From 26a029d407be480d791972afb5975cf62c9360a6 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 02:47:55 +0200 Subject: Adding upstream version 124.0.1. Signed-off-by: Daniel Baumann --- security/nss/doc/Makefile | 69 + security/nss/doc/README | 7 + security/nss/doc/certutil.xml | 1298 +++++++ security/nss/doc/cmsutil.xml | 299 ++ security/nss/doc/crlutil.xml | 525 +++ security/nss/doc/derdump.xml | 96 + security/nss/doc/html/certutil.html | 371 ++ security/nss/doc/html/cmsutil.html | 27 + security/nss/doc/html/crlutil.html | 204 ++ security/nss/doc/html/derdump.html | 5 + security/nss/doc/html/modutil.html | 252 ++ security/nss/doc/html/pk12util.html | 77 + security/nss/doc/html/pp.html | 7 + security/nss/doc/html/signtool.html | 284 ++ security/nss/doc/html/signver.html | 33 + security/nss/doc/html/ssltap.html | 417 +++ security/nss/doc/html/vfychain.html | 26 + security/nss/doc/html/vfyserv.html | 5 + security/nss/doc/modutil.xml | 762 +++++ security/nss/doc/nroff/certutil.1 | 2165 ++++++++++++ security/nss/doc/nroff/cmsutil.1 | 271 ++ security/nss/doc/nroff/crlutil.1 | 389 +++ security/nss/doc/nroff/derdump.1 | 92 + security/nss/doc/nroff/modutil.1 | 1452 ++++++++ security/nss/doc/nroff/pk12util.1 | 872 +++++ security/nss/doc/nroff/pp.1 | 108 + security/nss/doc/nroff/signtool.1 | 681 ++++ security/nss/doc/nroff/signver.1 | 318 ++ security/nss/doc/nroff/ssltap.1 | 609 ++++ security/nss/doc/nroff/vfychain.1 | 169 + security/nss/doc/nroff/vfyserv.1 | 70 + security/nss/doc/nss-policy-check.xml | 97 + security/nss/doc/pk12util.xml | 474 +++ security/nss/doc/pp.xml | 123 + security/nss/doc/rst/build.rst | 230 ++ security/nss/doc/rst/build_artifacts.rst | 176 + security/nss/doc/rst/community.rst | 70 + security/nss/doc/rst/getting_started.rst | 60 + security/nss/doc/rst/index.rst | 142 + .../legacy/an_overview_of_nss_internals/index.rst | 302 ++ .../nss/doc/rst/legacy/blank_function/index.rst | 70 + security/nss/doc/rst/legacy/building/index.rst | 159 + .../rst/legacy/cert_findcertbydercert/index.rst | 64 + .../legacy/cert_findcertbyissuerandsn/index.rst | 82 + .../certificate_download_specification/index.rst | 186 + .../doc/rst/legacy/certificate_functions/index.rst | 410 +++ .../nss/doc/rst/legacy/certverify_log/index.rst | 55 + .../nss/doc/rst/legacy/code_coverage/index.rst | 73 + .../rst/legacy/cryptography_functions/index.rst | 500 +++ .../rst/legacy/deprecated_ssl_functions/index.rst | 34 + .../index.rst | 1206 +++++++ .../encrypt_decrypt_mac_using_token/index.rst | 1206 +++++++ security/nss/doc/rst/legacy/faq/index.rst | 280 ++ .../legacy/fips_mode_-_an_explanation/index.rst | 129 + .../nss/doc/rst/legacy/http_delegation/index.rst | 105 + .../doc/rst/legacy/http_delegation_clone/index.rst | 105 + security/nss/doc/rst/legacy/index.rst | 178 + .../index.rst | 162 + .../rst/legacy/jss/4.3.1_release_notes/index.rst | 174 + .../doc/rst/legacy/jss/4_3_releasenotes/index.rst | 175 + .../jss/build_instructions_for_jss_4.3.x/index.rst | 99 + .../jss/build_instructions_for_jss_4.4.x/index.rst | 19 + security/nss/doc/rst/legacy/jss/index.rst | 165 + security/nss/doc/rst/legacy/jss/jss_faq/index.rst | 217 ++ .../rst/legacy/jss/jss_provider_notes/index.rst | 489 +++ .../jss/mozilla-jss_jca_provider_notes/index.rst | 472 +++ .../nss/doc/rst/legacy/jss/using_jss/index.rst | 152 + .../nss/doc/rst/legacy/key_log_format/index.rst | 61 + .../nss/doc/rst/legacy/memory_allocation/index.rst | 52 + .../doc/rst/legacy/modutil-tasks.html/index.rst | 24 + security/nss/doc/rst/legacy/more_docs.rst | 10 + .../nss/doc/rst/legacy/new_nss_samples/index.rst | 41 + .../index.rst | 172 + security/nss/doc/rst/legacy/nroff/certutil.1 | 2165 ++++++++++++ security/nss/doc/rst/legacy/nroff/cmsutil.1 | 271 ++ security/nss/doc/rst/legacy/nroff/crlutil.1 | 389 +++ security/nss/doc/rst/legacy/nroff/derdump.1 | 92 + security/nss/doc/rst/legacy/nroff/modutil.1 | 1452 ++++++++ security/nss/doc/rst/legacy/nroff/pk12util.1 | 872 +++++ security/nss/doc/rst/legacy/nroff/pp.1 | 108 + security/nss/doc/rst/legacy/nroff/signtool.1 | 681 ++++ security/nss/doc/rst/legacy/nroff/signver.1 | 318 ++ security/nss/doc/rst/legacy/nroff/ssltap.1 | 609 ++++ security/nss/doc/rst/legacy/nroff/vfychain.1 | 169 + security/nss/doc/rst/legacy/nroff/vfyserv.1 | 70 + .../nss_3.11.10_release_notes.html/index.rst | 174 + .../legacy/nss_3.12.1_release_notes.html/index.rst | 255 ++ .../legacy/nss_3.12.2_release_notes.html/index.rst | 217 ++ .../legacy/nss_3.12_release_notes.html/index.rst | 919 +++++ .../rst/legacy/nss_3.37.3release_notes/index.rst | 72 + .../doc/rst/legacy/nss_api_guidelines/index.rst | 882 +++++ .../doc/rst/legacy/nss_config_options/index.rst | 217 ++ .../rst/legacy/nss_developer_tutorial/index.rst | 277 ++ .../legacy/nss_release_notes_template/index.rst | 126 + security/nss/doc/rst/legacy/nss_releases/index.rst | 161 + .../nss_releases/jss_4.4.0_release_notes/index.rst | 109 + .../nss_3.12.3_release_notes/index.rst | 432 +++ .../nss_3.12.4_release_notes/index.rst | 327 ++ .../nss_3.12.5_release_notes/index.rst | 285 ++ .../nss_3.12.6_release_notes/index.rst | 318 ++ .../nss_3.12.9_release_notes/index.rst | 144 + .../nss_3.14.1_release_notes/index.rst | 127 + .../nss_3.14.2_release_notes/index.rst | 103 + .../nss_3.14.3_release_notes/index.rst | 132 + .../nss_3.14.4_release_notes/index.rst | 82 + .../nss_3.14.5_release_notes/index.rst | 82 + .../nss_releases/nss_3.14_release_notes/index.rst | 174 + .../nss_3.15.1_release_notes/index.rst | 131 + .../nss_3.15.2_release_notes/index.rst | 126 + .../nss_3.15.3.1_release_notes/index.rst | 89 + .../nss_3.15.3_release_notes/index.rst | 94 + .../nss_3.15.4_release_notes/index.rst | 137 + .../nss_3.15.5_release_notes/index.rst | 93 + .../nss_releases/nss_3.15_release_notes/index.rst | 157 + .../nss_3.16.1_release_notes/index.rst | 97 + .../nss_3.16.2.1_release_notes/index.rst | 99 + .../nss_3.16.2.2_release_notes/index.rst | 81 + .../nss_3.16.2.3_release_notes/index.rst | 110 + .../nss_3.16.2_release_notes/index.rst | 113 + .../nss_3.16.3_release_notes/index.rst | 171 + .../nss_3.16.4_release_notes/index.rst | 75 + .../nss_3.16.5_release_notes/index.rst | 98 + .../nss_3.16.6_release_notes/index.rst | 81 + .../nss_releases/nss_3.16_release_notes/index.rst | 98 + .../nss_3.17.1_release_notes/index.rst | 132 + .../nss_3.17.2_release_notes/index.rst | 88 + .../nss_3.17.3_release_notes/index.rst | 134 + .../nss_3.17.4_release_notes/index.rst | 90 + .../nss_releases/nss_3.17_release_notes/index.rst | 72 + .../nss_3.18.1_release_notes/index.rst | 105 + .../nss_releases/nss_3.18_release_notes/index.rst | 169 + .../nss_3.19.1_release_notes/index.rst | 113 + .../nss_3.19.2.1_release_notes/index.rst | 88 + .../nss_3.19.2.2_release_notes/index.rst | 84 + .../nss_3.19.2.3_release_notes/index.rst | 84 + .../nss_3.19.2.4_release_notes/index.rst | 82 + .../nss_3.19.2_release_notes/index.rst | 94 + .../nss_3.19.3_release_notes/index.rst | 117 + .../nss_3.19.4_release_notes/index.rst | 88 + .../nss_releases/nss_3.19_release_notes/index.rst | 119 + .../nss_3.20.1_release_notes/index.rst | 88 + .../nss_3.20.2_release_notes/index.rst | 80 + .../nss_releases/nss_3.20_release_notes/index.rst | 140 + .../nss_3.21.1_release_notes/index.rst | 80 + .../nss_3.21.2_release_notes/index.rst | 70 + .../nss_3.21.3_release_notes/index.rst | 78 + .../nss_3.21.4_release_notes/index.rst | 75 + .../nss_releases/nss_3.21_release_notes/index.rst | 277 ++ .../nss_3.22.1_release_notes/index.rst | 69 + .../nss_3.22.2_release_notes/index.rst | 90 + .../nss_3.22.3_release_notes/index.rst | 70 + .../nss_releases/nss_3.22_release_notes/index.rst | 194 ++ .../nss_releases/nss_3.23_release_notes/index.rst | 192 ++ .../nss_releases/nss_3.24_release_notes/index.rst | 201 ++ .../nss_3.25.1_release_notes/index.rst | 80 + .../nss_releases/nss_3.25_release_notes/index.rst | 140 + .../nss_3.26.2_release_notes/index.rst | 80 + .../nss_releases/nss_3.26_release_notes/index.rst | 91 + .../nss_3.27.1_release_notes/index.rst | 92 + .../nss_3.27.2_release_notes/index.rst | 84 + .../nss_releases/nss_3.27_release_notes/index.rst | 149 + .../nss_3.28.1_release_notes/index.rst | 148 + .../nss_3.28.2_release_notes/index.rst | 79 + .../nss_3.28.3_release_notes/index.rst | 95 + .../nss_3.28.4_release_notes/index.rst | 77 + .../nss_3.28.5_release_notes/index.rst | 116 + .../nss_releases/nss_3.28_release_notes/index.rst | 170 + .../nss_3.29.1_release_notes/index.rst | 94 + .../nss_3.29.2_release_notes/index.rst | 71 + .../nss_3.29.3_release_notes/index.rst | 73 + .../nss_3.29.5_release_notes/index.rst | 75 + .../nss_releases/nss_3.29_release_notes/index.rst | 68 + .../nss_3.30.1_release_notes/index.rst | 73 + .../nss_3.30.2_release_notes/index.rst | 115 + .../nss_releases/nss_3.30_release_notes/index.rst | 125 + .../nss_3.31.1_release_notes/index.rst | 71 + .../nss_releases/nss_3.31_release_notes/index.rst | 129 + .../nss_releases/nss_3.32_release_notes/index.rst | 143 + .../nss_releases/nss_3.33_release_notes/index.rst | 115 + .../nss_3.34.1_release_notes/index.rst | 94 + .../nss_releases/nss_3.34_release_notes/index.rst | 215 ++ .../nss_releases/nss_3.35_release_notes/index.rst | 273 ++ .../nss_3.36.1_release_notes/index.rst | 84 + .../nss_3.36.2_release_notes/index.rst | 75 + .../nss_3.36.4_release_notes/index.rst | 68 + .../nss_3.36.5_release_notes/index.rst | 69 + .../nss_3.36.6_release_notes/index.rst | 73 + .../nss_3.36.7_release_notes/index.rst | 74 + .../nss_3.36.8_release_notes/index.rst | 90 + .../nss_releases/nss_3.36_release_notes/index.rst | 78 + .../nss_3.37.1_release_notes/index.rst | 75 + .../nss_releases/nss_3.37_release_notes/index.rst | 112 + .../nss_releases/nss_3.38_release_notes/index.rst | 106 + .../nss_releases/nss_3.39_release_notes/index.rst | 149 + .../nss_3.40.1_release_notes/index.rst | 81 + .../nss_releases/nss_3.40_release_notes/index.rst | 102 + .../nss_3.41.1_release_notes/index.rst | 76 + .../nss_releases/nss_3.41_release_notes/index.rst | 163 + .../nss_3.42.1_release_notes/index.rst | 65 + .../nss_releases/nss_3.42_release_notes/index.rst | 143 + .../nss_releases/nss_3.43_release_notes/index.rst | 151 + .../nss_3.44.1_release_notes/index.rst | 140 + .../nss_3.44.2_release_notes/index.rst | 72 + .../nss_3.44.3_release_notes/index.rst | 76 + .../nss_3.44.4_release_notes/index.rst | 69 + .../nss_releases/nss_3.44_release_notes/index.rst | 146 + .../nss_releases/nss_3.45_release_notes/index.rst | 224 ++ .../nss_3.46.1_release_notes/index.rst | 72 + .../nss_releases/nss_3.46_release_notes/index.rst | 219 ++ .../nss_3.47.1_release_notes/index.rst | 78 + .../nss_releases/nss_3.47_release_notes/index.rst | 179 + .../nss_3.48.1_release_notes/index.rst | 71 + .../nss_releases/nss_3.48_release_notes/index.rst | 178 + .../nss_3.49.1_release_notes/index.rst | 71 + .../nss_3.49.2_release_notes/index.rst | 76 + .../nss_releases/nss_3.49_release_notes/index.rst | 103 + .../nss_releases/nss_3.50_release_notes/index.rst | 120 + .../nss_3.51.1_release_notes/index.rst | 79 + .../nss_releases/nss_3.51_release_notes/index.rst | 103 + .../nss_3.52.1_release_notes/index.rst | 69 + .../nss_releases/nss_3.52_release_notes/index.rst | 158 + .../nss_3.53.1_release_notes/index.rst | 69 + .../nss_releases/nss_3.53_release_notes/index.rst | 128 + .../nss_releases/nss_3.54_release_notes/index.rst | 184 + .../nss_releases/nss_3.55_release_notes/index.rst | 135 + .../nss_releases/nss_3.56_release_notes/index.rst | 98 + .../nss_releases/nss_3.57_release_notes/index.rst | 151 + .../nss_releases/nss_3.58_release_notes/index.rst | 76 + .../nss_3.59.1_release_notes/index.rst | 57 + .../nss_releases/nss_3.59_release_notes/index.rst | 108 + .../nss_3.60.1_release_notes/index.rst | 58 + .../nss_releases/nss_3.60_release_notes/index.rst | 144 + .../nss_releases/nss_3.61_release_notes/index.rst | 65 + .../nss_releases/nss_3.62_release_notes/index.rst | 84 + .../nss_3.63.1_release_notes/index.rst | 66 + .../nss_releases/nss_3.63_release_notes/index.rst | 90 + .../nss_releases/nss_3.64_release_notes/index.rst | 69 + .../enc_dec_mac_output_plblic_key_as_csr/index.rst | 1697 +++++++++ .../index.rst | 2090 ++++++++++++ .../encrypt_decrypt_mac_using_token/index.rst | 1206 +++++++ .../nss/doc/rst/legacy/nss_sample_code/index.rst | 31 + .../nss_sample_code_sample1/index.rst | 713 ++++ .../nss_sample_code_sample2/index.rst | 166 + .../nss_sample_code_sample3/index.rst | 169 + .../nss_sample_code_sample4/index.rst | 158 + .../nss_sample_code_sample5/index.rst | 174 + .../nss_sample_code_sample6/index.rst | 153 + .../nss_sample_code_sample_1_hashing/index.rst | 253 ++ .../index.rst | 257 ++ .../index.rst | 1221 +++++++ .../nss_sample_code_utililies_1/index.rst | 553 +++ .../rst/legacy/nss_sample_code/sample1/index.rst | 230 ++ .../nss_sample_code/sample1_-_hashing/index.rst | 257 ++ .../rst/legacy/nss_sample_code/sample2/index.rst | 12 + .../sample2_-_initialize_nss_database/index.rst | 250 ++ .../index.rst | 30 + .../utiltiies_for_nss_samples/index.rst | 747 ++++ .../legacy/nss_sources_building_testing/index.rst | 123 + .../nss/doc/rst/legacy/nss_tech_notes/index.rst | 23 + .../legacy/nss_tech_notes/nss_tech_note1/index.rst | 196 ++ .../legacy/nss_tech_notes/nss_tech_note2/index.rst | 167 + .../legacy/nss_tech_notes/nss_tech_note3/index.rst | 234 ++ .../legacy/nss_tech_notes/nss_tech_note4/index.rst | 221 ++ .../legacy/nss_tech_notes/nss_tech_note5/index.rst | 659 ++++ .../legacy/nss_tech_notes/nss_tech_note6/index.rst | 104 + .../legacy/nss_tech_notes/nss_tech_note7/index.rst | 189 + .../legacy/nss_tech_notes/nss_tech_note8/index.rst | 130 + .../doc/rst/legacy/nss_third-party_code/index.rst | 45 + .../doc/rst/legacy/nss_tools_sslstrength/index.rst | 81 + security/nss/doc/rst/legacy/overview/index.rst | 167 + security/nss/doc/rst/legacy/pkcs11/faq/index.rst | 390 +++ security/nss/doc/rst/legacy/pkcs11/index.rst | 14 + .../legacy/pkcs11/module_installation/index.rst | 56 + .../doc/rst/legacy/pkcs11/module_specs/index.rst | 365 ++ .../nss/doc/rst/legacy/pkcs11_functions/index.rst | 554 +++ .../nss/doc/rst/legacy/pkcs11_implement/index.rst | 477 +++ .../nss/doc/rst/legacy/pkcs_12_functions/index.rst | 37 + .../nss/doc/rst/legacy/pkcs_7_functions/index.rst | 55 + .../rst/legacy/python_binding_for_nss/index.rst | 1795 ++++++++++ .../build_instructions/index.rst | 152 + .../building_and_installing_nss/index.rst | 12 + .../installation_guide/index.rst | 50 + .../migration_to_hg/index.rst | 49 + .../sample_manual_installation/index.rst | 27 + .../legacy/reference/fc_cancelfunction/index.rst | 61 + .../legacy/reference/fc_closeallsessions/index.rst | 66 + .../rst/legacy/reference/fc_closesession/index.rst | 60 + .../rst/legacy/reference/fc_copyobject/index.rst | 74 + .../rst/legacy/reference/fc_createobject/index.rst | 70 + .../doc/rst/legacy/reference/fc_decrypt/index.rst | 73 + .../reference/fc_decryptdigestupdate/index.rst | 76 + .../rst/legacy/reference/fc_decryptfinal/index.rst | 67 + .../rst/legacy/reference/fc_decryptinit/index.rst | 66 + .../legacy/reference/fc_decryptupdate/index.rst | 74 + .../reference/fc_decryptverifyupdate/index.rst | 76 + .../rst/legacy/reference/fc_derivekey/index.rst | 77 + .../legacy/reference/fc_destroyobject/index.rst | 64 + .../doc/rst/legacy/reference/fc_digest/index.rst | 74 + .../reference/fc_digestencryptupdate/index.rst | 76 + .../rst/legacy/reference/fc_digestfinal/index.rst | 69 + .../rst/legacy/reference/fc_digestinit/index.rst | 63 + .../rst/legacy/reference/fc_digestkey/index.rst | 66 + .../rst/legacy/reference/fc_digestupdate/index.rst | 70 + .../doc/rst/legacy/reference/fc_encrypt/index.rst | 73 + .../rst/legacy/reference/fc_encryptfinal/index.rst | 68 + .../rst/legacy/reference/fc_encryptinit/index.rst | 71 + .../legacy/reference/fc_encryptupdate/index.rst | 74 + .../doc/rst/legacy/reference/fc_finalize/index.rst | 88 + .../rst/legacy/reference/fc_findobjects/index.rst | 70 + .../legacy/reference/fc_findobjectsfinal/index.rst | 59 + .../legacy/reference/fc_findobjectsinit/index.rst | 70 + .../rst/legacy/reference/fc_generatekey/index.rst | 73 + .../legacy/reference/fc_generatekeypair/index.rst | 83 + .../legacy/reference/fc_generaterandom/index.rst | 67 + .../reference/fc_getattributevalue/index.rst | 70 + .../legacy/reference/fc_getfunctionlist/index.rst | 79 + .../reference/fc_getfunctionstatus/index.rst | 60 + .../doc/rst/legacy/reference/fc_getinfo/index.rst | 110 + .../legacy/reference/fc_getmechanisminfo/index.rst | 72 + .../legacy/reference/fc_getmechanismlist/index.rst | 70 + .../legacy/reference/fc_getobjectsize/index.rst | 67 + .../reference/fc_getoperationstate/index.rst | 69 + .../legacy/reference/fc_getsessioninfo/index.rst | 76 + .../rst/legacy/reference/fc_getslotinfo/index.rst | 71 + .../rst/legacy/reference/fc_getslotlist/index.rst | 69 + .../rst/legacy/reference/fc_gettokeninfo/index.rst | 106 + .../rst/legacy/reference/fc_initialize/index.rst | 131 + .../doc/rst/legacy/reference/fc_initpin/index.rst | 78 + .../rst/legacy/reference/fc_inittoken/index.rst | 110 + .../doc/rst/legacy/reference/fc_login/index.rst | 88 + .../doc/rst/legacy/reference/fc_logout/index.rst | 58 + .../rst/legacy/reference/fc_opensession/index.rst | 78 + .../rst/legacy/reference/fc_seedrandom/index.rst | 70 + .../reference/fc_setattributevalue/index.rst | 70 + .../reference/fc_setoperationstate/index.rst | 76 + .../doc/rst/legacy/reference/fc_setpin/index.rst | 75 + .../nss/doc/rst/legacy/reference/fc_sign/index.rst | 74 + .../reference/fc_signencryptupdate/index.rst | 75 + .../rst/legacy/reference/fc_signfinal/index.rst | 68 + .../doc/rst/legacy/reference/fc_signinit/index.rst | 68 + .../rst/legacy/reference/fc_signrecover/index.rst | 75 + .../legacy/reference/fc_signrecoverinit/index.rst | 68 + .../rst/legacy/reference/fc_signupdate/index.rst | 69 + .../rst/legacy/reference/fc_unwrapkey/index.rst | 83 + .../doc/rst/legacy/reference/fc_verify/index.rst | 75 + .../rst/legacy/reference/fc_verifyfinal/index.rst | 67 + .../rst/legacy/reference/fc_verifyinit/index.rst | 67 + .../legacy/reference/fc_verifyrecover/index.rst | 75 + .../reference/fc_verifyrecoverinit/index.rst | 68 + .../rst/legacy/reference/fc_verifyupdate/index.rst | 70 + .../legacy/reference/fc_waitforslotevent/index.rst | 61 + .../doc/rst/legacy/reference/fc_wrapkey/index.rst | 77 + security/nss/doc/rst/legacy/reference/index.rst | 340 ++ .../rst/legacy/reference/nsc_inittoken/index.rst | 113 + .../doc/rst/legacy/reference/nsc_login/index.rst | 88 + .../rst/legacy/reference/nspr_functions/index.rst | 126 + .../reference/nss_certificate_functions/index.rst | 609 ++++ .../fips_mode_of_operation/index.rst | 190 ++ .../reference/nss_cryptographic_module/index.rst | 29 + .../reference/nss_environment_variables/index.rst | 515 +++ .../rst/legacy/reference/nss_functions/index.rst | 105 + .../rst/legacy/reference/nss_initialize/index.rst | 113 + .../legacy/reference/nss_key_functions/index.rst | 60 + .../doc/rst/legacy/reference/nss_tools/index.rst | 26 + .../reference/nss_tools__colon__certutil/index.rst | 845 +++++ .../reference/nss_tools__colon__cmsutil/index.rst | 192 ++ .../reference/nss_tools__colon__crlutil/index.rst | 379 +++ .../reference/nss_tools__colon__modutil/index.rst | 901 +++++ .../reference/nss_tools__colon__pk12util/index.rst | 442 +++ .../reference/nss_tools__colon__ssltab/index.rst | 573 ++++ .../reference/nss_tools__colon__ssltap/index.rst | 573 ++++ .../reference/nss_tools__colon__vfychain/index.rst | 132 + .../reference/nss_tools__colon__vfyserv/index.rst | 50 + .../rst/legacy/reference/troubleshoot/index.rst | 78 + .../nss/doc/rst/legacy/release_notes/index.rst | 138 + .../nss/doc/rst/legacy/s_mime_functions/index.rst | 111 + .../doc/rst/legacy/ssl_functions/gtstd/index.rst | 264 ++ .../nss/doc/rst/legacy/ssl_functions/index.rst | 83 + .../ssl_functions/old_ssl_reference/index.rst | 269 ++ .../doc/rst/legacy/ssl_functions/pkfnc/index.rst | 439 +++ .../doc/rst/legacy/ssl_functions/sslcrt/index.rst | 632 ++++ .../doc/rst/legacy/ssl_functions/sslerr/index.rst | 1434 ++++++++ .../doc/rst/legacy/ssl_functions/sslfnc/index.rst | 3595 ++++++++++++++++++++ .../rst/legacy/ssl_functions/sslintro/index.rst | 291 ++ .../doc/rst/legacy/ssl_functions/sslkey/index.rst | 107 + .../doc/rst/legacy/ssl_functions/ssltyp/index.rst | 343 ++ .../legacy/tls_cipher_suite_discovery/index.rst | 114 + .../nss/doc/rst/legacy/tools/certutil/index.rst | 702 ++++ .../nss/doc/rst/legacy/tools/cmsutil/index.rst | 111 + .../nss/doc/rst/legacy/tools/crlutil/index.rst | 229 ++ security/nss/doc/rst/legacy/tools/index.rst | 125 + .../nss/doc/rst/legacy/tools/modutil/index.rst | 640 ++++ .../tools/nss_tools_certutil-tasks/index.rst | 32 + .../rst/legacy/tools/nss_tools_certutil/index.rst | 666 ++++ .../rst/legacy/tools/nss_tools_cmsutil/index.rst | 119 + .../rst/legacy/tools/nss_tools_crlutil/index.rst | 441 +++ .../legacy/tools/nss_tools_dbck-tasks/index.rst | 28 + .../legacy/tools/nss_tools_modutil-tasks/index.rst | 24 + .../rst/legacy/tools/nss_tools_modutil/index.rst | 912 +++++ .../tools/nss_tools_pk12util-tasks/index.rst | 23 + .../rst/legacy/tools/nss_tools_pk12util/index.rst | 217 ++ .../legacy/tools/nss_tools_signver-tasks/index.rst | 22 + .../legacy/tools/nss_tools_sslstrength/index.rst | 87 + .../rst/legacy/tools/nss_tools_ssltap/index.rst | 621 ++++ .../nss/doc/rst/legacy/tools/pk12util/index.rst | 282 ++ .../nss/doc/rst/legacy/tools/signtool/index.rst | 547 +++ .../nss/doc/rst/legacy/tools/signver/index.rst | 118 + security/nss/doc/rst/legacy/tools/ssltap/index.rst | 495 +++ .../nss/doc/rst/legacy/tools/vfychain/index.rst | 92 + .../nss/doc/rst/legacy/tools/vfyserv/index.rst | 8 + .../nss/doc/rst/legacy/troubleshooting/index.rst | 11 + .../nss/doc/rst/legacy/utility_functions/index.rst | 427 +++ security/nss/doc/rst/more.rst | 153 + security/nss/doc/rst/releases/index.rst | 99 + security/nss/doc/rst/releases/nss_3_64.rst | 69 + security/nss/doc/rst/releases/nss_3_65.rst | 77 + security/nss/doc/rst/releases/nss_3_66.rst | 79 + security/nss/doc/rst/releases/nss_3_67.rst | 70 + security/nss/doc/rst/releases/nss_3_68.rst | 61 + security/nss/doc/rst/releases/nss_3_68_1.rst | 62 + security/nss/doc/rst/releases/nss_3_68_2.rst | 57 + security/nss/doc/rst/releases/nss_3_68_3.rst | 72 + security/nss/doc/rst/releases/nss_3_68_4.rst | 59 + security/nss/doc/rst/releases/nss_3_69.rst | 64 + security/nss/doc/rst/releases/nss_3_69_1.rst | 76 + security/nss/doc/rst/releases/nss_3_70.rst | 68 + security/nss/doc/rst/releases/nss_3_71.rst | 63 + security/nss/doc/rst/releases/nss_3_72.rst | 60 + security/nss/doc/rst/releases/nss_3_72_1.rst | 57 + security/nss/doc/rst/releases/nss_3_73.rst | 65 + security/nss/doc/rst/releases/nss_3_73_1.rst | 57 + security/nss/doc/rst/releases/nss_3_74.rst | 77 + security/nss/doc/rst/releases/nss_3_75.rst | 89 + security/nss/doc/rst/releases/nss_3_76.rst | 63 + security/nss/doc/rst/releases/nss_3_76_1.rst | 68 + security/nss/doc/rst/releases/nss_3_77.rst | 92 + security/nss/doc/rst/releases/nss_3_78.rst | 64 + security/nss/doc/rst/releases/nss_3_78_1.rst | 59 + security/nss/doc/rst/releases/nss_3_79.rst | 70 + security/nss/doc/rst/releases/nss_3_79_1.rst | 62 + security/nss/doc/rst/releases/nss_3_79_2.rst | 59 + security/nss/doc/rst/releases/nss_3_79_3.rst | 58 + security/nss/doc/rst/releases/nss_3_79_4.rst | 58 + security/nss/doc/rst/releases/nss_3_80.rst | 75 + security/nss/doc/rst/releases/nss_3_81.rst | 60 + security/nss/doc/rst/releases/nss_3_82.rst | 61 + security/nss/doc/rst/releases/nss_3_83.rst | 74 + security/nss/doc/rst/releases/nss_3_84.rst | 58 + security/nss/doc/rst/releases/nss_3_85.rst | 72 + security/nss/doc/rst/releases/nss_3_86.rst | 72 + security/nss/doc/rst/releases/nss_3_87.rst | 68 + security/nss/doc/rst/releases/nss_3_87_1.rst | 57 + security/nss/doc/rst/releases/nss_3_88.rst | 82 + security/nss/doc/rst/releases/nss_3_88_1.rst | 58 + security/nss/doc/rst/releases/nss_3_89.rst | 83 + security/nss/doc/rst/releases/nss_3_89_1.rst | 59 + security/nss/doc/rst/releases/nss_3_90.rst | 89 + security/nss/doc/rst/releases/nss_3_90_1.rst | 59 + security/nss/doc/rst/releases/nss_3_90_2.rst | 56 + security/nss/doc/rst/releases/nss_3_91.rst | 70 + security/nss/doc/rst/releases/nss_3_92.rst | 66 + security/nss/doc/rst/releases/nss_3_93.rst | 59 + security/nss/doc/rst/releases/nss_3_94.rst | 65 + security/nss/doc/rst/releases/nss_3_95.rst | 70 + security/nss/doc/rst/releases/nss_3_96.rst | 17 + security/nss/doc/rst/releases/nss_3_96_1.rst | 58 + security/nss/doc/rst/releases/nss_3_97.rst | 68 + security/nss/doc/rst/releases/nss_3_98.rst | 76 + security/nss/doc/signtool.xml | 681 ++++ security/nss/doc/signver.xml | 229 ++ security/nss/doc/ssltap.xml | 579 ++++ security/nss/doc/vfychain.xml | 232 ++ security/nss/doc/vfyserv.xml | 85 + 473 files changed, 96491 insertions(+) create mode 100644 security/nss/doc/Makefile create mode 100644 security/nss/doc/README create mode 100644 security/nss/doc/certutil.xml create mode 100644 security/nss/doc/cmsutil.xml create mode 100644 security/nss/doc/crlutil.xml create mode 100644 security/nss/doc/derdump.xml create mode 100644 security/nss/doc/html/certutil.html create mode 100644 security/nss/doc/html/cmsutil.html create mode 100644 security/nss/doc/html/crlutil.html create mode 100644 security/nss/doc/html/derdump.html create mode 100644 security/nss/doc/html/modutil.html create mode 100644 security/nss/doc/html/pk12util.html create mode 100644 security/nss/doc/html/pp.html create mode 100644 security/nss/doc/html/signtool.html create mode 100644 security/nss/doc/html/signver.html create mode 100644 security/nss/doc/html/ssltap.html create mode 100644 security/nss/doc/html/vfychain.html create mode 100644 security/nss/doc/html/vfyserv.html create mode 100644 security/nss/doc/modutil.xml create mode 100644 security/nss/doc/nroff/certutil.1 create mode 100644 security/nss/doc/nroff/cmsutil.1 create mode 100644 security/nss/doc/nroff/crlutil.1 create mode 100644 security/nss/doc/nroff/derdump.1 create mode 100644 security/nss/doc/nroff/modutil.1 create mode 100644 security/nss/doc/nroff/pk12util.1 create mode 100644 security/nss/doc/nroff/pp.1 create mode 100644 security/nss/doc/nroff/signtool.1 create mode 100644 security/nss/doc/nroff/signver.1 create mode 100644 security/nss/doc/nroff/ssltap.1 create mode 100644 security/nss/doc/nroff/vfychain.1 create mode 100644 security/nss/doc/nroff/vfyserv.1 create mode 100644 security/nss/doc/nss-policy-check.xml create mode 100644 security/nss/doc/pk12util.xml create mode 100644 security/nss/doc/pp.xml create mode 100644 security/nss/doc/rst/build.rst create mode 100644 security/nss/doc/rst/build_artifacts.rst create mode 100644 security/nss/doc/rst/community.rst create mode 100644 security/nss/doc/rst/getting_started.rst create mode 100644 security/nss/doc/rst/index.rst create mode 100644 security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst create mode 100644 security/nss/doc/rst/legacy/blank_function/index.rst create mode 100644 security/nss/doc/rst/legacy/building/index.rst create mode 100644 security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst create mode 100644 security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst create mode 100644 security/nss/doc/rst/legacy/certificate_download_specification/index.rst create mode 100644 security/nss/doc/rst/legacy/certificate_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/certverify_log/index.rst create mode 100644 security/nss/doc/rst/legacy/code_coverage/index.rst create mode 100644 security/nss/doc/rst/legacy/cryptography_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst create mode 100644 security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst create mode 100644 security/nss/doc/rst/legacy/faq/index.rst create mode 100644 security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst create mode 100644 security/nss/doc/rst/legacy/http_delegation/index.rst create mode 100644 security/nss/doc/rst/legacy/http_delegation_clone/index.rst create mode 100644 security/nss/doc/rst/legacy/index.rst create mode 100644 security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/jss_faq/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/jss/using_jss/index.rst create mode 100644 security/nss/doc/rst/legacy/key_log_format/index.rst create mode 100644 security/nss/doc/rst/legacy/memory_allocation/index.rst create mode 100644 security/nss/doc/rst/legacy/modutil-tasks.html/index.rst create mode 100644 security/nss/doc/rst/legacy/more_docs.rst create mode 100644 security/nss/doc/rst/legacy/new_nss_samples/index.rst create mode 100644 security/nss/doc/rst/legacy/notes_on_tls_-_ssl_3.0_intolerant_servers/index.rst create mode 100644 security/nss/doc/rst/legacy/nroff/certutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/cmsutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/crlutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/derdump.1 create mode 100644 security/nss/doc/rst/legacy/nroff/modutil.1 create mode 100644 security/nss/doc/rst/legacy/nroff/pk12util.1 create mode 100644 security/nss/doc/rst/legacy/nroff/pp.1 create mode 100644 security/nss/doc/rst/legacy/nroff/signtool.1 create mode 100644 security/nss/doc/rst/legacy/nroff/signver.1 create mode 100644 security/nss/doc/rst/legacy/nroff/ssltap.1 create mode 100644 security/nss/doc/rst/legacy/nroff/vfychain.1 create mode 100644 security/nss/doc/rst/legacy/nroff/vfyserv.1 create mode 100644 security/nss/doc/rst/legacy/nss_3.11.10_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.12.1_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.12.2_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.12_release_notes.html/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_3.37.3release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_api_guidelines/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_config_options/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_developer_tutorial/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_release_notes_template/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/jss_4.4.0_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.12.9_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.14_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.3.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.15_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.16_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.17_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.18.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.18_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.19_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.20_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.21_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.22_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.23_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.24_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.25.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.25_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.26.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.26_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.27_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.28_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.29_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.30_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.31.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.31_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.32_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.33_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.34.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.34_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.35_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.5_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.6_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.7_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36.8_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.36_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.37.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.37_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.38_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.39_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.40.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.40_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.41.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.41_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.42.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.42_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.43_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.3_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44.4_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.44_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.45_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.46.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.46_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.47.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.47_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.48.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.48_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49.2_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.49_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.50_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.51.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.51_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.52.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.52_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.53.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.53_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.54_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.55_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.56_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.57_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.58_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.59.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.59_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.60.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.60_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.61_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.62_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.63.1_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.63_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_releases/nss_3.64_release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/enc_dec_mac_output_plblic_key_as_csr/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/enc_dec_mac_using_key_wrap_certreq_pkcs10_csr/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/encrypt_decrypt_mac_using_token/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample2/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample3/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample4/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample5/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample6/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_1_hashing/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_2_initialization_of_nss/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_sample_3_basic_encryption_and_maci/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/nss_sample_code_utililies_1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample1_-_hashing/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample2/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample2_-_initialize_nss_database/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/sample3_-_encdecmac_using_token_object/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sample_code/utiltiies_for_nss_samples/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_sources_building_testing/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note1/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note2/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note3/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note4/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note5/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note6/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note7/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tech_notes/nss_tech_note8/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_third-party_code/index.rst create mode 100644 security/nss/doc/rst/legacy/nss_tools_sslstrength/index.rst create mode 100644 security/nss/doc/rst/legacy/overview/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/faq/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/module_installation/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11/module_specs/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs11_implement/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs_12_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/pkcs_7_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/python_binding_for_nss/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/build_instructions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/installation_guide/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/migration_to_hg/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/building_and_installing_nss/sample_manual_installation/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_cancelfunction/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_closeallsessions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_closesession/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_copyobject/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_createobject/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decrypt/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptdigestupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_decryptverifyupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_derivekey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_destroyobject/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digest/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestencryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestkey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_digestupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encrypt/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encryptfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encryptinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_encryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_finalize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_findobjects/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_findobjectsfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_findobjectsinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_generatekey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_generatekeypair/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_generaterandom/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getattributevalue/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getfunctionlist/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getfunctionstatus/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getinfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getmechanisminfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getmechanismlist/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getobjectsize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getoperationstate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getsessioninfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getslotinfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_getslotlist/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_gettokeninfo/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_initialize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_initpin/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_inittoken/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_login/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_logout/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_opensession/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_seedrandom/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_setattributevalue/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_setoperationstate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_setpin/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_sign/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signencryptupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signrecover/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signrecoverinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_signupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_unwrapkey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verify/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyfinal/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyrecover/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyrecoverinit/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_verifyupdate/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_waitforslotevent/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/fc_wrapkey/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nsc_inittoken/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nsc_login/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nspr_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_certificate_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_cryptographic_module/fips_mode_of_operation/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_cryptographic_module/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_environment_variables/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_initialize/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_key_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__certutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__cmsutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__crlutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__modutil/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__pk12util/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltab/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__ssltap/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__vfychain/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/nss_tools__colon__vfyserv/index.rst create mode 100644 security/nss/doc/rst/legacy/reference/troubleshoot/index.rst create mode 100644 security/nss/doc/rst/legacy/release_notes/index.rst create mode 100644 security/nss/doc/rst/legacy/s_mime_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/gtstd/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/old_ssl_reference/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/pkfnc/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslcrt/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslerr/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslfnc/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslintro/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/sslkey/index.rst create mode 100644 security/nss/doc/rst/legacy/ssl_functions/ssltyp/index.rst create mode 100644 security/nss/doc/rst/legacy/tls_cipher_suite_discovery/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/certutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/cmsutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/crlutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/modutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_certutil-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_certutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_cmsutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_crlutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_dbck-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_modutil-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_modutil/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_pk12util-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_pk12util/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_signver-tasks/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_sslstrength/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/nss_tools_ssltap/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/pk12util/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/signtool/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/signver/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/ssltap/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/vfychain/index.rst create mode 100644 security/nss/doc/rst/legacy/tools/vfyserv/index.rst create mode 100644 security/nss/doc/rst/legacy/troubleshooting/index.rst create mode 100644 security/nss/doc/rst/legacy/utility_functions/index.rst create mode 100644 security/nss/doc/rst/more.rst create mode 100644 security/nss/doc/rst/releases/index.rst create mode 100644 security/nss/doc/rst/releases/nss_3_64.rst create mode 100644 security/nss/doc/rst/releases/nss_3_65.rst create mode 100644 security/nss/doc/rst/releases/nss_3_66.rst create mode 100644 security/nss/doc/rst/releases/nss_3_67.rst create mode 100644 security/nss/doc/rst/releases/nss_3_68.rst create mode 100644 security/nss/doc/rst/releases/nss_3_68_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_68_2.rst create mode 100644 security/nss/doc/rst/releases/nss_3_68_3.rst create mode 100644 security/nss/doc/rst/releases/nss_3_68_4.rst create mode 100644 security/nss/doc/rst/releases/nss_3_69.rst create mode 100644 security/nss/doc/rst/releases/nss_3_69_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_70.rst create mode 100644 security/nss/doc/rst/releases/nss_3_71.rst create mode 100644 security/nss/doc/rst/releases/nss_3_72.rst create mode 100644 security/nss/doc/rst/releases/nss_3_72_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_73.rst create mode 100644 security/nss/doc/rst/releases/nss_3_73_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_74.rst create mode 100644 security/nss/doc/rst/releases/nss_3_75.rst create mode 100644 security/nss/doc/rst/releases/nss_3_76.rst create mode 100644 security/nss/doc/rst/releases/nss_3_76_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_77.rst create mode 100644 security/nss/doc/rst/releases/nss_3_78.rst create mode 100644 security/nss/doc/rst/releases/nss_3_78_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_79.rst create mode 100644 security/nss/doc/rst/releases/nss_3_79_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_79_2.rst create mode 100644 security/nss/doc/rst/releases/nss_3_79_3.rst create mode 100644 security/nss/doc/rst/releases/nss_3_79_4.rst create mode 100644 security/nss/doc/rst/releases/nss_3_80.rst create mode 100644 security/nss/doc/rst/releases/nss_3_81.rst create mode 100644 security/nss/doc/rst/releases/nss_3_82.rst create mode 100644 security/nss/doc/rst/releases/nss_3_83.rst create mode 100644 security/nss/doc/rst/releases/nss_3_84.rst create mode 100644 security/nss/doc/rst/releases/nss_3_85.rst create mode 100644 security/nss/doc/rst/releases/nss_3_86.rst create mode 100644 security/nss/doc/rst/releases/nss_3_87.rst create mode 100644 security/nss/doc/rst/releases/nss_3_87_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_88.rst create mode 100644 security/nss/doc/rst/releases/nss_3_88_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_89.rst create mode 100644 security/nss/doc/rst/releases/nss_3_89_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_90.rst create mode 100644 security/nss/doc/rst/releases/nss_3_90_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_90_2.rst create mode 100644 security/nss/doc/rst/releases/nss_3_91.rst create mode 100644 security/nss/doc/rst/releases/nss_3_92.rst create mode 100644 security/nss/doc/rst/releases/nss_3_93.rst create mode 100644 security/nss/doc/rst/releases/nss_3_94.rst create mode 100644 security/nss/doc/rst/releases/nss_3_95.rst create mode 100644 security/nss/doc/rst/releases/nss_3_96.rst create mode 100644 security/nss/doc/rst/releases/nss_3_96_1.rst create mode 100644 security/nss/doc/rst/releases/nss_3_97.rst create mode 100644 security/nss/doc/rst/releases/nss_3_98.rst create mode 100644 security/nss/doc/signtool.xml create mode 100644 security/nss/doc/signver.xml create mode 100644 security/nss/doc/ssltap.xml create mode 100644 security/nss/doc/vfychain.xml create mode 100644 security/nss/doc/vfyserv.xml (limited to 'security/nss/doc') diff --git a/security/nss/doc/Makefile b/security/nss/doc/Makefile new file mode 100644 index 0000000000..a4d85a69ce --- /dev/null +++ b/security/nss/doc/Makefile @@ -0,0 +1,69 @@ +#! gmake +# +# Creates man pages for the NSS security tools +# +# pk12util, certutil, modutil, ssltap, +# signtool, signver, cmsutil, crlutil, +# derdump, pp, vfychain, vfyserv +# + +.SUFFIXES: .html .txt .1 .xml + +COMPILE.1 = xmlto -o nroff man +COMPILE.html = xmlto -o html html + +# the name of the tar ball +name = nss-man +date = `date +"%Y%m%d"` + +all: prepare all-man all-html + +prepare: date-and-version + mkdir -p html + mkdir -p nroff + +clean: + rm -f date.xml version.xml *.tar.bz2 + rm -f html/*.proc + rm -fr $(name) ascii + +date-and-version: date.xml version.xml + +date.xml: + date +"%e %B %Y" | tr -d '\n' > $@ + +version.xml: + echo -n ${VERSION} > $@ + +.PHONY : $(MANPAGES) +.PHONY : $(HTMLPAGES) +.PHONY : $(TXTPAGES) + +#-------------------------------------------------------- +# manpages +#-------------------------------------------------------- + +nroff/%.1 : %.xml + $(COMPILE.1) $< + +MANPAGES = \ +nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \ +nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \ +nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1 + +all-man: prepare $(MANPAGES) + +#-------------------------------------------------------- +# html pages +#-------------------------------------------------------- + +html/%.html : %.xml + $(COMPILE.html) $< + mv html/index.html $@ + +HTMLPAGES = \ +html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \ +html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \ +html/vfychain.html html/vfyserv.html html/nss-policy-check.html + +all-html: prepare $(HTMLPAGES) diff --git a/security/nss/doc/README b/security/nss/doc/README new file mode 100644 index 0000000000..a579a2fbd3 --- /dev/null +++ b/security/nss/doc/README @@ -0,0 +1,7 @@ +A convenient tool to edit these files is + https://sourceforge.net/projects/xml-copy-editor/ + +Assuming the documentation text will remain plain US-ASCII, +please disable the option + "Save UTF-8 byte order mark". + diff --git a/security/nss/doc/certutil.xml b/security/nss/doc/certutil.xml new file mode 100644 index 0000000000..13e49d8647 --- /dev/null +++ b/security/nss/doc/certutil.xml @@ -0,0 +1,1298 @@ + + + +]> + + + + + &date; + NSS Security Tools + nss-tools + &version; + + + + CERTUTIL + 1 + + + + certutil + Manage keys and certificate in both NSS databases and other NSS tokens + + + + + certutil + options + [arguments] + + + + + STATUS + This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 + + + + + Description + + The Certificate Database Tool, certutil, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database. + Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the modutil manpage. + + + + + Command Options and Arguments + Running certutil always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option will list all the command options and their relevant arguments. + Command Options + + + + -A + Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default. + + + + -B + Run a series of commands from the specified batch file. This requires the argument. + + + + -C + Create a new binary certificate file from a binary certificate request file. Use the argument to specify the certificate request file. If this argument is not used, certutil prompts for a filename. + + + + -D + Delete a certificate from the certificate database. + + + + --rename + Change the database nickname of a certificate. + + + + -E + Add an email certificate to the certificate database. + + + + -F + Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the + argument. + + +Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair. + + + + -G + Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten. + + + + -H + Display a list of the command options and arguments. + + + + -K + List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown). + + + + -L + List all the certificates, or display information about a named certificate, in a certificate database. +Use the -h tokenname argument to specify the certificate database on a particular hardware or software token. + + + + -M + Modify a certificate's trust attributes using the values of the -t argument. + + + + -N + Create new certificate and key databases. + + + + -O + Print the certificate chain. + + + + -R + Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument. + +Use the -a argument to specify ASCII output. + + + + -S + Create an individual certificate and add it to a certificate database. + + + + -T + Reset the key database or token. + + + + -U + List all available modules or print a single named module. + + + + -V + Check the validity of a certificate and its attributes. + + + + -W + Change the password to a key database. + + + + --merge + Merge two databases into one. + + + + --upgrade-merge + Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (cert8.db and key3.db) into the newer SQLite databases (cert9.db and key4.db). + + + + Arguments + Arguments modify a command option and are usually lower case, numbers, or symbols. + + + -a + Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. +For certificate requests, ASCII output defaults to standard output unless redirected. + + + + --simple-self-signed + When printing the certificate chain, don't search for a chain if issuer name equals to subject name. + + + -b validity-time + Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the option. The format of the validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be set relative to the validity end time. Specifying seconds (SS) is optional. When specifying an explicit time, use a Z at the end of the term, YYMMDDHHMMSSZ, to close it. When specifying an offset time, use YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or subtracting time, respectively. + + +If this option is not used, the validity check defaults to the current system time. + + + + -c issuer + Identify the certificate of the CA from which a new certificate will derive its authenticity. + Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string + with quotation marks if it contains spaces. + + + + -d [prefix]directory + + Specify the database directory containing the certificate and key database files. + certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). + NSS recognizes the following prefixes: + + sql: requests the newer database + dbm: requests the legacy database + + If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then sql: is the default. + + + + + --dump-ext-val OID + For single cert, print binary DER encoding of extension OID. + + + + -e + Check a certificate's signature during the process of validating a certificate. + + + + --email email-address + Specify the email address of a certificate to list. Used with the -L command option. + + + + --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... + + +Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files. + + + +OID (example): 1.2.3.4 + + +critical-flag: critical or not-critical + + +filename: full path to a file containing an encoded extension + + + + + + + -f password-file + Specify a file that will automatically supply the password to include in a certificate + or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent + unauthorized access to this file. + + + + -g keysize + Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed. + + + + + -h tokenname + Specify the name of a token to use or act on. If not specified the default token is the internal database slot. + The name can also be a PKCS #11 URI. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB". For details about the format, see RFC 7512. + + + + -i input_file + Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands. + + + + -k key-type-or-id + + Specify the type or specific ID of a key. + + The valid key type options are rsa, dsa, ec, or all. The default + value is rsa. Specifying the type of key can avoid mistakes caused by + duplicate nicknames. Giving a key type generates a new key pair; + giving the ID of an existing key reuses that key pair (which is + required to renew certificates). + + + + + + -l + Display detailed information when validating a certificate with the -V option. + + + + -m serial-number + Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers + + + + -n nickname + Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces. + The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512. + + + + -o output-file + Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output. + + + + -P dbPrefix + Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix. + + + + -p phone + Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. + + + + -q pqgfile or curve-name + + Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, certutil generates its own PQG value. PQG files are created with a separate DSA utility. + Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519. + + If a token is available that supports more curves, the foolowing curves are supported as well: + sect163k1, nistk163, sect163r1, sect163r2, + nistb163, sect193r1, sect193r2, sect233k1, nistk233, + sect233r1, nistb233, sect239k1, sect283k1, nistk283, + sect283r1, nistb283, sect409k1, nistk409, sect409r1, + nistb409, sect571k1, nistk571, sect571r1, nistb571, + secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, + nistp192, secp224k1, secp224r1, nistp224, secp256k1, + secp256r1, secp384r1, secp521r1, + prime192v1, prime192v2, prime192v3, + prime239v1, prime239v2, prime239v3, c2pnb163v1, + c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, + c2tnb191v2, c2tnb191v3, + c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, + c2pnb272w1, c2pnb304w1, + c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, + secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, + sect131r1, sect131r2 + + + + + + + -r + Display a certificate's binary DER encoding when listing information about that certificate with the -L option. + + + + -s subject + Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485. + + + + -t trustargs + Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order SSL, email, object signing for each trust setting. In each category position, use none, any, or all +of the attribute codes: + + + + + p - Valid peer + + + + + P - Trusted peer (implies p) + + + + + c - Valid CA + + + + + C - Trusted CA (implies c) + + + + + T - trusted CA for client authentication (ssl server only) + + + + + The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example: + +-t "TC,C,T" + + Use the -L option to see a list of the current certificates and trust attributes in a certificate database. + + Note that the output of the -L option may include "u" flag, which means that there is a private key associated with the certificate. It is a dynamic flag and you cannot set it with certutil. + + + + -u certusage + Specify a usage context to apply when validating a certificate with the -V option.The contexts are the following: + + +C (as an SSL client) + + +V (as an SSL server) + + +L (as an SSL CA) + + +A (as Any CA) + + +Y (Verify CA) + + +S (as an email signer) + + +R (as an email recipient) + + +O (as an OCSP status responder) + + +J (as an object signer) + + +I (as an IPSEC user) + + + + + + -v valid-months + Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the option. If this argument is not used, the default validity period is three months. + + + + -w offset-months + Set an offset from the current system time, in months, + for the beginning of a certificate's validity period. Use when creating + the certificate or adding it to a database. Express the offset in integers, + using a minus sign (-) to indicate a negative offset. If this argument is + not used, the validity period begins at the current system time. The length + of the validity period is set with the -v argument. + + + + -X + Force the key and certificate database to open in read-write mode. This is used with the and command options. + + + + -x + Use certutil to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA. + + + + -y exp + Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17. + + + + --pss + Restrict the generated certificate (with the option) or certificate request (with the option) to be used with the RSA-PSS signature scheme. This only works when the private key of the certificate or certificate request is RSA. + + + + --pss-sign + Sign the generated certificate with the RSA-PSS signature scheme (with the or option). This only works when the private key of the signer's certificate is RSA. If the signer's certificate is restricted to RSA-PSS, it is not necessary to specify this option. + + + + -z noise-file + Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes. + + + + -Z hashAlg + + Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords: + + MD2 + MD4 + MD5 + SHA1 + SHA224 + SHA256 + SHA384 + SHA512 + + + + + + -0 SSO_password + Set a site security officer password on a token. + + + + -1 | --keyUsage keyword,keyword + Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords: + + + + digitalSignature + + + + + nonRepudiation + + + + + keyEncipherment + + + + + dataEncipherment + + + + + keyAgreement + + + + + certSigning + + + + + crlSigning + + + + + critical + + + + + + + + -2 + Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. certutil prompts for the certificate constraint extension to select. +X.509 certificate extensions are described in RFC 5280. + + + + -3 + Add an authority key ID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. The Certificate Database Tool will prompt you to select the authority key ID extension. +X.509 certificate extensions are described in RFC 5280. + + + + -4 + Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). certutil prompts for the URL. +X.509 certificate extensions are described in RFC 5280. + + + + -5 | --nsCertType keyword,keyword + Add an X.509 V3 certificate type extension to a certificate that is being created or added to the database. There are several available keywords: + + + + sslClient + + + + + sslServer + + + + + smime + + + + + objectSigning + + + + + sslCA + + + + + smimeCA + + + + + objectSigningCA + + + + + critical + + + + +X.509 certificate extensions are described in RFC 5280. + + + + -6 | --extKeyUsage keyword,keyword + Add an extended key usage extension to a certificate that is being created or added to the database. Several keywords are available: + + + + serverAuth + + + + + clientAuth + + + + + codeSigning + + + + + emailProtection + + + + + timeStamp + + + + + ocspResponder + + + + + stepUp + + + + + msTrustListSign + + + + + critical + + + + + x509Any + + + + + ipsecIKE + + + + + ipsecIKEEnd + + + + + ipsecIKEIntermediate + + + + + ipsecEnd + + + + + ipsecTunnel + + + + + ipsecUser + + + +X.509 certificate extensions are described in RFC 5280. + + + + -7 emailAddrs + Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280. + + + + -8 dns-names + Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280. + + + + --extAIA + Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280. + + + + --extSIA + Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280. + + + + --extCP + Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280. + + + + --extPM + Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280. + + + + --extPC + Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280. + + + + --extIA + Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280. + + + + --extSKID + Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280. + + + + --extNC + Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280. + + + + --extSAN type:name[,type:name]... + +Create a Subject Alt Name extension with one or multiple names. + + +-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr + + + + + + --empty-password + Use empty password when creating new certificate database with -N. + + + + --keyAttrFlags attrflags + +PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} + + + + --keyOpFlagsOn opflags + --keyOpFlagsOff opflags + +PKCS #11 key Operation Flags. +Comma separated list of one or more of the following: +{token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} + + + + + --new-n nickname + A new nickname, used when renaming a certificate. + + + + --source-dir certdir + Identify the certificate database directory to upgrade. + + + + --source-prefix certdir + Give the prefix of the certificate and key databases to upgrade. + + + + --upgrade-id uniqueID + Give the unique ID of the database to upgrade. + + + + --upgrade-token-name name + Set the name of the token to use while it is being upgraded. + + + + -@ pwfile + Give the name of a password file to use for the database being upgraded. + + + + + + + Usage and Examples + + Most of the command options in the examples listed here have more arguments available. The arguments included in these examples are the most common ones or are used to illustrate a specific scenario. Use the option to show the complete list of arguments for each command option. + + Creating New Security Databases + + Certificates, keys, and security modules related to managing certificates are stored in three related databases: + + + + + cert8.db or cert9.db + + + + + key3.db or key4.db + + + + + secmod.db or pkcs11.txt + + + + + These databases must be created before certificates or keys can be generated. + +certutil -N -d directory + + Creating a Certificate Request + + A certificate request contains most or all of the information that is used to generate the final certificate. This request is submitted separately to a certificate authority and is then approved by some mechanism (automatically or by human review). Once the request is approved, then the certificate is generated. + +$ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d directory [-p phone] [-o output-file] [-a] + + The command options requires four arguments: + + + + + to specify either the key type to generate or, when renewing a certificate, the existing key pair to use + + + + + to set the keysize of the key to generate + + + + + to set the subject name of the certificate + + + + + to give the security database directory + + + + + The new certificate request can be output in ASCII format () or can be written to a specified file (). + + + For example: + +$ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d $HOME/nssdb -p 650-555-0123 -a -o cert.cer + +Generating key. This may take a few moments... + + + + Creating a Certificate + + A valid certificate must be issued by a trusted CA. This can be done by specifying a CA certificate () that is stored in the certificate database. If a CA key pair is not available, you can create a self-signed certificate using the argument with the command option. + +$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID] + + The series of numbers and options set certificate extensions that can be added to the certificate when it is generated by the CA. Interactive prompts will result. + + + For example, this creates a self-signed certificate: + +$ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650 + +The interative prompts for key usage and whether any extensions are critical and responses have been ommitted for brevity. + + + From there, new certificates can reference the self-signed certificate: + +$ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t ",," -1 -5 -6 -8 -m 730 + + Generating a Certificate from a Certificate Request + + When a certificate request is created, a certificate can be generated by using the request and then referencing a certificate authority signing certificate (the issuer specified in the argument). The issuing certificate must be in the certificate database in the specified directory. + +certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] + + For example: + +$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d $HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com + + Listing Certificates + + The command option lists all of the certificates listed in the certificate database. The path to the directory () is required. + +$ certutil -L -d /home/my/sharednssdb + +Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI + +CA Administrator of Instance pki-ca1's Example Domain ID u,u,u +TPS Administrator's Example Domain ID u,u,u +Google Internet Authority ,, +Certificate Authority - Example Domain CT,C,C + + Using additional arguments with can return and print the information for a single, specific certificate. For example, the argument passes the certificate name, while the argument prints the certificate in ASCII format: + + +$ certutil -L -d $HOME/nssdb -a -n my-ca-cert +-----BEGIN CERTIFICATE----- +MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh +bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV +BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz +JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x +XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk +0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB +AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B +AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09 +XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF +ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg== +-----END CERTIFICATE----- + +For a human-readable display +$ certutil -L -d $HOME/nssdb -n my-ca-cert +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3650 (0xe42) + Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption + Issuer: "CN=Example CA" + Validity: + Not Before: Wed Mar 13 19:10:29 2013 + Not After : Thu Jun 13 19:10:29 2013 + Subject: "CN=Example CA" + Subject Public Key Info: + Public Key Algorithm: PKCS #1 RSA Encryption + RSA Public Key: + Modulus: + 9e:0a:ce:ab:f3:27:20:55:80:5a:83:5d:16:12:c9:30: + 4d:c3:50:eb:c5:45:3f:dc:6b:d6:03:f9:e0:8c:0c:07: + 12:fd:02:ba:5f:fa:b0:ef:e0:b0:2b:e7:00:11:e2:1f: + ab:a7:9e:ce:b1:5d:1c:cf:39:19:42:d9:66:37:82:49: + 3b:be:69:6c:2e:f6:29:c9:e7:0d:6b:30:22:fc:d0:30: + 56:75:3f:eb:a1:ce:b1:aa:15:15:61:3e:80:14:28:f7: + d5:2b:37:6c:a4:d0:18:8a:fc:63:05:94:b9:b9:75:74: + 11:3a:00:3d:64:a2:b2:15:d2:34:2c:85:ed:7f:a4:9b + Exponent: 65537 (0x10001) + Signed Extensions: + Name: Certificate Type + Data: none + + Name: Certificate Basic Constraints + Data: Is a CA with no maximum path length. + + Name: Certificate Key Usage + Critical: True + Usages: Certificate Signing + + Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption + Signature: + 3a:72:19:33:90:00:8d:db:cd:5d:d6:32:8c:ad:cf:91: + 1c:6d:94:31:a4:32:c6:2b:5e:68:b5:59:3b:e4:68:d6: + 79:d1:52:fb:1e:0d:fd:3d:5c:a6:05:c0:f3:09:8d:60: + a2:85:59:2e:e9:bc:3f:8a:16:5f:b8:c1:e1:c4:ad:b6: + 36:e7:ba:8a:73:50:e9:e0:ee:ed:69:ab:a8:bf:33:de: + 25:2b:43:0c:6c:f9:68:85:a1:bd:ab:6f:c5:d1:55:52: + 64:cd:77:57:c6:59:38:ba:8d:d4:b4:db:f0:f2:c0:33: + ee:c5:83:ef:5a:b1:29:a2:07:53:9a:b8:f7:38:a3:7e + Fingerprint (MD5): + 86:D8:A5:8B:8A:26:BE:9E:17:A8:7B:66:10:6B:27:80 + Fingerprint (SHA1): + 48:78:09:EF:C5:D4:0C:BD:D2:64:45:59:EB:03:13:15:F7:A9:D6:F7 + + Certificate Trust Flags: + SSL Flags: + Valid CA + Trusted CA + User + Email Flags: + Valid CA + Trusted CA + User + Object Signing Flags: + Valid CA + Trusted CA + User + + + + Listing Keys + + Keys are the original material used to encrypt certificate data. The keys generated for certificates are stored separately, in the key database. + + + To list all keys in the database, use the command option and the (required) argument to give the path to the directory. + +$ certutil -K -d $HOME/nssdb +certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services " +< 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID +< 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert +< 2> rsa 1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5 John Smith user cert + + There are ways to narrow the keys listed in the search results: + + + + + To return a specific key, use the name argument with the name of the key. + + + + + If there are multiple security devices loaded, then the tokenname argument can search a specific token or all tokens. + + + + + If there are multiple key types available, then the key-type argument can search a specific type of key, like RSA, DSA, or ECC. + + + + + Listing Security Modules + + The devices that can be used to store certificates -- both internal databases and external devices like smart cards -- are recognized and used by loading security modules. The command option lists all of the security modules listed in the secmod.db database. The path to the directory () is required. + +$ certutil -U -d /home/my/sharednssdb + + slot: NSS User Private Key and Certificate Services + token: NSS Certificate DB + uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 + + slot: NSS Internal Cryptographic Services + token: NSS Generic Crypto Services + uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 + + Adding Certificates to the Database + + Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere. This uses the command option. + +certutil -A -n certname -t trustargs -d directory [-a] [-i input-file] + + For example: + +$ certutil -A -n "CN=My SSL Certificate" -t ",," -d /home/my/sharednssdb -i /home/example-certs/cert.cer + + A related command option, , is used specifically to add email certificates to the certificate database. The command has the same arguments as the command. The trust arguments for certificates have the format SSL,S/MIME,Code-signing, so the middle trust settings relate most to email certificates (though the others can be set). For example: + +$ certutil -E -n "CN=John Smith Email Cert" -t ",P," -d /home/my/sharednssdb -i /home/example-certs/email.cer + + Deleting Certificates to the Database + + Certificates can be deleted from a database using the option. The only required options are to give the security database directory and to identify the certificate nickname. + +certutil -D -d directory -n "nickname" + + For example: + +$ certutil -D -d /home/my/sharednssdb -n "my-ssl-cert" + + Validating Certificates + + A certificate contains an expiration date in itself, and expired certificates are easily rejected. However, certificates can also be revoked before they hit their expiration date. Checking whether a certificate has been revoked requires validating the certificate. Validation can also be used to ensure that the certificate is only used for the purposes it was initially issued for. Validation is carried out by the command option. + +certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d directory + + For example, to validate an email certificate: + +$ certutil -V -n "John Smith's Email Cert" -e -u S,R -d /home/my/sharednssdb + + Modifying Certificate Trust Settings + + The trust settings (which relate to the operations that a certificate is allowed to be used for) can be changed after a certificate is created or added to the database. This is especially useful for CA certificates, but it can be performed for any type of certificate. + +certutil -M -n certificate-name -t trust-args -d directory + + For example: + +$ certutil -M -n "My CA Certificate" -d /home/my/sharednssdb -t "CT,CT,CT" + + Printing the Certificate Chain + + Certificates can be issued in chains because every certificate authority itself has a certificate; when a CA issues a certificate, it essentially stamps that certificate with its own fingerprint. The prints the full chain of a certificate, going from the initial CA (the root CA) through ever intermediary CA to the actual certificate. For example, for an email certificate with two CAs in the chain: + +$ certutil -d /home/my/sharednssdb -O -n "jsmith@example.com" +"Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA] + + "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA] + + "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member] + + Resetting a Token + + The device which stores certificates -- both external hardware devices and internal software databases -- can be blanked and reused. This operation is performed on the device which stores the data, not directly on the security databases, so the location must be referenced through the token name () as well as any directory path. If there is no external token used, the default value is internal. + +certutil -T -d directory -h token-name -0 security-officer-password + + Many networks have dedicated personnel who handle changes to security tokens (the security officer). This person must supply the password to access the specified token. For example: + +$ certutil -T -d /home/my/sharednssdb -h nethsm -0 secret + + Upgrading or Merging the Security Databases + + Many networks or applications may be using older BerkeleyDB versions of the certificate database (cert8.db). Databases can be upgraded to the new SQLite version of the database (cert9.db) using the command option or existing databases can be merged with the new cert9.db databases using the command. + + + The command must give information about the original database and then use the standard arguments (like ) to give the information about the new databases. The command also requires information that the tool uses for the process to upgrade and write over the original database. + +certutil --upgrade-merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file] + + For example: + +$ certutil --upgrade-merge -d /home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal + + The command only requires information about the location of the original database; since it doesn't change the format of the database, it can write over information without performing interim step. + +certutil --merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file] + + For example: + +$ certutil --merge -d /home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- + + Running certutil Commands from a Batch File + + A series of commands can be run sequentially from a text file with the command option. The only argument for this specifies the input file. + +$ certutil -B -i /path/to/batch-file + + +NSS Database Types +NSS originally used BerkeleyDB databases to store security information. +The last versions of these legacy databases are: + + + + cert8.db for certificates + + + + + key3.db for keys + + + + + secmod.db for PKCS #11 module information + + + + +BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has +some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS +requires more flexibility to provide a truly shared security database. + +In 2009, NSS introduced a new set of databases that are SQLite databases rather than +BerkeleyDB. These new databases provide more accessibility and performance: + + + + cert9.db for certificates + + + + + key4.db for keys + + + + + pkcs11.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory + + + + +Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility. + +By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type. +Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example: + +$ certutil -L -d dbm:/home/my/sharednssdb + +To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: +export NSS_DEFAULT_DB_TYPE="dbm" + +This line can be set added to the ~/.bashrc file to make the change permanent. + + + + + https://wiki.mozilla.org/NSS_Shared_DB_Howto + + +For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: + + + + https://wiki.mozilla.org/NSS_Shared_DB + + + + + + + + See Also + pk12util (1) + modutil (1) + certutil has arguments or operations that use features defined in several IETF RFCs. + + + + http://tools.ietf.org/html/rfc5280 + + + + + http://tools.ietf.org/html/rfc1113 + + + + + http://tools.ietf.org/html/rfc1485 + + + + + The NSS wiki has information on the new database design and how to configure applications to use it. + + + + https://wiki.mozilla.org/NSS_Shared_DB_Howto + + + + https://wiki.mozilla.org/NSS_Shared_DB + + + + + + + + Additional Resources + For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases. + Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto + IRC: Freenode at #dogtag-pki + + + + + Authors + The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + diff --git a/security/nss/doc/cmsutil.xml b/security/nss/doc/cmsutil.xml new file mode 100644 index 0000000000..c7d2408d32 --- /dev/null +++ b/security/nss/doc/cmsutil.xml @@ -0,0 +1,299 @@ + + + +]> + + + + + &date; + NSS Security Tools + nss-tools + &version; + + + + CMSUTIL + 1 + + + + cmsutil + Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages. + + + + + cmsutil + options + [arguments] + + + + + STATUS + This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 + + + + + Description + + The cmsutil command-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages. + + +To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section. +Each command takes one option. Each option may take zero or more arguments. +To see a usage string, issue the command without options. + + + + + + Options and Arguments + + + Options + +Options specify an action. Option arguments modify an action. +The options and arguments for the cmsutil command are defined as follows: + + + + -C + Encrypt a message. + + + + -D + Decode a message. + + + + -E + Envelope a message. + + + + -O + Create a certificates-only message. + + + + -S + Sign a message. + + + + + Arguments + Option arguments modify an action. + + + -b + + Decode a batch of files named in infile. + + + + + -c content + + Use this detached content (decode only). + + + + + -d dbdir + + Specify the key/certificate database directory (default is ".") + + + + + -e envfile + + Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only). + + + + + -f pwfile + + Use password file to set password on all PKCS#11 tokens. + + + + + -G + + Include a signing time attribute (sign only). + + + + + -H hash + + Use specified hash algorithm (default:SHA1). + + + + + -h num + + Generate email headers with info about CMS message (decode only). + + + + + -i infile + + Use infile as a source of data (default is stdin). + + + + + -k + + Keep decoded encryption certs in permanent cert db. + + + + + -N nickname + + Specify nickname of certificate to sign with (sign only). + + + + + -n + + Suppress output of contents (decode only). + + + + + -o outfile + + Use outfile as a destination of data (default is stdout). + + + + + -P + + Include an S/MIME capabilities attribute. + + + + + -p password + + Use password as key database password. + + + + + -r recipient1,recipient2, ... + + +Specify list of recipients (email addresses) for an encrypted or enveloped message. +For certificates-only message, list of certificates to send. + + + + + + -T + + Suppress content in CMS message (sign only). + + + + + -u certusage + + Set type of cert usage (default is certUsageEmailSigner). + + + + + -v + + Print debugging information. + + + + + -Y ekprefnick + + Specify an encryption key preference by nickname. + + + + + + + + + Usage + Encrypt Example + +cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, . . ." -e envfile + + + Decode Example + +cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num] + + + Envelope Example + +cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, ..." + + + Certificate-only Example + +cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ." + + + Sign Message Example + +cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick] + + + + + + See also + certutil(1) + + + + + Additional Resources + For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases. + Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto + IRC: Freenode at #dogtag-pki + + + + + Authors + The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + diff --git a/security/nss/doc/crlutil.xml b/security/nss/doc/crlutil.xml new file mode 100644 index 0000000000..e77570e2da --- /dev/null +++ b/security/nss/doc/crlutil.xml @@ -0,0 +1,525 @@ + + + +]> + + + + + &date; + NSS Security Tools + nss-tools + &version; + + + + CRLUTIL + 1 + + + + crlutil + +List, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL. + + + + + + crlutil + options + [arguments] + + + + + STATUS + This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 + + + + + Description + + The Certificate Revocation List (CRL) Management Tool, crlutil, is a command-line utility that can list, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL. + + +The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database(see certutil tool) and continues with certificates expiration or revocation. + + +This document discusses certificate revocation list management. For information on security module database management, see Using the Security Module Database Tool. For information on certificate and key database management, see Using the Certificate Database Tool. + + + +To run the Certificate Revocation List Management Tool, type the command + + +crlutil option [arguments] + + +where options and arguments are combinations of the options and arguments listed in the following section. Each command takes one option. Each option may take zero or more arguments. To see a usage string, issue the command without options, or with the -H option. + + + + + + Options and Arguments + + + Options + +Options specify an action. Option arguments modify an action. +The options and arguments for the crlutil command are defined as follows: + + + + + -D + + +Delete Certificate Revocation List from cert database. + + + + + + -E + + +Erase all CRLs of specified type from the cert database + + + + + + -G + + +Create new Certificate Revocation List (CRL). + + + + + + -I + + +Import a CRL to the cert database + + + + + + -L + + +List existing CRL located in cert database file. + + + + + + -M + + +Modify existing CRL which can be located in cert db or in arbitrary file. If located in file it should be encoded in ASN.1 encode format. + + + + + + -S + + +Show contents of a CRL file which isn't stored in the database. + + + + + + Arguments + Option arguments modify an action. + + + + + -a + + +Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113. + + + + + + -B + + +Bypass CA signature checks. + + + + + + -c crl-gen-file + + +Specify script file that will be used to control crl generation/modification. See crl-cript-file format below. If options -M|-G is used and -c crl-script-file is not specified, crlutil will read script data from standard input. + + + + + + -d directory + + +Specify the database directory containing the certificate and key database files. On Unix the Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape). On Windows NT the default is the current directory. + + +The NSS database files must reside in the same directory. + + + + + + -f password-file + + +Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file. + + + + + + -i crl-file + + +Specify the file which contains the CRL to import or show. + + + + + + -l algorithm-name + + +Specify a specific signature algorithm. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512 + + + + + + -n nickname + + +Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces. + + + + + + -o output-file + + +Specify the output file name for new CRL. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output. + + + + + + -P dbprefix + + +Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. + + + + + + -t crl-type + + +Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 - SEC_CRL_TYPE. This option is obsolete + + + + + + -u url + + +Specify the url. + + + + + + -w pwd-string + + Provide db password in command line. + + + + + -Z algorithm + + Specify the hash algorithm to use for signing the CRL. + + + + + + + + CRL Generation script syntax + CRL generation script file has the following syntax: + + * Line with comments should have # as a first symbol of a line + + * Set "this update" or "next update" CRL fields: + + + update=YYYYMMDDhhmmssZ + nextupdate=YYYYMMDDhhmmssZ + + + Field "next update" is optional. Time should be in GeneralizedTime format (YYYYMMDDhhmmssZ). + For example: 20050204153000Z + + + * Add an extension to a CRL or a crl certificate entry: + addext extension-name critical/non-critical [arg1[arg2 ...]] + Where: + + extension-name: string value of a name of known extensions. + critical/non-critical: is 1 when extension is critical and 0 otherwise. + arg1, arg2: specific to extension type extension parameters + + + addext uses the range that was set earlier by addcert and will install an extension to every cert entries within the range. + + + * Add certificate entries(s) to CRL: + + + addcert range date + + + range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter. + date: revocation date of a cert. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ). + + + * Remove certificate entry(s) from CRL + + + rmcert range + + + Where: + + + range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter. + + + * Change range of certificate entry(s) in CRL + + + range new-range + + + Where: + + + new-range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter. + + +Implemented Extensions + + + The extensions defined for CRL provide methods for associating additional attributes with CRLs of theirs entries. For more information see RFC #3280 + + + * Add The Authority Key Identifier extension: + + +The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL. + + + authKeyId critical [key-id | dn cert-serial] + + + Where: + + + authKeyIdent: identifies the name of an extension + critical: value of 1 of 0. Should be set to 1 if this extension is critical or 0 otherwise. + key-id: key identifier represented in octet string. dn:: is a CA distinguished name cert-serial: authority certificate serial number. + + + * Add Issuer Alternative Name extension: + + + The issuer alternative names extension allows additional identities to be associated with the issuer of the CRL. Defined options include an rfc822 name (electronic mail address), a DNS name, an IP address, and a URI. + + + issuerAltNames non-critical name-list + + + Where: + + + subjAltNames: identifies the name of an extension + should be set to 0 since this is non-critical extension + name-list: comma separated list of names + + + * Add CRL Number extension: + + + The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for a given CRL scope and CRL issuer. This extension allows users to easily determine when a particular CRL supersedes another CRL + + + crlNumber non-critical number + + + Where: + + + crlNumber: identifies the name of an extension + critical: should be set to 0 since this is non-critical extension + number: value of long which identifies the sequential number of a CRL. + + + * Add Revocation Reason Code extension: + + + The reasonCode is a non-critical CRL entry extension that identifies the reason for the certificate revocation. + + + reasonCode non-critical code + + + Where: + + + reasonCode: identifies the name of an extension + non-critical: should be set to 0 since this is non-critical extension + code: the following codes are available: + + + unspecified (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + removeFromCRL (8), + privilegeWithdrawn (9), + aACompromise (10) + + + * Add Invalidity Date extension: + + + The invalidity date is a non-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid. + + + invalidityDate non-critical date + + + Where: + + + crlNumber: identifies the name of an extension + non-critical: should be set to 0 since this is non-critical extension date: invalidity date of a cert. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ). + + + + + Usage + +The Certificate Revocation List Management Tool's capabilities are grouped as follows, using these combinations of options and arguments. Options and arguments in square brackets are optional, those without square brackets are required. + + See "Implemented extensions" for more information regarding extensions and their parameters. + + * Creating or modifying a CRL: + + +crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B] + + + * Listing all CRls or a named CRL: + + + crlutil -L [-n crl-name] [-d krydir] + + + + * Deleting CRL from db: + + + crlutil -D -n nickname [-d keydir] [-P dbprefix] + + + + * Erasing CRLs from db: + + + crlutil -E [-d keydir] [-P dbprefix] + + + + * Deleting CRL from db: + + + crlutil -D -n nickname [-d keydir] [-P dbprefix] + + + + * Erasing CRLs from db: + + + crlutil -E [-d keydir] [-P dbprefix] + + + + * Import CRL from file: + + + crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B] + + + + + See Also + certutil(1) + + + + + Additional Resources + For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases. + Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto + IRC: Freenode at #dogtag-pki + + + + + Authors + The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + diff --git a/security/nss/doc/derdump.xml b/security/nss/doc/derdump.xml new file mode 100644 index 0000000000..4e4a62a503 --- /dev/null +++ b/security/nss/doc/derdump.xml @@ -0,0 +1,96 @@ + + + +]> + + + + + &date; + NSS Security Tools + nss-tools + &version; + + + + DERDUMP + 1 + + + + derdump + Dumps C-sequence strings from a DER encoded certificate file + + + + + derdump + + + + + + + + STATUS + This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 + + + + + Description + + derdump dumps C-sequence strings from a DER encode certificate file + + + + + Options + + + + + + For formatted items, dump raw bytes as well + + + + DER encoded file + Define an input file to use (default is stdin) + + + + output file + Define an output file to use (default is stdout). + + + + + + + Additional Resources + NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at PKI Wiki. + For information specifically about NSS, the NSS project wiki is located at Mozilla NSS site. The NSS site relates directly to NSS code changes and releases. + Mailing lists: pki-devel@redhat.com and pki-users@redhat.com + IRC: Freenode at #dogtag-pki + + + + + Authors + The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Gerhardus Geldenhuis <gerhardus.geldenhuis@gmail.com>. Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com> + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + diff --git a/security/nss/doc/html/certutil.html b/security/nss/doc/html/certutil.html new file mode 100644 index 0000000000..fb70ad2f0c --- /dev/null +++ b/security/nss/doc/html/certutil.html @@ -0,0 +1,371 @@ +CERTUTIL
CERTUTIL

Name

certutil — Manage keys and certificate in both NSS databases and other NSS tokens

Synopsis

certutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The Certificate Database Tool, certutil, is a command-line utility that can create and modify certificate and key databases. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database.

Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database. This document discusses certificate and key database management. For information on the security module database management, see the modutil manpage.

Command Options and Arguments

Running certutil always requires one and only one command option to specify the type of certificate operation. Each command option may take zero or more arguments. The command option -H will list all the command options and their relevant arguments.

Command Options

-A

Add an existing certificate to a certificate database. The certificate database should already exist; if one is not present, this command option will initialize one by default.

-B

Run a series of commands from the specified batch file. This requires the -i argument.

-C

Create a new binary certificate file from a binary certificate request file. Use the -i argument to specify the certificate request file. If this argument is not used, certutil prompts for a filename.

-D

Delete a certificate from the certificate database.

--rename

Change the database nickname of a certificate.

-E

Add an email certificate to the certificate database.

-F

Delete a private key and the associated certificate from a database. Specify the key to delete with the -n argument or the -k argument. Specify the database from which to delete the key with the +-d argument. +

+Some smart cards do not let you remove a public key you have generated. In such a case, only the private key is deleted from the key pair.

-G

Generate a new public and private key pair within a key database. The key database should already exist; if one is not present, this command option will initialize one by default. Some smart cards can store only one key pair. If you create a new key pair for such a card, the previous pair is overwritten.

-H

Display a list of the command options and arguments.

-K

List the key ID of keys in the key database. A key ID is the modulus of the RSA key or the publicValue of the DSA key. IDs are displayed in hexadecimal ("0x" is not shown).

-L

List all the certificates, or display information about a named certificate, in a certificate database. +Use the -h tokenname argument to specify the certificate database on a particular hardware or software token.

-M

Modify a certificate's trust attributes using the values of the -t argument.

-N

Create new certificate and key databases.

-O

Print the certificate chain.

-R

Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate. Output defaults to standard out unless you use -o output-file argument. + +Use the -a argument to specify ASCII output.

-S

Create an individual certificate and add it to a certificate database.

-T

Reset the key database or token.

-U

List all available modules or print a single named module.

-V

Check the validity of a certificate and its attributes.

-W

Change the password to a key database.

--merge

Merge two databases into one.

--upgrade-merge

Upgrade an old database and merge it into a new database. This is used to migrate legacy NSS databases (cert8.db and key3.db) into the newer SQLite databases (cert9.db and key4.db).

Arguments

Arguments modify a command option and are usually lower case, numbers, or symbols.

-a

Use ASCII format or allow the use of ASCII format for input or output. This formatting follows RFC 1113. +For certificate requests, ASCII output defaults to standard output unless redirected.

--simple-self-signed

When printing the certificate chain, don't search for a chain if issuer name equals to subject name.

-b validity-time

Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the -V option. The format of the validity-time argument is YYMMDDHHMMSS[+HHMM|-HHMM|Z], which allows offsets to be set relative to the validity end time. Specifying seconds (SS) is optional. When specifying an explicit time, use a Z at the end of the term, YYMMDDHHMMSSZ, to close it. When specifying an offset time, use YYMMDDHHMMSS+HHMM or YYMMDDHHMMSS-HHMM for adding or subtracting time, respectively. +

+If this option is not used, the validity check defaults to the current system time.

-c issuer

Identify the certificate of the CA from which a new certificate will derive its authenticity. + Use the exact nickname or alias of the CA certificate, or use the CA's email address. Bracket the issuer string + with quotation marks if it contains spaces.

-d [prefix]directory

Specify the database directory containing the certificate and key database files.

certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).

NSS recognizes the following prefixes:

  • sql: requests the newer database

  • dbm: requests the legacy database

If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then sql: is the default.

--dump-ext-val OID

For single cert, print binary DER encoding of extension OID.

-e

Check a certificate's signature during the process of validating a certificate.

--email email-address

Specify the email address of a certificate to list. Used with the -L command option.

--extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]...

+Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files. +

  • OID (example): 1.2.3.4

  • critical-flag: critical or not-critical

  • filename: full path to a file containing an encoded extension

-f password-file

Specify a file that will automatically supply the password to include in a certificate + or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent + unauthorized access to this file.

-g keysize

Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 2048 bits. Any size between the minimum and maximum is allowed.

-h tokenname

Specify the name of a token to use or act on. If not specified the default token is the internal database slot.

The name can also be a PKCS #11 URI. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB". For details about the format, see RFC 7512.

-i input_file

Pass an input file to the command. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands.

-k key-type-or-id

Specify the type or specific ID of a key.

+ The valid key type options are rsa, dsa, ec, or all. The default + value is rsa. Specifying the type of key can avoid mistakes caused by + duplicate nicknames. Giving a key type generates a new key pair; + giving the ID of an existing key reuses that key pair (which is + required to renew certificates). +

-l

Display detailed information when validating a certificate with the -V option.

-m serial-number

Assign a unique serial number to a certificate being created. This operation should be performed by a CA. If no serial number is provided a default serial number is made from the current time. Serial numbers are limited to integers

-n nickname

Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces.

The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.

-o output-file

Specify the output file name for new certificates or binary certificate requests. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output.

-P dbPrefix

Specify the prefix used on the certificate and key database file. This argument is provided to support legacy servers. Most applications do not use a database prefix.

-p phone

Specify a contact telephone number to include in new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces.

-q pqgfile or curve-name

Read an alternate PQG value from the specified file when generating DSA key pairs. If this argument is not used, certutil generates its own PQG value. PQG files are created with a separate DSA utility.

Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519.

+ If a token is available that supports more curves, the foolowing curves are supported as well: + sect163k1, nistk163, sect163r1, sect163r2, + nistb163, sect193r1, sect193r2, sect233k1, nistk233, + sect233r1, nistb233, sect239k1, sect283k1, nistk283, + sect283r1, nistb283, sect409k1, nistk409, sect409r1, + nistb409, sect571k1, nistk571, sect571r1, nistb571, + secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, + nistp192, secp224k1, secp224r1, nistp224, secp256k1, + secp256r1, secp384r1, secp521r1, + prime192v1, prime192v2, prime192v3, + prime239v1, prime239v2, prime239v3, c2pnb163v1, + c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, + c2tnb191v2, c2tnb191v3, + c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, + c2pnb272w1, c2pnb304w1, + c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, + secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, + sect131r1, sect131r2 +

-r

Display a certificate's binary DER encoding when listing information about that certificate with the -L option.

-s subject

Identify a particular certificate owner for new certificates or certificate requests. Bracket this string with quotation marks if it contains spaces. The subject identification format follows RFC #1485.

-t trustargs

Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database. There are three available trust categories for each certificate, expressed in the order SSL, email, object signing for each trust setting. In each category position, use none, any, or all +of the attribute codes: +

  • + p - Valid peer +

  • + P - Trusted peer (implies p) +

  • + c - Valid CA +

  • + C - Trusted CA (implies c) +

  • + T - trusted CA for client authentication (ssl server only) +

+ The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example: +

-t "TC,C,T"

+ Use the -L option to see a list of the current certificates and trust attributes in a certificate database.

+ Note that the output of the -L option may include "u" flag, which means that there is a private key associated with the certificate. It is a dynamic flag and you cannot set it with certutil.

-u certusage

Specify a usage context to apply when validating a certificate with the -V option.

The contexts are the following:

  • C (as an SSL client)

  • V (as an SSL server)

  • L (as an SSL CA)

  • A (as Any CA)

  • Y (Verify CA)

  • S (as an email signer)

  • R (as an email recipient)

  • O (as an OCSP status responder)

  • J (as an object signer)

  • I (as an IPSEC user)

-v valid-months

Set the number of months a new certificate will be valid. The validity period begins at the current system time unless an offset is added or subtracted with the -w option. If this argument is not used, the default validity period is three months.

-w offset-months

Set an offset from the current system time, in months, + for the beginning of a certificate's validity period. Use when creating + the certificate or adding it to a database. Express the offset in integers, + using a minus sign (-) to indicate a negative offset. If this argument is + not used, the validity period begins at the current system time. The length + of the validity period is set with the -v argument.

-X

Force the key and certificate database to open in read-write mode. This is used with the -U and -L command options.

-x

Use certutil to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA.

-y exp

Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537. The available alternate values are 3 and 17.

--pss

Restrict the generated certificate (with the -S option) or certificate request (with the -R option) to be used with the RSA-PSS signature scheme. This only works when the private key of the certificate or certificate request is RSA.

--pss-sign

Sign the generated certificate with the RSA-PSS signature scheme (with the -C or -S option). This only works when the private key of the signer's certificate is RSA. If the signer's certificate is restricted to RSA-PSS, it is not necessary to specify this option.

-z noise-file

Read a seed value from the specified file to generate a new private and public key pair. This argument makes it possible to use hardware-generated seed values or manually create a value from the keyboard. The minimum file size is 20 bytes.

-Z hashAlg

Specify the hash algorithm to use with the -C, -S or -R command options. Possible keywords:

  • MD2

  • MD4

  • MD5

  • SHA1

  • SHA224

  • SHA256

  • SHA384

  • SHA512

-0 SSO_password

Set a site security officer password on a token.

-1 | --keyUsage keyword,keyword

Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:

  • + digitalSignature +

  • + nonRepudiation +

  • + keyEncipherment +

  • + dataEncipherment +

  • + keyAgreement +

  • + certSigning +

  • + crlSigning +

  • + critical +

-2

Add a basic constraint extension to a certificate that is being created or added to a database. This extension supports the certificate chain verification process. certutil prompts for the certificate constraint extension to select.

X.509 certificate extensions are described in RFC 5280.

-3

Add an authority key ID extension to a certificate that is being created or added to a database. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate. The Certificate Database Tool will prompt you to select the authority key ID extension.

X.509 certificate extensions are described in RFC 5280.

-4

Add a CRL distribution point extension to a certificate that is being created or added to a database. This extension identifies the URL of a certificate's associated certificate revocation list (CRL). certutil prompts for the URL.

X.509 certificate extensions are described in RFC 5280.

-5 | --nsCertType keyword,keyword

Add an X.509 V3 certificate type extension to a certificate that is being created or added to the database. There are several available keywords:

  • + sslClient +

  • + sslServer +

  • + smime +

  • + objectSigning +

  • + sslCA +

  • + smimeCA +

  • + objectSigningCA +

  • + critical +

X.509 certificate extensions are described in RFC 5280.

-6 | --extKeyUsage keyword,keyword

Add an extended key usage extension to a certificate that is being created or added to the database. Several keywords are available:

  • + serverAuth +

  • + clientAuth +

  • + codeSigning +

  • + emailProtection +

  • + timeStamp +

  • + ocspResponder +

  • + stepUp +

  • + msTrustListSign +

  • + critical +

  • + x509Any +

  • + ipsecIKE +

  • + ipsecIKEEnd +

  • + ipsecIKEIntermediate +

  • + ipsecEnd +

  • + ipsecTunnel +

  • + ipsecUser +

X.509 certificate extensions are described in RFC 5280.

-7 emailAddrs

Add a comma-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.

-8 dns-names

Add a comma-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database. Subject alternative name extensions are described in Section 4.2.1.7 of RFC 3280.

--extAIA

Add the Authority Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.

--extSIA

Add the Subject Information Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.

--extCP

Add the Certificate Policies extension to the certificate. X.509 certificate extensions are described in RFC 5280.

--extPM

Add the Policy Mappings extension to the certificate. X.509 certificate extensions are described in RFC 5280.

--extPC

Add the Policy Constraints extension to the certificate. X.509 certificate extensions are described in RFC 5280.

--extIA

Add the Inhibit Any Policy Access extension to the certificate. X.509 certificate extensions are described in RFC 5280.

--extSKID

Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280.

--extNC

Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280.

--extSAN type:name[,type:name]...

+Create a Subject Alt Name extension with one or multiple names. +

+-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr +

--empty-password

Use empty password when creating new certificate database with -N.

--keyAttrFlags attrflags

+PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}

--keyOpFlagsOn opflags, --keyOpFlagsOff opflags

+PKCS #11 key Operation Flags. +Comma separated list of one or more of the following: +{token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} +

--new-n nickname

A new nickname, used when renaming a certificate.

--source-dir certdir

Identify the certificate database directory to upgrade.

--source-prefix certdir

Give the prefix of the certificate and key databases to upgrade.

--upgrade-id uniqueID

Give the unique ID of the database to upgrade.

--upgrade-token-name name

Set the name of the token to use while it is being upgraded.

-@ pwfile

Give the name of a password file to use for the database being upgraded.

Usage and Examples

+ Most of the command options in the examples listed here have more arguments available. The arguments included in these examples are the most common ones or are used to illustrate a specific scenario. Use the -H option to show the complete list of arguments for each command option. +

Creating New Security Databases

+ Certificates, keys, and security modules related to managing certificates are stored in three related databases: +

  • + cert8.db or cert9.db +

  • + key3.db or key4.db +

  • + secmod.db or pkcs11.txt +

+ These databases must be created before certificates or keys can be generated. + 

certutil -N -d directory

Creating a Certificate Request

+ A certificate request contains most or all of the information that is used to generate the final certificate. This request is submitted separately to a certificate authority and is then approved by some mechanism (automatically or by human review). Once the request is approved, then the certificate is generated. + 

$ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d directory [-p phone] [-o output-file] [-a]

+ The -R command options requires four arguments: +

  • + -k to specify either the key type to generate or, when renewing a certificate, the existing key pair to use +

  • + -g to set the keysize of the key to generate +

  • + -s to set the subject name of the certificate +

  • + -d to give the security database directory +

+ The new certificate request can be output in ASCII format (-a) or can be written to a specified file (-o). +

+ For example: + 

$ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d $HOME/nssdb -p 650-555-0123 -a -o cert.cer
+
+Generating key.  This may take a few moments...
+
+

Creating a Certificate

+ A valid certificate must be issued by a trusted CA. This can be done by specifying a CA certificate (-c) that is stored in the certificate database. If a CA key pair is not available, you can create a self-signed certificate using the -x argument with the -S command option. + 

$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID]

+ The series of numbers and --ext* options set certificate extensions that can be added to the certificate when it is generated by the CA. Interactive prompts will result. +

+ For example, this creates a self-signed certificate: + 

$ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650

+The interative prompts for key usage and whether any extensions are critical and responses have been ommitted for brevity. +

+ From there, new certificates can reference the self-signed certificate: + 

$ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t ",," -1 -5 -6 -8 -m 730

Generating a Certificate from a Certificate Request

+ When a certificate request is created, a certificate can be generated by using the request and then referencing a certificate authority signing certificate (the issuer specified in the -c argument). The issuing certificate must be in the certificate database in the specified directory. + 

certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names]

+ For example: + 

$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d $HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com

Listing Certificates

+ The -L command option lists all of the certificates listed in the certificate database. The path to the directory (-d) is required. + 

$ certutil -L -d /home/my/sharednssdb
+
+Certificate Nickname                                         Trust Attributes
+                                                             SSL,S/MIME,JAR/XPI
+
+CA Administrator of Instance pki-ca1's Example Domain ID     u,u,u
+TPS Administrator's Example Domain ID                        u,u,u
+Google Internet Authority                                    ,,   
+Certificate Authority - Example Domain                       CT,C,C

+ Using additional arguments with -L can return and print the information for a single, specific certificate. For example, the -n argument passes the certificate name, while the -a argument prints the certificate in ASCII format: + 

+$ certutil -L -d $HOME/nssdb -a -n my-ca-cert
+-----BEGIN CERTIFICATE-----
+MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh
+bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV
+BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz
+JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x
+XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk
+0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB
+AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B
+AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09
+XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF
+ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg==
+-----END CERTIFICATE-----
+

For a human-readable display

$ certutil -L -d $HOME/nssdb -n my-ca-cert
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3650 (0xe42)
+        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
+        Issuer: "CN=Example CA"
+        Validity:
+            Not Before: Wed Mar 13 19:10:29 2013
+            Not After : Thu Jun 13 19:10:29 2013
+        Subject: "CN=Example CA"
+        Subject Public Key Info:
+            Public Key Algorithm: PKCS #1 RSA Encryption
+            RSA Public Key:
+                Modulus:
+                    9e:0a:ce:ab:f3:27:20:55:80:5a:83:5d:16:12:c9:30:
+                    4d:c3:50:eb:c5:45:3f:dc:6b:d6:03:f9:e0:8c:0c:07:
+                    12:fd:02:ba:5f:fa:b0:ef:e0:b0:2b:e7:00:11:e2:1f:
+                    ab:a7:9e:ce:b1:5d:1c:cf:39:19:42:d9:66:37:82:49:
+                    3b:be:69:6c:2e:f6:29:c9:e7:0d:6b:30:22:fc:d0:30:
+                    56:75:3f:eb:a1:ce:b1:aa:15:15:61:3e:80:14:28:f7:
+                    d5:2b:37:6c:a4:d0:18:8a:fc:63:05:94:b9:b9:75:74:
+                    11:3a:00:3d:64:a2:b2:15:d2:34:2c:85:ed:7f:a4:9b
+                Exponent: 65537 (0x10001)
+        Signed Extensions:
+            Name: Certificate Type
+            Data: none
+
+            Name: Certificate Basic Constraints
+            Data: Is a CA with no maximum path length.
+
+            Name: Certificate Key Usage
+            Critical: True
+            Usages: Certificate Signing
+
+    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
+    Signature:
+        3a:72:19:33:90:00:8d:db:cd:5d:d6:32:8c:ad:cf:91:
+        1c:6d:94:31:a4:32:c6:2b:5e:68:b5:59:3b:e4:68:d6:
+        79:d1:52:fb:1e:0d:fd:3d:5c:a6:05:c0:f3:09:8d:60:
+        a2:85:59:2e:e9:bc:3f:8a:16:5f:b8:c1:e1:c4:ad:b6:
+        36:e7:ba:8a:73:50:e9:e0:ee:ed:69:ab:a8:bf:33:de:
+        25:2b:43:0c:6c:f9:68:85:a1:bd:ab:6f:c5:d1:55:52:
+        64:cd:77:57:c6:59:38:ba:8d:d4:b4:db:f0:f2:c0:33:
+        ee:c5:83:ef:5a:b1:29:a2:07:53:9a:b8:f7:38:a3:7e
+    Fingerprint (MD5):
+        86:D8:A5:8B:8A:26:BE:9E:17:A8:7B:66:10:6B:27:80
+    Fingerprint (SHA1):
+        48:78:09:EF:C5:D4:0C:BD:D2:64:45:59:EB:03:13:15:F7:A9:D6:F7
+
+    Certificate Trust Flags:
+        SSL Flags:
+            Valid CA
+            Trusted CA
+            User
+        Email Flags:
+            Valid CA
+            Trusted CA
+            User
+        Object Signing Flags:
+            Valid CA
+            Trusted CA
+            User
+
+

Listing Keys

+ Keys are the original material used to encrypt certificate data. The keys generated for certificates are stored separately, in the key database. +

+ To list all keys in the database, use the -K command option and the (required) -d argument to give the path to the directory. + 

$ certutil -K -d $HOME/nssdb
+certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services                  "
+< 0> rsa      455a6673bde9375c2887ec8bf8016b3f9f35861d   Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+< 1> rsa      40defeeb522ade11090eacebaaf1196a172127df   Example Domain Administrator Cert
+< 2> rsa      1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5   John Smith user cert

+ There are ways to narrow the keys listed in the search results: +

  • + To return a specific key, use the -n name argument with the name of the key. +

  • + If there are multiple security devices loaded, then the -h tokenname argument can search a specific token or all tokens. +

  • + If there are multiple key types available, then the -k key-type argument can search a specific type of key, like RSA, DSA, or ECC. +

Listing Security Modules

+ The devices that can be used to store certificates -- both internal databases and external devices like smart cards -- are recognized and used by loading security modules. The -U command option lists all of the security modules listed in the secmod.db database. The path to the directory (-d) is required. + 

$ certutil -U -d /home/my/sharednssdb
+
+    slot: NSS User Private Key and Certificate Services                  
+   token: NSS Certificate DB
+     uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
+
+    slot: NSS Internal Cryptographic Services                            
+   token: NSS Generic Crypto Services
+     uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

Adding Certificates to the Database

+ Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere. This uses the -A command option. + 

certutil -A -n certname -t trustargs -d directory [-a] [-i input-file]

+ For example: + 

$ certutil -A -n "CN=My SSL Certificate" -t ",," -d /home/my/sharednssdb -i /home/example-certs/cert.cer

+ A related command option, -E, is used specifically to add email certificates to the certificate database. The -E command has the same arguments as the -A command. The trust arguments for certificates have the format SSL,S/MIME,Code-signing, so the middle trust settings relate most to email certificates (though the others can be set). For example: + 

$ certutil -E -n "CN=John Smith Email Cert" -t ",P," -d /home/my/sharednssdb -i /home/example-certs/email.cer

Deleting Certificates to the Database

+ Certificates can be deleted from a database using the -D option. The only required options are to give the security database directory and to identify the certificate nickname. + 

certutil -D -d directory -n "nickname"

+ For example: + 

$ certutil -D -d /home/my/sharednssdb -n "my-ssl-cert"

Validating Certificates

+ A certificate contains an expiration date in itself, and expired certificates are easily rejected. However, certificates can also be revoked before they hit their expiration date. Checking whether a certificate has been revoked requires validating the certificate. Validation can also be used to ensure that the certificate is only used for the purposes it was initially issued for. Validation is carried out by the -V command option. + 

certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d directory

+ For example, to validate an email certificate: + 

$ certutil -V -n "John Smith's Email Cert" -e -u S,R -d /home/my/sharednssdb

Modifying Certificate Trust Settings

+ The trust settings (which relate to the operations that a certificate is allowed to be used for) can be changed after a certificate is created or added to the database. This is especially useful for CA certificates, but it can be performed for any type of certificate. + 

certutil -M -n certificate-name -t trust-args -d directory

+ For example: + 

$ certutil -M -n "My CA Certificate" -d /home/my/sharednssdb -t "CT,CT,CT"

Printing the Certificate Chain

+ Certificates can be issued in chains because every certificate authority itself has a certificate; when a CA issues a certificate, it essentially stamps that certificate with its own fingerprint. The -O prints the full chain of a certificate, going from the initial CA (the root CA) through ever intermediary CA to the actual certificate. For example, for an email certificate with two CAs in the chain: + 

$ certutil -d /home/my/sharednssdb -O -n "jsmith@example.com"
+"Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA]
+
+  "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA]
+
+    "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member]

Resetting a Token

+ The device which stores certificates -- both external hardware devices and internal software databases -- can be blanked and reused. This operation is performed on the device which stores the data, not directly on the security databases, so the location must be referenced through the token name (-h) as well as any directory path. If there is no external token used, the default value is internal. + 

certutil -T -d directory -h token-name -0 security-officer-password

+ Many networks have dedicated personnel who handle changes to security tokens (the security officer). This person must supply the password to access the specified token. For example: + 

$ certutil -T -d /home/my/sharednssdb -h nethsm -0 secret

Upgrading or Merging the Security Databases

+ Many networks or applications may be using older BerkeleyDB versions of the certificate database (cert8.db). Databases can be upgraded to the new SQLite version of the database (cert9.db) using the --upgrade-merge command option or existing databases can be merged with the new cert9.db databases using the ---merge command. +

+ The --upgrade-merge command must give information about the original database and then use the standard arguments (like -d) to give the information about the new databases. The command also requires information that the tool uses for the process to upgrade and write over the original database. + 

certutil --upgrade-merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file]

+ For example: + 

$ certutil --upgrade-merge -d /home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal

+ The --merge command only requires information about the location of the original database; since it doesn't change the format of the database, it can write over information without performing interim step. + 

certutil --merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file]

+ For example: + 

$ certutil --merge -d /home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp-

Running certutil Commands from a Batch File

+ A series of commands can be run sequentially from a text file with the -B command option. The only argument for this specifies the input file. + 

$ certutil -B -i /path/to/batch-file

NSS Database Types

NSS originally used BerkeleyDB databases to store security information. +The last versions of these legacy databases are:

  • + cert8.db for certificates +

  • + key3.db for keys +

  • + secmod.db for PKCS #11 module information +

BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has +some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS +requires more flexibility to provide a truly shared security database.

In 2009, NSS introduced a new set of databases that are SQLite databases rather than +BerkeleyDB. These new databases provide more accessibility and performance:

  • + cert9.db for certificates +

  • + key4.db for keys +

  • + pkcs11.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory +

Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type. +Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:

$ certutil -L -d dbm:/home/my/sharednssdb

To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:

export NSS_DEFAULT_DB_TYPE="dbm"

This line can be set added to the ~/.bashrc file to make the change permanent.

  • + https://wiki.mozilla.org/NSS_Shared_DB_Howto

For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

  • + https://wiki.mozilla.org/NSS_Shared_DB +

See Also

pk12util (1)

modutil (1)

certutil has arguments or operations that use features defined in several IETF RFCs.

  • + http://tools.ietf.org/html/rfc5280 +

  • + http://tools.ietf.org/html/rfc1113 +

  • + http://tools.ietf.org/html/rfc1485 +

The NSS wiki has information on the new database design and how to configure applications to use it.

  • + https://wiki.mozilla.org/NSS_Shared_DB_Howto

  • + https://wiki.mozilla.org/NSS_Shared_DB +

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/html/cmsutil.html b/security/nss/doc/html/cmsutil.html new file mode 100644 index 0000000000..1bed3fe6f9 --- /dev/null +++ b/security/nss/doc/html/cmsutil.html @@ -0,0 +1,27 @@ +CMSUTIL
CMSUTIL

Name

cmsutil — Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages.

Synopsis

cmsutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The cmsutil command-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages. +

+To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section. +Each command takes one option. Each option may take zero or more arguments. +To see a usage string, issue the command without options. +

Options and Arguments

+

Options

+Options specify an action. Option arguments modify an action. +The options and arguments for the cmsutil command are defined as follows: +

-C

Encrypt a message.

-D

Decode a message.

-E

Envelope a message.

-O

Create a certificates-only message.

-S

Sign a message.

Arguments

Option arguments modify an action.

-b

Decode a batch of files named in infile.

-c content

Use this detached content (decode only).

-d dbdir

Specify the key/certificate database directory (default is ".")

-e envfile

Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only).

-f pwfile

Use password file to set password on all PKCS#11 tokens.

-G

Include a signing time attribute (sign only).

-H hash

Use specified hash algorithm (default:SHA1).

-h num

Generate email headers with info about CMS message (decode only).

-i infile

Use infile as a source of data (default is stdin).

-k

Keep decoded encryption certs in permanent cert db.

-N nickname

Specify nickname of certificate to sign with (sign only).

-n

Suppress output of contents (decode only).

-o outfile

Use outfile as a destination of data (default is stdout).

-P

Include an S/MIME capabilities attribute.

-p password

Use password as key database password.

-r recipient1,recipient2, ...

+Specify list of recipients (email addresses) for an encrypted or enveloped message. +For certificates-only message, list of certificates to send. +

-T

Suppress content in CMS message (sign only).

-u certusage

Set type of cert usage (default is certUsageEmailSigner).

-v

Print debugging information.

-Y ekprefnick

Specify an encryption key preference by nickname.

Usage

Encrypt Example

+cmsutil -C [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, . . ." -e envfile
+

Decode Example

+cmsutil -D [-i infile] [-o outfile] [-d dbdir] [-p password] [-c content] [-n] [-h num]
+

Envelope Example

+cmsutil -E [-i infile] [-o outfile] [-d dbdir] [-p password] -r "recipient1,recipient2, ..."
+

Certificate-only Example

+cmsutil -O [-i infile] [-o outfile] [-d dbdir] [-p password] -r "cert1,cert2, . . ."
+

Sign Message Example

+cmsutil -S [-i infile] [-o outfile] [-d dbdir] [-p password] -N nickname[-TGP] [-Y ekprefnick]
+

See also

certutil(1)

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/html/crlutil.html b/security/nss/doc/html/crlutil.html new file mode 100644 index 0000000000..c27a06e78a --- /dev/null +++ b/security/nss/doc/html/crlutil.html @@ -0,0 +1,204 @@ +CRLUTIL
CRLUTIL

Name

crlutil — +List, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL. +

Synopsis

crlutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The Certificate Revocation List (CRL) Management Tool, crlutil, is a command-line utility that can list, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL. +

+The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database(see certutil tool) and continues with certificates expiration or revocation. +

+This document discusses certificate revocation list management. For information on security module database management, see Using the Security Module Database Tool. For information on certificate and key database management, see Using the Certificate Database Tool. +

+To run the Certificate Revocation List Management Tool, type the command +

+crlutil option [arguments] +

+where options and arguments are combinations of the options and arguments listed in the following section. Each command takes one option. Each option may take zero or more arguments. To see a usage string, issue the command without options, or with the -H option. +

Options and Arguments

+

Options

+Options specify an action. Option arguments modify an action. +The options and arguments for the crlutil command are defined as follows: +

-D

+Delete Certificate Revocation List from cert database. +

-E

+Erase all CRLs of specified type from the cert database +

-G

+Create new Certificate Revocation List (CRL). +

-I

+Import a CRL to the cert database +

-L

+List existing CRL located in cert database file. +

-M

+Modify existing CRL which can be located in cert db or in arbitrary file. If located in file it should be encoded in ASN.1 encode format. +

-S

+Show contents of a CRL file which isn't stored in the database. +

Arguments

Option arguments modify an action.

-a

+Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113. +

-B

+Bypass CA signature checks. +

-c crl-gen-file

+Specify script file that will be used to control crl generation/modification. See crl-cript-file format below. If options -M|-G is used and -c crl-script-file is not specified, crlutil will read script data from standard input. +

-d directory

+Specify the database directory containing the certificate and key database files. On Unix the Certificate Database Tool defaults to $HOME/.netscape (that is, ~/.netscape). On Windows NT the default is the current directory. +

+The NSS database files must reside in the same directory. +

-f password-file

+Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file. +

-i crl-file

+Specify the file which contains the CRL to import or show. +

-l algorithm-name

+Specify a specific signature algorithm. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512 +

-n nickname

+Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate. Bracket the nickname string with quotation marks if it contains spaces. +

-o output-file

+Specify the output file name for new CRL. Bracket the output-file string with quotation marks if it contains spaces. If this argument is not used the output destination defaults to standard output. +

-P dbprefix

+Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. +

-t crl-type

+Specify type of CRL. possible types are: 0 - SEC_KRL_TYPE, 1 - SEC_CRL_TYPE. This option is obsolete +

-u url

+Specify the url. +

-w pwd-string

Provide db password in command line.

-Z algorithm

Specify the hash algorithm to use for signing the CRL.

CRL Generation script syntax

CRL generation script file has the following syntax:

+ * Line with comments should have # as a first symbol of a line

+ * Set "this update" or "next update" CRL fields: +

+ update=YYYYMMDDhhmmssZ + nextupdate=YYYYMMDDhhmmssZ +

+ Field "next update" is optional. Time should be in GeneralizedTime format (YYYYMMDDhhmmssZ). + For example: 20050204153000Z +

* Add an extension to a CRL or a crl certificate entry:

addext extension-name critical/non-critical [arg1[arg2 ...]]

Where:

+ extension-name: string value of a name of known extensions. + critical/non-critical: is 1 when extension is critical and 0 otherwise. + arg1, arg2: specific to extension type extension parameters +

+ addext uses the range that was set earlier by addcert and will install an extension to every cert entries within the range. +

+ * Add certificate entries(s) to CRL: +

+ addcert range date +

+ range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter. + date: revocation date of a cert. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ). +

+ * Remove certificate entry(s) from CRL +

+ rmcert range +

+ Where: +

+ range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter. +

+ * Change range of certificate entry(s) in CRL +

+ range new-range +

+ Where: +

+ new-range: two integer values separated by dash: range of certificates that will be added by this command. dash is used as a delimiter. Only one cert will be added if there is no delimiter. +

+Implemented Extensions +

+ The extensions defined for CRL provide methods for associating additional attributes with CRLs of theirs entries. For more information see RFC #3280 +

+ * Add The Authority Key Identifier extension: +

+The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL. +

+ authKeyId critical [key-id | dn cert-serial] +

+ Where: +

+ authKeyIdent: identifies the name of an extension + critical: value of 1 of 0. Should be set to 1 if this extension is critical or 0 otherwise. + key-id: key identifier represented in octet string. dn:: is a CA distinguished name cert-serial: authority certificate serial number. +

+ * Add Issuer Alternative Name extension: +

+ The issuer alternative names extension allows additional identities to be associated with the issuer of the CRL. Defined options include an rfc822 name (electronic mail address), a DNS name, an IP address, and a URI. +

+ issuerAltNames non-critical name-list +

+ Where: +

+ subjAltNames: identifies the name of an extension + should be set to 0 since this is non-critical extension + name-list: comma separated list of names +

+ * Add CRL Number extension: +

+ The CRL number is a non-critical CRL extension which conveys a monotonically increasing sequence number for a given CRL scope and CRL issuer. This extension allows users to easily determine when a particular CRL supersedes another CRL +

+ crlNumber non-critical number +

+ Where: +

+ crlNumber: identifies the name of an extension + critical: should be set to 0 since this is non-critical extension + number: value of long which identifies the sequential number of a CRL. +

+ * Add Revocation Reason Code extension: +

+ The reasonCode is a non-critical CRL entry extension that identifies the reason for the certificate revocation. +

+ reasonCode non-critical code +

+ Where: +

+ reasonCode: identifies the name of an extension + non-critical: should be set to 0 since this is non-critical extension + code: the following codes are available: +

+ unspecified (0), + keyCompromise (1), + cACompromise (2), + affiliationChanged (3), + superseded (4), + cessationOfOperation (5), + certificateHold (6), + removeFromCRL (8), + privilegeWithdrawn (9), + aACompromise (10) +

+ * Add Invalidity Date extension: +

+ The invalidity date is a non-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid. +

+ invalidityDate non-critical date +

+ Where: +

+ crlNumber: identifies the name of an extension + non-critical: should be set to 0 since this is non-critical extension date: invalidity date of a cert. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ). +

Usage

+The Certificate Revocation List Management Tool's capabilities are grouped as follows, using these combinations of options and arguments. Options and arguments in square brackets are optional, those without square brackets are required. +

See "Implemented extensions" for more information regarding extensions and their parameters.

+ * Creating or modifying a CRL: + 

+crlutil -G|-M -c crl-gen-file -n nickname [-i crl] [-u url] [-d keydir] [-P dbprefix] [-l alg] [-a] [-B] 
+

+ * Listing all CRls or a named CRL: + 

+	crlutil -L [-n crl-name] [-d krydir] 
+

+ * Deleting CRL from db: + 

+	crlutil -D -n nickname [-d keydir] [-P dbprefix] 
+

+ * Erasing CRLs from db: + 

+	crlutil -E [-d keydir] [-P dbprefix] 
+

+ * Deleting CRL from db: + 

+          crlutil -D -n nickname [-d keydir] [-P dbprefix]
+

+ * Erasing CRLs from db: + 

+          crlutil -E [-d keydir] [-P dbprefix] 
+

+ * Import CRL from file: + 

+          crlutil -I -i crl [-t crlType] [-u url] [-d keydir] [-P dbprefix] [-B] 
+

See Also

certutil(1)

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/html/derdump.html b/security/nss/doc/html/derdump.html new file mode 100644 index 0000000000..0d66fc8747 --- /dev/null +++ b/security/nss/doc/html/derdump.html @@ -0,0 +1,5 @@ +DERDUMP
DERDUMP

Name

derdump — Dumps C-sequence strings from a DER encoded certificate file

Synopsis

derdump [-r] [-i input-file] [-o output-file]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

derdump dumps C-sequence strings from a DER encode certificate file

Options

-r
For formatted items, dump raw bytes as well
-i DER encoded file
Define an input file to use (default is stdin)
-o output file
Define an output file to use (default is stdout).

Additional Resources

NSS is maintained in conjunction with PKI and security-related projects through Mozilla dn Fedora. The most closely-related project is Dogtag PKI, with a project wiki at PKI Wiki.

For information specifically about NSS, the NSS project wiki is located at Mozilla NSS site. The NSS site relates directly to NSS code changes and releases.

Mailing lists: pki-devel@redhat.com and pki-users@redhat.com

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Gerhardus Geldenhuis <gerhardus.geldenhuis@gmail.com>. Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com> +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/html/modutil.html b/security/nss/doc/html/modutil.html new file mode 100644 index 0000000000..79faf38a15 --- /dev/null +++ b/security/nss/doc/html/modutil.html @@ -0,0 +1,252 @@ +MODUTIL
MODUTIL

Name

modutil — Manage PKCS #11 module information within the security module database.

Synopsis

modutil [options] [[arguments]]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The Security Module Database Tool, modutil, is a command-line utility for managing PKCS #11 module information both within secmod.db files and within hardware tokens. modutil can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.

The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.

Options

+ Running modutil always requires one (and only one) option to specify the type of module operation. Each option may take arguments, anywhere from none to multiple arguments. +

Options

-add modulename

Add the named PKCS #11 module to the database. Use this option with the -libfile, -ciphers, and -mechanisms arguments.

-changepw tokenname

Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the -pwfile and -newpwfile arguments. A password is equivalent to a personal identification number (PIN).

-chkfips

Verify whether the module is in the given FIPS mode. true means to verify that the module is in FIPS mode, while false means to verify that the module is not in FIPS mode.

-create

Create new certificate, key, and module databases. Use the -dbdir directory argument to specify a directory. If any of these databases already exist in a specified directory, modutil returns an error message.

-default modulename

Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the -mechanisms argument.

-delete modulename

Delete the named module. The default NSS PKCS #11 module cannot be deleted.

-disable modulename

Disable all slots on the named module. Use the -slot argument to disable a specific slot.

The internal NSS PKCS #11 module cannot be disabled.

-enable modulename

Enable all slots on the named module. Use the -slot argument to enable a specific slot.

-fips [true | false]

Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module.

-force

Disable modutil's interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity.

-jar JAR-file

Add a new PKCS #11 module to the database using the named JAR file. Use this command with the -installdir and -tempdir arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with modutil.

-list [modulename]

Display basic information about the contents of the secmod.db file. Specifying a modulename displays detailed information about a particular module and its slots and tokens.

-rawadd

Add the module spec string to the secmod.db database.

-rawlist

Display the module specs for a specified module or for all loadable modules.

-undefault modulename

Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the -mechanisms argument.

Arguments

MODULE

Give the security module to access.

MODULESPEC

Give the security module spec to load into the security database.

-ciphers cipher-enable-list

Enable specific ciphers in a module that is being added to the database. The cipher-enable-list is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces.

-dbdir directory

Specify the database directory in which to access or create security module database files.

modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in SQLite format.

--dbprefix prefix

Specify the prefix used on the database files, such as my_ for my_cert9.db. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.

-installdir root-installation-directory

Specify the root installation directory relative to which files will be installed by the -jar option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory.

-libfile library-file

Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database.

-mechanisms mechanism-list

Specify the security mechanisms for which a particular module will be flagged as a default provider. The mechanism-list is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces.

The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined.

modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable).

-newpwfile new-password-file

Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the -changepw option.

-nocertdb

Do not open the certificate or key databases. This has several effects:

  • With the -create command, only a module security file is created; certificate and key databases are not created.

  • With the -jar command, signatures on the JAR file are not checked.

  • With the -changepw command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database.

-pwfile old-password-file

Specify a text file containing a token's existing password so that a password can be entered automatically when the -changepw option is used to change passwords.

-secmod secmodname

Give the name of the security module database (like secmod.db) to load.

-slot slotname

Specify a particular slot to be enabled or disabled with the -enable or -disable options.

-string CONFIG_STRING

Pass a configuration string for the module being added to the database.

-tempdir temporary-directory

Give a directory location where temporary files are created during the installation by the -jar option. If no temporary directory is specified, the current directory is used.

Usage and Examples

Creating Database Files

Before any operations can be performed, there must be a set of security databases available. modutil can be used to create these files. The only required argument is the database that where the databases will be located.

modutil -create -dbdir directory

Adding a Cryptographic Module

Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through modutil directly or by running a JAR file and install script. For the most basic case, simply upload the library:

modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list]

For example: +

modutil -dbdir /home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM 
+
+Using database directory ... 
+Module "Example PKCS #11 Module" added to database.

+

Installing a Cryptographic Module from a JAR File

PKCS #11 modules can also be loaded using a JAR file, which contains all of the required libraries and an installation script that describes how to install the module. The JAR install script is described in more detail in the section called “JAR Installation File Format”.

The JAR installation script defines the setup information for each platform that the module can be installed on. For example:

Platforms { 
+   Linux:5.4.08:x86 { 
+      ModuleName { "Example PKCS #11 Module" } 
+      ModuleFile { crypto.so } 
+      DefaultMechanismFlags{0x0000} 
+      CipherEnableFlags{0x0000} 
+      Files { 
+         crypto.so { 
+            Path{ /tmp/crypto.so } 
+         } 
+         setup.sh { 
+            Executable 
+            Path{ /tmp/setup.sh } 
+         } 
+      } 
+   } 
+   Linux:6.0.0:x86 { 
+      EquivalentPlatform { Linux:5.4.08:x86 } 
+   } 
+}

Both the install script and the required libraries must be bundled in a JAR file, which is specified with the -jar argument.

modutil -dbdir /home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir /home/my/sharednssdb
+
+This installation JAR file was signed by: 
+---------------------------------------------- 
+
+**SUBJECT NAME** 
+
+C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID
+Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS
+Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref
+. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3
+Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network **ISSUER
+NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
+VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization,
+OU="VeriSign, Inc.", O=VeriSign Trust Network 
+---------------------------------------------- 
+
+Do you wish to continue this installation? (y/n) y 
+Using installer script "installer_script" 
+Successfully parsed installation script 
+Current platform is Linux:5.4.08:x86 
+Using installation parameters for platform Linux:5.4.08:x86 
+Installed file crypto.so to /tmp/crypto.so
+Installed file setup.sh to ./pk11inst.dir/setup.sh 
+Executing "./pk11inst.dir/setup.sh"... 
+"./pk11inst.dir/setup.sh" executed successfully 
+Installed module "Example PKCS #11 Module" into module database 
+
+Installation completed successfully

Adding Module Spec

Each module has information stored in the security database about its configuration and parameters. These can be added or edited using the -rawadd command. For the current settings or to see the format of the module spec in the database, use the -rawlist option.

modutil -rawadd modulespec

Deleting a Module

A specific PKCS #11 module can be deleted from the secmod.db database:

modutil -delete modulename -dbdir directory

Displaying Module Information

The secmod.db database contains information about the PKCS #11 modules that are available to an application or server to use. The list of all modules, information about specific modules, and database configuration specs for modules can all be viewed.

To simply get a list of modules in the database, use the -list command.

modutil -list [modulename] -dbdir directory

Listing the modules shows the module name, their status, and other associated security databases for certificates and keys. For example:

modutil -list -dbdir /home/my/sharednssdb 
+
+Listing of PKCS #11 Modules
+-----------------------------------------------------------
+  1. NSS Internal PKCS #11 Module
+         slots: 2 slots attached
+        status: loaded
+
+         slot: NSS Internal Cryptographic Services                            
+        token: NSS Generic Crypto Services
+	  uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
+
+         slot: NSS User Private Key and Certificate Services                  
+        token: NSS Certificate DB
+	  uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
+-----------------------------------------------------------

Passing a specific module name with the -list returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example:

 modutil -list "NSS Internal PKCS #11 Module" -dbdir /home/my/sharednssdb
+
+-----------------------------------------------------------
+Name: NSS Internal PKCS #11 Module
+Library file: **Internal ONLY module**
+Manufacturer: Mozilla Foundation              
+Description: NSS Internal Crypto Services    
+PKCS #11 Version 2.20
+Library Version: 3.11
+Cipher Enable Flags: None
+Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
+
+  Slot: NSS Internal Cryptographic Services                            
+  Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES
+  Manufacturer: Mozilla Foundation              
+  Type: Software
+  Version Number: 3.11
+  Firmware Version: 0.0
+  Status: Enabled
+  Token Name: NSS Generic Crypto Services     
+  Token Manufacturer: Mozilla Foundation              
+  Token Model: NSS 3           
+  Token Serial Number: 0000000000000000
+  Token Version: 4.0
+  Token Firmware Version: 0.0
+  Access: Write Protected
+  Login Type: Public (no login required)
+  User Pin: NOT Initialized
+
+  Slot: NSS User Private Key and Certificate Services                  
+  Slot Mechanism Flags: None
+  Manufacturer: Mozilla Foundation              
+  Type: Software
+  Version Number: 3.11
+  Firmware Version: 0.0
+  Status: Enabled
+  Token Name: NSS Certificate DB              
+  Token Manufacturer: Mozilla Foundation              
+  Token Model: NSS 3           
+  Token Serial Number: 0000000000000000
+  Token Version: 8.3
+  Token Firmware Version: 0.0
+  Access: NOT Write Protected
+  Login Type: Login required
+  User Pin: Initialized

A related command, -rawlist returns information about the database configuration for the modules. (This information can be edited by loading new specs using the -rawadd command.)

 modutil -rawlist -dbdir /home/my/sharednssdb
+ name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"

Setting a Default Provider for Security Mechanisms

Multiple security modules may provide support for the same security mechanisms. It is possible to set a specific security module as the default provider for a specific security mechanism (or, conversely, to prohibit a provider from supplying those mechanisms).

modutil -default modulename -mechanisms mechanism-list

To set a module as the default provider for mechanisms, use the -default command with a colon-separated list of mechanisms. The available mechanisms depend on the module; NSS supplies almost all common mechanisms. For example:

modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2 
+
+Using database directory c:\databases...
+
+Successfully changed defaults.

Clearing the default provider has the same format:

modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5

Enabling and Disabling Modules and Slots

Modules, and specific slots on modules, can be selectively enabled or disabled using modutil. Both commands have the same format:

modutil -enable|-disable modulename [-slot slotname]

For example:

modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services                            " -dbdir .
+
+Slot "NSS Internal Cryptographic Services                            " enabled.

Be sure that the appropriate amount of trailing whitespace is after the slot name. Some slot names have a significant amount of whitespace that must be included, or the operation will fail.

Enabling and Verifying FIPS Compliance

The NSS modules can have FIPS 140-2 compliance enabled or disabled using modutil with the -fips option. For example:

modutil -fips true -dbdir /home/my/sharednssdb/
+
+FIPS mode enabled.

To verify that status of FIPS mode, run the -chkfips command with either a true or false flag (it doesn't matter which). The tool returns the current FIPS setting.

modutil -chkfips false -dbdir /home/my/sharednssdb/
+
+FIPS mode enabled.

Changing the Password on a Token

Initializing or changing a token's password:

modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file] 
modutil -dbdir /home/my/sharednssdb -changepw "NSS Certificate DB" 
+
+Enter old password: 
+Incorrect password, try again... 
+Enter old password: 
+Enter new password: 
+Re-enter new password: 
+Token "Communicator Certificate DB" password changed successfully.

JAR Installation File Format

When a JAR file is run by a server, by modutil, or by any program that does not interpret JavaScript, a special information file must be included to install the libraries. There are several things to keep in mind with this file:

  • + It must be declared in the JAR archive's manifest file. +

  • + The script can have any name. +

  • + The metainfo tag for this is Pkcs11_install_script. To declare meta-information in the manifest file, put it in a file that is passed to signtool.

Sample Script

For example, the PKCS #11 installer script could be in the file pk11install. If so, the metainfo file for signtool includes a line such as this:

+ Pkcs11_install_script: pk11install

The script must define the platform and version number, the module name and file, and any optional information like supported ciphers and mechanisms. Multiple platforms can be defined in a single install file.

ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc }
+Platforms {
+   WINNT::x86 {
+      ModuleName { "Example Module" }
+      ModuleFile { win32/fort32.dll }
+      DefaultMechanismFlags{0x0001}
+      DefaultCipherFlags{0x0001}
+      Files {
+         win32/setup.exe {
+            Executable
+            RelativePath { %temp%/setup.exe }
+         }
+         win32/setup.hlp {
+            RelativePath { %temp%/setup.hlp }
+         }
+         win32/setup.cab {
+            RelativePath { %temp%/setup.cab }
+         }
+      }
+   }
+   WIN95::x86 {
+      EquivalentPlatform {WINNT::x86}
+   }
+   SUNOS:5.5.1:sparc {
+      ModuleName { "Example UNIX Module" }
+      ModuleFile { unix/fort.so }
+      DefaultMechanismFlags{0x0001}
+      CipherEnableFlags{0x0001}
+      Files {
+         unix/fort.so {
+            RelativePath{%root%/lib/fort.so}
+            AbsolutePath{/usr/local/netscape/lib/fort.so}
+            FilePermissions{555}
+         }
+         xplat/instr.html {
+            RelativePath{%root%/docs/inst.html}
+            AbsolutePath{/usr/local/netscape/docs/inst.html}
+            FilePermissions{555}
+         }
+      }
+   }
+   IRIX:6.2:mips {
+      EquivalentPlatform { SUNOS:5.5.1:sparc }
+   }
+}

Script Grammar

The script is basic Java, allowing lists, key-value pairs, strings, and combinations of all of them.

--> valuelist
+
+valuelist --> value valuelist
+               <null>
+
+value ---> key_value_pair
+            string
+
+key_value_pair --> key { valuelist }
+
+key --> string
+
+string --> simple_string
+            "complex_string"
+
+simple_string --> [^ \t\n\""{""}"]+ 
+
+complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+

Quotes and backslashes must be escaped with a backslash. A complex string must not include newlines or carriage returns.Outside of complex strings, all white space (for example, spaces, tabs, and carriage returns) is considered equal and is used only to delimit tokens.

Keys

The Java install file uses keys to define the platform and module information.

ForwardCompatible gives a list of platforms that are forward compatible. If the current platform cannot be found in the list of supported platforms, then the ForwardCompatible list is checked for any platforms that have the same OS and architecture in an earlier version. If one is found, its attributes are used for the current platform.

Platforms (required) Gives a list of platforms. Each entry in the list is itself a key-value pair: the key is the name of the platform and the value list contains various attributes of the platform. The platform string is in the format system name:OS release:architecture. The installer obtains these values from NSPR. OS release is an empty string on non-Unix operating systems. NSPR supports these platforms:

  • AIX (rs6000)

  • BSDI (x86)

  • FREEBSD (x86)

  • HPUX (hppa1.1)

  • IRIX (mips)

  • LINUX (ppc, alpha, x86)

  • MacOS (PowerPC)

  • NCR (x86)

  • NEC (mips)

  • OS2 (x86)

  • OSF (alpha)

  • ReliantUNIX (mips)

  • SCO (x86)

  • SOLARIS (sparc)

  • SONY (mips)

  • SUNOS (sparc)

  • UnixWare (x86)

  • WIN16 (x86)

  • WIN95 (x86)

  • WINNT (x86)

For example:

IRIX:6.2:mips
+SUNOS:5.5.1:sparc
+Linux:2.0.32:x86
+WIN95::x86

The module information is defined independently for each platform in the ModuleName, ModuleFile, and Files attributes. These attributes must be given unless an EquivalentPlatform attribute is specified.

Per-Platform Keys

Per-platform keys have meaning only within the value list of an entry in the Platforms list.

ModuleName (required) gives the common name for the module. This name is used to reference the module by servers and by the modutil tool.

ModuleFile (required) names the PKCS #11 module file for this platform. The name is given as the relative path of the file within the JAR archive.

Files (required) lists the files that need to be installed for this module. Each entry in the file list is a key-value pair. The key is the path of the file in the JAR archive, and the value list contains attributes of the file. At least RelativePath or AbsolutePath must be specified for each file.

DefaultMechanismFlags specifies mechanisms for which this module is the default provider; this is equivalent to the -mechanism option with the -add command. This key-value pair is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR. If the DefaultMechanismFlags entry is omitted, the value defaults to 0x0.

RSA:                   0x00000001
+DSA:                   0x00000002
+RC2:                   0x00000004
+RC4:                   0x00000008
+DES:                   0x00000010
+DH:                    0x00000020
+FORTEZZA:              0x00000040
+RC5:                   0x00000080
+SHA1:                  0x00000100
+MD5:                   0x00000200
+MD2:                   0x00000400
+RANDOM:                0x08000000
+FRIENDLY:              0x10000000
+OWN_PW_DEFAULTS:       0x20000000
+DISABLE:               0x40000000

CipherEnableFlags specifies ciphers that this module provides that NSS does not provide (so that the module enables those ciphers for NSS). This is equivalent to the -cipher argument with the -add command. This key is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR. If the CipherEnableFlags entry is omitted, the value defaults to 0x0.

EquivalentPlatform specifies that the attributes of the named platform should also be used for the current platform. This makes it easier when more than one platform uses the same settings.

Per-File Keys

Some keys have meaning only within the value list of an entry in a Files list.

Each file requires a path key the identifies where the file is. Either RelativePath or AbsolutePath must be specified. If both are specified, the relative path is tried first, and the absolute path is used only if no relative root directory is provided by the installer program.

RelativePath specifies the destination directory of the file, relative to some directory decided at install time. Two variables can be used in the relative path: %root% and %temp%. %root% is replaced at run time with the directory relative to which files should be installed; for example, it may be the server's root directory. The %temp% directory is created at the beginning of the installation and destroyed at the end. The purpose of %temp% is to hold executable files (such as setup programs) or files that are used by these programs. Files destined for the temporary directory are guaranteed to be in place before any executable file is run; they are not deleted until all executable files have finished.

AbsolutePath specifies the destination directory of the file as an absolute path.

Executable specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.

FilePermissions sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.

+user read:                0400
+user write:               0200
+user execute:             0100
+group read:               0040
+group write:              0020
+group execute:            0010
+other read:               0004
+other write:              0002
+other execute:            0001
+

Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.

NSS Database Types

NSS originally used BerkeleyDB databases to store security information. +The last versions of these legacy databases are:

  • + cert8.db for certificates +

  • + key3.db for keys +

  • + secmod.db for PKCS #11 module information +

BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has +some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS +requires more flexibility to provide a truly shared security database.

In 2009, NSS introduced a new set of databases that are SQLite databases rather than +BerkleyDB. These new databases provide more accessibility and performance:

  • + cert9.db for certificates +

  • + key4.db for keys +

  • + pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory +

Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type. +Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:

modutil -create -dbdir dbm:/home/my/sharednssdb

To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:

export NSS_DEFAULT_DB_TYPE="dbm"

This line can be added to the ~/.bashrc file to make the change permanent for the user.

  • + https://wiki.mozilla.org/NSS_Shared_DB_Howto

For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

  • + https://wiki.mozilla.org/NSS_Shared_DB +

See Also

certutil (1)

pk12util (1)

signtool (1)

The NSS wiki has information on the new database design and how to configure applications to use it.

  • + https://wiki.mozilla.org/NSS_Shared_DB_Howto

  • + https://wiki.mozilla.org/NSS_Shared_DB +

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/html/pk12util.html b/security/nss/doc/html/pk12util.html new file mode 100644 index 0000000000..70f3ee44f4 --- /dev/null +++ b/security/nss/doc/html/pk12util.html @@ -0,0 +1,77 @@ +PK12UTIL
PK12UTIL

Name

pk12util — Export and import keys and certificate to or from a PKCS #12 file and the NSS database

Synopsis

pk12util [-i p12File|-l p12File|-o p12File] [-c keyCipher] [-C certCipher] [-d directory] [-h tokenname] [-m | --key-len keyLength] [-M hashAlg] [-n certname] [-P dbprefix] [-r] [-v] [--cert-key-len certKeyLength] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys.

Options and Arguments

Options

-i p12file

Import keys and certificates from a PKCS #12 file into a security database.

-l p12file

List the keys and certificates in PKCS #12 file.

-o p12file

Export keys and certificates from the security database to a PKCS #12 file.

Arguments

-c keyCipher

Specify the key encryption algorithm.

-C certCipher

Specify the certiticate encryption algorithm.

-d directory

Specify the database directory into which to import to or export from certificates and keys.

pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format.

-h tokenname

Specify the name of the token to import into or export from.

-k slotPasswordFile

Specify the text file containing the slot's password.

-K slotPassword

Specify the slot's password.

-m | --key-len keyLength

Specify the desired length of the symmetric key to be used to encrypt the private key.

-M hashAlg

Specify the hash algorithm used in the pkcs #12 mac. This algorithm also specifies the HMAC used in the prf when using pkcs #5 v2.

--cert-key-len certKeyLength

Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.

-n certname

Specify the nickname of the cert and private key to export.

The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512.

-P prefix

Specify the prefix used on the certificate and key databases. This option is provided as a special case. + Changing the names of the certificate and key databases is not recommended.

-r

Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.

-v

Enable debug logging when importing.

-w p12filePasswordFile

Specify the text file containing the pkcs #12 file password.

-W p12filePassword

Specify the pkcs #12 file password.

Return Codes

  • 0 - No error

  • 1 - User Cancelled

  • 2 - Usage error

  • 6 - NLS init error

  • 8 - Certificate DB open error

  • 9 - Key DB open error

  • 10 - File initialization error

  • 11 - Unicode conversion error

  • 12 - Temporary file creation error

  • 13 - PKCS11 get slot error

  • 14 - PKCS12 decoder start error

  • 15 - error read from import file

  • 16 - pkcs12 decode error

  • 17 - pkcs12 decoder verify error

  • 18 - pkcs12 decoder validate bags error

  • 19 - pkcs12 decoder import bags error

  • 20 - key db conversion version 3 to version 2 error

  • 21 - cert db conversion version 7 to version 5 error

  • 22 - cert and key dbs patch error

  • 23 - get default cert db error

  • 24 - find cert by nickname error

  • 25 - create export context error

  • 26 - PKCS12 add password itegrity error

  • 27 - cert and key Safes creation error

  • 28 - PKCS12 add cert and key error

  • 29 - PKCS12 encode error

Examples

Importing Keys and Certificates

The most basic usage of pk12util for importing a certificate or key is the PKCS #12 input file (-i) and some way to specify the security database being accessed (either -d for a directory or -h for a token). +

+ pk12util -i p12File [-h tokenname] [-v] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] +

For example:

# pk12util -i /tmp/cert-files/users.p12 -d /home/my/sharednssdb
+
+Enter a password which will be used to encrypt your keys.
+The password should be at least 8 characters long,
+and should contain at least one non-alphabetic character.
+
+Enter new password: 
+Re-enter password: 
+Enter password for PKCS12 file: 
+pk12util: PKCS12 IMPORT SUCCESSFUL

Exporting Keys and Certificates

Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database (-n) and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. +

pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

For example:

# pk12util -o certs.p12 -n Server-Cert -d /home/my/sharednssdb
+Enter password for PKCS12 file: 
+Re-enter password:

Listing Keys and Certificates

The information in a .p12 file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the .p12 file. +

pk12util -l p12File [-h tokenname] [-r] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]

For example, this prints the default ASCII output:

# pk12util -l certs.p12
+
+Enter password for PKCS12 file: 
+Key(shrouded):
+    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+
+    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
+        Parameters:
+            Salt:
+                45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
+            Iteration Count: 1 (0x1)
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 13 (0xd)
+        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
+        Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C
+            A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
+            own,ST=Western Cape,C=ZA"
+

Alternatively, the -r prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports .p12 files. Each certificate is written to a sequentially-number file, beginning with file0001.der and continuing through file000N.der, incrementing the number for every certificate:

pk12util -l test.p12 -r
+Enter password for PKCS12 file: 
+Key(shrouded):
+    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+
+    Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC
+        Parameters:
+            Salt:
+                45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f
+            Iteration Count: 1 (0x1)
+Certificate    Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
+
+Certificate    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+

Password Encryption

PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the -C option.

The private key is always protected with strong encryption by default.

Several types of ciphers are supported.

PKCS #5 password-based encryption

  • PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC")

PKCS #12 password-based encryption

  • SHA-1 and 128-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4" or "RC4")

  • SHA-1 and 40-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4") (used by default for certificate encryption in non-FIPS mode)

  • SHA-1 and 3-key triple-DES ("PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC" or "DES-EDE3-CBC")

  • SHA-1 and 128-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC" or "RC2-CBC")

  • SHA-1 and 40-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC")

With PKCS #12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error no security module can perform the requested operation.

NSS Database Types

NSS originally used BerkeleyDB databases to store security information. +The last versions of these legacy databases are:

  • + cert8.db for certificates +

  • + key3.db for keys +

  • + secmod.db for PKCS #11 module information +

BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has +some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS +requires more flexibility to provide a truly shared security database.

In 2009, NSS introduced a new set of databases that are SQLite databases rather than +BerkleyDB. These new databases provide more accessibility and performance:

  • + cert9.db for certificates +

  • + key4.db for keys +

  • + pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory +

Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type +Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:

# pk12util -i /tmp/cert-files/users.p12 -d dbm:/home/my/sharednssdb

To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:

export NSS_DEFAULT_DB_TYPE="dbm"

This line can be set added to the ~/.bashrc file to make the change permanent.

  • + https://wiki.mozilla.org/NSS_Shared_DB_Howto

For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

  • + https://wiki.mozilla.org/NSS_Shared_DB +

Compatibility Notes

The exporting behavior of pk12util has changed over time, while importing files exported with older versions of NSS is still supported.

Until the 3.30 release, pk12util used the UTF-16 encoding for the PKCS #5 password-based encryption schemes, while the recommendation is to encode passwords in UTF-8 if the used encryption scheme is defined outside of the PKCS #12 standard.

Until the 3.31 release, even when "AES-128-CBC" or "AES-192-CBC" is given from the command line, pk12util always used 256-bit AES as the underlying encryption scheme.

For historical reasons, pk12util accepts password-based encryption schemes not listed in this document. However, those schemes are not officially supported and may have issues in interoperability with other tools.

See Also

certutil (1)

modutil (1)

The NSS wiki has information on the new database design and how to configure applications to use it.

  • + https://wiki.mozilla.org/NSS_Shared_DB_Howto

  • + https://wiki.mozilla.org/NSS_Shared_DB +

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/html/pp.html b/security/nss/doc/html/pp.html new file mode 100644 index 0000000000..fcb6cca630 --- /dev/null +++ b/security/nss/doc/html/pp.html @@ -0,0 +1,7 @@ +PP
PP

Name

pp — Prints certificates, keys, crls, and pkcs7 files

Synopsis

pp -t type [-a] [-i input] [-o output] [-u] [-w]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

pp pretty-prints private and public key, certificate, certificate-request, + pkcs7, pkcs12 or crl files +

Options

-t type

specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | pkcs12 | crl | name}

-a
Input is in ascii encoded form (RFC1113)
-i inputfile
Define an input file to use (default is stdin)
-o outputfile
Define an output file to use (default is stdout)
-u
Use UTF-8 (default is to show non-ascii as .)
-w
Don't wrap long output lines

Additional Resources

NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at PKI Wiki.

For information specifically about NSS, the NSS project wiki is located at Mozilla NSS site. The NSS site relates directly to NSS code changes and releases.

Mailing lists: pki-devel@redhat.com and pki-users@redhat.com

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/html/signtool.html b/security/nss/doc/html/signtool.html new file mode 100644 index 0000000000..84568e17c7 --- /dev/null +++ b/security/nss/doc/html/signtool.html @@ -0,0 +1,284 @@ +signtool
signtool

Name

signtool — Digitally sign objects and files.

Synopsis

signtool [[-b basename]] [[-c Compression Level] ] [[-d cert-dir] ] [[-e extension] ] [[-f filename] ] [[-i installer script] ] [[-h]] [[-H]] [[-v]] [[-w]] [[-G nickname]] [[-J]] [[-j directory] ] [-k keyName] [[--keysize | -s size]] [[-l]] [[-L]] [[-M]] [[-m metafile] ] [[--norecurse] ] [[-O] ] [[-o] ] [[--outfile] ] [[-p password] ] [[-t|--token tokenname] ] [[-z] ] [[-X] ] [[-x name] ] [[--verbose value] ] [[--leavearc] ] [[-Z jarfile] ] [directory-tree] [archive]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The Signing Tool, signtool, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory. Electronic software distribution over any network involves potential security problems. To help address some of these problems, you can associate digital signatures with the files in a JAR archive. Digital signatures allow SSL-enabled clients to perform two important operations:

* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files

* Check whether the files have been tampered with since being signed

If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file. An object-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files.

An individual file can potentially be signed with multiple digital signatures. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company. A network administrator manager might sign the same files with an additional digital signature based on a company-generated certificate to indicate that the product is approved for use within the company.

The significance of a digital signature is comparable to the significance of a handwritten signature. Once you have signed a file, it is difficult to claim later that you didn't sign it. In some situations, a digital signature may be considered as legally binding as a handwritten signature. Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute.

For example, if you are a software developer, you should test your code to make sure it is virus-free before signing it. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it.

Before you can use Netscape Signing Tool to sign files, you must have an object-signing certificate, which is a special certificate whose associated private key is used to create digital signatures. For testing purposes only, you can create an object-signing certificate with Netscape Signing Tool 1.3. When testing is finished and you are ready to disitribute your software, you should obtain an object-signing certificate from one of two kinds of sources:

* An independent certificate authority (CA) that authenticates your identity and charges you a fee. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet.

* CA server software running on your corporate intranet or extranet. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object-signing certificates.

You must also have a certificate for the CA that issues your signing certificate before you can sign files. If the certificate authority's certificate isn't already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority's web site, for example on the page from which you initiated enrollment for your signing certificate. This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database.

When you receive an object-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software. Communicator supports the public-key cryptography standard known as PKCS #12, which governs key portability. You can, for example, move an object-signing certificate and its associated private key from one computer to another on a credit-card-sized device called a smart card.

Options

-b basename

Specifies the base filename for the .rsa and .sf files in the META-INF directory to conform with the JAR format. For example, -b signatures causes the files to be named signatures.rsa and signatures.sf. The default is signtool.

-c#

+ Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes. + +If the -c# option is not used with either the -J or the -Z option, the default compression value used by both the -J and -Z options is 6. +

-d certdir

+ Specifies your certificate database directory; that is, the directory in which you placed your key3.db and cert7.db files. To specify the current directory, use "-d." (including the period). + +The Unix version of signtool assumes ~/.netscape unless told otherwise. The NT version of signtool always requires the use of the -d option to specify where the database files are located. +

-e extension

+ Tells signtool to sign only files with the given extension; for example, use -e".class" to sign only Java class files. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple times on one command line, making it possible to specify multiple file types or classes to include. +

-f commandfile

+ Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format. All options and arguments can be expressed through this file. For more information about the syntax used with this file, see "Tips and Techniques". +

-G nickname

+ Generates a new private-public key pair and corresponding object-signing certificate with the given nickname. + +The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert. + +Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects. + +The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. +

-i scriptname

+Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script. +

-J

+Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once. + +The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option. + +If the -c# option is not used with the -J option, the default compression value is 6. + +Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages. +

-j directory

+ Specifies a special JavaScript directory. This option causes the specified directory to be signed and tags its entries as inline JavaScript. This special type of entry does not have to appear in the JAR file itself. Instead, it is located in the HTML page containing the inline scripts. When you use signtool -v, these entries are displayed with the string NOT PRESENT. +

-k key ... directory

+ Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory. The directory to sign is always specified as the last command-line argument. Thus, it is possible to write + +signtool -k MyCert -d . signdir + +You may have trouble if the nickname contains a single quotation mark. To avoid problems, escape the quotation mark using the escape conventions for your platform. + +It's also possible to use the -k option without signing any files or specifying a directory. For example, you can use it with the -l option to get detailed information about a particular signing certificate. +

-l

+ Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate. + +The -l option is available in Netscape Signing Tool 1.0 and later versions only. +

-L

+ Lists the certificates in your database. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool. +

--leavearc

+ Retains the temporary .arc (archive) directories that the -J option creates. These directories are automatically erased by default. Retaining the temporary directories can be an aid to debugging. +

-m metafile

+ Specifies the name of a metadata control file. Metadata is signed information attached either to the JAR archive itself or to files within the archive. This metadata can be any ASCII string, but is used mainly for specifying an installer script. + +The metadata file contains one entry per line, each with three fields: + +field #1: file specification, or + if you want to specify global metadata (that is, metadata about the JAR archive itself or all entries in the archive) +field #2: the name of the data you are specifying; for example: Install-Script +field #3: data corresponding to the name in field #2 + +For example, the -i option uses the equivalent of this line: + ++ Install-Script: script.js + + +This example associates a MIME type with a file: + +movie.qt MIME-Type: video/quicktime + +For information about the way installer script information appears in the manifest file for a JAR archive, see The JAR Format on Netscape DevEdge. +

-M

+ Lists the PKCS #11 modules available to signtool, including smart cards. + +The -M option is available in Netscape Signing Tool 1.0 and later versions only. + +For information on using Netscape Signing Tool with smart cards, see "Using Netscape Signing Tool with Smart Cards". + +For information on using the -M option to verify FIPS-140-1 validated mode, see "Netscape Signing Tool and FIPS-140-1". +

--norecurse

+ Blocks recursion into subdirectories when signing a directory's contents or when parsing HTML. +

-o

+ Optimizes the archive for size. Use this only if you are signing very large archives containing hundreds of files. This option makes the manifest files (required by the JAR format) considerably smaller, but they contain slightly less information. +

--outfile outputfile

+ Specifies a file to receive redirected output from Netscape Signing Tool. +

-p password

+ Specifies a password for the private-key database. Note that the password entered on the command line is displayed as plain text. +

-s keysize

+ Specifies the size of the key for generated certificate. Use the -M option to find out what tokens are available. + +The -s option can be used with the -G option only. +

-t token

+ Specifies which available token should generate the key and receive the certificate. Use the -M option to find out what tokens are available. + +The -t option can be used with the -G option only. +

-v archive

+ Displays the contents of an archive and verifies the cryptographic integrity of the digital signatures it contains and the files with which they are associated. This includes checking that the certificate for the issuer of the object-signing certificate is listed in the certificate database, that the CA's digital signature on the object-signing certificate is valid, that the relevant certificates have not expired, and so on. +

--verbosity value

+ Sets the quantity of information Netscape Signing Tool generates in operation. A value of 0 (zero) is the default and gives full information. A value of -1 suppresses most messages, but not error messages. +

-w archive

+ Displays the names of signers of any files in the archive. +

-x directory

+ Excludes the specified directory from signing. Note that with Netscape Signing Tool version 1.1 and later this option can appear multiple times on one command line, making it possible to specify several particular directories to exclude. +

-z

+ Tells signtool not to store the signing time in the digital signature. This option is useful if you want the expiration date of the signature checked against the current date and time rather than the time the files were signed. +

-Z jarfile

+ Creates a JAR file with the specified name. You must specify this option if you want signtool to create the JAR file; it does not do so automatically. If you don't specify -Z, you must use an external ZIP tool to create the JAR file. + +The -Z option cannot be used at the same time as the -J option. + +If the -c# option is not used with the -Z option, the default compression value is 6.

The Command File Format

Entries in a Netscape Signing Tool command file have this general format: +keyword=value + +Everything before the = sign on a single line is a keyword, and everything from the = sign to the end of line is a value. The value may include = signs; only the first = sign on a line is interpreted. Blank lines are ignored, but white space on a line with keywords and values is assumed to be part of the keyword (if it comes before the equal sign) or part of the value (if it comes after the first equal sign). Keywords are case insensitive, values are generally case sensitive. Since the = sign and newline delimit the value, it should not be quoted.

Subsection

basename

Same as -b option.

compression

+ Same as -c option. +

certdir

+ Same as -d option. +

extension

+ Same as -e option. +

generate

+ Same as -G option. +

installscript

+ Same as -i option. +

javascriptdir

+ Same as -j option. +

htmldir

+ Same as -J option. +

certname

+ Nickname of certificate, as with -k and -l -k options. +

signdir

+ The directory to be signed, as with -k option. +

list

+ Same as -l option. Value is ignored, but = sign must be present. +

listall

+ Same as -L option. Value is ignored, but = sign must be present. +

metafile

+ Same as -m option. +

modules

+ Same as -M option. Value is ignored, but = sign must be present. +

optimize

+ Same as -o option. Value is ignored, but = sign must be present. +

password

+ Same as -p option. +

keysize

+ Same as -s option. +

token

+ Same as -t option. +

verify

+ Same as -v option. +

who

+ Same as -w option. +

exclude

+ Same as -x option. +

notime

+ Same as -z option. value is ignored, but = sign must be present. +

jarfile

+ Same as -Z option. +

outfile

+ Name of a file to which output and error messages will be redirected. This option has no command-line equivalent. +

Extended Examples

The following example will do this and that +

Listing Available Signing Certificates

You use the -L option to list the nicknames for all available certificates and check which ones are signing certificates.

signtool -L 
+
+using certificate directory: /u/jsmith/.netscape 
+S Certificates 
+- ------------ 
+  BBN Certificate Services CA Root 1 
+  IBM World Registry CA 
+  VeriSign Class 1 CA - Individual Subscriber - VeriSign, Inc. 
+  GTE CyberTrust Root CA 
+  Uptime Group Plc. Class 4 CA 
+* Verisign Object Signing Cert 
+  Integrion CA 
+  GTE CyberTrust Secure Server CA 
+  AT&T Directory Services 
+* test object signing cert 
+  Uptime Group Plc. Class 1 CA 
+  VeriSign Class 1 Primary CA 
+- ------------
+
+Certificates that can be used to sign objects have *'s to their left.

Two signing certificates are displayed: Verisign Object Signing Cert and test object signing cert.

You use the -l option to get a list of signing certificates only, including the signing CA for each.

signtool -l
+
+using certificate directory: /u/jsmith/.netscape
+Object signing certificates
+---------------------------------------
+
+Verisign Object Signing Cert
+    Issued by: VeriSign, Inc. - Verisign, Inc.
+    Expires: Tue May 19, 1998
+test object signing cert
+    Issued by: test object signing cert (Signtool 1.0 Testing 
+Certificate (960187691))
+    Expires: Sun May 17, 1998
+---------------------------------------

For a list including CAs, use the -L option.

Signing a File

1. Create an empty directory.

mkdir signdir

2. Put some file into it.

echo boo > signdir/test.f

3. Specify the name of your object-signing certificate and sign the directory.

signtool -k MySignCert -Z testjar.jar signdir
+
+using key "MySignCert"
+using certificate directory: /u/jsmith/.netscape
+Generating signdir/META-INF/manifest.mf file..
+--> test.f
+adding signdir/test.f to testjar.jar
+Generating signtool.sf file..
+Enter Password or Pin for "Communicator Certificate DB":
+
+adding signdir/META-INF/manifest.mf to testjar.jar
+adding signdir/META-INF/signtool.sf to testjar.jar
+adding signdir/META-INF/signtool.rsa to testjar.jar
+
+tree "signdir" signed successfully

4. Test the archive you just created.

signtool -v testjar.jar
+
+using certificate directory: /u/jsmith/.netscape
+archive "testjar.jar" has passed crypto verification.
+           status   path
+     ------------   -------------------
+         verified   test.f

Using Netscape Signing Tool with a ZIP Utility

To use Netscape Signing Tool with a ZIP utility, you must have the utility in your path environment variable. You should use the zip.exe utility rather than pkzip.exe, which cannot handle long filenames. You can use a ZIP utility instead of the -Z option to package a signed archive into a JAR file after you have signed it:

cd signdir 
+
+  zip -r ../myjar.jar * 
+  adding: META-INF/ (stored 0%) 
+  adding: META-INF/manifest.mf (deflated 15%) 
+  adding: META-INF/signtool.sf (deflated 28%) 
+  adding: META-INF/signtool.rsa (stored 0%) 
+  adding: text.txt (stored 0%)

Generating the Keys and Certificate

The signtool option -G generates a new public-private key pair and certificate. It takes the nickname of the new certificate as an argument. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.

Certificates contain standard information about the entity they identify, such as the common name and organization name. Netscape Signing Tool prompts you for this information when you run the command with the -G option. However, all of the requested fields are optional for test certificates. If you do not enter a common name, the tool provides a default name. In the following example, the user input is in boldface:

signtool -G MyTestCert
+
+using certificate directory: /u/someuser/.netscape
+Enter certificate information. All fields are optional. Acceptable
+characters are numbers, letters, spaces, and apostrophes.
+certificate common name: Test Object Signing Certificate
+organization: Netscape Communications Corp.
+organization unit: Server Products Division
+state or province: California
+country (must be exactly 2 characters): US
+username: someuser
+email address: someuser@netscape.com
+Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]
+generated public/private key pair
+certificate request generated
+certificate has been signed
+certificate "MyTestCert" added to database
+Exported certificate to x509.raw and x509.cacert.

The certificate information is read from standard input. Therefore, the information can be read from a file using the redirection operator (<) in some operating systems. To create a file for this purpose, enter each of the seven input fields, in order, on a separate line. Make sure there is a newline character at the end of the last line. Then run signtool with standard input redirected from your file as follows:

signtool -G MyTestCert inputfile

The prompts show up on the screen, but the responses will be automatically read from the file. The password will still be read from the console unless you use the -p option to give the password on the command line.

Using the -M Option to List Smart Cards

You can use the -M option to list the PKCS #11 modules, including smart cards, that are available to signtool:

signtool -d "c:\netscape\users\jsmith" -M
+
+using certificate directory: c:\netscape\users\username
+Listing of PKCS11 modules 
+----------------------------------------------- 
+	1. Netscape Internal PKCS #11 Module 
+			  (this module is internally loaded) 
+			  slots: 2 slots attached 
+			  status: loaded 
+	  slot: Communicator Internal Cryptographic Services Version 4.0 
+	 token: Communicator Generic Crypto Svcs 
+	  slot: Communicator User Private Key and Certificate Services 
+	 token: Communicator Certificate DB 
+	2. CryptOS 
+			  (this is an external module) 
+ DLL name: core32 
+	 slots: 1 slots attached 
+	status: loaded 
+	  slot: Litronic 210 
+	 token: 
+	-----------------------------------------------

Using Netscape Signing Tool and a Smart Card to Sign Files

The signtool command normally takes an argument of the -k option to specify a signing certificate. To sign with a smart card, you supply only the fully qualified name of the certificate.

To see fully qualified certificate names when you run Communicator, click the Security button in Navigator, then click Yours under Certificates in the left frame. Fully qualified names are of the format smart card:certificate, for example "MyCard:My Signing Cert". You use this name with the -k argument as follows:

signtool -k "MyCard:My Signing Cert" directory

Verifying FIPS Mode

Use the -M option to verify that you are using the FIPS-140-1 module.

signtool -d "c:\netscape\users\jsmith" -M
+
+using certificate directory: c:\netscape\users\jsmith
+Listing of PKCS11 modules
+-----------------------------------------------
+  1. Netscape Internal PKCS #11 Module
+          (this module is internally loaded)
+          slots: 2 slots attached
+          status: loaded
+    slot: Communicator Internal Cryptographic Services Version 4.0
+   token: Communicator Generic Crypto Svcs
+    slot: Communicator User Private Key and Certificate Services
+   token: Communicator Certificate DB
+-----------------------------------------------

This Unix example shows that Netscape Signing Tool is using a FIPS-140-1 module:

signtool -d "c:\netscape\users\jsmith" -M
+using certificate directory: c:\netscape\users\jsmith
+Enter Password or Pin for "Communicator Certificate DB": [password will not echo]
+Listing of PKCS11 modules
+-----------------------------------------------
+1. Netscape Internal FIPS PKCS #11 Module
+(this module is internally loaded)
+slots: 1 slots attached
+status: loaded
+slot: Netscape Internal FIPS-140-1 Cryptographic Services
+token: Communicator Certificate DB
+-----------------------------------------------

See Also

signver (1)

The NSS wiki has information on the new database design and how to configure applications to use it.

  • + https://wiki.mozilla.org/NSS_Shared_DB_Howto

  • + https://wiki.mozilla.org/NSS_Shared_DB +

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/html/signver.html b/security/nss/doc/html/signver.html new file mode 100644 index 0000000000..c2263f8eca --- /dev/null +++ b/security/nss/doc/html/signver.html @@ -0,0 +1,33 @@ +SIGNVER
SIGNVER

Name

signver — Verify a detached PKCS#7 signature for a file.

Synopsis

signtool -A | -V -d directory [-a] [-i input_file] [-o output_file] [-s signature_file] [-v]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The Signature Verification Tool, signver, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object.

Options

-A

Displays all of the information in the PKCS#7 signature.

-V

Verifies the digital signature.

-d directory

Specify the database directory which contains the certificates and keys.

signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format.

-a

Sets that the given signature file is in ASCII format.

-i input_file

Gives the input file for the object with signed data.

-o output_file

Gives the output file to which to write the results.

-s signature_file

Gives the input file for the digital signature.

-v

Enables verbose output.

Extended Examples

Verifying a Signature

The -V option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file).

signver -V -s signature_file -i signed_file -d /home/my/sharednssdb
+
+signatureValid=yes

Printing Signature Data

+ The -A option prints all of the information contained in a signature file. Using the -o option prints the signature file information to the given output file rather than stdout. + 

signver -A -s signature_file -o output_file

NSS Database Types

NSS originally used BerkeleyDB databases to store security information. +The last versions of these legacy databases are:

  • + cert8.db for certificates +

  • + key3.db for keys +

  • + secmod.db for PKCS #11 module information +

BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has +some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS +requires more flexibility to provide a truly shared security database.

In 2009, NSS introduced a new set of databases that are SQLite databases rather than +BerkleyDB. These new databases provide more accessibility and performance:

  • + cert9.db for certificates +

  • + key4.db for keys +

  • + pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory +

Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility.

By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type +Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example:

# signver -A -s signature -d dbm:/home/my/sharednssdb

To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm:

export NSS_DEFAULT_DB_TYPE="dbm"

This line can be added to the ~/.bashrc file to make the change permanent for the user.

  • + https://wiki.mozilla.org/NSS_Shared_DB_Howto

For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki:

  • + https://wiki.mozilla.org/NSS_Shared_DB +

See Also

signtool (1)

The NSS wiki has information on the new database design and how to configure applications to use it.

  • Setting up the shared NSS database

    https://wiki.mozilla.org/NSS_Shared_DB_Howto

  • + Engineering and technical information about the shared NSS database +

    + https://wiki.mozilla.org/NSS_Shared_DB +

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/html/ssltap.html b/security/nss/doc/html/ssltap.html new file mode 100644 index 0000000000..12629dcb24 --- /dev/null +++ b/security/nss/doc/html/ssltap.html @@ -0,0 +1,417 @@ +SSLTAP
SSLTAP

Name

ssltap — Tap into SSL connections and display the data going by

Synopsis

ssltap [-fhlsvx] [-p port] [hostname:port]

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The SSL Debugging Tool ssltap is an SSL-aware command-line proxy. It watches TCP connections and displays the data going by. If a connection is SSL, the data display includes interpreted SSL records and handshaking

Options

-f

+Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser. +

-h

+Turn on hex/ASCII printing. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters. The two parts are separated by a vertical bar. Nonprinting characters are replaced by dots. +

-l prefix

+Turn on looping; that is, continue to accept connections rather than stopping after the first connection is complete. +

-p port

Change the default rendezvous port (1924) to another port.

The following are well-known port numbers:

+ * HTTP 80 +

+ * HTTPS 443 +

+ * SMTP 25 +

+ * FTP 21 +

+ * IMAP 143 +

+ * IMAPS 993 (IMAP over SSL) +

+ * NNTP 119 +

+ * NNTPS 563 (NNTP over SSL) +

-s

+Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures. +

+If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate. +

+If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output. +

-v

Print a version string for the tool.

-x

Turn on extra SSL hex dumps.

Usage and Examples

+You can use the SSL Debugging Tool to intercept any connection information. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful. For example, assume your development machine is called intercept. The simplest way to use the debugging tool is to execute the following command from a command shell: + 

$ ssltap www.netscape.com

+The program waits for an incoming connection on the default port 1924. In your browser window, enter the URL http://intercept:1924. The browser retrieves the requested page from the server at www.netscape.com, but the page is intercepted and passed on to the browser by the debugging tool on intercept. On its way to the browser, the data is printed to the command shell from which you issued the command. Data sent from the client to the server is surrounded by the following symbols: --> [ data ] Data sent from the server to the client is surrounded by the following symbols: +"left arrow"-- [ data ] The raw data stream is sent to standard output and is not interpreted in any way. This can result in peculiar effects, such as sounds, flashes, and even crashes of the command shell window. To output a basic, printable interpretation of the data, use the -h option, or, if you are looking at an SSL connection, the -s option. You will notice that the page you retrieved looks incomplete in the browser. This is because, by default, the tool closes down after the first connection is complete, so the browser is not able to load images. To make the tool +continue to accept connections, switch on looping mode with the -l option. The following examples show the output from commonly used combinations of options. +

Example 1 

$ ssltap.exe -sx -p 444 interzone.mcom.com:443 > sx.txt

Output 

+Connected to interzone.mcom.com:443
+-->; [
+alloclen = 66 bytes
+   [ssl2]  ClientHelloV2 {
+            version = {0x03, 0x00}
+            cipher-specs-length = 39 (0x27)
+            sid-length = 0 (0x00)
+            challenge-length = 16 (0x10)
+            cipher-suites = {
+
+                (0x010080) SSL2/RSA/RC4-128/MD5
+                  (0x020080) SSL2/RSA/RC4-40/MD5
+                  (0x030080) SSL2/RSA/RC2CBC128/MD5
+                  (0x040080) SSL2/RSA/RC2CBC40/MD5
+                  (0x060040) SSL2/RSA/DES64CBC/MD5
+                  (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+                  (0x000004) SSL3/RSA/RC4-128/MD5
+                  (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+                  (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+                  (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+                  (0x000009) SSL3/RSA/DES64CBC/SHA
+                  (0x000003) SSL3/RSA/RC4-40/MD5
+                  (0x000006) SSL3/RSA/RC2CBC40/MD5
+                  }
+            session-id = { }
+            challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3
+
+0x2592 }
+}
+]
+<-- [
+SSLRecord {
+   0: 16 03 00 03  e5                                   |.....
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 997 (0x3e5)
+   handshake {
+   0: 02 00 00 46                                      |...F
+      type = 2 (server_hello)
+      length = 70 (0x000046)
+            ServerHello {
+            server_version = {3, 0}
+            random = {...}
+   0: 77 8c 6e 26  6c 0c ec c0  d9 58 4f 47  d3 2d 01 45  |
+wn&l.ì..XOG.-.E
+   10: 5c 17 75 43  a7 4c 88 c7  88 64 3c 50  41 48 4f 7f  |
+
+\.uC§L.Ç.d<PAHO.
+                  session ID = {
+                  length = 32
+
+                contents = {..}
+   0: 14 11 07 a8  2a 31 91 29  11 94 40 37  57 10 a7 32  | ...¨*1.)..@7W.§2
+   10: 56 6f 52 62  fe 3d b3 65  b1 e4 13 0f  52 a3 c8 f6  | VoRbþ=³e±...R£È.
+         }
+               cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+         }
+   0: 0b 00 02 c5                                      |...Å
+      type = 11 (certificate)
+      length = 709 (0x0002c5)
+            CertificateChain {
+            chainlength = 706 (0x02c2)
+               Certificate {
+            size = 703 (0x02bf)
+               data = { saved in file 'cert.001' }
+            }
+         }
+   0: 0c 00 00 ca                                      |....
+         type = 12 (server_key_exchange)
+         length = 202 (0x0000ca)
+   0: 0e 00 00 00                                      |....
+         type = 14 (server_hello_done)
+         length = 0 (0x000000)
+   }
+}
+]
+--> [
+SSLRecord {
+   0: 16 03 00 00  44                                   |....D
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 68 (0x44)
+   handshake {
+   0: 10 00 00 40                                      |...@
+   type = 16 (client_key_exchange)
+   length = 64 (0x000040)
+         ClientKeyExchange {
+            message = {...}
+         }
+   }
+}
+]
+--> [
+SSLRecord {
+   0: 14 03 00 00  01                                   |.....
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+   0: 01                                               |.
+}
+SSLRecord {
+   0: 16 03 00 00  38                                   |....8
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+               < encrypted >
+
+}
+]
+<-- [
+SSLRecord {
+   0: 14 03 00 00  01                                   |.....
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+   0: 01                                               |.
+}
+]
+<-- [
+SSLRecord {
+   0: 16 03 00 00  38                                   |....8
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+                  < encrypted >
+
+}
+]
+--> [
+SSLRecord {
+   0: 17 03 00 01  1f                                   |.....
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 287 (0x11f)
+               < encrypted >
+}
+]
+<-- [
+SSLRecord {
+   0: 17 03 00 00  a0                                   |....
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 160 (0xa0)
+               < encrypted >
+
+}
+]
+<-- [
+SSLRecord {
+0: 17 03 00 00  df                                   |....ß
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 223 (0xdf)
+               < encrypted >
+
+}
+SSLRecord {
+   0: 15 03 00 00  12                                   |.....
+   type    = 21 (alert)
+   version = { 3,0 }
+   length  = 18 (0x12)
+               < encrypted >
+}
+]
+Server socket closed.
+

Example 2

+The -s option turns on SSL parsing. Because the -x option is not used in this example, undecoded values are output as raw data. The output is routed to a text file. + 

$ ssltap -s  -p 444 interzone.mcom.com:443 > s.txt

Output 

+Connected to interzone.mcom.com:443
+--> [
+alloclen = 63 bytes
+   [ssl2]  ClientHelloV2 {
+            version = {0x03, 0x00}
+            cipher-specs-length = 36 (0x24)
+            sid-length = 0 (0x00)
+            challenge-length = 16 (0x10)
+            cipher-suites = {
+                  (0x010080) SSL2/RSA/RC4-128/MD5
+                  (0x020080) SSL2/RSA/RC4-40/MD5
+                  (0x030080) SSL2/RSA/RC2CBC128/MD5
+                  (0x060040) SSL2/RSA/DES64CBC/MD5
+                  (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+                  (0x000004) SSL3/RSA/RC4-128/MD5
+                  (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+                  (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+                  (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+                  (0x000009) SSL3/RSA/DES64CBC/SHA
+                  (0x000003) SSL3/RSA/RC4-40/MD5
+                  }
+               session-id = { }
+            challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c
+0x3fd0 }
+]
+>-- [
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 997 (0x3e5)
+   handshake {
+         type = 2 (server_hello)
+         length = 70 (0x000046)
+            ServerHello {
+            server_version = {3, 0}
+            random = {...}
+            session ID = {
+               length = 32
+               contents = {..}
+               }
+               cipher_suite = (0x0003) SSL3/RSA/RC4-40/MD5
+            }
+         type = 11 (certificate)
+         length = 709 (0x0002c5)
+            CertificateChain {
+               chainlength = 706 (0x02c2)
+               Certificate {
+                  size = 703 (0x02bf)
+                  data = { saved in file 'cert.001' }
+               }
+            }
+         type = 12 (server_key_exchange)
+         length = 202 (0x0000ca)
+         type = 14 (server_hello_done)
+         length = 0 (0x000000)
+   }
+}
+]
+--> [
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 68 (0x44)
+   handshake {
+         type = 16 (client_key_exchange)
+         length = 64 (0x000040)
+            ClientKeyExchange {
+               message = {...}
+            }
+   }
+}
+]
+--> [
+SSLRecord {
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+}
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+               > encrypted >
+}
+]
+>-- [
+SSLRecord {
+   type    = 20 (change_cipher_spec)
+   version = { 3,0 }
+   length  = 1 (0x1)
+}
+]
+>-- [
+SSLRecord {
+   type    = 22 (handshake)
+   version = { 3,0 }
+   length  = 56 (0x38)
+               > encrypted >
+}
+]
+--> [
+SSLRecord {
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 287 (0x11f)
+               > encrypted >
+}
+]
+[
+SSLRecord {
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 160 (0xa0)
+               > encrypted >
+}
+]
+>-- [
+SSLRecord {
+   type    = 23 (application_data)
+   version = { 3,0 }
+   length  = 223 (0xdf)
+               > encrypted >
+}
+SSLRecord {
+   type    = 21 (alert)
+   version = { 3,0 }
+   length  = 18 (0x12)
+               > encrypted >
+}
+]
+Server socket closed.
+

Example 3

+In this example, the -h option turns hex/ASCII format. There is no SSL parsing or decoding. The output is routed to a text file. + 

$ ssltap -h  -p 444 interzone.mcom.com:443 > h.txt

Output 

+Connected to interzone.mcom.com:443
+--> [
+   0: 80 40 01 03  00 00 27 00  00 00 10 01  00 80 02 00  | .@....'.........
+   10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04  | .........@......
+   20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 00  | ........á.......
+   30: 00 06 9b fe  5b 56 96 49  1f 9f ca dd  d5 ba b9 52  | ..þ[V.I.\xd9 ...º¹R
+   40: 6f 2d                                            |o-
+]
+<-- [
+   0: 16 03 00 03  e5 02 00 00  46 03 00 7f  e5 0d 1b 1d  | ........F.......
+   10: 68 7f 3a 79  60 d5 17 3c  1d 9c 96 b3  88 d2 69 3b  | h.:y`..<..³.Òi;
+   20: 78 e2 4b 8b  a6 52 12 4b  46 e8 c2 20  14 11 89 05  | x.K.¦R.KFè. ...
+   30: 4d 52 91 fd  93 e0 51 48  91 90 08 96  c1 b6 76 77  | MR.ý..QH.....¶vw
+   40: 2a f4 00 08  a1 06 61 a2  64 1f 2e 9b  00 03 00 0b  | *ô..¡.a¢d......
+   50: 00 02 c5 00  02 c2 00 02  bf 30 82 02  bb 30 82 02  | ..Å......0...0..
+   60: 24 a0 03 02  01 02 02 02  01 36 30 0d  06 09 2a 86  | $ .......60...*.
+   70: 48 86 f7 0d  01 01 04 05  00 30 77 31  0b 30 09 06  | H.÷......0w1.0..
+   80: 03 55 04 06  13 02 55 53  31 2c 30 2a  06 03 55 04  | .U....US1,0*..U.
+   90: 0a 13 23 4e  65 74 73 63  61 70 65 20  43 6f 6d 6d  | ..#Netscape Comm
+   a0: 75 6e 69 63  61 74 69 6f  6e 73 20 43  6f 72 70 6f  | unications Corpo
+   b0: 72 61 74 69  6f 6e 31 11  30 0f 06 03  55 04 0b 13  | ration1.0...U...
+   c0: 08 48 61 72  64 63 6f 72  65 31 27 30  25 06 03 55  | .Hardcore1'0%..U
+   d0: 04 03 13 1e  48 61 72 64  63 6f 72 65  20 43 65 72  | ....Hardcore Cer
+   e0: 74 69 66 69  63 61 74 65  20 53 65 72  76 65 72 20  | tificate Server
+   f0: 49 49 30 1e  17 0d 39 38  30 35 31 36  30 31 30 33  | II0...9805160103
+<additional data lines>
+]
+<additional records in same format>
+Server socket closed.
+

Example 4

+In this example, the -s option turns on SSL parsing, and the -h option turns on hex/ASCII format. +Both formats are shown for each record. The output is routed to a text file. + 

$ ssltap -hs -p 444 interzone.mcom.com:443 > hs.txt

Output 

+Connected to interzone.mcom.com:443
+--> [
+   0: 80 3d 01 03  00 00 24 00  00 00 10 01  00 80 02 00  | .=....$.........
+   10: 80 03 00 80  04 00 80 06  00 40 07 00  c0 00 00 04  | .........@......
+   20: 00 ff e0 00  00 0a 00 ff  e1 00 00 09  00 00 03 03  | ........á.......
+   30: 55 e6 e4 99  79 c7 d7 2c  86 78 96 5d  b5 cf e9     |U..yÇ\xb0 ,.x.]µÏé
+alloclen = 63 bytes
+   [ssl2]  ClientHelloV2 {
+            version = {0x03, 0x00}
+            cipher-specs-length = 36 (0x24)
+            sid-length = 0 (0x00)
+            challenge-length = 16 (0x10)
+            cipher-suites = {
+                  (0x010080) SSL2/RSA/RC4-128/MD5
+                  (0x020080) SSL2/RSA/RC4-40/MD5
+                  (0x030080) SSL2/RSA/RC2CBC128/MD5
+                  (0x040080) SSL2/RSA/RC2CBC40/MD5
+                  (0x060040) SSL2/RSA/DES64CBC/MD5
+                  (0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
+                  (0x000004) SSL3/RSA/RC4-128/MD5
+                  (0x00ffe0) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
+                  (0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
+                  (0x00ffe1) SSL3/RSA-FIPS/DES64CBC/SHA
+                  (0x000009) SSL3/RSA/DES64CBC/SHA
+                  (0x000003) SSL3/RSA/RC4-40/MD5
+                  }
+            session-id = { }
+            challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db
+
+0xcfe9 }
+}
+]
+<additional records in same formats>
+Server socket closed.
+

Usage Tips

+When SSL restarts a previous session, it makes use of cached information to do a partial handshake. +If you wish to capture a full SSL handshake, restart the browser to clear the session id cache. +

+If you run the tool on a machine other than the SSL server to which you are trying to connect, +the browser will complain that the host name you are trying to connect to is different from the certificate. +If you are using the default BadCert callback, you can still connect through a dialog. If you are not using +the default BadCert callback, the one you supply must allow for this possibility. +

See Also

The NSS Security Tools are also documented at http://www.mozilla.org/projects/security/pki/nss/.

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/html/vfychain.html b/security/nss/doc/html/vfychain.html new file mode 100644 index 0000000000..a360836f55 --- /dev/null +++ b/security/nss/doc/html/vfychain.html @@ -0,0 +1,26 @@ +VFYCHAIN
VFYCHAIN

Name

vfychain — vfychain [options] [revocation options] certfile [[options] certfile] ...

Synopsis

vfychain

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The verification Tool, vfychain, verifies certificate chains. modutil can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files.

The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases.

Options

-a
the following certfile is base64 encoded
-b YYMMDDHHMMZ
Validate date (default: now)
-d directory
database directory
-f
Enable cert fetching from AIA URL
-o oid
Set policy OID for cert validation(Format OID.1.2.3)
-p

Use PKIX Library to validate certificate by calling:

* CERT_VerifyCertificate if specified once,

* CERT_PKIXVerifyCert if specified twice and more.

-r
Following certfile is raw binary DER (default)
-t
Following cert is explicitly trusted (overrides db trust)
-u usage

+ 0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, + 4=Email signer, 5=Email recipient, 6=Object signer, + 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA +

-T
Trust both explicit trust anchors (-t) and the database. (Without this option, the default is to only trust certificates marked -t, if there are any, or to trust the database if there are certificates marked -t.) +
-v
Verbose mode. Prints root cert subject(double the + argument for whole root cert info) +
-w password
Database password
-W pwfile
Password file

Revocation options for PKIX API (invoked with -pp options) is a + collection of the following flags: + [-g type [-h flags] [-m type [-s flags]] ...] ...

Where:

-g test-type
Sets status checking test type. Possible values + are "leaf" or "chain" +
-g test type
Sets status checking test type. Possible values + are "leaf" or "chain". +
-h test flags
Sets revocation flags for the test type it + follows. Possible flags: "testLocalInfoFirst" and + "requireFreshInfo". +
-m method type
Sets method type for the test type it follows. + Possible types are "crl" and "ocsp". +
-s method flags
Sets revocation flags for the method it follows. + Possible types are "doNotUse", "forbidFetching", + "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo". +

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/html/vfyserv.html b/security/nss/doc/html/vfyserv.html new file mode 100644 index 0000000000..dec6dcb3ac --- /dev/null +++ b/security/nss/doc/html/vfyserv.html @@ -0,0 +1,5 @@ +VFYSERV
VFYSERV

Name

vfyserv — TBD

Synopsis

vfyserv

STATUS

This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 +

Description

The vfyserv tool verifies a certificate chain

Options

Additional Resources

For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases.

Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto

IRC: Freenode at #dogtag-pki

Authors

The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.

+ Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. +

LICENSE

Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. +

diff --git a/security/nss/doc/modutil.xml b/security/nss/doc/modutil.xml new file mode 100644 index 0000000000..583adcfc3f --- /dev/null +++ b/security/nss/doc/modutil.xml @@ -0,0 +1,762 @@ + + + +]> + + + + + &date; + NSS Security Tools + nss-tools + &version; + + + + MODUTIL + 1 + + + + modutil + Manage PKCS #11 module information within the security module database. + + + + + modutil + options + [arguments] + + + + + STATUS + This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 + + + + + Description + The Security Module Database Tool, modutil, is a command-line utility for managing PKCS #11 module information both within secmod.db files and within hardware tokens. modutil can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140-2 compliance, and assign default providers for cryptographic operations. This tool can also create certificate, key, and module security database files. + + The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases. + + + + Options + + Running modutil always requires one (and only one) option to specify the type of module operation. Each option may take arguments, anywhere from none to multiple arguments. + + Options + + + + + -add modulename + Add the named PKCS #11 module to the database. Use this option with the , , and arguments. + + + + -changepw tokenname + Change the password on the named token. If the token has not been initialized, this option initializes the password. Use this option with the and arguments. A password is equivalent to a personal identification number (PIN). + + + + -chkfips + Verify whether the module is in the given FIPS mode. true means to verify that the module is in FIPS mode, while false means to verify that the module is not in FIPS mode. + + + + -create + Create new certificate, key, and module databases. Use the directory argument to specify a directory. If any of these databases already exist in a specified directory, modutil returns an error message. + + + + -default modulename + Specify the security mechanisms for which the named module will be a default provider. The security mechanisms are specified with the argument. + + + + -delete modulename + Delete the named module. The default NSS PKCS #11 module cannot be deleted. + + + + -disable modulename + Disable all slots on the named module. Use the argument to disable a specific slot.The internal NSS PKCS #11 module cannot be disabled. + + + + -enable modulename + Enable all slots on the named module. Use the argument to enable a specific slot. + + + + -fips [true | false] + Enable (true) or disable (false) FIPS 140-2 compliance for the default NSS module. + + + + -force + Disable modutil's interactive prompts so it can be run from a script. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity. + + + + -jar JAR-file + Add a new PKCS #11 module to the database using the named JAR file. Use this command with the and arguments. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module's name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with modutil. + + + + -list [modulename] + Display basic information about the contents of the secmod.db file. Specifying a modulename displays detailed information about a particular module and its slots and tokens. + + + + -rawadd + Add the module spec string to the secmod.db database. + + + + -rawlist + Display the module specs for a specified module or for all loadable modules. + + + + -undefault modulename + Specify the security mechanisms for which the named module will not be a default provider. The security mechanisms are specified with the argument. + + + + Arguments + + + + MODULE + Give the security module to access. + + + + MODULESPEC + Give the security module spec to load into the security database. + + + + -ciphers cipher-enable-list + Enable specific ciphers in a module that is being added to the database. The cipher-enable-list is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces. + + + + -dbdir directory + Specify the database directory in which to access or create security module database files. + modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in SQLite format. + + + + --dbprefix prefix + Specify the prefix used on the database files, such as my_ for my_cert9.db. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. + + + + -installdir root-installation-directory + Specify the root installation directory relative to which files will be installed by the option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory. + + + + -libfile library-file + Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database. + + + + -mechanisms mechanism-list + Specify the security mechanisms for which a particular module will be flagged as a default provider. The mechanism-list is a colon-delimited list of mechanism names. Enclose this list in quotation marks if it contains spaces. + The module becomes a default provider for the listed mechanisms when those mechanisms are enabled. If more than one module claims to be a particular mechanism's default provider, that mechanism's default provider is undefined. + modutil supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable). + + + + -newpwfile new-password-file + Specify a text file containing a token's new or replacement password so that a password can be entered automatically with the option. + + + + -nocertdb + Do not open the certificate or key databases. This has several effects: + + + With the command, only a module security file is created; certificate and key databases are not created. + + + With the command, signatures on the JAR file are not checked. + + + With the command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database. + + + + + + -pwfile old-password-file + Specify a text file containing a token's existing password so that a password can be entered automatically when the option is used to change passwords. + + + + -secmod secmodname + Give the name of the security module database (like secmod.db) to load. + + + + -slot slotname + Specify a particular slot to be enabled or disabled with the or options. + + + + -string CONFIG_STRING + Pass a configuration string for the module being added to the database. + + + + -tempdir temporary-directory + Give a directory location where temporary files are created during the installation by the option. If no temporary directory is specified, the current directory is used. + + + + + + Usage and Examples + + Creating Database Files + Before any operations can be performed, there must be a set of security databases available. modutil can be used to create these files. The only required argument is the database that where the databases will be located. +modutil -create -dbdir directory + + Adding a Cryptographic Module + Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through modutil directly or by running a JAR file and install script. For the most basic case, simply upload the library: +modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] + For example: +modutil -dbdir /home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM + +Using database directory ... +Module "Example PKCS #11 Module" added to database. + + + + Installing a Cryptographic Module from a JAR File + PKCS #11 modules can also be loaded using a JAR file, which contains all of the required libraries and an installation script that describes how to install the module. The JAR install script is described in more detail in . + The JAR installation script defines the setup information for each platform that the module can be installed on. For example: +Platforms { + Linux:5.4.08:x86 { + ModuleName { "Example PKCS #11 Module" } + ModuleFile { crypto.so } + DefaultMechanismFlags{0x0000} + CipherEnableFlags{0x0000} + Files { + crypto.so { + Path{ /tmp/crypto.so } + } + setup.sh { + Executable + Path{ /tmp/setup.sh } + } + } + } + Linux:6.0.0:x86 { + EquivalentPlatform { Linux:5.4.08:x86 } + } +} + Both the install script and the required libraries must be bundled in a JAR file, which is specified with the argument. + +modutil -dbdir /home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir /home/my/sharednssdb + +This installation JAR file was signed by: +---------------------------------------------- + +**SUBJECT NAME** + +C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID +Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS +Incorp. by Ref.,LIAB.LTD(c)9 6", OU=www.verisign.com/CPS Incorp.by Ref +. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign Object Signing CA - Class 3 +Organization, OU="VeriSign, Inc.", O=VeriSign Trust Network **ISSUER +NAME**, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 +VeriSign, OU=VeriSign Object Signing CA - Class 3 Organization, +OU="VeriSign, Inc.", O=VeriSign Trust Network +---------------------------------------------- + +Do you wish to continue this installation? (y/n) y +Using installer script "installer_script" +Successfully parsed installation script +Current platform is Linux:5.4.08:x86 +Using installation parameters for platform Linux:5.4.08:x86 +Installed file crypto.so to /tmp/crypto.so +Installed file setup.sh to ./pk11inst.dir/setup.sh +Executing "./pk11inst.dir/setup.sh"... +"./pk11inst.dir/setup.sh" executed successfully +Installed module "Example PKCS #11 Module" into module database + +Installation completed successfully + + Adding Module Spec + Each module has information stored in the security database about its configuration and parameters. These can be added or edited using the command. For the current settings or to see the format of the module spec in the database, use the option. +modutil -rawadd modulespec + + + Deleting a Module + A specific PKCS #11 module can be deleted from the secmod.db database: +modutil -delete modulename -dbdir directory + + Displaying Module Information + The secmod.db database contains information about the PKCS #11 modules that are available to an application or server to use. The list of all modules, information about specific modules, and database configuration specs for modules can all be viewed. + To simply get a list of modules in the database, use the command. +modutil -list [modulename] -dbdir directory + Listing the modules shows the module name, their status, and other associated security databases for certificates and keys. For example: + +modutil -list -dbdir /home/my/sharednssdb + +Listing of PKCS #11 Modules +----------------------------------------------------------- + 1. NSS Internal PKCS #11 Module + slots: 2 slots attached + status: loaded + + slot: NSS Internal Cryptographic Services + token: NSS Generic Crypto Services + uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 + + slot: NSS User Private Key and Certificate Services + token: NSS Certificate DB + uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 +----------------------------------------------------------- + Passing a specific module name with the returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example: + modutil -list "NSS Internal PKCS #11 Module" -dbdir /home/my/sharednssdb + +----------------------------------------------------------- +Name: NSS Internal PKCS #11 Module +Library file: **Internal ONLY module** +Manufacturer: Mozilla Foundation +Description: NSS Internal Crypto Services +PKCS #11 Version 2.20 +Library Version: 3.11 +Cipher Enable Flags: None +Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES + + Slot: NSS Internal Cryptographic Services + Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES + Manufacturer: Mozilla Foundation + Type: Software + Version Number: 3.11 + Firmware Version: 0.0 + Status: Enabled + Token Name: NSS Generic Crypto Services + Token Manufacturer: Mozilla Foundation + Token Model: NSS 3 + Token Serial Number: 0000000000000000 + Token Version: 4.0 + Token Firmware Version: 0.0 + Access: Write Protected + Login Type: Public (no login required) + User Pin: NOT Initialized + + Slot: NSS User Private Key and Certificate Services + Slot Mechanism Flags: None + Manufacturer: Mozilla Foundation + Type: Software + Version Number: 3.11 + Firmware Version: 0.0 + Status: Enabled + Token Name: NSS Certificate DB + Token Manufacturer: Mozilla Foundation + Token Model: NSS 3 + Token Serial Number: 0000000000000000 + Token Version: 8.3 + Token Firmware Version: 0.0 + Access: NOT Write Protected + Login Type: Login required + User Pin: Initialized + A related command, returns information about the database configuration for the modules. (This information can be edited by loading new specs using the command.) + modutil -rawlist -dbdir /home/my/sharednssdb + name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical" + + Setting a Default Provider for Security Mechanisms + Multiple security modules may provide support for the same security mechanisms. It is possible to set a specific security module as the default provider for a specific security mechanism (or, conversely, to prohibit a provider from supplying those mechanisms). +modutil -default modulename -mechanisms mechanism-list + To set a module as the default provider for mechanisms, use the command with a colon-separated list of mechanisms. The available mechanisms depend on the module; NSS supplies almost all common mechanisms. For example: +modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2 + +Using database directory c:\databases... + +Successfully changed defaults. + + Clearing the default provider has the same format: +modutil -undefault "NSS Internal PKCS #11 Module" -dbdir -mechanisms MD2:MD5 + + Enabling and Disabling Modules and Slots + Modules, and specific slots on modules, can be selectively enabled or disabled using modutil. Both commands have the same format: +modutil -enable|-disable modulename [-slot slotname] + + For example: +modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services " -dbdir . + +Slot "NSS Internal Cryptographic Services " enabled. + Be sure that the appropriate amount of trailing whitespace is after the slot name. Some slot names have a significant amount of whitespace that must be included, or the operation will fail. + + Enabling and Verifying FIPS Compliance + The NSS modules can have FIPS 140-2 compliance enabled or disabled using modutil with the option. For example: +modutil -fips true -dbdir /home/my/sharednssdb/ + +FIPS mode enabled. + To verify that status of FIPS mode, run the command with either a true or false flag (it doesn't matter which). The tool returns the current FIPS setting. +modutil -chkfips false -dbdir /home/my/sharednssdb/ + +FIPS mode enabled. + + Changing the Password on a Token + + Initializing or changing a token's password: +modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file] +modutil -dbdir /home/my/sharednssdb -changepw "NSS Certificate DB" + +Enter old password: +Incorrect password, try again... +Enter old password: +Enter new password: +Re-enter new password: +Token "Communicator Certificate DB" password changed successfully. + + + JAR Installation File Format + When a JAR file is run by a server, by modutil, or by any program that does not interpret JavaScript, a special information file must be included to install the libraries. There are several things to keep in mind with this file: + + + + It must be declared in the JAR archive's manifest file. + + + + + The script can have any name. + + + + + The metainfo tag for this is Pkcs11_install_script. To declare meta-information in the manifest file, put it in a file that is passed to signtool. + + + + Sample Script + For example, the PKCS #11 installer script could be in the file pk11install. If so, the metainfo file for signtool includes a line such as this: ++ Pkcs11_install_script: pk11install + + The script must define the platform and version number, the module name and file, and any optional information like supported ciphers and mechanisms. Multiple platforms can be defined in a single install file. +ForwardCompatible { IRIX:6.2:mips SUNOS:5.5.1:sparc } +Platforms { + WINNT::x86 { + ModuleName { "Example Module" } + ModuleFile { win32/fort32.dll } + DefaultMechanismFlags{0x0001} + DefaultCipherFlags{0x0001} + Files { + win32/setup.exe { + Executable + RelativePath { %temp%/setup.exe } + } + win32/setup.hlp { + RelativePath { %temp%/setup.hlp } + } + win32/setup.cab { + RelativePath { %temp%/setup.cab } + } + } + } + WIN95::x86 { + EquivalentPlatform {WINNT::x86} + } + SUNOS:5.5.1:sparc { + ModuleName { "Example UNIX Module" } + ModuleFile { unix/fort.so } + DefaultMechanismFlags{0x0001} + CipherEnableFlags{0x0001} + Files { + unix/fort.so { + RelativePath{%root%/lib/fort.so} + AbsolutePath{/usr/local/netscape/lib/fort.so} + FilePermissions{555} + } + xplat/instr.html { + RelativePath{%root%/docs/inst.html} + AbsolutePath{/usr/local/netscape/docs/inst.html} + FilePermissions{555} + } + } + } + IRIX:6.2:mips { + EquivalentPlatform { SUNOS:5.5.1:sparc } + } +} + + Script Grammar + The script is basic Java, allowing lists, key-value pairs, strings, and combinations of all of them. +--> valuelist + +valuelist --> value valuelist + <null> + +value ---> key_value_pair + string + +key_value_pair --> key { valuelist } + +key --> string + +string --> simple_string + "complex_string" + +simple_string --> [^ \t\n\""{""}"]+ + +complex_string --> ([^\"\\\r\n]|(\\\")|(\\\\))+ + + Quotes and backslashes must be escaped with a backslash. A complex string must not include newlines or carriage returns.Outside of complex strings, all white space (for example, spaces, tabs, and carriage returns) is considered equal and is used only to delimit tokens. + + Keys + The Java install file uses keys to define the platform and module information. + ForwardCompatible gives a list of platforms that are forward compatible. If the current platform cannot be found in the list of supported platforms, then the ForwardCompatible list is checked for any platforms that have the same OS and architecture in an earlier version. If one is found, its attributes are used for the current platform. + Platforms (required) Gives a list of platforms. Each entry in the list is itself a key-value pair: the key is the name of the platform and the value list contains various attributes of the platform. The platform string is in the format system name:OS release:architecture. The installer obtains these values from NSPR. OS release is an empty string on non-Unix operating systems. NSPR supports these platforms: + + + AIX (rs6000) + + + BSDI (x86) + + + FREEBSD (x86) + + + HPUX (hppa1.1) + + + IRIX (mips) + + + LINUX (ppc, alpha, x86) + + + MacOS (PowerPC) + + + NCR (x86) + + + NEC (mips) + + + OS2 (x86) + + + OSF (alpha) + + + ReliantUNIX (mips) + + + SCO (x86) + + + SOLARIS (sparc) + + + SONY (mips) + + + SUNOS (sparc) + + + UnixWare (x86) + + + WIN16 (x86) + + + WIN95 (x86) + + + WINNT (x86) + + + + For example: +IRIX:6.2:mips +SUNOS:5.5.1:sparc +Linux:2.0.32:x86 +WIN95::x86 + The module information is defined independently for each platform in the ModuleName, ModuleFile, and Files attributes. These attributes must be given unless an EquivalentPlatform attribute is specified. + + Per-Platform Keys + Per-platform keys have meaning only within the value list of an entry in the Platforms list. + ModuleName (required) gives the common name for the module. This name is used to reference the module by servers and by the modutil tool. + ModuleFile (required) names the PKCS #11 module file for this platform. The name is given as the relative path of the file within the JAR archive. + Files (required) lists the files that need to be installed for this module. Each entry in the file list is a key-value pair. The key is the path of the file in the JAR archive, and the value list contains attributes of the file. At least RelativePath or AbsolutePath must be specified for each file. + DefaultMechanismFlags specifies mechanisms for which this module is the default provider; this is equivalent to the option with the command. This key-value pair is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR. If the DefaultMechanismFlags entry is omitted, the value defaults to 0x0. + +RSA: 0x00000001 +DSA: 0x00000002 +RC2: 0x00000004 +RC4: 0x00000008 +DES: 0x00000010 +DH: 0x00000020 +FORTEZZA: 0x00000040 +RC5: 0x00000080 +SHA1: 0x00000100 +MD5: 0x00000200 +MD2: 0x00000400 +RANDOM: 0x08000000 +FRIENDLY: 0x10000000 +OWN_PW_DEFAULTS: 0x20000000 +DISABLE: 0x40000000 + + CipherEnableFlags specifies ciphers that this module provides that NSS does not provide (so that the module enables those ciphers for NSS). This is equivalent to the argument with the command. This key is a bitstring specified in hexadecimal (0x) format. It is constructed as a bitwise OR. If the CipherEnableFlags entry is omitted, the value defaults to 0x0. + + EquivalentPlatform specifies that the attributes of the named platform should also be used for the current platform. This makes it easier when more than one platform uses the same settings. + + Per-File Keys + Some keys have meaning only within the value list of an entry in a Files list. + Each file requires a path key the identifies where the file is. Either RelativePath or AbsolutePath must be specified. If both are specified, the relative path is tried first, and the absolute path is used only if no relative root directory is provided by the installer program. + RelativePath specifies the destination directory of the file, relative to some directory decided at install time. Two variables can be used in the relative path: %root% and %temp%. %root% is replaced at run time with the directory relative to which files should be installed; for example, it may be the server's root directory. The %temp% directory is created at the beginning of the installation and destroyed at the end. The purpose of %temp% is to hold executable files (such as setup programs) or files that are used by these programs. Files destined for the temporary directory are guaranteed to be in place before any executable file is run; they are not deleted until all executable files have finished. + AbsolutePath specifies the destination directory of the file as an absolute path. + Executable specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file. + FilePermissions sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR. + + +user read: 0400 +user write: 0200 +user execute: 0100 +group read: 0040 +group write: 0020 +group execute: 0010 +other read: 0004 +other write: 0002 +other execute: 0001 + + +Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed. + + +NSS Database Types +NSS originally used BerkeleyDB databases to store security information. +The last versions of these legacy databases are: + + + + cert8.db for certificates + + + + + key3.db for keys + + + + + secmod.db for PKCS #11 module information + + + + +BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has +some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS +requires more flexibility to provide a truly shared security database. + +In 2009, NSS introduced a new set of databases that are SQLite databases rather than +BerkleyDB. These new databases provide more accessibility and performance: + + + + cert9.db for certificates + + + + + key4.db for keys + + + + + pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory + + + + +Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility. + +By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type. +Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example: + +modutil -create -dbdir dbm:/home/my/sharednssdb + +To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: +export NSS_DEFAULT_DB_TYPE="dbm" + +This line can be added to the ~/.bashrc file to make the change permanent for the user. + + + + + https://wiki.mozilla.org/NSS_Shared_DB_Howto + + +For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: + + + + https://wiki.mozilla.org/NSS_Shared_DB + + + + + + + See Also + certutil (1) + pk12util (1) + signtool (1) + + The NSS wiki has information on the new database design and how to configure applications to use it. + + + + https://wiki.mozilla.org/NSS_Shared_DB_Howto + + + + https://wiki.mozilla.org/NSS_Shared_DB + + + + + + + + Additional Resources + For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases. + Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto + IRC: Freenode at #dogtag-pki + + + + + Authors + The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + diff --git a/security/nss/doc/nroff/certutil.1 b/security/nss/doc/nroff/certutil.1 new file mode 100644 index 0000000000..9ff62f2f9e --- /dev/null +++ b/security/nss/doc/nroff/certutil.1 @@ -0,0 +1,2165 @@ +'\" t +.\" Title: CERTUTIL +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 19 May 2021 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "CERTUTIL" "1" "19 May 2021" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +certutil \- Manage keys and certificate in both NSS databases and other NSS tokens +.SH "SYNOPSIS" +.HP \w'\fBcertutil\fR\ 'u +\fBcertutil\fR [\fIoptions\fR] [[\fIarguments\fR]] +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +The Certificate Database Tool, +\fBcertutil\fR, is a command\-line utility that can create and modify certificate and key databases\&. It can specifically list, generate, modify, or delete certificates, create or change the password, generate new public and private key pairs, display the contents of the key database, or delete key pairs within the key database\&. +.PP +Certificate issuance, part of the key and certificate management process, requires that keys and certificates be created in the key database\&. This document discusses certificate and key database management\&. For information on the security module database management, see the +\fBmodutil\fR +manpage\&. +.SH "COMMAND OPTIONS AND ARGUMENTS" +.PP +Running +\fBcertutil\fR +always requires one and only one command option to specify the type of certificate operation\&. Each command option may take zero or more arguments\&. The command option +\fB\-H\fR +will list all the command options and their relevant arguments\&. +.PP +\fBCommand Options\fR +.PP +\-A +.RS 4 +Add an existing certificate to a certificate database\&. The certificate database should already exist; if one is not present, this command option will initialize one by default\&. +.RE +.PP +\-B +.RS 4 +Run a series of commands from the specified batch file\&. This requires the +\fB\-i\fR +argument\&. +.RE +.PP +\-C +.RS 4 +Create a new binary certificate file from a binary certificate request file\&. Use the +\fB\-i\fR +argument to specify the certificate request file\&. If this argument is not used, +\fBcertutil\fR +prompts for a filename\&. +.RE +.PP +\-D +.RS 4 +Delete a certificate from the certificate database\&. +.RE +.PP +\-\-rename +.RS 4 +Change the database nickname of a certificate\&. +.RE +.PP +\-E +.RS 4 +Add an email certificate to the certificate database\&. +.RE +.PP +\-F +.RS 4 +Delete a private key and the associated certificate from a database\&. Specify the key to delete with the \-n argument or the \-k argument\&. Specify the database from which to delete the key with the +\fB\-d\fR +argument\&. +.sp +Some smart cards do not let you remove a public key you have generated\&. In such a case, only the private key is deleted from the key pair\&. +.RE +.PP +\-G +.RS 4 +Generate a new public and private key pair within a key database\&. The key database should already exist; if one is not present, this command option will initialize one by default\&. Some smart cards can store only one key pair\&. If you create a new key pair for such a card, the previous pair is overwritten\&. +.RE +.PP +\-H +.RS 4 +Display a list of the command options and arguments\&. +.RE +.PP +\-K +.RS 4 +List the key ID of keys in the key database\&. A key ID is the modulus of the RSA key or the publicValue of the DSA key\&. IDs are displayed in hexadecimal ("0x" is not shown)\&. +.RE +.PP +\-L +.RS 4 +List all the certificates, or display information about a named certificate, in a certificate database\&. Use the \-h tokenname argument to specify the certificate database on a particular hardware or software token\&. +.RE +.PP +\-M +.RS 4 +Modify a certificate\*(Aqs trust attributes using the values of the \-t argument\&. +.RE +.PP +\-N +.RS 4 +Create new certificate and key databases\&. +.RE +.PP +\-O +.RS 4 +Print the certificate chain\&. +.RE +.PP +\-R +.RS 4 +Create a certificate request file that can be submitted to a Certificate Authority (CA) for processing into a finished certificate\&. Output defaults to standard out unless you use \-o output\-file argument\&. Use the \-a argument to specify ASCII output\&. +.RE +.PP +\-S +.RS 4 +Create an individual certificate and add it to a certificate database\&. +.RE +.PP +\-T +.RS 4 +Reset the key database or token\&. +.RE +.PP +\-U +.RS 4 +List all available modules or print a single named module\&. +.RE +.PP +\-V +.RS 4 +Check the validity of a certificate and its attributes\&. +.RE +.PP +\-W +.RS 4 +Change the password to a key database\&. +.RE +.PP +\-\-merge +.RS 4 +Merge two databases into one\&. +.RE +.PP +\-\-upgrade\-merge +.RS 4 +Upgrade an old database and merge it into a new database\&. This is used to migrate legacy NSS databases (cert8\&.db +and +key3\&.db) into the newer SQLite databases (cert9\&.db +and +key4\&.db)\&. +.RE +.PP +\fBArguments\fR +.PP +Arguments modify a command option and are usually lower case, numbers, or symbols\&. +.PP +\-a +.RS 4 +Use ASCII format or allow the use of ASCII format for input or output\&. This formatting follows RFC 1113\&. For certificate requests, ASCII output defaults to standard output unless redirected\&. +.RE +.PP +\-\-simple\-self\-signed +.RS 4 +When printing the certificate chain, don\*(Aqt search for a chain if issuer name equals to subject name\&. +.RE +.PP +\-b validity\-time +.RS 4 +Specify a time at which a certificate is required to be valid\&. Use when checking certificate validity with the +\fB\-V\fR +option\&. The format of the +\fIvalidity\-time\fR +argument is +\fIYYMMDDHHMMSS[+HHMM|\-HHMM|Z]\fR, which allows offsets to be set relative to the validity end time\&. Specifying seconds (\fISS\fR) is optional\&. When specifying an explicit time, use a Z at the end of the term, +\fIYYMMDDHHMMSSZ\fR, to close it\&. When specifying an offset time, use +\fIYYMMDDHHMMSS+HHMM\fR +or +\fIYYMMDDHHMMSS\-HHMM\fR +for adding or subtracting time, respectively\&. +.sp +If this option is not used, the validity check defaults to the current system time\&. +.RE +.PP +\-c issuer +.RS 4 +Identify the certificate of the CA from which a new certificate will derive its authenticity\&. Use the exact nickname or alias of the CA certificate, or use the CA\*(Aqs email address\&. Bracket the issuer string with quotation marks if it contains spaces\&. +.RE +.PP +\-d [prefix]directory +.RS 4 +Specify the database directory containing the certificate and key database files\&. +.sp +\fBcertutil\fR +supports two types of databases: the legacy security databases (cert8\&.db, +key3\&.db, and +secmod\&.db) and new SQLite databases (cert9\&.db, +key4\&.db, and +pkcs11\&.txt)\&. +.sp +NSS recognizes the following prefixes: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBsql:\fR +requests the newer database +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBdbm:\fR +requests the legacy database +.RE +.sp +If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE\&. If NSS_DEFAULT_DB_TYPE is not set then +\fBsql:\fR +is the default\&. +.RE +.PP +\-\-dump\-ext\-val OID +.RS 4 +For single cert, print binary DER encoding of extension OID\&. +.RE +.PP +\-e +.RS 4 +Check a certificate\*(Aqs signature during the process of validating a certificate\&. +.RE +.PP +\-\-email email\-address +.RS 4 +Specify the email address of a certificate to list\&. Used with the \-L command option\&. +.RE +.PP +\-\-extGeneric OID:critical\-flag:filename[,OID:critical\-flag:filename]\&.\&.\&. +.RS 4 +Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +OID (example): 1\&.2\&.3\&.4 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +critical\-flag: critical or not\-critical +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +filename: full path to a file containing an encoded extension +.RE +.RE +.PP +\-f password\-file +.RS 4 +Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&. +.RE +.PP +\-g keysize +.RS 4 +Set a key size to use when generating new public and private key pairs\&. The minimum is 512 bits and the maximum is 16384 bits\&. The default is 2048 bits\&. Any size between the minimum and maximum is allowed\&. +.RE +.PP +\-h tokenname +.RS 4 +Specify the name of a token to use or act on\&. If not specified the default token is the internal database slot\&. +.sp +The name can also be a PKCS #11 URI\&. For example, the NSS internal certificate store can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB"\&. For details about the format, see RFC 7512\&. +.RE +.PP +\-i input_file +.RS 4 +Pass an input file to the command\&. Depending on the command option, an input file can be a specific certificate, a certificate request file, or a batch file of commands\&. +.RE +.PP +\-k key\-type\-or\-id +.RS 4 +Specify the type or specific ID of a key\&. +.sp +The valid key type options are rsa, dsa, ec, or all\&. The default value is rsa\&. Specifying the type of key can avoid mistakes caused by duplicate nicknames\&. Giving a key type generates a new key pair; giving the ID of an existing key reuses that key pair (which is required to renew certificates)\&. +.RE +.PP +\-l +.RS 4 +Display detailed information when validating a certificate with the \-V option\&. +.RE +.PP +\-m serial\-number +.RS 4 +Assign a unique serial number to a certificate being created\&. This operation should be performed by a CA\&. If no serial number is provided a default serial number is made from the current time\&. Serial numbers are limited to integers +.RE +.PP +\-n nickname +.RS 4 +Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate\&. Bracket the nickname string with quotation marks if it contains spaces\&. +.sp +The nickname can also be a PKCS #11 URI\&. For example, if you have a certificate named "my\-server\-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details about the format, see RFC 7512\&. +.RE +.PP +\-o output\-file +.RS 4 +Specify the output file name for new certificates or binary certificate requests\&. Bracket the output\-file string with quotation marks if it contains spaces\&. If this argument is not used the output destination defaults to standard output\&. +.RE +.PP +\-P dbPrefix +.RS 4 +Specify the prefix used on the certificate and key database file\&. This argument is provided to support legacy servers\&. Most applications do not use a database prefix\&. +.RE +.PP +\-p phone +.RS 4 +Specify a contact telephone number to include in new certificates or certificate requests\&. Bracket this string with quotation marks if it contains spaces\&. +.RE +.PP +\-q pqgfile or curve\-name +.RS 4 +Read an alternate PQG value from the specified file when generating DSA key pairs\&. If this argument is not used, +\fBcertutil\fR +generates its own PQG value\&. PQG files are created with a separate DSA utility\&. +.sp +Elliptic curve name is one of the ones from nistp256, nistp384, nistp521, curve25519\&. +.sp +If a token is available that supports more curves, the foolowing curves are supported as well: sect163k1, nistk163, sect163r1, sect163r2, nistb163, sect193r1, sect193r2, sect233k1, nistk233, sect233r1, nistb233, sect239k1, sect283k1, nistk283, sect283r1, nistb283, sect409k1, nistk409, sect409r1, nistb409, sect571k1, nistk571, sect571r1, nistb571, secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, nistp192, secp224k1, secp224r1, nistp224, secp256k1, secp256r1, secp384r1, secp521r1, prime192v1, prime192v2, prime192v3, prime239v1, prime239v2, prime239v3, c2pnb163v1, c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, c2tnb191v2, c2tnb191v3, c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, c2pnb272w1, c2pnb304w1, c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, secp112r2, secp128r1, secp128r2, sect113r1, sect113r2, sect131r1, sect131r2 +.RE +.PP +\-r +.RS 4 +Display a certificate\*(Aqs binary DER encoding when listing information about that certificate with the \-L option\&. +.RE +.PP +\-s subject +.RS 4 +Identify a particular certificate owner for new certificates or certificate requests\&. Bracket this string with quotation marks if it contains spaces\&. The subject identification format follows RFC #1485\&. +.RE +.PP +\-t trustargs +.RS 4 +Specify the trust attributes to modify in an existing certificate or to apply to a certificate when creating it or adding it to a database\&. There are three available trust categories for each certificate, expressed in the order +\fISSL, email, object signing\fR +for each trust setting\&. In each category position, use none, any, or all of the attribute codes: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBp\fR +\- Valid peer +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBP\fR +\- Trusted peer (implies p) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBc\fR +\- Valid CA +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBC\fR +\- Trusted CA (implies c) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBT\fR +\- trusted CA for client authentication (ssl server only) +.RE +.sp +The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks\&. For example: +.sp +\fB\-t "TC,C,T"\fR +.sp +Use the \-L option to see a list of the current certificates and trust attributes in a certificate database\&. +.sp +Note that the output of the \-L option may include "u" flag, which means that there is a private key associated with the certificate\&. It is a dynamic flag and you cannot set it with certutil\&. +.RE +.PP +\-u certusage +.RS 4 +Specify a usage context to apply when validating a certificate with the \-V option\&. +.sp +The contexts are the following: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBC\fR +(as an SSL client) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBV\fR +(as an SSL server) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBL\fR +(as an SSL CA) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBA\fR +(as Any CA) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBY\fR +(Verify CA) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBS\fR +(as an email signer) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBR\fR +(as an email recipient) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBO\fR +(as an OCSP status responder) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBJ\fR +(as an object signer) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fBI\fR +(as an IPSEC user) +.RE +.RE +.PP +\-v valid\-months +.RS 4 +Set the number of months a new certificate will be valid\&. The validity period begins at the current system time unless an offset is added or subtracted with the +\fB\-w\fR +option\&. If this argument is not used, the default validity period is three months\&. +.RE +.PP +\-w offset\-months +.RS 4 +Set an offset from the current system time, in months, for the beginning of a certificate\*(Aqs validity period\&. Use when creating the certificate or adding it to a database\&. Express the offset in integers, using a minus sign (\-) to indicate a negative offset\&. If this argument is not used, the validity period begins at the current system time\&. The length of the validity period is set with the \-v argument\&. +.RE +.PP +\-X +.RS 4 +Force the key and certificate database to open in read\-write mode\&. This is used with the +\fB\-U\fR +and +\fB\-L\fR +command options\&. +.RE +.PP +\-x +.RS 4 +Use +\fBcertutil\fR +to generate the signature for a certificate being created or added to a database, rather than obtaining a signature from a separate CA\&. +.RE +.PP +\-y exp +.RS 4 +Set an alternate exponent value to use in generating a new RSA public key for the database, instead of the default value of 65537\&. The available alternate values are 3 and 17\&. +.RE +.PP +\-\-pss +.RS 4 +Restrict the generated certificate (with the +\fB\-S\fR +option) or certificate request (with the +\fB\-R\fR +option) to be used with the RSA\-PSS signature scheme\&. This only works when the private key of the certificate or certificate request is RSA\&. +.RE +.PP +\-\-pss\-sign +.RS 4 +Sign the generated certificate with the RSA\-PSS signature scheme (with the +\fB\-C\fR +or +\fB\-S\fR +option)\&. This only works when the private key of the signer\*(Aqs certificate is RSA\&. If the signer\*(Aqs certificate is restricted to RSA\-PSS, it is not necessary to specify this option\&. +.RE +.PP +\-z noise\-file +.RS 4 +Read a seed value from the specified file to generate a new private and public key pair\&. This argument makes it possible to use hardware\-generated seed values or manually create a value from the keyboard\&. The minimum file size is 20 bytes\&. +.RE +.PP +\-Z hashAlg +.RS 4 +Specify the hash algorithm to use with the \-C, \-S or \-R command options\&. Possible keywords: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +MD2 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +MD4 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +MD5 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SHA1 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SHA224 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SHA256 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SHA384 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SHA512 +.RE +.RE +.PP +\-0 SSO_password +.RS 4 +Set a site security officer password on a token\&. +.RE +.PP +\-1 | \-\-keyUsage keyword,keyword +.RS 4 +Set an X\&.509 V3 Certificate Type Extension in the certificate\&. There are several available keywords: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +digitalSignature +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +nonRepudiation +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +keyEncipherment +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +dataEncipherment +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +keyAgreement +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +certSigning +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +crlSigning +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +critical +.RE +.RE +.PP +\-2 +.RS 4 +Add a basic constraint extension to a certificate that is being created or added to a database\&. This extension supports the certificate chain verification process\&. +\fBcertutil\fR +prompts for the certificate constraint extension to select\&. +.sp +X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-3 +.RS 4 +Add an authority key ID extension to a certificate that is being created or added to a database\&. This extension supports the identification of a particular certificate, from among multiple certificates associated with one subject name, as the correct issuer of a certificate\&. The Certificate Database Tool will prompt you to select the authority key ID extension\&. +.sp +X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-4 +.RS 4 +Add a CRL distribution point extension to a certificate that is being created or added to a database\&. This extension identifies the URL of a certificate\*(Aqs associated certificate revocation list (CRL)\&. +\fBcertutil\fR +prompts for the URL\&. +.sp +X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-5 | \-\-nsCertType keyword,keyword +.RS 4 +Add an X\&.509 V3 certificate type extension to a certificate that is being created or added to the database\&. There are several available keywords: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +sslClient +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +sslServer +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +smime +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +objectSigning +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +sslCA +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +smimeCA +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +objectSigningCA +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +critical +.RE +.sp +X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-6 | \-\-extKeyUsage keyword,keyword +.RS 4 +Add an extended key usage extension to a certificate that is being created or added to the database\&. Several keywords are available: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +serverAuth +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +clientAuth +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +codeSigning +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +emailProtection +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +timeStamp +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +ocspResponder +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +stepUp +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +msTrustListSign +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +critical +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +x509Any +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +ipsecIKE +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +ipsecIKEEnd +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +ipsecIKEIntermediate +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +ipsecEnd +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +ipsecTunnel +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +ipsecUser +.RE +.sp +X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-7 emailAddrs +.RS 4 +Add a comma\-separated list of email addresses to the subject alternative name extension of a certificate or certificate request that is being created or added to the database\&. Subject alternative name extensions are described in Section 4\&.2\&.1\&.7 of RFC 3280\&. +.RE +.PP +\-8 dns\-names +.RS 4 +Add a comma\-separated list of DNS names to the subject alternative name extension of a certificate or certificate request that is being created or added to the database\&. Subject alternative name extensions are described in Section 4\&.2\&.1\&.7 of RFC 3280\&. +.RE +.PP +\-\-extAIA +.RS 4 +Add the Authority Information Access extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-\-extSIA +.RS 4 +Add the Subject Information Access extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-\-extCP +.RS 4 +Add the Certificate Policies extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-\-extPM +.RS 4 +Add the Policy Mappings extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-\-extPC +.RS 4 +Add the Policy Constraints extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-\-extIA +.RS 4 +Add the Inhibit Any Policy Access extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-\-extSKID +.RS 4 +Add the Subject Key ID extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-\-extNC +.RS 4 +Add a Name Constraint extension to the certificate\&. X\&.509 certificate extensions are described in RFC 5280\&. +.RE +.PP +\-\-extSAN type:name[,type:name]\&.\&.\&. +.RS 4 +Create a Subject Alt Name extension with one or multiple names\&. +.sp +\-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr +.RE +.PP +\-\-empty\-password +.RS 4 +Use empty password when creating new certificate database with \-N\&. +.RE +.PP +\-\-keyAttrFlags attrflags +.RS 4 +PKCS #11 key Attributes\&. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} +.RE +.PP +\-\-keyOpFlagsOn opflags, \-\-keyOpFlagsOff opflags +.RS 4 +PKCS #11 key Operation Flags\&. Comma separated list of one or more of the following: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} +.RE +.PP +\-\-new\-n nickname +.RS 4 +A new nickname, used when renaming a certificate\&. +.RE +.PP +\-\-source\-dir certdir +.RS 4 +Identify the certificate database directory to upgrade\&. +.RE +.PP +\-\-source\-prefix certdir +.RS 4 +Give the prefix of the certificate and key databases to upgrade\&. +.RE +.PP +\-\-upgrade\-id uniqueID +.RS 4 +Give the unique ID of the database to upgrade\&. +.RE +.PP +\-\-upgrade\-token\-name name +.RS 4 +Set the name of the token to use while it is being upgraded\&. +.RE +.PP +\-@ pwfile +.RS 4 +Give the name of a password file to use for the database being upgraded\&. +.RE +.SH "USAGE AND EXAMPLES" +.PP +Most of the command options in the examples listed here have more arguments available\&. The arguments included in these examples are the most common ones or are used to illustrate a specific scenario\&. Use the +\fB\-H\fR +option to show the complete list of arguments for each command option\&. +.PP +\fBCreating New Security Databases\fR +.PP +Certificates, keys, and security modules related to managing certificates are stored in three related databases: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +cert8\&.db or cert9\&.db +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +key3\&.db or key4\&.db +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +secmod\&.db or pkcs11\&.txt +.RE +.PP +These databases must be created before certificates or keys can be generated\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +certutil \-N \-d directory +.fi +.if n \{\ +.RE +.\} +.PP +\fBCreating a Certificate Request\fR +.PP +A certificate request contains most or all of the information that is used to generate the final certificate\&. This request is submitted separately to a certificate authority and is then approved by some mechanism (automatically or by human review)\&. Once the request is approved, then the certificate is generated\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-R \-k key\-type\-or\-id [\-q pqgfile|curve\-name] \-g key\-size \-s subject [\-h tokenname] \-d directory [\-p phone] [\-o output\-file] [\-a] +.fi +.if n \{\ +.RE +.\} +.PP +The +\fB\-R\fR +command options requires four arguments: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fB\-k\fR +to specify either the key type to generate or, when renewing a certificate, the existing key pair to use +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fB\-g\fR +to set the keysize of the key to generate +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fB\-s\fR +to set the subject name of the certificate +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +\fB\-d\fR +to give the security database directory +.RE +.PP +The new certificate request can be output in ASCII format (\fB\-a\fR) or can be written to a specified file (\fB\-o\fR)\&. +.PP +For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-R \-k rsa \-g 1024 \-s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" \-d $HOME/nssdb \-p 650\-555\-0123 \-a \-o cert\&.cer + +Generating key\&. This may take a few moments\&.\&.\&. + +.fi +.if n \{\ +.RE +.\} +.PP +\fBCreating a Certificate\fR +.PP +A valid certificate must be issued by a trusted CA\&. This can be done by specifying a CA certificate (\fB\-c\fR) that is stored in the certificate database\&. If a CA key pair is not available, you can create a self\-signed certificate using the +\fB\-x\fR +argument with the +\fB\-S\fR +command option\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-S \-k rsa|dsa|ec \-n certname \-s subject [\-c issuer |\-x] \-t trustargs \-d directory [\-m serial\-number] [\-v valid\-months] [\-w offset\-months] [\-p phone] [\-1] [\-2] [\-3] [\-4] [\-5 keyword] [\-6 keyword] [\-7 emailAddress] [\-8 dns\-names] [\-\-extAIA] [\-\-extSIA] [\-\-extCP] [\-\-extPM] [\-\-extPC] [\-\-extIA] [\-\-extSKID] +.fi +.if n \{\ +.RE +.\} +.PP +The series of numbers and +\fB\-\-ext*\fR +options set certificate extensions that can be added to the certificate when it is generated by the CA\&. Interactive prompts will result\&. +.PP +For example, this creates a self\-signed certificate: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-S \-s "CN=Example CA" \-n my\-ca\-cert \-x \-t "C,C,C" \-1 \-2 \-5 \-m 3650 +.fi +.if n \{\ +.RE +.\} +.PP +The interative prompts for key usage and whether any extensions are critical and responses have been ommitted for brevity\&. +.PP +From there, new certificates can reference the self\-signed certificate: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-S \-s "CN=My Server Cert" \-n my\-server\-cert \-c "my\-ca\-cert" \-t ",," \-1 \-5 \-6 \-8 \-m 730 +.fi +.if n \{\ +.RE +.\} +.PP +\fBGenerating a Certificate from a Certificate Request\fR +.PP +When a certificate request is created, a certificate can be generated by using the request and then referencing a certificate authority signing certificate (the +\fIissuer\fR +specified in the +\fB\-c\fR +argument)\&. The issuing certificate must be in the certificate database in the specified directory\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +certutil \-C \-c issuer \-i cert\-request\-file \-o output\-file [\-m serial\-number] [\-v valid\-months] [\-w offset\-months] \-d directory [\-1] [\-2] [\-3] [\-4] [\-5 keyword] [\-6 keyword] [\-7 emailAddress] [\-8 dns\-names] +.fi +.if n \{\ +.RE +.\} +.PP +For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-C \-c "my\-ca\-cert" \-i /home/certs/cert\&.req \-o cert\&.cer \-m 010 \-v 12 \-w 1 \-d $HOME/nssdb \-1 nonRepudiation,dataEncipherment \-5 sslClient \-6 clientAuth \-7 jsmith@example\&.com +.fi +.if n \{\ +.RE +.\} +.PP +\fBListing Certificates\fR +.PP +The +\fB\-L\fR +command option lists all of the certificates listed in the certificate database\&. The path to the directory (\fB\-d\fR) is required\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-L \-d /home/my/sharednssdb + +Certificate Nickname Trust Attributes + SSL,S/MIME,JAR/XPI + +CA Administrator of Instance pki\-ca1\*(Aqs Example Domain ID u,u,u +TPS Administrator\*(Aqs Example Domain ID u,u,u +Google Internet Authority ,, +Certificate Authority \- Example Domain CT,C,C +.fi +.if n \{\ +.RE +.\} +.PP +Using additional arguments with +\fB\-L\fR +can return and print the information for a single, specific certificate\&. For example, the +\fB\-n\fR +argument passes the certificate name, while the +\fB\-a\fR +argument prints the certificate in ASCII format: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-L \-d $HOME/nssdb \-a \-n my\-ca\-cert +\-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\- +MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh +bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV +BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz +JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x +XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk +0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB +AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B +AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09 +XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF +ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg== +\-\-\-\-\-END CERTIFICATE\-\-\-\-\- +.fi +.if n \{\ +.RE +.\} +.PP +For a human\-readable display +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-L \-d $HOME/nssdb \-n my\-ca\-cert +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3650 (0xe42) + Signature Algorithm: PKCS #1 SHA\-1 With RSA Encryption + Issuer: "CN=Example CA" + Validity: + Not Before: Wed Mar 13 19:10:29 2013 + Not After : Thu Jun 13 19:10:29 2013 + Subject: "CN=Example CA" + Subject Public Key Info: + Public Key Algorithm: PKCS #1 RSA Encryption + RSA Public Key: + Modulus: + 9e:0a:ce:ab:f3:27:20:55:80:5a:83:5d:16:12:c9:30: + 4d:c3:50:eb:c5:45:3f:dc:6b:d6:03:f9:e0:8c:0c:07: + 12:fd:02:ba:5f:fa:b0:ef:e0:b0:2b:e7:00:11:e2:1f: + ab:a7:9e:ce:b1:5d:1c:cf:39:19:42:d9:66:37:82:49: + 3b:be:69:6c:2e:f6:29:c9:e7:0d:6b:30:22:fc:d0:30: + 56:75:3f:eb:a1:ce:b1:aa:15:15:61:3e:80:14:28:f7: + d5:2b:37:6c:a4:d0:18:8a:fc:63:05:94:b9:b9:75:74: + 11:3a:00:3d:64:a2:b2:15:d2:34:2c:85:ed:7f:a4:9b + Exponent: 65537 (0x10001) + Signed Extensions: + Name: Certificate Type + Data: none + + Name: Certificate Basic Constraints + Data: Is a CA with no maximum path length\&. + + Name: Certificate Key Usage + Critical: True + Usages: Certificate Signing + + Signature Algorithm: PKCS #1 SHA\-1 With RSA Encryption + Signature: + 3a:72:19:33:90:00:8d:db:cd:5d:d6:32:8c:ad:cf:91: + 1c:6d:94:31:a4:32:c6:2b:5e:68:b5:59:3b:e4:68:d6: + 79:d1:52:fb:1e:0d:fd:3d:5c:a6:05:c0:f3:09:8d:60: + a2:85:59:2e:e9:bc:3f:8a:16:5f:b8:c1:e1:c4:ad:b6: + 36:e7:ba:8a:73:50:e9:e0:ee:ed:69:ab:a8:bf:33:de: + 25:2b:43:0c:6c:f9:68:85:a1:bd:ab:6f:c5:d1:55:52: + 64:cd:77:57:c6:59:38:ba:8d:d4:b4:db:f0:f2:c0:33: + ee:c5:83:ef:5a:b1:29:a2:07:53:9a:b8:f7:38:a3:7e + Fingerprint (MD5): + 86:D8:A5:8B:8A:26:BE:9E:17:A8:7B:66:10:6B:27:80 + Fingerprint (SHA1): + 48:78:09:EF:C5:D4:0C:BD:D2:64:45:59:EB:03:13:15:F7:A9:D6:F7 + + Certificate Trust Flags: + SSL Flags: + Valid CA + Trusted CA + User + Email Flags: + Valid CA + Trusted CA + User + Object Signing Flags: + Valid CA + Trusted CA + User + +.fi +.if n \{\ +.RE +.\} +.PP +\fBListing Keys\fR +.PP +Keys are the original material used to encrypt certificate data\&. The keys generated for certificates are stored separately, in the key database\&. +.PP +To list all keys in the database, use the +\fB\-K\fR +command option and the (required) +\fB\-d\fR +argument to give the path to the directory\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-K \-d $HOME/nssdb +certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services " +< 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID +< 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert +< 2> rsa 1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5 John Smith user cert +.fi +.if n \{\ +.RE +.\} +.PP +There are ways to narrow the keys listed in the search results: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +To return a specific key, use the +\fB\-n\fR +\fIname\fR +argument with the name of the key\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +If there are multiple security devices loaded, then the +\fB\-h\fR +\fItokenname\fR +argument can search a specific token or all tokens\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +If there are multiple key types available, then the +\fB\-k\fR +\fIkey\-type\fR +argument can search a specific type of key, like RSA, DSA, or ECC\&. +.RE +.PP +\fBListing Security Modules\fR +.PP +The devices that can be used to store certificates \-\- both internal databases and external devices like smart cards \-\- are recognized and used by loading security modules\&. The +\fB\-U\fR +command option lists all of the security modules listed in the +secmod\&.db +database\&. The path to the directory (\fB\-d\fR) is required\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-U \-d /home/my/sharednssdb + + slot: NSS User Private Key and Certificate Services + token: NSS Certificate DB + uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 + + slot: NSS Internal Cryptographic Services + token: NSS Generic Crypto Services + uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 +.fi +.if n \{\ +.RE +.\} +.PP +\fBAdding Certificates to the Database\fR +.PP +Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere\&. This uses the +\fB\-A\fR +command option\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +certutil \-A \-n certname \-t trustargs \-d directory [\-a] [\-i input\-file] +.fi +.if n \{\ +.RE +.\} +.PP +For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-A \-n "CN=My SSL Certificate" \-t ",," \-d /home/my/sharednssdb \-i /home/example\-certs/cert\&.cer +.fi +.if n \{\ +.RE +.\} +.PP +A related command option, +\fB\-E\fR, is used specifically to add email certificates to the certificate database\&. The +\fB\-E\fR +command has the same arguments as the +\fB\-A\fR +command\&. The trust arguments for certificates have the format +\fISSL,S/MIME,Code\-signing\fR, so the middle trust settings relate most to email certificates (though the others can be set)\&. For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-E \-n "CN=John Smith Email Cert" \-t ",P," \-d /home/my/sharednssdb \-i /home/example\-certs/email\&.cer +.fi +.if n \{\ +.RE +.\} +.PP +\fBDeleting Certificates to the Database\fR +.PP +Certificates can be deleted from a database using the +\fB\-D\fR +option\&. The only required options are to give the security database directory and to identify the certificate nickname\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +certutil \-D \-d directory \-n "nickname" +.fi +.if n \{\ +.RE +.\} +.PP +For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-D \-d /home/my/sharednssdb \-n "my\-ssl\-cert" +.fi +.if n \{\ +.RE +.\} +.PP +\fBValidating Certificates\fR +.PP +A certificate contains an expiration date in itself, and expired certificates are easily rejected\&. However, certificates can also be revoked before they hit their expiration date\&. Checking whether a certificate has been revoked requires validating the certificate\&. Validation can also be used to ensure that the certificate is only used for the purposes it was initially issued for\&. Validation is carried out by the +\fB\-V\fR +command option\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +certutil \-V \-n certificate\-name [\-b time] [\-e] [\-u cert\-usage] \-d directory +.fi +.if n \{\ +.RE +.\} +.PP +For example, to validate an email certificate: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-V \-n "John Smith\*(Aqs Email Cert" \-e \-u S,R \-d /home/my/sharednssdb +.fi +.if n \{\ +.RE +.\} +.PP +\fBModifying Certificate Trust Settings\fR +.PP +The trust settings (which relate to the operations that a certificate is allowed to be used for) can be changed after a certificate is created or added to the database\&. This is especially useful for CA certificates, but it can be performed for any type of certificate\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +certutil \-M \-n certificate\-name \-t trust\-args \-d directory +.fi +.if n \{\ +.RE +.\} +.PP +For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-M \-n "My CA Certificate" \-d /home/my/sharednssdb \-t "CT,CT,CT" +.fi +.if n \{\ +.RE +.\} +.PP +\fBPrinting the Certificate Chain\fR +.PP +Certificates can be issued in +\fIchains\fR +because every certificate authority itself has a certificate; when a CA issues a certificate, it essentially stamps that certificate with its own fingerprint\&. The +\fB\-O\fR +prints the full chain of a certificate, going from the initial CA (the root CA) through ever intermediary CA to the actual certificate\&. For example, for an email certificate with two CAs in the chain: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-d /home/my/sharednssdb \-O \-n "jsmith@example\&.com" +"Builtin Object Token:Thawte Personal Freemail CA" [E=personal\-freemail@thawte\&.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA] + + "Thawte Personal Freemail Issuing CA \- Thawte Consulting" [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd\&.,C=ZA] + + "(null)" [E=jsmith@example\&.com,CN=Thawte Freemail Member] +.fi +.if n \{\ +.RE +.\} +.PP +\fBResetting a Token\fR +.PP +The device which stores certificates \-\- both external hardware devices and internal software databases \-\- can be blanked and reused\&. This operation is performed on the device which stores the data, not directly on the security databases, so the location must be referenced through the token name (\fB\-h\fR) as well as any directory path\&. If there is no external token used, the default value is internal\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +certutil \-T \-d directory \-h token\-name \-0 security\-officer\-password +.fi +.if n \{\ +.RE +.\} +.PP +Many networks have dedicated personnel who handle changes to security tokens (the security officer)\&. This person must supply the password to access the specified token\&. For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-T \-d /home/my/sharednssdb \-h nethsm \-0 secret +.fi +.if n \{\ +.RE +.\} +.PP +\fBUpgrading or Merging the Security Databases\fR +.PP +Many networks or applications may be using older BerkeleyDB versions of the certificate database (cert8\&.db)\&. Databases can be upgraded to the new SQLite version of the database (cert9\&.db) using the +\fB\-\-upgrade\-merge\fR +command option or existing databases can be merged with the new +cert9\&.db +databases using the +\fB\-\-\-merge\fR +command\&. +.PP +The +\fB\-\-upgrade\-merge\fR +command must give information about the original database and then use the standard arguments (like +\fB\-d\fR) to give the information about the new databases\&. The command also requires information that the tool uses for the process to upgrade and write over the original database\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +certutil \-\-upgrade\-merge \-d directory [\-P dbprefix] \-\-source\-dir directory \-\-source\-prefix dbprefix \-\-upgrade\-id id \-\-upgrade\-token\-name name [\-@ password\-file] +.fi +.if n \{\ +.RE +.\} +.PP +For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-\-upgrade\-merge \-d /home/my/sharednssdb \-\-source\-dir /opt/my\-app/alias/ \-\-source\-prefix serverapp\- \-\-upgrade\-id 1 \-\-upgrade\-token\-name internal +.fi +.if n \{\ +.RE +.\} +.PP +The +\fB\-\-merge\fR +command only requires information about the location of the original database; since it doesn\*(Aqt change the format of the database, it can write over information without performing interim step\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +certutil \-\-merge \-d directory [\-P dbprefix] \-\-source\-dir directory \-\-source\-prefix dbprefix [\-@ password\-file] +.fi +.if n \{\ +.RE +.\} +.PP +For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-\-merge \-d /home/my/sharednssdb \-\-source\-dir /opt/my\-app/alias/ \-\-source\-prefix serverapp\- +.fi +.if n \{\ +.RE +.\} +.PP +\fBRunning certutil Commands from a Batch File\fR +.PP +A series of commands can be run sequentially from a text file with the +\fB\-B\fR +command option\&. The only argument for this specifies the input file\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-B \-i /path/to/batch\-file +.fi +.if n \{\ +.RE +.\} +.SH "NSS DATABASE TYPES" +.PP +NSS originally used BerkeleyDB databases to store security information\&. The last versions of these +\fIlegacy\fR +databases are: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +cert8\&.db for certificates +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +key3\&.db for keys +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +secmod\&.db for PKCS #11 module information +.RE +.PP +BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously\&. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues\&. Still, NSS requires more flexibility to provide a truly shared security database\&. +.PP +In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkeleyDB\&. These new databases provide more accessibility and performance: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +cert9\&.db for certificates +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +key4\&.db for keys +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +pkcs11\&.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory +.RE +.PP +Because the SQLite databases are designed to be shared, these are the +\fIshared\fR +database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&. +.PP +By default, the tools (\fBcertutil\fR, +\fBpk12util\fR, +\fBmodutil\fR) assume that the given security databases use the SQLite type\&. Using the legacy databases must be manually specified by using the +\fBdbm:\fR +prefix with the given security directory\&. For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ certutil \-L \-d dbm:/home/my/sharednssdb +.fi +.if n \{\ +.RE +.\} +.PP +To set the legacy database type as the default type for the tools, set the +\fBNSS_DEFAULT_DB_TYPE\fR +environment variable to +\fBdbm\fR: +.sp +.if n \{\ +.RS 4 +.\} +.nf +export NSS_DEFAULT_DB_TYPE="dbm" +.fi +.if n \{\ +.RE +.\} +.PP +This line can be set added to the +~/\&.bashrc +file to make the change permanent\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto +.RE +.PP +For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB +.RE +.SH "SEE ALSO" +.PP +pk12util (1) +.PP +modutil (1) +.PP +\fBcertutil\fR +has arguments or operations that use features defined in several IETF RFCs\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +http://tools\&.ietf\&.org/html/rfc5280 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +http://tools\&.ietf\&.org/html/rfc1113 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +http://tools\&.ietf\&.org/html/rfc1485 +.RE +.PP +The NSS wiki has information on the new database design and how to configure applications to use it\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB +.RE +.SH "ADDITIONAL RESOURCES" +.PP +For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at +\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Elio Maldonado , Deon Lackey \&. +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE diff --git a/security/nss/doc/nroff/cmsutil.1 b/security/nss/doc/nroff/cmsutil.1 new file mode 100644 index 0000000000..9c0bb48e98 --- /dev/null +++ b/security/nss/doc/nroff/cmsutil.1 @@ -0,0 +1,271 @@ +'\" t +.\" Title: CMSUTIL +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets v1.78.1 +.\" Date: 5 June 2014 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "CMSUTIL" "1" "5 June 2014" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +cmsutil \- Performs basic cryptograpic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages\&. +.SH "SYNOPSIS" +.HP \w'\fBcmsutil\fR\ 'u +\fBcmsutil\fR [\fIoptions\fR] [[\fIarguments\fR]] +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +The +\fBcmsutil\fR +command\-line uses the S/MIME Toolkit to perform basic operations, such as encryption and decryption, on Cryptographic Message Syntax (CMS) messages\&. +.PP +To run cmsutil, type the command cmsutil option [arguments] where option and arguments are combinations of the options and arguments listed in the following section\&. Each command takes one option\&. Each option may take zero or more arguments\&. To see a usage string, issue the command without options\&. +.SH "OPTIONS AND ARGUMENTS" +.PP +.PP +\fBOptions\fR +.PP +Options specify an action\&. Option arguments modify an action\&. The options and arguments for the cmsutil command are defined as follows: +.PP +\-C +.RS 4 +Encrypt a message\&. +.RE +.PP +\-D +.RS 4 +Decode a message\&. +.RE +.PP +\-E +.RS 4 +Envelope a message\&. +.RE +.PP +\-O +.RS 4 +Create a certificates\-only message\&. +.RE +.PP +\-S +.RS 4 +Sign a message\&. +.RE +.PP +\fBArguments\fR +.PP +Option arguments modify an action\&. +.PP +\-b +.RS 4 +Decode a batch of files named in infile\&. +.RE +.PP +\-c content +.RS 4 +Use this detached content (decode only)\&. +.RE +.PP +\-d dbdir +.RS 4 +Specify the key/certificate database directory (default is "\&.") +.RE +.PP +\-e envfile +.RS 4 +Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message\&. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only)\&. +.RE +.PP +\-f pwfile +.RS 4 +Use password file to set password on all PKCS#11 tokens\&. +.RE +.PP +\-G +.RS 4 +Include a signing time attribute (sign only)\&. +.RE +.PP +\-H hash +.RS 4 +Use specified hash algorithm (default:SHA1)\&. +.RE +.PP +\-h num +.RS 4 +Generate email headers with info about CMS message (decode only)\&. +.RE +.PP +\-i infile +.RS 4 +Use infile as a source of data (default is stdin)\&. +.RE +.PP +\-k +.RS 4 +Keep decoded encryption certs in permanent cert db\&. +.RE +.PP +\-N nickname +.RS 4 +Specify nickname of certificate to sign with (sign only)\&. +.RE +.PP +\-n +.RS 4 +Suppress output of contents (decode only)\&. +.RE +.PP +\-o outfile +.RS 4 +Use outfile as a destination of data (default is stdout)\&. +.RE +.PP +\-P +.RS 4 +Include an S/MIME capabilities attribute\&. +.RE +.PP +\-p password +.RS 4 +Use password as key database password\&. +.RE +.PP +\-r recipient1,recipient2, \&.\&.\&. +.RS 4 +Specify list of recipients (email addresses) for an encrypted or enveloped message\&. For certificates\-only message, list of certificates to send\&. +.RE +.PP +\-T +.RS 4 +Suppress content in CMS message (sign only)\&. +.RE +.PP +\-u certusage +.RS 4 +Set type of cert usage (default is certUsageEmailSigner)\&. +.RE +.PP +\-v +.RS 4 +Print debugging information\&. +.RE +.PP +\-Y ekprefnick +.RS 4 +Specify an encryption key preference by nickname\&. +.RE +.SH "USAGE" +.PP +Encrypt Example +.sp +.if n \{\ +.RS 4 +.\} +.nf +cmsutil \-C [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] \-r "recipient1,recipient2, \&. \&. \&." \-e envfile + +.fi +.if n \{\ +.RE +.\} +.PP +Decode Example +.sp +.if n \{\ +.RS 4 +.\} +.nf +cmsutil \-D [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] [\-c content] [\-n] [\-h num] + +.fi +.if n \{\ +.RE +.\} +.PP +Envelope Example +.sp +.if n \{\ +.RS 4 +.\} +.nf +cmsutil \-E [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] \-r "recipient1,recipient2, \&.\&.\&." + +.fi +.if n \{\ +.RE +.\} +.PP +Certificate\-only Example +.sp +.if n \{\ +.RS 4 +.\} +.nf +cmsutil \-O [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] \-r "cert1,cert2, \&. \&. \&." + +.fi +.if n \{\ +.RE +.\} +.PP +Sign Message Example +.sp +.if n \{\ +.RS 4 +.\} +.nf +cmsutil \-S [\-i infile] [\-o outfile] [\-d dbdir] [\-p password] \-N nickname[\-TGP] [\-Y ekprefnick] + +.fi +.if n \{\ +.RE +.\} +.SH "SEE ALSO" +.PP +certutil(1) +.SH "ADDITIONAL RESOURCES" +.PP +For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at +\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Elio Maldonado , Deon Lackey \&. +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE diff --git a/security/nss/doc/nroff/crlutil.1 b/security/nss/doc/nroff/crlutil.1 new file mode 100644 index 0000000000..e895f28750 --- /dev/null +++ b/security/nss/doc/nroff/crlutil.1 @@ -0,0 +1,389 @@ +'\" t +.\" Title: CRLUTIL +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 19 May 2021 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "CRLUTIL" "1" "19 May 2021" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +crlutil \- List, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL\&. +.SH "SYNOPSIS" +.HP \w'\fBcrlutil\fR\ 'u +\fBcrlutil\fR [\fIoptions\fR] [[\fIarguments\fR]] +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +The Certificate Revocation List (CRL) Management Tool, +\fBcrlutil\fR, is a command\-line utility that can list, generate, modify, or delete CRLs within the NSS security database file(s) and list, create, modify or delete certificates entries in a particular CRL\&. +.PP +The key and certificate management process generally begins with creating keys in the key database, then generating and managing certificates in the certificate database(see certutil tool) and continues with certificates expiration or revocation\&. +.PP +This document discusses certificate revocation list management\&. For information on security module database management, see Using the Security Module Database Tool\&. For information on certificate and key database management, see Using the Certificate Database Tool\&. +.PP +To run the Certificate Revocation List Management Tool, type the command +.PP +crlutil option [arguments] +.PP +where options and arguments are combinations of the options and arguments listed in the following section\&. Each command takes one option\&. Each option may take zero or more arguments\&. To see a usage string, issue the command without options, or with the \-H option\&. +.SH "OPTIONS AND ARGUMENTS" +.PP +.PP +\fBOptions\fR +.PP +Options specify an action\&. Option arguments modify an action\&. The options and arguments for the crlutil command are defined as follows: +.PP +\-D +.RS 4 +Delete Certificate Revocation List from cert database\&. +.RE +.PP +\-E +.RS 4 +Erase all CRLs of specified type from the cert database +.RE +.PP +\-G +.RS 4 +Create new Certificate Revocation List (CRL)\&. +.RE +.PP +\-I +.RS 4 +Import a CRL to the cert database +.RE +.PP +\-L +.RS 4 +List existing CRL located in cert database file\&. +.RE +.PP +\-M +.RS 4 +Modify existing CRL which can be located in cert db or in arbitrary file\&. If located in file it should be encoded in ASN\&.1 encode format\&. +.RE +.PP +\-S +.RS 4 +Show contents of a CRL file which isn\*(Aqt stored in the database\&. +.RE +.PP +\fBArguments\fR +.PP +Option arguments modify an action\&. +.PP +\-a +.RS 4 +Use ASCII format or allow the use of ASCII format for input and output\&. This formatting follows RFC #1113\&. +.RE +.PP +\-B +.RS 4 +Bypass CA signature checks\&. +.RE +.PP +\-c crl\-gen\-file +.RS 4 +Specify script file that will be used to control crl generation/modification\&. See crl\-cript\-file format below\&. If options \-M|\-G is used and \-c crl\-script\-file is not specified, crlutil will read script data from standard input\&. +.RE +.PP +\-d directory +.RS 4 +Specify the database directory containing the certificate and key database files\&. On Unix the Certificate Database Tool defaults to $HOME/\&.netscape (that is, ~/\&.netscape)\&. On Windows NT the default is the current directory\&. +.sp +The NSS database files must reside in the same directory\&. +.RE +.PP +\-f password\-file +.RS 4 +Specify a file that will automatically supply the password to include in a certificate or to access a certificate database\&. This is a plain\-text file containing one password\&. Be sure to prevent unauthorized access to this file\&. +.RE +.PP +\-i crl\-file +.RS 4 +Specify the file which contains the CRL to import or show\&. +.RE +.PP +\-l algorithm\-name +.RS 4 +Specify a specific signature algorithm\&. List of possible algorithms: MD2 | MD4 | MD5 | SHA1 | SHA256 | SHA384 | SHA512 +.RE +.PP +\-n nickname +.RS 4 +Specify the nickname of a certificate or key to list, create, add to a database, modify, or validate\&. Bracket the nickname string with quotation marks if it contains spaces\&. +.RE +.PP +\-o output\-file +.RS 4 +Specify the output file name for new CRL\&. Bracket the output\-file string with quotation marks if it contains spaces\&. If this argument is not used the output destination defaults to standard output\&. +.RE +.PP +\-P dbprefix +.RS 4 +Specify the prefix used on the NSS security database files (for example, my_cert8\&.db and my_key3\&.db)\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&. +.RE +.PP +\-t crl\-type +.RS 4 +Specify type of CRL\&. possible types are: 0 \- SEC_KRL_TYPE, 1 \- SEC_CRL_TYPE\&. This option is obsolete +.RE +.PP +\-u url +.RS 4 +Specify the url\&. +.RE +.PP +\-w pwd\-string +.RS 4 +Provide db password in command line\&. +.RE +.PP +\-Z algorithm +.RS 4 +Specify the hash algorithm to use for signing the CRL\&. +.RE +.SH "CRL GENERATION SCRIPT SYNTAX" +.PP +CRL generation script file has the following syntax: +.PP +* Line with comments should have # as a first symbol of a line +.PP +* Set "this update" or "next update" CRL fields: +.PP +update=YYYYMMDDhhmmssZ nextupdate=YYYYMMDDhhmmssZ +.PP +Field "next update" is optional\&. Time should be in GeneralizedTime format (YYYYMMDDhhmmssZ)\&. For example: 20050204153000Z +.PP +* Add an extension to a CRL or a crl certificate entry: +.PP +addext extension\-name critical/non\-critical [arg1[arg2 \&.\&.\&.]] +.PP +Where: +.PP +extension\-name: string value of a name of known extensions\&. critical/non\-critical: is 1 when extension is critical and 0 otherwise\&. arg1, arg2: specific to extension type extension parameters +.PP +addext uses the range that was set earlier by addcert and will install an extension to every cert entries within the range\&. +.PP +* Add certificate entries(s) to CRL: +.PP +addcert range date +.PP +range: two integer values separated by dash: range of certificates that will be added by this command\&. dash is used as a delimiter\&. Only one cert will be added if there is no delimiter\&. date: revocation date of a cert\&. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ)\&. +.PP +* Remove certificate entry(s) from CRL +.PP +rmcert range +.PP +Where: +.PP +range: two integer values separated by dash: range of certificates that will be added by this command\&. dash is used as a delimiter\&. Only one cert will be added if there is no delimiter\&. +.PP +* Change range of certificate entry(s) in CRL +.PP +range new\-range +.PP +Where: +.PP +new\-range: two integer values separated by dash: range of certificates that will be added by this command\&. dash is used as a delimiter\&. Only one cert will be added if there is no delimiter\&. +.PP +Implemented Extensions +.PP +The extensions defined for CRL provide methods for associating additional attributes with CRLs of theirs entries\&. For more information see RFC #3280 +.PP +* Add The Authority Key Identifier extension: +.PP +The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL\&. +.PP +authKeyId critical [key\-id | dn cert\-serial] +.PP +Where: +.PP +authKeyIdent: identifies the name of an extension critical: value of 1 of 0\&. Should be set to 1 if this extension is critical or 0 otherwise\&. key\-id: key identifier represented in octet string\&. dn:: is a CA distinguished name cert\-serial: authority certificate serial number\&. +.PP +* Add Issuer Alternative Name extension: +.PP +The issuer alternative names extension allows additional identities to be associated with the issuer of the CRL\&. Defined options include an rfc822 name (electronic mail address), a DNS name, an IP address, and a URI\&. +.PP +issuerAltNames non\-critical name\-list +.PP +Where: +.PP +subjAltNames: identifies the name of an extension should be set to 0 since this is non\-critical extension name\-list: comma separated list of names +.PP +* Add CRL Number extension: +.PP +The CRL number is a non\-critical CRL extension which conveys a monotonically increasing sequence number for a given CRL scope and CRL issuer\&. This extension allows users to easily determine when a particular CRL supersedes another CRL +.PP +crlNumber non\-critical number +.PP +Where: +.PP +crlNumber: identifies the name of an extension critical: should be set to 0 since this is non\-critical extension number: value of long which identifies the sequential number of a CRL\&. +.PP +* Add Revocation Reason Code extension: +.PP +The reasonCode is a non\-critical CRL entry extension that identifies the reason for the certificate revocation\&. +.PP +reasonCode non\-critical code +.PP +Where: +.PP +reasonCode: identifies the name of an extension non\-critical: should be set to 0 since this is non\-critical extension code: the following codes are available: +.PP +unspecified (0), keyCompromise (1), cACompromise (2), affiliationChanged (3), superseded (4), cessationOfOperation (5), certificateHold (6), removeFromCRL (8), privilegeWithdrawn (9), aACompromise (10) +.PP +* Add Invalidity Date extension: +.PP +The invalidity date is a non\-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid\&. +.PP +invalidityDate non\-critical date +.PP +Where: +.PP +crlNumber: identifies the name of an extension non\-critical: should be set to 0 since this is non\-critical extension date: invalidity date of a cert\&. Date should be represented in GeneralizedTime format (YYYYMMDDhhmmssZ)\&. +.SH "USAGE" +.PP +The Certificate Revocation List Management Tool\*(Aqs capabilities are grouped as follows, using these combinations of options and arguments\&. Options and arguments in square brackets are optional, those without square brackets are required\&. +.PP +See "Implemented extensions" for more information regarding extensions and their parameters\&. +.PP +* Creating or modifying a CRL: +.sp +.if n \{\ +.RS 4 +.\} +.nf +crlutil \-G|\-M \-c crl\-gen\-file \-n nickname [\-i crl] [\-u url] [\-d keydir] [\-P dbprefix] [\-l alg] [\-a] [\-B] + +.fi +.if n \{\ +.RE +.\} +.PP +* Listing all CRls or a named CRL: +.sp +.if n \{\ +.RS 4 +.\} +.nf + crlutil \-L [\-n crl\-name] [\-d krydir] + +.fi +.if n \{\ +.RE +.\} +.PP +* Deleting CRL from db: +.sp +.if n \{\ +.RS 4 +.\} +.nf + crlutil \-D \-n nickname [\-d keydir] [\-P dbprefix] + +.fi +.if n \{\ +.RE +.\} +.PP +* Erasing CRLs from db: +.sp +.if n \{\ +.RS 4 +.\} +.nf + crlutil \-E [\-d keydir] [\-P dbprefix] + +.fi +.if n \{\ +.RE +.\} +.PP +* Deleting CRL from db: +.sp +.if n \{\ +.RS 4 +.\} +.nf + crlutil \-D \-n nickname [\-d keydir] [\-P dbprefix] + +.fi +.if n \{\ +.RE +.\} +.PP +* Erasing CRLs from db: +.sp +.if n \{\ +.RS 4 +.\} +.nf + crlutil \-E [\-d keydir] [\-P dbprefix] + +.fi +.if n \{\ +.RE +.\} +.PP +* Import CRL from file: +.sp +.if n \{\ +.RS 4 +.\} +.nf + crlutil \-I \-i crl [\-t crlType] [\-u url] [\-d keydir] [\-P dbprefix] [\-B] + +.fi +.if n \{\ +.RE +.\} +.SH "SEE ALSO" +.PP +certutil(1) +.SH "ADDITIONAL RESOURCES" +.PP +For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at +\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Elio Maldonado , Deon Lackey \&. +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE diff --git a/security/nss/doc/nroff/derdump.1 b/security/nss/doc/nroff/derdump.1 new file mode 100644 index 0000000000..18f3974c74 --- /dev/null +++ b/security/nss/doc/nroff/derdump.1 @@ -0,0 +1,92 @@ +'\" t +.\" Title: DERDUMP +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 19 May 2021 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "DERDUMP" "1" "19 May 2021" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +derdump_ \- Dumps C\-sequence strings from a DER encoded certificate file +.SH "SYNOPSIS" +.HP \w'\fBderdump\fR\ 'u +\fBderdump\fR [\fB\-r\fR] [\fB\-i\ \fR\fB\fIinput\-file\fR\fR] [\fB\-o\ \fR\fB\fIoutput\-file\fR\fR] +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +\fBderdump \fRdumps C\-sequence strings from a DER encode certificate file +.SH "OPTIONS" +.PP +\fB\-r \fR +.RS 4 +For formatted items, dump raw bytes as well +.RE +.PP +\fB\-i \fR \fIDER encoded file\fR +.RS 4 +Define an input file to use (default is stdin) +.RE +.PP +\fB\-o \fR \fIoutput file\fR +.RS 4 +Define an output file to use (default is stdout)\&. +.RE +.SH "ADDITIONAL RESOURCES" +.PP +NSS is maintained in conjunction with PKI and security\-related projects through Mozilla dn Fedora\&. The most closely\-related project is Dogtag PKI, with a project wiki at +\m[blue]\fBPKI Wiki\fR\m[]\&\s-2\u[2]\d\s+2\&. +.PP +For information specifically about NSS, the NSS project wiki is located at +\m[blue]\fBMozilla NSS site\fR\m[]\&\s-2\u[3]\d\s+2\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: pki\-devel@redhat\&.com and pki\-users@redhat\&.com +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Gerhardus Geldenhuis \&. Elio Maldonado , Deon Lackey +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE +.IP " 2." 4 +PKI Wiki +.RS 4 +\%http://pki.fedoraproject.org/wiki/ +.RE +.IP " 3." 4 +Mozilla NSS site +.RS 4 +\%http://www.mozilla.org/projects/security/pki/nss/ +.RE diff --git a/security/nss/doc/nroff/modutil.1 b/security/nss/doc/nroff/modutil.1 new file mode 100644 index 0000000000..05c04946fe --- /dev/null +++ b/security/nss/doc/nroff/modutil.1 @@ -0,0 +1,1452 @@ +'\" t +.\" Title: MODUTIL +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 19 May 2021 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "MODUTIL" "1" "19 May 2021" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +modutil \- Manage PKCS #11 module information within the security module database\&. +.SH "SYNOPSIS" +.HP \w'\fBmodutil\fR\ 'u +\fBmodutil\fR [\fIoptions\fR] [[\fIarguments\fR]] +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +The Security Module Database Tool, +\fBmodutil\fR, is a command\-line utility for managing PKCS #11 module information both within +secmod\&.db +files and within hardware tokens\&. +\fBmodutil\fR +can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140\-2 compliance, and assign default providers for cryptographic operations\&. This tool can also create certificate, key, and module security database files\&. +.PP +The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases\&. +.SH "OPTIONS" +.PP +Running +\fBmodutil\fR +always requires one (and only one) option to specify the type of module operation\&. Each option may take arguments, anywhere from none to multiple arguments\&. +.PP +\fBOptions\fR +.PP +\-add modulename +.RS 4 +Add the named PKCS #11 module to the database\&. Use this option with the +\fB\-libfile\fR, +\fB\-ciphers\fR, and +\fB\-mechanisms\fR +arguments\&. +.RE +.PP +\-changepw tokenname +.RS 4 +Change the password on the named token\&. If the token has not been initialized, this option initializes the password\&. Use this option with the +\fB\-pwfile\fR +and +\fB\-newpwfile\fR +arguments\&. A +\fIpassword\fR +is equivalent to a personal identification number (PIN)\&. +.RE +.PP +\-chkfips +.RS 4 +Verify whether the module is in the given FIPS mode\&. +\fBtrue\fR +means to verify that the module is in FIPS mode, while +\fBfalse\fR +means to verify that the module is not in FIPS mode\&. +.RE +.PP +\-create +.RS 4 +Create new certificate, key, and module databases\&. Use the +\fB\-dbdir\fR +directory argument to specify a directory\&. If any of these databases already exist in a specified directory, +\fBmodutil\fR +returns an error message\&. +.RE +.PP +\-default modulename +.RS 4 +Specify the security mechanisms for which the named module will be a default provider\&. The security mechanisms are specified with the +\fB\-mechanisms\fR +argument\&. +.RE +.PP +\-delete modulename +.RS 4 +Delete the named module\&. The default NSS PKCS #11 module cannot be deleted\&. +.RE +.PP +\-disable modulename +.RS 4 +Disable all slots on the named module\&. Use the +\fB\-slot\fR +argument to disable a specific slot\&. +.sp +The internal NSS PKCS #11 module cannot be disabled\&. +.RE +.PP +\-enable modulename +.RS 4 +Enable all slots on the named module\&. Use the +\fB\-slot\fR +argument to enable a specific slot\&. +.RE +.PP +\-fips [true | false] +.RS 4 +Enable (true) or disable (false) FIPS 140\-2 compliance for the default NSS module\&. +.RE +.PP +\-force +.RS 4 +Disable +\fBmodutil\fR\*(Aqs interactive prompts so it can be run from a script\&. Use this option only after manually testing each planned operation to check for warnings and to ensure that bypassing the prompts will cause no security lapses or loss of database integrity\&. +.RE +.PP +\-jar JAR\-file +.RS 4 +Add a new PKCS #11 module to the database using the named JAR file\&. Use this command with the +\fB\-installdir\fR +and +\fB\-tempdir\fR +arguments\&. The JAR file uses the NSS PKCS #11 JAR format to identify all the files to be installed, the module\*(Aqs name, the mechanism flags, and the cipher flags, as well as any files to be installed on the target machine, including the PKCS #11 module library file and other files such as documentation\&. This is covered in the JAR installation file section in the man page, which details the special script needed to perform an installation through a server or with +\fBmodutil\fR\&. +.RE +.PP +\-list [modulename] +.RS 4 +Display basic information about the contents of the +secmod\&.db +file\&. Specifying a +\fImodulename\fR +displays detailed information about a particular module and its slots and tokens\&. +.RE +.PP +\-rawadd +.RS 4 +Add the module spec string to the +secmod\&.db +database\&. +.RE +.PP +\-rawlist +.RS 4 +Display the module specs for a specified module or for all loadable modules\&. +.RE +.PP +\-undefault modulename +.RS 4 +Specify the security mechanisms for which the named module will not be a default provider\&. The security mechanisms are specified with the +\fB\-mechanisms\fR +argument\&. +.RE +.PP +\fBArguments\fR +.PP +MODULE +.RS 4 +Give the security module to access\&. +.RE +.PP +MODULESPEC +.RS 4 +Give the security module spec to load into the security database\&. +.RE +.PP +\-ciphers cipher\-enable\-list +.RS 4 +Enable specific ciphers in a module that is being added to the database\&. The +\fIcipher\-enable\-list\fR +is a colon\-delimited list of cipher names\&. Enclose this list in quotation marks if it contains spaces\&. +.RE +.PP +\-dbdir directory +.RS 4 +Specify the database directory in which to access or create security module database files\&. +.sp +\fBmodutil\fR +supports two types of databases: the legacy security databases (cert8\&.db, +key3\&.db, and +secmod\&.db) and SQLite databases (cert9\&.db, +key4\&.db, and +pkcs11\&.txt)\&. If the prefix +\fBdbm:\fR +is not used, then the tool assumes that the given databases are in SQLite format\&. +.RE +.PP +\-\-dbprefix prefix +.RS 4 +Specify the prefix used on the database files, such as +my_ +for +my_cert9\&.db\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&. +.RE +.PP +\-installdir root\-installation\-directory +.RS 4 +Specify the root installation directory relative to which files will be installed by the +\fB\-jar\fR +option\&. This directory should be one below which it is appropriate to store dynamic library files, such as a server\*(Aqs root directory\&. +.RE +.PP +\-libfile library\-file +.RS 4 +Specify a path to a library file containing the implementation of the PKCS #11 interface module that is being added to the database\&. +.RE +.PP +\-mechanisms mechanism\-list +.RS 4 +Specify the security mechanisms for which a particular module will be flagged as a default provider\&. The +\fImechanism\-list\fR +is a colon\-delimited list of mechanism names\&. Enclose this list in quotation marks if it contains spaces\&. +.sp +The module becomes a default provider for the listed mechanisms when those mechanisms are enabled\&. If more than one module claims to be a particular mechanism\*(Aqs default provider, that mechanism\*(Aqs default provider is undefined\&. +.sp +\fBmodutil\fR +supports several mechanisms: RSA, DSA, RC2, RC4, RC5, AES, DES, DH, SHA1, SHA256, SHA512, SSL, TLS, MD5, MD2, RANDOM (for random number generation), and FRIENDLY (meaning certificates are publicly readable)\&. +.RE +.PP +\-newpwfile new\-password\-file +.RS 4 +Specify a text file containing a token\*(Aqs new or replacement password so that a password can be entered automatically with the +\fB\-changepw\fR +option\&. +.RE +.PP +\-nocertdb +.RS 4 +Do not open the certificate or key databases\&. This has several effects: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +With the +\fB\-create\fR +command, only a module security file is created; certificate and key databases are not created\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +With the +\fB\-jar\fR +command, signatures on the JAR file are not checked\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +With the +\fB\-changepw\fR +command, the password on the NSS internal module cannot be set or changed, since this password is stored in the key database\&. +.RE +.RE +.PP +\-pwfile old\-password\-file +.RS 4 +Specify a text file containing a token\*(Aqs existing password so that a password can be entered automatically when the +\fB\-changepw\fR +option is used to change passwords\&. +.RE +.PP +\-secmod secmodname +.RS 4 +Give the name of the security module database (like +secmod\&.db) to load\&. +.RE +.PP +\-slot slotname +.RS 4 +Specify a particular slot to be enabled or disabled with the +\fB\-enable\fR +or +\fB\-disable\fR +options\&. +.RE +.PP +\-string CONFIG_STRING +.RS 4 +Pass a configuration string for the module being added to the database\&. +.RE +.PP +\-tempdir temporary\-directory +.RS 4 +Give a directory location where temporary files are created during the installation by the +\fB\-jar\fR +option\&. If no temporary directory is specified, the current directory is used\&. +.RE +.SH "USAGE AND EXAMPLES" +.PP +\fBCreating Database Files\fR +.PP +Before any operations can be performed, there must be a set of security databases available\&. +\fBmodutil\fR +can be used to create these files\&. The only required argument is the database that where the databases will be located\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-create \-dbdir directory +.fi +.if n \{\ +.RE +.\} +.PP +\fBAdding a Cryptographic Module\fR +.PP +Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms\&. This can be done by supplying all of the information through +\fBmodutil\fR +directly or by running a JAR file and install script\&. For the most basic case, simply upload the library: +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-add modulename \-libfile library\-file [\-ciphers cipher\-enable\-list] [\-mechanisms mechanism\-list] +.fi +.if n \{\ +.RE +.\} +.PP +For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-dbdir /home/my/sharednssdb \-add "Example PKCS #11 Module" \-libfile "/tmp/crypto\&.so" \-mechanisms RSA:DSA:RC2:RANDOM + +Using database directory \&.\&.\&. +Module "Example PKCS #11 Module" added to database\&. +.fi +.if n \{\ +.RE +.\} +.PP +\fBInstalling a Cryptographic Module from a JAR File\fR +.PP +PKCS #11 modules can also be loaded using a JAR file, which contains all of the required libraries and an installation script that describes how to install the module\&. The JAR install script is described in more detail in +the section called \(lqJAR INSTALLATION FILE FORMAT\(rq\&. +.PP +The JAR installation script defines the setup information for each platform that the module can be installed on\&. For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +Platforms { + Linux:5\&.4\&.08:x86 { + ModuleName { "Example PKCS #11 Module" } + ModuleFile { crypto\&.so } + DefaultMechanismFlags{0x0000} + CipherEnableFlags{0x0000} + Files { + crypto\&.so { + Path{ /tmp/crypto\&.so } + } + setup\&.sh { + Executable + Path{ /tmp/setup\&.sh } + } + } + } + Linux:6\&.0\&.0:x86 { + EquivalentPlatform { Linux:5\&.4\&.08:x86 } + } +} +.fi +.if n \{\ +.RE +.\} +.PP +Both the install script and the required libraries must be bundled in a JAR file, which is specified with the +\fB\-jar\fR +argument\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-dbdir /home/mt"jar\-install\-filey/sharednssdb \-jar install\&.jar \-installdir /home/my/sharednssdb + +This installation JAR file was signed by: +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- + +**SUBJECT NAME** + +C=US, ST=California, L=Mountain View, CN=Cryptorific Inc\&., OU=Digital ID +Class 3 \- Netscape Object Signing, OU="www\&.verisign\&.com/repository/CPS +Incorp\&. by Ref\&.,LIAB\&.LTD(c)9 6", OU=www\&.verisign\&.com/CPS Incorp\&.by Ref +\&. LIABILITY LTD\&.(c)97 VeriSign, OU=VeriSign Object Signing CA \- Class 3 +Organization, OU="VeriSign, Inc\&.", O=VeriSign Trust Network **ISSUER +NAME**, OU=www\&.verisign\&.com/CPS Incorp\&.by Ref\&. LIABILITY LTD\&.(c)97 +VeriSign, OU=VeriSign Object Signing CA \- Class 3 Organization, +OU="VeriSign, Inc\&.", O=VeriSign Trust Network +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- + +Do you wish to continue this installation? (y/n) y +Using installer script "installer_script" +Successfully parsed installation script +Current platform is Linux:5\&.4\&.08:x86 +Using installation parameters for platform Linux:5\&.4\&.08:x86 +Installed file crypto\&.so to /tmp/crypto\&.so +Installed file setup\&.sh to \&./pk11inst\&.dir/setup\&.sh +Executing "\&./pk11inst\&.dir/setup\&.sh"\&.\&.\&. +"\&./pk11inst\&.dir/setup\&.sh" executed successfully +Installed module "Example PKCS #11 Module" into module database + +Installation completed successfully +.fi +.if n \{\ +.RE +.\} +.PP +\fBAdding Module Spec\fR +.PP +Each module has information stored in the security database about its configuration and parameters\&. These can be added or edited using the +\fB\-rawadd\fR +command\&. For the current settings or to see the format of the module spec in the database, use the +\fB\-rawlist\fR +option\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-rawadd modulespec +.fi +.if n \{\ +.RE +.\} +.PP +\fBDeleting a Module\fR +.PP +A specific PKCS #11 module can be deleted from the +secmod\&.db +database: +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-delete modulename \-dbdir directory +.fi +.if n \{\ +.RE +.\} +.PP +\fBDisplaying Module Information\fR +.PP +The +secmod\&.db +database contains information about the PKCS #11 modules that are available to an application or server to use\&. The list of all modules, information about specific modules, and database configuration specs for modules can all be viewed\&. +.PP +To simply get a list of modules in the database, use the +\fB\-list\fR +command\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-list [modulename] \-dbdir directory +.fi +.if n \{\ +.RE +.\} +.PP +Listing the modules shows the module name, their status, and other associated security databases for certificates and keys\&. For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-list \-dbdir /home/my/sharednssdb + +Listing of PKCS #11 Modules +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- + 1\&. NSS Internal PKCS #11 Module + slots: 2 slots attached + status: loaded + + slot: NSS Internal Cryptographic Services + token: NSS Generic Crypto Services + uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 + + slot: NSS User Private Key and Certificate Services + token: NSS Certificate DB + uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- +.fi +.if n \{\ +.RE +.\} +.PP +Passing a specific module name with the +\fB\-list\fR +returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on\&. For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf + modutil \-list "NSS Internal PKCS #11 Module" \-dbdir /home/my/sharednssdb + +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- +Name: NSS Internal PKCS #11 Module +Library file: **Internal ONLY module** +Manufacturer: Mozilla Foundation +Description: NSS Internal Crypto Services +PKCS #11 Version 2\&.20 +Library Version: 3\&.11 +Cipher Enable Flags: None +Default Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES + + Slot: NSS Internal Cryptographic Services + Slot Mechanism Flags: RSA:RC2:RC4:DES:DH:SHA1:MD5:MD2:SSL:TLS:AES + Manufacturer: Mozilla Foundation + Type: Software + Version Number: 3\&.11 + Firmware Version: 0\&.0 + Status: Enabled + Token Name: NSS Generic Crypto Services + Token Manufacturer: Mozilla Foundation + Token Model: NSS 3 + Token Serial Number: 0000000000000000 + Token Version: 4\&.0 + Token Firmware Version: 0\&.0 + Access: Write Protected + Login Type: Public (no login required) + User Pin: NOT Initialized + + Slot: NSS User Private Key and Certificate Services + Slot Mechanism Flags: None + Manufacturer: Mozilla Foundation + Type: Software + Version Number: 3\&.11 + Firmware Version: 0\&.0 + Status: Enabled + Token Name: NSS Certificate DB + Token Manufacturer: Mozilla Foundation + Token Model: NSS 3 + Token Serial Number: 0000000000000000 + Token Version: 8\&.3 + Token Firmware Version: 0\&.0 + Access: NOT Write Protected + Login Type: Login required + User Pin: Initialized +.fi +.if n \{\ +.RE +.\} +.PP +A related command, +\fB\-rawlist\fR +returns information about the database configuration for the modules\&. (This information can be edited by loading new specs using the +\fB\-rawadd\fR +command\&.) +.sp +.if n \{\ +.RS 4 +.\} +.nf + modutil \-rawlist \-dbdir /home/my/sharednssdb + name="NSS Internal PKCS #11 Module" parameters="configdir=\&. certPrefix= keyPrefix= secmod=secmod\&.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical" +.fi +.if n \{\ +.RE +.\} +.PP +\fBSetting a Default Provider for Security Mechanisms\fR +.PP +Multiple security modules may provide support for the same security mechanisms\&. It is possible to set a specific security module as the default provider for a specific security mechanism (or, conversely, to prohibit a provider from supplying those mechanisms)\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-default modulename \-mechanisms mechanism\-list +.fi +.if n \{\ +.RE +.\} +.PP +To set a module as the default provider for mechanisms, use the +\fB\-default\fR +command with a colon\-separated list of mechanisms\&. The available mechanisms depend on the module; NSS supplies almost all common mechanisms\&. For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-default "NSS Internal PKCS #11 Module" \-dbdir \-mechanisms RSA:DSA:RC2 + +Using database directory c:\edatabases\&.\&.\&. + +Successfully changed defaults\&. +.fi +.if n \{\ +.RE +.\} +.PP +Clearing the default provider has the same format: +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-undefault "NSS Internal PKCS #11 Module" \-dbdir \-mechanisms MD2:MD5 +.fi +.if n \{\ +.RE +.\} +.PP +\fBEnabling and Disabling Modules and Slots\fR +.PP +Modules, and specific slots on modules, can be selectively enabled or disabled using +\fBmodutil\fR\&. Both commands have the same format: +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-enable|\-disable modulename [\-slot slotname] +.fi +.if n \{\ +.RE +.\} +.PP +For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-enable "NSS Internal PKCS #11 Module" \-slot "NSS Internal Cryptographic Services " \-dbdir \&. + +Slot "NSS Internal Cryptographic Services " enabled\&. +.fi +.if n \{\ +.RE +.\} +.PP +Be sure that the appropriate amount of trailing whitespace is after the slot name\&. Some slot names have a significant amount of whitespace that must be included, or the operation will fail\&. +.PP +\fBEnabling and Verifying FIPS Compliance\fR +.PP +The NSS modules can have FIPS 140\-2 compliance enabled or disabled using +\fBmodutil\fR +with the +\fB\-fips\fR +option\&. For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-fips true \-dbdir /home/my/sharednssdb/ + +FIPS mode enabled\&. +.fi +.if n \{\ +.RE +.\} +.PP +To verify that status of FIPS mode, run the +\fB\-chkfips\fR +command with either a true or false flag (it doesn\*(Aqt matter which)\&. The tool returns the current FIPS setting\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-chkfips false \-dbdir /home/my/sharednssdb/ + +FIPS mode enabled\&. +.fi +.if n \{\ +.RE +.\} +.PP +\fBChanging the Password on a Token\fR +.PP +Initializing or changing a token\*(Aqs password: +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-changepw tokenname [\-pwfile old\-password\-file] [\-newpwfile new\-password\-file] +.fi +.if n \{\ +.RE +.\} +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-dbdir /home/my/sharednssdb \-changepw "NSS Certificate DB" + +Enter old password: +Incorrect password, try again\&.\&.\&. +Enter old password: +Enter new password: +Re\-enter new password: +Token "Communicator Certificate DB" password changed successfully\&. +.fi +.if n \{\ +.RE +.\} +.SH "JAR INSTALLATION FILE FORMAT" +.PP +When a JAR file is run by a server, by +\fBmodutil\fR, or by any program that does not interpret JavaScript, a special information file must be included to install the libraries\&. There are several things to keep in mind with this file: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +It must be declared in the JAR archive\*(Aqs manifest file\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +The script can have any name\&. +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +The metainfo tag for this is +\fBPkcs11_install_script\fR\&. To declare meta\-information in the manifest file, put it in a file that is passed to +\fBsigntool\fR\&. +.RE +.PP +\fBSample Script\fR +.PP +For example, the PKCS #11 installer script could be in the file pk11install\&. If so, the metainfo file for +\fBsigntool\fR +includes a line such as this: +.sp +.if n \{\ +.RS 4 +.\} +.nf ++ Pkcs11_install_script: pk11install +.fi +.if n \{\ +.RE +.\} +.PP +The script must define the platform and version number, the module name and file, and any optional information like supported ciphers and mechanisms\&. Multiple platforms can be defined in a single install file\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +ForwardCompatible { IRIX:6\&.2:mips SUNOS:5\&.5\&.1:sparc } +Platforms { + WINNT::x86 { + ModuleName { "Example Module" } + ModuleFile { win32/fort32\&.dll } + DefaultMechanismFlags{0x0001} + DefaultCipherFlags{0x0001} + Files { + win32/setup\&.exe { + Executable + RelativePath { %temp%/setup\&.exe } + } + win32/setup\&.hlp { + RelativePath { %temp%/setup\&.hlp } + } + win32/setup\&.cab { + RelativePath { %temp%/setup\&.cab } + } + } + } + WIN95::x86 { + EquivalentPlatform {WINNT::x86} + } + SUNOS:5\&.5\&.1:sparc { + ModuleName { "Example UNIX Module" } + ModuleFile { unix/fort\&.so } + DefaultMechanismFlags{0x0001} + CipherEnableFlags{0x0001} + Files { + unix/fort\&.so { + RelativePath{%root%/lib/fort\&.so} + AbsolutePath{/usr/local/netscape/lib/fort\&.so} + FilePermissions{555} + } + xplat/instr\&.html { + RelativePath{%root%/docs/inst\&.html} + AbsolutePath{/usr/local/netscape/docs/inst\&.html} + FilePermissions{555} + } + } + } + IRIX:6\&.2:mips { + EquivalentPlatform { SUNOS:5\&.5\&.1:sparc } + } +} +.fi +.if n \{\ +.RE +.\} +.PP +\fBScript Grammar\fR +.PP +The script is basic Java, allowing lists, key\-value pairs, strings, and combinations of all of them\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +\-\-> valuelist + +valuelist \-\-> value valuelist + + +value \-\-\-> key_value_pair + string + +key_value_pair \-\-> key { valuelist } + +key \-\-> string + +string \-\-> simple_string + "complex_string" + +simple_string \-\-> [^ \et\en\e""{""}"]+ + +complex_string \-\-> ([^\e"\e\e\er\en]|(\e\e\e")|(\e\e\e\e))+ +.fi +.if n \{\ +.RE +.\} +.PP +Quotes and backslashes must be escaped with a backslash\&. A complex string must not include newlines or carriage returns\&.Outside of complex strings, all white space (for example, spaces, tabs, and carriage returns) is considered equal and is used only to delimit tokens\&. +.PP +\fBKeys\fR +.PP +The Java install file uses keys to define the platform and module information\&. +.PP +\fBForwardCompatible\fR +gives a list of platforms that are forward compatible\&. If the current platform cannot be found in the list of supported platforms, then the +\fBForwardCompatible\fR +list is checked for any platforms that have the same OS and architecture in an earlier version\&. If one is found, its attributes are used for the current platform\&. +.PP +\fBPlatforms\fR +(required) Gives a list of platforms\&. Each entry in the list is itself a key\-value pair: the key is the name of the platform and the value list contains various attributes of the platform\&. The platform string is in the format +\fIsystem name:OS release:architecture\fR\&. The installer obtains these values from NSPR\&. OS release is an empty string on non\-Unix operating systems\&. NSPR supports these platforms: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +AIX (rs6000) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +BSDI (x86) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +FREEBSD (x86) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +HPUX (hppa1\&.1) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +IRIX (mips) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +LINUX (ppc, alpha, x86) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +MacOS (PowerPC) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +NCR (x86) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +NEC (mips) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +OS2 (x86) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +OSF (alpha) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +ReliantUNIX (mips) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SCO (x86) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SOLARIS (sparc) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SONY (mips) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SUNOS (sparc) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +UnixWare (x86) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +WIN16 (x86) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +WIN95 (x86) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +WINNT (x86) +.RE +.PP +For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +IRIX:6\&.2:mips +SUNOS:5\&.5\&.1:sparc +Linux:2\&.0\&.32:x86 +WIN95::x86 +.fi +.if n \{\ +.RE +.\} +.PP +The module information is defined independently for each platform in the +\fBModuleName\fR, +\fBModuleFile\fR, and +\fBFiles\fR +attributes\&. These attributes must be given unless an +\fBEquivalentPlatform\fR +attribute is specified\&. +.PP +\fBPer\-Platform Keys\fR +.PP +Per\-platform keys have meaning only within the value list of an entry in the +\fBPlatforms\fR +list\&. +.PP +\fBModuleName\fR +(required) gives the common name for the module\&. This name is used to reference the module by servers and by the +\fBmodutil\fR +tool\&. +.PP +\fBModuleFile\fR +(required) names the PKCS #11 module file for this platform\&. The name is given as the relative path of the file within the JAR archive\&. +.PP +\fBFiles\fR +(required) lists the files that need to be installed for this module\&. Each entry in the file list is a key\-value pair\&. The key is the path of the file in the JAR archive, and the value list contains attributes of the file\&. At least +\fBRelativePath\fR +or +\fBAbsolutePath\fR +must be specified for each file\&. +.PP +\fBDefaultMechanismFlags\fR +specifies mechanisms for which this module is the default provider; this is equivalent to the +\fB\-mechanism\fR +option with the +\fB\-add\fR +command\&. This key\-value pair is a bitstring specified in hexadecimal (0x) format\&. It is constructed as a bitwise OR\&. If the DefaultMechanismFlags entry is omitted, the value defaults to 0x0\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +RSA: 0x00000001 +DSA: 0x00000002 +RC2: 0x00000004 +RC4: 0x00000008 +DES: 0x00000010 +DH: 0x00000020 +FORTEZZA: 0x00000040 +RC5: 0x00000080 +SHA1: 0x00000100 +MD5: 0x00000200 +MD2: 0x00000400 +RANDOM: 0x08000000 +FRIENDLY: 0x10000000 +OWN_PW_DEFAULTS: 0x20000000 +DISABLE: 0x40000000 +.fi +.if n \{\ +.RE +.\} +.PP +\fBCipherEnableFlags\fR +specifies ciphers that this module provides that NSS does not provide (so that the module enables those ciphers for NSS)\&. This is equivalent to the +\fB\-cipher\fR +argument with the +\fB\-add\fR +command\&. This key is a bitstring specified in hexadecimal (0x) format\&. It is constructed as a bitwise OR\&. If the +\fBCipherEnableFlags\fR +entry is omitted, the value defaults to 0x0\&. +.PP +\fBEquivalentPlatform\fR +specifies that the attributes of the named platform should also be used for the current platform\&. This makes it easier when more than one platform uses the same settings\&. +.PP +\fBPer\-File Keys\fR +.PP +Some keys have meaning only within the value list of an entry in a +\fBFiles\fR +list\&. +.PP +Each file requires a path key the identifies where the file is\&. Either +\fBRelativePath\fR +or +\fBAbsolutePath\fR +must be specified\&. If both are specified, the relative path is tried first, and the absolute path is used only if no relative root directory is provided by the installer program\&. +.PP +\fBRelativePath\fR +specifies the destination directory of the file, relative to some directory decided at install time\&. Two variables can be used in the relative path: +\fB%root%\fR +and +\fB%temp%\fR\&. +\fB%root%\fR +is replaced at run time with the directory relative to which files should be installed; for example, it may be the server\*(Aqs root directory\&. The +\fB%temp%\fR +directory is created at the beginning of the installation and destroyed at the end\&. The purpose of +\fB%temp%\fR +is to hold executable files (such as setup programs) or files that are used by these programs\&. Files destined for the temporary directory are guaranteed to be in place before any executable file is run; they are not deleted until all executable files have finished\&. +.PP +\fBAbsolutePath\fR +specifies the destination directory of the file as an absolute path\&. +.PP +\fBExecutable\fR +specifies that the file is to be executed during the course of the installation\&. Typically, this string is used for a setup program provided by a module vendor, such as a self\-extracting setup executable\&. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file\&. +.PP +\fBFilePermissions\fR +sets permissions on any referenced files in a string of octal digits, according to the standard Unix format\&. This string is a bitwise OR\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +user read: 0400 +user write: 0200 +user execute: 0100 +group read: 0040 +group write: 0020 +group execute: 0010 +other read: 0004 +other write: 0002 +other execute: 0001 +.fi +.if n \{\ +.RE +.\} +.PP +Some platforms may not understand these permissions\&. They are applied only insofar as they make sense for the current platform\&. If this attribute is omitted, a default of 777 is assumed\&. +.SH "NSS DATABASE TYPES" +.PP +NSS originally used BerkeleyDB databases to store security information\&. The last versions of these +\fIlegacy\fR +databases are: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +cert8\&.db for certificates +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +key3\&.db for keys +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +secmod\&.db for PKCS #11 module information +.RE +.PP +BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously\&. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues\&. Still, NSS requires more flexibility to provide a truly shared security database\&. +.PP +In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkleyDB\&. These new databases provide more accessibility and performance: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +cert9\&.db for certificates +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +key4\&.db for keys +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +pkcs11\&.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory +.RE +.PP +Because the SQLite databases are designed to be shared, these are the +\fIshared\fR +database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&. +.PP +By default, the tools (\fBcertutil\fR, +\fBpk12util\fR, +\fBmodutil\fR) assume that the given security databases use the SQLite type\&. Using the legacy databases must be manually specified by using the +\fBdbm:\fR +prefix with the given security directory\&. For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +modutil \-create \-dbdir dbm:/home/my/sharednssdb +.fi +.if n \{\ +.RE +.\} +.PP +To set the legacy database type as the default type for the tools, set the +\fBNSS_DEFAULT_DB_TYPE\fR +environment variable to +\fBdbm\fR: +.sp +.if n \{\ +.RS 4 +.\} +.nf +export NSS_DEFAULT_DB_TYPE="dbm" +.fi +.if n \{\ +.RE +.\} +.PP +This line can be added to the +~/\&.bashrc +file to make the change permanent for the user\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto +.RE +.PP +For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB +.RE +.SH "SEE ALSO" +.PP +certutil (1) +.PP +pk12util (1) +.PP +signtool (1) +.PP +The NSS wiki has information on the new database design and how to configure applications to use it\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB +.RE +.SH "ADDITIONAL RESOURCES" +.PP +For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at +\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Elio Maldonado , Deon Lackey \&. +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE diff --git a/security/nss/doc/nroff/pk12util.1 b/security/nss/doc/nroff/pk12util.1 new file mode 100644 index 0000000000..9cf7c88906 --- /dev/null +++ b/security/nss/doc/nroff/pk12util.1 @@ -0,0 +1,872 @@ +'\" t +.\" Title: PK12UTIL +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 19 May 2021 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "PK12UTIL" "1" "19 May 2021" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pk12util \- Export and import keys and certificate to or from a PKCS #12 file and the NSS database +.SH "SYNOPSIS" +.HP \w'\fBpk12util\fR\ 'u +\fBpk12util\fR [\-i\ p12File|\-l\ p12File|\-o\ p12File] [\-c\ keyCipher] [\-C\ certCipher] [\-d\ directory] [\-h\ tokenname] [\-m\ |\ \-\-key\-len\ keyLength] [\-M\ hashAlg] [\-n\ certname] [\-P\ dbprefix] [\-r] [\-v] [\-\-cert\-key\-len\ certKeyLength] [\-k\ slotPasswordFile|\-K\ slotPassword] [\-w\ p12filePasswordFile|\-W\ p12filePassword] +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +The PKCS #12 utility, +\fBpk12util\fR, enables sharing certificates among any server that supports PKCS #12\&. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys\&. +.SH "OPTIONS AND ARGUMENTS" +.PP +\fBOptions\fR +.PP +\-i p12file +.RS 4 +Import keys and certificates from a PKCS #12 file into a security database\&. +.RE +.PP +\-l p12file +.RS 4 +List the keys and certificates in PKCS #12 file\&. +.RE +.PP +\-o p12file +.RS 4 +Export keys and certificates from the security database to a PKCS #12 file\&. +.RE +.PP +\fBArguments\fR +.PP +\-c keyCipher +.RS 4 +Specify the key encryption algorithm\&. +.RE +.PP +\-C certCipher +.RS 4 +Specify the certiticate encryption algorithm\&. +.RE +.PP +\-d directory +.RS 4 +Specify the database directory into which to import to or export from certificates and keys\&. +.sp +\fBpk12util\fR +supports two types of databases: the legacy security databases (cert8\&.db, +key3\&.db, and +secmod\&.db) and new SQLite databases (cert9\&.db, +key4\&.db, and +pkcs11\&.txt)\&. If the prefix +\fBdbm:\fR +is not used, then the tool assumes that the given databases are in the SQLite format\&. +.RE +.PP +\-h tokenname +.RS 4 +Specify the name of the token to import into or export from\&. +.RE +.PP +\-k slotPasswordFile +.RS 4 +Specify the text file containing the slot\*(Aqs password\&. +.RE +.PP +\-K slotPassword +.RS 4 +Specify the slot\*(Aqs password\&. +.RE +.PP +\-m | \-\-key\-len keyLength +.RS 4 +Specify the desired length of the symmetric key to be used to encrypt the private key\&. +.RE +.PP +\-M hashAlg +.RS 4 +Specify the hash algorithm used in the pkcs #12 mac\&. This algorithm also specifies the HMAC used in the prf when using pkcs #5 v2\&. +.RE +.PP +\-\-cert\-key\-len certKeyLength +.RS 4 +Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta\-data\&. +.RE +.PP +\-n certname +.RS 4 +Specify the nickname of the cert and private key to export\&. +.sp +The nickname can also be a PKCS #11 URI\&. For example, if you have a certificate named "my\-server\-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my\-server\-cert"\&. For details about the format, see RFC 7512\&. +.RE +.PP +\-P prefix +.RS 4 +Specify the prefix used on the certificate and key databases\&. This option is provided as a special case\&. Changing the names of the certificate and key databases is not recommended\&. +.RE +.PP +\-r +.RS 4 +Dumps all of the data in raw (binary) form\&. This must be saved as a DER file\&. The default is to return information in a pretty\-print ASCII format, which displays the information about the certificates and public keys in the p12 file\&. +.RE +.PP +\-v +.RS 4 +Enable debug logging when importing\&. +.RE +.PP +\-w p12filePasswordFile +.RS 4 +Specify the text file containing the pkcs #12 file password\&. +.RE +.PP +\-W p12filePassword +.RS 4 +Specify the pkcs #12 file password\&. +.RE +.SH "RETURN CODES" +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +0 \- No error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +1 \- User Cancelled +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +2 \- Usage error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +6 \- NLS init error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +8 \- Certificate DB open error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +9 \- Key DB open error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +10 \- File initialization error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +11 \- Unicode conversion error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +12 \- Temporary file creation error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +13 \- PKCS11 get slot error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +14 \- PKCS12 decoder start error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +15 \- error read from import file +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +16 \- pkcs12 decode error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +17 \- pkcs12 decoder verify error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +18 \- pkcs12 decoder validate bags error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +19 \- pkcs12 decoder import bags error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +20 \- key db conversion version 3 to version 2 error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +21 \- cert db conversion version 7 to version 5 error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +22 \- cert and key dbs patch error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +23 \- get default cert db error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +24 \- find cert by nickname error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +25 \- create export context error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +26 \- PKCS12 add password itegrity error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +27 \- cert and key Safes creation error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +28 \- PKCS12 add cert and key error +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +29 \- PKCS12 encode error +.RE +.SH "EXAMPLES" +.PP +\fBImporting Keys and Certificates\fR +.PP +The most basic usage of +\fBpk12util\fR +for importing a certificate or key is the PKCS #12 input file (\fB\-i\fR) and some way to specify the security database being accessed (either +\fB\-d\fR +for a directory or +\fB\-h\fR +for a token)\&. +.PP +pk12util \-i p12File [\-h tokenname] [\-v] [\-d directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] +.PP +For example: +.PP + +.sp +.if n \{\ +.RS 4 +.\} +.nf +# pk12util \-i /tmp/cert\-files/users\&.p12 \-d /home/my/sharednssdb + +Enter a password which will be used to encrypt your keys\&. +The password should be at least 8 characters long, +and should contain at least one non\-alphabetic character\&. + +Enter new password: +Re\-enter password: +Enter password for PKCS12 file: +pk12util: PKCS12 IMPORT SUCCESSFUL +.fi +.if n \{\ +.RE +.\} +.PP +\fBExporting Keys and Certificates\fR +.PP +Using the +\fBpk12util\fR +command to export certificates and keys requires both the name of the certificate to extract from the database (\fB\-n\fR) and the PKCS #12\-formatted output file to write to\&. There are optional parameters that can be used to encrypt the file to protect the certificate material\&. +.PP +pk12util \-o p12File \-n certname [\-c keyCipher] [\-C certCipher] [\-m|\-\-key_len keyLen] [\-n|\-\-cert_key_len certKeyLen] [\-d directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] +.PP +For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +# pk12util \-o certs\&.p12 \-n Server\-Cert \-d /home/my/sharednssdb +Enter password for PKCS12 file: +Re\-enter password: +.fi +.if n \{\ +.RE +.\} +.PP +\fBListing Keys and Certificates\fR +.PP +The information in a +\&.p12 +file are not human\-readable\&. The certificates and keys in the file can be printed (listed) in a human\-readable pretty\-print format that shows information for every certificate and any public keys in the +\&.p12 +file\&. +.PP +pk12util \-l p12File [\-h tokenname] [\-r] [\-d directory] [\-P dbprefix] [\-k slotPasswordFile|\-K slotPassword] [\-w p12filePasswordFile|\-W p12filePassword] +.PP +For example, this prints the default ASCII output: +.sp +.if n \{\ +.RS 4 +.\} +.nf +# pk12util \-l certs\&.p12 + +Enter password for PKCS12 file: +Key(shrouded): + Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID + + Encryption algorithm: PKCS #12 V2 PBE With SHA\-1 And 3KEY Triple DES\-CBC + Parameters: + Salt: + 45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f + Iteration Count: 1 (0x1) +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 13 (0xd) + Signature Algorithm: PKCS #1 SHA\-1 With RSA Encryption + Issuer: "E=personal\-freemail@thawte\&.com,CN=Thawte Personal Freemail C + A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T + own,ST=Western Cape,C=ZA" + +.fi +.if n \{\ +.RE +.\} +.PP +Alternatively, the +\fB\-r\fR +prints the certificates and then exports them into separate DER binary files\&. This allows the certificates to be fed to another application that supports +\&.p12 +files\&. Each certificate is written to a sequentially\-number file, beginning with +file0001\&.der +and continuing through +file000N\&.der, incrementing the number for every certificate: +.sp +.if n \{\ +.RS 4 +.\} +.nf +pk12util \-l test\&.p12 \-r +Enter password for PKCS12 file: +Key(shrouded): + Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID + + Encryption algorithm: PKCS #12 V2 PBE With SHA\-1 And 3KEY Triple DES\-CBC + Parameters: + Salt: + 45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f + Iteration Count: 1 (0x1) +Certificate Friendly Name: Thawte Personal Freemail Issuing CA \- Thawte Consulting + +Certificate Friendly Name: Thawte Freemail Member\*(Aqs Thawte Consulting (Pty) Ltd\&. ID + +.fi +.if n \{\ +.RE +.\} +.SH "PASSWORD ENCRYPTION" +.PP +PKCS #12 provides for not only the protection of the private keys but also the certificate and meta\-data associated with the keys\&. Password\-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates\&. If no algorithm is specified, the tool defaults to using PKCS #12 SHA\-1 and 3\-key triple DES for private key encryption\&. When not in FIPS mode, PKCS #12 SHA\-1 and 40\-bit RC4 is used for certificate encryption\&. When in FIPS mode, there is no certificate encryption\&. If certificate encryption is not wanted, specify +\fB"NONE"\fR +as the argument of the +\fB\-C\fR +option\&. +.PP +The private key is always protected with strong encryption by default\&. +.PP +Several types of ciphers are supported\&. +.PP +PKCS #5 password\-based encryption +.RS 4 +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +PBES2 with AES\-CBC\-Pad as underlying encryption scheme (\fB"AES\-128\-CBC"\fR, +\fB"AES\-192\-CBC"\fR, and +\fB"AES\-256\-CBC"\fR) +.RE +.RE +.PP +PKCS #12 password\-based encryption +.RS 4 +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SHA\-1 and 128\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC4"\fR +or +\fB"RC4"\fR) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SHA\-1 and 40\-bit RC4 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC4"\fR) (used by default for certificate encryption in non\-FIPS mode) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SHA\-1 and 3\-key triple\-DES (\fB"PKCS #12 V2 PBE With SHA\-1 And 3KEY Triple DES\-CBC"\fR +or +\fB"DES\-EDE3\-CBC"\fR) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SHA\-1 and 128\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 128 Bit RC2 CBC"\fR +or +\fB"RC2\-CBC"\fR) +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +SHA\-1 and 40\-bit RC2 (\fB"PKCS #12 V2 PBE With SHA\-1 And 40 Bit RC2 CBC"\fR) +.RE +.RE +.PP +With PKCS #12, the crypto provider may be the soft token module or an external hardware module\&. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default)\&. If no suitable replacement for the desired algorithm can be found, the tool returns the error +\fIno security module can perform the requested operation\fR\&. +.SH "NSS DATABASE TYPES" +.PP +NSS originally used BerkeleyDB databases to store security information\&. The last versions of these +\fIlegacy\fR +databases are: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +cert8\&.db for certificates +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +key3\&.db for keys +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +secmod\&.db for PKCS #11 module information +.RE +.PP +BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously\&. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues\&. Still, NSS requires more flexibility to provide a truly shared security database\&. +.PP +In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkleyDB\&. These new databases provide more accessibility and performance: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +cert9\&.db for certificates +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +key4\&.db for keys +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +pkcs11\&.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory +.RE +.PP +Because the SQLite databases are designed to be shared, these are the +\fIshared\fR +database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&. +.PP +By default, the tools (\fBcertutil\fR, +\fBpk12util\fR, +\fBmodutil\fR) assume that the given security databases use the SQLite type Using the legacy databases must be manually specified by using the +\fBdbm:\fR +prefix with the given security directory\&. For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +# pk12util \-i /tmp/cert\-files/users\&.p12 \-d dbm:/home/my/sharednssdb +.fi +.if n \{\ +.RE +.\} +.PP +To set the legacy database type as the default type for the tools, set the +\fBNSS_DEFAULT_DB_TYPE\fR +environment variable to +\fBdbm\fR: +.sp +.if n \{\ +.RS 4 +.\} +.nf +export NSS_DEFAULT_DB_TYPE="dbm" +.fi +.if n \{\ +.RE +.\} +.PP +This line can be set added to the +~/\&.bashrc +file to make the change permanent\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto +.RE +.PP +For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB +.RE +.SH "COMPATIBILITY NOTES" +.PP +The exporting behavior of +\fBpk12util\fR +has changed over time, while importing files exported with older versions of NSS is still supported\&. +.PP +Until the 3\&.30 release, +\fBpk12util\fR +used the UTF\-16 encoding for the PKCS #5 password\-based encryption schemes, while the recommendation is to encode passwords in UTF\-8 if the used encryption scheme is defined outside of the PKCS #12 standard\&. +.PP +Until the 3\&.31 release, even when +\fB"AES\-128\-CBC"\fR +or +\fB"AES\-192\-CBC"\fR +is given from the command line, +\fBpk12util\fR +always used 256\-bit AES as the underlying encryption scheme\&. +.PP +For historical reasons, +\fBpk12util\fR +accepts password\-based encryption schemes not listed in this document\&. However, those schemes are not officially supported and may have issues in interoperability with other tools\&. +.SH "SEE ALSO" +.PP +certutil (1) +.PP +modutil (1) +.PP +The NSS wiki has information on the new database design and how to configure applications to use it\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB +.RE +.SH "ADDITIONAL RESOURCES" +.PP +For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at +\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Elio Maldonado , Deon Lackey \&. +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE diff --git a/security/nss/doc/nroff/pp.1 b/security/nss/doc/nroff/pp.1 new file mode 100644 index 0000000000..ce536817ed --- /dev/null +++ b/security/nss/doc/nroff/pp.1 @@ -0,0 +1,108 @@ +'\" t +.\" Title: PP +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 19 May 2021 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "PP" "1" "19 May 2021" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pp \- Prints certificates, keys, crls, and pkcs7 files +.SH "SYNOPSIS" +.HP \w'\fBpp\ \-t\ type\ [\-a]\ [\-i\ input]\ [\-o\ output]\ [\-u]\ [\-w]\fR\ 'u +\fBpp \-t type [\-a] [\-i input] [\-o output] [\-u] [\-w]\fR +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +\fBpp \fRpretty\-prints private and public key, certificate, certificate\-request, pkcs7, pkcs12 or crl files +.SH "OPTIONS" +.PP +\fB\-t \fR \fItype\fR +.RS 4 +specify the input, one of {private\-key | public\-key | certificate | certificate\-request | pkcs7 | pkcs12 | crl | name} +.sp +.RE +.PP +\fB\-a \fR +.RS 4 +Input is in ascii encoded form (RFC1113) +.RE +.PP +\fB\-i \fR \fIinputfile\fR +.RS 4 +Define an input file to use (default is stdin) +.RE +.PP +\fB\-o \fR \fIoutputfile\fR +.RS 4 +Define an output file to use (default is stdout) +.RE +.PP +\fB\-u \fR +.RS 4 +Use UTF\-8 (default is to show non\-ascii as \&.) +.RE +.PP +\fB\-w \fR +.RS 4 +Don\*(Aqt wrap long output lines +.RE +.SH "ADDITIONAL RESOURCES" +.PP +NSS is maintained in conjunction with PKI and security\-related projects through Mozilla and Fedora\&. The most closely\-related project is Dogtag PKI, with a project wiki at +\m[blue]\fBPKI Wiki\fR\m[]\&\s-2\u[2]\d\s+2\&. +.PP +For information specifically about NSS, the NSS project wiki is located at +\m[blue]\fBMozilla NSS site\fR\m[]\&\s-2\u[3]\d\s+2\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: pki\-devel@redhat\&.com and pki\-users@redhat\&.com +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Elio Maldonado , Deon Lackey \&. +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE +.IP " 2." 4 +PKI Wiki +.RS 4 +\%http://pki.fedoraproject.org/wiki/ +.RE +.IP " 3." 4 +Mozilla NSS site +.RS 4 +\%http://www.mozilla.org/projects/security/pki/nss/ +.RE diff --git a/security/nss/doc/nroff/signtool.1 b/security/nss/doc/nroff/signtool.1 new file mode 100644 index 0000000000..1acfd7856a --- /dev/null +++ b/security/nss/doc/nroff/signtool.1 @@ -0,0 +1,681 @@ +'\" t +.\" Title: signtool +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 19 May 2021 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "SIGNTOOL" "1" "19 May 2021" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +signtool \- Digitally sign objects and files\&. +.SH "SYNOPSIS" +.HP \w'\fBsigntool\fR\ 'u +\fBsigntool\fR [[\-b\ basename]] [[\-c\ Compression\ Level]] [[\-d\ cert\-dir]] [[\-e\ extension]] [[\-f\ filename]] [[\-i\ installer\ script]] [[\-h]] [[\-H]] [[\-v]] [[\-w]] [[\-G\ nickname]] [[\-J]] [[\-j\ directory]] [\-k\ keyName] [[\-\-keysize\ |\ \-s\ size]] [[\-l]] [[\-L]] [[\-M]] [[\-m\ metafile]] [[\-\-norecurse]] [[\-O]] [[\-o]] [[\-\-outfile]] [[\-p\ password]] [[\-t|\-\-token\ tokenname]] [[\-z]] [[\-X]] [[\-x\ name]] [[\-\-verbose\ value]] [[\-\-leavearc]] [[\-Z\ jarfile]] [directory\-tree] [archive] +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +The Signing Tool, +\fBsigntool\fR, creates digital signatures and uses a Java Archive (JAR) file to associate the signatures with files in a directory\&. Electronic software distribution over any network involves potential security problems\&. To help address some of these problems, you can associate digital signatures with the files in a JAR archive\&. Digital signatures allow SSL\-enabled clients to perform two important operations: +.PP +* Confirm the identity of the individual, company, or other entity whose digital signature is associated with the files +.PP +* Check whether the files have been tampered with since being signed +.PP +If you have a signing certificate, you can use Netscape Signing Tool to digitally sign files and package them as a JAR file\&. An object\-signing certificate is a special kind of certificate that allows you to associate your digital signature with one or more files\&. +.PP +An individual file can potentially be signed with multiple digital signatures\&. For example, a commercial software developer might sign the files that constitute a software product to prove that the files are indeed from a particular company\&. A network administrator manager might sign the same files with an additional digital signature based on a company\-generated certificate to indicate that the product is approved for use within the company\&. +.PP +The significance of a digital signature is comparable to the significance of a handwritten signature\&. Once you have signed a file, it is difficult to claim later that you didn\*(Aqt sign it\&. In some situations, a digital signature may be considered as legally binding as a handwritten signature\&. Therefore, you should take great care to ensure that you can stand behind any file you sign and distribute\&. +.PP +For example, if you are a software developer, you should test your code to make sure it is virus\-free before signing it\&. Similarly, if you are a network administrator, you should make sure, before signing any code, that it comes from a reliable source and will run correctly with the software installed on the machines to which you are distributing it\&. +.PP +Before you can use Netscape Signing Tool to sign files, you must have an object\-signing certificate, which is a special certificate whose associated private key is used to create digital signatures\&. For testing purposes only, you can create an object\-signing certificate with Netscape Signing Tool 1\&.3\&. When testing is finished and you are ready to disitribute your software, you should obtain an object\-signing certificate from one of two kinds of sources: +.PP +* An independent certificate authority (CA) that authenticates your identity and charges you a fee\&. You typically get a certificate from an independent CA if you want to sign software that will be distributed over the Internet\&. +.PP +* CA server software running on your corporate intranet or extranet\&. Netscape Certificate Management System provides a complete management solution for creating, deploying, and managing certificates, including CAs that issue object\-signing certificates\&. +.PP +You must also have a certificate for the CA that issues your signing certificate before you can sign files\&. If the certificate authority\*(Aqs certificate isn\*(Aqt already installed in your copy of Communicator, you typically install it by clicking the appropriate link on the certificate authority\*(Aqs web site, for example on the page from which you initiated enrollment for your signing certificate\&. This is the case for some test certificates, as well as certificates issued by Netscape Certificate Management System: you must download the the CA certificate in addition to obtaining your own signing certificate\&. CA certificates for several certificate authorities are preinstalled in the Communicator certificate database\&. +.PP +When you receive an object\-signing certificate for your own use, it is automatically installed in your copy of the Communicator client software\&. Communicator supports the public\-key cryptography standard known as PKCS #12, which governs key portability\&. You can, for example, move an object\-signing certificate and its associated private key from one computer to another on a credit\-card\-sized device called a smart card\&. +.SH "OPTIONS" +.PP +\-b basename +.RS 4 +Specifies the base filename for the \&.rsa and \&.sf files in the META\-INF directory to conform with the JAR format\&. For example, +\fI\-b signatures\fR +causes the files to be named signatures\&.rsa and signatures\&.sf\&. The default is signtool\&. +.RE +.PP +\-c# +.RS 4 +Specifies the compression level for the \-J or \-Z option\&. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression\&. The higher the level of compression, the smaller the output but the longer the operation takes\&. If the \-c# option is not used with either the \-J or the \-Z option, the default compression value used by both the \-J and \-Z options is 6\&. +.RE +.PP +\-d certdir +.RS 4 +Specifies your certificate database directory; that is, the directory in which you placed your key3\&.db and cert7\&.db files\&. To specify the current directory, use "\-d\&." (including the period)\&. The Unix version of signtool assumes ~/\&.netscape unless told otherwise\&. The NT version of signtool always requires the use of the \-d option to specify where the database files are located\&. +.RE +.PP +\-e extension +.RS 4 +Tells signtool to sign only files with the given extension; for example, use \-e"\&.class" to sign only Java class files\&. Note that with Netscape Signing Tool version 1\&.1 and later this option can appear multiple times on one command line, making it possible to specify multiple file types or classes to include\&. +.RE +.PP +\-f commandfile +.RS 4 +Specifies a text file containing Netscape Signing Tool options and arguments in keyword=value format\&. All options and arguments can be expressed through this file\&. For more information about the syntax used with this file, see "Tips and Techniques"\&. +.RE +.PP +\-G nickname +.RS 4 +Generates a new private\-public key pair and corresponding object\-signing certificate with the given nickname\&. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the \-d option\&. With the NT version of Netscape Signing Tool, you must use the \-d option with the \-G option\&. With the Unix version of Netscape Signing Tool, omitting the \-d option causes the tool to install the keys and certificate in the Communicator key and certificate databases\&. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases\&. In all cases, the certificate is also output to a file named x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with \-G is not signed by a recognized certificate authority\&. Instead, it is self\-signed\&. In addition, a single test signing certificate functions as both an object\-signing certificate and a CA\&. When you are using it to sign objects, it behaves like an object\-signing certificate\&. When it is imported into browser software such as Communicator, it behaves like an object\-signing CA and cannot be used to sign objects\&. The \-G option is available in Netscape Signing Tool 1\&.0 and later versions only\&. By default, it produces only RSA certificates with 1024\-byte keys in the internal token\&. However, you can use the \-s option specify the required key size and the \-t option to specify the token\&. +.RE +.PP +\-i scriptname +.RS 4 +Specifies the name of an installer script for SmartUpdate\&. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature\&. For more details, see the description of \-m that follows\&. The \-i option provides a straightforward way to provide this information if you don\*(Aqt need to specify any metadata other than an installer script\&. +.RE +.PP +\-J +.RS 4 +Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags\&. Even if signtool creates more than one archive file, you need to supply the key database password only once\&. The \-J option is available only in Netscape Signing Tool 1\&.0 and later versions\&. The \-J option cannot be used at the same time as the \-Z option\&. If the \-c# option is not used with the \-J option, the default compression value is 6\&. Note that versions 1\&.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages\&. +.RE +.PP +\-j directory +.RS 4 +Specifies a special JavaScript directory\&. This option causes the specified directory to be signed and tags its entries as inline JavaScript\&. This special type of entry does not have to appear in the JAR file itself\&. Instead, it is located in the HTML page containing the inline scripts\&. When you use signtool \-v, these entries are displayed with the string NOT PRESENT\&. +.RE +.PP +\-k key \&.\&.\&. directory +.RS 4 +Specifies the nickname (key) of the certificate you want to sign with and signs the files in the specified directory\&. The directory to sign is always specified as the last command\-line argument\&. Thus, it is possible to write signtool \-k MyCert \-d \&. signdir You may have trouble if the nickname contains a single quotation mark\&. To avoid problems, escape the quotation mark using the escape conventions for your platform\&. It\*(Aqs also possible to use the \-k option without signing any files or specifying a directory\&. For example, you can use it with the \-l option to get detailed information about a particular signing certificate\&. +.RE +.PP +\-l +.RS 4 +Lists signing certificates, including issuing CAs\&. If any of your certificates are expired or invalid, the list will so specify\&. This option can be used with the \-k option to list detailed information about a particular signing certificate\&. The \-l option is available in Netscape Signing Tool 1\&.0 and later versions only\&. +.RE +.PP +\-L +.RS 4 +Lists the certificates in your database\&. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool\&. +.RE +.PP +\-\-leavearc +.RS 4 +Retains the temporary \&.arc (archive) directories that the \-J option creates\&. These directories are automatically erased by default\&. Retaining the temporary directories can be an aid to debugging\&. +.RE +.PP +\-m metafile +.RS 4 +Specifies the name of a metadata control file\&. Metadata is signed information attached either to the JAR archive itself or to files within the archive\&. This metadata can be any ASCII string, but is used mainly for specifying an installer script\&. The metadata file contains one entry per line, each with three fields: field #1: file specification, or + if you want to specify global metadata (that is, metadata about the JAR archive itself or all entries in the archive) field #2: the name of the data you are specifying; for example: Install\-Script field #3: data corresponding to the name in field #2 For example, the \-i option uses the equivalent of this line: + Install\-Script: script\&.js This example associates a MIME type with a file: movie\&.qt MIME\-Type: video/quicktime For information about the way installer script information appears in the manifest file for a JAR archive, see The JAR Format on Netscape DevEdge\&. +.RE +.PP +\-M +.RS 4 +Lists the PKCS #11 modules available to signtool, including smart cards\&. The \-M option is available in Netscape Signing Tool 1\&.0 and later versions only\&. For information on using Netscape Signing Tool with smart cards, see "Using Netscape Signing Tool with Smart Cards"\&. For information on using the \-M option to verify FIPS\-140\-1 validated mode, see "Netscape Signing Tool and FIPS\-140\-1"\&. +.RE +.PP +\-\-norecurse +.RS 4 +Blocks recursion into subdirectories when signing a directory\*(Aqs contents or when parsing HTML\&. +.RE +.PP +\-o +.RS 4 +Optimizes the archive for size\&. Use this only if you are signing very large archives containing hundreds of files\&. This option makes the manifest files (required by the JAR format) considerably smaller, but they contain slightly less information\&. +.RE +.PP +\-\-outfile outputfile +.RS 4 +Specifies a file to receive redirected output from Netscape Signing Tool\&. +.RE +.PP +\-p password +.RS 4 +Specifies a password for the private\-key database\&. Note that the password entered on the command line is displayed as plain text\&. +.RE +.PP +\-s keysize +.RS 4 +Specifies the size of the key for generated certificate\&. Use the \-M option to find out what tokens are available\&. The \-s option can be used with the \-G option only\&. +.RE +.PP +\-t token +.RS 4 +Specifies which available token should generate the key and receive the certificate\&. Use the \-M option to find out what tokens are available\&. The \-t option can be used with the \-G option only\&. +.RE +.PP +\-v archive +.RS 4 +Displays the contents of an archive and verifies the cryptographic integrity of the digital signatures it contains and the files with which they are associated\&. This includes checking that the certificate for the issuer of the object\-signing certificate is listed in the certificate database, that the CA\*(Aqs digital signature on the object\-signing certificate is valid, that the relevant certificates have not expired, and so on\&. +.RE +.PP +\-\-verbosity value +.RS 4 +Sets the quantity of information Netscape Signing Tool generates in operation\&. A value of 0 (zero) is the default and gives full information\&. A value of \-1 suppresses most messages, but not error messages\&. +.RE +.PP +\-w archive +.RS 4 +Displays the names of signers of any files in the archive\&. +.RE +.PP +\-x directory +.RS 4 +Excludes the specified directory from signing\&. Note that with Netscape Signing Tool version 1\&.1 and later this option can appear multiple times on one command line, making it possible to specify several particular directories to exclude\&. +.RE +.PP +\-z +.RS 4 +Tells signtool not to store the signing time in the digital signature\&. This option is useful if you want the expiration date of the signature checked against the current date and time rather than the time the files were signed\&. +.RE +.PP +\-Z jarfile +.RS 4 +Creates a JAR file with the specified name\&. You must specify this option if you want signtool to create the JAR file; it does not do so automatically\&. If you don\*(Aqt specify \-Z, you must use an external ZIP tool to create the JAR file\&. The \-Z option cannot be used at the same time as the \-J option\&. If the \-c# option is not used with the \-Z option, the default compression value is 6\&. +.RE +.SH "THE COMMAND FILE FORMAT" +.PP +Entries in a Netscape Signing Tool command file have this general format: keyword=value Everything before the = sign on a single line is a keyword, and everything from the = sign to the end of line is a value\&. The value may include = signs; only the first = sign on a line is interpreted\&. Blank lines are ignored, but white space on a line with keywords and values is assumed to be part of the keyword (if it comes before the equal sign) or part of the value (if it comes after the first equal sign)\&. Keywords are case insensitive, values are generally case sensitive\&. Since the = sign and newline delimit the value, it should not be quoted\&. +.PP +\fBSubsection\fR +.PP +basename +.RS 4 +Same as \-b option\&. +.RE +.PP +compression +.RS 4 +Same as \-c option\&. +.RE +.PP +certdir +.RS 4 +Same as \-d option\&. +.RE +.PP +extension +.RS 4 +Same as \-e option\&. +.RE +.PP +generate +.RS 4 +Same as \-G option\&. +.RE +.PP +installscript +.RS 4 +Same as \-i option\&. +.RE +.PP +javascriptdir +.RS 4 +Same as \-j option\&. +.RE +.PP +htmldir +.RS 4 +Same as \-J option\&. +.RE +.PP +certname +.RS 4 +Nickname of certificate, as with \-k and \-l \-k options\&. +.RE +.PP +signdir +.RS 4 +The directory to be signed, as with \-k option\&. +.RE +.PP +list +.RS 4 +Same as \-l option\&. Value is ignored, but = sign must be present\&. +.RE +.PP +listall +.RS 4 +Same as \-L option\&. Value is ignored, but = sign must be present\&. +.RE +.PP +metafile +.RS 4 +Same as \-m option\&. +.RE +.PP +modules +.RS 4 +Same as \-M option\&. Value is ignored, but = sign must be present\&. +.RE +.PP +optimize +.RS 4 +Same as \-o option\&. Value is ignored, but = sign must be present\&. +.RE +.PP +password +.RS 4 +Same as \-p option\&. +.RE +.PP +keysize +.RS 4 +Same as \-s option\&. +.RE +.PP +token +.RS 4 +Same as \-t option\&. +.RE +.PP +verify +.RS 4 +Same as \-v option\&. +.RE +.PP +who +.RS 4 +Same as \-w option\&. +.RE +.PP +exclude +.RS 4 +Same as \-x option\&. +.RE +.PP +notime +.RS 4 +Same as \-z option\&. value is ignored, but = sign must be present\&. +.RE +.PP +jarfile +.RS 4 +Same as \-Z option\&. +.RE +.PP +outfile +.RS 4 +Name of a file to which output and error messages will be redirected\&. This option has no command\-line equivalent\&. +.RE +.SH "EXTENDED EXAMPLES" +.PP +The following example will do this and that +.PP +\fBListing Available Signing Certificates\fR +.PP +You use the \-L option to list the nicknames for all available certificates and check which ones are signing certificates\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +signtool \-L + +using certificate directory: /u/jsmith/\&.netscape +S Certificates +\- \-\-\-\-\-\-\-\-\-\-\-\- + BBN Certificate Services CA Root 1 + IBM World Registry CA + VeriSign Class 1 CA \- Individual Subscriber \- VeriSign, Inc\&. + GTE CyberTrust Root CA + Uptime Group Plc\&. Class 4 CA +* Verisign Object Signing Cert + Integrion CA + GTE CyberTrust Secure Server CA + AT&T Directory Services +* test object signing cert + Uptime Group Plc\&. Class 1 CA + VeriSign Class 1 Primary CA +\- \-\-\-\-\-\-\-\-\-\-\-\- + +Certificates that can be used to sign objects have *\*(Aqs to their left\&. +.fi +.if n \{\ +.RE +.\} +.PP +Two signing certificates are displayed: Verisign Object Signing Cert and test object signing cert\&. +.PP +You use the \-l option to get a list of signing certificates only, including the signing CA for each\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +signtool \-l + +using certificate directory: /u/jsmith/\&.netscape +Object signing certificates +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- + +Verisign Object Signing Cert + Issued by: VeriSign, Inc\&. \- Verisign, Inc\&. + Expires: Tue May 19, 1998 +test object signing cert + Issued by: test object signing cert (Signtool 1\&.0 Testing +Certificate (960187691)) + Expires: Sun May 17, 1998 +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- +.fi +.if n \{\ +.RE +.\} +.PP +For a list including CAs, use the +\fB\-L\fR +option\&. +.PP +\fBSigning a File\fR +.PP +1\&. Create an empty directory\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +mkdir signdir +.fi +.if n \{\ +.RE +.\} +.PP +2\&. Put some file into it\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +echo boo > signdir/test\&.f +.fi +.if n \{\ +.RE +.\} +.PP +3\&. Specify the name of your object\-signing certificate and sign the directory\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +signtool \-k MySignCert \-Z testjar\&.jar signdir + +using key "MySignCert" +using certificate directory: /u/jsmith/\&.netscape +Generating signdir/META\-INF/manifest\&.mf file\&.\&. +\-\-> test\&.f +adding signdir/test\&.f to testjar\&.jar +Generating signtool\&.sf file\&.\&. +Enter Password or Pin for "Communicator Certificate DB": + +adding signdir/META\-INF/manifest\&.mf to testjar\&.jar +adding signdir/META\-INF/signtool\&.sf to testjar\&.jar +adding signdir/META\-INF/signtool\&.rsa to testjar\&.jar + +tree "signdir" signed successfully +.fi +.if n \{\ +.RE +.\} +.PP +4\&. Test the archive you just created\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +signtool \-v testjar\&.jar + +using certificate directory: /u/jsmith/\&.netscape +archive "testjar\&.jar" has passed crypto verification\&. + status path + \-\-\-\-\-\-\-\-\-\-\-\- \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- + verified test\&.f +.fi +.if n \{\ +.RE +.\} +.PP +\fBUsing Netscape Signing Tool with a ZIP Utility\fR +.PP +To use Netscape Signing Tool with a ZIP utility, you must have the utility in your path environment variable\&. You should use the zip\&.exe utility rather than pkzip\&.exe, which cannot handle long filenames\&. You can use a ZIP utility instead of the \-Z option to package a signed archive into a JAR file after you have signed it: +.sp +.if n \{\ +.RS 4 +.\} +.nf +cd signdir + + zip \-r \&.\&./myjar\&.jar * + adding: META\-INF/ (stored 0%) + adding: META\-INF/manifest\&.mf (deflated 15%) + adding: META\-INF/signtool\&.sf (deflated 28%) + adding: META\-INF/signtool\&.rsa (stored 0%) + adding: text\&.txt (stored 0%) +.fi +.if n \{\ +.RE +.\} +.PP +\fBGenerating the Keys and Certificate\fR +.PP +The signtool option \-G generates a new public\-private key pair and certificate\&. It takes the nickname of the new certificate as an argument\&. The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the \-d option\&. With the NT version of Netscape Signing Tool, you must use the \-d option with the \-G option\&. With the Unix version of Netscape Signing Tool, omitting the \-d option causes the tool to install the keys and certificate in the Communicator key and certificate databases\&. In all cases, the certificate is also output to a file named x509\&.cacert, which has the MIME\-type application/x\-x509\-ca\-cert\&. +.PP +Certificates contain standard information about the entity they identify, such as the common name and organization name\&. Netscape Signing Tool prompts you for this information when you run the command with the \-G option\&. However, all of the requested fields are optional for test certificates\&. If you do not enter a common name, the tool provides a default name\&. In the following example, the user input is in boldface: +.sp +.if n \{\ +.RS 4 +.\} +.nf +signtool \-G MyTestCert + +using certificate directory: /u/someuser/\&.netscape +Enter certificate information\&. All fields are optional\&. Acceptable +characters are numbers, letters, spaces, and apostrophes\&. +certificate common name: Test Object Signing Certificate +organization: Netscape Communications Corp\&. +organization unit: Server Products Division +state or province: California +country (must be exactly 2 characters): US +username: someuser +email address: someuser@netscape\&.com +Enter Password or Pin for "Communicator Certificate DB": [Password will not echo] +generated public/private key pair +certificate request generated +certificate has been signed +certificate "MyTestCert" added to database +Exported certificate to x509\&.raw and x509\&.cacert\&. +.fi +.if n \{\ +.RE +.\} +.PP +The certificate information is read from standard input\&. Therefore, the information can be read from a file using the redirection operator (<) in some operating systems\&. To create a file for this purpose, enter each of the seven input fields, in order, on a separate line\&. Make sure there is a newline character at the end of the last line\&. Then run signtool with standard input redirected from your file as follows: +.sp +.if n \{\ +.RS 4 +.\} +.nf +signtool \-G MyTestCert inputfile +.fi +.if n \{\ +.RE +.\} +.PP +The prompts show up on the screen, but the responses will be automatically read from the file\&. The password will still be read from the console unless you use the \-p option to give the password on the command line\&. +.PP +\fBUsing the \-M Option to List Smart Cards\fR +.PP +You can use the \-M option to list the PKCS #11 modules, including smart cards, that are available to signtool: +.sp +.if n \{\ +.RS 4 +.\} +.nf +signtool \-d "c:\enetscape\eusers\ejsmith" \-M + +using certificate directory: c:\enetscape\eusers\eusername +Listing of PKCS11 modules +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- + 1\&. Netscape Internal PKCS #11 Module + (this module is internally loaded) + slots: 2 slots attached + status: loaded + slot: Communicator Internal Cryptographic Services Version 4\&.0 + token: Communicator Generic Crypto Svcs + slot: Communicator User Private Key and Certificate Services + token: Communicator Certificate DB + 2\&. CryptOS + (this is an external module) + DLL name: core32 + slots: 1 slots attached + status: loaded + slot: Litronic 210 + token: + \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- +.fi +.if n \{\ +.RE +.\} +.PP +\fBUsing Netscape Signing Tool and a Smart Card to Sign Files\fR +.PP +The signtool command normally takes an argument of the \-k option to specify a signing certificate\&. To sign with a smart card, you supply only the fully qualified name of the certificate\&. +.PP +To see fully qualified certificate names when you run Communicator, click the Security button in Navigator, then click Yours under Certificates in the left frame\&. Fully qualified names are of the format smart card:certificate, for example "MyCard:My Signing Cert"\&. You use this name with the \-k argument as follows: +.sp +.if n \{\ +.RS 4 +.\} +.nf +signtool \-k "MyCard:My Signing Cert" directory +.fi +.if n \{\ +.RE +.\} +.PP +\fBVerifying FIPS Mode\fR +.PP +Use the \-M option to verify that you are using the FIPS\-140\-1 module\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +signtool \-d "c:\enetscape\eusers\ejsmith" \-M + +using certificate directory: c:\enetscape\eusers\ejsmith +Listing of PKCS11 modules +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- + 1\&. Netscape Internal PKCS #11 Module + (this module is internally loaded) + slots: 2 slots attached + status: loaded + slot: Communicator Internal Cryptographic Services Version 4\&.0 + token: Communicator Generic Crypto Svcs + slot: Communicator User Private Key and Certificate Services + token: Communicator Certificate DB +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- +.fi +.if n \{\ +.RE +.\} +.PP +This Unix example shows that Netscape Signing Tool is using a FIPS\-140\-1 module: +.sp +.if n \{\ +.RS 4 +.\} +.nf +signtool \-d "c:\enetscape\eusers\ejsmith" \-M +using certificate directory: c:\enetscape\eusers\ejsmith +Enter Password or Pin for "Communicator Certificate DB": [password will not echo] +Listing of PKCS11 modules +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- +1\&. Netscape Internal FIPS PKCS #11 Module +(this module is internally loaded) +slots: 1 slots attached +status: loaded +slot: Netscape Internal FIPS\-140\-1 Cryptographic Services +token: Communicator Certificate DB +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- +.fi +.if n \{\ +.RE +.\} +.SH "SEE ALSO" +.PP +signver (1) +.PP +The NSS wiki has information on the new database design and how to configure applications to use it\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB +.RE +.SH "ADDITIONAL RESOURCES" +.PP +For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at +\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Elio Maldonado , Deon Lackey \&. +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE diff --git a/security/nss/doc/nroff/signver.1 b/security/nss/doc/nroff/signver.1 new file mode 100644 index 0000000000..e42b4a8eee --- /dev/null +++ b/security/nss/doc/nroff/signver.1 @@ -0,0 +1,318 @@ +'\" t +.\" Title: SIGNVER +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 19 May 2021 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "SIGNVER" "1" "19 May 2021" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +signver \- Verify a detached PKCS#7 signature for a file\&. +.SH "SYNOPSIS" +.HP \w'\fBsigntool\fR\ 'u +\fBsigntool\fR \-A | \-V \-d\ \fIdirectory\fR [\-a] [\-i\ \fIinput_file\fR] [\-o\ \fIoutput_file\fR] [\-s\ \fIsignature_file\fR] [\-v] +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +The Signature Verification Tool, +\fBsignver\fR, is a simple command\-line utility that unpacks a base\-64\-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques\&. The Signature Verification Tool can also display the contents of the signed object\&. +.SH "OPTIONS" +.PP +\-A +.RS 4 +Displays all of the information in the PKCS#7 signature\&. +.RE +.PP +\-V +.RS 4 +Verifies the digital signature\&. +.RE +.PP +\-d \fIdirectory\fR +.RS 4 +Specify the database directory which contains the certificates and keys\&. +.sp +\fBsignver\fR +supports two types of databases: the legacy security databases (cert8\&.db, +key3\&.db, and +secmod\&.db) and new SQLite databases (cert9\&.db, +key4\&.db, and +pkcs11\&.txt)\&. If the prefix +\fBdbm:\fR +is not used, then the tool assumes that the given databases are in the SQLite format\&. +.RE +.PP +\-a +.RS 4 +Sets that the given signature file is in ASCII format\&. +.RE +.PP +\-i \fIinput_file\fR +.RS 4 +Gives the input file for the object with signed data\&. +.RE +.PP +\-o \fIoutput_file\fR +.RS 4 +Gives the output file to which to write the results\&. +.RE +.PP +\-s \fIsignature_file\fR +.RS 4 +Gives the input file for the digital signature\&. +.RE +.PP +\-v +.RS 4 +Enables verbose output\&. +.RE +.SH "EXTENDED EXAMPLES" +.SS "Verifying a Signature" +.PP +The +\fB\-V\fR +option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file)\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +signver \-V \-s \fIsignature_file\fR \-i \fIsigned_file\fR \-d /home/my/sharednssdb + +signatureValid=yes +.fi +.if n \{\ +.RE +.\} +.SS "Printing Signature Data" +.PP +The +\fB\-A\fR +option prints all of the information contained in a signature file\&. Using the +\fB\-o\fR +option prints the signature file information to the given output file rather than stdout\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +signver \-A \-s \fIsignature_file\fR \-o \fIoutput_file\fR +.fi +.if n \{\ +.RE +.\} +.SH "NSS DATABASE TYPES" +.PP +NSS originally used BerkeleyDB databases to store security information\&. The last versions of these +\fIlegacy\fR +databases are: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +cert8\&.db for certificates +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +key3\&.db for keys +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +secmod\&.db for PKCS #11 module information +.RE +.PP +BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously\&. NSS has some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues\&. Still, NSS requires more flexibility to provide a truly shared security database\&. +.PP +In 2009, NSS introduced a new set of databases that are SQLite databases rather than BerkleyDB\&. These new databases provide more accessibility and performance: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +cert9\&.db for certificates +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +key4\&.db for keys +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +pkcs11\&.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory +.RE +.PP +Because the SQLite databases are designed to be shared, these are the +\fIshared\fR +database type\&. The shared database type is preferred; the legacy format is included for backward compatibility\&. +.PP +By default, the tools (\fBcertutil\fR, +\fBpk12util\fR, +\fBmodutil\fR) assume that the given security databases use the SQLite type Using the legacy databases must be manually specified by using the +\fBdbm:\fR +prefix with the given security directory\&. For example: +.sp +.if n \{\ +.RS 4 +.\} +.nf +# signver \-A \-s \fIsignature\fR \-d dbm:/home/my/sharednssdb +.fi +.if n \{\ +.RE +.\} +.PP +To set the legacy database type as the default type for the tools, set the +\fBNSS_DEFAULT_DB_TYPE\fR +environment variable to +\fBdbm\fR: +.sp +.if n \{\ +.RS 4 +.\} +.nf +export NSS_DEFAULT_DB_TYPE="dbm" +.fi +.if n \{\ +.RE +.\} +.PP +This line can be added to the +~/\&.bashrc +file to make the change permanent for the user\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto +.RE +.PP +For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +https://wiki\&.mozilla\&.org/NSS_Shared_DB +.RE +.SH "SEE ALSO" +.PP +signtool (1) +.PP +The NSS wiki has information on the new database design and how to configure applications to use it\&. +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +Setting up the shared NSS database +.sp +https://wiki\&.mozilla\&.org/NSS_Shared_DB_Howto +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +Engineering and technical information about the shared NSS database +.sp +https://wiki\&.mozilla\&.org/NSS_Shared_DB +.RE +.SH "ADDITIONAL RESOURCES" +.PP +For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at +\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Elio Maldonado , Deon Lackey \&. +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE diff --git a/security/nss/doc/nroff/ssltap.1 b/security/nss/doc/nroff/ssltap.1 new file mode 100644 index 0000000000..d3c15364a1 --- /dev/null +++ b/security/nss/doc/nroff/ssltap.1 @@ -0,0 +1,609 @@ +'\" t +.\" Title: SSLTAP +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 19 May 2021 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "SSLTAP" "1" "19 May 2021" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +ssltap \- Tap into SSL connections and display the data going by +.SH "SYNOPSIS" +.HP \w'\fBssltap\fR\ 'u +\fBssltap\fR [\-fhlsvx] [\-p\ port] [hostname:port] +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +The SSL Debugging Tool +\fBssltap\fR +is an SSL\-aware command\-line proxy\&. It watches TCP connections and displays the data going by\&. If a connection is SSL, the data display includes interpreted SSL records and handshaking +.SH "OPTIONS" +.PP +\-f +.RS 4 +Turn on fancy printing\&. Output is printed in colored HTML\&. Data sent from the client to the server is in blue; the server\*(Aqs reply is in red\&. When used with looping mode, the different connections are separated with horizontal lines\&. You can use this option to upload the output into a browser\&. +.RE +.PP +\-h +.RS 4 +Turn on hex/ASCII printing\&. Instead of outputting raw data, the command interprets each record as a numbered line of hex values, followed by the same data as ASCII characters\&. The two parts are separated by a vertical bar\&. Nonprinting characters are replaced by dots\&. +.RE +.PP +\-l prefix +.RS 4 +Turn on looping; that is, continue to accept connections rather than stopping after the first connection is complete\&. +.RE +.PP +\-p port +.RS 4 +Change the default rendezvous port (1924) to another port\&. +.sp +The following are well\-known port numbers: +.sp +* HTTP 80 +.sp +* HTTPS 443 +.sp +* SMTP 25 +.sp +* FTP 21 +.sp +* IMAP 143 +.sp +* IMAPS 993 (IMAP over SSL) +.sp +* NNTP 119 +.sp +* NNTPS 563 (NNTP over SSL) +.RE +.PP +\-s +.RS 4 +Turn on SSL parsing and decoding\&. The tool does not automatically detect SSL sessions\&. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures\&. +.sp +If the tool detects a certificate chain, it saves the DER\-encoded certificates into files in the current directory\&. The files are named cert\&.0x, where x is the sequence number of the certificate\&. +.sp +If the \-s option is used with \-h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output\&. +.RE +.PP +\-v +.RS 4 +Print a version string for the tool\&. +.RE +.PP +\-x +.RS 4 +Turn on extra SSL hex dumps\&. +.RE +.SH "USAGE AND EXAMPLES" +.PP +You can use the SSL Debugging Tool to intercept any connection information\&. Although you can run the tool at its most basic by issuing the ssltap command with no options other than hostname:port, the information you get in this way is not very useful\&. For example, assume your development machine is called intercept\&. The simplest way to use the debugging tool is to execute the following command from a command shell: +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ ssltap www\&.netscape\&.com +.fi +.if n \{\ +.RE +.\} +.PP +The program waits for an incoming connection on the default port 1924\&. In your browser window, enter the URL http://intercept:1924\&. The browser retrieves the requested page from the server at www\&.netscape\&.com, but the page is intercepted and passed on to the browser by the debugging tool on intercept\&. On its way to the browser, the data is printed to the command shell from which you issued the command\&. Data sent from the client to the server is surrounded by the following symbols: \-\-> [ data ] Data sent from the server to the client is surrounded by the following symbols: "left arrow"\-\- [ data ] The raw data stream is sent to standard output and is not interpreted in any way\&. This can result in peculiar effects, such as sounds, flashes, and even crashes of the command shell window\&. To output a basic, printable interpretation of the data, use the \-h option, or, if you are looking at an SSL connection, the \-s option\&. You will notice that the page you retrieved looks incomplete in the browser\&. This is because, by default, the tool closes down after the first connection is complete, so the browser is not able to load images\&. To make the tool continue to accept connections, switch on looping mode with the \-l option\&. The following examples show the output from commonly used combinations of options\&. +.PP +Example 1 +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ ssltap\&.exe \-sx \-p 444 interzone\&.mcom\&.com:443 > sx\&.txt +.fi +.if n \{\ +.RE +.\} +.PP +Output +.sp +.if n \{\ +.RS 4 +.\} +.nf +Connected to interzone\&.mcom\&.com:443 +\-\->; [ +alloclen = 66 bytes + [ssl2] ClientHelloV2 { + version = {0x03, 0x00} + cipher\-specs\-length = 39 (0x27) + sid\-length = 0 (0x00) + challenge\-length = 16 (0x10) + cipher\-suites = { + + (0x010080) SSL2/RSA/RC4\-128/MD5 + (0x020080) SSL2/RSA/RC4\-40/MD5 + (0x030080) SSL2/RSA/RC2CBC128/MD5 + (0x040080) SSL2/RSA/RC2CBC40/MD5 + (0x060040) SSL2/RSA/DES64CBC/MD5 + (0x0700c0) SSL2/RSA/3DES192EDE\-CBC/MD5 + (0x000004) SSL3/RSA/RC4\-128/MD5 + (0x00ffe0) SSL3/RSA\-FIPS/3DES192EDE\-CBC/SHA + (0x00000a) SSL3/RSA/3DES192EDE\-CBC/SHA + (0x00ffe1) SSL3/RSA\-FIPS/DES64CBC/SHA + (0x000009) SSL3/RSA/DES64CBC/SHA + (0x000003) SSL3/RSA/RC4\-40/MD5 + (0x000006) SSL3/RSA/RC2CBC40/MD5 + } + session\-id = { } + challenge = { 0xec5d 0x8edb 0x37c9 0xb5c9 0x7b70 0x8fe9 0xd1d3 + +0x2592 } +} +] +<\-\- [ +SSLRecord { + 0: 16 03 00 03 e5 |\&.\&.\&.\&.\&. + type = 22 (handshake) + version = { 3,0 } + length = 997 (0x3e5) + handshake { + 0: 02 00 00 46 |\&.\&.\&.F + type = 2 (server_hello) + length = 70 (0x000046) + ServerHello { + server_version = {3, 0} + random = {\&.\&.\&.} + 0: 77 8c 6e 26 6c 0c ec c0 d9 58 4f 47 d3 2d 01 45 | +wn&l\&.\(`i\&.\&.XOG\&.\-\&.E + 10: 5c 17 75 43 a7 4c 88 c7 88 64 3c 50 41 48 4f 7f | + +\e\&.uC\(scL\&.\(,C\&.d [ +SSLRecord { + 0: 16 03 00 00 44 |\&.\&.\&.\&.D + type = 22 (handshake) + version = { 3,0 } + length = 68 (0x44) + handshake { + 0: 10 00 00 40 |\&.\&.\&.@ + type = 16 (client_key_exchange) + length = 64 (0x000040) + ClientKeyExchange { + message = {\&.\&.\&.} + } + } +} +] +\-\-> [ +SSLRecord { + 0: 14 03 00 00 01 |\&.\&.\&.\&.\&. + type = 20 (change_cipher_spec) + version = { 3,0 } + length = 1 (0x1) + 0: 01 |\&. +} +SSLRecord { + 0: 16 03 00 00 38 |\&.\&.\&.\&.8 + type = 22 (handshake) + version = { 3,0 } + length = 56 (0x38) + < encrypted > + +} +] +<\-\- [ +SSLRecord { + 0: 14 03 00 00 01 |\&.\&.\&.\&.\&. + type = 20 (change_cipher_spec) + version = { 3,0 } + length = 1 (0x1) + 0: 01 |\&. +} +] +<\-\- [ +SSLRecord { + 0: 16 03 00 00 38 |\&.\&.\&.\&.8 + type = 22 (handshake) + version = { 3,0 } + length = 56 (0x38) + < encrypted > + +} +] +\-\-> [ +SSLRecord { + 0: 17 03 00 01 1f |\&.\&.\&.\&.\&. + type = 23 (application_data) + version = { 3,0 } + length = 287 (0x11f) + < encrypted > +} +] +<\-\- [ +SSLRecord { + 0: 17 03 00 00 a0 |\&.\&.\&.\&. + type = 23 (application_data) + version = { 3,0 } + length = 160 (0xa0) + < encrypted > + +} +] +<\-\- [ +SSLRecord { +0: 17 03 00 00 df |\&.\&.\&.\&.\(ss + type = 23 (application_data) + version = { 3,0 } + length = 223 (0xdf) + < encrypted > + +} +SSLRecord { + 0: 15 03 00 00 12 |\&.\&.\&.\&.\&. + type = 21 (alert) + version = { 3,0 } + length = 18 (0x12) + < encrypted > +} +] +Server socket closed\&. +.fi +.if n \{\ +.RE +.\} +.PP +Example 2 +.PP +The \-s option turns on SSL parsing\&. Because the \-x option is not used in this example, undecoded values are output as raw data\&. The output is routed to a text file\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ ssltap \-s \-p 444 interzone\&.mcom\&.com:443 > s\&.txt +.fi +.if n \{\ +.RE +.\} +.PP +Output +.sp +.if n \{\ +.RS 4 +.\} +.nf +Connected to interzone\&.mcom\&.com:443 +\-\-> [ +alloclen = 63 bytes + [ssl2] ClientHelloV2 { + version = {0x03, 0x00} + cipher\-specs\-length = 36 (0x24) + sid\-length = 0 (0x00) + challenge\-length = 16 (0x10) + cipher\-suites = { + (0x010080) SSL2/RSA/RC4\-128/MD5 + (0x020080) SSL2/RSA/RC4\-40/MD5 + (0x030080) SSL2/RSA/RC2CBC128/MD5 + (0x060040) SSL2/RSA/DES64CBC/MD5 + (0x0700c0) SSL2/RSA/3DES192EDE\-CBC/MD5 + (0x000004) SSL3/RSA/RC4\-128/MD5 + (0x00ffe0) SSL3/RSA\-FIPS/3DES192EDE\-CBC/SHA + (0x00000a) SSL3/RSA/3DES192EDE\-CBC/SHA + (0x00ffe1) SSL3/RSA\-FIPS/DES64CBC/SHA + (0x000009) SSL3/RSA/DES64CBC/SHA + (0x000003) SSL3/RSA/RC4\-40/MD5 + } + session\-id = { } + challenge = { 0x713c 0x9338 0x30e1 0xf8d6 0xb934 0x7351 0x200c +0x3fd0 } +] +>\-\- [ +SSLRecord { + type = 22 (handshake) + version = { 3,0 } + length = 997 (0x3e5) + handshake { + type = 2 (server_hello) + length = 70 (0x000046) + ServerHello { + server_version = {3, 0} + random = {\&.\&.\&.} + session ID = { + length = 32 + contents = {\&.\&.} + } + cipher_suite = (0x0003) SSL3/RSA/RC4\-40/MD5 + } + type = 11 (certificate) + length = 709 (0x0002c5) + CertificateChain { + chainlength = 706 (0x02c2) + Certificate { + size = 703 (0x02bf) + data = { saved in file \*(Aqcert\&.001\*(Aq } + } + } + type = 12 (server_key_exchange) + length = 202 (0x0000ca) + type = 14 (server_hello_done) + length = 0 (0x000000) + } +} +] +\-\-> [ +SSLRecord { + type = 22 (handshake) + version = { 3,0 } + length = 68 (0x44) + handshake { + type = 16 (client_key_exchange) + length = 64 (0x000040) + ClientKeyExchange { + message = {\&.\&.\&.} + } + } +} +] +\-\-> [ +SSLRecord { + type = 20 (change_cipher_spec) + version = { 3,0 } + length = 1 (0x1) +} +SSLRecord { + type = 22 (handshake) + version = { 3,0 } + length = 56 (0x38) + > encrypted > +} +] +>\-\- [ +SSLRecord { + type = 20 (change_cipher_spec) + version = { 3,0 } + length = 1 (0x1) +} +] +>\-\- [ +SSLRecord { + type = 22 (handshake) + version = { 3,0 } + length = 56 (0x38) + > encrypted > +} +] +\-\-> [ +SSLRecord { + type = 23 (application_data) + version = { 3,0 } + length = 287 (0x11f) + > encrypted > +} +] +[ +SSLRecord { + type = 23 (application_data) + version = { 3,0 } + length = 160 (0xa0) + > encrypted > +} +] +>\-\- [ +SSLRecord { + type = 23 (application_data) + version = { 3,0 } + length = 223 (0xdf) + > encrypted > +} +SSLRecord { + type = 21 (alert) + version = { 3,0 } + length = 18 (0x12) + > encrypted > +} +] +Server socket closed\&. +.fi +.if n \{\ +.RE +.\} +.PP +Example 3 +.PP +In this example, the \-h option turns hex/ASCII format\&. There is no SSL parsing or decoding\&. The output is routed to a text file\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ ssltap \-h \-p 444 interzone\&.mcom\&.com:443 > h\&.txt +.fi +.if n \{\ +.RE +.\} +.PP +Output +.sp +.if n \{\ +.RS 4 +.\} +.nf +Connected to interzone\&.mcom\&.com:443 +\-\-> [ + 0: 80 40 01 03 00 00 27 00 00 00 10 01 00 80 02 00 | \&.@\&.\&.\&.\&.\*(Aq\&.\&.\&.\&.\&.\&.\&.\&.\&. + 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 | \&.\&.\&.\&.\&.\&.\&.\&.\&.@\&.\&.\&.\&.\&.\&. + 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 00 | \&.\&.\&.\&.\&.\&.\&.\&.\('a\&.\&.\&.\&.\&.\&.\&. + 30: 00 06 9b fe 5b 56 96 49 1f 9f ca dd d5 ba b9 52 | \&.\&.\(Tp[V\&.I\&.\exd9 \&.\&.\&.\(Om\(S1R + 40: 6f 2d |o\- +] +<\-\- [ + 0: 16 03 00 03 e5 02 00 00 46 03 00 7f e5 0d 1b 1d | \&.\&.\&.\&.\&.\&.\&.\&.F\&.\&.\&.\&.\&.\&.\&. + 10: 68 7f 3a 79 60 d5 17 3c 1d 9c 96 b3 88 d2 69 3b | h\&.:y`\&.\&.<\&.\&.\(S3\&.\(`Oi; + 20: 78 e2 4b 8b a6 52 12 4b 46 e8 c2 20 14 11 89 05 | x\&.K\&.\(bbR\&.KF\(`e\&. \&.\&.\&. + 30: 4d 52 91 fd 93 e0 51 48 91 90 08 96 c1 b6 76 77 | MR\&.\('y\&.\&.QH\&.\&.\&.\&.\&.\(psvw + 40: 2a f4 00 08 a1 06 61 a2 64 1f 2e 9b 00 03 00 0b | *\(^o\&.\&.\(r!\&.a\(ctd\&.\&.\&.\&.\&.\&. + 50: 00 02 c5 00 02 c2 00 02 bf 30 82 02 bb 30 82 02 | \&.\&.\(oA\&.\&.\&.\&.\&.\&.0\&.\&.\&.0\&.\&. + 60: 24 a0 03 02 01 02 02 02 01 36 30 0d 06 09 2a 86 | $ \&.\&.\&.\&.\&.\&.\&.60\&.\&.\&.*\&. + 70: 48 86 f7 0d 01 01 04 05 00 30 77 31 0b 30 09 06 | H\&.\(di\&.\&.\&.\&.\&.\&.0w1\&.0\&.\&. + 80: 03 55 04 06 13 02 55 53 31 2c 30 2a 06 03 55 04 | \&.U\&.\&.\&.\&.US1,0*\&.\&.U\&. + 90: 0a 13 23 4e 65 74 73 63 61 70 65 20 43 6f 6d 6d | \&.\&.#Netscape Comm + a0: 75 6e 69 63 61 74 69 6f 6e 73 20 43 6f 72 70 6f | unications Corpo + b0: 72 61 74 69 6f 6e 31 11 30 0f 06 03 55 04 0b 13 | ration1\&.0\&.\&.\&.U\&.\&.\&. + c0: 08 48 61 72 64 63 6f 72 65 31 27 30 25 06 03 55 | \&.Hardcore1\*(Aq0%\&.\&.U + d0: 04 03 13 1e 48 61 72 64 63 6f 72 65 20 43 65 72 | \&.\&.\&.\&.Hardcore Cer + e0: 74 69 66 69 63 61 74 65 20 53 65 72 76 65 72 20 | tificate Server + f0: 49 49 30 1e 17 0d 39 38 30 35 31 36 30 31 30 33 | II0\&.\&.\&.9805160103 + +] + +Server socket closed\&. +.fi +.if n \{\ +.RE +.\} +.PP +Example 4 +.PP +In this example, the \-s option turns on SSL parsing, and the \-h option turns on hex/ASCII format\&. Both formats are shown for each record\&. The output is routed to a text file\&. +.sp +.if n \{\ +.RS 4 +.\} +.nf +$ ssltap \-hs \-p 444 interzone\&.mcom\&.com:443 > hs\&.txt +.fi +.if n \{\ +.RE +.\} +.PP +Output +.sp +.if n \{\ +.RS 4 +.\} +.nf +Connected to interzone\&.mcom\&.com:443 +\-\-> [ + 0: 80 3d 01 03 00 00 24 00 00 00 10 01 00 80 02 00 | \&.=\&.\&.\&.\&.$\&.\&.\&.\&.\&.\&.\&.\&.\&. + 10: 80 03 00 80 04 00 80 06 00 40 07 00 c0 00 00 04 | \&.\&.\&.\&.\&.\&.\&.\&.\&.@\&.\&.\&.\&.\&.\&. + 20: 00 ff e0 00 00 0a 00 ff e1 00 00 09 00 00 03 03 | \&.\&.\&.\&.\&.\&.\&.\&.\('a\&.\&.\&.\&.\&.\&.\&. + 30: 55 e6 e4 99 79 c7 d7 2c 86 78 96 5d b5 cf e9 |U\&.\&.y\(,C\exb0 ,\&.x\&.]\(mc\(:I\('e +alloclen = 63 bytes + [ssl2] ClientHelloV2 { + version = {0x03, 0x00} + cipher\-specs\-length = 36 (0x24) + sid\-length = 0 (0x00) + challenge\-length = 16 (0x10) + cipher\-suites = { + (0x010080) SSL2/RSA/RC4\-128/MD5 + (0x020080) SSL2/RSA/RC4\-40/MD5 + (0x030080) SSL2/RSA/RC2CBC128/MD5 + (0x040080) SSL2/RSA/RC2CBC40/MD5 + (0x060040) SSL2/RSA/DES64CBC/MD5 + (0x0700c0) SSL2/RSA/3DES192EDE\-CBC/MD5 + (0x000004) SSL3/RSA/RC4\-128/MD5 + (0x00ffe0) SSL3/RSA\-FIPS/3DES192EDE\-CBC/SHA + (0x00000a) SSL3/RSA/3DES192EDE\-CBC/SHA + (0x00ffe1) SSL3/RSA\-FIPS/DES64CBC/SHA + (0x000009) SSL3/RSA/DES64CBC/SHA + (0x000003) SSL3/RSA/RC4\-40/MD5 + } + session\-id = { } + challenge = { 0x0355 0xe6e4 0x9979 0xc7d7 0x2c86 0x7896 0x5db + +0xcfe9 } +} +] + +Server socket closed\&. +.fi +.if n \{\ +.RE +.\} +.SH "USAGE TIPS" +.PP +When SSL restarts a previous session, it makes use of cached information to do a partial handshake\&. If you wish to capture a full SSL handshake, restart the browser to clear the session id cache\&. +.PP +If you run the tool on a machine other than the SSL server to which you are trying to connect, the browser will complain that the host name you are trying to connect to is different from the certificate\&. If you are using the default BadCert callback, you can still connect through a dialog\&. If you are not using the default BadCert callback, the one you supply must allow for this possibility\&. +.SH "SEE ALSO" +.PP +The NSS Security Tools are also documented at +\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&\s-2\u[2]\d\s+2\&. +.SH "ADDITIONAL RESOURCES" +.PP +For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at +\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Elio Maldonado , Deon Lackey \&. +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE +.IP " 2." 4 +http://www.mozilla.org/projects/security/pki/nss/ +.RS 4 +\%http://www.mozilla.org/projects/security/pki/nss/tools +.RE diff --git a/security/nss/doc/nroff/vfychain.1 b/security/nss/doc/nroff/vfychain.1 new file mode 100644 index 0000000000..4beba750d5 --- /dev/null +++ b/security/nss/doc/nroff/vfychain.1 @@ -0,0 +1,169 @@ +'\" t +.\" Title: VFYCHAIN +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 19 May 2021 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "VFYCHAIN" "1" "19 May 2021" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +vfychain_ \- vfychain [options] [revocation options] certfile [[options] certfile] \&.\&.\&. +.SH "SYNOPSIS" +.HP \w'\fBvfychain\fR\ 'u +\fBvfychain\fR +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +The verification Tool, +\fBvfychain\fR, verifies certificate chains\&. +\fBmodutil\fR +can add and delete PKCS #11 modules, change passwords on security databases, set defaults, list module contents, enable or disable slots, enable or disable FIPS 140\-2 compliance, and assign default providers for cryptographic operations\&. This tool can also create certificate, key, and module security database files\&. +.PP +The tasks associated with security module database management are part of a process that typically also involves managing key databases and certificate databases\&. +.SH "OPTIONS" +.PP +\fB\-a\fR +.RS 4 +the following certfile is base64 encoded +.RE +.PP +\fB\-b \fR \fIYYMMDDHHMMZ\fR +.RS 4 +Validate date (default: now) +.RE +.PP +\fB\-d \fR \fIdirectory\fR +.RS 4 +database directory +.RE +.PP +\fB\-f \fR +.RS 4 +Enable cert fetching from AIA URL +.RE +.PP +\fB\-o \fR \fIoid\fR +.RS 4 +Set policy OID for cert validation(Format OID\&.1\&.2\&.3) +.RE +.PP +\fB\-p \fR +.RS 4 +Use PKIX Library to validate certificate by calling: +.sp +* CERT_VerifyCertificate if specified once, +.sp +* CERT_PKIXVerifyCert if specified twice and more\&. +.RE +.PP +\fB\-r \fR +.RS 4 +Following certfile is raw binary DER (default) +.RE +.PP +\fB\-t\fR +.RS 4 +Following cert is explicitly trusted (overrides db trust) +.RE +.PP +\fB\-u \fR \fIusage\fR +.RS 4 +0=SSL client, 1=SSL server, 2=SSL StepUp, 3=SSL CA, 4=Email signer, 5=Email recipient, 6=Object signer, 9=ProtectedObjectSigner, 10=OCSP responder, 11=Any CA +.RE +.PP +\fB\-T \fR +.RS 4 +Trust both explicit trust anchors (\-t) and the database\&. (Without this option, the default is to only trust certificates marked \-t, if there are any, or to trust the database if there are certificates marked \-t\&.) +.RE +.PP +\fB\-v \fR +.RS 4 +Verbose mode\&. Prints root cert subject(double the argument for whole root cert info) +.RE +.PP +\fB\-w \fR \fIpassword\fR +.RS 4 +Database password +.RE +.PP +\fB\-W \fR \fIpwfile\fR +.RS 4 +Password file +.RE +.PP +.RS 4 +Revocation options for PKIX API (invoked with \-pp options) is a collection of the following flags: [\-g type [\-h flags] [\-m type [\-s flags]] \&.\&.\&.] \&.\&.\&. +.sp +Where: +.RE +.PP +\fB\-g \fR \fItest\-type\fR +.RS 4 +Sets status checking test type\&. Possible values are "leaf" or "chain" +.RE +.PP +\fB\-g \fR \fItest type\fR +.RS 4 +Sets status checking test type\&. Possible values are "leaf" or "chain"\&. +.RE +.PP +\fB\-h \fR \fItest flags\fR +.RS 4 +Sets revocation flags for the test type it follows\&. Possible flags: "testLocalInfoFirst" and "requireFreshInfo"\&. +.RE +.PP +\fB\-m \fR \fImethod type\fR +.RS 4 +Sets method type for the test type it follows\&. Possible types are "crl" and "ocsp"\&. +.RE +.PP +\fB\-s \fR \fImethod flags\fR +.RS 4 +Sets revocation flags for the method it follows\&. Possible types are "doNotUse", "forbidFetching", "ignoreDefaultSrc", "requireInfo" and "failIfNoInfo"\&. +.RE +.SH "ADDITIONAL RESOURCES" +.PP +For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at +\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Elio Maldonado , Deon Lackey \&. +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE diff --git a/security/nss/doc/nroff/vfyserv.1 b/security/nss/doc/nroff/vfyserv.1 new file mode 100644 index 0000000000..2983bc477c --- /dev/null +++ b/security/nss/doc/nroff/vfyserv.1 @@ -0,0 +1,70 @@ +'\" t +.\" Title: VFYSERV +.\" Author: [see the "Authors" section] +.\" Generator: DocBook XSL Stylesheets vsnapshot +.\" Date: 19 May 2021 +.\" Manual: NSS Security Tools +.\" Source: nss-tools +.\" Language: English +.\" +.TH "VFYSERV" "1" "19 May 2021" "nss-tools" "NSS Security Tools" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +vfyserv_ \- TBD +.SH "SYNOPSIS" +.HP \w'\fBvfyserv\fR\ 'u +\fBvfyserv\fR +.SH "STATUS" +.PP +This documentation is still work in progress\&. Please contribute to the initial review in +\m[blue]\fBMozilla NSS bug 836477\fR\m[]\&\s-2\u[1]\d\s+2 +.SH "DESCRIPTION" +.PP +The +\fBvfyserv \fR +tool verifies a certificate chain +.SH "OPTIONS" +.PP +.RS 4 +.sp +.RE +.SH "ADDITIONAL RESOURCES" +.PP +For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at +\m[blue]\fBhttp://www\&.mozilla\&.org/projects/security/pki/nss/\fR\m[]\&. The NSS site relates directly to NSS code changes and releases\&. +.PP +Mailing lists: https://lists\&.mozilla\&.org/listinfo/dev\-tech\-crypto +.PP +IRC: Freenode at #dogtag\-pki +.SH "AUTHORS" +.PP +The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google\&. +.PP +Authors: Elio Maldonado , Deon Lackey \&. +.SH "LICENSE" +.PP +Licensed under the Mozilla Public License, v\&. 2\&.0\&. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla\&.org/MPL/2\&.0/\&. +.SH "NOTES" +.IP " 1." 4 +Mozilla NSS bug 836477 +.RS 4 +\%https://bugzilla.mozilla.org/show_bug.cgi?id=836477 +.RE diff --git a/security/nss/doc/nss-policy-check.xml b/security/nss/doc/nss-policy-check.xml new file mode 100644 index 0000000000..1d891b8c3f --- /dev/null +++ b/security/nss/doc/nss-policy-check.xml @@ -0,0 +1,97 @@ + + + +]> + + + + + &date; + NSS Security Tools + nss-tools + &version; + + + + NSS-POLICY-CHECK + 1 + + + + nss-policy-check + nss-policy-check policy-file + + + + + nss-policy-check + + + + + Description + nss-policy-check verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library. + + The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database. + + + + Usage and Examples + To check the global crypto-policy configuration in /etc/crypto-policies/back-ends/nss.config: + + $ nss-policy-check /etc/crypto-policies/back-ends/nss.config +NSS-POLICY-INFO: LOADED-SUCCESSFULLY +NSS-POLICY-INFO: PRIME256V1 is enabled for KX +NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE +NSS-POLICY-INFO: SECP256R1 is enabled for KX +NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE +NSS-POLICY-INFO: SECP384R1 is enabled for KX +NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE +... +NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13 +NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9 +NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9 +... +NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled +NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled +NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled +... +NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24 +NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3 +NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2 + + If there is a failure or warning, it will be prefixed with + NSS-POLICY-FAIL or NSS-POLICY_WARN. + + nss-policy-check exits with 2 if any + failure is found, 1 if any warning is found, or 0 if no errors are + found. + + + + + Additional Resources + For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases. + Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto + IRC: Freenode at #dogtag-pki + + + + + Authors + The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + diff --git a/security/nss/doc/pk12util.xml b/security/nss/doc/pk12util.xml new file mode 100644 index 0000000000..ef1547d5d1 --- /dev/null +++ b/security/nss/doc/pk12util.xml @@ -0,0 +1,474 @@ + + + +]> + + + + + &date; + NSS Security Tools + nss-tools + &version; + + + + PK12UTIL + 1 + + + + pk12util + Export and import keys and certificate to or from a PKCS #12 file and the NSS database + + + + + pk12util + -i p12File|-l p12File|-o p12File + -c keyCipher + -C certCipher + -d directory + -h tokenname + -m | --key-len keyLength + -M hashAlg + -n certname + -P dbprefix + -r + -v + --cert-key-len certKeyLength + -k slotPasswordFile|-K slotPassword + -w p12filePasswordFile|-W p12filePassword + + + + + STATUS + This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 + + + + + Description + The PKCS #12 utility, pk12util, enables sharing certificates among any server that supports PKCS #12. The tool can import certificates and keys from PKCS #12 files into security databases, export certificates, and list certificates and keys. + + + + Options and Arguments + Options + + + -i p12file + Import keys and certificates from a PKCS #12 file into a security database. + + + + -l p12file + List the keys and certificates in PKCS #12 file. + + + + -o p12file + Export keys and certificates from the security database to a PKCS #12 file. + + + + Arguments + + + -c keyCipher + Specify the key encryption algorithm. + + + + -C certCipher + Specify the certiticate encryption algorithm. + + + + -d directory + Specify the database directory into which to import to or export from certificates and keys. + pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format. + + + + -h tokenname + Specify the name of the token to import into or export from. + + + + -k slotPasswordFile + Specify the text file containing the slot's password. + + + + -K slotPassword + Specify the slot's password. + + + + -m | --key-len keyLength + Specify the desired length of the symmetric key to be used to encrypt the private key. + + + + -M hashAlg + Specify the hash algorithm used in the pkcs #12 mac. This algorithm also specifies the HMAC used in the prf when using pkcs #5 v2. + + + + + --cert-key-len certKeyLength + Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data. + + + + -n certname + Specify the nickname of the cert and private key to export. + The nickname can also be a PKCS #11 URI. For example, if you have a certificate named "my-server-cert" on the internal certificate store, it can be unambiguously specified as "pkcs11:token=NSS%20Certificate%20DB;object=my-server-cert". For details about the format, see RFC 7512. + + + + -P prefix + Specify the prefix used on the certificate and key databases. This option is provided as a special case. + Changing the names of the certificate and key databases is not recommended. + + + + -r + Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file. + + + + -v + Enable debug logging when importing. + + + + -w p12filePasswordFile + Specify the text file containing the pkcs #12 file password. + + + + -W p12filePassword + Specify the pkcs #12 file password. + + + + + + + Return Codes + + + 0 - No error + + + 1 - User Cancelled + + + 2 - Usage error + + + 6 - NLS init error + + + 8 - Certificate DB open error + + + 9 - Key DB open error + + + 10 - File initialization error + + + 11 - Unicode conversion error + + + 12 - Temporary file creation error + + + 13 - PKCS11 get slot error + + + 14 - PKCS12 decoder start error + + + 15 - error read from import file + + + 16 - pkcs12 decode error + + + 17 - pkcs12 decoder verify error + + + 18 - pkcs12 decoder validate bags error + + + 19 - pkcs12 decoder import bags error + + + 20 - key db conversion version 3 to version 2 error + + + 21 - cert db conversion version 7 to version 5 error + + + 22 - cert and key dbs patch error + + + 23 - get default cert db error + + + 24 - find cert by nickname error + + + 25 - create export context error + + + 26 - PKCS12 add password itegrity error + + + 27 - cert and key Safes creation error + + + 28 - PKCS12 add cert and key error + + + 29 - PKCS12 encode error + + + + + + Examples + Importing Keys and Certificates + The most basic usage of pk12util for importing a certificate or key is the PKCS #12 input file () and some way to specify the security database being accessed (either for a directory or for a token). + + + pk12util -i p12File [-h tokenname] [-v] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] + + For example: + + # pk12util -i /tmp/cert-files/users.p12 -d /home/my/sharednssdb + +Enter a password which will be used to encrypt your keys. +The password should be at least 8 characters long, +and should contain at least one non-alphabetic character. + +Enter new password: +Re-enter password: +Enter password for PKCS12 file: +pk12util: PKCS12 IMPORT SUCCESSFUL + + Exporting Keys and Certificates + Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database () and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. + + pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] + For example: + # pk12util -o certs.p12 -n Server-Cert -d /home/my/sharednssdb +Enter password for PKCS12 file: +Re-enter password: + + Listing Keys and Certificates + The information in a .p12 file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the .p12 file. + + pk12util -l p12File [-h tokenname] [-r] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] + For example, this prints the default ASCII output: + # pk12util -l certs.p12 + +Enter password for PKCS12 file: +Key(shrouded): + Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID + + Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC + Parameters: + Salt: + 45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f + Iteration Count: 1 (0x1) +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 13 (0xd) + Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption + Issuer: "E=personal-freemail@thawte.com,CN=Thawte Personal Freemail C + A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T + own,ST=Western Cape,C=ZA" + + Alternatively, the prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports .p12 files. Each certificate is written to a sequentially-number file, beginning with file0001.der and continuing through file000N.der, incrementing the number for every certificate: + pk12util -l test.p12 -r +Enter password for PKCS12 file: +Key(shrouded): + Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID + + Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC + Parameters: + Salt: + 45:2e:6a:a0:03:4d:7b:a1:63:3c:15:ea:67:37:62:1f + Iteration Count: 1 (0x1) +Certificate Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting + +Certificate Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID + + + + + Password Encryption + PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option. + The private key is always protected with strong encryption by default. + Several types of ciphers are supported. + + + + PKCS #5 password-based encryption + + + PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC") + + + + + + PKCS #12 password-based encryption + + + SHA-1 and 128-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC4" or "RC4") + SHA-1 and 40-bit RC4 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC4") (used by default for certificate encryption in non-FIPS mode) + SHA-1 and 3-key triple-DES ("PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC" or "DES-EDE3-CBC") + SHA-1 and 128-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 128 Bit RC2 CBC" or "RC2-CBC") + SHA-1 and 40-bit RC2 ("PKCS #12 V2 PBE With SHA-1 And 40 Bit RC2 CBC") + + + + + With PKCS #12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error no security module can perform the requested operation. + + +NSS Database Types +NSS originally used BerkeleyDB databases to store security information. +The last versions of these legacy databases are: + + + + cert8.db for certificates + + + + + key3.db for keys + + + + + secmod.db for PKCS #11 module information + + + + +BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has +some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS +requires more flexibility to provide a truly shared security database. + +In 2009, NSS introduced a new set of databases that are SQLite databases rather than +BerkleyDB. These new databases provide more accessibility and performance: + + + + cert9.db for certificates + + + + + key4.db for keys + + + + + pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory + + + + +Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility. + +By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type +Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example: + +# pk12util -i /tmp/cert-files/users.p12 -d dbm:/home/my/sharednssdb + +To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: +export NSS_DEFAULT_DB_TYPE="dbm" + +This line can be set added to the ~/.bashrc file to make the change permanent. + + + + + https://wiki.mozilla.org/NSS_Shared_DB_Howto + + +For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: + + + + https://wiki.mozilla.org/NSS_Shared_DB + + + + + + + Compatibility Notes + The exporting behavior of pk12util has changed over time, while importing files exported with older versions of NSS is still supported. + Until the 3.30 release, pk12util used the UTF-16 encoding for the PKCS #5 password-based encryption schemes, while the recommendation is to encode passwords in UTF-8 if the used encryption scheme is defined outside of the PKCS #12 standard. + Until the 3.31 release, even when "AES-128-CBC" or "AES-192-CBC" is given from the command line, pk12util always used 256-bit AES as the underlying encryption scheme. + For historical reasons, pk12util accepts password-based encryption schemes not listed in this document. However, those schemes are not officially supported and may have issues in interoperability with other tools. + + + + See Also + certutil (1) + modutil (1) + + The NSS wiki has information on the new database design and how to configure applications to use it. + + + + https://wiki.mozilla.org/NSS_Shared_DB_Howto + + + + https://wiki.mozilla.org/NSS_Shared_DB + + + + + + + + Additional Resources + For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases. + Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto + IRC: Freenode at #dogtag-pki + + + + + Authors + The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + diff --git a/security/nss/doc/pp.xml b/security/nss/doc/pp.xml new file mode 100644 index 0000000000..8b42367218 --- /dev/null +++ b/security/nss/doc/pp.xml @@ -0,0 +1,123 @@ + + + +]> + + + + + &date; + NSS Security Tools + nss-tools + &version; + + + + PP + 1 + + + + pp + Prints certificates, keys, crls, and pkcs7 files + + + + + pp -t type [-a] [-i input] [-o output] [-u] [-w] + + + + + STATUS + This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 + + + + + Description + + pp pretty-prints private and public key, certificate, certificate-request, + pkcs7, pkcs12 or crl files + + + + + + Options + + + + + type + + specify the input, one of {private-key | public-key | certificate | certificate-request | pkcs7 | pkcs12 | crl | name} + + + + + + + + Input is in ascii encoded form (RFC1113) + + + + + inputfile + + Define an input file to use (default is stdin) + + + + + outputfile + + Define an output file to use (default is stdout) + + + + + + + Use UTF-8 (default is to show non-ascii as .) + + + + + + + Don't wrap long output lines + + + + + + + + Additional Resources + NSS is maintained in conjunction with PKI and security-related projects through Mozilla and Fedora. The most closely-related project is Dogtag PKI, with a project wiki at PKI Wiki. + For information specifically about NSS, the NSS project wiki is located at Mozilla NSS site. The NSS site relates directly to NSS code changes and releases. + Mailing lists: pki-devel@redhat.com and pki-users@redhat.com + IRC: Freenode at #dogtag-pki + + + + + Authors + The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + diff --git a/security/nss/doc/rst/build.rst b/security/nss/doc/rst/build.rst new file mode 100644 index 0000000000..e07f6971e9 --- /dev/null +++ b/security/nss/doc/rst/build.rst @@ -0,0 +1,230 @@ +.. _mozilla_projects_nss_building: + +Building NSS +============ + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + This page has detailed information on how to build NSS. Because NSS is a + cross-platform library that builds on many different platforms and has many + options, it may be complex to build._ Two build systems are maintained + concurrently: a ``Make`` based and a ``gyp`` based system. + +.. _build_environment: + +`Prerequisites <#build_environment>`__ +------------------------------------------ + +.. container:: + + NSS needs a C and C++ compiler. It has minimal dependencies, including only + standard C and C++ libraries, plus `zlib `__. + For building, you also need `make `__. + Ideally, also install `gyp-next `__ and `ninja + `__ and put them on your path. This is + recommended, as the build is faster and more reliable. + Please, note that we ``gyp`` is currently unmaintained and that our support for + ``gyp-next`` is experimental and might be unstable. + + To install prerequisites on different platforms, one can run the following + commands: + + **On Linux:** + + .. code:: + + sudo apt install mercurial git ninja-build python3-pip + python3 -m pip install gyp-next + + **On MacOS:** + + .. code:: + + brew install mercurial git ninja python3-pip + python3 -m pip install gyp-next + + It is also necessary to make sure that a `python` (not just `python3`) + executable is in the path. + The Homebrew Python installation has the necessary symlink but may require + explicit adding to the PATH variable, for example like this: + + .. code:: + + export PATH="/opt/homebrew/opt/python/libexec/bin:$PATH" + + **On Windows:** + + .. code:: + + + +.. note:: + To retrieve the source code from the project repositories, users will need to + download a release or pull the source code with their favourite Version + Control System (git or Mercurial). Installing a VCS is not necessary to build + an NSS release when downloaded as a compressed archive. + + By default Mozilla uses a Mercurial repository for NSS. If you whish to + contribute to NSS and use ``git`` instead of Mercurial, we encourage you to + install `git-cinnabar `__. + +.. + `Windows <#windows>`__ + ~~~~~~~~~~~~~~~~~~~~~~ + + .. container:: + + NSS compilation on Windows uses the same shared build system as Mozilla + Firefox. You must first install the `Windows Prerequisites + `__, + including **MozillaBuild**. + + You can also build NSS on the Windows Subsystem for Linux, but the resulting binaries aren't + usable by other Windows applications. + +.. _get_the_source: + +`Source code <#get_the_source>`__ +--------------------------------- + +.. container:: + + NSS and NSPR use Mercurial for source control like other Mozilla projects. To + check out the latest sources for NSS and NSPR--which may not be part of a + stable release--use the following commands: + + .. code:: + + hg clone https://hg.mozilla.org/projects/nspr + hg clone https://hg.mozilla.org/projects/nss + + + **To get the source of a specific release, see:** + ref:`mozilla_projects_nss_releases` **.** + + To download the source using ``git-cinnabar`` instead: + + .. code:: + + git clone hg::https://hg.mozilla.org/projects/nspr + git clone hg::https://hg.mozilla.org/projects/nss + + +`Build with gyp and ninja <#build>`__ +------------------------------------- + +.. container:: + + Build NSS and NSPR using our build script from the ``nss`` directory: + + .. code:: + + cd nss + ./build.sh + + This builds both NSPR and NSS in a parent directory called ``dist``. + + Build options are available for this script: ``-o`` will build in **Release** + mode instead of the **Debug** mode and ``-c`` will **clean** the ``dist`` + directory before the build. + + Other build options can be displayed by running ``./build.sh --help`` + +.. _build_with_make: + +`Build with make <#build_with_make>`__ +-------------------------------------- + +.. container:: + + Alternatively, there is a ``make`` target, which produces a similar + result. This supports some alternative options, but can be a lot slower. + + .. code:: + + USE_64=1 make -j + + The make-based build system for NSS uses a variety of variables to control + the build. Below are some of the variables, along with possible values they + may be set to. + +.. csv-table:: + :header: "BUILD_OPT", "" + :widths: 10,50 + + "0", "Build a debug (non-optimized) version of NSS. **This is the default.**" + "1", "Build an optimized (non-debug) version of NSS." + +.. csv-table:: + :header: "USE_64", "" + :widths: 10,50 + + "0", "Build for a 32-bit environment/ABI. **This is the default.**" + "1", "Build for a 64-bit environment/ABI. *This is recommended.*" + +.. csv-table:: + :header: "USE_ASAN", "" + :widths: 10,50 + + "0", "Do not create an `AddressSanitizer + `__ build. **This is the default.**" + "1", "Create an AddressSanitizer build." + + +.. _unit_testing: + +`Unit testing <#unit_testing>`__ +-------------------------------- + +.. container:: + + NSS contains extensive unit tests. Scripts to run these are found in the ``tests`` directory. + Run the standard suite by: + + .. code:: + + HOST=localhost DOMSUF=localdomain USE_64=1 ./tests/all.sh + +.. _unit_test_configuration: + +`Unit test configuration <#unit_test_configuration>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS tests are configured using environment variables. + The scripts will attempt to infer values for ``HOST`` and ``DOMSUF``, but + can fail. Replace ``localhost`` and ``localdomain`` with the hostname and + domain suffix for your host. You need to be able to connect to + ``$HOST.$DOMSUF``. + + If you don't have a domain suffix you can add an entry to ``/etc/hosts`` (on + Windows,\ ``c:\Windows\System32\drivers\etc\hosts``) as follows: + + .. code:: + + 127.0.0.1 localhost.localdomain + + Validate this opening a command shell and typing: ``ping localhost.localdomain``. + + Remove the ``USE_64=1`` override if using a 32-bit build. + +.. _test_results: + +`Test results <#test_results>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Running all tests can take a considerable amount of time. + + Test output is stored in ``tests_results/security/$HOST.$NUMBER/``. The file + ``results.html`` summarizes the results, ``output.log`` captures all the test + output. + + Other subdirectories of ``nss/tests`` contain scripts that run a subset of + the full suite. Those can be run directly instead of ``all.sh``, which might + save some time at the cost of coverage. diff --git a/security/nss/doc/rst/build_artifacts.rst b/security/nss/doc/rst/build_artifacts.rst new file mode 100644 index 0000000000..b55252512e --- /dev/null +++ b/security/nss/doc/rst/build_artifacts.rst @@ -0,0 +1,176 @@ +.. _mozilla_projects_nss_build_artifacts: + +Build artifacts +=============== + +.. container:: + + **Network Security Services (NSS)** is a set of libraries designed to support cross-platform + development of communications applications that support TLS, S/MIME, and other Internet security + standards. For a general overview of NSS and the standards it supports, see + :ref:`mozilla_projects_nss_overview`. + +.. _shared_libraries: + +`Shared libraries <#shared_libraries>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Network Security Services provides both static libraries and shared libraries. Applications that + use the shared libraries must use only the APIs that they export. Three shared libraries export + public functions: + + - The SSL/TLS library supports core TLS operations. + - The S/MIME library supports core S/MIME operations. + - The freebl library supports core crypto operations. + +.. note:: + + We guarantee that applications using the exported APIs will remain compatible with future + versions of those libraries until deprecated. + +.. container:: + + .. + For a complete list of public functions exported by these shared + libraries in NSS 3.2, see :ref:`mozilla_projects_nss_reference_nss_functions`. + + .. + For information on which static libraries in NSS 3.1.1 are replaced by each of the above shared + libraries in NSS 3.2 , see `Migration from NSS + 3.1.1 `__. + + .. + Figure 1, below, shows a simplified view of the relationships among the three shared libraries + listed above and NSPR, which provides low-level cross platform support for operations such as + threading and I/O. (Note that NSPR is a separate Mozilla project; see `Netscape Portable + Runtime `__ for details.) + + .. image:: /en-US/docs/Mozilla/Projects/NSS/Introduction_to_Network_Security_Services/nss.gif + :alt: Diagram showing the relationships among core NSS libraries and NSPR. + :width: 429px + :height: 196px + +.. _naming_conventions_and_special_libraries: + +`Naming conventions <#naming_conventions_and_special_libraries>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Windows and Unix use different naming conventions for static and dynamic + libraries: + + ======= ======== =============================== + Windows Unix + static ``.lib`` ``.a`` + dynamic ``.dll`` ``.so`` or ``.dylib`` or ``.sl`` + ======= ======== =============================== + + In addition, Windows has "import" libraries that bind to dynamic + libraries. So the NSS library has the following forms: + + - ``libnss3.so`` - Linux shared library + - ``libnss3.dylib`` - MacOS shared library + - ``libnss3.sl`` - HP-UX shared library + - ``libnss.a`` - Unix static library + - ``nss3.dll`` - Windows shared library + - ``nss3.lib`` - Windows import library binding to ``nss3.dll`` + - ``nss.lib`` - Windows static library + + NSS, SSL, and S/MIME have all of the above forms. + + The following static libraries aren't included in any shared libraries + + - ``libcrmf.a``/``crmf.lib`` provides an API for CRMF operations. + - ``libjar.a``/``jar.lib`` provides an API for creating JAR files. + + The following static libraries are included only in external loadable PKCS + #11 modules: + + - ``libnssckfw.a``/``nssckfw.lib`` provides an API for writing PKCS #11 modules. + - ``libswfci.a``/``swfci.lib`` provides support for software FORTEZZA. + + The following shared libraries are standalone loadable modules, not meant to + be linked with directly: + + - ``libfort.so``/``libfort.sl``/``fort32.dll`` provides support for hardware FORTEZZA. + - ``libswft.so``/``libswft.sl``/``swft32.dll`` provides support for software FORTEZZA. + - ``libnssckbi.so``/``libnssckbi.sl``/``nssckbi.dll`` defines the default set + of trusted root certificates. + +.. + .. _support_for_ilp32: + + `Support for ILP32 <#support_for_ilp32>`__ + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + .. container:: + + In NSS 3.2 and later versions, there are two new shared libraries for the platforms HP-UX for + PARisc CPUs and Solaris for (Ultra)Sparc (not x86) CPUs. These HP and Solaris platforms allow + programs that use the ILP32 program model to run on both 32-bit CPUs and 64-bit CPUs. The two + libraries exist to provide optimal performance on each of the two types of CPUs. + + These two extra shared libraries are not supplied on any other platforms. The names of these + libraries are platform-dependent, as shown in the following table. + + ================================== ============================ ============================ + Platform for 32-bit CPUs for 64-bit CPUs + Solaris/Sparc ``libfreebl_pure32_3.so`` ``libfreebl_hybrid_3.so`` + HPUX/PARisc ``libfreebl_pure32_3.sl`` ``libfreebl_hybrid_3.sl`` + AIX (planned for a future release) ``libfreebl_pure32_3_shr.a`` ``libfreebl_hybrid_3_shr.a`` + ================================== ============================ ============================ + + An application should not link against these libraries, because they are dynamically loaded by + NSS at run time. Linking the application against one or the other of these libraries may produce + an application program that can only run on one type of CPU (e.g. only on 64-bit CPUs, not on + 32-bit CPUs) or that doesn't use the more efficient 64-bit code on 64-bit CPUs, which defeats the + purpose of having these shared libraries. + + On platforms for which these shared libraries exist, NSS 3.2 will fail if these shared libs are + not present. So, an application must include these files in its distribution of NSS shared + libraries. These shared libraries should be installed in the same directory where the other NSS + shared libraries (such as ``libnss3.so``) are installed. Both shared libs should always be + installed whether the target system has a 32-bit CPU or a 64-bit CPU. NSS will pick the right one + for the local system at run time. + + Note that NSS 3.x is also available in the LP64 model for these platforms, but the LP64 model of + NSS 3.x does not have these two extra shared libraries. + +.. + .. _what_you_should_already_know: + + `What you should already know <#what_you_should_already_know>`__ + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + .. container:: + + Before using NSS, you should be familiar with the following topics: + + - Concepts and techniques of public-key cryptography + - The Secure Sockets Layer (SSL) protocol + - The PKCS #11 standard for cryptographic token interfaces + - Cross-platform development issues and techniques + + .. _where_to_find_more_information: + + `Where to find more information <#where_to_find_more_information>`__ + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + .. container:: + + For information about PKI and SSL that you should understand before using NSS, see the following: + + - `Introduction to Public-Key + Cryptography `__ + - `Introduction to + SSL `__ + + For links to API documentation, build instructions, and other useful information, see the + :ref:`mozilla_projects_nss`. + + As mentioned above, NSS is built on top of NSPR. The API documentation for NSPR is available at + `NSPR API + Reference `__. diff --git a/security/nss/doc/rst/community.rst b/security/nss/doc/rst/community.rst new file mode 100644 index 0000000000..02dad97509 --- /dev/null +++ b/security/nss/doc/rst/community.rst @@ -0,0 +1,70 @@ +.. _mozilla_projects_nss_community: + +Community +--------- + +Network Security Services (NSS) is maintained by a group of engineers and researchers, +mainly RedHat and Mozilla. + +.. warning:: + + While the NSS team focuses mainly on supporting platforms and features needded by + Firefox and RHEL, we are happy to take contributions. + +Contributors can reach out the the core team and follow NSS related news through the +following mailing list, Google group and Element/Matrix channel: + +.. note:: + + Mailing list: `https://groups.google.com/a/mozilla.org/g/dev-tech-crypto `__ + + Matrix/Element: `https://app.element.io/#/room/#nss:mozilla.org `__ + +.. + - View Mozilla Security forums... + + - `Mailing list `__ + - `Newsgroup `__ + - `RSS feed `__ + +.. _how_to_contribute: + +`How to Contribute <#how_to_contribute>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Start by opening a **Bugzilla** account at `bugzilla.mozilla.org `__ if you don't have one. + + ``NSS :: Libraries`` is the component for issues you'd like to work on. + We maintain a list of `NSS bugs marked with a keyword "good-first-bug" `__. + +.. _creating_your_patch: + +`Creating your Patch <#creating_your_patch>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + See our section on :ref:`mozilla_projects_nss_nss_sources_building_testing` to get started + making your patch. When you're satisfied with it, you'll need code review. + +.. _code_review: + +`Code Review <#code_review>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + `http://phabricator.services.mozilla.com/ `__ is our + code review tool, which uses your Bugzilla account. + + Use our `Phabricator user instructions `__ to upload patches for review. + Some items that will be evaluated during code review are `listed in checklist form on + Github. `__ + + After passing review, your patch can be landed by a member of the NSS team. Note that we don't land code that isn't both reviewed and tested. + +.. warning:: + + Please reach out to the team before engaging in a lot of work to make ensure we are willing to accept your contributions. diff --git a/security/nss/doc/rst/getting_started.rst b/security/nss/doc/rst/getting_started.rst new file mode 100644 index 0000000000..4505f4a60b --- /dev/null +++ b/security/nss/doc/rst/getting_started.rst @@ -0,0 +1,60 @@ +.. _mozilla_projects_nss_getting_started: + +.. warning:: + This NSS documentation was just imported from our legacy MDN repository. It currently is very deprecated and likely incorrect or broken in many places. + +Getting Started +=============== + +.. _how_to_get_involved_with_nss: + +`How to get involved with NSS <#how_to_get_involved_with_nss>`__ +---------------------------------------------------------------- + +.. container:: + + | Network Security Services (NSS) is a base library for cryptographic algorithms and secure + network protocols used by Mozilla software. + | Would you like to get involved and help us to improve the core security of Mozilla Firefox and + other applications that make use of NSS? We are looking forward to your contributions! + + .. note:: + + We have a large list of tasks waiting for attention, and we are happy to assist you in + identifying areas that match your interest or skills. You can find us on `chat.mozilla.org` + in channel `#nss `__ or you could ask your + questions on the `mozilla.dev.tech.crypto `__ newsgroup. + + + The NSS library and its supporting command line tools are written in the C programming language. + Its build system and the automated tests are based on makefiles and bash scripts. + + Over time, many documents have been produced that describe various aspects of NSS. You can start + with: + + - the current `primary NSS documentation page `__ + from which we link to other documentation. + - a `General Overview `__ of the + applications that use NSS and the features it provides. + - a high level :ref:`mozilla_projects_nss_an_overview_of_nss_internals`. + - learn about getting the :ref:`mozilla_projects_nss_nss_sources_building_testing` + - `Old documentation `__ that is on + the archived mozilla.org website. + + .. _nss_sample_code: + + `NSS Sample Code <#nss_sample_code>`__ + -------------------------------------- + + .. container:: + + A good place to start learning how to write NSS applications are the command line tools that are + maintained by the NSS developers. You can find them in subdirectory mozilla/security/nss/cmd + + Or have a look at some basic :ref:`mozilla_projects_nss_nss_sample_code`. + + A new set of samples is currently under development and review, see `Create new NSS + samples `__. + + You are welcome to download the samples via: hg clone https://hg.mozilla.org/projects/nss; cd + nss; hg update SAMPLES_BRANCH diff --git a/security/nss/doc/rst/index.rst b/security/nss/doc/rst/index.rst new file mode 100644 index 0000000000..bfbb1fab9e --- /dev/null +++ b/security/nss/doc/rst/index.rst @@ -0,0 +1,142 @@ +.. _mozilla_projects_nss: + +Network Security Services (NSS) +=============================== + +.. toctree:: + :maxdepth: 2 + :glob: + :hidden: + + build.rst + build_artifacts.rst + releases/index.rst + community.rst + +.. warning:: + This NSS documentation was just imported from our legacy MDN repository. It + currently is very deprecated and likely incorrect or broken in many places. + +.. container:: + + **Network Security Services** (**NSS**) is a set of libraries designed to + support cross-platform development of security-enabled client and server + applications. Applications built with NSS can support SSL v3, TLS, PKCS #5, + PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other + security standards. + + NSS is available under the Mozilla Public License v2 (MPLv2). + + If you're a developer and would like to contribute to NSS, you might want to + read the documents: + + .. rubric:: Getting Started + :name: Getting_Started + + :ref:`mozilla_projects_nss_building` + This page contains information how to download, build and test NSS. + + :ref:`mozilla_projects_nss_releases` + This page contains information about recent releases of NSS. + + :ref:`mozilla_projects_nss_nss_releases` + This page contains information about older releases of NSS. + + :ref:`mozilla_projects_nss_community` + This page contains information about the community and how to reach out. + + +.. warning:: + References below this point are part of the deprecated documentation and will + be ported in the future. You can contribute to refreshing this documentation + by submitting changes directly in the NSS repository (``nss/doc/rst``). + + .. rubric:: NSS APIs + :name: NSS_APIs + + :ref:`mozilla_projects_nss_introduction_to_network_security_services` + Provides an overview of the NSS libraries and what you need to know to use them. + :ref:`mozilla_projects_nss_ssl_functions` + Summarizes the SSL APIs exported by the NSS shared libraries. + :ref:`mozilla_projects_nss_reference` + API used to invoke SSL operations. + :ref:`mozilla_projects_nss_nss_api_guidelines` + Explains how the libraries and code are organized, and guidelines for developing code (naming + conventions, error handling, thread safety, etc.) + :ref:`mozilla_projects_nss_nss_tech_notes` + Links to NSS technical notes, which provide latest information about new NSS features and + supplementary documentation for advanced topics in programming with NSS. + + .. rubric:: Tools, testing, and other technical details + :name: Tools_testing_and_other_technical_details + + :ref:`mozilla_projects_nss_nss_developer_tutorial` + How to make changes in NSS. Coding style, maintaining ABI compatibility. + + :ref:`mozilla_projects_nss_tools` + Tools for developing, debugging, and managing applications that use NSS. + :ref:`mozilla_projects_nss_nss_sample_code` + Demonstrates how NSS can be used for cryptographic operations, certificate handling, SSL, etc. + :ref:`mozilla_projects_nss_nss_third-party_code` + A list of third-party code included in the NSS library. + `NSS 3.2 Test Suite `__ + **Archived version.** Describes how to run the standard NSS tests. + `NSS Performance Reports `__ + **Archived version.** Links to performance reports for NSS 3.2 and later releases. + `Encryption Technologies Available in NSS 3.11 `__ + **Archived version.** Lists the cryptographic algorithms used by NSS 3.11. + `NSS 3.1 Loadable Root Certificates `__ + **Archived version.** Describes the scheme for loading root CA certificates. + `cert7.db `__ + **Archived version.** General format of the cert7.db database. + + .. rubric:: PKCS #11 information + :name: PKCS_11_information + + - :ref:`mozilla_projects_nss_pkcs11` + - :ref:`mozilla_projects_nss_pkcs11_implement` + - :ref:`mozilla_projects_nss_pkcs11_module_specs` + - :ref:`mozilla_projects_nss_pkcs11_faq` + - `Using the JAR Installation Manager to Install a PKCS #11 Cryptographic + Module `__ + - `PKCS #11 Conformance Testing - Archived + version `__ + + .. rubric:: CA certificates pre-loaded into NSS + :name: CA_certificates_pre-loaded_into_NSS + + - `Mozilla CA certificate policy `__ + - `List of pre-loaded CA certificates `__ + + - Consumers of this list must consider the trust bit setting for each included root + certificate. `More + Information `__, `Extracting + roots and their trust bits `__ + + .. rubric:: NSS is built on top of Netscape Portable Runtime (NSPR) + :name: NSS_is_built_on_top_of_Netscape_Portable_Runtime_NSPR + + - :ref:`NSPR` - NSPR project page. + - :ref:`NSPR API Reference` - NSPR API documentation. + + .. rubric:: Additional Information + :name: Additional_Information + + - `Using the window.crypto object from + JavaScript `__ + - :ref:`mozilla_projects_nss_http_delegation` + - :ref:`mozilla_projects_nss_tls_cipher_suite_discovery` + - :ref:`mozilla_projects_nss_certificate_download_specification` + - :ref:`mozilla_projects_nss_fips_mode_-_an_explanation` + - :ref:`mozilla_projects_nss_key_log_format` + + .. rubric:: Planning + :name: Planning + + Information on NSS planning can be found at `wiki.mozilla.org `__, + including: + + - `FIPS Validation `__ + - `NSS Roadmap page `__ + - `NSS Improvement + Project `__ diff --git a/security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst b/security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst new file mode 100644 index 0000000000..7d705198a8 --- /dev/null +++ b/security/nss/doc/rst/legacy/an_overview_of_nss_internals/index.rst @@ -0,0 +1,302 @@ +.. _mozilla_projects_nss_an_overview_of_nss_internals: + +An overview of NSS Internals +============================ + +.. container:: + + | A High-Level Overview to the Internals of `Network Security Services + (NSS) `__ + | Software developed by the Mozilla.org projects traditionally used its own implementation of + security protocols and cryptographic algorithms, originally called Netscape Security Services, + nowadays called Network Security Services (NSS). NSS is a library written in the C programming + language. It's free and open source software, and many other software projects have decided to + use it. In order to support multiple operating systems (OS), it is based on a cross platform + portability layer, called the Netscape Portable Runtime (NSPR), which provides cross platform + application programming interfaces (APIs) for OS specific APIs like file system access, memory + management, network communication, and multithreaded programming. + | NSS offers lots of functionality; we'll walk through the list of modules, design principles, + and important relevant standards. + | In order to allow interoperability between software and devices that perform cryptographic + operations, NSS conforms to a standard called PKCS#11. (Note that it's important to look at the + number 11, as there are other PKCS standards with different numbers that define quite different + topics.) + | A software or hardware module conforming to the PKCS#11 standard implements an interface of C + calls, which allow querying the characteristics and offered services of the module. Multiple + elements of NSS's own modules have been implemented with this interface, and NSS makes use of + this interface when talking to those modules. This strategy allows NSS to work with many + hardware devices (e.g., to speed up the calculations required for cryptographic operations, or + to access smartcards that securely protect a secret key) and software modules (e.g., to allow + to load such modules as a plugin that provides additional algorithms or stores key or trust + information) that implement the PKCS#11 interface. + | A core element of NSS is FreeBL, a base library providing hash functions, big number + calculations, and cryptographic algorithms. + | Softoken is an NSS module that exposes most FreeBL functionality as a PKCS#11 module. + | Some cryptography uses the same secret key for both encrypting and decrypting, for example + password based encryption (PBE). This is often sufficient if you encrypt data for yourself, but + as soon as you need to exchange signed/encrypted data with communication partners, using public + key encryption simplifies the key management. The environment that describes how to use public + key encryption is called Public Key Infrastructure (PKI). The public keys that are exchanged + between parties are transported using a container; the container is called a certificate, + following standard X.509 version 3. A certificate contains lots of other details; for example, + it contains a signature by a third party that expresses trust in the ownership relationship for + the certificate. The trust assigned by the third party might be restricted to certain uses, + which are listed in certificate extensions that are contained in the certificate. + | Many (if not most) of the operations performed by NSS involve the use of X.509 certificates + (often abbreviated as “cert”, unfortunately making it easy to confuse with the term “computer + emergency response team“). + | When checking whether a certificate is trusted or not, it's necessary to find a relevant trust + anchor (root certificate) that represents the signing capability of a trusted third party, + usually called a Certificate Authority (CA). A trust anchor is just another X.509 certificate + that is already known and has been deliberately marked as trusted by a software vendor, + administrators inside an organizational infrastructure, or the software user. NSS ships a + predefined set of CA certificates. This set, including their trust assignments, is provided by + NSS as a software module, called CKBI (“built-in root certificates”), which also implements the + PKCS#11 interface. On an organizational level the contents of the set are managed according to + the Mozilla CA policy. On a technical level the set is a binary software module. + | A cryptographic transaction, such as encryption or decryption related to a data exchange, + usually involves working with the X.509 certs of your communication partners (peer). It's also + required that you safely keep your own secret keys that belong to your own certificates. You + might want to protect the storage of your secret keys with PBE. You might decide to modify the + default trust provided by NSS. All of this requires storing, looking up, and retrieving data. + NSS simplifies performing these operations by offering storage and management APIs. NSS doesn't + require the programmer to manage individual files containing individual certificates or keys. + Instead, NSS offers to use its own database(s). Once you have imported certificates and keys + into the NSS database, you can easily look them up and use them again. + | Because of NSS's expectation to operate with an NSS database, it's mandatory that you perform + an initialization call, where you tell NSS which database you will be using. In the most simple + scenario, the programmer will provide a directory on your filesystem as a parameter to the init + function, and NSS is designed to do the rest. It will detect and open an existing database, or + it can create a new one. Alternatively, should you decide that you don't want to work with any + persistent recording of certificates, you may initialize NSS in a no-database mode. Usually, + NSS will flush all data to disk as soon as new data has been added to permanent storage. + Storage consists of multiple files: a key database file, which contains your secret keys, and a + certificate database file which contains the public portion of your own certificates, the + certificates of peers or CAs, and a list of trust decisions (such as to not trust a built-in + CA, or to explicitly trust other CAs). Examples for the database files are key3.db and + cert8.db, where the numbers are file version numbers. A third file contains the list of + external PKCS#11 modules that have been registered to be used by NSS. The file could be named + secmod.db, but in newer database generations a file named pkcs11.txt is used. + | Only NSS is allowed to access and manipulate these database files directly; a programmer using + NSS must go through the APIs offered by NSS to manipulate the data stored in these files. The + programmer's task is to initialize NSS with the required parameters (such as a database), and + NSS will then transparently manage the database files. + | Most of the time certificates and keys are supposed to be stored in the NSS database. + Therefore, after initial import or creation, the programmer usually doesn't deal with their raw + bytes. Instead, the programmer will use lookup functions, and NSS will provide an access handle + that will be subsequently used by the application's code. Those handles are reference counted. + NSS will usually create an in-memory (RAM) presentation of certificates, once a certificate has + been received from the network, read from disk, or looked up from the database, and prepare + in-memory data structures that contain the certificate's properties, as well as providing a + handle for the programmer to use. Once the application is done with a handle, it should be + released, allowing NSS to free the associated resources. When working with handles to private + keys it's usually difficult (and undesired) that an application gets access to the raw key + data; therefore it may be difficult to extract such data from NSS. The usual minimum + requirement is that private keys must be wrapped using a protective layer (such as + password-based encryption). The intention is to make it easier to review code for security. The + less code that has access to raw secret keys, the less code that must be reviewed. + | NSS has only limited functionality to look up raw keys. The preferred approach is to use + certificates, and to look up certificates by properties such as the contained subject name + (information that describes the owner of the certificate). For example, while NSS supports + random calculation (creation) of a new public/private key pair, it's difficult to work with + such a raw key pair. The usual approach is to create a certificate signing request (CSR) as + soon as an application is done with the creation step, which will have created a handle to the + key pair, and which can be used for the necessary related operations, like producing a + proof-of-ownership of the private key, which is usually required when submitting the public key + with a CSR to a CA. The usual follow up action is receiving a signed certificate from a CA. + (However, it's also possible to use NSS functionality to create a self-signed certificate, + which, however, usually won't be trusted by other parties.) Once received, it's sufficient to + tell NSS to import such a new certificate into the NSS database, and NSS will automatically + perform a lookup of the embedded public key, be able to find the associated private key, and + subsequently be able to treat it as a personal certificate. (A personal certificate is a + certificate for which the private key is in possession, and which could be used for signing + data or for decrypting data.) A unique nickname can/should be assigned to the certificate at + the time of import, which can later be used to easily identify and retrieve it. + | It's important to note that NSS requires strict cleanup for all handles returned by NSS. The + application should always call the appropriate dereference (destroy) functions once a handle is + no longer needed. This is particularly important for applications that might need to close a + database and reinitialize NSS using a different one, without restarting. Such an operation + might fail at runtime if data elements are still being referenced. + | In addition to the FreeBL, Softoken, and CKBI modules, there is an utility library for general + operations (e.g., encoding/decoding between data formats, a list of standardized object + identifiers (OID)). NSS has an SSL/TLS module that implements the Secure Sockets + Layer/Transport Layer Security network protocols, an S/MIME module that implements CMS + messaging used by secure email and some instant messaging implementations, a DBM library that + implements the classic database storage, and finally a core NSS library for the big set of + “everything else”. Newer generations of the database use the SQLite database to allow + concurrent access by multiple applications. + | All of the above are provided as shared libraries. The CRMF library, which is used to produce + certain kinds of certificate requests, is available as a library for static linking only. + | When dealing with certificates (X.509), file formats such as PKCS#12 (certificates and keys), + PKCS#7 (signed data), and message formats as CMS, we should mention ASN.1, which is a syntax + for storing structured data in a very efficient (small sized) presentation. It was originally + developed for telecommunication systems at times where it was critical to minimize data as much + as possible (although it still makes sense to use that principle today for good performance). + In order to process data available in the ASN.1 format, the usual approach is to parse it and + transfer it to a presentation that requires more space but is easier to work with, such as + (nested) C data structures. Over the time NSS has received three different ASN.1 parser + implementations, each having their own specific properties, advantages and disadvantages, which + is why all of them are still being used (nobody has yet dared to replace the older with the + newer ones because of risks for side effects). When using the ASN.1 parser(s), a template + definition is passed to the parser, which will analyze the ASN.1 data stream accordingly. The + templates are usually closely aligned to definitions found in RFC documents. + | A data block described as DER is usually in ASN.1 format. You must know which data you are + expecting, and use the correct template for parsing, based on the context of your software's + interaction. Data described as PEM is a base64 encoded presentation of DER, usually wrapped + between human readable BEGIN/END lines. NSS prefers the binary presentation, but is often + capable to use base64 or ASCII presentations, especially when importing data from files. A + recent development adds support for loading external PEM files that contain private keys, in a + software library called nss-pem, which is separately available, but should eventually become a + core part of NSS. + | Looking at the code level, NSS deals with blocks of raw data all the time. The common structure + to store such an untyped block is SECItem, which contains a size and an untyped C pointer + variable. + | When dealing with memory, NSS makes use of arenas, which are an attempt to simplify management + with the limited offerings of C (because there are no destructors). The idea is to group + multiple memory allocations in order to simplify cleanup. Performing an operation often + involves allocating many individual data items, and the code might be required to abort a task + at many positions in the logic. An arena is requested once processing of a task starts, and all + memory allocations that are logically associated to that task are requested from the associated + arena. The implementation of arenas makes sure that all individual memory blocks are tracked. + Once a task is done, regardless whether it completed or was aborted, the programmer simply + needs to release the arena, and all individually allocated blocks will be released + automatically. Often freeing is combined with immediately erasing (zeroing, zfree) the memory + associated to the arena, in order to make it more difficult for attackers to extract keys from + a memory dump. + | NSS uses many C data structures. Often NSS has multiple implementations for the same or similar + concepts. For example, there are multiple presentations of certificates, and the NSS internals + (and sometimes even the application using NSS) might have to convert between them. + | Key responsibilites of NSS are verification of signatures and certificates. In order to verify + a digital signature, we have to look at the application data (e.g., a document that was + signed), the signature data block (the digital signature), and a public key (as found in a + certificate that is believed to be the signer, e.g., identified by metadata received together + with the signature). The signature is verified if it can be shown that the signature data block + must have been produced by the owner of the public key (because only that owner has the + associated private key). + | Verifying a certificate (A) requires some additional steps. First, you must identify the + potential signer (B) of a certificate (A). This is done by reading the “issuer name” attribute + of a certificate (A), and trying to find that issuer certificate (B) (by looking for a + certificate that uses that name as its “subject name”). Then you attempt to verify the + signature found in (A) using the public key found in (B). It might be necessary to try multiple + certificates (B1, B2, ...) each having the same subject name. + | After succeeding, it might be necessary to repeat this procedure recursively. The goal is to + eventually find a certificate B (or C or ...) that has an appropriate trust assigned (e.g., + because it can be found in the CKBI module and the user hasn't made any overriding trust + decisions, or it can be found in a NSS database file managed by the user or by the local + environment). + | After having successfully verified the signatures in a (chain of) issuer certificate(s), we're + still not done with verifying the certificate A. In a PKI it's suggested/required to perform + additional checks. For example: Certificates were valid at the time the signature was made, + name in certificates matches the expected signer (check subject name, common name, email, based + on application), the trust restrictions recorded inside the certificate (extensions) permit the + use (e.g., encryption might be allowed, but not signing), and based on environment/application + policy it might be required to perform a revocation check (OCSP or CRL), that asks the + issuer(s) of the certificates whether there have been events that made it necessary to revoke + the trust (revoke the validity of the cert). + | Trust anchors contained in the CKBI module are usually self signed, which is defined as having + identical subject name and issuer name fields. If a self-signed certificate is marked as + explicitly trusted, NSS will skip checking the self-signature for validity. + | NSS has multiple APIs to perform verification of certificates. There is a classic engine that + is very stable and works fine in all simple scenarios, for example if all (B) candidate issuer + certificates have the same subject and issuer names and differ by validity period; however, it + works only in a limited amount of more advanced scenarios. Unfortunately, the world of + certificates has become more complex in the recent past. New Certificate Authorities enter the + global PKI market, and in order to get started with their business, they might make deals with + established CAs and receive so-called cross-signing-certificates. As a result, when searching + for a trust path from (A) to a trusted anchor (root) certificate (Z), the set of candidate + issuer certificates might have different issuer names (referring to the second or higher issuer + level). As a consequence, it will be necessary to try multiple different alternative routes + while searching for (Z), in a recursive manner. Only the newer verification engine (internally + named libPKIX) is capable of doing that properly. + | It's worth mentioning the Extended Validation (EV) principle, which is an effort by software + vendors and CAs to define a stricter set of rules for issuing certificates for web site + certificates. Instead of simply verifying that the requester of a certificate is in control of + an administrative email address at the desired web site's domain, it's required that the CA + performs a verification of real world identity documents (such as a company registration + document with the country's authority), and it's also required that a browser software performs + a revocation check with the CA, prior to granting validity to the certificate. In order to + distinguish an EV certificate, CAs will embed a policy OID in the certificate, and the browser + is expected to verify that a trust chain permits the end entity (EE) certificate to make use of + the policy. Only the APIs of the newer libPKIX engine are capable of performing a policy + verification. + | That's a good opportunity to talk about SSL/TLS connections to servers in general (not just EV, + not just websites). Whenever this document mentions SSL, it refers to either SSL or TLS. (TLS + is a newer version of SSL with enhanced features.) + | When establishing an SSL connection to a server, (at least) a server certificate (and its trust + chain) is exchanged from the server to the client (e.g., the browser), and the client verifies + that the certificate can be verified (including matching the name of the expected destination + server). Another part of the handshake between both parties is a key exchange. Because public + key encryption is more expensive (more calculations required) than symmetric encryption (where + both parties use the same key), a key agreement protocol will be executed, where the public and + private keys are used to proof and verify the exchanged initial information. Once the key + agreement is done, a symmetric encryption will be used (until a potential re-handshake on an + existing channel). The combination of the hash and encryption algorithms used for a SSL + connection is called a cipher suite. + | NSS ships with a set of cipher suites that it supports at a technical level. In addition, NSS + ships with a default policy that defines which cipher suites are enabled by default. An + application is able to modify the policy used at program runtime, by using function calls to + modify the set of enabled cipher suites. + | If a programmer wants to influence how NSS verifies certificates or how NSS verifies the data + presented in a SSL connection handshake, it is possible to register application-defined + callback functions which will be called by NSS at the appropriate point of time, and which can + be used to override the decisions made by NSS. + | If you would like to use NSS as a toolkit that implements SSL, remember that you must init NSS + first. But if you don't care about modifying the default trust permanently (recorded on disk), + you can use the no-database init calls. When creating the network socket for data exchange, + note that you must use the operating system independent APIs provided by NSPR and NSS. It might + be interesting to mention a property of the NSPR file descriptors, which are stacked in layers. + This means you can define multiple layers that are involved in data processing. A file + descriptor has a pointer to the first layer handling the data. That layer has a pointer to a + potential second layer, which might have another pointer to a third layer, etc. Each layer + defines its own functions for the open/close/read/write/poll/select (etc.) functions. When + using an SSL network connection, you'll already have two layers, the basic NSPR layer and an + SSL library layer. The Mozilla applications define a third layer where application specific + processing is performed. You can find more details in the NSPR reference documents. + | NSS occassionally has to create outbound network connections, in addition to the connections + requested by the application. Examples are retrieving OCSP (Online Certificate Status Protocol) + information or downloading a CRL (Certificate Revocation List). However, NSS doesn't have an + implementation to work with network proxies. If you must support proxies in your application, + you are able to register your own implementation of an http request callback interface, and NSS + can use your application code that supports proxies. + | When using hashing, encryption, and decryption functions, it is possible to stream data (as + opposed to operating on a large buffer). Create a context handle while providing all the + parameters required for the operation, then call an “update” function multiple times to pass + subsets of the input to NSS. The data will be processed and either returned directly or sent to + a callback function registered in the context. When done, you call a finalization function that + will flush out any pending data and free the resources. + | This line is a placeholder for future sections that should explain how libpkix works and is + designed. + | If you want to work with NSS, it's often helpful to use the command line utilities that are + provided by the NSS developers. There are tools for managing NSS databases, for dumping or + verifying certificates, for registering PKCS#11 modules with a database, for processing CMS + encrypted/signed messages, etc. + | For example, if you wanted to create your own pair of keys and request a new certificate from a + CA, you could use certutil to create an empty database, then use certutil to operate on your + database and create a certificate request (which involves creating the desired key pair) and + export it to a file, submit the request file to the CA, receive the file from the CA, and + import the certificate into your database. You should assign a good nickname to a certificate + when importing it, making it easier for you to refer to it later. + | It should be noted that the first database format that can be accessed simultaneously by + multiple applications is key4.db/cert9.db – database files with lower numbers will most likely + experience unrecoverable corruption if you access them with multiple applications at the same + time. In other words, if your browser or your server operates on an older NSS database format, + don't use the NSS tools to operate on it while the other software is executing. At the time of + writing NSS and the Mozilla applications still use the older database file format by default, + where each application has its own NSS database. + | If you require a copy of a certificate stored in an NSS database, including its private key, + you can use pk12util to export it to the PKCS#12 file format. If you require it in PEM format, + you could use the openssl pkcs12 command (that's not NSS) to convert the PKCS#12 file to PEM. + | This line is a placeholder for how to prepare a database, how to dump a cert, and how to + convert data. + | You might have been motivated to work with NSS because it is used by the Mozilla applications + such as Firefox, Thunderbird, etc. If you build the Mozilla application, it will automatically + build the NSS library, too. However, if you want to work with the NSS command line tools, you + will have to follow the standalone NSS build instructions, and build NSS outside of the Mozilla + application sources. + | The key database file will contain at least one symmetric key, which NSS will automatically + create on demand, and which will be used to protect your secret (private) keys. The symmetric + key can be protected with PBE by setting a master password on the database. As soon as you set + a master password, an attacker stealing your key database will no longer be able to get access + to your private key, unless the attacker would also succeed in stealing the master password. + | Now you might be interest in how to get the + :ref:`mozilla_projects_nss_nss_sources_building_testing` \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/blank_function/index.rst b/security/nss/doc/rst/legacy/blank_function/index.rst new file mode 100644 index 0000000000..5541bf1a69 --- /dev/null +++ b/security/nss/doc/rst/legacy/blank_function/index.rst @@ -0,0 +1,70 @@ +.. _mozilla_projects_nss_blank_function: + +Function_Name +============= + +.. container:: + + One-line description of what the function does (more than just what it returns). + +`Syntax <#syntax>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + #include + ReturnType Function_Name( + + ParamType ParamName, + ParamType ParamName, ); + +`Parameters <#parameters>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + +---------------+---------------------------------------------------------------------------------+ + | ``ParamName`` | Sample: *in* pointer to a `CERTCertDBHandle `__ | + | | representing the certificate database to look in | + +---------------+---------------------------------------------------------------------------------+ + | ``ParamName`` | Sample: *in* pointer to an `SECItem `__ whose ``type`` must | + | | be ``siDERCertBuffer`` and whose ``data`` contains a DER-encoded certificate | + +---------------+---------------------------------------------------------------------------------+ + +`Description <#description>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Long description of this function, what it does, and why you would use it. Describe all + side-effects on "out" parameters. Avoid describing the return until the next section, for + example: + + This function looks in the NSSCryptoContext and the NSSTrustDomain to find the certificate that + matches the DER-encoded certificate. A match is found when the issuer and serial number of the + DER-encoded certificate are found on a certificate in the certificate database. + +`Returns <#returns>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Full description of the return value, for example: + + A pointer to a `CERTCertificate `__ representing the certificate in + the database that matched the ``derCert``, or ``NULL`` if none was found. The certificate is a + shallow copy, use `CERT_DestroyCertificate `__ to decrement + the reference count on the certificate instance. + +.. _see_also: + +`See Also <#see_also>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Copy of the MXR link, with the following text + + Occurrences of ``Function_Name`` in the current NSS source code (generated by MXR). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/building/index.rst b/security/nss/doc/rst/legacy/building/index.rst new file mode 100644 index 0000000000..153166e904 --- /dev/null +++ b/security/nss/doc/rst/legacy/building/index.rst @@ -0,0 +1,159 @@ +.. _mozilla_projects_nss_building_ported: + +Building NSS +============ + +`Introduction <#introduction>`__ +-------------------------------- + +.. container:: + + This page has detailed information on how to build NSS. Because NSS is a cross-platform library + that builds on many different platforms and has many options, it may be complex to build. Please + read these instructions carefully before attempting to build. + +.. _build_environment: + +`Build environment <#build_environment>`__ +------------------------------------------ + +.. container:: + + NSS needs a C and C++ compiler. It has minimal dependencies, including only standard C and C++ + libraries, plus `zlib `__. + + For building, you also need `make `__. Ideally, also install + `gyp `__ and `ninja `__ and put them on your + path. This is recommended, as the build is faster and more reliable. + +`Windows <#windows>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS compilation on Windows uses the same shared build system as Mozilla Firefox. You must first + install the `Windows + Prerequisites `__, + including **MozillaBuild**. + + You can also build NSS on the Windows Subsystem for Linux, but the resulting binaries aren't + usable by other Windows applications. + +.. _get_the_source: + +`Get the source <#get_the_source>`__ +------------------------------------ + +.. container:: + + NSS and NSPR use Mercurial for source control like other Mozilla projects. To check out the + latest sources for NSS and NSPR--which may not be part of a stable release--use the following + commands: + + .. code:: + + hg clone https://hg.mozilla.org/projects/nspr + hg clone https://hg.mozilla.org/projects/nss + + To get the source of a specific release, see :ref:`mozilla_projects_nss_nss_releases`. + +`Build <#build>`__ +------------------ + +.. container:: + + Build NSS using our build script: + + .. code:: + + nss/build.sh + + This builds both NSPR and NSS. + +.. _build_with_make: + +`Build with make <#build_with_make>`__ +-------------------------------------- + +.. container:: + + Alternatively, there is a ``make`` target called "nss_build_all", which produces a similar + result. This supports some alternative options, but can be a lot slower. + + .. code:: + + make -C nss nss_build_all USE_64=1 + + The make-based build system for NSS uses a variety of variables to control the build. Below are + some of the variables, along with possible values they may be set to. + + BUILD_OPT + 0 + Build a debug (non-optimized) version of NSS. *This is the default.* + 1 + Build an optimized (non-debug) version of NSS. + + USE_64 + 0 + Build for a 32-bit environment/ABI. *This is the default.* + 1 + Build for a 64-bit environment/ABI. *This is recommended.* + + USE_ASAN + 0 + Do not create an `AddressSanitizer `__ + build. *This is the default.* + 1 + Create an AddressSanitizer build. + +.. _unit_testing: + +`Unit testing <#unit_testing>`__ +-------------------------------- + +.. container:: + + NSS contains extensive unit tests. Scripts to run these are found in the ``tests`` directory. + Run the standard suite by: + + .. code:: + + HOST=localhost DOMSUF=localdomain USE_64=1 nss/tests/all.sh + +.. _unit_test_configuration: + +`Unit test configuration <#unit_test_configuration>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + | NSS tests are configured using environment variables. + | The scripts will attempt to infer values for ``HOST`` and ``DOMSUF``, but can fail. Replace + ``localhost`` and ``localdomain`` with the hostname and domain suffix for your host. You need + to be able to connect to ``$HOST.$DOMSUF``. + + If you don't have a domain suffix you can add an entry to ``/etc/hosts`` (on + Windows,\ ``c:\Windows\System32\drivers\etc\hosts``) as follows: + + .. code:: + + 127.0.0.1 localhost.localdomain + + Validate this opening a command shell and typing: ``ping localhost.localdomain``. + + Remove the ``USE_64=1`` override if using a 32-bit build. + +.. _test_results: + +`Test results <#test_results>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Running all tests can take a considerable amount of time. + + Test output is stored in ``tests_results/security/$HOST.$NUMBER/``. The file ``results.html`` + summarizes the results, ``output.log`` captures all the test output. + + Other subdirectories of ``nss/tests`` contain scripts that run a subset of the full suite. Those + can be run directly instead of ``all.sh``, which might save some time at the cost of coverage. diff --git a/security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst b/security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst new file mode 100644 index 0000000000..7e297a2df5 --- /dev/null +++ b/security/nss/doc/rst/legacy/cert_findcertbydercert/index.rst @@ -0,0 +1,64 @@ +.. _mozilla_projects_nss_cert_findcertbydercert: + +CERT_FindCertByDERCert +====================== + +.. container:: + + Find a certificate in the database that matches a DER-encoded certificate. + +`Syntax <#syntax>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + #include + CERTCertificate *CERT_FindCertByDERCert( + + CERTCertDBHandle *handle, + SECItem *derCert ); + +`Parameters <#parameters>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + +-------------+-----------------------------------------------------------------------------------+ + | ``handle`` | *in* pointer to a `CERTCertDBHandle `__ representing | + | | the certificate database to look in | + +-------------+-----------------------------------------------------------------------------------+ + | ``derCert`` | *in* pointer to an `SECItem `__ whose ``type`` must be | + | | ``siDERCertBuffer`` and whose ``data`` contains a DER-encoded certificate | + +-------------+-----------------------------------------------------------------------------------+ + +`Description <#description>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This function looks in the ?NSSCryptoContext? and the ?NSSTrustDomain? to find the certificate + that matches the DER-encoded certificate. A match is found when the issuer and serial number of + the DER-encoded certificate are found on a certificate in the certificate database. + +`Returns <#returns>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A pointer to a `CERTCertificate `__ representing the certificate in + the database that matched the ``derCert``, or ``NULL`` if none was found. The certificate is a + shallow copy, use `CERT_DestroyCertificate `__ to decrement + the reference count on the certificate instance. + +.. _see_also: + +`See Also <#see_also>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Occurrences of + ```CERT_FindCertByDERCert`` `__ + in the current NSS source code (generated by `LXR `__). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst b/security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst new file mode 100644 index 0000000000..933fff206c --- /dev/null +++ b/security/nss/doc/rst/legacy/cert_findcertbyissuerandsn/index.rst @@ -0,0 +1,82 @@ +.. _mozilla_projects_nss_cert_findcertbyissuerandsn: + +CERT_FindCertByIssuerAndSN +========================== + +.. container:: + + Find a certificate in the database with the given issuer and serial number. + +`Syntax <#syntax>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + #include + CERTCertificate *CERT_FindCertByIssuerAndSN ( + + CERTCertDBHandle *handle, + CERTIssuerAndSN *issuerAndSN ); + +`Parameters <#parameters>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + +-----------------+-------------------------------------------------------------------------------+ + | ``handle`` | *in* pointer to a `CERTCertDBHandle `__ | + | | representing the certificate database to look in | + +-----------------+-------------------------------------------------------------------------------+ + | ``issuerAndSN`` | *in* pointer to a `CERTIssuerAndSN `__ that must | + | | be properly formed to contain the issuer name and the serial number (see | + | | [Example]) | + +-----------------+-------------------------------------------------------------------------------+ + +`Description <#description>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This function creates a certificate key using the ``issuerAndSN`` and it then uses the key to + find the matching certificate in the database. + +`Returns <#returns>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A pointer to a `CERTCertificate `__ representing the certificate in + the database that matched the issuer and serial number, or ``NULL`` if none was found. The + certificate is a shallow copy, use + `CERT_DestroyCertificate `__ to decrement the reference count + on the certificate instance. + +`Example <#example>`__ +~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. code:: + + CERTIssuerAndSN issuerSN; + issuerSN.derIssuer.data = caName->data; + issuerSN.derIssuer.len = caName->len; + issuerSN.serialNumber.data = authorityKeyID->authCertSerialNumber.data; + issuerSN.serialNumber.len = authorityKeyID->authCertSerialNumber.len; + issuerCert = CERT_FindCertByIssuerAndSN(cert->dbhandle, &issuerSN); + if ( issuerCert == NULL ) { + PORT_SetError (SEC_ERROR_UNKNOWN_ISSUER); + } + +.. _see_also: + +`See Also <#see_also>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Occurrences of + ```CERT_FindCertByIssuerAndSN`` `__ + in the current NSS source code (generated by `LXR `__). \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/certificate_download_specification/index.rst b/security/nss/doc/rst/legacy/certificate_download_specification/index.rst new file mode 100644 index 0000000000..5fe98aa6b9 --- /dev/null +++ b/security/nss/doc/rst/legacy/certificate_download_specification/index.rst @@ -0,0 +1,186 @@ +.. _mozilla_projects_nss_certificate_download_specification: + +NSS Certificate Download Specification +====================================== + +.. container:: + + This document describes the data formats used by NSS 3.x for installing certificates. This + document is currently being revised and has not yet been reviewed for accuracy. + +.. _data_formats: + +`Data Formats <#data_formats>`__ +-------------------------------- + +.. container:: + + NSS can accept certificates in several formats. In all cases the certificates are X509 version 1, + 2, or 3. + +.. _binary_formats: + +`Binary Formats <#binary_formats>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS's certificate loader will recognize several binary formats. They are: + + - **DER encoded certificate:** This is a single binary DER encoded certificate. + - **PKCS#7 certificate chain:** This is a single + `PKCS#7 `__ ``SignedData`` object. The only + significant field in the ``SignedData`` object is the ``certificates`` field, which may + contain multiple certificates to be imported together. The contents of the ``version``, + ``digestAlgorithms``, ``contentInfo``, ``crls``, and ``signerInfos`` fields are ignored. + - **Netscape Certificate Sequence:** This is another + `PKCS#7 `__ object format, and like the + ``SignedData`` format, it allows multiple certificates to be imported together. This format is + simpler than the `PKCS#7 `__ ``SignedData`` + object format. It consists of a `PKCS#7 `__ + ``ContentInfo`` structure, wrapping a sequence of certificates. The ``contentType`` field OID + must be ``netscape-cert-sequence`` (see + :ref:`mozilla_projects_nss_certificate_download_specification#object_identifiers`). The + ``content`` field is the following ASN.1 structure: + + .. code:: + + CertificateSequence ::= SEQUENCE OF Certificate + + See the section below on + :ref:`mozilla_projects_nss_certificate_download_specification#importing_certificate_chains` for + more information about how multiple certificates are handled. + +.. _text_formats: + +`Text Formats <#text_formats>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Any of the above :ref:`mozilla_projects_nss_certificate_download_specification#binary_formats` + can also be imported in text form. The text form begins with the following line: + + .. code:: + + -----BEGIN CERTIFICATE----- + + Following this line should be the certificate data, which can be in any of the + :ref:`mozilla_projects_nss_certificate_download_specification#binary_formats` described above. + This data must be base64 encoded as described by `RFC + 1113 `__. Following the data should be the + following line: + + .. code:: + + -----END CERTIFICATE----- + + In a text format download, NSS ignores any text before the first ``BEGIN CERTIFICATE`` line, and + ignores any text after the first ``END CERTIFICATE`` line. Between those two lines, there must be + exactly ONE item of any of the supported binary formats described above, and that one item must + be base64 encoded. Regardless of which of the supported binary formats is used, the ``BEGIN`` and + ``END`` lines must say ``CERTIFICATE``, and not any other word (such as ``KEY``). The ``BEGIN`` + and ``END`` lines must begin and end with 5 dashes, with no extra leading or trailing white space + (excluding the End Of Line characters). + +.. _importing_certificate_chains: + +`Importing Certificate Chains <#importing_certificate_chains>`__ +---------------------------------------------------------------- + +.. container:: + + Several of the formats described above can contain several certificates. When NSS's certificate + decoder encounters one of these collections of multiple certificates they are handled in the + following way: + + - The first certificate is processed in a context specific manner, depending upon how it is + being imported. For Mozilla browsers, this handling will depend upon the mime ``Content-Type`` + that is used on the object being downloaded. For NSS-based servers it will depend upon the + options selected in the server's administration interface. + + - Subsequent certificates are all treated the same. If the certificates contain a + ``BasicConstraints`` certificate extension that indicates they are CA certificates, and do not + already exist in the local certificate database, they are added as untrusted CAs. In this way + they may be used for certificate chain validation, as long as there is a trusted CA somewhere + along the chain. + +.. _importing_certificates_into_mozilla_browsers: + +`Importing Certificates into Mozilla browsers <#importing_certificates_into_mozilla_browsers>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Mozilla browsers import certificates found in HTTP protocol responses. There are several mime + content types that are used to indicate to the browser what type of certificate is being + imported. These mime types are: + + - **``application/x-x509-user-cert``** The certificate being downloaded is a user certificate + belonging to the user operating the browser. If the private key associated with the + certificate does not exist in the user's local key database, then an error dialog is generated + and the certificate is not imported. If a certificate chain is being imported then the first + certificate in the chain must be the user certificate, and any subsequent certificates will be + added as untrusted CA certificates to the local database. + - **``application/x-x509-ca-cert``** The certificate being downloaded represents a Certificate + Authority. When it is downloaded the user will be shown a sequence of dialogs that will guide + them through the process of accepting the Certificate Authority and deciding if they wish to + trust sites certified by the CA. If a certificate chain is being imported then the first + certificate in the chain must be the CA certificate, and any subsequent certificates will be + added as untrusted CA certificates to the local database. + - **``application/x-x509-email-cert``** The certificate being downloaded is a user certificate + belonging to another user for use with S/MIME. If a certificate chain is being imported then + the first certificate in the chain must be the user certificate, and any subsequent + certificates will be added as untrusted CA certificates to the local database. This is + intended to allow people or CAs to post their e-mail certificates on web pages for download by + other users who want to send them encrypted mail. + + Note: the browser checks that the size of the object being downloaded matches the size of the + encoded certificates. Therefore it is important to ensure that no extra characters, such as NULLs + or LineFeeds are added at the end of the object. + +.. _importing_certificates_into_nss-based_servers: + +`Importing Certificates into NSS-based servers <#importing_certificates_into_nss-based_servers>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Consult your server's administration guide for the most accurate information. For some NSS-base + servers, the following information is correct. + + Server certificates are imported via the server admin interface. Certificates are pasted into a + text input field in an HTML form, and then the form is submitted to the admin server. Since the + certificates are pasted into text fields, only the + :ref:`mozilla_projects_nss_certificate_download_specification#text_formats` described above are + supported for servers. The type of certificate being imported (e.g. server or CA or cert chain) + is specified by the server administrator by selections made on the admin pages. If a certificate + chain is being imported then the first certificate in the chain must be the server or CA + certificate, and any subsequent certificates will be added as untrusted CA certificates to the + local database. + +.. _object_identifiers: + +`Object Identifiers <#object_identifiers>`__ +-------------------------------------------- + +.. container:: + + The base of all Netscape object ids is: + + .. code:: + + netscape OBJECT IDENTIFIER ::= { 2 16 840 1 113730 } + + The hexadecimal byte value of this OID when DER encoded is: + + .. code:: + + 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42 + + The following OIDs are mentioned in this document: + + .. code:: + + netscape-data-type OBJECT IDENTIFIER :: = { netscape 2 } + netscape-cert-sequence OBJECT IDENTIFIER :: = { netscape-data-type 5 } \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/certificate_functions/index.rst b/security/nss/doc/rst/legacy/certificate_functions/index.rst new file mode 100644 index 0000000000..c1fc801c58 --- /dev/null +++ b/security/nss/doc/rst/legacy/certificate_functions/index.rst @@ -0,0 +1,410 @@ +.. _mozilla_projects_nss_certificate_functions: + +Certificate functions +===================== + +.. container:: + + The public functions listed here are used to interact with certificate databases. + + If documentation is available for a function listed below, the function name is linked to either + its MDC wiki page or its entry in the + :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference`. The `Mozilla Cross + Reference `__ (MXR) link for each function provides access to the + function definition, prototype definition, and source code references. The NSS version column + indicates which versions of NSS support the function. + + +-----------------------------------------+-------------+-----------------------------------------+ + | Function name/documentation | Source code | NSS versions | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddCertToListTail`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddExtension`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddOCSPAcceptableResponses`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddOKDomainName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AddRDN`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_AsciiToName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CacheCRL`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ClearOCSPCache`` | MXR | 3.11.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CertChainFromCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CertListFromCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CertTimesValid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ChangeCertTrust`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1056662` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CheckNameSpace`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CheckCertUsage`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CompareName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CompareValidityTimes`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CompleteCRLDecodeEntries`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ConvertAndDecodeCertificate`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CopyName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CopyRDN`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateAVA`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateCertificate`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateCertificateRequest`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateName`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateOCSPCertID`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateOCSPRequest`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateRDN`` | MXR | 3.2.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateSubjectCertList`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CreateValidity`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_CRLCacheRefreshIssuer`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAltNameExtension`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAuthInfoAccessExtension`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAuthKeyID`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeAVAValue`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeBasicConstraintValue`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeCertFromPackage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CE | MXR | 3.2 and later | + | RT_DecodeCertificatePoliciesExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeCertPackage`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeCRLDistributionPoints`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeDERCrl`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeDERCrlWithFlags`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeGeneralName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeNameConstraintsExtension`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeOCSPResponse`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeOidSequence`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.10 and later | + | ERT_DecodePrivKeyUsagePeriodExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeTrustString`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DecodeUserNotice`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DerNameToAscii`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertArray`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050532` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertificateList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CER | MXR | 3.2 and later | + | T_DestroyCertificatePoliciesExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertificateRequest`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyCertList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOCSPCertID`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOCSPRequest`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOCSPResponse`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyOidSequence`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyUserNotice`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DestroyValidity`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1058344` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_DupCertList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EnableOCSPChecking`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeAltNameExtension`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeAndAddBitStrExtension`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeAuthKeyID`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeBasicConstraintValue`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeCertPoliciesExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeCRLDistributionPoints`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeGeneralName`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeInfoAccessExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeInhibitAnyExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeNoticeReference`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeOCSPRequest`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.12 and later | + | CERT_EncodePolicyConstraintsExtension`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodePolicyMappingExtension`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeSubjectKeyID`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_EncodeUserNotice`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ExtractPublicKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertByName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCRLEntryReasonExten`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCRLNumberExten`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindNameConstraintsExten`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FilterCertListByCANames`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FilterCertListByUsage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FilterCertListForUserCerts`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozil | MXR | 3.2 and later | + | la_projects_nss_cert_findcertbydercert` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_p | MXR | 3.2 and later | + | rojects_nss_cert_findcertbyissuerandsn` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertByNickname`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertByNicknameOrEmailAddr`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertBySubjectKeyID`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertExtension`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindCertIssuer`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindKeyUsageExtension`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindSMimeProfile`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindSubjectKeyIDExtension`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindUserCertByUsage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FindUserCertsByUsage`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CE | MXR | 3.10 and later | + | RT_FinishCertificateRequestAttributes`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FinishExtensions`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FormatName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_FreeDistNames`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050349` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetAVATag`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertChainFromCert`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertEmailAddress`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertificateNames`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ` | MXR | 3.10 and later | + | `CERT_GetCertificateRequestExtensions`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertIssuerAndSN`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050346` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertTrust`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCertUid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetClassicOCSPDisabledPolicy`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_G | MXR | 3.12 and later | + | etClassicOCSPEnabledHardFailurePolicy`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_G | MXR | 3.12 and later | + | etClassicOCSPEnabledSoftFailurePolicy`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCommonName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetCountryName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetDBContentVersion`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1052308` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetDomainComponentName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetFirstEmailAddress`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetLocalityName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetNextEmailAddress`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetNextGeneralName`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetNextNameConstraint`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOCSPResponseStatus`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOCSPStatusForCertID`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOidString`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOrgName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetOrgUnitName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CE | MXR | 3.4 and later | + | RT_GetOCSPAuthorityInfoAccessLocation`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.12 and later | + | ERT_GetPKIXVerifyNistRevocationPolicy`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetPrevGeneralName`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetPrevNameConstraint`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetSlopTime`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetSSLCACerts`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetStateName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetUsePKIXForValidation`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GetValidDNSPatternsFromCert`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_GenTime2FormattedAscii`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_Hexify`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ImportCAChain`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_ImportCerts`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_IsRootDERCert`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_IsUserCert`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_KeyFromDERCrl`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_MakeCANickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_MergeExtensions`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NameToAscii`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NewCertList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NewTempCertificate`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_NicknameStringsFromCertList`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_OpenCertDBFilename`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_OCSPCacheSettings`` | MXR | 3.11.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_PKIXVerifyCert`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_RemoveCertListNode`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_RFC1485_EscapeAndQuote`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SaveSMimeProfile`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetSlopTime`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetOCSPFailureMode`` | MXR | 3.11.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetOCSPTimeout`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_SetUsePKIXForValidation`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_StartCertExtensions`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.10 and later | + | ERT_StartCertificateRequestAttributes`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_StartCRLEntryExtensions`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_StartCRLExtensions`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_UncacheCRL`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1050342` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCACertForUsage`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCert`` | MXR | 3.2 and later. If you need to verify | + | | | for multiple usages use | + | | | CERT_VerifyCertificate | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCertificate`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyCertificateNow`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later. If you need to verify | + | jects_nss_ssl_functions_sslcrt#1058011` | | for multiple usages use | + | | | CERT_VerifyCertificateNow | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifyOCSPResponseSignature`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifySignedData`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``CERT_VerifySignedDataWithPublicKey`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``C | MXR | 3.7 and later | + | ERT_VerifySignedDataWithPublicKeyInfo`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1056760` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1056950` | | | + +-----------------------------------------+-------------+-----------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/certverify_log/index.rst b/security/nss/doc/rst/legacy/certverify_log/index.rst new file mode 100644 index 0000000000..7c1288e0a4 --- /dev/null +++ b/security/nss/doc/rst/legacy/certverify_log/index.rst @@ -0,0 +1,55 @@ +.. _mozilla_projects_nss_certverify_log: + +NSS CERTVerify Log +================== + +`CERTVerifyLog <#certverifylog>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + All the NSS verify functions except, the \*VerifyNow() functions, take a parameter called + 'CERTVerifyLog'. If you supply the log parameter, NSS will continue chain validation after each + error . The log tells you what the problem was with the chain and what certificate in the chain + failed. + + To create a log: + + .. code:: + + #include "secport.h" + #include "certt.h" + + CERTVerifyLog *log; + + arena = PORT_NewArena(512); + log = PORT_ArenaZNew(arena,log); + log->arena = arena; + + You can then pass this log into your favorite cert verify function. On return: + + - log->count is the number of entries. + - log->head is the first entry; + - log->tail is the last entry. + + Each entry is a CERTVerifyLogNode. Defined in certt.h: + + .. code:: + + /* + * This structure is used to keep a log of errors when verifying + * a cert chain. This allows multiple errors to be reported all at + * once. + */ + struct CERTVerifyLogNodeStr { + CERTCertificate *cert; /* what cert had the error */ + long error; /* what error was it? */ + unsigned int depth; /* how far up the chain are we */ + void *arg; /* error specific argument */ + struct CERTVerifyLogNodeStr *next; /* next in the list */ + struct CERTVerifyLogNodeStr *prev; /* next in the list */ + }; + + The list is a doubly linked NULL terminated list sorted from low to high based on depth into the + cert chain. When you are through, you will need to walk the list and free all the cert entries, + then free the arena. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/code_coverage/index.rst b/security/nss/doc/rst/legacy/code_coverage/index.rst new file mode 100644 index 0000000000..1bafb3f6c1 --- /dev/null +++ b/security/nss/doc/rst/legacy/code_coverage/index.rst @@ -0,0 +1,73 @@ +.. _mozilla_projects_nss_code_coverage: + +NSS Code Coverage +================= + +.. _nss_-_code_coverage: + +`NSS - Code Coverage <#nss_-_code_coverage>`__ +---------------------------------------------- + +.. _results_link: + +`Results link <#results_link>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `2007-08-14 - Solaris/Sparc + platform `__ + +.. _results_explanation: + +`Results explanation <#results_explanation>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Files + :name: files + + - Results from every C file are on new line. + - If file was tested, link points to annotated source file (in TCOV directory), otherwise to + original source file (CVS directory). + + .. rubric:: Colors + :name: colors + + - Green: 70-100% of blocks tested. + - Yellow: 40-70% of blocks tested. + - Orange: 0-40% of blocks tested. + - Red: file not tested. File is not part of any binary or library used by test suite. + + .. rubric:: Numbers in tested files + :name: numbers_in_tested_files + + - Example: 72.69% (165/227/731) + + - 72.69% - ratio of tested blocks and total blocks in file (generated by TCOV). + - 165 - tested blocks in file (generated by TCOV). + - 227 - total blocks in file (generated by TCOV). + - 31 - total lines in file (by wc -l command). + + .. rubric:: Numbers in not tested files + :name: numbers_in_not_tested_files + + - Example: Not tested (0/?/878). + + - 0 - tested blocks in file (always 0). + - ? - total blocks in file (there is no trivial method to get this number without TCOV). + - 878 - total lines in file (by wc -l command). + + .. rubric:: Numbers in total count + :name: numbers_in_total_count + + - Example: Total: 42% (574/1351). + + - 42% - ratio of tested blocks and total blocks in file. + - 165 - tested blocks in all files in directory (sum of numbers generated by TCOV). + - 227 - total blocks in all files in directory (sum of numbers generated by TCOV). + + - These numbers doesn't count blocks in files which are not tested (marked with red color), + because we don't know number of blocks there. + - Total count at the end of report counts blocks in all tested files in all directories. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/cryptography_functions/index.rst b/security/nss/doc/rst/legacy/cryptography_functions/index.rst new file mode 100644 index 0000000000..ca3fb8601a --- /dev/null +++ b/security/nss/doc/rst/legacy/cryptography_functions/index.rst @@ -0,0 +1,500 @@ +.. _mozilla_projects_nss_cryptography_functions: + +Cryptography functions +====================== + +.. container:: + + The public functions listed here perform cryptographic operations based on the PKCS #11 + interface. + + If documentation is available for a function listed below, the function name is linked to either + its MDC wiki page or its entry in the + :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference`. The `Mozilla Cross + Reference `__ (MXR) link for each function provides access to the + function definition, prototype definition, and source code references. The NSS version column + indicates which versions of NSS support the function. + + +-----------------------------------------+-------------+-----------------------------------------+ + | Function name/documentation | Source code | NSS versions | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_AlgtagToMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Authenticate`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_BlockData`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ChangePW`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CheckUserPassword`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CipherOp`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CloneContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ConfigurePKCS11`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK1 | MXR | 3.6 and later | + | 1_ConvertSessionPrivKeyToTokenPrivKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``P | MXR | 3.6 and later | + | K11_ConvertSessionSymKeyToTokenSymKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.11 and later | + | PK11_CopyTokenPrivKeyToSessionPrivKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateContextBySymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateDigestContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateGenericObject`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreateMergeLog`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreatePBEAlgorithmID`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_CreatePBEV2AlgorithmID`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeleteTokenPrivateKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeleteTokenPublicKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeleteTokenSymKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Derive`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeriveWithFlags`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DeriveWithFlagsPerm`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyGenericObjects`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyMergeLog`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyObject`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DestroyTokenObject`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestBegin`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestOp`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DigestFinal`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_DoesMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ExportEncryptedPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ExportEncryptedPrivKeyInfo`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ExportPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Finalize`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindBestKEAMatch`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertAndKeyByRecipientList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.2 and later | + | PK11_FindCertAndKeyByRecipientListNew`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertByIssuerAndSN`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertFromDERCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1035673` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindCertInSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindGenericObjects`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindFixedKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1026891` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindKeyByDERCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindPrivateKeyFromCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindSlotByName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FindSlotsByNames`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FortezzaHasKEA`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FortezzaMapSig`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSlotList`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSlotListElement`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_FreeSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateFortezzaIV`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateKeyPair`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateKeyPairWithFlags`` | MXR | 3.10.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateKeyPairWithOpFlags`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateNewParam`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateRandom`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GenerateRandomOnSlot`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetAllTokens`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetAllSlotsForCert`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestKeyLength`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestSlotMultiple`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBestWrapMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetBlockSize`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetCertFromPrivateKey`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetCurrentWrapIndex`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetDefaultArray`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetDefaultFlags`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetDisabledReason`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetFirstSafe`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetInternalKeySlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetInternalSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetKeyGen`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetKeyLength`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetKeyStrength`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetMechanism`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetMinimumPwdLength`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetModInfo`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetModule`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetModuleID`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetNextGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetNextSafe`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetNextSymKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPadMechanism`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPBECryptoMechanism`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPBEIV`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPQGParamsFromPrivateKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPrevGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPrivateKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPrivateModulusLen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetPublicKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotFromKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotFromPrivateKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotID`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotInfo`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1030779` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSlotSeries`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSymKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSymKeyType`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetSymKeyUserData`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetTokenInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1026964` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetWindow`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_GetWrapKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_HashBuf`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_HasRootCerts`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportCert`` | MXR | 3.5 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportCertForKeyToSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportCRL`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportDERCert`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK1 | MXR | 3.4 and later | + | 1_ImportDERPrivateKeyInfoAndReturnKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportEncryptedPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportPrivateKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.4 and later | + | PK11_ImportPrivateKeyInfoAndReturnKey`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportPublicKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ImportSymKeyWithFlags`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_InitPin`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsFIPS`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsDisabled`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsFriendly`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1026762` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsInternal`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslcrt#1026762` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1022991` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IsRemovable`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_IVFromParam`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_KeyGen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_LinkGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListCerts`` | MXR | 3.2 and later. Updated 3.8 with new | + | | | options. See bug | + | | | `215186 `__ | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListFixedKeysInSlot`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListPrivKeysInSlot`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ListPublicKeysInSlot`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_LoadPrivKey`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_LogoutAll`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MakeKEAPubKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | `` | MXR | 3.2 and later | + | PK11_MapPBEMechanismToCryptoMechanism`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MapSignKeyType`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MechanismToAlgtag`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MergeTokens`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_MoveSymKey`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_NeedLogin`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_NeedUserInit`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ParamFromIV`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ParamFromAlgid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ParamToAlgid`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PBEKeyGen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PrivDecryptPKCS1`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ProtectedAuthenticationPath`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubDecryptRaw`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubDerive`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubDeriveWithKDF`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubEncryptPKCS1`` | MXR | 3.9.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubEncryptRaw`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubUnwrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubUnwrapSymKeyWithFlags`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubUnwrapSymKeyWithFlagsPerm`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_PubWrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_RandomUpdate`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ReadRawAttribute`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ReferenceSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_ResetToken`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_RestoreContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SaveContext`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SaveContextAlloc`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetFortezzaHack`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pr | MXR | 3.2 and later | + | ojects_nss_ssl_functions_pkfnc#1023128` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetPrivateKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetPublicKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetSlotPWValues`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetSymKeyNickname`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetSymKeyUserData`` | MXR | 3.11 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SetWrapKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Sign`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SignatureLen`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_SymKeyFromHandle`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenExists`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenKeyGen`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenKeyGenWithFlags`` | MXR | 3.10.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TokenRefresh`` | MXR | 3.7.1 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TraverseCertsForNicknameInSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TraverseCertsForSubjectInSlot`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_TraverseSlotCerts`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnlinkGenericObject`` | MXR | 3.9.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnwrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnwrapSymKeyWithFlags`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UnwrapSymKeyWithFlagsPerm`` | MXR | 3.9 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UpdateSlotAttribute`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UserEnableSlot`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_UserDisableSlot`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_Verify`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_VerifyKeyOK`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_WaitForTokenEvent`` | MXR | 3.7 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_WrapSymKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11_WriteRawAttribute`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11SDR_Encrypt`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``PK11SDR_Decrypt`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DeletePermCertificate`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DeletePermCRL`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DerSignData`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_DestroyCrl`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_FindCrlByDERCert`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_FindCrlByName`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_LookupCrls`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_NewCrl`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SEC_QuickDERDecodeItem`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CacheStaticFlags`` | MXR | 3.10 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_ConvertToPublicKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CopyPrivateKey`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CopyPublicKey`` | MXR | 3.6 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CopySubjectPublicKeyInfo`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CreateDHPrivateKey`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CreateECPrivateKey`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_CreateSubjectPublicKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ` | MXR | 3.4 and later | + | `SECKEY_DecodeDERSubjectPublicKeyInfo`` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | 3.2 and later | + | jects_nss_ssl_functions_sslkey#1051017` | | | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_ECParamsToBasePointOrderLen`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_ECParamsToKeySize`` | MXR | 3.12 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_DestroyPublicKeyList`` | MXR | 3.4 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_DestroySubjectPublicKeyInfo`` | MXR | 3.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_GetPublicKeyType`` | MXR | 3.3 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_PublicKeyStrengthInBits`` | MXR | 3.8 and later | + +-----------------------------------------+-------------+-----------------------------------------+ + | ``SECKEY_SignatureLen`` | MXR | 3.11.2 and later | + +-----------------------------------------+-------------+-----------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst b/security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst new file mode 100644 index 0000000000..3db5071502 --- /dev/null +++ b/security/nss/doc/rst/legacy/deprecated_ssl_functions/index.rst @@ -0,0 +1,34 @@ +.. _mozilla_projects_nss_deprecated_ssl_functions: + +Deprecated SSL functions +======================== + +.. container:: + + The following SSL functions have been replaced with newer versions. The deprecated functions are + not supported by the new SSL shared libraries. Applications that want to use the SSL shared + libraries must convert to calling the new replacement functions listed below. + + Each function name is linked to its entry in the + :ref:`mozilla_projects_nss_ssl_functions_old_ssl_reference`. The `Mozilla Cross + Reference `__ (MXR) link for each function provides access to the + function definition, prototype definition, and source code references. + + +-----------------------------------------+-------------+-----------------------------------------+ + | Function name/documentation | Source code | Replacement in NSS 3.2 | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1220189` | | jects_nss_ssl_functions_sslfnc#1086543` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1207298` | | jects_nss_ssl_functions_sslfnc#1084747` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1206365` | | jects_nss_ssl_functions_sslfnc#1068466` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1231825` | | jects_nss_ssl_functions_sslfnc#1232052` | + +-----------------------------------------+-------------+-----------------------------------------+ + | :ref:`mozilla_pro | MXR | :ref:`mozilla_pro | + | jects_nss_ssl_functions_sslfnc#1207350` | | jects_nss_ssl_functions_sslfnc#1104647` | + +-----------------------------------------+-------------+-----------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst new file mode 100644 index 0000000000..4d6d09bcf0 --- /dev/null +++ b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_keys_as_session_objects/index.rst @@ -0,0 +1,1206 @@ +.. _mozilla_projects_nss_encrypt_decrypt_mac_keys_as_session_objects: + +Encrypt Decrypt MAC Keys As Session Objects +=========================================== + +.. _nss_sample_code_4_encryptiondecryption_and_mac_keys_using_session.: + +`NSS Sample Code 4: Encryption/Decryption and MAC Keys Using Session. <#nss_sample_code_4_encryptiondecryption_and_mac_keys_using_session.>`__ +---------------------------------------------------------------------------------------------------------------------------------------------- + +.. container:: + + Generates encryption/mac keys and uses session objects. + + .. code:: c + + /* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + + /* NSPR Headers */ + #include + #include + #include + #include + #include + #include + #include + + /* NSS headers */ + #include + #include + + /* our samples utilities */ + #include "util.h" + + #define BUFFERSIZE 80 + #define DIGESTSIZE 16 + #define PTEXT_MAC_BUFFER_SIZE 96 + #define CIPHERSIZE 96 + #define BLOCKSIZE 32 + + #define CIPHER_HEADER "-----BEGIN CIPHER-----" + #define CIPHER_TRAILER "-----END CIPHER-----" + #define ENCKEY_HEADER "-----BEGIN AESKEY CKAID-----" + #define ENCKEY_TRAILER "-----END AESKEY CKAID-----" + #define MACKEY_HEADER "-----BEGIN MACKEY CKAID-----" + #define MACKEY_TRAILER "-----END MACKEY CKAID-----" + #define IV_HEADER "-----BEGIN IV-----" + #define IV_TRAILER "-----END IV-----" + #define MAC_HEADER "-----BEGIN MAC-----" + #define MAC_TRAILER "-----END MAC-----" + #define PAD_HEADER "-----BEGIN PAD-----" + #define PAD_TRAILER "-----END PAD-----" + + typedef enum { + ENCRYPT, + DECRYPT, + UNKNOWN + } CommandType; + + typedef enum { + SYMKEY = 0, + MACKEY = 1, + IV = 2, + MAC = 3, + PAD = 4 + } HeaderType; + + + /* + * Print usage message and exit + */ + static void + Usage(const char *progName) + { + fprintf(stderr, "\nUsage: %s -c -d [-z ] " + "[-p | -f ] -i -o \n\n", + progName); + fprintf(stderr, "%-20s Specify 'a' for encrypt operation\n\n", + "-c "); + fprintf(stderr, "%-20s Specify 'b' for decrypt operation\n\n", + " "); + fprintf(stderr, "%-20s Specify db directory path\n\n", + "-d "); + fprintf(stderr, "%-20s Specify db password [optional]\n\n", + "-p "); + fprintf(stderr, "%-20s Specify db password file [optional]\n\n", + "-f "); + fprintf(stderr, "%-20s Specify noise file name [optional]\n\n", + "-z "); + fprintf(stderr, "%-21s Specify an input file name\n\n", + "-i "); + fprintf(stderr, "%-21s Specify an output file name\n\n", + "-o "); + fprintf(stderr, "%-7s For encrypt, it takes as an input file and produces\n", + "Note :"); + fprintf(stderr, "%-7s .enc and .header as intermediate output files.\n\n", + ""); + fprintf(stderr, "%-7s For decrypt, it takes .enc and .header\n", + ""); + fprintf(stderr, "%-7s as input files and produces as a final output file.\n\n", + ""); + exit(-1); + } + + /* + * Gather a CKA_ID + */ + SECStatus + GatherCKA_ID(PK11SymKey* key, SECItem* buf) + { + SECStatus rv = PK11_ReadRawAttribute(PK11_TypeSymKey, key, CKA_ID, buf); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "PK11_ReadRawAttribute returned (%d)\n", rv); + PR_fprintf(PR_STDERR, "Could not read SymKey CKA_ID attribute\n"); + return rv; + } + return rv; + } + + /* + * Generate a Symmetric Key + */ + PK11SymKey * + GenerateSYMKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, + int keySize, SECItem *keyID, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + return NULL; + } + } + + /* Generate the symmetric key */ + key = PK11_TokenKeyGen(slot, mechanism, + NULL, keySize, keyID, PR_TRUE, pwdata); + + if (!key) { + PR_fprintf(PR_STDERR, "Symmetric Key Generation Failed \n"); + } + + return key; + } + + /* + * MacInit + */ + SECStatus + MacInit(PK11Context *ctx) + { + SECStatus rv = PK11_DigestBegin(ctx); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestBegin()\n"); + } + return rv; + } + + /* + * MacUpdate + */ + SECStatus + MacUpdate(PK11Context *ctx, + unsigned char *msg, unsigned int msgLen) + { + SECStatus rv = PK11_DigestOp(ctx, msg, msgLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : DigestOp()\n"); + } + return rv; + } + + /* + * Finalize MACing + */ + SECStatus + MacFinal(PK11Context *ctx, + unsigned char *mac, unsigned int *macLen, unsigned int maxLen) + { + SECStatus rv = PK11_DigestFinal(ctx, mac, macLen, maxLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestFinal()\n"); + } + return SECSuccess; + } + + /* + * Compute Mac + */ + SECStatus + ComputeMac(PK11Context *ctxmac, + unsigned char *ptext, unsigned int ptextLen, + unsigned char *mac, unsigned int *macLen, + unsigned int maxLen) + { + SECStatus rv = MacInit(ctxmac); + if (rv != SECSuccess) return rv; + rv = MacUpdate(ctxmac, ptext, ptextLen); + if (rv != SECSuccess) return rv; + rv = MacFinal(ctxmac, mac, macLen, maxLen); + return rv; + } + + /* + * WriteToHeaderFile + */ + SECStatus + WriteToHeaderFile(const char *buf, unsigned int len, HeaderType type, + PRFileDesc *outFile) + { + SECStatus rv; + char header[40]; + char trailer[40]; + char *outString = NULL; + + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + PR_fprintf(outFile, "%s\n", header); + PrintAsHex(outFile, buf, len); + PR_fprintf(outFile, "%s\n\n", trailer); + return SECSuccess; + } + + /* + * Initialize for encryption or decryption - common code + */ + PK11Context * + CryptInit(PK11SymKey *key, + unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE operation) + { + SECItem ivItem = { siBuffer, iv, ivLen }; + PK11Context *ctx = NULL; + + SECItem *secParam = PK11_ParamFromIV(CKM_AES_CBC, &ivItem); + if (secParam == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : secParam NULL\n"); + return NULL; + } + ctx = PK11_CreateContextBySymKey(CKM_AES_CBC, operation, key, secParam); + if (ctx == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : can't create a context\n"); + goto cleanup; + + } + cleanup: + if (secParam) { + SECITEM_FreeItem(secParam, PR_TRUE); + } + return ctx; + } + + /* + * Common encryption and decryption code + */ + SECStatus + Crypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxOut, + unsigned char *in, unsigned int inLen) + { + SECStatus rv; + + rv = PK11_CipherOp(ctx, out, outLen, maxOut, in, inLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Crypt Failed : PK11_CipherOp returned %d\n", rv); + goto cleanup; + } + + cleanup: + if (rv != SECSuccess) { + return rv; + } + return SECSuccess; + } + + /* + * Decrypt + */ + SECStatus + Decrypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * Encrypt + */ + SECStatus + Encrypt(PK11Context* ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * EncryptInit + */ + PK11Context * + EncryptInit(PK11SymKey *ek, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(ek, iv, ivLen, type, CKA_ENCRYPT); + } + + /* + * DecryptInit + */ + PK11Context * + DecryptInit(PK11SymKey *dk, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(dk, iv, ivLen, type, CKA_DECRYPT); + } + + /* + * Read cryptographic parameters from the header file + */ + SECStatus + ReadFromHeaderFile(const char *fileName, HeaderType type, + SECItem *item, PRBool isHexData) + { + SECStatus rv; + PRFileDesc* file; + SECItem filedata; + SECItem outbuf; + unsigned char *nonbody; + unsigned char *body; + char header[40]; + char trailer[40]; + + outbuf.type = siBuffer; + file = PR_Open(fileName, PR_RDONLY, 0); + if (!file) { + PR_fprintf(PR_STDERR, "Failed to open %s\n", fileName); + return SECFailure; + } + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + rv = FileToItem(&filedata, file); + nonbody = (char *)filedata.data; + if (!nonbody) { + PR_fprintf(PR_STDERR, "unable to read data from input file\n"); + rv = SECFailure; + goto cleanup; + } + + /* check for headers and trailers and remove them */ + if ((body = strstr(nonbody, header)) != NULL) { + char *trail = NULL; + nonbody = body; + body = PORT_Strchr(body, '\n'); + if (!body) + body = PORT_Strchr(nonbody, '\r'); /* maybe this is a MAC file */ + if (body) + trail = strstr(++body, trailer); + if (trail != NULL) { + *trail = '\0'; + } else { + PR_fprintf(PR_STDERR, "input has header but no trailer\n"); + PORT_Free(filedata.data); + return SECFailure; + } + } else { + body = nonbody; + } + + cleanup: + PR_Close(file); + HexToBuf(body, item, isHexData); + return SECSuccess; + } + + /* + * EncryptAndMac + */ + SECStatus + EncryptAndMac(PRFileDesc *inFile, + PRFileDesc *headerFile, + PRFileDesc *encFile, + PK11SymKey *ek, + PK11SymKey *mk, + unsigned char *iv, unsigned int ivLen, + PRBool ascii) + { + SECStatus rv; + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen; + unsigned char mac[DIGESTSIZE]; + unsigned int macLen; + unsigned int nwritten; + unsigned char encbuf[BLOCKSIZE]; + unsigned int encbufLen; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + unsigned int pad[1]; + SECItem padItem; + unsigned int paddingLength; + + static unsigned int firstTime = 1; + int j; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + rv = MacInit(ctxmac); + if (rv != SECSuccess) { + goto cleanup; + } + + ctxenc = EncryptInit(ek, iv, ivLen, CKM_AES_CBC); + + /* read a buffer of plaintext from input file */ + while ((ptextLen = PR_Read(inFile, ptext, sizeof(ptext))) > 0) { + + /* Encrypt using it using CBC, using previously created IV */ + if (ptextLen != BLOCKSIZE) { + paddingLength = BLOCKSIZE - ptextLen; + for ( j=0; j < paddingLength; j++) { + ptext[ptextLen+j] = (unsigned char)paddingLength; + } + ptextLen = BLOCKSIZE; + } + rv = Encrypt(ctxenc, + encbuf, &encbufLen, sizeof(encbuf), + ptext, ptextLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Encrypt Failure\n"); + goto cleanup; + } + + /* save the last block of ciphertext as the next IV */ + iv = encbuf; + ivLen = encbufLen; + + /* write the cipher text to intermediate file */ + nwritten = PR_Write(encFile, encbuf, encbufLen); + /*PR_Assert(nwritten == encbufLen);*/ + + rv = MacUpdate(ctxmac, ptext, ptextLen); + } + + rv = MacFinal(ctxmac, mac, &macLen, DIGESTSIZE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "MacFinal Failure\n"); + goto cleanup; + } + if (macLen == 0) { + PR_fprintf(PR_STDERR, "Bad MAC length\n"); + rv = SECFailure; + goto cleanup; + } + WriteToHeaderFile(mac, macLen, MAC, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write MAC Failure\n"); + goto cleanup; + } + + pad[0] = paddingLength; + padItem.type = siBuffer; + padItem.data = (unsigned char *)pad; + padItem.len = sizeof(pad[0]); + + WriteToHeaderFile(padItem.data, padItem.len, PAD, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write PAD Failure\n"); + goto cleanup; + } + + rv = SECSuccess; + + cleanup: + if (ctxmac != NULL) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc != NULL) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + + return rv; + } + + /* + * Find the Key for the given mechanism + */ + PK11SymKey* + FindKey(PK11SlotInfo *slot, + CK_MECHANISM_TYPE mechanism, + SECItem *keyBuf, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + if (slot) { + PK11_FreeSlot(slot); + } + return NULL; + } + } + + key = PK11_FindFixedKey(slot, mechanism, keyBuf, 0); + if (!key) { + PR_fprintf(PR_STDERR, + "PK11_FindFixedKey failed (err %d)\n", + PR_GetError()); + PK11_FreeSlot(slot); + return NULL; + } + return key; + } + + /* + * Decrypt and Verify MAC + */ + SECStatus + DecryptAndVerifyMac(const char* outFileName, + char *encryptedFileName, + SECItem *cItem, SECItem *macItem, + PK11SymKey* ek, PK11SymKey* mk, SECItem *ivItem, SECItem *padItem) + { + SECStatus rv; + PRFileDesc* inFile; + PRFileDesc* outFile; + + unsigned char decbuf[64]; + unsigned int decbufLen; + + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen = 0; + unsigned char ctext[64]; + unsigned int ctextLen; + unsigned char newmac[DIGESTSIZE]; + unsigned int newmacLen = 0; + unsigned int newptextLen = 0; + unsigned int count = 0; + unsigned int temp = 0; + unsigned int blockNumber = 0; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + + unsigned char iv[BLOCKSIZE]; + unsigned int ivLen = ivItem->len; + unsigned int fileLength; + unsigned int paddingLength; + int j; + + memcpy(iv, ivItem->data, ivItem->len); + paddingLength = (unsigned int)padItem->data[0]; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(encryptedFileName, PR_RDONLY , 0); + if (!inFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* Open the output file. */ + outFile = PR_Open(outFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR , 00660); + if (!outFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + outFileName); + return SECFailure; + } + + rv = MacInit(ctxmac); + if (rv != SECSuccess) goto cleanup; + + ctxenc = DecryptInit(ek, iv, ivLen, CKM_AES_CBC); + fileLength = FileSize(encryptedFileName); + + while ((ctextLen = PR_Read(inFile, ctext, sizeof(ctext))) > 0) { + + count += ctextLen; + + /* decrypt cipher text buffer using CBC and IV */ + + rv = Decrypt(ctxenc, decbuf, &decbufLen, sizeof(decbuf), + ctext, ctextLen); + + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Decrypt Failure\n"); + goto cleanup; + } + + if (decbufLen == 0) break; + + rv = MacUpdate(ctxmac, decbuf, decbufLen); + if (rv != SECSuccess) { goto cleanup; } + if (count == fileLength) { + decbufLen = decbufLen-paddingLength; + } + + /* write the plain text to out file */ + temp = PR_Write(outFile, decbuf, decbufLen); + if (temp != decbufLen) { + PR_fprintf(PR_STDERR, "write error\n"); + rv = SECFailure; + break; + } + + /* save last block of ciphertext */ + memcpy(iv, decbuf, decbufLen); + ivLen = decbufLen; + blockNumber++; + } + + if (rv != SECSuccess) { goto cleanup; } + + rv = MacFinal(ctxmac, newmac, &newmacLen, sizeof(newmac)); + if (rv != SECSuccess) { goto cleanup; } + + if (PORT_Memcmp(macItem->data, newmac, newmacLen) == 0) { + rv = SECSuccess; + } else { + PR_fprintf(PR_STDERR, "Check MAC : Failure\n"); + PR_fprintf(PR_STDERR, "Extracted : "); + PrintAsHex(PR_STDERR, macItem->data, macItem->len); + PR_fprintf(PR_STDERR, "Computed : "); + PrintAsHex(PR_STDERR, newmac, newmacLen); + rv = SECFailure; + } + cleanup: + if (ctxmac) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + if (outFile) { + PR_Close(outFile); + } + + return rv; + } + + /* + * Gets IV and CKAIDS From Header File + */ + SECStatus + GetIVandCKAIDSFromHeader(const char *cipherFileName, + SECItem *ivItem, SECItem *encKeyItem, SECItem *macKeyItem) + { + SECStatus rv; + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = ReadFromHeaderFile(cipherFileName, IV, ivItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not retrieve IV from cipher file\n"); + goto cleanup; + } + + rv = ReadFromHeaderFile(cipherFileName, SYMKEY, encKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve AES CKA_ID from cipher file\n"); + goto cleanup; + } + rv = ReadFromHeaderFile(cipherFileName, MACKEY, macKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC CKA_ID from cipher file\n"); + goto cleanup; + } + cleanup: + return rv; + } + + /* + * DecryptFile + */ + SECStatus + DecryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *outFileName, + const char *headerFileName, + char *encryptedFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open read only and we have authenticated to it + * open input file, read in header, get IV and CKA_IDs of two keys from it + * find those keys in the DB token + * Open output file + * loop until EOF(input): + * read a buffer of ciphertext from input file, + * Save last block of ciphertext + * decrypt ciphertext buffer using CBC and IV, + * compute and check MAC, then remove MAC from plaintext + * replace IV with saved last block of ciphertext + * write the plain text to output file + * close files + * report success + */ + + SECStatus rv; + SECItem ivItem; + SECItem encKeyItem; + SECItem macKeyItem; + SECItem cipherItem; + SECItem macItem; + SECItem padItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = GetIVandCKAIDSFromHeader(headerFileName, + &ivItem, &encKeyItem, &macKeyItem); + if (rv != SECSuccess) { + goto cleanup; + } + + /* find those keys in the DB token */ + encKey = FindKey(slot, CKM_AES_CBC, &encKeyItem, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "Can't find the encryption key\n"); + rv = SECFailure; + goto cleanup; + } + /* CKM_MD5_HMAC or CKM_EXTRACT_KEY_FROM_KEY */ + macKey = FindKey(slot, CKM_MD5_HMAC, &macKeyItem, pwdata); + if (macKey == NULL) { + rv = SECFailure; + goto cleanup; + } + + /* Read in the Mac into item from the intermediate file */ + rv = ReadFromHeaderFile(headerFileName, MAC, &macItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC from cipher file\n"); + goto cleanup; + } + if (macItem.data == NULL) { + PR_fprintf(PR_STDERR, "MAC has NULL data\n"); + rv = SECFailure; + goto cleanup; + } + if (macItem.len == 0) { + PR_fprintf(PR_STDERR, "MAC has data has 0 length\n"); + /*rv = SECFailure; + goto cleanup;*/ + } + + rv = ReadFromHeaderFile(headerFileName, PAD, &padItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve PAD detail from header file\n"); + goto cleanup; + } + + if (rv == SECSuccess) { + /* Decrypt and Remove Mac */ + rv = DecryptAndVerifyMac(outFileName, encryptedFileName, + &cipherItem, &macItem, encKey, macKey, &ivItem, &padItem); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed while decrypting and removing MAC\n"); + } + } + + cleanup: + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * EncryptFile + */ + SECStatus + EncryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *inFileName, + const char *headerFileName, + const char *encryptedFileName, + const char *noiseFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open for read/write and we have authenticated to it. + * generate a symmetric AES key as a token object. + * generate a second key to use for MACing, also a token object. + * get their CKA_IDs + * generate a random value to use as IV for AES CBC + * open an input file and an output file, + * write a header to the output that identifies the two keys by + * their CKA_IDs, May include original file name and length. + * loop until EOF(input) + * read a buffer of plaintext from input file, + * MAC it, append the MAC to the plaintext + * encrypt it using CBC, using previously created IV, + * store the last block of ciphertext as the new IV, + * write the cipher text to intermediate file + * close files + * report success + */ + SECStatus rv; + PRFileDesc *inFile; + PRFileDesc *headerFile; + PRFileDesc *encFile; + + unsigned char *encKeyId = (unsigned char *) "Encrypt Key"; + unsigned char *macKeyId = (unsigned char *) "MAC Key"; + SECItem encKeyID = { siAsciiString, encKeyId, PL_strlen(encKeyId) }; + SECItem macKeyID = { siAsciiString, macKeyId, PL_strlen(macKeyId) }; + + SECItem encCKAID; + SECItem macCKAID; + unsigned char iv[BLOCKSIZE]; + SECItem ivItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + SECItem temp; + unsigned char c; + + /* generate a symmetric AES key as a token object. */ + encKey = GenerateSYMKey(slot, CKM_AES_KEY_GEN, 128/8, &encKeyID, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for AES returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* generate a second key to use for MACing, also a token object. */ + macKey = GenerateSYMKey(slot, CKM_GENERIC_SECRET_KEY_GEN, 160/8, + &macKeyID, pwdata); + if (macKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for MACing returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* get the encrypt key CKA_ID */ + rv = GatherCKA_ID(encKey, &encCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error while wrapping encrypt key\n"); + goto cleanup; + } + + /* get the MAC key CKA_ID */ + rv = GatherCKA_ID(macKey, &macCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Can't get the MAC key CKA_ID.\n"); + goto cleanup; + } + + if (noiseFileName) { + rv = SeedFromNoiseFile(noiseFileName); + if (rv != SECSuccess) { + PORT_SetError(PR_END_OF_FILE_ERROR); + return SECFailure; + } + rv = PK11_GenerateRandom(iv, BLOCKSIZE); + if (rv != SECSuccess) { + goto cleanup; + } + + } else { + /* generate a random value to use as IV for AES CBC */ + GenerateRandom(iv, BLOCKSIZE); + } + + headerFile = PR_Open(headerFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!headerFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + headerFileName); + return SECFailure; + } + encFile = PR_Open(encryptedFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!encFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* write to a header file the IV and the CKA_IDs + * identifying the two keys + */ + ivItem.type = siBuffer; + ivItem.data = iv; + ivItem.len = BLOCKSIZE; + + rv = WriteToHeaderFile(iv, BLOCKSIZE, IV, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing IV to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + rv = WriteToHeaderFile(encCKAID.data, encCKAID.len, SYMKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing AES CKA_ID to cipher file - %s\n", + encryptedFileName); + goto cleanup; + } + rv = WriteToHeaderFile(macCKAID.data, macCKAID.len, MACKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing MAC CKA_ID to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + + /* Macing and Encryption */ + if (rv == SECSuccess) { + rv = EncryptAndMac(inFile, headerFile, encFile, + encKey, macKey, ivItem.data, ivItem.len, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : Macing and Encryption\n"); + goto cleanup; + } + } + + cleanup: + if (inFile) { + PR_Close(inFile); + } + if (headerFile) { + PR_Close(headerFile); + } + if (encFile) { + PR_Close(encFile); + } + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * This example illustrates basic encryption/decryption and MACing + * Generates the encryption/mac keys and uses token for storing. + * Encrypts the input file and appends MAC before storing in intermediate + * header file. + * Writes the CKA_IDs of the encryption keys into intermediate header file. + * Reads the intermediate headerfile for CKA_IDs and encrypted + * contents and decrypts into output file. + */ + int + main(int argc, char **argv) + { + SECStatus rv; + SECStatus rvShutdown; + PK11SlotInfo *slot = NULL; + PLOptState *optstate; + PLOptStatus status; + char headerFileName[50]; + char encryptedFileName[50]; + PRFileDesc *inFile; + PRFileDesc *outFile; + PRBool ascii = PR_FALSE; + CommandType cmd = UNKNOWN; + const char *command = NULL; + const char *dbdir = NULL; + const char *inFileName = NULL; + const char *outFileName = NULL; + const char *noiseFileName = NULL; + secuPWData pwdata = { PW_NONE, 0 }; + + char * progName = strrchr(argv[0], '/'); + progName = progName ? progName + 1 : argv[0]; + + /* Parse command line arguments */ + optstate = PL_CreateOptState(argc, argv, "c:d:i:o:f:p:z:a"); + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch (optstate->option) { + case 'a': + ascii = PR_TRUE; + break; + case 'c': + command = strdup(optstate->value); + break; + case 'd': + dbdir = strdup(optstate->value); + break; + case 'f': + pwdata.source = PW_FROMFILE; + pwdata.data = strdup(optstate->value); + break; + case 'p': + pwdata.source = PW_PLAINTEXT; + pwdata.data = strdup(optstate->value); + break; + case 'i': + inFileName = strdup(optstate->value); + break; + case 'o': + outFileName = strdup(optstate->value); + break; + case 'z': + noiseFileName = strdup(optstate->value); + break; + default: + Usage(progName); + break; + } + } + PL_DestroyOptState(optstate); + + if (!command || !dbdir || !inFileName || !outFileName) + Usage(progName); + if (PL_strlen(command)==0) + Usage(progName); + + cmd = command[0] == 'a' ? ENCRYPT : command[0] == 'b' ? DECRYPT : UNKNOWN; + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + PR_Close(inFile); + + /* For intermediate header file, choose filename as inputfile name + with extension ".header" */ + strcpy(headerFileName, inFileName); + strcat(headerFileName, ".header"); + + /* For intermediate encrypted file, choose filename as inputfile name + with extension ".enc" */ + strcpy(encryptedFileName, inFileName); + strcat(encryptedFileName, ".enc"); + + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + + switch (cmd) { + case ENCRYPT: + /* If the intermediate header file already exists, delete it */ + if (PR_Access(headerFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(headerFileName); + } + /* If the intermediate encrypted already exists, delete it */ + if (PR_Access(encryptedFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(encryptedFileName); + } + + /* Open DB for read/write and authenticate to it. */ + rv = NSS_InitReadWrite(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_InitReadWrite Failed\n"); + goto cleanup; + } + + PK11_SetPasswordFunc(GetModulePassword); + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + rv = EncryptFile(slot, dbdir, + inFileName, headerFileName, encryptedFileName, + noiseFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "EncryptFile : Failed\n"); + return SECFailure; + } + break; + case DECRYPT: + /* Open DB read only, authenticate to it */ + PK11_SetPasswordFunc(GetModulePassword); + + rv = NSS_Init(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_Init Failed\n"); + return SECFailure; + } + + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + + rv = DecryptFile(slot, dbdir, + outFileName, headerFileName, + encryptedFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "DecryptFile : Failed\n"); + return SECFailure; + } + break; + } + + cleanup: + rvShutdown = NSS_Shutdown(); + if (rvShutdown != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : NSS_Shutdown()\n"); + rv = SECFailure; + } + + PR_Cleanup(); + + return rv; + } \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst new file mode 100644 index 0000000000..e2f399166b --- /dev/null +++ b/security/nss/doc/rst/legacy/encrypt_decrypt_mac_using_token/index.rst @@ -0,0 +1,1206 @@ +.. _mozilla_projects_nss_encrypt_decrypt_mac_using_token: + +Encrypt and decrypt MAC using token +=================================== + +.. _nss_sample_code_3_encryptiondecryption_and_mac_using_token_object.: + +`NSS sample code 3: encryption/decryption and MAC using token object. <#nss_sample_code_3_encryptiondecryption_and_mac_using_token_object.>`__ +---------------------------------------------------------------------------------------------------------------------------------------------- + +.. container:: + + Generates encryption/mac keys and uses token for storing. + + .. code:: c + + /* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at https://mozilla.org/MPL/2.0/. */ + + /* NSPR Headers */ + #include + #include + #include + #include + #include + #include + #include + + /* NSS headers */ + #include + #include + + /* our samples utilities */ + #include "util.h" + + #define BUFFERSIZE 80 + #define DIGESTSIZE 16 + #define PTEXT_MAC_BUFFER_SIZE 96 + #define CIPHERSIZE 96 + #define BLOCKSIZE 32 + + #define CIPHER_HEADER "-----BEGIN CIPHER-----" + #define CIPHER_TRAILER "-----END CIPHER-----" + #define ENCKEY_HEADER "-----BEGIN AESKEY CKAID-----" + #define ENCKEY_TRAILER "-----END AESKEY CKAID-----" + #define MACKEY_HEADER "-----BEGIN MACKEY CKAID-----" + #define MACKEY_TRAILER "-----END MACKEY CKAID-----" + #define IV_HEADER "-----BEGIN IV-----" + #define IV_TRAILER "-----END IV-----" + #define MAC_HEADER "-----BEGIN MAC-----" + #define MAC_TRAILER "-----END MAC-----" + #define PAD_HEADER "-----BEGIN PAD-----" + #define PAD_TRAILER "-----END PAD-----" + + typedef enum { + ENCRYPT, + DECRYPT, + UNKNOWN + } CommandType; + + typedef enum { + SYMKEY = 0, + MACKEY = 1, + IV = 2, + MAC = 3, + PAD = 4 + } HeaderType; + + + /* + * Print usage message and exit + */ + static void + Usage(const char *progName) + { + fprintf(stderr, "\nUsage: %s -c -d [-z ] " + "[-p | -f ] -i -o \n\n", + progName); + fprintf(stderr, "%-20s Specify 'a' for encrypt operation\n\n", + "-c "); + fprintf(stderr, "%-20s Specify 'b' for decrypt operation\n\n", + " "); + fprintf(stderr, "%-20s Specify db directory path\n\n", + "-d "); + fprintf(stderr, "%-20s Specify db password [optional]\n\n", + "-p "); + fprintf(stderr, "%-20s Specify db password file [optional]\n\n", + "-f "); + fprintf(stderr, "%-20s Specify noise file name [optional]\n\n", + "-z "); + fprintf(stderr, "%-21s Specify an input file name\n\n", + "-i "); + fprintf(stderr, "%-21s Specify an output file name\n\n", + "-o "); + fprintf(stderr, "%-7s For encrypt, it takes as an input file and produces\n", + "Note :"); + fprintf(stderr, "%-7s .enc and .header as intermediate output files.\n\n", + ""); + fprintf(stderr, "%-7s For decrypt, it takes .enc and .header\n", + ""); + fprintf(stderr, "%-7s as input files and produces as a final output file.\n\n", + ""); + exit(-1); + } + + /* + * Gather a CKA_ID + */ + SECStatus + GatherCKA_ID(PK11SymKey* key, SECItem* buf) + { + SECStatus rv = PK11_ReadRawAttribute(PK11_TypeSymKey, key, CKA_ID, buf); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "PK11_ReadRawAttribute returned (%d)\n", rv); + PR_fprintf(PR_STDERR, "Could not read SymKey CKA_ID attribute\n"); + return rv; + } + return rv; + } + + /* + * Generate a Symmetric Key + */ + PK11SymKey * + GenerateSYMKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE mechanism, + int keySize, SECItem *keyID, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + return NULL; + } + } + + /* Generate the symmetric key */ + key = PK11_TokenKeyGen(slot, mechanism, + NULL, keySize, keyID, PR_TRUE, pwdata); + + if (!key) { + PR_fprintf(PR_STDERR, "Symmetric Key Generation Failed \n"); + } + + return key; + } + + /* + * MacInit + */ + SECStatus + MacInit(PK11Context *ctx) + { + SECStatus rv = PK11_DigestBegin(ctx); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestBegin()\n"); + } + return rv; + } + + /* + * MacUpdate + */ + SECStatus + MacUpdate(PK11Context *ctx, + unsigned char *msg, unsigned int msgLen) + { + SECStatus rv = PK11_DigestOp(ctx, msg, msgLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : DigestOp()\n"); + } + return rv; + } + + /* + * Finalize MACing + */ + SECStatus + MacFinal(PK11Context *ctx, + unsigned char *mac, unsigned int *macLen, unsigned int maxLen) + { + SECStatus rv = PK11_DigestFinal(ctx, mac, macLen, maxLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Compute MAC Failed : PK11_DigestFinal()\n"); + } + return SECSuccess; + } + + /* + * Compute Mac + */ + SECStatus + ComputeMac(PK11Context *ctxmac, + unsigned char *ptext, unsigned int ptextLen, + unsigned char *mac, unsigned int *macLen, + unsigned int maxLen) + { + SECStatus rv = MacInit(ctxmac); + if (rv != SECSuccess) return rv; + rv = MacUpdate(ctxmac, ptext, ptextLen); + if (rv != SECSuccess) return rv; + rv = MacFinal(ctxmac, mac, macLen, maxLen); + return rv; + } + + /* + * WriteToHeaderFile + */ + SECStatus + WriteToHeaderFile(const char *buf, unsigned int len, HeaderType type, + PRFileDesc *outFile) + { + SECStatus rv; + char header[40]; + char trailer[40]; + char *outString = NULL; + + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + PR_fprintf(outFile, "%s\n", header); + PrintAsHex(outFile, buf, len); + PR_fprintf(outFile, "%s\n\n", trailer); + return SECSuccess; + } + + /* + * Initialize for encryption or decryption - common code + */ + PK11Context * + CryptInit(PK11SymKey *key, + unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE operation) + { + SECItem ivItem = { siBuffer, iv, ivLen }; + PK11Context *ctx = NULL; + + SECItem *secParam = PK11_ParamFromIV(CKM_AES_CBC, &ivItem); + if (secParam == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : secParam NULL\n"); + return NULL; + } + ctx = PK11_CreateContextBySymKey(CKM_AES_CBC, operation, key, secParam); + if (ctx == NULL) { + PR_fprintf(PR_STDERR, "Crypt Failed : can't create a context\n"); + goto cleanup; + + } + cleanup: + if (secParam) { + SECITEM_FreeItem(secParam, PR_TRUE); + } + return ctx; + } + + /* + * Common encryption and decryption code + */ + SECStatus + Crypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxOut, + unsigned char *in, unsigned int inLen) + { + SECStatus rv; + + rv = PK11_CipherOp(ctx, out, outLen, maxOut, in, inLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Crypt Failed : PK11_CipherOp returned %d\n", rv); + goto cleanup; + } + + cleanup: + if (rv != SECSuccess) { + return rv; + } + return SECSuccess; + } + + /* + * Decrypt + */ + SECStatus + Decrypt(PK11Context *ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * Encrypt + */ + SECStatus + Encrypt(PK11Context* ctx, + unsigned char *out, unsigned int *outLen, unsigned int maxout, + unsigned char *in, unsigned int inLen) + { + return Crypt(ctx, out, outLen, maxout, in, inLen); + } + + /* + * EncryptInit + */ + PK11Context * + EncryptInit(PK11SymKey *ek, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(ek, iv, ivLen, type, CKA_ENCRYPT); + } + + /* + * DecryptInit + */ + PK11Context * + DecryptInit(PK11SymKey *dk, unsigned char *iv, unsigned int ivLen, + CK_MECHANISM_TYPE type) + { + return CryptInit(dk, iv, ivLen, type, CKA_DECRYPT); + } + + /* + * Read cryptographic parameters from the header file + */ + SECStatus + ReadFromHeaderFile(const char *fileName, HeaderType type, + SECItem *item, PRBool isHexData) + { + SECStatus rv; + PRFileDesc* file; + SECItem filedata; + SECItem outbuf; + unsigned char *nonbody; + unsigned char *body; + char header[40]; + char trailer[40]; + + outbuf.type = siBuffer; + file = PR_Open(fileName, PR_RDONLY, 0); + if (!file) { + PR_fprintf(PR_STDERR, "Failed to open %s\n", fileName); + return SECFailure; + } + switch (type) { + case SYMKEY: + strcpy(header, ENCKEY_HEADER); + strcpy(trailer, ENCKEY_TRAILER); + break; + case MACKEY: + strcpy(header, MACKEY_HEADER); + strcpy(trailer, MACKEY_TRAILER); + break; + case IV: + strcpy(header, IV_HEADER); + strcpy(trailer, IV_TRAILER); + break; + case MAC: + strcpy(header, MAC_HEADER); + strcpy(trailer, MAC_TRAILER); + break; + case PAD: + strcpy(header, PAD_HEADER); + strcpy(trailer, PAD_TRAILER); + break; + } + + rv = FileToItem(&filedata, file); + nonbody = (char *)filedata.data; + if (!nonbody) { + PR_fprintf(PR_STDERR, "unable to read data from input file\n"); + rv = SECFailure; + goto cleanup; + } + + /* check for headers and trailers and remove them */ + if ((body = strstr(nonbody, header)) != NULL) { + char *trail = NULL; + nonbody = body; + body = PORT_Strchr(body, '\n'); + if (!body) + body = PORT_Strchr(nonbody, '\r'); /* maybe this is a MAC file */ + if (body) + trail = strstr(++body, trailer); + if (trail != NULL) { + *trail = '\0'; + } else { + PR_fprintf(PR_STDERR, "input has header but no trailer\n"); + PORT_Free(filedata.data); + return SECFailure; + } + } else { + body = nonbody; + } + + cleanup: + PR_Close(file); + HexToBuf(body, item, isHexData); + return SECSuccess; + } + + /* + * EncryptAndMac + */ + SECStatus + EncryptAndMac(PRFileDesc *inFile, + PRFileDesc *headerFile, + PRFileDesc *encFile, + PK11SymKey *ek, + PK11SymKey *mk, + unsigned char *iv, unsigned int ivLen, + PRBool ascii) + { + SECStatus rv; + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen; + unsigned char mac[DIGESTSIZE]; + unsigned int macLen; + unsigned int nwritten; + unsigned char encbuf[BLOCKSIZE]; + unsigned int encbufLen; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + unsigned int pad[1]; + SECItem padItem; + unsigned int paddingLength; + + static unsigned int firstTime = 1; + int j; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + rv = MacInit(ctxmac); + if (rv != SECSuccess) { + goto cleanup; + } + + ctxenc = EncryptInit(ek, iv, ivLen, CKM_AES_CBC); + + /* read a buffer of plaintext from input file */ + while ((ptextLen = PR_Read(inFile, ptext, sizeof(ptext))) > 0) { + + /* Encrypt using it using CBC, using previously created IV */ + if (ptextLen != BLOCKSIZE) { + paddingLength = BLOCKSIZE - ptextLen; + for ( j=0; j < paddingLength; j++) { + ptext[ptextLen+j] = (unsigned char)paddingLength; + } + ptextLen = BLOCKSIZE; + } + rv = Encrypt(ctxenc, + encbuf, &encbufLen, sizeof(encbuf), + ptext, ptextLen); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Encrypt Failure\n"); + goto cleanup; + } + + /* save the last block of ciphertext as the next IV */ + iv = encbuf; + ivLen = encbufLen; + + /* write the cipher text to intermediate file */ + nwritten = PR_Write(encFile, encbuf, encbufLen); + /*PR_Assert(nwritten == encbufLen);*/ + + rv = MacUpdate(ctxmac, ptext, ptextLen); + } + + rv = MacFinal(ctxmac, mac, &macLen, DIGESTSIZE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "MacFinal Failure\n"); + goto cleanup; + } + if (macLen == 0) { + PR_fprintf(PR_STDERR, "Bad MAC length\n"); + rv = SECFailure; + goto cleanup; + } + WriteToHeaderFile(mac, macLen, MAC, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write MAC Failure\n"); + goto cleanup; + } + + pad[0] = paddingLength; + padItem.type = siBuffer; + padItem.data = (unsigned char *)pad; + padItem.len = sizeof(pad[0]); + + WriteToHeaderFile(padItem.data, padItem.len, PAD, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Write PAD Failure\n"); + goto cleanup; + } + + rv = SECSuccess; + + cleanup: + if (ctxmac != NULL) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc != NULL) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + + return rv; + } + + /* + * Find the Key for the given mechanism + */ + PK11SymKey* + FindKey(PK11SlotInfo *slot, + CK_MECHANISM_TYPE mechanism, + SECItem *keyBuf, secuPWData *pwdata) + { + SECStatus rv; + PK11SymKey *key; + + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + if (slot) { + PK11_FreeSlot(slot); + } + return NULL; + } + } + + key = PK11_FindFixedKey(slot, mechanism, keyBuf, 0); + if (!key) { + PR_fprintf(PR_STDERR, + "PK11_FindFixedKey failed (err %d)\n", + PR_GetError()); + PK11_FreeSlot(slot); + return NULL; + } + return key; + } + + /* + * Decrypt and Verify MAC + */ + SECStatus + DecryptAndVerifyMac(const char* outFileName, + char *encryptedFileName, + SECItem *cItem, SECItem *macItem, + PK11SymKey* ek, PK11SymKey* mk, SECItem *ivItem, SECItem *padItem) + { + SECStatus rv; + PRFileDesc* inFile; + PRFileDesc* outFile; + + unsigned char decbuf[64]; + unsigned int decbufLen; + + unsigned char ptext[BLOCKSIZE]; + unsigned int ptextLen = 0; + unsigned char ctext[64]; + unsigned int ctextLen; + unsigned char newmac[DIGESTSIZE]; + unsigned int newmacLen = 0; + unsigned int newptextLen = 0; + unsigned int count = 0; + unsigned int temp = 0; + unsigned int blockNumber = 0; + SECItem noParams = { siBuffer, NULL, 0 }; + PK11Context *ctxmac = NULL; + PK11Context *ctxenc = NULL; + + unsigned char iv[BLOCKSIZE]; + unsigned int ivLen = ivItem->len; + unsigned int fileLength; + unsigned int paddingLength; + int j; + + memcpy(iv, ivItem->data, ivItem->len); + paddingLength = (unsigned int)padItem->data[0]; + + ctxmac = PK11_CreateContextBySymKey(CKM_MD5_HMAC, CKA_SIGN, mk, &noParams); + if (ctxmac == NULL) { + PR_fprintf(PR_STDERR, "Can't create MAC context\n"); + rv = SECFailure; + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(encryptedFileName, PR_RDONLY , 0); + if (!inFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* Open the output file. */ + outFile = PR_Open(outFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR , 00660); + if (!outFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + outFileName); + return SECFailure; + } + + rv = MacInit(ctxmac); + if (rv != SECSuccess) goto cleanup; + + ctxenc = DecryptInit(ek, iv, ivLen, CKM_AES_CBC); + fileLength = FileSize(encryptedFileName); + + while ((ctextLen = PR_Read(inFile, ctext, sizeof(ctext))) > 0) { + + count += ctextLen; + + /* decrypt cipher text buffer using CBC and IV */ + + rv = Decrypt(ctxenc, decbuf, &decbufLen, sizeof(decbuf), + ctext, ctextLen); + + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Decrypt Failure\n"); + goto cleanup; + } + + if (decbufLen == 0) break; + + rv = MacUpdate(ctxmac, decbuf, decbufLen); + if (rv != SECSuccess) { goto cleanup; } + if (count == fileLength) { + decbufLen = decbufLen-paddingLength; + } + + /* write the plain text to out file */ + temp = PR_Write(outFile, decbuf, decbufLen); + if (temp != decbufLen) { + PR_fprintf(PR_STDERR, "write error\n"); + rv = SECFailure; + break; + } + + /* save last block of ciphertext */ + memcpy(iv, decbuf, decbufLen); + ivLen = decbufLen; + blockNumber++; + } + + if (rv != SECSuccess) { goto cleanup; } + + rv = MacFinal(ctxmac, newmac, &newmacLen, sizeof(newmac)); + if (rv != SECSuccess) { goto cleanup; } + + if (PORT_Memcmp(macItem->data, newmac, newmacLen) == 0) { + rv = SECSuccess; + } else { + PR_fprintf(PR_STDERR, "Check MAC : Failure\n"); + PR_fprintf(PR_STDERR, "Extracted : "); + PrintAsHex(PR_STDERR, macItem->data, macItem->len); + PR_fprintf(PR_STDERR, "Computed : "); + PrintAsHex(PR_STDERR, newmac, newmacLen); + rv = SECFailure; + } + cleanup: + if (ctxmac) { + PK11_DestroyContext(ctxmac, PR_TRUE); + } + if (ctxenc) { + PK11_DestroyContext(ctxenc, PR_TRUE); + } + if (outFile) { + PR_Close(outFile); + } + + return rv; + } + + /* + * Gets IV and CKAIDS From Header File + */ + SECStatus + GetIVandCKAIDSFromHeader(const char *cipherFileName, + SECItem *ivItem, SECItem *encKeyItem, SECItem *macKeyItem) + { + SECStatus rv; + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = ReadFromHeaderFile(cipherFileName, IV, ivItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not retrieve IV from cipher file\n"); + goto cleanup; + } + + rv = ReadFromHeaderFile(cipherFileName, SYMKEY, encKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve AES CKA_ID from cipher file\n"); + goto cleanup; + } + rv = ReadFromHeaderFile(cipherFileName, MACKEY, macKeyItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC CKA_ID from cipher file\n"); + goto cleanup; + } + cleanup: + return rv; + } + + /* + * DecryptFile + */ + SECStatus + DecryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *outFileName, + const char *headerFileName, + char *encryptedFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open read only and we have authenticated to it + * open input file, read in header, get IV and CKA_IDs of two keys from it + * find those keys in the DB token + * Open output file + * loop until EOF(input): + * read a buffer of ciphertext from input file, + * Save last block of ciphertext + * decrypt ciphertext buffer using CBC and IV, + * compute and check MAC, then remove MAC from plaintext + * replace IV with saved last block of ciphertext + * write the plain text to output file + * close files + * report success + */ + + SECStatus rv; + SECItem ivItem; + SECItem encKeyItem; + SECItem macKeyItem; + SECItem cipherItem; + SECItem macItem; + SECItem padItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + + + /* open intermediate file, read in header, get IV and CKA_IDs of two keys + * from it + */ + rv = GetIVandCKAIDSFromHeader(headerFileName, + &ivItem, &encKeyItem, &macKeyItem); + if (rv != SECSuccess) { + goto cleanup; + } + + /* find those keys in the DB token */ + encKey = FindKey(slot, CKM_AES_CBC, &encKeyItem, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "Can't find the encryption key\n"); + rv = SECFailure; + goto cleanup; + } + /* CKM_MD5_HMAC or CKM_EXTRACT_KEY_FROM_KEY */ + macKey = FindKey(slot, CKM_MD5_HMAC, &macKeyItem, pwdata); + if (macKey == NULL) { + rv = SECFailure; + goto cleanup; + } + + /* Read in the Mac into item from the intermediate file */ + rv = ReadFromHeaderFile(headerFileName, MAC, &macItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve MAC from cipher file\n"); + goto cleanup; + } + if (macItem.data == NULL) { + PR_fprintf(PR_STDERR, "MAC has NULL data\n"); + rv = SECFailure; + goto cleanup; + } + if (macItem.len == 0) { + PR_fprintf(PR_STDERR, "MAC has data has 0 length\n"); + /*rv = SECFailure; + goto cleanup;*/ + } + + rv = ReadFromHeaderFile(headerFileName, PAD, &padItem, PR_TRUE); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, + "Could not retrieve PAD detail from header file\n"); + goto cleanup; + } + + if (rv == SECSuccess) { + /* Decrypt and Remove Mac */ + rv = DecryptAndVerifyMac(outFileName, encryptedFileName, + &cipherItem, &macItem, encKey, macKey, &ivItem, &padItem); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed while decrypting and removing MAC\n"); + } + } + + cleanup: + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * EncryptFile + */ + SECStatus + EncryptFile(PK11SlotInfo *slot, + const char *dbdir, + const char *inFileName, + const char *headerFileName, + const char *encryptedFileName, + const char *noiseFileName, + secuPWData *pwdata, + PRBool ascii) + { + /* + * The DB is open for read/write and we have authenticated to it. + * generate a symmetric AES key as a token object. + * generate a second key to use for MACing, also a token object. + * get their CKA_IDs + * generate a random value to use as IV for AES CBC + * open an input file and an output file, + * write a header to the output that identifies the two keys by + * their CKA_IDs, May include original file name and length. + * loop until EOF(input) + * read a buffer of plaintext from input file, + * MAC it, append the MAC to the plaintext + * encrypt it using CBC, using previously created IV, + * store the last block of ciphertext as the new IV, + * write the cipher text to intermediate file + * close files + * report success + */ + SECStatus rv; + PRFileDesc *inFile; + PRFileDesc *headerFile; + PRFileDesc *encFile; + + unsigned char *encKeyId = (unsigned char *) "Encrypt Key"; + unsigned char *macKeyId = (unsigned char *) "MAC Key"; + SECItem encKeyID = { siAsciiString, encKeyId, PL_strlen(encKeyId) }; + SECItem macKeyID = { siAsciiString, macKeyId, PL_strlen(macKeyId) }; + + SECItem encCKAID; + SECItem macCKAID; + unsigned char iv[BLOCKSIZE]; + SECItem ivItem; + PK11SymKey *encKey = NULL; + PK11SymKey *macKey = NULL; + SECItem temp; + unsigned char c; + + /* generate a symmetric AES key as a token object. */ + encKey = GenerateSYMKey(slot, CKM_AES_KEY_GEN, 128/8, &encKeyID, pwdata); + if (encKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for AES returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* generate a second key to use for MACing, also a token object. */ + macKey = GenerateSYMKey(slot, CKM_GENERIC_SECRET_KEY_GEN, 160/8, + &macKeyID, pwdata); + if (macKey == NULL) { + PR_fprintf(PR_STDERR, "GenerateSYMKey for MACing returned NULL.\n"); + rv = SECFailure; + goto cleanup; + } + + /* get the encrypt key CKA_ID */ + rv = GatherCKA_ID(encKey, &encCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error while wrapping encrypt key\n"); + goto cleanup; + } + + /* get the MAC key CKA_ID */ + rv = GatherCKA_ID(macKey, &macCKAID); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Can't get the MAC key CKA_ID.\n"); + goto cleanup; + } + + if (noiseFileName) { + rv = SeedFromNoiseFile(noiseFileName); + if (rv != SECSuccess) { + PORT_SetError(PR_END_OF_FILE_ERROR); + return SECFailure; + } + rv = PK11_GenerateRandom(iv, BLOCKSIZE); + if (rv != SECSuccess) { + goto cleanup; + } + + } else { + /* generate a random value to use as IV for AES CBC */ + GenerateRandom(iv, BLOCKSIZE); + } + + headerFile = PR_Open(headerFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!headerFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + headerFileName); + return SECFailure; + } + encFile = PR_Open(encryptedFileName, + PR_CREATE_FILE | PR_TRUNCATE | PR_RDWR, 00660); + if (!encFile) { + PR_fprintf(PR_STDERR, + "Unable to open \"%s\" for writing.\n", + encryptedFileName); + return SECFailure; + } + /* write to a header file the IV and the CKA_IDs + * identifying the two keys + */ + ivItem.type = siBuffer; + ivItem.data = iv; + ivItem.len = BLOCKSIZE; + + rv = WriteToHeaderFile(iv, BLOCKSIZE, IV, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing IV to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + rv = WriteToHeaderFile(encCKAID.data, encCKAID.len, SYMKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing AES CKA_ID to cipher file - %s\n", + encryptedFileName); + goto cleanup; + } + rv = WriteToHeaderFile(macCKAID.data, macCKAID.len, MACKEY, headerFile); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Error writing MAC CKA_ID to cipher file - %s\n", + headerFileName); + goto cleanup; + } + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + + /* Macing and Encryption */ + if (rv == SECSuccess) { + rv = EncryptAndMac(inFile, headerFile, encFile, + encKey, macKey, ivItem.data, ivItem.len, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : Macing and Encryption\n"); + goto cleanup; + } + } + + cleanup: + if (inFile) { + PR_Close(inFile); + } + if (headerFile) { + PR_Close(headerFile); + } + if (encFile) { + PR_Close(encFile); + } + if (slot) { + PK11_FreeSlot(slot); + } + if (encKey) { + PK11_FreeSymKey(encKey); + } + if (macKey) { + PK11_FreeSymKey(macKey); + } + + return rv; + } + + /* + * This example illustrates basic encryption/decryption and MACing + * Generates the encryption/mac keys and uses token for storing. + * Encrypts the input file and appends MAC before storing in intermediate + * header file. + * Writes the CKA_IDs of the encryption keys into intermediate header file. + * Reads the intermediate headerfile for CKA_IDs and encrypted + * contents and decrypts into output file. + */ + int + main(int argc, char **argv) + { + SECStatus rv; + SECStatus rvShutdown; + PK11SlotInfo *slot = NULL; + PLOptState *optstate; + PLOptStatus status; + char headerFileName[50]; + char encryptedFileName[50]; + PRFileDesc *inFile; + PRFileDesc *outFile; + PRBool ascii = PR_FALSE; + CommandType cmd = UNKNOWN; + const char *command = NULL; + const char *dbdir = NULL; + const char *inFileName = NULL; + const char *outFileName = NULL; + const char *noiseFileName = NULL; + secuPWData pwdata = { PW_NONE, 0 }; + + char * progName = strrchr(argv[0], '/'); + progName = progName ? progName + 1 : argv[0]; + + /* Parse command line arguments */ + optstate = PL_CreateOptState(argc, argv, "c:d:i:o:f:p:z:a"); + while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { + switch (optstate->option) { + case 'a': + ascii = PR_TRUE; + break; + case 'c': + command = strdup(optstate->value); + break; + case 'd': + dbdir = strdup(optstate->value); + break; + case 'f': + pwdata.source = PW_FROMFILE; + pwdata.data = strdup(optstate->value); + break; + case 'p': + pwdata.source = PW_PLAINTEXT; + pwdata.data = strdup(optstate->value); + break; + case 'i': + inFileName = strdup(optstate->value); + break; + case 'o': + outFileName = strdup(optstate->value); + break; + case 'z': + noiseFileName = strdup(optstate->value); + break; + default: + Usage(progName); + break; + } + } + PL_DestroyOptState(optstate); + + if (!command || !dbdir || !inFileName || !outFileName) + Usage(progName); + if (PL_strlen(command)==0) + Usage(progName); + + cmd = command[0] == 'a' ? ENCRYPT : command[0] == 'b' ? DECRYPT : UNKNOWN; + + /* Open the input file. */ + inFile = PR_Open(inFileName, PR_RDONLY, 0); + if (!inFile) { + PR_fprintf(PR_STDERR, "Unable to open \"%s\" for reading.\n", + inFileName); + return SECFailure; + } + PR_Close(inFile); + + /* For intermediate header file, choose filename as inputfile name + with extension ".header" */ + strcpy(headerFileName, inFileName); + strcat(headerFileName, ".header"); + + /* For intermediate encrypted file, choose filename as inputfile name + with extension ".enc" */ + strcpy(encryptedFileName, inFileName); + strcat(encryptedFileName, ".enc"); + + PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0); + + switch (cmd) { + case ENCRYPT: + /* If the intermediate header file already exists, delete it */ + if (PR_Access(headerFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(headerFileName); + } + /* If the intermediate encrypted already exists, delete it */ + if (PR_Access(encryptedFileName, PR_ACCESS_EXISTS) == PR_SUCCESS) { + PR_Delete(encryptedFileName); + } + + /* Open DB for read/write and authenticate to it. */ + rv = NSS_InitReadWrite(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_InitReadWrite Failed\n"); + goto cleanup; + } + + PK11_SetPasswordFunc(GetModulePassword); + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + rv = EncryptFile(slot, dbdir, + inFileName, headerFileName, encryptedFileName, + noiseFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "EncryptFile : Failed\n"); + return SECFailure; + } + break; + case DECRYPT: + /* Open DB read only, authenticate to it */ + PK11_SetPasswordFunc(GetModulePassword); + + rv = NSS_Init(dbdir); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "NSS_Init Failed\n"); + return SECFailure; + } + + slot = PK11_GetInternalKeySlot(); + if (PK11_NeedLogin(slot)) { + rv = PK11_Authenticate(slot, PR_TRUE, &pwdata); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "Could not authenticate to token %s.\n", + PK11_GetTokenName(slot)); + goto cleanup; + } + } + + rv = DecryptFile(slot, dbdir, + outFileName, headerFileName, + encryptedFileName, &pwdata, ascii); + if (rv != SECSuccess) { + PR_fprintf(PR_STDERR, "DecryptFile : Failed\n"); + return SECFailure; + } + break; + } + + cleanup: + rvShutdown = NSS_Shutdown(); + if (rvShutdown != SECSuccess) { + PR_fprintf(PR_STDERR, "Failed : NSS_Shutdown()\n"); + rv = SECFailure; + } + + PR_Cleanup(); + + return rv; + } \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/faq/index.rst b/security/nss/doc/rst/legacy/faq/index.rst new file mode 100644 index 0000000000..6c022e7ff1 --- /dev/null +++ b/security/nss/doc/rst/legacy/faq/index.rst @@ -0,0 +1,280 @@ +.. _mozilla_projects_nss_faq: + +NSS FAQ +======= + +.. _general_questions: + +`General Questions <#general_questions>`__ +------------------------------------------ + +.. _what_is_network_security_services_.28nss.29: + +`What is Network Security Services (NSS) <#what_is_network_security_services_.28nss.29>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS is set of libraries, APIs, utilities, and documentation designed to support cross-platform + development of security-enabled client and server applications. It provides a complete + open-source implementation of the crypto libraries used by Mozilla and other companies in the + Firefox browser, AOL Instant Messenger (AIM), server products from Red Hat, and other products. + + For an overview of NSS, see :ref:`mozilla_projects_nss_overview`. For detailed information on the + open-source NSS project, see `NSS Project Page `__. + +.. _what_can_i_do_with_nss.3f_is_nss_appropriate_for_my_application.3f: + +`What can I do with NSS? Is NSS appropriate for my application? <#what_can_i_do_with_nss.3f_is_nss_appropriate_for_my_application.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + If you want add support for SSL, S/MIME, or other Internet security standards to your + application, you can use Network Security Services (NSS) to do so. Because NSS provides complete + support for all versions of SSL and TLS, it is particularly well-suited for applications that + need to communicate with the many clients and servers that already support the SSL protocol. + + The PKCS #11 interface included in NSS means that your application can use `hardware + accelerators <#what_hardware_accelerators_are_supported.3f>`__ on the server and + :ref:`mozilla_projects_nss_faq#how_do_i_integrate_smart_cards_into_my_application_using_nss_3f` + for two-factor authentication. + +.. _how_does_nss_compare_to_openssl.3f: + +`How does NSS compare to OpenSSL? <#how_does_nss_compare_to_openssl.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + `OpenSSL `__ is an open source project that implements server-side SSL, + TLS, and a general-purpose cryptography library. It does not support PKCS #11. It is based on the + SSLeay library developed by Eric A. Young and Tim J. Hudson. OpenSSL is widely used in Apache + servers and is licensed under an Apache-style licence. + + NSS supports both server and client applications as well as + :ref:`mozilla_projects_nss_pkcs11_faq` and S/MIME. To permit its use in as many contexts as + possible, NSS is licensed under the `Mozilla Public License `__, + version 2. + +.. _how_does_nss_compare_to_sslref.3f: + +`How does NSS compare to SSLRef? <#how_does_nss_compare_to_sslref.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + SSLRef was an early reference implementation of the SSL protocol. It contains bugs that were + never fixed, doesn't support TLS or the new 56-bit export cipher suites, and does not contain the + fix to the Bleichenbacher attack on PKCS#1. + + Netscape no longer maintains SSLRef or makes it available. It was built as an example of an SSL + implementation, not for creating production applications. + + NSS was designed from the ground up for use by commercial developers. It provides a complete + software development kit that uses the same architecture used to support security features in + many client and server products from Netscape and other companies. + +.. _what_platforms_and_development_environments_are_supported.3f: + +`What platforms and development environments are supported? <#what_platforms_and_development_environments_are_supported.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. warning:: + + This section is out of date + + iPlanet E-Commerce Solutions has certified NSS 3.1 on 18 platforms, including AIX 4.3, HP-UX + 11.0, Red Hat Linux 6.0, Solaris (2.6 or later), Windows NT (4.0 or later), and Windows 2000. + Other contributors are in the process of certifying additional platforms. The NSS 3.1 API + requires C or C++ development environments. + + For the latest NSS release notes and detailed platform information, see `Project + Information `__. + +.. _what_cryptography_standards_are_supported.3f: + +`What cryptography standards are supported? <#what_cryptography_standards_are_supported.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS supports `SSL v2 and v3 `__, + `TLS `__, `PKCS + #5 `__, `PKCS + #7 `__, `PKCS + #11 `__, `PKCS + #12 `__, + `S/MIME `__, and + `X.509 v3 `__ + certificates. For complete details, see `Encryption Technologies Available in NSS + 3.11 `__ + +.. _what_is_the_relationship_between_nss_and_psm.3f: + +`What is the relationship between NSS and PSM? <#what_is_the_relationship_between_nss_and_psm.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Personal Security Manager (PSM) is built on top of NSS. It consists of libraries and a daemon + designed to support cross-platform development of security-enabled client applications. The PSM + binary provides a client module that performs cryptographic operations on behalf of applications. + Netscape Personal Security Manager ships with Netscape 6 and the Gateway Connected Touch Pad with + Instant AOL, and is also available for use with Communicator 4.7x. + +.. _where_can_i_get_the_source.3f: + +`Where can I get the source? <#where_can_i_get_the_source.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + For instructions on how to check out and build the NSS source code, see + :ref:`mozilla_projects_nss_nss_sources_building_testing`. + +.. _how_much_does_it_cost.3f: + +`How much does it cost? <#how_much_does_it_cost.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS source code and binaries (when they become available) are completely free. No license fees, + no royalty fees, no subscription fees. + +.. _developer_questions: + +`Developer Questions <#developer_questions>`__ +---------------------------------------------- + +.. _what_hardware_accelerators_are_supported.3f: + +`What hardware accelerators are supported? <#what_hardware_accelerators_are_supported.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS supports the PKCS #11 interface for hardware acceleration. Since leading accelerator vendors + such as Chrysalis-IT, nCipher, and Rainbow Technologies also support this interface, NSS-enabled + applications can support a wide variety of hardware accelerators. + +.. _how_do_i_integrate_smart_cards_into_my_application_using_nss.3f: + +`How do I integrate smart cards into my application using NSS? <#how_do_i_integrate_smart_cards_into_my_application_using_nss.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS supports the PKCS #11 interface for smart card integration. Applications that use the PKCS + #11 interface provided by NSS will therefore support smart cards from leading vendors such as + ActiveCard, Litronic, SafeNet, and SecureID Technologies that also support the PKCS #11 + interface. + +.. _does_nss_require_netscape_portable_runtime_.28nspr.29.3f: + +`Does NSS require Netscape Portable Runtime (NSPR)? <#does_nss_require_netscape_portable_runtime_.28nspr.29.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: To provide cross-platform support, NSS utilizes Netscape Portable Runtime (NSPR) + libraries as a portability interface and implementation that provides consistent + cross-platform semantics for network I/O and threading models. You can use NSPR throughout + your application or only in the portion that calls into NSS. Mozilla strongly recommends that + multithreaded applications use the NSPR or native OS threading model. (In recent NSPR + releases, the NSPR threading model is compatible with the native threading model if the OS has + native threads.) Alternatively, you can adapt the open-source NSPR implementation to be + compatible with your existing application's threading models. More information about NSPR may + be found at `Netscape Portable + Runtime `__. + :name: to_provide_cross-platform_support_nss_utilizes_netscape_portable_runtime_nspr_libraries_as_a_portability_interface_and_implementation_that_provides_consistent_cross-platform_semantics_for_network_io_and_threading_models._you_can_use_nspr_throughout_your_application_or_only_in_the_portion_that_calls_into_nss._mozilla_strongly_recommends_that_multithreaded_applications_use_the_nspr_or_native_os_threading_model._in_recent_nspr_releases_the_nspr_threading_model_is_compatible_with_the_native_threading_model_if_the_os_has_native_threads._alternatively_you_can_adapt_the_open-source_nspr_implementation_to_be_compatible_with_your_existing_applications_threading_models._more_information_about_nspr_may_be_found_at_netscape_portable_runtime. + +.. _can_i_use_nss_even_if_my_application_protocol_isn.27t_http.3f: + +`Can I use NSS even if my application protocol isn't HTTP? <#can_i_use_nss_even_if_my_application_protocol_isn.27t_http.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Yes, TLS is independent of application protocols. It works with common Internet standard + application protocols (HTTP, POP3, FTP, SMTP, etc.) as well as custom application protocols using + TCP/IP. + +.. _how_long_does_it_take_to_integrate_nss_into_my_application.3f: + +`How long does it take to integrate NSS into my application? <#how_long_does_it_take_to_integrate_nss_into_my_application.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + The integration effort depends on an number of factors, such as developer skill set, application + complexity, and the level of security required for your application. NSS includes detailed + documentation of the SSL API and sample code that demonstrates basic SSL functionality (setting + up an encrypted session, server authentication, and client authentication) to help jump start the + integration process. However, there is little or no documentation currently available for the + rest of the NSS API. If your application requires sophisticated certificate management, smart + card support, or hardware acceleration, your integration effort will be more extensive. + +.. _where_can_i_download_the_nss_tools.3f: + +`Where can I download the NSS tools? <#where_can_i_download_the_nss_tools.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Binary builds of NSS for several platforms including the command-line tools can be downloaded + from + `http://ftp.mozilla.org/pub/mozilla.o...y/nss/releases/ `__. + NSPR, which you will need as well, can be downloaded from + http://ftp.mozilla.org/pub/mozilla.org/nspr/releases/. + +.. _how_can_i_learn_more_about_ssl.3f: + +`How can I learn more about TLS? <#how_can_i_learn_more_about_ssl.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + See https://developer.mozilla.org/en-US/docs/Glossary/TLS. + +.. _licensing_questions: + +`Licensing Questions <#licensing_questions>`__ +---------------------------------------------- + +.. _how_is_nss_licensed.3f: + +`How is NSS licensed? <#how_is_nss_licensed.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + NSS is available under the `Mozilla Public License `__, version 2. + +.. _is_nss_available_outside_the_united_states.3f: + +`Is NSS available outside the United States? <#is_nss_available_outside_the_united_states.3f>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. warning:: + + This section is out of date + + Yes; see `Build Instructions for NSS + 3.1. `__ and + ftp://ftp.mozilla.org/pub/mozilla.org/security/. However, NSS source code is subject to the U.S. + Export Administration Regulations and other U.S. law, and may not be exported or re-exported to + certain countries (Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and + Taleban-controlled areas of Afghanistan as of January 2000) or to persons or entities prohibited + from receiving U.S. exports (including those (a) on the Bureau of Industry and Security Denied + Parties List or Entity List, (b) on the Office of Foreign Assets Control list of Specially + Designated Nationals and Blocked Persons, and (c) involved with missile technology or nuclear, + chemical or biological weapons). + + For more information about U.S. export controls on encryption software, see the `Mozilla Crypto + FAQ `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst b/security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst new file mode 100644 index 0000000000..3e141cca5d --- /dev/null +++ b/security/nss/doc/rst/legacy/fips_mode_-_an_explanation/index.rst @@ -0,0 +1,129 @@ +.. _mozilla_projects_nss_fips_mode_-_an_explanation: + +FIPS Mode - an explanation +========================== + +.. container:: + + NSS has a "FIPS Mode" that can be enabled when NSS is compiled in a specific way. (Note: Mozilla + does not distribute a "FIPS Mode"-ready NSS with Firefox.) This page attempts to provide an + informal explanation of what it is, who would use it, and why. + +.. _what's_a_fips: + +`What's a FIPS? <#what's_a_fips>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + The United States government defines many (several hundred) "Federal Information Processing + Standard" (FIPS) documents. (FIPS sounds plural, but is singular; one FIPS document is a FIPS, + not a FIP.) FIPS documents define rules, regulations, and standards for many aspects of handling + of information by computers and by people. They apply to all US government employees and + personnel, including soldiers in the armed forces. Generally speaking, any use of a computer by + US government personnel must conform to all the relevant FIPS regulations. If you're a + US government worker, and you want to use a Mozilla software product such as Firefox, or any + product that uses NSS, you will want to use it in a way that is fully conformant with all the + relevant FIPS regulations. Some other governments have also adopted many of the FIPS + regulations, so their applicability is somewhat wider than just the US government's personnel. + +.. _what_is_fips_mode: + +`What is "FIPS Mode"? <#what_is_fips_mode>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + One of the FIPS regulations, FIPS 140, governs the use of encryption and cryptographic services. + It requires that ALL cryptography done by US government personnel MUST be done in "devices" that + have been independently tested, and certified by NIST, to meet the extensive requirements of that + document. These devices may be hardware or software, but either way, they must function and + behave as prescribed. So, in order for Mozilla Firefox and Thunderbird to be usable by people + who are subject to the FIPS regulations, Mozilla's cryptographic software must be able to operate + in a mode that is fully compliant with FIPS 140. To that end, Mozilla products can function in a + "FIPS Mode", which is really "FIPS 140 Mode", when paired with a compliant copy of NSS. (Note, + the current version of FIPS 140 is revision 2, a.k.a. FIPS 140-2. FIPS 140-3 is being devised by + NIST now for adoption in the future.) Users who are subject to the FIPS regulations must ensure + that they have Mozilla's FIPS Mode enabled when they use Mozilla software, in order to be fully + conformant. Instructions for how to configure Firefox into FIPS mode may be found on + `support.mozilla.com `__. + +.. _is_nss_fips-140_compliant: + +`Is NSS FIPS-140 compliant? <#is_nss_fips-140_compliant>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Mozilla's NSS cryptographic software has been tested by government-approved independent testing + labs and certified by NIST as being FIPS 140 compliant *when operated in FIPS mode* on 4 previous + occasions. As of this writing, NSS is now being retested to be recertified for the fifth time. + NSS was the first open source cryptographic library to be FIPS certified. + +.. _what_is_fips_mode_all_about: + +`What is FIPS Mode all about? <#what_is_fips_mode_all_about>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A FIPS-140 compliant application must do ALL of its cryptography in a FIPS-140 certified + "device". Whether it is hardware or software, that device will have all the cryptographic + engines in it, and also will stores keys and perhaps certificates inside. The device must have a + way for users to authenticate to it (to "login" to it), to prove to it that they are authorized + to use the cryptographic engines and keys it contains. It may not do ANY cryptographic + operations that involve the use of cryptographic keys, nor allow ANY of the keys or certificates + it holds to be seen or used, except when a user has successfully authenticated to it. If users + authenticate to it with a password, it must ensure that their passwords are strong passwords. It + must implement the US government standard algorithms (also specified in other FIPS documents) + such as AES, triple-DES, SHA-1 and SHA-256, that are needed to do whatever job the application + wants it to perform. It must generate or derive cryptographic keys and store them internally. + Except for "public keys", it must not allow any keys to leave it (to get outside of it) unless + they are encrypted ("wrapped") in a special way. This makes it difficult to move keys from one + device to another, and consequently, all crypto engines and key storage must be in a single + device rather than being split up into several devices. + +.. _how_does_this_affect_firefox_users: + +`How does this affect Firefox users? <#how_does_this_affect_firefox_users>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + These requirements have several implications for users. In FIPS Mode, every user must have a + good strong "master password", and must enter it each time they start or restart Firefox before + they can visit any web sites that use cryptography (https). Firefox can only use the latest + version of SSL, known as "TLS", and not the older SSL 2 or SSL 3.0 protocols, and Firefox can + only talk to those servers that use FIPS standard encryption algorithms such as AES or + triple-DES. Servers that can only use non-FIPS-approved encryption, such as RC4, cannot be used + in FIPS mode. + +.. _how_is_fips_mode_different_from_normal_non-fips_mode: + +`How is FIPS Mode different from normal non-FIPS Mode? <#how_is_fips_mode_different_from_normal_non-fips_mode>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + In normal non-FIPS Mode, the "master password" is optional and is allowed to be a weak short + password. The user is only required to enter his master password to use his own private keys (if + he has any) or to access his stored web-site passwords. The user is not required to enter the + master password to visit ordinary https servers, nor to view certificates he has previously + stored. In non-FIPS mode, NSS is willing and able to use popular non-FIPS approved cryptographic + algorithms, such as RC4 and MD5, to communicate with older https servers. NSS divides its + operations up into two "devices" rather than just one. One device does all the operations that + may be done without needing to authenticate, and the other device stores the user's certificates + and private keys and performs operations that use those private keys. + +.. _how_do_i_put_firefox_into_fips_mode: + +`How do I put Firefox into FIPS Mode? <#how_do_i_put_firefox_into_fips_mode>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Instructions for how to configure Firefox into FIPS mode may be found on + `support.mozilla.com `__. + Some third-parties distribute Firefox ready for FIPS mode, `a partial list can be found at the + NSS + wiki `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/http_delegation/index.rst b/security/nss/doc/rst/legacy/http_delegation/index.rst new file mode 100644 index 0000000000..f0288507d9 --- /dev/null +++ b/security/nss/doc/rst/legacy/http_delegation/index.rst @@ -0,0 +1,105 @@ +.. _mozilla_projects_nss_http_delegation: + +HTTP delegation +=============== + +`Background <#background>`__ +---------------------------- + +.. container:: + + Up to version 3.11, :ref:`mozilla_projects_nss` connects directly over + `HTTP `__ to an OCSP responder to make the + request and fetch the response. It does so in a blocking fashion, and also directly to the + responder, ignoring any proxy the application may wish to use. This causes OCSP requests to fail + if the network environment requires the use of a proxy. + + There are two possible solutions to this limitation. Instead of improving the simple HTTP client + in NSS, the NSS team has decided to provide an NSS API to register application callback + functions. If provided by the application, NSS will use the registered HTTP client for querying + an OSCP responder. + + This NSS feature is currently targeted to first appear in NSS version 3.11.1. More details can be + found in `bug 152426 `__. + + In order to use the HTTP Delegation feature in your NSS-based application, you need to implement + several callback functions. Your callback functions might be a full implementation of a HTTP + client. Or you might choose to leverage an existing HTTP client library and implement the + callback functions as a thin layer that forwards requests from NSS to the HTTP client library. + + To learn about all the details, please read the documentation contained in the NSS C header + files. Look for function SEC_RegisterDefaultHttpClient and all functions having names that start + with SEC_Http. + + To find an example implementation, you may look at + `bug 111384 `__, which tracks the + implementation in Mozilla client applications. + +.. _instructions_for_specifying_an_ocsp_proxy: + +`Specifying an OCSP proxy <#instructions_for_specifying_an_ocsp_proxy>`__ +------------------------------------------------------------------------- + +.. container:: + + The remainder of this document is a short HOWTO. + + One might expect the API defines a simple function that accepts the URI and data to be sent, and + returns the result data. But there is no such simple interface. + + The API should allow NSS to use the HTTP client either asynchronously or synchronously. In + addition, during an application session with OCSP enabled, a large number of OCSP requests might + have to be sent. Therefore the API should allow for keep-alive (persistent) HTTP connections. + + HTTP URIs consist of host:port and a path, e.g. + http://ocsp.provider.com:80/cgi-bin/ocsp-responder + + If NSS needs to access a HTTP server, it will request that an "http server session object" be + created (SEC_HttpServer_CreateSessionFcn). + + The http server session object is logically associated with host and port destination + information, in our example this is "host ocsp.provider.com port 80". The object may be used by + the application to associate it with a physical network connection. + + (NSS might choose to be smart, and only create a single http server session object for each + server encountered. NSS might also choose to be simple, and request multiple objects for the same + server. The application must support both strategies.) + + The logical http server session object is expected to remain valid until explicitly destroyed + (SEC_HttpServer_FreeSessionFcn). Should the application be unable to keep a physical connection + alive all the time, the application is expected to create new connections automatically. + + NSS may choose to repeatedly call a "network connection keep alive" function + (SEC_HttpServer_KeepAliveSessionFcn) on the server session object, giving application code a + chance to do whatever is required. + + For each individual HTTP request, NSS will request the creation of a "http request object" + (SEC_HttpRequest_CreateFcn). No full URI is provided as a parameter. Instead, the parameters are + a server session object (that carries host and port information already) and the request path. In + our example the path is "/cgi-bin/ocsp-responder". (When issueing GET requests, the + "?query-string=data" portion should already be appended to the request path) + + After creation, NSS might call functions to provide additional details of the HTTP request (e.g. + SEC_HttpRequest_SetPostDataFcn). The application is expected to collect the details for later + use. + + Once NSS is finished providing all details, it will request to initiate the actual network + communication (SEC_HttpRequest_TrySendAndReceiveFcn). The application should try to reuse + existing network connections associated with the server session object. + + Once the HTTP response has been obtained from the HTTP server, the function will provide the + results in its "out parameters". + + Please read the source code documentation to learn how to use this API synchronously or + asynchronously. + + Now that we have explained the interaction between NSS, the callback functions and the + application, let's look at the steps required by the application to initially register the + callbacks. + + Make sure you have completed the NSS initialization before you attempt to register the callbacks. + + Look at SEC_HttpClientFcn, which is a (versioned) table of function pointers. Create an instance + of this type and supply a pointer to your implementation for each entry in the function table. + + Finally register your HTTP client implementation with a call to SEC_RegisterDefaultHttpClient. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/http_delegation_clone/index.rst b/security/nss/doc/rst/legacy/http_delegation_clone/index.rst new file mode 100644 index 0000000000..ac305b2dd3 --- /dev/null +++ b/security/nss/doc/rst/legacy/http_delegation_clone/index.rst @@ -0,0 +1,105 @@ +.. _mozilla_projects_nss_http_delegation_clone: + +HTTP delegation +=============== + +`Background <#background>`__ +---------------------------- + +.. container:: + + Up to version 3.11, :ref:`mozilla_projects_nss` connects directly over + `HTTP `__ to an OCSP responder to make the + request and fetch the response. It does so in a blocking fashion, and also directly to the + responder, ignoring any proxy the application may wish to use. This causes OCSP requests to fail + if the network environment requires the use of a proxy. + + There are two possible solutions to this limitation. Instead of improving the simple HTTP client + in NSS, the NSS team has decided to provide an NSS API to register application callback + functions. If provided by the application, NSS will use the registered HTTP client for querying + an OSCP responder. + + This NSS feature is currently targeted to first appear in NSS version 3.11.1. More details can be + found in `bug 152426 `__. + + In order to use the HTTP Delegation feature in your NSS-based application, you need to implement + several callback functions. Your callback functions might be a full implementation of a HTTP + client. Or you might choose to leverage an existing HTTP client library and implement the + callback functions as a thin layer that forwards requests from NSS to the HTTP client library. + + To learn about all the details, please read the documentation contained in the NSS C header + files. Look for function SEC_RegisterDefaultHttpClient and all functions having names that start + with SEC_Http. + + To find an example implementation, you may look at + `bug 111384 `__, which tracks the + implementation in Mozilla client applications. + +.. _instructions_for_specifying_an_ocsp_proxy: + +`Specifying an OCSP proxy <#instructions_for_specifying_an_ocsp_proxy>`__ +------------------------------------------------------------------------- + +.. container:: + + The remainder of this document is a short HOWTO. + + One might expect the API defines a simple function that accepts the URI and data to be sent, and + returns the result data. But there is no such simple interface. + + The API should allow NSS to use the HTTP client either asynchronously or synchronously. In + addition, during an application session with OCSP enabled, a large number of OCSP requests might + have to be sent. Therefore the API should allow for keep-alive (persistent) HTTP connections. + + HTTP URIs consist of host:port and a path, e.g. + http://ocsp.provider.com:80/cgi-bin/ocsp-responder + + If NSS needs to access a HTTP server, it will request that an "http server session object" be + created (SEC_HttpServer_CreateSessionFcn). + + The http server session object is logically associated with host and port destination + information, in our example this is "host ocsp.provider.com port 80". The object may be used by + the application to associate it with a physical network connection. + + (NSS might choose to be smart, and only create a single http server session object for each + server encountered. NSS might also choose to be simple, and request multiple objects for the same + server. The application must support both strategies.) + + The logical http server session object is expected to remain valid until explicitly destroyed + (SEC_HttpServer_FreeSessionFcn). Should the application be unable to keep a physical connection + alive all the time, the application is expected to create new connections automatically. + + NSS may choose to repeatedly call a "network connection keep alive" function + (SEC_HttpServer_KeepAliveSessionFcn) on the server session object, giving application code a + chance to do whatever is required. + + For each individual HTTP request, NSS will request the creation of a "http request object" + (SEC_HttpRequest_CreateFcn). No full URI is provided as a parameter. Instead, the parameters are + a server session object (that carries host and port information already) and the request path. In + our example the path is "/cgi-bin/ocsp-responder". (When issuing GET requests, the + "?query-string=data" portion should already be appended to the request path) + + After creation, NSS might call functions to provide additional details of the HTTP request (e.g. + SEC_HttpRequest_SetPostDataFcn). The application is expected to collect the details for later + use. + + Once NSS is finished providing all details, it will request to initiate the actual network + communication (SEC_HttpRequest_TrySendAndReceiveFcn). The application should try to reuse + existing network connections associated with the server session object. + + Once the HTTP response has been obtained from the HTTP server, the function will provide the + results in its "out parameters". + + Please read the source code documentation to learn how to use this API synchronously or + asynchronously. + + Now that we have explained the interaction between NSS, the callback functions and the + application, let's look at the steps required by the application to initially register the + callbacks. + + Make sure you have completed the NSS initialization before you attempt to register the callbacks. + + Look at SEC_HttpClientFcn, which is a (versioned) table of function pointers. Create an instance + of this type and supply a pointer to your implementation for each entry in the function table. + + Finally register your HTTP client implementation with a call to SEC_RegisterDefaultHttpClient. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/index.rst b/security/nss/doc/rst/legacy/index.rst new file mode 100644 index 0000000000..fd55e1ac10 --- /dev/null +++ b/security/nss/doc/rst/legacy/index.rst @@ -0,0 +1,178 @@ +.. _mozilla_projects_nss: + +Legacy documentation +==================== + +.. toctree:: + :maxdepth: 2 + :glob: + :hidden: + + getting_started_with_nss/index.rst + introduction_to_network_security_services/index.rst + More documentation + +.. warning:: + This NSS documentation was just imported from our legacy MDN repository. It currently is very deprecated and likely incorrect or broken in many places. + +Legacy Documentation +-------------------- + +.. container:: + + **Network Security Services** (**NSS**) is a set of libraries designed to support cross-platform + development of security-enabled client and server applications. Applications built with NSS can + support SSL v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and + other security standards. + + For detailed information on standards supported, see :ref:`mozilla_projects_nss_overview`. For a + list of frequently asked questions, see the :ref:`mozilla_projects_nss_faq`. + + NSS is available under the Mozilla Public License. For information on downloading NSS releases as + tar files, see :ref:`mozilla_projects_nss_nss_sources_building_testing`. + + If you're a developer and would like to contribute to NSS, you might want to read the documents + :ref:`mozilla_projects_nss_an_overview_of_nss_internals` and + :ref:`mozilla_projects_nss_getting_started_with_nss`. + + .. rubric:: Background Information + :name: Background_Information + + :ref:`mozilla_projects_nss_overview` + Provides a brief summary of NSS and its capabilities. + :ref:`mozilla_projects_nss_faq` + Answers basic questions about NSS. + `Introduction to Public-Key Cryptography `__ + Explains the basic concepts of public-key cryptography that underlie NSS. + `Introduction to SSL `__ + Introduces the SSL protocol, including information about cryptographic ciphers supported by + SSL and the steps involved in the SSL handshake. + + .. rubric:: Getting Started + :name: Getting_Started + + :ref:`mozilla_projects_nss_nss_releases` + This page contains information about the current and past releases of NSS. + :ref:`mozilla_projects_nss_nss_sources_building_testing` + Instructions on how to build NSS on the different supported platforms. + `Get Mozilla Source Code Using Mercurial `__ + Information about with working with Mercurial. + `Get Mozilla Source Code Using CVS (deprecated) `__ + Old deprecated CVS documentation. + + .. rubric:: NSS APIs + :name: NSS_APIs + + :ref:`mozilla_projects_nss_introduction_to_network_security_services` + Provides an overview of the NSS libraries and what you need to know to use them. + :ref:`mozilla_projects_nss_ssl_functions` + Summarizes the SSL APIs exported by the NSS shared libraries. + :ref:`mozilla_projects_nss_reference` + API used to invoke SSL operations. + :ref:`mozilla_projects_nss_nss_api_guidelines` + Explains how the libraries and code are organized, and guidelines for developing code (naming + conventions, error handling, thread safety, etc.) + :ref:`mozilla_projects_nss_nss_tech_notes` + Links to NSS technical notes, which provide latest information about new NSS features and + supplementary documentation for advanced topics in programming with NSS. + + .. rubric:: Tools, testing, and other technical details + :name: Tools_testing_and_other_technical_details + + :ref:`mozilla_projects_nss_building` + Describe how to check out and build NSS releases. + + :ref:`mozilla_projects_nss_nss_developer_tutorial` + How to make changes in NSS. Coding style, maintaining ABI compatibility. + + :ref:`mozilla_projects_nss_tools` + Tools for developing, debugging, and managing applications that use NSS. + :ref:`mozilla_projects_nss_nss_sample_code` + Demonstrates how NSS can be used for cryptographic operations, certificate handling, SSL, etc. + :ref:`mozilla_projects_nss_nss_third-party_code` + A list of third-party code included in the NSS library. + `NSS 3.2 Test Suite `__ + **Archived version.** Describes how to run the standard NSS tests. + `NSS Performance Reports `__ + **Archived version.** Links to performance reports for NSS 3.2 and later releases. + `Encryption Technologies Available in NSS 3.11 `__ + **Archived version.** Lists the cryptographic algorithms used by NSS 3.11. + `NSS 3.1 Loadable Root Certificates `__ + **Archived version.** Describes the scheme for loading root CA certificates. + `cert7.db `__ + **Archived version.** General format of the cert7.db database. + + .. rubric:: PKCS #11 information + :name: PKCS_11_information + + - :ref:`mozilla_projects_nss_pkcs11` + - :ref:`mozilla_projects_nss_pkcs11_implement` + - :ref:`mozilla_projects_nss_pkcs11_module_specs` + - :ref:`mozilla_projects_nss_pkcs11_faq` + - `Using the JAR Installation Manager to Install a PKCS #11 Cryptographic + Module `__ + - `PKCS #11 Conformance Testing - Archived + version `__ + + .. rubric:: CA certificates pre-loaded into NSS + :name: CA_certificates_pre-loaded_into_NSS + + - `Mozilla CA certificate policy `__ + - `List of pre-loaded CA certificates `__ + + - Consumers of this list must consider the trust bit setting for each included root + certificate. `More + Information `__, `Extracting + roots and their trust bits `__ + + .. rubric:: NSS is built on top of Netscape Portable Runtime (NSPR) + :name: NSS_is_built_on_top_of_Netscape_Portable_Runtime_NSPR + + `Netscape Portable Runtime `__ + NSPR project page. + `NSPR Reference `__ + NSPR API documentation. + + .. rubric:: Additional Information + :name: Additional_Information + + - `Using the window.crypto object from + JavaScript `__ + - :ref:`mozilla_projects_nss_http_delegation` + - :ref:`mozilla_projects_nss_tls_cipher_suite_discovery` + - :ref:`mozilla_projects_nss_certificate_download_specification` + - :ref:`mozilla_projects_nss_fips_mode_-_an_explanation` + - :ref:`mozilla_projects_nss_key_log_format` + + .. rubric:: Planning + :name: Planning + + Information on NSS planning can be found at `wiki.mozilla.org `__, + including: + + - `FIPS Validation `__ + - `NSS Roadmap page `__ + - `NSS Improvement + Project `__ + +Community +~~~~~~~~~ + +- View Mozilla Security forums... + +- `Mailing list `__ +- `Newsgroup `__ +- `RSS feed `__ + +- View Mozilla Cryptography forums... + +- `Mailing list `__ +- `Newsgroup `__ +- `RSS feed `__ + + +Related Topics +~~~~~~~~~~~~~~ + +- `Security `__ + diff --git a/security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst b/security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst new file mode 100644 index 0000000000..b2010de17b --- /dev/null +++ b/security/nss/doc/rst/legacy/introduction_to_network_security_services/index.rst @@ -0,0 +1,162 @@ +.. _mozilla_projects_nss_introduction_to_network_security_services: + +Introduction to Network Security Services +========================================= + +.. container:: + + **Network Security Services (NSS)** is a set of libraries designed to support cross-platform + development of communications applications that support SSL, S/MIME, and other Internet security + standards. For a general overview of NSS and the standards it supports, see + :ref:`mozilla_projects_nss_overview`. + +.. _shared_libraries: + +`Shared libraries <#shared_libraries>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Network Security Services provides both static libraries and shared libraries. Applications that + use the shared libraries must use only the APIs that they export. Three shared libraries export + public functions: + + - The SSL library supports core SSL operations. + - The S/MIME library supports core S/MIME operations. + - The NSS library supports core crypto operations. + + We guarantee that applications using the exported APIs will remain compatible with future + versions of those libraries. For a complete list of public functions exported by these shared + libraries in NSS 3.2, see :ref:`mozilla_projects_nss_reference_nss_functions`. + + For information on which static libraries in NSS 3.1.1 are replaced by each of the above shared + libraries in NSS 3.2 , see `Migration from NSS + 3.1.1 `__. + + Figure 1, below, shows a simplified view of the relationships among the three shared libraries + listed above and NSPR, which provides low-level cross platform support for operations such as + threading and I/O. (Note that NSPR is a separate Mozilla project; see `Netscape Portable + Runtime `__ for details.) + + .. image:: /en-US/docs/Mozilla/Projects/NSS/Introduction_to_Network_Security_Services/nss.gif + :alt: Diagram showing the relationships among core NSS libraries and NSPR. + :width: 429px + :height: 196px + +.. _naming_conventions_and_special_libraries: + +`Naming conventions and special libraries <#naming_conventions_and_special_libraries>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Windows and Unix use different naming conventions for static and dynamic libraries: + + ======= ======== ================== + Windows Unix + static ``.lib`` ``.a`` + dynamic ``.dll`` ``.so`` or ``.sl`` + ======= ======== ================== + + In addition, Windows has "import" libraries that bind to dynamic libraries. So the NSS library + has the following forms: + + - ``libnss3.so`` - Unix shared library + - ``libnss3.sl`` - HP-UX shared library + - ``libnss.a`` - Unix static library + - ``nss3.dll`` - Windows shared library + - ``nss3.lib`` - Windows import library binding to ``nss3.dll`` + - ``nss.lib`` - Windows static library + + NSS, SSL, and S/MIME have all of the above forms. + + The following static libraries aren't included in any shared libraries + + - ``libcrmf.a``/``crmf.lib`` provides an API for CRMF operations. + - ``libjar.a``/``jar.lib`` provides an API for creating JAR files. + + The following static libraries are included only in external loadable PKCS #11 modules: + + - ``libnssckfw.a``/``nssckfw.lib`` provides an API for writing PKCS #11 modules. + - ``libswfci.a``/``swfci.lib`` provides support for software FORTEZZA. + + The following shared libraries are standalone loadable modules, not meant to be linked with + directly: + + - ``libfort.so``/``libfort.sl``/``fort32.dll`` provides support for hardware FORTEZZA. + - ``libswft.so``/``libswft.sl``/``swft32.dll`` provides support for software FORTEZZA. + - ``libnssckbi.so``/``libnssckbi.sl``/``nssckbi.dll`` defines the default set of trusted root + certificates. + +.. _support_for_ilp32: + +`Support for ILP32 <#support_for_ilp32>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + In NSS 3.2 and later versions, there are two new shared libraries for the platforms HP-UX for + PARisc CPUs and Solaris for (Ultra)Sparc (not x86) CPUs. These HP and Solaris platforms allow + programs that use the ILP32 program model to run on both 32-bit CPUs and 64-bit CPUs. The two + libraries exist to provide optimal performance on each of the two types of CPUs. + + These two extra shared libraries are not supplied on any other platforms. The names of these + libraries are platform-dependent, as shown in the following table. + + ================================== ============================ ============================ + Platform for 32-bit CPUs for 64-bit CPUs + Solaris/Sparc ``libfreebl_pure32_3.so`` ``libfreebl_hybrid_3.so`` + HPUX/PARisc ``libfreebl_pure32_3.sl`` ``libfreebl_hybrid_3.sl`` + AIX (planned for a future release) ``libfreebl_pure32_3_shr.a`` ``libfreebl_hybrid_3_shr.a`` + ================================== ============================ ============================ + + An application should not link against these libraries, because they are dynamically loaded by + NSS at run time. Linking the application against one or the other of these libraries may produce + an application program that can only run on one type of CPU (e.g. only on 64-bit CPUs, not on + 32-bit CPUs) or that doesn't use the more efficient 64-bit code on 64-bit CPUs, which defeats the + purpose of having these shared libraries. + + On platforms for which these shared libraries exist, NSS 3.2 will fail if these shared libs are + not present. So, an application must include these files in its distribution of NSS shared + libraries. These shared libraries should be installed in the same directory where the other NSS + shared libraries (such as ``libnss3.so``) are installed. Both shared libs should always be + installed whether the target system has a 32-bit CPU or a 64-bit CPU. NSS will pick the right one + for the local system at run time. + + Note that NSS 3.x is also available in the LP64 model for these platforms, but the LP64 model of + NSS 3.x does not have these two extra shared libraries. + +.. _what_you_should_already_know: + +`What you should already know <#what_you_should_already_know>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Before using NSS, you should be familiar with the following topics: + + - Concepts and techniques of public-key cryptography + - The Secure Sockets Layer (SSL) protocol + - The PKCS #11 standard for cryptographic token interfaces + - Cross-platform development issues and techniques + +.. _where_to_find_more_information: + +`Where to find more information <#where_to_find_more_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + For information about PKI and SSL that you should understand before using NSS, see the following: + + - `Introduction to Public-Key + Cryptography `__ + - `Introduction to + SSL `__ + + For links to API documentation, build instructions, and other useful information, see the + :ref:`mozilla_projects_nss`. + + As mentioned above, NSS is built on top of NSPR. The API documentation for NSPR is available at + `NSPR API + Reference `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst b/security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst new file mode 100644 index 0000000000..68c920c63b --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/4.3.1_release_notes/index.rst @@ -0,0 +1,174 @@ +.. _mozilla_projects_nss_jss_4_3_1_release_notes: + +4.3.1 Release Notes +=================== + +.. _release_date_2009-12-02: + +`Release Date: 2009-12-02 <#release_date_2009-12-02>`__ +------------------------------------------------------- + +.. container:: + +`Introduction <#introduction>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Network Security Services for Java (JSS) 4.3.1 is a minor release with the following new + features: + + - Support for SSL3 & TLS Renegotiation Vulnerability + - Support to explicitly set the key usage for the generated private key + + JSS 4.3.1 is `tri-licensed `__ under MPL 1.1/GPL 2.0/LGPL 2.1. + +.. _new_in_jss_4.3.1: + +`New in JSS 4.3.1 <#new_in_jss_4.3.1>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A list of bug fixes and enhancement requests were implemented in this release can be obtained by + running this `bugzilla + query `__ + + **JSS 4.3.1 requires :ref:`mozilla_projects_nss_3_12_5_release_notes` or higher.** + + .. rubric:: SSL3 & TLS Renegotiation Vulnerability + :name: ssl3_tls_renegotiation_vulnerability + + See `CVE-2009-3555 `__ and `US-CERT + VU#120541 `__ for more information about this security + vulnerability. + + All SSL/TLS renegotiation is disabled by default in NSS 3.12.5 and therefore will be disabled by + default with JSS 4.3.1. This will cause programs that attempt to perform renegotiation to + experience failures where they formerly experienced successes, and is necessary for them to not + be vulnerable, until such time as a new safe renegotiation scheme is standardized by the IETF. + + If an application depends on renegotiation feature, it can be enabled by setting the environment + variable NSS_SSL_ENABLE_RENEGOTIATION to 1. By setting this environmental variable, the fix + provided by these patches will have no effect and the application may become vulnerable to the + issue. + + This default setting can also be changed within the application by using the following JSS + methods: + + - SSLServerSocket.enableRenegotiation(int mode) + - SSLSocket.enableRenegotiation(int mode) + - SSLSocket.enableRenegotiationDefault(int mode) + + The mode of renegotiation that the peer must use can be set to the following: + + - SSLSocket.SSL_RENEGOTIATE_NEVER - Never renegotiate at all. (Default) + - SSLSocket.SSL_RENEGOTIATE_UNRESTRICTED - Renegotiate without + restriction, whether or not the peer's client hello bears the + renegotiation info extension (like we always did in the past). + - SSLSocket.SSL_RENEGOTIATE_REQUIRES_XTN - NOT YET IMPLEMENTED + + .. rubric:: Explicitly set the key usage for the generated private key + :name: explicitly_set_the_key_usage_for_the_generated_private_key + + | In PKCS #11, each keypair can be marked with the operations it will + | be used to perform. Some tokens require that a key be marked for + | an operation before the key can be used to perform that operation; + | other tokens don't care. NSS/JSS provides a way to specify a set of + | flags and a corresponding mask for these flags. + + - see generateECKeyPairWithOpFlags + - see generateRSAKeyPairWithOpFlags + - see generateDSAKeyPairWithOpFlags + + + +`Distribution Information <#distribution_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS is checked into ``mozilla/security/jss/``. + - The CVS tag for the JSS 4.3.1 release is ``JSS_4_3_1_RTM``. + - Source tarballs are available from + `ftp://ftp.mozilla.org/pub/mozilla.or...-4.3.1.tar.bz2 `__ + - Binary releases are no longer available on mozilla. JSS is a JNI library we provide the + jss4.jar but expect you to build the JSS's matching JNI shared library. We provide the + jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a + JCE provider and therefore the jss4.jar must be signed. + `ftp://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/JSS_4_3_1_RTM `__. + +`Documentation <#documentation>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Documentation for JSS 4.3.1 is available as follows: + + - `Build Instructions for JSS 4.3.1 `__ + - Javadoc `[online] `__ + `[zipped] `__ + - Read the instructions on `using JSS `__. + - Source may be viewed with a browser (via the MXR tool) at + http://mxr.mozilla.org/mozilla/source/security/jss/ + - The RUN TIME behavior of JSS can be affected by the + :ref:`mozilla_projects_nss_reference_nss_environment_variables`. + +.. _platform_information: + +`Platform Information <#platform_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - You can check out the source from CVS by + + .. note:: + + cvs co -r JSS_4_3_1_RTM JSS + + - JSS 4.3.1 works with JDK versions 4 or higher we suggest the latest. + + - JSS 4.3.1 requires :ref:`mozilla_projects_nss_3_12_5` or higher. + + - JSS 4.3.1 requires `NSPR 4.7.1 `__ or + higher. + + - JSS only supports the native threading model (no green threads). + +.. _known_bugs_and_issues: + +`Known Bugs and Issues <#known_bugs_and_issues>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - For a list of reported bugs that have not yet been fixed, `click + here. `__ + Note that some bugs may have been fixed since JSS 4.3.1 was released. + +`Compatibility <#compatibility>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 4.3.1 is backwards compatible with JSS 4.2. Applications compiled against JSS 4.2 will + work with JSS 4.3.1. + - The 4.3.1 version of libjss4.so/jss4.dll must only be used with jss4.jar. In general, a JSS + JAR file must be used with the JSS shared library from the exact same release. + - To obtain the version info from the jar file use, + "System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)" and to check the shared + library: strings libjss4.so \| grep -i header + +`Feedback <#feedback>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - Bugs discovered should be reported by filing a bug report with + `bugzilla `__. + - You can also give feedback directly to the developers on the Mozilla Cryptography forums... + + - `Mailing list `__ + - `Newsgroup `__ + - `RSS feed `__ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst b/security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst new file mode 100644 index 0000000000..7f65d1d4ed --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/4_3_releasenotes/index.rst @@ -0,0 +1,175 @@ +.. _mozilla_projects_nss_jss_4_3_releasenotes: + +4.3 Release Notes +================= + +.. _release_date_01_april_2009: + +`Release Date: 01 April 2009 <#release_date_01_april_2009>`__ +------------------------------------------------------------- + +.. container:: + +`Introduction <#introduction>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Network Security Services for Java (JSS) 4.3 is a minor release with the following new features: + + - SQLite-Based Shareable Certificate and Key Databases + - libpkix: an RFC 3280 Compliant Certificate Path Validation Library + - PKCS11 needsLogin method + - support HmacSHA256, HmacSHA384, and HmacSHA512 + - support for all NSS 3.12 initialization options + + JSS 4.3 is `tri-licensed `__ under MPL 1.1/GPL 2.0/LGPL 2.1. + +.. _new_in_jss_4.3: + +`New in JSS 4.3 <#new_in_jss_4.3>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + A list of bug fixes and enhancement requests were implemented in this release can be obtained by + running this `bugzilla + query `__ + + **JSS 4.3 requires**\ `NSS + 3.12 `__\ **or + higher.** + + - New `SQLite-Based Shareable Certificate and Key + Databases `__ by prepending the string "sql:" to the + directory path passed to configdir parameter for Crypomanager.initialize method or using the + NSS environment variable :ref:`mozilla_projects_nss_reference_nss_environment_variables`. + - Libpkix: an RFC 3280 Compliant Certificate Path Validation Library (see + `PKIXVerify `__) + - PK11Token.needsLogin method (see needsLogin) + - support HmacSHA256, HmacSHA384, and HmacSHA512 (see + `HMACTest.java `__) + - support for all NSS 3.12 initialization options (see InitializationValues) + - New SSL error codes (see https://mxr.mozilla.org/security/sour...util/SSLerrs.h) + + - SSL_ERROR_UNSUPPORTED_EXTENSION_ALERT + SSL_ERROR_CERTIFICATE_UNOBTAINABLE_ALERT + SSL_ERROR_UNRECOGNIZED_NAME_ALERT + SSL_ERROR_BAD_CERT_STATUS_RESPONSE_ALERT + SSL_ERROR_BAD_CERT_HASH_VALUE_ALERT + + - New TLS cipher suites (see https://mxr.mozilla.org/security/sour...SSLSocket.java): + + - TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA + TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA + TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA + + - Note: the following TLS cipher suites are declared but are not yet implemented: + + - TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA + TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA + TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA + TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA + TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA + TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA + TLS_ECDH_anon_WITH_NULL_SHA + TLS_ECDH_anon_WITH_RC4_128_SHA + TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA + TLS_ECDH_anon_WITH_AES_128_CBC_SHA + TLS_ECDH_anon_WITH_AES_256_CBC_SHA + + + +`Distribution Information <#distribution_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS is checked into ``mozilla/security/jss/``. + - The CVS tag for the JSS 4.3 release is ``JSS_4_3_RTM``. + - Source tarballs are available from + https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/src/jss-4.3.tar.bz2 + - Binary releases are no longer available on mozilla. JSS is a JNI library we provide the + jss4.jar but expect you to build the JSS's matching JNI shared library. We provide the + jss4.jar in case you do not want to obtain your own JCE code signing certificate. JSS is a + JCE provider and therefore the jss4.jar must be signed. + https://archive.mozilla.org/pub/security/jss/releases/JSS_4_3_RTM/ + + -------------- + +`Documentation <#documentation>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Documentation for JSS 4.3 is available as follows: + + - `Build Instructions for JSS 4.3 `__ + - Javadoc `[online] `__ + `[zipped] `__ + - Read the instructions on `using JSS `__. + - Source may be viewed with a browser (via the MXR tool) at + http://mxr.mozilla.org/mozilla/source/security/jss/ + - The RUN TIME behavior of JSS can be affected by the + :ref:`mozilla_projects_nss_reference_nss_environment_variables`. + +.. _platform_information: + +`Platform Information <#platform_information>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 4.3 works with JDK versions 4 or higher we suggest the latest. + - JSS 4.3 requires `NSS + 3.12 `__ + or higher. + - JSS 4.3 requires `NSPR 4.7.1 `__ or + higher. + - JSS only supports the native threading model (no green threads). + + -------------- + +.. _known_bugs_and_issues: + +`Known Bugs and Issues <#known_bugs_and_issues>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - For a list of reported bugs that have not yet been fixed, `click + here. `__ + Note that some bugs may have been fixed since JSS 4.3 was released. + + -------------- + +`Compatibility <#compatibility>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 4.3 is backwards compatible with JSS 4.2. Applications compiled against JSS 4.2 will work + with JSS 4.3. + - The 4.3 version of libjss4.so/jss4.dll must only be used with jss4.jar. In general, a JSS JAR + file must be used with the JSS shared library from the exact same release. + - To obtain the version info from the jar file use, + "System.out.println(org.mozilla.jss.CryptoManager.JAR_JSS_VERSION)" and to check the shared + library: strings libjss4.so \| grep -i header + + -------------- + +`Feedback <#feedback>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - Bugs discovered should be reported by filing a bug report with + `bugzilla `__. + - You can also give feedback directly to the developers on the Mozilla Cryptography forums... + + - `Mailing list `__ + - `Newsgroup `__ + - `RSS feed `__ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst new file mode 100644 index 0000000000..a864a452ee --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.3.x/index.rst @@ -0,0 +1,99 @@ +.. _mozilla_projects_nss_jss_build_instructions_for_jss_4_3_x: + +Build instructions for JSS 4.3.x +================================ + +.. _build_instructions_for_jss_4.3.x: + +`Build Instructions for JSS 4.3.x <#build_instructions_for_jss_4.3.x>`__ +------------------------------------------------------------------------ + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + + Before building JSS, you need to set up your system as follows: + + #. Build NSPR/NSS by following the + :ref:`mozilla_projects_nss_reference_building_and_installing_nss_build_instructions`, + #. To check that NSS built correctly, run ``all.sh`` (in ``mozilla/security/nss/tests``) and + examine the results (in + ``mozilla/test_results/security/``\ *computername*.#\ ``/results.html``. + #. Install a Java compiler and runtime. JSS supports Java version 1.5 or later. We suggest you + use the latest. + #. You must have Perl version 5.005 or later. + + Now you are ready to build JSS. Follow these steps: + + #. Switch to the appropriate directory and check out JSS from the root of your source tree. + + .. code:: + + cvs co -r JSS_4_3_1_RTM mozilla/security/jss + + or + + .. code:: + + cvs co -r JSS_4_3_RTM mozilla/security/jss + + #. Setup environment variables needed for compiling Java source. The ``JAVA_HOME`` variable + indicates the directory containing your Java SDK installation. Note, on Windows platforms it + is best to have JAVA_HOME set to a directory path that doest not have spaces. + + **Unix** + + .. code:: + + setenv JAVA_HOME /usr/local/jdk1.5.0 (or wherever your JDK is installed) + + **Windows** + + .. code:: + + set JAVA_HOME=c:\programs\jdk1.5.0 (or wherever your JDK is installed) + + **Windows (Cygnus)** + + .. code:: + + JAVA_HOME=/cygdrive/c/programs/jdk1.5.0 (or wherever your JDK is installed) + export JAVA_HOME + + | **Windows build Configurations WINNT vs WIN95** + + .. code:: + + As of NSS 3.15.4, NSPR/NSS/JSS build generates a "WIN95" configuration by default on Windows. + We recommend most applications use the "WIN95" configuration. If you want JSS to be used + with your applet and the Firefox browser than you must build WIN95. (See JSS FAQ) + The "WIN95" configuration supports all versions of Windows. The "WIN95" name is historical; + it should have been named "WIN32". + To generate a "WINNT" configuration, set OS_TARGET=WINNT and build NSPR/NSS/JSS WIN95. + + | Mac OS X + | It has been recently reported that special build instructions are necessary to succeed + building JSS on OSX. Please + see `HOWTO_successfully_compile_JSS_and_NSS_for_32_and_64_bits_on_OSX_10.6_(10.6.7) `__ + for contributed instructions. + | + + #. Build JSS. + + .. code:: + + cd mozilla/security/jss + gmake + + #. Sign the JSS jar. + + .. code:: + + If you're intention is to modify and build the JSS source you + need to Apply for your own JCE code-signing certificate + + If you made no changes and your goal is to build JSS you can use the + signed binary release of the jss4.jar from ftp.mozilla.org. + with your built jss4 JNI shared library. + + Next, you should read the instructions on `using JSS `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst new file mode 100644 index 0000000000..bdbea81953 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/build_instructions_for_jss_4.4.x/index.rst @@ -0,0 +1,19 @@ +.. _mozilla_projects_nss_jss_build_instructions_for_jss_4_4_x: + +Build instructions for JSS 4.4.x +================================ + +.. _build_instructions_for_jss_4.4.x: + +`Build Instructions for JSS 4.4.x <#build_instructions_for_jss_4.4.x>`__ +------------------------------------------------------------------------ + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + + To build JSS see `Upstream JSS Build/Test + Instructions `__ + + `Next, you should read the instructions + on `__ `using JSS `__. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/index.rst b/security/nss/doc/rst/legacy/jss/index.rst new file mode 100644 index 0000000000..c09374dbc6 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/index.rst @@ -0,0 +1,165 @@ +.. _mozilla_projects_nss_jss: + +JSS +=== + +`Documentation <#documentation>`__ +---------------------------------- + +.. container:: + + .. warning:: + + **The JSS project has been relocated!** + + As of April 6, 2018, JSS has been migrated from Mercurial on Mozilla to Git on Github. + + JSS source should now be checked out from the Github: + + - git clone git@github.com:dogtagpki/jss.git + -- OR -- + - git clone https://github.com/dogtagpki/jss.git + + All future upstream enquiries to JSS should now use the Pagure Issue Tracker system: + + - https://pagure.io/jss/issues + + Documentation regarding the JSS project should now be viewed at: + + - http://www.dogtagpki.org/wiki/JSS + + **NOTE: As much of the JSS documentation is sorely out-of-date, updated information will be a + work in progress, and many portions of any legacy documentation will be re-written over the + course of time. Stay tuned!** + + Legacy JSS information can still be found at: + + - SOURCE: https://hg.mozilla.org/projects/jss + - ISSUES: https://bugzilla.mozilla.org/buglist.cgi?product=JSS + - WIKI: :ref:`mozilla_projects_nss_jss` + + Network Security Services for Java (JSS) is a Java interface to + `NSS `__. JSS supports most of the security + standards and encryption technologies supported by :ref:`mozilla_projects_nss_reference`. JSS + also provides a pure Java interface for ASN.1 types and BER/DER encoding. + + JSS offers a implementation of Java SSL sockets that uses NSS's SSL/TLS implementation rather + than Sun's JSSE implementation. You might want to use JSS's own `SSL + classes `__ if you want to use some + of the capabilities found in NSS's SSL/TLS library but not found in JSSE. + + NSS is the cryptographic module where all cryptographic operations are performed. JSS essentially + provides a Java JNI bridge to NSS C shared libraries. When NSS is put in FIPS mode, JSS ensures + FIPS compliance by ensuring that all cryptographic operations are performed by the NSS + cryptographic module. + + JSS offers a JCE provider, `"Mozilla-JSS" JCA Provider notes `__. + + JSS, jss4.jar, is still built with JDK 1.4.2. While JDK 1.4.2 is EOL'd and all new product + development should be using the latest + `JavaSE `__, legacy business products that must + use JDK 1.4 or 1.5 can continue to add NSS/JSS security fixes/enhancements. + + JSS is used by Red Hat and Sun products that do crypto in Java. JSS is available under the + Mozilla Public License, the GNU General Public License, and the GNU Lesser General Public + License. JSS requires `NSPR `__ and + `NSS `__. + + Java provides a JCE provider called SunPKCS11 (see `Java PKCS#11 Reference + Guide `__.) SunPKCS11 + can be configured to use the NSS module as the crytographic provider. If you are planning to just + use JSS JCE provider as a bridge to NSS's FIPS validated PKCS#11 module, then the SunPKCS11 JCE + provider may do all that you need. Note that Java 1.5 claimed no FIPS compliance, and `Java + 1.6 `__ or higher + needs to be used. A current limitation to the configured SunPKCS11-NSS bridge configuration is if + you add a PKCS#11 module to the NSS database such as for a smartcard, you won't be able to access + that smartcard through the SunPKCS11-NSS bridge. If you use JSS, you can easily get lists of + modules and tokens that are configured in the NSS DB and freely access all of it. + + +-------------------------------------------------+-------------------------------------------------+ + | Before you use JSS, you should have a good | .. rubric:: Community | + | understanding of the crypto technologies it | :name: Community | + | uses. You might want to read these documents: | | + | | - View Mozilla Cryptography forums... | + | - `Introduction to Public-Key | | + | Crypt | - `Mailing | + | ography `__. | /lists.mozilla.org/listinfo/dev-tech-crypto>`__ | + | Explains the basic concepts of public-key | - `Newsgroup `__ | + | - `Introduction to | - `RSS | + | SSL `__. | gle.com/group/mozilla.dev.tech.crypto/feeds>`__ | + | Introduces the SSL protocol, including | | + | information about cryptographic ciphers | .. rubric:: Related Topics | + | supported by SSL and the steps involved in | :name: Related_Topics | + | the SSL handshake. | | + | | - `Security `__ | + | see `NSS sources building | | + | testing `__\ `. `__ | | + | | | + | Read `Using JSS `__ to get you | | + | started with development after you've built and | | + | downloaded it. | | + | | | + | .. rubric:: Release Notes | | + | :name: Release_Notes | | + | | | + | - `4.3.1 Release | | + | Notes `__ | | + | - `4.3 Release | | + | Notes `__ | | + | - `Older Release | | + | Notes `__ | | + | | | + | .. rubric:: Build Instructions | | + | :name: Build_Instructions | | + | | | + | - :re | | + | f:`mozilla_projects_nss_jss_build_instructions_ | | + | for_jss_4_4_x#build_instructions_for_jss_4_4_x` | | + | - `Building JSS | | + | 4.3.x `__ | | + | - `Older Build | | + | Instructions `__ | | + | | | + | .. rubric:: Download or View Source | | + | :name: Download_or_View_Source | | + | | | + | - `Download binaries, source, and | | + | javadoc `__ | | + | - `View the source | | + | online `__ | | + | | | + | .. rubric:: Testing | | + | :name: Testing | | + | | | + | - `JSS | | + | tests `__ | | + | | | + | .. rubric:: Frequently Asked Questions | | + | :name: Frequently_Asked_Questions | | + | | | + | - `JSS FAQ `__ | | + | | | + | Information on JSS planning can be found at | | + | `wik | | + | i.mozilla.org `__, | | + | including: | | + | | | + | - `NSS FIPS | | + | Validati | | + | on `__ | | + | - `NSS Roadmap | | + | | | + | page `__ | | + +-------------------------------------------------+-------------------------------------------------+ \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/jss_faq/index.rst b/security/nss/doc/rst/legacy/jss/jss_faq/index.rst new file mode 100644 index 0000000000..d419586452 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/jss_faq/index.rst @@ -0,0 +1,217 @@ +.. _mozilla_projects_nss_jss_jss_faq: + +JSS FAQ +======= + +.. _jss_frequently_asked_questions: + +`JSS Frequently Asked Questions <#jss_frequently_asked_questions>`__ +-------------------------------------------------------------------- + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + + **Content:** + + - `What versions of JDK and JCE do you suggest? <#jdkjce1>`__ + - `Does JSS have 64 bit support? <#64bit>`__ + - `Is JSS FIPS Compliant? <#fips>`__ + - `Is there any sample code and documentation? <#sample>`__ + - `If I don't call setCipherPolicy, is the DOMESTIC policy used by + default? <#setcipherpolicy>`__ + - `My SSL connection is hanging on Windows? <#ssl_hanging>`__ + - `How can I tell which SSL/TLS ciphers JSS supports? <#ssltls_cipher>`__ + - `How can I debug my SSL connection? <#ssl_debug>`__ + - `Can you explain JSS SSL certificate approval callbacks? <#ssl_callback>`__ + - `Can I have multiple JSS instances reading separate db's? <#jss_instance>`__ + - `Once JSS initialized, I can't get anymore instances with + CertificateFactory.getInstance(X.509)? <#jss_init>`__ + - `Is it possible to sign data in Java with JSS? <#sign_date>`__ + - `How do I convert org.mozilla.jss.crypto.X509Certificate to + org.mozilla.jss.pkix.cert.Certificate? <#convertx509>`__ + - `How do I convert org.mozilla.jss.pkix.cert to + org.mozilla.jss.crypto.X509Certificate? <#convertpkix>`__ + - `Is it possible to use JSS to access cipher functionality from pkcs11 modules? <#pkc11>`__ + - `Can you explain token names and keys with regards to JSS? <#token_name>`__ + - `JSS 3.2 has JCA support. When will JSS have JSSE support? <#jssjsse>`__ + + **What versions of JDK and JRE do you suggest?** + + - JSS 3.x works with JDK versions 1.2 or higher, except version 1.3.0. Most attention for future + development and bug fixing will go to JDK 1.4 and later, so use that if you can. If you are + using JDK 1.3.x, you will need to use at least version 1.3.1--see `bug + 113808 `__. JSS only supports the native + threading model (no green threads). For JSS 3.2 and higher, if you use JDK 1.4 or higher you + will not need to install the JCE, but if you using an earlier version of the JDK then you will + also have to install JCE 1.2.1. See also the document `Using JSS `__. + + **Does JSS have 64 bit support?** + + - Yes, JSS 3.2 and higher supports 64 bit. You will need JDK 1.4 or higher and all the 64 bit + versions of NSPR, and NSS. As well you must use the java flag -d64 to specify the 64-bit data + model. + + **Is JSS FIPS Compliant?** + + - NSS is a FIPS-certified software library. JSS is considered a FIPS-compliant software library + since it only uses NSS for any and all crypto routines. + + **Is there any sample code and documentation?** + + - The `Using JSS `__ document describes how to set up your environment to run JSS. + The only other documentation is the + `Javadoc `__. + + JSS example code is essentially developer test code; with that understanding, the best + directory to look for sample code is in the org/mozilla/jss/tests directory: + + http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/tests + + | `org/mozilla/jss/tests/CloseDBs.java `__ + | `org/mozilla/jss/tests/KeyFactoryTest.java `__ + | `org/mozilla/jss/tests/DigestTest.java `__ + | `org/mozilla/jss/tests/JCASigTest.java `__ + | `org/mozilla/jss/tests/KeyWrapping.java `__ + | `org/mozilla/jss/tests/ListCerts.java `__ + | `org/mozilla/jss/tests/PK10Gen.java `__ + | `org/mozilla/jss/tests/SDR.java `__ + | `org/mozilla/jss/tests/SelfTest.java `__ + | `org/mozilla/jss/tests/SetupDBs.java `__ + | `org/mozilla/jss/tests/SigTest.java `__ + | `org/mozilla/jss/tests/SymKeyGen.java `__ + | `org/mozilla/jss/tests/TestKeyGen.java `__ + | `org/mozilla/jss/tests/SSLClientAuth.java `__ + | `org/mozilla/jss/tests/ListCACerts.java `__ + | `org/mozilla/jss/tests/KeyStoreTest.java `__ + | `org/mozilla/jss/tests/VerifyCert.java `__ + + SSL examples: + + | `org/mozilla/jss/tests/SSLClientAuth.java `__ + | `org/mozilla/jss/ssl/SSLClient.java `__ + | `org/mozilla/jss/ssl/SSLServer.java `__ + | `org/mozilla/jss/ssl/SSLTest.java `__ + + Other test code that may prove useful: + + | `org/mozilla/jss/asn1/INTEGER.java `__ + | `org/mozilla/jss/asn1/SEQUENCE.java `__ + | `org/mozilla/jss/asn1/SET.java `__ + | `org/mozilla/jss/pkcs10/CertificationRequest.java `__ + | `org/mozilla/jss/pkcs12/PFX.java `__ + | `org/mozilla/jss/pkix/cert/Certificate.java `__ + | `org/mozilla/jss/pkix/cmmf/CertRepContent.java `__ + | `org/mozilla/jss/pkix/crmf/CertReqMsg.java `__ + | `org/mozilla/jss/pkix/crmf/CertTemplate.java `__ + | `org/mozilla/jss/pkix/primitive/Name.java `__ + | `org/mozilla/jss/provider/javax/crypto/JSSSecretKeyFactorySpi.java `__ + | `org/mozilla/jss/util/UTF8Converter.java `__ + | `org/mozilla/jss/util/Base64InputStream.java `__ + | `jss/samples/PQGGen.java `__ + | `jss/samples/pkcs12.java `__ + + **If I don't call setCipherPolicy, is the DOMESTIC policy used by default?** + + - Yes, domestic is the default because we call NSS_SetDomesticPolicy() during + CryptoManager.initialize(). setCipherPolicy does not need to be called by a JSS app unless + that app wants to limit itself to export-allowed cipher suites. + + **My SSL connection is hanging on Windows?** + + - NSPR makes use of NT vs. Windows distinction and provides different NT and Windows builds. + Many Netscape products, including NSS, have NT and Windows builds that are essentially the + same except one difference: one is linked with the NT version of NSPR and the other is linked + with the Windows version of NSPR. The NT fiber problem affects applications that call blocking + system calls from the primordial thread. Either use the WIN 95 version of NSPR/NSS/JSS + components (essentially all non-fiber builds) or set the environment variable + NSPR_NATIVE_THREADS_ONLY=1. You can find more information in bugzilla bug + `102251 `__ SSL session cache locking + issue with NT fibers + + **How can I tell which SSL/TLS ciphers JSS supports?** + + - Check + http://lxr.mozilla.org/mozilla/source/security/jss/org/mozilla/jss/ssl/SSLSocket.java#730 + + **How can I debug my SSL connection?** + + - By using the NSS tool :ref:`mozilla_projects_nss_tools_ssltap` + + **Can you explain JSS SSL certificate approval callbacks?** + + - NSS has three callbacks related to certificates. JSS has two. But JSS combines two of the NSS + callbacks into one. + + - NSS's three SSL cert callbacks are: + + #. SSL_AuthCertificateHook sets a callback to authenticate the peer's certificate. It is + called instead of NSS's routine for authenticating certificates. + #. SSL_BadCertHook sets a callback that is called when NSS's routine fails to authenticate the + certificate. + #. SSL_GetClientAuthDataHook sets a callback to return the local certificate for SSL client + auth. + + JSS's two callbacks are: + + #. SSLCertificateApprovalCallback is a combination of SSL_AuthCertificateHook and + SSL_BadCertHook. It runs NSS's cert authentication check, then calls the callback + regardless of whether the cert passed or failed. The callback is told whether the cert + passed, and then can do anything extra that it wants to do before making a final decision. + #. SSLClientCertificateSelectionCallback is analogous to SSL_GetClientAuthDataHook. + + | + | **Can I have multiple JSS instances reading separate db's?** + + - No, you can only have one initialized instance of JSS for each database. + + **Once JSS initialized, I can't get anymore instances with + CertificateFactory.getInstance("X.509")?** + + - In version previous to JSS 3.1, JSS removes the default SUN provider on startup. Upgrade to + the latest JSS, or, in the ``CryptoManager.InitializationValues`` object you pass to + ``CryptoManager.initialize()``, set ``removeSunProivider=true``. + + **Is it possible to sign data in Java with JSS? What I am trying to do is write a Java applet + that will access the Netscape certificate store, retrieve a X509 certificate and then sign some + data.** + + - The best way to do this is with the PKCS #7 signedData type. Check out the + `javadoc `__. + + **How do I convert org.mozilla.jss.crypto.X509Certificate to + org.mozilla.jss.pkix.cert.Certificate?** + + - .. code:: + + import java.io.ByteArrayInputStream; + + [...] + + Certificate cert = (Certificate) ASN1Util.decode( + Certificate.getTemplate(),x509Cert.getEncoded() ); + + **How do I convert org.mozilla.jss.pkix.cert to org.mozilla.jss.crypto.X509Certificate?** + + - `Cryptomanager.importCertPackage() `__ + + **Is it possible to use JSS to acces cipher functionality from pkcs11 modules?** + + - Yes. Before JSS 3.2 you would use CryptoManager to obtain the CryptoToken you want to use, + then call CryptoToken.getCipherContext() to get an encryption engine. But as of JSS 3.2 you + would use the `JSS JCA provider `__. + + **Can you explain token names and keys with regards to JSS?** + + - The token name is different depending on which application you are running. In JSS, the token + is called "Internal Key Storage Token". You can look it up by name using + CryptoManager.getTokenByName(), but a better way is to call + CryptoManager.getInternalKeyStorageToken(), which works no matter what the token is named. In + general, a key is a handle to an underlying object on a PKCS #11 token, not merely a Java + object residing in memory. Symmetric Key usage: basically encrypt/decrypt is for data and + wrap/unwrap is for keys. + + J\ **SS 3.2 has JCA support. When will JSS have JSSE support?** + + - Not in the near future due to pluggability is disabled in the JSSE version included in J2SE + 1.4.x for export control reasons. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst b/security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst new file mode 100644 index 0000000000..9db0654c2c --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/jss_provider_notes/index.rst @@ -0,0 +1,489 @@ +.. _mozilla_projects_nss_jss_jss_provider_notes: + +JSS Provider Notes +================== + +.. container:: + + .. warning:: + + This page has been moved to http://www.dogtagpki.org/wiki/JSS_Provider. + +.. _the_mozilla-jss_jca_provider: + +`The Mozilla-JSS JCA Provider <#the_mozilla-jss_jca_provider>`__ +---------------------------------------------------------------- + +.. container:: + + Newsgroup: `mozilla.dev.tech.crypto `__ + +`Overview <#overview>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This document describes the JCA Provider shipped with JSS. The provider's name is "Mozilla-JSS". + It implements cryptographic operations in native code using the `NSS <../nss>`__ libraries. + +`Contents <#contents>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Signed JAR file <#signed-jar>`__ + - `Installing the Provider <#installing-provider>`__ + - `Specifying the CryptoToken <#specifying-token>`__ + - `Supported Classes <#supported-classes>`__ + - `What's Not Supported <#not-supported>`__ + + -------------- + +.. _signed_jar_file: + +`Signed JAR file <#signed_jar_file>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - JSS 3.2 implements several JCE (Java Cryptography Extension) algorithms. These algorithms have + at various times been export-controlled by the US government. Sun therefore requires that JAR + files implementing JCE algorithms be digitally signed by an approved organization. Netscape + has this approval and signs the official builds of ``jss32.jar``. At runtime, the JRE + automatically verifies this signature whenever a JSS class is loaded that implements a JCE + algorithm. The verification is transparent to the application (unless it fails and throws an + exception). If you are curious, you can verify the signature on the JAR file using the + ``jarsigner`` tool, which is distributed with the JDK. + + If you build JSS yourself from source instead of using binaries downloaded from mozilla.org, + your JAR file will not have a valid signature. This means you will not be able to use the JSS + provider for JCE algorithms. You have two choices. + + #. Use the binary release of JSS from mozilla.org. + #. Apply for your own JCE code-signing certificate following the procedure at `How to + Implement a Provider for the Java\ TM Cryptography + Extension `__. + Then you can sign your own JSS JAR file. + +.. _installing_the_provider: + +`Installing the Provider <#installing_the_provider>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - In order to use any part of JSS, including the JCA provider, you must first call + ``CryptoManager.initialize()``. By default, the JCA provider will be installed in the list of + providers maintained by the ``java.security.Security`` class. If you do not wish the provider + to be installed, create a + :ref:`mozilla_projects_nss_jss_cryptomanager_cryptomanager_initializationvalues` object, set + its ``installJSSProvider`` field to ``false``, and pass the ``InitializationValues`` object to + ``CryptoManager.initialize()``. + +.. _specifying_the_cryptotoken: + +`Specifying the CryptoToken <#specifying_the_cryptotoken>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - All cryptographic operations in JSS and NSS occur on a particular PKCS #11 token, implemented + in software or hardware. There is no clean way to specify this token through the JCA API. By + default, the JSS provider carries out all operations except MessageDigest on the Internal Key + Storage Token, a software token included in JSS/NSS. MessageDigest operations take place by + default on the Internal Crypto Token, another internal software token in JSS/NSS. There is no + good design reason for this difference, but it is necessitated by a quirk in the NSS + implementation. + + In order to use a different token, use ``CryptoManager.setThreadToken()``. This sets the token + to be used by the JSS JCA provider in the current thread. When you call ``getInstance()`` on a + JCA class, the JSS provider checks the current per-thread default token (by calling + ``CryptoManager.getThreadToken()``) and instructs the new object to use that token for + cryptographic operations. The per-thread default token setting is only consulted inside + ``getInstance()``. Once a JCA object has been created it will continue to use the same token, + even if the application later changes the per-thread default token. + + Whenever a new thread is created, its token is initialized to the default, the Internal Key + Storage Token. Thus, the thread token is not inherited from the parent thread. + + The following example shows how you can specify which token is used for various JCA + operations: + + .. code:: + + // Lookup PKCS #11 tokens + CryptoManager manager = CryptoManager.getInstance(); + CryptoToken tokenA = manager.getTokenByName("TokenA"); + CryptoToken tokenB = manager.getTokenByName("TokenB"); + + // Create an RSA KeyPairGenerator using TokenA + manager.setThreadToken(tokenA); + KeyPairGenerator rsaKpg = KeyPairGenerator.getInstance("RSA", "Mozilla-JSS"); + + // Create a DSA KeyPairGenerator using TokenB + manager.setThreadToken(tokenB); + KeyPairGenerator dsaKpg = KeyPairGenerator.getInstance("DSA", "Mozilla-JSS"); + + // Generate an RSA KeyPair. This will happen on TokenA because TokenA + // was the per-thread default token when rsaKpg was created. + rsaKpg.initialize(1024); + KeyPair rsaPair = rsaKpg.generateKeyPair(); + + // Generate a DSA KeyPair. This will happen on TokenB because TokenB + // was the per-thread default token when dsaKpg was created. + dsaKpg.initialize(1024); + KeyPair dsaPair = dsaKpg.generateKeyPair(); + +.. _supported_classes: + +`Supported Classes <#supported_classes>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Cipher <#cipher>`__ + + - `DSAPrivateKey <#dsaprivatekey>`__ + + - DSAPublicKey + + - `KeyFactory <#keyfactory>`__ + + - `KeyGenerator <#keygenerator>`__ + + - `KeyPairGenerator <#keypairgenerator>`__ + + - `Mac <#mac>`__ + + - `MessageDigest <#messagedigest>`__ + + - `RSAPrivateKey <#rsaprivatekey>`__ + + - RSAPublicKey + + - `SecretKeyFactory <#secretkeyfactory>`__ + + - `SecretKey <#secretkey>`__ + + - `SecureRandom <#securerandom>`__ + + - `Signature <#signature>`__ + + .. rubric:: What's Not Supported + :name: What's_Not_Supported + + - The following classes don't work very well: + + - **KeyStore:** There are many serious problems mapping the JCA keystore interface onto + NSS's model of PKCS #11 modules. The current implementation is almost useless. Since + these problems lie deep in the NSS design and implementation, there is no clear + timeframe for fixing them. Meanwhile, the ``org.mozilla.jss.crypto.CryptoStore`` class + can be used for some of this functionality. + +.. rubric:: Cipher + :name: Cipher_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms + +.. rubric:: Notes + :name: notes + +- + + - AES + - DES + - DESede (*DES3* ) + - RC2 + - RC4 + - RSA + + - The following modes and padding schemes are supported: + + + +------------------------------+------------------------------+------------------------------+ + | Algorithm | Mode | Padding | + +------------------------------+------------------------------+------------------------------+ + | DES | ECB | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5 Padding | + +------------------------------+------------------------------+------------------------------+ + | DESede | ECB | NoPadding | + | *DES3* | | | + +------------------------------+------------------------------+------------------------------+ + | | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5 Padding | + +------------------------------+------------------------------+------------------------------+ + | AES | ECB | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5 Padding | + +------------------------------+------------------------------+------------------------------+ + | RC4 | *None* | *None* | + +------------------------------+------------------------------+------------------------------+ + | RC2 | CBC | NoPadding | + +------------------------------+------------------------------+------------------------------+ + | | | PKCS5Padding | + +------------------------------+------------------------------+------------------------------+ + + - The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because + NSS does not support specifying an external source of randomness. + +.. rubric:: DSAPrivateKey + :name: DSAPrivateKey_2 + +- ``getX()`` is not supported because NSS does not support extracting data from private keys. + +.. rubric:: KeyFactory + :name: KeyFactory_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_2 + +.. rubric:: Notes + :name: notes_2 + +- + + - DSA + - RSA + + - The following transformations are supported for ``generatePublic()`` and + ``generatePrivate()``: + + + +----------------------------------------------+----------------------------------------------+ + | From | To | + +----------------------------------------------+----------------------------------------------+ + | ``RSAPublicKeySpec`` | ``RSAPublicKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``DSAPublicKeySpec`` | ``DSAPublicKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``X509EncodedKeySpec`` | ``RSAPublicKey`` | + | | ``DSAPublicKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``RSAPrivateCrtKeySpec`` | ``RSAPrivateKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``DSAPrivateKeySpec`` | ``DSAPrivateKey`` | + +----------------------------------------------+----------------------------------------------+ + | ``PKCS8EncodedKeySpec`` | ``RSAPrivateKey`` | + | | ``DSAPrivateKey`` | + +----------------------------------------------+----------------------------------------------+ + + - ``getKeySpec()`` is not supported. This method exports key material in plaintext and is + therefore insecure. Note that a public key's data can be accessed directly from the key. + - ``translateKey()`` simply gets the encoded form of the given key and then tries to import + it by calling ``generatePublic()`` or ``generatePrivate()``. Only ``X509EncodedKeySpec`` is + supported for public keys, and only ``PKCS8EncodedKeySpec`` is supported for private keys. + +.. rubric:: KeyGenerator + :name: KeyGenerator_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_3 + +.. rubric:: Notes + :name: notes_3 + +- + + - AES + - DES + - DESede (*DES3* ) + - RC4 + + - The SecureRandom argument passed to ``init()`` is ignored, because NSS does not support + specifying an external source of randomness. + - None of the key generation algorithms accepts an ``AlgorithmParameterSpec``. + +.. rubric:: KeyPairGenerator + :name: KeyPairGenerator_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_4 + +.. rubric:: Notes + :name: notes_4 + +- + + - DSA + - RSA + + - The SecureRandom argument passed to initialize() is ignored, because NSS does not support + specifying an external source of randomness. + +.. rubric:: Mac + :name: Mac_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_5 + +.. rubric:: Notes + :name: notes_5 + +- + + - HmacSHA1 (*Hmac-SHA1* ) + + - Any secret key type (AES, DES, etc.) can be used as the MAC key, but it must be a JSS key. + That is, it must be an ``instanceof org.mozilla.jss.crypto.SecretKeyFacade``. + - The params passed to ``init()`` are ignored. + +.. rubric:: MessageDigest + :name: MessageDigest_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_6 + +- + + - MD5 + - MD2 + - SHA-1 (*SHA1, SHA* ) + +.. rubric:: RSAPrivateKey + :name: RSAPrivateKey_2 + +.. rubric:: Notes + :name: notes_6 + +- + + - ``getModulus()`` is not supported because NSS does not support extracting data from private + keys. + - ``getPrivateExponent()`` is not supported because NSS does not support extracting data from + private keys. + +.. rubric:: SecretKeyFactory + :name: SecretKeyFactory_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_7 + +.. rubric:: Notes + :name: notes_7 + +- + + - AES + - DES + - DESede (*DES3* ) + - PBAHmacSHA1 + - PBEWithMD5AndDES + - PBEWithSHA1AndDES + - PBEWithSHA1AndDESede (*PBEWithSHA1AndDES3* ) + - PBEWithSHA1And128RC4 + - RC4 + + - ``generateSecret`` supports the following transformations: + + + +----------------------------------------------+----------------------------------------------+ + | KeySpec Class | Key Algorithm | + +----------------------------------------------+----------------------------------------------+ + | PBEKeySpec | *Using the appropriate PBE algorithm:* | + | org.mozilla.jss.crypto.PBEKeyGenParams | DES | + | | DESede | + | | RC4 | + +----------------------------------------------+----------------------------------------------+ + | DESedeKeySpec | DESede | + +----------------------------------------------+----------------------------------------------+ + | DESKeySpec | DES | + +----------------------------------------------+----------------------------------------------+ + | SecretKeySpec | AES | + | | DES | + | | DESede | + | | RC4 | + +----------------------------------------------+----------------------------------------------+ + + - ``getKeySpec`` supports the following transformations: + + + +----------------------------------------------+----------------------------------------------+ + | Key Algorithm | KeySpec Class | + +----------------------------------------------+----------------------------------------------+ + | DESede | DESedeKeySpec | + +----------------------------------------------+----------------------------------------------+ + | DES | DESKeySpec | + +----------------------------------------------+----------------------------------------------+ + | DESede | SecretKeySpec | + | DES | | + | AES | | + | RC4 | | + +----------------------------------------------+----------------------------------------------+ + + - For increased security, some SecretKeys may not be extractable from their PKCS #11 token. + In this case, the key should be wrapped (encrypted with another key), and then the + encrypted key might be extractable from the token. This policy varies across PKCS #11 + tokens. + - ``translateKey`` tries two approaches to copying keys. First, it tries to copy the key + material directly using NSS calls to PKCS #11. If that fails, it calls ``getEncoded()`` on + the source key, and then tries to create a new key on the target token from the encoded + bits. Both of these operations will fail if the source key is not extractable. + - The class ``java.security.spec.PBEKeySpec`` in JDK versions earlier than 1.4 does not + contain the salt and iteration fields, which are necessary for PBE key generation. These + fields were added in JDK 1.4. If you are using a JDK (or JRE) version earlier than 1.4, you + cannot use class ``java.security.spec.PBEKeySpec``. Instead, you can use + ``org.mozilla.jss.crypto.PBEKeyGenParams``. If you are using JDK (or JRE) 1.4 or later, you + can use ``java.security.spec.PBEKeySpec`` or ``org.mozilla.jss.crypto.PBEKeyGenParams``. + +.. rubric:: SecretKey + :name: SecretKey_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_8 + +.. rubric:: Notes + :name: notes_8 + +- + + - AES + - DES + - DESede (*DES3* ) + - HmacSHA1 + - RC2 + - RC4 + + - ``SecretKey`` is implemented by the class ``org.mozilla.jss.crypto.SecretKeyFacade``, which + acts as a wrapper around the JSS class ``SymmetricKey``. Any ``SecretKeys`` handled by JSS + will actually be ``SecretKeyFacades``. This should usually be transparent. + +.. rubric:: SecureRandom + :name: SecureRandom_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_9 + +.. rubric:: Notes + :name: notes_9 + +- + + - pkcs11prng + + - This invokes the NSS internal pseudorandom number generator. + +.. rubric:: Signature + :name: Signature_2 + +.. rubric:: Supported Algorithms + :name: supported_algorithms_10 + +.. rubric:: Notes + :name: notes_10 + +- + + - SHA1withDSA (*DSA, DSS, SHA/DSA, SHA-1/DSA, SHA1/DSA, DSAWithSHA1, SHAwithDSA* ) + - SHA-1/RSA (*SHA1/RSA, SHA1withRSA* ) + - MD5/RSA (*MD5withRSA* ) + - MD2/RSA + + - The ``SecureRandom`` argument passed to ``initSign()`` and ``initVerify()`` is ignored, + because NSS does not support specifying an external source of randomness. diff --git a/security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst b/security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst new file mode 100644 index 0000000000..f8edb0953c --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/mozilla-jss_jca_provider_notes/index.rst @@ -0,0 +1,472 @@ +.. _mozilla_projects_nss_jss_mozilla-jss_jca_provider_notes: + +Mozilla-JSS JCA Provider notes +============================== + +.. _the_mozilla-jss_jca_provider: + +`The Mozilla-JSS JCA Provider <#the_mozilla-jss_jca_provider>`__ +---------------------------------------------------------------- + +.. container:: + + *Newsgroup:*\ `mozilla.dev.tech.crypto `__ + +`Overview <#overview>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + This document describes the JCA Provider shipped with JSS. The provider's name is "Mozilla-JSS". + It implements cryptographic operations in native code using the + `NSS `__ libraries. + +`Contents <#contents>`__ +~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Signed JAR + file `__ + - `Installing the + Provider `__ + - `Specifying the + CryptoToken `__ + - `Supported + Classes `__ + - `What's Not + Supported `__ + +.. _signed_jar_file: + +`Signed JAR file <#signed_jar_file>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + JSS implements several JCE (Java Cryptography Extension) algorithms. These algorithms have at + various times been export-controlled by the US government. JRE therefore requires that JAR files + implementing JCE algorithms be digitally signed by an approved organization. The maintainers of + JSS, Sun, Red Hat, and Mozilla, have this approval and signs the official builds of ``jss4.jar``. + At runtime, the JRE automatically verifies this signature whenever a JSS class is loaded that + implements a JCE algorithm. The verification is transparent to the application (unless it fails + and throws an exception). If you are curious, you can verify the signature on the JAR file using + the ``jarsigner`` tool, which is distributed with the JDK. + + If you build JSS yourself from source instead of using binaries downloaded from mozilla.org, your + JAR file will not have a valid signature. This means you will not be able to use the JSS provider + for JCE algorithms. You have two choices. + + #. Use the binary release of JSS from mozilla.org. + #. Apply for your own JCE code-signing certificate following the procedure at `How to Implement a + Provider for the Java\ TM Cryptography + Extension `__. + Then you can sign your own JSS JAR file. + +.. _installing_the_provider: + +`Installing the Provider <#installing_the_provider>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + In order to use any part of JSS, including the JCA provider, you must first call + ``CryptoManager.initialize()``. By default, the JCA provider will be installed in the list of + providers maintained by the ``java.security.Security`` class. If you do not wish the provider to + be installed, create a + ```CryptoManager.InitializationValues`` `__ + object, set its ``installJSSProvider`` field to ``false``, and pass the ``InitializationValues`` + object to ``CryptoManager.initialize()``. + +.. _specifying_the_cryptotoken: + +`Specifying the CryptoToken <#specifying_the_cryptotoken>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + All cryptographic operations in JSS and NSS occur on a particular PKCS #11 token, implemented in + software or hardware. There is no clean way to specify this token through the JCA API. By + default, the JSS provider carries out all operations except MessageDigest on the Internal Key + Storage Token, a software token included in JSS/NSS. MessageDigest operations take place by + default on the Internal Crypto Token, another internal software token in JSS/NSS. There is no + good design reason for this difference, but it is necessitated by a quirk in the NSS + implementation. + + In order to use a different token, use ``CryptoManager.setThreadToken()``. This sets the token to + be used by the JSS JCA provider in the current thread. When you call ``getInstance()`` on a JCA + class, the JSS provider checks the current per-thread default token (by calling + ``CryptoManager.getThreadToken()``) and instructs the new object to use that token for + cryptographic operations. The per-thread default token setting is only consulted inside + ``getInstance()``. Once a JCA object has been created it will continue to use the same token, + even if the application later changes the per-thread default token. + + Whenever a new thread is created, its token is initialized to the default, the Internal Key + Storage Token. Thus, the thread token is not inherited from the parent thread. + + The following example shows how you can specify which token is used for various JCA operations: + + .. code:: + + // Lookup PKCS #11 tokens + CryptoManager manager = CryptoManager.getInstance(); + CryptoToken tokenA = manager.getTokenByName("TokenA"); + CryptoToken tokenB = manager.getTokenByName("TokenB"); + + // Create an RSA KeyPairGenerator using TokenA + manager.setThreadToken(tokenA); + KeyPairGenerator rsaKpg = KeyPairGenerator.getInstance("Mozilla-JSS", "RSA"); + + // Create a DSA KeyPairGenerator using TokenB + manager.setThreadToken(tokenB); + KeyPairGenerator dsaKpg = KeyPairGenerator.getInstance("Mozilla-JSS", "DSA"); + + // Generate an RSA KeyPair. This will happen on TokenA because TokenA + // was the per-thread default token when rsaKpg was created. + rsaKpg.initialize(1024); + KeyPair rsaPair = rsaKpg.generateKeyPair(); + + // Generate a DSA KeyPair. This will happen on TokenB because TokenB + // was the per-thread default token when dsaKpg was created. + dsaKpg.initialize(1024); + KeyPair dsaPair = dsaKpg.generateKeyPair(); + +.. _supported_classes: + +`Supported Classes <#supported_classes>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - `Cipher `__ + - `DSAPrivateKey `__ + - DSAPublicKey + - `KeyFactory `__ + - `KeyGenerator `__ + - `KeyPairGenerator `__ + - `Mac `__ + - `MessageDigest `__ + - `RSAPrivateKey `__ + - RSAPublicKey + - `SecretKeyFactory `__ + - `SecretKey `__ + - `SecureRandom `__ + - `Signature `__ + +`Cipher <#cipher>`__ +~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms + + .. rubric:: Notes + :name: notes + + - AES + - DES + - DESede (*DES3*) + - RC2 + - RC4 + - RSA + + - The following modes and padding schemes are supported: + + +--------------------------------+--------------------------------+--------------------------------+ + | Algorithm | Mode | Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | DES | ECB | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5 Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | DESede | ECB | NoPadding | + | *DES3* | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5 Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | AES | ECB | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5 Padding | + +--------------------------------+--------------------------------+--------------------------------+ + | RC4 | *None* | *None* | + +--------------------------------+--------------------------------+--------------------------------+ + | RC2 | CBC | NoPadding | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS5Padding | + +--------------------------------+--------------------------------+--------------------------------+ + + - The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because + NSS does not support specifying an external source of randomness. + +`DSAPrivateKey <#dsaprivatekey>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + - ``getX()`` is not supported because NSS does not support extracting data from private keys. + +`KeyFactory <#keyfactory>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_2 + + .. rubric:: Notes + :name: notes_2 + + - DSA + - RSA + - The following transformations are supported for ``generatePublic()`` and + ``generatePrivate()``: + + +-------------------------------------------------+-------------------------------------------------+ + | From | To | + +-------------------------------------------------+-------------------------------------------------+ + | ``RSAPublicKeySpec`` | ``RSAPublicKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``DSAPublicKeySpec`` | ``DSAPublicKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``X509EncodedKeySpec`` | ``RSAPublicKey`` | + | | ``DSAPublicKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``RSAPrivateCrtKeySpec`` | ``RSAPrivateKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``DSAPrivateKeySpec`` | ``DSAPrivateKey`` | + +-------------------------------------------------+-------------------------------------------------+ + | ``PKCS8EncodedKeySpec`` | ``RSAPrivateKey`` | + | | ``DSAPrivateKey`` | + +-------------------------------------------------+-------------------------------------------------+ + + - ``getKeySpec()`` is not supported. This method exports key material in plaintext and is + therefore insecure. Note that a public key's data can be accessed directly from the key. + - ``translateKey()`` simply gets the encoded form of the given key and then tries to import it + by calling ``generatePublic()`` or ``generatePrivate()``. Only ``X509EncodedKeySpec`` is + supported for public keys, and only ``PKCS8EncodedKeySpec`` is supported for private keys. + +`KeyGenerator <#keygenerator>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_3 + + .. rubric:: Notes + :name: notes_3 + + - AES + - DES + - DESede (*DES3*) + - RC4 + - The SecureRandom argument passed to ``init()`` is ignored, because NSS does not support + specifying an external source of randomness. + - None of the key generation algorithms accepts an ``AlgorithmParameterSpec``. + +`KeyPairGenerator <#keypairgenerator>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_4 + + .. rubric:: Notes + :name: notes_4 + + - DSA + - RSA + + - The SecureRandom argument passed to initialize() is ignored, because NSS does not support + specifying an external source of randomness. + +`Mac <#mac>`__ +~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_5 + + .. rubric:: Notes + :name: notes_5 + + - HmacSHA1 (*Hmac-SHA1*) + + - Any secret key type (AES, DES, etc.) can be used as the MAC key, but it must be a JSS key. + That is, it must be an ``instanceof org.mozilla.jss.crypto.SecretKeyFacade``. + - The params passed to ``init()`` are ignored. + +`MessageDigest <#messagedigest>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_6 + + - MD5 + - MD2 + - SHA-1 (*SHA1, SHA*) + +`RSAPrivateKey <#rsaprivatekey>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Notes + :name: notes_6 + + - ``getModulus()`` is not supported because NSS does not support extracting data from private + keys. + - ``getPrivateExponent()`` is not supported because NSS does not support extracting data from + private keys. + +`SecretKeyFactory <#secretkeyfactory>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_7 + + .. rubric:: Notes + :name: notes_7 + + - AES + - DES + - DESede (*DES3*) + - PBAHmacSHA1 + - PBEWithMD5AndDES + - PBEWithSHA1AndDES + - PBEWithSHA1AndDESede (*PBEWithSHA1AndDES3*) + - PBEWithSHA1And128RC4 + - RC4 + + - ``generateSecret`` supports the following transformations: + + +-------------------------------------------------+-------------------------------------------------+ + | KeySpec Class | Key Algorithm | + +-------------------------------------------------+-------------------------------------------------+ + | PBEKeySpec | *Using the appropriate PBE algorithm:* | + | org.mozilla.jss.crypto.PBEKeyGenParams | DES | + | | DESede | + | | RC4 | + +-------------------------------------------------+-------------------------------------------------+ + | DESedeKeySpec | DESede | + +-------------------------------------------------+-------------------------------------------------+ + | DESKeySpec | DES | + +-------------------------------------------------+-------------------------------------------------+ + | SecretKeySpec | AES | + | | DES | + | | DESede | + | | RC4 | + +-------------------------------------------------+-------------------------------------------------+ + + - ``getKeySpec`` supports the following transformations: + + +-------------------------------------------------+-------------------------------------------------+ + | Key Algorithm | KeySpec Class | + +-------------------------------------------------+-------------------------------------------------+ + | DESede | DESedeKeySpec | + +-------------------------------------------------+-------------------------------------------------+ + | DES | DESKeySpec | + +-------------------------------------------------+-------------------------------------------------+ + | DESede | SecretKeySpec | + | DES | | + | AES | | + | RC4 | | + +-------------------------------------------------+-------------------------------------------------+ + + - For increased security, some SecretKeys may not be extractable from their PKCS #11 token. In + this case, the key should be wrapped (encrypted with another key), and then the encrypted key + might be extractable from the token. This policy varies across PKCS #11 tokens. + - ``translateKey`` tries two approaches to copying keys. First, it tries to copy the key + material directly using NSS calls to PKCS #11. If that fails, it calls ``getEncoded()`` on the + source key, and then tries to create a new key on the target token from the encoded bits. Both + of these operations will fail if the source key is not extractable. + - The class ``java.security.spec.PBEKeySpec`` in JDK versions earlier than 1.4 does not contain + the salt and iteration fields, which are necessary for PBE key generation. These fields were + added in JDK 1.4. If you are using a JDK (or JRE) version earlier than 1.4, you cannot use + class ``java.security.spec.PBEKeySpec``. Instead, you can use + ``org.mozilla.jss.crypto.PBEKeyGenParams``. If you are using JDK (or JRE) 1.4 or later, you + can use ``java.security.spec.PBEKeySpec`` or ``org.mozilla.jss.crypto.PBEKeyGenParams``. + +`SecretKey <#secretkey>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_8 + + .. rubric:: Notes + :name: notes_8 + + - AES + - DES + - DESede (*DES3*) + - HmacSHA1 + - RC2 + - RC4 + + - ``SecretKey`` is implemented by the class ``org.mozilla.jss.crypto.SecretKeyFacade``, which + acts as a wrapper around the JSS class ``SymmetricKey``. Any ``SecretKeys`` handled by JSS + will actually be ``SecretKeyFacades``. This should usually be transparent. + +`SecureRandom <#securerandom>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_9 + + .. rubric:: Notes + :name: notes_9 + + - pkcs11prng + + - This invokes the NSS internal pseudorandom number generator. + +`Signature <#signature>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + .. rubric:: Supported Algorithms + :name: supported_algorithms_10 + + .. rubric:: Notes + :name: notes_10 + + - SHA1withDSA (*DSA, DSS, SHA/DSA, SHA-1/DSA, SHA1/DSA, DSAWithSHA1, SHAwithDSA*) + - SHA-1/RSA (*SHA1/RSA, SHA1withRSA*) + - MD5/RSA (*MD5withRSA*) + - MD2/RSA + + - The SecureRandom argument passed to ``initSign()`` and ``initVerify()`` is ignored, because + NSS does not support specifying an external source of randomness. + +.. _what's_not_supported: + +`What's Not Supported <#what's_not_supported>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + The following classes don't work very well: + + - **KeyStore:** There are many serious problems mapping the JCA keystore interface onto NSS's + model of PKCS #11 modules. The current implementation is almost useless. Since these problems + lie deep in the NSS design and implementation, there is no clear timeframe for fixing them. + Meanwhile, the ``org.mozilla.jss.crypto.CryptoStore`` class can be used for some of this + functionality. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/jss/using_jss/index.rst b/security/nss/doc/rst/legacy/jss/using_jss/index.rst new file mode 100644 index 0000000000..3a5f19f9c7 --- /dev/null +++ b/security/nss/doc/rst/legacy/jss/using_jss/index.rst @@ -0,0 +1,152 @@ +.. _mozilla_projects_nss_jss_using_jss: + +Using JSS +========= + +.. _using_jss: + +`Using JSS <#using_jss>`__ +-------------------------- + +.. container:: + + *Newsgroup:*\ `mozilla.dev.tech.crypto `__ + + If you have already `built + JSS `__, or if you + are planning to use a binary release of JSS, here's how to get JSS working with your code. + + | `Gather Components <#components>`__ + | `Setup your runtime environment <#runtime>`__ + | `Initialize JSS in your application <#init>`__ + +.. _gather_components: + +`Gather components <#gather_components>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + #. You need the JSS classes and the NSPR, NSS, and JSS shared libraries. + + #. **NSPR and NSS Shared Libraries** + + JSS uses the NSPR and NSS libraries for I/O and crypto. JSS version 3.0 linked statically with + NSS, so it only required NSPR. JSS versions 3.1 and later link dynamically with NSS, so they + also require the NSS shared libraries. + + The exact library names vary according to the convention for each platform. For example, the + NSPR library is called ``nspr4.dll`` or ``libnspr4.dll`` on Windows and ``libnspr4.so`` on + Solaris. The following table gives the core names of the libraries, omitting the + platform-specific prefix and suffix. + + +-------------------+-------------------------------------+--------------------------------------+ + | JSS Dependencies | | | + +-------------------+-------------------------------------+--------------------------------------+ + | Core Library Name | Description | Binary Release Location | + +-------------------+-------------------------------------+--------------------------------------+ + | nspr4 | NSPR OS abstraction layer | `htt | + | | | p://ftp.mozilla.org/pub/mozilla.org/ | + | | | nspr/releases `__ | + +-------------------+-------------------------------------+--------------------------------------+ + | plc4 | | NSPR standard C library replacement | + | | | functions | + +-------------------+-------------------------------------+--------------------------------------+ + | plds4 | | NSPR data structure types | + +-------------------+-------------------------------------+--------------------------------------+ + | nss3 | NSS crypto, PKCS #11, and utilities | `http://ftp.mozilla. | + | | | org/pub/mozilla.org/security/nss/rel | + | | | eases `__ | + +-------------------+-------------------------------------+--------------------------------------+ + | ssl3 | | NSS SSL library | + +-------------------+-------------------------------------+--------------------------------------+ + | smime3 | | NSS S/MIME functions and types | + +-------------------+-------------------------------------+--------------------------------------+ + | nssckbi | | PKCS #11 module containing built-in | + | | | root CA certificates. Optional. | + +-------------------+-------------------------------------+--------------------------------------+ + | freebl_\* | | Processor-specific optimized | + | | | big-number arithmetic library. Not | + | | | present on all platforms. | + | | | :ref:`mozilla_projects_nss_introd | + | | | uction_to_network_security_services` | + +-------------------+-------------------------------------+--------------------------------------+ + | fort | | FORTEZZA support. Optional | + +-------------------+-------------------------------------+--------------------------------------+ + | swft | | PKCS #11 module implementing | + | | | FORTEZZA in software. Optional. | + +-------------------+-------------------------------------+--------------------------------------+ + + If you built JSS from source, you have these libraries in the ``mozilla/dist//lib`` + directory of your build tree. If you are downloading binaries, get them from the binary + release locations in the above table. You need to select the right version of the components, + based on the version of JSS you are using. Generally, it is safe to use a later version of a + component than what JSS was tested with. For example, although JSS 4.2 was tested with NSS + 3.11. + + ================== ========= ============== + Component Versions + JSS Version Component Tested Version + JSS 4.2 NSPR 4.6.4 + \ NSS 3.11.4 + JSS 3.4 NSPR 4.2.2 + \ NSS 3.7.3 + JSS 3.3 NSPR 4.2.2 + \ NSS 3.6.1 or 3.7 + JSS 3.2 NSPR 4.2 or 4.1.2 + \ NSS 3.4.2 + JSS 3.1.1 NSPR 4.1.2 + \ NSS 3.3.1 + JSS 3.1 NSPR 4.1.2 + \ NSS 3.3 + JSS 3.0 NSPR 3.5.1 + ================== ========= ============== + + #. **JSS Shared Library** + + The JSS shared library is ``jss4.dll`` (Windows) or ``libjss4.so`` (Unix). If you built JSS + from source, it is in ``mozilla/dist//lib``. If you are downloading binaries, get it + from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/. + + #. **JSS classes** + + If you built JSS from source, the compiled JSS classes are in ``mozilla/dist/classes[_dbg]``. + You can put this directory in your classpath to run applications locally; or, you can package + the class files into a JAR file for easier distribution: + + .. code:: + + cd mozilla/dist/classes[_dbg] + zip -r ../jss42.jar . + + If you are downloading binaries, get jss42.jar + from http://ftp.mozilla.org/pub/mozilla.org/security/jss/releases/. + +.. _setup_your_runtime_environment: + +`Setup your runtime environment <#setup_your_runtime_environment>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + You need to set some environment variables before building and running Java applications with + JSS. + + ``CLASSPATH`` + Include the path containing the JSS classes you built, or the path to ``jss42.jar``. (The path + to ``jss34.jar`` ends with the string "/jss42.jar". It is not just the directory that contains + ``jss42.jar``.) + ``LD_LIBRARY_PATH`` (Unix) / ``PATH`` (Windows) + Include the path to the NSPR, NSS, and JSS shared libraries. + +.. _initialize_jss_in_your_application: + +`Initialize JSS in your application <#initialize_jss_in_your_application>`__ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +.. container:: + + Before calling any JSS methods, you must initialize JSS by calling one of the + ``CryptoManager.initialize`` methods. See the `javadoc `__ for more details. \ No newline at end of file diff --git a/security/nss/doc/rst/legacy/key_log_format/index.rst b/security/nss/doc/rst/legacy/key_log_format/index.rst new file mode 100644 index 0000000000..99bdf87e1d --- /dev/null +++ b/security/nss/doc/rst/legacy/key_log_format/index.rst @@ -0,0 +1,61 @@ +.. _mozilla_projects_nss_key_log_format: + +NSS Key Log Format +================== + +.. container:: + + Key logs can be written by NSS so that external programs can decrypt TLS connections. Wireshark + 1.6.0 and above can use these log files to decrypt packets. You can tell Wireshark where to find + the key file via *Edit→Preferences→Protocols→TLS→(Pre)-Master-Secret log filename*. + + Key logging is enabled by setting the environment variable ``SSLKEYLOGFILE`` to point to a file. + Note: starting with :ref:`mozilla_projects_nss_nss_3_24_release_notes` (used by Firefox 48 and 49 + only), the ``SSLKEYLOGFILE`` approach is disabled by default for optimized builds using the + Makefile (those using gyp via ``build.sh`` are *not* affected). Distributors can re-enable it at + compile time though (using the ``NSS_ALLOW_SSLKEYLOGFILE=1`` make variable) which is done for the + official Firefox binaries. (See `bug + 1188657 `__.) Notably, Debian does not have + this option enabled, see `Debian bug + 842292 `__. + + This key log file is a series of lines. Comment lines begin with a sharp character ('#') and are + ignored. Secrets follow the format ``