_notes/index.rst | 103 + .../nss_3.52.1_release_notes/index.rst | 69 + .../nss_releases/nss_3.52_release_notes/index.rst | 158 + .../nss_3.53.1_release_notes/index.rst | 69 + .../nss_releases/nss_3.53_release_notes/index.rst | 128 + .../nss_releases/nss_3.54_release_notes/index.rst | 184 + .../nss_releases/nss_3.55_release_notes/index.rst | 135 + .../nss_releases/nss_3.56_release_notes/index.rst | 98 + .../nss_releases/nss_3.57_release_notes/index.rst | 151 + .../nss_releases/nss_3.58_release_notes/index.rst | 76 + .../nss_3.59.1_release_notes/index.rst | 57 + .../nss_releases/nss_3.59_release_notes/index.rst | 108 + .../nss_3.60.1_release_notes/index.rst | 58 + .../nss_releases/nss_3.60_release_notes/index.rst | 144 + .../nss_releases/nss_3.61_release_notes/index.rst | 65 + .../nss_releases/nss_3.62_release_notes/index.rst | 84 + .../nss_3.63.1_release_notes/index.rst | 66 + .../nss_releases/nss_3.63_release_notes/index.rst | 90 + .../nss_releases/nss_3.64_release_notes/index.rst | 69 + .../enc_dec_mac_output_plblic_key_as_csr/index.rst | 1697 +++++++++ .../index.rst | 2090 ++++++++++++ .../encrypt_decrypt_mac_using_token/index.rst | 1206 +++++++ .../nss/doc/rst/legacy/nss_sample_code/index.rst | 31 + .../nss_sample_code_sample1/index.rst | 713 ++++ .../nss_sample_code_sample2/index.rst | 166 + .../nss_sample_code_sample3/index.rst | 169 + .../nss_sample_code_sample4/index.rst | 158 + .../nss_sample_code_sample5/index.rst | 174 + .../nss_sample_code_sample6/index.rst | 153 + .../nss_sample_code_sample_1_hashing/index.rst | 253 ++ .../index.rst | 257 ++ .../index.rst | 1221 +++++++ .../nss_sample_code_utililies_1/index.rst | 553 +++ .../rst/legacy/nss_sample_code/sample1/index.rst | 230 ++ .../nss_sample_code/sample1_-_hashing/index.rst | 257 ++ .../rst/legacy/nss_sample_code/sample2/index.rst | 12 + .../sample2_-_initialize_nss_database/index.rst | 250 ++ .../index.rst | 30 + .../utiltiies_for_nss_samples/index.rst | 747 ++++ .../legacy/nss_sources_building_testing/index.rst | 123 + .../nss/doc/rst/legacy/nss_tech_notes/index.rst | 23 + .../legacy/nss_tech_notes/nss_tech_note1/index.rst | 196 ++ .../legacy/nss_tech_notes/nss_tech_note2/index.rst | 167 + .../legacy/nss_tech_notes/nss_tech_note3/index.rst | 234 ++ .../legacy/nss_tech_notes/nss_tech_note4/index.rst | 221 ++ .../legacy/nss_tech_notes/nss_tech_note5/index.rst | 659 ++++ .../legacy/nss_tech_notes/nss_tech_note6/index.rst | 104 + .../legacy/nss_tech_notes/nss_tech_note7/index.rst | 189 + .../legacy/nss_tech_notes/nss_tech_note8/index.rst | 130 + .../doc/rst/legacy/nss_third-party_code/index.rst | 45 + .../doc/rst/legacy/nss_tools_sslstrength/index.rst | 81 + security/nss/doc/rst/legacy/overview/index.rst | 167 + security/nss/doc/rst/legacy/pkcs11/faq/index.rst | 390 +++ security/nss/doc/rst/legacy/pkcs11/index.rst | 14 + .../legacy/pkcs11/module_installation/index.rst | 56 + .../doc/rst/legacy/pkcs11/module_specs/index.rst | 365 ++ .../nss/doc/rst/legacy/pkcs11_functions/index.rst | 554 +++ .../nss/doc/rst/legacy/pkcs11_implement/index.rst | 477 +++ .../nss/doc/rst/legacy/pkcs_12_functions/index.rst | 37 + .../nss/doc/rst/legacy/pkcs_7_functions/index.rst | 55 + .../rst/legacy/python_binding_for_nss/index.rst | 1795 ++++++++++ .../build_instructions/index.rst | 152 + .../building_and_installing_nss/index.rst | 12 + .../installation_guide/index.rst | 50 + .../migration_to_hg/index.rst | 49 + .../sample_manual_installation/index.rst | 27 + .../legacy/reference/fc_cancelfunction/index.rst | 61 + .../legacy/reference/fc_closeallsessions/index.rst | 66 + .../rst/legacy/reference/fc_closesession/index.rst | 60 + .../rst/legacy/reference/fc_copyobject/index.rst | 74 + .../rst/legacy/reference/fc_createobject/index.rst | 70 + .../doc/rst/legacy/reference/fc_decrypt/index.rst | 73 + .../reference/fc_decryptdigestupdate/index.rst | 76 + .../rst/legacy/reference/fc_decryptfinal/index.rst | 67 + .../rst/legacy/reference/fc_decryptinit/index.rst | 66 + .../legacy/reference/fc_decryptupdate/index.rst | 74 + .../reference/fc_decryptverifyupdate/index.rst | 76 + .../rst/legacy/reference/fc_derivekey/index.rst | 77 + .../legacy/reference/fc_destroyobject/index.rst | 64 + .../doc/rst/legacy/reference/fc_digest/index.rst | 74 + .../reference/fc_digestencryptupdate/index.rst | 76 + .../rst/legacy/reference/fc_digestfinal/index.rst | 69 + .../rst/legacy/reference/fc_digestinit/index.rst | 63 + .../rst/legacy/reference/fc_digestkey/index.rst | 66 + .../rst/legacy/reference/fc_digestupdate/index.rst | 70 + .../doc/rst/legacy/reference/fc_encrypt/index.rst | 73 + .../rst/legacy/reference/fc_encryptfinal/index.rst | 68 + .../rst/legacy/reference/fc_encryptinit/index.rst | 71 + .../legacy/reference/fc_encryptupdate/index.rst | 74 + .../doc/rst/legacy/reference/fc_finalize/index.rst | 88 + .../rst/legacy/reference/fc_findobjects/index.rst | 70 + .../legacy/reference/fc_findobjectsfinal/index.rst | 59 + .../legacy/reference/fc_findobjectsinit/index.rst | 70 + .../rst/legacy/reference/fc_generatekey/index.rst | 73 + .../legacy/reference/fc_generatekeypair/index.rst | 83 + .../legacy/reference/fc_generaterandom/index.rst | 67 + .../reference/fc_getattributevalue/index.rst | 70 + .../legacy/reference/fc_getfunctionlist/index.rst | 79 + .../reference/fc_getfunctionstatus/index.rst | 60 + .../doc/rst/legacy/reference/fc_getinfo/index.rst | 110 + .../legacy/reference/fc_getmechanisminfo/index.rst | 72 + .../legacy/reference/fc_getmechanismlist/index.rst | 70 + .../legacy/reference/fc_getobjectsize/index.rst | 67 + .../reference/fc_getoperationstate/index.rst | 69 + .../legacy/reference/fc_getsessioninfo/index.rst | 76 + .../rst/legacy/reference/fc_getslotinfo/index.rst | 71 + .../rst/legacy/reference/fc_getslotlist/index.rst | 69 + .../rst/legacy/reference/fc_gettokeninfo/index.rst | 106 + .../rst/legacy/reference/fc_initialize/index.rst | 131 + .../doc/rst/legacy/reference/fc_initpin/index.rst | 78 + .../rst/legacy/reference/fc_inittoken/index.rst | 110 + .../doc/rst/legacy/reference/fc_login/index.rst | 88 + .../doc/rst/legacy/reference/fc_logout/index.rst | 58 + .../rst/legacy/reference/fc_opensession/index.rst | 78 + .../rst/legacy/reference/fc_seedrandom/index.rst | 70 + .../reference/fc_setattributevalue/index.rst | 70 + .../reference/fc_setoperationstate/index.rst | 76 + .../doc/rst/legacy/reference/fc_setpin/index.rst | 75 + .../nss/doc/rst/legacy/reference/fc_sign/index.rst | 74 + .../reference/fc_signencryptupdate/index.rst | 75 + .../rst/legacy/reference/fc_signfinal/index.rst | 68 + .../doc/rst/legacy/reference/fc_signinit/index.rst | 68 + .../rst/legacy/reference/fc_signrecover/index.rst | 75 + .../legacy/reference/fc_signrecoverinit/index.rst | 68 + .../rst/legacy/reference/fc_signupdate/index.rst | 69 + .../rst/legacy/reference/fc_unwrapkey/index.rst | 83 + .../doc/rst/legacy/reference/fc_verify/index.rst | 75 + .../rst/legacy/reference/fc_verifyfinal/index.rst | 67 + .../rst/legacy/reference/fc_verifyinit/index.rst | 67 + .../legacy/reference/fc_verifyrecover/index.rst | 75 + .../reference/fc_verifyrecoverinit/index.rst | 68 + .../rst/legacy/reference/fc_verifyupdate/index.rst | 70 + .../legacy/reference/fc_waitforslotevent/index.rst | 61 + .../doc/rst/legacy/reference/fc_wrapkey/index.rst | 77 + security/nss/doc/rst/legacy/reference/index.rst | 340 ++ .../rst/legacy/reference/nsc_inittoken/index.rst | 113 + .../doc/rst/legacy/reference/nsc_login/index.rst | 88 + .../rst/legacy/reference/nspr_functions/index.rst | 126 + .../reference/nss_certificate_functions/index.rst | 609 ++++ .../fips_mode_of_operation/index.rst | 190 ++ .../reference/nss_cryptographic_module/index.rst | 29 + .../reference/nss_environment_variables/index.rst | 515 +++ .../rst/legacy/reference/nss_functions/index.rst | 105 + .../rst/legacy/reference/nss_initialize/index.rst | 113 + .../legacy/reference/nss_key_functions/index.rst | 60 + .../doc/rst/legacy/reference/nss_tools/index.rst | 26 + .../reference/nss_tools__colon__certutil/index.rst | 845 +++++ .../reference/nss_tools__colon__cmsutil/index.rst | 192 ++ .../reference/nss_tools__colon__crlutil/index.rst | 379 +++ .../reference/nss_tools__colon__modutil/index.rst | 901 +++++ .../reference/nss_tools__colon__pk12util/index.rst | 442 +++ .../reference/nss_tools__colon__ssltab/index.rst | 573 ++++ .../reference/nss_tools__colon__ssltap/index.rst | 573 ++++ .../reference/nss_tools__colon__vfychain/index.rst | 132 + .../reference/nss_tools__colon__vfyserv/index.rst | 50 + .../rst/legacy/reference/troubleshoot/index.rst | 78 + .../nss/doc/rst/legacy/release_notes/index.rst | 138 + .../nss/doc/rst/legacy/s_mime_functions/index.rst | 111 + .../doc/rst/legacy/ssl_functions/gtstd/index.rst | 264 ++ .../nss/doc/rst/legacy/ssl_functions/index.rst | 83 + .../ssl_functions/old_ssl_reference/index.rst | 269 ++ .../doc/rst/legacy/ssl_functions/pkfnc/index.rst | 439 +++ .../doc/rst/legacy/ssl_functions/sslcrt/index.rst | 632 ++++ .../doc/rst/legacy/ssl_functions/sslerr/index.rst | 1434 ++++++++ .../doc/rst/legacy/ssl_functions/sslfnc/index.rst | 3595 ++++++++++++++++++++ .../rst/legacy/ssl_functions/sslintro/index.rst | 291 ++ .../doc/rst/legacy/ssl_functions/sslkey/index.rst | 107 + .../doc/rst/legacy/ssl_functions/ssltyp/index.rst | 343 ++ .../legacy/tls_cipher_suite_discovery/index.rst | 114 + .../nss/doc/rst/legacy/tools/certutil/index.rst | 702 ++++ .../nss/doc/rst/legacy/tools/cmsutil/index.rst | 111 + .../nss/doc/rst/legacy/tools/crlutil/index.rst | 229 ++ security/nss/doc/rst/legacy/tools/index.rst | 125 + .../nss/doc/rst/legacy/tools/modutil/index.rst | 640 ++++ .../tools/nss_tools_certutil-tasks/index.rst | 32 + .../rst/legacy/tools/nss_tools_certutil/index.rst | 666 ++++ .../rst/legacy/tools/nss_tools_cmsutil/index.rst | 119 + .../rst/legacy/tools/nss_tools_crlutil/index.rst | 441 +++ .../legacy/tools/nss_tools_dbck-tasks/index.rst | 28 + .../legacy/tools/nss_tools_modutil-tasks/index.rst | 24 + .../rst/legacy/tools/nss_tools_modutil/index.rst | 912 +++++ .../tools/nss_tools_pk12util-tasks/index.rst | 23 + .../rst/legacy/tools/nss_tools_pk12util/index.rst | 217 ++ .../legacy/tools/nss_tools_signver-tasks/index.rst | 22 + .../legacy/tools/nss_tools_sslstrength/index.rst | 87 + .../rst/legacy/tools/nss_tools_ssltap/index.rst | 621 ++++ .../nss/doc/rst/legacy/tools/pk12util/index.rst | 282 ++ .../nss/doc/rst/legacy/tools/signtool/index.rst | 547 +++ .../nss/doc/rst/legacy/tools/signver/index.rst | 118 + security/nss/doc/rst/legacy/tools/ssltap/index.rst | 495 +++ .../nss/doc/rst/legacy/tools/vfychain/index.rst | 92 + .../nss/doc/rst/legacy/tools/vfyserv/index.rst | 8 + .../nss/doc/rst/legacy/troubleshooting/index.rst | 11 + .../nss/doc/rst/legacy/utility_functions/index.rst | 427 +++ 373 files changed, 77534 insertions(+) create mode 100644 security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst create mode 100644 security/nss/doc/rst/legacy/blank_function/index.rst create mode 100644 security/nss/doc/rst/legacy/building/index.rst create mode 100644 security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst create mode 100644 security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst create mode 100644 security/nss/doc/rst/legacy/certificate_download_specification/index.rst create mode 100644 security/nss/doc/rst/legacy/certificate_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/certverify_log/index.rst create mode 100644 security/nss/doc/rst/legacy/code_coverage/index.rst create mode 100644 security/nss/doc/rst/legacy/cryptography_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst create mode 100644 security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst create mode 100644 security/nss/doc/rst/legacy/faq/index.rst create mode 100644 security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst create mode 100644 security/nss/doc/rst/legacy/http_delegation/index.rst create mode 100644 security/nss/doc/rst/legacy/http_delegation_clone/index.rst create mode 100644 security/nss/doc/rst/legacy/index.rst create mode 100644 security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/jss_faq/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/using_jss/index.rst create mode 100644 security/nss/doc/rst/legacy/key_log_format/index.rst create mode 100644 security/nss/doc/rst/legacy/memory_allocation/index.rst create mode 100644 security/nss/doc/rst/legacy/modutil-tasks.html/index.rst create mode 100644 security/nss/doc/rst/legacy/more_docs.rst create mode 100644 security/nss/doc/rst/legacy/new_nss_samples/index.rst create mode 100644 security/nss/doc/rst/legacy/notes_on_tls_-_ssl_3.0_intolerant_servers/index.rst create mode 100644 security/nss/doc/rst/legacy/nroff/certutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/cmsutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/crlutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/derdump.1 create mode 100644 security/nss/doc/rst/legacy/nroff/modutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/pk12util.1 create mode 100644 security/nss/doc/rst/legacy/nroff/pp.1 create mode 100644 security/nss/doc/rst/legacy/nroff/signtool.1 create mode 100644 security/nss/doc/rst/legacy/nroff/signver.1 create mode 100644 security/nss/doc/rst/legacy/nroff/ssltap.1 create mode 100644 security/nss/doc/rst/legacy/nroff/vfychain.1 create mode 100644 security/nss/doc/rst/legacy/nroff/vfyserv.1 create mode 100644 security/nss/doc/rst/legacy/nss_3.11.10_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.12.1_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.12.2_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.12_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.37.3release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_api_guidelines/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_config_options/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_developer_tutorial/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_release_notes_template/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.3.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.18_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.25.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.26.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.26_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.31.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.32_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.33_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.34.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.7_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.37.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.37_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.38_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.41.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.42.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.42_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.43_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.46.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.47.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.48.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.51_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.52_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.53.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.54_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.56_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.57_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.58_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.59.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.60.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.61_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.62_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.63.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.63_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.64_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/enc_dec_mac_output_plblic_key_as_csr/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/enc_dec_mac_using_key_wrap_certreq_pkcs10_csr/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/encrypt_decrypt_mac_using_token/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample2/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample3/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample4/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample5/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample6/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_1_hashing/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_2_initialization_of_nss/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_3_basic_encryption_and_maci/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_utililies_1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample1_-_hashing/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample2/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample2_-_initialize_nss_database/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample3_-_encdecmac_using_token_object/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/utiltiies_for_nss_samples/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sources_building_testing/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note2/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note3/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note4/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note5/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note6/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note7/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note8/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_third-party_code/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tools_sslstrength/index.rst create mode 100644 security/nss/doc/rst/legacy/overview/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/faq/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/module_installation/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/module_specs/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11_implement/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs_12_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs_7_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/python_binding_for_nss/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/build_instructions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/installation_guide/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/migration_to_hg/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/sample_manual_installation/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_cancelfunction/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_closeallsessions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_closesession/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_copyobject/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_createobject/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decrypt/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptdigestupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptverifyupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_derivekey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_destroyobject/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digest/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestencryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestkey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encrypt/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encryptfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encryptinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_finalize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_findobjects/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_findobjectsfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_findobjectsinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_generatekey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_generatekeypair/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_generaterandom/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getattributevalue/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getfunctionlist/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getfunctionstatus/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getinfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getmechanisminfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getmechanismlist/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getobjectsize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getoperationstate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getsessioninfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getslotinfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getslotlist/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_gettokeninfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_initialize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_initpin/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_inittoken/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_login/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_logout/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_opensession/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_seedrandom/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_setattributevalue/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_setoperationstate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_setpin/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_sign/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signencryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signrecover/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signrecoverinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_unwrapkey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verify/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyrecover/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyrecoverinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_waitforslotevent/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_wrapkey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nsc_inittoken/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nsc_login/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nspr_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_certificate_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_cryptographic_module/fips_mode_of_operation/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_cryptographic_module/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_environment_variables/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_initialize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_key_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__cmsutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__crlutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__modutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__pk12util/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltab/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltap/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__vfychain/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__vfyserv/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/troubleshoot/index.rst create mode 100644 security/nss/doc/rst/legacy/release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/s_mime_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/gtstd/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/old_ssl_reference/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/pkfnc/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslcrt/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslerr/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslfnc/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslintro/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslkey/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/ssltyp/index.rst create mode 100644 security/nss/doc/rst/legacy/tls_cipher_suite_discovery/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/certutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/cmsutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/crlutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/modutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_certutil-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_certutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_cmsutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_crlutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_dbck-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_modutil-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_modutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_pk12util-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_pk12util/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_signver-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_sslstrength/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_ssltap/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/pk12util/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/signtool/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/signver/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/ssltap/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/vfychain/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/vfyserv/index.rst create mode 100644 security/nss/doc/rst/legacy/troubleshooting/index.rst create mode 100644 security/nss/doc/rst/legacy/utility_functions/index.rst (limited to 'security/nss/doc/rst/legacy') diff --git a/security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst b/security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst new file mode 100644 index 0000000000..7d705198a8 --- /dev/null +++ b/security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst @@ -0,0 +1,302 @@ +.. _mozilla_projects_nss_an_overview_of_nss_internals: + +An overview of NSS Internals +============================ + +.. container:: + + | A High-Level Overview to the Internals of `Network Security Services + (NSS) `__ + | Software developed by the Mozilla.org projects traditionally used its own implementation of + security protocols and cryptographic algorithms, originally called Netscape Security Services, + nowadays called Network Security Services (NSS). NSS is a library written in the C programming + language. It's free and open source software, and many other software projects have decided to + use it. In order to support multiple operating systems (OS), it is based on a cross platform + portability layer, called the Netscape Portable Runtime (NSPR), which provides cross platform + application programming interfaces (APIs) for OS specific APIs like file system access, memory + management, network communication, and multithreaded programming. + | NSS offers lots of functionality; we'll walk through the list of modules, design principles, + and important relevant standards. + | In order to allow interoperability between software and devices that perform cryptographic + operations, NSS conforms to a standard called PKCS#11. (Note that it's important to look at the + number 11, as there are other PKCS standards with different numbers that define quite different + topics.) + | A software or hardware module conforming to the PKCS#11 standard implements an interface of C + calls, which allow querying the characteristics and offered services of the module. Multiple + elements of NSS's own modules have been implemented with this interface, and NSS makes use of + this interface when talking to those modules. This strategy allows NSS to work with many + hardware devices (e.g., to speed up the calculations required for cryptographic operations, or + to access smartcards that securely protect a secret key) and software modules (e.g., to allow + to load such modules as a plugin that provides additional algorithms or stores key or trust + information) that implement the PKCS#11 interface. + | A core element of NSS is FreeBL, a base library providing hash functions, big number + calculations, and cryptographic algorithms. + | Softoken is an NSS module that exposes most FreeBL functionality as a PKCS#11 module. + | Some cryptography uses the same secret key for both encrypting and decrypting, for example + password based encryption (PBE). This is often sufficient if you encrypt data for yourself, but + as soon as you need to exchange signed/encrypted data with communication partners, using public + key encryption simplifies the key management. The environment that describes how to use public + key encryption is called Public Key Infrastructure (PKI). The public keys that are exchanged + between parties are transported using a container; the container is called a certificate, + following standard X.509 version 3. A certificate contains lots of other details; for example, + it contains a signature by a third party that expresses trust in the ownership relationship for + the certificate. The trust assigned by the third party might be restricted to certain uses, + which are listed in certificate extensions that are contained in the certificate. + | Many (if not most) of the operations performed by NSS involve the use of X.509 certificates + (often abbreviated as “cert”, unfortunately making it easy to confuse with the term “computer + emergency response team“). + | When checking whether a certificate is trusted or not, it's necessary to find a relevant trust + anchor (root certificate) that represents the signing capability of a trusted third party, + usually called a Certificate Authority (CA). A trust anchor is just another X.509 certificate + that is already known and has been deliberately marked as trusted by a software vendor, + administrators inside an organizational infrastructure, or the software user. NSS ships a + predefined set of CA certificates. This set, including their trust assignments, is provided by + NSS as a software module, called CKBI (“built-in root certificates”), which also implements the + PKCS#11 interface. On an organizational level the contents of the set are managed according to + the Mozilla CA policy. On a technical level the set is a binary software module. + | A cryptographic transaction, such as encryption or decryption related to a data exchange, + usually involves working with the X.509 certs of your communication partners (peer). It's also + required that you safely keep your own secret keys that belong to your own certificates. You + might want to protect the storage of your secret keys with PBE. You might decide to modify the + default trust provided by NSS. All of this requires storing, looking up, and retrieving data. + NSS simplifies performing these operations by offering storage and management APIs. NSS doesn't + require the programmer to manage individual files containing individual certificates or keys. + Instead, NSS offers to use its own database(s). Once you have imported certificates and keys + into the NSS database, you can easily look them up and use them again. + | Because of NSS's expectation to operate with an NSS database, it's mandatory that you perform + an initialization call, where you tell NSS which database you will be using. In the most simple + scenario, the programmer will provide a directory on your filesystem as a parameter to the init + function, and NSS is designed to do the rest. It will detect and open an existing database, or + it can create a new one. Alternatively, should you decide that you don't want to work with any + persistent recording of certificates, you may initialize NSS in a no-database mode. Usually, + NSS will flush all data to disk as soon as new data has been added to permanent storage. + Storage consists of multiple files: a key database file, which contains your secret keys, and a + certificate database file which contains the public portion of your own certificates, the + certificates of peers or CAs, and a list of trust decisions (such as to not trust a built-in + CA, or to explicitly trust other CAs). Examples for the database files are key3.db and + cert8.db, where the numbers are file version numbers. A third file contains the list of + external PKCS#11 modules that have been registered to be used by NSS. The file could be named + secmod.db, but in newer database generations a file named pkcs11.txt is used. + | Only NSS is allowed to access and manipulate these database files directly; a programmer using + NSS must go through the APIs offered by NSS to manipulate the data stored in these files. The + programmer's task is to initialize NSS with the required parameters (such as a database), and + NSS will then transparently manage the database files. + | Most of the time certificates and keys are supposed to be stored in the NSS database. + Therefore, after initial import or creation, the programmer usually doesn't deal with their raw + bytes. Instead, the programmer will use lookup functions, and NSS will provide an access handle + that will be subsequently used by the application's code. Those handles are reference counted. + NSS will usually create an in-memory (RAM) presentation of certificates, once a certificate has + been received from the network, read from disk, or looked up from the database, and prepare + in-memory data structures that contain the certificate's properties, as well as providing a + handle for the programmer to use. Once the application is done with a handle, it should be + released, allowing NSS to free the associated resources. When working with handles to private + keys it's usually difficult (and undesired) that an application gets access to the raw key + data; therefore it may be difficult to extract such data from NSS. The usual minimum + requirement is that private keys must be wrapped using a protective layer (such as + password-based encryption). The intention is to make it easier to review code for security. The + less code that has access to raw secret keys, the less code that must be reviewed. + | NSS has only limited functionality to look up raw keys. The preferred approach is to use + certificates, and to look up certificates by properties such as the contained subject name + (information that describes the owner of the certificate). For example, while NSS supports + random calculation (creation) of a new public/private key pair, it's difficult to work with + such a raw key pair. The usual approach is to create a certificate signing request (CSR) as + soon as an application is done with the creation step, which will have created a handle to the + key pair, and which can be used for the necessary related operations, like producing a + proof-of-ownership of the private key, which is usually required when submitting the public key + with a CSR to a CA. The usual follow up action is receiving a signed certificate from a CA. + (However, it's also possible to use NSS functionality to create a self-signed certificate, + which, however, usually won't be trusted by other parties.) Once received, it's sufficient to + tell NSS to import such a new certificate into the NSS database, and NSS will automatically + perform a lookup of the embedded public key, be able to find the associated private key, and + subsequently be able to treat it as a personal certificate. (A personal certificate is a + certificate for which the private key is in possession, and which could be used for signing + data or for decrypting data.) A unique nickname can/should be assigned to the certificate at + the time of import, which can later be used to easily identify and retrieve it. + | It's important to note that NSS requires strict cleanup for all handles returned by NSS. The + application should always call the appropriate dereference (destroy) functions once a handle is + no longer needed. This is particularly important for applications that might need to close a + database and reinitialize NSS using a different one, without restarting. Such an operation + might fail at runtime if data elements are still being referenced. + | In addition to the FreeBL, Softoken, and CKBI modules, there is an utility library for general + operations (e.g., encoding/decoding between data formats, a list of standardized object + identifiers (OID)). NSS has an SSL/TLS module that implements the Secure Sockets + Layer/Transport Layer Security network protocols, an S/MIME module that implements CMS + messaging used by secure email and some instant messaging implementations, a DBM library that + implements the classic database storage, and finally a core NSS library for the big set of + “everything else”. Newer generations of the database use the SQLite database to allow + concurrent access by multiple applications. + | All of the above are provided as shared libraries. The CRMF library, which is used to produce + certain kinds of certificate requests, is available as a library for static linking only. + | When dealing with certificates (X.509), file formats such as PKCS#12 (certificates and keys), + PKCS#7 (signed data), and message formats as CMS, we should mention ASN.1, which is a syntax + for storing structured data in a very efficient (small sized) presentation. It was originally + developed for telecommunication systems at times where it was critical to minimize data as much + as possible (although it still makes sense to use that principle today for good performance). + In order to process data available in the ASN.1 format, the usual approach is to parse it and + transfer it to a presentation that requires more space but is easier to work with, such as + (nested) C data structures. Over the time NSS has received three different ASN.1 parser + implementations, each having their own specific properties, advantages and disadvantages, which + is why all of them are still being used (nobody has yet dared to replace the older with the + newer ones because of risks for side effects). When using the ASN.1 parser(s), a template + definition is passed to the parser, which will analyze the ASN.1 data stream accordingly. The + templates are usually closely aligned to definitions found in RFC documents. + | A data block described as DER is usually in ASN.1 format. You must know which data you are + expecting, and use the correct template for parsing, based on the context of your software's + interaction. Data described as PEM is a base64 encoded presentation of DER, usually wrapped + between human readable BEGIN/END lines. NSS prefers the binary presentation, but is often + capable to use base64 or ASCII presentations, especially when importing data from files. A + recent development adds support for loading external PEM files that contain private keys, in a + software library called nss-pem, which is separately available, but should eventually become a + core part of NSS. + | Looking at the code level, NSS deals with blocks of raw data all the time. The common structure + to store such an untyped block is SECItem, which contains a size and an untyped C pointer + variable. + | When dealing with memory, NSS makes use of arenas, which are an attempt to simplify management + with the limited offerings of C (because there are no destructors). The idea is to group + multiple memory allocations in order to simplify cleanup. Performing an operation often + involves allocating many individual data items, and the code might be required to abort a task + at many positions in the logic. An arena is requested once processing of a task starts, and all + memory allocations that are logically associated to that task are requested from the associated + arena. The implementation of arenas makes sure that all individual memory blocks are tracked. + Once a task is done, regardless whether it completed or was aborted, the programmer simply + needs to release the arena, and all individually allocated blocks will be released + automatically. Often freeing is combined with immediately erasing (zeroing, zfree) the memory + associated to the arena, in order to make it more difficult for attackers to extract keys from + a memory dump. + | NSS uses many C data structures. Often NSS has multiple implementations for the same or similar + concepts. For example, there are multiple presentations of certificates, and the NSS internals + (and sometimes even the application using NSS) might have to convert between them. + | Key responsibilites of NSS are verification of signatures and certificates. In order to verify + a digital signature, we have to look at the application data (e.g., a document that was + signed), the signature data block (the digital signature), and a public key (as found in a + certificate that is believed to be the signer, e.g., identified by metadata received together + with the signature). The signature is verified if it can be shown that the signature data block + must have been produced by the owner of the public key (because only that owner has the + associated private key). + | Verifying a certificate (A) requires some additional steps. First, you must identify the + potential signer (B) of a certificate (A). This is done by reading the “issuer name” attribute + of a certificate (A), and trying to find that issuer certificate (B) (by looking for a + certificate that uses that name as its “subject name”). Then you attempt to verify the + signature found in (A) using the public key found in (B). It might be necessary to try multiple + certificates (B1, B2, ...) each having the same subject name. + | After succeeding, it might be necessary to repeat this procedure recursively. The goal is to + eventually find a certificate B (or C or ...) that has an appropriate trust assigned (e.g., + because it can be found in the CKBI module and the user hasn't made any overriding trust + decisions, or it can be found in a NSS database file managed by the user or by the local + environment). + | After having successfully verified the signatures in a (chain of) issuer certificate(s), we're + still not done with verifying the certificate A. In a PKI it's suggested/required to perform + additional checks. For example: Certificates were valid at the time the signature was made, + name in certificates matches the expected signer (check subject name, common name, email, based + on application), the trust restrictions recorded inside the certificate (extensions) permit the + use (e.g., encryption might be allowed, but not signing), and based on environment/application + policy it might be required to perform a revocation check (OCSP or CRL), that asks the + issuer(s) of the certificates whether there have been events that made it necessary to revoke + the trust (revoke the validity of the cert). + | Trust anchors contained in the CKBI module are usually self signed, which is defined as having + identical subject name and issuer name fields. If a self-signed certificate is marked as + explicitly trusted, NSS will skip checking the self-signature for validity. + | NSS has multiple APIs to perform verification of certificates. There is a classic engine that + is very stable and works fine in all simple scenarios, for example if all (B) candidate issuer + certificates have the same subject and issuer names and differ by validity period; however, it + works only in a limited amount of more advanced scenarios. Unfortunately, the world of + certificates has become more complex in the recent past. New Certificate Authorities enter the + global PKI market, and in order to get started with their business, they might make deals with + established CAs and receive so-called cross-signing-certificates. As a result, when searching + for a trust path from (A) to a trusted anchor (root) certificate (Z), the set of candidate + issuer certificates might have different issuer names (referring to the second or higher issuer + level). As a consequence, it will be necessary to try multiple different alternative routes + while searching for (Z), in a recursive manner. Only the newer verification engine (internally + named libPKIX) is capable of doing that properly. + | It's worth mentioning the Extended Validation (EV) principle, which is an effort by software + vendors and CAs to define a stricter set of rules for issuing certificates for web site + certificates. Instead of simply verifying that the requester of a certificate is in control of + an administrative email address at the desired web site's domain, it's required that the CA + performs a verification of real world identity documents (such as a company registration + document with the country's authority), and it's also required that a browser software performs + a revocation check with the CA, prior to granting validity to the certificate. In order to + distinguish an EV certificate, CAs will embed a policy OID in the certificate, and the browser + is expected to verify that a trust chain permits the end entity (EE) certificate to make use of + the policy. Only the APIs of the newer libPKIX engine are capable of performing a policy + verification. + | That's a good opportunity to talk about SSL/TLS connections to servers in general (not just EV, + not just websites). Whenever this document mentions SSL, it refers to either SSL or TLS. (TLS + is a newer version of SSL with enhanced features.) + | When establishing an SSL connection to a server, (at least) a server certificate (and its trust + chain) is exchanged from the server to the client (e.g., the browser), and the client verifies + that the certificate can be verified (including matching the name of the expected destination + server). Another part of the handshake between both parties is a key exchange. Because public + key encryption is more expensive (more calculations required) than symmetric encryption (where + both parties use the same key), a key agreement protocol will be executed, where the public and + private keys are used to proof and verify the exchanged initial information. Once the key + agreement is done, a symmetric encryption will be used (until a potential re-handshake on an + existing channel). The combination of the hash and encryption algorithms used for a SSL + connection is called a cipher suite. + | NSS ships with a set of cipher suites that it supports at a technical level. In addition, NSS + ships with a default policy that defines which cipher suites are enabled by default. An + application is able to modify the policy used at program runtime, by using function calls to + modify the set of enabled cipher suites. + | If a programmer wants to influence how NSS verifies certificates or how NSS verifies the data + presented in a SSL connection handshake, it is possible to register application-defined + callback functions which will be called by NSS at the appropriate point of time, and which can + be used to override the decisions made by NSS. + | If you would like to use NSS as a toolkit that implements SSL, remember that you must init NSS + first. But if you don't care about modifying the default trust permanently (recorded on disk), + you can use the no-database init calls. When creating the network socket for data exchange, + note that you must use the operating system independent APIs provided by NSPR and NSS. It might + be interesting to mention a property of the NSPR file descriptors, which are stacked in layers. + This means you can define multiple layers that are involved in data processing. A file + descriptor has a pointer to the first layer handling the data. That layer has a pointer to a + potential second layer, which might have another pointer to a third layer, etc. Each layer + defines its own functions for the open/close/read/write/poll/select (etc.) functions. When + using an SSL network connection, you'll already have two layers, the basic NSPR layer and an + SSL library layer. The Mozilla applications define a third layer where application specific + processing is performed. You can find more details in the NSPR reference documents. + | NSS occassionally has to create outbound network connections, in addition to the connections + requested by the application. Examples are retrieving OCSP (Online Certificate Status Protocol) + information or downloading a CRL (Certificate Revocation List). However, NSS doesn't have an + implementation to work with network proxies. If you must support proxies in your application, + you are able to register your own implementation of an http request callback interface, and NSS + can use your application code that supports proxies. + | When using hashing, encryption, and decryption functions, it is possible to stream data (as + opposed to operating on a large buffer). Create a context handle while providing all the + parameters required for the operation, then call an “update” function multiple times to pass + subsets of the input to NSS. The data will be processed and either returned directly or sent to + a callback function registered in the context. When done, you call a finalization function that + will flush out any pending data and free the resources. + | This line is a placeholder for future sections that should explain how libpkix works and is + designed. + | If you want to work with NSS, it's often helpful to use the command line utilities that are + provided by the NSS developers. There are tools for managing NSS databases, for dumping or + verifying certificates, for registering PKCS#11 modules with a database, for processing CMS + encrypted/signed messages, etc. + | For example, if you wanted to create your own pair of keys and request a new certificate from a + CA, you could use certutil to create an empty database, then use certutil to operate on your + database and create a certificate request (which involves creating the desired key pair) and + export it to a file, submit the request file to the CA, receive the file from the CA, and + import the certificate into your database. You should assign a good nickname to a certificate + when importing it, making it easier for you to refer to it later. + | It should be noted that the first database format that can be accessed simultaneously by + multiple applications is key4.db/cert9.db – database files with lower numbers will most likely + experience unrecoverable corruption if you access them with multiple applications at the same + time. In other words, if your browser or your server operates on an older NSS database format, + don't use the NSS tools to operate on it while the other software is executing. At the time of + writing NSS and the Mozilla applications still use the older database file format by default, + where each application has its own NSS database. + | If you require a copy of a certificate stored in an NSS database, including its private key, + you can use pk12util to export it to the PKCS#12 file format. If you require it in PEM format, + you could use the openssl pkcs12 command (that's not NSS) to convert the PKCS#12 file to PEM. + | This line is a placeholder for how to prepare a database, how to dump a cert, and how to + convert data. + | You might have been motivated to work with NSS because it is used by the Mozilla applications + such as Firefox, Thunderbird, etc. If you build the Mozilla application, it will automatically + build the NSS library, too. However, if you want to work with the NSS command line tools, you + will have to follow the standalone NSS build instructions, and build NSS outside of the Mozilla + application sources. + | The key database file will contain at least one symmetric key, which NSS will automatically + create on demand, and which will be used to protect your secret (private) keys. The symmetric + key can be protected with PBE by setting a master password on the database. As soon as you set + a master password, an attacker stealing your key database will no longer be able to get access + to your private key, unless the attacker would also succeed in stealing the master password. + | Now you might be interest in how to get the + :ref:`mozilla_projects_nss_nss_sources_building_testing` \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/blank_function/index.rst b/security/nss/doc/rst/legacy/blank_function/index.rst new file mode 100644 index 0000000000..5541bf1a69 --- /dev/null +++ b/security/nss/doc/rst/legacy/blank_function/index.rst @@ -0,0 +1,70 @@ +.. _mozilla_projects_nss_blank_function: + +Function_Name +============= + +.. container:: + + One-line description of what the function does (more than just what it returns). + +`Syntax <#syntax>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + #include + ReturnType Function_Name( + + ParamType ParamName, + ParamType ParamName, ); + +`Parameters <#parameters>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + +---------------+---------------------------------------------------------------------------------+ + | ``ParamName`` | Sample: *in* pointer to a `CERTCertDBHandle `__ | + | | representing the certificate database to look in | + +---------------+---------------------------------------------------------------------------------+ + | ``ParamName`` | Sample: *in* pointer to an `SECItem `__ whose ``type`` must | + | | be ``siDERCertBuffer`` and whose ``data`` contains a DER-encoded certificate | + +---------------+---------------------------------------------------------------------------------+ + +`Description <#description>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Long description of this function, what it does, and why you would use it. Describe all + side-effects on "out" parameters. Avoid describing the return until the next section, for + example: + + This function looks in the NSSCryptoContext and the NSSTrustDomain to find the certificate that + matches the DER-encoded certificate. A match is found when the issuer and serial number of the + DER-encoded certificate are found on a certificate in the certificate database. + +`Returns <#returns>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Full description of the return value, for example: + + A pointer to a `CERTCertificate `__ representing the certificate in + the database that matched the ``derCert``, or ``NULL`` if none was found. The certificate is a + shallow copy, use `CERT_DestroyCertificate `__ to decrement + the reference count on the certificate instance. + +.. _see_also: + +`See Also <#see_also>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Copy of the MXR link, with the following text + + Occurrences of ``Function_Name`` in the current NSS source code (generated by MXR). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/building/index.rst b/security/nss/doc/rst/legacy/building/index.rst new file mode 100644 index 0000000000..153166e904 --- /dev/null +++ b/security/nss/doc/rst/legacy/building/index.rst @@ -0,0 +1,159 @@ +.. _mozilla_projects_nss_building_ported: + +Building NSS +============ + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + This page has detailed information on how to build NSS. Because NSS is a cross-platform library + that builds on many different platforms and has many options, it may be complex to build. Please + read these instructions carefully before attempting to build. + +.. _build_environment: + +`Build environment <#build_environment>`__ +------------------------------------------ + +.. container:: + + NSS needs a C and C++ compiler. It has minimal dependencies, including only standard C and C++ + libraries, plus `zlib `__. + + For building, you also need `make `__. Ideally, also install + `gyp `__ and `ninja `__ and put them on your + path. This is recommended, as the build is faster and more reliable. + +`Windows <#windows>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS compilation on Windows uses the same shared build system as Mozilla Firefox. You must first + install the `Windows + Prerequisites `__, + including **MozillaBuild**. + + You can also build NSS on the Windows Subsystem for Linux, but the resulting binaries aren't + usable by other Windows applications. + +.. _get_the_source: + +`Get the source <#get_the_source>`__ +------------------------------------ + +.. container:: + + NSS and NSPR use Mercurial for source control like other Mozilla projects. To check out the + latest sources for NSS and NSPR--which may not be part of a stable release--use the following + commands: + + .. code:: + + hg clone https://hg.mozilla.org/projects/nspr + hg clone https://hg.mozilla.org/projects/nss + + To get the source of a specific release, see :ref:`mozilla_projects_nss_nss_releases`. + +`Build <#build>`__ +------------------ + +.. container:: + + Build NSS using our build script: + + .. code:: + + nss/build.sh + + This builds both NSPR and NSS. + +.. _build_with_make: + +`Build with make <#build_with_make>`__ +-------------------------------------- + +.. container:: + + Alternatively, there is a ``make`` target called "nss_build_all", which produces a similar + result. This supports some alternative options, but can be a lot slower. + + .. code:: + + make -C nss nss_build_all USE_64=1 + + The make-based build system for NSS uses a variety of variables to control the build. Below are + some of the variables, along with possible values they may be set to. + + BUILD_OPT + 0 + Build a debug (non-optimized) version of NSS. *This is the default.* + 1 + Build an optimized (non-debug) version of NSS. + + USE_64 + 0 + Build for a 32-bit environment/ABI. *This is the default.* + 1 + Build for a 64-bit environment/ABI. *This is recommended.* + + USE_ASAN + 0 + Do not create an `AddressSanitizer `__ + build. *This is the default.* + 1 + Create an AddressSanitizer build. + +.. _unit_testing: + +`Unit testing <#unit_testing>`__ +-------------------------------- + +.. container:: + + NSS contains extensive unit tests. Scripts to run these are found in the ``tests`` directory. + Run the standard suite by: + + .. code:: + + HOST=localhost DOMSUF=localdomain USE_64=1 nss/tests/all.sh + +.. _unit_test_configuration: + +`Unit test configuration <#unit_test_configuration>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + | NSS tests are configured using environment variables. + | The scripts will attempt to infer values for ``HOST`` and ``DOMSUF``, but can fail. Replace + ``localhost`` and ``localdomain`` with the hostname and domain suffix for your host. You need + to be able to connect to ``$HOST.$DOMSUF``. + + If you don't have a domain suffix you can add an entry to ``/etc/hosts`` (on + Windows,\ ``c:\Windows\System32\drivers\etc\hosts``) as follows: + + .. code:: + + 127.0.0.1 localhost.localdomain + + Validate this opening a command shell and typing: ``ping localhost.localdomain``. + + Remove the ``USE_64=1`` override if using a 32-bit build. + +.. _test_results: + +`Test results <#test_results>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Running all tests can take a considerable amount of time. + + Test output is stored in ``tests_results/security/$HOST.$NUMBER/``. The file ``results.html`` + summarizes the results, ``output.log`` captures all the test output. + + Other subdirectories of ``nss/tests`` contain scripts that run a subset of the full suite. Those + can be run directly instead of ``all.sh``, which might save some time at the cost of coverage. diff --git a/security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst b/security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst new file mode 100644 index 0000000000..7e297a2df5 --- /dev/null +++ b/security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst @@ -0,0 +1,64 @@ +.. _mozilla_projects_nss_cert_findcertbydercert: + +CERT_FindCertByDERCert +====================== + +.. container:: + + Find a certificate in the database that matches a DER-encoded certificate. + +`Syntax <#syntax>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + #include + CERTCertificate *CERT_FindCertByDERCert( + + CERTCertDBHandle *handle, + SECItem *derCert ); + +`Parameters <#parameters>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + +-------------+-----------------------------------------------------------------------------------+ + | ``handle`` | *in* pointer to a `CERTCertDBHandle `__ representing | + | | the certificate database to look in | + +-------------+-----------------------------------------------------------------------------------+ + | ``derCert`` | *in* pointer to an `SECItem `__ whose ``type`` must be | + | | ``siDERCertBuffer`` and whose ``data`` contains a DER-encoded certificate | + +-------------+-----------------------------------------------------------------------------------+ + +`Description <#description>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This function looks in the ?NSSCryptoContext? and the ?NSSTrustDomain? to find the certificate + that matches the DER-encoded certificate. A match is found when the issuer and serial number of + the DER-encoded certificate are found on a certificate in the certificate database. + +`Returns <#returns>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A pointer to a `CERTCertificate `__ representing the certificate in + the database that matched the ``derCert``, or ``NULL`` if none was found. The certificate is a + shallow copy, use `CERT_DestroyCertificate `__ to decrement + the reference count on the certificate instance. + +.. _see_also: + +`See Also <#see_also>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Occurrences of + ```CERT_FindCertByDERCert`` `__ + in the current NSS source code (generated by `LXR `__). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst b/security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst new file mode 100644 index 0000000000..933fff206c --- /dev/null +++ b/security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst @@ -0,0 +1,82 @@ +.. _mozilla_projects_nss_cert_findcertbyissuerandsn: + +CERT_FindCertByIssuerAndSN +========================== + +.. container:: + + Find a certificate in the database with the given issuer and serial number. + +`Syntax <#syntax>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + #include + CERTCertificate *CERT_FindCertByIssuerAndSN ( + + CERTCertDBHandle *handle, + CERTIssuerAndSN *issuerAndSN ); + +`Parameters <#parameters>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + +-----------------+-------------------------------------------------------------------------------+ + | ``handle`` | *in* pointer to a `CERTCertDBHandle `__ | + | | representing the certificate database to look in | + +-----------------+-------------------------------------------------------------------------------+ + | ``issuerAndSN`` | *in* pointer to a `CERTIssuerAndSN `__ that must | + | | be properly formed to contain the issuer name and the serial number (see | + | | [Example]) | + +-----------------+-------------------------------------------------------------------------------+ + +`Description <#description>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This function creates a certificate key using the ``issuerAndSN`` and it then uses the key to + find the matching certificate in the database. + +`Returns <#returns>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A pointer to a `CERTCertificate `__ representing the certificate in + the database that matched the issuer and serial number, or ``NULL`` if none was found. The + certificate is a shallow copy, use + `CERT_DestroyCertificate `__ to decrement the reference count + on the certificate instance. + +`Example <#example>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + CERTIssuerAndSN issuerSN; + issuerSN.derIssuer.data = caName->data; + issuerSN.derIssuer.len = caName->len; + issuerSN.serialNumber.data = authorityKeyID->authCertSerialNumber.data; + issuerSN.serialNumber.len = authorityKeyID->authCertSerialNumber.len; + issuerCert = CERT_FindCertByIssuerAndSN(cert->dbhandle, &issuerSN); + if ( issuerCert == NULL ) { + PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER); + } + +.. _see_also: + +`See Also <#see_also>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Occurrences of + ```CERT_FindCertByIssuerAndSN`` `__ + in the current NSS source code (generated by `LXR `__). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/certificate_download_specification/index.rst b/security/nss/doc/rst/legacy/certificate_download_specification/index.rst new file mode 100644 index 0000000000..5fe98aa6b9 --- /dev/null +++ b/security/nss/doc/rst/legacy/certificate_download_specification/index.rst @@ -0,0 +1,186 @@ +.. _mozilla_projects_nss_certificate_download_specification: + +NSS Certificate Download Specification +====================================== + +.. container:: + + This document describes the data formats used by NSS 3.x for installing certificates. This + document is currently being revised and has not yet been reviewed for accuracy. + +.. _data_formats: + +`Data Formats <#data_formats>`__ +-------------------------------- + +.. container:: + + NSS can accept certificates in several formats. In all cases the certificates are X509 version 1, + 2, or 3. + +.. _binary_formats: + +`Binary Formats <#binary_formats>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS's certificate loader will recognize several binary formats. They are: + + - **DER encoded certificate:** This is a single binary DER encoded certificate. + - **PKCS#7 certificate chain:** This is a single + `PKCS#7 `__ ``SignedData`` object. The only + significant field in the ``SignedData`` object is the ``certificates`` field, which may + contain multiple certificates to be imported together. The contents of the ``version``, + ``digestAlgorithms``, ``contentInfo``, ``crls``, and ``signerInfos`` fields are ignored. + - **Netscape Certificate Sequence:** This is another + `PKCS#7 `__ object format, and like the + ``SignedData`` format, it allows multiple certificates to be imported together. This format is + simpler than the `PKCS#7 `__ ``SignedData`` + object format. It consists of a `PKCS#7 `__ + ``ContentInfo`` structure, wrapping a sequence of certificates. The ``contentType`` field OID + must be ``netscape-cert-sequence`` (see + :ref:`mozilla_projects_nss_certificate_download_specification#object_identifiers`). The + ``content`` field is the following ASN.1 structure: + + .. code:: + + CertificateSequence ::= SEQUENCE OF Certificate + + See the section below on + :ref:`mozilla_projects_nss_certificate_download_specification#importing_certificate_chains` for + more information about how multiple certificates are handled. + +.. _text_formats: + +`Text Formats <#text_formats>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Any of the above :ref:`mozilla_projects_nss_certificate_download_specification#binary_formats` + can also be imported in text form. The text form begins with the following line: + + .. code:: + + -----BEGIN CERTIFICATE----- + + Following this line should be the certificate data, which can be in any of the + :ref:`mozilla_projects_nss_certificate_download_specification#binary_formats` described above. + This data must be base64 encoded as described by `RFC + 1113 `__. Following the data should be the + following line: + + .. code:: + + -----END CERTIFICATE----- + + In a text format download, NSS ignores any text before the first ``BEGIN CERTIFICATE`` line, and + ignores any text after the first ``END CERTIFICATE`` line. Between those two lines, there must be + exactly ONE item of any of the supported binary formats described above, and that one item must + be base64 encoded. Regardless of which of the supported binary formats is used, the ``BEGIN`` and + ``END`` lines must say ``CERTIFICATE``, and not any other word (such as ``KEY``). The ``BEGIN`` + and ``END`` lines must begin and end with 5 dashes, with no extra leading or trailing white space + (excluding the End Of Line characters). + +.. _importing_certificate_chains: + +`Importing Certificate Chains <#importing_certificate_chains>`__ +---------------------------------------------------------------- + +.. container:: + + Several of the formats described above can contain several certificates. When NSS's certificate + decoder encounters one of these collections of multiple certificates they are handled in the + following way: + + - The first certificate is processed in a context specific manner, depending upon how it is + being imported. For Mozilla browsers, this handling will depend upon the mime ``Content-Type`` + that is used on the object being downloaded. For NSS-based servers it will depend upon the + options selected in the server's administration interface. + + - Subsequent certificates are all treated the same. If the certificates contain a + ``BasicConstraints`` certificate extension that indicates they are CA certificates, and do not + already exist in the local certificate database, they are added as untrusted CAs. In this way + they may be used for certificate chain validation, as long as there is a trusted CA somewhere + along the chain. + +.. _importing_certificates_into_mozilla_browsers: + +`Importing Certificates into Mozilla browsers <#importing_certificates_into_mozilla_browsers>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Mozilla browsers import certificates found in HTTP protocol responses. There are several mime + content types that are used to indicate to the browser what type of certificate is being + imported. These mime types are: + + - **``application/x-x509-user-cert``** The certificate being downloaded is a user certificate + belonging to the user operating the browser. If the private key associated with the + certificate does not exist in the user's local key database, then an error dialog is generated + and the certificate is not imported. If a certificate chain is being imported then the first + certificate in the chain must be the user certificate, and any subsequent certificates will be + added as untrusted CA certificates to the local database. + - **``application/x-x509-ca-cert``** The certificate being downloaded represents a Certificate + Authority. When it is downloaded the user will be shown a sequence of dialogs that will guide + them through the process of accepting the Certificate Authority and deciding if they wish to + trust sites certified by the CA. If a certificate chain is being imported then the first + certificate in the chain must be the CA certificate, and any subsequent certificates will be + added as untrusted CA certificates to the local database. + - **``application/x-x509-email-cert``** The certificate being downloaded is a user certificate + belonging to another user for use with S/MIME. If a certificate chain is being imported then + the first certificate in the chain must be the user certificate, and any subsequent + certificates will be added as untrusted CA certificates to the local database. This is + intended to allow people or CAs to post their e-mail certificates on web pages for download by + other users who want to send them encrypted mail. + + Note: the browser checks that the size of the object being downloaded matches the size of the + encoded certificates. Therefore it is important to ensure that no extra characters, such as NULLs + or LineFeeds are added at the end of the object. + +.. _importing_certificates_into_nss-based_servers: + +`Importing Certificates into NSS-based servers <#importing_certificates_into_nss-based_servers>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Consult your server's administration guide for the most accurate information. For some NSS-base + servers, the following information is correct. + + Server certificates are imported via the server admin interface. Certificates are pasted into a + text input field in an HTML form, and then the form is submitted to the admin server. Since the + certificates are pasted into text fields, only the + :ref:`mozilla_projects_nss_certificate_download_specification#text_formats` described above are + supported for servers. The type of certificate being imported (e.g. server or CA or cert chain) + is specified by the server administrator by selections made on the admin pages. If a certificate + chain is being imported then the first certificate in the chain must be the server or CA + certificate, and any subsequent certificates will be added as untrusted CA certificates to the + local database. + +.. _object_identifiers: + +`Object Identifiers <#object_identifiers>`__ +-------------------------------------------- + +.. container:: + + The base of all Netscape object ids is: + + .. code:: + + netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 } + + The hexadecimal byte value of this OID when DER encoded is: + + .. code:: + + 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42 + + The following OIDs are mentioned in this document: + + .. code:: + + netscape-data-type OBJECT IDENTIFIER :: = { netscape 2 } + netscape-cert-sequence OBJECT IDENTIFIER :: = { netscape-data-type 5 } \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/certificate_functions/index.rst b/security/nss/doc/rst/legacy/certificate_functions/index.rst new file mode 100644 index 0000000000..c1fc801c58 --- /dev/null +++ b/security/nss/doc/rst/legacy/certificate_functions/index.rst @@ -0,0 +1,410 @@ +.. _mozilla_projects_nss_certificate_functions: + +Certificate functions +===================== + +.. container:: + + The public functions listed here are used to interact with certificate databases. + + If documentation is available for a function listed below, the function name is linked to either + its MDC wiki page or its entry in the + :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference`. The `Mozilla Cross + Reference `__ (MXR) link for each function provides access to the + function definition, prototype definition, and source code references. The NSS version column + indicates which versions of NSS support the function. + + +-----------------------------------------+-------------+-----------------------------------------+ + | Function name/documentation | Source code | NSS versions | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddCertToListTail`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddExtension`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddOCSPAcceptableResponses`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddOKDomainName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddRDN`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AsciiToName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CacheCRL`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ClearOCSPCache`` | MXR | 3.11.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CertChainFromCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CertListFromCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CertTimesValid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ChangeCertTrust`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1056662` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CheckNameSpace`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CheckCertUsage`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CompareName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CompareValidityTimes`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CompleteCRLDecodeEntries`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ConvertAndDecodeCertificate`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CopyName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CopyRDN`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateAVA`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateCertificate`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateCertificateRequest`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateName`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateOCSPCertID`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateOCSPRequest`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateRDN`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateSubjectCertList`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateValidity`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CRLCacheRefreshIssuer`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAltNameExtension`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAuthInfoAccessExtension`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAuthKeyID`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAVAValue`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeBasicConstraintValue`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeCertFromPackage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CE | MXR | 3.2 and later | + | RT_DecodeCertificatePoliciesExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeCertPackage`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeCRLDistributionPoints`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeDERCrl`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeDERCrlWithFlags`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeGeneralName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeNameConstraintsExtension`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeOCSPResponse`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeOidSequence`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.10 and later | + | ERT_DecodePrivKeyUsagePeriodExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeTrustString`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeUserNotice`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DerNameToAscii`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertArray`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050532` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertificateList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CER | MXR | 3.2 and later | + | T_DestroyCertificatePoliciesExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertificateRequest`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOCSPCertID`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOCSPRequest`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOCSPResponse`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOidSequence`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyUserNotice`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyValidity`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1058344` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DupCertList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EnableOCSPChecking`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeAltNameExtension`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeAndAddBitStrExtension`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeAuthKeyID`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeBasicConstraintValue`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeCertPoliciesExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeCRLDistributionPoints`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeGeneralName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeInfoAccessExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeInhibitAnyExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeNoticeReference`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeOCSPRequest`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.12 and later | + | CERT_EncodePolicyConstraintsExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodePolicyMappingExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeSubjectKeyID`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeUserNotice`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ExtractPublicKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertByName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCRLEntryReasonExten`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCRLNumberExten`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindNameConstraintsExten`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FilterCertListByCANames`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FilterCertListByUsage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FilterCertListForUserCerts`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozil | MXR | 3.2 and later | + | la_projects_nss_cert_findcertbydercert` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_p | MXR | 3.2 and later | + | rojects_nss_cert_findcertbyissuerandsn` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertByNickname`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertByNicknameOrEmailAddr`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertBySubjectKeyID`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertExtension`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertIssuer`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindKeyUsageExtension`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindSMimeProfile`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindSubjectKeyIDExtension`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindUserCertByUsage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindUserCertsByUsage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CE | MXR | 3.10 and later | + | RT_FinishCertificateRequestAttributes`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FinishExtensions`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FormatName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FreeDistNames`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050349` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetAVATag`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertChainFromCert`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertEmailAddress`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertificateNames`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ` | MXR | 3.10 and later | + | `CERT_GetCertificateRequestExtensions`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertIssuerAndSN`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050346` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertTrust`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertUid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetClassicOCSPDisabledPolicy`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_G | MXR | 3.12 and later | + | etClassicOCSPEnabledHardFailurePolicy`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_G | MXR | 3.12 and later | + | etClassicOCSPEnabledSoftFailurePolicy`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCommonName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCountryName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetDBContentVersion`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1052308` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetDomainComponentName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetFirstEmailAddress`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetLocalityName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetNextEmailAddress`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetNextGeneralName`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetNextNameConstraint`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOCSPResponseStatus`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOCSPStatusForCertID`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOidString`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOrgName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOrgUnitName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CE | MXR | 3.4 and later | + | RT_GetOCSPAuthorityInfoAccessLocation`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.12 and later | + | ERT_GetPKIXVerifyNistRevocationPolicy`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetPrevGeneralName`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetPrevNameConstraint`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetSlopTime`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetSSLCACerts`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetStateName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetUsePKIXForValidation`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetValidDNSPatternsFromCert`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GenTime2FormattedAscii`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_Hexify`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ImportCAChain`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ImportCerts`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_IsRootDERCert`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_IsUserCert`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_KeyFromDERCrl`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_MakeCANickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_MergeExtensions`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NameToAscii`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NewCertList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NewTempCertificate`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NicknameStringsFromCertList`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_OpenCertDBFilename`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_OCSPCacheSettings`` | MXR | 3.11.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_PKIXVerifyCert`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_RemoveCertListNode`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_RFC1485_EscapeAndQuote`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SaveSMimeProfile`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetSlopTime`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetOCSPFailureMode`` | MXR | 3.11.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetOCSPTimeout`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetUsePKIXForValidation`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_StartCertExtensions`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.10 and later | + | ERT_StartCertificateRequestAttributes`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_StartCRLEntryExtensions`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_StartCRLExtensions`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_UncacheCRL`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050342` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCACertForUsage`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCert`` | MXR | 3.2 and later. If you need to verify | + | | | for multiple usages use | + | | | CERT_VerifyCertificate | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCertificate`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCertificateNow`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later. If you need to verify | + | jects_nss_ssl_functions_sslcrt#1058011` | | for multiple usages use | + | | | CERT_VerifyCertificateNow | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyOCSPResponseSignature`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifySignedData`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifySignedDataWithPublicKey`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.7 and later | + | ERT_VerifySignedDataWithPublicKeyInfo`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1056760` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1056950` | | | + +-----------------------------------------+-------------+-----------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/certverify_log/index.rst b/security/nss/doc/rst/legacy/certverify_log/index.rst new file mode 100644 index 0000000000..7c1288e0a4 --- /dev/null +++ b/security/nss/doc/rst/legacy/certverify_log/index.rst @@ -0,0 +1,55 @@ +.. _mozilla_projects_nss_certverify_log: + +NSS CERTVerify Log +================== + +`CERTVerifyLog <#certverifylog>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + All the NSS verify functions except, the \*VerifyNow() functions, take a parameter called + 'CERTVerifyLog'. If you supply the log parameter, NSS will continue chain validation after each + error . The log tells you what the problem was with the chain and what certificate in the chain + failed. + + To create a log: + + .. code:: + + #include "secport.h" + #include "certt.h" + + CERTVerifyLog *log; + + arena = PORT_NewArena(512); + log = PORT_ArenaZNew(arena,log); + log->arena = arena; + + You can then pass this log into your favorite cert verify function. On return: + + - log->count is the number of entries. + - log->head is the first entry; + - log->tail is the last entry. + + Each entry is a CERTVerifyLogNode. Defined in certt.h: + + .. code:: + + /* + * This structure is used to keep a log of errors when verifying + * a cert chain. This allows multiple errors to be reported all at + * once. + */ + struct CERTVerifyLogNodeStr { + CERTCertificate *cert; /* what cert had the error */ + long error; /* what error was it? */ + unsigned int depth; /* how far up the chain are we */ + void *arg; /* error specific argument */ + struct CERTVerifyLogNodeStr *next; /* next in the list */ + struct CERTVerifyLogNodeStr *prev; /* next in the list */ + }; + + The list is a doubly linked NULL terminated list sorted from low to high based on depth into the + cert chain. When you are through, you will need to walk the list and free all the cert entries, + then free the arena. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/code_coverage/index.rst b/security/nss/doc/rst/legacy/code_coverage/index.rst new file mode 100644 index 0000000000..1bafb3f6c1 --- /dev/null +++ b/security/nss/doc/rst/legacy/code_coverage/index.rst @@ -0,0 +1,73 @@ +.. _mozilla_projects_nss_code_coverage: + +NSS Code Coverage +================= + +.. _nss_-_code_coverage: + +`NSS - Code Coverage <#nss_-_code_coverage>`__ +---------------------------------------------- + +.. _results_link: + +`Results link <#results_link>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `2007-08-14 - Solaris/Sparc + platform `__ + +.. _results_explanation: + +`Results explanation <#results_explanation>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Files + :name: files + + - Results from every C file are on new line. + - If file was tested, link points to annotated source file (in TCOV directory), otherwise to + original source file (CVS directory). + + .. rubric:: Colors + :name: colors + + - Green: 70-100% of blocks tested. + - Yellow: 40-70% of blocks tested. + - Orange: 0-40% of blocks tested. + - Red: file not tested. File is not part of any binary or library used by test suite. + + .. rubric:: Numbers in tested files + :name: numbers_in_tested_files + + - Example: 72.69% (165/227/731) + + - 72.69% - ratio of tested blocks and total blocks in file (generated by TCOV). + - 165 - tested blocks in file (generated by TCOV). + - 227 - total blocks in file (generated by TCOV). + - 31 - total lines in file (by wc -l command). + + .. rubric:: Numbers in not tested files + :name: numbers_in_not_tested_files + + - Example: Not tested (0/?/878). + + - 0 - tested blocks in file (always 0). + - ? - total blocks in file (there is no trivial method to get this number without TCOV). + - 878 - total lines in file (by wc -l command). + + .. rubric:: Numbers in total count + :name: numbers_in_total_count + + - Example: Total: 42% (574/1351). + + - 42% - ratio of tested blocks and total blocks in file. + - 165 - tested blocks in all files in directory (sum of numbers generated by TCOV). + - 227 - total blocks in all files in directory (sum of numbers generated by TCOV). + + - These numbers doesn't count blocks in files which are not tested (marked with red color), + because we don't know number of blocks there. + - Total count at the end of report counts blocks in all tested files in all directories. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/cryptography_functions/index.rst b/security/nss/doc/rst/legacy/cryptography_functions/index.rst new file mode 100644 index 0000000000..ca3fb8601a --- /dev/null +++ b/security/nss/doc/rst/legacy/cryptography_functions/index.rst @@ -0,0 +1,500 @@ +.. _mozilla_projects_nss_cryptography_functions: + +Cryptography functions +====================== + +.. container:: + + The public functions listed here perform cryptographic operations based on the PKCS #11 + interface. + + If documentation is available for a function listed below, the function name is linked to either + its MDC wiki page or its entry in the + :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference`. The `Mozilla Cross + Reference `__ (MXR) link for each function provides access to the + function definition, prototype definition, and source code references. The NSS version column + indicates which versions of NSS support the function. + + +-----------------------------------------+-------------+-----------------------------------------+ + | Function name/documentation | Source code | NSS versions | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_AlgtagToMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Authenticate`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_BlockData`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ChangePW`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CheckUserPassword`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CipherOp`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CloneContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ConfigurePKCS11`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK1 | MXR | 3.6 and later | + | 1_ConvertSessionPrivKeyToTokenPrivKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``P | MXR | 3.6 and later | + | K11_ConvertSessionSymKeyToTokenSymKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.11 and later | + | PK11_CopyTokenPrivKeyToSessionPrivKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateContextBySymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateDigestContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateGenericObject`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateMergeLog`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreatePBEAlgorithmID`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreatePBEV2AlgorithmID`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeleteTokenPrivateKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeleteTokenPublicKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeleteTokenSymKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Derive`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeriveWithFlags`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeriveWithFlagsPerm`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyGenericObjects`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyMergeLog`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyObject`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyTokenObject`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestBegin`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestOp`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestFinal`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DoesMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ExportEncryptedPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ExportEncryptedPrivKeyInfo`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ExportPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Finalize`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindBestKEAMatch`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertAndKeyByRecipientList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.2 and later | + | PK11_FindCertAndKeyByRecipientListNew`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertByIssuerAndSN`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertFromDERCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1035673` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertInSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindGenericObjects`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindFixedKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1026891` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindKeyByDERCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindPrivateKeyFromCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindSlotByName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindSlotsByNames`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FortezzaHasKEA`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FortezzaMapSig`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSlotList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSlotListElement`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateFortezzaIV`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateKeyPair`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateKeyPairWithFlags`` | MXR | 3.10.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateKeyPairWithOpFlags`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateNewParam`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateRandom`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateRandomOnSlot`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetAllTokens`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetAllSlotsForCert`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestKeyLength`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestSlotMultiple`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestWrapMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBlockSize`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetCertFromPrivateKey`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetCurrentWrapIndex`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetDefaultArray`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetDefaultFlags`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetDisabledReason`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetFirstSafe`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetInternalKeySlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetInternalSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetKeyGen`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetKeyLength`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetKeyStrength`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetMinimumPwdLength`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetModInfo`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetModule`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetModuleID`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetNextGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetNextSafe`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetNextSymKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPadMechanism`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPBECryptoMechanism`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPBEIV`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPQGParamsFromPrivateKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPrevGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPrivateKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPrivateModulusLen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPublicKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotFromKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotFromPrivateKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotID`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotInfo`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1030779` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotSeries`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSymKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSymKeyType`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSymKeyUserData`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetTokenInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1026964` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetWindow`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetWrapKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_HashBuf`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_HasRootCerts`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportCert`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportCertForKeyToSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportCRL`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportDERCert`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK1 | MXR | 3.4 and later | + | 1_ImportDERPrivateKeyInfoAndReturnKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportEncryptedPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.4 and later | + | PK11_ImportPrivateKeyInfoAndReturnKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportPublicKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportSymKeyWithFlags`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_InitPin`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsFIPS`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsDisabled`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsFriendly`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1026762` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsInternal`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1026762` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1022991` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsRemovable`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IVFromParam`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_KeyGen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_LinkGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListCerts`` | MXR | 3.2 and later. Updated 3.8 with new | + | | | options. See bug | + | | | `215186 `__ | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListFixedKeysInSlot`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListPrivKeysInSlot`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListPublicKeysInSlot`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_LoadPrivKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_LogoutAll`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MakeKEAPubKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.2 and later | + | PK11_MapPBEMechanismToCryptoMechanism`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MapSignKeyType`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MechanismToAlgtag`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MergeTokens`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MoveSymKey`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_NeedLogin`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_NeedUserInit`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ParamFromIV`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ParamFromAlgid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ParamToAlgid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PBEKeyGen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PrivDecryptPKCS1`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ProtectedAuthenticationPath`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubDecryptRaw`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubDerive`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubDeriveWithKDF`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubEncryptPKCS1`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubEncryptRaw`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubUnwrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubUnwrapSymKeyWithFlags`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubUnwrapSymKeyWithFlagsPerm`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubWrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_RandomUpdate`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ReadRawAttribute`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ReferenceSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ResetToken`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_RestoreContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SaveContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SaveContextAlloc`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetFortezzaHack`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1023128` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetPrivateKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetPublicKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetSlotPWValues`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetSymKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetSymKeyUserData`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetWrapKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Sign`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SignatureLen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SymKeyFromHandle`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenExists`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenKeyGen`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenKeyGenWithFlags`` | MXR | 3.10.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenRefresh`` | MXR | 3.7.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TraverseCertsForNicknameInSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TraverseCertsForSubjectInSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TraverseSlotCerts`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnlinkGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnwrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnwrapSymKeyWithFlags`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnwrapSymKeyWithFlagsPerm`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UpdateSlotAttribute`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UserEnableSlot`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UserDisableSlot`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Verify`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_VerifyKeyOK`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_WaitForTokenEvent`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_WrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_WriteRawAttribute`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11SDR_Encrypt`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11SDR_Decrypt`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DeletePermCertificate`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DeletePermCRL`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DerSignData`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DestroyCrl`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_FindCrlByDERCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_FindCrlByName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_LookupCrls`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_NewCrl`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_QuickDERDecodeItem`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CacheStaticFlags`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_ConvertToPublicKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CopyPrivateKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CopyPublicKey`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CopySubjectPublicKeyInfo`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CreateDHPrivateKey`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CreateECPrivateKey`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CreateSubjectPublicKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ` | MXR | 3.4 and later | + | `SECKEY_DecodeDERSubjectPublicKeyInfo`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslkey#1051017` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_ECParamsToBasePointOrderLen`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_ECParamsToKeySize`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_DestroyPublicKeyList`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_DestroySubjectPublicKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_GetPublicKeyType`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_PublicKeyStrengthInBits`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_SignatureLen`` | MXR | 3.11.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst b/security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst new file mode 100644 index 0000000000..3db5071502 --- /dev/null +++ b/security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst @@ -0,0 +1,34 @@ +.. _mozilla_projects_nss_deprecated_ssl_functions: + +Deprecated SSL functions +======================== + +.. container:: + + The following SSL functions have been replaced with newer versions. The deprecated functions are + not supported by the new SSL shared libraries. Applications that want to use the SSL shared + libraries must convert to calling the new replacement functions listed below. + + Each function name is linked to its entry in the + :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference`. The `Mozilla Cross + Reference `__ (MXR) link for each function provides access to the + function definition, prototype definition, and source code references. + + +-----------------------------------------+-------------+-----------------------------------------+ + | Function name/documentation | Source code | Replacement in NSS 3.2 | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1220189` | | jects_nss_ssl_functions_sslfnc#1086543` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1207298` | | jects_nss_ssl_functions_sslfnc#1084747` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1206365` | | jects_nss_ssl_functions_sslfnc#1068466` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1231825` | | jects_nss_ssl_functions_sslfnc#1232052` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1207350` | | jects_nss_ssl_functions_sslfnc#1104647` | + +-----------------------------------------+-------------+-----------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst new file mode 100644 index 0000000000..4d6d09bcf0 --- /dev/null +++ b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst @@ -0,0 +1,1206 @@ +.. _mozilla_projects_nss_encrypt_decrypt_mac_keys_as_session_objects: + +Encrypt Decrypt MAC Keys As Session Objects +=========================================== + +.. _nss_sample_code_4_encryptiondecryption_and_mac_keys_using_session.: + +`NSS Sample Code 4: Encryption/Decryption and MAC Keys Using Session. <#nss_sample_code_4_encryptiondecryption_and_mac_keys_using_session.>`__ +---------------------------------------------------------------------------------------------------------------------------------------------- + +.. container:: + + Generates encryption/mac keys and uses session objects. + + .. code:: c + + /* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + + /* NSPR Headers */ + #include + #include + #include + #include + #include + #include + #include + + /* NSS headers */ + #include + #include + + /* our samples utilities */ + #include "util.h" + + #define BUFFERSIZE 80 + #define DIGESTSIZE 16 + #define PTEXT_MAC_BUFFER_SIZE 96 + #define CIPHERSIZE 96 + #define BLOCKSIZE 32 + + #define CIPHER_HEADER "-----BEGIN CIPHER-----" + #define CIPHER_TRAILER "-----END CIPHER-----" + #define ENCKEY_HEADER "-----BEGIN AESKEY CKAID-----" + #define ENCKEY_TRAILER "-----END AESKEY CKAID-----" + #define MACKEY_HEADER "-----BEGIN MACKEY CKAID-----" + #define MACKEY_TRAILER "-----END MACKEY CKAID-----" + #define IV_HEADER "-----BEGIN IV-----" + #define IV_TRAILER "-----END IV-----" + #define MAC_HEADER "-----BEGIN MAC-----" + #define MAC_TRAILER "-----END MAC-----" + #define PAD_HEADER "-----BEGIN PAD-----" + #define PAD_TRAILER "-----END PAD-----" + + typedef enum { + ENCRYPT, + DECRYPT, + UNKNOWN + } CommandType; + + typedef enum { + SYMKEY = 0, + MACKEY = 1, + IV = 2, + MAC = 3, + PAD = 4 + } HeaderType; + + + /* + * Print usage message and exit + */ + static void + Usage(const char *progName) + { + fprintf(stderr, "\nUsage: %s -c -d [-z ] " + "[-p | -f ] -i -o \n\n", + progName); + fprintf(stderr, "%-20s Specify 'a' for encrypt operation\n\n", + "-c "); + fprintf(stderr, "%-20s Specify 'b' for decrypt operation\n\n", + " "); + fprintf(stderr, "%-20s Specify db directory path\n\n", + "-d "); + fprintf(stderr, "%-20s Specify db password [optional]\n\n", + "-p "); + fprintf(stderr, "%-20s Specify db password file [optional]\n\n", + "-f "); + fprintf(stderr, "%-20s Specify noise file name [optional]\n\n", + "-z "); + fprintf(stderr, "%-21s Specify an input file name\n\n", + "-i "); + fprintf(stderr, "%-21s Specify an output file name\n\n", + "-o "); + fprintf(stderr, "%-7s For encrypt, it takes as an input file and produces\n", + "Note :"); + fprintf(stderr, "%-7s .enc and .header as intermediate output files.\n\n", + ""); + fprintf(stderr, "%-7s For decrypt, it takes .enc and .header\n", + ""); + fprintf(stderr, "%-7s as input files and produces as a final output file.\n\n", + ""); + exit(-1); + } + + /* + * Gather a CKA_ID + */ + SECStatus + GatherCKA_ID(PK11SymKey* key, SECItem* buf) + { + SECStatus rv = PK11_ReadRawAttribute(PK11_TypeSymKey, key, CKA_ID, buf); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "PK11_ReadRawAttribute returned (%d)\n", rv); + PR_fprintf(PR_STDERR, "Could not read SymKey CKA_ID attribute\n"); + return rv; + } + return rv; + } + + /* + * Generate a Symmetric Key + */ + PK11SymKey * + GenerateSYMKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, + int keySize, SECItem *keyID, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + return NULL; + } + } + + /* Generate the symmetric key */ + key = PK11_TokenKeyGen(slot, mechanism, + NULL, keySize, keyID, PR_TRUE, pwdata); + + if (!key) { + PR_fprintf(PR_STDERR, "Symmetric Key Generation Failed \n"); + } + + return key; + } + + /* + * MacInit + */ + SECStatus + MacInit(PK11Context *ctx) + { + SECStatus rv = PK11_DigestBegin(ctx); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestBegin()\n"); + } + return rv; + } + + /* + * MacUpdate + */ + SECStatus + MacUpdate(PK11Context *ctx, + unsigned char *msg, unsigned int msgLen) + { + SECStatus rv = PK11_DigestOp(ctx, msg, msgLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : DigestOp()\n"); + } + return rv; + } + + /* + * Finalize MACing + */ + SECStatus + MacFinal(PK11Context *ctx, + unsigned char *mac, unsigned int *macLen, unsigned int maxLen) + { + SECStatus rv = PK11_DigestFinal(ctx, mac, macLen, maxLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestFinal()\n"); + } + return SECSuccess; + } + + /* + * Compute Mac + */ + SECStatus + ComputeMac(PK11Context *ctxmac, + unsigned char *ptext, unsigned int ptextLen, + unsigned char *mac, unsigned int *macLen, + unsigned int maxLen) + { + SECStatus rv = MacInit(ctxmac); + if (rv != SECSuccess) return rv; + rv = MacUpdate(ctxmac, ptext, ptextLen); + if (rv != SECSuccess) return rv; + rv = MacFinal(ctxmac, mac, macLen, maxLen); + return rv; + } + + /* + * WriteToHeaderFile + */ + SECStatus + WriteToHeaderFile(const char *buf, unsigned int len, HeaderType type, + PRFileDesc *outFile) + { + SECStatus rv; + char header[40]; + char trailer[40]; + char *outString = NULL; + + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + PR_fprintf(outFile, "%s\n", header); + PrintAsHex(outFile, buf, len); + PR_fprintf(outFile, "%s\n\n", trailer); + return SECSuccess; + } + + /* + * Initialize for encryption or decryption - common code + */ + PK11Context * + CryptInit(PK11SymKey *key, + unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE operation) + { + SECItem ivItem = { siBuffer, iv, ivLen }; + PK11Context *ctx = NULL; + + SECItem *secParam = PK11_ParamFromIV(CKM_AES_CBC, &ivItem); + if (secParam == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : secParam NULL\n"); + return NULL; + } + ctx = PK11_CreateContextBySymKey(CKM_AES_CBC, operation, key, secParam); + if (ctx == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : can't create a context\n"); + goto cleanup; + + } + cleanup: + if (secParam) { + SECITEM_FreeItem(secParam, PR_TRUE); + } + return ctx; + } + + /* + * Common encryption and decryption code + */ + SECStatus + Crypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxOut, + unsigned char *in, unsigned int inLen) + { + SECStatus rv; + + rv = PK11_CipherOp(ctx, out, outLen, maxOut, in, inLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Crypt Failed : PK11_CipherOp returned %d\n", rv); + goto cleanup; + } + + cleanup: + if (rv != SECSuccess) { + return rv; + } + return SECSuccess; + } + + /* + * Decrypt + */ + SECStatus + Decrypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * Encrypt + */ + SECStatus + Encrypt(PK11Context* ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * EncryptInit + */ + PK11Context * + EncryptInit(PK11SymKey *ek, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(ek, iv, ivLen, type, CKA_ENCRYPT); + } + + /* + * DecryptInit + */ + PK11Context * + DecryptInit(PK11SymKey *dk, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(dk, iv, ivLen, type, CKA_DECRYPT); + } + + /* + * Read cryptographic parameters from the header file + */ + SECStatus + ReadFromHeaderFile(const char *fileName, HeaderType type, + SECItem *item, PRBool isHexData) + { + SECStatus rv; + PRFileDesc* file; + SECItem filedata; + SECItem outbuf; + unsigned char *nonbody; + unsigned char *body; + char header[40]; + char trailer[40]; + + outbuf.type = siBuffer; + file = PR_Open(fileName, PR_RDONLY, 0); + if (!file) { + PR_fprintf(PR_STDERR, "Failed to open %s\n", fileName); + return SECFailure; + } + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + rv = FileToItem(&filedata, file); + nonbody = (char *)filedata.data; + if (!nonbody) { + PR_fprintf(PR_STDERR, "unable to read data from input file\n"); + rv = SECFailure; + goto cleanup; + } + + /* check for headers and trailers and remove them */ + if ((body = strstr(nonbody, header)) != NULL) { + char *trail = NULL; + nonbody = body; + body = PORT_Strchr(body, '\n'); + if (!body) + body = PORT_Strchr(nonbody, '\r'); /* maybe this is a MAC file */ + if (body) + trail = strstr(++body, trailer); + if (trail != NULL) { + *trail = '\0'; + } else { + PR_fprintf(PR_STDERR, "input has header but no trailer\n"); + PORT_Free(filedata.data); + return SECFailure; + } + } else { + body = nonbody; + } + + cleanup: + PR_Close(file); + HexToBuf(body, item, isHexData); + return SECSuccess; + } + + /* + * EncryptAndMac + */ + SECStatus + EncryptAndMac(PRFileDesc *inFile, + PRFileDesc *headerFile, + PRFileDesc *encFile, + PK11SymKey *ek, + PK11SymKey *mk, + unsigned char *iv, unsigned int ivLen, + PRBool ascii) + { + SECStatus rv; + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen; + unsigned char mac[DIGESTSIZE]; + unsigned int macLen; + unsigned int nwritten; + unsigned char encbuf[BLOCKSIZE]; + unsigned int encbufLen; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + unsigned int pad[1]; + SECItem padItem; + unsigned int paddingLength; + + static unsigned int firstTime = 1; + int j; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + rv = MacInit(ctxmac); + if (rv != SECSuccess) { + goto cleanup; + } + + ctxenc = EncryptInit(ek, iv, ivLen, CKM_AES_CBC); + + /* read a buffer of plaintext from input file */ + while ((ptextLen = PR_Read(inFile, ptext, sizeof(ptext))) > 0) { + + /* Encrypt using it using CBC, using previously created IV */ + if (ptextLen != BLOCKSIZE) { + paddingLength = BLOCKSIZE - ptextLen; + for ( j=0; j < paddingLength; j++) { + ptext[ptextLen+j] = (unsigned char)paddingLength; + } + ptextLen = BLOCKSIZE; + } + rv = Encrypt(ctxenc, + encbuf, &encbufLen, sizeof(encbuf), + ptext, ptextLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Encrypt Failure\n"); + goto cleanup; + } + + /* save the last block of ciphertext as the next IV */ + iv = encbuf; + ivLen = encbufLen; + + /* write the cipher text to intermediate file */ + nwritten = PR_Write(encFile, encbuf, encbufLen); + /*PR_Assert(nwritten == encbufLen);*/ + + rv = MacUpdate(ctxmac, ptext, ptextLen); + } + + rv = MacFinal(ctxmac, mac, &macLen, DIGESTSIZE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "MacFinal Failure\n"); + goto cleanup; + } + if (macLen == 0) { + PR_fprintf(PR_STDERR, "Bad MAC length\n"); + rv = SECFailure; + goto cleanup; + } + WriteToHeaderFile(mac, macLen, MAC, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write MAC Failure\n"); + goto cleanup; + } + + pad[0] = paddingLength; + padItem.type = siBuffer; + padItem.data = (unsigned char *)pad; + padItem.len = sizeof(pad[0]); + + WriteToHeaderFile(padItem.data, padItem.len, PAD, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write PAD Failure\n"); + goto cleanup; + } + + rv = SECSuccess; + + cleanup: + if (ctxmac != NULL) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc != NULL) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + + return rv; + } + + /* + * Find the Key for the given mechanism + */ + PK11SymKey* + FindKey(PK11SlotInfo *slot, + CK_MECHANISM_TYPE mechanism, + SECItem *keyBuf, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + if (slot) { + PK11_FreeSlot(slot); + } + return NULL; + } + } + + key = PK11_FindFixedKey(slot, mechanism, keyBuf, 0); + if (!key) { + PR_fprintf(PR_STDERR, + "PK11_FindFixedKey failed (err %d)\n", + PR_GetError()); + PK11_FreeSlot(slot); + return NULL; + } + return key; + } + + /* + * Decrypt and Verify MAC + */ + SECStatus + DecryptAndVerifyMac(const char* outFileName, + char *encryptedFileName, + SECItem *cItem, SECItem *macItem, + PK11SymKey* ek, PK11SymKey* mk, SECItem *ivItem, SECItem *padItem) + { + SECStatus rv; + PRFileDesc* inFile; + PRFileDesc* outFile; + + unsigned char decbuf[64]; + unsigned int decbufLen; + + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen = 0; + unsigned char ctext[64]; + unsigned int ctextLen; + unsigned char newmac[DIGESTSIZE]; + unsigned int newmacLen = 0; + unsigned int newptextLen = 0; + unsigned int count = 0; + unsigned int temp = 0; + unsigned int blockNumber = 0; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + + unsigned char iv[BLOCKSIZE]; + unsigned int ivLen = ivItem->len; + unsigned int fileLength; + unsigned int paddingLength; + int j; + + memcpy(iv, ivItem->data, ivItem->len); + paddingLength = (unsigned int)padItem->data[0]; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(encryptedFileName, PR_RDONLY , 0); + if (!inFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* Open the output file. */ + outFile = PR_Open(outFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR , 00660); + if (!outFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + outFileName); + return SECFailure; + } + + rv = MacInit(ctxmac); + if (rv != SECSuccess) goto cleanup; + + ctxenc = DecryptInit(ek, iv, ivLen, CKM_AES_CBC); + fileLength = FileSize(encryptedFileName); + + while ((ctextLen = PR_Read(inFile, ctext, sizeof(ctext))) > 0) { + + count += ctextLen; + + /* decrypt cipher text buffer using CBC and IV */ + + rv = Decrypt(ctxenc, decbuf, &decbufLen, sizeof(decbuf), + ctext, ctextLen); + + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Decrypt Failure\n"); + goto cleanup; + } + + if (decbufLen == 0) break; + + rv = MacUpdate(ctxmac, decbuf, decbufLen); + if (rv != SECSuccess) { goto cleanup; } + if (count == fileLength) { + decbufLen = decbufLen-paddingLength; + } + + /* write the plain text to out file */ + temp = PR_Write(outFile, decbuf, decbufLen); + if (temp != decbufLen) { + PR_fprintf(PR_STDERR, "write error\n"); + rv = SECFailure; + break; + } + + /* save last block of ciphertext */ + memcpy(iv, decbuf, decbufLen); + ivLen = decbufLen; + blockNumber++; + } + + if (rv != SECSuccess) { goto cleanup; } + + rv = MacFinal(ctxmac, newmac, &newmacLen, sizeof(newmac)); + if (rv != SECSuccess) { goto cleanup; } + + if (PORT_Memcmp(macItem->data, newmac, newmacLen) == 0) { + rv = SECSuccess; + } else { + PR_fprintf(PR_STDERR, "Check MAC : Failure\n"); + PR_fprintf(PR_STDERR, "Extracted : "); + PrintAsHex(PR_STDERR, macItem->data, macItem->len); + PR_fprintf(PR_STDERR, "Computed : "); + PrintAsHex(PR_STDERR, newmac, newmacLen); + rv = SECFailure; + } + cleanup: + if (ctxmac) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + if (outFile) { + PR_Close(outFile); + } + + return rv; + } + + /* + * Gets IV and CKAIDS From Header File + */ + SECStatus + GetIVandCKAIDSFromHeader(const char *cipherFileName, + SECItem *ivItem, SECItem *encKeyItem, SECItem *macKeyItem) + { + SECStatus rv; + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = ReadFromHeaderFile(cipherFileName, IV, ivItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not retrieve IV from cipher file\n"); + goto cleanup; + } + + rv = ReadFromHeaderFile(cipherFileName, SYMKEY, encKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve AES CKA_ID from cipher file\n"); + goto cleanup; + } + rv = ReadFromHeaderFile(cipherFileName, MACKEY, macKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC CKA_ID from cipher file\n"); + goto cleanup; + } + cleanup: + return rv; + } + + /* + * DecryptFile + */ + SECStatus + DecryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *outFileName, + const char *headerFileName, + char *encryptedFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open read only and we have authenticated to it + * open input file, read in header, get IV and CKA_IDs of two keys from it + * find those keys in the DB token + * Open output file + * loop until EOF(input): + * read a buffer of ciphertext from input file, + * Save last block of ciphertext + * decrypt ciphertext buffer using CBC and IV, + * compute and check MAC, then remove MAC from plaintext + * replace IV with saved last block of ciphertext + * write the plain text to output file + * close files + * report success + */ + + SECStatus rv; + SECItem ivItem; + SECItem encKeyItem; + SECItem macKeyItem; + SECItem cipherItem; + SECItem macItem; + SECItem padItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = GetIVandCKAIDSFromHeader(headerFileName, + &ivItem, &encKeyItem, &macKeyItem); + if (rv != SECSuccess) { + goto cleanup; + } + + /* find those keys in the DB token */ + encKey = FindKey(slot, CKM_AES_CBC, &encKeyItem, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "Can't find the encryption key\n"); + rv = SECFailure; + goto cleanup; + } + /* CKM_MD5_HMAC or CKM_EXTRACT_KEY_FROM_KEY */ + macKey = FindKey(slot, CKM_MD5_HMAC, &macKeyItem, pwdata); + if (macKey == NULL) { + rv = SECFailure; + goto cleanup; + } + + /* Read in the Mac into item from the intermediate file */ + rv = ReadFromHeaderFile(headerFileName, MAC, &macItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC from cipher file\n"); + goto cleanup; + } + if (macItem.data == NULL) { + PR_fprintf(PR_STDERR, "MAC has NULL data\n"); + rv = SECFailure; + goto cleanup; + } + if (macItem.len == 0) { + PR_fprintf(PR_STDERR, "MAC has data has 0 length\n"); + /*rv = SECFailure; + goto cleanup;*/ + } + + rv = ReadFromHeaderFile(headerFileName, PAD, &padItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve PAD detail from header file\n"); + goto cleanup; + } + + if (rv == SECSuccess) { + /* Decrypt and Remove Mac */ + rv = DecryptAndVerifyMac(outFileName, encryptedFileName, + &cipherItem, &macItem, encKey, macKey, &ivItem, &padItem); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed while decrypting and removing MAC\n"); + } + } + + cleanup: + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * EncryptFile + */ + SECStatus + EncryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *inFileName, + const char *headerFileName, + const char *encryptedFileName, + const char *noiseFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open for read/write and we have authenticated to it. + * generate a symmetric AES key as a token object. + * generate a second key to use for MACing, also a token object. + * get their CKA_IDs + * generate a random value to use as IV for AES CBC + * open an input file and an output file, + * write a header to the output that identifies the two keys by + * their CKA_IDs, May include original file name and length. + * loop until EOF(input) + * read a buffer of plaintext from input file, + * MAC it, append the MAC to the plaintext + * encrypt it using CBC, using previously created IV, + * store the last block of ciphertext as the new IV, + * write the cipher text to intermediate file + * close files + * report success + */ + SECStatus rv; + PRFileDesc *inFile; + PRFileDesc *headerFile; + PRFileDesc *encFile; + + unsigned char *encKeyId = (unsigned char *) "Encrypt Key"; + unsigned char *macKeyId = (unsigned char *) "MAC Key"; + SECItem encKeyID = { siAsciiString, encKeyId, PL_strlen(encKeyId) }; + SECItem macKeyID = { siAsciiString, macKeyId, PL_strlen(macKeyId) }; + + SECItem encCKAID; + SECItem macCKAID; + unsigned char iv[BLOCKSIZE]; + SECItem ivItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + SECItem temp; + unsigned char c; + + /* generate a symmetric AES key as a token object. */ + encKey = GenerateSYMKey(slot, CKM_AES_KEY_GEN, 128/8, &encKeyID, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for AES returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* generate a second key to use for MACing, also a token object. */ + macKey = GenerateSYMKey(slot, CKM_GENERIC_SECRET_KEY_GEN, 160/8, + &macKeyID, pwdata); + if (macKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for MACing returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* get the encrypt key CKA_ID */ + rv = GatherCKA_ID(encKey, &encCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error while wrapping encrypt key\n"); + goto cleanup; + } + + /* get the MAC key CKA_ID */ + rv = GatherCKA_ID(macKey, &macCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Can't get the MAC key CKA_ID.\n"); + goto cleanup; + } + + if (noiseFileName) { + rv = SeedFromNoiseFile(noiseFileName); + if (rv != SECSuccess) { + PORT_SetError(PR_END_OF_FILE_ERROR); + return SECFailure; + } + rv = PK11_GenerateRandom(iv, BLOCKSIZE); + if (rv != SECSuccess) { + goto cleanup; + } + + } else { + /* generate a random value to use as IV for AES CBC */ + GenerateRandom(iv, BLOCKSIZE); + } + + headerFile = PR_Open(headerFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!headerFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + headerFileName); + return SECFailure; + } + encFile = PR_Open(encryptedFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!encFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* write to a header file the IV and the CKA_IDs + * identifying the two keys + */ + ivItem.type = siBuffer; + ivItem.data = iv; + ivItem.len = BLOCKSIZE; + + rv = WriteToHeaderFile(iv, BLOCKSIZE, IV, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing IV to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + rv = WriteToHeaderFile(encCKAID.data, encCKAID.len, SYMKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing AES CKA_ID to cipher file - %s\n", + encryptedFileName); + goto cleanup; + } + rv = WriteToHeaderFile(macCKAID.data, macCKAID.len, MACKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing MAC CKA_ID to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + + /* Macing and Encryption */ + if (rv == SECSuccess) { + rv = EncryptAndMac(inFile, headerFile, encFile, + encKey, macKey, ivItem.data, ivItem.len, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : Macing and Encryption\n"); + goto cleanup; + } + } + + cleanup: + if (inFile) { + PR_Close(inFile); + } + if (headerFile) { + PR_Close(headerFile); + } + if (encFile) { + PR_Close(encFile); + } + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * This example illustrates basic encryption/decryption and MACing + * Generates the encryption/mac keys and uses token for storing. + * Encrypts the input file and appends MAC before storing in intermediate + * header file. + * Writes the CKA_IDs of the encryption keys into intermediate header file. + * Reads the intermediate headerfile for CKA_IDs and encrypted + * contents and decrypts into output file. + */ + int + main(int argc, char **argv) + { + SECStatus rv; + SECStatus rvShutdown; + PK11SlotInfo *slot = NULL; + PLOptState *optstate; + PLOptStatus status; + char headerFileName[50]; + char encryptedFileName[50]; + PRFileDesc *inFile; + PRFileDesc *outFile; + PRBool ascii = PR_FALSE; + CommandType cmd = UNKNOWN; + const char *command = NULL; + const char *dbdir = NULL; + const char *inFileName = NULL; + const char *outFileName = NULL; + const char *noiseFileName = NULL; + secuPWData pwdata = { PW_NONE, 0 }; + + char * progName = strrchr(argv[0], '/'); + progName = progName ? progName + 1 : argv[0]; + + /* Parse command line arguments */ + optstate = PL_CreateOptState(argc, argv, "c:d:i:o:f:p:z:a"); + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch (optstate->option) { + case 'a': + ascii = PR_TRUE; + break; + case 'c': + command = strdup(optstate->value); + break; + case 'd': + dbdir = strdup(optstate->value); + break; + case 'f': + pwdata.source = PW_FROMFILE; + pwdata.data = strdup(optstate->value); + break; + case 'p': + pwdata.source = PW_PLAINTEXT; + pwdata.data = strdup(optstate->value); + break; + case 'i': + inFileName = strdup(optstate->value); + break; + case 'o': + outFileName = strdup(optstate->value); + break; + case 'z': + noiseFileName = strdup(optstate->value); + break; + default: + Usage(progName); + break; + } + } + PL_DestroyOptState(optstate); + + if (!command || !dbdir || !inFileName || !outFileName) + Usage(progName); + if (PL_strlen(command)==0) + Usage(progName); + + cmd = command[0] == 'a' ? ENCRYPT : command[0] == 'b' ? DECRYPT : UNKNOWN; + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + PR_Close(inFile); + + /* For intermediate header file, choose filename as inputfile name + with extension ".header" */ + strcpy(headerFileName, inFileName); + strcat(headerFileName, ".header"); + + /* For intermediate encrypted file, choose filename as inputfile name + with extension ".enc" */ + strcpy(encryptedFileName, inFileName); + strcat(encryptedFileName, ".enc"); + + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + + switch (cmd) { + case ENCRYPT: + /* If the intermediate header file already exists, delete it */ + if (PR_Access(headerFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(headerFileName); + } + /* If the intermediate encrypted already exists, delete it */ + if (PR_Access(encryptedFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(encryptedFileName); + } + + /* Open DB for read/write and authenticate to it. */ + rv = NSS_InitReadWrite(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_InitReadWrite Failed\n"); + goto cleanup; + } + + PK11_SetPasswordFunc(GetModulePassword); + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + rv = EncryptFile(slot, dbdir, + inFileName, headerFileName, encryptedFileName, + noiseFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "EncryptFile : Failed\n"); + return SECFailure; + } + break; + case DECRYPT: + /* Open DB read only, authenticate to it */ + PK11_SetPasswordFunc(GetModulePassword); + + rv = NSS_Init(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_Init Failed\n"); + return SECFailure; + } + + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + + rv = DecryptFile(slot, dbdir, + outFileName, headerFileName, + encryptedFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "DecryptFile : Failed\n"); + return SECFailure; + } + break; + } + + cleanup: + rvShutdown = NSS_Shutdown(); + if (rvShutdown != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : NSS_Shutdown()\n"); + rv = SECFailure; + } + + PR_Cleanup(); + + return rv; + } \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst new file mode 100644 index 0000000000..e2f399166b --- /dev/null +++ b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst @@ -0,0 +1,1206 @@ +.. _mozilla_projects_nss_encrypt_decrypt_mac_using_token: + +Encrypt and decrypt MAC using token +=================================== + +.. _nss_sample_code_3_encryptiondecryption_and_mac_using_token_object.: + +`NSS sample code 3: encryption/decryption and MAC using token object. <#nss_sample_code_3_encryptiondecryption_and_mac_using_token_object.>`__ +---------------------------------------------------------------------------------------------------------------------------------------------- + +.. container:: + + Generates encryption/mac keys and uses token for storing. + + .. code:: c + + /* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + + /* NSPR Headers */ + #include + #include + #include + #include + #include + #include + #include + + /* NSS headers */ + #include + #include + + /* our samples utilities */ + #include "util.h" + + #define BUFFERSIZE 80 + #define DIGESTSIZE 16 + #define PTEXT_MAC_BUFFER_SIZE 96 + #define CIPHERSIZE 96 + #define BLOCKSIZE 32 + + #define CIPHER_HEADER "-----BEGIN CIPHER-----" + #define CIPHER_TRAILER "-----END CIPHER-----" + #define ENCKEY_HEADER "-----BEGIN AESKEY CKAID-----" + #define ENCKEY_TRAILER "-----END AESKEY CKAID-----" + #define MACKEY_HEADER "-----BEGIN MACKEY CKAID-----" + #define MACKEY_TRAILER "-----END MACKEY CKAID-----" + #define IV_HEADER "-----BEGIN IV-----" + #define IV_TRAILER "-----END IV-----" + #define MAC_HEADER "-----BEGIN MAC-----" + #define MAC_TRAILER "-----END MAC-----" + #define PAD_HEADER "-----BEGIN PAD-----" + #define PAD_TRAILER "-----END PAD-----" + + typedef enum { + ENCRYPT, + DECRYPT, + UNKNOWN + } CommandType; + + typedef enum { + SYMKEY = 0, + MACKEY = 1, + IV = 2, + MAC = 3, + PAD = 4 + } HeaderType; + + + /* + * Print usage message and exit + */ + static void + Usage(const char *progName) + { + fprintf(stderr, "\nUsage: %s -c -d [-z ] " + "[-p | -f ] -i -o \n\n", + progName); + fprintf(stderr, "%-20s Specify 'a' for encrypt operation\n\n", + "-c "); + fprintf(stderr, "%-20s Specify 'b' for decrypt operation\n\n", + " "); + fprintf(stderr, "%-20s Specify db directory path\n\n", + "-d "); + fprintf(stderr, "%-20s Specify db password [optional]\n\n", + "-p "); + fprintf(stderr, "%-20s Specify db password file [optional]\n\n", + "-f "); + fprintf(stderr, "%-20s Specify noise file name [optional]\n\n", + "-z "); + fprintf(stderr, "%-21s Specify an input file name\n\n", + "-i "); + fprintf(stderr, "%-21s Specify an output file name\n\n", + "-o "); + fprintf(stderr, "%-7s For encrypt, it takes as an input file and produces\n", + "Note :"); + fprintf(stderr, "%-7s .enc and .header as intermediate output files.\n\n", + ""); + fprintf(stderr, "%-7s For decrypt, it takes .enc and .header\n", + ""); + fprintf(stderr, "%-7s as input files and produces as a final output file.\n\n", + ""); + exit(-1); + } + + /* + * Gather a CKA_ID + */ + SECStatus + GatherCKA_ID(PK11SymKey* key, SECItem* buf) + { + SECStatus rv = PK11_ReadRawAttribute(PK11_TypeSymKey, key, CKA_ID, buf); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "PK11_ReadRawAttribute returned (%d)\n", rv); + PR_fprintf(PR_STDERR, "Could not read SymKey CKA_ID attribute\n"); + return rv; + } + return rv; + } + + /* + * Generate a Symmetric Key + */ + PK11SymKey * + GenerateSYMKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, + int keySize, SECItem *keyID, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + return NULL; + } + } + + /* Generate the symmetric key */ + key = PK11_TokenKeyGen(slot, mechanism, + NULL, keySize, keyID, PR_TRUE, pwdata); + + if (!key) { + PR_fprintf(PR_STDERR, "Symmetric Key Generation Failed \n"); + } + + return key; + } + + /* + * MacInit + */ + SECStatus + MacInit(PK11Context *ctx) + { + SECStatus rv = PK11_DigestBegin(ctx); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestBegin()\n"); + } + return rv; + } + + /* + * MacUpdate + */ + SECStatus + MacUpdate(PK11Context *ctx, + unsigned char *msg, unsigned int msgLen) + { + SECStatus rv = PK11_DigestOp(ctx, msg, msgLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : DigestOp()\n"); + } + return rv; + } + + /* + * Finalize MACing + */ + SECStatus + MacFinal(PK11Context *ctx, + unsigned char *mac, unsigned int *macLen, unsigned int maxLen) + { + SECStatus rv = PK11_DigestFinal(ctx, mac, macLen, maxLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestFinal()\n"); + } + return SECSuccess; + } + + /* + * Compute Mac + */ + SECStatus + ComputeMac(PK11Context *ctxmac, + unsigned char *ptext, unsigned int ptextLen, + unsigned char *mac, unsigned int *macLen, + unsigned int maxLen) + { + SECStatus rv = MacInit(ctxmac); + if (rv != SECSuccess) return rv; + rv = MacUpdate(ctxmac, ptext, ptextLen); + if (rv != SECSuccess) return rv; + rv = MacFinal(ctxmac, mac, macLen, maxLen); + return rv; + } + + /* + * WriteToHeaderFile + */ + SECStatus + WriteToHeaderFile(const char *buf, unsigned int len, HeaderType type, + PRFileDesc *outFile) + { + SECStatus rv; + char header[40]; + char trailer[40]; + char *outString = NULL; + + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + PR_fprintf(outFile, "%s\n", header); + PrintAsHex(outFile, buf, len); + PR_fprintf(outFile, "%s\n\n", trailer); + return SECSuccess; + } + + /* + * Initialize for encryption or decryption - common code + */ + PK11Context * + CryptInit(PK11SymKey *key, + unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE operation) + { + SECItem ivItem = { siBuffer, iv, ivLen }; + PK11Context *ctx = NULL; + + SECItem *secParam = PK11_ParamFromIV(CKM_AES_CBC, &ivItem); + if (secParam == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : secParam NULL\n"); + return NULL; + } + ctx = PK11_CreateContextBySymKey(CKM_AES_CBC, operation, key, secParam); + if (ctx == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : can't create a context\n"); + goto cleanup; + + } + cleanup: + if (secParam) { + SECITEM_FreeItem(secParam, PR_TRUE); + } + return ctx; + } + + /* + * Common encryption and decryption code + */ + SECStatus + Crypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxOut, + unsigned char *in, unsigned int inLen) + { + SECStatus rv; + + rv = PK11_CipherOp(ctx, out, outLen, maxOut, in, inLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Crypt Failed : PK11_CipherOp returned %d\n", rv); + goto cleanup; + } + + cleanup: + if (rv != SECSuccess) { + return rv; + } + return SECSuccess; + } + + /* + * Decrypt + */ + SECStatus + Decrypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * Encrypt + */ + SECStatus + Encrypt(PK11Context* ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * EncryptInit + */ + PK11Context * + EncryptInit(PK11SymKey *ek, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(ek, iv, ivLen, type, CKA_ENCRYPT); + } + + /* + * DecryptInit + */ + PK11Context * + DecryptInit(PK11SymKey *dk, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(dk, iv, ivLen, type, CKA_DECRYPT); + } + + /* + * Read cryptographic parameters from the header file + */ + SECStatus + ReadFromHeaderFile(const char *fileName, HeaderType type, + SECItem *item, PRBool isHexData) + { + SECStatus rv; + PRFileDesc* file; + SECItem filedata; + SECItem outbuf; + unsigned char *nonbody; + unsigned char *body; + char header[40]; + char trailer[40]; + + outbuf.type = siBuffer; + file = PR_Open(fileName, PR_RDONLY, 0); + if (!file) { + PR_fprintf(PR_STDERR, "Failed to open %s\n", fileName); + return SECFailure; + } + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + rv = FileToItem(&filedata, file); + nonbody = (char *)filedata.data; + if (!nonbody) { + PR_fprintf(PR_STDERR, "unable to read data from input file\n"); + rv = SECFailure; + goto cleanup; + } + + /* check for headers and trailers and remove them */ + if ((body = strstr(nonbody, header)) != NULL) { + char *trail = NULL; + nonbody = body; + body = PORT_Strchr(body, '\n'); + if (!body) + body = PORT_Strchr(nonbody, '\r'); /* maybe this is a MAC file */ + if (body) + trail = strstr(++body, trailer); + if (trail != NULL) { + *trail = '\0'; + } else { + PR_fprintf(PR_STDERR, "input has header but no trailer\n"); + PORT_Free(filedata.data); + return SECFailure; + } + } else { + body = nonbody; + } + + cleanup: + PR_Close(file); + HexToBuf(body, item, isHexData); + return SECSuccess; + } + + /* + * EncryptAndMac + */ + SECStatus + EncryptAndMac(PRFileDesc *inFile, + PRFileDesc *headerFile, + PRFileDesc *encFile, + PK11SymKey *ek, + PK11SymKey *mk, + unsigned char *iv, unsigned int ivLen, + PRBool ascii) + { + SECStatus rv; + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen; + unsigned char mac[DIGESTSIZE]; + unsigned int macLen; + unsigned int nwritten; + unsigned char encbuf[BLOCKSIZE]; + unsigned int encbufLen; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + unsigned int pad[1]; + SECItem padItem; + unsigned int paddingLength; + + static unsigned int firstTime = 1; + int j; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + rv = MacInit(ctxmac); + if (rv != SECSuccess) { + goto cleanup; + } + + ctxenc = EncryptInit(ek, iv, ivLen, CKM_AES_CBC); + + /* read a buffer of plaintext from input file */ + while ((ptextLen = PR_Read(inFile, ptext, sizeof(ptext))) > 0) { + + /* Encrypt using it using CBC, using previously created IV */ + if (ptextLen != BLOCKSIZE) { + paddingLength = BLOCKSIZE - ptextLen; + for ( j=0; j < paddingLength; j++) { + ptext[ptextLen+j] = (unsigned char)paddingLength; + } + ptextLen = BLOCKSIZE; + } + rv = Encrypt(ctxenc, + encbuf, &encbufLen, sizeof(encbuf), + ptext, ptextLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Encrypt Failure\n"); + goto cleanup; + } + + /* save the last block of ciphertext as the next IV */ + iv = encbuf; + ivLen = encbufLen; + + /* write the cipher text to intermediate file */ + nwritten = PR_Write(encFile, encbuf, encbufLen); + /*PR_Assert(nwritten == encbufLen);*/ + + rv = MacUpdate(ctxmac, ptext, ptextLen); + } + + rv = MacFinal(ctxmac, mac, &macLen, DIGESTSIZE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "MacFinal Failure\n"); + goto cleanup; + } + if (macLen == 0) { + PR_fprintf(PR_STDERR, "Bad MAC length\n"); + rv = SECFailure; + goto cleanup; + } + WriteToHeaderFile(mac, macLen, MAC, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write MAC Failure\n"); + goto cleanup; + } + + pad[0] = paddingLength; + padItem.type = siBuffer; + padItem.data = (unsigned char *)pad; + padItem.len = sizeof(pad[0]); + + WriteToHeaderFile(padItem.data, padItem.len, PAD, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write PAD Failure\n"); + goto cleanup; + } + + rv = SECSuccess; + + cleanup: + if (ctxmac != NULL) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc != NULL) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + + return rv; + } + + /* + * Find the Key for the given mechanism + */ + PK11SymKey* + FindKey(PK11SlotInfo *slot, + CK_MECHANISM_TYPE mechanism, + SECItem *keyBuf, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + if (slot) { + PK11_FreeSlot(slot); + } + return NULL; + } + } + + key = PK11_FindFixedKey(slot, mechanism, keyBuf, 0); + if (!key) { + PR_fprintf(PR_STDERR, + "PK11_FindFixedKey failed (err %d)\n", + PR_GetError()); + PK11_FreeSlot(slot); + return NULL; + } + return key; + } + + /* + * Decrypt and Verify MAC + */ + SECStatus + DecryptAndVerifyMac(const char* outFileName, + char *encryptedFileName, + SECItem *cItem, SECItem *macItem, + PK11SymKey* ek, PK11SymKey* mk, SECItem *ivItem, SECItem *padItem) + { + SECStatus rv; + PRFileDesc* inFile; + PRFileDesc* outFile; + + unsigned char decbuf[64]; + unsigned int decbufLen; + + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen = 0; + unsigned char ctext[64]; + unsigned int ctextLen; + unsigned char newmac[DIGESTSIZE]; + unsigned int newmacLen = 0; + unsigned int newptextLen = 0; + unsigned int count = 0; + unsigned int temp = 0; + unsigned int blockNumber = 0; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + + unsigned char iv[BLOCKSIZE]; + unsigned int ivLen = ivItem->len; + unsigned int fileLength; + unsigned int paddingLength; + int j; + + memcpy(iv, ivItem->data, ivItem->len); + paddingLength = (unsigned int)padItem->data[0]; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(encryptedFileName, PR_RDONLY , 0); + if (!inFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* Open the output file. */ + outFile = PR_Open(outFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR , 00660); + if (!outFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + outFileName); + return SECFailure; + } + + rv = MacInit(ctxmac); + if (rv != SECSuccess) goto cleanup; + + ctxenc = DecryptInit(ek, iv, ivLen, CKM_AES_CBC); + fileLength = FileSize(encryptedFileName); + + while ((ctextLen = PR_Read(inFile, ctext, sizeof(ctext))) > 0) { + + count += ctextLen; + + /* decrypt cipher text buffer using CBC and IV */ + + rv = Decrypt(ctxenc, decbuf, &decbufLen, sizeof(decbuf), + ctext, ctextLen); + + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Decrypt Failure\n"); + goto cleanup; + } + + if (decbufLen == 0) break; + + rv = MacUpdate(ctxmac, decbuf, decbufLen); + if (rv != SECSuccess) { goto cleanup; } + if (count == fileLength) { + decbufLen = decbufLen-paddingLength; + } + + /* write the plain text to out file */ + temp = PR_Write(outFile, decbuf, decbufLen); + if (temp != decbufLen) { + PR_fprintf(PR_STDERR, "write error\n"); + rv = SECFailure; + break; + } + + /* save last block of ciphertext */ + memcpy(iv, decbuf, decbufLen); + ivLen = decbufLen; + blockNumber++; + } + + if (rv != SECSuccess) { goto cleanup; } + + rv = MacFinal(ctxmac, newmac, &newmacLen, sizeof(newmac)); + if (rv != SECSuccess) { goto cleanup; } + + if (PORT_Memcmp(macItem->data, newmac, newmacLen) == 0) { + rv = SECSuccess; + } else { + PR_fprintf(PR_STDERR, "Check MAC : Failure\n"); + PR_fprintf(PR_STDERR, "Extracted : "); + PrintAsHex(PR_STDERR, macItem->data, macItem->len); + PR_fprintf(PR_STDERR, "Computed : "); + PrintAsHex(PR_STDERR, newmac, newmacLen); + rv = SECFailure; + } + cleanup: + if (ctxmac) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + if (outFile) { + PR_Close(outFile); + } + + return rv; + } + + /* + * Gets IV and CKAIDS From Header File + */ + SECStatus + GetIVandCKAIDSFromHeader(const char *cipherFileName, + SECItem *ivItem, SECItem *encKeyItem, SECItem *macKeyItem) + { + SECStatus rv; + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = ReadFromHeaderFile(cipherFileName, IV, ivItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not retrieve IV from cipher file\n"); + goto cleanup; + } + + rv = ReadFromHeaderFile(cipherFileName, SYMKEY, encKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve AES CKA_ID from cipher file\n"); + goto cleanup; + } + rv = ReadFromHeaderFile(cipherFileName, MACKEY, macKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC CKA_ID from cipher file\n"); + goto cleanup; + } + cleanup: + return rv; + } + + /* + * DecryptFile + */ + SECStatus + DecryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *outFileName, + const char *headerFileName, + char *encryptedFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open read only and we have authenticated to it + * open input file, read in header, get IV and CKA_IDs of two keys from it + * find those keys in the DB token + * Open output file + * loop until EOF(input): + * read a buffer of ciphertext from input file, + * Save last block of ciphertext + * decrypt ciphertext buffer using CBC and IV, + * compute and check MAC, then remove MAC from plaintext + * replace IV with saved last block of ciphertext + * write the plain text to output file + * close files + * report success + */ + + SECStatus rv; + SECItem ivItem; + SECItem encKeyItem; + SECItem macKeyItem; + SECItem cipherItem; + SECItem macItem; + SECItem padItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = GetIVandCKAIDSFromHeader(headerFileName, + &ivItem, &encKeyItem, &macKeyItem); + if (rv != SECSuccess) { + goto cleanup; + } + + /* find those keys in the DB token */ + encKey = FindKey(slot, CKM_AES_CBC, &encKeyItem, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "Can't find the encryption key\n"); + rv = SECFailure; + goto cleanup; + } + /* CKM_MD5_HMAC or CKM_EXTRACT_KEY_FROM_KEY */ + macKey = FindKey(slot, CKM_MD5_HMAC, &macKeyItem, pwdata); + if (macKey == NULL) { + rv = SECFailure; + goto cleanup; + } + + /* Read in the Mac into item from the intermediate file */ + rv = ReadFromHeaderFile(headerFileName, MAC, &macItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC from cipher file\n"); + goto cleanup; + } + if (macItem.data == NULL) { + PR_fprintf(PR_STDERR, "MAC has NULL data\n"); + rv = SECFailure; + goto cleanup; + } + if (macItem.len == 0) { + PR_fprintf(PR_STDERR, "MAC has data has 0 length\n"); + /*rv = SECFailure; + goto cleanup;*/ + } + + rv = ReadFromHeaderFile(headerFileName, PAD, &padItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve PAD detail from header file\n"); + goto cleanup; + } + + if (rv == SECSuccess) { + /* Decrypt and Remove Mac */ + rv = DecryptAndVerifyMac(outFileName, encryptedFileName, + &cipherItem, &macItem, encKey, macKey, &ivItem, &padItem); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed while decrypting and removing MAC\n"); + } + } + + cleanup: + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * EncryptFile + */ + SECStatus + EncryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *inFileName, + const char *headerFileName, + const char *encryptedFileName, + const char *noiseFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open for read/write and we have authenticated to it. + * generate a symmetric AES key as a token object. + * generate a second key to use for MACing, also a token object. + * get their CKA_IDs + * generate a random value to use as IV for AES CBC + * open an input file and an output file, + * write a header to the output that identifies the two keys by + * their CKA_IDs, May include original file name and length. + * loop until EOF(input) + * read a buffer of plaintext from input file, + * MAC it, append the MAC to the plaintext + * encrypt it using CBC, using previously created IV, + * store the last block of ciphertext as the new IV, + * write the cipher text to intermediate file + * close files + * report success + */ + SECStatus rv; + PRFileDesc *inFile; + PRFileDesc *headerFile; + PRFileDesc *encFile; + + unsigned char *encKeyId = (unsigned char *) "Encrypt Key"; + unsigned char *macKeyId = (unsigned char *) "MAC Key"; + SECItem encKeyID = { siAsciiString, encKeyId, PL_strlen(encKeyId) }; + SECItem macKeyID = { siAsciiString, macKeyId, PL_strlen(macKeyId) }; + + SECItem encCKAID; + SECItem macCKAID; + unsigned char iv[BLOCKSIZE]; + SECItem ivItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + SECItem temp; + unsigned char c; + + /* generate a symmetric AES key as a token object. */ + encKey = GenerateSYMKey(slot, CKM_AES_KEY_GEN, 128/8, &encKeyID, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for AES returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* generate a second key to use for MACing, also a token object. */ + macKey = GenerateSYMKey(slot, CKM_GENERIC_SECRET_KEY_GEN, 160/8, + &macKeyID, pwdata); + if (macKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for MACing returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* get the encrypt key CKA_ID */ + rv = GatherCKA_ID(encKey, &encCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error while wrapping encrypt key\n"); + goto cleanup; + } + + /* get the MAC key CKA_ID */ + rv = GatherCKA_ID(macKey, &macCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Can't get the MAC key CKA_ID.\n"); + goto cleanup; + } + + if (noiseFileName) { + rv = SeedFromNoiseFile(noiseFileName); + if (rv != SECSuccess) { + PORT_SetError(PR_END_OF_FILE_ERROR); + return SECFailure; + } + rv = PK11_GenerateRandom(iv, BLOCKSIZE); + if (rv != SECSuccess) { + goto cleanup; + } + + } else { + /* generate a random value to use as IV for AES CBC */ + GenerateRandom(iv, BLOCKSIZE); + } + + headerFile = PR_Open(headerFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!headerFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + headerFileName); + return SECFailure; + } + encFile = PR_Open(encryptedFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!encFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* write to a header file the IV and the CKA_IDs + * identifying the two keys + */ + ivItem.type = siBuffer; + ivItem.data = iv; + ivItem.len = BLOCKSIZE; + + rv = WriteToHeaderFile(iv, BLOCKSIZE, IV, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing IV to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + rv = WriteToHeaderFile(encCKAID.data, encCKAID.len, SYMKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing AES CKA_ID to cipher file - %s\n", + encryptedFileName); + goto cleanup; + } + rv = WriteToHeaderFile(macCKAID.data, macCKAID.len, MACKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing MAC CKA_ID to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + + /* Macing and Encryption */ + if (rv == SECSuccess) { + rv = EncryptAndMac(inFile, headerFile, encFile, + encKey, macKey, ivItem.data, ivItem.len, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : Macing and Encryption\n"); + goto cleanup; + } + } + + cleanup: + if (inFile) { + PR_Close(inFile); + } + if (headerFile) { + PR_Close(headerFile); + } + if (encFile) { + PR_Close(encFile); + } + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * This example illustrates basic encryption/decryption and MACing + * Generates the encryption/mac keys and uses token for storing. + * Encrypts the input file and appends MAC before storing in intermediate + * header file. + * Writes the CKA_IDs of the encryption keys into intermediate header file. + * Reads the intermediate headerfile for CKA_IDs and encrypted + * contents and decrypts into output file. + */ + int + main(int argc, char **argv) + { + SECStatus rv; + SECStatus rvShutdown; + PK11SlotInfo *slot = NULL; + PLOptState *optstate; + PLOptStatus status; + char headerFileName[50]; + char encryptedFileName[50]; + PRFileDesc *inFile; + PRFileDesc *outFile; + PRBool ascii = PR_FALSE; + CommandType cmd = UNKNOWN; + const char *command = NULL; + const char *dbdir = NULL; + const char *inFileName = NULL; + const char *outFileName = NULL; + const char *noiseFileName = NULL; + secuPWData pwdata = { PW_NONE, 0 }; + + char * progName = strrchr(argv[0], '/'); + progName = progName ? progName + 1 : argv[0]; + + /* Parse command line arguments */ + optstate = PL_CreateOptState(argc, argv, "c:d:i:o:f:p:z:a"); + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch (optstate->option) { + case 'a': + ascii = PR_TRUE; + break; + case 'c': + command = strdup(optstate->value); + break; + case 'd': + dbdir = strdup(optstate->value); + break; + case 'f': + pwdata.source = PW_FROMFILE; + pwdata.data = strdup(optstate->value); + break; + case 'p': + pwdata.source = PW_PLAINTEXT; + pwdata.data = strdup(optstate->value); + break; + case 'i': + inFileName = strdup(optstate->value); + break; + case 'o': + outFileName = strdup(optstate->value); + break; + case 'z': + noiseFileName = strdup(optstate->value); + break; + default: + Usage(progName); + break; + } + } + PL_DestroyOptState(optstate); + + if (!command || !dbdir || !inFileName || !outFileName) + Usage(progName); + if (PL_strlen(command)==0) + Usage(progName); + + cmd = command[0] == 'a' ? ENCRYPT : command[0] == 'b' ? DECRYPT : UNKNOWN; + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + PR_Close(inFile); + + /* For intermediate header file, choose filename as inputfile name + with extension ".header" */ + strcpy(headerFileName, inFileName); + strcat(headerFileName, ".header"); + + /* For intermediate encrypted file, choose filename as inputfile name + with extension ".enc" */ + strcpy(encryptedFileName, inFileName); + strcat(encryptedFileName, ".enc"); + + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + + switch (cmd) { + case ENCRYPT: + /* If the intermediate header file already exists, delete it */ + if (PR_Access(headerFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(headerFileName); + } + /* If the intermediate encrypted already exists, delete it */ + if (PR_Access(encryptedFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(encryptedFileName); + } + + /* Open DB for read/write and authenticate to it. */ + rv = NSS_InitReadWrite(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_InitReadWrite Failed\n"); + goto cleanup; + } + + PK11_SetPasswordFunc(GetModulePassword); + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + rv = EncryptFile(slot, dbdir, + inFileName, headerFileName, encryptedFileName, + noiseFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "EncryptFile : Failed\n"); + return SECFailure; + } + break; + case DECRYPT: + /* Open DB read only, authenticate to it */ + PK11_SetPasswordFunc(GetModulePassword); + + rv = NSS_Init(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_Init Failed\n"); + return SECFailure; + } + + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + + rv = DecryptFile(slot, dbdir, + outFileName, headerFileName, + encryptedFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "DecryptFile : Failed\n"); + return SECFailure; + } + break; + } + + cleanup: + rvShutdown = NSS_Shutdown(); + if (rvShutdown != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : NSS_Shutdown()\n"); + rv = SECFailure; + } + + PR_Cleanup(); + + return rv; + } \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/faq/index.rst b/security/nss/doc/rst/legacy/faq/index.rst new file mode 100644 index 0000000000..6c022e7ff1 --- /dev/null +++ b/security/nss/doc/rst/legacy/faq/index.rst @@ -0,0 +1,280 @@ +.. _mozilla_projects_nss_faq: + +NSS FAQ +======= + +.. _general_questions: + +`General Questions <#general_questions>`__ +------------------------------------------ + +.. _what_is_network_security_services_.28nss.29: + +`What is Network Security Services (NSS) <#what_is_network_security_services_.28nss.29>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS is set of libraries, APIs, utilities, and documentation designed to support cross-platform + development of security-enabled client and server applications. It provides a complete + open-source implementation of the crypto libraries used by Mozilla and other companies in the + Firefox browser, AOL Instant Messenger (AIM), server products from Red Hat, and other products. + + For an overview of NSS, see :ref:`mozilla_projects_nss_overview`. For detailed information on the + open-source NSS project, see `NSS Project Page `__. + +.. _what_can_i_do_with_nss.3f_is_nss_appropriate_for_my_application.3f: + +`What can I do with NSS? Is NSS appropriate for my application? <#what_can_i_do_with_nss.3f_is_nss_appropriate_for_my_application.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + If you want add support for SSL, S/MIME, or other Internet security standards to your + application, you can use Network Security Services (NSS) to do so. Because NSS provides complete + support for all versions of SSL and TLS, it is particularly well-suited for applications that + need to communicate with the many clients and servers that already support the SSL protocol. + + The PKCS #11 interface included in NSS means that your application can use `hardware + accelerators <#what_hardware_accelerators_are_supported.3f>`__ on the server and + :ref:`mozilla_projects_nss_faq#how_do_i_integrate_smart_cards_into_my_application_using_nss_3f` + for two-factor authentication. + +.. _how_does_nss_compare_to_openssl.3f: + +`How does NSS compare to OpenSSL? <#how_does_nss_compare_to_openssl.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + `OpenSSL `__ is an open source project that implements server-side SSL, + TLS, and a general-purpose cryptography library. It does not support PKCS #11. It is based on the + SSLeay library developed by Eric A. Young and Tim J. Hudson. OpenSSL is widely used in Apache + servers and is licensed under an Apache-style licence. + + NSS supports both server and client applications as well as + :ref:`mozilla_projects_nss_pkcs11_faq` and S/MIME. To permit its use in as many contexts as + possible, NSS is licensed under the `Mozilla Public License `__, + version 2. + +.. _how_does_nss_compare_to_sslref.3f: + +`How does NSS compare to SSLRef? <#how_does_nss_compare_to_sslref.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + SSLRef was an early reference implementation of the SSL protocol. It contains bugs that were + never fixed, doesn't support TLS or the new 56-bit export cipher suites, and does not contain the + fix to the Bleichenbacher attack on PKCS#1. + + Netscape no longer maintains SSLRef or makes it available. It was built as an example of an SSL + implementation, not for creating production applications. + + NSS was designed from the ground up for use by commercial developers. It provides a complete + software development kit that uses the same architecture used to support security features in + many client and server products from Netscape and other companies. + +.. _what_platforms_and_development_environments_are_supported.3f: + +`What platforms and development environments are supported? <#what_platforms_and_development_environments_are_supported.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. warning:: + + This section is out of date + + iPlanet E-Commerce Solutions has certified NSS 3.1 on 18 platforms, including AIX 4.3, HP-UX + 11.0, Red Hat Linux 6.0, Solaris (2.6 or later), Windows NT (4.0 or later), and Windows 2000. + Other contributors are in the process of certifying additional platforms. The NSS 3.1 API + requires C or C++ development environments. + + For the latest NSS release notes and detailed platform information, see `Project + Information `__. + +.. _what_cryptography_standards_are_supported.3f: + +`What cryptography standards are supported? <#what_cryptography_standards_are_supported.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS supports `SSL v2 and v3 `__, + `TLS `__, `PKCS + #5 `__, `PKCS + #7 `__, `PKCS + #11 `__, `PKCS + #12 `__, + `S/MIME `__, and + `X.509 v3 `__ + certificates. For complete details, see `Encryption Technologies Available in NSS + 3.11 `__ + +.. _what_is_the_relationship_between_nss_and_psm.3f: + +`What is the relationship between NSS and PSM? <#what_is_the_relationship_between_nss_and_psm.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Personal Security Manager (PSM) is built on top of NSS. It consists of libraries and a daemon + designed to support cross-platform development of security-enabled client applications. The PSM + binary provides a client module that performs cryptographic operations on behalf of applications. + Netscape Personal Security Manager ships with Netscape 6 and the Gateway Connected Touch Pad with + Instant AOL, and is also available for use with Communicator 4.7x. + +.. _where_can_i_get_the_source.3f: + +`Where can I get the source? <#where_can_i_get_the_source.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + For instructions on how to check out and build the NSS source code, see + :ref:`mozilla_projects_nss_nss_sources_building_testing`. + +.. _how_much_does_it_cost.3f: + +`How much does it cost? <#how_much_does_it_cost.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS source code and binaries (when they become available) are completely free. No license fees, + no royalty fees, no subscription fees. + +.. _developer_questions: + +`Developer Questions <#developer_questions>`__ +---------------------------------------------- + +.. _what_hardware_accelerators_are_supported.3f: + +`What hardware accelerators are supported? <#what_hardware_accelerators_are_supported.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS supports the PKCS #11 interface for hardware acceleration. Since leading accelerator vendors + such as Chrysalis-IT, nCipher, and Rainbow Technologies also support this interface, NSS-enabled + applications can support a wide variety of hardware accelerators. + +.. _how_do_i_integrate_smart_cards_into_my_application_using_nss.3f: + +`How do I integrate smart cards into my application using NSS? <#how_do_i_integrate_smart_cards_into_my_application_using_nss.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS supports the PKCS #11 interface for smart card integration. Applications that use the PKCS + #11 interface provided by NSS will therefore support smart cards from leading vendors such as + ActiveCard, Litronic, SafeNet, and SecureID Technologies that also support the PKCS #11 + interface. + +.. _does_nss_require_netscape_portable_runtime_.28nspr.29.3f: + +`Does NSS require Netscape Portable Runtime (NSPR)? <#does_nss_require_netscape_portable_runtime_.28nspr.29.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: To provide cross-platform support, NSS utilizes Netscape Portable Runtime (NSPR) + libraries as a portability interface and implementation that provides consistent + cross-platform semantics for network I/O and threading models. You can use NSPR throughout + your application or only in the portion that calls into NSS. Mozilla strongly recommends that + multithreaded applications use the NSPR or native OS threading model. (In recent NSPR + releases, the NSPR threading model is compatible with the native threading model if the OS has + native threads.) Alternatively, you can adapt the open-source NSPR implementation to be + compatible with your existing application's threading models. More information about NSPR may + be found at `Netscape Portable + Runtime `__. + :name: to_provide_cross-platform_support_nss_utilizes_netscape_portable_runtime_nspr_libraries_as_a_portability_interface_and_implementation_that_provides_consistent_cross-platform_semantics_for_network_io_and_threading_models._you_can_use_nspr_throughout_your_application_or_only_in_the_portion_that_calls_into_nss._mozilla_strongly_recommends_that_multithreaded_applications_use_the_nspr_or_native_os_threading_model._in_recent_nspr_releases_the_nspr_threading_model_is_compatible_with_the_native_threading_model_if_the_os_has_native_threads._alternatively_you_can_adapt_the_open-source_nspr_implementation_to_be_compatible_with_your_existing_applications_threading_models._more_information_about_nspr_may_be_found_at_netscape_portable_runtime. + +.. _can_i_use_nss_even_if_my_application_protocol_isn.27t_http.3f: + +`Can I use NSS even if my application protocol isn't HTTP? <#can_i_use_nss_even_if_my_application_protocol_isn.27t_http.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Yes, TLS is independent of application protocols. It works with common Internet standard + application protocols (HTTP, POP3, FTP, SMTP, etc.) as well as custom application protocols using + TCP/IP. + +.. _how_long_does_it_take_to_integrate_nss_into_my_application.3f: + +`How long does it take to integrate NSS into my application? <#how_long_does_it_take_to_integrate_nss_into_my_application.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + The integration effort depends on an number of factors, such as developer skill set, application + complexity, and the level of security required for your application. NSS includes detailed + documentation of the SSL API and sample code that demonstrates basic SSL functionality (setting + up an encrypted session, server authentication, and client authentication) to help jump start the + integration process. However, there is little or no documentation currently available for the + rest of the NSS API. If your application requires sophisticated certificate management, smart + card support, or hardware acceleration, your integration effort will be more extensive. + +.. _where_can_i_download_the_nss_tools.3f: + +`Where can I download the NSS tools? <#where_can_i_download_the_nss_tools.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Binary builds of NSS for several platforms including the command-line tools can be downloaded + from + `http://ftp.mozilla.org/pub/mozilla.o...y/nss/releases/ `__. + NSPR, which you will need as well, can be downloaded from + http://ftp.mozilla.org/pub/mozilla.org/nspr/releases/. + +.. _how_can_i_learn_more_about_ssl.3f: + +`How can I learn more about TLS? <#how_can_i_learn_more_about_ssl.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + See https://developer.mozilla.org/en-US/docs/Glossary/TLS. + +.. _licensing_questions: + +`Licensing Questions <#licensing_questions>`__ +---------------------------------------------- + +.. _how_is_nss_licensed.3f: + +`How is NSS licensed? <#how_is_nss_licensed.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS is available under the `Mozilla Public License `__, version 2. + +.. _is_nss_available_outside_the_united_states.3f: + +`Is NSS available outside the United States? <#is_nss_available_outside_the_united_states.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. warning:: + + This section is out of date + + Yes; see `Build Instructions for NSS + 3.1. `__ and + ftp://ftp.mozilla.org/pub/mozilla.org/security/. However, NSS source code is subject to the U.S. + Export Administration Regulations and other U.S. law, and may not be exported or re-exported to + certain countries (Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and + Taleban-controlled areas of Afghanistan as of January 2000) or to persons or entities prohibited + from receiving U.S. exports (including those (a) on the Bureau of Industry and Security Denied + Parties List or Entity List, (b) on the Office of Foreign Assets Control list of Specially + Designated Nationals and Blocked Persons, and (c) involved with missile technology or nuclear, + chemical or biological weapons). + + For more information about U.S. export controls on encryption software, see the `Mozilla Crypto + FAQ `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst b/security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst new file mode 100644 index 0000000000..3e141cca5d --- /dev/null +++ b/security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst @@ -0,0 +1,129 @@ +.. _mozilla_projects_nss_fips_mode_-_an_explanation: + +FIPS Mode - an explanation +========================== + +.. container:: + + NSS has a "FIPS Mode" that can be enabled when NSS is compiled in a specific way. (Note: Mozilla + does not distribute a "FIPS Mode"-ready NSS with Firefox.) This page attempts to provide an + informal explanation of what it is, who would use it, and why. + +.. _what's_a_fips: + +`What's a FIPS? <#what's_a_fips>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + The United States government defines many (several hundred) "Federal Information Processing + Standard" (FIPS) documents. (FIPS sounds plural, but is singular; one FIPS document is a FIPS, + not a FIP.) FIPS documents define rules, regulations, and standards for many aspects of handling + of information by computers and by people. They apply to all US government employees and + personnel, including soldiers in the armed forces. Generally speaking, any use of a computer by + US government personnel must conform to all the relevant FIPS regulations. If you're a + US government worker, and you want to use a Mozilla software product such as Firefox, or any + product that uses NSS, you will want to use it in a way that is fully conformant with all the + relevant FIPS regulations. Some other governments have also adopted many of the FIPS + regulations, so their applicability is somewhat wider than just the US government's personnel. + +.. _what_is_fips_mode: + +`What is "FIPS Mode"? <#what_is_fips_mode>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + One of the FIPS regulations, FIPS 140, governs the use of encryption and cryptographic services. + It requires that ALL cryptography done by US government personnel MUST be done in "devices" that + have been independently tested, and certified by NIST, to meet the extensive requirements of that + document. These devices may be hardware or software, but either way, they must function and + behave as prescribed. So, in order for Mozilla Firefox and Thunderbird to be usable by people + who are subject to the FIPS regulations, Mozilla's cryptographic software must be able to operate + in a mode that is fully compliant with FIPS 140. To that end, Mozilla products can function in a + "FIPS Mode", which is really "FIPS 140 Mode", when paired with a compliant copy of NSS. (Note, + the current version of FIPS 140 is revision 2, a.k.a. FIPS 140-2. FIPS 140-3 is being devised by + NIST now for adoption in the future.) Users who are subject to the FIPS regulations must ensure + that they have Mozilla's FIPS Mode enabled when they use Mozilla software, in order to be fully + conformant. Instructions for how to configure Firefox into FIPS mode may be found on + `support.mozilla.com `__. + +.. _is_nss_fips-140_compliant: + +`Is NSS FIPS-140 compliant? <#is_nss_fips-140_compliant>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Mozilla's NSS cryptographic software has been tested by government-approved independent testing + labs and certified by NIST as being FIPS 140 compliant *when operated in FIPS mode* on 4 previous + occasions. As of this writing, NSS is now being retested to be recertified for the fifth time. + NSS was the first open source cryptographic library to be FIPS certified. + +.. _what_is_fips_mode_all_about: + +`What is FIPS Mode all about? <#what_is_fips_mode_all_about>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A FIPS-140 compliant application must do ALL of its cryptography in a FIPS-140 certified + "device". Whether it is hardware or software, that device will have all the cryptographic + engines in it, and also will stores keys and perhaps certificates inside. The device must have a + way for users to authenticate to it (to "login" to it), to prove to it that they are authorized + to use the cryptographic engines and keys it contains. It may not do ANY cryptographic + operations that involve the use of cryptographic keys, nor allow ANY of the keys or certificates + it holds to be seen or used, except when a user has successfully authenticated to it. If users + authenticate to it with a password, it must ensure that their passwords are strong passwords. It + must implement the US government standard algorithms (also specified in other FIPS documents) + such as AES, triple-DES, SHA-1 and SHA-256, that are needed to do whatever job the application + wants it to perform. It must generate or derive cryptographic keys and store them internally. + Except for "public keys", it must not allow any keys to leave it (to get outside of it) unless + they are encrypted ("wrapped") in a special way. This makes it difficult to move keys from one + device to another, and consequently, all crypto engines and key storage must be in a single + device rather than being split up into several devices. + +.. _how_does_this_affect_firefox_users: + +`How does this affect Firefox users? <#how_does_this_affect_firefox_users>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + These requirements have several implications for users. In FIPS Mode, every user must have a + good strong "master password", and must enter it each time they start or restart Firefox before + they can visit any web sites that use cryptography (https). Firefox can only use the latest + version of SSL, known as "TLS", and not the older SSL 2 or SSL 3.0 protocols, and Firefox can + only talk to those servers that use FIPS standard encryption algorithms such as AES or + triple-DES. Servers that can only use non-FIPS-approved encryption, such as RC4, cannot be used + in FIPS mode. + +.. _how_is_fips_mode_different_from_normal_non-fips_mode: + +`How is FIPS Mode different from normal non-FIPS Mode? <#how_is_fips_mode_different_from_normal_non-fips_mode>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + In normal non-FIPS Mode, the "master password" is optional and is allowed to be a weak short + password. The user is only required to enter his master password to use his own private keys (if + he has any) or to access his stored web-site passwords. The user is not required to enter the + master password to visit ordinary https servers, nor to view certificates he has previously + stored. In non-FIPS mode, NSS is willing and able to use popular non-FIPS approved cryptographic + algorithms, such as RC4 and MD5, to communicate with older https servers. NSS divides its + operations up into two "devices" rather than just one. One device does all the operations that + may be done without needing to authenticate, and the other device stores the user's certificates + and private keys and performs operations that use those private keys. + +.. _how_do_i_put_firefox_into_fips_mode: + +`How do I put Firefox into FIPS Mode? <#how_do_i_put_firefox_into_fips_mode>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Instructions for how to configure Firefox into FIPS mode may be found on + `support.mozilla.com `__. + Some third-parties distribute Firefox ready for FIPS mode, `a partial list can be found at the + NSS + wiki `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/http_delegation/index.rst b/security/nss/doc/rst/legacy/http_delegation/index.rst new file mode 100644 index 0000000000..f0288507d9 --- /dev/null +++ b/security/nss/doc/rst/legacy/http_delegation/index.rst @@ -0,0 +1,105 @@ +.. _mozilla_projects_nss_http_delegation: + +HTTP delegation +=============== + +`Background <#background>`__ +---------------------------- + +.. container:: + + Up to version 3.11, :ref:`mozilla_projects_nss` connects directly over + `HTTP `__ to an OCSP responder to make the + request and fetch the response. It does so in a blocking fashion, and also directly to the + responder, ignoring any proxy the application may wish to use. This causes OCSP requests to fail + if the network environment requires the use of a proxy. + + There are two possible solutions to this limitation. Instead of improving the simple HTTP client + in NSS, the NSS team has decided to provide an NSS API to register application callback + functions. If provided by the application, NSS will use the registered HTTP client for querying + an OSCP responder. + + This NSS feature is currently targeted to first appear in NSS version 3.11.1. More details can be + found in `bug 152426 `__. + + In order to use the HTTP Delegation feature in your NSS-based application, you need to implement + several callback functions. Your callback functions might be a full implementation of a HTTP + client. Or you might choose to leverage an existing HTTP client library and implement the + callback functions as a thin layer that forwards requests from NSS to the HTTP client library. + + To learn about all the details, please read the documentation contained in the NSS C header + files. Look for function SEC_RegisterDefaultHttpClient and all functions having names that start + with SEC_Http. + + To find an example implementation, you may look at + `bug 111384 `__, which tracks the + implementation in Mozilla client applications. + +.. _instructions_for_specifying_an_ocsp_proxy: + +`Specifying an OCSP proxy <#instructions_for_specifying_an_ocsp_proxy>`__ +------------------------------------------------------------------------- + +.. container:: + + The remainder of this document is a short HOWTO. + + One might expect the API defines a simple function that accepts the URI and data to be sent, and + returns the result data. But there is no such simple interface. + + The API should allow NSS to use the HTTP client either asynchronously or synchronously. In + addition, during an application session with OCSP enabled, a large number of OCSP requests might + have to be sent. Therefore the API should allow for keep-alive (persistent) HTTP connections. + + HTTP URIs consist of host:port and a path, e.g. + http://ocsp.provider.com:80/cgi-bin/ocsp-responder + + If NSS needs to access a HTTP server, it will request that an "http server session object" be + created (SEC_HttpServer_CreateSessionFcn). + + The http server session object is logically associated with host and port destination + information, in our example this is "host ocsp.provider.com port 80". The object may be used by + the application to associate it with a physical network connection. + + (NSS might choose to be smart, and only create a single http server session object for each + server encountered. NSS might also choose to be simple, and request multiple objects for the same + server. The application must support both strategies.) + + The logical http server session object is expected to remain valid until explicitly destroyed + (SEC_HttpServer_FreeSessionFcn). Should the application be unable to keep a physical connection + alive all the time, the application is expected to create new connections automatically. + + NSS may choose to repeatedly call a "network connection keep alive" function + (SEC_HttpServer_KeepAliveSessionFcn) on the server session object, giving application code a + chance to do whatever is required. + + For each individual HTTP request, NSS will request the creation of a "http request object" + (SEC_HttpRequest_CreateFcn). No full URI is provided as a parameter. Instead, the parameters are + a server session object (that carries host and port information already) and the request path. In + our example the path is "/cgi-bin/ocsp-responder". (When issueing GET requests, the + "?query-string=data" portion should already be appended to the request path) + + After creation, NSS might call functions to provide additional details of the HTTP request (e.g. + SEC_HttpRequest_SetPostDataFcn). The application is expected to collect the details for later + use. + + Once NSS is finished providing all details, it will request to initiate the actual network + communication (SEC_HttpRequest_TrySendAndReceiveFcn). The application should try to reuse + existing network connections associated with the server session object. + + Once the HTTP response has been obtained from the HTTP server, the function will provide the + results in its "out parameters". + + Please read the source code documentation to learn how to use this API synchronously or + asynchronously. + + Now that we have explained the interaction between NSS, the callback functions and the + application, let's look at the steps required by the application to initially register the + callbacks. + + Make sure you have completed the NSS initialization before you attempt to register the callbacks. + + Look at SEC_HttpClientFcn, which is a (versioned) table of function pointers. Create an instance + of this type and supply a pointer to your implementation for each entry in the function table. + + Finally register your HTTP client implementation with a call to SEC_RegisterDefaultHttpClient. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/http_delegation_clone/index.rst b/security/nss/doc/rst/legacy/http_delegation_clone/index.rst new file mode 100644 index 0000000000..ac305b2dd3 --- /dev/null +++ b/security/nss/doc/rst/legacy/http_delegation_clone/index.rst @@ -0,0 +1,105 @@ +.. _mozilla_projects_nss_http_delegation_clone: + +HTTP delegation +=============== + +`Background <#background>`__ +---------------------------- + +.. container:: + + Up to version 3.11, :ref:`mozilla_projects_nss` connects directly over + `HTTP `__ to an OCSP responder to make the + request and fetch the response. It does so in a blocking fashion, and also directly to the + responder, ignoring any proxy the application may wish to use. This causes OCSP requests to fail + if the network environment requires the use of a proxy. + + There are two possible solutions to this limitation. Instead of improving the simple HTTP client + in NSS, the NSS team has decided to provide an NSS API to register application callback + functions. If provided by the application, NSS will use the registered HTTP client for querying + an OSCP responder. + + This NSS feature is currently targeted to first appear in NSS version 3.11.1. More details can be + found in `bug 152426 `__. + + In order to use the HTTP Delegation feature in your NSS-based application, you need to implement + several callback functions. Your callback functions might be a full implementation of a HTTP + client. Or you might choose to leverage an existing HTTP client library and implement the + callback functions as a thin layer that forwards requests from NSS to the HTTP client library. + + To learn about all the details, please read the documentation contained in the NSS C header + files. Look for function SEC_RegisterDefaultHttpClient and all functions having names that start + with SEC_Http. + + To find an example implementation, you may look at + `bug 111384 `__, which tracks the + implementation in Mozilla client applications. + +.. _instructions_for_specifying_an_ocsp_proxy: + +`Specifying an OCSP proxy <#instructions_for_specifying_an_ocsp_proxy>`__ +------------------------------------------------------------------------- + +.. container:: + + The remainder of this document is a short HOWTO. + + One might expect the API defines a simple function that accepts the URI and data to be sent, and + returns the result data. But there is no such simple interface. + + The API should allow NSS to use the HTTP client either asynchronously or synchronously. In + addition, during an application session with OCSP enabled, a large number of OCSP requests might + have to be sent. Therefore the API should allow for keep-alive (persistent) HTTP connections. + + HTTP URIs consist of host:port and a path, e.g. + http://ocsp.provider.com:80/cgi-bin/ocsp-responder + + If NSS needs to access a HTTP server, it will request that an "http server session object" be + created (SEC_HttpServer_CreateSessionFcn). + + The http server session object is logically associated with host and port destination + information, in our example this is "host ocsp.provider.com port 80". The object may be used by + the application to associate it with a physical network connection. + + (NSS might choose to be smart, and only create a single http server session object for each + server encountered. NSS might also choose to be simple, and request multiple objects for the same + server. The application must support both strategies.) + + The logical http server session object is expected to remain valid until explicitly destroyed + (SEC_HttpServer_FreeSessionFcn). Should the application be unable to keep a physical connection + alive all the time, the application is expected to create new connections automatically. + + NSS may choose to repeatedly call a "network connection keep alive" function + (SEC_HttpServer_KeepAliveSessionFcn) on the server session object, giving application code a + chance to do whatever is required. + + For each individual HTTP request, NSS will request the creation of a "http request object" + (SEC_HttpRequest_CreateFcn). No full URI is provided as a parameter. Instead, the parameters are + a server session object (that carries host and port information already) and the request path. In + our example the path is "/cgi-bin/ocsp-responder". (When issuing GET requests, the + "?query-string=data" portion should already be appended to the request path) + + After creation, NSS might call functions to provide additional details of the HTTP request (e.g. + SEC_HttpRequest_SetPostDataFcn). The application is expected to collect the details for later + use. + + Once NSS is finished providing all details, it will request to initiate the actual network + communication (SEC_HttpRequest_TrySendAndReceiveFcn). The application should try to reuse + existing network connections associated with the server session object. + + Once the HTTP response has been obtained from the HTTP server, the function will provide the + results in its "out parameters". + + Please read the source code documentation to learn how to use this API synchronously or + asynchronously. + + Now that we have explained the interaction between NSS, the callback functions and the + application, let's look at the steps required by the application to initially register the + callbacks. + + Make sure you have completed the NSS initialization before you attempt to register the callbacks. + + Look at SEC_HttpClientFcn, which is a (versioned) table of function pointers. Create an instance + of this type and supply a pointer to your implementation for each entry in the function table. + + Finally register your HTTP client implementation with a call to SEC_RegisterDefaultHttpClient. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/index.rst b/security/nss/doc/rst/legacy/index.rst new file mode 100644 index 0000000000..fd55e1ac10 --- /dev/null +++ b/security/nss/doc/rst/legacy/index.rst @@ -0,0 +1,178 @@ +.. _mozilla_projects_nss: + +Legacy documentation +==================== + +.. toctree:: + :maxdepth: 2 + :glob: + :hidden: + + getting_started_with_nss/index.rst + introduction_to_network_security_services/index.rst + More documentation + +.. warning:: + This NSS documentation was just imported from our legacy MDN repository. It currently is very deprecated and likely incorrect or broken in many places. + +Legacy Documentation +-------------------- + +.. container:: + + **Network Security Services** (**NSS**) is a set of libraries designed to support cross-platform + development of security-enabled client and server applications. Applications built with NSS can + support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and + other security standards. + + For detailed information on standards supported, see :ref:`mozilla_projects_nss_overview`. For a + list of frequently asked questions, see the :ref:`mozilla_projects_nss_faq`. + + NSS is available under the Mozilla Public License. For information on downloading NSS releases as + tar files, see :ref:`mozilla_projects_nss_nss_sources_building_testing`. + + If you're a developer and would like to contribute to NSS, you might want to read the documents + :ref:`mozilla_projects_nss_an_overview_of_nss_internals` and + :ref:`mozilla_projects_nss_getting_started_with_nss`. + + .. rubric:: Background Information + :name: Background_Information + + :ref:`mozilla_projects_nss_overview` + Provides a brief summary of NSS and its capabilities. + :ref:`mozilla_projects_nss_faq` + Answers basic questions about NSS. + `Introduction to Public-Key Cryptography `__ + Explains the basic concepts of public-key cryptography that underlie NSS. + `Introduction to SSL `__ + Introduces the SSL protocol, including information about cryptographic ciphers supported by + SSL and the steps involved in the SSL handshake. + + .. rubric:: Getting Started + :name: Getting_Started + + :ref:`mozilla_projects_nss_nss_releases` + This page contains information about the current and past releases of NSS. + :ref:`mozilla_projects_nss_nss_sources_building_testing` + Instructions on how to build NSS on the different supported platforms. + `Get Mozilla Source Code Using Mercurial `__ + Information about with working with Mercurial. + `Get Mozilla Source Code Using CVS (deprecated) `__ + Old deprecated CVS documentation. + + .. rubric:: NSS APIs + :name: NSS_APIs + + :ref:`mozilla_projects_nss_introduction_to_network_security_services` + Provides an overview of the NSS libraries and what you need to know to use them. + :ref:`mozilla_projects_nss_ssl_functions` + Summarizes the SSL APIs exported by the NSS shared libraries. + :ref:`mozilla_projects_nss_reference` + API used to invoke SSL operations. + :ref:`mozilla_projects_nss_nss_api_guidelines` + Explains how the libraries and code are organized, and guidelines for developing code (naming + conventions, error handling, thread safety, etc.) + :ref:`mozilla_projects_nss_nss_tech_notes` + Links to NSS technical notes, which provide latest information about new NSS features and + supplementary documentation for advanced topics in programming with NSS. + + .. rubric:: Tools, testing, and other technical details + :name: Tools_testing_and_other_technical_details + + :ref:`mozilla_projects_nss_building` + Describe how to check out and build NSS releases. + + :ref:`mozilla_projects_nss_nss_developer_tutorial` + How to make changes in NSS. Coding style, maintaining ABI compatibility. + + :ref:`mozilla_projects_nss_tools` + Tools for developing, debugging, and managing applications that use NSS. + :ref:`mozilla_projects_nss_nss_sample_code` + Demonstrates how NSS can be used for cryptographic operations, certificate handling, SSL, etc. + :ref:`mozilla_projects_nss_nss_third-party_code` + A list of third-party code included in the NSS library. + `NSS 3.2 Test Suite `__ + **Archived version.** Describes how to run the standard NSS tests. + `NSS Performance Reports `__ + **Archived version.** Links to performance reports for NSS 3.2 and later releases. + `Encryption Technologies Available in NSS 3.11 `__ + **Archived version.** Lists the cryptographic algorithms used by NSS 3.11. + `NSS 3.1 Loadable Root Certificates `__ + **Archived version.** Describes the scheme for loading root CA certificates. + `cert7.db `__ + **Archived version.** General format of the cert7.db database. + + .. rubric:: PKCS #11 information + :name: PKCS_11_information + + - :ref:`mozilla_projects_nss_pkcs11` + - :ref:`mozilla_projects_nss_pkcs11_implement` + - :ref:`mozilla_projects_nss_pkcs11_module_specs` + - :ref:`mozilla_projects_nss_pkcs11_faq` + - `Using the JAR Installation Manager to Install a PKCS #11 Cryptographic + Module `__ + - `PKCS #11 Conformance Testing - Archived + version `__ + + .. rubric:: CA certificates pre-loaded into NSS + :name: CA_certificates_pre-loaded_into_NSS + + - `Mozilla CA certificate policy `__ + - `List of pre-loaded CA certificates `__ + + - Consumers of this list must consider the trust bit setting for each included root + certificate. `More + Information `__, `Extracting + roots and their trust bits `__ + + .. rubric:: NSS is built on top of Netscape Portable Runtime (NSPR) + :name: NSS_is_built_on_top_of_Netscape_Portable_Runtime_NSPR + + `Netscape Portable Runtime `__ + NSPR project page. + `NSPR Reference `__ + NSPR API documentation. + + .. rubric:: Additional Information + :name: Additional_Information + + - `Using the window.crypto object from + JavaScript `__ + - :ref:`mozilla_projects_nss_http_delegation` + - :ref:`mozilla_projects_nss_tls_cipher_suite_discovery` + - :ref:`mozilla_projects_nss_certificate_download_specification` + - :ref:`mozilla_projects_nss_fips_mode_-_an_explanation` + - :ref:`mozilla_projects_nss_key_log_format` + + .. rubric:: Planning + :name: Planning + + Information on NSS planning can be found at `wiki.mozilla.org `__, + including: + + - `FIPS Validation `__ + - `NSS Roadmap page `__ + - `NSS Improvement + Project `__ + +Community +~~~~~~~~~ + +- View Mozilla Security forums... + +- `Mailing list `__ +- `Newsgroup `__ +- `RSS feed `__ + +- View Mozilla Cryptography forums... + +- `Mailing list `__ +- `Newsgroup `__ +- `RSS feed `__ + + +Related Topics +~~~~~~~~~~~~~~ + +- `Security `__ + diff --git a/security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst b/security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst new file mode 100644 index 0000000000..b2010de17b --- /dev/null +++ b/security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst @@ -0,0 +1,162 @@ +.. _mozilla_projects_nss_introduction_to_network_security_services: + +Introduction to Network Security Services +========================================= + +.. container:: + + **Network Security Services (NSS)** is a set of libraries designed to support cross-platform + development of communications applications that support SSL, S/MIME, and other Internet security + standards. For a general overview of NSS and the standards it supports, see + :ref:`mozilla_projects_nss_overview`. + +.. _shared_libraries: + +`Shared libraries <#shared_libraries>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Network Security Services provides both static libraries and shared libraries. Applications that + use the shared libraries must use only the APIs that they export. Three shared libraries export + public functions: + + - The SSL library supports core SSL operations. + - The S/MIME library supports core S/MIME operations. + - The NSS library supports core crypto operations. + + We guarantee that applications using the exported APIs will remain compatible with future + versions of those libraries. For a complete list of public functions exported by these shared + libraries in NSS 3.2, see :ref:`mozilla_projects_nss_reference_nss_functions`. + + For information on which static libraries in NSS 3.1.1 are replaced by each of the above shared + libraries in NSS 3.2 , see `Migration from NSS + 3.1.1 `__. + + Figure 1, below, shows a simplified view of the relationships among the three shared libraries + listed above and NSPR, which provides low-level cross platform support for operations such as + threading and I/O. (Note that NSPR is a separate Mozilla project; see `Netscape Portable + Runtime `__ for details.) + + .. image:: /en-US/docs/Mozilla/Projects/NSS/Introduction_to_Network_Security_Services/nss.gif + :alt: Diagram showing the relationships among core NSS libraries and NSPR. + :width: 429px + :height: 196px + +.. _naming_conventions_and_special_libraries: + +`Naming conventions and special libraries <#naming_conventions_and_special_libraries>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Windows and Unix use different naming conventions for static and dynamic libraries: + + ======= ======== ================== + Windows Unix + static ``.lib`` ``.a`` + dynamic ``.dll`` ``.so`` or ``.sl`` + ======= ======== ================== + + In addition, Windows has "import" libraries that bind to dynamic libraries. So the NSS library + has the following forms: + + - ``libnss3.so`` - Unix shared library + - ``libnss3.sl`` - HP-UX shared library + - ``libnss.a`` - Unix static library + - ``nss3.dll`` - Windows shared library + - ``nss3.lib`` - Windows import library binding to ``nss3.dll`` + - ``nss.lib`` - Windows static library + + NSS, SSL, and S/MIME have all of the above forms. + + The following static libraries aren't included in any shared libraries + + - ``libcrmf.a``/``crmf.lib`` provides an API for CRMF operations. + - ``libjar.a``/``jar.lib`` provides an API for creating JAR files. + + The following static libraries are included only in external loadable PKCS #11 modules: + + - ``libnssckfw.a``/``nssckfw.lib`` provides an API for writing PKCS #11 modules. + - ``libswfci.a``/``swfci.lib`` provides support for software FORTEZZA. + + The following shared libraries are standalone loadable modules, not meant to be linked with + directly: + + - ``libfort.so``/``libfort.sl``/``fort32.dll`` provides support for hardware FORTEZZA. + - ``libswft.so``/``libswft.sl``/``swft32.dll`` provides support for software FORTEZZA. + - ``libnssckbi.so``/``libnssckbi.sl``/``nssckbi.dll`` defines the default set of trusted root + certificates. + +.. _support_for_ilp32: + +`Support for ILP32 <#support_for_ilp32>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + In NSS 3.2 and later versions, there are two new shared libraries for the platforms HP-UX for + PARisc CPUs and Solaris for (Ultra)Sparc (not x86) CPUs. These HP and Solaris platforms allow + programs that use the ILP32 program model to run on both 32-bit CPUs and 64-bit CPUs. The two + libraries exist to provide optimal performance on each of the two types of CPUs. + + These two extra shared libraries are not supplied on any other platforms. The names of these + libraries are platform-dependent, as shown in the following table. + + ================================== ============================ ============================ + Platform for 32-bit CPUs for 64-bit CPUs + Solaris/Sparc ``libfreebl_pure32_3.so`` ``libfreebl_hybrid_3.so`` + HPUX/PARisc ``libfreebl_pure32_3.sl`` ``libfreebl_hybrid_3.sl`` + AIX (planned for a future release) ``libfreebl_pure32_3_shr.a`` ``libfreebl_hybrid_3_shr.a`` + ================================== ============================ ============================ + + An application should not link against these libraries, because they are dynamically loaded by + NSS at run time. Linking the application against one or the other of these libraries may produce + an application program that can only run on one type of CPU (e.g. only on 64-bit CPUs, not on + 32-bit CPUs) or that doesn't use the more efficient 64-bit code on 64-bit CPUs, which defeats the + purpose of having these shared libraries. + + On platforms for which these shared libraries exist, NSS 3.2 will fail if these shared libs are + not present. So, an application must include these files in its distribution of NSS shared + libraries. These shared libraries should be installed in the same directory where the other NSS + shared libraries (such as ``libnss3.so``) are installed. Both shared libs should always be + installed whether the target system has a 32-bit CPU or a 64-bit CPU. NSS will pick the right one + for the local system at run time. + + Note that NSS 3.x is also available in the LP64 model for these platforms, but the LP64 model of + NSS 3.x does not have these two extra shared libraries. + +.. _what_you_should_already_know: + +`What you should already know <#what_you_should_already_know>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Before using NSS, you should be familiar with the following topics: + + - Concepts and techniques of public-key cryptography + - The Secure Sockets Layer (SSL) protocol + - The PKCS #11 standard for cryptographic token interfaces + - Cross-platform development issues and techniques + +.. _where_to_find_more_information: + +`Where to find more information <#where_to_find_more_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + For information about PKI and SSL that you should understand before using NSS, see the following: + + - `Introduction to Public-Key + Cryptography `__ + - `Introduction to + SSL `__ + + For links to API documentation, build instructions, and other useful information, see the + :ref:`mozilla_projects_nss`. + + As mentioned above, NSS is built on top of NSPR. The API documentation for NSPR is available at + `NSPR API + Reference `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst b/security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst new file mode 100644 index 0000000000..68c920c63b --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst @@ -0,0 +1,174 @@ +.. _mozilla_projects_nss_jss_4_3_1_release_notes: + +4.3.1 Release Notes +=================== + +.. _release_date_2009-12-02: + +`Release Date: 2009-12-02 <#release_date_2009-12-02>`__ +------------------------------------------------------- + +.. container:: + +`Introduction <#introduction>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Network Security Services for Java (JSS) 4.3.1 is a minor release with the following new + features: + + - Support for SSL3 & TLS Renegotiation Vulnerability + - Support to explicitly set the key usage for the generated private key + + JSS 4.3.1 is `tri-licensed `__ under MPL 1.1/GPL 2.0/LGPL 2.1. + +.. _new_in_jss_4.3.1: + +`New in JSS 4.3.1 <#new_in_jss_4.3.1>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A list of bug fixes and enhancement requests were implemented in this release can be obtained by + running this `bugzilla + query `__ + + **JSS 4.3.1 requires :ref:`mozilla_projects_nss_3_12_5_release_notes` or higher.** + + .. rubric:: SSL3 & TLS Renegotiation Vulnerability + :name: ssl3_tls_renegotiation_vulnerability + + See `CVE-2009-3555 `__ and `US-CERT + VU#120541 `__ for more information about this security + vulnerability. + + All SSL/TLS renegotiation is disabled by default in NSS 3.12.5 and therefore will be disabled by + default with JSS 4.3.1. This will cause programs that attempt to perform renegotiation to + experience failures where they formerly experienced successes, and is necessary for them to not + be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF. + + If an application depends on renegotiation feature, it can be enabled by setting the environment + variable NSS_SSL_ENABLE_RENEGOTIATION to 1. By setting this environmental variable, the fix + provided by these patches will have no effect and the application may become vulnerable to the + issue. + + This default setting can also be changed within the application by using the following JSS + methods: + + - SSLServerSocket.enableRenegotiation(int mode) + - SSLSocket.enableRenegotiation(int mode) + - SSLSocket.enableRenegotiationDefault(int mode) + + The mode of renegotiation that the peer must use can be set to the following: + + - SSLSocket.SSL_RENEGOTIATE_NEVER - Never renegotiate at all. (Default) + - SSLSocket.SSL_RENEGOTIATE_UNRESTRICTED - Renegotiate without + restriction, whether or not the peer's client hello bears the + renegotiation info extension (like we always did in the past). + - SSLSocket.SSL_RENEGOTIATE_REQUIRES_XTN - NOT YET IMPLEMENTED + + .. rubric:: Explicitly set the key usage for the generated private key + :name: explicitly_set_the_key_usage_for_the_generated_private_key + + | In PKCS #11, each keypair can be marked with the operations it will + | be used to perform. Some tokens require that a key be marked for + | an operation before the key can be used to perform that operation; + | other tokens don't care. NSS/JSS provides a way to specify a set of + | flags and a corresponding mask for these flags. + + - see generateECKeyPairWithOpFlags + - see generateRSAKeyPairWithOpFlags + - see generateDSAKeyPairWithOpFlags + + + +`Distribution Information <#distribution_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS is checked into ``mozilla/security/jss/``. + - The CVS tag for the JSS 4.3.1 release is ``JSS_4_3_1_RTM``. + - Source tarballs are available from + `ftp://ftp.mozilla.org/pub/mozilla.or...-4.3.1.tar.bz2 `__ + - Binary releases are no longer available on mozilla. JSS is a JNI library we provide the + jss4.jar but expect you to build the JSS's matching JNI shared library. We provide the + jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a + JCE provider and therefore the jss4.jar must be signed. + `ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_1_RTM `__. + +`Documentation <#documentation>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Documentation for JSS 4.3.1 is available as follows: + + - `Build Instructions for JSS 4.3.1 `__ + - Javadoc `[online] `__ + `[zipped] `__ + - Read the instructions on `using JSS `__. + - Source may be viewed with a browser (via the MXR tool) at + http://mxr.mozilla.org/mozilla/source/security/jss/ + - The RUN TIME behavior of JSS can be affected by the + :ref:`mozilla_projects_nss_reference_nss_environment_variables`. + +.. _platform_information: + +`Platform Information <#platform_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - You can check out the source from CVS by + + .. note:: + + cvs co -r JSS_4_3_1_RTM JSS + + - JSS 4.3.1 works with JDK versions 4 or higher we suggest the latest. + + - JSS 4.3.1 requires :ref:`mozilla_projects_nss_3_12_5` or higher. + + - JSS 4.3.1 requires `NSPR 4.7.1 `__ or + higher. + + - JSS only supports the native threading model (no green threads). + +.. _known_bugs_and_issues: + +`Known Bugs and Issues <#known_bugs_and_issues>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - For a list of reported bugs that have not yet been fixed, `click + here. `__ + Note that some bugs may have been fixed since JSS 4.3.1 was released. + +`Compatibility <#compatibility>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 4.3.1 is backwards compatible with JSS 4.2. Applications compiled against JSS 4.2 will + work with JSS 4.3.1. + - The 4.3.1 version of libjss4.so/jss4.dll must only be used with jss4.jar. In general, a JSS + JAR file must be used with the JSS shared library from the exact same release. + - To obtain the version info from the jar file use, + "System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)" and to check the shared + library: strings libjss4.so \| grep -i header + +`Feedback <#feedback>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - Bugs discovered should be reported by filing a bug report with + `bugzilla `__. + - You can also give feedback directly to the developers on the Mozilla Cryptography forums... + + - `Mailing list `__ + - `Newsgroup `__ + - `RSS feed `__ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst b/security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst new file mode 100644 index 0000000000..7f65d1d4ed --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst @@ -0,0 +1,175 @@ +.. _mozilla_projects_nss_jss_4_3_releasenotes: + +4.3 Release Notes +================= + +.. _release_date_01_april_2009: + +`Release Date: 01 April 2009 <#release_date_01_april_2009>`__ +------------------------------------------------------------- + +.. container:: + +`Introduction <#introduction>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Network Security Services for Java (JSS) 4.3 is a minor release with the following new features: + + - SQLite-Based Shareable Certificate and Key Databases + - libpkix: an RFC 3280 Compliant Certificate Path Validation Library + - PKCS11 needsLogin method + - support HmacSHA256, HmacSHA384, and HmacSHA512 + - support for all NSS 3.12 initialization options + + JSS 4.3 is `tri-licensed `__ under MPL 1.1/GPL 2.0/LGPL 2.1. + +.. _new_in_jss_4.3: + +`New in JSS 4.3 <#new_in_jss_4.3>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A list of bug fixes and enhancement requests were implemented in this release can be obtained by + running this `bugzilla + query `__ + + **JSS 4.3 requires**\ `NSS + 3.12 `__\ **or + higher.** + + - New `SQLite-Based Shareable Certificate and Key + Databases `__ by prepending the string "sql:" to the + directory path passed to configdir parameter for Crypomanager.initialize method or using the + NSS environment variable :ref:`mozilla_projects_nss_reference_nss_environment_variables`. + - Libpkix: an RFC 3280 Compliant Certificate Path Validation Library (see + `PKIXVerify `__) + - PK11Token.needsLogin method (see needsLogin) + - support HmacSHA256, HmacSHA384, and HmacSHA512 (see + `HMACTest.java `__) + - support for all NSS 3.12 initialization options (see InitializationValues) + - New SSL error codes (see https://mxr.mozilla.org/security/sour...util/SSLerrs.h) + + - SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT + SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT + SSL_ERROR_UNRECOGNIZED_NAME_ALERT + SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT + SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT + + - New TLS cipher suites (see https://mxr.mozilla.org/security/sour...SSLSocket.java): + + - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + + - Note: the following TLS cipher suites are declared but are not yet implemented: + + - TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA + TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA + TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA + TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA + TLS_ECDH_anon_WITH_NULL_SHA + TLS_ECDH_anon_WITH_RC4_128_SHA + TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA + TLS_ECDH_anon_WITH_AES_128_CBC_SHA + TLS_ECDH_anon_WITH_AES_256_CBC_SHA + + + +`Distribution Information <#distribution_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS is checked into ``mozilla/security/jss/``. + - The CVS tag for the JSS 4.3 release is ``JSS_4_3_RTM``. + - Source tarballs are available from + https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/src/jss-4.3.tar.bz2 + - Binary releases are no longer available on mozilla. JSS is a JNI library we provide the + jss4.jar but expect you to build the JSS's matching JNI shared library. We provide the + jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a + JCE provider and therefore the jss4.jar must be signed. + https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/ + + -------------- + +`Documentation <#documentation>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Documentation for JSS 4.3 is available as follows: + + - `Build Instructions for JSS 4.3 `__ + - Javadoc `[online] `__ + `[zipped] `__ + - Read the instructions on `using JSS `__. + - Source may be viewed with a browser (via the MXR tool) at + http://mxr.mozilla.org/mozilla/source/security/jss/ + - The RUN TIME behavior of JSS can be affected by the + :ref:`mozilla_projects_nss_reference_nss_environment_variables`. + +.. _platform_information: + +`Platform Information <#platform_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 4.3 works with JDK versions 4 or higher we suggest the latest. + - JSS 4.3 requires `NSS + 3.12 `__ + or higher. + - JSS 4.3 requires `NSPR 4.7.1 `__ or + higher. + - JSS only supports the native threading model (no green threads). + + -------------- + +.. _known_bugs_and_issues: + +`Known Bugs and Issues <#known_bugs_and_issues>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - For a list of reported bugs that have not yet been fixed, `click + here. `__ + Note that some bugs may have been fixed since JSS 4.3 was released. + + -------------- + +`Compatibility <#compatibility>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 4.3 is backwards compatible with JSS 4.2. Applications compiled against JSS 4.2 will work + with JSS 4.3. + - The 4.3 version of libjss4.so/jss4.dll must only be used with jss4.jar. In general, a JSS JAR + file must be used with the JSS shared library from the exact same release. + - To obtain the version info from the jar file use, + "System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)" and to check the shared + library: strings libjss4.so \| grep -i header + + -------------- + +`Feedback <#feedback>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - Bugs discovered should be reported by filing a bug report with + `bugzilla `__. + - You can also give feedback directly to the developers on the Mozilla Cryptography forums... + + - `Mailing list `__ + - `Newsgroup `__ + - `RSS feed `__ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst new file mode 100644 index 0000000000..a864a452ee --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst @@ -0,0 +1,99 @@ +.. _mozilla_projects_nss_jss_build_instructions_for_jss_4_3_x: + +Build instructions for JSS 4.3.x +================================ + +.. _build_instructions_for_jss_4.3.x: + +`Build Instructions for JSS 4.3.x <#build_instructions_for_jss_4.3.x>`__ +------------------------------------------------------------------------ + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + + Before building JSS, you need to set up your system as follows: + + #. Build NSPR/NSS by following the + :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions`, + #. To check that NSS built correctly, run ``all.sh`` (in ``mozilla/security/nss/tests``) and + examine the results (in + ``mozilla/test_results/security/``\ *computername*.#\ ``/results.html``. + #. Install a Java compiler and runtime. JSS supports Java version 1.5 or later. We suggest you + use the latest. + #. You must have Perl version 5.005 or later. + + Now you are ready to build JSS. Follow these steps: + + #. Switch to the appropriate directory and check out JSS from the root of your source tree. + + .. code:: + + cvs co -r JSS_4_3_1_RTM mozilla/security/jss + + or + + .. code:: + + cvs co -r JSS_4_3_RTM mozilla/security/jss + + #. Setup environment variables needed for compiling Java source. The ``JAVA_HOME`` variable + indicates the directory containing your Java SDK installation. Note, on Windows platforms it + is best to have JAVA_HOME set to a directory path that doest not have spaces. + + **Unix** + + .. code:: + + setenv JAVA_HOME /usr/local/jdk1.5.0 (or wherever your JDK is installed) + + **Windows** + + .. code:: + + set JAVA_HOME=c:\programs\jdk1.5.0 (or wherever your JDK is installed) + + **Windows (Cygnus)** + + .. code:: + + JAVA_HOME=/cygdrive/c/programs/jdk1.5.0 (or wherever your JDK is installed) + export JAVA_HOME + + | **Windows build Configurations WINNT vs WIN95** + + .. code:: + + As of NSS 3.15.4, NSPR/NSS/JSS build generates a "WIN95" configuration by default on Windows. + We recommend most applications use the "WIN95" configuration. If you want JSS to be used + with your applet and the Firefox browser than you must build WIN95. (See JSS FAQ) + The "WIN95" configuration supports all versions of Windows. The "WIN95" name is historical; + it should have been named "WIN32". + To generate a "WINNT" configuration, set OS_TARGET=WINNT and build NSPR/NSS/JSS WIN95. + + | Mac OS X + | It has been recently reported that special build instructions are necessary to succeed + building JSS on OSX. Please + see `HOWTO_successfully_compile_JSS_and_NSS_for_32_and_64_bits_on_OSX_10.6_(10.6.7) `__ + for contributed instructions. + | + + #. Build JSS. + + .. code:: + + cd mozilla/security/jss + gmake + + #. Sign the JSS jar. + + .. code:: + + If you're intention is to modify and build the JSS source you + need to Apply for your own JCE code-signing certificate + + If you made no changes and your goal is to build JSS you can use the + signed binary release of the jss4.jar from ftp.mozilla.org. + with your built jss4 JNI shared library. + + Next, you should read the instructions on `using JSS `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst new file mode 100644 index 0000000000..bdbea81953 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst @@ -0,0 +1,19 @@ +.. _mozilla_projects_nss_jss_build_instructions_for_jss_4_4_x: + +Build instructions for JSS 4.4.x +================================ + +.. _build_instructions_for_jss_4.4.x: + +`Build Instructions for JSS 4.4.x <#build_instructions_for_jss_4.4.x>`__ +------------------------------------------------------------------------ + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + + To build JSS see `Upstream JSS Build/Test + Instructions `__ + + `Next, you should read the instructions + on `__ `using JSS `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/index.rst b/security/nss/doc/rst/legacy/jss/index.rst new file mode 100644 index 0000000000..c09374dbc6 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/index.rst @@ -0,0 +1,165 @@ +.. _mozilla_projects_nss_jss: + +JSS +=== + +`Documentation <#documentation>`__ +---------------------------------- + +.. container:: + + .. warning:: + + **The JSS project has been relocated!** + + As of April 6, 2018, JSS has been migrated from Mercurial on Mozilla to Git on Github. + + JSS source should now be checked out from the Github: + + - git clone git@github.com:dogtagpki/jss.git + -- OR -- + - git clone https://github.com/dogtagpki/jss.git + + All future upstream enquiries to JSS should now use the Pagure Issue Tracker system: + + - https://pagure.io/jss/issues + + Documentation regarding the JSS project should now be viewed at: + + - http://www.dogtagpki.org/wiki/JSS + + **NOTE: As much of the JSS documentation is sorely out-of-date, updated information will be a + work in progress, and many portions of any legacy documentation will be re-written over the + course of time. Stay tuned!** + + Legacy JSS information can still be found at: + + - SOURCE: https://hg.mozilla.org/projects/jss + - ISSUES: https://bugzilla.mozilla.org/buglist.cgi?product=JSS + - WIKI: :ref:`mozilla_projects_nss_jss` + + Network Security Services for Java (JSS) is a Java interface to + `NSS `__. JSS supports most of the security + standards and encryption technologies supported by :ref:`mozilla_projects_nss_reference`. JSS + also provides a pure Java interface for ASN.1 types and BER/DER encoding. + + JSS offers a implementation of Java SSL sockets that uses NSS's SSL/TLS implementation rather + than Sun's JSSE implementation. You might want to use JSS's own `SSL + classes `__ if you want to use some + of the capabilities found in NSS's SSL/TLS library but not found in JSSE. + + NSS is the cryptographic module where all cryptographic operations are performed. JSS essentially + provides a Java JNI bridge to NSS C shared libraries. When NSS is put in FIPS mode, JSS ensures + FIPS compliance by ensuring that all cryptographic operations are performed by the NSS + cryptographic module. + + JSS offers a JCE provider, `"Mozilla-JSS" JCA Provider notes `__. + + JSS, jss4.jar, is still built with JDK 1.4.2. While JDK 1.4.2 is EOL'd and all new product + development should be using the latest + `JavaSE `__, legacy business products that must + use JDK 1.4 or 1.5 can continue to add NSS/JSS security fixes/enhancements. + + JSS is used by Red Hat and Sun products that do crypto in Java. JSS is available under the + Mozilla Public License, the GNU General Public License, and the GNU Lesser General Public + License. JSS requires `NSPR `__ and + `NSS `__. + + Java provides a JCE provider called SunPKCS11 (see `Java PKCS#11 Reference + Guide `__.) SunPKCS11 + can be configured to use the NSS module as the crytographic provider. If you are planning to just + use JSS JCE provider as a bridge to NSS's FIPS validated PKCS#11 module, then the SunPKCS11 JCE + provider may do all that you need. Note that Java 1.5 claimed no FIPS compliance, and `Java + 1.6 `__ or higher + needs to be used. A current limitation to the configured SunPKCS11-NSS bridge configuration is if + you add a PKCS#11 module to the NSS database such as for a smartcard, you won't be able to access + that smartcard through the SunPKCS11-NSS bridge. If you use JSS, you can easily get lists of + modules and tokens that are configured in the NSS DB and freely access all of it. + + +-------------------------------------------------+-------------------------------------------------+ + | Before you use JSS, you should have a good | .. rubric:: Community | + | understanding of the crypto technologies it | :name: Community | + | uses. You might want to read these documents: | | + | | - View Mozilla Cryptography forums... | + | - `Introduction to Public-Key | | + | Crypt | - `Mailing | + | ography `__. | /lists.mozilla.org/listinfo/dev-tech-crypto>`__ | + | Explains the basic concepts of public-key | - `Newsgroup `__ | + | - `Introduction to | - `RSS | + | SSL `__. | gle.com/group/mozilla.dev.tech.crypto/feeds>`__ | + | Introduces the SSL protocol, including | | + | information about cryptographic ciphers | .. rubric:: Related Topics | + | supported by SSL and the steps involved in | :name: Related_Topics | + | the SSL handshake. | | + | | - `Security `__ | + | see `NSS sources building | | + | testing `__\ `. `__ | | + | | | + | Read `Using JSS `__ to get you | | + | started with development after you've built and | | + | downloaded it. | | + | | | + | .. rubric:: Release Notes | | + | :name: Release_Notes | | + | | | + | - `4.3.1 Release | | + | Notes `__ | | + | - `4.3 Release | | + | Notes `__ | | + | - `Older Release | | + | Notes `__ | | + | | | + | .. rubric:: Build Instructions | | + | :name: Build_Instructions | | + | | | + | - :re | | + | f:`mozilla_projects_nss_jss_build_instructions_ | | + | for_jss_4_4_x#build_instructions_for_jss_4_4_x` | | + | - `Building JSS | | + | 4.3.x `__ | | + | - `Older Build | | + | Instructions `__ | | + | | | + | .. rubric:: Download or View Source | | + | :name: Download_or_View_Source | | + | | | + | - `Download binaries, source, and | | + | javadoc `__ | | + | - `View the source | | + | online `__ | | + | | | + | .. rubric:: Testing | | + | :name: Testing | | + | | | + | - `JSS | | + | tests `__ | | + | | | + | .. rubric:: Frequently Asked Questions | | + | :name: Frequently_Asked_Questions | | + | | | + | - `JSS FAQ `__ | | + | | | + | Information on JSS planning can be found at | | + | `wik | | + | i.mozilla.org `__, | | + | including: | | + | | | + | - `NSS FIPS | | + | Validati | | + | on `__ | | + | - `NSS Roadmap | | + | | | + | page `__ | | + +-------------------------------------------------+-------------------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/jss_faq/index.rst b/security/nss/doc/rst/legacy/jss/jss_faq/index.rst new file mode 100644 index 0000000000..d419586452 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/jss_faq/index.rst @@ -0,0 +1,217 @@ +.. _mozilla_projects_nss_jss_jss_faq: + +JSS FAQ +======= + +.. _jss_frequently_asked_questions: + +`JSS Frequently Asked Questions <#jss_frequently_asked_questions>`__ +-------------------------------------------------------------------- + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + + **Content:** + + - `What versions of JDK and JCE do you suggest? <#jdkjce1>`__ + - `Does JSS have 64 bit support? <#64bit>`__ + - `Is JSS FIPS Compliant? <#fips>`__ + - `Is there any sample code and documentation? <#sample>`__ + - `If I don't call setCipherPolicy, is the DOMESTIC policy used by + default? <#setcipherpolicy>`__ + - `My SSL connection is hanging on Windows? <#ssl_hanging>`__ + - `How can I tell which SSL/TLS ciphers JSS supports? <#ssltls_cipher>`__ + - `How can I debug my SSL connection? <#ssl_debug>`__ + - `Can you explain JSS SSL certificate approval callbacks? <#ssl_callback>`__ + - `Can I have multiple JSS instances reading separate db's? <#jss_instance>`__ + - `Once JSS initialized, I can't get anymore instances with + CertificateFactory.getInstance(X.509)? <#jss_init>`__ + - `Is it possible to sign data in Java with JSS? <#sign_date>`__ + - `How do I convert org.mozilla.jss.crypto.X509Certificate to + org.mozilla.jss.pkix.cert.Certificate? <#convertx509>`__ + - `How do I convert org.mozilla.jss.pkix.cert to + org.mozilla.jss.crypto.X509Certificate? <#convertpkix>`__ + - `Is it possible to use JSS to access cipher functionality from pkcs11 modules? <#pkc11>`__ + - `Can you explain token names and keys with regards to JSS? <#token_name>`__ + - `JSS 3.2 has JCA support. When will JSS have JSSE support? <#jssjsse>`__ + + **What versions of JDK and JRE do you suggest?** + + - JSS 3.x works with JDK versions 1.2 or higher, except version 1.3.0. Most attention for future + development and bug fixing will go to JDK 1.4 and later, so use that if you can. If you are + using JDK 1.3.x, you will need to use at least version 1.3.1--see `bug + 113808 `__. JSS only supports the native + threading model (no green threads). For JSS 3.2 and higher, if you use JDK 1.4 or higher you + will not need to install the JCE, but if you using an earlier version of the JDK then you will + also have to install JCE 1.2.1. See also the document `Using JSS `__. + + **Does JSS have 64 bit support?** + + - Yes, JSS 3.2 and higher supports 64 bit. You will need JDK 1.4 or higher and all the 64 bit + versions of NSPR, and NSS. As well you must use the java flag -d64 to specify the 64-bit data + model. + + **Is JSS FIPS Compliant?** + + - NSS is a FIPS-certified software library. JSS is considered a FIPS-compliant software library + since it only uses NSS for any and all crypto routines. + + **Is there any sample code and documentation?** + + - The `Using JSS `__ document describes how to set up your environment to run JSS. + The only other documentation is the + `Javadoc `__. + + JSS example code is essentially developer test code; with that understanding, the best + directory to look for sample code is in the org/mozilla/jss/tests directory: + + http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests + + | `org/mozilla/jss/tests/CloseDBs.java `__ + | `org/mozilla/jss/tests/KeyFactoryTest.java `__ + | `org/mozilla/jss/tests/DigestTest.java `__ + | `org/mozilla/jss/tests/JCASigTest.java `__ + | `org/mozilla/jss/tests/KeyWrapping.java `__ + | `org/mozilla/jss/tests/ListCerts.java `__ + | `org/mozilla/jss/tests/PK10Gen.java `__ + | `org/mozilla/jss/tests/SDR.java `__ + | `org/mozilla/jss/tests/SelfTest.java `__ + | `org/mozilla/jss/tests/SetupDBs.java `__ + | `org/mozilla/jss/tests/SigTest.java `__ + | `org/mozilla/jss/tests/SymKeyGen.java `__ + | `org/mozilla/jss/tests/TestKeyGen.java `__ + | `org/mozilla/jss/tests/SSLClientAuth.java `__ + | `org/mozilla/jss/tests/ListCACerts.java `__ + | `org/mozilla/jss/tests/KeyStoreTest.java `__ + | `org/mozilla/jss/tests/VerifyCert.java `__ + + SSL examples: + + | `org/mozilla/jss/tests/SSLClientAuth.java `__ + | `org/mozilla/jss/ssl/SSLClient.java `__ + | `org/mozilla/jss/ssl/SSLServer.java `__ + | `org/mozilla/jss/ssl/SSLTest.java `__ + + Other test code that may prove useful: + + | `org/mozilla/jss/asn1/INTEGER.java `__ + | `org/mozilla/jss/asn1/SEQUENCE.java `__ + | `org/mozilla/jss/asn1/SET.java `__ + | `org/mozilla/jss/pkcs10/CertificationRequest.java `__ + | `org/mozilla/jss/pkcs12/PFX.java `__ + | `org/mozilla/jss/pkix/cert/Certificate.java `__ + | `org/mozilla/jss/pkix/cmmf/CertRepContent.java `__ + | `org/mozilla/jss/pkix/crmf/CertReqMsg.java `__ + | `org/mozilla/jss/pkix/crmf/CertTemplate.java `__ + | `org/mozilla/jss/pkix/primitive/Name.java `__ + | `org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java `__ + | `org/mozilla/jss/util/UTF8Converter.java `__ + | `org/mozilla/jss/util/Base64InputStream.java `__ + | `jss/samples/PQGGen.java `__ + | `jss/samples/pkcs12.java `__ + + **If I don't call setCipherPolicy, is the DOMESTIC policy used by default?** + + - Yes, domestic is the default because we call NSS_SetDomesticPolicy() during + CryptoManager.initialize(). setCipherPolicy does not need to be called by a JSS app unless + that app wants to limit itself to export-allowed cipher suites. + + **My SSL connection is hanging on Windows?** + + - NSPR makes use of NT vs. Windows distinction and provides different NT and Windows builds. + Many Netscape products, including NSS, have NT and Windows builds that are essentially the + same except one difference: one is linked with the NT version of NSPR and the other is linked + with the Windows version of NSPR. The NT fiber problem affects applications that call blocking + system calls from the primordial thread. Either use the WIN 95 version of NSPR/NSS/JSS + components (essentially all non-fiber builds) or set the environment variable + NSPR_NATIVE_THREADS_ONLY=1. You can find more information in bugzilla bug + `102251 `__ SSL session cache locking + issue with NT fibers + + **How can I tell which SSL/TLS ciphers JSS supports?** + + - Check + http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLSocket.java#730 + + **How can I debug my SSL connection?** + + - By using the NSS tool :ref:`mozilla_projects_nss_tools_ssltap` + + **Can you explain JSS SSL certificate approval callbacks?** + + - NSS has three callbacks related to certificates. JSS has two. But JSS combines two of the NSS + callbacks into one. + + - NSS's three SSL cert callbacks are: + + #. SSL_AuthCertificateHook sets a callback to authenticate the peer's certificate. It is + called instead of NSS's routine for authenticating certificates. + #. SSL_BadCertHook sets a callback that is called when NSS's routine fails to authenticate the + certificate. + #. SSL_GetClientAuthDataHook sets a callback to return the local certificate for SSL client + auth. + + JSS's two callbacks are: + + #. SSLCertificateApprovalCallback is a combination of SSL_AuthCertificateHook and + SSL_BadCertHook. It runs NSS's cert authentication check, then calls the callback + regardless of whether the cert passed or failed. The callback is told whether the cert + passed, and then can do anything extra that it wants to do before making a final decision. + #. SSLClientCertificateSelectionCallback is analogous to SSL_GetClientAuthDataHook. + + | + | **Can I have multiple JSS instances reading separate db's?** + + - No, you can only have one initialized instance of JSS for each database. + + **Once JSS initialized, I can't get anymore instances with + CertificateFactory.getInstance("X.509")?** + + - In version previous to JSS 3.1, JSS removes the default SUN provider on startup. Upgrade to + the latest JSS, or, in the ``CryptoManager.InitializationValues`` object you pass to + ``CryptoManager.initialize()``, set ``removeSunProivider=true``. + + **Is it possible to sign data in Java with JSS? What I am trying to do is write a Java applet + that will access the Netscape certificate store, retrieve a X509 certificate and then sign some + data.** + + - The best way to do this is with the PKCS #7 signedData type. Check out the + `javadoc `__. + + **How do I convert org.mozilla.jss.crypto.X509Certificate to + org.mozilla.jss.pkix.cert.Certificate?** + + - .. code:: + + import java.io.ByteArrayInputStream; + + [...] + + Certificate cert = (Certificate) ASN1Util.decode( + Certificate.getTemplate(),x509Cert.getEncoded() ); + + **How do I convert org.mozilla.jss.pkix.cert to org.mozilla.jss.crypto.X509Certificate?** + + - `Cryptomanager.importCertPackage() `__ + + **Is it possible to use JSS to acces cipher functionality from pkcs11 modules?** + + - Yes. Before JSS 3.2 you would use CryptoManager to obtain the CryptoToken you want to use, + then call CryptoToken.getCipherContext() to get an encryption engine. But as of JSS 3.2 you + would use the `JSS JCA provider `__. + + **Can you explain token names and keys with regards to JSS?** + + - The token name is different depending on which application you are running. In JSS, the token + is called "Internal Key Storage Token". You can look it up by name using + CryptoManager.getTokenByName(), but a better way is to call + CryptoManager.getInternalKeyStorageToken(), which works no matter what the token is named. In + general, a key is a handle to an underlying object on a PKCS #11 token, not merely a Java + object residing in memory. Symmetric Key usage: basically encrypt/decrypt is for data and + wrap/unwrap is for keys. + + J\ **SS 3.2 has JCA support. When will JSS have JSSE support?** + + - Not in the near future due to pluggability is disabled in the JSSE version included in J2SE + 1.4.x for export control reasons. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst b/security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst new file mode 100644 index 0000000000..9db0654c2c --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst @@ -0,0 +1,489 @@ +.. _mozilla_projects_nss_jss_jss_provider_notes: + +JSS Provider Notes +================== + +.. container:: + + .. warning:: + + This page has been moved to http://www.dogtagpki.org/wiki/JSS_Provider. + +.. _the_mozilla-jss_jca_provider: + +`The Mozilla-JSS JCA Provider <#the_mozilla-jss_jca_provider>`__ +---------------------------------------------------------------- + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + +`Overview <#overview>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This document describes the JCA Provider shipped with JSS. The provider's name is "Mozilla-JSS". + It implements cryptographic operations in native code using the `NSS <../nss>`__ libraries. + +`Contents <#contents>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Signed JAR file <#signed-jar>`__ + - `Installing the Provider <#installing-provider>`__ + - `Specifying the CryptoToken <#specifying-token>`__ + - `Supported Classes <#supported-classes>`__ + - `What's Not Supported <#not-supported>`__ + + -------------- + +.. _signed_jar_file: + +`Signed JAR file <#signed_jar_file>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 3.2 implements several JCE (Java Cryptography Extension) algorithms. These algorithms have + at various times been export-controlled by the US government. Sun therefore requires that JAR + files implementing JCE algorithms be digitally signed by an approved organization. Netscape + has this approval and signs the official builds of ``jss32.jar``. At runtime, the JRE + automatically verifies this signature whenever a JSS class is loaded that implements a JCE + algorithm. The verification is transparent to the application (unless it fails and throws an + exception). If you are curious, you can verify the signature on the JAR file using the + ``jarsigner`` tool, which is distributed with the JDK. + + If you build JSS yourself from source instead of using binaries downloaded from mozilla.org, + your JAR file will not have a valid signature. This means you will not be able to use the JSS + provider for JCE algorithms. You have two choices. + + #. Use the binary release of JSS from mozilla.org. + #. Apply for your own JCE code-signing certificate following the procedure at `How to + Implement a Provider for the Java\ TM Cryptography + Extension `__. + Then you can sign your own JSS JAR file. + +.. _installing_the_provider: + +`Installing the Provider <#installing_the_provider>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - In order to use any part of JSS, including the JCA provider, you must first call + ``CryptoManager.initialize()``. By default, the JCA provider will be installed in the list of + providers maintained by the ``java.security.Security`` class. If you do not wish the provider + to be installed, create a + :ref:`mozilla_projects_nss_jss_cryptomanager_cryptomanager_initializationvalues` object, set + its ``installJSSProvider`` field to ``false``, and pass the ``InitializationValues`` object to + ``CryptoManager.initialize()``. + +.. _specifying_the_cryptotoken: + +`Specifying the CryptoToken <#specifying_the_cryptotoken>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - All cryptographic operations in JSS and NSS occur on a particular PKCS #11 token, implemented + in software or hardware. There is no clean way to specify this token through the JCA API. By + default, the JSS provider carries out all operations except MessageDigest on the Internal Key + Storage Token, a software token included in JSS/NSS. MessageDigest operations take place by + default on the Internal Crypto Token, another internal software token in JSS/NSS. There is no + good design reason for this difference, but it is necessitated by a quirk in the NSS + implementation. + + In order to use a different token, use ``CryptoManager.setThreadToken()``. This sets the token + to be used by the JSS JCA provider in the current thread. When you call ``getInstance()`` on a + JCA class, the JSS provider checks the current per-thread default token (by calling + ``CryptoManager.getThreadToken()``) and instructs the new object to use that token for + cryptographic operations. The per-thread default token setting is only consulted inside + ``getInstance()``. Once a JCA object has been created it will continue to use the same token, + even if the application later changes the per-thread default token. + + Whenever a new thread is created, its token is initialized to the default, the Internal Key + Storage Token. Thus, the thread token is not inherited from the parent thread. + + The following example shows how you can specify which token is used for various JCA + operations: + + .. code:: + + // Lookup PKCS #11 tokens + CryptoManager manager = CryptoManager.getInstance(); + CryptoToken tokenA = manager.getTokenByName("TokenA"); + CryptoToken tokenB = manager.getTokenByName("TokenB"); + + // Create an RSA KeyPairGenerator using TokenA + manager.setThreadToken(tokenA); + KeyPairGenerator rsaKpg = KeyPairGenerator.getInstance("RSA", "Mozilla-JSS"); + + // Create a DSA KeyPairGenerator using TokenB + manager.setThreadToken(tokenB); + KeyPairGenerator dsaKpg = KeyPairGenerator.getInstance("DSA", "Mozilla-JSS"); + + // Generate an RSA KeyPair. This will happen on TokenA because TokenA + // was the per-thread default token when rsaKpg was created. + rsaKpg.initialize(1024); + KeyPair rsaPair = rsaKpg.generateKeyPair(); + + // Generate a DSA KeyPair. This will happen on TokenB because TokenB + // was the per-thread default token when dsaKpg was created. + dsaKpg.initialize(1024); + KeyPair dsaPair = dsaKpg.generateKeyPair(); + +.. _supported_classes: + +`Supported Classes <#supported_classes>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Cipher <#cipher>`__ + + - `DSAPrivateKey <#dsaprivatekey>`__ + + - DSAPublicKey + + - `KeyFactory <#keyfactory>`__ + + - `KeyGenerator <#keygenerator>`__ + + - `KeyPairGenerator <#keypairgenerator>`__ + + - `Mac <#mac>`__ + + - `MessageDigest <#messagedigest>`__ + + - `RSAPrivateKey <#rsaprivatekey>`__ + + - RSAPublicKey + + - `SecretKeyFactory <#secretkeyfactory>`__ + + - `SecretKey <#secretkey>`__ + + - `SecureRandom <#securerandom>`__ + + - `Signature <#signature>`__ + + .. rubric:: What's Not Supported + :name: What's_Not_Supported + + - The following classes don't work very well: + + - **KeyStore:** There are many serious problems mapping the JCA keystore interface onto + NSS's model of PKCS #11 modules. The current implementation is almost useless. Since + these problems lie deep in the NSS design and implementation, there is no clear + timeframe for fixing them. Meanwhile, the ``org.mozilla.jss.crypto.CryptoStore`` class + can be used for some of this functionality. + +.. rubric:: Cipher + :name: Cipher_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms + +.. rubric:: Notes + :name: notes + +- + + - AES + - DES + - DESede (*DES3* ) + - RC2 + - RC4 + - RSA + + - The following modes and padding schemes are supported: + + + +------------------------------+------------------------------+------------------------------+ + | Algorithm | Mode | Padding | + +------------------------------+------------------------------+------------------------------+ + | DES | ECB | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5 Padding | + +------------------------------+------------------------------+------------------------------+ + | DESede | ECB | NoPadding | + | *DES3* | | | + +------------------------------+------------------------------+------------------------------+ + | | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5 Padding | + +------------------------------+------------------------------+------------------------------+ + | AES | ECB | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5 Padding | + +------------------------------+------------------------------+------------------------------+ + | RC4 | *None* | *None* | + +------------------------------+------------------------------+------------------------------+ + | RC2 | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5Padding | + +------------------------------+------------------------------+------------------------------+ + + - The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because + NSS does not support specifying an external source of randomness. + +.. rubric:: DSAPrivateKey + :name: DSAPrivateKey_2 + +- ``getX()`` is not supported because NSS does not support extracting data from private keys. + +.. rubric:: KeyFactory + :name: KeyFactory_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_2 + +.. rubric:: Notes + :name: notes_2 + +- + + - DSA + - RSA + + - The following transformations are supported for ``generatePublic()`` and + ``generatePrivate()``: + + + +----------------------------------------------+----------------------------------------------+ + | From | To | + +----------------------------------------------+----------------------------------------------+ + | ``RSAPublicKeySpec`` | ``RSAPublicKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``DSAPublicKeySpec`` | ``DSAPublicKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``X509EncodedKeySpec`` | ``RSAPublicKey`` | + | | ``DSAPublicKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``RSAPrivateCrtKeySpec`` | ``RSAPrivateKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``DSAPrivateKeySpec`` | ``DSAPrivateKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``PKCS8EncodedKeySpec`` | ``RSAPrivateKey`` | + | | ``DSAPrivateKey`` | + +----------------------------------------------+----------------------------------------------+ + + - ``getKeySpec()`` is not supported. This method exports key material in plaintext and is + therefore insecure. Note that a public key's data can be accessed directly from the key. + - ``translateKey()`` simply gets the encoded form of the given key and then tries to import + it by calling ``generatePublic()`` or ``generatePrivate()``. Only ``X509EncodedKeySpec`` is + supported for public keys, and only ``PKCS8EncodedKeySpec`` is supported for private keys. + +.. rubric:: KeyGenerator + :name: KeyGenerator_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_3 + +.. rubric:: Notes + :name: notes_3 + +- + + - AES + - DES + - DESede (*DES3* ) + - RC4 + + - The SecureRandom argument passed to ``init()`` is ignored, because NSS does not support + specifying an external source of randomness. + - None of the key generation algorithms accepts an ``AlgorithmParameterSpec``. + +.. rubric:: KeyPairGenerator + :name: KeyPairGenerator_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_4 + +.. rubric:: Notes + :name: notes_4 + +- + + - DSA + - RSA + + - The SecureRandom argument passed to initialize() is ignored, because NSS does not support + specifying an external source of randomness. + +.. rubric:: Mac + :name: Mac_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_5 + +.. rubric:: Notes + :name: notes_5 + +- + + - HmacSHA1 (*Hmac-SHA1* ) + + - Any secret key type (AES, DES, etc.) can be used as the MAC key, but it must be a JSS key. + That is, it must be an ``instanceof org.mozilla.jss.crypto.SecretKeyFacade``. + - The params passed to ``init()`` are ignored. + +.. rubric:: MessageDigest + :name: MessageDigest_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_6 + +- + + - MD5 + - MD2 + - SHA-1 (*SHA1, SHA* ) + +.. rubric:: RSAPrivateKey + :name: RSAPrivateKey_2 + +.. rubric:: Notes + :name: notes_6 + +- + + - ``getModulus()`` is not supported because NSS does not support extracting data from private + keys. + - ``getPrivateExponent()`` is not supported because NSS does not support extracting data from + private keys. + +.. rubric:: SecretKeyFactory + :name: SecretKeyFactory_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_7 + +.. rubric:: Notes + :name: notes_7 + +- + + - AES + - DES + - DESede (*DES3* ) + - PBAHmacSHA1 + - PBEWithMD5AndDES + - PBEWithSHA1AndDES + - PBEWithSHA1AndDESede (*PBEWithSHA1AndDES3* ) + - PBEWithSHA1And128RC4 + - RC4 + + - ``generateSecret`` supports the following transformations: + + + +----------------------------------------------+----------------------------------------------+ + | KeySpec Class | Key Algorithm | + +----------------------------------------------+----------------------------------------------+ + | PBEKeySpec | *Using the appropriate PBE algorithm:* | + | org.mozilla.jss.crypto.PBEKeyGenParams | DES | + | | DESede | + | | RC4 | + +----------------------------------------------+----------------------------------------------+ + | DESedeKeySpec | DESede | + +----------------------------------------------+----------------------------------------------+ + | DESKeySpec | DES | + +----------------------------------------------+----------------------------------------------+ + | SecretKeySpec | AES | + | | DES | + | | DESede | + | | RC4 | + +----------------------------------------------+----------------------------------------------+ + + - ``getKeySpec`` supports the following transformations: + + + +----------------------------------------------+----------------------------------------------+ + | Key Algorithm | KeySpec Class | + +----------------------------------------------+----------------------------------------------+ + | DESede | DESedeKeySpec | + +----------------------------------------------+----------------------------------------------+ + | DES | DESKeySpec | + +----------------------------------------------+----------------------------------------------+ + | DESede | SecretKeySpec | + | DES | | + | AES | | + | RC4 | | + +----------------------------------------------+----------------------------------------------+ + + - For increased security, some SecretKeys may not be extractable from their PKCS #11 token. + In this case, the key should be wrapped (encrypted with another key), and then the + encrypted key might be extractable from the token. This policy varies across PKCS #11 + tokens. + - ``translateKey`` tries two approaches to copying keys. First, it tries to copy the key + material directly using NSS calls to PKCS #11. If that fails, it calls ``getEncoded()`` on + the source key, and then tries to create a new key on the target token from the encoded + bits. Both of these operations will fail if the source key is not extractable. + - The class ``java.security.spec.PBEKeySpec`` in JDK versions earlier than 1.4 does not + contain the salt and iteration fields, which are necessary for PBE key generation. These + fields were added in JDK 1.4. If you are using a JDK (or JRE) version earlier than 1.4, you + cannot use class ``java.security.spec.PBEKeySpec``. Instead, you can use + ``org.mozilla.jss.crypto.PBEKeyGenParams``. If you are using JDK (or JRE) 1.4 or later, you + can use ``java.security.spec.PBEKeySpec`` or ``org.mozilla.jss.crypto.PBEKeyGenParams``. + +.. rubric:: SecretKey + :name: SecretKey_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_8 + +.. rubric:: Notes + :name: notes_8 + +- + + - AES + - DES + - DESede (*DES3* ) + - HmacSHA1 + - RC2 + - RC4 + + - ``SecretKey`` is implemented by the class ``org.mozilla.jss.crypto.SecretKeyFacade``, which + acts as a wrapper around the JSS class ``SymmetricKey``. Any ``SecretKeys`` handled by JSS + will actually be ``SecretKeyFacades``. This should usually be transparent. + +.. rubric:: SecureRandom + :name: SecureRandom_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_9 + +.. rubric:: Notes + :name: notes_9 + +- + + - pkcs11prng + + - This invokes the NSS internal pseudorandom number generator. + +.. rubric:: Signature + :name: Signature_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_10 + +.. rubric:: Notes + :name: notes_10 + +- + + - SHA1withDSA (*DSA, DSS, SHA/DSA, SHA-1/DSA, SHA1/DSA, DSAWithSHA1, SHAwithDSA* ) + - SHA-1/RSA (*SHA1/RSA, SHA1withRSA* ) + - MD5/RSA (*MD5withRSA* ) + - MD2/RSA + + - The ``SecureRandom`` argument passed to ``initSign()`` and ``initVerify()`` is ignored, + because NSS does not support specifying an external source of randomness. diff --git a/security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst b/security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst new file mode 100644 index 0000000000..f8edb0953c --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst @@ -0,0 +1,472 @@ +.. _mozilla_projects_nss_jss_mozilla-jss_jca_provider_notes: + +Mozilla-JSS JCA Provider notes +============================== + +.. _the_mozilla-jss_jca_provider: + +`The Mozilla-JSS JCA Provider <#the_mozilla-jss_jca_provider>`__ +---------------------------------------------------------------- + +.. container:: + + *Newsgroup:*\ `mozilla.dev.tech.crypto `__ + +`Overview <#overview>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This document describes the JCA Provider shipped with JSS. The provider's name is "Mozilla-JSS". + It implements cryptographic operations in native code using the + `NSS `__ libraries. + +`Contents <#contents>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Signed JAR + file `__ + - `Installing the + Provider `__ + - `Specifying the + CryptoToken `__ + - `Supported + Classes `__ + - `What's Not + Supported `__ + +.. _signed_jar_file: + +`Signed JAR file <#signed_jar_file>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + JSS implements several JCE (Java Cryptography Extension) algorithms. These algorithms have at + various times been export-controlled by the US government. JRE therefore requires that JAR files + implementing JCE algorithms be digitally signed by an approved organization. The maintainers of + JSS, Sun, Red Hat, and Mozilla, have this approval and signs the official builds of ``jss4.jar``. + At runtime, the JRE automatically verifies this signature whenever a JSS class is loaded that + implements a JCE algorithm. The verification is transparent to the application (unless it fails + and throws an exception). If you are curious, you can verify the signature on the JAR file using + the ``jarsigner`` tool, which is distributed with the JDK. + + If you build JSS yourself from source instead of using binaries downloaded from mozilla.org, your + JAR file will not have a valid signature. This means you will not be able to use the JSS provider + for JCE algorithms. You have two choices. + + #. Use the binary release of JSS from mozilla.org. + #. Apply for your own JCE code-signing certificate following the procedure at `How to Implement a + Provider for the Java\ TM Cryptography + Extension `__. + Then you can sign your own JSS JAR file. + +.. _installing_the_provider: + +`Installing the Provider <#installing_the_provider>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + In order to use any part of JSS, including the JCA provider, you must first call + ``CryptoManager.initialize()``. By default, the JCA provider will be installed in the list of + providers maintained by the ``java.security.Security`` class. If you do not wish the provider to + be installed, create a + ```CryptoManager.InitializationValues`` `__ + object, set its ``installJSSProvider`` field to ``false``, and pass the ``InitializationValues`` + object to ``CryptoManager.initialize()``. + +.. _specifying_the_cryptotoken: + +`Specifying the CryptoToken <#specifying_the_cryptotoken>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + All cryptographic operations in JSS and NSS occur on a particular PKCS #11 token, implemented in + software or hardware. There is no clean way to specify this token through the JCA API. By + default, the JSS provider carries out all operations except MessageDigest on the Internal Key + Storage Token, a software token included in JSS/NSS. MessageDigest operations take place by + default on the Internal Crypto Token, another internal software token in JSS/NSS. There is no + good design reason for this difference, but it is necessitated by a quirk in the NSS + implementation. + + In order to use a different token, use ``CryptoManager.setThreadToken()``. This sets the token to + be used by the JSS JCA provider in the current thread. When you call ``getInstance()`` on a JCA + class, the JSS provider checks the current per-thread default token (by calling + ``CryptoManager.getThreadToken()``) and instructs the new object to use that token for + cryptographic operations. The per-thread default token setting is only consulted inside + ``getInstance()``. Once a JCA object has been created it will continue to use the same token, + even if the application later changes the per-thread default token. + + Whenever a new thread is created, its token is initialized to the default, the Internal Key + Storage Token. Thus, the thread token is not inherited from the parent thread. + + The following example shows how you can specify which token is used for various JCA operations: + + .. code:: + + // Lookup PKCS #11 tokens + CryptoManager manager = CryptoManager.getInstance(); + CryptoToken tokenA = manager.getTokenByName("TokenA"); + CryptoToken tokenB = manager.getTokenByName("TokenB"); + + // Create an RSA KeyPairGenerator using TokenA + manager.setThreadToken(tokenA); + KeyPairGenerator rsaKpg = KeyPairGenerator.getInstance("Mozilla-JSS", "RSA"); + + // Create a DSA KeyPairGenerator using TokenB + manager.setThreadToken(tokenB); + KeyPairGenerator dsaKpg = KeyPairGenerator.getInstance("Mozilla-JSS", "DSA"); + + // Generate an RSA KeyPair. This will happen on TokenA because TokenA + // was the per-thread default token when rsaKpg was created. + rsaKpg.initialize(1024); + KeyPair rsaPair = rsaKpg.generateKeyPair(); + + // Generate a DSA KeyPair. This will happen on TokenB because TokenB + // was the per-thread default token when dsaKpg was created. + dsaKpg.initialize(1024); + KeyPair dsaPair = dsaKpg.generateKeyPair(); + +.. _supported_classes: + +`Supported Classes <#supported_classes>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Cipher `__ + - `DSAPrivateKey `__ + - DSAPublicKey + - `KeyFactory `__ + - `KeyGenerator `__ + - `KeyPairGenerator `__ + - `Mac `__ + - `MessageDigest `__ + - `RSAPrivateKey `__ + - RSAPublicKey + - `SecretKeyFactory `__ + - `SecretKey `__ + - `SecureRandom `__ + - `Signature `__ + +`Cipher <#cipher>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms + + .. rubric:: Notes + :name: notes + + - AES + - DES + - DESede (*DES3*) + - RC2 + - RC4 + - RSA + + - The following modes and padding schemes are supported: + + +--------------------------------+--------------------------------+--------------------------------+ + | Algorithm | Mode | Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | DES | ECB | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5 Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | DESede | ECB | NoPadding | + | *DES3* | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5 Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | AES | ECB | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5 Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | RC4 | *None* | *None* | + +--------------------------------+--------------------------------+--------------------------------+ + | RC2 | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5Padding | + +--------------------------------+--------------------------------+--------------------------------+ + + - The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because + NSS does not support specifying an external source of randomness. + +`DSAPrivateKey <#dsaprivatekey>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - ``getX()`` is not supported because NSS does not support extracting data from private keys. + +`KeyFactory <#keyfactory>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_2 + + .. rubric:: Notes + :name: notes_2 + + - DSA + - RSA + - The following transformations are supported for ``generatePublic()`` and + ``generatePrivate()``: + + +-------------------------------------------------+-------------------------------------------------+ + | From | To | + +-------------------------------------------------+-------------------------------------------------+ + | ``RSAPublicKeySpec`` | ``RSAPublicKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``DSAPublicKeySpec`` | ``DSAPublicKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``X509EncodedKeySpec`` | ``RSAPublicKey`` | + | | ``DSAPublicKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``RSAPrivateCrtKeySpec`` | ``RSAPrivateKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``DSAPrivateKeySpec`` | ``DSAPrivateKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``PKCS8EncodedKeySpec`` | ``RSAPrivateKey`` | + | | ``DSAPrivateKey`` | + +-------------------------------------------------+-------------------------------------------------+ + + - ``getKeySpec()`` is not supported. This method exports key material in plaintext and is + therefore insecure. Note that a public key's data can be accessed directly from the key. + - ``translateKey()`` simply gets the encoded form of the given key and then tries to import it + by calling ``generatePublic()`` or ``generatePrivate()``. Only ``X509EncodedKeySpec`` is + supported for public keys, and only ``PKCS8EncodedKeySpec`` is supported for private keys. + +`KeyGenerator <#keygenerator>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_3 + + .. rubric:: Notes + :name: notes_3 + + - AES + - DES + - DESede (*DES3*) + - RC4 + - The SecureRandom argument passed to ``init()`` is ignored, because NSS does not support + specifying an external source of randomness. + - None of the key generation algorithms accepts an ``AlgorithmParameterSpec``. + +`KeyPairGenerator <#keypairgenerator>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_4 + + .. rubric:: Notes + :name: notes_4 + + - DSA + - RSA + + - The SecureRandom argument passed to initialize() is ignored, because NSS does not support + specifying an external source of randomness. + +`Mac <#mac>`__ +~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_5 + + .. rubric:: Notes + :name: notes_5 + + - HmacSHA1 (*Hmac-SHA1*) + + - Any secret key type (AES, DES, etc.) can be used as the MAC key, but it must be a JSS key. + That is, it must be an ``instanceof org.mozilla.jss.crypto.SecretKeyFacade``. + - The params passed to ``init()`` are ignored. + +`MessageDigest <#messagedigest>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_6 + + - MD5 + - MD2 + - SHA-1 (*SHA1, SHA*) + +`RSAPrivateKey <#rsaprivatekey>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Notes + :name: notes_6 + + - ``getModulus()`` is not supported because NSS does not support extracting data from private + keys. + - ``getPrivateExponent()`` is not supported because NSS does not support extracting data from + private keys. + +`SecretKeyFactory <#secretkeyfactory>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_7 + + .. rubric:: Notes + :name: notes_7 + + - AES + - DES + - DESede (*DES3*) + - PBAHmacSHA1 + - PBEWithMD5AndDES + - PBEWithSHA1AndDES + - PBEWithSHA1AndDESede (*PBEWithSHA1AndDES3*) + - PBEWithSHA1And128RC4 + - RC4 + + - ``generateSecret`` supports the following transformations: + + +-------------------------------------------------+-------------------------------------------------+ + | KeySpec Class | Key Algorithm | + +-------------------------------------------------+-------------------------------------------------+ + | PBEKeySpec | *Using the appropriate PBE algorithm:* | + | org.mozilla.jss.crypto.PBEKeyGenParams | DES | + | | DESede | + | | RC4 | + +-------------------------------------------------+-------------------------------------------------+ + | DESedeKeySpec | DESede | + +-------------------------------------------------+-------------------------------------------------+ + | DESKeySpec | DES | + +-------------------------------------------------+-------------------------------------------------+ + | SecretKeySpec | AES | + | | DES | + | | DESede | + | | RC4 | + +-------------------------------------------------+-------------------------------------------------+ + + - ``getKeySpec`` supports the following transformations: + + +-------------------------------------------------+-------------------------------------------------+ + | Key Algorithm | KeySpec Class | + +-------------------------------------------------+-------------------------------------------------+ + | DESede | DESedeKeySpec | + +-------------------------------------------------+-------------------------------------------------+ + | DES | DESKeySpec | + +-------------------------------------------------+-------------------------------------------------+ + | DESede | SecretKeySpec | + | DES | | + | AES | | + | RC4 | | + +-------------------------------------------------+-------------------------------------------------+ + + - For increased security, some SecretKeys may not be extractable from their PKCS #11 token. In + this case, the key should be wrapped (encrypted with another key), and then the encrypted key + might be extractable from the token. This policy varies across PKCS #11 tokens. + - ``translateKey`` tries two approaches to copying keys. First, it tries to copy the key + material directly using NSS calls to PKCS #11. If that fails, it calls ``getEncoded()`` on the + source key, and then tries to create a new key on the target token from the encoded bits. Both + of these operations will fail if the source key is not extractable. + - The class ``java.security.spec.PBEKeySpec`` in JDK versions earlier than 1.4 does not contain + the salt and iteration fields, which are necessary for PBE key generation. These fields were + added in JDK 1.4. If you are using a JDK (or JRE) version earlier than 1.4, you cannot use + class ``java.security.spec.PBEKeySpec``. Instead, you can use + ``org.mozilla.jss.crypto.PBEKeyGenParams``. If you are using JDK (or JRE) 1.4 or later, you + can use ``java.security.spec.PBEKeySpec`` or ``org.mozilla.jss.crypto.PBEKeyGenParams``. + +`SecretKey <#secretkey>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_8 + + .. rubric:: Notes + :name: notes_8 + + - AES + - DES + - DESede (*DES3*) + - HmacSHA1 + - RC2 + - RC4 + + - ``SecretKey`` is implemented by the class ``org.mozilla.jss.crypto.SecretKeyFacade``, which + acts as a wrapper around the JSS class ``SymmetricKey``. Any ``SecretKeys`` handled by JSS + will actually be ``SecretKeyFacades``. This should usually be transparent. + +`SecureRandom <#securerandom>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_9 + + .. rubric:: Notes + :name: notes_9 + + - pkcs11prng + + - This invokes the NSS internal pseudorandom number generator. + +`Signature <#signature>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_10 + + .. rubric:: Notes + :name: notes_10 + + - SHA1withDSA (*DSA, DSS, SHA/DSA, SHA-1/DSA, SHA1/DSA, DSAWithSHA1, SHAwithDSA*) + - SHA-1/RSA (*SHA1/RSA, SHA1withRSA*) + - MD5/RSA (*MD5withRSA*) + - MD2/RSA + + - The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because + NSS does not support specifying an external source of randomness. + +.. _what's_not_supported: + +`What's Not Supported <#what's_not_supported>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + The following classes don't work very well: + + - **KeyStore:** There are many serious problems mapping the JCA keystore interface onto NSS's + model of PKCS #11 modules. The current implementation is almost useless. Since these problems + lie deep in the NSS design and implementation, there is no clear timeframe for fixing them. + Meanwhile, the ``org.mozilla.jss.crypto.CryptoStore`` class can be used for some of this + functionality. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/using_jss/index.rst b/security/nss/doc/rst/legacy/jss/using_jss/index.rst new file mode 100644 index 0000000000..3a5f19f9c7 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/using_jss/index.rst @@ -0,0 +1,152 @@ +.. _mozilla_projects_nss_jss_using_jss: + +Using JSS +========= + +.. _using_jss: + +`Using JSS <#using_jss>`__ +-------------------------- + +.. container:: + + *Newsgroup:*\ `mozilla.dev.tech.crypto `__ + + If you have already `built + JSS `__, or if you + are planning to use a binary release of JSS, here's how to get JSS working with your code. + + | `Gather Components <#components>`__ + | `Setup your runtime environment <#runtime>`__ + | `Initialize JSS in your application <#init>`__ + +.. _gather_components: + +`Gather components <#gather_components>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + #. You need the JSS classes and the NSPR, NSS, and JSS shared libraries. + + #. **NSPR and NSS Shared Libraries** + + JSS uses the NSPR and NSS libraries for I/O and crypto. JSS version 3.0 linked statically with + NSS, so it only required NSPR. JSS versions 3.1 and later link dynamically with NSS, so they + also require the NSS shared libraries. + + The exact library names vary according to the convention for each platform. For example, the + NSPR library is called ``nspr4.dll`` or ``libnspr4.dll`` on Windows and ``libnspr4.so`` on + Solaris. The following table gives the core names of the libraries, omitting the + platform-specific prefix and suffix. + + +-------------------+-------------------------------------+--------------------------------------+ + | JSS Dependencies | | | + +-------------------+-------------------------------------+--------------------------------------+ + | Core Library Name | Description | Binary Release Location | + +-------------------+-------------------------------------+--------------------------------------+ + | nspr4 | NSPR OS abstraction layer | `htt | + | | | p://ftp.mozilla.org/pub/mozilla.org/ | + | | | nspr/releases `__ | + +-------------------+-------------------------------------+--------------------------------------+ + | plc4 | | NSPR standard C library replacement | + | | | functions | + +-------------------+-------------------------------------+--------------------------------------+ + | plds4 | | NSPR data structure types | + +-------------------+-------------------------------------+--------------------------------------+ + | nss3 | NSS crypto, PKCS #11, and utilities | `http://ftp.mozilla. | + | | | org/pub/mozilla.org/security/nss/rel | + | | | eases `__ | + +-------------------+-------------------------------------+--------------------------------------+ + | ssl3 | | NSS SSL library | + +-------------------+-------------------------------------+--------------------------------------+ + | smime3 | | NSS S/MIME functions and types | + +-------------------+-------------------------------------+--------------------------------------+ + | nssckbi | | PKCS #11 module containing built-in | + | | | root CA certificates. Optional. | + +-------------------+-------------------------------------+--------------------------------------+ + | freebl_\* | | Processor-specific optimized | + | | | big-number arithmetic library. Not | + | | | present on all platforms. | + | | | :ref:`mozilla_projects_nss_introd | + | | | uction_to_network_security_services` | + +-------------------+-------------------------------------+--------------------------------------+ + | fort | | FORTEZZA support. Optional | + +-------------------+-------------------------------------+--------------------------------------+ + | swft | | PKCS #11 module implementing | + | | | FORTEZZA in software. Optional. | + +-------------------+-------------------------------------+--------------------------------------+ + + If you built JSS from source, you have these libraries in the ``mozilla/dist//lib`` + directory of your build tree. If you are downloading binaries, get them from the binary + release locations in the above table. You need to select the right version of the components, + based on the version of JSS you are using. Generally, it is safe to use a later version of a + component than what JSS was tested with. For example, although JSS 4.2 was tested with NSS + 3.11. + + ================== ========= ============== + Component Versions + JSS Version Component Tested Version + JSS 4.2 NSPR 4.6.4 + \ NSS 3.11.4 + JSS 3.4 NSPR 4.2.2 + \ NSS 3.7.3 + JSS 3.3 NSPR 4.2.2 + \ NSS 3.6.1 or 3.7 + JSS 3.2 NSPR 4.2 or 4.1.2 + \ NSS 3.4.2 + JSS 3.1.1 NSPR 4.1.2 + \ NSS 3.3.1 + JSS 3.1 NSPR 4.1.2 + \ NSS 3.3 + JSS 3.0 NSPR 3.5.1 + ================== ========= ============== + + #. **JSS Shared Library** + + The JSS shared library is ``jss4.dll`` (Windows) or ``libjss4.so`` (Unix). If you built JSS + from source, it is in ``mozilla/dist//lib``. If you are downloading binaries, get it + from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/. + + #. **JSS classes** + + If you built JSS from source, the compiled JSS classes are in ``mozilla/dist/classes[_dbg]``. + You can put this directory in your classpath to run applications locally; or, you can package + the class files into a JAR file for easier distribution: + + .. code:: + + cd mozilla/dist/classes[_dbg] + zip -r ../jss42.jar . + + If you are downloading binaries, get jss42.jar + from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/. + +.. _setup_your_runtime_environment: + +`Setup your runtime environment <#setup_your_runtime_environment>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + You need to set some environment variables before building and running Java applications with + JSS. + + ``CLASSPATH`` + Include the path containing the JSS classes you built, or the path to ``jss42.jar``. (The path + to ``jss34.jar`` ends with the string "/jss42.jar". It is not just the directory that contains + ``jss42.jar``.) + ``LD_LIBRARY_PATH`` (Unix) / ``PATH`` (Windows) + Include the path to the NSPR, NSS, and JSS shared libraries. + +.. _initialize_jss_in_your_application: + +`Initialize JSS in your application <#initialize_jss_in_your_application>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Before calling any JSS methods, you must initialize JSS by calling one of the + ``CryptoManager.initialize`` methods. See the `javadoc `__ for more details. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/key_log_format/index.rst b/security/nss/doc/rst/legacy/key_log_format/index.rst new file mode 100644 index 0000000000..99bdf87e1d --- /dev/null +++ b/security/nss/doc/rst/legacy/key_log_format/index.rst @@ -0,0 +1,61 @@ +.. _mozilla_projects_nss_key_log_format: + +NSS Key Log Format +================== + +.. container:: + + Key logs can be written by NSS so that external programs can decrypt TLS connections. Wireshark + 1.6.0 and above can use these log files to decrypt packets. You can tell Wireshark where to find + the key file via *Edit→Preferences→Protocols→TLS→(Pre)-Master-Secret log filename*. + + Key logging is enabled by setting the environment variable ``SSLKEYLOGFILE`` to point to a file. + Note: starting with :ref:`mozilla_projects_nss_nss_3_24_release_notes` (used by Firefox 48 and 49 + only), the ``SSLKEYLOGFILE`` approach is disabled by default for optimized builds using the + Makefile (those using gyp via ``build.sh`` are *not* affected). Distributors can re-enable it at + compile time though (using the ``NSS_ALLOW_SSLKEYLOGFILE=1`` make variable) which is done for the + official Firefox binaries. (See `bug + 1188657 `__.) Notably, Debian does not have + this option enabled, see `Debian bug + 842292 `__. + + This key log file is a series of lines. Comment lines begin with a sharp character ('#') and are + ignored. Secrets follow the format ``