author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-07 19:33:14 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-07 19:33:14 +0000
commit: 36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree: 105e8c98ddea1c1e4784a60a5a6410fa416be2de /security/nss/doc/rst/legacy/index
parent: Initial commit. (diff)
download: firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz
firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/doc/rst/legacy/index')
-rw-r--r-- security/nss/doc/rst/legacy/index/index.rst 11751
1 files changed, 11751 insertions, 0 deletions
diff --git a/security/nss/doc/rst/legacy/index/index.rst b/security/nss/doc/rst/legacy/index/index.rst
new file mode 100644
index 0000000000..a592015264
--- /dev/null
+++ b/security/nss/doc/rst/legacy/index/index.rst
@@ -0,0 +1,11751 @@
+.. _mozilla_projects_nss_index:
+
+Index
+=====
+
+.. container::
+
+ **Found 361 pages:**
+
+ +--------------------------------+--------------------------------+--------------------------------+
+ | # | Page | Tags and summary |
+ +================================+================================+================================+
+ | 1 | :ref:`mozilla_projects_nss` | **JSS, NSS, NeedsMigration** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | **Network Security Services** |
+ | | | (**NSS**) is a set of |
+ | | | libraries designed to support |
+ | | | cross-platform development of |
+ | | | security-enabled client and |
+ | | | server applications. |
+ | | | Applications built with NSS |
+ | | | can support SSL v3, TLS, PKCS |
+ | | | #5, PKCS #7, PKCS #11, PKCS |
+ | | | #12, S/MIME, X.509 v3 |
+ | | | certificates, and other |
+ | | | security standards. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 2 | :ref:`mozilla_projects_nss | **API, Intermediate, Intro, |
+ | | _an_overview_of_nss_internals` | NSS, Tools** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | A High-Level Overview to the |
+ | | | Internals of `Network Security |
+ | | | Services |
+ | | | (NSS) <https://developer. |
+ | | | mozilla.org/en-US/docs/NSS>`__ |
+ | | | Software developed by the |
+ | | | Mozilla.org projects |
+ | | | traditionally used its own |
+ | | | implementation of security |
+ | | | protocols and cryptographic |
+ | | | algorithms, originally called |
+ | | | Netscape Security Services, |
+ | | | nowadays called Network |
+ | | | Security Services (NSS). NSS |
+ | | | is a library written in the C |
+ | | | programming language. It's |
+ | | | free and open source software, |
+ | | | and many other software |
+ | | | projects have decided to use |
+ | | | it. In order to support |
+ | | | multiple operating systems |
+ | | | (OS), it is based on a cross |
+ | | | platform portability layer, |
+ | | | called the Netscape Portable |
+ | | | Runtime (NSPR), which provides |
+ | | | cross platform application |
+ | | | programming interfaces (APIs) |
+ | | | for OS specific APIs like file |
+ | | | system access, memory |
+ | | | management, network |
+ | | | communication, and |
+ | | | multithreaded programming. |
+ | | | NSS offers lots of |
+ | | | functionality; we'll walk |
+ | | | through the list of modules, |
+ | | | design principles, and |
+ | | | important relevant standards. |
+ | | | In order to allow |
+ | | | interoperability between |
+ | | | software and devices that |
+ | | | perform cryptographic |
+ | | | operations, NSS conforms to a |
+ | | | standard called PKCS#11. (Note |
+ | | | that it's important to look at |
+ | | | the number 11, as there are |
+ | | | other PKCS standards with |
+ | | | different numbers that define |
+ | | | quite different topics.) |
+ | | | A software or hardware module |
+ | | | conforming to the PKCS#11 |
+ | | | standard implements an |
+ | | | interface of C calls, which |
+ | | | allow querying the |
+ | | | characteristics and offered |
+ | | | services of the module. |
+ | | | Multiple elements of NSS's own |
+ | | | modules have been implemented |
+ | | | with this interface, and NSS |
+ | | | makes use of this interface |
+ | | | when talking to those modules. |
+ | | | This strategy allows NSS to |
+ | | | work with many hardware |
+ | | | devices (e.g., to speed up the |
+ | | | calculations required for |
+ | | | cryptographic operations, or |
+ | | | to access smartcards that |
+ | | | securely protect a secret key) |
+ | | | and software modules (e.g., to |
+ | | | allow to load such modules as |
+ | | | a plugin that provides |
+ | | | additional algorithms or |
+ | | | stores key or trust |
+ | | | information) that implement |
+ | | | the PKCS#11 interface. |
+ | | | A core element of NSS is |
+ | | | FreeBL, a base library |
+ | | | providing hash functions, big |
+ | | | number calculations, and |
+ | | | cryptographic algorithms. |
+ | | | Softoken is an NSS module that |
+ | | | exposes most FreeBL |
+ | | | functionality as a PKCS#11 |
+ | | | module. |
+ | | | Some cryptography uses the |
+ | | | same secret key for both |
+ | | | encrypting and decrypting, for |
+ | | | example password based |
+ | | | encryption (PBE). This is |
+ | | | often sufficient if you |
+ | | | encrypt data for yourself, but |
+ | | | as soon as you need to |
+ | | | exchange signed/encrypted data |
+ | | | with communication partners, |
+ | | | using public key encryption |
+ | | | simplifies the key management. |
+ | | | The environment that describes |
+ | | | how to use public key |
+ | | | encryption is called Public |
+ | | | Key Infrastructure (PKI). The |
+ | | | public keys that are exchanged |
+ | | | between parties are |
+ | | | transported using a container; |
+ | | | the container is called a |
+ | | | certificate, following |
+ | | | standard X.509 version 3. A |
+ | | | certificate contains lots of |
+ | | | other details; for example, it |
+ | | | contains a signature by a |
+ | | | third party that expresses |
+ | | | trust in the ownership |
+ | | | relationship for the |
+ | | | certificate. The trust |
+ | | | assigned by the third party |
+ | | | might be restricted to certain |
+ | | | uses, which are listed in |
+ | | | certificate extensions that |
+ | | | are contained in the |
+ | | | certificate. |
+ | | | Many (if not most) of the |
+ | | | operations performed by NSS |
+ | | | involve the use of X.509 |
+ | | | certificates (often |
+ | | | abbreviated as “cert”, |
+ | | | unfortunately making it easy |
+ | | | to confuse with the term |
+ | | | “computer emergency response |
+ | | | team“). |
+ | | | When checking whether a |
+ | | | certificate is trusted or not, |
+ | | | it's necessary to find a |
+ | | | relevant trust anchor (root |
+ | | | certificate) that represents |
+ | | | the signing capability of a |
+ | | | trusted third party, usually |
+ | | | called a Certificate Authority |
+ | | | (CA). A trust anchor is just |
+ | | | another X.509 certificate that |
+ | | | is already known and has been |
+ | | | deliberately marked as trusted |
+ | | | by a software vendor, |
+ | | | administrators inside an |
+ | | | organizational infrastructure, |
+ | | | or the software user. NSS |
+ | | | ships a predefined set of CA |
+ | | | certificates. This set, |
+ | | | including their trust |
+ | | | assignments, is provided by |
+ | | | NSS as a software module, |
+ | | | called CKBI (“built-in root |
+ | | | certificates”), which also |
+ | | | implements the PKCS#11 |
+ | | | interface. On an |
+ | | | organizational level the |
+ | | | contents of the set are |
+ | | | managed according to the |
+ | | | Mozilla CA policy. On a |
+ | | | technical level the set is a |
+ | | | binary software module. |
+ | | | A cryptographic transaction, |
+ | | | such as encryption or |
+ | | | decryption related to a data |
+ | | | exchange, usually involves |
+ | | | working with the X.509 certs |
+ | | | of your communication partners |
+ | | | (peer). It's also required |
+ | | | that you safely keep your own |
+ | | | secret keys that belong to |
+ | | | your own certificates. You |
+ | | | might want to protect the |
+ | | | storage of your secret keys |
+ | | | with PBE. You might decide to |
+ | | | modify the default trust |
+ | | | provided by NSS. All of this |
+ | | | requires storing, looking up, |
+ | | | and retrieving data. NSS |
+ | | | simplifies performing these |
+ | | | operations by offering storage |
+ | | | and management APIs. NSS |
+ | | | doesn't require the programmer |
+ | | | to manage individual files |
+ | | | containing individual |
+ | | | certificates or keys. Instead, |
+ | | | NSS offers to use its own |
+ | | | database(s). Once you have |
+ | | | imported certificates and keys |
+ | | | into the NSS database, you can |
+ | | | easily look them up and use |
+ | | | them again. |
+ | | | Because of NSS's expectation |
+ | | | to operate with an NSS |
+ | | | database, it's mandatory that |
+ | | | you perform an initialization |
+ | | | call, where you tell NSS which |
+ | | | database you will be using. In |
+ | | | the most simple scenario, the |
+ | | | programmer will provide a |
+ | | | directory on your filesystem |
+ | | | as a parameter to the init |
+ | | | function, and NSS is designed |
+ | | | to do the rest. It will detect |
+ | | | and open an existing database, |
+ | | | or it can create a new one. |
+ | | | Alternatively, should you |
+ | | | decide that you don't want to |
+ | | | work with any persistent |
+ | | | recording of certificates, you |
+ | | | may initialize NSS in a |
+ | | | no-database mode. Usually, NSS |
+ | | | will flush all data to disk as |
+ | | | soon as new data has been |
+ | | | added to permanent storage. |
+ | | | Storage consists of multiple |
+ | | | files: a key database file, |
+ | | | which contains your secret |
+ | | | keys, and a certificate |
+ | | | database file which contains |
+ | | | the public portion of your own |
+ | | | certificates, the certificates |
+ | | | of peers or CAs, and a list of |
+ | | | trust decisions (such as to |
+ | | | not trust a built-in CA, or to |
+ | | | explicitly trust other CAs). |
+ | | | Examples for the database |
+ | | | files are key3.db and |
+ | | | cert8.db, where the numbers |
+ | | | are file version numbers. A |
+ | | | third file contains the list |
+ | | | of external PKCS#11 modules |
+ | | | that have been registered to |
+ | | | be used by NSS. The file could |
+ | | | be named secmod.db, but in |
+ | | | newer database generations a |
+ | | | file named pkcs11.txt is used. |
+ | | | Only NSS is allowed to access |
+ | | | and manipulate these database |
+ | | | files directly; a programmer |
+ | | | using NSS must go through the |
+ | | | APIs offered by NSS to |
+ | | | manipulate the data stored in |
+ | | | these files. The programmer's |
+ | | | task is to initialize NSS with |
+ | | | the required parameters (such |
+ | | | as a database), and NSS will |
+ | | | then transparently manage the |
+ | | | database files. |
+ | | | Most of the time certificates |
+ | | | and keys are supposed to be |
+ | | | stored in the NSS database. |
+ | | | Therefore, after initial |
+ | | | import or creation, the |
+ | | | programmer usually doesn't |
+ | | | deal with their raw bytes. |
+ | | | Instead, the programmer will |
+ | | | use lookup functions, and NSS |
+ | | | will provide an access handle |
+ | | | that will be subsequently used |
+ | | | by the application's code. |
+ | | | Those handles are reference |
+ | | | counted. NSS will usually |
+ | | | create an in-memory (RAM) |
+ | | | presentation of certificates, |
+ | | | once a certificate has been |
+ | | | received from the network, |
+ | | | read from disk, or looked up |
+ | | | from the database, and prepare |
+ | | | in-memory data structures that |
+ | | | contain the certificate's |
+ | | | properties, as well as |
+ | | | providing a handle for the |
+ | | | programmer to use. Once the |
+ | | | application is done with a |
+ | | | handle, it should be released, |
+ | | | allowing NSS to free the |
+ | | | associated resources. When |
+ | | | working with handles to |
+ | | | private keys it's usually |
+ | | | difficult (and undesired) that |
+ | | | an application gets access to |
+ | | | the raw key data; therefore it |
+ | | | may be difficult to extract |
+ | | | such data from NSS. The usual |
+ | | | minimum requirement is that |
+ | | | private keys must be wrapped |
+ | | | using a protective layer (such |
+ | | | as password-based encryption). |
+ | | | The intention is to make it |
+ | | | easier to review code for |
+ | | | security. The less code that |
+ | | | has access to raw secret keys, |
+ | | | the less code that must be |
+ | | | reviewed. |
+ | | | NSS has only limited |
+ | | | functionality to look up raw |
+ | | | keys. The preferred approach |
+ | | | is to use certificates, and to |
+ | | | look up certificates by |
+ | | | properties such as the |
+ | | | contained subject name |
+ | | | (information that describes |
+ | | | the owner of the certificate). |
+ | | | For example, while NSS |
+ | | | supports random calculation |
+ | | | (creation) of a new |
+ | | | public/private key pair, it's |
+ | | | difficult to work with such a |
+ | | | raw key pair. The usual |
+ | | | approach is to create a |
+ | | | certificate signing request |
+ | | | (CSR) as soon as an |
+ | | | application is done with the |
+ | | | creation step, which will have |
+ | | | created a handle to the key |
+ | | | pair, and which can be used |
+ | | | for the necessary related |
+ | | | operations, like producing a |
+ | | | proof-of-ownership of the |
+ | | | private key, which is usually |
+ | | | required when submitting the |
+ | | | public key with a CSR to a CA. |
+ | | | The usual follow up action is |
+ | | | receiving a signed certificate |
+ | | | from a CA. (However, it's also |
+ | | | possible to use NSS |
+ | | | functionality to create a |
+ | | | self-signed certificate, |
+ | | | which, however, usually won't |
+ | | | be trusted by other parties.) |
+ | | | Once received, it's sufficient |
+ | | | to tell NSS to import such a |
+ | | | new certificate into the NSS |
+ | | | database, and NSS will |
+ | | | automatically perform a lookup |
+ | | | of the embedded public key, be |
+ | | | able to find the associated |
+ | | | private key, and subsequently |
+ | | | be able to treat it as a |
+ | | | personal certificate. (A |
+ | | | personal certificate is a |
+ | | | certificate for which the |
+ | | | private key is in possession, |
+ | | | and which could be used for |
+ | | | signing data or for decrypting |
+ | | | data.) A unique nickname |
+ | | | can/should be assigned to the |
+ | | | certificate at the time of |
+ | | | import, which can later be |
+ | | | used to easily identify and |
+ | | | retrieve it. |
+ | | | It's important to note that |
+ | | | NSS requires strict cleanup |
+ | | | for all handles returned by |
+ | | | NSS. The application should |
+ | | | always call the appropriate |
+ | | | dereference (destroy) |
+ | | | functions once a handle is no |
+ | | | longer needed. This is |
+ | | | particularly important for |
+ | | | applications that might need |
+ | | | to close a database and |
+ | | | reinitialize NSS using a |
+ | | | different one, without |
+ | | | restarting. Such an operation |
+ | | | might fail at runtime if data |
+ | | | elements are still being |
+ | | | referenced. |
+ | | | In addition to the FreeBL, |
+ | | | Softoken, and CKBI modules, |
+ | | | there is an utility library |
+ | | | for general operations (e.g., |
+ | | | encoding/decoding between data |
+ | | | formats, a list of |
+ | | | standardized object |
+ | | | identifiers (OID)). NSS has an |
+ | | | SSL/TLS module that implements |
+ | | | the Secure Sockets |
+ | | | Layer/Transport Layer Security |
+ | | | network protocols, an S/MIME |
+ | | | module that implements CMS |
+ | | | messaging used by secure email |
+ | | | and some instant messaging |
+ | | | implementations, a DBM library |
+ | | | that implements the classic |
+ | | | database storage, and finally |
+ | | | a core NSS library for the big |
+ | | | set of “everything else”. |
+ | | | Newer generations of the |
+ | | | database use the SQLite |
+ | | | database to allow concurrent |
+ | | | access by multiple |
+ | | | applications. |
+ | | | All of the above are provided |
+ | | | as shared libraries. The CRMF |
+ | | | library, which is used to |
+ | | | produce certain kinds of |
+ | | | certificate requests, is |
+ | | | available as a library for |
+ | | | static linking only. |
+ | | | When dealing with certificates |
+ | | | (X.509), file formats such as |
+ | | | PKCS#12 (certificates and |
+ | | | keys), PKCS#7 (signed data), |
+ | | | and message formats as CMS, we |
+ | | | should mention ASN.1, which is |
+ | | | a syntax for storing |
+ | | | structured data in a very |
+ | | | efficient (small sized) |
+ | | | presentation. It was |
+ | | | originally developed for |
+ | | | telecommunication systems at |
+ | | | times where it was critical to |
+ | | | minimize data as much as |
+ | | | possible (although it still |
+ | | | makes sense to use that |
+ | | | principle today for good |
+ | | | performance). In order to |
+ | | | process data available in the |
+ | | | ASN.1 format, the usual |
+ | | | approach is to parse it and |
+ | | | transfer it to a presentation |
+ | | | that requires more space but |
+ | | | is easier to work with, such |
+ | | | as (nested) C data structures. |
+ | | | Over the time NSS has received |
+ | | | three different ASN.1 parser |
+ | | | implementations, each having |
+ | | | their own specific properties, |
+ | | | advantages and disadvantages, |
+ | | | which is why all of them are |
+ | | | still being used (nobody has |
+ | | | yet dared to replace the older |
+ | | | with the newer ones because of |
+ | | | risks for side effects). When |
+ | | | using the ASN.1 parser(s), a |
+ | | | template definition is passed |
+ | | | to the parser, which will |
+ | | | analyze the ASN.1 data stream |
+ | | | accordingly. The templates are |
+ | | | usually closely aligned to |
+ | | | definitions found in RFC |
+ | | | documents. |
+ | | | A data block described as DER |
+ | | | is usually in ASN.1 format. |
+ | | | You must know which data you |
+ | | | are expecting, and use the |
+ | | | correct template for parsing, |
+ | | | based on the context of your |
+ | | | software's interaction. Data |
+ | | | described as PEM is a base64 |
+ | | | encoded presentation of DER, |
+ | | | usually wrapped between human |
+ | | | readable BEGIN/END lines. NSS |
+ | | | prefers the binary |
+ | | | presentation, but is often |
+ | | | capable to use base64 or ASCII |
+ | | | presentations, especially when |
+ | | | importing data from files. A |
+ | | | recent development adds |
+ | | | support for loading external |
+ | | | PEM files that contain private |
+ | | | keys, in a software library |
+ | | | called nss-pem, which is |
+ | | | separately available, but |
+ | | | should eventually become a |
+ | | | core part of NSS. |
+ | | | Looking at the code level, NSS |
+ | | | deals with blocks of raw data |
+ | | | all the time. The common |
+ | | | structure to store such an |
+ | | | untyped block is SECItem, |
+ | | | which contains a size and an |
+ | | | untyped C pointer variable. |
+ | | | When dealing with memory, NSS |
+ | | | makes use of arenas, which are |
+ | | | an attempt to simplify |
+ | | | management with the limited |
+ | | | offerings of C (because there |
+ | | | are no destructors). The idea |
+ | | | is to group multiple memory |
+ | | | allocations in order to |
+ | | | simplify cleanup. Performing |
+ | | | an operation often involves |
+ | | | allocating many individual |
+ | | | data items, and the code might |
+ | | | be required to abort a task at |
+ | | | many positions in the logic. |
+ | | | An arena is requested once |
+ | | | processing of a task starts, |
+ | | | and all memory allocations |
+ | | | that are logically associated |
+ | | | to that task are requested |
+ | | | from the associated arena. The |
+ | | | implementation of arenas makes |
+ | | | sure that all individual |
+ | | | memory blocks are tracked. |
+ | | | Once a task is done, |
+ | | | regardless whether it |
+ | | | completed or was aborted, the |
+ | | | programmer simply needs to |
+ | | | release the arena, and all |
+ | | | individually allocated blocks |
+ | | | will be released |
+ | | | automatically. Often freeing |
+ | | | is combined with immediately |
+ | | | erasing (zeroing, zfree) the |
+ | | | memory associated to the |
+ | | | arena, in order to make it |
+ | | | more difficult for attackers |
+ | | | to extract keys from a memory |
+ | | | dump. |
+ | | | NSS uses many C data |
+ | | | structures. Often NSS has |
+ | | | multiple implementations for |
+ | | | the same or similar concepts. |
+ | | | For example, there are |
+ | | | multiple presentations of |
+ | | | certificates, and the NSS |
+ | | | internals (and sometimes even |
+ | | | the application using NSS) |
+ | | | might have to convert between |
+ | | | them. |
+ | | | Key responsibilites of NSS are |
+ | | | verification of signatures and |
+ | | | certificates. In order to |
+ | | | verify a digital signature, we |
+ | | | have to look at the |
+ | | | application data (e.g., a |
+ | | | document that was signed), the |
+ | | | signature data block (the |
+ | | | digital signature), and a |
+ | | | public key (as found in a |
+ | | | certificate that is believed |
+ | | | to be the signer, e.g., |
+ | | | identified by metadata |
+ | | | received together with the |
+ | | | signature). The signature is |
+ | | | verified if it can be shown |
+ | | | that the signature data block |
+ | | | must have been produced by the |
+ | | | owner of the public key |
+ | | | (because only that owner has |
+ | | | the associated private key). |
+ | | | Verifying a certificate (A) |
+ | | | requires some additional |
+ | | | steps. First, you must |
+ | | | identify the potential signer |
+ | | | (B) of a certificate (A). This |
+ | | | is done by reading the “issuer |
+ | | | name” attribute of a |
+ | | | certificate (A), and trying to |
+ | | | find that issuer certificate |
+ | | | (B) (by looking for a |
+ | | | certificate that uses that |
+ | | | name as its “subject name”). |
+ | | | Then you attempt to verify the |
+ | | | signature found in (A) using |
+ | | | the public key found in (B). |
+ | | | It might be necessary to try |
+ | | | multiple certificates (B1, B2, |
+ | | | ...) each having the same |
+ | | | subject name. |
+ | | | After succeeding, it might be |
+ | | | necessary to repeat this |
+ | | | procedure recursively. The |
+ | | | goal is to eventually find a |
+ | | | certificate B (or C or ...) |
+ | | | that has an appropriate trust |
+ | | | assigned (e.g., because it can |
+ | | | be found in the CKBI module |
+ | | | and the user hasn't made any |
+ | | | overriding trust decisions, or |
+ | | | it can be found in a NSS |
+ | | | database file managed by the |
+ | | | user or by the local |
+ | | | environment). |
+ | | | After having successfully |
+ | | | verified the signatures in a |
+ | | | (chain of) issuer |
+ | | | certificate(s), we're still |
+ | | | not done with verifying the |
+ | | | certificate A. In a PKI it's |
+ | | | suggested/required to perform |
+ | | | additional checks. For |
+ | | | example: Certificates were |
+ | | | valid at the time the |
+ | | | signature was made, name in |
+ | | | certificates matches the |
+ | | | expected signer (check subject |
+ | | | name, common name, email, |
+ | | | based on application), the |
+ | | | trust restrictions recorded |
+ | | | inside the certificate |
+ | | | (extensions) permit the use |
+ | | | (e.g., encryption might be |
+ | | | allowed, but not signing), and |
+ | | | based on |
+ | | | environment/application policy |
+ | | | it might be required to |
+ | | | perform a revocation check |
+ | | | (OCSP or CRL), that asks the |
+ | | | issuer(s) of the certificates |
+ | | | whether there have been events |
+ | | | that made it necessary to |
+ | | | revoke the trust (revoke the |
+ | | | validity of the cert). |
+ | | | Trust anchors contained in the |
+ | | | CKBI module are usually self |
+ | | | signed, which is defined as |
+ | | | having identical subject name |
+ | | | and issuer name fields. If a |
+ | | | self-signed certificate is |
+ | | | marked as explicitly trusted, |
+ | | | NSS will skip checking the |
+ | | | self-signature for validity. |
+ | | | NSS has multiple APIs to |
+ | | | perform verification of |
+ | | | certificates. There is a |
+ | | | classic engine that is very |
+ | | | stable and works fine in all |
+ | | | simple scenarios, for example |
+ | | | if all (B) candidate issuer |
+ | | | certificates have the same |
+ | | | subject and issuer names and |
+ | | | differ by validity period; |
+ | | | however, it works only in a |
+ | | | limited amount of more |
+ | | | advanced scenarios. |
+ | | | Unfortunately, the world of |
+ | | | certificates has become more |
+ | | | complex in the recent past. |
+ | | | New Certificate Authorities |
+ | | | enter the global PKI market, |
+ | | | and in order to get started |
+ | | | with their business, they |
+ | | | might make deals with |
+ | | | established CAs and receive |
+ | | | so-called |
+ | | | cross-signing-certificates. As |
+ | | | a result, when searching for a |
+ | | | trust path from (A) to a |
+ | | | trusted anchor (root) |
+ | | | certificate (Z), the set of |
+ | | | candidate issuer certificates |
+ | | | might have different issuer |
+ | | | names (referring to the second |
+ | | | or higher issuer level). As a |
+ | | | consequence, it will be |
+ | | | necessary to try multiple |
+ | | | different alternative routes |
+ | | | while searching for (Z), in a |
+ | | | recursive manner. Only the |
+ | | | newer verification engine |
+ | | | (internally named libPKIX) is |
+ | | | capable of doing that |
+ | | | properly. |
+ | | | It's worth mentioning the |
+ | | | Extended Validation (EV) |
+ | | | principle, which is an effort |
+ | | | by software vendors and CAs to |
+ | | | define a stricter set of rules |
+ | | | for issuing certificates for |
+ | | | web site certificates. Instead |
+ | | | of simply verifying that the |
+ | | | requester of a certificate is |
+ | | | in control of an |
+ | | | administrative email address |
+ | | | at the desired web site's |
+ | | | domain, it's required that the |
+ | | | CA performs a verification of |
+ | | | real world identity documents |
+ | | | (such as a company |
+ | | | registration document with the |
+ | | | country's authority), and it's |
+ | | | also required that a browser |
+ | | | software performs a revocation |
+ | | | check with the CA, prior to |
+ | | | granting validity to the |
+ | | | certificate. In order to |
+ | | | distinguish an EV certificate, |
+ | | | CAs will embed a policy OID in |
+ | | | the certificate, and the |
+ | | | browser is expected to verify |
+ | | | that a trust chain permits the |
+ | | | end entity (EE) certificate to |
+ | | | make use of the policy. Only |
+ | | | the APIs of the newer libPKIX |
+ | | | engine are capable of |
+ | | | performing a policy |
+ | | | verification. |
+ | | | That's a good opportunity to |
+ | | | talk about SSL/TLS connections |
+ | | | to servers in general (not |
+ | | | just EV, not just websites). |
+ | | | Whenever this document |
+ | | | mentions SSL, it refers to |
+ | | | either SSL or TLS. (TLS is a |
+ | | | newer version of SSL with |
+ | | | enhanced features.) |
+ | | | When establishing an SSL |
+ | | | connection to a server, (at |
+ | | | least) a server certificate |
+ | | | (and its trust chain) is |
+ | | | exchanged from the server to |
+ | | | the client (e.g., the |
+ | | | browser), and the client |
+ | | | verifies that the certificate |
+ | | | can be verified (including |
+ | | | matching the name of the |
+ | | | expected destination server). |
+ | | | Another part of the handshake |
+ | | | between both parties is a key |
+ | | | exchange. Because public key |
+ | | | encryption is more expensive |
+ | | | (more calculations required) |
+ | | | than symmetric encryption |
+ | | | (where both parties use the |
+ | | | same key), a key agreement |
+ | | | protocol will be executed, |
+ | | | where the public and private |
+ | | | keys are used to proof and |
+ | | | verify the exchanged initial |
+ | | | information. Once the key |
+ | | | agreement is done, a symmetric |
+ | | | encryption will be used (until |
+ | | | a potential re-handshake on an |
+ | | | existing channel). The |
+ | | | combination of the hash and |
+ | | | encryption algorithms used for |
+ | | | a SSL connection is called a |
+ | | | cipher suite. |
+ | | | NSS ships with a set of cipher |
+ | | | suites that it supports at a |
+ | | | technical level. In addition, |
+ | | | NSS ships with a default |
+ | | | policy that defines which |
+ | | | cipher suites are enabled by |
+ | | | default. An application is |
+ | | | able to modify the policy used |
+ | | | at program runtime, by using |
+ | | | function calls to modify the |
+ | | | set of enabled cipher suites. |
+ | | | If a programmer wants to |
+ | | | influence how NSS verifies |
+ | | | certificates or how NSS |
+ | | | verifies the data presented in |
+ | | | a SSL connection handshake, it |
+ | | | is possible to register |
+ | | | application-defined callback |
+ | | | functions which will be called |
+ | | | by NSS at the appropriate |
+ | | | point of time, and which can |
+ | | | be used to override the |
+ | | | decisions made by NSS. |
+ | | | If you would like to use NSS |
+ | | | as a toolkit that implements |
+ | | | SSL, remember that you must |
+ | | | init NSS first. But if you |
+ | | | don't care about modifying the |
+ | | | default trust permanently |
+ | | | (recorded on disk), you can |
+ | | | use the no-database init |
+ | | | calls. When creating the |
+ | | | network socket for data |
+ | | | exchange, note that you must |
+ | | | use the operating system |
+ | | | independent APIs provided by |
+ | | | NSPR and NSS. It might be |
+ | | | interesting to mention a |
+ | | | property of the NSPR file |
+ | | | descriptors, which are stacked |
+ | | | in layers. This means you can |
+ | | | define multiple layers that |
+ | | | are involved in data |
+ | | | processing. A file descriptor |
+ | | | has a pointer to the first |
+ | | | layer handling the data. That |
+ | | | layer has a pointer to a |
+ | | | potential second layer, which |
+ | | | might have another pointer to |
+ | | | a third layer, etc. Each layer |
+ | | | defines its own functions for |
+ | | | the |
+ | | | ope |
+ | | | n/close/read/write/poll/select |
+ | | | (etc.) functions. When using |
+ | | | an SSL network connection, |
+ | | | you'll already have two |
+ | | | layers, the basic NSPR layer |
+ | | | and an SSL library layer. The |
+ | | | Mozilla applications define a |
+ | | | third layer where application |
+ | | | specific processing is |
+ | | | performed. You can find more |
+ | | | details in the NSPR reference |
+ | | | documents. |
+ | | | NSS occassionally has to |
+ | | | create outbound network |
+ | | | connections, in addition to |
+ | | | the connections requested by |
+ | | | the application. Examples are |
+ | | | retrieving OCSP (Online |
+ | | | Certificate Status Protocol) |
+ | | | information or downloading a |
+ | | | CRL (Certificate Revocation |
+ | | | List). However, NSS doesn't |
+ | | | have an implementation to work |
+ | | | with network proxies. If you |
+ | | | must support proxies in your |
+ | | | application, you are able to |
+ | | | register your own |
+ | | | implementation of an http |
+ | | | request callback interface, |
+ | | | and NSS can use your |
+ | | | application code that supports |
+ | | | proxies. |
+ | | | When using hashing, |
+ | | | encryption, and decryption |
+ | | | functions, it is possible to |
+ | | | stream data (as opposed to |
+ | | | operating on a large buffer). |
+ | | | Create a context handle while |
+ | | | providing all the parameters |
+ | | | required for the operation, |
+ | | | then call an “update” function |
+ | | | multiple times to pass subsets |
+ | | | of the input to NSS. The data |
+ | | | will be processed and either |
+ | | | returned directly or sent to a |
+ | | | callback function registered |
+ | | | in the context. When done, you |
+ | | | call a finalization function |
+ | | | that will flush out any |
+ | | | pending data and free the |
+ | | | resources. |
+ | | | This line is a placeholder for |
+ | | | future sections that should |
+ | | | explain how libpkix works and |
+ | | | is designed. |
+ | | | If you want to work with NSS, |
+ | | | it's often helpful to use the |
+ | | | command line utilities that |
+ | | | are provided by the NSS |
+ | | | developers. There are tools |
+ | | | for managing NSS databases, |
+ | | | for dumping or verifying |
+ | | | certificates, for registering |
+ | | | PKCS#11 modules with a |
+ | | | database, for processing CMS |
+ | | | encrypted/signed messages, |
+ | | | etc. |
+ | | | For example, if you wanted to |
+ | | | create your own pair of keys |
+ | | | and request a new certificate |
+ | | | from a CA, you could use |
+ | | | certutil to create an empty |
+ | | | database, then use certutil to |
+ | | | operate on your database and |
+ | | | create a certificate request |
+ | | | (which involves creating the |
+ | | | desired key pair) and export |
+ | | | it to a file, submit the |
+ | | | request file to the CA, |
+ | | | receive the file from the CA, |
+ | | | and import the certificate |
+ | | | into your database. You should |
+ | | | assign a good nickname to a |
+ | | | certificate when importing it, |
+ | | | making it easier for you to |
+ | | | refer to it later. |
+ | | | It should be noted that the |
+ | | | first database format that can |
+ | | | be accessed simultaneously by |
+ | | | multiple applications is |
+ | | | key4.db/cert9.db – database |
+ | | | files with lower numbers will |
+ | | | most likely experience |
+ | | | unrecoverable corruption if |
+ | | | you access them with multiple |
+ | | | applications at the same time. |
+ | | | In other words, if your |
+ | | | browser or your server |
+ | | | operates on an older NSS |
+ | | | database format, don't use the |
+ | | | NSS tools to operate on it |
+ | | | while the other software is |
+ | | | executing. At the time of |
+ | | | writing NSS and the Mozilla |
+ | | | applications still use the |
+ | | | older database file format by |
+ | | | default, where each |
+ | | | application has its own NSS |
+ | | | database. |
+ | | | If you require a copy of a |
+ | | | certificate stored in an NSS |
+ | | | database, including its |
+ | | | private key, you can use |
+ | | | pk12util to export it to the |
+ | | | PKCS#12 file format. If you |
+ | | | require it in PEM format, you |
+ | | | could use the openssl pkcs12 |
+ | | | command (that's not NSS) to |
+ | | | convert the PKCS#12 file to |
+ | | | PEM. |
+ | | | This line is a placeholder for |
+ | | | how to prepare a database, how |
+ | | | to dump a cert, and how to |
+ | | | convert data. |
+ | | | You might have been motivated |
+ | | | to work with NSS because it is |
+ | | | used by the Mozilla |
+ | | | applications such as Firefox, |
+ | | | Thunderbird, etc. If you build |
+ | | | the Mozilla application, it |
+ | | | will automatically build the |
+ | | | NSS library, too. However, if |
+ | | | you want to work with the NSS |
+ | | | command line tools, you will |
+ | | | have to follow the standalone |
+ | | | NSS build instructions, and |
+ | | | build NSS outside of the |
+ | | | Mozilla application sources. |
+ | | | The key database file will |
+ | | | contain at least one symmetric |
+ | | | key, which NSS will |
+ | | | automatically create on |
+ | | | demand, and which will be used |
+ | | | to protect your secret |
+ | | | (private) keys. The symmetric |
+ | | | key can be protected with PBE |
+ | | | by setting a master password |
+ | | | on the database. As soon as |
+ | | | you set a master password, an |
+ | | | attacker stealing your key |
+ | | | database will no longer be |
+ | | | able to get access to your |
+ | | | private key, unless the |
+ | | | attacker would also succeed in |
+ | | | stealing the master password. |
+ | | | Now you might be interest in |
+ | | | how to get the |
+ | | | :ref:`mozilla_projects_nss |
+ | | | _nss_sources_building_testing` |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 3 | :ref:`mozill | **NSS** |
+ | | a_projects_nss_blank_function` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | One-line description of what |
+ | | | the function does (more than |
+ | | | just what it returns). |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 4 | :ref:` | **Guide, NSS, Security** |
+ | | mozilla_projects_nss_building` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This page has detailed |
+ | | | information on how to build |
+ | | | NSS. Because NSS is a |
+ | | | cross-platform library that |
+ | | | builds on many different |
+ | | | platforms and has many |
+ | | | options, it may be complex to |
+ | | | build. Please read these |
+ | | | instructions carefully before |
+ | | | attempting to build. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 5 | :ref:`mozilla_projec | **NSS** |
+ | | ts_nss_cert_findcertbydercert` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Find a certificate in the |
+ | | | database that matches a |
+ | | | DER-encoded certificate. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 6 | :ref:`mozilla_projects_n | **NSS** |
+ | | ss_cert_findcertbyissuerandsn` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Find a certificate in the |
+ | | | database with the given issuer |
+ | | | and serial number. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 7 | :r | **NSS** |
+ | | ef:`mozilla_projects_nss_certi | |
+ | | ficate_download_specification` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This document describes the |
+ | | | data formats used by NSS 3.x |
+ | | | for installing certificates. |
+ | | | This document is currently |
+ | | | being revised and has not yet |
+ | | | been reviewed for accuracy. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 8 | :ref:`mozilla_proje | **NSS** |
+ | | cts_nss_certificate_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The public functions listed |
+ | | | here are used to interact with |
+ | | | certificate databases. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 9 | :ref:`mozill | **NSS** |
+ | | a_projects_nss_certverify_log` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | All the NSS verify functions |
+ | | | except, the \*VerifyNow() |
+ | | | functions, take a parameter |
+ | | | called 'CERTVerifyLog'. If you |
+ | | | supply the log parameter, NSS |
+ | | | will continue chain validation |
+ | | | after each error . The log |
+ | | | tells you what the problem was |
+ | | | with the chain and what |
+ | | | certificate in the chain |
+ | | | failed. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 10 | :ref:`mozil | **NSS** |
+ | | la_projects_nss_code_coverage` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 11 | :ref:`mozilla_projec | **NSS** |
+ | | ts_nss_cryptography_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The public functions listed |
+ | | | here perform cryptographic |
+ | | | operations based on the PKCS |
+ | | | #11 interface. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 12 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_deprecated_ssl_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The following SSL functions |
+ | | | have been replaced with newer |
+ | | | versions. The deprecated |
+ | | | functions are not supported by |
+ | | | the new SSL shared libraries. |
+ | | | Applications that want to use |
+ | | | the SSL shared libraries must |
+ | | | convert to calling the new |
+ | | | replacement functions listed |
+ | | | below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 13 | :ref:`mozil | **Decrypt, Encryption, |
+ | | la_projects_nss_encrypt_decryp | Example, NSS, Sample code** |
+ | | t_mac_keys_as_session_objects` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Generates encryption/mac keys |
+ | | | and uses session objects. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 14 | :ref:`mozilla_projects_nss_en | **Example, Intermediate, |
+ | | crypt_decrypt_mac_using_token` | Mozilla, NSS** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Generates encryption/mac keys |
+ | | | and uses token for storing. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 15 | : | **NSS, NeedsUpdate** |
+ | | ref:`mozilla_projects_nss_faq` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | NSS is set of libraries, APIs, |
+ | | | utilities, and documentation |
+ | | | designed to support |
+ | | | cross-platform development of |
+ | | | security-enabled client and |
+ | | | server applications. It |
+ | | | provides a complete |
+ | | | open-source implementation of |
+ | | | the crypto libraries used by |
+ | | | Mozilla and other companies in |
+ | | | the Firefox browser, AOL |
+ | | | Instant Messenger (AIM), |
+ | | | server products from Red Hat, |
+ | | | and other products. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 16 | :ref:`mozilla_projects_n | **NSS** |
+ | | ss_fips_mode_-_an_explanation` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | NSS has a "FIPS Mode" that can |
+ | | | be enabled when NSS is |
+ | | | compiled in a specific way. |
+ | | | (Note: Mozilla does not |
+ | | | distribute a "FIPS Mode"-ready |
+ | | | NSS with Firefox.) This page |
+ | | | attempts to provide an |
+ | | | informal explanation of what |
+ | | | it is, who would use it, and |
+ | | | why. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 17 | :ref:`mozilla_projects | **Samples WIP** |
+ | | _nss_getting_started_with_nss` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) is a base library for |
+ | | | cryptographic algorithms and |
+ | | | secure network protocols used |
+ | | | by Mozilla software. |
+ | | | Would you like to get involved |
+ | | | and help us to improve the |
+ | | | core security of Mozilla |
+ | | | Firefox and other applications |
+ | | | that make use of NSS? We are |
+ | | | looking forward to your |
+ | | | contributions! |
+ | | | We have a large list of tasks |
+ | | | waiting for attention, and we |
+ | | | are happy to assist you in |
+ | | | identifying areas that match |
+ | | | your interest or skills. You |
+ | | | can find us on `Mozilla |
+ | | | IRC <https://developer.mo |
+ | | | zilla.org/en-US/docs/Mozilla/Q |
+ | | | A/Getting_Started_with_IRC>`__ |
+ | | | in channel |
+ | | | `#nss < |
+ | | | https://chat.mozilla.org/#/room/#nss:mozilla.org>`__ |
+ | | | or you could ask your |
+ | | | questions on the |
+ | | | `mozilla.dev.tech.cry |
+ | | | pto <https://lists.mozilla.org |
+ | | | /listinfo/dev-tech-crypto/>`__ |
+ | | | newsgroup. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 18 | :ref:`mozilla_proje | **Advanced, Guide, NSS** |
+ | | cts_nss_http_delegation_clone` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Up to version 3.11, |
+ | | | :ref:`mozilla_projects_nss` |
+ | | | connects directly over |
+ | | | `HTTP <https://developer.mozil |
+ | | | la.org/en-US/docs/Web/HTTP>`__ |
+ | | | to an OCSP responder to make |
+ | | | the request and fetch the |
+ | | | response. It does so in a |
+ | | | blocking fashion, and also |
+ | | | directly to the responder, |
+ | | | ignoring any proxy the |
+ | | | application may wish to use. |
+ | | | This causes OCSP requests to |
+ | | | fail if the network |
+ | | | environment requires the use |
+ | | | of a proxy. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 19 | :ref:`mozilla | **Advanced, Guide, NSS** |
+ | | _projects_nss_http_delegation` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Up to version 3.11, |
+ | | | :ref:`mozilla_projects_nss` |
+ | | | connects directly over |
+ | | | `HTTP <https://developer.mozil |
+ | | | la.org/en-US/docs/Web/HTTP>`__ |
+ | | | to an OCSP responder to make |
+ | | | the request and fetch the |
+ | | | response. It does so in a |
+ | | | blocking fashion, and also |
+ | | | directly to the responder, |
+ | | | ignoring any proxy the |
+ | | | application may wish to use. |
+ | | | This causes OCSP requests to |
+ | | | fail if the network |
+ | | | environment requires the use |
+ | | | of a proxy. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 20 | :ref:`moz | **Introduction, Mozilla, NSS** |
+ | | illa_projects_nss_introduction | |
+ | | _to_network_security_services` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | **Network Security Services |
+ | | | (NSS)** is a set of libraries |
+ | | | designed to support |
+ | | | cross-platform development of |
+ | | | communications applications |
+ | | | that support SSL, S/MIME, and |
+ | | | other Internet security |
+ | | | standards. For a general |
+ | | | overview of NSS and the |
+ | | | standards it supports, see |
+ | | | :ref:`m |
+ | | | ozilla_projects_nss_overview`. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 21 | :ref:`mozilla_project | **D** |
+ | | s_nss_jss_4_4_0_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Java Security Services |
+ | | | (JSS) team has released JSS |
+ | | | 4.4.0, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 22 | : | **Guide, JSS, NSS, |
+ | | ref:`mozilla_projects_nss_jss` | NeedsMigration** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | **The JSS project has been |
+ | | | relocated!** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 23 | :ref:`mozilla_proj | **JSS, NSS** |
+ | | ects_nss_jss_4_3_releasenotes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services for |
+ | | | Java (JSS) 4.3 is a minor |
+ | | | release with the following new |
+ | | | features: |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 24 | :ref:`mozilla_project | **JSS, NSPR, NSS** |
+ | | s_nss_jss_4_3_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services for |
+ | | | Java (JSS) 4.3.1 is a minor |
+ | | | release with the following new |
+ | | | features: |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 25 | :ref | **JSS** |
+ | | :`mozilla_projects_nss_jss_bui | |
+ | | ld_instructions_for_jss_4_3_x` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 26 | :ref | **JSS** |
+ | | :`mozilla_projects_nss_jss_bui | |
+ | | ld_instructions_for_jss_4_4_x` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 27 | :ref:`moz | **JSS** |
+ | | illa_projects_nss_jss_jss_faq` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech.cry |
+ | | | pto <news://news.mozilla.org:1 |
+ | | | 19/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 28 | :ref:`mozilla_projec | **Crypto, JSS, Security** |
+ | | ts_nss_jss_jss_provider_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This page has been moved to |
+ | | | http://www.do |
+ | | | gtagpki.org/wiki/JSS_Provider. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 29 | :r | |
+ | | ef:`mozilla_projects_nss_jss_m | |
+ | | ozilla-jss_jca_provider_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | * |
+ | | | Newsgroup:*\ `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 30 | :ref:`mozil | **JSS** |
+ | | la_projects_nss_jss_using_jss` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *News |
+ | | | group:*\ `mozilla.dev.tech.cry |
+ | | | pto <news://news.mozilla.org:1 |
+ | | | 19/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 31 | :ref:`mozill | |
+ | | a_projects_nss_key_log_format` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Key logs can be written by NSS |
+ | | | so that external programs can |
+ | | | decrypt TLS connections. |
+ | | | Wireshark 1.6.0 and above can |
+ | | | use these log files to decrypt |
+ | | | packets. You can tell |
+ | | | Wireshark where to find the |
+ | | | key file via |
+ | | | *Edit→Preferences→Pro |
+ | | | tocols→TLS→(Pre)-Master-Secret |
+ | | | log filename*. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 32 | :ref:`mozilla_p | **NSS** |
+ | | rojects_nss_memory_allocation` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | NSS makes extensive use of |
+ | | | NSPR's PLArenaPools for memory |
+ | | | allocation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 33 | :ref:`mozilla_pr | |
+ | | ojects_nss_modutil-tasks_html` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 34 | :ref:`mozilla | **Example** |
+ | | _projects_nss_new_nss_samples` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This collection of sample code |
+ | | | demonstrates how NSS can be |
+ | | | used for cryptographic |
+ | | | operations, certificate |
+ | | | handling, SSL, etc. It also |
+ | | | demonstrates some best |
+ | | | practices in the application |
+ | | | of cryptography. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 35 | :ref:`moz | **Gecko, NSS, Security** |
+ | | illa_projects_nss_notes_on_tls | |
+ | | _-_ssl_3_0_intolerant_servers` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | A number of Netscape 6.x/7.x |
+ | | | and Mozilla users have |
+ | | | reported that some secure |
+ | | | sites -- typically sites |
+ | | | featuring online transactions |
+ | | | or online banking over the |
+ | | | HTTPS protocol -- do not |
+ | | | display any content at all. |
+ | | | The connection seems |
+ | | | terminated and a blank page is |
+ | | | displayed. This is the main |
+ | | | symptom of the problem when |
+ | | | Mozilla based browsers |
+ | | | encounter TLS/SSL 3.0 |
+ | | | intolerant servers. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 36 | :ref:`mozilla_projects_nss_n | |
+ | | ss_3_11_10_release_notes_html` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: <ahref="news: |
+ | | | mozilla.dev.tech.crypto"="" |
+ | | | news.mozilla.org="">mozilla. |
+ | | | dev.tech.crypto</ahref="news:> |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 37 | :ref:`mozilla_projects_ns | |
+ | | s_nss_3_12_release_notes_html` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 38 | :ref:`mozilla_projects_nss_ | |
+ | | nss_3_12_1_release_notes_html` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 39 | :ref:`mozilla_projects_nss_ | |
+ | | nss_3_12_2_release_notes_html` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 40 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_12_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 41 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_12_4_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.12.4 is a patch |
+ | | | release for NSS 3.12. The bug |
+ | | | fixes in NSS 3.12.4 are |
+ | | | described in the "`Bugs |
+ | | | Fixed <#bugsfixed>`__" section |
+ | | | below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 42 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_12_5_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.12.5 is a patch |
+ | | | release for NSS 3.12. The bug |
+ | | | fixes in NSS 3.12.5 are |
+ | | | described in the "`Bugs |
+ | | | Fixed <https |
+ | | | ://dev.mozilla.jp/localmdc/loc |
+ | | | almdc_5125.html#bugsfixed>`__" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 43 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_12_6_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.12.6 is a patch |
+ | | | release for NSS 3.12. The bug |
+ | | | fixes in NSS 3.12.6 are |
+ | | | described in the "`Bugs |
+ | | | Fixed <http://md |
+ | | | n.beonex.com/en/NSS_3.12.6_rel |
+ | | | ease_notes.html#bugsfixed>`__" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 44 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_nss_3_12_9_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.12.9 is a patch |
+ | | | release for NSS 3.12. The bug |
+ | | | fixes in NSS 3.12.9 are |
+ | | | described in the "\ `Bugs |
+ | | | Fixed <#bugsfixed>`__" section |
+ | | | below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 45 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_14_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.14, which is a minor |
+ | | | release with the following new |
+ | | | features: |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 46 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_14_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.14.1 is a patch |
+ | | | release for NSS 3.14. The bug |
+ | | | fixes in NSS 3.14.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 47 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_14_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.14.2 is a patch |
+ | | | release for NSS 3.14. The bug |
+ | | | fixes in NSS 3.14.2 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. NSS 3.14.2 |
+ | | | should be used with NSPR 4.9.5 |
+ | | | or newer. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 48 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_14_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.14.3 is a patch |
+ | | | release for NSS 3.14. The bug |
+ | | | fixes in NSS 3.14.3 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 49 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_14_4_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.14.4 is a patch |
+ | | | release for NSS 3.14. The bug |
+ | | | fixes in NSS 3.14.4 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 50 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_14_5_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.14.5 is a patch |
+ | | | release for NSS 3.14. The bug |
+ | | | fixes in NSS 3.14.5 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 51 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_15_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.15, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 52 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_15_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.15.1 is a patch |
+ | | | release for NSS 3.15. The bug |
+ | | | fixes in NSS 3.15.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 53 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_15_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.15.2 is a patch |
+ | | | release for NSS 3.15. The bug |
+ | | | fixes in NSS 3.15.2 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 54 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_15_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.15.3 is a patch |
+ | | | release for NSS 3.15. The bug |
+ | | | fixes in NSS 3.15.3 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 55 | :ref:`mozilla_projects_n | |
+ | | ss_nss_3_15_3_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.15.3.1 is a patch |
+ | | | release for NSS 3.15. The bug |
+ | | | fixes in NSS 3.15.3.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 56 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_15_4_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.15.4 is a patch |
+ | | | release for NSS 3.15. The bug |
+ | | | fixes in NSS 3.15.4 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 57 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_15_5_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.15.5 is a patch |
+ | | | release for NSS 3.15. The bug |
+ | | | fixes in NSS 3.15.5 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 58 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_16_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.16, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 59 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_16_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.16.1 is a patch |
+ | | | release for NSS 3.16. The bug |
+ | | | fixes in NSS 3.16.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 60 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_16_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.16.2 is a patch |
+ | | | release for NSS 3.16. The bug |
+ | | | fixes in NSS 3.16.2 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 61 | :ref:`mozilla_projects_n | **Reference, Security** |
+ | | ss_nss_3_16_2_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.16.2.1 is a patch |
+ | | | release for NSS 3.16, based on |
+ | | | the NSS 3.16.2 release. The |
+ | | | bug fixes in NSS 3.16.2.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 62 | :ref:`mozilla_projects_n | **Reference, Security** |
+ | | ss_nss_3_16_2_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.16.2.2 is a patch |
+ | | | release for NSS 3.16. The bug |
+ | | | fixes in NSS 3.16.2.2 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 63 | :ref:`mozilla_projects_n | **Reference, Security** |
+ | | ss_nss_3_16_2_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.16.2.3 is a patch |
+ | | | release for NSS 3.16. The bug |
+ | | | fixes in NSS 3.16.2.3 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 64 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_16_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.16.3 is a patch |
+ | | | release for NSS 3.16. The bug |
+ | | | fixes in NSS 3.16.3 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 65 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_16_4_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.16.4 is a patch |
+ | | | release for NSS 3.16. The bug |
+ | | | fixes in NSS 3.16.4 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 66 | :ref:`mozilla_projects | **Reference, Security** |
+ | | _nss_nss_3_16_5_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.16.5 is a patch |
+ | | | release for NSS 3.16. The bug |
+ | | | fixes in NSS 3.16.5 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 67 | :ref:`mozilla_projects | **Reference, Security** |
+ | | _nss_nss_3_16_6_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.16.6 is a patch |
+ | | | release for NSS 3.16. The bug |
+ | | | fixes in NSS 3.16.6 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 68 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_17_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.17, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 69 | :ref:`mozilla_projects | **Reference, Security** |
+ | | _nss_nss_3_17_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.17.1 is a patch |
+ | | | release for NSS 3.17. The bug |
+ | | | fixes in NSS 3.17.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 70 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_17_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.17.2 is a patch |
+ | | | release for NSS 3.17. The bug |
+ | | | fixes in NSS 3.17.2 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 71 | :ref:`mozilla_projects | **Guide, NSS, Security** |
+ | | _nss_nss_3_17_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.17.3 is a patch |
+ | | | release for NSS 3.17. The bug |
+ | | | fixes in NSS 3.17.3 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 72 | :ref:`mozilla_projects | **Guide, NSS, Security** |
+ | | _nss_nss_3_17_4_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.17.4 is a patch |
+ | | | release for NSS 3.17. The bug |
+ | | | fixes in NSS 3.17.4 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 73 | :ref:`mozilla_projec | **Guide, NSS, NeedsContent, |
+ | | ts_nss_nss_3_18_release_notes` | Security** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.18, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 74 | :ref:`mozilla_projects | **Networking, Security** |
+ | | _nss_nss_3_18_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.18.1 is a patch |
+ | | | release for NSS 3.18. The bug |
+ | | | fixes in NSS 3.18.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 75 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_19_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.19, which is a minor |
+ | | | security release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 76 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_19_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.19.1 is a security |
+ | | | release for NSS 3.19. The bug |
+ | | | fixes in NSS 3.19.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 77 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_19_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.19.2 is a patch |
+ | | | release for NSS 3.19 that |
+ | | | addresses compatibility issues |
+ | | | in NSS 3.19.1. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 78 | :ref:`mozilla_projects_n | |
+ | | ss_nss_3_19_2_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.19.2.1 is a patch |
+ | | | release for NSS 3.19.2. The |
+ | | | bug fixes in NSS 3.19.2.1 are |
+ | | | described in the "Security |
+ | | | Advisories" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 79 | :ref:`mozilla_projects_n | |
+ | | ss_nss_3_19_2_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.19.2.2 is a security |
+ | | | patch release for NSS 3.19.2. |
+ | | | The bug fixes in NSS 3.19.2.2 |
+ | | | are described in the "Security |
+ | | | Fixes" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 80 | :ref:`mozilla_projects_n | |
+ | | ss_nss_3_19_2_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.19.2.3 is a security |
+ | | | patch release for NSS 3.19.2. |
+ | | | The bug fixes in NSS 3.19.2.3 |
+ | | | are described in the "Security |
+ | | | Fixes" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 81 | :ref:`mozilla_projects_n | **NSS** |
+ | | ss_nss_3_19_2_4_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.19.2.4 is a security |
+ | | | patch release for NSS 3.19.2. |
+ | | | The bugs fixed in NSS 3.19.2.4 |
+ | | | are described in the "Security |
+ | | | Fixes" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 82 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_19_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.19.3 is a patch |
+ | | | release for NSS 3.19. The bug |
+ | | | fixes in NSS 3.19.3 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 83 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_19_4_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.19.4 is a patch |
+ | | | release for NSS 3.19. The bug |
+ | | | fixes in NSS 3.19.4 are |
+ | | | described in the "Security |
+ | | | Advisories" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 84 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_20_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.20, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 85 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_20_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.20.1 is a patch |
+ | | | release for NSS 3.20. The bug |
+ | | | fixes in NSS 3.20.1 are |
+ | | | described in the "Security |
+ | | | Advisories" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 86 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_20_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.20.2 is a security |
+ | | | patch release for NSS 3.20. |
+ | | | The bug fixes in NSS 3.20.2 |
+ | | | are described in the "Security |
+ | | | Fixes" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 87 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_21_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | 2016-01-07, this page has been |
+ | | | updated to include additional |
+ | | | information about the release. |
+ | | | The sections "Security Fixes" |
+ | | | and "Acknowledgements" have |
+ | | | been added. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 88 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_21_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.21.1 is a security |
+ | | | patch release for NSS 3.21. |
+ | | | The bug fixes in NSS 3.21.1 |
+ | | | are described in the "Security |
+ | | | Fixes" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 89 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_21_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.21.2 is a security |
+ | | | patch release for NSS 3.21.1. |
+ | | | The bug fixes in NSS 3.21.2 |
+ | | | are described in the "Security |
+ | | | Fixes" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 90 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_21_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.21.3 is a security |
+ | | | patch release for NSS 3.21.2. |
+ | | | The bug fixes in NSS 3.21.3 |
+ | | | are described in the "Security |
+ | | | Fixes" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 91 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_21_4_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.21.4 is a security |
+ | | | patch release for NSS 3.21. |
+ | | | The bug fixes in NSS 3.21.4 |
+ | | | are described in the "Bugs |
+ | | | Fixed" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 92 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_22_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.22, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 93 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_22_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.22.1 is a patch |
+ | | | release for NSS 3.22. The bug |
+ | | | fixes in NSS 3.22.1 are |
+ | | | described in the "Notable |
+ | | | Changes" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 94 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_22_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.22.2 is a security |
+ | | | patch release for NSS 3.22. |
+ | | | The bug fixes in NSS 3.22.2 |
+ | | | are described in the "Security |
+ | | | Fixes" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 95 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_22_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.22.3 is a patch |
+ | | | release for NSS 3.22. The bug |
+ | | | fixes in NSS 3.22.3 are |
+ | | | described in the "Bugs fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 96 | :ref:`mozilla_projec | **Networking, Security** |
+ | | ts_nss_nss_3_23_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.23, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 97 | :ref:`mozilla_projec | **NSS, Release Notes** |
+ | | ts_nss_nss_3_24_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.24, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 98 | :ref:`mozilla_projec | **NSS, Release Notes** |
+ | | ts_nss_nss_3_25_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.25, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 99 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_25_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.25.1 is a patch |
+ | | | release for NSS 3.25. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 100 | :ref:`mozilla_projec | **NSS, Release Notes** |
+ | | ts_nss_nss_3_26_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.26, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 101 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_26_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.26.2 is a patch |
+ | | | release for NSS 3.26. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 102 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_27_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.27, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 103 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_27_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.27.1 is a patch |
+ | | | release for NSS 3.27. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 104 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_27_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.27.2 is a patch |
+ | | | release for NSS 3.27. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 105 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_28_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.28, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 106 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_28_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.28.1 is a patch |
+ | | | release for NSS 3.28. The bug |
+ | | | fixes in NSS 3.28.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 107 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_28_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.28.2 is a patch |
+ | | | release for NSS 3.28. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 108 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_28_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.28.3 is a patch |
+ | | | release for NSS 3.28. The bug |
+ | | | fixes in NSS 3.28.3 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 109 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_28_4_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.28.4 is a security |
+ | | | patch release for NSS 3.28. |
+ | | | The bug fixes in NSS 3.28.4 |
+ | | | are described in the "Bugs |
+ | | | Fixed" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 110 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_28_5_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.28.5 is a patch |
+ | | | release for NSS 3.28. The bug |
+ | | | fixes in NSS 3.28.5 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 111 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_29_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.29, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 112 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_29_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.29.1 is a patch |
+ | | | release for NSS 3.29. The bug |
+ | | | fixes in NSS 3.29.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 113 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_29_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.29.2 is a patch |
+ | | | release for NSS 3.29. The bug |
+ | | | fixes in NSS 3.29.2 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 114 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_29_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.29.3 is a patch |
+ | | | release for NSS 3.29. The bug |
+ | | | fixes in NSS 3.29.3 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 115 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_29_5_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.29.5 is a security |
+ | | | patch release for NSS 3.29. |
+ | | | The bug fixes in NSS 3.29.5 |
+ | | | are described in the "Bugs |
+ | | | Fixed" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 116 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_30_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.30, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 117 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_30_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.30.1 is a security |
+ | | | patch release for NSS 3.30. |
+ | | | The bug fixes in NSS 3.30.1 |
+ | | | are described in the "Bugs |
+ | | | Fixed" section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 118 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_30_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.30.2 is a patch |
+ | | | release for NSS 3.30. The bug |
+ | | | fixes in NSS 3.30.2 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 119 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_31_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.31, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 120 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_31_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.31.1, which is a patch |
+ | | | release for NSS 3.31. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 121 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_32_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.32, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 122 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_33_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.33, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 123 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_34_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.34, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 124 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_34_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Network Security Services |
+ | | | (NSS) team has released NSS |
+ | | | 3.34.1, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 125 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_35_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.35, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 126 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_36_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.36, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 127 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_36_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.36.1 is a patch |
+ | | | release for NSS 3.36. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 128 | :ref:`mozilla_projects | **NSS, Release Notes** |
+ | | _nss_nss_3_36_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.36.2 is a patch |
+ | | | release for NSS 3.36. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 129 | :ref:`mozilla_projects | **NSS, Release Notes** |
+ | | _nss_nss_3_36_4_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.36.4 is a patch |
+ | | | release for NSS 3.36. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 130 | :ref:`mozilla_projects | **Mozilla, NSS, Release |
+ | | _nss_nss_3_36_5_release_notes` | Notes** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.36.5 is a patch |
+ | | | release for NSS 3.36. The bug |
+ | | | fixes in NSS 3.36.5 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 131 | :ref:`mozilla_projects | **Mozilla, NSS, Release |
+ | | _nss_nss_3_36_6_release_notes` | Notes** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.36.6 is a patch |
+ | | | release for NSS 3.36. The bug |
+ | | | fixes in NSS 3.36.6 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 132 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_36_7_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.36.7 is a patch |
+ | | | release for NSS 3.36. The bug |
+ | | | fixes in NSS 3.36.7 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. It was released |
+ | | | on 19 January 2019. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 133 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_36_8_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.36.8 is a patch |
+ | | | release for NSS 3.36. The bug |
+ | | | fixes in NSS 3.36.8 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. It was released |
+ | | | on 21 June 2019. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 134 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_37_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.37, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 135 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_37_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.37.1 is a patch |
+ | | | release for NSS 3.37. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 136 | :ref:`mozilla_project | |
+ | | s_nss_nss_3_37_3release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.37.3 is a patch |
+ | | | release for NSS 3.37. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 137 | :ref:`mozilla_projec | **Mozilla, NSS, Release |
+ | | ts_nss_nss_3_38_release_notes` | Notes** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.38, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 138 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_39_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.39, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 139 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_40_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.40, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 140 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_40_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.40.1, which is a patch |
+ | | | release for NSS 3.40 |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 141 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_41_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.41 on 7 December 2018, |
+ | | | which is a minor release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 142 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_41_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.41.1 is a patch |
+ | | | release for NSS 3.41. The bug |
+ | | | fixes in NSS 3.41.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. It was released |
+ | | | on 22 January 2019. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 143 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_42_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.42 on 25 January 2019, |
+ | | | which is a minor release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 144 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_42_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.42.1 on 31 January |
+ | | | 2019, which is a patch |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 145 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_43_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.43 on 16 March 2019, |
+ | | | which is a minor release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 146 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_44_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.44 on 10 May 2019, |
+ | | | which is a minor release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 147 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_44_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.44.1 is a patch |
+ | | | release for NSS 3.44. The bug |
+ | | | fixes in NSS 3.44.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. It was released |
+ | | | on 21 June 2019. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 148 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_44_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.44.2 is a patch |
+ | | | release for NSS 3.44. The bug |
+ | | | fixes in NSS 3.44.2 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. It was released |
+ | | | on 2 October 2019. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 149 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_44_3_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.44.3 is a patch |
+ | | | release for NSS 3.44. The bug |
+ | | | fixes in NSS 3.44.3 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. It was released |
+ | | | on 19 November 2019. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 150 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_44_4_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.44.4 on **19 May |
+ | | | 2020**. This is a security |
+ | | | patch release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 151 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_45_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.45 on **5 July 2019**, |
+ | | | which is a minor release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 152 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_46_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.46 on **30 August |
+ | | | 2019**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 153 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_46_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.46.1 is a patch |
+ | | | release for NSS 3.46. The bug |
+ | | | fixes in NSS 3.46.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. It was released |
+ | | | on 2 October 2019. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 154 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_47_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.47 on **18 October |
+ | | | 2019**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 155 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_47_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.47.1 is a patch |
+ | | | release for NSS 3.47. The bug |
+ | | | fixes in NSS 3.47.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. It was released |
+ | | | on 19 November 2019. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 156 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_48_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.48 on **5 December |
+ | | | 2019**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 157 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_48_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.48.1 is a patch |
+ | | | release for NSS 3.48. The bug |
+ | | | fixes in NSS 3.48.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. It was released |
+ | | | on **13 January 2020**. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 158 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_49_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.49 on **3 January |
+ | | | 2020**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 159 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_49_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.49.1 is a patch |
+ | | | release for NSS 3.49. The bug |
+ | | | fixes in NSS 3.49.1 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. It was released |
+ | | | on **13 January 2020**. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 160 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_49_2_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.49.2 is a patch |
+ | | | release for NSS 3.49. The bug |
+ | | | fixes in NSS 3.49.2 are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. It was released |
+ | | | on **23 January 2020**. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 161 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_50_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.50 on **7 February |
+ | | | 2020**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 162 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_51_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.51 on **6 March |
+ | | | 2020**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 163 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_51_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.51.1 on **3 April |
+ | | | 2020**. This is a minor |
+ | | | release focusing on functional |
+ | | | bug fixes and low-risk patches |
+ | | | only. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 164 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_52_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.52 on **1 May 2020**. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 165 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_52_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.52.1 on **19 May |
+ | | | 2020**. This is a security |
+ | | | patch release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 166 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_53_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team released Network |
+ | | | Security Services (NSS) 3.53 |
+ | | | on **29 May 2020**. NSS 3.53 |
+ | | | will be a long-term support |
+ | | | release, supporting Firefox 78 |
+ | | | ESR. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 167 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_53_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.53.1 on **16 June |
+ | | | 2020**. This is a security |
+ | | | patch release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 168 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_54_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.54 on **26 June |
+ | | | 2020**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 169 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_55_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.55 on **24 July |
+ | | | 2020**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 170 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_56_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.56 on **21 August |
+ | | | 2020**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 171 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_57_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.57 on **18 September |
+ | | | 2020**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 172 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_58_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.58 on **16 October |
+ | | | 2020**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 173 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_59_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.59 on **13 November |
+ | | | 2020**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 174 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_59_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.59.1 on **18 December |
+ | | | 2020**, which is a patch |
+ | | | release for NSS 3.59. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 175 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_60_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.60 on **11 December |
+ | | | 2020**, which is a minor |
+ | | | release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 176 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_60_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team released Network |
+ | | | Security Services (NSS) 3.60.1 |
+ | | | on **4 January 2021**, which |
+ | | | is a patch release for NSS |
+ | | | 3.60. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 177 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_61_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team released Network |
+ | | | Security Services (NSS) 3.61 |
+ | | | on **22 January 2021**, which |
+ | | | is a minor release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 178 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_62_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team released Network |
+ | | | Security Services (NSS) 3.62 |
+ | | | on **19 February 2021**, which |
+ | | | is a minor release. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 179 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_63_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.63 was released on |
+ | | | **18 March 2021**. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 180 | :ref:`mozilla_projects | |
+ | | _nss_nss_3_63_1_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.63.1 was released on |
+ | | | **6 April 2021**. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 181 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_3_64_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Network Security Services |
+ | | | (NSS) 3.64 was released on |
+ | | | **15 April 2021**. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 182 | :ref:`mozilla_pr | |
+ | | ojects_nss_nss_api_guidelines` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 183 | :ref:`mozilla_pr | |
+ | | ojects_nss_nss_config_options` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The specified ciphers will be |
+ | | | allowed by policy, but an |
+ | | | application may allow more by |
+ | | | policy explicitly: |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 184 | :ref:`mozilla_projec | **NSS, Tutorial** |
+ | | ts_nss_nss_developer_tutorial` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | **Line length** should not |
+ | | | exceed 80 characters. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 185 | :ref:`mozilla_projects_n | |
+ | | ss_nss_release_notes_template` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS team has released |
+ | | | Network Security Services |
+ | | | (NSS) 3.XX, which is a minor |
+ | | | release. |
+ | | | or |
+ | | | Network Security Services |
+ | | | (NSS) 3.XX.y is a patch |
+ | | | release for NSS 3.XX. The bug |
+ | | | fixes in NSS 3.XX.y are |
+ | | | described in the "Bugs Fixed" |
+ | | | section below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 186 | :ref:`mozi | **Landing, Mozilla, NSS, |
+ | | lla_projects_nss_nss_releases` | Networking, Project, Release |
+ | | | Notes, Security** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The current **Stable** release |
+ | | | of NSS is 3.64, which was |
+ | | | released on **15 April 2021**. |
+ | | | (:ref:`mozilla_project |
+ | | | s_nss_nss_3_64_release_notes`) |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 187 | :ref:`mozilla | **Example** |
+ | | _projects_nss_nss_sample_code` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The collection of sample code |
+ | | | here demonstrates how NSS can |
+ | | | be used for cryptographic |
+ | | | operations, certificate |
+ | | | handling, SSL, etc. It also |
+ | | | demonstrates some best |
+ | | | practices in the application |
+ | | | of cryptography. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 188 | :ref:`mozilla_projec | |
+ | | ts_nss_nss_sample_code_enc_dec | |
+ | | _mac_output_plblic_key_as_csr` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Generates encryption/mac keys |
+ | | | and outputs public key as |
+ | | | certificate signing request |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 189 | :ref:`mozilla_projects_nss_ns | |
+ | | s_sample_code_enc_dec_mac_usin | |
+ | | g_key_wrap_certreq_pkcs10_csr` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Generates encryption/mac keys |
+ | | | and outputs public key as |
+ | | | pkcs11 certificate signing |
+ | | | request |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 190 | :ref:`mozilla_p | |
+ | | rojects_nss_nss_sample_code_en | |
+ | | crypt_decrypt_mac_using_token` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Generates encryption/mac keys |
+ | | | and uses token for storing. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 191 | :ref:`mozilla_pr | **Examples, NSS, Security** |
+ | | ojects_nss_nss_sample_code_nss | |
+ | | _sample_code_sample_1_hashing` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This is an example program |
+ | | | that demonstrates how to |
+ | | | compute the hash of a file and |
+ | | | save it to another file. This |
+ | | | program illustrates the use of |
+ | | | NSS message APIs. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 192 | :ref:`mozilla_projects_nss_nss | **Examples, NSS, Security** |
+ | | _sample_code_nss_sample_code_s | |
+ | | ample_2_initialization_of_nss` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This example program |
+ | | | demonstrates how to initialize |
+ | | | the NSS Database. This |
+ | | | program illustrates password |
+ | | | handling. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 193 | :ref | **Examples, NSS, Security** |
+ | | :`mozilla_projects_nss_nss_sam | |
+ | | ple_code_nss_sample_code_sampl | |
+ | | e_3_basic_encryption_and_maci` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This example program |
+ | | | demonstrates how to encrypt |
+ | | | and MAC a file. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 194 | :ref:`m | |
+ | | ozilla_projects_nss_nss_sample | |
+ | | _code_nss_sample_code_sample1` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This is an example program |
+ | | | that demonstrates how to do |
+ | | | key generation and transport |
+ | | | between cooperating servers. |
+ | | | This program shows the |
+ | | | following: |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 195 | :ref:`m | |
+ | | ozilla_projects_nss_nss_sample | |
+ | | _code_nss_sample_code_sample2` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 196 | :ref:`m | |
+ | | ozilla_projects_nss_nss_sample | |
+ | | _code_nss_sample_code_sample3` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 197 | :ref:`m | |
+ | | ozilla_projects_nss_nss_sample | |
+ | | _code_nss_sample_code_sample4` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 198 | :ref:`m | |
+ | | ozilla_projects_nss_nss_sample | |
+ | | _code_nss_sample_code_sample5` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 199 | :ref:`m | |
+ | | ozilla_projects_nss_nss_sample | |
+ | | _code_nss_sample_code_sample6` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 200 | :ref:`mozil | **Examples, NSS, Security** |
+ | | la_projects_nss_nss_sample_cod | |
+ | | e_nss_sample_code_utililies_1` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This is a library of utilities |
+ | | | used by many of the samples. |
+ | | | This code shows the following: |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 201 | : | **HTML, Hashing Sample, |
+ | | ref:`mozilla_projects_nss_nss_ | JavaScript, NSS, Web |
+ | | sample_code_sample1_-_hashing` | Development, hashing** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS same code below |
+ | | | computes the hash of a file |
+ | | | and saves it to another file, |
+ | | | this illustrates the use of |
+ | | | NSS message APIs. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 202 | :ref:`mozilla_project | **Example, NSS** |
+ | | s_nss_nss_sample_code_sample1` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | 1. A program to compute the |
+ | | | hash of a file and save it to |
+ | | | another file. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 203 | :ref:`mozilla_pro | **HTML, JavaScript, NSS, NSS |
+ | | jects_nss_nss_sample_code_samp | Article, NSS Initialization, |
+ | | le2_-_initialize_nss_database` | Web Development** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS sample code below |
+ | | | demonstrates how to initialize |
+ | | | the NSS database. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 204 | :ref:`mozilla_project | |
+ | | s_nss_nss_sample_code_sample2` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 205 | :ref:`mozilla_projects | **EncDeCMac, HTML, NCC, NCC |
+ | | _nss_nss_sample_code_sample3_- | Article, Web, Web |
+ | | _encdecmac_using_token_object` | Development** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Computes the hash of a file |
+ | | | and saves it to another file, |
+ | | | illustrates the use of NSS |
+ | | | message APIs. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 206 | :ref:`moz | |
+ | | illa_projects_nss_nss_sample_c | |
+ | | ode_utiltiies_for_nss_samples` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | These utility functions are |
+ | | | adapted from those found in |
+ | | | the sectool library used by |
+ | | | the NSS security tools and |
+ | | | other NSS test applications. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 207 | :ref:`mozilla_projects_nss | **Build documentation, Guide, |
+ | | _nss_sources_building_testing` | NSS, Security** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Getting the source code of |
+ | | | :ref:`mozilla_projects_nss`, |
+ | | | how to build it, and how to |
+ | | | run its test suite. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 208 | :ref:`mozill | **NSS** |
+ | | a_projects_nss_nss_tech_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 209 | :ref:`mozilla_projects_nss_ | |
+ | | nss_tech_notes_nss_tech_note1` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The main non-streaming APIs |
+ | | | for these two decoders have an |
+ | | | identical prototype : |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 210 | :ref:`mozilla_projects_nss_ | |
+ | | nss_tech_notes_nss_tech_note2` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The logger displays all |
+ | | | activity between NSS and a |
+ | | | specified PKCS #11 module. It |
+ | | | works by inserting a special |
+ | | | set of entry points between |
+ | | | NSS and the module. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 211 | :ref:`mozilla_projects_nss_ | |
+ | | nss_tech_notes_nss_tech_note3` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 212 | :ref:`mozilla_projects_nss_ | |
+ | | nss_tech_notes_nss_tech_note4` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 213 | :ref:`mozilla_projects_nss_ | |
+ | | nss_tech_notes_nss_tech_note5` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | **Note:** AES encryption, a |
+ | | | fixed blocksize of 16 bytes is |
+ | | | used. The Rijndael algorithm |
+ | | | permits 3 blocksizes (16, 24, |
+ | | | 32 bytes), but the AES |
+ | | | standard requires the |
+ | | | blocksize to be 16 bytes. The |
+ | | | keysize can vary and these |
+ | | | keysizes are permitted: 16, |
+ | | | 24, 32 bytes. |
+ | | | You can also look at a `sample |
+ | | | program <. |
+ | | | ./sample-code/sample2.html>`__ |
+ | | | illustrating encryption |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 214 | :ref:`mozilla_projects_nss_ | |
+ | | nss_tech_notes_nss_tech_note6` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The following applies to NSS |
+ | | | 3.8 through 3.10 : |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 215 | :ref:`mozilla_projects_nss_ | |
+ | | nss_tech_notes_nss_tech_note7` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This technical note explains |
+ | | | how to use NSS to perform RSA |
+ | | | signing and encryption. The |
+ | | | industry standard for RSA |
+ | | | signing and encryption is |
+ | | | `PKCS |
+ | | | #1 <http://www.rsasecurity.com |
+ | | | /rsalabs/node.asp?id=2125>`__. |
+ | | | NSS supports PKCS #1 v1.5. NSS |
+ | | | doesn't yet support PKCS #1 |
+ | | | v2.0 and v2.1, in particular |
+ | | | OAEP, but OAEP support is on |
+ | | | our `to-do |
+ | | | li |
+ | | | st <https://bugzilla.mozilla.o |
+ | | | rg/show_bug.cgi?id=158747>`__. |
+ | | | Your contribution is welcome. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 216 | :ref:`mozilla_projects_nss_ | |
+ | | nss_tech_notes_nss_tech_note8` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 217 | :ref:`mozilla_proj | **NSS, Security, Third-Party |
+ | | ects_nss_nss_third-party_code` | Code** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This is a list of third-party |
+ | | | code included in the NSS |
+ | | | repository, broken into two |
+ | | | lists: Code that can be |
+ | | | compiled into the NSS |
+ | | | libraries, and code that is |
+ | | | only used for testing. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 218 | :ref:`mozilla_proje | |
+ | | cts_nss_nss_tools_sslstrength` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | 2) sslstrength hostname[:port] |
+ | | | [ciphers=xyz] [debug] |
+ | | | [verbose] |
+ | | | [policy=export|domestic] |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 219 | :ref:` | **NSS** |
+ | | mozilla_projects_nss_overview` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | If you want to add support for |
+ | | | SSL, S/MIME, or other Internet |
+ | | | security standards to your |
+ | | | application, you can use |
+ | | | Network Security Services |
+ | | | (NSS) to implement all your |
+ | | | security features. NSS |
+ | | | provides a complete |
+ | | | open-source implementation of |
+ | | | the crypto libraries used by |
+ | | | AOL, Red Hat, Google, and |
+ | | | other companies in a variety |
+ | | | of products, including the |
+ | | | following: |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 220 | :ref:`mozilla_p | **NSS** |
+ | | rojects_nss_pkcs_12_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The public functions listed |
+ | | | here perform PKCS #12 |
+ | | | operations required by some of |
+ | | | the NSS tools and other |
+ | | | applications. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 221 | :ref:`mozilla_ | **NSS** |
+ | | projects_nss_pkcs_7_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The public functions listed |
+ | | | here perform PKCS #7 |
+ | | | operations required by mail |
+ | | | and news applications and by |
+ | | | some of the NSS tools. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 222 | :ref:`mozilla_ | **NSS** |
+ | | projects_nss_pkcs11_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This chapter describes the |
+ | | | core PKCS #11 functions that |
+ | | | an application needs for |
+ | | | communicating with |
+ | | | cryptographic modules. In |
+ | | | particular, these functions |
+ | | | are used for obtaining |
+ | | | certificates, keys, and |
+ | | | passwords. This was converted |
+ | | | from `"Chapter 7: PKCS #11 |
+ | | | Functions" <https://www.m |
+ | | | ozilla.org/projects/security/p |
+ | | | ki/nss/ref/ssl/pkfnc.html>`__. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 223 | :ref:`mozilla_ | |
+ | | projects_nss_pkcs11_implement` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | **NOTE:** This document was |
+ | | | originally for the Netscape |
+ | | | Security Library that came |
+ | | | with Netscape Communicator |
+ | | | 4.0. This note will be removed |
+ | | | once the document is updated |
+ | | | for the current version of |
+ | | | NSS. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 224 | :ref | **NSS, Security** |
+ | | :`mozilla_projects_nss_pkcs11` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | PKCS #11 information for |
+ | | | implementors of cryptographic |
+ | | | modules: |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 225 | :ref:`mo | **NSS, Security** |
+ | | zilla_projects_nss_pkcs11_faq` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | NSS searches all the installed |
+ | | | PKCS #11 modules when looking |
+ | | | for certificates. Once you've |
+ | | | installed the module, the |
+ | | | module's certificates simply |
+ | | | appear in the list of |
+ | | | certificates displayed in the |
+ | | | Certificate window. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 226 | :ref:`mozilla_projects_n | **Authentication, Biometric, |
+ | | ss_pkcs11_module_installation` | Mozilla, NSS, PKCS #11, |
+ | | | Projects, Security, Smart |
+ | | | Card, Smart-card, Smartcard, |
+ | | | pkcs11** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | `PKCS #11 </en-US/PKCS11>`__ |
+ | | | modules are external modules |
+ | | | which add to Firefox support |
+ | | | for smartcard readers, |
+ | | | biometric security devices, |
+ | | | and external certificate |
+ | | | stores. This article covers |
+ | | | the two methods for installing |
+ | | | PKCS #11 modules into Firefox. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 227 | :ref:`mozilla_pro | **NSS** |
+ | | jects_nss_pkcs11_module_specs` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The following is a proposal to |
+ | | | the |
+ | | | `PKCS <https:// |
+ | | | en.wikipedia.org/wiki/PKCS>`__ |
+ | | | #11 working group made in |
+ | | | August 2001 for configuring |
+ | | | PKCS #11 modules. NSS |
+ | | | currently implements this |
+ | | | proposal internally. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 228 | :ref:`mozilla_projec | |
+ | | ts_nss_python_binding_for_nss` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | python-nss is a Python binding |
+ | | | for NSS (Network Security |
+ | | | Services) and NSPR (Netscape |
+ | | | Portable Runtime). NSS |
+ | | | provides cryptography services |
+ | | | supporting SSL, TLS, PKI, |
+ | | | PKIX, X509, PKCS*, etc. NSS is |
+ | | | an alternative to OpenSSL and |
+ | | | used extensively by major |
+ | | | software projects. NSS is |
+ | | | FIPS-140 certified. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 229 | :ref:`m | **NSS** |
+ | | ozilla_projects_nss_reference` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Based on |
+ | | | :ref:`mozilla_projec |
+ | | | ts_nss_ssl_functions_sslintro` |
+ | | | in the SSL Reference. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 230 | :ref: | **NSS** |
+ | | `mozilla_projects_nss_referenc | |
+ | | e_building_and_installing_nss` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This chapter describes how to |
+ | | | build and install NSS. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 231 | :ref:`mozilla_projects_n | **NSS** |
+ | | ss_reference_building_and_inst | |
+ | | alling_nss_build_instructions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Numerous optional features of |
+ | | | NSS builds are controlled |
+ | | | through make variables. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 232 | :ref:`mozilla_projects_n | **NSS** |
+ | | ss_reference_building_and_inst | |
+ | | alling_nss_installation_guide` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The build system of NSS |
+ | | | originated from Netscape's |
+ | | | build system, which predated |
+ | | | the "configure; make; make |
+ | | | test; make install" sequence |
+ | | | that we're familiar with now. |
+ | | | Our makefiles also have an |
+ | | | "install" target, but it has a |
+ | | | different meaning: our |
+ | | | "install" means installing the |
+ | | | headers, libraries, and |
+ | | | programs in the appropriate |
+ | | | directories under |
+ | | | mozilla/dist. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 233 | :ref:`mozilla_project | |
+ | | s_nss_reference_building_and_i | |
+ | | nstalling_nss_migration_to_hg` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSPR, NSS and related |
+ | | | projects have stopped using |
+ | | | Mozilla'a CVS server, but have |
+ | | | migrated to |
+ | | | Mozilla's HG (Mercurial) |
+ | | | server. |
+ | | | Each project now lives in its |
+ | | | own separate space, they can |
+ | | | be found at: |
+ | | | https:/ |
+ | | | /hg.mozilla.org/projects/nspr/ |
+ | | | https: |
+ | | | //hg.mozilla.org/projects/nss/ |
+ | | | https: |
+ | | | //hg.mozilla.org/projects/jss/ |
+ | | | |
+ | | | https://hg.mo |
+ | | | zilla.org/projects/python-nss/ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 234 | :r | **NSS** |
+ | | ef:`mozilla_projects_nss_refer | |
+ | | ence_building_and_installing_n | |
+ | | ss_sample_manual_installation` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The NSS build system does not |
+ | | | include a target to install |
+ | | | header files and shared |
+ | | | libraries in the system |
+ | | | directories, so this needs to |
+ | | | be done manually. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 235 | :ref:`mozilla_projects_ns | **NSS** |
+ | | s_reference_fc_cancelfunction` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_CancelFunction - cancel a |
+ | | | function running in parallel |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 236 | :ref:`mozilla_projects_nss_ | **NSS** |
+ | | reference_fc_closeallsessions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_CloseAllSessions - close |
+ | | | all sessions between an |
+ | | | application and a token. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 237 | :ref:`mozilla_projects_ | **NSS** |
+ | | nss_reference_fc_closesession` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_CloseSession - close a |
+ | | | session opened between an |
+ | | | application and a token. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 238 | :ref:`mozilla_project | **NSS** |
+ | | s_nss_reference_fc_copyobject` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_CopyObject - create a copy |
+ | | | of an object. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 239 | :ref:`mozilla_projects_ | **NSS** |
+ | | nss_reference_fc_createobject` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_CreateObject - create a new |
+ | | | object. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 240 | :ref:`mozilla_proj | **NSS** |
+ | | ects_nss_reference_fc_decrypt` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_Decrypt - Decrypt a block |
+ | | | of data. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 241 | :ref:`mozilla_projects_nss_ref | **NSS** |
+ | | erence_fc_decryptdigestupdate` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DecryptDigestUpdate - |
+ | | | continue a multi-part decrypt |
+ | | | and digest operation |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 242 | :ref:`mozilla_projects_ | **NSS** |
+ | | nss_reference_fc_decryptfinal` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DecryptFinal - finish a |
+ | | | multi-part decryption |
+ | | | operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 243 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_reference_fc_decryptinit` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DecryptInit - initialize a |
+ | | | decryption operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 244 | :ref:`mozilla_projects_n | **NSS** |
+ | | ss_reference_fc_decryptupdate` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DecryptUpdate - decrypt a |
+ | | | block of a multi-part |
+ | | | encryption operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 245 | :ref:`mozilla_projects_nss_ref | **NSS** |
+ | | erence_fc_decryptverifyupdate` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DecryptVerifyUpdate - |
+ | | | continue a multi-part decrypt |
+ | | | and verify operation |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 246 | :ref:`mozilla_projec | **NSS** |
+ | | ts_nss_reference_fc_derivekey` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DeriveKey - derive a key |
+ | | | from a base key |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 247 | :ref:`mozilla_projects_n | **NSS** |
+ | | ss_reference_fc_destroyobject` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DestroyObject - destroy an |
+ | | | object. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 248 | :ref:`mozilla_pro | **NSS** |
+ | | jects_nss_reference_fc_digest` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_Digest - digest a block of |
+ | | | data. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 249 | :ref:`mozilla_projects_nss_ref | **NSS** |
+ | | erence_fc_digestencryptupdate` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DigestEncryptUpdate - |
+ | | | continue a multi-part digest |
+ | | | and encryption operation |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 250 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_reference_fc_digestfinal` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DigestFinal - finish a |
+ | | | multi-part digest operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 251 | :ref:`mozilla_project | **NSS** |
+ | | s_nss_reference_fc_digestinit` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DigestInit - initialize a |
+ | | | message-digest operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 252 | :ref:`mozilla_projec | **NSS** |
+ | | ts_nss_reference_fc_digestkey` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DigestKey - add the digest |
+ | | | of a key to a multi-part |
+ | | | digest operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 253 | :ref:`mozilla_projects_ | **NSS** |
+ | | nss_reference_fc_digestupdate` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_DigestUpdate - process the |
+ | | | next block of a multi-part |
+ | | | digest operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 254 | :ref:`mozilla_proj | **NSS** |
+ | | ects_nss_reference_fc_encrypt` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_Encrypt - Encrypt a block |
+ | | | of data. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 255 | :ref:`mozilla_projects_ | **NSS** |
+ | | nss_reference_fc_encryptfinal` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_EncryptFinal - finish a |
+ | | | multi-part encryption |
+ | | | operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 256 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_reference_fc_encryptinit` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_EncryptInit - initialize an |
+ | | | encryption operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 257 | :ref:`mozilla_projects_n | **NSS** |
+ | | ss_reference_fc_encryptupdate` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_EncryptUpdate - encrypt a |
+ | | | block of a multi-part |
+ | | | encryption operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 258 | :ref:`mozilla_proje | **NSS** |
+ | | cts_nss_reference_fc_finalize` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_Finalize - indicate that an |
+ | | | application is done with the |
+ | | | PKCS #11 library. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 259 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_reference_fc_findobjects` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_FindObjects - Search for |
+ | | | one or more objects |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 260 | :ref:`mozilla_projects_nss_ | **NSS** |
+ | | reference_fc_findobjectsfinal` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_FindObjectsFinal - |
+ | | | terminate an object search. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 261 | :ref:`mozilla_projects_nss | **NSS** |
+ | | _reference_fc_findobjectsinit` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_FindObjectsInit - |
+ | | | initialize the parameters for |
+ | | | an object search. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 262 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_reference_fc_generatekey` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GenerateKey - generate a |
+ | | | new key |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 263 | :ref:`mozilla_projects_nss | **NSS** |
+ | | _reference_fc_generatekeypair` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GenerateKeyPair - generate |
+ | | | a new public/private key pair |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 264 | :ref:`mozilla_projects_ns | **NSS** |
+ | | s_reference_fc_generaterandom` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GenerateRandom - generate a |
+ | | | random number. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 265 | :ref:`mozilla_projects_nss_r | **NSS** |
+ | | eference_fc_getattributevalue` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetAttributeValue - get the |
+ | | | value of attributes of an |
+ | | | object. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 266 | :ref:`mozilla_projects_nss | **NSS** |
+ | | _reference_fc_getfunctionlist` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetFunctionList - get a |
+ | | | pointer to the list of |
+ | | | function pointers in the FIPS |
+ | | | mode of operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 267 | :ref:`mozilla_projects_nss_r | **NSS** |
+ | | eference_fc_getfunctionstatus` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetFunctionStatus - get the |
+ | | | status of a function running |
+ | | | in parallel |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 268 | :ref:`mozilla_proj | **NSS** |
+ | | ects_nss_reference_fc_getinfo` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetInfo - return general |
+ | | | information about the PKCS #11 |
+ | | | library. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 269 | :ref:`mozilla_projects_nss_ | **NSS** |
+ | | reference_fc_getmechanisminfo` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetMechanismInfo - get |
+ | | | information on a particular |
+ | | | mechanism. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 270 | :ref:`mozilla_projects_nss_ | **NSS** |
+ | | reference_fc_getmechanismlist` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetMechanismList - get a |
+ | | | list of mechanism types |
+ | | | supported by a token. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 271 | :ref:`mozilla_projects_n | **NSS** |
+ | | ss_reference_fc_getobjectsize` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetObjectSize - create a |
+ | | | copy of an object. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 272 | :ref:`mozilla_projects_nss_r | **NSS** |
+ | | eference_fc_getoperationstate` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetOperationState - get the |
+ | | | cryptographic operation state |
+ | | | of a session. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 273 | :ref:`mozilla_projects_ns | **NSS** |
+ | | s_reference_fc_getsessioninfo` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetSessionInfo - obtain |
+ | | | information about a session. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 274 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_reference_fc_getslotinfo` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetSlotInfo - get |
+ | | | information about a particular |
+ | | | slot in the system. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 275 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_reference_fc_getslotlist` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetSlotList - Obtain a list |
+ | | | of slots in the system. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 276 | :ref:`mozilla_projects_ | **NSS** |
+ | | nss_reference_fc_gettokeninfo` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_GetTokenInfo - obtain |
+ | | | information about a particular |
+ | | | token in the system. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 277 | :ref:`mozilla_project | **NSS** |
+ | | s_nss_reference_fc_initialize` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_Initialize - initialize the |
+ | | | PKCS #11 library. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 278 | :ref:`mozilla_proj | **NSS** |
+ | | ects_nss_reference_fc_initpin` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | ``FC_InitPIN()`` - Initialize |
+ | | | the user's PIN. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 279 | :ref:`mozilla_projec | **NSS** |
+ | | ts_nss_reference_fc_inittoken` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | ``FC_InitToken()`` - |
+ | | | initialize or re-initialize a |
+ | | | token. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 280 | :ref:`mozilla_pr | **NSS** |
+ | | ojects_nss_reference_fc_login` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | ``FC_Login()`` - log a user |
+ | | | into a token. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 281 | :ref:`mozilla_pro | **NSS** |
+ | | jects_nss_reference_fc_logout` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_Logout - log a user out |
+ | | | from a token. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 282 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_reference_fc_opensession` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_OpenSession - open a |
+ | | | session between an application |
+ | | | and a token. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 283 | :ref:`mozilla_project | **NSS** |
+ | | s_nss_reference_fc_seedrandom` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | ``FC_SeedRandom()`` - mix |
+ | | | additional seed material into |
+ | | | the random number generator. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 284 | :ref:`mozilla_projects_nss_r | **NSS** |
+ | | eference_fc_setattributevalue` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_SetAttributeValue - set the |
+ | | | values of attributes of an |
+ | | | object. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 285 | :ref:`mozilla_projects_nss_r | **NSS** |
+ | | eference_fc_setoperationstate` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_SetOperationState - restore |
+ | | | the cryptographic operation |
+ | | | state of a session. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 286 | :ref:`mozilla_pro | **NSS** |
+ | | jects_nss_reference_fc_setpin` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_SetPIN - Modify the user's |
+ | | | PIN. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 287 | :ref:`mozilla_p | **NSS** |
+ | | rojects_nss_reference_fc_sign` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_Sign - sign a block of |
+ | | | data. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 288 | :ref:`mozilla_projects_nss_r | **NSS** |
+ | | eference_fc_signencryptupdate` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_SignEncryptUpdate - |
+ | | | continue a multi-part signing |
+ | | | and encryption operation |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 289 | :ref:`mozilla_projec | **NSS** |
+ | | ts_nss_reference_fc_signfinal` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_SignFinal - finish a |
+ | | | multi-part signing operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 290 | :ref:`mozilla_proje | **NSS** |
+ | | cts_nss_reference_fc_signinit` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_SignInit - initialize a |
+ | | | signing operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 291 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_reference_fc_signrecover` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_SignRecover - Sign data in |
+ | | | a single recoverable |
+ | | | operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 292 | :ref:`mozilla_projects_nss | **NSS** |
+ | | _reference_fc_signrecoverinit` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_SignRecoverInit - |
+ | | | initialize a sign recover |
+ | | | operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 293 | :ref:`mozilla_project | **NSS** |
+ | | s_nss_reference_fc_signupdate` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_SignUpdate - process the |
+ | | | next block of a multi-part |
+ | | | signing operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 294 | :ref:`mozilla_projec | **NSS** |
+ | | ts_nss_reference_fc_unwrapkey` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_UnwrapKey - unwrap a key |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 295 | :ref:`mozilla_pro | **NSS** |
+ | | jects_nss_reference_fc_verify` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_Verify - sign a block of |
+ | | | data. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 296 | :ref:`mozilla_projects | **NSS** |
+ | | _nss_reference_fc_verifyfinal` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_VerifyFinal - finish a |
+ | | | multi-part verify operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 297 | :ref:`mozilla_project | **NSS** |
+ | | s_nss_reference_fc_verifyinit` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_VerifyInit - initialize a |
+ | | | verification operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 298 | :ref:`mozilla_projects_n | **NSS** |
+ | | ss_reference_fc_verifyrecover` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_VerifyRecover - Verify data |
+ | | | in a single recoverable |
+ | | | operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 299 | :ref:`mozilla_projects_nss_r | **NSS** |
+ | | eference_fc_verifyrecoverinit` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_VerifyRecoverInit - |
+ | | | initialize a verification |
+ | | | operation where data is |
+ | | | recoverable. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 300 | :ref:`mozilla_projects_ | **NSS** |
+ | | nss_reference_fc_verifyupdate` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_VerifyUpdate - process the |
+ | | | next block of a multi-part |
+ | | | verify operation. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 301 | :ref:`mozilla_projects_nss_ | **NSS** |
+ | | reference_fc_waitforslotevent` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_WaitForSlotEvent - waits |
+ | | | for a slot event, such as |
+ | | | token insertion or token |
+ | | | removal, to occur. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 302 | :ref:`mozilla_proj | **NSS** |
+ | | ects_nss_reference_fc_wrapkey` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | FC_WrapKey - wrap a key |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 303 | :ref:`mozilla_project | **NSS** |
+ | | s_nss_reference_nsc_inittoken` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | ``NSC_InitToken()`` - |
+ | | | initialize or re-initialize a |
+ | | | token. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 304 | :ref:`mozilla_pro | **NSS** |
+ | | jects_nss_reference_nsc_login` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | ``NSC_Login()`` - log a user |
+ | | | into a token. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 305 | :ref:`mozilla_projects | |
+ | | _nss_reference_nspr_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | `NSPR <https://www. |
+ | | | mozilla.org/projects/nspr/>`__ |
+ | | | is a platform abstraction |
+ | | | library that provides a |
+ | | | cross-platform API to common |
+ | | | OS services. NSS uses NSPR |
+ | | | internally as the porting |
+ | | | layer. However, a small |
+ | | | number of NSPR functions are |
+ | | | required for using the |
+ | | | certificate verification and |
+ | | | SSL functions in NSS. These |
+ | | | NSPR functions are listed in |
+ | | | this section. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 306 | :re | **NSS** |
+ | | f:`mozilla_projects_nss_refere | |
+ | | nce_nss_certificate_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This chapter describes the |
+ | | | functions and related types |
+ | | | used to work with a |
+ | | | certificate database such as |
+ | | | the cert8.db database provided |
+ | | | with NSS. This was converted |
+ | | | from `"Chapter 5: Certificate |
+ | | | Functions" <https://www.mo |
+ | | | zilla.org/projects/security/pk |
+ | | | i/nss/ref/ssl/sslcrt.html>`__. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 307 | :r | **NSS** |
+ | | ef:`mozilla_projects_nss_refer | |
+ | | ence_nss_cryptographic_module` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This chapter describes the |
+ | | | data types and functions that |
+ | | | one can use to perform |
+ | | | cryptographic operations with |
+ | | | the NSS cryptographic module. |
+ | | | The NSS cryptographic module |
+ | | | uses the industry standard |
+ | | | `PKCS |
+ | | | #11 <http://www.rsasecurity.co |
+ | | | m/rsalabs/node.asp?id=2133>`__ |
+ | | | v2.20 as its API with some |
+ | | | extensions. Therefore, an |
+ | | | application that supports PKCS |
+ | | | #11 cryptographic tokens can |
+ | | | be easily modified to use the |
+ | | | NSS cryptographic module. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 308 | :ref:`mozilla_projects_ns | **NSS** |
+ | | s_reference_nss_cryptographic_ | |
+ | | module_fips_mode_of_operation` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | These functions manage |
+ | | | certificates and keys. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 309 | :re | **NSS** |
+ | | f:`mozilla_projects_nss_refere | |
+ | | nce_nss_environment_variables` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | These environment variables |
+ | | | affect the RUN TIME behavior |
+ | | | of NSS shared libraries. There |
+ | | | is a separate set of |
+ | | | environment variables that |
+ | | | affect how NSS is built, |
+ | | | documented below. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 310 | :ref:`mozilla_project | **NSS** |
+ | | s_nss_reference_nss_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This page lists all exported |
+ | | | functions in NSS 3.11.7 It was |
+ | | | ported from |
+ | | | `here <http://www-archive.mozi |
+ | | | lla.org/projects/security/pki/ |
+ | | | nss/ref/nssfunctions.html>`__. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 311 | :ref:`mozilla_projects | |
+ | | _nss_reference_nss_initialize` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | NSS_Initialize - initialize |
+ | | | NSS. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 312 | :ref:`mozilla_projects_ns | **NSS** |
+ | | s_reference_nss_key_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This chapter describes two |
+ | | | functions used to manipulate |
+ | | | private keys and key databases |
+ | | | such as the key3.db database |
+ | | | provided with NSS. This was |
+ | | | converted from `"Chapter 6: |
+ | | | Key |
+ | | | Functions" <https://develop |
+ | | | er.mozilla.org/en-US/docs/NSS/ |
+ | | | SSL_functions/sslkey.html>`__. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 313 | :ref:`mozilla_projects_nss_r | |
+ | | eference_nss_tools_:_certutil` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ | | | certutil — Manage keys and |
+ | | | certificate in both NSS |
+ | | | databases and other NSS tokens |
+ | | | Synopsis |
+ | | | certutil [options] |
+ | | | [[arguments]] |
+ | | | Description |
+ | | | The Certificate Database |
+ | | | Tool, certutil, is a |
+ | | | command-line utility |
+ | | | that can create and modify |
+ | | | certificate and key databases. |
+ | | | It can specifically list, |
+ | | | generate, modify, or delete |
+ | | | certificates, create or |
+ | | | change the password, |
+ | | | generate new public and |
+ | | | private key pairs, |
+ | | | display the contents of the |
+ | | | key database, or delete key |
+ | | | pairs within the key |
+ | | | database. |
+ | | | Certificate issuance, part |
+ | | | of the key and certificate |
+ | | | management process, requires |
+ | | | that |
+ | | | keys and certificates be |
+ | | | created in the key database. |
+ | | | This document discusses |
+ | | | certificate |
+ | | | and key database |
+ | | | management. For information on |
+ | | | the security module database |
+ | | | management, |
+ | | | see the modutil manpage. |
+ | | | Options and Arguments |
+ | | | Running certutil always |
+ | | | requires one and only one |
+ | | | command option to |
+ | | | specify the type of |
+ | | | certificate operation. Each |
+ | | | option may take arguments, |
+ | | | anywhere from none to |
+ | | | multiple arguments. The |
+ | | | command option -H will list |
+ | | | all the command options |
+ | | | available and their relevant |
+ | | | arguments. |
+ | | | Command Options |
+ | | | -A |
+ | | | Add an existing |
+ | | | certificate to a certificate |
+ | | | database. |
+ | | | The certificate |
+ | | | database should already exist; |
+ | | | if one is |
+ | | | not present, this |
+ | | | command option will initialize |
+ | | | one by default. |
+ | | | -B |
+ | | | Run a series of |
+ | | | commands from the specified |
+ | | | batch file. |
+ | | | This requires the -i |
+ | | | argument. |
+ | | | -C |
+ | | | Create a new binary |
+ | | | certificate file from a binary |
+ | | | certificate request |
+ | | | file. Use the -i argument to |
+ | | | specify |
+ | | | the certificate |
+ | | | request file. If this argument |
+ | | | is not |
+ | | | used, certutil |
+ | | | prompts for a filename. |
+ | | | -D |
+ | | | Delete a certificate |
+ | | | from the certificate database. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 314 | :ref:`mozilla_projects_nss_ | |
+ | | reference_nss_tools_:_cmsutil` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 315 | :ref:`mozilla_projects_nss_ | **Reference** |
+ | | reference_nss_tools_:_crlutil` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 316 | :ref:`mozilla_projects_nss_ | **Mozilla, NSS, Reference, |
+ | | reference_nss_tools_:_modutil` | Security, Tools, Utilities, |
+ | | | modutil** |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 317 | :ref:`mozilla_projects_nss_r | |
+ | | eference_nss_tools_:_pk12util` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | NSS tools : pk12util |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 318 | :ref:`mozilla_projects_nss | |
+ | | _reference_nss_tools_:_ssltab` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 319 | :ref:`mozilla_projects_nss | |
+ | | _reference_nss_tools_:_ssltap` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 320 | :ref:`mozilla_projects_nss_r | |
+ | | eference_nss_tools_:_vfychain` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 321 | :ref:`mozilla_projects_nss_ | |
+ | | reference_nss_tools_:_vfyserv` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 322 | :ref:`mozilla_pro | |
+ | | jects_nss_reference_nss_tools` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | certutil |
+ | | | :ref:`mozilla_projects_nss_r |
+ | | | eference_nss_tools_:_certutil` |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 323 | :ref:`mozilla_projec | |
+ | | ts_nss_reference_troubleshoot` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <nntp://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 324 | :ref:`mozil | |
+ | | la_projects_nss_release_notes` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This page lists release notes |
+ | | | for older versions of NSS. |
+ | | | See :ref:`mozi |
+ | | | lla_projects_nss_nss_releases` |
+ | | | :ref:`mozi |
+ | | | lla_projects_nss_nss_releases` |
+ | | | for recent release notes. The |
+ | | | links below are provided for |
+ | | | historical information. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 325 | :ref:`mozilla_ | **NSS** |
+ | | projects_nss_s_mime_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The public functions listed |
+ | | | here perform S/MIME operations |
+ | | | using the `S/MIME |
+ | | | Toolkit <http://w |
+ | | | ww-archive.mozilla.org/project |
+ | | | s/security/pki/nss/smime/>`__. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 326 | :ref:`mozil | **NSS** |
+ | | la_projects_nss_ssl_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The public functions listed |
+ | | | here are used to configure |
+ | | | sockets for communication via |
+ | | | the SSL and TLS protocols. In |
+ | | | addition to the functions |
+ | | | listed here, applications that |
+ | | | support SSL use some of the |
+ | | | Certificate functions, Crypto |
+ | | | functions, and Utility |
+ | | | functions described below on |
+ | | | this page. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 327 | :ref:`mozilla_pro | |
+ | | jects_nss_ssl_functions_gtstd` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | This chapter describes how to |
+ | | | set up your environment, |
+ | | | including certificate and key |
+ | | | databases. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 328 | :ref:`mozilla_projects_nss_ss | **NSS** |
+ | | l_functions_old_ssl_reference` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *New |
+ | | | sgroup:*\ `mozilla.dev.tech.cr |
+ | | | ypto <news://news.mozilla.org/ |
+ | | | mozilla.dev.tech.crypto>`__\ * |
+ | | | Writer: Sean Cotter |
+ | | | Manager: Wan-Teh Chang* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 329 | :ref:`mozilla_pro | |
+ | | jects_nss_ssl_functions_pkfnc` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 330 | :ref:`mozilla_proj | |
+ | | ects_nss_ssl_functions_sslcrt` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 331 | :ref:`mozilla_proj | |
+ | | ects_nss_ssl_functions_sslerr` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 332 | :ref:`mozilla_proj | |
+ | | ects_nss_ssl_functions_sslfnc` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 333 | :ref:`mozilla_projec | |
+ | | ts_nss_ssl_functions_sslintro` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | SSL and related APIs allow |
+ | | | compliant applications to |
+ | | | configure sockets for |
+ | | | authenticated, tamper-proof, |
+ | | | and encrypted communications. |
+ | | | This chapter introduces some |
+ | | | of the basic SSL functions. |
+ | | | `Chapter 2, "Getting Started |
+ | | | With |
+ | | | SSL" <gtstd.html#1005439>`__ |
+ | | | illustrates their use in |
+ | | | sample client and server |
+ | | | applications. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 334 | :ref:`mozilla_proj | |
+ | | ects_nss_ssl_functions_sslkey` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 335 | :ref:`mozilla_proj | |
+ | | ects_nss_ssl_functions_ssltyp` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 336 | :ref:`mozilla_projects_n | **NSS** |
+ | | ss_tls_cipher_suite_discovery` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | In order to communicate |
+ | | | securely, an TLS client and |
+ | | | TLS server must agree on the |
+ | | | cryptographic algorithms and |
+ | | | keys that they will both use |
+ | | | on the secured connection. |
+ | | | They must agree on these |
+ | | | items: |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 337 | :re | **NSS** |
+ | | f:`mozilla_projects_nss_tools` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 338 | :ref:`mozill | |
+ | | a_projects_nss_tools_certutil` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ | | | certutil — Manage keys and |
+ | | | certificate in the NSS |
+ | | | database. |
+ | | | Synopsis |
+ | | | certutil [options] |
+ | | | `arguments <arguments>`__ |
+ | | | Description |
+ | | | The Certificate Database |
+ | | | Tool, certutil, is a |
+ | | | command-line utility that |
+ | | | can create and modify |
+ | | | certificate and key database |
+ | | | files. It can also |
+ | | | list, generate, modify, or |
+ | | | delete certificates within the |
+ | | | database, create |
+ | | | or change the password, |
+ | | | generate new public and |
+ | | | private key pairs, display |
+ | | | the contents of the key |
+ | | | database, or delete key pairs |
+ | | | within the key |
+ | | | database. |
+ | | | The key and certificate |
+ | | | management process generally |
+ | | | begins with creating |
+ | | | keys in the key database, |
+ | | | then generating and managing |
+ | | | certificates in the |
+ | | | certificate database. This |
+ | | | document discusses certificate |
+ | | | and key database |
+ | | | management. For information |
+ | | | security module database |
+ | | | management, see the |
+ | | | modutil manpages. |
+ | | | Options and Arguments |
+ | | | Running certutil always |
+ | | | requires one (and only one) |
+ | | | option to specify the |
+ | | | type of certificate |
+ | | | operation. Each option may |
+ | | | take arguments, anywhere |
+ | | | from none to multiple |
+ | | | arguments. Run the command |
+ | | | option and -H to see the |
+ | | | arguments available for |
+ | | | each command option. |
+ | | | Options |
+ | | | Options specify an action |
+ | | | and are uppercase. |
+ | | | -A |
+ | | | Add an existing |
+ | | | certificate to a certificate |
+ | | | database. The |
+ | | | certificate |
+ | | | database should already exist; |
+ | | | if one is not present, |
+ | | | this option will |
+ | | | initialize one by default. |
+ | | | -B |
+ | | | Run a series of |
+ | | | commands from the specified |
+ | | | batch file. This |
+ | | | requires the -i |
+ | | | argument. |
+ | | | -C |
+ | | | Create a new binary |
+ | | | certificate file from a binary |
+ | | | certificate |
+ | | | request file. Use |
+ | | | the -i argument to specify the |
+ | | | certificate |
+ | | | request file. If |
+ | | | this argument is not used, |
+ | | | certutil prompts for a |
+ | | | filename. |
+ | | | -D |
+ | | | Delete a |
+ | | | certificate from the |
+ | | | certificate database. |
+ | | | -E |
+ | | | Add an email |
+ | | | certificate to the certificate |
+ | | | database. |
+ | | | -F |
+ | | | Delete a private |
+ | | | key from a key database. |
+ | | | Specify the key to |
+ | | | delete with the -n |
+ | | | argument. Specify the database |
+ | | | from which to |
+ | | | delete the key with |
+ | | | the -d argument. Use the -k |
+ | | | argument to |
+ | | | specify explicitly |
+ | | | whether to delete a DSA, RSA, |
+ | | | or ECC key. If |
+ | | | you don't use the |
+ | | | -k argument, the option looks |
+ | | | for an RSA key |
+ | | | matching the |
+ | | | specified nickname. |
+ | | | When you delete |
+ | | | keys, be sure to also remove |
+ | | | any certificates |
+ | | | associated with |
+ | | | those keys from the |
+ | | | certificate database, by using |
+ | | | -D. Some smart |
+ | | | cards (for example, the |
+ | | | Litronic card) do not let |
+ | | | you remove a public |
+ | | | key you have generated. In |
+ | | | such a case, only |
+ | | | the private key is |
+ | | | deleted from the key pair. You |
+ | | | can display the |
+ | | | public key with the |
+ | | | command certutil -K -h |
+ | | | tokenname. |
+ | | | -G |
+ | | | Generate a new |
+ | | | public and private key pair |
+ | | | within a key database. |
+ | | | The key database |
+ | | | should already exist; if one |
+ | | | is not present, this |
+ | | | option will |
+ | | | initialize one by default. |
+ | | | Some smart cards (for |
+ | | | example, the |
+ | | | Litronic card) can store only |
+ | | | one key pair. If you |
+ | | | create a new key |
+ | | | pair for such a card, the |
+ | | | previous pair is |
+ | | | overwritten. |
+ | | | -H |
+ | | | Display a list of |
+ | | | the options and arguments used |
+ | | | by the |
+ | | | Certificate |
+ | | | Database Tool. |
+ | | | -K |
+ | | | List the key ID of |
+ | | | keys in the key database. A |
+ | | | key ID is the |
+ | | | modulus of the RSA |
+ | | | key or the publicValue of the |
+ | | | DSA key. IDs are |
+ | | | displayed in |
+ | | | hexadecimal ("0x" is not |
+ | | | shown). |
+ | | | -L |
+ | | | List all the |
+ | | | certificates, or display |
+ | | | information about a named |
+ | | | certificate, in a |
+ | | | certificate database. Use the |
+ | | | -h tokenname |
+ | | | argument to specify |
+ | | | the certificate database on a |
+ | | | particular |
+ | | | hardware or |
+ | | | software token. |
+ | | | -M |
+ | | | Modify a |
+ | | | certificate's trust attributes |
+ | | | using the values of the -t |
+ | | | argument. |
+ | | | -N |
+ | | | Create new |
+ | | | certificate and key databases. |
+ | | | -O |
+ | | | Print the |
+ | | | certificate chain. |
+ | | | -R |
+ | | | Create a |
+ | | | certificate request file that |
+ | | | can be submitted to a |
+ | | | Certificate |
+ | | | Authority (CA) for processing |
+ | | | into a finished |
+ | | | certificate. Output |
+ | | | defaults to standard out |
+ | | | unless you use -o |
+ | | | output-file |
+ | | | argument. Use the -a argument |
+ | | | to specify ASCII output. |
+ | | | -S |
+ | | | Create an |
+ | | | individual certificate and add |
+ | | | it to a certificate |
+ | | | database. |
+ | | | -T |
+ | | | Reset the key |
+ | | | database or token. |
+ | | | -U |
+ | | | List all available |
+ | | | modules or print a single |
+ | | | named module. |
+ | | | -V |
+ | | | Check the validity |
+ | | | of a certificate and its |
+ | | | attributes. |
+ | | | -W |
+ | | | Change the password |
+ | | | to a key database. |
+ | | | --merge |
+ | | | Merge a source |
+ | | | database into the target |
+ | | | database. This is used to |
+ | | | merge legacy NSS |
+ | | | databases (cert8.db and |
+ | | | key3.db) into the newer |
+ | | | SQLite databases |
+ | | | (cert9.db and key4.db). |
+ | | | --upgrade-merge |
+ | | | Upgrade an old |
+ | | | database and merge it into a |
+ | | | new database. This is |
+ | | | used to migrate |
+ | | | legacy NSS databases (cert8.db |
+ | | | and key3.db) into |
+ | | | the newer SQLite |
+ | | | databases (cert9.db and |
+ | | | key4.db). |
+ | | | Arguments |
+ | | | Option arguments modify an |
+ | | | action and are lowercase. |
+ | | | -a |
+ | | | Use ASCII format or |
+ | | | allow the use of ASCII format |
+ | | | for input or |
+ | | | output. This |
+ | | | formatting follows RFC 1113. |
+ | | | For certificate |
+ | | | requests, ASCII |
+ | | | output defaults to standard |
+ | | | output unless |
+ | | | redirected. |
+ | | | -b validity-time |
+ | | | Specify a time at |
+ | | | which a certificate is |
+ | | | required to be valid. Use |
+ | | | when checking |
+ | | | certificate validity with the |
+ | | | -V option. The format |
+ | | | of the |
+ | | | validity-time argument is |
+ | | | YYMMDDHHMMSS[+HHMM|-HHMM|Z], |
+ | | | which allows |
+ | | | offsets to be set relative to |
+ | | | the validity end time. |
+ | | | Specifying seconds |
+ | | | (SS) is optional. When |
+ | | | specifying an explicit |
+ | | | time, use a Z at |
+ | | | the end of the term, |
+ | | | YYMMDDHHMMSSZ, to close it. |
+ | | | When specifying an |
+ | | | offset time, use |
+ | | | YYMMDDHHMMSS+HHMM or |
+ | | | YYMMDDHHMMSS-HHMM |
+ | | | for adding or subtracting |
+ | | | time, respectively. |
+ | | | If this option is |
+ | | | not used, the validity check |
+ | | | defaults to the |
+ | | | current system |
+ | | | time. |
+ | | | -c issuer |
+ | | | Identify the |
+ | | | certificate of the CA from |
+ | | | which a new certificate |
+ | | | will derive its |
+ | | | authenticity. Use the exact |
+ | | | nickname or alias of |
+ | | | the CA certificate, |
+ | | | or use the CA's email address. |
+ | | | Bracket the |
+ | | | issuer string with |
+ | | | quotation marks if it contains |
+ | | | spaces. |
+ | | | -d [sql:]directory |
+ | | | Specify the |
+ | | | database directory containing |
+ | | | the certificate and key |
+ | | | database files. |
+ | | | certutil supports |
+ | | | two types of databases: the |
+ | | | legacy security |
+ | | | databases |
+ | | | (cert8.db, key3.db, and |
+ | | | secmod.db) and new SQLite |
+ | | | databases |
+ | | | (cert9.db, key4.db, and |
+ | | | pkcs11.txt). If the prefix |
+ | | | sql: |
+ | | | is not used, then |
+ | | | the tool assumes that the |
+ | | | given databases are in |
+ | | | the old format. |
+ | | | -e |
+ | | | Check a |
+ | | | certificate's signature during |
+ | | | the process of validating a |
+ | | | certificate. |
+ | | | -f password-file |
+ | | | Specify a file that |
+ | | | will automatically supply the |
+ | | | password to |
+ | | | include in a |
+ | | | certificate or to access a |
+ | | | certificate database. This |
+ | | | is a plain-text |
+ | | | file containing one password. |
+ | | | Be sure to prevent |
+ | | | unauthorized access |
+ | | | to this file. |
+ | | | -g keysize |
+ | | | Set a key size to |
+ | | | use when generating new public |
+ | | | and private key |
+ | | | pairs. The minimum |
+ | | | is 512 bits and the maximum is |
+ | | | 8192 bits. The |
+ | | | default is 1024 |
+ | | | bits. Any size between the |
+ | | | minimum and maximum is |
+ | | | allowed. |
+ | | | -h tokenname |
+ | | | Specify the name of |
+ | | | a token to use or act on. |
+ | | | Unless specified |
+ | | | otherwise the |
+ | | | default token is an internal |
+ | | | slot (specifically, |
+ | | | internal slot 2). |
+ | | | This slot can also be |
+ | | | explicitly named with the |
+ | | | string "internal". |
+ | | | An internal slots is a virtual |
+ | | | slot maintained |
+ | | | in software, rather |
+ | | | than a hardware device. |
+ | | | Internal slot 2 is |
+ | | | used by key and |
+ | | | certificate services. Internal |
+ | | | slot 1 is used by |
+ | | | cryptographic |
+ | | | services. |
+ | | | -i input_file |
+ | | | Pass an input file |
+ | | | to the command. Depending on |
+ | | | the command |
+ | | | option, an input |
+ | | | file can be a specific |
+ | | | certificate, a certificate |
+ | | | request file, or a |
+ | | | batch file of commands. |
+ | | | -k rsa|dsa|ec|all |
+ | | | Specify the type of |
+ | | | a key. The valid options are |
+ | | | RSA, DSA, ECC, or |
+ | | | all. The default |
+ | | | value is rsa. Specifying the |
+ | | | type of key can |
+ | | | avoid mistakes |
+ | | | caused by duplicate nicknames. |
+ | | | -k key-type-or-id |
+ | | | Specify the type or |
+ | | | specific ID of a key. Giving a |
+ | | | key type |
+ | | | generates a new key |
+ | | | pair; giving the ID of an |
+ | | | existing key reuses |
+ | | | that key pair |
+ | | | (which is required to renew |
+ | | | certificates). |
+ | | | -l |
+ | | | Display detailed |
+ | | | information when validating a |
+ | | | certificate with |
+ | | | the -V option. |
+ | | | -m serial-number |
+ | | | Assign a unique |
+ | | | serial number to a certificate |
+ | | | being created. This |
+ | | | operation should be |
+ | | | performed by a CA. The default |
+ | | | serial number |
+ | | | is 0 (zero). Serial |
+ | | | numbers are limited to |
+ | | | integers. |
+ | | | -n nickname |
+ | | | Specify the |
+ | | | nickname of a certificate or |
+ | | | key to list, create, add |
+ | | | to a database, |
+ | | | modify, or validate. Bracket |
+ | | | the nickname string |
+ | | | with quotation |
+ | | | marks if it contains spaces. |
+ | | | -o output-file |
+ | | | Specify the output |
+ | | | file name for new certificates |
+ | | | or binary |
+ | | | certificate |
+ | | | requests. Bracket the |
+ | | | output-file string with |
+ | | | quotation marks if |
+ | | | it contains spaces. If this |
+ | | | argument is not |
+ | | | used the output |
+ | | | destination defaults to |
+ | | | standard output. |
+ | | | -P dbPrefix |
+ | | | Specify the prefix |
+ | | | used on the certificate and |
+ | | | key database file. |
+ | | | This option is |
+ | | | provided as a special case. |
+ | | | Changing the names of |
+ | | | the certificate and |
+ | | | key databases is not |
+ | | | recommended. |
+ | | | -p phone |
+ | | | Specify a contact |
+ | | | telephone number to include in |
+ | | | new certificates |
+ | | | or certificate |
+ | | | requests. Bracket this string |
+ | | | with quotation marks |
+ | | | if it contains |
+ | | | spaces. |
+ | | | -q pqgfile |
+ | | | Read an alternate |
+ | | | PQG value from the specified |
+ | | | file when |
+ | | | generating DSA key |
+ | | | pairs. If this argument is not |
+ | | | used, certutil |
+ | | | generates its own |
+ | | | PQG value. PQG files are |
+ | | | created with a separate |
+ | | | DSA utility. |
+ | | | -q curve-name |
+ | | | Set the elliptic |
+ | | | curve name to use when |
+ | | | generating ECC key pairs. |
+ | | | A complete list of |
+ | | | ECC curves is given in the |
+ | | | help (-H). |
+ | | | -r |
+ | | | Display a |
+ | | | certificate's binary DER |
+ | | | encoding when listing |
+ | | | information about |
+ | | | that certificate with the -L |
+ | | | option. |
+ | | | -s subject |
+ | | | Identify a |
+ | | | particular certificate owner |
+ | | | for new certificates or |
+ | | | certificate |
+ | | | requests. Bracket this string |
+ | | | with quotation marks if |
+ | | | it contains spaces. |
+ | | | The subject identification |
+ | | | format follows RFC |
+ | | | #1485. |
+ | | | -t trustargs |
+ | | | Specify the trust |
+ | | | attributes to modify in an |
+ | | | existing certificate |
+ | | | or to apply to a |
+ | | | certificate when creating it |
+ | | | or adding it to a |
+ | | | database. There are |
+ | | | three available trust |
+ | | | categories for each |
+ | | | certificate, |
+ | | | expressed in the order SSL, |
+ | | | email, object signing for |
+ | | | each trust setting. |
+ | | | In each category position, use |
+ | | | none, any, or |
+ | | | all of the |
+ | | | attribute codes: |
+ | | | o p - Valid peer |
+ | | | o P - Trusted |
+ | | | peer (implies p) |
+ | | | o c - Valid CA |
+ | | | o T - Trusted CA |
+ | | | to issue client certificates |
+ | | | (implies c) |
+ | | | o C - Trusted CA |
+ | | | to issue server certificates |
+ | | | (SSL only) |
+ | | | (implies c) |
+ | | | o u - |
+ | | | Certificate can be used for |
+ | | | authentication or signing |
+ | | | o w - Send |
+ | | | warning (use with other |
+ | | | attributes to include a |
+ | | | warning when |
+ | | | the certificate is used in |
+ | | | that context) |
+ | | | The attribute codes |
+ | | | for the categories are |
+ | | | separated by commas, |
+ | | | and the entire set |
+ | | | of attributes enclosed by |
+ | | | quotation marks. For |
+ | | | example: |
+ | | | -t "TCu,Cu,Tuw" |
+ | | | Use the -L option |
+ | | | to see a list of the current |
+ | | | certificates and |
+ | | | trust attributes in |
+ | | | a certificate database. |
+ | | | -u certusage |
+ | | | Specify a usage |
+ | | | context to apply when |
+ | | | validating a certificate |
+ | | | with the -V option. |
+ | | | The contexts are |
+ | | | the following: |
+ | | | o C (as an SSL |
+ | | | client) |
+ | | | o V (as an SSL |
+ | | | server) |
+ | | | o S (as an email |
+ | | | signer) |
+ | | | o R (as an email |
+ | | | recipient) |
+ | | | o O (as an OCSP |
+ | | | status responder) |
+ | | | o J (as an |
+ | | | object signer) |
+ | | | -v valid-months |
+ | | | Set the number of |
+ | | | months a new certificate will |
+ | | | be valid. The |
+ | | | validity period |
+ | | | begins at the current system |
+ | | | time unless an offset |
+ | | | is added or |
+ | | | subtracted with the -w option. |
+ | | | If this argument is not |
+ | | | used, the default |
+ | | | validity period is three |
+ | | | months. When this |
+ | | | argument is used, |
+ | | | the default three-month period |
+ | | | is automatically |
+ | | | added to any value |
+ | | | given in the valid-month |
+ | | | argument. For example, |
+ | | | using this option |
+ | | | to set a value of 3 would |
+ | | | cause 3 to be added to |
+ | | | the three-month |
+ | | | default, creating a validity |
+ | | | period of six months. |
+ | | | You can use |
+ | | | negative values to reduce the |
+ | | | default period. For |
+ | | | example, setting a |
+ | | | value of -2 would subtract 2 |
+ | | | from the default |
+ | | | and create a |
+ | | | validity period of one month. |
+ | | | -w offset-months |
+ | | | Set an offset from |
+ | | | the current system time, in |
+ | | | months, for the |
+ | | | beginning of a |
+ | | | certificate's validity period. |
+ | | | Use when creating |
+ | | | the certificate or |
+ | | | adding it to a database. |
+ | | | Express the offset in |
+ | | | integers, using a |
+ | | | minus sign (-) to indicate a |
+ | | | negative offset. If |
+ | | | this argument is |
+ | | | not used, the validity period |
+ | | | begins at the |
+ | | | current system |
+ | | | time. The length of the |
+ | | | validity period is set with |
+ | | | the -v argument. |
+ | | | -X |
+ | | | Force the key and |
+ | | | certificate database to open |
+ | | | in read-write mode. |
+ | | | This is used with |
+ | | | the -U and -L command options. |
+ | | | -x |
+ | | | Use certutil to |
+ | | | generate the signature for a |
+ | | | certificate being |
+ | | | created or added to |
+ | | | a database, rather than |
+ | | | obtaining a signature |
+ | | | from a separate CA. |
+ | | | -y exp |
+ | | | Set an alternate |
+ | | | exponent value to use in |
+ | | | generating a new RSA |
+ | | | public key for the |
+ | | | database, instead of the |
+ | | | default value of |
+ | | | 65537. The |
+ | | | available alternate values are |
+ | | | 3 and 17. |
+ | | | -z noise-file |
+ | | | Read a seed value |
+ | | | from the specified file to |
+ | | | generate a new |
+ | | | private and public |
+ | | | key pair. This argument makes |
+ | | | it possible to |
+ | | | use |
+ | | | hardware-generated seed values |
+ | | | or manually create a value |
+ | | | from |
+ | | | the keyboard. The |
+ | | | minimum file size is 20 bytes. |
+ | | | -0 SSO_password |
+ | | | Set a site security |
+ | | | officer password on a token. |
+ | | | -1 \| --keyUsage |
+ | | | keyword,keyword |
+ | | | Set a Netscape |
+ | | | Certificate Type Extension in |
+ | | | the certificate. |
+ | | | There are several |
+ | | | available keywords: |
+ | | | o digital |
+ | | | signature |
+ | | | o nonRepudiation |
+ | | | |
+ | | | o keyEncipherment |
+ | | | |
+ | | | o dataEncipherment |
+ | | | o keyAgreement |
+ | | | o certSigning |
+ | | | o crlSigning |
+ | | | o critical |
+ | | | -2 |
+ | | | Add a basic |
+ | | | constraint extension to a |
+ | | | certificate that is being |
+ | | | created or added to |
+ | | | a database. This extension |
+ | | | supports the |
+ | | | certificate chain |
+ | | | verification process. certutil |
+ | | | prompts for the |
+ | | | certificate |
+ | | | constraint extension to |
+ | | | select. |
+ | | | X.509 certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | -3 |
+ | | | Add an authority |
+ | | | key ID extension to a |
+ | | | certificate that is being |
+ | | | created or added to |
+ | | | a database. This extension |
+ | | | supports the |
+ | | | identification of a |
+ | | | particular certificate, from |
+ | | | among multiple |
+ | | | certificates |
+ | | | associated with one subject |
+ | | | name, as the correct |
+ | | | issuer of a |
+ | | | certificate. The Certificate |
+ | | | Database Tool will prompt |
+ | | | you to select the |
+ | | | authority key ID extension. |
+ | | | X.509 certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | -4 |
+ | | | Add a CRL |
+ | | | distribution point extension |
+ | | | to a certificate that is |
+ | | | being created or |
+ | | | added to a database. This |
+ | | | extension identifies |
+ | | | the URL of a |
+ | | | certificate's associated |
+ | | | certificate revocation list |
+ | | | (CRL). certutil |
+ | | | prompts for the URL. |
+ | | | X.509 certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | -5 \| --nsCertType |
+ | | | keyword,keyword |
+ | | | Add a Netscape |
+ | | | certificate type extension to |
+ | | | a certificate that is |
+ | | | being created or |
+ | | | added to the database. There |
+ | | | are several |
+ | | | available keywords: |
+ | | | o sslClient |
+ | | | o sslServer |
+ | | | o smime |
+ | | | o objectSigning |
+ | | | o sslCA |
+ | | | o smimeCA |
+ | | | |
+ | | | o objectSigningCA |
+ | | | o critical |
+ | | | X.509 certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | -6 \| --extKeyUsage |
+ | | | keyword,keyword |
+ | | | Add an extended key |
+ | | | usage extension to a |
+ | | | certificate that is being |
+ | | | created or added to |
+ | | | the database. Several keywords |
+ | | | are available: |
+ | | | o serverAuth |
+ | | | o clientAuth |
+ | | | o codeSigning |
+ | | | |
+ | | | o emailProtection |
+ | | | o timeStamp |
+ | | | o ocspResponder |
+ | | | o stepUp |
+ | | | o critical |
+ | | | X.509 certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | -7 emailAddrs |
+ | | | Add a |
+ | | | comma-separated list of email |
+ | | | addresses to the subject |
+ | | | alternative name |
+ | | | extension of a certificate or |
+ | | | certificate request |
+ | | | that is being |
+ | | | created or added to the |
+ | | | database. Subject |
+ | | | alternative name |
+ | | | extensions are described in |
+ | | | Section 4.2.1.7 of |
+ | | | RFC 3280. |
+ | | | -8 dns-names |
+ | | | Add a |
+ | | | comma-separated list of DNS |
+ | | | names to the subject |
+ | | | alternative |
+ | | | name extension of a |
+ | | | certificate or certificate |
+ | | | request that is |
+ | | | being created or |
+ | | | added to the database. Subject |
+ | | | alternative name |
+ | | | extensions are |
+ | | | described in Section 4.2.1.7 |
+ | | | of RFC 3280. |
+ | | | --extAIA |
+ | | | Add the Authority |
+ | | | Information Access extension |
+ | | | to the certificate. |
+ | | | X.509 certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | --extSIA |
+ | | | Add the Subject |
+ | | | Information Access extension |
+ | | | to the certificate. |
+ | | | X.509 certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | --extCP |
+ | | | Add the Certificate |
+ | | | Policies extension to the |
+ | | | certificate. X.509 |
+ | | | certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | --extPM |
+ | | | Add the Policy |
+ | | | Mappings extension to the |
+ | | | certificate. X.509 |
+ | | | certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | --extPC |
+ | | | Add the Policy |
+ | | | Constraints extension to the |
+ | | | certificate. X.509 |
+ | | | certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | --extIA |
+ | | | Add the Inhibit Any |
+ | | | Policy Access extension to the |
+ | | | certificate. |
+ | | | X.509 certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | --extSKID |
+ | | | Add the Subject Key |
+ | | | ID extension to the |
+ | | | certificate. X.509 |
+ | | | certificate |
+ | | | extensions are described in |
+ | | | RFC 5280. |
+ | | | --source-dir certdir |
+ | | | Identify the |
+ | | | certificate database directory |
+ | | | to upgrade. |
+ | | | --source-prefix certdir |
+ | | | Give the prefix of |
+ | | | the certificate and key |
+ | | | databases to upgrade. |
+ | | | --upgrade-id uniqueID |
+ | | | Give the unique ID |
+ | | | of the database to upgrade. |
+ | | | --upgrade-token-name name |
+ | | | Set the name of the |
+ | | | token to use while it is being |
+ | | | upgraded. |
+ | | | -@ pwfile |
+ | | | Give the name of a |
+ | | | password file to use for the |
+ | | | database being |
+ | | | upgraded. |
+ | | | Usage and Examples |
+ | | | Most of the command options |
+ | | | in the examples listed here |
+ | | | have more |
+ | | | arguments available. The |
+ | | | arguments included in these |
+ | | | examples are the most |
+ | | | common ones or are used to |
+ | | | illustrate a specific |
+ | | | scenario. Use the -H |
+ | | | option to show the complete |
+ | | | list of arguments for each |
+ | | | command option. |
+ | | | Creating New Security |
+ | | | Databases |
+ | | | Certificates, keys, and |
+ | | | security modules related to |
+ | | | managing certificates |
+ | | | are stored in three related |
+ | | | databases: |
+ | | | o cert8.db or cert9.db |
+ | | | o key3.db or key4.db |
+ | | | o secmod.db or pkcs11.txt |
+ | | | These databases must be |
+ | | | created before certificates or |
+ | | | keys can be |
+ | | | generated. |
+ | | | certutil -N -d |
+ | | | [sql:]directory |
+ | | | Creating a Certificate |
+ | | | Request |
+ | | | A certificate request |
+ | | | contains most or all of the |
+ | | | information that is used |
+ | | | to generate the final |
+ | | | certificate. This request is |
+ | | | submitted separately to |
+ | | | a certificate authority and |
+ | | | is then approved by some |
+ | | | mechanism |
+ | | | (automatically or by human |
+ | | | review). Once the request is |
+ | | | approved, then the |
+ | | | certificate is generated. |
+ | | | $ certutil -R -k |
+ | | | key-type-or-id [-q |
+ | | | pqgfile|curve-name] -g |
+ | | | key-size -s subject [-h |
+ | | | tokenname] -d [sql:]directory |
+ | | | [-p phone] [-o output-file] |
+ | | | [-a] |
+ | | | The -R command options |
+ | | | requires four arguments: |
+ | | | o -k to specify either |
+ | | | the key type to generate or, |
+ | | | when renewing a |
+ | | | certificate, the |
+ | | | existing key pair to use |
+ | | | o -g to set the keysize |
+ | | | of the key to generate |
+ | | | o -s to set the subject |
+ | | | name of the certificate |
+ | | | o -d to give the security |
+ | | | database directory |
+ | | | The new certificate request |
+ | | | can be output in ASCII format |
+ | | | (-a) or can be |
+ | | | written to a specified file |
+ | | | (-o). |
+ | | | For example: |
+ | | | $ certutil -R -k ec -q |
+ | | | nistb409 -g 512 -s "CN=John |
+ | | | Smith,O=Example |
+ | | | Corp,L=Mountain |
+ | | | View,ST=California,C=US" -d |
+ | | | sql:/home/my/sharednssdb -p |
+ | | | 650-555-0123 -a -o cert.cer |
+ | | | Generating key. This may |
+ | | | take a few moments... |
+ | | | Certificate request generated |
+ | | | by Netscape |
+ | | | Phone: 650-555-0123 |
+ | | | Common Name: John Smith |
+ | | | Email: (not ed) |
+ | | | Organization: Example Corp |
+ | | | State: California |
+ | | | Country: US |
+ | | | -----BEGIN NEW CERTIFICATE |
+ | | | REQUEST----- |
+ | | | MIIB |
+ | | | IDCBywIBADBmMQswCQYDVQQGEwJVUz |
+ | | | ETMBEGA1UECBMKQ2FsaWZvcm5pYTEW |
+ | | | MBQG |
+ | | | A1UEBxMNTW91bnRhaW4gVmlldzEVMB |
+ | | | MGA1UEChMMRXhhbXBsZSBDb3JwMRMw |
+ | | | EQYD |
+ | | | VQQDEwpKb2huIFNtaXRoMFwwDQYJKo |
+ | | | ZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ |
+ | | | KmHn |
+ | | | Ox7reP8Cc0Lk+fFWEuYIDX9W5K/Bio |
+ | | | QOKvEjXyQZhit9aThzBVMoSf1Y1S8J |
+ | | | CzdU |
+ | | | bCg1+IbnXaECAwEAAaAAMA0GCSqGSI |
+ | | | b3DQEBBQUAA0EAryqZvpYrUtQ486Ny |
+ | | | qmty |
+ | | | QNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u |
+ | | | 1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB |
+ | | | 1hP9Gg== |
+ | | | -----END NEW CERTIFICATE |
+ | | | REQUEST----- |
+ | | | Creating a Certificate |
+ | | | A valid certificate must be |
+ | | | issued by a trusted CA. This |
+ | | | can be done by |
+ | | | specifying a CA certificate |
+ | | | (-c) that is stored in the |
+ | | | certificate |
+ | | | database. If a CA key pair |
+ | | | is not available, you can |
+ | | | create a self-signed |
+ | | | certificate using the -x |
+ | | | argument with the -S command |
+ | | | option. |
+ | | | $ certutil -S -k rsa|dsa|ec |
+ | | | -n certname -s subject [-c |
+ | | | issuer \|-x] -t trustargs -d |
+ | | | [sql:]directory [-m |
+ | | | serial-number] [-v |
+ | | | valid-months] [-w |
+ | | | offset-months] [-p phone] [-1] |
+ | | | [-2] [-3] [-4] [-5 keyword] |
+ | | | [-6 keyword] [-7 emailAddress] |
+ | | | [-8 dns-names] [--extAIA] |
+ | | | [--extSIA] [--extCP] [--extPM] |
+ | | | [--extPC] [--extIA] |
+ | | | [--extSKID] |
+ | | | The series of numbers and |
+ | | | --ext\* options set |
+ | | | certificate extensions that |
+ | | | can be added to the |
+ | | | certificate when it is |
+ | | | generated by the CA. |
+ | | | For example, this creates a |
+ | | | self-signed certificate: |
+ | | | $ certutil -S -s "CN=Example |
+ | | | CA" -n my-ca-cert -x -t |
+ | | | "C,C,C" -1 -2 -5 -m 3650 |
+ | | | From there, new |
+ | | | certificates can reference the |
+ | | | self-signed certificate: |
+ | | | $ certutil -S -s "CN=My |
+ | | | Server Cert" -n my-server-cert |
+ | | | -c "my-ca-cert" -t "u,u,u" -1 |
+ | | | -5 -6 -8 -m 730 |
+ | | | Generating a Certificate |
+ | | | from a Certificate Request |
+ | | | When a certificate request |
+ | | | is created, a certificate can |
+ | | | be generated by |
+ | | | using the request and then |
+ | | | referencing a certificate |
+ | | | authority signing |
+ | | | certificate (the issuer |
+ | | | specified in the -c argument). |
+ | | | The issuing |
+ | | | certificate must be in the |
+ | | | certificate database in the |
+ | | | specified |
+ | | | directory. |
+ | | | certutil -C -c issuer -i |
+ | | | cert-request-file -o |
+ | | | output-file [-m serial-number] |
+ | | | [-v valid-months] [-w |
+ | | | offset-months] -d |
+ | | | [sql:]directory [-1] [-2] [-3] |
+ | | | [-4] [-5 keyword] [-6 keyword] |
+ | | | [-7 emailAddress] [-8 |
+ | | | dns-names] |
+ | | | For example: |
+ | | | $ certutil -C -c "my-ca-cert" |
+ | | | -i /home/certs/cert.req -o |
+ | | | cert.cer -m 010 -v 12 -w 1 -d |
+ | | | sql:/home/my/sharednssdb -1 |
+ | | | n |
+ | | | onRepudiation,dataEncipherment |
+ | | | -5 sslClient -6 clientAuth -7 |
+ | | | jsmith@example.com |
+ | | | Generating Key Pairs |
+ | | | Key pairs are generated |
+ | | | automatically with a |
+ | | | certificate request or |
+ | | | certificate, but they can |
+ | | | also be generated |
+ | | | independently using the -G |
+ | | | command option. |
+ | | | certutil -G -d |
+ | | | [sql:]directory \| -h |
+ | | | tokenname -k key-type -g |
+ | | | key-size [-y exponent-value] |
+ | | | -q pqgfile|curve-name |
+ | | | For example: |
+ | | | $ certutil -G -h lunasa -k ec |
+ | | | -g 256 -q sect193r2 |
+ | | | Listing Certificates |
+ | | | The -L command option lists |
+ | | | all of the certificates listed |
+ | | | in the |
+ | | | certificate database. The |
+ | | | path to the directory (-d) is |
+ | | | required. |
+ | | | $ certutil -L -d |
+ | | | sql:/home/my/sharednssdb |
+ | | | Certificate |
+ | | | Nickname |
+ | | | |
+ | | | Trust Attributes |
+ | | | |
+ | | | |
+ | | | |
+ | | | SSL,S/MIME,JAR/XPI |
+ | | | CA Administrator of Instance |
+ | | | pki-ca1's Example Domain |
+ | | | ID u,u,u |
+ | | | TPS Administrator's Example |
+ | | | Domain |
+ | | | ID |
+ | | | u,u,u |
+ | | | Google Internet |
+ | | | Authority |
+ | | | |
+ | | | ,, |
+ | | | Certificate Authority - |
+ | | | Example |
+ | | | Domain |
+ | | | CT,C,C |
+ | | | Using additional arguments |
+ | | | with -L can return and print |
+ | | | the information |
+ | | | for a single, specific |
+ | | | certificate. For example, the |
+ | | | -n argument passes |
+ | | | the certificate name, while |
+ | | | the -a argument prints the |
+ | | | certificate in |
+ | | | ASCII format: |
+ | | | $ certutil -L -d |
+ | | | sql:/home/my/sharednssdb -a -n |
+ | | | "Certificate Authority - |
+ | | | Example Domain" |
+ | | | -----BEGIN CERTIFICATE----- |
+ | | | MIID |
+ | | | mTCCAoGgAwIBAgIBATANBgkqhkiG9w |
+ | | | 0BAQUFADA5MRcwFQYDVQQKEw5FeGFt |
+ | | | cGxl |
+ | | | IERvbWFpbjEeMBwGA1UEAxMVQ2VydG |
+ | | | lmaWNhdGUgQXV0aG9yaXR5MB4XDTEw |
+ | | | MDQy |
+ | | | OTIxNTY1OFoXDTEyMDQxODIxNTY1OF |
+ | | | owOTEXMBUGA1UEChMORXhhbXBsZSBE |
+ | | | b21h |
+ | | | aW4xHjAcBgNVBAMTFUNlcnRpZmljYX |
+ | | | RlIEF1dGhvcml0eTCCASIwDQYJKoZI |
+ | | | hvcN |
+ | | | AQEBBQADggEPADCCAQoCggEBAO/bqU |
+ | | | li2KwqXFKmMMG93KN1SANzNTXA/Vlf |
+ | | | Tmri |
+ | | | h3hQgjvR1ktIY9aG6cB7DSKWmtHp/+ |
+ | | | p4PUCMqL4ZrSGt901qxkePyZ2dYmM2 |
+ | | | Rnel |
+ | | | K+SEUIPiUtoZaDhNdiYsE/yuDE8vQW |
+ | | | j0vHCVL0w72qFUcSQ/WZT7FCrnUIUI |
+ | | | udeW |
+ | | | noPSUn70gLhcj/lvxl7K9BHyD4Sq5C |
+ | | | zktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2 |
+ | | | bP4i |
+ | | | RMfloGqsxGuB1evWVDF1haGpFDSPgM |
+ | | | nEPSLg3/3dXn+HDJbZ29EU8/xKzQEb |
+ | | | 3V0A |
+ | | | HKbu80zGllLEt2Zx/WDIrgJEN9yMfg |
+ | | | KFpcmL+BvIRsmh0VsCAwEAAaOBqzCB |
+ | | | qDAf |
+ | | | BgNVHSMEGDAWgBQATgxHQyRUfKIZtd |
+ | | | p55bZlFr+tFzAPBgNVHRMBAf8EBTAD |
+ | | | AQH/ |
+ | | | MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ |
+ | | | 4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/ |
+ | | | rRcw |
+ | | | RQYIKwYBBQUHAQEEOTA3MDUGCCsGAQ |
+ | | | UFBzABhilodHRwOi8vbG9jYWxob3N0 |
+ | | | Lmxv |
+ | | | Y2FsZG9tYWluOjkxODAvY2Evb2NzcD |
+ | | | ANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk |
+ | | | L3XO |
+ | | | 43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3 |
+ | | | KROLWeKVZZZa2E2Hnsvf2uXbk5amKe |
+ | | | lRxd |
+ | | | SeRH9g85pv4KY7Z8xZ71NrI3+K3uwm |
+ | | | nqkc6t0hhYb1mw/gx8OAAoluQx3biX |
+ | | | JBDx |
+ | | | jI73Cf7XUopplHBjjiwyGIJUO8BEZJ |
+ | | | 5L+TF4P38MJz1snLtzZpEAX5bl0U76 |
+ | | | bfu/ |
+ | | | tZFWBbE8YAWYtkCtMcalBPj6jn2WD3 |
+ | | | M01kGozW4mmbvsj1cRB9HnsGsqyHCu |
+ | | | U0uj |
+ | | | lL1H/RWcjn607+CTeKH9jLMUqCIqPJ |
+ | | | NOa+kq/6F7NhNRRiuzASIbZc30BZ5a |
+ | | | nI7q5n1USM3eWQlVXw== |
+ | | | -----END CERTIFICATE----- |
+ | | | Listing Keys |
+ | | | Keys are the original |
+ | | | material used to encrypt |
+ | | | certificate data. The keys |
+ | | | generated for certificates |
+ | | | are stored separately, in the |
+ | | | key database. |
+ | | | To list all keys in the |
+ | | | database, use the -K command |
+ | | | option and the |
+ | | | (required) -d argument to |
+ | | | give the path to the |
+ | | | directory. |
+ | | | $ certutil -K -d |
+ | | | sql:/home/my/sharednssdb |
+ | | | certutil: Checking token "NSS |
+ | | | Certificate DB" in slot "NSS |
+ | | | User Private Key and |
+ | | | Certificate |
+ | | | Services " |
+ | | | < 0> rsa |
+ | | | 455a6673bde9 |
+ | | | 375c2887ec8bf8016b3f9f35861d |
+ | | | Thawte Freemail Member's |
+ | | | Thawte Consulting (Pty) Ltd. |
+ | | | ID |
+ | | | < 1> rsa |
+ | | | 40defeeb522a |
+ | | | de11090eacebaaf1196a172127df |
+ | | | Example Domain Administrator |
+ | | | Cert |
+ | | | < 2> rsa |
+ | | | 1d0b06f44f6c |
+ | | | 03842f7d4f4a1dc78b3bcd1b85a5 |
+ | | | John Smith user cert |
+ | | | There are ways to narrow |
+ | | | the keys listed in the search |
+ | | | results: |
+ | | | o To return a specific |
+ | | | key, use the -n name argument |
+ | | | with the name of |
+ | | | the key. |
+ | | | o If there are multiple |
+ | | | security devices loaded, then |
+ | | | the -h tokenname |
+ | | | argument can search a |
+ | | | specific token or all tokens. |
+ | | | o If there are multiple |
+ | | | key types available, then the |
+ | | | -k key-type |
+ | | | argument can search a |
+ | | | specific type of key, like |
+ | | | RSA, DSA, or ECC. |
+ | | | Listing Security Modules |
+ | | | The devices that can be |
+ | | | used to store certificates -- |
+ | | | both internal |
+ | | | databases and external |
+ | | | devices like smart cards -- |
+ | | | are recognized and used |
+ | | | by loading security |
+ | | | modules. The -U command option |
+ | | | lists all of the |
+ | | | security modules listed in |
+ | | | the secmod.db database. The |
+ | | | path to the |
+ | | | directory (-d) is required. |
+ | | | $ certutil -U -d |
+ | | | sql:/home/my/sharednssdb |
+ | | | slot: NSS User Private |
+ | | | Key and Certificate Services |
+ | | | token: NSS Certificate DB |
+ | | | slot: NSS Internal |
+ | | | Cryptographic Services |
+ | | | token: NSS Generic Crypto |
+ | | | Services |
+ | | | Adding Certificates to the |
+ | | | Database |
+ | | | Existing certificates or |
+ | | | certificate requests can be |
+ | | | added manually to the |
+ | | | certificate database, even |
+ | | | if they were generated |
+ | | | elsewhere. This uses the |
+ | | | -A command option. |
+ | | | certutil -A -n certname -t |
+ | | | trustargs -d [sql:]directory |
+ | | | [-a] [-i input-file] |
+ | | | For example: |
+ | | | $ certutil -A -n "CN=My SSL |
+ | | | Certificate" -t "u,u,u" -d |
+ | | | sql:/home/my/sharednssdb -i |
+ | | | /home/example-certs/cert.cer |
+ | | | A related command option, |
+ | | | -E, is used specifically to |
+ | | | add email |
+ | | | certificates to the |
+ | | | certificate database. The -E |
+ | | | command has the same |
+ | | | arguments as the -A |
+ | | | command. The trust arguments |
+ | | | for certificates have the |
+ | | | format |
+ | | | SSL,S/MIME,Code-signing, so |
+ | | | the middle trust settings |
+ | | | relate most |
+ | | | to email certificates |
+ | | | (though the others can be |
+ | | | set). For example: |
+ | | | $ certutil -E -n "CN=John |
+ | | | Smith Email Cert" -t ",Pu," -d |
+ | | | sql:/home/my/sharednssdb -i |
+ | | | /home/example-certs/email.cer |
+ | | | Deleting Certificates to |
+ | | | the Database |
+ | | | Certificates can be deleted |
+ | | | from a database using the -D |
+ | | | option. The only |
+ | | | required options are to |
+ | | | give the security database |
+ | | | directory and to |
+ | | | identify the certificate |
+ | | | nickname. |
+ | | | certutil -D -d |
+ | | | [sql:]directory -n "nickname" |
+ | | | For example: |
+ | | | $ certutil -D -d |
+ | | | sql:/home/my/sharednssdb -n |
+ | | | "my-ssl-cert" |
+ | | | Validating Certificates |
+ | | | A certificate contains an |
+ | | | expiration date in itself, and |
+ | | | expired |
+ | | | certificates are easily |
+ | | | rejected. However, |
+ | | | certificates can also be |
+ | | | revoked before they hit |
+ | | | their expiration date. |
+ | | | Checking whether a |
+ | | | certificate has been |
+ | | | revoked requires validating |
+ | | | the certificate. |
+ | | | Validation can also be used |
+ | | | to ensure that the certificate |
+ | | | is only used |
+ | | | for the purposes it was |
+ | | | initially issued for. |
+ | | | Validation is carried out by |
+ | | | the -V command option. |
+ | | | certutil -V -n |
+ | | | certificate-name [-b time] |
+ | | | [-e] [-u cert-usage] -d |
+ | | | [sql:]directory |
+ | | | For example, to validate an |
+ | | | email certificate: |
+ | | | $ certutil -V -n "John |
+ | | | Smith's Email Cert" -e -u S,R |
+ | | | -d sql:/home/my/sharednssdb |
+ | | | Modifying Certificate Trust |
+ | | | Settings |
+ | | | The trust settings (which |
+ | | | relate to the operations that |
+ | | | a certificate is |
+ | | | allowed to be used for) can |
+ | | | be changed after a certificate |
+ | | | is created or |
+ | | | added to the database. This |
+ | | | is especially useful for CA |
+ | | | certificates, but |
+ | | | it can be performed for any |
+ | | | type of certificate. |
+ | | | certutil -M -n |
+ | | | certificate-name -t trust-args |
+ | | | -d [sql:]directory |
+ | | | For example: |
+ | | | $ certutil -M -n "My CA |
+ | | | Certificate" -d |
+ | | | sql:/home/my/sharednssdb -t |
+ | | | "CTu,CTu,CTu" |
+ | | | Printing the Certificate |
+ | | | Chain |
+ | | | Certificates can be issued |
+ | | | in chains because every |
+ | | | certificate authority |
+ | | | itself has a certificate; |
+ | | | when a CA issues a |
+ | | | certificate, it essentially |
+ | | | stamps that certificate |
+ | | | with its own fingerprint. The |
+ | | | -O prints the full |
+ | | | chain of a certificate, |
+ | | | going from the initial CA (the |
+ | | | root CA) through |
+ | | | ever intermediary CA to the |
+ | | | actual certificate. For |
+ | | | example, for an email |
+ | | | certificate with two CAs in |
+ | | | the chain: |
+ | | | $ certutil -d |
+ | | | sql:/home/my/sharednssdb -O -n |
+ | | | "jsmith@example.com" |
+ | | | "Builtin Object Token:Thawte |
+ | | | Personal Freemail CA" |
+ | | | [E=personal |
+ | | | -freemail@thawte.com,CN=Thawte |
+ | | | Personal Freemail |
+ | | | CA,OU=Certification Services |
+ | | | Division,O=Thawte |
+ | | | Consulting,L=Cape |
+ | | | Town,ST=Western Cape,C=ZA] |
+ | | | "Thawte Personal Freemail |
+ | | | Issuing CA - Thawte |
+ | | | Consulting" [CN=Thawte |
+ | | | Personal Freemail Issuing |
+ | | | CA,O=Thawte Consulting (Pty) |
+ | | | Ltd.,C=ZA] |
+ | | | "(null)" |
+ | | | [ |
+ | | | E=jsmith@example.com,CN=Thawte |
+ | | | Freemail Member] |
+ | | | Resetting a Token |
+ | | | The device which stores |
+ | | | certificates -- both external |
+ | | | hardware devices and |
+ | | | internal software databases |
+ | | | -- can be blanked and reused. |
+ | | | This operation |
+ | | | is performed on the device |
+ | | | which stores the data, not |
+ | | | directly on the |
+ | | | security databases, so the |
+ | | | location must be referenced |
+ | | | through the token |
+ | | | name (-h) as well as any |
+ | | | directory path. If there is no |
+ | | | external token |
+ | | | used, the default value is |
+ | | | internal. |
+ | | | certutil -T -d |
+ | | | [sql:]directory -h token-name |
+ | | | -0 security-officer-password |
+ | | | Many networks have |
+ | | | dedicated personnel who handle |
+ | | | changes to security |
+ | | | tokens (the security |
+ | | | officer). This person must |
+ | | | supply the password to |
+ | | | access the specified token. |
+ | | | For example: |
+ | | | $ certutil -T -d |
+ | | | sql:/home/my/sharednssdb -h |
+ | | | nethsm -0 secret |
+ | | | Upgrading or Merging the |
+ | | | Security Databases |
+ | | | Many networks or |
+ | | | applications may be using |
+ | | | older BerkeleyDB versions of |
+ | | | the certificate database |
+ | | | (cert8.db). Databases can be |
+ | | | upgraded to the new |
+ | | | SQLite version of the |
+ | | | database (cert9.db) using the |
+ | | | --upgrade-merge |
+ | | | command option or existing |
+ | | | databases can be merged with |
+ | | | the new cert9.db |
+ | | | databases using the |
+ | | | ---merge command. |
+ | | | The --upgrade-merge command |
+ | | | must give information about |
+ | | | the original |
+ | | | database and then use the |
+ | | | standard arguments (like -d) |
+ | | | to give the |
+ | | | information about the new |
+ | | | databases. The command also |
+ | | | requires information |
+ | | | that the tool uses for the |
+ | | | process to upgrade and write |
+ | | | over the original |
+ | | | database. |
+ | | | certutil --upgrade-merge -d |
+ | | | [sql:]directory [-P dbprefix] |
+ | | | --source-dir directory |
+ | | | --source-prefix dbprefix |
+ | | | --upgrade-id id |
+ | | | --upgrade-token-name name [-@ |
+ | | | password-file] |
+ | | | For example: |
+ | | | $ certutil --upgrade-merge -d |
+ | | | sql:/home/my/sharednssdb |
+ | | | --source-dir |
+ | | | /opt/my-app/alias/ |
+ | | | --source-prefix serverapp- |
+ | | | --upgrade-id 1 |
+ | | | --upgrade-token-name internal |
+ | | | The --merge command only |
+ | | | requires information about the |
+ | | | location of the |
+ | | | original database; since it |
+ | | | doesn't change the format of |
+ | | | the database, it |
+ | | | can write over information |
+ | | | without performing interim |
+ | | | step. |
+ | | | certutil --merge -d |
+ | | | [sql:]directory [-P dbprefix] |
+ | | | --source-dir directory |
+ | | | --source-prefix dbprefix [-@ |
+ | | | password-file] |
+ | | | For example: |
+ | | | $ certutil --merge -d |
+ | | | sql:/home/my/sharednssdb |
+ | | | --source-dir |
+ | | | /opt/my-app/alias/ |
+ | | | --source-prefix serverapp- |
+ | | | Running certutil Commands |
+ | | | from a Batch File |
+ | | | A series of commands can be |
+ | | | run sequentially from a text |
+ | | | file with the -B |
+ | | | command option. The only |
+ | | | argument for this specifies |
+ | | | the input file. |
+ | | | $ certutil -B -i |
+ | | | /path/to/batch-file |
+ | | | NSS Database Types |
+ | | | NSS originally used |
+ | | | BerkeleyDB databases to store |
+ | | | security information. |
+ | | | The last versions of these |
+ | | | legacy databases are: |
+ | | | o cert8.db for |
+ | | | certificates |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
+ | | | module information |
+ | | | BerkeleyDB has performance |
+ | | | limitations, though, which |
+ | | | prevent it from |
+ | | | being easily used by |
+ | | | multiple applications |
+ | | | simultaneously. NSS has some |
+ | | | flexibility that allows |
+ | | | applications to use their own, |
+ | | | independent |
+ | | | database engine while |
+ | | | keeping a shared database and |
+ | | | working around the |
+ | | | access issues. Still, NSS |
+ | | | requires more flexibility to |
+ | | | provide a truly |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
+ | | | new set of databases that are |
+ | | | SQLite databases |
+ | | | rather than BerkleyDB. |
+ | | | These new databases provide |
+ | | | more accessibility and |
+ | | | performance: |
+ | | | o cert9.db for |
+ | | | certificates |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
+ | | | listing of all of the PKCS #11 |
+ | | | modules contained |
+ | | | in a new subdirectory |
+ | | | in the security databases |
+ | | | directory |
+ | | | Because the SQLite |
+ | | | databases are designed to be |
+ | | | shared, these are the |
+ | | | shared database type. The |
+ | | | shared database type is |
+ | | | preferred; the legacy |
+ | | | format is included for |
+ | | | backward compatibility. |
+ | | | By default, the tools |
+ | | | (certutil, pk12util, modutil) |
+ | | | assume that the given |
+ | | | security databases follow |
+ | | | the more common legacy type. |
+ | | | Using the SQLite |
+ | | | databases must be manually |
+ | | | specified by using the sql: |
+ | | | prefix with the |
+ | | | given security directory. |
+ | | | For example: |
+ | | | $ certutil -L -d |
+ | | | sql:/home/my/sharednssdb |
+ | | | To set the shared database |
+ | | | type as the default type for |
+ | | | the tools, set the |
+ | | | NSS_DEFAULT_DB_TYPE |
+ | | | environment variable to sql: |
+ | | | export |
+ | | | NSS_DEFAULT_DB_TYPE="sql" |
+ | | | This line can be set added |
+ | | | to the ~/.bashrc file to make |
+ | | | the change |
+ | | | permanent. |
+ | | | Most applications do not |
+ | | | use the shared database by |
+ | | | default, but they can |
+ | | | be configured to use them. |
+ | | | For example, this how-to |
+ | | | article covers how to |
+ | | | configure Firefox and |
+ | | | Thunderbird to use the new |
+ | | | shared NSS databases: |
+ | | | |
+ | | | o https://wiki.m |
+ | | | ozilla.org/NSS_Shared_DB_Howto |
+ | | | For an engineering draft on |
+ | | | the changes in the shared NSS |
+ | | | databases, see |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
+ | | | wiki.mozilla.org/NSS_Shared_DB |
+ | | | See Also |
+ | | | pk12util (1) |
+ | | | modutil (1) |
+ | | | certutil has arguments or |
+ | | | operations that use features |
+ | | | defined in several |
+ | | | IETF RFCs. |
+ | | | |
+ | | | o `http://tools.ietf.org/htm |
+ | | | l/rfc5280 <https://datatracker |
+ | | | .ietf.org/doc/html/rfc5280>`__ |
+ | | | |
+ | | | o `http://tools.ietf.org/htm |
+ | | | l/rfc1113 <https://datatracker |
+ | | | .ietf.org/doc/html/rfc1113>`__ |
+ | | | |
+ | | | o `http://tools.ietf.org/htm |
+ | | | l/rfc1485 <https://datatracker |
+ | | | .ietf.org/doc/html/rfc1485>`__ |
+ | | | The NSS wiki has |
+ | | | information on the new |
+ | | | database design and how to |
+ | | | configure applications to |
+ | | | use it. |
+ | | | |
+ | | | o https://wiki.m |
+ | | | ozilla.org/NSS_Shared_DB_Howto |
+ | | | |
+ | | | o https:// |
+ | | | wiki.mozilla.org/NSS_Shared_DB |
+ | | | Additional Resources |
+ | | | For information about NSS |
+ | | | and other tools related to NSS |
+ | | | (like JSS), check |
+ | | | out the NSS project wiki at |
+ | | | |
+ | | | [1]\ `http://www.mozil |
+ | | | la.org/projects/security/pki/n |
+ | | | ss/ <https://www.mozilla.org/p |
+ | | | rojects/security/pki/nss/>`__. |
+ | | | The NSS site relates |
+ | | | directly to NSS code |
+ | | | changes and releases. |
+ | | | Mailing lists: |
+ | | | https://lists.mozill |
+ | | | a.org/listinfo/dev-tech-crypto |
+ | | | IRC: Freenode at |
+ | | | #dogtag-pki |
+ | | | Authors |
+ | | | The NSS tools were written |
+ | | | and maintained by developers |
+ | | | with Netscape, Red |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
+ | | | <emaldona@redhat.com>, Deon |
+ | | | Lackey |
+ | | | <dlackey@redhat.com>. |
+ | | | Copyright |
+ | | | (c) 2010, Red Hat, Inc. |
+ | | | Licensed under the GNU Public |
+ | | | License version 2. |
+ | | | References |
+ | | | Visible links |
+ | | | 1. |
+ | | | `http://www.mozi |
+ | | | lla.org/projects/security/pki/ |
+ | | | nss/ <https://www.mozilla.org/ |
+ | | | projects/security/pki/nss/>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 339 | :ref:`mozil | |
+ | | la_projects_nss_tools_cmsutil` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ | | | cmsutil — Performs basic |
+ | | | cryptograpic operations, such |
+ | | | as encryption and |
+ | | | decryption, on |
+ | | | Cryptographic Message Syntax |
+ | | | (CMS) messages. |
+ | | | Synopsis |
+ | | | cmsutil [options] |
+ | | | `arguments <arguments>`__ |
+ | | | Description |
+ | | | The cmsutil command-line |
+ | | | uses the S/MIME Toolkit to |
+ | | | perform basic |
+ | | | operations, such as |
+ | | | encryption and decryption, on |
+ | | | Cryptographic Message |
+ | | | Syntax (CMS) messages. |
+ | | | To run cmsutil, type the |
+ | | | command cmsutil option |
+ | | | [arguments] where option |
+ | | | and arguments are |
+ | | | combinations of the options |
+ | | | and arguments listed in the |
+ | | | following section. Each |
+ | | | command takes one option. Each |
+ | | | option may take |
+ | | | zero or more arguments. To |
+ | | | see a usage string, issue the |
+ | | | command without |
+ | | | options. |
+ | | | Options and Arguments |
+ | | | Options |
+ | | | Options specify an action. |
+ | | | Option arguments modify an |
+ | | | action. The options |
+ | | | and arguments for the |
+ | | | cmsutil command are defined as |
+ | | | follows: |
+ | | | -D |
+ | | | Decode a message. |
+ | | | -C |
+ | | | Encrypt a message. |
+ | | | -E |
+ | | | Envelope a message. |
+ | | | -O |
+ | | | Create a |
+ | | | certificates-only message. |
+ | | | -S |
+ | | | Sign a message. |
+ | | | Arguments |
+ | | | Option arguments modify an |
+ | | | action and are lowercase. |
+ | | | -c content |
+ | | | Use this detached |
+ | | | content (decode only). |
+ | | | -d dbdir |
+ | | | Specify the |
+ | | | key/certificate database |
+ | | | directory (default is ".") |
+ | | | -e envfile |
+ | | | Specify a file |
+ | | | containing an enveloped |
+ | | | message for a set of |
+ | | | recipients to which |
+ | | | you would like to send an |
+ | | | encrypted message. |
+ | | | If this is the |
+ | | | first encrypted message for |
+ | | | that set of recipients, |
+ | | | a new enveloped |
+ | | | message will be created that |
+ | | | you can then use for |
+ | | | future messages |
+ | | | (encrypt only). |
+ | | | -G |
+ | | | Include a signing |
+ | | | time attribute (sign only). |
+ | | | -h num |
+ | | | Generate email |
+ | | | headers with info about CMS |
+ | | | message (decode only). |
+ | | | -i infile |
+ | | | Use infile as a |
+ | | | source of data (default is |
+ | | | stdin). |
+ | | | -N nickname |
+ | | | Specify nickname of |
+ | | | certificate to sign with (sign |
+ | | | only). |
+ | | | -n |
+ | | | Suppress output of |
+ | | | contents (decode only). |
+ | | | -o outfile |
+ | | | Use outfile as a |
+ | | | destination of data (default |
+ | | | is stdout). |
+ | | | -P |
+ | | | Include an S/MIME |
+ | | | capabilities attribute. |
+ | | | -p password |
+ | | | Use password as key |
+ | | | database password. |
+ | | | -r recipient1,recipient2, |
+ | | | ... |
+ | | | Specify list of |
+ | | | recipients (email addresses) |
+ | | | for an encrypted or |
+ | | | enveloped message. |
+ | | | For certificates-only message, |
+ | | | list of |
+ | | | certificates to |
+ | | | send. |
+ | | | -T |
+ | | | Suppress content in |
+ | | | CMS message (sign only). |
+ | | | -u certusage |
+ | | | Set type of cert |
+ | | | usage (default is |
+ | | | certUsageEmailSigner). |
+ | | | -Y ekprefnick |
+ | | | Specify an |
+ | | | encryption key preference by |
+ | | | nickname. |
+ | | | Usage |
+ | | | Encrypt Example |
+ | | | cmsutil -C [-i infile] [-o |
+ | | | outfile] [-d dbdir] [-p |
+ | | | password] -r |
+ | | | "recipient1,recipient2, . . ." |
+ | | | -e envfile |
+ | | | Decode Example |
+ | | | cmsutil -D [-i infile] [-o |
+ | | | outfile] [-d dbdir] [-p |
+ | | | password] [-c content] [-n] |
+ | | | [-h num] |
+ | | | Envelope Example |
+ | | | cmsutil -E [-i infile] [-o |
+ | | | outfile] [-d dbdir] [-p |
+ | | | password] -r |
+ | | | "recipient1,recipient2, ..." |
+ | | | Certificate-only Example |
+ | | | cmsutil -O [-i infile] [-o |
+ | | | outfile] [-d dbdir] [-p |
+ | | | password] -r "cert1,cert2, . . |
+ | | | ." |
+ | | | Sign Message Example |
+ | | | cmsutil -S [-i infile] [-o |
+ | | | outfile] [-d dbdir] [-p |
+ | | | password] -N nickname[-TGP] |
+ | | | [-Y ekprefnick] |
+ | | | See also |
+ | | | certutil(1) |
+ | | | See Also |
+ | | | Additional Resources |
+ | | | NSS is maintained in |
+ | | | conjunction with PKI and |
+ | | | security-related projects |
+ | | | through Mozilla dn Fedora. |
+ | | | The most closely-related |
+ | | | project is Dogtag PKI, |
+ | | | with a project wiki at |
+ | | | [1]\ http: |
+ | | | //pki.fedoraproject.org/wiki/. |
+ | | | For information |
+ | | | specifically about NSS, the |
+ | | | NSS project wiki is located at |
+ | | | |
+ | | | [2]\ `http://www.mozil |
+ | | | la.org/projects/security/pki/n |
+ | | | ss/ <https://www.mozilla.org/p |
+ | | | rojects/security/pki/nss/>`__. |
+ | | | The NSS site relates |
+ | | | directly to NSS code |
+ | | | changes and releases. |
+ | | | Mailing lists: |
+ | | | pki-devel@redhat.com and |
+ | | | pki-users@redhat.com |
+ | | | IRC: Freenode at |
+ | | | #dogtag-pki |
+ | | | Authors |
+ | | | The NSS tools were written |
+ | | | and maintained by developers |
+ | | | with Netscape and |
+ | | | now with Red Hat. |
+ | | | Authors: Elio Maldonado |
+ | | | <emaldona@redhat.com>, Deon |
+ | | | Lackey |
+ | | | <dlackey@redhat.com>. |
+ | | | Copyright |
+ | | | (c) 2010, Red Hat, Inc. |
+ | | | Licensed under the GNU Public |
+ | | | License version 2. |
+ | | | References |
+ | | | Visible links |
+ | | | 1. |
+ | | | http |
+ | | | ://pki.fedoraproject.org/wiki/ |
+ | | | 2. |
+ | | | `http://www.mozi |
+ | | | lla.org/projects/security/pki/ |
+ | | | nss/ <https://www.mozilla.org/ |
+ | | | projects/security/pki/nss/>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 340 | :ref:`mozil | |
+ | | la_projects_nss_tools_crlutil` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ | | | crlutil — List, generate, |
+ | | | modify, or delete CRLs within |
+ | | | the NSS security |
+ | | | database file(s) and list, |
+ | | | create, modify or delete |
+ | | | certificates entries |
+ | | | in a particular CRL. |
+ | | | Synopsis |
+ | | | crlutil [options] |
+ | | | `arguments <arguments>`__ |
+ | | | Description |
+ | | | The Certificate Revocation |
+ | | | List (CRL) Management Tool, |
+ | | | crlutil, is a |
+ | | | command-line utility that |
+ | | | can list, generate, modify, or |
+ | | | delete CRLs |
+ | | | within the NSS security |
+ | | | database file(s) and list, |
+ | | | create, modify or |
+ | | | delete certificates entries |
+ | | | in a particular CRL. |
+ | | | The key and certificate |
+ | | | management process generally |
+ | | | begins with creating |
+ | | | keys in the key database, |
+ | | | then generating and managing |
+ | | | certificates in the |
+ | | | certificate database(see |
+ | | | certutil tool) and continues |
+ | | | with certificates |
+ | | | expiration or revocation. |
+ | | | This document discusses |
+ | | | certificate revocation list |
+ | | | management. For |
+ | | | information on security |
+ | | | module database management, |
+ | | | see Using the Security |
+ | | | Module Database Tool. For |
+ | | | information on certificate and |
+ | | | key database |
+ | | | management, see Using the |
+ | | | Certificate Database Tool. |
+ | | | To run the Certificate |
+ | | | Revocation List Management |
+ | | | Tool, type the command |
+ | | | crlutil option [arguments] |
+ | | | where options and arguments |
+ | | | are combinations of the |
+ | | | options and arguments |
+ | | | listed in the following |
+ | | | section. Each command takes |
+ | | | one option. Each |
+ | | | option may take zero or |
+ | | | more arguments. To see a usage |
+ | | | string, issue the |
+ | | | command without options, or |
+ | | | with the -H option. |
+ | | | Options and Arguments |
+ | | | Options |
+ | | | Options specify an action. |
+ | | | Option arguments modify an |
+ | | | action. The options |
+ | | | and arguments for the |
+ | | | crlutil command are defined as |
+ | | | follows: |
+ | | | -G |
+ | | | Create new |
+ | | | Certificate Revocation |
+ | | | List(CRL). |
+ | | | -D |
+ | | | Delete Certificate |
+ | | | Revocation List from cert |
+ | | | database. |
+ | | | -I |
+ | | | Import a CRL to the |
+ | | | cert database |
+ | | | -E |
+ | | | Erase all CRLs of |
+ | | | specified type from the cert |
+ | | | database |
+ | | | -L |
+ | | | List existing CRL |
+ | | | located in cert database file. |
+ | | | -M |
+ | | | Modify existing CRL |
+ | | | which can be located in cert |
+ | | | db or in |
+ | | | arbitrary file. If |
+ | | | located in file it should be |
+ | | | encoded in ASN.1 |
+ | | | encode format. |
+ | | | -G |
+ | | | Arguments |
+ | | | Option arguments modify an |
+ | | | action and are lowercase. |
+ | | | -B |
+ | | | Bypass CA signature |
+ | | | checks. |
+ | | | -P dbprefix |
+ | | | Specify the prefix |
+ | | | used on the NSS security |
+ | | | database files (for |
+ | | | example, |
+ | | | my_cert8.db and my_key3.db). |
+ | | | This option is provided as a |
+ | | | special case. |
+ | | | Changing the names of the |
+ | | | certificate and key |
+ | | | databases is not |
+ | | | recommended. |
+ | | | -a |
+ | | | Use ASCII format or |
+ | | | allow the use of ASCII format |
+ | | | for input and |
+ | | | output. This |
+ | | | formatting follows RFC #1113. |
+ | | | -c crl-gen-file |
+ | | | Specify script file |
+ | | | that will be used to control |
+ | | | crl |
+ | | | |
+ | | | generation/modification. See |
+ | | | crl-cript-file format below. |
+ | | | If |
+ | | | options -M|-G is |
+ | | | used and -c crl-script-file is |
+ | | | not specified, |
+ | | | crlutil will read |
+ | | | script data from standard |
+ | | | input. |
+ | | | -d directory |
+ | | | Specify the |
+ | | | database directory containing |
+ | | | the certificate and key |
+ | | | database files. On |
+ | | | Unix the Certificate Database |
+ | | | Tool defaults to |
+ | | | $HOME/.netscape |
+ | | | (that is, ~/.netscape). On |
+ | | | Windows NT the default |
+ | | | is the current |
+ | | | directory. |
+ | | | The NSS database |
+ | | | files must reside in the same |
+ | | | directory. |
+ | | | -i crl-import-file |
+ | | | Specify the file |
+ | | | which contains the CRL to |
+ | | | import |
+ | | | -f password-file |
+ | | | Specify a file that |
+ | | | will automatically supply the |
+ | | | password to |
+ | | | include in a |
+ | | | certificate or to access a |
+ | | | certificate database. This |
+ | | | is a plain-text |
+ | | | file containing one password. |
+ | | | Be sure to prevent |
+ | | | unauthorized access |
+ | | | to this file. |
+ | | | -l algorithm-name |
+ | | | Specify a specific |
+ | | | signature algorithm. List of |
+ | | | possible |
+ | | | algorithms: MD2 \| |
+ | | | MD4 \| MD5 \| SHA1 \| SHA256 |
+ | | | \| SHA384 \| SHA512 |
+ | | | -n nickname |
+ | | | Specify the |
+ | | | nickname of a certificate or |
+ | | | key to list, create, add |
+ | | | to a database, |
+ | | | modify, or validate. Bracket |
+ | | | the nickname string |
+ | | | with quotation |
+ | | | marks if it contains spaces. |
+ | | | -o output-file |
+ | | | Specify the output |
+ | | | file name for new CRL. Bracket |
+ | | | the output-file |
+ | | | string with |
+ | | | quotation marks if it contains |
+ | | | spaces. If this |
+ | | | argument is not |
+ | | | used the output destination |
+ | | | defaults to standard |
+ | | | output. |
+ | | | -t crl-type |
+ | | | Specify type of |
+ | | | CRL. possible types are: 0 - |
+ | | | SEC_KRL_TYPE, 1 - |
+ | | | SEC_CRL_TYPE. This |
+ | | | option is obsolete |
+ | | | -u url |
+ | | | Specify the url. |
+ | | | CRL Generation script syntax |
+ | | | CRL generation script file |
+ | | | has the following syntax: |
+ | | | \* Line with comments |
+ | | | should have # as a first |
+ | | | symbol of a line |
+ | | | \* Set "this update" or |
+ | | | "next update" CRL fields: |
+ | | | update=YYYYMMDDhhmmssZ |
+ | | | nextupdate=YYYYMMDDhhmmssZ |
+ | | | Field "next update" is |
+ | | | optional. Time should be in |
+ | | | GeneralizedTime format |
+ | | | (YYYYMMDDhhmmssZ). For |
+ | | | example: 20050204153000Z |
+ | | | \* Add an extension to a |
+ | | | CRL or a crl certificate |
+ | | | entry: |
+ | | | addext extension-name |
+ | | | critical/non-critical |
+ | | | [arg1[arg2 ...]] |
+ | | | Where: |
+ | | | extension-name: string |
+ | | | value of a name of known |
+ | | | extensions. |
+ | | | critical/non-critical: is 1 |
+ | | | when extension is critical and |
+ | | | 0 otherwise. |
+ | | | arg1, arg2: specific to |
+ | | | extension type extension |
+ | | | parameters |
+ | | | addext uses the range that |
+ | | | was set earlier by addcert and |
+ | | | will install an |
+ | | | extension to every cert |
+ | | | entries within the range. |
+ | | | \* Add certificate |
+ | | | entries(s) to CRL: |
+ | | | addcert range date |
+ | | | range: two integer values |
+ | | | separated by dash: range of |
+ | | | certificates that |
+ | | | will be added by this |
+ | | | command. dash is used as a |
+ | | | delimiter. Only one cert |
+ | | | will be added if there is |
+ | | | no delimiter. date: revocation |
+ | | | date of a cert. |
+ | | | Date should be represented |
+ | | | in GeneralizedTime format |
+ | | | (YYYYMMDDhhmmssZ). |
+ | | | \* Remove certificate |
+ | | | entry(s) from CRL |
+ | | | rmcert range |
+ | | | Where: |
+ | | | range: two integer values |
+ | | | separated by dash: range of |
+ | | | certificates that |
+ | | | will be added by this |
+ | | | command. dash is used as a |
+ | | | delimiter. Only one cert |
+ | | | will be added if there is |
+ | | | no delimiter. |
+ | | | \* Change range of |
+ | | | certificate entry(s) in CRL |
+ | | | range new-range |
+ | | | Where: |
+ | | | new-range: two integer |
+ | | | values separated by dash: |
+ | | | range of certificates |
+ | | | that will be added by this |
+ | | | command. dash is used as a |
+ | | | delimiter. Only one |
+ | | | cert will be added if there |
+ | | | is no delimiter. |
+ | | | Implemented Extensions |
+ | | | The extensions defined for |
+ | | | CRL provide methods for |
+ | | | associating additional |
+ | | | attributes with CRLs of |
+ | | | theirs entries. For more |
+ | | | information see RFC #3280 |
+ | | | \* Add The Authority Key |
+ | | | Identifier extension: |
+ | | | The authority key |
+ | | | identifier extension provides |
+ | | | a means of identifying the |
+ | | | public key corresponding to |
+ | | | the private key used to sign a |
+ | | | CRL. |
+ | | | authKeyId critical [key-id |
+ | | | \| dn cert-serial] |
+ | | | Where: |
+ | | | authKeyIdent: identifies |
+ | | | the name of an extension |
+ | | | critical: value of 1 of |
+ | | | 0. Should be set to 1 if |
+ | | | this extension is critical or |
+ | | | 0 otherwise. |
+ | | | key-id: key identifier |
+ | | | represented in octet string. |
+ | | | dn:: is a CA |
+ | | | distinguished name |
+ | | | cert-serial: authority |
+ | | | certificate serial number. |
+ | | | \* Add Issuer Alternative |
+ | | | Name extension: |
+ | | | The issuer alternative |
+ | | | names extension allows |
+ | | | additional identities to be |
+ | | | associated with the issuer |
+ | | | of the CRL. Defined options |
+ | | | include an rfc822 |
+ | | | name (electronic mail |
+ | | | address), a DNS name, an IP |
+ | | | address, and a URI. |
+ | | | issuerAltNames non-critical |
+ | | | name-list |
+ | | | Where: |
+ | | | subjAltNames: identifies |
+ | | | the name of an extension |
+ | | | should be set to 0 since |
+ | | | this is non-critical |
+ | | | extension name-list: comma |
+ | | | separated list of names |
+ | | | \* Add CRL Number |
+ | | | extension: |
+ | | | The CRL number is a |
+ | | | non-critical CRL extension |
+ | | | which conveys a |
+ | | | monotonically increasing |
+ | | | sequence number for a given |
+ | | | CRL scope and CRL |
+ | | | issuer. This extension |
+ | | | allows users to easily |
+ | | | determine when a particular |
+ | | | CRL supersedes another CRL |
+ | | | crlNumber non-critical |
+ | | | number |
+ | | | Where: |
+ | | | crlNumber: identifies the |
+ | | | name of an extension critical: |
+ | | | should be set to |
+ | | | 0 since this is |
+ | | | non-critical extension number: |
+ | | | value of long which |
+ | | | identifies the sequential |
+ | | | number of a CRL. |
+ | | | \* Add Revocation Reason |
+ | | | Code extension: |
+ | | | The reasonCode is a |
+ | | | non-critical CRL entry |
+ | | | extension that identifies the |
+ | | | reason for the certificate |
+ | | | revocation. |
+ | | | reasonCode non-critical |
+ | | | code |
+ | | | Where: |
+ | | | reasonCode: identifies the |
+ | | | name of an extension |
+ | | | non-critical: should be |
+ | | | set to 0 since this is |
+ | | | non-critical extension code: |
+ | | | the following codes |
+ | | | are available: |
+ | | | unspecified (0), |
+ | | | keyCompromise (1), |
+ | | | cACompromise (2), |
+ | | | affiliationChanged |
+ | | | (3), superseded (4), |
+ | | | cessationOfOperation (5), |
+ | | | certificateHold (6), |
+ | | | removeFromCRL (8), |
+ | | | privilegeWithdrawn (9), |
+ | | | aACompromise (10) |
+ | | | \* Add Invalidity Date |
+ | | | extension: |
+ | | | The invalidity date is a |
+ | | | non-critical CRL entry |
+ | | | extension that provides |
+ | | | the date on which it is |
+ | | | known or suspected that the |
+ | | | private key was |
+ | | | compromised or that the |
+ | | | certificate otherwise became |
+ | | | invalid. |
+ | | | invalidityDate non-critical |
+ | | | date |
+ | | | Where: |
+ | | | crlNumber: identifies the |
+ | | | name of an extension |
+ | | | non-critical: should be set |
+ | | | to 0 since this is |
+ | | | non-critical extension date: |
+ | | | invalidity date of a cert. |
+ | | | Date should be represented |
+ | | | in GeneralizedTime format |
+ | | | (YYYYMMDDhhmmssZ). |
+ | | | Usage |
+ | | | The Certificate Revocation |
+ | | | List Management Tool's |
+ | | | capabilities are grouped |
+ | | | as follows, using these |
+ | | | combinations of options and |
+ | | | arguments. Options and |
+ | | | arguments in square |
+ | | | brackets are optional, those |
+ | | | without square brackets |
+ | | | are required. |
+ | | | See "Implemented |
+ | | | extensions" for more |
+ | | | information regarding |
+ | | | extensions and |
+ | | | their parameters. |
+ | | | \* Creating or modifying a |
+ | | | CRL: |
+ | | | crlutil -G|-M -c crl-gen-file |
+ | | | -n nickname [-i crl] [-u url] |
+ | | | [-d keydir] [-P dbprefix] [-l |
+ | | | alg] [-a] [-B] |
+ | | | \* Listing all CRls or a |
+ | | | named CRL: |
+ | | | crlutil -L [-n |
+ | | | crl-name] [-d krydir] |
+ | | | \* Deleting CRL from db: |
+ | | | crlutil -D -n |
+ | | | nickname [-d keydir] [-P |
+ | | | dbprefix] |
+ | | | \* Erasing CRLs from db: |
+ | | | crlutil -E [-d |
+ | | | keydir] [-P dbprefix] |
+ | | | \* Deleting CRL from db: |
+ | | | crlutil -D -n |
+ | | | nickname [-d keydir] [-P |
+ | | | dbprefix] |
+ | | | \* Erasing CRLs from db: |
+ | | | crlutil -E [-d |
+ | | | keydir] [-P dbprefix] |
+ | | | \* Import CRL from file: |
+ | | | crlutil -I -i crl |
+ | | | [-t crlType] [-u url] [-d |
+ | | | keydir] [-P dbprefix] [-B] |
+ | | | See also |
+ | | | certutil(1) |
+ | | | See Also |
+ | | | Additional Resources |
+ | | | NSS is maintained in |
+ | | | conjunction with PKI and |
+ | | | security-related projects |
+ | | | through Mozilla dn Fedora. |
+ | | | The most closely-related |
+ | | | project is Dogtag PKI, |
+ | | | with a project wiki at |
+ | | | [1]\ http: |
+ | | | //pki.fedoraproject.org/wiki/. |
+ | | | For information |
+ | | | specifically about NSS, the |
+ | | | NSS project wiki is located at |
+ | | | |
+ | | | [2]\ `http://www.mozil |
+ | | | la.org/projects/security/pki/n |
+ | | | ss/ <https://www.mozilla.org/p |
+ | | | rojects/security/pki/nss/>`__. |
+ | | | The NSS site relates |
+ | | | directly to NSS code |
+ | | | changes and releases. |
+ | | | Mailing lists: |
+ | | | pki-devel@redhat.com and |
+ | | | pki-users@redhat.com |
+ | | | IRC: Freenode at |
+ | | | #dogtag-pki |
+ | | | Authors |
+ | | | The NSS tools were written |
+ | | | and maintained by developers |
+ | | | with Netscape and |
+ | | | now with Red Hat. |
+ | | | Authors: Elio Maldonado |
+ | | | <emaldona@redhat.com>, Deon |
+ | | | Lackey |
+ | | | <dlackey@redhat.com>. |
+ | | | Copyright |
+ | | | (c) 2010, Red Hat, Inc. |
+ | | | Licensed under the GNU Public |
+ | | | License version 2. |
+ | | | References |
+ | | | Visible links |
+ | | | 1. |
+ | | | http |
+ | | | ://pki.fedoraproject.org/wiki/ |
+ | | | 2. |
+ | | | `http://www.mozi |
+ | | | lla.org/projects/security/pki/ |
+ | | | nss/ <https://www.mozilla.org/ |
+ | | | projects/security/pki/nss/>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 341 | :ref:`mozil | |
+ | | la_projects_nss_tools_modutil` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ | | | modutil — Manage PKCS #11 |
+ | | | module information within the |
+ | | | security module |
+ | | | database. |
+ | | | Synopsis |
+ | | | modutil [options] |
+ | | | `arguments <arguments>`__ |
+ | | | Description |
+ | | | The Security Module |
+ | | | Database Tool, modutil, is a |
+ | | | command-line utility for |
+ | | | managing PKCS #11 module |
+ | | | information both within |
+ | | | secmod.db files and |
+ | | | within hardware tokens. |
+ | | | modutil can add and delete |
+ | | | PKCS #11 modules, |
+ | | | change passwords on |
+ | | | security databases, set |
+ | | | defaults, list module |
+ | | | contents, enable or disable |
+ | | | slots, enable or disable FIPS |
+ | | | 140-2 |
+ | | | compliance, and assign |
+ | | | default providers for |
+ | | | cryptographic operations. |
+ | | | This tool can also create |
+ | | | certificate, key, and module |
+ | | | security database |
+ | | | files. |
+ | | | The tasks associated with |
+ | | | security module database |
+ | | | management are part of |
+ | | | a process that typically |
+ | | | also involves managing key |
+ | | | databases and |
+ | | | certificate databases. |
+ | | | Options |
+ | | | Running modutil always |
+ | | | requires one (and only one) |
+ | | | option to specify the |
+ | | | type of module operation. |
+ | | | Each option may take |
+ | | | arguments, anywhere from |
+ | | | none to multiple arguments. |
+ | | | Options |
+ | | | -add modulename |
+ | | | Add the named PKCS |
+ | | | #11 module to the database. |
+ | | | Use this option |
+ | | | with the -libfile, |
+ | | | -ciphers, and -mechanisms |
+ | | | arguments. |
+ | | | -changepw tokenname |
+ | | | Change the password |
+ | | | on the named token. If the |
+ | | | token has not been |
+ | | | initialized, this |
+ | | | option initializes the |
+ | | | password. Use this option |
+ | | | with the -pwfile |
+ | | | and -newpwfile arguments. A |
+ | | | password is |
+ | | | equivalent to a |
+ | | | personal identification number |
+ | | | (PIN). |
+ | | | -chkfips |
+ | | | Verify whether the |
+ | | | module is in the given FIPS |
+ | | | mode. true means to |
+ | | | verify that the |
+ | | | module is in FIPS mode, while |
+ | | | false means to |
+ | | | verify that the |
+ | | | module is not in FIPS mode. |
+ | | | -create |
+ | | | Create new |
+ | | | certificate, key, and module |
+ | | | databases. Use the -dbdir |
+ | | | directory argument |
+ | | | to specify a directory. If any |
+ | | | of these |
+ | | | databases already |
+ | | | exist in a specified |
+ | | | directory, modutil returns |
+ | | | an error message. |
+ | | | -default modulename |
+ | | | Specify the |
+ | | | security mechanisms for which |
+ | | | the named module will be |
+ | | | a default provider. |
+ | | | The security mechanisms are |
+ | | | specified with the |
+ | | | -mechanisms |
+ | | | argument. |
+ | | | -delete modulename |
+ | | | Delete the named |
+ | | | module. The default NSS PKCS |
+ | | | #11 module cannot be |
+ | | | deleted. |
+ | | | -disable modulename |
+ | | | Disable all slots |
+ | | | on the named module. Use the |
+ | | | -slot argument to |
+ | | | disable a specific |
+ | | | slot. |
+ | | | -enable modulename |
+ | | | Enable all slots on |
+ | | | the named module. Use the |
+ | | | -slot argument to |
+ | | | enable a specific |
+ | | | slot. |
+ | | | -fips [true \| false] |
+ | | | Enable (true) or |
+ | | | disable (false) FIPS 140-2 |
+ | | | compliance for the |
+ | | | default NSS module. |
+ | | | -force |
+ | | | Disable modutil's |
+ | | | interactive prompts so it can |
+ | | | be run from a |
+ | | | script. Use this |
+ | | | option only after manually |
+ | | | testing each planned |
+ | | | operation to check |
+ | | | for warnings and to ensure |
+ | | | that bypassing the |
+ | | | prompts will cause |
+ | | | no security lapses or loss of |
+ | | | database |
+ | | | integrity. |
+ | | | -jar JAR-file |
+ | | | Add a new PKCS #11 |
+ | | | module to the database using |
+ | | | the named JAR |
+ | | | file. Use this |
+ | | | command with the -installdir |
+ | | | and -tempdir |
+ | | | arguments. The JAR |
+ | | | file uses the NSS PKCS #11 JAR |
+ | | | format to |
+ | | | identify all the |
+ | | | files to be installed, the |
+ | | | module's name, the |
+ | | | mechanism flags, |
+ | | | and the cipher flags, as well |
+ | | | as any files to be |
+ | | | installed on the |
+ | | | target machine, including the |
+ | | | PKCS #11 module |
+ | | | library file and |
+ | | | other files such as |
+ | | | documentation. This is |
+ | | | covered in the JAR |
+ | | | installation file section in |
+ | | | the man page, |
+ | | | which details the |
+ | | | special script needed to |
+ | | | perform an installation |
+ | | | through a server or |
+ | | | with modutil. |
+ | | | -list [modulename] |
+ | | | Display basic |
+ | | | information about the contents |
+ | | | of the secmod.db |
+ | | | file. Specifying a |
+ | | | modulename displays detailed |
+ | | | information about |
+ | | | a particular module |
+ | | | and its slots and tokens. |
+ | | | -rawadd |
+ | | | Add the module spec |
+ | | | string to the secmod.db |
+ | | | database. |
+ | | | -rawlist |
+ | | | Display the module |
+ | | | specs for a specified module |
+ | | | or for all |
+ | | | loadable modules. |
+ | | | -undefault modulename |
+ | | | Specify the |
+ | | | security mechanisms for which |
+ | | | the named module will |
+ | | | not be a default |
+ | | | provider. The security |
+ | | | mechanisms are specified |
+ | | | with the |
+ | | | -mechanisms argument. |
+ | | | Arguments |
+ | | | MODULE |
+ | | | Give the security |
+ | | | module to access. |
+ | | | MODULESPEC |
+ | | | Give the security |
+ | | | module spec to load into the |
+ | | | security database. |
+ | | | -ciphers cipher-enable-list |
+ | | | Enable specific |
+ | | | ciphers in a module that is |
+ | | | being added to the |
+ | | | database. The |
+ | | | cipher-enable-list is a |
+ | | | colon-delimited list of |
+ | | | cipher names. |
+ | | | Enclose this list in quotation |
+ | | | marks if it contains |
+ | | | spaces. |
+ | | | -dbdir [sql:]directory |
+ | | | Specify the |
+ | | | database directory in which to |
+ | | | access or create |
+ | | | security module |
+ | | | database files. |
+ | | | modutil supports |
+ | | | two types of databases: the |
+ | | | legacy security |
+ | | | databases |
+ | | | (cert8.db, key3.db, and |
+ | | | secmod.db) and new SQLite |
+ | | | databases |
+ | | | (cert9.db, key4.db, and |
+ | | | pkcs11.txt). If the prefix |
+ | | | sql: |
+ | | | is not used, then |
+ | | | the tool assumes that the |
+ | | | given databases are in |
+ | | | the old format. |
+ | | | --dbprefix prefix |
+ | | | Specify the prefix |
+ | | | used on the database files, |
+ | | | such as my\_ for |
+ | | | my_cert8.db. This |
+ | | | option is provided as a |
+ | | | special case. Changing |
+ | | | the names of the |
+ | | | certificate and key databases |
+ | | | is not recommended. |
+ | | | -installdir |
+ | | | root-installation-directory |
+ | | | Specify the root |
+ | | | installation directory |
+ | | | relative to which files |
+ | | | will be installed |
+ | | | by the -jar option. This |
+ | | | directory should be one |
+ | | | below which it is |
+ | | | appropriate to store dynamic |
+ | | | library files, such |
+ | | | as a server's root |
+ | | | directory. |
+ | | | -libfile library-file |
+ | | | Specify a path to a |
+ | | | library file containing the |
+ | | | implementation of |
+ | | | the PKCS #11 |
+ | | | interface module that is being |
+ | | | added to the database. |
+ | | | -mechanisms mechanism-list |
+ | | | Specify the |
+ | | | security mechanisms for which |
+ | | | a particular module will |
+ | | | be flagged as a |
+ | | | default provider. The |
+ | | | mechanism-list is a |
+ | | | colon-delimited |
+ | | | list of mechanism names. |
+ | | | Enclose this list in |
+ | | | quotation marks if |
+ | | | it contains spaces. |
+ | | | The module becomes |
+ | | | a default provider for the |
+ | | | listed mechanisms |
+ | | | when those |
+ | | | mechanisms are enabled. If |
+ | | | more than one module claims |
+ | | | to be a particular |
+ | | | mechanism's default provider, |
+ | | | that mechanism's |
+ | | | default provider is |
+ | | | undefined. |
+ | | | modutil supports |
+ | | | several mechanisms: RSA, DSA, |
+ | | | RC2, RC4, RC5, AES, |
+ | | | DES, DH, SHA1, |
+ | | | SHA256, SHA512, SSL, TLS, MD5, |
+ | | | MD2, RANDOM (for |
+ | | | random number |
+ | | | generation), and FRIENDLY |
+ | | | (meaning certificates are |
+ | | | publicly readable). |
+ | | | -newpwfile |
+ | | | new-password-file |
+ | | | Specify a text file |
+ | | | containing a token's new or |
+ | | | replacement |
+ | | | password so that a |
+ | | | password can be entered |
+ | | | automatically with the |
+ | | | -changepw option. |
+ | | | -nocertdb |
+ | | | Do not open the |
+ | | | certificate or key databases. |
+ | | | This has several |
+ | | | effects: |
+ | | | o With the |
+ | | | -create command, only a module |
+ | | | security file is |
+ | | | created; |
+ | | | certificate and key databases |
+ | | | are not created. |
+ | | | o With the -jar |
+ | | | command, signatures on the JAR |
+ | | | file are not |
+ | | | checked. |
+ | | | o With the |
+ | | | -changepw command, the |
+ | | | password on the NSS internal |
+ | | | module cannot |
+ | | | be set or changed, since this |
+ | | | password is |
+ | | | stored in the |
+ | | | key database. |
+ | | | -pwfile old-password-file |
+ | | | Specify a text file |
+ | | | containing a token's existing |
+ | | | password so that |
+ | | | a password can be |
+ | | | entered automatically when the |
+ | | | -changepw option |
+ | | | is used to change |
+ | | | passwords. |
+ | | | -secmod secmodname |
+ | | | Give the name of |
+ | | | the security module database |
+ | | | (like secmod.db) to |
+ | | | load. |
+ | | | -slot slotname |
+ | | | Specify a |
+ | | | particular slot to be enabled |
+ | | | or disabled with the |
+ | | | -enable or -disable |
+ | | | options. |
+ | | | -string CONFIG_STRING |
+ | | | Pass a |
+ | | | configuration string for the |
+ | | | module being added to the |
+ | | | database. |
+ | | | -tempdir |
+ | | | temporary-directory |
+ | | | Give a directory |
+ | | | location where temporary files |
+ | | | are created during |
+ | | | the installation by |
+ | | | the -jar option. If no |
+ | | | temporary directory is |
+ | | | specified, the |
+ | | | current directory is used. |
+ | | | Usage and Examples |
+ | | | Creating Database Files |
+ | | | Before any operations can |
+ | | | be performed, there must be a |
+ | | | set of security |
+ | | | databases available. |
+ | | | modutil can be used to create |
+ | | | these files. The only |
+ | | | required argument is the |
+ | | | database that where the |
+ | | | databases will be |
+ | | | located. |
+ | | | modutil -create -dbdir |
+ | | | [sql:]directory |
+ | | | Adding a Cryptographic |
+ | | | Module |
+ | | | Adding a PKCS #11 module |
+ | | | means submitting a supporting |
+ | | | library file, |
+ | | | enabling its ciphers, and |
+ | | | setting default provider |
+ | | | status for various |
+ | | | security mechanisms. This |
+ | | | can be done by supplying all |
+ | | | of the information |
+ | | | through modutil directly or |
+ | | | by running a JAR file and |
+ | | | install script. For |
+ | | | the most basic case, simply |
+ | | | upload the library: |
+ | | | modutil -add modulename |
+ | | | -libfile library-file |
+ | | | [-ciphers cipher-enable-list] |
+ | | | [-mechanisms mechanism-list] |
+ | | | For example: |
+ | | | modutil -dbdir |
+ | | | sql:/home/my/sharednssdb -add |
+ | | | "Example PKCS #11 Module" |
+ | | | -libfile "/tmp/crypto.so" |
+ | | | -mechanisms RSA:DSA:RC2:RANDOM |
+ | | | Using database directory ... |
+ | | | Module "Example PKCS #11 |
+ | | | Module" added to database. |
+ | | | Installing a Cryptographic |
+ | | | Module from a JAR File |
+ | | | PKCS #11 modules can also |
+ | | | be loaded using a JAR file, |
+ | | | which contains all |
+ | | | of the required libraries |
+ | | | and an installation script |
+ | | | that describes how to |
+ | | | install the module. The JAR |
+ | | | install script is described in |
+ | | | more detail in |
+ | | | [1]the section called “JAR |
+ | | | Installation File Format”. |
+ | | | The JAR installation script |
+ | | | defines the setup information |
+ | | | for each |
+ | | | platform that the module |
+ | | | can be installed on. For |
+ | | | example: |
+ | | | Platforms { |
+ | | | Linux:5.4.08:x86 { |
+ | | | ModuleName { "Example |
+ | | | PKCS #11 Module" } |
+ | | | ModuleFile { crypto.so |
+ | | | } |
+ | | | |
+ | | | DefaultMechanismFlags{0x0000} |
+ | | | |
+ | | | CipherEnableFlags{0x0000} |
+ | | | Files { |
+ | | | crypto.so { |
+ | | | Path{ |
+ | | | /tmp/crypto.so } |
+ | | | } |
+ | | | setup.sh { |
+ | | | Executable |
+ | | | Path{ |
+ | | | /tmp/setup.sh } |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | Linux:6.0.0:x86 { |
+ | | | EquivalentPlatform { |
+ | | | Linux:5.4.08:x86 } |
+ | | | } |
+ | | | } |
+ | | | Both the install script and |
+ | | | the required libraries must be |
+ | | | bundled in a |
+ | | | JAR file, which is |
+ | | | specified with the -jar |
+ | | | argument. |
+ | | | modutil -dbdir |
+ | | | sql:/home/mt |
+ | | | "jar-install-filey/sharednssdb |
+ | | | -jar install.jar -installdir |
+ | | | sql:/home/my/sharednssdb |
+ | | | This installation JAR file |
+ | | | was signed by: |
+ | | | ---------------- |
+ | | | ------------------------------ |
+ | | | **SUBJECT NAME*\* |
+ | | | C=US, ST=California, |
+ | | | L=Mountain View, |
+ | | | CN=Cryptorific Inc., |
+ | | | OU=Digital ID |
+ | | | Class 3 - Netscape Object |
+ | | | Signing, |
+ | | | OU="w |
+ | | | ww.verisign.com/repository/CPS |
+ | | | Incorp. by Ref.,LIAB.LTD(c)9 |
+ | | | 6", OU=www.verisign.com/CPS |
+ | | | Incorp.by Ref |
+ | | | . LIABILITY LTD.(c)97 |
+ | | | VeriSign, OU=VeriSign Object |
+ | | | Signing CA - Class 3 |
+ | | | Organization, OU="VeriSign, |
+ | | | Inc.", O=VeriSign Trust |
+ | | | Network \**ISSUER |
+ | | | NAME**, |
+ | | | OU=www.verisign.com/CPS |
+ | | | Incorp.by Ref. LIABILITY |
+ | | | LTD.(c)97 |
+ | | | VeriSign, OU=VeriSign Object |
+ | | | Signing CA - Class 3 |
+ | | | Organization, |
+ | | | OU="VeriSign, Inc.", |
+ | | | O=VeriSign Trust Network |
+ | | | ---------------- |
+ | | | ------------------------------ |
+ | | | Do you wish to continue this |
+ | | | installation? (y/n) y |
+ | | | Using installer script |
+ | | | "installer_script" |
+ | | | Successfully parsed |
+ | | | installation script |
+ | | | Current platform is |
+ | | | Linux:5.4.08:x86 |
+ | | | Using installation parameters |
+ | | | for platform Linux:5.4.08:x86 |
+ | | | Installed file crypto.so to |
+ | | | /tmp/crypto.so |
+ | | | Installed file setup.sh to |
+ | | | ./pk11inst.dir/setup.sh |
+ | | | Executing |
+ | | | "./pk11inst.dir/setup.sh"... |
+ | | | "./pk11inst.dir/setup.sh" |
+ | | | executed successfully |
+ | | | Installed module "Example |
+ | | | PKCS #11 Module" into module |
+ | | | database |
+ | | | Installation completed |
+ | | | successfully |
+ | | | Adding Module Spec |
+ | | | Each module has information |
+ | | | stored in the security |
+ | | | database about its |
+ | | | configuration and |
+ | | | parameters. These can be added |
+ | | | or edited using the |
+ | | | -rawadd command. For the |
+ | | | current settings or to see the |
+ | | | format of the |
+ | | | module spec in the |
+ | | | database, use the -rawlist |
+ | | | option. |
+ | | | modutil -rawadd modulespec |
+ | | | Deleting a Module |
+ | | | A specific PKCS #11 module |
+ | | | can be deleted from the |
+ | | | secmod.db database: |
+ | | | modutil -delete modulename |
+ | | | -dbdir [sql:]directory |
+ | | | Displaying Module |
+ | | | Information |
+ | | | The secmod.db database |
+ | | | contains information about the |
+ | | | PKCS #11 modules |
+ | | | that are available to an |
+ | | | application or server to use. |
+ | | | The list of all |
+ | | | modules, information about |
+ | | | specific modules, and database |
+ | | | configuration |
+ | | | specs for modules can all |
+ | | | be viewed. |
+ | | | To simply get a list of |
+ | | | modules in the database, use |
+ | | | the -list command. |
+ | | | modutil -list [modulename] |
+ | | | -dbdir [sql:]directory |
+ | | | Listing the modules shows |
+ | | | the module name, their status, |
+ | | | and other |
+ | | | associated security |
+ | | | databases for certificates and |
+ | | | keys. For example: |
+ | | | modutil -list -dbdir |
+ | | | sql:/home/my/sharednssdb |
+ | | | Listing of PKCS #11 Modules |
+ | | | ----------------------------- |
+ | | | ------------------------------ |
+ | | | 1. NSS Internal PKCS #11 |
+ | | | Module |
+ | | | slots: 2 slots |
+ | | | attached |
+ | | | status: loaded |
+ | | | slot: NSS Internal |
+ | | | Cryptographic Services |
+ | | | token: NSS Generic |
+ | | | Crypto Services |
+ | | | slot: NSS User |
+ | | | Private Key and Certificate |
+ | | | Services |
+ | | | token: NSS |
+ | | | Certificate DB |
+ | | | ----------------------------- |
+ | | | ------------------------------ |
+ | | | Passing a specific module |
+ | | | name with the -list returns |
+ | | | details information |
+ | | | about the module itself, |
+ | | | like supported cipher |
+ | | | mechanisms, version |
+ | | | numbers, serial numbers, |
+ | | | and other information about |
+ | | | the module and the |
+ | | | token it is loaded on. For |
+ | | | example: |
+ | | | modutil -list "NSS Internal |
+ | | | PKCS #11 Module" -dbdir |
+ | | | sql:/home/my/sharednssdb |
+ | | | ----------------------------- |
+ | | | ------------------------------ |
+ | | | Name: NSS Internal PKCS #11 |
+ | | | Module |
+ | | | Library file: \**Internal |
+ | | | ONLY module*\* |
+ | | | Manufacturer: Mozilla |
+ | | | Foundation |
+ | | | Description: NSS Internal |
+ | | | Crypto Services |
+ | | | PKCS #11 Version 2.20 |
+ | | | Library Version: 3.11 |
+ | | | Cipher Enable Flags: None |
+ | | | Default Mechanism Flags: |
+ | | | RSA:RC2:RC4:D |
+ | | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES |
+ | | | Slot: NSS Internal |
+ | | | Cryptographic Services |
+ | | | Slot Mechanism Flags: |
+ | | | RSA:RC2:RC4:D |
+ | | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES |
+ | | | Manufacturer: Mozilla |
+ | | | Foundation |
+ | | | Type: Software |
+ | | | Version Number: 3.11 |
+ | | | Firmware Version: 0.0 |
+ | | | Status: Enabled |
+ | | | Token Name: NSS Generic |
+ | | | Crypto Services |
+ | | | Token Manufacturer: Mozilla |
+ | | | Foundation |
+ | | | Token Model: NSS 3 |
+ | | | Token Serial Number: |
+ | | | 0000000000000000 |
+ | | | Token Version: 4.0 |
+ | | | Token Firmware Version: 0.0 |
+ | | | Access: Write Protected |
+ | | | Login Type: Public (no |
+ | | | login required) |
+ | | | User Pin: NOT Initialized |
+ | | | Slot: NSS User Private Key |
+ | | | and Certificate Services |
+ | | | Slot Mechanism Flags: None |
+ | | | Manufacturer: Mozilla |
+ | | | Foundation |
+ | | | Type: Software |
+ | | | Version Number: 3.11 |
+ | | | Firmware Version: 0.0 |
+ | | | Status: Enabled |
+ | | | Token Name: NSS Certificate |
+ | | | DB |
+ | | | Token Manufacturer: Mozilla |
+ | | | Foundation |
+ | | | Token Model: NSS 3 |
+ | | | Token Serial Number: |
+ | | | 0000000000000000 |
+ | | | Token Version: 8.3 |
+ | | | Token Firmware Version: 0.0 |
+ | | | Access: NOT Write Protected |
+ | | | Login Type: Login required |
+ | | | User Pin: Initialized |
+ | | | A related command, -rawlist |
+ | | | returns information about the |
+ | | | database |
+ | | | configuration for the |
+ | | | modules. (This information can |
+ | | | be edited by loading |
+ | | | new specs using the -rawadd |
+ | | | command.) |
+ | | | modutil -rawlist -dbdir |
+ | | | sql:/home/my/sharednssdb |
+ | | | name="NSS Internal PKCS #11 |
+ | | | Module" |
+ | | | parameters="configdir=. |
+ | | | certPrefix= keyPrefix= |
+ | | | secmod=secmod.db |
+ | | | flags=readOnly " |
+ | | | NSS="trustOrder=75 |
+ | | | cipherOrder=100 |
+ | | | slotParams={0x00000001=[ |
+ | | | slotFlags=RSA,RC4,RC2,DES,DH,S |
+ | | | HA1,MD5,MD2,SSL,TLS,AES,RANDOM |
+ | | | askpw=any timeout=30 ] } |
+ | | | Flags=internal,critical" |
+ | | | Setting a Default Provider |
+ | | | for Security Mechanisms |
+ | | | Multiple security modules |
+ | | | may provide support for the |
+ | | | same security |
+ | | | mechanisms. It is possible |
+ | | | to set a specific security |
+ | | | module as the |
+ | | | default provider for a |
+ | | | specific security mechanism |
+ | | | (or, conversely, to |
+ | | | prohibit a provider from |
+ | | | supplying those mechanisms). |
+ | | | modutil -default modulename |
+ | | | -mechanisms mechanism-list |
+ | | | To set a module as the |
+ | | | default provider for |
+ | | | mechanisms, use the -default |
+ | | | command with a |
+ | | | colon-separated list of |
+ | | | mechanisms. The available |
+ | | | mechanisms depend on the |
+ | | | module; NSS supplies almost |
+ | | | all common |
+ | | | mechanisms. For example: |
+ | | | modutil -default "NSS |
+ | | | Internal PKCS #11 Module" |
+ | | | -dbdir -mechanisms RSA:DSA:RC2 |
+ | | | Using database directory |
+ | | | c:\databases... |
+ | | | Successfully changed |
+ | | | defaults. |
+ | | | Clearing the default |
+ | | | provider has the same format: |
+ | | | modutil -undefault "NSS |
+ | | | Internal PKCS #11 Module" |
+ | | | -dbdir -mechanisms MD2:MD5 |
+ | | | Enabling and Disabling |
+ | | | Modules and Slots |
+ | | | Modules, and specific slots |
+ | | | on modules, can be selectively |
+ | | | enabled or |
+ | | | disabled using modutil. |
+ | | | Both commands have the same |
+ | | | format: |
+ | | | modutil -enable|-disable |
+ | | | modulename [-slot slotname] |
+ | | | For example: |
+ | | | modutil -enable "NSS Internal |
+ | | | PKCS #11 Module" -slot "NSS |
+ | | | Internal Cryptographic |
+ | | | Servi |
+ | | | ces |
+ | | | " -dbdir . |
+ | | | Slot "NSS Internal |
+ | | | Cryptographic |
+ | | | Servi |
+ | | | ces |
+ | | | " enabled. |
+ | | | Be sure that the |
+ | | | appropriate amount of trailing |
+ | | | whitespace is after the |
+ | | | slot name. Some slot names |
+ | | | have a significant amount of |
+ | | | whitespace that |
+ | | | must be included, or the |
+ | | | operation will fail. |
+ | | | Enabling and Verifying FIPS |
+ | | | Compliance |
+ | | | The NSS modules can have |
+ | | | FIPS 140-2 compliance enabled |
+ | | | or disabled using |
+ | | | modutil with the -fips |
+ | | | option. For example: |
+ | | | modutil -fips true -dbdir |
+ | | | sql:/home/my/sharednssdb/ |
+ | | | FIPS mode enabled. |
+ | | | To verify that status of |
+ | | | FIPS mode, run the -chkfips |
+ | | | command with either a |
+ | | | true or false flag (it |
+ | | | doesn't matter which). The |
+ | | | tool returns the current |
+ | | | FIPS setting. |
+ | | | modutil -chkfips false -dbdir |
+ | | | sql:/home/my/sharednssdb/ |
+ | | | FIPS mode enabled. |
+ | | | Changing the Password on a |
+ | | | Token |
+ | | | Initializing or changing a |
+ | | | token's password: |
+ | | | modutil -changepw tokenname |
+ | | | [-pwfile old-password-file] |
+ | | | [-newpwfile new-password-file] |
+ | | | modutil -dbdir |
+ | | | sql:/home/my/sharednssdb |
+ | | | -changepw "NSS Certificate DB" |
+ | | | Enter old password: |
+ | | | Incorrect password, try |
+ | | | again... |
+ | | | Enter old password: |
+ | | | Enter new password: |
+ | | | Re-enter new password: |
+ | | | Token "Communicator |
+ | | | Certificate DB" password |
+ | | | changed successfully. |
+ | | | JAR Installation File Format |
+ | | | When a JAR file is run by a |
+ | | | server, by modutil, or by any |
+ | | | program that |
+ | | | does not interpret |
+ | | | JavaScript, a special |
+ | | | information file must be |
+ | | | included |
+ | | | to install the libraries. |
+ | | | There are several things to |
+ | | | keep in mind with |
+ | | | this file: |
+ | | | o It must be declared in |
+ | | | the JAR archive's manifest |
+ | | | file. |
+ | | | o The script can have any |
+ | | | name. |
+ | | | o The metainfo tag for |
+ | | | this is Pkcs11_install_script. |
+ | | | To declare |
+ | | | meta-information in the |
+ | | | manifest file, put it in a |
+ | | | file that is passed |
+ | | | to signtool. |
+ | | | Sample Script |
+ | | | For example, the PKCS #11 |
+ | | | installer script could be in |
+ | | | the file |
+ | | | pk11install. If so, the |
+ | | | metainfo file for signtool |
+ | | | includes a line such as |
+ | | | this: |
+ | | | + Pkcs11_install_script: |
+ | | | pk11install |
+ | | | The script must define the |
+ | | | platform and version number, |
+ | | | the module name |
+ | | | and file, and any optional |
+ | | | information like supported |
+ | | | ciphers and |
+ | | | mechanisms. Multiple |
+ | | | platforms can be defined in a |
+ | | | single install file. |
+ | | | ForwardCompatible { |
+ | | | IRIX:6.2:mips |
+ | | | SUNOS:5.5.1:sparc } |
+ | | | Platforms { |
+ | | | WINNT::x86 { |
+ | | | ModuleName { "Example |
+ | | | Module" } |
+ | | | ModuleFile { |
+ | | | win32/fort32.dll } |
+ | | | |
+ | | | DefaultMechanismFlags{0x0001} |
+ | | | |
+ | | | DefaultCipherFlags{0x0001} |
+ | | | Files { |
+ | | | win32/setup.exe { |
+ | | | Executable |
+ | | | RelativePath { |
+ | | | %temp%/setup.exe } |
+ | | | } |
+ | | | win32/setup.hlp { |
+ | | | RelativePath { |
+ | | | %temp%/setup.hlp } |
+ | | | } |
+ | | | win32/setup.cab { |
+ | | | RelativePath { |
+ | | | %temp%/setup.cab } |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | WIN95::x86 { |
+ | | | EquivalentPlatform |
+ | | | {WINNT::x86} |
+ | | | } |
+ | | | SUNOS:5.5.1:sparc { |
+ | | | ModuleName { "Example |
+ | | | UNIX Module" } |
+ | | | ModuleFile { |
+ | | | unix/fort.so } |
+ | | | |
+ | | | DefaultMechanismFlags{0x0001} |
+ | | | |
+ | | | CipherEnableFlags{0x0001} |
+ | | | Files { |
+ | | | unix/fort.so { |
+ | | | |
+ | | | Re |
+ | | | lativePath{%root%/lib/fort.so} |
+ | | | |
+ | | | AbsolutePath{/u |
+ | | | sr/local/netscape/lib/fort.so} |
+ | | | |
+ | | | FilePermissions{555} |
+ | | | } |
+ | | | xplat/instr.html { |
+ | | | |
+ | | | Relat |
+ | | | ivePath{%root%/docs/inst.html} |
+ | | | |
+ | | | AbsolutePath{/usr/ |
+ | | | local/netscape/docs/inst.html} |
+ | | | |
+ | | | FilePermissions{555} |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | IRIX:6.2:mips { |
+ | | | EquivalentPlatform { |
+ | | | SUNOS:5.5.1:sparc } |
+ | | | } |
+ | | | } |
+ | | | Script Grammar |
+ | | | The script is basic Java, |
+ | | | allowing lists, key-value |
+ | | | pairs, strings, and |
+ | | | combinations of all of |
+ | | | them. |
+ | | | --> valuelist |
+ | | | valuelist --> value valuelist |
+ | | | <null> |
+ | | | value ---> key_value_pair |
+ | | | string |
+ | | | key_value_pair --> key { |
+ | | | valuelist } |
+ | | | key --> string |
+ | | | string --> simple_string |
+ | | | "complex_string" |
+ | | | simple_string --> [^ |
+ | | | \\t\n\""{""}"]+ |
+ | | | complex_string --> |
+ | | | ([^\"\\\r\n]|(\\\")|(\\\\))+ |
+ | | | Quotes and backslashes must |
+ | | | be escaped with a backslash. A |
+ | | | complex string |
+ | | | must not include newlines |
+ | | | or carriage returns.Outside of |
+ | | | complex strings, |
+ | | | all white space (for |
+ | | | example, spaces, tabs, and |
+ | | | carriage returns) is |
+ | | | considered equal and is |
+ | | | used only to delimit tokens. |
+ | | | Keys |
+ | | | The Java install file uses |
+ | | | keys to define the platform |
+ | | | and module |
+ | | | information. |
+ | | | ForwardCompatible gives a |
+ | | | list of platforms that are |
+ | | | forward compatible. |
+ | | | If the current platform |
+ | | | cannot be found in the list of |
+ | | | supported |
+ | | | platforms, then the |
+ | | | ForwardCompatible list is |
+ | | | checked for any platforms |
+ | | | that have the same OS and |
+ | | | architecture in an earlier |
+ | | | version. If one is |
+ | | | found, its attributes are |
+ | | | used for the current platform. |
+ | | | Platforms (required) Gives |
+ | | | a list of platforms. Each |
+ | | | entry in the list is |
+ | | | itself a key-value pair: |
+ | | | the key is the name of the |
+ | | | platform and the value |
+ | | | list contains various |
+ | | | attributes of the platform. |
+ | | | The platform string is |
+ | | | in the format system |
+ | | | name:OS release:architecture. |
+ | | | The installer obtains |
+ | | | these values from NSPR. OS |
+ | | | release is an empty string on |
+ | | | non-Unix |
+ | | | operating systems. NSPR |
+ | | | supports these platforms: |
+ | | | o AIX (rs6000) |
+ | | | o BSDI (x86) |
+ | | | o FREEBSD (x86) |
+ | | | o HPUX (hppa1.1) |
+ | | | o IRIX (mips) |
+ | | | o LINUX (ppc, alpha, x86) |
+ | | | o MacOS (PowerPC) |
+ | | | o NCR (x86) |
+ | | | o NEC (mips) |
+ | | | o OS2 (x86) |
+ | | | o OSF (alpha) |
+ | | | o ReliantUNIX (mips) |
+ | | | o SCO (x86) |
+ | | | o SOLARIS (sparc) |
+ | | | o SONY (mips) |
+ | | | o SUNOS (sparc) |
+ | | | o UnixWare (x86) |
+ | | | o WIN16 (x86) |
+ | | | o WIN95 (x86) |
+ | | | o WINNT (x86) |
+ | | | For example: |
+ | | | IRIX:6.2:mips |
+ | | | SUNOS:5.5.1:sparc |
+ | | | Linux:2.0.32:x86 |
+ | | | WIN95::x86 |
+ | | | The module information is |
+ | | | defined independently for each |
+ | | | platform in the |
+ | | | ModuleName, ModuleFile, and |
+ | | | Files attributes. These |
+ | | | attributes must be |
+ | | | given unless an |
+ | | | EquivalentPlatform attribute |
+ | | | is specified. |
+ | | | Per-Platform Keys |
+ | | | Per-platform keys have |
+ | | | meaning only within the value |
+ | | | list of an entry in |
+ | | | the Platforms list. |
+ | | | ModuleName (required) gives |
+ | | | the common name for the |
+ | | | module. This name is |
+ | | | used to reference the |
+ | | | module by servers and by the |
+ | | | modutil tool. |
+ | | | ModuleFile (required) names |
+ | | | the PKCS #11 module file for |
+ | | | this platform. |
+ | | | The name is given as the |
+ | | | relative path of the file |
+ | | | within the JAR archive. |
+ | | | Files (required) lists the |
+ | | | files that need to be |
+ | | | installed for this |
+ | | | module. Each entry in the |
+ | | | file list is a key-value pair. |
+ | | | The key is the |
+ | | | path of the file in the JAR |
+ | | | archive, and the value list |
+ | | | contains |
+ | | | attributes of the file. At |
+ | | | least RelativePath or |
+ | | | AbsolutePath must be |
+ | | | specified for each file. |
+ | | | DefaultMechanismFlags |
+ | | | specifies mechanisms for which |
+ | | | this module is the |
+ | | | default provider; this is |
+ | | | equivalent to the -mechanism |
+ | | | option with the |
+ | | | -add command. This |
+ | | | key-value pair is a bitstring |
+ | | | specified in hexadecimal |
+ | | | (0x) format. It is |
+ | | | constructed as a bitwise OR. |
+ | | | If the |
+ | | | DefaultMechanismFlags entry |
+ | | | is omitted, the value defaults |
+ | | | to 0x0. |
+ | | | RSA: |
+ | | | 0x00000001 |
+ | | | DSA: |
+ | | | 0x00000002 |
+ | | | RC2: |
+ | | | 0x00000004 |
+ | | | RC4: |
+ | | | 0x00000008 |
+ | | | DES: |
+ | | | 0x00000010 |
+ | | | DH: |
+ | | | 0x00000020 |
+ | | | FORTEZZA: |
+ | | | 0x00000040 |
+ | | | RC5: |
+ | | | 0x00000080 |
+ | | | SHA1: |
+ | | | 0x00000100 |
+ | | | MD5: |
+ | | | 0x00000200 |
+ | | | MD2: |
+ | | | 0x00000400 |
+ | | | RANDOM: |
+ | | | 0x08000000 |
+ | | | FRIENDLY: |
+ | | | 0x10000000 |
+ | | | OWN_PW_DEFAULTS: |
+ | | | 0x20000000 |
+ | | | DISABLE: |
+ | | | 0x40000000 |
+ | | | CipherEnableFlags specifies |
+ | | | ciphers that this module |
+ | | | provides that NSS |
+ | | | does not provide (so that |
+ | | | the module enables those |
+ | | | ciphers for NSS). This |
+ | | | is equivalent to the |
+ | | | -cipher argument with the -add |
+ | | | command. This key is a |
+ | | | bitstring specified in |
+ | | | hexadecimal (0x) format. It is |
+ | | | constructed as a |
+ | | | bitwise OR. If the |
+ | | | CipherEnableFlags entry is |
+ | | | omitted, the value defaults |
+ | | | to 0x0. |
+ | | | EquivalentPlatform |
+ | | | specifies that the attributes |
+ | | | of the named platform |
+ | | | should also be used for the |
+ | | | current platform. This makes |
+ | | | it easier when |
+ | | | more than one platform uses |
+ | | | the same settings. |
+ | | | Per-File Keys |
+ | | | Some keys have meaning only |
+ | | | within the value list of an |
+ | | | entry in a Files |
+ | | | list. |
+ | | | Each file requires a path |
+ | | | key the identifies where the |
+ | | | file is. Either |
+ | | | RelativePath or |
+ | | | AbsolutePath must be |
+ | | | specified. If both are |
+ | | | specified, the |
+ | | | relative path is tried |
+ | | | first, and the absolute path |
+ | | | is used only if no |
+ | | | relative root directory is |
+ | | | provided by the installer |
+ | | | program. |
+ | | | RelativePath specifies the |
+ | | | destination directory of the |
+ | | | file, relative to |
+ | | | some directory decided at |
+ | | | install time. Two variables |
+ | | | can be used in the |
+ | | | relative path: %root% and |
+ | | | %temp%. %root% is replaced at |
+ | | | run time with the |
+ | | | directory relative to which |
+ | | | files should be installed; for |
+ | | | example, it may |
+ | | | be the server's root |
+ | | | directory. The %temp% |
+ | | | directory is created at the |
+ | | | beginning of the |
+ | | | installation and destroyed at |
+ | | | the end. The purpose of |
+ | | | %temp% is to hold |
+ | | | executable files (such as |
+ | | | setup programs) or files that |
+ | | | are used by these programs. |
+ | | | Files destined for the |
+ | | | temporary directory are |
+ | | | guaranteed to be in place |
+ | | | before any executable file is |
+ | | | run; they are not |
+ | | | deleted until all |
+ | | | executable files have |
+ | | | finished. |
+ | | | AbsolutePath specifies the |
+ | | | destination directory of the |
+ | | | file as an |
+ | | | absolute path. |
+ | | | Executable specifies that |
+ | | | the file is to be executed |
+ | | | during the course of |
+ | | | the installation. |
+ | | | Typically, this string is used |
+ | | | for a setup program |
+ | | | provided by a module |
+ | | | vendor, such as a |
+ | | | self-extracting setup |
+ | | | executable. |
+ | | | More than one file can be |
+ | | | specified as executable, in |
+ | | | which case the files |
+ | | | are run in the order in |
+ | | | which they are specified in |
+ | | | the script file. |
+ | | | FilePermissions sets |
+ | | | permissions on any referenced |
+ | | | files in a string of |
+ | | | octal digits, according to |
+ | | | the standard Unix format. This |
+ | | | string is a |
+ | | | bitwise OR. |
+ | | | user read: |
+ | | | 0400 |
+ | | | user write: |
+ | | | 0200 |
+ | | | user execute: |
+ | | | 0100 |
+ | | | group read: |
+ | | | 0040 |
+ | | | group write: |
+ | | | 0020 |
+ | | | group execute: |
+ | | | 0010 |
+ | | | other read: |
+ | | | 0004 |
+ | | | other write: |
+ | | | 0002 |
+ | | | other execute: 0001 |
+ | | | Some platforms may not |
+ | | | understand these permissions. |
+ | | | They are applied only |
+ | | | insofar as they make sense |
+ | | | for the current platform. If |
+ | | | this attribute is |
+ | | | omitted, a default of 777 |
+ | | | is assumed. |
+ | | | NSS Database Types |
+ | | | NSS originally used |
+ | | | BerkeleyDB databases to store |
+ | | | security information. |
+ | | | The last versions of these |
+ | | | legacy databases are: |
+ | | | o cert8.db for |
+ | | | certificates |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
+ | | | module information |
+ | | | BerkeleyDB has performance |
+ | | | limitations, though, which |
+ | | | prevent it from |
+ | | | being easily used by |
+ | | | multiple applications |
+ | | | simultaneously. NSS has some |
+ | | | flexibility that allows |
+ | | | applications to use their own, |
+ | | | independent |
+ | | | database engine while |
+ | | | keeping a shared database and |
+ | | | working around the |
+ | | | access issues. Still, NSS |
+ | | | requires more flexibility to |
+ | | | provide a truly |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
+ | | | new set of databases that are |
+ | | | SQLite databases |
+ | | | rather than BerkleyDB. |
+ | | | These new databases provide |
+ | | | more accessibility and |
+ | | | performance: |
+ | | | o cert9.db for |
+ | | | certificates |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
+ | | | listing of all of the PKCS #11 |
+ | | | modules contained |
+ | | | in a new subdirectory |
+ | | | in the security databases |
+ | | | directory |
+ | | | Because the SQLite |
+ | | | databases are designed to be |
+ | | | shared, these are the |
+ | | | shared database type. The |
+ | | | shared database type is |
+ | | | preferred; the legacy |
+ | | | format is included for |
+ | | | backward compatibility. |
+ | | | By default, the tools |
+ | | | (certutil, pk12util, modutil) |
+ | | | assume that the given |
+ | | | security databases follow |
+ | | | the more common legacy type. |
+ | | | Using the SQLite |
+ | | | databases must be manually |
+ | | | specified by using the sql: |
+ | | | prefix with the |
+ | | | given security directory. |
+ | | | For example: |
+ | | | modutil -create -dbdir |
+ | | | sql:/home/my/sharednssdb |
+ | | | To set the shared database |
+ | | | type as the default type for |
+ | | | the tools, set the |
+ | | | NSS_DEFAULT_DB_TYPE |
+ | | | environment variable to sql: |
+ | | | export |
+ | | | NSS_DEFAULT_DB_TYPE="sql" |
+ | | | This line can be set added |
+ | | | to the ~/.bashrc file to make |
+ | | | the change |
+ | | | permanent. |
+ | | | Most applications do not |
+ | | | use the shared database by |
+ | | | default, but they can |
+ | | | be configured to use them. |
+ | | | For example, this how-to |
+ | | | article covers how to |
+ | | | configure Firefox and |
+ | | | Thunderbird to use the new |
+ | | | shared NSS databases: |
+ | | | |
+ | | | o https://wiki.m |
+ | | | ozilla.org/NSS_Shared_DB_Howto |
+ | | | For an engineering draft on |
+ | | | the changes in the shared NSS |
+ | | | databases, see |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
+ | | | wiki.mozilla.org/NSS_Shared_DB |
+ | | | See Also |
+ | | | certutil (1) |
+ | | | pk12util (1) |
+ | | | signtool (1) |
+ | | | The NSS wiki has |
+ | | | information on the new |
+ | | | database design and how to |
+ | | | configure applications to |
+ | | | use it. |
+ | | | |
+ | | | o https://wiki.m |
+ | | | ozilla.org/NSS_Shared_DB_Howto |
+ | | | |
+ | | | o https:// |
+ | | | wiki.mozilla.org/NSS_Shared_DB |
+ | | | Additional Resources |
+ | | | For information about NSS |
+ | | | and other tools related to NSS |
+ | | | (like JSS), check |
+ | | | out the NSS project wiki at |
+ | | | |
+ | | | [2]\ `http://www.mozil |
+ | | | la.org/projects/security/pki/n |
+ | | | ss/ <https://www.mozilla.org/p |
+ | | | rojects/security/pki/nss/>`__. |
+ | | | The NSS site relates |
+ | | | directly to NSS code |
+ | | | changes and releases. |
+ | | | Mailing lists: |
+ | | | https://lists.mozill |
+ | | | a.org/listinfo/dev-tech-crypto |
+ | | | IRC: Freenode at |
+ | | | #dogtag-pki |
+ | | | Authors |
+ | | | The NSS tools were written |
+ | | | and maintained by developers |
+ | | | with Netscape, Red |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
+ | | | <emaldona@redhat.com>, Deon |
+ | | | Lackey |
+ | | | <dlackey@redhat.com>. |
+ | | | Copyright |
+ | | | (c) 2010, Red Hat, Inc. |
+ | | | Licensed under the GNU Public |
+ | | | License version 2. |
+ | | | References |
+ | | | Visible links |
+ | | | 1. JAR Installation File |
+ | | | Format |
+ | | | |
+ | | | ``file:///tmp/xmlto.6gGxS0/ |
+ | | | modutil.pro...r-install-file`` |
+ | | | 2. |
+ | | | https://www.mozilla. |
+ | | | org/projects/security/pki/nss/ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 342 | :ref:`mozilla_projects_nss_t | |
+ | | ools_nss_tools_certutil-tasks` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 343 | :ref:`mozilla_projects | **certificates, x509v3** |
+ | | _nss_tools_nss_tools_certutil` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Certificate Database Tool |
+ | | | is a command-line utility that |
+ | | | can create and modify the |
+ | | | Netscape Communicator |
+ | | | ``cert8.db`` and |
+ | | | ``key3.db``\ database files. |
+ | | | It can also list, generate, |
+ | | | modify, or delete certificates |
+ | | | within the ``cert8.db``\ file |
+ | | | and create or change the |
+ | | | password, generate new public |
+ | | | and private key pairs, display |
+ | | | the contents of the key |
+ | | | database, or delete key pairs |
+ | | | within the ``key3.db`` file. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 344 | :ref:`mozilla_project | |
+ | | s_nss_tools_nss_tools_cmsutil` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The cmsutil command-line |
+ | | | utility uses the `S/MIME |
+ | | | Toolkit <../smime/>`__ to |
+ | | | perform basic operations, such |
+ | | | as encryption and decryption, |
+ | | | on `Cryptographic Message |
+ | | | Syntax (CMS) <http://ww |
+ | | | w.ietf.org/rfc/rfc2630.txt>`__ |
+ | | | messages. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 345 | :ref:`mozilla_project | |
+ | | s_nss_tools_nss_tools_crlutil` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 346 | :ref:`mozilla_projects_n | |
+ | | ss_tools_nss_tools_dbck-tasks` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 347 | :ref:`mozilla_projects_nss_ | |
+ | | tools_nss_tools_modutil-tasks` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 348 | :ref:`mozilla_project | |
+ | | s_nss_tools_nss_tools_modutil` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The Security Module Database |
+ | | | Tool is a command-line utility |
+ | | | for managing PKCS #11 module |
+ | | | information within |
+ | | | ``secmod.db`` files or within |
+ | | | hardware tokens. You can use |
+ | | | the tool to add and delete |
+ | | | PKCS #11 modules, change |
+ | | | passwords, set defaults, list |
+ | | | module contents, enable or |
+ | | | disable slots, enable or |
+ | | | disable FIPS 140-2 compliance, |
+ | | | and assign default providers |
+ | | | for cryptographic operations. |
+ | | | This tool can also create |
+ | | | ``key3.db``, ``cert8.db``, and |
+ | | | ``secmod.db`` security |
+ | | | database files. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 349 | :ref:`mozilla_projects_nss_t | |
+ | | ools_nss_tools_pk12util-tasks` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Newsgroup: |
+ | | | `mozilla.dev.tech |
+ | | | .crypto <news://news.mozilla.o |
+ | | | rg/mozilla.dev.tech.crypto>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 350 | :ref:`mozilla_projects | |
+ | | _nss_tools_nss_tools_pk12util` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The PKCS #12 utility makes |
+ | | | sharing of certificates among |
+ | | | Enterprise server 3.x and any |
+ | | | server (Netscape products or |
+ | | | non-Netscape products) that |
+ | | | supports PKCS#12 possible. The |
+ | | | tool allows you to import |
+ | | | certificates and keys from |
+ | | | pkcs #12 files into NSS or |
+ | | | export them and also list |
+ | | | certificates and keys in such |
+ | | | files. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 351 | :ref:`mozilla_projects_nss_ | |
+ | | tools_nss_tools_signver-tasks` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | *No summary!* |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 352 | :ref:`mozilla_projects_ns | |
+ | | s_tools_nss_tools_sslstrength` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | A simple command-line client |
+ | | | which connects to an |
+ | | | SSL-server, and reports back |
+ | | | the encryption cipher and |
+ | | | strength used. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 353 | :ref:`mozilla_projec | |
+ | | ts_nss_tools_nss_tools_ssltap` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The SSL Debugging Tool is an |
+ | | | SSL-aware command-line proxy. |
+ | | | It watches TCP connections and |
+ | | | displays the data going by. If |
+ | | | a connection is SSL, the data |
+ | | | display includes interpreted |
+ | | | SSL records and handshaking. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 354 | :ref:`mozill | |
+ | | a_projects_nss_tools_pk12util` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ | | | pk12util — Export and |
+ | | | import keys and certificate to |
+ | | | or from a PKCS #12 |
+ | | | file and the NSS database |
+ | | | Synopsis |
+ | | | pk12util [-i p12File [-h |
+ | | | tokenname] [-v] |
+ | | | [common-options] ] [ -l |
+ | | | p12File |
+ | | | [-h tokenname] [-r] |
+ | | | [common-options] ] [ -o |
+ | | | p12File -n certname [-c |
+ | | | keyCipher] [-C certCipher] |
+ | | | [-m|--key_len keyLen] |
+ | | | [-n|--cert_key_len |
+ | | | certKeyLen] |
+ | | | [common-options] ] [ |
+ | | | common-options are: [-d |
+ | | | [sql:]directory] |
+ | | | [-P dbprefix] [-k |
+ | | | slotPasswordFile|-K |
+ | | | slotPassword] [-w |
+ | | | p12filePasswordFile|-W |
+ | | | p12filePassword] ] |
+ | | | Description |
+ | | | The PKCS #12 utility, |
+ | | | pk12util, enables sharing |
+ | | | certificates among any |
+ | | | server that supports |
+ | | | PKCS#12. The tool can import |
+ | | | certificates and keys |
+ | | | from PKCS#12 files into |
+ | | | security databases, export |
+ | | | certificates, and list |
+ | | | certificates and keys. |
+ | | | Options and Arguments |
+ | | | Options |
+ | | | -i p12file |
+ | | | Import keys and |
+ | | | certificates from a PKCS#12 |
+ | | | file into a security |
+ | | | database. |
+ | | | -l p12file |
+ | | | List the keys and |
+ | | | certificates in PKCS#12 file. |
+ | | | -o p12file |
+ | | | Export keys and |
+ | | | certificates from the security |
+ | | | database to a |
+ | | | PKCS#12 file. |
+ | | | Arguments |
+ | | | -n certname |
+ | | | Specify the |
+ | | | nickname of the cert and |
+ | | | private key to export. |
+ | | | -d [sql:]directory |
+ | | | Specify the |
+ | | | database directory into which |
+ | | | to import to or export |
+ | | | from certificates |
+ | | | and keys. |
+ | | | pk12util supports |
+ | | | two types of databases: the |
+ | | | legacy security |
+ | | | databases |
+ | | | (cert8.db, key3.db, and |
+ | | | secmod.db) and new SQLite |
+ | | | databases |
+ | | | (cert9.db, key4.db, and |
+ | | | pkcs11.txt). If the prefix |
+ | | | sql: |
+ | | | is not used, then |
+ | | | the tool assumes that the |
+ | | | given databases are in |
+ | | | the old format. |
+ | | | -P prefix |
+ | | | Specify the prefix |
+ | | | used on the certificate and |
+ | | | key databases. This |
+ | | | option is provided |
+ | | | as a special case. Changing |
+ | | | the names of the |
+ | | | certificate and key |
+ | | | databases is not recommended. |
+ | | | -h tokenname |
+ | | | Specify the name of |
+ | | | the token to import into or |
+ | | | export from. |
+ | | | -v |
+ | | | Enable debug |
+ | | | logging when importing. |
+ | | | -k slotPasswordFile |
+ | | | Specify the text |
+ | | | file containing the slot's |
+ | | | password. |
+ | | | -K slotPassword |
+ | | | Specify the slot's |
+ | | | password. |
+ | | | -w p12filePasswordFile |
+ | | | Specify the text |
+ | | | file containing the pkcs #12 |
+ | | | file password. |
+ | | | -W p12filePassword |
+ | | | Specify the pkcs |
+ | | | #12 file password. |
+ | | | -c keyCipher |
+ | | | Specify the key |
+ | | | encryption algorithm. |
+ | | | -C certCipher |
+ | | | Specify the key |
+ | | | cert (overall package) |
+ | | | encryption algorithm. |
+ | | | -m \| --key-len keyLength |
+ | | | Specify the desired |
+ | | | length of the symmetric key to |
+ | | | be used to |
+ | | | encrypt the private |
+ | | | key. |
+ | | | -n \| --cert-key-len |
+ | | | certKeyLength |
+ | | | Specify the desired |
+ | | | length of the symmetric key to |
+ | | | be used to |
+ | | | encrypt the |
+ | | | certificates and other |
+ | | | meta-data. |
+ | | | -r |
+ | | | Dumps all of the |
+ | | | data in raw (binary) form. |
+ | | | This must be saved as |
+ | | | a DER file. The |
+ | | | default is to return |
+ | | | information in a pretty-print |
+ | | | ASCII format, which |
+ | | | displays the information about |
+ | | | the |
+ | | | certificates and |
+ | | | public keys in the p12 file. |
+ | | | Return Codes |
+ | | | o 0 - No error |
+ | | | o 1 - User Cancelled |
+ | | | o 2 - Usage error |
+ | | | o 6 - NLS init error |
+ | | | o 8 - Certificate DB open |
+ | | | error |
+ | | | o 9 - Key DB open error |
+ | | | o 10 - File |
+ | | | initialization error |
+ | | | o 11 - Unicode conversion |
+ | | | error |
+ | | | o 12 - Temporary file |
+ | | | creation error |
+ | | | o 13 - PKCS11 get slot |
+ | | | error |
+ | | | o 14 - PKCS12 decoder |
+ | | | start error |
+ | | | o 15 - error read from |
+ | | | import file |
+ | | | o 16 - pkcs12 decode |
+ | | | error |
+ | | | o 17 - pkcs12 decoder |
+ | | | verify error |
+ | | | o 18 - pkcs12 decoder |
+ | | | validate bags error |
+ | | | o 19 - pkcs12 decoder |
+ | | | import bags error |
+ | | | o 20 - key db conversion |
+ | | | version 3 to version 2 error |
+ | | | o 21 - cert db conversion |
+ | | | version 7 to version 5 error |
+ | | | o 22 - cert and key dbs |
+ | | | patch error |
+ | | | o 23 - get default cert |
+ | | | db error |
+ | | | o 24 - find cert by |
+ | | | nickname error |
+ | | | o 25 - create export |
+ | | | context error |
+ | | | o 26 - PKCS12 add |
+ | | | password itegrity error |
+ | | | o 27 - cert and key Safes |
+ | | | creation error |
+ | | | o 28 - PKCS12 add cert |
+ | | | and key error |
+ | | | o 29 - PKCS12 encode |
+ | | | error |
+ | | | Examples |
+ | | | Importing Keys and |
+ | | | Certificates |
+ | | | The most basic usage of |
+ | | | pk12util for importing a |
+ | | | certificate or key is the |
+ | | | PKCS#12 input file (-i) and |
+ | | | some way to specify the |
+ | | | security database |
+ | | | being accessed (either -d |
+ | | | for a directory or -h for a |
+ | | | token). |
+ | | | pk12util -i p12File [-h |
+ | | | tokenname] [-v] [-d |
+ | | | [sql:]directory] [-P dbprefix] |
+ | | | [-k slotPasswordFile|-K |
+ | | | slotPassword] [-w |
+ | | | p12filePasswordFile|-W |
+ | | | p12filePassword] |
+ | | | For example: |
+ | | | # pk12util -i |
+ | | | /tmp/cert-files/users.p12 -d |
+ | | | sql:/home/my/sharednssdb |
+ | | | Enter a password which will |
+ | | | be used to encrypt your keys. |
+ | | | The password should be at |
+ | | | least 8 characters long, |
+ | | | and should contain at least |
+ | | | one non-alphabetic character. |
+ | | | Enter new password: |
+ | | | Re-enter password: |
+ | | | Enter password for PKCS12 |
+ | | | file: |
+ | | | pk12util: PKCS12 IMPORT |
+ | | | SUCCESSFUL |
+ | | | Exporting Keys and |
+ | | | Certificates |
+ | | | Using the pk12util command |
+ | | | to export certificates and |
+ | | | keys requires both |
+ | | | the name of the certificate |
+ | | | to extract from the database |
+ | | | (-n) and the |
+ | | | PKCS#12-formatted output |
+ | | | file to write to. There are |
+ | | | optional parameters |
+ | | | that can be used to encrypt |
+ | | | the file to protect the |
+ | | | certificate material. |
+ | | | pk12util -o p12File -n |
+ | | | certname [-c keyCipher] [-C |
+ | | | certCipher] [-m|--key_len |
+ | | | keyLen] [-n|--cert_key_len |
+ | | | certKeyLen] [-d |
+ | | | [sql:]directory] [-P dbprefix] |
+ | | | [-k slotPasswordFile|-K |
+ | | | slotPassword] [-w |
+ | | | p12filePasswordFile|-W |
+ | | | p12filePassword] |
+ | | | For example: |
+ | | | # pk12util -o certs.p12 -n |
+ | | | Server-Cert -d |
+ | | | sql:/home/my/sharednssdb |
+ | | | Enter password for PKCS12 |
+ | | | file: |
+ | | | Re-enter password: |
+ | | | Listing Keys and |
+ | | | Certificates |
+ | | | The information in a .p12 |
+ | | | file are not human-readable. |
+ | | | The certificates |
+ | | | and keys in the file can be |
+ | | | printed (listed) in a |
+ | | | human-readable |
+ | | | pretty-print format that |
+ | | | shows information for every |
+ | | | certificate and any |
+ | | | public keys in the .p12 |
+ | | | file. |
+ | | | pk12util -l p12File [-h |
+ | | | tokenname] [-r] [-d |
+ | | | [sql:]directory] [-P dbprefix] |
+ | | | [-k slotPasswordFile|-K |
+ | | | slotPassword] [-w |
+ | | | p12filePasswordFile|-W |
+ | | | p12filePassword] |
+ | | | For example, this prints |
+ | | | the default ASCII output: |
+ | | | # pk12util -l certs.p12 |
+ | | | Enter password for PKCS12 |
+ | | | file: |
+ | | | Key(shrouded): |
+ | | | Friendly Name: Thawte |
+ | | | Freemail Member's Thawte |
+ | | | Consulting (Pty) Ltd. ID |
+ | | | Encryption algorithm: |
+ | | | PKCS #12 V2 PBE With SHA-1 And |
+ | | | 3KEY Triple DES-CBC |
+ | | | Parameters: |
+ | | | Salt: |
+ | | | |
+ | | | 45:2e:6a:a0:03:4d |
+ | | | :7b:a1:63:3c:15:ea:67:37:62:1f |
+ | | | Iteration Count: |
+ | | | 1 (0x1) |
+ | | | Certificate: |
+ | | | Data: |
+ | | | Version: 3 (0x2) |
+ | | | Serial Number: 13 |
+ | | | (0xd) |
+ | | | Signature Algorithm: |
+ | | | PKCS #1 SHA-1 With RSA |
+ | | | Encryption |
+ | | | Issuer: |
+ | | | "E=personal |
+ | | | -freemail@thawte.com,CN=Thawte |
+ | | | Personal Freemail C |
+ | | | |
+ | | | A,OU=Certification Services |
+ | | | Division,O=Thawte |
+ | | | Consulting,L=Cape T |
+ | | | own,ST=Western |
+ | | | Cape,C=ZA" |
+ | | | .... |
+ | | | Alternatively, the -r |
+ | | | prints the certificates and |
+ | | | then exports them into |
+ | | | separate DER binary files. |
+ | | | This allows the certificates |
+ | | | to be fed to |
+ | | | another application that |
+ | | | supports .p12 files. Each |
+ | | | certificate is written |
+ | | | to a sequentially-number |
+ | | | file, beginning with |
+ | | | file0001.der and continuing |
+ | | | through file000N.der, |
+ | | | incrementing the number for |
+ | | | every certificate: |
+ | | | # pk12util -l test.p12 -r |
+ | | | Enter password for PKCS12 |
+ | | | file: |
+ | | | Key(shrouded): |
+ | | | Friendly Name: Thawte |
+ | | | Freemail Member's Thawte |
+ | | | Consulting (Pty) Ltd. ID |
+ | | | Encryption algorithm: |
+ | | | PKCS #12 V2 PBE With SHA-1 And |
+ | | | 3KEY Triple DES-CBC |
+ | | | Parameters: |
+ | | | Salt: |
+ | | | |
+ | | | 45:2e:6a:a0:03:4d |
+ | | | :7b:a1:63:3c:15:ea:67:37:62:1f |
+ | | | Iteration Count: |
+ | | | 1 (0x1) |
+ | | | Certificate Friendly Name: |
+ | | | Thawte Personal Freemail |
+ | | | Issuing CA - Thawte Consulting |
+ | | | Certificate Friendly Name: |
+ | | | Thawte Freemail Member's |
+ | | | Thawte Consulting (Pty) Ltd. |
+ | | | ID |
+ | | | Password Encryption |
+ | | | PKCS#12 provides for not |
+ | | | only the protection of the |
+ | | | private keys but also |
+ | | | the certificate and |
+ | | | meta-data associated with the |
+ | | | keys. Password-based |
+ | | | encryption is used to |
+ | | | protect private keys on export |
+ | | | to a PKCS#12 file |
+ | | | and, optionally, the entire |
+ | | | package. If no algorithm is |
+ | | | specified, the |
+ | | | tool defaults to using |
+ | | | PKCS12 V2 PBE with SHA1 and |
+ | | | 3KEY Triple DES-cbc for |
+ | | | private key encryption. |
+ | | | PKCS12 V2 PBE with SHA1 and 40 |
+ | | | Bit RC4 is the |
+ | | | default for the overall |
+ | | | package encryption when not in |
+ | | | FIPS mode. When in |
+ | | | FIPS mode, there is no |
+ | | | package encryption. |
+ | | | The private key is always |
+ | | | protected with strong |
+ | | | encryption by default. |
+ | | | Several types of ciphers |
+ | | | are supported. |
+ | | | Symmetric CBC ciphers for |
+ | | | PKCS#5 V2 |
+ | | | DES_CBC |
+ | | | o RC2-CBC |
+ | | | o RC5-CBCPad |
+ | | | o DES-EDE3-CBC |
+ | | | (the default for key |
+ | | | encryption) |
+ | | | o AES-128-CBC |
+ | | | o AES-192-CBC |
+ | | | o AES-256-CBC |
+ | | | |
+ | | | o CAMELLIA-128-CBC |
+ | | | |
+ | | | o CAMELLIA-192-CBC |
+ | | | |
+ | | | o CAMELLIA-256-CBC |
+ | | | PKCS#12 PBE ciphers |
+ | | | PKCS #12 PBE with |
+ | | | Sha1 and 128 Bit RC4 |
+ | | | o PKCS #12 PBE |
+ | | | with Sha1 and 40 Bit RC4 |
+ | | | o PKCS #12 PBE |
+ | | | with Sha1 and Triple DES CBC |
+ | | | o PKCS #12 PBE |
+ | | | with Sha1 and 128 Bit RC2 CBC |
+ | | | o PKCS #12 PBE |
+ | | | with Sha1 and 40 Bit RC2 CBC |
+ | | | o PKCS12 V2 PBE |
+ | | | with SHA1 and 128 Bit RC4 |
+ | | | o PKCS12 V2 PBE |
+ | | | with SHA1 and 40 Bit RC4 (the |
+ | | | default for |
+ | | | non-FIPS mode) |
+ | | | o PKCS12 V2 PBE |
+ | | | with SHA1 and 3KEY Triple |
+ | | | DES-cbc |
+ | | | o PKCS12 V2 PBE |
+ | | | with SHA1 and 2KEY Triple |
+ | | | DES-cbc |
+ | | | o PKCS12 V2 PBE |
+ | | | with SHA1 and 128 Bit RC2 CBC |
+ | | | o PKCS12 V2 PBE |
+ | | | with SHA1 and 40 Bit RC2 CBC |
+ | | | PKCS#5 PBE ciphers |
+ | | | PKCS #5 Password |
+ | | | Based Encryption with MD2 and |
+ | | | DES CBC |
+ | | | o PKCS #5 |
+ | | | Password Based Encryption with |
+ | | | MD5 and DES CBC |
+ | | | o PKCS #5 |
+ | | | Password Based Encryption with |
+ | | | SHA1 and DES CBC |
+ | | | With PKCS#12, the crypto |
+ | | | provider may be the soft token |
+ | | | module or an |
+ | | | external hardware module. |
+ | | | If the cryptographic module |
+ | | | does not support the |
+ | | | requested algorithm, then |
+ | | | the next best fit will be |
+ | | | selected (usually the |
+ | | | default). If no suitable |
+ | | | replacement for the desired |
+ | | | algorithm can be |
+ | | | found, the tool returns the |
+ | | | error no security module can |
+ | | | perform the |
+ | | | requested operation. |
+ | | | NSS Database Types |
+ | | | NSS originally used |
+ | | | BerkeleyDB databases to store |
+ | | | security information. |
+ | | | The last versions of these |
+ | | | legacy databases are: |
+ | | | o cert8.db for |
+ | | | certificates |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
+ | | | module information |
+ | | | BerkeleyDB has performance |
+ | | | limitations, though, which |
+ | | | prevent it from |
+ | | | being easily used by |
+ | | | multiple applications |
+ | | | simultaneously. NSS has some |
+ | | | flexibility that allows |
+ | | | applications to use their own, |
+ | | | independent |
+ | | | database engine while |
+ | | | keeping a shared database and |
+ | | | working around the |
+ | | | access issues. Still, NSS |
+ | | | requires more flexibility to |
+ | | | provide a truly |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
+ | | | new set of databases that are |
+ | | | SQLite databases |
+ | | | rather than BerkleyDB. |
+ | | | These new databases provide |
+ | | | more accessibility and |
+ | | | performance: |
+ | | | o cert9.db for |
+ | | | certificates |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
+ | | | listing of all of the PKCS #11 |
+ | | | modules contained |
+ | | | in a new subdirectory |
+ | | | in the security databases |
+ | | | directory |
+ | | | Because the SQLite |
+ | | | databases are designed to be |
+ | | | shared, these are the |
+ | | | shared database type. The |
+ | | | shared database type is |
+ | | | preferred; the legacy |
+ | | | format is included for |
+ | | | backward compatibility. |
+ | | | By default, the tools |
+ | | | (certutil, pk12util, modutil) |
+ | | | assume that the given |
+ | | | security databases follow |
+ | | | the more common legacy type. |
+ | | | Using the SQLite |
+ | | | databases must be manually |
+ | | | specified by using the sql: |
+ | | | prefix with the |
+ | | | given security directory. |
+ | | | For example: |
+ | | | # pk12util -i |
+ | | | /tmp/cert-files/users.p12 -d |
+ | | | sql:/home/my/sharednssdb |
+ | | | To set the shared database |
+ | | | type as the default type for |
+ | | | the tools, set the |
+ | | | NSS_DEFAULT_DB_TYPE |
+ | | | environment variable to sql: |
+ | | | export |
+ | | | NSS_DEFAULT_DB_TYPE="sql" |
+ | | | This line can be set added |
+ | | | to the ~/.bashrc file to make |
+ | | | the change |
+ | | | permanent. |
+ | | | Most applications do not |
+ | | | use the shared database by |
+ | | | default, but they can |
+ | | | be configured to use them. |
+ | | | For example, this how-to |
+ | | | article covers how to |
+ | | | configure Firefox and |
+ | | | Thunderbird to use the new |
+ | | | shared NSS databases: |
+ | | | |
+ | | | o https://wiki.m |
+ | | | ozilla.org/NSS_Shared_DB_Howto |
+ | | | For an engineering draft on |
+ | | | the changes in the shared NSS |
+ | | | databases, see |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
+ | | | wiki.mozilla.org/NSS_Shared_DB |
+ | | | See Also |
+ | | | certutil (1) |
+ | | | modutil (1) |
+ | | | The NSS wiki has |
+ | | | information on the new |
+ | | | database design and how to |
+ | | | configure applications to |
+ | | | use it. |
+ | | | |
+ | | | o https://wiki.m |
+ | | | ozilla.org/NSS_Shared_DB_Howto |
+ | | | |
+ | | | o https:// |
+ | | | wiki.mozilla.org/NSS_Shared_DB |
+ | | | Additional Resources |
+ | | | For information about NSS |
+ | | | and other tools related to NSS |
+ | | | (like JSS), check |
+ | | | out the NSS project wiki at |
+ | | | |
+ | | | [1]\ `http://www.mozil |
+ | | | la.org/projects/security/pki/n |
+ | | | ss/ <https://www.mozilla.org/p |
+ | | | rojects/security/pki/nss/>`__. |
+ | | | The NSS site relates |
+ | | | directly to NSS code |
+ | | | changes and releases. |
+ | | | Mailing lists: |
+ | | | https://lists.mozill |
+ | | | a.org/listinfo/dev-tech-crypto |
+ | | | IRC: Freenode at |
+ | | | #dogtag-pki |
+ | | | Authors |
+ | | | The NSS tools were written |
+ | | | and maintained by developers |
+ | | | with Netscape, Red |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
+ | | | <emaldona@redhat.com>, Deon |
+ | | | Lackey |
+ | | | <dlackey@redhat.com>. |
+ | | | Copyright |
+ | | | (c) 2010, Red Hat, Inc. |
+ | | | Licensed under the GNU Public |
+ | | | License version 2. |
+ | | | References |
+ | | | Visible links |
+ | | | 1. |
+ | | | `http://www.mozi |
+ | | | lla.org/projects/security/pki/ |
+ | | | nss/ <https://www.mozilla.org/ |
+ | | | projects/security/pki/nss/>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 355 | :ref:`mozill | |
+ | | a_projects_nss_tools_signtool` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ | | | signtool — Digitally sign |
+ | | | objects and files. |
+ | | | Synopsis |
+ | | | signtool [-k keyName] |
+ | | | `-h <-h>`__ `-H <-H>`__ |
+ | | | `-l <-l>`__ `-L <-L>`__ |
+ | | | `-M <-M>`__ `-v <-v>`__ |
+ | | | `-w <-w>`__ |
+ | | | `-G |
+ | | | nickname <-G_nickname>`__ `-s |
+ | | | size <--keysize>`__ `-b |
+ | | | basename <-b_basename>`__ [[-c |
+ | | | Compression |
+ | | | Level] ] [[-d cert-dir] ] |
+ | | | [[-i installer script] ] [[-m |
+ | | | metafile] ] [[-x |
+ | | | name] ] [[-f filename] ] |
+ | | | [[-t|--token tokenname] ] [[-e |
+ | | | extension] ] [[-o] |
+ | | | ] [[-z] ] [[-X] ] |
+ | | | [[--outfile] ] [[--verbose |
+ | | | value] ] [[--norecurse] ] |
+ | | | [[--leavearc] ] [[-j |
+ | | | directory] ] [[-Z jarfile] ] |
+ | | | [[-O] ] [[-p password] ] |
+ | | | [directory-tree] [archive] |
+ | | | Description |
+ | | | The Signing Tool, signtool, |
+ | | | creates digital signatures and |
+ | | | uses a Java |
+ | | | Archive (JAR) file to |
+ | | | associate the signatures with |
+ | | | files in a directory. |
+ | | | Electronic software |
+ | | | distribution over any network |
+ | | | involves potential |
+ | | | security problems. To help |
+ | | | address some of these |
+ | | | problems, you can |
+ | | | associate digital |
+ | | | signatures with the files in a |
+ | | | JAR archive. Digital |
+ | | | signatures allow |
+ | | | SSL-enabled clients to perform |
+ | | | two important operations: |
+ | | | \* Confirm the identity of |
+ | | | the individual, company, or |
+ | | | other entity whose |
+ | | | digital signature is |
+ | | | associated with the files |
+ | | | \* Check whether the files |
+ | | | have been tampered with since |
+ | | | being signed |
+ | | | If you have a signing |
+ | | | certificate, you can use |
+ | | | Netscape Signing Tool to |
+ | | | digitally sign files and |
+ | | | package them as a JAR file. An |
+ | | | object-signing |
+ | | | certificate is a special |
+ | | | kind of certificate that |
+ | | | allows you to associate |
+ | | | your digital signature with |
+ | | | one or more files. |
+ | | | An individual file can |
+ | | | potentially be signed with |
+ | | | multiple digital |
+ | | | signatures. For example, a |
+ | | | commercial software developer |
+ | | | might sign the |
+ | | | files that constitute a |
+ | | | software product to prove that |
+ | | | the files are |
+ | | | indeed from a particular |
+ | | | company. A network |
+ | | | administrator manager might |
+ | | | sign the same files with an |
+ | | | additional digital signature |
+ | | | based on a |
+ | | | company-generated |
+ | | | certificate to indicate that |
+ | | | the product is approved for |
+ | | | use within the company. |
+ | | | The significance of a |
+ | | | digital signature is |
+ | | | comparable to the significance |
+ | | | of a handwritten signature. |
+ | | | Once you have signed a file, |
+ | | | it is difficult |
+ | | | to claim later that you |
+ | | | didn't sign it. In some |
+ | | | situations, a digital |
+ | | | signature may be considered |
+ | | | as legally binding as a |
+ | | | handwritten signature. |
+ | | | Therefore, you should take |
+ | | | great care to ensure that you |
+ | | | can stand behind |
+ | | | any file you sign and |
+ | | | distribute. |
+ | | | For example, if you are a |
+ | | | software developer, you should |
+ | | | test your code to |
+ | | | make sure it is virus-free |
+ | | | before signing it. Similarly, |
+ | | | if you are a |
+ | | | network administrator, you |
+ | | | should make sure, before |
+ | | | signing any code, that |
+ | | | it comes from a reliable |
+ | | | source and will run correctly |
+ | | | with the software |
+ | | | installed on the machines |
+ | | | to which you are distributing |
+ | | | it. |
+ | | | Before you can use Netscape |
+ | | | Signing Tool to sign files, |
+ | | | you must have an |
+ | | | object-signing certificate, |
+ | | | which is a special certificate |
+ | | | whose |
+ | | | associated private key is |
+ | | | used to create digital |
+ | | | signatures. For testing |
+ | | | purposes only, you can |
+ | | | create an object-signing |
+ | | | certificate with Netscape |
+ | | | Signing Tool 1.3. When |
+ | | | testing is finished and you |
+ | | | are ready to |
+ | | | disitribute your software, |
+ | | | you should obtain an |
+ | | | object-signing certificate |
+ | | | from one of two kinds of |
+ | | | sources: |
+ | | | \* An independent |
+ | | | certificate authority (CA) |
+ | | | that authenticates your |
+ | | | identity and charges you a |
+ | | | fee. You typically get a |
+ | | | certificate from an |
+ | | | independent CA if you want |
+ | | | to sign software that will be |
+ | | | distributed over |
+ | | | the Internet. |
+ | | | \* CA server software |
+ | | | running on your corporate |
+ | | | intranet or extranet. |
+ | | | Netscape Certificate |
+ | | | Management System provides a |
+ | | | complete management |
+ | | | solution for creating, |
+ | | | deploying, and managing |
+ | | | certificates, including CAs |
+ | | | that issue object-signing |
+ | | | certificates. |
+ | | | You must also have a |
+ | | | certificate for the CA that |
+ | | | issues your signing |
+ | | | certificate before you can |
+ | | | sign files. If the certificate |
+ | | | authority's |
+ | | | certificate isn't already |
+ | | | installed in your copy of |
+ | | | Communicator, you |
+ | | | typically install it by |
+ | | | clicking the appropriate link |
+ | | | on the certificate |
+ | | | authority's web site, for |
+ | | | example on the page from which |
+ | | | you initiated |
+ | | | enrollment for your signing |
+ | | | certificate. This is the case |
+ | | | for some test |
+ | | | certificates, as well as |
+ | | | certificates issued by |
+ | | | Netscape Certificate |
+ | | | Management System: you must |
+ | | | download the CA certificate in |
+ | | | addition to |
+ | | | obtaining your own signing |
+ | | | certificate. CA certificates |
+ | | | for several |
+ | | | certificate authorities are |
+ | | | preinstalled in the |
+ | | | Communicator certificate |
+ | | | database. |
+ | | | When you receive an |
+ | | | object-signing certificate for |
+ | | | your own use, it is |
+ | | | automatically installed in |
+ | | | your copy of the Communicator |
+ | | | client software. |
+ | | | Communicator supports the |
+ | | | public-key cryptography |
+ | | | standard known as PKCS |
+ | | | #12, which governs key |
+ | | | portability. You can, for |
+ | | | example, move an |
+ | | | object-signing certificate |
+ | | | and its associated private key |
+ | | | from one |
+ | | | computer to another on a |
+ | | | credit-card-sized device |
+ | | | called a smart card. |
+ | | | Options |
+ | | | -b basename |
+ | | | Specifies the base |
+ | | | filename for the .rsa and .sf |
+ | | | files in the |
+ | | | META-INF directory |
+ | | | to conform with the JAR |
+ | | | format. For example, -b |
+ | | | signatures causes |
+ | | | the files to be named |
+ | | | signatures.rsa and |
+ | | | signatures.sf. The |
+ | | | default is signtool. |
+ | | | -c# |
+ | | | Specifies the |
+ | | | compression level for the -J |
+ | | | or -Z option. The |
+ | | | symbol # represents |
+ | | | a number from 0 to 9, where 0 |
+ | | | means no |
+ | | | compression and 9 |
+ | | | means maximum compression. The |
+ | | | higher the level |
+ | | | of compression, the |
+ | | | smaller the output but the |
+ | | | longer the |
+ | | | operation takes. If |
+ | | | the -c# option is not used |
+ | | | with either the -J |
+ | | | or the -Z option, |
+ | | | the default compression value |
+ | | | used by both the |
+ | | | -J and -Z options |
+ | | | is 6. |
+ | | | -d certdir |
+ | | | Specifies your |
+ | | | certificate database |
+ | | | directory; that is, the |
+ | | | directory in which |
+ | | | you placed your key3.db and |
+ | | | cert7.db files. To |
+ | | | specify the current |
+ | | | directory, use "-d." |
+ | | | (including the period). |
+ | | | The Unix version of |
+ | | | signtool assumes ~/.netscape |
+ | | | unless told |
+ | | | otherwise. The NT |
+ | | | version of signtool always |
+ | | | requires the use of |
+ | | | the -d option to |
+ | | | specify where the database |
+ | | | files are located. |
+ | | | -e extension |
+ | | | Tells signtool to |
+ | | | sign only files with the given |
+ | | | extension; for |
+ | | | example, use |
+ | | | -e".class" to sign only Java |
+ | | | class files. Note that |
+ | | | with Netscape |
+ | | | Signing Tool version 1.1 and |
+ | | | later this option can |
+ | | | appear multiple |
+ | | | times on one command line, |
+ | | | making it possible to |
+ | | | specify multiple |
+ | | | file types or classes to |
+ | | | include. |
+ | | | -f commandfile |
+ | | | Specifies a text |
+ | | | file containing Netscape |
+ | | | Signing Tool options and |
+ | | | arguments in |
+ | | | keyword=value format. All |
+ | | | options and arguments can |
+ | | | be expressed |
+ | | | through this file. For more |
+ | | | information about the |
+ | | | syntax used with |
+ | | | this file, see "Tips and |
+ | | | Techniques". |
+ | | | -i scriptname |
+ | | | Specifies the name |
+ | | | of an installer script for |
+ | | | SmartUpdate. This |
+ | | | script installs |
+ | | | files from the JAR archive in |
+ | | | the local system |
+ | | | after SmartUpdate |
+ | | | has validated the digital |
+ | | | signature. For more |
+ | | | details, see the |
+ | | | description of -m that |
+ | | | follows. The -i option |
+ | | | provides a |
+ | | | straightforward way to provide |
+ | | | this information if you |
+ | | | don't need to |
+ | | | specify any metadata other |
+ | | | than an installer script. |
+ | | | -j directory |
+ | | | Specifies a special |
+ | | | JavaScript directory. This |
+ | | | option causes the |
+ | | | specified directory |
+ | | | to be signed and tags its |
+ | | | entries as inline |
+ | | | JavaScript. This |
+ | | | special type of entry does not |
+ | | | have to appear in |
+ | | | the JAR file |
+ | | | itself. Instead, it is located |
+ | | | in the HTML page |
+ | | | containing the |
+ | | | inline scripts. When you use |
+ | | | signtool -v, these |
+ | | | entries are |
+ | | | displayed with the string NOT |
+ | | | PRESENT. |
+ | | | -k key ... directory |
+ | | | Specifies the |
+ | | | nickname (key) of the |
+ | | | certificate you want to sign |
+ | | | with and signs the |
+ | | | files in the specified |
+ | | | directory. The directory |
+ | | | to sign is always |
+ | | | specified as the last |
+ | | | command-line argument. |
+ | | | Thus, it is |
+ | | | possible to write signtool -k |
+ | | | MyCert -d . signdir You |
+ | | | may have trouble if |
+ | | | the nickname contains a single |
+ | | | quotation mark. |
+ | | | To avoid problems, |
+ | | | escape the quotation mark |
+ | | | using the escape |
+ | | | conventions for |
+ | | | your platform. It's also |
+ | | | possible to use the -k |
+ | | | option without |
+ | | | signing any files or |
+ | | | specifying a directory. For |
+ | | | example, you can |
+ | | | use it with the -l option to |
+ | | | get detailed |
+ | | | information about a |
+ | | | particular signing |
+ | | | certificate. |
+ | | | -G nickname |
+ | | | Generates a new |
+ | | | private-public key pair and |
+ | | | corresponding |
+ | | | object-signing |
+ | | | certificate with the given |
+ | | | nickname. The newly |
+ | | | generated keys and |
+ | | | certificate are installed into |
+ | | | the key and |
+ | | | certificate |
+ | | | databases in the directory |
+ | | | specified by the -d option. |
+ | | | With the NT version |
+ | | | of Netscape Signing Tool, you |
+ | | | must use the -d |
+ | | | option with the -G |
+ | | | option. With the Unix version |
+ | | | of Netscape |
+ | | | Signing Tool, |
+ | | | omitting the -d option causes |
+ | | | the tool to install |
+ | | | the keys and |
+ | | | certificate in the |
+ | | | Communicator key and |
+ | | | certificate |
+ | | | databases. If you |
+ | | | are installing the keys and |
+ | | | certificate in the |
+ | | | Communicator |
+ | | | databases, you must exit |
+ | | | Communicator before using |
+ | | | this option; |
+ | | | otherwise, you risk corrupting |
+ | | | the databases. In all |
+ | | | cases, the |
+ | | | certificate is also output to |
+ | | | a file named x509.cacert, |
+ | | | which has the |
+ | | | MIME-type |
+ | | | application/x-x509-ca-cert. |
+ | | | Unlike |
+ | | | certificates |
+ | | | normally used to sign finished |
+ | | | code to be distributed |
+ | | | over a network, a |
+ | | | test certificate created with |
+ | | | -G is not signed |
+ | | | by a recognized |
+ | | | certificate authority. |
+ | | | Instead, it is self-signed. |
+ | | | In addition, a |
+ | | | single test signing |
+ | | | certificate functions as both |
+ | | | an object-signing |
+ | | | certificate and a CA. When you |
+ | | | are using it to |
+ | | | sign objects, it |
+ | | | behaves like an object-signing |
+ | | | certificate. When |
+ | | | it is imported into |
+ | | | browser software such as |
+ | | | Communicator, it |
+ | | | behaves like an |
+ | | | object-signing CA and cannot |
+ | | | be used to sign |
+ | | | objects. The -G |
+ | | | option is available in |
+ | | | Netscape Signing Tool 1.0 |
+ | | | and later versions |
+ | | | only. By default, it produces |
+ | | | only RSA |
+ | | | certificates with |
+ | | | 1024-byte keys in the internal |
+ | | | token. However, |
+ | | | you can use the -s |
+ | | | option specify the required |
+ | | | key size and the -t |
+ | | | option to specify |
+ | | | the token. For more |
+ | | | information about the use of |
+ | | | the -G option, see |
+ | | | "Generating Test |
+ | | | Object-Signing |
+ | | | |
+ | | | Certificates""Generating Test |
+ | | | Object-Signing Certificates" |
+ | | | on page |
+ | | | 1241. |
+ | | | -l |
+ | | | Lists signing |
+ | | | certificates, including |
+ | | | issuing CAs. If any of your |
+ | | | certificates are |
+ | | | expired or invalid, the list |
+ | | | will so specify. |
+ | | | This option can be |
+ | | | used with the -k option to |
+ | | | list detailed |
+ | | | information about a |
+ | | | particular signing |
+ | | | certificate. The -l option |
+ | | | is available in |
+ | | | Netscape Signing Tool 1.0 and |
+ | | | later versions only. |
+ | | | -J |
+ | | | Signs a directory |
+ | | | of HTML files containing |
+ | | | JavaScript and creates |
+ | | | as many archive |
+ | | | files as are specified in the |
+ | | | HTML tags. Even if |
+ | | | signtool creates |
+ | | | more than one archive file, |
+ | | | you need to supply |
+ | | | the key database |
+ | | | password only once. The -J |
+ | | | option is available |
+ | | | only in Netscape |
+ | | | Signing Tool 1.0 and later |
+ | | | versions. The -J |
+ | | | option cannot be |
+ | | | used at the same time as the |
+ | | | -Z option. If the |
+ | | | -c# option is not |
+ | | | used with the -J option, the |
+ | | | default compression |
+ | | | value is 6. Note |
+ | | | that versions 1.1 and later of |
+ | | | Netscape Signing |
+ | | | Tool correctly |
+ | | | recognizes the CODEBASE |
+ | | | attribute, allows paths to |
+ | | | be expressed for |
+ | | | the CLASS and SRC attributes |
+ | | | instead of filenames |
+ | | | only, processes |
+ | | | LINK tags and parses HTML |
+ | | | correctly, and offers |
+ | | | clearer error |
+ | | | messages. |
+ | | | -L |
+ | | | Lists the |
+ | | | certificates in your database. |
+ | | | An asterisk appears to |
+ | | | the left of the |
+ | | | nickname for any certificate |
+ | | | that can be used to |
+ | | | sign objects with |
+ | | | signtool. |
+ | | | --leavearc |
+ | | | Retains the |
+ | | | temporary .arc (archive) |
+ | | | directories that the -J |
+ | | | option creates. |
+ | | | These directories are |
+ | | | automatically erased by |
+ | | | default. Retaining |
+ | | | the temporary directories can |
+ | | | be an aid to |
+ | | | debugging. |
+ | | | -m metafile |
+ | | | Specifies the name |
+ | | | of a metadata control file. |
+ | | | Metadata is signed |
+ | | | information |
+ | | | attached either to the JAR |
+ | | | archive itself or to files |
+ | | | within the archive. |
+ | | | This metadata can be any ASCII |
+ | | | string, but is |
+ | | | used mainly for |
+ | | | specifying an installer |
+ | | | script. The metadata file |
+ | | | contains one entry |
+ | | | per line, each with three |
+ | | | fields: field #1: |
+ | | | file specification, |
+ | | | or + if you want to specify |
+ | | | global metadata |
+ | | | (that is, metadata |
+ | | | about the JAR archive itself |
+ | | | or all entries in |
+ | | | the archive) field |
+ | | | #2: the name of the data you |
+ | | | are specifying; |
+ | | | for example: |
+ | | | Install-Script field #3: data |
+ | | | corresponding to the |
+ | | | name in field #2 |
+ | | | For example, the -i option |
+ | | | uses the equivalent of |
+ | | | this line: + |
+ | | | Install-Script: script.js This |
+ | | | example associates a |
+ | | | MIME type with a |
+ | | | file: movie.qt MIME-Type: |
+ | | | video/quicktime For |
+ | | | information about |
+ | | | the way installer script |
+ | | | information appears in |
+ | | | the manifest file |
+ | | | for a JAR archive, see The JAR |
+ | | | Format on |
+ | | | Netscape DevEdge. |
+ | | | -M |
+ | | | Lists the PKCS #11 |
+ | | | modules available to signtool, |
+ | | | including smart |
+ | | | cards. The -M |
+ | | | option is available in |
+ | | | Netscape Signing Tool 1.0 and |
+ | | | later versions |
+ | | | only. For information on using |
+ | | | Netscape Signing |
+ | | | Tool with smart |
+ | | | cards, see "Using Netscape |
+ | | | Signing Tool with Smart |
+ | | | Cards". For |
+ | | | information on using the -M |
+ | | | option to verify |
+ | | | FIPS-140-1 |
+ | | | validated mode, see "Netscape |
+ | | | Signing Tool and |
+ | | | FIPS-140-1". |
+ | | | --norecurse |
+ | | | Blocks recursion |
+ | | | into subdirectories when |
+ | | | signing a directory's |
+ | | | contents or when |
+ | | | parsing HTML. |
+ | | | -o |
+ | | | Optimizes the |
+ | | | archive for size. Use this |
+ | | | only if you are signing |
+ | | | very large archives |
+ | | | containing hundreds of files. |
+ | | | This option |
+ | | | makes the manifest |
+ | | | files (required by the JAR |
+ | | | format) considerably |
+ | | | smaller, but they |
+ | | | contain slightly less |
+ | | | information. |
+ | | | --outfile outputfile |
+ | | | Specifies a file to |
+ | | | receive redirected output from |
+ | | | Netscape |
+ | | | Signing Tool. |
+ | | | -p password |
+ | | | Specifies a |
+ | | | password for the private-key |
+ | | | database. Note that the |
+ | | | password entered on |
+ | | | the command line is displayed |
+ | | | as plain text. |
+ | | | -s keysize |
+ | | | Specifies the size |
+ | | | of the key for generated |
+ | | | certificate. Use the |
+ | | | -M option to find |
+ | | | out what tokens are available. |
+ | | | The -s option can |
+ | | | be used with the -G |
+ | | | option only. |
+ | | | -t token |
+ | | | Specifies which |
+ | | | available token should |
+ | | | generate the key and |
+ | | | receive the |
+ | | | certificate. Use the -M option |
+ | | | to find out what tokens |
+ | | | are available. The |
+ | | | -t option can be used with the |
+ | | | -G option only. |
+ | | | -v archive |
+ | | | Displays the |
+ | | | contents of an archive and |
+ | | | verifies the cryptographic |
+ | | | integrity of the |
+ | | | digital signatures it contains |
+ | | | and the files with |
+ | | | which they are |
+ | | | associated. This includes |
+ | | | checking that the |
+ | | | certificate for the |
+ | | | issuer of the object-signing |
+ | | | certificate is |
+ | | | listed in the |
+ | | | certificate database, that the |
+ | | | CA's digital |
+ | | | signature on the |
+ | | | object-signing certificate is |
+ | | | valid, that the |
+ | | | relevant |
+ | | | certificates have not expired, |
+ | | | and so on. |
+ | | | --verbosity value |
+ | | | Sets the quantity |
+ | | | of information Netscape |
+ | | | Signing Tool generates |
+ | | | in operation. A |
+ | | | value of 0 (zero) is the |
+ | | | default and gives full |
+ | | | information. A |
+ | | | value of -1 suppresses most |
+ | | | messages, but not error |
+ | | | messages. |
+ | | | -w archive |
+ | | | Displays the names |
+ | | | of signers of any files in the |
+ | | | archive. |
+ | | | -x directory |
+ | | | Excludes the |
+ | | | specified directory from |
+ | | | signing. Note that with |
+ | | | Netscape Signing |
+ | | | Tool version 1.1 and later |
+ | | | this option can appear |
+ | | | multiple times on |
+ | | | one command line, making it |
+ | | | possible to specify |
+ | | | several particular |
+ | | | directories to exclude. |
+ | | | -z |
+ | | | Tells signtool not |
+ | | | to store the signing time in |
+ | | | the digital |
+ | | | signature. This |
+ | | | option is useful if you want |
+ | | | the expiration date |
+ | | | of the signature |
+ | | | checked against the current |
+ | | | date and time rather |
+ | | | than the time the |
+ | | | files were signed. |
+ | | | -Z jarfile |
+ | | | Creates a JAR file |
+ | | | with the specified name. You |
+ | | | must specify this |
+ | | | option if you want |
+ | | | signtool to create the JAR |
+ | | | file; it does not do |
+ | | | so automatically. |
+ | | | If you don't specify -Z, you |
+ | | | must use an |
+ | | | external ZIP tool |
+ | | | to create the JAR file. The -Z |
+ | | | option cannot be |
+ | | | used at the same |
+ | | | time as the -J option. If the |
+ | | | -c# option is not |
+ | | | used with the -Z |
+ | | | option, the default |
+ | | | compression value is 6. |
+ | | | The Command File Format |
+ | | | Entries in a Netscape |
+ | | | Signing Tool command file have |
+ | | | this general format: |
+ | | | keyword=value Everything |
+ | | | before the = sign on a single |
+ | | | line is a keyword, |
+ | | | and everything from the = |
+ | | | sign to the end of line is a |
+ | | | value. The value |
+ | | | may include = signs; only |
+ | | | the first = sign on a line is |
+ | | | interpreted. Blank |
+ | | | lines are ignored, but |
+ | | | white space on a line with |
+ | | | keywords and values is |
+ | | | assumed to be part of the |
+ | | | keyword (if it comes before |
+ | | | the equal sign) or |
+ | | | part of the value (if it |
+ | | | comes after the first equal |
+ | | | sign). Keywords are |
+ | | | case insensitive, values |
+ | | | are generally case sensitive. |
+ | | | Since the = sign |
+ | | | and newline delimit the |
+ | | | value, it should not be |
+ | | | quoted. |
+ | | | Subsection |
+ | | | basename |
+ | | | Same as -b option. |
+ | | | compression |
+ | | | Same as -c option. |
+ | | | certdir |
+ | | | Same as -d option. |
+ | | | extension |
+ | | | Same as -e option. |
+ | | | generate |
+ | | | Same as -G option. |
+ | | | installscript |
+ | | | Same as -i option. |
+ | | | javascriptdir |
+ | | | Same as -j option. |
+ | | | htmldir |
+ | | | Same as -J option. |
+ | | | certname |
+ | | | Nickname of |
+ | | | certificate, as with -k and -l |
+ | | | -k options. |
+ | | | signdir |
+ | | | The directory to be |
+ | | | signed, as with -k option. |
+ | | | list |
+ | | | Same as -l option. |
+ | | | Value is ignored, but = sign |
+ | | | must be present. |
+ | | | listall |
+ | | | Same as -L option. |
+ | | | Value is ignored, but = sign |
+ | | | must be present. |
+ | | | metafile |
+ | | | Same as -m option. |
+ | | | modules |
+ | | | Same as -M option. |
+ | | | Value is ignored, but = sign |
+ | | | must be present. |
+ | | | optimize |
+ | | | Same as -o option. |
+ | | | Value is ignored, but = sign |
+ | | | must be present. |
+ | | | password |
+ | | | Same as -p option. |
+ | | | keysize |
+ | | | Same as -s option. |
+ | | | token |
+ | | | Same as -t option. |
+ | | | verify |
+ | | | Same as -v option. |
+ | | | who |
+ | | | Same as -w option. |
+ | | | exclude |
+ | | | Same as -x option. |
+ | | | notime |
+ | | | Same as -z option. |
+ | | | value is ignored, but = sign |
+ | | | must be present. |
+ | | | jarfile |
+ | | | Same as -Z option. |
+ | | | outfile |
+ | | | Name of a file to |
+ | | | which output and error |
+ | | | messages will be |
+ | | | redirected. This |
+ | | | option has no command-line |
+ | | | equivalent. |
+ | | | Extended Examples |
+ | | | The following example will |
+ | | | do this and that |
+ | | | Listing Available Signing |
+ | | | Certificates |
+ | | | You use the -L option to |
+ | | | list the nicknames for all |
+ | | | available certificates |
+ | | | and check which ones are |
+ | | | signing certificates. |
+ | | | signtool -L |
+ | | | using certificate directory: |
+ | | | /u/jsmith/.netscape |
+ | | | S Certificates |
+ | | | - ------------ |
+ | | | BBN Certificate Services CA |
+ | | | Root 1 |
+ | | | IBM World Registry CA |
+ | | | VeriSign Class 1 CA - |
+ | | | Individual Subscriber - |
+ | | | VeriSign, Inc. |
+ | | | GTE CyberTrust Root CA |
+ | | | Uptime Group Plc. Class 4 |
+ | | | CA |
+ | | | \* Verisign Object Signing |
+ | | | Cert |
+ | | | Integrion CA |
+ | | | GTE CyberTrust Secure |
+ | | | Server CA |
+ | | | AT&T Directory Services |
+ | | | \* test object signing cert |
+ | | | Uptime Group Plc. Class 1 |
+ | | | CA |
+ | | | VeriSign Class 1 Primary CA |
+ | | | - ------------ |
+ | | | Certificates that can be used |
+ | | | to sign objects have \*'s to |
+ | | | their left. |
+ | | | Two signing certificates |
+ | | | are displayed: Verisign Object |
+ | | | Signing Cert and |
+ | | | test object signing cert. |
+ | | | You use the -l option to |
+ | | | get a list of signing |
+ | | | certificates only, |
+ | | | including the signing CA |
+ | | | for each. |
+ | | | signtool -l |
+ | | | using certificate directory: |
+ | | | /u/jsmith/.netscape |
+ | | | Object signing certificates |
+ | | | --------- |
+ | | | ------------------------------ |
+ | | | Verisign Object Signing Cert |
+ | | | Issued by: VeriSign, Inc. |
+ | | | - Verisign, Inc. |
+ | | | Expires: Tue May 19, 1998 |
+ | | | test object signing cert |
+ | | | Issued by: test object |
+ | | | signing cert (Signtool 1.0 |
+ | | | Testing |
+ | | | Certificate (960187691)) |
+ | | | Expires: Sun May 17, 1998 |
+ | | | --------- |
+ | | | ------------------------------ |
+ | | | For a list including CAs, |
+ | | | use the -L option. |
+ | | | Signing a File |
+ | | | 1. Create an empty |
+ | | | directory. |
+ | | | mkdir signdir |
+ | | | 2. Put some file into it. |
+ | | | echo boo > signdir/test.f |
+ | | | 3. Specify the name of your |
+ | | | object-signing certificate and |
+ | | | sign the |
+ | | | directory. |
+ | | | signtool -k MySignCert -Z |
+ | | | testjar.jar signdir |
+ | | | using key "MySignCert" |
+ | | | using certificate directory: |
+ | | | /u/jsmith/.netscape |
+ | | | Generating |
+ | | | signdir/META-INF/manifest.mf |
+ | | | file.. |
+ | | | --> test.f |
+ | | | adding signdir/test.f to |
+ | | | testjar.jar |
+ | | | Generating signtool.sf file.. |
+ | | | Enter Password or Pin for |
+ | | | "Communicator Certificate DB": |
+ | | | adding |
+ | | | signdir/META-INF/manifest.mf |
+ | | | to testjar.jar |
+ | | | adding |
+ | | | signdir/META-INF/signtool.sf |
+ | | | to testjar.jar |
+ | | | adding |
+ | | | signdir/META-INF/signtool.rsa |
+ | | | to testjar.jar |
+ | | | tree "signdir" signed |
+ | | | successfully |
+ | | | 4. Test the archive you |
+ | | | just created. |
+ | | | signtool -v testjar.jar |
+ | | | using certificate directory: |
+ | | | /u/jsmith/.netscape |
+ | | | archive "testjar.jar" has |
+ | | | passed crypto verification. |
+ | | | status path |
+ | | | ------------ |
+ | | | ------------------- |
+ | | | verified test.f |
+ | | | Using Netscape Signing Tool |
+ | | | with a ZIP Utility |
+ | | | To use Netscape Signing |
+ | | | Tool with a ZIP utility, you |
+ | | | must have the utility |
+ | | | in your path environment |
+ | | | variable. You should use the |
+ | | | zip.exe utility |
+ | | | rather than pkzip.exe, |
+ | | | which cannot handle long |
+ | | | filenames. You can use a |
+ | | | ZIP utility instead of the |
+ | | | -Z option to package a signed |
+ | | | archive into a |
+ | | | JAR file after you have |
+ | | | signed it: |
+ | | | cd signdir |
+ | | | zip -r ../myjar.jar \* |
+ | | | adding: META-INF/ (stored |
+ | | | 0%) |
+ | | | adding: |
+ | | | META-INF/manifest.mf (deflated |
+ | | | 15%) |
+ | | | adding: |
+ | | | META-INF/signtool.sf (deflated |
+ | | | 28%) |
+ | | | adding: |
+ | | | META-INF/signtool.rsa (stored |
+ | | | 0%) |
+ | | | adding: text.txt (stored |
+ | | | 0%) |
+ | | | Generating the Keys and |
+ | | | Certificate |
+ | | | The signtool option -G |
+ | | | generates a new public-private |
+ | | | key pair and |
+ | | | certificate. It takes the |
+ | | | nickname of the new |
+ | | | certificate as an argument. |
+ | | | The newly generated keys |
+ | | | and certificate are installed |
+ | | | into the key and |
+ | | | certificate databases in |
+ | | | the directory specified by the |
+ | | | -d option. With |
+ | | | the NT version of Netscape |
+ | | | Signing Tool, you must use the |
+ | | | -d option with |
+ | | | the -G option. With the |
+ | | | Unix version of Netscape |
+ | | | Signing Tool, omitting |
+ | | | the -d option causes the |
+ | | | tool to install the keys and |
+ | | | certificate in the |
+ | | | Communicator key and |
+ | | | certificate databases. In all |
+ | | | cases, the certificate |
+ | | | is also output to a file |
+ | | | named x509.cacert, which has |
+ | | | the MIME-type |
+ | | | application/x-x509-ca-cert. |
+ | | | Certificates contain |
+ | | | standard information about the |
+ | | | entity they identify, |
+ | | | such as the common name and |
+ | | | organization name. Netscape |
+ | | | Signing Tool |
+ | | | prompts you for this |
+ | | | information when you run the |
+ | | | command with the -G |
+ | | | option. However, all of the |
+ | | | requested fields are optional |
+ | | | for test |
+ | | | certificates. If you do not |
+ | | | enter a common name, the tool |
+ | | | provides a |
+ | | | default name. In the |
+ | | | following example, the user |
+ | | | input is in boldface: |
+ | | | signtool -G MyTestCert |
+ | | | using certificate directory: |
+ | | | /u/someuser/.netscape |
+ | | | Enter certificate |
+ | | | information. All fields are |
+ | | | optional. Acceptable |
+ | | | characters are numbers, |
+ | | | letters, spaces, and |
+ | | | apostrophes. |
+ | | | certificate common name: Test |
+ | | | Object Signing Certificate |
+ | | | organization: Netscape |
+ | | | Communications Corp. |
+ | | | organization unit: Server |
+ | | | Products Division |
+ | | | state or province: California |
+ | | | country (must be exactly 2 |
+ | | | characters): US |
+ | | | username: someuser |
+ | | | email address: |
+ | | | someuser@netscape.com |
+ | | | Enter Password or Pin for |
+ | | | "Communicator Certificate DB": |
+ | | | [Password will not echo] |
+ | | | generated public/private key |
+ | | | pair |
+ | | | certificate request generated |
+ | | | certificate has been signed |
+ | | | certificate "MyTestCert" |
+ | | | added to database |
+ | | | Exported certificate to |
+ | | | x509.raw and x509.cacert. |
+ | | | The certificate information |
+ | | | is read from standard input. |
+ | | | Therefore, the |
+ | | | information can be read |
+ | | | from a file using the |
+ | | | redirection operator (<) in |
+ | | | some operating systems. To |
+ | | | create a file for this |
+ | | | purpose, enter each of |
+ | | | the seven input fields, in |
+ | | | order, on a separate line. |
+ | | | Make sure there is a |
+ | | | newline character at the |
+ | | | end of the last line. Then run |
+ | | | signtool with |
+ | | | standard input redirected |
+ | | | from your file as follows: |
+ | | | signtool -G MyTestCert |
+ | | | inputfile |
+ | | | The prompts show up on the |
+ | | | screen, but the responses will |
+ | | | be automatically |
+ | | | read from the file. The |
+ | | | password will still be read |
+ | | | from the console |
+ | | | unless you use the -p |
+ | | | option to give the password on |
+ | | | the command line. |
+ | | | Using the -M Option to List |
+ | | | Smart Cards |
+ | | | You can use the -M option |
+ | | | to list the PKCS #11 modules, |
+ | | | including smart |
+ | | | cards, that are available |
+ | | | to signtool: |
+ | | | signtool -d |
+ | | | "c:\netscape\users\jsmith" -M |
+ | | | using certificate directory: |
+ | | | c:\netscape\users\username |
+ | | | Listing of PKCS11 modules |
+ | | | ----------------- |
+ | | | ------------------------------ |
+ | | | 1. Netscape Internal |
+ | | | PKCS #11 Module |
+ | | | |
+ | | | (this module is internally |
+ | | | loaded) |
+ | | | |
+ | | | slots: 2 slots attached |
+ | | | |
+ | | | status: loaded |
+ | | | slot: Communicator |
+ | | | Internal Cryptographic |
+ | | | Services Version 4.0 |
+ | | | token: Communicator |
+ | | | Generic Crypto Svcs |
+ | | | slot: Communicator |
+ | | | User Private Key and |
+ | | | Certificate Services |
+ | | | token: Communicator |
+ | | | Certificate DB |
+ | | | 2. CryptOS |
+ | | | |
+ | | | (this is an external module) |
+ | | | DLL name: core32 |
+ | | | slots: 1 slots |
+ | | | attached |
+ | | | status: loaded |
+ | | | slot: Litronic 210 |
+ | | | token: |
+ | | | |
+ | | | ----------------- |
+ | | | ------------------------------ |
+ | | | Using Netscape Signing Tool |
+ | | | and a Smart Card to Sign Files |
+ | | | The signtool command |
+ | | | normally takes an argument of |
+ | | | the -k option to |
+ | | | specify a signing |
+ | | | certificate. To sign with a |
+ | | | smart card, you supply only |
+ | | | the fully qualified name of |
+ | | | the certificate. |
+ | | | To see fully qualified |
+ | | | certificate names when you run |
+ | | | Communicator, click |
+ | | | the Security button in |
+ | | | Navigator, then click Yours |
+ | | | under Certificates in |
+ | | | the left frame. Fully |
+ | | | qualified names are of the |
+ | | | format smart |
+ | | | card:certificate, for |
+ | | | example "MyCard:My Signing |
+ | | | Cert". You use this name |
+ | | | with the -k argument as |
+ | | | follows: |
+ | | | signtool -k "MyCard:My |
+ | | | Signing Cert" directory |
+ | | | Verifying FIPS Mode |
+ | | | Use the -M option to verify |
+ | | | that you are using the |
+ | | | FIPS-140-1 module. |
+ | | | signtool -d |
+ | | | "c:\netscape\users\jsmith" -M |
+ | | | using certificate directory: |
+ | | | c:\netscape\users\jsmith |
+ | | | Listing of PKCS11 modules |
+ | | | ----------------- |
+ | | | ------------------------------ |
+ | | | 1. Netscape Internal PKCS |
+ | | | #11 Module |
+ | | | (this module is |
+ | | | internally loaded) |
+ | | | slots: 2 slots |
+ | | | attached |
+ | | | status: loaded |
+ | | | slot: Communicator |
+ | | | Internal Cryptographic |
+ | | | Services Version 4.0 |
+ | | | token: Communicator |
+ | | | Generic Crypto Svcs |
+ | | | slot: Communicator User |
+ | | | Private Key and Certificate |
+ | | | Services |
+ | | | token: Communicator |
+ | | | Certificate DB |
+ | | | ----------------- |
+ | | | ------------------------------ |
+ | | | This Unix example shows |
+ | | | that Netscape Signing Tool is |
+ | | | using a FIPS-140-1 |
+ | | | module: |
+ | | | signtool -d |
+ | | | "c:\netscape\users\jsmith" -M |
+ | | | using certificate directory: |
+ | | | c:\netscape\users\jsmith |
+ | | | Enter Password or Pin for |
+ | | | "Communicator Certificate DB": |
+ | | | [password will not echo] |
+ | | | Listing of PKCS11 modules |
+ | | | ----------------- |
+ | | | ------------------------------ |
+ | | | 1. Netscape Internal FIPS |
+ | | | PKCS #11 Module |
+ | | | (this module is internally |
+ | | | loaded) |
+ | | | slots: 1 slots attached |
+ | | | status: loaded |
+ | | | slot: Netscape Internal |
+ | | | FIPS-140-1 Cryptographic |
+ | | | Services |
+ | | | token: Communicator |
+ | | | Certificate DB |
+ | | | ----------------- |
+ | | | ------------------------------ |
+ | | | See Also |
+ | | | signver (1) |
+ | | | The NSS wiki has |
+ | | | information on the new |
+ | | | database design and how to |
+ | | | configure applications to |
+ | | | use it. |
+ | | | |
+ | | | o https://wiki.m |
+ | | | ozilla.org/NSS_Shared_DB_Howto |
+ | | | |
+ | | | o https:// |
+ | | | wiki.mozilla.org/NSS_Shared_DB |
+ | | | Additional Resources |
+ | | | For information about NSS |
+ | | | and other tools related to NSS |
+ | | | (like JSS), check |
+ | | | out the NSS project wiki at |
+ | | | |
+ | | | [1]\ `http://www.mozil |
+ | | | la.org/projects/security/pki/n |
+ | | | ss/ <https://www.mozilla.org/p |
+ | | | rojects/security/pki/nss/>`__. |
+ | | | The NSS site relates |
+ | | | directly to NSS code |
+ | | | changes and releases. |
+ | | | Mailing lists: |
+ | | | https://lists.mozill |
+ | | | a.org/listinfo/dev-tech-crypto |
+ | | | IRC: Freenode at |
+ | | | #dogtag-pki |
+ | | | Authors |
+ | | | The NSS tools were written |
+ | | | and maintained by developers |
+ | | | with Netscape, Red |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
+ | | | <emaldona@redhat.com>, Deon |
+ | | | Lackey |
+ | | | <dlackey@redhat.com>. |
+ | | | Copyright |
+ | | | (c) 2010, Red Hat, Inc. |
+ | | | Licensed under the GNU Public |
+ | | | License version 2. |
+ | | | References |
+ | | | Visible links |
+ | | | 1. |
+ | | | `http://www.mozi |
+ | | | lla.org/projects/security/pki/ |
+ | | | nss/ <https://www.mozilla.org/ |
+ | | | projects/security/pki/nss/>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
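Review bot: the redirected-input example under Generating the Keys and Certificate drops the operator the surrounding text describes; it reads `signtool -G MyTestCert inputfile` immediately after saying standard input is redirected with `<`, so it should read `signtool -G MyTestCert < inputfile`, otherwise readers will pass the file as a stray argument. Several other things in this signtool region want tidying in the same pass: the Extended Examples heading is followed by the placeholder sentence "The following example will do this and that"; the -G cross-reference is duplicated and carries a print page number ("Generating Test Object-Signing Certificates""Generating Test Object-Signing Certificates" on page 1241) that has no meaning in this index; -G says it produces "1024-byte keys" where RSA key sizes are given in bits; the -s keysize entry repeats the -t sentence "Use the -M option to find out what tokens are available", which does not apply to a key size; in the command file table the certname entry ("as with -k and -l -k options") and the signdir entry ("as with -k option") contradict the options and the Signing a File example, where -k takes the certificate nickname and the directory to sign is the positional argument (`signtool -k MySignCert -Z testjar.jar signdir`); and the "Unix example" under Verifying FIPS Mode uses the Windows path "c:\netscape\users\jsmith". On the security side, the -p password entry only notes that the value is displayed as plain text; it would help readers to point them at the interactive prompt shown in the -G transcript ("Enter Password or Pin for "Communicator Certificate DB": [Password will not echo]") as the preferred way to supply the database password, and the same remark applies to the command-file password= keyword, which is documented as "Same as -p option".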
+ | 356 | :ref:`mozil | |
+ | | la_projects_nss_tools_signver` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ | | | signver — Verify a detached |
+ | | | PKCS#7 signature for a file. |
+ | | | Synopsis |
+ | | | signtool -A \| -V -d |
+ | | | directory [-a] [-i input_file] |
+ | | | [-o output_file] [-s |
+ | | | signature_file] [-v] |
+ | | | Description |
+ | | | The Signature Verification |
+ | | | Tool, signver, is a simple |
+ | | | command-line utility |
+ | | | that unpacks a |
+ | | | base-64-encoded PKCS#7 signed |
+ | | | object and verifies the |
+ | | | digital signature using |
+ | | | standard cryptographic |
+ | | | techniques. The Signature |
+ | | | Verification Tool can also |
+ | | | display the contents of the |
+ | | | signed object. |
+ | | | Options |
+ | | | -A |
+ | | | Displays all of the |
+ | | | information in the PKCS#7 |
+ | | | signature. |
+ | | | -V |
+ | | | Verifies the |
+ | | | digital signature. |
+ | | | -d [sql:]directory |
+ | | | Specify the |
+ | | | database directory which |
+ | | | contains the certificates and |
+ | | | keys. |
+ | | | signver supports |
+ | | | two types of databases: the |
+ | | | legacy security |
+ | | | databases |
+ | | | (cert8.db, key3.db, and |
+ | | | secmod.db) and new SQLite |
+ | | | databases |
+ | | | (cert9.db, key4.db, and |
+ | | | pkcs11.txt). If the prefix |
+ | | | sql: |
+ | | | is not used, then |
+ | | | the tool assumes that the |
+ | | | given databases are in |
+ | | | the old format. |
+ | | | -a |
+ | | | Sets that the given |
+ | | | signature file is in ASCII |
+ | | | format. |
+ | | | -i input_file |
+ | | | Gives the input |
+ | | | file for the object with |
+ | | | signed data. |
+ | | | -o output_file |
+ | | | Gives the output |
+ | | | file to which to write the |
+ | | | results. |
+ | | | -s signature_file |
+ | | | Gives the input |
+ | | | file for the digital |
+ | | | signature. |
+ | | | -v |
+ | | | Enables verbose |
+ | | | output. |
+ | | | Extended Examples |
+ | | | Verifying a Signature |
+ | | | The -V option verifies that |
+ | | | the signature in a given |
+ | | | signature file is |
+ | | | valid when used to sign the |
+ | | | given object (from the input |
+ | | | file). |
+ | | | signver -V -s signature_file |
+ | | | -i signed_file -d |
+ | | | sql:/home/my/sharednssdb |
+ | | | signatureValid=yes |
+ | | | Printing Signature Data |
+ | | | The -A option prints all of |
+ | | | the information contained in a |
+ | | | signature file. |
+ | | | Using the -o option prints |
+ | | | the signature file information |
+ | | | to the given |
+ | | | output file rather than |
+ | | | stdout. |
+ | | | signver -A -s signature_file |
+ | | | -o output_file |
+ | | | NSS Database Types |
+ | | | NSS originally used |
+ | | | BerkeleyDB databases to store |
+ | | | security information. |
+ | | | The last versions of these |
+ | | | legacy databases are: |
+ | | | o cert8.db for |
+ | | | certificates |
+ | | | o key3.db for keys |
+ | | | o secmod.db for PKCS #11 |
+ | | | module information |
+ | | | BerkeleyDB has performance |
+ | | | limitations, though, which |
+ | | | prevent it from |
+ | | | being easily used by |
+ | | | multiple applications |
+ | | | simultaneously. NSS has some |
+ | | | flexibility that allows |
+ | | | applications to use their own, |
+ | | | independent |
+ | | | database engine while |
+ | | | keeping a shared database and |
+ | | | working around the |
+ | | | access issues. Still, NSS |
+ | | | requires more flexibility to |
+ | | | provide a truly |
+ | | | shared security database. |
+ | | | In 2009, NSS introduced a |
+ | | | new set of databases that are |
+ | | | SQLite databases |
+ | | | rather than BerkleyDB. |
+ | | | These new databases provide |
+ | | | more accessibility and |
+ | | | performance: |
+ | | | o cert9.db for |
+ | | | certificates |
+ | | | o key4.db for keys |
+ | | | o pkcs11.txt, which is |
+ | | | listing of all of the PKCS #11 |
+ | | | modules contained |
+ | | | in a new subdirectory |
+ | | | in the security databases |
+ | | | directory |
+ | | | Because the SQLite |
+ | | | databases are designed to be |
+ | | | shared, these are the |
+ | | | shared database type. The |
+ | | | shared database type is |
+ | | | preferred; the legacy |
+ | | | format is included for |
+ | | | backward compatibility. |
+ | | | By default, the tools |
+ | | | (certutil, pk12util, modutil) |
+ | | | assume that the given |
+ | | | security databases follow |
+ | | | the more common legacy type. |
+ | | | Using the SQLite |
+ | | | databases must be manually |
+ | | | specified by using the sql: |
+ | | | prefix with the |
+ | | | given security directory. |
+ | | | For example: |
+ | | | # signver -A -s signature -d |
+ | | | sql:/home/my/sharednssdb |
+ | | | To set the shared database |
+ | | | type as the default type for |
+ | | | the tools, set the |
+ | | | NSS_DEFAULT_DB_TYPE |
+ | | | environment variable to sql: |
+ | | | export |
+ | | | NSS_DEFAULT_DB_TYPE="sql" |
+ | | | This line can be set added |
+ | | | to the ~/.bashrc file to make |
+ | | | the change |
+ | | | permanent. |
+ | | | Most applications do not |
+ | | | use the shared database by |
+ | | | default, but they can |
+ | | | be configured to use them. |
+ | | | For example, this how-to |
+ | | | article covers how to |
+ | | | configure Firefox and |
+ | | | Thunderbird to use the new |
+ | | | shared NSS databases: |
+ | | | |
+ | | | o https://wiki.m |
+ | | | ozilla.org/NSS_Shared_DB_Howto |
+ | | | For an engineering draft on |
+ | | | the changes in the shared NSS |
+ | | | databases, see |
+ | | | the NSS project wiki: |
+ | | | |
+ | | | o https:// |
+ | | | wiki.mozilla.org/NSS_Shared_DB |
+ | | | See Also |
+ | | | signtool (1) |
+ | | | The NSS wiki has |
+ | | | information on the new |
+ | | | database design and how to |
+ | | | configure applications to |
+ | | | use it. |
+ | | | o Setting up the shared |
+ | | | NSS database |
+ | | | |
+ | | | https://wiki.m |
+ | | | ozilla.org/NSS_Shared_DB_Howto |
+ | | | o Engineering and |
+ | | | technical information about |
+ | | | the shared NSS database |
+ | | | |
+ | | | https:// |
+ | | | wiki.mozilla.org/NSS_Shared_DB |
+ | | | Additional Resources |
+ | | | For information about NSS |
+ | | | and other tools related to NSS |
+ | | | (like JSS), check |
+ | | | out the NSS project wiki at |
+ | | | |
+ | | | [1]\ `http://www.mozil |
+ | | | la.org/projects/security/pki/n |
+ | | | ss/ <https://www.mozilla.org/p |
+ | | | rojects/security/pki/nss/>`__. |
+ | | | The NSS site relates |
+ | | | directly to NSS code |
+ | | | changes and releases. |
+ | | | Mailing lists: |
+ | | | https://lists.mozill |
+ | | | a.org/listinfo/dev-tech-crypto |
+ | | | IRC: Freenode at |
+ | | | #dogtag-pki |
+ | | | Authors |
+ | | | The NSS tools were written |
+ | | | and maintained by developers |
+ | | | with Netscape, Red |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
+ | | | <emaldona@redhat.com>, Deon |
+ | | | Lackey |
+ | | | <dlackey@redhat.com>. |
+ | | | Copyright |
+ | | | (c) 2010, Red Hat, Inc. |
+ | | | Licensed under the GNU Public |
+ | | | License version 2. |
+ | | | References |
+ | | | Visible links |
+ | | | 1. |
+ | | | `http://www.mozi |
+ | | | lla.org/projects/security/pki/ |
+ | | | nss/ <https://www.mozilla.org/ |
+ | | | projects/security/pki/nss/>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 357 | :ref:`mozi | |
+ | | lla_projects_nss_tools_ssltap` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ | | | ssltap — Tap into SSL |
+ | | | connections and display the |
+ | | | data going by |
+ | | | Synopsis |
+ | | | libssltap [-vhfsxl] [-p |
+ | | | port] [hostname:port] |
+ | | | Description |
+ | | | The SSL Debugging Tool |
+ | | | ssltap is an SSL-aware |
+ | | | command-line proxy. It |
+ | | | watches TCP connections and |
+ | | | displays the data going by. If |
+ | | | a connection is |
+ | | | SSL, the data display |
+ | | | includes interpreted SSL |
+ | | | records and handshaking |
+ | | | Options |
+ | | | -v |
+ | | | Print a version |
+ | | | string for the tool. |
+ | | | -h |
+ | | | Turn on hex/ASCII |
+ | | | printing. Instead of |
+ | | | outputting raw data, the |
+ | | | command interprets |
+ | | | each record as a numbered line |
+ | | | of hex values, |
+ | | | followed by the |
+ | | | same data as ASCII characters. |
+ | | | The two parts are |
+ | | | separated by a |
+ | | | vertical bar. Nonprinting |
+ | | | characters are replaced |
+ | | | by dots. |
+ | | | -f |
+ | | | Turn on fancy |
+ | | | printing. Output is printed in |
+ | | | colored HTML. Data |
+ | | | sent from the |
+ | | | client to the server is in |
+ | | | blue; the server's reply |
+ | | | is in red. When |
+ | | | used with looping mode, the |
+ | | | different connections |
+ | | | are separated with |
+ | | | horizontal lines. You can use |
+ | | | this option to |
+ | | | upload the output |
+ | | | into a browser. |
+ | | | -s |
+ | | | Turn on SSL parsing |
+ | | | and decoding. The tool does |
+ | | | not automatically |
+ | | | detect SSL |
+ | | | sessions. If you are |
+ | | | intercepting an SSL |
+ | | | connection, |
+ | | | use this option so |
+ | | | that the tool can detect and |
+ | | | decode SSL |
+ | | | structures. |
+ | | | If the tool detects |
+ | | | a certificate chain, it saves |
+ | | | the DER-encoded |
+ | | | certificates into |
+ | | | files in the current |
+ | | | directory. The files are |
+ | | | named cert.0x, |
+ | | | where x is the sequence number |
+ | | | of the certificate. |
+ | | | If the -s option is |
+ | | | used with -h, two separate |
+ | | | parts are printed |
+ | | | for each record: |
+ | | | the plain hex/ASCII output, |
+ | | | and the parsed SSL |
+ | | | output. |
+ | | | -x |
+ | | | Turn on hex/ASCII |
+ | | | printing of undecoded data |
+ | | | inside parsed SSL |
+ | | | records. Used only |
+ | | | with the -s option. This |
+ | | | option uses the same |
+ | | | output format as |
+ | | | the -h option. |
+ | | | -l prefix |
+ | | | Turn on looping; |
+ | | | that is, continue to accept |
+ | | | connections rather |
+ | | | than stopping after |
+ | | | the first connection is |
+ | | | complete. |
+ | | | -p port |
+ | | | Change the default |
+ | | | rendezvous port (1924) to |
+ | | | another port. |
+ | | | The following are |
+ | | | well-known port numbers: |
+ | | | \* HTTP 80 |
+ | | | \* HTTPS 443 |
+ | | | \* SMTP 25 |
+ | | | \* FTP 21 |
+ | | | \* IMAP 143 |
+ | | | \* IMAPS 993 (IMAP |
+ | | | over SSL) |
+ | | | \* NNTP 119 |
+ | | | \* NNTPS 563 (NNTP |
+ | | | over SSL) |
+ | | | Usage and Examples |
+ | | | You can use the SSL |
+ | | | Debugging Tool to intercept |
+ | | | any connection |
+ | | | information. Although you |
+ | | | can run the tool at its most |
+ | | | basic by issuing |
+ | | | the ssltap command with no |
+ | | | options other than |
+ | | | hostname:port, the |
+ | | | information you get in this |
+ | | | way is not very useful. For |
+ | | | example, assume |
+ | | | your development machine is |
+ | | | called intercept. The simplest |
+ | | | way to use the |
+ | | | debugging tool is to |
+ | | | execute the following command |
+ | | | from a command shell: |
+ | | | $ ssltap www.netscape.com |
+ | | | The program waits for an |
+ | | | incoming connection on the |
+ | | | default port 1924. In |
+ | | | your browser window, enter |
+ | | | the URL http://intercept:1924. |
+ | | | The browser |
+ | | | retrieves the requested |
+ | | | page from the server at |
+ | | | www.netscape.com, but the |
+ | | | page is intercepted and |
+ | | | passed on to the browser by |
+ | | | the debugging tool on |
+ | | | intercept. On its way to |
+ | | | the browser, the data is |
+ | | | printed to the command |
+ | | | shell from which you issued |
+ | | | the command. Data sent from |
+ | | | the client to the |
+ | | | server is surrounded by the |
+ | | | following symbols: --> [ data |
+ | | | ] Data sent from |
+ | | | the server to the client is |
+ | | | surrounded by the following |
+ | | | symbols: "left |
+ | | | arrow"-- [ data ] The raw |
+ | | | data stream is sent to |
+ | | | standard output and is |
+ | | | not interpreted in any way. |
+ | | | This can result in peculiar |
+ | | | effects, such as |
+ | | | sounds, flashes, and even |
+ | | | crashes of the command shell |
+ | | | window. To output a |
+ | | | basic, printable |
+ | | | interpretation of the data, |
+ | | | use the -h option, or, if you |
+ | | | are looking at an SSL |
+ | | | connection, the -s option. You |
+ | | | will notice that the |
+ | | | page you retrieved looks |
+ | | | incomplete in the browser. |
+ | | | This is because, by |
+ | | | default, the tool closes |
+ | | | down after the first |
+ | | | connection is complete, so |
+ | | | the browser is not able to |
+ | | | load images. To make the tool |
+ | | | continue to |
+ | | | accept connections, switch |
+ | | | on looping mode with the -l |
+ | | | option. The |
+ | | | following examples show the |
+ | | | output from commonly used |
+ | | | combinations of |
+ | | | options. |
+ | | | Example 1 |
+ | | | $ ssltap.exe -sx -p 444 |
+ | | | interzone.mcom.com:443 > |
+ | | | sx.txt |
+ | | | Output |
+ | | | Connected to |
+ | | | interzone.mcom.com:443 |
+ | | | -->; [ |
+ | | | alloclen = 66 bytes |
+ | | | [ssl2] ClientHelloV2 { |
+ | | | version = {0x03, |
+ | | | 0x00} |
+ | | | |
+ | | | cipher-specs-length = 39 |
+ | | | (0x27) |
+ | | | sid-length = 0 |
+ | | | (0x00) |
+ | | | challenge-length |
+ | | | = 16 (0x10) |
+ | | | cipher-suites = { |
+ | | | (0x010080) |
+ | | | SSL2/RSA/RC4-128/MD5 |
+ | | | (0x020080) |
+ | | | SSL2/RSA/RC4-40/MD5 |
+ | | | (0x030080) |
+ | | | SSL2/RSA/RC2CBC128/MD5 |
+ | | | (0x040080) |
+ | | | SSL2/RSA/RC2CBC40/MD5 |
+ | | | (0x060040) |
+ | | | SSL2/RSA/DES64CBC/MD5 |
+ | | | (0x0700c0) |
+ | | | SSL2/RSA/3DES192EDE-CBC/MD5 |
+ | | | (0x000004) |
+ | | | SSL3/RSA/RC4-128/MD5 |
+ | | | (0x00ffe0) |
+ | | | SS |
+ | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA |
+ | | | (0x00000a) |
+ | | | SSL3/RSA/3DES192EDE-CBC/SHA |
+ | | | (0x00ffe1) |
+ | | | SSL3/RSA-FIPS/DES64CBC/SHA |
+ | | | (0x000009) |
+ | | | SSL3/RSA/DES64CBC/SHA |
+ | | | (0x000003) |
+ | | | SSL3/RSA/RC4-40/MD5 |
+ | | | (0x000006) |
+ | | | SSL3/RSA/RC2CBC40/MD5 |
+ | | | } |
+ | | | session-id = { } |
+ | | | challenge = { |
+ | | | 0xec5d 0x8edb 0x37c9 0xb5c9 |
+ | | | 0x7b70 0x8fe9 0xd1d3 |
+ | | | 0x2592 } |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 03 |
+ | | | e5 |
+ | | | |
+ | | | \|..... |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 997 (0x3e5) |
+ | | | handshake { |
+ | | | 0: 02 00 00 |
+ | | | 46 |
+ | | | |
+ | | | \|...F |
+ | | | type = 2 (server_hello) |
+ | | | length = 70 (0x000046) |
+ | | | ServerHello { |
+ | | | server_version = |
+ | | | {3, 0} |
+ | | | random = {...} |
+ | | | 0: 77 8c 6e 26 6c 0c ec |
+ | | | c0 d9 58 4f 47 d3 2d 01 45 |
+ | | | \| |
+ | | | wn&l.ì..XOG.-.E |
+ | | | 10: 5c 17 75 43 a7 4c 88 |
+ | | | c7 88 64 3c 50 41 48 4f 7f |
+ | | | \| |
+ | | | \.uC§L.Ç.d<PAHO. |
+ | | | session ID |
+ | | | = { |
+ | | | length = 32 |
+ | | | contents = |
+ | | | {..} |
+ | | | 0: 14 11 07 a8 2a 31 91 |
+ | | | 29 11 94 40 37 57 10 a7 32 |
+ | | | \| ...¨*1.)..@7W.§2 |
+ | | | 10: 56 6f 52 62 fe 3d b3 |
+ | | | 65 b1 e4 13 0f 52 a3 c8 f6 |
+ | | | \| VoRbþ=³e±...R£È. |
+ | | | } |
+ | | | cipher_suite = |
+ | | | (0x0003) SSL3/RSA/RC4-40/MD5 |
+ | | | } |
+ | | | 0: 0b 00 02 |
+ | | | c5 |
+ | | | |
+ | | | \|...Å |
+ | | | type = 11 (certificate) |
+ | | | length = 709 (0x0002c5) |
+ | | | CertificateChain |
+ | | | { |
+ | | | chainlength = 706 |
+ | | | (0x02c2) |
+ | | | Certificate { |
+ | | | size = 703 |
+ | | | (0x02bf) |
+ | | | data = { saved |
+ | | | in file 'cert.001' } |
+ | | | } |
+ | | | } |
+ | | | 0: 0c 00 00 |
+ | | | ca |
+ | | | |
+ | | | \|.... |
+ | | | type = 12 |
+ | | | (server_key_exchange) |
+ | | | length = 202 |
+ | | | (0x0000ca) |
+ | | | 0: 0e 00 00 |
+ | | | 00 |
+ | | | |
+ | | | \|.... |
+ | | | type = 14 |
+ | | | (server_hello_done) |
+ | | | length = 0 |
+ | | | (0x000000) |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 00 |
+ | | | 44 |
+ | | | |
+ | | | \|....D |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 68 (0x44) |
+ | | | handshake { |
+ | | | 0: 10 00 00 |
+ | | | 40 |
+ | | | |
+ | | | \|...@ |
+ | | | type = 16 |
+ | | | (client_key_exchange) |
+ | | | length = 64 (0x000040) |
+ | | | ClientKeyExchange { |
+ | | | message = {...} |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | 0: 14 03 00 00 |
+ | | | 01 |
+ | | | |
+ | | | \|..... |
+ | | | type = 20 |
+ | | | (change_cipher_spec) |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | 0: |
+ | | | 01 |
+ | | | |
+ | | | \|. |
+ | | | } |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 00 |
+ | | | 38 |
+ | | | |
+ | | | \|....8 |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 14 03 00 00 |
+ | | | 01 |
+ | | | |
+ | | | \|..... |
+ | | | type = 20 |
+ | | | (change_cipher_spec) |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | 0: |
+ | | | 01 |
+ | | | |
+ | | | \|. |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 16 03 00 00 |
+ | | | 38 |
+ | | | |
+ | | | \|....8 |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | < encrypted |
+ | | | > |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | 0: 17 03 00 01 |
+ | | | 1f |
+ | | | |
+ | | | \|..... |
+ | | | type = 23 |
+ | | | (application_data) |
+ | | | version = { 3,0 } |
+ | | | length = 287 (0x11f) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 17 03 00 00 |
+ | | | a0 |
+ | | | |
+ | | | \|.... |
+ | | | type = 23 |
+ | | | (application_data) |
+ | | | version = { 3,0 } |
+ | | | length = 160 (0xa0) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | <-- [ |
+ | | | SSLRecord { |
+ | | | 0: 17 03 00 00 |
+ | | | df |
+ | | | |
+ | | | \|....ß |
+ | | | type = 23 |
+ | | | (application_data) |
+ | | | version = { 3,0 } |
+ | | | length = 223 (0xdf) |
+ | | | < encrypted > |
+ | | | } |
+ | | | SSLRecord { |
+ | | | 0: 15 03 00 00 |
+ | | | 12 |
+ | | | |
+ | | | \|..... |
+ | | | type = 21 (alert) |
+ | | | version = { 3,0 } |
+ | | | length = 18 (0x12) |
+ | | | < encrypted > |
+ | | | } |
+ | | | ] |
+ | | | Server socket closed. |
+ | | | Example 2 |
+ | | | The -s option turns on SSL |
+ | | | parsing. Because the -x option |
+ | | | is not used in |
+ | | | this example, undecoded |
+ | | | values are output as raw data. |
+ | | | The output is |
+ | | | routed to a text file. |
+ | | | $ ssltap -s -p 444 |
+ | | | interzone.mcom.com:443 > s.txt |
+ | | | Output |
+ | | | Connected to |
+ | | | interzone.mcom.com:443 |
+ | | | --> [ |
+ | | | alloclen = 63 bytes |
+ | | | [ssl2] ClientHelloV2 { |
+ | | | version = {0x03, |
+ | | | 0x00} |
+ | | | |
+ | | | cipher-specs-length = 36 |
+ | | | (0x24) |
+ | | | sid-length = 0 |
+ | | | (0x00) |
+ | | | challenge-length |
+ | | | = 16 (0x10) |
+ | | | cipher-suites = { |
+ | | | (0x010080) |
+ | | | SSL2/RSA/RC4-128/MD5 |
+ | | | (0x020080) |
+ | | | SSL2/RSA/RC4-40/MD5 |
+ | | | (0x030080) |
+ | | | SSL2/RSA/RC2CBC128/MD5 |
+ | | | (0x060040) |
+ | | | SSL2/RSA/DES64CBC/MD5 |
+ | | | (0x0700c0) |
+ | | | SSL2/RSA/3DES192EDE-CBC/MD5 |
+ | | | (0x000004) |
+ | | | SSL3/RSA/RC4-128/MD5 |
+ | | | (0x00ffe0) |
+ | | | SS |
+ | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA |
+ | | | (0x00000a) |
+ | | | SSL3/RSA/3DES192EDE-CBC/SHA |
+ | | | (0x00ffe1) |
+ | | | SSL3/RSA-FIPS/DES64CBC/SHA |
+ | | | (0x000009) |
+ | | | SSL3/RSA/DES64CBC/SHA |
+ | | | (0x000003) |
+ | | | SSL3/RSA/RC4-40/MD5 |
+ | | | } |
+ | | | session-id = { |
+ | | | } |
+ | | | challenge = { |
+ | | | 0x713c 0x9338 0x30e1 0xf8d6 |
+ | | | 0xb934 0x7351 0x200c |
+ | | | 0x3fd0 } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 997 (0x3e5) |
+ | | | handshake { |
+ | | | type = 2 |
+ | | | (server_hello) |
+ | | | length = 70 |
+ | | | (0x000046) |
+ | | | ServerHello { |
+ | | | server_version = |
+ | | | {3, 0} |
+ | | | random = {...} |
+ | | | session ID = { |
+ | | | length = 32 |
+ | | | contents = |
+ | | | {..} |
+ | | | } |
+ | | | cipher_suite = |
+ | | | (0x0003) SSL3/RSA/RC4-40/MD5 |
+ | | | } |
+ | | | type = 11 |
+ | | | (certificate) |
+ | | | length = 709 |
+ | | | (0x0002c5) |
+ | | | CertificateChain |
+ | | | { |
+ | | | chainlength = |
+ | | | 706 (0x02c2) |
+ | | | Certificate { |
+ | | | size = 703 |
+ | | | (0x02bf) |
+ | | | data = { |
+ | | | saved in file 'cert.001' } |
+ | | | } |
+ | | | } |
+ | | | type = 12 |
+ | | | (server_key_exchange) |
+ | | | length = 202 |
+ | | | (0x0000ca) |
+ | | | type = 14 |
+ | | | (server_hello_done) |
+ | | | length = 0 |
+ | | | (0x000000) |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 68 (0x44) |
+ | | | handshake { |
+ | | | type = 16 |
+ | | | (client_key_exchange) |
+ | | | length = 64 |
+ | | | (0x000040) |
+ | | | ClientKeyExchange |
+ | | | { |
+ | | | message = |
+ | | | {...} |
+ | | | } |
+ | | | } |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | type = 20 |
+ | | | (change_cipher_spec) |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | } |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 20 |
+ | | | (change_cipher_spec) |
+ | | | version = { 3,0 } |
+ | | | length = 1 (0x1) |
+ | | | } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 22 (handshake) |
+ | | | version = { 3,0 } |
+ | | | length = 56 (0x38) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | --> [ |
+ | | | SSLRecord { |
+ | | | type = 23 |
+ | | | (application_data) |
+ | | | version = { 3,0 } |
+ | | | length = 287 (0x11f) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | [ |
+ | | | SSLRecord { |
+ | | | type = 23 |
+ | | | (application_data) |
+ | | | version = { 3,0 } |
+ | | | length = 160 (0xa0) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | >-- [ |
+ | | | SSLRecord { |
+ | | | type = 23 |
+ | | | (application_data) |
+ | | | version = { 3,0 } |
+ | | | length = 223 (0xdf) |
+ | | | > encrypted > |
+ | | | } |
+ | | | SSLRecord { |
+ | | | type = 21 (alert) |
+ | | | version = { 3,0 } |
+ | | | length = 18 (0x12) |
+ | | | > encrypted > |
+ | | | } |
+ | | | ] |
+ | | | Server socket closed. |
+ | | | Example 3 |
+ | | | In this example, the -h |
+ | | | option turns hex/ASCII format. |
+ | | | There is no SSL |
+ | | | parsing or decoding. The |
+ | | | output is routed to a text |
+ | | | file. |
+ | | | $ ssltap -h -p 444 |
+ | | | interzone.mcom.com:443 > h.txt |
+ | | | Output |
+ | | | Connected to |
+ | | | interzone.mcom.com:443 |
+ | | | --> [ |
+ | | | 0: 80 40 01 03 00 00 27 |
+ | | | 00 00 00 10 01 00 80 02 00 |
+ | | | \| .@....'......... |
+ | | | 10: 80 03 00 80 04 00 80 |
+ | | | 06 00 40 07 00 c0 00 00 04 |
+ | | | \| .........@...... |
+ | | | 20: 00 ff e0 00 00 0a 00 |
+ | | | ff e1 00 00 09 00 00 03 00 |
+ | | | \| ........á....... |
+ | | | 30: 00 06 9b fe 5b 56 96 |
+ | | | 49 1f 9f ca dd d5 ba b9 52 |
+ | | | \| ..þ[V.I.\xd9 ...º¹R |
+ | | | 40: 6f |
+ | | | 2d |
+ | | | |
+ | | | \|o- |
+ | | | ] |
+ | | | <-- [ |
+ | | | 0: 16 03 00 03 e5 02 00 |
+ | | | 00 46 03 00 7f e5 0d 1b 1d |
+ | | | \| ........F....... |
+ | | | 10: 68 7f 3a 79 60 d5 17 |
+ | | | 3c 1d 9c 96 b3 88 d2 69 3b |
+ | | | \| h.:y`..<..³.Òi; |
+ | | | 20: 78 e2 4b 8b a6 52 12 |
+ | | | 4b 46 e8 c2 20 14 11 89 05 |
+ | | | \| x.K.¦R.KFè. ... |
+ | | | 30: 4d 52 91 fd 93 e0 51 |
+ | | | 48 91 90 08 96 c1 b6 76 77 |
+ | | | \| MR.ý..QH.....¶vw |
+ | | | 40: 2a f4 00 08 a1 06 61 |
+ | | | a2 64 1f 2e 9b 00 03 00 0b |
+ | | | \| \*ô..¡.a¢d...... |
+ | | | 50: 00 02 c5 00 02 c2 00 |
+ | | | 02 bf 30 82 02 bb 30 82 02 |
+ | | | \| ..Å......0...0.. |
+ | | | 60: 24 a0 03 02 01 02 02 |
+ | | | 02 01 36 30 0d 06 09 2a 86 |
+ | | | \| $ .......60...*. |
+ | | | 70: 48 86 f7 0d 01 01 04 |
+ | | | 05 00 30 77 31 0b 30 09 06 |
+ | | | \| H.÷......0w1.0.. |
+ | | | 80: 03 55 04 06 13 02 55 |
+ | | | 53 31 2c 30 2a 06 03 55 04 |
+ | | | \| .U....US1,0*..U. |
+ | | | 90: 0a 13 23 4e 65 74 73 |
+ | | | 63 61 70 65 20 43 6f 6d 6d |
+ | | | \| ..#Netscape Comm |
+ | | | a0: 75 6e 69 63 61 74 69 |
+ | | | 6f 6e 73 20 43 6f 72 70 6f |
+ | | | \| unications Corpo |
+ | | | b0: 72 61 74 69 6f 6e 31 |
+ | | | 11 30 0f 06 03 55 04 0b 13 |
+ | | | \| ration1.0...U... |
+ | | | c0: 08 48 61 72 64 63 6f |
+ | | | 72 65 31 27 30 25 06 03 55 |
+ | | | \| .Hardcore1'0%..U |
+ | | | d0: 04 03 13 1e 48 61 72 |
+ | | | 64 63 6f 72 65 20 43 65 72 |
+ | | | \| ....Hardcore Cer |
+ | | | e0: 74 69 66 69 63 61 74 |
+ | | | 65 20 53 65 72 76 65 72 20 |
+ | | | \| tificate Server |
+ | | | f0: 49 49 30 1e 17 0d 39 |
+ | | | 38 30 35 31 36 30 31 30 33 |
+ | | | \| II0...9805160103 |
+ | | | <additional data lines> |
+ | | | ] |
+ | | | <additional records in same |
+ | | | format> |
+ | | | Server socket closed. |
+ | | | Example 4 |
+ | | | In this example, the -s |
+ | | | option turns on SSL parsing, |
+ | | | and the -h option |
+ | | | turns on hex/ASCII format. |
+ | | | Both formats are shown for |
+ | | | each record. The |
+ | | | output is routed to a text |
+ | | | file. |
+ | | | $ ssltap -hs -p 444 |
+ | | | interzone.mcom.com:443 > |
+ | | | hs.txt |
+ | | | Output |
+ | | | Connected to |
+ | | | interzone.mcom.com:443 |
+ | | | --> [ |
+ | | | 0: 80 3d 01 03 00 00 24 |
+ | | | 00 00 00 10 01 00 80 02 00 |
+ | | | \| .=....$......... |
+ | | | 10: 80 03 00 80 04 00 80 |
+ | | | 06 00 40 07 00 c0 00 00 04 |
+ | | | \| .........@...... |
+ | | | 20: 00 ff e0 00 00 0a 00 |
+ | | | ff e1 00 00 09 00 00 03 03 |
+ | | | \| ........á....... |
+ | | | 30: 55 e6 e4 99 79 c7 d7 |
+ | | | 2c 86 78 96 5d b5 cf e9 |
+ | | | \|U..yÇ\xb0 ,.x.]µÏé |
+ | | | alloclen = 63 bytes |
+ | | | [ssl2] ClientHelloV2 { |
+ | | | version = {0x03, |
+ | | | 0x00} |
+ | | | |
+ | | | cipher-specs-length = 36 |
+ | | | (0x24) |
+ | | | sid-length = 0 |
+ | | | (0x00) |
+ | | | challenge-length |
+ | | | = 16 (0x10) |
+ | | | cipher-suites = { |
+ | | | (0x010080) |
+ | | | SSL2/RSA/RC4-128/MD5 |
+ | | | (0x020080) |
+ | | | SSL2/RSA/RC4-40/MD5 |
+ | | | (0x030080) |
+ | | | SSL2/RSA/RC2CBC128/MD5 |
+ | | | (0x040080) |
+ | | | SSL2/RSA/RC2CBC40/MD5 |
+ | | | (0x060040) |
+ | | | SSL2/RSA/DES64CBC/MD5 |
+ | | | (0x0700c0) |
+ | | | SSL2/RSA/3DES192EDE-CBC/MD5 |
+ | | | (0x000004) |
+ | | | SSL3/RSA/RC4-128/MD5 |
+ | | | (0x00ffe0) |
+ | | | SS |
+ | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA |
+ | | | (0x00000a) |
+ | | | SSL3/RSA/3DES192EDE-CBC/SHA |
+ | | | (0x00ffe1) |
+ | | | SSL3/RSA-FIPS/DES64CBC/SHA |
+ | | | (0x000009) |
+ | | | SSL3/RSA/DES64CBC/SHA |
+ | | | (0x000003) |
+ | | | SSL3/RSA/RC4-40/MD5 |
+ | | | } |
+ | | | session-id = { } |
+ | | | challenge = { |
+ | | | 0x0355 0xe6e4 0x9979 0xc7d7 |
+ | | | 0x2c86 0x7896 0x5db |
+ | | | 0xcfe9 } |
+ | | | } |
+ | | | ] |
+ | | | <additional records in same |
+ | | | formats> |
+ | | | Server socket closed. |
+ | | | Usage Tips |
+ | | | When SSL restarts a |
+ | | | previous session, it makes use |
+ | | | of cached information |
+ | | | to do a partial handshake. |
+ | | | If you wish to capture a full |
+ | | | SSL handshake, |
+ | | | restart the browser to |
+ | | | clear the session id cache. |
+ | | | If you run the tool on a |
+ | | | machine other than the SSL |
+ | | | server to which you |
+ | | | are trying to connect, the |
+ | | | browser will complain that the |
+ | | | host name you |
+ | | | are trying to connect to is |
+ | | | different from the |
+ | | | certificate. If you are |
+ | | | using the default BadCert |
+ | | | callback, you can still |
+ | | | connect through a |
+ | | | dialog. If you are not |
+ | | | using the default BadCert |
+ | | | callback, the one you |
+ | | | supply must allow for this |
+ | | | possibility. |
+ | | | See Also |
+ | | | The NSS Security Tools are |
+ | | | also documented at |
+ | | | |
+ | | | [1]\ `http://www.mozil |
+ | | | la.org/projects/security/pki/n |
+ | | | ss/ <https://www.mozilla.org/p |
+ | | | rojects/security/pki/nss/>`__. |
+ | | | Additional Resources |
+ | | | NSS is maintained in |
+ | | | conjunction with PKI and |
+ | | | security-related projects |
+ | | | through Mozilla dn Fedora. |
+ | | | The most closely-related |
+ | | | project is Dogtag PKI, |
+ | | | with a project wiki at |
+ | | | [2]\ http: |
+ | | | //pki.fedoraproject.org/wiki/. |
+ | | | For information |
+ | | | specifically about NSS, the |
+ | | | NSS project wiki is located at |
+ | | | |
+ | | | [3]\ `http://www.mozil |
+ | | | la.org/projects/security/pki/n |
+ | | | ss/ <https://www.mozilla.org/p |
+ | | | rojects/security/pki/nss/>`__. |
+ | | | The NSS site relates |
+ | | | directly to NSS code |
+ | | | changes and releases. |
+ | | | Mailing lists: |
+ | | | pki-devel@redhat.com and |
+ | | | pki-users@redhat.com |
+ | | | IRC: Freenode at |
+ | | | #dogtag-pki |
+ | | | Authors |
+ | | | The NSS tools were written |
+ | | | and maintained by developers |
+ | | | with Netscape and |
+ | | | now with Red Hat and Sun. |
+ | | | Authors: Elio Maldonado |
+ | | | <emaldona@redhat.com>, Deon |
+ | | | Lackey |
+ | | | <dlackey@redhat.com>. |
+ | | | Copyright |
+ | | | (c) 2010, Red Hat, Inc. |
+ | | | Licensed under the GNU Public |
+ | | | License version 2. |
+ | | | References |
+ | | | Visible links |
+ | | | 1. |
+ | | | `http://www.mozilla.org/p |
+ | | | rojects/secu.../pki/nss/tools |
+ | | | <https://www.mozilla.org/proje |
+ | | | cts/security/pki/nss/tools>`__ |
+ | | | 2. |
+ | | | http |
+ | | | ://pki.fedoraproject.org/wiki/ |
+ | | | 3. |
+ | | | `http://www.mozi |
+ | | | lla.org/projects/security/pki/ |
+ | | | nss/ <https://www.mozilla.org/ |
+ | | | projects/security/pki/nss/>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 358 | :ref:`mozill | |
+ | | a_projects_nss_tools_vfychain` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Name |
+ | | | vfychain — vfychain |
+ | | | [options] [revocation options] |
+ | | | certfile [[options] |
+ | | | certfile] ... |
+ | | | Synopsis |
+ | | | vfychain |
+ | | | Description |
+ | | | The verification Tool, |
+ | | | vfychain, verifies certificate |
+ | | | chains. modutil can |
+ | | | add and delete PKCS #11 |
+ | | | modules, change passwords on |
+ | | | security databases, |
+ | | | set defaults, list module |
+ | | | contents, enable or disable |
+ | | | slots, enable or |
+ | | | disable FIPS 140-2 |
+ | | | compliance, and assign default |
+ | | | providers for |
+ | | | cryptographic operations. |
+ | | | This tool can also create |
+ | | | certificate, key, and |
+ | | | module security database |
+ | | | files. |
+ | | | The tasks associated with |
+ | | | security module database |
+ | | | management are part of |
+ | | | a process that typically |
+ | | | also involves managing key |
+ | | | databases and |
+ | | | certificate databases. |
+ | | | Options |
+ | | | -a |
+ | | | the following |
+ | | | certfile is base64 encoded |
+ | | | -b YYMMDDHHMMZ |
+ | | | Validate date |
+ | | | (default: now) |
+ | | | -d directory |
+ | | | database directory |
+ | | | -f |
+ | | | Enable cert |
+ | | | fetching from AIA URL |
+ | | | -o oid |
+ | | | Set policy OID for |
+ | | | cert validation(Format |
+ | | | OID.1.2.3) |
+ | | | -p |
+ | | | Use PKIX Library to |
+ | | | validate certificate by |
+ | | | calling: |
+ | | | \* |
+ | | | CERT_VerifyCertificate if |
+ | | | specified once, |
+ | | | \* |
+ | | | CERT_PKIXVerifyCert if |
+ | | | specified twice and more. |
+ | | | -r |
+ | | | Following certfile |
+ | | | is raw binary DER (default) |
+ | | | -t |
+ | | | Following cert is |
+ | | | explicitly trusted (overrides |
+ | | | db trust) |
+ | | | -u usage |
+ | | | 0=SSL client, 1=SSL |
+ | | | server, 2=SSL StepUp, 3=SSL |
+ | | | CA, 4=Email |
+ | | | signer, 5=Email |
+ | | | recipient, 6=Object signer, |
+ | | | |
+ | | | 9=ProtectedObjectSigner, |
+ | | | 10=OCSP responder, 11=Any CA |
+ | | | -v |
+ | | | Verbose mode. |
+ | | | Prints root cert |
+ | | | subject(double the argument |
+ | | | for |
+ | | | whole root cert |
+ | | | info) |
+ | | | -w password |
+ | | | Database password |
+ | | | -W pwfile |
+ | | | Password file |
+ | | | Revocation options |
+ | | | for PKIX API (invoked with -pp |
+ | | | options) is a |
+ | | | collection of the |
+ | | | following flags: [-g type [-h |
+ | | | flags] [-m type |
+ | | | [-s flags]] ...] |
+ | | | ... |
+ | | | Where: |
+ | | | -g test-type |
+ | | | Sets status |
+ | | | checking test type. Possible |
+ | | | values are "leaf" or |
+ | | | "chain" |
+ | | | -g test type |
+ | | | Sets status |
+ | | | checking test type. Possible |
+ | | | values are "leaf" or |
+ | | | "chain". |
+ | | | -h test flags |
+ | | | Sets revocation |
+ | | | flags for the test type it |
+ | | | follows. Possible |
+ | | | flags: |
+ | | | "testLocalInfoFirst" and |
+ | | | "requireFreshInfo". |
+ | | | -m method type |
+ | | | Sets method type |
+ | | | for the test type it follows. |
+ | | | Possible types are |
+ | | | "crl" and "ocsp". |
+ | | | -s method flags |
+ | | | Sets revocation |
+ | | | flags for the method it |
+ | | | follows. Possible types |
+ | | | are "doNotUse", |
+ | | | "forbidFetching", |
+ | | | "ignoreDefaultSrc", |
+ | | | "requireInfo" and |
+ | | | "failIfNoInfo". |
+ | | | Additional Resources |
+ | | | For information about NSS |
+ | | | and other tools related to NSS |
+ | | | (like JSS), check |
+ | | | out the NSS project wiki at |
+ | | | |
+ | | | [1]\ `http://www.mozil |
+ | | | la.org/projects/security/pki/n |
+ | | | ss/ <https://www.mozilla.org/p |
+ | | | rojects/security/pki/nss/>`__. |
+ | | | The NSS site relates |
+ | | | directly to NSS code |
+ | | | changes and releases. |
+ | | | Mailing lists: |
+ | | | https://lists.mozill |
+ | | | a.org/listinfo/dev-tech-crypto |
+ | | | IRC: Freenode at |
+ | | | #dogtag-pki |
+ | | | Authors |
+ | | | The NSS tools were written |
+ | | | and maintained by developers |
+ | | | with Netscape, Red |
+ | | | Hat, and Sun. |
+ | | | Authors: Elio Maldonado |
+ | | | <emaldona@redhat.com>, Deon |
+ | | | Lackey |
+ | | | <dlackey@redhat.com>. |
+ | | | Copyright |
+ | | | (c) 2010, Red Hat, Inc. |
+ | | | Licensed under the GNU Public |
+ | | | License version 2. |
+ | | | References |
+ | | | Visible links |
+ | | | 1. |
+ | | | `http://www.mozi |
+ | | | lla.org/projects/security/pki/ |
+ | | | nss/ <https://www.mozilla.org/ |
+ | | | projects/security/pki/nss/>`__ |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 359 | :ref:`mozil | |
+ | | la_projects_nss_tools_vfyserv` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | Coming soon |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 360 | :ref:`mozilla | **NSS** |
+ | | _projects_nss_troubleshooting` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | On this page, let's collect |
+ | | | information on how to |
+ | | | troubleshoot NSS at runtime. |
+ | | | Debugging tips, how to enable |
+ | | | tracing of the various |
+ | | | modules, etc. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | 361 | :ref:`mozilla_p | **NSS** |
+ | | rojects_nss_utility_functions` | |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | The public functions listed |
+ | | | here perform initialization |
+ | | | tasks and other services. |
+ +--------------------------------+--------------------------------+--------------------------------+
+ | | | |
+ +--------------------------------+--------------------------------+--------------------------------+ \ No newline at end of file
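Review bot: the vfychain entry (row 358) documents the wrong tool: its Name cell carries the usage line while Synopsis holds only "vfychain", and its Description, after the first sentence "The verification Tool, vfychain, verifies certificate chains.", continues with two paragraphs lifted from modutil ("modutil can add and delete PKCS #11 modules, change passwords on security databases, ..." through "This tool can also create certificate, key, and module security database files."). The usage line belongs under Synopsis and the modutil paragraphs should be dropped; in the same row the "-g test-type" option is listed twice with the same text, and the "-s method flags" entry says "Possible types are" where it lists flags. Smaller defects in the same hunk: the ssltap synopsis names the binary "libssltap" although every example invokes ssltap; ssltap Example 2 marks server-to-client records with ">-- [" and "> encrypted >" where Examples 1 and 3 use "<-- [" and "< encrypted >"; "This line can be set added to the ~/.bashrc file" and "through Mozilla dn Fedora" are typos; and ssltap reference 1 has a truncated link text ("secu.../pki/nss/tools") while its target is the full tools URL. Since this commit imports the generated legacy index verbatim, these are upstream content problems to file against the source pages rather than something to patch in this import.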