diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /security/nss/doc/rst/legacy/index | |
parent | Initial commit. (diff) | |
download | firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip |
Adding upstream version 115.7.0esr.upstream/115.7.0esr
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/nss/doc/rst/legacy/index')
-rw-r--r-- | security/nss/doc/rst/legacy/index/index.rst | 11751 |
1 files changed, 11751 insertions, 0 deletions
diff --git a/security/nss/doc/rst/legacy/index/index.rst b/security/nss/doc/rst/legacy/index/index.rst new file mode 100644 index 0000000000..a592015264 --- /dev/null +++ b/security/nss/doc/rst/legacy/index/index.rst @@ -0,0 +1,11751 @@ +.. _mozilla_projects_nss_index: + +Index +===== + +.. container:: + + **Found 361 pages:** + + +--------------------------------+--------------------------------+--------------------------------+ + | # | Page | Tags and summary | + +================================+================================+================================+ + | 1 | :ref:`mozilla_projects_nss` | **JSS, NSS, NeedsMigration** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **Network Security Services** | + | | | (**NSS**) is a set of | + | | | libraries designed to support | + | | | cross-platform development of | + | | | security-enabled client and | + | | | server applications. | + | | | Applications built with NSS | + | | | can support SSL v3, TLS, PKCS | + | | | #5, PKCS #7, PKCS #11, PKCS | + | | | #12, S/MIME, X.509 v3 | + | | | certificates, and other | + | | | security standards. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 2 | :ref:`mozilla_projects_nss | **API, Intermediate, Intro, | + | | _an_overview_of_nss_internals` | NSS, Tools** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | A High-Level Overview to the | + | | | Internals of `Network Security | + | | | Services | + | | | (NSS) <https://developer. | + | | | mozilla.org/en-US/docs/NSS>`__ | + | | | Software developed by the | + | | | Mozilla.org projects | + | | | traditionally used its own | + | | | implementation of security | + | | | protocols and cryptographic | + | | | algorithms, originally called | + | | | Netscape Security Services, | + | | | nowadays called Network | + | | | Security Services (NSS). NSS | + | | | is a library written in the C | + | | | programming language. It's | + | | | free and open source software, | + | | | and many other software | + | | | projects have decided to use | + | | | it. In order to support | + | | | multiple operating systems | + | | | (OS), it is based on a cross | + | | | platform portability layer, | + | | | called the Netscape Portable | + | | | Runtime (NSPR), which provides | + | | | cross platform application | + | | | programming interfaces (APIs) | + | | | for OS specific APIs like file | + | | | system access, memory | + | | | management, network | + | | | communication, and | + | | | multithreaded programming. | + | | | NSS offers lots of | + | | | functionality; we'll walk | + | | | through the list of modules, | + | | | design principles, and | + | | | important relevant standards. | + | | | In order to allow | + | | | interoperability between | + | | | software and devices that | + | | | perform cryptographic | + | | | operations, NSS conforms to a | + | | | standard called PKCS#11. (Note | + | | | that it's important to look at | + | | | the number 11, as there are | + | | | other PKCS standards with | + | | | different numbers that define | + | | | quite different topics.) | + | | | A software or hardware module | + | | | conforming to the PKCS#11 | + | | | standard implements an | + | | | interface of C calls, which | + | | | allow querying the | + | | | characteristics and offered | + | | | services of the module. | + | | | Multiple elements of NSS's own | + | | | modules have been implemented | + | | | with this interface, and NSS | + | | | makes use of this interface | + | | | when talking to those modules. | + | | | This strategy allows NSS to | + | | | work with many hardware | + | | | devices (e.g., to speed up the | + | | | calculations required for | + | | | cryptographic operations, or | + | | | to access smartcards that | + | | | securely protect a secret key) | + | | | and software modules (e.g., to | + | | | allow to load such modules as | + | | | a plugin that provides | + | | | additional algorithms or | + | | | stores key or trust | + | | | information) that implement | + | | | the PKCS#11 interface. | + | | | A core element of NSS is | + | | | FreeBL, a base library | + | | | providing hash functions, big | + | | | number calculations, and | + | | | cryptographic algorithms. | + | | | Softoken is an NSS module that | + | | | exposes most FreeBL | + | | | functionality as a PKCS#11 | + | | | module. | + | | | Some cryptography uses the | + | | | same secret key for both | + | | | encrypting and decrypting, for | + | | | example password based | + | | | encryption (PBE). This is | + | | | often sufficient if you | + | | | encrypt data for yourself, but | + | | | as soon as you need to | + | | | exchange signed/encrypted data | + | | | with communication partners, | + | | | using public key encryption | + | | | simplifies the key management. | + | | | The environment that describes | + | | | how to use public key | + | | | encryption is called Public | + | | | Key Infrastructure (PKI). The | + | | | public keys that are exchanged | + | | | between parties are | + | | | transported using a container; | + | | | the container is called a | + | | | certificate, following | + | | | standard X.509 version 3. A | + | | | certificate contains lots of | + | | | other details; for example, it | + | | | contains a signature by a | + | | | third party that expresses | + | | | trust in the ownership | + | | | relationship for the | + | | | certificate. The trust | + | | | assigned by the third party | + | | | might be restricted to certain | + | | | uses, which are listed in | + | | | certificate extensions that | + | | | are contained in the | + | | | certificate. | + | | | Many (if not most) of the | + | | | operations performed by NSS | + | | | involve the use of X.509 | + | | | certificates (often | + | | | abbreviated as “cert”, | + | | | unfortunately making it easy | + | | | to confuse with the term | + | | | “computer emergency response | + | | | team“). | + | | | When checking whether a | + | | | certificate is trusted or not, | + | | | it's necessary to find a | + | | | relevant trust anchor (root | + | | | certificate) that represents | + | | | the signing capability of a | + | | | trusted third party, usually | + | | | called a Certificate Authority | + | | | (CA). A trust anchor is just | + | | | another X.509 certificate that | + | | | is already known and has been | + | | | deliberately marked as trusted | + | | | by a software vendor, | + | | | administrators inside an | + | | | organizational infrastructure, | + | | | or the software user. NSS | + | | | ships a predefined set of CA | + | | | certificates. This set, | + | | | including their trust | + | | | assignments, is provided by | + | | | NSS as a software module, | + | | | called CKBI (“built-in root | + | | | certificates”), which also | + | | | implements the PKCS#11 | + | | | interface. On an | + | | | organizational level the | + | | | contents of the set are | + | | | managed according to the | + | | | Mozilla CA policy. On a | + | | | technical level the set is a | + | | | binary software module. | + | | | A cryptographic transaction, | + | | | such as encryption or | + | | | decryption related to a data | + | | | exchange, usually involves | + | | | working with the X.509 certs | + | | | of your communication partners | + | | | (peer). It's also required | + | | | that you safely keep your own | + | | | secret keys that belong to | + | | | your own certificates. You | + | | | might want to protect the | + | | | storage of your secret keys | + | | | with PBE. You might decide to | + | | | modify the default trust | + | | | provided by NSS. All of this | + | | | requires storing, looking up, | + | | | and retrieving data. NSS | + | | | simplifies performing these | + | | | operations by offering storage | + | | | and management APIs. NSS | + | | | doesn't require the programmer | + | | | to manage individual files | + | | | containing individual | + | | | certificates or keys. Instead, | + | | | NSS offers to use its own | + | | | database(s). Once you have | + | | | imported certificates and keys | + | | | into the NSS database, you can | + | | | easily look them up and use | + | | | them again. | + | | | Because of NSS's expectation | + | | | to operate with an NSS | + | | | database, it's mandatory that | + | | | you perform an initialization | + | | | call, where you tell NSS which | + | | | database you will be using. In | + | | | the most simple scenario, the | + | | | programmer will provide a | + | | | directory on your filesystem | + | | | as a parameter to the init | + | | | function, and NSS is designed | + | | | to do the rest. It will detect | + | | | and open an existing database, | + | | | or it can create a new one. | + | | | Alternatively, should you | + | | | decide that you don't want to | + | | | work with any persistent | + | | | recording of certificates, you | + | | | may initialize NSS in a | + | | | no-database mode. Usually, NSS | + | | | will flush all data to disk as | + | | | soon as new data has been | + | | | added to permanent storage. | + | | | Storage consists of multiple | + | | | files: a key database file, | + | | | which contains your secret | + | | | keys, and a certificate | + | | | database file which contains | + | | | the public portion of your own | + | | | certificates, the certificates | + | | | of peers or CAs, and a list of | + | | | trust decisions (such as to | + | | | not trust a built-in CA, or to | + | | | explicitly trust other CAs). | + | | | Examples for the database | + | | | files are key3.db and | + | | | cert8.db, where the numbers | + | | | are file version numbers. A | + | | | third file contains the list | + | | | of external PKCS#11 modules | + | | | that have been registered to | + | | | be used by NSS. The file could | + | | | be named secmod.db, but in | + | | | newer database generations a | + | | | file named pkcs11.txt is used. | + | | | Only NSS is allowed to access | + | | | and manipulate these database | + | | | files directly; a programmer | + | | | using NSS must go through the | + | | | APIs offered by NSS to | + | | | manipulate the data stored in | + | | | these files. The programmer's | + | | | task is to initialize NSS with | + | | | the required parameters (such | + | | | as a database), and NSS will | + | | | then transparently manage the | + | | | database files. | + | | | Most of the time certificates | + | | | and keys are supposed to be | + | | | stored in the NSS database. | + | | | Therefore, after initial | + | | | import or creation, the | + | | | programmer usually doesn't | + | | | deal with their raw bytes. | + | | | Instead, the programmer will | + | | | use lookup functions, and NSS | + | | | will provide an access handle | + | | | that will be subsequently used | + | | | by the application's code. | + | | | Those handles are reference | + | | | counted. NSS will usually | + | | | create an in-memory (RAM) | + | | | presentation of certificates, | + | | | once a certificate has been | + | | | received from the network, | + | | | read from disk, or looked up | + | | | from the database, and prepare | + | | | in-memory data structures that | + | | | contain the certificate's | + | | | properties, as well as | + | | | providing a handle for the | + | | | programmer to use. Once the | + | | | application is done with a | + | | | handle, it should be released, | + | | | allowing NSS to free the | + | | | associated resources. When | + | | | working with handles to | + | | | private keys it's usually | + | | | difficult (and undesired) that | + | | | an application gets access to | + | | | the raw key data; therefore it | + | | | may be difficult to extract | + | | | such data from NSS. The usual | + | | | minimum requirement is that | + | | | private keys must be wrapped | + | | | using a protective layer (such | + | | | as password-based encryption). | + | | | The intention is to make it | + | | | easier to review code for | + | | | security. The less code that | + | | | has access to raw secret keys, | + | | | the less code that must be | + | | | reviewed. | + | | | NSS has only limited | + | | | functionality to look up raw | + | | | keys. The preferred approach | + | | | is to use certificates, and to | + | | | look up certificates by | + | | | properties such as the | + | | | contained subject name | + | | | (information that describes | + | | | the owner of the certificate). | + | | | For example, while NSS | + | | | supports random calculation | + | | | (creation) of a new | + | | | public/private key pair, it's | + | | | difficult to work with such a | + | | | raw key pair. The usual | + | | | approach is to create a | + | | | certificate signing request | + | | | (CSR) as soon as an | + | | | application is done with the | + | | | creation step, which will have | + | | | created a handle to the key | + | | | pair, and which can be used | + | | | for the necessary related | + | | | operations, like producing a | + | | | proof-of-ownership of the | + | | | private key, which is usually | + | | | required when submitting the | + | | | public key with a CSR to a CA. | + | | | The usual follow up action is | + | | | receiving a signed certificate | + | | | from a CA. (However, it's also | + | | | possible to use NSS | + | | | functionality to create a | + | | | self-signed certificate, | + | | | which, however, usually won't | + | | | be trusted by other parties.) | + | | | Once received, it's sufficient | + | | | to tell NSS to import such a | + | | | new certificate into the NSS | + | | | database, and NSS will | + | | | automatically perform a lookup | + | | | of the embedded public key, be | + | | | able to find the associated | + | | | private key, and subsequently | + | | | be able to treat it as a | + | | | personal certificate. (A | + | | | personal certificate is a | + | | | certificate for which the | + | | | private key is in possession, | + | | | and which could be used for | + | | | signing data or for decrypting | + | | | data.) A unique nickname | + | | | can/should be assigned to the | + | | | certificate at the time of | + | | | import, which can later be | + | | | used to easily identify and | + | | | retrieve it. | + | | | It's important to note that | + | | | NSS requires strict cleanup | + | | | for all handles returned by | + | | | NSS. The application should | + | | | always call the appropriate | + | | | dereference (destroy) | + | | | functions once a handle is no | + | | | longer needed. This is | + | | | particularly important for | + | | | applications that might need | + | | | to close a database and | + | | | reinitialize NSS using a | + | | | different one, without | + | | | restarting. Such an operation | + | | | might fail at runtime if data | + | | | elements are still being | + | | | referenced. | + | | | In addition to the FreeBL, | + | | | Softoken, and CKBI modules, | + | | | there is an utility library | + | | | for general operations (e.g., | + | | | encoding/decoding between data | + | | | formats, a list of | + | | | standardized object | + | | | identifiers (OID)). NSS has an | + | | | SSL/TLS module that implements | + | | | the Secure Sockets | + | | | Layer/Transport Layer Security | + | | | network protocols, an S/MIME | + | | | module that implements CMS | + | | | messaging used by secure email | + | | | and some instant messaging | + | | | implementations, a DBM library | + | | | that implements the classic | + | | | database storage, and finally | + | | | a core NSS library for the big | + | | | set of “everything else”. | + | | | Newer generations of the | + | | | database use the SQLite | + | | | database to allow concurrent | + | | | access by multiple | + | | | applications. | + | | | All of the above are provided | + | | | as shared libraries. The CRMF | + | | | library, which is used to | + | | | produce certain kinds of | + | | | certificate requests, is | + | | | available as a library for | + | | | static linking only. | + | | | When dealing with certificates | + | | | (X.509), file formats such as | + | | | PKCS#12 (certificates and | + | | | keys), PKCS#7 (signed data), | + | | | and message formats as CMS, we | + | | | should mention ASN.1, which is | + | | | a syntax for storing | + | | | structured data in a very | + | | | efficient (small sized) | + | | | presentation. It was | + | | | originally developed for | + | | | telecommunication systems at | + | | | times where it was critical to | + | | | minimize data as much as | + | | | possible (although it still | + | | | makes sense to use that | + | | | principle today for good | + | | | performance). In order to | + | | | process data available in the | + | | | ASN.1 format, the usual | + | | | approach is to parse it and | + | | | transfer it to a presentation | + | | | that requires more space but | + | | | is easier to work with, such | + | | | as (nested) C data structures. | + | | | Over the time NSS has received | + | | | three different ASN.1 parser | + | | | implementations, each having | + | | | their own specific properties, | + | | | advantages and disadvantages, | + | | | which is why all of them are | + | | | still being used (nobody has | + | | | yet dared to replace the older | + | | | with the newer ones because of | + | | | risks for side effects). When | + | | | using the ASN.1 parser(s), a | + | | | template definition is passed | + | | | to the parser, which will | + | | | analyze the ASN.1 data stream | + | | | accordingly. The templates are | + | | | usually closely aligned to | + | | | definitions found in RFC | + | | | documents. | + | | | A data block described as DER | + | | | is usually in ASN.1 format. | + | | | You must know which data you | + | | | are expecting, and use the | + | | | correct template for parsing, | + | | | based on the context of your | + | | | software's interaction. Data | + | | | described as PEM is a base64 | + | | | encoded presentation of DER, | + | | | usually wrapped between human | + | | | readable BEGIN/END lines. NSS | + | | | prefers the binary | + | | | presentation, but is often | + | | | capable to use base64 or ASCII | + | | | presentations, especially when | + | | | importing data from files. A | + | | | recent development adds | + | | | support for loading external | + | | | PEM files that contain private | + | | | keys, in a software library | + | | | called nss-pem, which is | + | | | separately available, but | + | | | should eventually become a | + | | | core part of NSS. | + | | | Looking at the code level, NSS | + | | | deals with blocks of raw data | + | | | all the time. The common | + | | | structure to store such an | + | | | untyped block is SECItem, | + | | | which contains a size and an | + | | | untyped C pointer variable. | + | | | When dealing with memory, NSS | + | | | makes use of arenas, which are | + | | | an attempt to simplify | + | | | management with the limited | + | | | offerings of C (because there | + | | | are no destructors). The idea | + | | | is to group multiple memory | + | | | allocations in order to | + | | | simplify cleanup. Performing | + | | | an operation often involves | + | | | allocating many individual | + | | | data items, and the code might | + | | | be required to abort a task at | + | | | many positions in the logic. | + | | | An arena is requested once | + | | | processing of a task starts, | + | | | and all memory allocations | + | | | that are logically associated | + | | | to that task are requested | + | | | from the associated arena. The | + | | | implementation of arenas makes | + | | | sure that all individual | + | | | memory blocks are tracked. | + | | | Once a task is done, | + | | | regardless whether it | + | | | completed or was aborted, the | + | | | programmer simply needs to | + | | | release the arena, and all | + | | | individually allocated blocks | + | | | will be released | + | | | automatically. Often freeing | + | | | is combined with immediately | + | | | erasing (zeroing, zfree) the | + | | | memory associated to the | + | | | arena, in order to make it | + | | | more difficult for attackers | + | | | to extract keys from a memory | + | | | dump. | + | | | NSS uses many C data | + | | | structures. Often NSS has | + | | | multiple implementations for | + | | | the same or similar concepts. | + | | | For example, there are | + | | | multiple presentations of | + | | | certificates, and the NSS | + | | | internals (and sometimes even | + | | | the application using NSS) | + | | | might have to convert between | + | | | them. | + | | | Key responsibilites of NSS are | + | | | verification of signatures and | + | | | certificates. In order to | + | | | verify a digital signature, we | + | | | have to look at the | + | | | application data (e.g., a | + | | | document that was signed), the | + | | | signature data block (the | + | | | digital signature), and a | + | | | public key (as found in a | + | | | certificate that is believed | + | | | to be the signer, e.g., | + | | | identified by metadata | + | | | received together with the | + | | | signature). The signature is | + | | | verified if it can be shown | + | | | that the signature data block | + | | | must have been produced by the | + | | | owner of the public key | + | | | (because only that owner has | + | | | the associated private key). | + | | | Verifying a certificate (A) | + | | | requires some additional | + | | | steps. First, you must | + | | | identify the potential signer | + | | | (B) of a certificate (A). This | + | | | is done by reading the “issuer | + | | | name” attribute of a | + | | | certificate (A), and trying to | + | | | find that issuer certificate | + | | | (B) (by looking for a | + | | | certificate that uses that | + | | | name as its “subject name”). | + | | | Then you attempt to verify the | + | | | signature found in (A) using | + | | | the public key found in (B). | + | | | It might be necessary to try | + | | | multiple certificates (B1, B2, | + | | | ...) each having the same | + | | | subject name. | + | | | After succeeding, it might be | + | | | necessary to repeat this | + | | | procedure recursively. The | + | | | goal is to eventually find a | + | | | certificate B (or C or ...) | + | | | that has an appropriate trust | + | | | assigned (e.g., because it can | + | | | be found in the CKBI module | + | | | and the user hasn't made any | + | | | overriding trust decisions, or | + | | | it can be found in a NSS | + | | | database file managed by the | + | | | user or by the local | + | | | environment). | + | | | After having successfully | + | | | verified the signatures in a | + | | | (chain of) issuer | + | | | certificate(s), we're still | + | | | not done with verifying the | + | | | certificate A. In a PKI it's | + | | | suggested/required to perform | + | | | additional checks. For | + | | | example: Certificates were | + | | | valid at the time the | + | | | signature was made, name in | + | | | certificates matches the | + | | | expected signer (check subject | + | | | name, common name, email, | + | | | based on application), the | + | | | trust restrictions recorded | + | | | inside the certificate | + | | | (extensions) permit the use | + | | | (e.g., encryption might be | + | | | allowed, but not signing), and | + | | | based on | + | | | environment/application policy | + | | | it might be required to | + | | | perform a revocation check | + | | | (OCSP or CRL), that asks the | + | | | issuer(s) of the certificates | + | | | whether there have been events | + | | | that made it necessary to | + | | | revoke the trust (revoke the | + | | | validity of the cert). | + | | | Trust anchors contained in the | + | | | CKBI module are usually self | + | | | signed, which is defined as | + | | | having identical subject name | + | | | and issuer name fields. If a | + | | | self-signed certificate is | + | | | marked as explicitly trusted, | + | | | NSS will skip checking the | + | | | self-signature for validity. | + | | | NSS has multiple APIs to | + | | | perform verification of | + | | | certificates. There is a | + | | | classic engine that is very | + | | | stable and works fine in all | + | | | simple scenarios, for example | + | | | if all (B) candidate issuer | + | | | certificates have the same | + | | | subject and issuer names and | + | | | differ by validity period; | + | | | however, it works only in a | + | | | limited amount of more | + | | | advanced scenarios. | + | | | Unfortunately, the world of | + | | | certificates has become more | + | | | complex in the recent past. | + | | | New Certificate Authorities | + | | | enter the global PKI market, | + | | | and in order to get started | + | | | with their business, they | + | | | might make deals with | + | | | established CAs and receive | + | | | so-called | + | | | cross-signing-certificates. As | + | | | a result, when searching for a | + | | | trust path from (A) to a | + | | | trusted anchor (root) | + | | | certificate (Z), the set of | + | | | candidate issuer certificates | + | | | might have different issuer | + | | | names (referring to the second | + | | | or higher issuer level). As a | + | | | consequence, it will be | + | | | necessary to try multiple | + | | | different alternative routes | + | | | while searching for (Z), in a | + | | | recursive manner. Only the | + | | | newer verification engine | + | | | (internally named libPKIX) is | + | | | capable of doing that | + | | | properly. | + | | | It's worth mentioning the | + | | | Extended Validation (EV) | + | | | principle, which is an effort | + | | | by software vendors and CAs to | + | | | define a stricter set of rules | + | | | for issuing certificates for | + | | | web site certificates. Instead | + | | | of simply verifying that the | + | | | requester of a certificate is | + | | | in control of an | + | | | administrative email address | + | | | at the desired web site's | + | | | domain, it's required that the | + | | | CA performs a verification of | + | | | real world identity documents | + | | | (such as a company | + | | | registration document with the | + | | | country's authority), and it's | + | | | also required that a browser | + | | | software performs a revocation | + | | | check with the CA, prior to | + | | | granting validity to the | + | | | certificate. In order to | + | | | distinguish an EV certificate, | + | | | CAs will embed a policy OID in | + | | | the certificate, and the | + | | | browser is expected to verify | + | | | that a trust chain permits the | + | | | end entity (EE) certificate to | + | | | make use of the policy. Only | + | | | the APIs of the newer libPKIX | + | | | engine are capable of | + | | | performing a policy | + | | | verification. | + | | | That's a good opportunity to | + | | | talk about SSL/TLS connections | + | | | to servers in general (not | + | | | just EV, not just websites). | + | | | Whenever this document | + | | | mentions SSL, it refers to | + | | | either SSL or TLS. (TLS is a | + | | | newer version of SSL with | + | | | enhanced features.) | + | | | When establishing an SSL | + | | | connection to a server, (at | + | | | least) a server certificate | + | | | (and its trust chain) is | + | | | exchanged from the server to | + | | | the client (e.g., the | + | | | browser), and the client | + | | | verifies that the certificate | + | | | can be verified (including | + | | | matching the name of the | + | | | expected destination server). | + | | | Another part of the handshake | + | | | between both parties is a key | + | | | exchange. Because public key | + | | | encryption is more expensive | + | | | (more calculations required) | + | | | than symmetric encryption | + | | | (where both parties use the | + | | | same key), a key agreement | + | | | protocol will be executed, | + | | | where the public and private | + | | | keys are used to proof and | + | | | verify the exchanged initial | + | | | information. Once the key | + | | | agreement is done, a symmetric | + | | | encryption will be used (until | + | | | a potential re-handshake on an | + | | | existing channel). The | + | | | combination of the hash and | + | | | encryption algorithms used for | + | | | a SSL connection is called a | + | | | cipher suite. | + | | | NSS ships with a set of cipher | + | | | suites that it supports at a | + | | | technical level. In addition, | + | | | NSS ships with a default | + | | | policy that defines which | + | | | cipher suites are enabled by | + | | | default. An application is | + | | | able to modify the policy used | + | | | at program runtime, by using | + | | | function calls to modify the | + | | | set of enabled cipher suites. | + | | | If a programmer wants to | + | | | influence how NSS verifies | + | | | certificates or how NSS | + | | | verifies the data presented in | + | | | a SSL connection handshake, it | + | | | is possible to register | + | | | application-defined callback | + | | | functions which will be called | + | | | by NSS at the appropriate | + | | | point of time, and which can | + | | | be used to override the | + | | | decisions made by NSS. | + | | | If you would like to use NSS | + | | | as a toolkit that implements | + | | | SSL, remember that you must | + | | | init NSS first. But if you | + | | | don't care about modifying the | + | | | default trust permanently | + | | | (recorded on disk), you can | + | | | use the no-database init | + | | | calls. When creating the | + | | | network socket for data | + | | | exchange, note that you must | + | | | use the operating system | + | | | independent APIs provided by | + | | | NSPR and NSS. It might be | + | | | interesting to mention a | + | | | property of the NSPR file | + | | | descriptors, which are stacked | + | | | in layers. This means you can | + | | | define multiple layers that | + | | | are involved in data | + | | | processing. A file descriptor | + | | | has a pointer to the first | + | | | layer handling the data. That | + | | | layer has a pointer to a | + | | | potential second layer, which | + | | | might have another pointer to | + | | | a third layer, etc. Each layer | + | | | defines its own functions for | + | | | the | + | | | ope | + | | | n/close/read/write/poll/select | + | | | (etc.) functions. When using | + | | | an SSL network connection, | + | | | you'll already have two | + | | | layers, the basic NSPR layer | + | | | and an SSL library layer. The | + | | | Mozilla applications define a | + | | | third layer where application | + | | | specific processing is | + | | | performed. You can find more | + | | | details in the NSPR reference | + | | | documents. | + | | | NSS occassionally has to | + | | | create outbound network | + | | | connections, in addition to | + | | | the connections requested by | + | | | the application. Examples are | + | | | retrieving OCSP (Online | + | | | Certificate Status Protocol) | + | | | information or downloading a | + | | | CRL (Certificate Revocation | + | | | List). However, NSS doesn't | + | | | have an implementation to work | + | | | with network proxies. If you | + | | | must support proxies in your | + | | | application, you are able to | + | | | register your own | + | | | implementation of an http | + | | | request callback interface, | + | | | and NSS can use your | + | | | application code that supports | + | | | proxies. | + | | | When using hashing, | + | | | encryption, and decryption | + | | | functions, it is possible to | + | | | stream data (as opposed to | + | | | operating on a large buffer). | + | | | Create a context handle while | + | | | providing all the parameters | + | | | required for the operation, | + | | | then call an “update” function | + | | | multiple times to pass subsets | + | | | of the input to NSS. The data | + | | | will be processed and either | + | | | returned directly or sent to a | + | | | callback function registered | + | | | in the context. When done, you | + | | | call a finalization function | + | | | that will flush out any | + | | | pending data and free the | + | | | resources. | + | | | This line is a placeholder for | + | | | future sections that should | + | | | explain how libpkix works and | + | | | is designed. | + | | | If you want to work with NSS, | + | | | it's often helpful to use the | + | | | command line utilities that | + | | | are provided by the NSS | + | | | developers. There are tools | + | | | for managing NSS databases, | + | | | for dumping or verifying | + | | | certificates, for registering | + | | | PKCS#11 modules with a | + | | | database, for processing CMS | + | | | encrypted/signed messages, | + | | | etc. | + | | | For example, if you wanted to | + | | | create your own pair of keys | + | | | and request a new certificate | + | | | from a CA, you could use | + | | | certutil to create an empty | + | | | database, then use certutil to | + | | | operate on your database and | + | | | create a certificate request | + | | | (which involves creating the | + | | | desired key pair) and export | + | | | it to a file, submit the | + | | | request file to the CA, | + | | | receive the file from the CA, | + | | | and import the certificate | + | | | into your database. You should | + | | | assign a good nickname to a | + | | | certificate when importing it, | + | | | making it easier for you to | + | | | refer to it later. | + | | | It should be noted that the | + | | | first database format that can | + | | | be accessed simultaneously by | + | | | multiple applications is | + | | | key4.db/cert9.db – database | + | | | files with lower numbers will | + | | | most likely experience | + | | | unrecoverable corruption if | + | | | you access them with multiple | + | | | applications at the same time. | + | | | In other words, if your | + | | | browser or your server | + | | | operates on an older NSS | + | | | database format, don't use the | + | | | NSS tools to operate on it | + | | | while the other software is | + | | | executing. At the time of | + | | | writing NSS and the Mozilla | + | | | applications still use the | + | | | older database file format by | + | | | default, where each | + | | | application has its own NSS | + | | | database. | + | | | If you require a copy of a | + | | | certificate stored in an NSS | + | | | database, including its | + | | | private key, you can use | + | | | pk12util to export it to the | + | | | PKCS#12 file format. If you | + | | | require it in PEM format, you | + | | | could use the openssl pkcs12 | + | | | command (that's not NSS) to | + | | | convert the PKCS#12 file to | + | | | PEM. | + | | | This line is a placeholder for | + | | | how to prepare a database, how | + | | | to dump a cert, and how to | + | | | convert data. | + | | | You might have been motivated | + | | | to work with NSS because it is | + | | | used by the Mozilla | + | | | applications such as Firefox, | + | | | Thunderbird, etc. If you build | + | | | the Mozilla application, it | + | | | will automatically build the | + | | | NSS library, too. However, if | + | | | you want to work with the NSS | + | | | command line tools, you will | + | | | have to follow the standalone | + | | | NSS build instructions, and | + | | | build NSS outside of the | + | | | Mozilla application sources. | + | | | The key database file will | + | | | contain at least one symmetric | + | | | key, which NSS will | + | | | automatically create on | + | | | demand, and which will be used | + | | | to protect your secret | + | | | (private) keys. The symmetric | + | | | key can be protected with PBE | + | | | by setting a master password | + | | | on the database. As soon as | + | | | you set a master password, an | + | | | attacker stealing your key | + | | | database will no longer be | + | | | able to get access to your | + | | | private key, unless the | + | | | attacker would also succeed in | + | | | stealing the master password. | + | | | Now you might be interest in | + | | | how to get the | + | | | :ref:`mozilla_projects_nss | + | | | _nss_sources_building_testing` | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 3 | :ref:`mozill | **NSS** | + | | a_projects_nss_blank_function` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | One-line description of what | + | | | the function does (more than | + | | | just what it returns). | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 4 | :ref:` | **Guide, NSS, Security** | + | | mozilla_projects_nss_building` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This page has detailed | + | | | information on how to build | + | | | NSS. Because NSS is a | + | | | cross-platform library that | + | | | builds on many different | + | | | platforms and has many | + | | | options, it may be complex to | + | | | build. Please read these | + | | | instructions carefully before | + | | | attempting to build. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 5 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_cert_findcertbydercert` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Find a certificate in the | + | | | database that matches a | + | | | DER-encoded certificate. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 6 | :ref:`mozilla_projects_n | **NSS** | + | | ss_cert_findcertbyissuerandsn` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Find a certificate in the | + | | | database with the given issuer | + | | | and serial number. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 7 | :r | **NSS** | + | | ef:`mozilla_projects_nss_certi | | + | | ficate_download_specification` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This document describes the | + | | | data formats used by NSS 3.x | + | | | for installing certificates. | + | | | This document is currently | + | | | being revised and has not yet | + | | | been reviewed for accuracy. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 8 | :ref:`mozilla_proje | **NSS** | + | | cts_nss_certificate_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here are used to interact with | + | | | certificate databases. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 9 | :ref:`mozill | **NSS** | + | | a_projects_nss_certverify_log` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | All the NSS verify functions | + | | | except, the \*VerifyNow() | + | | | functions, take a parameter | + | | | called 'CERTVerifyLog'. If you | + | | | supply the log parameter, NSS | + | | | will continue chain validation | + | | | after each error . The log | + | | | tells you what the problem was | + | | | with the chain and what | + | | | certificate in the chain | + | | | failed. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 10 | :ref:`mozil | **NSS** | + | | la_projects_nss_code_coverage` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 11 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_cryptography_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here perform cryptographic | + | | | operations based on the PKCS | + | | | #11 interface. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 12 | :ref:`mozilla_projects | **NSS** | + | | _nss_deprecated_ssl_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The following SSL functions | + | | | have been replaced with newer | + | | | versions. The deprecated | + | | | functions are not supported by | + | | | the new SSL shared libraries. | + | | | Applications that want to use | + | | | the SSL shared libraries must | + | | | convert to calling the new | + | | | replacement functions listed | + | | | below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 13 | :ref:`mozil | **Decrypt, Encryption, | + | | la_projects_nss_encrypt_decryp | Example, NSS, Sample code** | + | | t_mac_keys_as_session_objects` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Generates encryption/mac keys | + | | | and uses session objects. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 14 | :ref:`mozilla_projects_nss_en | **Example, Intermediate, | + | | crypt_decrypt_mac_using_token` | Mozilla, NSS** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Generates encryption/mac keys | + | | | and uses token for storing. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 15 | : | **NSS, NeedsUpdate** | + | | ref:`mozilla_projects_nss_faq` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS is set of libraries, APIs, | + | | | utilities, and documentation | + | | | designed to support | + | | | cross-platform development of | + | | | security-enabled client and | + | | | server applications. It | + | | | provides a complete | + | | | open-source implementation of | + | | | the crypto libraries used by | + | | | Mozilla and other companies in | + | | | the Firefox browser, AOL | + | | | Instant Messenger (AIM), | + | | | server products from Red Hat, | + | | | and other products. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 16 | :ref:`mozilla_projects_n | **NSS** | + | | ss_fips_mode_-_an_explanation` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS has a "FIPS Mode" that can | + | | | be enabled when NSS is | + | | | compiled in a specific way. | + | | | (Note: Mozilla does not | + | | | distribute a "FIPS Mode"-ready | + | | | NSS with Firefox.) This page | + | | | attempts to provide an | + | | | informal explanation of what | + | | | it is, who would use it, and | + | | | why. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 17 | :ref:`mozilla_projects | **Samples WIP** | + | | _nss_getting_started_with_nss` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) is a base library for | + | | | cryptographic algorithms and | + | | | secure network protocols used | + | | | by Mozilla software. | + | | | Would you like to get involved | + | | | and help us to improve the | + | | | core security of Mozilla | + | | | Firefox and other applications | + | | | that make use of NSS? We are | + | | | looking forward to your | + | | | contributions! | + | | | We have a large list of tasks | + | | | waiting for attention, and we | + | | | are happy to assist you in | + | | | identifying areas that match | + | | | your interest or skills. You | + | | | can find us on `Mozilla | + | | | IRC <https://developer.mo | + | | | zilla.org/en-US/docs/Mozilla/Q | + | | | A/Getting_Started_with_IRC>`__ | + | | | in channel | + | | | `#nss < | + | | | https://chat.mozilla.org/#/room/#nss:mozilla.org>`__ | + | | | or you could ask your | + | | | questions on the | + | | | `mozilla.dev.tech.cry | + | | | pto <https://lists.mozilla.org | + | | | /listinfo/dev-tech-crypto/>`__ | + | | | newsgroup. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 18 | :ref:`mozilla_proje | **Advanced, Guide, NSS** | + | | cts_nss_http_delegation_clone` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Up to version 3.11, | + | | | :ref:`mozilla_projects_nss` | + | | | connects directly over | + | | | `HTTP <https://developer.mozil | + | | | la.org/en-US/docs/Web/HTTP>`__ | + | | | to an OCSP responder to make | + | | | the request and fetch the | + | | | response. It does so in a | + | | | blocking fashion, and also | + | | | directly to the responder, | + | | | ignoring any proxy the | + | | | application may wish to use. | + | | | This causes OCSP requests to | + | | | fail if the network | + | | | environment requires the use | + | | | of a proxy. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 19 | :ref:`mozilla | **Advanced, Guide, NSS** | + | | _projects_nss_http_delegation` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Up to version 3.11, | + | | | :ref:`mozilla_projects_nss` | + | | | connects directly over | + | | | `HTTP <https://developer.mozil | + | | | la.org/en-US/docs/Web/HTTP>`__ | + | | | to an OCSP responder to make | + | | | the request and fetch the | + | | | response. It does so in a | + | | | blocking fashion, and also | + | | | directly to the responder, | + | | | ignoring any proxy the | + | | | application may wish to use. | + | | | This causes OCSP requests to | + | | | fail if the network | + | | | environment requires the use | + | | | of a proxy. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 20 | :ref:`moz | **Introduction, Mozilla, NSS** | + | | illa_projects_nss_introduction | | + | | _to_network_security_services` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **Network Security Services | + | | | (NSS)** is a set of libraries | + | | | designed to support | + | | | cross-platform development of | + | | | communications applications | + | | | that support SSL, S/MIME, and | + | | | other Internet security | + | | | standards. For a general | + | | | overview of NSS and the | + | | | standards it supports, see | + | | | :ref:`m | + | | | ozilla_projects_nss_overview`. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 21 | :ref:`mozilla_project | **D** | + | | s_nss_jss_4_4_0_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Java Security Services | + | | | (JSS) team has released JSS | + | | | 4.4.0, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 22 | : | **Guide, JSS, NSS, | + | | ref:`mozilla_projects_nss_jss` | NeedsMigration** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **The JSS project has been | + | | | relocated!** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 23 | :ref:`mozilla_proj | **JSS, NSS** | + | | ects_nss_jss_4_3_releasenotes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services for | + | | | Java (JSS) 4.3 is a minor | + | | | release with the following new | + | | | features: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 24 | :ref:`mozilla_project | **JSS, NSPR, NSS** | + | | s_nss_jss_4_3_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services for | + | | | Java (JSS) 4.3.1 is a minor | + | | | release with the following new | + | | | features: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 25 | :ref | **JSS** | + | | :`mozilla_projects_nss_jss_bui | | + | | ld_instructions_for_jss_4_3_x` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 26 | :ref | **JSS** | + | | :`mozilla_projects_nss_jss_bui | | + | | ld_instructions_for_jss_4_4_x` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 27 | :ref:`moz | **JSS** | + | | illa_projects_nss_jss_jss_faq` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech.cry | + | | | pto <news://news.mozilla.org:1 | + | | | 19/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 28 | :ref:`mozilla_projec | **Crypto, JSS, Security** | + | | ts_nss_jss_jss_provider_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This page has been moved to | + | | | http://www.do | + | | | gtagpki.org/wiki/JSS_Provider. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 29 | :r | | + | | ef:`mozilla_projects_nss_jss_m | | + | | ozilla-jss_jca_provider_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | * | + | | | Newsgroup:*\ `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 30 | :ref:`mozil | **JSS** | + | | la_projects_nss_jss_using_jss` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *News | + | | | group:*\ `mozilla.dev.tech.cry | + | | | pto <news://news.mozilla.org:1 | + | | | 19/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 31 | :ref:`mozill | | + | | a_projects_nss_key_log_format` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Key logs can be written by NSS | + | | | so that external programs can | + | | | decrypt TLS connections. | + | | | Wireshark 1.6.0 and above can | + | | | use these log files to decrypt | + | | | packets. You can tell | + | | | Wireshark where to find the | + | | | key file via | + | | | *Edit→Preferences→Pro | + | | | tocols→TLS→(Pre)-Master-Secret | + | | | log filename*. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 32 | :ref:`mozilla_p | **NSS** | + | | rojects_nss_memory_allocation` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS makes extensive use of | + | | | NSPR's PLArenaPools for memory | + | | | allocation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 33 | :ref:`mozilla_pr | | + | | ojects_nss_modutil-tasks_html` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 34 | :ref:`mozilla | **Example** | + | | _projects_nss_new_nss_samples` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This collection of sample code | + | | | demonstrates how NSS can be | + | | | used for cryptographic | + | | | operations, certificate | + | | | handling, SSL, etc. It also | + | | | demonstrates some best | + | | | practices in the application | + | | | of cryptography. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 35 | :ref:`moz | **Gecko, NSS, Security** | + | | illa_projects_nss_notes_on_tls | | + | | _-_ssl_3_0_intolerant_servers` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | A number of Netscape 6.x/7.x | + | | | and Mozilla users have | + | | | reported that some secure | + | | | sites -- typically sites | + | | | featuring online transactions | + | | | or online banking over the | + | | | HTTPS protocol -- do not | + | | | display any content at all. | + | | | The connection seems | + | | | terminated and a blank page is | + | | | displayed. This is the main | + | | | symptom of the problem when | + | | | Mozilla based browsers | + | | | encounter TLS/SSL 3.0 | + | | | intolerant servers. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 36 | :ref:`mozilla_projects_nss_n | | + | | ss_3_11_10_release_notes_html` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: <ahref="news: | + | | | mozilla.dev.tech.crypto"="" | + | | | news.mozilla.org="">mozilla. | + | | | dev.tech.crypto</ahref="news:> | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 37 | :ref:`mozilla_projects_ns | | + | | s_nss_3_12_release_notes_html` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 38 | :ref:`mozilla_projects_nss_ | | + | | nss_3_12_1_release_notes_html` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 39 | :ref:`mozilla_projects_nss_ | | + | | nss_3_12_2_release_notes_html` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 40 | :ref:`mozilla_projects | | + | | _nss_nss_3_12_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 41 | :ref:`mozilla_projects | | + | | _nss_nss_3_12_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.12.4 is a patch | + | | | release for NSS 3.12. The bug | + | | | fixes in NSS 3.12.4 are | + | | | described in the "`Bugs | + | | | Fixed <#bugsfixed>`__" section | + | | | below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 42 | :ref:`mozilla_projects | | + | | _nss_nss_3_12_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.12.5 is a patch | + | | | release for NSS 3.12. The bug | + | | | fixes in NSS 3.12.5 are | + | | | described in the "`Bugs | + | | | Fixed <https | + | | | ://dev.mozilla.jp/localmdc/loc | + | | | almdc_5125.html#bugsfixed>`__" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 43 | :ref:`mozilla_projects | | + | | _nss_nss_3_12_6_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.12.6 is a patch | + | | | release for NSS 3.12. The bug | + | | | fixes in NSS 3.12.6 are | + | | | described in the "`Bugs | + | | | Fixed <http://md | + | | | n.beonex.com/en/NSS_3.12.6_rel | + | | | ease_notes.html#bugsfixed>`__" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 44 | :ref:`mozilla_projects | **NSS** | + | | _nss_nss_3_12_9_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.12.9 is a patch | + | | | release for NSS 3.12. The bug | + | | | fixes in NSS 3.12.9 are | + | | | described in the "\ `Bugs | + | | | Fixed <#bugsfixed>`__" section | + | | | below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 45 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_14_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.14, which is a minor | + | | | release with the following new | + | | | features: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 46 | :ref:`mozilla_projects | | + | | _nss_nss_3_14_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.14.1 is a patch | + | | | release for NSS 3.14. The bug | + | | | fixes in NSS 3.14.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 47 | :ref:`mozilla_projects | | + | | _nss_nss_3_14_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.14.2 is a patch | + | | | release for NSS 3.14. The bug | + | | | fixes in NSS 3.14.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. NSS 3.14.2 | + | | | should be used with NSPR 4.9.5 | + | | | or newer. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 48 | :ref:`mozilla_projects | | + | | _nss_nss_3_14_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.14.3 is a patch | + | | | release for NSS 3.14. The bug | + | | | fixes in NSS 3.14.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 49 | :ref:`mozilla_projects | | + | | _nss_nss_3_14_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.14.4 is a patch | + | | | release for NSS 3.14. The bug | + | | | fixes in NSS 3.14.4 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 50 | :ref:`mozilla_projects | | + | | _nss_nss_3_14_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.14.5 is a patch | + | | | release for NSS 3.14. The bug | + | | | fixes in NSS 3.14.5 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 51 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_15_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.15, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 52 | :ref:`mozilla_projects | | + | | _nss_nss_3_15_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.1 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 53 | :ref:`mozilla_projects | | + | | _nss_nss_3_15_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.2 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 54 | :ref:`mozilla_projects | | + | | _nss_nss_3_15_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.3 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 55 | :ref:`mozilla_projects_n | | + | | ss_nss_3_15_3_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.3.1 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.3.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 56 | :ref:`mozilla_projects | | + | | _nss_nss_3_15_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.4 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.4 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 57 | :ref:`mozilla_projects | | + | | _nss_nss_3_15_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.15.5 is a patch | + | | | release for NSS 3.15. The bug | + | | | fixes in NSS 3.15.5 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 58 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_16_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.16, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 59 | :ref:`mozilla_projects | | + | | _nss_nss_3_16_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.1 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 60 | :ref:`mozilla_projects | | + | | _nss_nss_3_16_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.2 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 61 | :ref:`mozilla_projects_n | **Reference, Security** | + | | ss_nss_3_16_2_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.2.1 is a patch | + | | | release for NSS 3.16, based on | + | | | the NSS 3.16.2 release. The | + | | | bug fixes in NSS 3.16.2.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 62 | :ref:`mozilla_projects_n | **Reference, Security** | + | | ss_nss_3_16_2_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.2.2 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.2.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 63 | :ref:`mozilla_projects_n | **Reference, Security** | + | | ss_nss_3_16_2_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.2.3 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.2.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 64 | :ref:`mozilla_projects | | + | | _nss_nss_3_16_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.3 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 65 | :ref:`mozilla_projects | | + | | _nss_nss_3_16_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.4 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.4 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 66 | :ref:`mozilla_projects | **Reference, Security** | + | | _nss_nss_3_16_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.5 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.5 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 67 | :ref:`mozilla_projects | **Reference, Security** | + | | _nss_nss_3_16_6_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.16.6 is a patch | + | | | release for NSS 3.16. The bug | + | | | fixes in NSS 3.16.6 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 68 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_17_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.17, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 69 | :ref:`mozilla_projects | **Reference, Security** | + | | _nss_nss_3_17_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.17.1 is a patch | + | | | release for NSS 3.17. The bug | + | | | fixes in NSS 3.17.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 70 | :ref:`mozilla_projects | | + | | _nss_nss_3_17_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.17.2 is a patch | + | | | release for NSS 3.17. The bug | + | | | fixes in NSS 3.17.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 71 | :ref:`mozilla_projects | **Guide, NSS, Security** | + | | _nss_nss_3_17_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.17.3 is a patch | + | | | release for NSS 3.17. The bug | + | | | fixes in NSS 3.17.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 72 | :ref:`mozilla_projects | **Guide, NSS, Security** | + | | _nss_nss_3_17_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.17.4 is a patch | + | | | release for NSS 3.17. The bug | + | | | fixes in NSS 3.17.4 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 73 | :ref:`mozilla_projec | **Guide, NSS, NeedsContent, | + | | ts_nss_nss_3_18_release_notes` | Security** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.18, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 74 | :ref:`mozilla_projects | **Networking, Security** | + | | _nss_nss_3_18_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.18.1 is a patch | + | | | release for NSS 3.18. The bug | + | | | fixes in NSS 3.18.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 75 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_19_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.19, which is a minor | + | | | security release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 76 | :ref:`mozilla_projects | | + | | _nss_nss_3_19_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.1 is a security | + | | | release for NSS 3.19. The bug | + | | | fixes in NSS 3.19.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 77 | :ref:`mozilla_projects | | + | | _nss_nss_3_19_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.2 is a patch | + | | | release for NSS 3.19 that | + | | | addresses compatibility issues | + | | | in NSS 3.19.1. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 78 | :ref:`mozilla_projects_n | | + | | ss_nss_3_19_2_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.2.1 is a patch | + | | | release for NSS 3.19.2. The | + | | | bug fixes in NSS 3.19.2.1 are | + | | | described in the "Security | + | | | Advisories" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 79 | :ref:`mozilla_projects_n | | + | | ss_nss_3_19_2_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.2.2 is a security | + | | | patch release for NSS 3.19.2. | + | | | The bug fixes in NSS 3.19.2.2 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 80 | :ref:`mozilla_projects_n | | + | | ss_nss_3_19_2_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.2.3 is a security | + | | | patch release for NSS 3.19.2. | + | | | The bug fixes in NSS 3.19.2.3 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 81 | :ref:`mozilla_projects_n | **NSS** | + | | ss_nss_3_19_2_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.2.4 is a security | + | | | patch release for NSS 3.19.2. | + | | | The bug fixed in NSS 3.19.2.4 | + | | | have been described in the | + | | | "Security Fixes" section | + | | | below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 82 | :ref:`mozilla_projects | | + | | _nss_nss_3_19_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.3 is a patch | + | | | release for NSS 3.19. The bug | + | | | fixes in NSS 3.19.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 83 | :ref:`mozilla_projects | | + | | _nss_nss_3_19_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.19.4 is a patch | + | | | release for NSS 3.19. The bug | + | | | fixes in NSS 3.19.4 are | + | | | described in the "Security | + | | | Advisories" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 84 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_20_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.20, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 85 | :ref:`mozilla_projects | | + | | _nss_nss_3_20_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.20.1 is a patch | + | | | release for NSS 3.20. The bug | + | | | fixes in NSS 3.20.1 are | + | | | described in the "Security | + | | | Advisories" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 86 | :ref:`mozilla_projects | | + | | _nss_nss_3_20_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.20.2 is a security | + | | | patch release for NSS 3.20. | + | | | The bug fixes in NSS 3.20.2 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 87 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_21_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | 2016-01-07, this page has been | + | | | updated to include additional | + | | | information about the release. | + | | | The sections "Security Fixes" | + | | | and "Acknowledgements" have | + | | | been added. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 88 | :ref:`mozilla_projects | | + | | _nss_nss_3_21_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.21.1 is a security | + | | | patch release for NSS 3.21. | + | | | The bug fixes in NSS 3.21.1 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 89 | :ref:`mozilla_projects | | + | | _nss_nss_3_21_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.21.2 is a security | + | | | patch release for NSS 3.21.1. | + | | | The bug fixes in NSS 3.21.2 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 90 | :ref:`mozilla_projects | | + | | _nss_nss_3_21_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.21.3 is a security | + | | | patch release for NSS 3.21.2. | + | | | The bug fixes in NSS 3.21.3 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 91 | :ref:`mozilla_projects | | + | | _nss_nss_3_21_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.21.4 is a security | + | | | patch release for NSS 3.21. | + | | | The bug fixes in NSS 3.21.4 | + | | | are described in the "Bugs | + | | | Fixed" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 92 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_22_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.22, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 93 | :ref:`mozilla_projects | | + | | _nss_nss_3_22_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.22.1 is a patch | + | | | release for NSS 3.22. The bug | + | | | fixes in NSS 3.22.1 are | + | | | described in the "Notable | + | | | Changes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 94 | :ref:`mozilla_projects | | + | | _nss_nss_3_22_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.22.2 is a security | + | | | patch release for NSS 3.22. | + | | | The bug fixes in NSS 3.22.2 | + | | | are described in the "Security | + | | | Fixes" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 95 | :ref:`mozilla_projects | | + | | _nss_nss_3_22_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.22.3 is a patch | + | | | release for NSS 3.22. The bug | + | | | fixes in NSS 3.22.3 are | + | | | described in the "Bugs fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 96 | :ref:`mozilla_projec | **Networking, Security** | + | | ts_nss_nss_3_23_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.23, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 97 | :ref:`mozilla_projec | **NSS, Release Notes** | + | | ts_nss_nss_3_24_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.24, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 98 | :ref:`mozilla_projec | **NSS, Release Notes** | + | | ts_nss_nss_3_25_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.25, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 99 | :ref:`mozilla_projects | | + | | _nss_nss_3_25_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.25.1 is a patch | + | | | release for NSS 3.25. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 100 | :ref:`mozilla_projec | **NSS, Release Notes** | + | | ts_nss_nss_3_26_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.26, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 101 | :ref:`mozilla_projects | | + | | _nss_nss_3_26_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.26.2 is a patch | + | | | release for NSS 3.26. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 102 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_27_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.27, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 103 | :ref:`mozilla_projects | | + | | _nss_nss_3_27_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.27.1 is a patch | + | | | release for NSS 3.27. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 104 | :ref:`mozilla_projects | | + | | _nss_nss_3_27_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.27.2 is a patch | + | | | release for NSS 3.27. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 105 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_28_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.28, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 106 | :ref:`mozilla_projects | | + | | _nss_nss_3_28_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.28.1 is a patch | + | | | release for NSS 3.28. The bug | + | | | fixes in NSS 3.28.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 107 | :ref:`mozilla_projects | | + | | _nss_nss_3_28_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.28.2 is a patch | + | | | release for NSS 3.28. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 108 | :ref:`mozilla_projects | | + | | _nss_nss_3_28_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.28.3 is a patch | + | | | release for NSS 3.28. The bug | + | | | fixes in NSS 3.28.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 109 | :ref:`mozilla_projects | | + | | _nss_nss_3_28_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.28.4 is a security | + | | | patch release for NSS 3.28. | + | | | The bug fixes in NSS 3.28.4 | + | | | are described in the "Bugs | + | | | Fixed" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 110 | :ref:`mozilla_projects | | + | | _nss_nss_3_28_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.28.5 is a patch | + | | | release for NSS 3.28. The bug | + | | | fixes in NSS 3.28.5 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 111 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_29_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.29, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 112 | :ref:`mozilla_projects | | + | | _nss_nss_3_29_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.29.1 is a patch | + | | | release for NSS 3.29. The bug | + | | | fixes in NSS 3.29.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 113 | :ref:`mozilla_projects | | + | | _nss_nss_3_29_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.29.2 is a patch | + | | | release for NSS 3.29. The bug | + | | | fixes in NSS 3.29.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 114 | :ref:`mozilla_projects | | + | | _nss_nss_3_29_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.29.3 is a patch | + | | | release for NSS 3.29. The bug | + | | | fixes in NSS 3.29.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 115 | :ref:`mozilla_projects | | + | | _nss_nss_3_29_5_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.29.5 is a security | + | | | patch release for NSS 3.29. | + | | | The bug fixes in NSS 3.29.5 | + | | | are described in the "Bugs | + | | | Fixed" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 116 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_30_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.30, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 117 | :ref:`mozilla_projects | | + | | _nss_nss_3_30_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.30.1 is a security | + | | | patch release for NSS 3.30. | + | | | The bug fixes in NSS 3.30.1 | + | | | are described in the "Bugs | + | | | Fixed" section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 118 | :ref:`mozilla_projects | | + | | _nss_nss_3_30_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.30.2 is a patch | + | | | release for NSS 3.30. The bug | + | | | fixes in NSS 3.30.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 119 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_31_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.31, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 120 | :ref:`mozilla_projects | | + | | _nss_nss_3_31_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.31.1, which is a patch | + | | | release for NSS 3.31. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 121 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_32_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.32, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 122 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_33_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.33, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 123 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_34_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.34, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 124 | :ref:`mozilla_projects | | + | | _nss_nss_3_34_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Network Security Services | + | | | (NSS) team has released NSS | + | | | 3.34.1, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 125 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_35_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.35, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 126 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_36_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.36, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 127 | :ref:`mozilla_projects | | + | | _nss_nss_3_36_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.1 is a patch | + | | | release for NSS 3.36. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 128 | :ref:`mozilla_projects | **NSS, Release Notes** | + | | _nss_nss_3_36_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.2 is a patch | + | | | release for NSS 3.36. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 129 | :ref:`mozilla_projects | **NSS, Release Notes** | + | | _nss_nss_3_36_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.4 is a patch | + | | | release for NSS 3.36. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 130 | :ref:`mozilla_projects | **Mozilla, NSS, Release | + | | _nss_nss_3_36_5_release_notes` | Notes** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.5 is a patch | + | | | release for NSS 3.36. The bug | + | | | fixes in NSS 3.36.5 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 131 | :ref:`mozilla_projects | **Mozilla, NSS, Release | + | | _nss_nss_3_36_6_release_notes` | Notes** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.6 is a patch | + | | | release for NSS 3.36. The bug | + | | | fixes in NSS 3.36.6 are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 132 | :ref:`mozilla_projects | | + | | _nss_nss_3_36_7_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.7 is a patch | + | | | release for NSS 3.36. The bug | + | | | fixes in NSS 3.36.7 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 19 January 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 133 | :ref:`mozilla_projects | | + | | _nss_nss_3_36_8_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.36.8 is a patch | + | | | release for NSS 3.36. The bug | + | | | fixes in NSS 3.36.8 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 21 June 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 134 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_37_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.37, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 135 | :ref:`mozilla_projects | | + | | _nss_nss_3_37_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.37.1 is a patch | + | | | release for NSS 3.37. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 136 | :ref:`mozilla_project | | + | | s_nss_nss_3_37_3release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.37.3 is a patch | + | | | release for NSS 3.37. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 137 | :ref:`mozilla_projec | **Mozilla, NSS, Release | + | | ts_nss_nss_3_38_release_notes` | Notes** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.38, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 138 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_39_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.39, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 139 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_40_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.40, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 140 | :ref:`mozilla_projects | | + | | _nss_nss_3_40_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.40.1, which is a patch | + | | | release for NSS 3.40 | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 141 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_41_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.41 on 7 December 2018, | + | | | which is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 142 | :ref:`mozilla_projects | | + | | _nss_nss_3_41_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.41.1 is a patch | + | | | release for NSS 3.41. The bug | + | | | fixes in NSS 3.41.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 22 January 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 143 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_42_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.42 on 25 January 2019, | + | | | which is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 144 | :ref:`mozilla_projects | | + | | _nss_nss_3_42_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.42.1 on 31 January | + | | | 2019, which is a patch | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 145 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_43_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.43 on 16 March 2019, | + | | | which is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 146 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_44_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.44 on 10 May 2019, | + | | | which is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 147 | :ref:`mozilla_projects | | + | | _nss_nss_3_44_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.44.1 is a patch | + | | | release for NSS 3.44. The bug | + | | | fixes in NSS 3.44.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 21 June 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 148 | :ref:`mozilla_projects | | + | | _nss_nss_3_44_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.44.2 is a patch | + | | | release for NSS 3.44. The bug | + | | | fixes in NSS 3.44.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 2 October 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 149 | :ref:`mozilla_projects | | + | | _nss_nss_3_44_3_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.44.3 is a patch | + | | | release for NSS 3.44. The bug | + | | | fixes in NSS 3.44.3 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 19 November 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 150 | :ref:`mozilla_projects | | + | | _nss_nss_3_44_4_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.44.4 on **19 May | + | | | 2020**. This is a security | + | | | patch release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 151 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_45_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.45 on **5 July 2019**, | + | | | which is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 152 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_46_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.46 on **30 August | + | | | 2019**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 153 | :ref:`mozilla_projects | | + | | _nss_nss_3_46_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.46.1 is a patch | + | | | release for NSS 3.46. The bug | + | | | fixes in NSS 3.46.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 2 October 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 154 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_47_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.47 on **18 October | + | | | 2019**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 155 | :ref:`mozilla_projects | | + | | _nss_nss_3_47_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.47.1 is a patch | + | | | release for NSS 3.47. The bug | + | | | fixes in NSS 3.47.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on 19 November 2019. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 156 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_48_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.48 on **5 December | + | | | 2019**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 157 | :ref:`mozilla_projects | | + | | _nss_nss_3_48_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.48.1 is a patch | + | | | release for NSS 3.48. The bug | + | | | fixes in NSS 3.48.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on **13 January 2020**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 158 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_49_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.49 on **3 January | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 159 | :ref:`mozilla_projects | | + | | _nss_nss_3_49_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.49.1 is a patch | + | | | release for NSS 3.49. The bug | + | | | fixes in NSS 3.49.1 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on **13 January 2020**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 160 | :ref:`mozilla_projects | | + | | _nss_nss_3_49_2_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.49.2 is a patch | + | | | release for NSS 3.49. The bug | + | | | fixes in NSS 3.49.2 are | + | | | described in the "Bugs Fixed" | + | | | section below. It was released | + | | | on **23 January 2020**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 161 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_50_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.50 on **7 February | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 162 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_51_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.51 on **6 March | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 163 | :ref:`mozilla_projects | | + | | _nss_nss_3_51_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.51.1 on **3 April | + | | | 2020**. This is a minor | + | | | release focusing on functional | + | | | bug fixes and low-risk patches | + | | | only. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 164 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_52_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.52 on **1 May 2020**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 165 | :ref:`mozilla_projects | | + | | _nss_nss_3_52_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.52.1 on **19 May | + | | | 2020**. This is a security | + | | | patch release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 166 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_53_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team released Network | + | | | Security Services (NSS) 3.53 | + | | | on **29 May 2020**. NSS 3.53 | + | | | will be a long-term support | + | | | release, supporting Firefox 78 | + | | | ESR. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 167 | :ref:`mozilla_projects | | + | | _nss_nss_3_53_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.53.1 on **16 June | + | | | 2020**. This is a security | + | | | patch release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 168 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_54_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.54 on **26 June | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 169 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_55_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.55 on **24 July | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 170 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_56_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.56 on **21 August | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 171 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_57_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.57 on **18 September | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 172 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_58_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.58 on **16 October | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 173 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_59_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.59 on **13 November | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 174 | :ref:`mozilla_projects | | + | | _nss_nss_3_59_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.59.1 on **18 December | + | | | 2020**, which is a patch | + | | | release for NSS 3.59. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 175 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_60_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.60 on **11 December | + | | | 2020**, which is a minor | + | | | release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 176 | :ref:`mozilla_projects | | + | | _nss_nss_3_60_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team released Network | + | | | Security Services (NSS) 3.60.1 | + | | | on **4 January 2021**, which | + | | | is a patch release for NSS | + | | | 3.60. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 177 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_61_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team released Network | + | | | Security Services (NSS) 3.61 | + | | | on **22 January 2021**, which | + | | | is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 178 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_62_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team released Network | + | | | Security Services (NSS) 3.62 | + | | | on **19 February 2021**, which | + | | | is a minor release. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 179 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_63_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.63 was released on | + | | | **18 March 2021**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 180 | :ref:`mozilla_projects | | + | | _nss_nss_3_63_1_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.63.1 was released on | + | | | **6 April 2021**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 181 | :ref:`mozilla_projec | | + | | ts_nss_nss_3_64_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Network Security Services | + | | | (NSS) 3.64 was released on | + | | | **15 April 2021**. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 182 | :ref:`mozilla_pr | | + | | ojects_nss_nss_api_guidelines` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 183 | :ref:`mozilla_pr | | + | | ojects_nss_nss_config_options` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The specified ciphers will be | + | | | allowed by policy, but an | + | | | application may allow more by | + | | | policy explicitly: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 184 | :ref:`mozilla_projec | **NSS, Tutorial** | + | | ts_nss_nss_developer_tutorial` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **Line length** should not | + | | | exceed 80 characters. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 185 | :ref:`mozilla_projects_n | | + | | ss_nss_release_notes_template` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS team has released | + | | | Network Security Services | + | | | (NSS) 3.XX, which is a minor | + | | | release. | + | | | or | + | | | Network Security Services | + | | | (NSS) 3.XX.y is a patch | + | | | release for NSS 3.XX. The bug | + | | | fixes in NSS 3.XX.y are | + | | | described in the "Bugs Fixed" | + | | | section below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 186 | :ref:`mozi | **Landing, Mozilla, NSS, | + | | lla_projects_nss_nss_releases` | Networking, Project, Release | + | | | Notes, Security** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The current **Stable** release | + | | | of NSS is 3.64, which was | + | | | released on **15 April 2021**. | + | | | (:ref:`mozilla_project | + | | | s_nss_nss_3_64_release_notes`) | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 187 | :ref:`mozilla | **Example** | + | | _projects_nss_nss_sample_code` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The collection of sample code | + | | | here demonstrates how NSS can | + | | | be used for cryptographic | + | | | operations, certificate | + | | | handling, SSL, etc. It also | + | | | demonstrates some best | + | | | practices in the application | + | | | of cryptography. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 188 | :ref:`mozilla_projec | | + | | ts_nss_nss_sample_code_enc_dec | | + | | _mac_output_plblic_key_as_csr` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Generates encryption/mac keys | + | | | and outputs public key as | + | | | certificate signing request | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 189 | :ref:`mozilla_projects_nss_ns | | + | | s_sample_code_enc_dec_mac_usin | | + | | g_key_wrap_certreq_pkcs10_csr` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Generates encryption/mac keys | + | | | and outputs public key as | + | | | pkcs11 certificate signing | + | | | request | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 190 | :ref:`mozilla_p | | + | | rojects_nss_nss_sample_code_en | | + | | crypt_decrypt_mac_using_token` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Generates encryption/mac keys | + | | | and uses token for storing. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 191 | :ref:`mozilla_pr | **Examples, NSS, Security** | + | | ojects_nss_nss_sample_code_nss | | + | | _sample_code_sample_1_hashing` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This is an example program | + | | | that demonstrates how to | + | | | compute the hash of a file and | + | | | save it to another file. This | + | | | program illustrates the use of | + | | | NSS message APIs. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 192 | :ref:`mozilla_projects_nss_nss | **Examples, NSS, Security** | + | | _sample_code_nss_sample_code_s | | + | | ample_2_initialization_of_nss` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This example program | + | | | demonstrates how to initialize | + | | | the NSS Database. This | + | | | program illustrates password | + | | | handling. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 193 | :ref | **Examples, NSS, Security** | + | | :`mozilla_projects_nss_nss_sam | | + | | ple_code_nss_sample_code_sampl | | + | | e_3_basic_encryption_and_maci` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This example program | + | | | demonstrates how to encrypt | + | | | and MAC a file. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 194 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample1` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This is an example program | + | | | that demonstrates how to do | + | | | key generation and transport | + | | | between cooperating servers. | + | | | This program shows the | + | | | following: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 195 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample2` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 196 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample3` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 197 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample4` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 198 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample5` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 199 | :ref:`m | | + | | ozilla_projects_nss_nss_sample | | + | | _code_nss_sample_code_sample6` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 200 | :ref:`mozil | **Examples, NSS, Security** | + | | la_projects_nss_nss_sample_cod | | + | | e_nss_sample_code_utililies_1` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This is a library of utilities | + | | | used by many of the samples. | + | | | This code shows the following: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 201 | : | **HTML, Hashing Sample, | + | | ref:`mozilla_projects_nss_nss_ | JavaScript, NSS, Web | + | | sample_code_sample1_-_hashing` | Development, hashing** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS same code below | + | | | computes the hash of a file | + | | | and saves it to another file, | + | | | this illustrates the use of | + | | | NSS message APIs. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 202 | :ref:`mozilla_project | **Example, NSS** | + | | s_nss_nss_sample_code_sample1` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | 1. A program to compute the | + | | | hash of a file and save it to | + | | | another file. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 203 | :ref:`mozilla_pro | **HTML, JavaScript, NSS, NSS | + | | jects_nss_nss_sample_code_samp | Article, NSS Initialization, | + | | le2_-_initialize_nss_database` | Web Development** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS sample code below | + | | | demonstrates how to initialize | + | | | the NSS database. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 204 | :ref:`mozilla_project | | + | | s_nss_nss_sample_code_sample2` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 205 | :ref:`mozilla_projects | **EncDeCMac, HTML, NCC, NCC | + | | _nss_nss_sample_code_sample3_- | Article, Web, Web | + | | _encdecmac_using_token_object` | Development** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Computes the hash of a file | + | | | and saves it to another file, | + | | | illustrates the use of NSS | + | | | message APIs. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 206 | :ref:`moz | | + | | illa_projects_nss_nss_sample_c | | + | | ode_utiltiies_for_nss_samples` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | These utility functions are | + | | | adapted from those found in | + | | | the sectool library used by | + | | | the NSS security tools and | + | | | other NSS test applications. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 207 | :ref:`mozilla_projects_nss | **Build documentation, Guide, | + | | _nss_sources_building_testing` | NSS, Security** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Getting the source code of | + | | | :ref:`mozilla_projects_nss`, | + | | | how to build it, and how to | + | | | run its test suite. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 208 | :ref:`mozill | **NSS** | + | | a_projects_nss_nss_tech_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 209 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note1` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The main non-streaming APIs | + | | | for these two decoders have an | + | | | identical prototype : | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 210 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note2` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The logger displays all | + | | | activity between NSS and a | + | | | specified PKCS #11 module. It | + | | | works by inserting a special | + | | | set of entry points between | + | | | NSS and the module. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 211 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note3` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 212 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note4` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 213 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note5` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **Note:** AES encryption, a | + | | | fixed blocksize of 16 bytes is | + | | | used. The Rijndael algorithm | + | | | permits 3 blocksizes (16, 24, | + | | | 32 bytes), but the AES | + | | | standard requires the | + | | | blocksize to be 16 bytes. The | + | | | keysize can vary and these | + | | | keysizes are permitted: 16, | + | | | 24, 32 bytes. | + | | | You can also look at a `sample | + | | | program <. | + | | | ./sample-code/sample2.html>`__ | + | | | illustrating encryption | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 214 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note6` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The following applies to NSS | + | | | 3.8 through 3.10 : | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 215 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note7` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This technical note explains | + | | | how to use NSS to perform RSA | + | | | signing and encryption. The | + | | | industry standard for RSA | + | | | signing and encryption is | + | | | `PKCS | + | | | #1 <http://www.rsasecurity.com | + | | | /rsalabs/node.asp?id=2125>`__. | + | | | NSS supports PKCS #1 v1.5. NSS | + | | | doesn't yet support PKCS #1 | + | | | v2.0 and v2.1, in particular | + | | | OAEP, but OAEP support is on | + | | | our `to-do | + | | | li | + | | | st <https://bugzilla.mozilla.o | + | | | rg/show_bug.cgi?id=158747>`__. | + | | | Your contribution is welcome. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 216 | :ref:`mozilla_projects_nss_ | | + | | nss_tech_notes_nss_tech_note8` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 217 | :ref:`mozilla_proj | **NSS, Security, Third-Party | + | | ects_nss_nss_third-party_code` | Code** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This is a list of third-party | + | | | code included in the NSS | + | | | repository, broken into two | + | | | lists: Code that can be | + | | | compiled into the NSS | + | | | libraries, and code that is | + | | | only used for testing. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 218 | :ref:`mozilla_proje | | + | | cts_nss_nss_tools_sslstrength` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | 2) sslstrength hostname[:port] | + | | | [ciphers=xyz] [debug] | + | | | [verbose] | + | | | [policy=export|domestic] | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 219 | :ref:` | **NSS** | + | | mozilla_projects_nss_overview` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | If you want to add support for | + | | | SSL, S/MIME, or other Internet | + | | | security standards to your | + | | | application, you can use | + | | | Network Security Services | + | | | (NSS) to implement all your | + | | | security features. NSS | + | | | provides a complete | + | | | open-source implementation of | + | | | the crypto libraries used by | + | | | AOL, Red Hat, Google, and | + | | | other companies in a variety | + | | | of products, including the | + | | | following: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 220 | :ref:`mozilla_p | **NSS** | + | | rojects_nss_pkcs_12_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here perform PKCS #12 | + | | | operations required by some of | + | | | the NSS tools and other | + | | | applications. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 221 | :ref:`mozilla_ | **NSS** | + | | projects_nss_pkcs_7_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here perform PKCS #7 | + | | | operations required by mail | + | | | and news applications and by | + | | | some of the NSS tools. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 222 | :ref:`mozilla_ | **NSS** | + | | projects_nss_pkcs11_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes the | + | | | core PKCS #11 functions that | + | | | an application needs for | + | | | communicating with | + | | | cryptographic modules. In | + | | | particular, these functions | + | | | are used for obtaining | + | | | certificates, keys, and | + | | | passwords. This was converted | + | | | from `"Chapter 7: PKCS #11 | + | | | Functions" <https://www.m | + | | | ozilla.org/projects/security/p | + | | | ki/nss/ref/ssl/pkfnc.html>`__. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 223 | :ref:`mozilla_ | | + | | projects_nss_pkcs11_implement` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | **NOTE:** This document was | + | | | originally for the Netscape | + | | | Security Library that came | + | | | with Netscape Communicator | + | | | 4.0. This note will be removed | + | | | once the document is updated | + | | | for the current version of | + | | | NSS. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 224 | :ref | **NSS, Security** | + | | :`mozilla_projects_nss_pkcs11` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | PKCS #11 information for | + | | | implementors of cryptographic | + | | | modules: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 225 | :ref:`mo | **NSS, Security** | + | | zilla_projects_nss_pkcs11_faq` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS searches all the installed | + | | | PKCS #11 modules when looking | + | | | for certificates. Once you've | + | | | installed the module, the | + | | | module's certificates simply | + | | | appear in the list of | + | | | certificates displayed in the | + | | | Certificate window. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 226 | :ref:`mozilla_projects_n | **Authentication, Biometric, | + | | ss_pkcs11_module_installation` | Mozilla, NSS, PKCS #11, | + | | | Projects, Security, Smart | + | | | Card, Smart-card, Smartcard, | + | | | pkcs11** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | `PKCS #11 </en-US/PKCS11>`__ | + | | | modules are external modules | + | | | which add to Firefox support | + | | | for smartcard readers, | + | | | biometric security devices, | + | | | and external certificate | + | | | stores. This article covers | + | | | the two methods for installing | + | | | PKCS #11 modules into Firefox. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 227 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_pkcs11_module_specs` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The following is a proposal to | + | | | the | + | | | `PKCS <https:// | + | | | en.wikipedia.org/wiki/PKCS>`__ | + | | | #11 working group made in | + | | | August 2001 for configuring | + | | | PKCS #11 modules. NSS | + | | | currently implements this | + | | | proposal internally. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 228 | :ref:`mozilla_projec | | + | | ts_nss_python_binding_for_nss` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | python-nss is a Python binding | + | | | for NSS (Network Security | + | | | Services) and NSPR (Netscape | + | | | Portable Runtime). NSS | + | | | provides cryptography services | + | | | supporting SSL, TLS, PKI, | + | | | PKIX, X509, PKCS*, etc. NSS is | + | | | an alternative to OpenSSL and | + | | | used extensively by major | + | | | software projects. NSS is | + | | | FIPS-140 certified. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 229 | :ref:`m | **NSS** | + | | ozilla_projects_nss_reference` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Based on | + | | | :ref:`mozilla_projec | + | | | ts_nss_ssl_functions_sslintro` | + | | | in the SSL Reference. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 230 | :ref: | **NSS** | + | | `mozilla_projects_nss_referenc | | + | | e_building_and_installing_nss` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes how to | + | | | build and install NSS. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 231 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_building_and_inst | | + | | alling_nss_build_instructions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Numerous optional features of | + | | | NSS builds are controlled | + | | | through make variables. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 232 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_building_and_inst | | + | | alling_nss_installation_guide` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The build system of NSS | + | | | originated from Netscape's | + | | | build system, which predated | + | | | the "configure; make; make | + | | | test; make install" sequence | + | | | that we're familiar with now. | + | | | Our makefiles also have an | + | | | "install" target, but it has a | + | | | different meaning: our | + | | | "install" means installing the | + | | | headers, libraries, and | + | | | programs in the appropriate | + | | | directories under | + | | | mozilla/dist. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 233 | :ref:`mozilla_project | | + | | s_nss_reference_building_and_i | | + | | nstalling_nss_migration_to_hg` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSPR, NSS and related | + | | | projects have stopped using | + | | | Mozilla'a CVS server, but have | + | | | migrated to | + | | | Mozilla's HG (Mercurial) | + | | | server. | + | | | Each project now lives in its | + | | | own separate space, they can | + | | | be found at: | + | | | https:/ | + | | | /hg.mozilla.org/projects/nspr/ | + | | | https: | + | | | //hg.mozilla.org/projects/nss/ | + | | | https: | + | | | //hg.mozilla.org/projects/jss/ | + | | | | + | | | https://hg.mo | + | | | zilla.org/projects/python-nss/ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 234 | :r | **NSS** | + | | ef:`mozilla_projects_nss_refer | | + | | ence_building_and_installing_n | | + | | ss_sample_manual_installation` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The NSS build system does not | + | | | include a target to install | + | | | header files and shared | + | | | libraries in the system | + | | | directories, so this needs to | + | | | be done manually. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 235 | :ref:`mozilla_projects_ns | **NSS** | + | | s_reference_fc_cancelfunction` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_CancelFunction - cancel a | + | | | function running in parallel | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 236 | :ref:`mozilla_projects_nss_ | **NSS** | + | | reference_fc_closeallsessions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_CloseAllSessions - close | + | | | all sessions between an | + | | | application and a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 237 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_closesession` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_CloseSession - close a | + | | | session opened between an | + | | | application and a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 238 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_copyobject` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_CopyObject - create a copy | + | | | of an object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 239 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_createobject` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_CreateObject - create a new | + | | | object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 240 | :ref:`mozilla_proj | **NSS** | + | | ects_nss_reference_fc_decrypt` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Decrypt - Decrypt a block | + | | | of data. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 241 | :ref:`mozilla_projects_nss_ref | **NSS** | + | | erence_fc_decryptdigestupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DecryptDigestUpdate - | + | | | continue a multi-part decrypt | + | | | and digest operation | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 242 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_decryptfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DecryptFinal - finish a | + | | | multi-part decryption | + | | | operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 243 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_decryptinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DecryptInit - initialize a | + | | | decryption operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 244 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_fc_decryptupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DecryptUpdate - decrypt a | + | | | block of a multi-part | + | | | encryption operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 245 | :ref:`mozilla_projects_nss_ref | **NSS** | + | | erence_fc_decryptverifyupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DecryptVerifyUpdate - | + | | | continue a multi-part decrypt | + | | | and verify operation | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 246 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_reference_fc_derivekey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DeriveKey - derive a key | + | | | from a base key | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 247 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_fc_destroyobject` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DestroyObject - destroy an | + | | | object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 248 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_reference_fc_digest` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Digest - digest a block of | + | | | data. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 249 | :ref:`mozilla_projects_nss_ref | **NSS** | + | | erence_fc_digestencryptupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DigestEncryptUpdate - | + | | | continue a multi-part digest | + | | | and encryption operation | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 250 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_digestfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DigestFinal - finish a | + | | | multi-part digest operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 251 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_digestinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DigestInit - initialize a | + | | | message-digest operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 252 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_reference_fc_digestkey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DigestKey - add the digest | + | | | of a key to a multi-part | + | | | digest operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 253 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_digestupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_DigestUpdate - process the | + | | | next block of a multi-part | + | | | digest operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 254 | :ref:`mozilla_proj | **NSS** | + | | ects_nss_reference_fc_encrypt` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Encrypt - Encrypt a block | + | | | of data. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 255 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_encryptfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_EncryptFinal - finish a | + | | | multi-part encryption | + | | | operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 256 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_encryptinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_EncryptInit - initialize an | + | | | encryption operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 257 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_fc_encryptupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_EncryptUpdate - encrypt a | + | | | block of a multi-part | + | | | encryption operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 258 | :ref:`mozilla_proje | **NSS** | + | | cts_nss_reference_fc_finalize` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Finalize - indicate that an | + | | | application is done with the | + | | | PKCS #11 library. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 259 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_findobjects` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_FindObjects - Search for | + | | | one or more objects | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 260 | :ref:`mozilla_projects_nss_ | **NSS** | + | | reference_fc_findobjectsfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_FindObjectsFinal - | + | | | terminate an object search. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 261 | :ref:`mozilla_projects_nss | **NSS** | + | | _reference_fc_findobjectsinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_FindObjectsInit - | + | | | initialize the parameters for | + | | | an object search. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 262 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_generatekey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GenerateKey - generate a | + | | | new key | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 263 | :ref:`mozilla_projects_nss | **NSS** | + | | _reference_fc_generatekeypair` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GenerateKeyPair - generate | + | | | a new public/private key pair | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 264 | :ref:`mozilla_projects_ns | **NSS** | + | | s_reference_fc_generaterandom` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GenerateRandom - generate a | + | | | random number. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 265 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_getattributevalue` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetAttributeValue - get the | + | | | value of attributes of an | + | | | object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 266 | :ref:`mozilla_projects_nss | **NSS** | + | | _reference_fc_getfunctionlist` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetFunctionList - get a | + | | | pointer to the list of | + | | | function pointers in the FIPS | + | | | mode of operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 267 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_getfunctionstatus` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetFunctionStatus - get the | + | | | status of a function running | + | | | in parallel | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 268 | :ref:`mozilla_proj | **NSS** | + | | ects_nss_reference_fc_getinfo` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetInfo - return general | + | | | information about the PKCS #11 | + | | | library. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 269 | :ref:`mozilla_projects_nss_ | **NSS** | + | | reference_fc_getmechanisminfo` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetMechanismInfo - get | + | | | information on a particular | + | | | mechanism. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 270 | :ref:`mozilla_projects_nss_ | **NSS** | + | | reference_fc_getmechanismlist` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetMechanismList - get a | + | | | list of mechanism types | + | | | supported by a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 271 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_fc_getobjectsize` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetObjectSize - create a | + | | | copy of an object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 272 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_getoperationstate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetOperationState - get the | + | | | cryptographic operation state | + | | | of a session. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 273 | :ref:`mozilla_projects_ns | **NSS** | + | | s_reference_fc_getsessioninfo` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetSessionInfo - obtain | + | | | information about a session. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 274 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_getslotinfo` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetSlotInfo - get | + | | | information about a particular | + | | | slot in the system. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 275 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_getslotlist` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetSlotList - Obtain a list | + | | | of slots in the system. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 276 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_gettokeninfo` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_GetTokenInfo - obtain | + | | | information about a particular | + | | | token in the system. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 277 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_initialize` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Initialize - initialize the | + | | | PKCS #11 library. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 278 | :ref:`mozilla_proj | **NSS** | + | | ects_nss_reference_fc_initpin` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``FC_InitPIN()`` - Initialize | + | | | the user's PIN. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 279 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_reference_fc_inittoken` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``FC_InitToken()`` - | + | | | initialize or re-initialize a | + | | | token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 280 | :ref:`mozilla_pr | **NSS** | + | | ojects_nss_reference_fc_login` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``FC_Login()`` - log a user | + | | | into a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 281 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_reference_fc_logout` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Logout - log a user out | + | | | from a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 282 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_opensession` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_OpenSession - open a | + | | | session between an application | + | | | and a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 283 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_seedrandom` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``FC_SeedRandom()`` - mix | + | | | additional seed material into | + | | | the random number generator. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 284 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_setattributevalue` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SetAttributeValue - set the | + | | | values of attributes of an | + | | | object. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 285 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_setoperationstate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SetOperationState - restore | + | | | the cryptographic operation | + | | | state of a session. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 286 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_reference_fc_setpin` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SetPIN - Modify the user's | + | | | PIN. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 287 | :ref:`mozilla_p | **NSS** | + | | rojects_nss_reference_fc_sign` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Sign - sign a block of | + | | | data. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 288 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_signencryptupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignEncryptUpdate - | + | | | continue a multi-part signing | + | | | and encryption operation | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 289 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_reference_fc_signfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignFinal - finish a | + | | | multi-part signing operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 290 | :ref:`mozilla_proje | **NSS** | + | | cts_nss_reference_fc_signinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignInit - initialize a | + | | | signing operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 291 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_signrecover` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignRecover - Sign data in | + | | | a single recoverable | + | | | operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 292 | :ref:`mozilla_projects_nss | **NSS** | + | | _reference_fc_signrecoverinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignRecoverInit - | + | | | initialize a sign recover | + | | | operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 293 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_signupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_SignUpdate - process the | + | | | next block of a multi-part | + | | | signing operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 294 | :ref:`mozilla_projec | **NSS** | + | | ts_nss_reference_fc_unwrapkey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_UnwrapKey - unwrap a key | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 295 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_reference_fc_verify` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_Verify - sign a block of | + | | | data. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 296 | :ref:`mozilla_projects | **NSS** | + | | _nss_reference_fc_verifyfinal` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_VerifyFinal - finish a | + | | | multi-part verify operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 297 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_fc_verifyinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_VerifyInit - initialize a | + | | | verification operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 298 | :ref:`mozilla_projects_n | **NSS** | + | | ss_reference_fc_verifyrecover` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_VerifyRecover - Verify data | + | | | in a single recoverable | + | | | operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 299 | :ref:`mozilla_projects_nss_r | **NSS** | + | | eference_fc_verifyrecoverinit` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_VerifyRecoverInit - | + | | | initialize a verification | + | | | operation where data is | + | | | recoverable. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 300 | :ref:`mozilla_projects_ | **NSS** | + | | nss_reference_fc_verifyupdate` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_VerifyUpdate - process the | + | | | next block of a multi-part | + | | | verify operation. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 301 | :ref:`mozilla_projects_nss_ | **NSS** | + | | reference_fc_waitforslotevent` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_WaitForSlotEvent - waits | + | | | for a slot event, such as | + | | | token insertion or token | + | | | removal, to occur. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 302 | :ref:`mozilla_proj | **NSS** | + | | ects_nss_reference_fc_wrapkey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | FC_WrapKey - wrap a key | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 303 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_nsc_inittoken` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``NSC_InitToken()`` - | + | | | initialize or re-initialize a | + | | | token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 304 | :ref:`mozilla_pro | **NSS** | + | | jects_nss_reference_nsc_login` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | ``NSC_Login()`` - log a user | + | | | into a token. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 305 | :ref:`mozilla_projects | | + | | _nss_reference_nspr_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | `NSPR <https://www. | + | | | mozilla.org/projects/nspr/>`__ | + | | | is a platform abstraction | + | | | library that provides a | + | | | cross-platform API to common | + | | | OS services. NSS uses NSPR | + | | | internally as the porting | + | | | layer. However, a small | + | | | number of NSPR functions are | + | | | required for using the | + | | | certificate verification and | + | | | SSL functions in NSS. These | + | | | NSPR functions are listed in | + | | | this section. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 306 | :re | **NSS** | + | | f:`mozilla_projects_nss_refere | | + | | nce_nss_certificate_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes the | + | | | functions and related types | + | | | used to work with a | + | | | certificate database such as | + | | | the cert8.db database provided | + | | | with NSS. This was converted | + | | | from `"Chapter 5: Certificate | + | | | Functions" <https://www.mo | + | | | zilla.org/projects/security/pk | + | | | i/nss/ref/ssl/sslcrt.html>`__. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 307 | :r | **NSS** | + | | ef:`mozilla_projects_nss_refer | | + | | ence_nss_cryptographic_module` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes the | + | | | data types and functions that | + | | | one can use to perform | + | | | cryptographic operations with | + | | | the NSS cryptographic module. | + | | | The NSS cryptographic module | + | | | uses the industry standard | + | | | `PKCS | + | | | #11 <http://www.rsasecurity.co | + | | | m/rsalabs/node.asp?id=2133>`__ | + | | | v2.20 as its API with some | + | | | extensions. Therefore, an | + | | | application that supports PKCS | + | | | #11 cryptographic tokens can | + | | | be easily modified to use the | + | | | NSS cryptographic module. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 308 | :ref:`mozilla_projects_ns | **NSS** | + | | s_reference_nss_cryptographic_ | | + | | module_fips_mode_of_operation` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | These functions manage | + | | | certificates and keys. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 309 | :re | **NSS** | + | | f:`mozilla_projects_nss_refere | | + | | nce_nss_environment_variables` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | These environment variables | + | | | affect the RUN TIME behavior | + | | | of NSS shared libraries. There | + | | | is a separate set of | + | | | environment variables that | + | | | affect how NSS is built, | + | | | documented below. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 310 | :ref:`mozilla_project | **NSS** | + | | s_nss_reference_nss_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This page lists all exported | + | | | functions in NSS 3.11.7 It was | + | | | ported from | + | | | `here <http://www-archive.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ref/nssfunctions.html>`__. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 311 | :ref:`mozilla_projects | | + | | _nss_reference_nss_initialize` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS_Initialize - initialize | + | | | NSS. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 312 | :ref:`mozilla_projects_ns | **NSS** | + | | s_reference_nss_key_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes two | + | | | functions used to manipulate | + | | | private keys and key databases | + | | | such as the key3.db database | + | | | provided with NSS. This was | + | | | converted from `"Chapter 6: | + | | | Key | + | | | Functions" <https://develop | + | | | er.mozilla.org/en-US/docs/NSS/ | + | | | SSL_functions/sslkey.html>`__. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 313 | :ref:`mozilla_projects_nss_r | | + | | eference_nss_tools_:_certutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | certutil — Manage keys and | + | | | certificate in both NSS | + | | | databases and other NSS tokens | + | | | Synopsis | + | | | certutil [options] | + | | | [[arguments]] | + | | | Description | + | | | The Certificate Database | + | | | Tool, certutil, is a | + | | | command-line utility | + | | | that can create and modify | + | | | certificate and key databases. | + | | | It can specifically list, | + | | | generate, modify, or delete | + | | | certificates, create or | + | | | change the password, | + | | | generate new public and | + | | | private key pairs, | + | | | display the contents of the | + | | | key database, or delete key | + | | | pairs within the key | + | | | database. | + | | | Certificate issuance, part | + | | | of the key and certificate | + | | | management process, requires | + | | | that | + | | | keys and certificates be | + | | | created in the key database. | + | | | This document discusses | + | | | certificate | + | | | and key database | + | | | management. For information on | + | | | the security module database | + | | | management, | + | | | see the modutil manpage. | + | | | Options and Arguments | + | | | Running certutil always | + | | | requires one and only one | + | | | command option to | + | | | specify the type of | + | | | certificate operation. Each | + | | | option may take arguments, | + | | | anywhere from none to | + | | | multiple arguments. The | + | | | command option -H will list | + | | | all the command options | + | | | available and their relevant | + | | | arguments. | + | | | Command Options | + | | | -A | + | | | Add an existing | + | | | certificate to a certificate | + | | | database. | + | | | The certificate | + | | | database should already exist; | + | | | if one is | + | | | not present, this | + | | | command option will initialize | + | | | one by default. | + | | | -B | + | | | Run a series of | + | | | commands from the specified | + | | | batch file. | + | | | This requires the -i | + | | | argument. | + | | | -C | + | | | Create a new binary | + | | | certificate file from a binary | + | | | certificate request | + | | | file. Use the -i argument to | + | | | specify | + | | | the certificate | + | | | request file. If this argument | + | | | is not | + | | | used, certutil | + | | | prompts for a filename. | + | | | -D | + | | | Delete a certificate | + | | | from the certificate database. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 314 | :ref:`mozilla_projects_nss_ | | + | | reference_nss_tools_:_cmsutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 315 | :ref:`mozilla_projects_nss_ | **Reference** | + | | reference_nss_tools_:_crlutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 316 | :ref:`mozilla_projects_nss_ | **Mozilla, NSS, Reference, | + | | reference_nss_tools_:_modutil` | Security, Tools, Utilities, | + | | | modutil** | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 317 | :ref:`mozilla_projects_nss_r | | + | | eference_nss_tools_:_pk12util` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | NSS tools : pk12util | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 318 | :ref:`mozilla_projects_nss | | + | | _reference_nss_tools_:_ssltab` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 319 | :ref:`mozilla_projects_nss | | + | | _reference_nss_tools_:_ssltap` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 320 | :ref:`mozilla_projects_nss_r | | + | | eference_nss_tools_:_vfychain` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 321 | :ref:`mozilla_projects_nss_ | | + | | reference_nss_tools_:_vfyserv` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 322 | :ref:`mozilla_pro | | + | | jects_nss_reference_nss_tools` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | certutil | + | | | :ref:`mozilla_projects_nss_r | + | | | eference_nss_tools_:_certutil` | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 323 | :ref:`mozilla_projec | | + | | ts_nss_reference_troubleshoot` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <nntp://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 324 | :ref:`mozil | | + | | la_projects_nss_release_notes` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This page lists release notes | + | | | for older versions of NSS. | + | | | See :ref:`mozi | + | | | lla_projects_nss_nss_releases` | + | | | :ref:`mozi | + | | | lla_projects_nss_nss_releases` | + | | | for recent release notes. The | + | | | links below are provided for | + | | | historical information. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 325 | :ref:`mozilla_ | **NSS** | + | | projects_nss_s_mime_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here perform S/MIME operations | + | | | using the `S/MIME | + | | | Toolkit <http://w | + | | | ww-archive.mozilla.org/project | + | | | s/security/pki/nss/smime/>`__. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 326 | :ref:`mozil | **NSS** | + | | la_projects_nss_ssl_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here are used to configure | + | | | sockets for communication via | + | | | the SSL and TLS protocols. In | + | | | addition to the functions | + | | | listed here, applications that | + | | | support SSL use some of the | + | | | Certificate functions, Crypto | + | | | functions, and Utility | + | | | functions described below on | + | | | this page. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 327 | :ref:`mozilla_pro | | + | | jects_nss_ssl_functions_gtstd` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | This chapter describes how to | + | | | set up your environment, | + | | | including certificate and key | + | | | databases. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 328 | :ref:`mozilla_projects_nss_ss | **NSS** | + | | l_functions_old_ssl_reference` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *New | + | | | sgroup:*\ `mozilla.dev.tech.cr | + | | | ypto <news://news.mozilla.org/ | + | | | mozilla.dev.tech.crypto>`__\ * | + | | | Writer: Sean Cotter | + | | | Manager: Wan-Teh Chang* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 329 | :ref:`mozilla_pro | | + | | jects_nss_ssl_functions_pkfnc` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 330 | :ref:`mozilla_proj | | + | | ects_nss_ssl_functions_sslcrt` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 331 | :ref:`mozilla_proj | | + | | ects_nss_ssl_functions_sslerr` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 332 | :ref:`mozilla_proj | | + | | ects_nss_ssl_functions_sslfnc` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 333 | :ref:`mozilla_projec | | + | | ts_nss_ssl_functions_sslintro` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | SSL and related APIs allow | + | | | compliant applications to | + | | | configure sockets for | + | | | authenticated, tamper-proof, | + | | | and encrypted communications. | + | | | This chapter introduces some | + | | | of the basic SSL functions. | + | | | `Chapter 2, "Getting Started | + | | | With | + | | | SSL" <gtstd.html#1005439>`__ | + | | | illustrates their use in | + | | | sample client and server | + | | | applications. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 334 | :ref:`mozilla_proj | | + | | ects_nss_ssl_functions_sslkey` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 335 | :ref:`mozilla_proj | | + | | ects_nss_ssl_functions_ssltyp` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 336 | :ref:`mozilla_projects_n | **NSS** | + | | ss_tls_cipher_suite_discovery` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | In order to communicate | + | | | securely, an TLS client and | + | | | TLS server must agree on the | + | | | cryptographic algorithms and | + | | | keys that they will both use | + | | | on the secured connection. | + | | | They must agree on these | + | | | items: | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 337 | :re | **NSS** | + | | f:`mozilla_projects_nss_tools` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 338 | :ref:`mozill | | + | | a_projects_nss_tools_certutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | certutil — Manage keys and | + | | | certificate in the NSS | + | | | database. | + | | | Synopsis | + | | | certutil [options] | + | | | `arguments <arguments>`__ | + | | | Description | + | | | The Certificate Database | + | | | Tool, certutil, is a | + | | | command-line utility that | + | | | can create and modify | + | | | certificate and key database | + | | | files. It can also | + | | | list, generate, modify, or | + | | | delete certificates within the | + | | | database, create | + | | | or change the password, | + | | | generate new public and | + | | | private key pairs, display | + | | | the contents of the key | + | | | database, or delete key pairs | + | | | within the key | + | | | database. | + | | | The key and certificate | + | | | management process generally | + | | | begins with creating | + | | | keys in the key database, | + | | | then generating and managing | + | | | certificates in the | + | | | certificate database. This | + | | | document discusses certificate | + | | | and key database | + | | | management. For information | + | | | security module database | + | | | management, see the | + | | | modutil manpages. | + | | | Options and Arguments | + | | | Running certutil always | + | | | requires one (and only one) | + | | | option to specify the | + | | | type of certificate | + | | | operation. Each option may | + | | | take arguments, anywhere | + | | | from none to multiple | + | | | arguments. Run the command | + | | | option and -H to see the | + | | | arguments available for | + | | | each command option. | + | | | Options | + | | | Options specify an action | + | | | and are uppercase. | + | | | -A | + | | | Add an existing | + | | | certificate to a certificate | + | | | database. The | + | | | certificate | + | | | database should already exist; | + | | | if one is not present, | + | | | this option will | + | | | initialize one by default. | + | | | -B | + | | | Run a series of | + | | | commands from the specified | + | | | batch file. This | + | | | requires the -i | + | | | argument. | + | | | -C | + | | | Create a new binary | + | | | certificate file from a binary | + | | | certificate | + | | | request file. Use | + | | | the -i argument to specify the | + | | | certificate | + | | | request file. If | + | | | this argument is not used, | + | | | certutil prompts for a | + | | | filename. | + | | | -D | + | | | Delete a | + | | | certificate from the | + | | | certificate database. | + | | | -E | + | | | Add an email | + | | | certificate to the certificate | + | | | database. | + | | | -F | + | | | Delete a private | + | | | key from a key database. | + | | | Specify the key to | + | | | delete with the -n | + | | | argument. Specify the database | + | | | from which to | + | | | delete the key with | + | | | the -d argument. Use the -k | + | | | argument to | + | | | specify explicitly | + | | | whether to delete a DSA, RSA, | + | | | or ECC key. If | + | | | you don't use the | + | | | -k argument, the option looks | + | | | for an RSA key | + | | | matching the | + | | | specified nickname. | + | | | When you delete | + | | | keys, be sure to also remove | + | | | any certificates | + | | | associated with | + | | | those keys from the | + | | | certificate database, by using | + | | | -D. Some smart | + | | | cards (for example, the | + | | | Litronic card) do not let | + | | | you remove a public | + | | | key you have generated. In | + | | | such a case, only | + | | | the private key is | + | | | deleted from the key pair. You | + | | | can display the | + | | | public key with the | + | | | command certutil -K -h | + | | | tokenname. | + | | | -G | + | | | Generate a new | + | | | public and private key pair | + | | | within a key database. | + | | | The key database | + | | | should already exist; if one | + | | | is not present, this | + | | | option will | + | | | initialize one by default. | + | | | Some smart cards (for | + | | | example, the | + | | | Litronic card) can store only | + | | | one key pair. If you | + | | | create a new key | + | | | pair for such a card, the | + | | | previous pair is | + | | | overwritten. | + | | | -H | + | | | Display a list of | + | | | the options and arguments used | + | | | by the | + | | | Certificate | + | | | Database Tool. | + | | | -K | + | | | List the key ID of | + | | | keys in the key database. A | + | | | key ID is the | + | | | modulus of the RSA | + | | | key or the publicValue of the | + | | | DSA key. IDs are | + | | | displayed in | + | | | hexadecimal ("0x" is not | + | | | shown). | + | | | -L | + | | | List all the | + | | | certificates, or display | + | | | information about a named | + | | | certificate, in a | + | | | certificate database. Use the | + | | | -h tokenname | + | | | argument to specify | + | | | the certificate database on a | + | | | particular | + | | | hardware or | + | | | software token. | + | | | -M | + | | | Modify a | + | | | certificate's trust attributes | + | | | using the values of the -t | + | | | argument. | + | | | -N | + | | | Create new | + | | | certificate and key databases. | + | | | -O | + | | | Print the | + | | | certificate chain. | + | | | -R | + | | | Create a | + | | | certificate request file that | + | | | can be submitted to a | + | | | Certificate | + | | | Authority (CA) for processing | + | | | into a finished | + | | | certificate. Output | + | | | defaults to standard out | + | | | unless you use -o | + | | | output-file | + | | | argument. Use the -a argument | + | | | to specify ASCII output. | + | | | -S | + | | | Create an | + | | | individual certificate and add | + | | | it to a certificate | + | | | database. | + | | | -T | + | | | Reset the key | + | | | database or token. | + | | | -U | + | | | List all available | + | | | modules or print a single | + | | | named module. | + | | | -V | + | | | Check the validity | + | | | of a certificate and its | + | | | attributes. | + | | | -W | + | | | Change the password | + | | | to a key database. | + | | | --merge | + | | | Merge a source | + | | | database into the target | + | | | database. This is used to | + | | | merge legacy NSS | + | | | databases (cert8.db and | + | | | key3.db) into the newer | + | | | SQLite databases | + | | | (cert9.db and key4.db). | + | | | --upgrade-merge | + | | | Upgrade an old | + | | | database and merge it into a | + | | | new database. This is | + | | | used to migrate | + | | | legacy NSS databases (cert8.db | + | | | and key3.db) into | + | | | the newer SQLite | + | | | databases (cert9.db and | + | | | key4.db). | + | | | Arguments | + | | | Option arguments modify an | + | | | action and are lowercase. | + | | | -a | + | | | Use ASCII format or | + | | | allow the use of ASCII format | + | | | for input or | + | | | output. This | + | | | formatting follows RFC 1113. | + | | | For certificate | + | | | requests, ASCII | + | | | output defaults to standard | + | | | output unless | + | | | redirected. | + | | | -b validity-time | + | | | Specify a time at | + | | | which a certificate is | + | | | required to be valid. Use | + | | | when checking | + | | | certificate validity with the | + | | | -V option. The format | + | | | of the | + | | | validity-time argument is | + | | | YYMMDDHHMMSS[+HHMM|-HHMM|Z], | + | | | which allows | + | | | offsets to be set relative to | + | | | the validity end time. | + | | | Specifying seconds | + | | | (SS) is optional. When | + | | | specifying an explicit | + | | | time, use a Z at | + | | | the end of the term, | + | | | YYMMDDHHMMSSZ, to close it. | + | | | When specifying an | + | | | offset time, use | + | | | YYMMDDHHMMSS+HHMM or | + | | | YYMMDDHHMMSS-HHMM | + | | | for adding or subtracting | + | | | time, respectively. | + | | | If this option is | + | | | not used, the validity check | + | | | defaults to the | + | | | current system | + | | | time. | + | | | -c issuer | + | | | Identify the | + | | | certificate of the CA from | + | | | which a new certificate | + | | | will derive its | + | | | authenticity. Use the exact | + | | | nickname or alias of | + | | | the CA certificate, | + | | | or use the CA's email address. | + | | | Bracket the | + | | | issuer string with | + | | | quotation marks if it contains | + | | | spaces. | + | | | -d [sql:]directory | + | | | Specify the | + | | | database directory containing | + | | | the certificate and key | + | | | database files. | + | | | certutil supports | + | | | two types of databases: the | + | | | legacy security | + | | | databases | + | | | (cert8.db, key3.db, and | + | | | secmod.db) and new SQLite | + | | | databases | + | | | (cert9.db, key4.db, and | + | | | pkcs11.txt). If the prefix | + | | | sql: | + | | | is not used, then | + | | | the tool assumes that the | + | | | given databases are in | + | | | the old format. | + | | | -e | + | | | Check a | + | | | certificate's signature during | + | | | the process of validating a | + | | | certificate. | + | | | -f password-file | + | | | Specify a file that | + | | | will automatically supply the | + | | | password to | + | | | include in a | + | | | certificate or to access a | + | | | certificate database. This | + | | | is a plain-text | + | | | file containing one password. | + | | | Be sure to prevent | + | | | unauthorized access | + | | | to this file. | + | | | -g keysize | + | | | Set a key size to | + | | | use when generating new public | + | | | and private key | + | | | pairs. The minimum | + | | | is 512 bits and the maximum is | + | | | 8192 bits. The | + | | | default is 1024 | + | | | bits. Any size between the | + | | | minimum and maximum is | + | | | allowed. | + | | | -h tokenname | + | | | Specify the name of | + | | | a token to use or act on. | + | | | Unless specified | + | | | otherwise the | + | | | default token is an internal | + | | | slot (specifically, | + | | | internal slot 2). | + | | | This slot can also be | + | | | explicitly named with the | + | | | string "internal". | + | | | An internal slots is a virtual | + | | | slot maintained | + | | | in software, rather | + | | | than a hardware device. | + | | | Internal slot 2 is | + | | | used by key and | + | | | certificate services. Internal | + | | | slot 1 is used by | + | | | cryptographic | + | | | services. | + | | | -i input_file | + | | | Pass an input file | + | | | to the command. Depending on | + | | | the command | + | | | option, an input | + | | | file can be a specific | + | | | certificate, a certificate | + | | | request file, or a | + | | | batch file of commands. | + | | | -k rsa|dsa|ec|all | + | | | Specify the type of | + | | | a key. The valid options are | + | | | RSA, DSA, ECC, or | + | | | all. The default | + | | | value is rsa. Specifying the | + | | | type of key can | + | | | avoid mistakes | + | | | caused by duplicate nicknames. | + | | | -k key-type-or-id | + | | | Specify the type or | + | | | specific ID of a key. Giving a | + | | | key type | + | | | generates a new key | + | | | pair; giving the ID of an | + | | | existing key reuses | + | | | that key pair | + | | | (which is required to renew | + | | | certificates). | + | | | -l | + | | | Display detailed | + | | | information when validating a | + | | | certificate with | + | | | the -V option. | + | | | -m serial-number | + | | | Assign a unique | + | | | serial number to a certificate | + | | | being created. This | + | | | operation should be | + | | | performed by a CA. The default | + | | | serial number | + | | | is 0 (zero). Serial | + | | | numbers are limited to | + | | | integers. | + | | | -n nickname | + | | | Specify the | + | | | nickname of a certificate or | + | | | key to list, create, add | + | | | to a database, | + | | | modify, or validate. Bracket | + | | | the nickname string | + | | | with quotation | + | | | marks if it contains spaces. | + | | | -o output-file | + | | | Specify the output | + | | | file name for new certificates | + | | | or binary | + | | | certificate | + | | | requests. Bracket the | + | | | output-file string with | + | | | quotation marks if | + | | | it contains spaces. If this | + | | | argument is not | + | | | used the output | + | | | destination defaults to | + | | | standard output. | + | | | -P dbPrefix | + | | | Specify the prefix | + | | | used on the certificate and | + | | | key database file. | + | | | This option is | + | | | provided as a special case. | + | | | Changing the names of | + | | | the certificate and | + | | | key databases is not | + | | | recommended. | + | | | -p phone | + | | | Specify a contact | + | | | telephone number to include in | + | | | new certificates | + | | | or certificate | + | | | requests. Bracket this string | + | | | with quotation marks | + | | | if it contains | + | | | spaces. | + | | | -q pqgfile | + | | | Read an alternate | + | | | PQG value from the specified | + | | | file when | + | | | generating DSA key | + | | | pairs. If this argument is not | + | | | used, certutil | + | | | generates its own | + | | | PQG value. PQG files are | + | | | created with a separate | + | | | DSA utility. | + | | | -q curve-name | + | | | Set the elliptic | + | | | curve name to use when | + | | | generating ECC key pairs. | + | | | A complete list of | + | | | ECC curves is given in the | + | | | help (-H). | + | | | -r | + | | | Display a | + | | | certificate's binary DER | + | | | encoding when listing | + | | | information about | + | | | that certificate with the -L | + | | | option. | + | | | -s subject | + | | | Identify a | + | | | particular certificate owner | + | | | for new certificates or | + | | | certificate | + | | | requests. Bracket this string | + | | | with quotation marks if | + | | | it contains spaces. | + | | | The subject identification | + | | | format follows RFC | + | | | #1485. | + | | | -t trustargs | + | | | Specify the trust | + | | | attributes to modify in an | + | | | existing certificate | + | | | or to apply to a | + | | | certificate when creating it | + | | | or adding it to a | + | | | database. There are | + | | | three available trust | + | | | categories for each | + | | | certificate, | + | | | expressed in the order SSL, | + | | | email, object signing for | + | | | each trust setting. | + | | | In each category position, use | + | | | none, any, or | + | | | all of the | + | | | attribute codes: | + | | | o p - Valid peer | + | | | o P - Trusted | + | | | peer (implies p) | + | | | o c - Valid CA | + | | | o T - Trusted CA | + | | | to issue client certificates | + | | | (implies c) | + | | | o C - Trusted CA | + | | | to issue server certificates | + | | | (SSL only) | + | | | (implies c) | + | | | o u - | + | | | Certificate can be used for | + | | | authentication or signing | + | | | o w - Send | + | | | warning (use with other | + | | | attributes to include a | + | | | warning when | + | | | the certificate is used in | + | | | that context) | + | | | The attribute codes | + | | | for the categories are | + | | | separated by commas, | + | | | and the entire set | + | | | of attributes enclosed by | + | | | quotation marks. For | + | | | example: | + | | | -t "TCu,Cu,Tuw" | + | | | Use the -L option | + | | | to see a list of the current | + | | | certificates and | + | | | trust attributes in | + | | | a certificate database. | + | | | -u certusage | + | | | Specify a usage | + | | | context to apply when | + | | | validating a certificate | + | | | with the -V option. | + | | | The contexts are | + | | | the following: | + | | | o C (as an SSL | + | | | client) | + | | | o V (as an SSL | + | | | server) | + | | | o S (as an email | + | | | signer) | + | | | o R (as an email | + | | | recipient) | + | | | o O (as an OCSP | + | | | status responder) | + | | | o J (as an | + | | | object signer) | + | | | -v valid-months | + | | | Set the number of | + | | | months a new certificate will | + | | | be valid. The | + | | | validity period | + | | | begins at the current system | + | | | time unless an offset | + | | | is added or | + | | | subtracted with the -w option. | + | | | If this argument is not | + | | | used, the default | + | | | validity period is three | + | | | months. When this | + | | | argument is used, | + | | | the default three-month period | + | | | is automatically | + | | | added to any value | + | | | given in the valid-month | + | | | argument. For example, | + | | | using this option | + | | | to set a value of 3 would | + | | | cause 3 to be added to | + | | | the three-month | + | | | default, creating a validity | + | | | period of six months. | + | | | You can use | + | | | negative values to reduce the | + | | | default period. For | + | | | example, setting a | + | | | value of -2 would subtract 2 | + | | | from the default | + | | | and create a | + | | | validity period of one month. | + | | | -w offset-months | + | | | Set an offset from | + | | | the current system time, in | + | | | months, for the | + | | | beginning of a | + | | | certificate's validity period. | + | | | Use when creating | + | | | the certificate or | + | | | adding it to a database. | + | | | Express the offset in | + | | | integers, using a | + | | | minus sign (-) to indicate a | + | | | negative offset. If | + | | | this argument is | + | | | not used, the validity period | + | | | begins at the | + | | | current system | + | | | time. The length of the | + | | | validity period is set with | + | | | the -v argument. | + | | | -X | + | | | Force the key and | + | | | certificate database to open | + | | | in read-write mode. | + | | | This is used with | + | | | the -U and -L command options. | + | | | -x | + | | | Use certutil to | + | | | generate the signature for a | + | | | certificate being | + | | | created or added to | + | | | a database, rather than | + | | | obtaining a signature | + | | | from a separate CA. | + | | | -y exp | + | | | Set an alternate | + | | | exponent value to use in | + | | | generating a new RSA | + | | | public key for the | + | | | database, instead of the | + | | | default value of | + | | | 65537. The | + | | | available alternate values are | + | | | 3 and 17. | + | | | -z noise-file | + | | | Read a seed value | + | | | from the specified file to | + | | | generate a new | + | | | private and public | + | | | key pair. This argument makes | + | | | it possible to | + | | | use | + | | | hardware-generated seed values | + | | | or manually create a value | + | | | from | + | | | the keyboard. The | + | | | minimum file size is 20 bytes. | + | | | -0 SSO_password | + | | | Set a site security | + | | | officer password on a token. | + | | | -1 \| --keyUsage | + | | | keyword,keyword | + | | | Set a Netscape | + | | | Certificate Type Extension in | + | | | the certificate. | + | | | There are several | + | | | available keywords: | + | | | o digital | + | | | signature | + | | | o nonRepudiation | + | | | | + | | | o keyEncipherment | + | | | | + | | | o dataEncipherment | + | | | o keyAgreement | + | | | o certSigning | + | | | o crlSigning | + | | | o critical | + | | | -2 | + | | | Add a basic | + | | | constraint extension to a | + | | | certificate that is being | + | | | created or added to | + | | | a database. This extension | + | | | supports the | + | | | certificate chain | + | | | verification process. certutil | + | | | prompts for the | + | | | certificate | + | | | constraint extension to | + | | | select. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | -3 | + | | | Add an authority | + | | | key ID extension to a | + | | | certificate that is being | + | | | created or added to | + | | | a database. This extension | + | | | supports the | + | | | identification of a | + | | | particular certificate, from | + | | | among multiple | + | | | certificates | + | | | associated with one subject | + | | | name, as the correct | + | | | issuer of a | + | | | certificate. The Certificate | + | | | Database Tool will prompt | + | | | you to select the | + | | | authority key ID extension. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | -4 | + | | | Add a CRL | + | | | distribution point extension | + | | | to a certificate that is | + | | | being created or | + | | | added to a database. This | + | | | extension identifies | + | | | the URL of a | + | | | certificate's associated | + | | | certificate revocation list | + | | | (CRL). certutil | + | | | prompts for the URL. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | -5 \| --nsCertType | + | | | keyword,keyword | + | | | Add a Netscape | + | | | certificate type extension to | + | | | a certificate that is | + | | | being created or | + | | | added to the database. There | + | | | are several | + | | | available keywords: | + | | | o sslClient | + | | | o sslServer | + | | | o smime | + | | | o objectSigning | + | | | o sslCA | + | | | o smimeCA | + | | | | + | | | o objectSigningCA | + | | | o critical | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | -6 \| --extKeyUsage | + | | | keyword,keyword | + | | | Add an extended key | + | | | usage extension to a | + | | | certificate that is being | + | | | created or added to | + | | | the database. Several keywords | + | | | are available: | + | | | o serverAuth | + | | | o clientAuth | + | | | o codeSigning | + | | | | + | | | o emailProtection | + | | | o timeStamp | + | | | o ocspResponder | + | | | o stepUp | + | | | o critical | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | -7 emailAddrs | + | | | Add a | + | | | comma-separated list of email | + | | | addresses to the subject | + | | | alternative name | + | | | extension of a certificate or | + | | | certificate request | + | | | that is being | + | | | created or added to the | + | | | database. Subject | + | | | alternative name | + | | | extensions are described in | + | | | Section 4.2.1.7 of | + | | | RFC 3280. | + | | | -8 dns-names | + | | | Add a | + | | | comma-separated list of DNS | + | | | names to the subject | + | | | alternative | + | | | name extension of a | + | | | certificate or certificate | + | | | request that is | + | | | being created or | + | | | added to the database. Subject | + | | | alternative name | + | | | extensions are | + | | | described in Section 4.2.1.7 | + | | | of RFC 3280. | + | | | --extAIA | + | | | Add the Authority | + | | | Information Access extension | + | | | to the certificate. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extSIA | + | | | Add the Subject | + | | | Information Access extension | + | | | to the certificate. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extCP | + | | | Add the Certificate | + | | | Policies extension to the | + | | | certificate. X.509 | + | | | certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extPM | + | | | Add the Policy | + | | | Mappings extension to the | + | | | certificate. X.509 | + | | | certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extPC | + | | | Add the Policy | + | | | Constraints extension to the | + | | | certificate. X.509 | + | | | certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extIA | + | | | Add the Inhibit Any | + | | | Policy Access extension to the | + | | | certificate. | + | | | X.509 certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --extSKID | + | | | Add the Subject Key | + | | | ID extension to the | + | | | certificate. X.509 | + | | | certificate | + | | | extensions are described in | + | | | RFC 5280. | + | | | --source-dir certdir | + | | | Identify the | + | | | certificate database directory | + | | | to upgrade. | + | | | --source-prefix certdir | + | | | Give the prefix of | + | | | the certificate and key | + | | | databases to upgrade. | + | | | --upgrade-id uniqueID | + | | | Give the unique ID | + | | | of the database to upgrade. | + | | | --upgrade-token-name name | + | | | Set the name of the | + | | | token to use while it is being | + | | | upgraded. | + | | | -@ pwfile | + | | | Give the name of a | + | | | password file to use for the | + | | | database being | + | | | upgraded. | + | | | Usage and Examples | + | | | Most of the command options | + | | | in the examples listed here | + | | | have more | + | | | arguments available. The | + | | | arguments included in these | + | | | examples are the most | + | | | common ones or are used to | + | | | illustrate a specific | + | | | scenario. Use the -H | + | | | option to show the complete | + | | | list of arguments for each | + | | | command option. | + | | | Creating New Security | + | | | Databases | + | | | Certificates, keys, and | + | | | security modules related to | + | | | managing certificates | + | | | are stored in three related | + | | | databases: | + | | | o cert8.db or cert9.db | + | | | o key3.db or key4.db | + | | | o secmod.db or pkcs11.txt | + | | | These databases must be | + | | | created before certificates or | + | | | keys can be | + | | | generated. | + | | | certutil -N -d | + | | | [sql:]directory | + | | | Creating a Certificate | + | | | Request | + | | | A certificate request | + | | | contains most or all of the | + | | | information that is used | + | | | to generate the final | + | | | certificate. This request is | + | | | submitted separately to | + | | | a certificate authority and | + | | | is then approved by some | + | | | mechanism | + | | | (automatically or by human | + | | | review). Once the request is | + | | | approved, then the | + | | | certificate is generated. | + | | | $ certutil -R -k | + | | | key-type-or-id [-q | + | | | pqgfile|curve-name] -g | + | | | key-size -s subject [-h | + | | | tokenname] -d [sql:]directory | + | | | [-p phone] [-o output-file] | + | | | [-a] | + | | | The -R command options | + | | | requires four arguments: | + | | | o -k to specify either | + | | | the key type to generate or, | + | | | when renewing a | + | | | certificate, the | + | | | existing key pair to use | + | | | o -g to set the keysize | + | | | of the key to generate | + | | | o -s to set the subject | + | | | name of the certificate | + | | | o -d to give the security | + | | | database directory | + | | | The new certificate request | + | | | can be output in ASCII format | + | | | (-a) or can be | + | | | written to a specified file | + | | | (-o). | + | | | For example: | + | | | $ certutil -R -k ec -q | + | | | nistb409 -g 512 -s "CN=John | + | | | Smith,O=Example | + | | | Corp,L=Mountain | + | | | View,ST=California,C=US" -d | + | | | sql:/home/my/sharednssdb -p | + | | | 650-555-0123 -a -o cert.cer | + | | | Generating key. This may | + | | | take a few moments... | + | | | Certificate request generated | + | | | by Netscape | + | | | Phone: 650-555-0123 | + | | | Common Name: John Smith | + | | | Email: (not ed) | + | | | Organization: Example Corp | + | | | State: California | + | | | Country: US | + | | | -----BEGIN NEW CERTIFICATE | + | | | REQUEST----- | + | | | MIIB | + | | | IDCBywIBADBmMQswCQYDVQQGEwJVUz | + | | | ETMBEGA1UECBMKQ2FsaWZvcm5pYTEW | + | | | MBQG | + | | | A1UEBxMNTW91bnRhaW4gVmlldzEVMB | + | | | MGA1UEChMMRXhhbXBsZSBDb3JwMRMw | + | | | EQYD | + | | | VQQDEwpKb2huIFNtaXRoMFwwDQYJKo | + | | | ZIhvcNAQEBBQADSwAwSAJBAMVUpDOZ | + | | | KmHn | + | | | Ox7reP8Cc0Lk+fFWEuYIDX9W5K/Bio | + | | | QOKvEjXyQZhit9aThzBVMoSf1Y1S8J | + | | | CzdU | + | | | bCg1+IbnXaECAwEAAaAAMA0GCSqGSI | + | | | b3DQEBBQUAA0EAryqZvpYrUtQ486Ny | + | | | qmty | + | | | QNjIi1F8c1Z+TL4uFYlMg8z6LG/J/u | + | | | 1E5t1QqB5e9Q4+BhRbrQjRR1JZx3tB | + | | | 1hP9Gg== | + | | | -----END NEW CERTIFICATE | + | | | REQUEST----- | + | | | Creating a Certificate | + | | | A valid certificate must be | + | | | issued by a trusted CA. This | + | | | can be done by | + | | | specifying a CA certificate | + | | | (-c) that is stored in the | + | | | certificate | + | | | database. If a CA key pair | + | | | is not available, you can | + | | | create a self-signed | + | | | certificate using the -x | + | | | argument with the -S command | + | | | option. | + | | | $ certutil -S -k rsa|dsa|ec | + | | | -n certname -s subject [-c | + | | | issuer \|-x] -t trustargs -d | + | | | [sql:]directory [-m | + | | | serial-number] [-v | + | | | valid-months] [-w | + | | | offset-months] [-p phone] [-1] | + | | | [-2] [-3] [-4] [-5 keyword] | + | | | [-6 keyword] [-7 emailAddress] | + | | | [-8 dns-names] [--extAIA] | + | | | [--extSIA] [--extCP] [--extPM] | + | | | [--extPC] [--extIA] | + | | | [--extSKID] | + | | | The series of numbers and | + | | | --ext\* options set | + | | | certificate extensions that | + | | | can be added to the | + | | | certificate when it is | + | | | generated by the CA. | + | | | For example, this creates a | + | | | self-signed certificate: | + | | | $ certutil -S -s "CN=Example | + | | | CA" -n my-ca-cert -x -t | + | | | "C,C,C" -1 -2 -5 -m 3650 | + | | | From there, new | + | | | certificates can reference the | + | | | self-signed certificate: | + | | | $ certutil -S -s "CN=My | + | | | Server Cert" -n my-server-cert | + | | | -c "my-ca-cert" -t "u,u,u" -1 | + | | | -5 -6 -8 -m 730 | + | | | Generating a Certificate | + | | | from a Certificate Request | + | | | When a certificate request | + | | | is created, a certificate can | + | | | be generated by | + | | | using the request and then | + | | | referencing a certificate | + | | | authority signing | + | | | certificate (the issuer | + | | | specified in the -c argument). | + | | | The issuing | + | | | certificate must be in the | + | | | certificate database in the | + | | | specified | + | | | directory. | + | | | certutil -C -c issuer -i | + | | | cert-request-file -o | + | | | output-file [-m serial-number] | + | | | [-v valid-months] [-w | + | | | offset-months] -d | + | | | [sql:]directory [-1] [-2] [-3] | + | | | [-4] [-5 keyword] [-6 keyword] | + | | | [-7 emailAddress] [-8 | + | | | dns-names] | + | | | For example: | + | | | $ certutil -C -c "my-ca-cert" | + | | | -i /home/certs/cert.req -o | + | | | cert.cer -m 010 -v 12 -w 1 -d | + | | | sql:/home/my/sharednssdb -1 | + | | | n | + | | | onRepudiation,dataEncipherment | + | | | -5 sslClient -6 clientAuth -7 | + | | | jsmith@example.com | + | | | Generating Key Pairs | + | | | Key pairs are generated | + | | | automatically with a | + | | | certificate request or | + | | | certificate, but they can | + | | | also be generated | + | | | independently using the -G | + | | | command option. | + | | | certutil -G -d | + | | | [sql:]directory \| -h | + | | | tokenname -k key-type -g | + | | | key-size [-y exponent-value] | + | | | -q pqgfile|curve-name | + | | | For example: | + | | | $ certutil -G -h lunasa -k ec | + | | | -g 256 -q sect193r2 | + | | | Listing Certificates | + | | | The -L command option lists | + | | | all of the certificates listed | + | | | in the | + | | | certificate database. The | + | | | path to the directory (-d) is | + | | | required. | + | | | $ certutil -L -d | + | | | sql:/home/my/sharednssdb | + | | | Certificate | + | | | Nickname | + | | | | + | | | Trust Attributes | + | | | | + | | | | + | | | | + | | | SSL,S/MIME,JAR/XPI | + | | | CA Administrator of Instance | + | | | pki-ca1's Example Domain | + | | | ID u,u,u | + | | | TPS Administrator's Example | + | | | Domain | + | | | ID | + | | | u,u,u | + | | | Google Internet | + | | | Authority | + | | | | + | | | ,, | + | | | Certificate Authority - | + | | | Example | + | | | Domain | + | | | CT,C,C | + | | | Using additional arguments | + | | | with -L can return and print | + | | | the information | + | | | for a single, specific | + | | | certificate. For example, the | + | | | -n argument passes | + | | | the certificate name, while | + | | | the -a argument prints the | + | | | certificate in | + | | | ASCII format: | + | | | $ certutil -L -d | + | | | sql:/home/my/sharednssdb -a -n | + | | | "Certificate Authority - | + | | | Example Domain" | + | | | -----BEGIN CERTIFICATE----- | + | | | MIID | + | | | mTCCAoGgAwIBAgIBATANBgkqhkiG9w | + | | | 0BAQUFADA5MRcwFQYDVQQKEw5FeGFt | + | | | cGxl | + | | | IERvbWFpbjEeMBwGA1UEAxMVQ2VydG | + | | | lmaWNhdGUgQXV0aG9yaXR5MB4XDTEw | + | | | MDQy | + | | | OTIxNTY1OFoXDTEyMDQxODIxNTY1OF | + | | | owOTEXMBUGA1UEChMORXhhbXBsZSBE | + | | | b21h | + | | | aW4xHjAcBgNVBAMTFUNlcnRpZmljYX | + | | | RlIEF1dGhvcml0eTCCASIwDQYJKoZI | + | | | hvcN | + | | | AQEBBQADggEPADCCAQoCggEBAO/bqU | + | | | li2KwqXFKmMMG93KN1SANzNTXA/Vlf | + | | | Tmri | + | | | h3hQgjvR1ktIY9aG6cB7DSKWmtHp/+ | + | | | p4PUCMqL4ZrSGt901qxkePyZ2dYmM2 | + | | | Rnel | + | | | K+SEUIPiUtoZaDhNdiYsE/yuDE8vQW | + | | | j0vHCVL0w72qFUcSQ/WZT7FCrnUIUI | + | | | udeW | + | | | noPSUn70gLhcj/lvxl7K9BHyD4Sq5C | + | | | zktwYtFWLiiwV+ZY/Fl6JgbGaQyQB2 | + | | | bP4i | + | | | RMfloGqsxGuB1evWVDF1haGpFDSPgM | + | | | nEPSLg3/3dXn+HDJbZ29EU8/xKzQEb | + | | | 3V0A | + | | | HKbu80zGllLEt2Zx/WDIrgJEN9yMfg | + | | | KFpcmL+BvIRsmh0VsCAwEAAaOBqzCB | + | | | qDAf | + | | | BgNVHSMEGDAWgBQATgxHQyRUfKIZtd | + | | | p55bZlFr+tFzAPBgNVHRMBAf8EBTAD | + | | | AQH/ | + | | | MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ | + | | | 4EFgQUAE4MR0MkVHyiGbXaeeW2ZRa/ | + | | | rRcw | + | | | RQYIKwYBBQUHAQEEOTA3MDUGCCsGAQ | + | | | UFBzABhilodHRwOi8vbG9jYWxob3N0 | + | | | Lmxv | + | | | Y2FsZG9tYWluOjkxODAvY2Evb2NzcD | + | | | ANBgkqhkiG9w0BAQUFAAOCAQEAi8Gk | + | | | L3XO | + | | | 43u7/TDOeEsWPmq+jZsDZ3GZ85Ajt3 | + | | | KROLWeKVZZZa2E2Hnsvf2uXbk5amKe | + | | | lRxd | + | | | SeRH9g85pv4KY7Z8xZ71NrI3+K3uwm | + | | | nqkc6t0hhYb1mw/gx8OAAoluQx3biX | + | | | JBDx | + | | | jI73Cf7XUopplHBjjiwyGIJUO8BEZJ | + | | | 5L+TF4P38MJz1snLtzZpEAX5bl0U76 | + | | | bfu/ | + | | | tZFWBbE8YAWYtkCtMcalBPj6jn2WD3 | + | | | M01kGozW4mmbvsj1cRB9HnsGsqyHCu | + | | | U0uj | + | | | lL1H/RWcjn607+CTeKH9jLMUqCIqPJ | + | | | NOa+kq/6F7NhNRRiuzASIbZc30BZ5a | + | | | nI7q5n1USM3eWQlVXw== | + | | | -----END CERTIFICATE----- | + | | | Listing Keys | + | | | Keys are the original | + | | | material used to encrypt | + | | | certificate data. The keys | + | | | generated for certificates | + | | | are stored separately, in the | + | | | key database. | + | | | To list all keys in the | + | | | database, use the -K command | + | | | option and the | + | | | (required) -d argument to | + | | | give the path to the | + | | | directory. | + | | | $ certutil -K -d | + | | | sql:/home/my/sharednssdb | + | | | certutil: Checking token "NSS | + | | | Certificate DB" in slot "NSS | + | | | User Private Key and | + | | | Certificate | + | | | Services " | + | | | < 0> rsa | + | | | 455a6673bde9 | + | | | 375c2887ec8bf8016b3f9f35861d | + | | | Thawte Freemail Member's | + | | | Thawte Consulting (Pty) Ltd. | + | | | ID | + | | | < 1> rsa | + | | | 40defeeb522a | + | | | de11090eacebaaf1196a172127df | + | | | Example Domain Administrator | + | | | Cert | + | | | < 2> rsa | + | | | 1d0b06f44f6c | + | | | 03842f7d4f4a1dc78b3bcd1b85a5 | + | | | John Smith user cert | + | | | There are ways to narrow | + | | | the keys listed in the search | + | | | results: | + | | | o To return a specific | + | | | key, use the -n name argument | + | | | with the name of | + | | | the key. | + | | | o If there are multiple | + | | | security devices loaded, then | + | | | the -h tokenname | + | | | argument can search a | + | | | specific token or all tokens. | + | | | o If there are multiple | + | | | key types available, then the | + | | | -k key-type | + | | | argument can search a | + | | | specific type of key, like | + | | | RSA, DSA, or ECC. | + | | | Listing Security Modules | + | | | The devices that can be | + | | | used to store certificates -- | + | | | both internal | + | | | databases and external | + | | | devices like smart cards -- | + | | | are recognized and used | + | | | by loading security | + | | | modules. The -U command option | + | | | lists all of the | + | | | security modules listed in | + | | | the secmod.db database. The | + | | | path to the | + | | | directory (-d) is required. | + | | | $ certutil -U -d | + | | | sql:/home/my/sharednssdb | + | | | slot: NSS User Private | + | | | Key and Certificate Services | + | | | token: NSS Certificate DB | + | | | slot: NSS Internal | + | | | Cryptographic Services | + | | | token: NSS Generic Crypto | + | | | Services | + | | | Adding Certificates to the | + | | | Database | + | | | Existing certificates or | + | | | certificate requests can be | + | | | added manually to the | + | | | certificate database, even | + | | | if they were generated | + | | | elsewhere. This uses the | + | | | -A command option. | + | | | certutil -A -n certname -t | + | | | trustargs -d [sql:]directory | + | | | [-a] [-i input-file] | + | | | For example: | + | | | $ certutil -A -n "CN=My SSL | + | | | Certificate" -t "u,u,u" -d | + | | | sql:/home/my/sharednssdb -i | + | | | /home/example-certs/cert.cer | + | | | A related command option, | + | | | -E, is used specifically to | + | | | add email | + | | | certificates to the | + | | | certificate database. The -E | + | | | command has the same | + | | | arguments as the -A | + | | | command. The trust arguments | + | | | for certificates have the | + | | | format | + | | | SSL,S/MIME,Code-signing, so | + | | | the middle trust settings | + | | | relate most | + | | | to email certificates | + | | | (though the others can be | + | | | set). For example: | + | | | $ certutil -E -n "CN=John | + | | | Smith Email Cert" -t ",Pu," -d | + | | | sql:/home/my/sharednssdb -i | + | | | /home/example-certs/email.cer | + | | | Deleting Certificates to | + | | | the Database | + | | | Certificates can be deleted | + | | | from a database using the -D | + | | | option. The only | + | | | required options are to | + | | | give the security database | + | | | directory and to | + | | | identify the certificate | + | | | nickname. | + | | | certutil -D -d | + | | | [sql:]directory -n "nickname" | + | | | For example: | + | | | $ certutil -D -d | + | | | sql:/home/my/sharednssdb -n | + | | | "my-ssl-cert" | + | | | Validating Certificates | + | | | A certificate contains an | + | | | expiration date in itself, and | + | | | expired | + | | | certificates are easily | + | | | rejected. However, | + | | | certificates can also be | + | | | revoked before they hit | + | | | their expiration date. | + | | | Checking whether a | + | | | certificate has been | + | | | revoked requires validating | + | | | the certificate. | + | | | Validation can also be used | + | | | to ensure that the certificate | + | | | is only used | + | | | for the purposes it was | + | | | initially issued for. | + | | | Validation is carried out by | + | | | the -V command option. | + | | | certutil -V -n | + | | | certificate-name [-b time] | + | | | [-e] [-u cert-usage] -d | + | | | [sql:]directory | + | | | For example, to validate an | + | | | email certificate: | + | | | $ certutil -V -n "John | + | | | Smith's Email Cert" -e -u S,R | + | | | -d sql:/home/my/sharednssdb | + | | | Modifying Certificate Trust | + | | | Settings | + | | | The trust settings (which | + | | | relate to the operations that | + | | | a certificate is | + | | | allowed to be used for) can | + | | | be changed after a certificate | + | | | is created or | + | | | added to the database. This | + | | | is especially useful for CA | + | | | certificates, but | + | | | it can be performed for any | + | | | type of certificate. | + | | | certutil -M -n | + | | | certificate-name -t trust-args | + | | | -d [sql:]directory | + | | | For example: | + | | | $ certutil -M -n "My CA | + | | | Certificate" -d | + | | | sql:/home/my/sharednssdb -t | + | | | "CTu,CTu,CTu" | + | | | Printing the Certificate | + | | | Chain | + | | | Certificates can be issued | + | | | in chains because every | + | | | certificate authority | + | | | itself has a certificate; | + | | | when a CA issues a | + | | | certificate, it essentially | + | | | stamps that certificate | + | | | with its own fingerprint. The | + | | | -O prints the full | + | | | chain of a certificate, | + | | | going from the initial CA (the | + | | | root CA) through | + | | | ever intermediary CA to the | + | | | actual certificate. For | + | | | example, for an email | + | | | certificate with two CAs in | + | | | the chain: | + | | | $ certutil -d | + | | | sql:/home/my/sharednssdb -O -n | + | | | "jsmith@example.com" | + | | | "Builtin Object Token:Thawte | + | | | Personal Freemail CA" | + | | | [E=personal | + | | | -freemail@thawte.com,CN=Thawte | + | | | Personal Freemail | + | | | CA,OU=Certification Services | + | | | Division,O=Thawte | + | | | Consulting,L=Cape | + | | | Town,ST=Western Cape,C=ZA] | + | | | "Thawte Personal Freemail | + | | | Issuing CA - Thawte | + | | | Consulting" [CN=Thawte | + | | | Personal Freemail Issuing | + | | | CA,O=Thawte Consulting (Pty) | + | | | Ltd.,C=ZA] | + | | | "(null)" | + | | | [ | + | | | E=jsmith@example.com,CN=Thawte | + | | | Freemail Member] | + | | | Resetting a Token | + | | | The device which stores | + | | | certificates -- both external | + | | | hardware devices and | + | | | internal software databases | + | | | -- can be blanked and reused. | + | | | This operation | + | | | is performed on the device | + | | | which stores the data, not | + | | | directly on the | + | | | security databases, so the | + | | | location must be referenced | + | | | through the token | + | | | name (-h) as well as any | + | | | directory path. If there is no | + | | | external token | + | | | used, the default value is | + | | | internal. | + | | | certutil -T -d | + | | | [sql:]directory -h token-name | + | | | -0 security-officer-password | + | | | Many networks have | + | | | dedicated personnel who handle | + | | | changes to security | + | | | tokens (the security | + | | | officer). This person must | + | | | supply the password to | + | | | access the specified token. | + | | | For example: | + | | | $ certutil -T -d | + | | | sql:/home/my/sharednssdb -h | + | | | nethsm -0 secret | + | | | Upgrading or Merging the | + | | | Security Databases | + | | | Many networks or | + | | | applications may be using | + | | | older BerkeleyDB versions of | + | | | the certificate database | + | | | (cert8.db). Databases can be | + | | | upgraded to the new | + | | | SQLite version of the | + | | | database (cert9.db) using the | + | | | --upgrade-merge | + | | | command option or existing | + | | | databases can be merged with | + | | | the new cert9.db | + | | | databases using the | + | | | ---merge command. | + | | | The --upgrade-merge command | + | | | must give information about | + | | | the original | + | | | database and then use the | + | | | standard arguments (like -d) | + | | | to give the | + | | | information about the new | + | | | databases. The command also | + | | | requires information | + | | | that the tool uses for the | + | | | process to upgrade and write | + | | | over the original | + | | | database. | + | | | certutil --upgrade-merge -d | + | | | [sql:]directory [-P dbprefix] | + | | | --source-dir directory | + | | | --source-prefix dbprefix | + | | | --upgrade-id id | + | | | --upgrade-token-name name [-@ | + | | | password-file] | + | | | For example: | + | | | $ certutil --upgrade-merge -d | + | | | sql:/home/my/sharednssdb | + | | | --source-dir | + | | | /opt/my-app/alias/ | + | | | --source-prefix serverapp- | + | | | --upgrade-id 1 | + | | | --upgrade-token-name internal | + | | | The --merge command only | + | | | requires information about the | + | | | location of the | + | | | original database; since it | + | | | doesn't change the format of | + | | | the database, it | + | | | can write over information | + | | | without performing interim | + | | | step. | + | | | certutil --merge -d | + | | | [sql:]directory [-P dbprefix] | + | | | --source-dir directory | + | | | --source-prefix dbprefix [-@ | + | | | password-file] | + | | | For example: | + | | | $ certutil --merge -d | + | | | sql:/home/my/sharednssdb | + | | | --source-dir | + | | | /opt/my-app/alias/ | + | | | --source-prefix serverapp- | + | | | Running certutil Commands | + | | | from a Batch File | + | | | A series of commands can be | + | | | run sequentially from a text | + | | | file with the -B | + | | | command option. The only | + | | | argument for this specifies | + | | | the input file. | + | | | $ certutil -B -i | + | | | /path/to/batch-file | + | | | NSS Database Types | + | | | NSS originally used | + | | | BerkeleyDB databases to store | + | | | security information. | + | | | The last versions of these | + | | | legacy databases are: | + | | | o cert8.db for | + | | | certificates | + | | | o key3.db for keys | + | | | o secmod.db for PKCS #11 | + | | | module information | + | | | BerkeleyDB has performance | + | | | limitations, though, which | + | | | prevent it from | + | | | being easily used by | + | | | multiple applications | + | | | simultaneously. NSS has some | + | | | flexibility that allows | + | | | applications to use their own, | + | | | independent | + | | | database engine while | + | | | keeping a shared database and | + | | | working around the | + | | | access issues. Still, NSS | + | | | requires more flexibility to | + | | | provide a truly | + | | | shared security database. | + | | | In 2009, NSS introduced a | + | | | new set of databases that are | + | | | SQLite databases | + | | | rather than BerkleyDB. | + | | | These new databases provide | + | | | more accessibility and | + | | | performance: | + | | | o cert9.db for | + | | | certificates | + | | | o key4.db for keys | + | | | o pkcs11.txt, which is | + | | | listing of all of the PKCS #11 | + | | | modules contained | + | | | in a new subdirectory | + | | | in the security databases | + | | | directory | + | | | Because the SQLite | + | | | databases are designed to be | + | | | shared, these are the | + | | | shared database type. The | + | | | shared database type is | + | | | preferred; the legacy | + | | | format is included for | + | | | backward compatibility. | + | | | By default, the tools | + | | | (certutil, pk12util, modutil) | + | | | assume that the given | + | | | security databases follow | + | | | the more common legacy type. | + | | | Using the SQLite | + | | | databases must be manually | + | | | specified by using the sql: | + | | | prefix with the | + | | | given security directory. | + | | | For example: | + | | | $ certutil -L -d | + | | | sql:/home/my/sharednssdb | + | | | To set the shared database | + | | | type as the default type for | + | | | the tools, set the | + | | | NSS_DEFAULT_DB_TYPE | + | | | environment variable to sql: | + | | | export | + | | | NSS_DEFAULT_DB_TYPE="sql" | + | | | This line can be set added | + | | | to the ~/.bashrc file to make | + | | | the change | + | | | permanent. | + | | | Most applications do not | + | | | use the shared database by | + | | | default, but they can | + | | | be configured to use them. | + | | | For example, this how-to | + | | | article covers how to | + | | | configure Firefox and | + | | | Thunderbird to use the new | + | | | shared NSS databases: | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | For an engineering draft on | + | | | the changes in the shared NSS | + | | | databases, see | + | | | the NSS project wiki: | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | See Also | + | | | pk12util (1) | + | | | modutil (1) | + | | | certutil has arguments or | + | | | operations that use features | + | | | defined in several | + | | | IETF RFCs. | + | | | | + | | | o `http://tools.ietf.org/htm | + | | | l/rfc5280 <https://datatracker | + | | | .ietf.org/doc/html/rfc5280>`__ | + | | | | + | | | o `http://tools.ietf.org/htm | + | | | l/rfc1113 <https://datatracker | + | | | .ietf.org/doc/html/rfc1113>`__ | + | | | | + | | | o `http://tools.ietf.org/htm | + | | | l/rfc1485 <https://datatracker | + | | | .ietf.org/doc/html/rfc1485>`__ | + | | | The NSS wiki has | + | | | information on the new | + | | | database design and how to | + | | | configure applications to | + | | | use it. | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ <https://www.mozilla.org/p | + | | | rojects/security/pki/nss/>`__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | <emaldona@redhat.com>, Deon | + | | | Lackey | + | | | <dlackey@redhat.com>. | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ <https://www.mozilla.org/ | + | | | projects/security/pki/nss/>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 339 | :ref:`mozil | | + | | la_projects_nss_tools_cmsutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | cmsutil — Performs basic | + | | | cryptograpic operations, such | + | | | as encryption and | + | | | decryption, on | + | | | Cryptographic Message Syntax | + | | | (CMS) messages. | + | | | Synopsis | + | | | cmsutil [options] | + | | | `arguments <arguments>`__ | + | | | Description | + | | | The cmsutil command-line | + | | | uses the S/MIME Toolkit to | + | | | perform basic | + | | | operations, such as | + | | | encryption and decryption, on | + | | | Cryptographic Message | + | | | Syntax (CMS) messages. | + | | | To run cmsutil, type the | + | | | command cmsutil option | + | | | [arguments] where option | + | | | and arguments are | + | | | combinations of the options | + | | | and arguments listed in the | + | | | following section. Each | + | | | command takes one option. Each | + | | | option may take | + | | | zero or more arguments. To | + | | | see a usage string, issue the | + | | | command without | + | | | options. | + | | | Options and Arguments | + | | | Options | + | | | Options specify an action. | + | | | Option arguments modify an | + | | | action. The options | + | | | and arguments for the | + | | | cmsutil command are defined as | + | | | follows: | + | | | -D | + | | | Decode a message. | + | | | -C | + | | | Encrypt a message. | + | | | -E | + | | | Envelope a message. | + | | | -O | + | | | Create a | + | | | certificates-only message. | + | | | -S | + | | | Sign a message. | + | | | Arguments | + | | | Option arguments modify an | + | | | action and are lowercase. | + | | | -c content | + | | | Use this detached | + | | | content (decode only). | + | | | -d dbdir | + | | | Specify the | + | | | key/certificate database | + | | | directory (default is ".") | + | | | -e envfile | + | | | Specify a file | + | | | containing an enveloped | + | | | message for a set of | + | | | recipients to which | + | | | you would like to send an | + | | | encrypted message. | + | | | If this is the | + | | | first encrypted message for | + | | | that set of recipients, | + | | | a new enveloped | + | | | message will be created that | + | | | you can then use for | + | | | future messages | + | | | (encrypt only). | + | | | -G | + | | | Include a signing | + | | | time attribute (sign only). | + | | | -h num | + | | | Generate email | + | | | headers with info about CMS | + | | | message (decode only). | + | | | -i infile | + | | | Use infile as a | + | | | source of data (default is | + | | | stdin). | + | | | -N nickname | + | | | Specify nickname of | + | | | certificate to sign with (sign | + | | | only). | + | | | -n | + | | | Suppress output of | + | | | contents (decode only). | + | | | -o outfile | + | | | Use outfile as a | + | | | destination of data (default | + | | | is stdout). | + | | | -P | + | | | Include an S/MIME | + | | | capabilities attribute. | + | | | -p password | + | | | Use password as key | + | | | database password. | + | | | -r recipient1,recipient2, | + | | | ... | + | | | Specify list of | + | | | recipients (email addresses) | + | | | for an encrypted or | + | | | enveloped message. | + | | | For certificates-only message, | + | | | list of | + | | | certificates to | + | | | send. | + | | | -T | + | | | Suppress content in | + | | | CMS message (sign only). | + | | | -u certusage | + | | | Set type of cert | + | | | usage (default is | + | | | certUsageEmailSigner). | + | | | -Y ekprefnick | + | | | Specify an | + | | | encryption key preference by | + | | | nickname. | + | | | Usage | + | | | Encrypt Example | + | | | cmsutil -C [-i infile] [-o | + | | | outfile] [-d dbdir] [-p | + | | | password] -r | + | | | "recipient1,recipient2, . . ." | + | | | -e envfile | + | | | Decode Example | + | | | cmsutil -D [-i infile] [-o | + | | | outfile] [-d dbdir] [-p | + | | | password] [-c content] [-n] | + | | | [-h num] | + | | | Envelope Example | + | | | cmsutil -E [-i infile] [-o | + | | | outfile] [-d dbdir] [-p | + | | | password] -r | + | | | "recipient1,recipient2, ..." | + | | | Certificate-only Example | + | | | cmsutil -O [-i infile] [-o | + | | | outfile] [-d dbdir] [-p | + | | | password] -r "cert1,cert2, . . | + | | | ." | + | | | Sign Message Example | + | | | cmsutil -S [-i infile] [-o | + | | | outfile] [-d dbdir] [-p | + | | | password] -N nickname[-TGP] | + | | | [-Y ekprefnick] | + | | | See also | + | | | certutil(1) | + | | | See Also | + | | | Additional Resources | + | | | NSS is maintained in | + | | | conjunction with PKI and | + | | | security-related projects | + | | | through Mozilla dn Fedora. | + | | | The most closely-related | + | | | project is Dogtag PKI, | + | | | with a project wiki at | + | | | [1]\ http: | + | | | //pki.fedoraproject.org/wiki/. | + | | | For information | + | | | specifically about NSS, the | + | | | NSS project wiki is located at | + | | | | + | | | [2]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ <https://www.mozilla.org/p | + | | | rojects/security/pki/nss/>`__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | pki-devel@redhat.com and | + | | | pki-users@redhat.com | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape and | + | | | now with Red Hat. | + | | | Authors: Elio Maldonado | + | | | <emaldona@redhat.com>, Deon | + | | | Lackey | + | | | <dlackey@redhat.com>. | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | http | + | | | ://pki.fedoraproject.org/wiki/ | + | | | 2. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ <https://www.mozilla.org/ | + | | | projects/security/pki/nss/>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 340 | :ref:`mozil | | + | | la_projects_nss_tools_crlutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | crlutil — List, generate, | + | | | modify, or delete CRLs within | + | | | the NSS security | + | | | database file(s) and list, | + | | | create, modify or delete | + | | | certificates entries | + | | | in a particular CRL. | + | | | Synopsis | + | | | crlutil [options] | + | | | `arguments <arguments>`__ | + | | | Description | + | | | The Certificate Revocation | + | | | List (CRL) Management Tool, | + | | | crlutil, is a | + | | | command-line utility that | + | | | can list, generate, modify, or | + | | | delete CRLs | + | | | within the NSS security | + | | | database file(s) and list, | + | | | create, modify or | + | | | delete certificates entries | + | | | in a particular CRL. | + | | | The key and certificate | + | | | management process generally | + | | | begins with creating | + | | | keys in the key database, | + | | | then generating and managing | + | | | certificates in the | + | | | certificate database(see | + | | | certutil tool) and continues | + | | | with certificates | + | | | expiration or revocation. | + | | | This document discusses | + | | | certificate revocation list | + | | | management. For | + | | | information on security | + | | | module database management, | + | | | see Using the Security | + | | | Module Database Tool. For | + | | | information on certificate and | + | | | key database | + | | | management, see Using the | + | | | Certificate Database Tool. | + | | | To run the Certificate | + | | | Revocation List Management | + | | | Tool, type the command | + | | | crlutil option [arguments] | + | | | where options and arguments | + | | | are combinations of the | + | | | options and arguments | + | | | listed in the following | + | | | section. Each command takes | + | | | one option. Each | + | | | option may take zero or | + | | | more arguments. To see a usage | + | | | string, issue the | + | | | command without options, or | + | | | with the -H option. | + | | | Options and Arguments | + | | | Options | + | | | Options specify an action. | + | | | Option arguments modify an | + | | | action. The options | + | | | and arguments for the | + | | | crlutil command are defined as | + | | | follows: | + | | | -G | + | | | Create new | + | | | Certificate Revocation | + | | | List(CRL). | + | | | -D | + | | | Delete Certificate | + | | | Revocation List from cert | + | | | database. | + | | | -I | + | | | Import a CRL to the | + | | | cert database | + | | | -E | + | | | Erase all CRLs of | + | | | specified type from the cert | + | | | database | + | | | -L | + | | | List existing CRL | + | | | located in cert database file. | + | | | -M | + | | | Modify existing CRL | + | | | which can be located in cert | + | | | db or in | + | | | arbitrary file. If | + | | | located in file it should be | + | | | encoded in ASN.1 | + | | | encode format. | + | | | -G | + | | | Arguments | + | | | Option arguments modify an | + | | | action and are lowercase. | + | | | -B | + | | | Bypass CA signature | + | | | checks. | + | | | -P dbprefix | + | | | Specify the prefix | + | | | used on the NSS security | + | | | database files (for | + | | | example, | + | | | my_cert8.db and my_key3.db). | + | | | This option is provided as a | + | | | special case. | + | | | Changing the names of the | + | | | certificate and key | + | | | databases is not | + | | | recommended. | + | | | -a | + | | | Use ASCII format or | + | | | allow the use of ASCII format | + | | | for input and | + | | | output. This | + | | | formatting follows RFC #1113. | + | | | -c crl-gen-file | + | | | Specify script file | + | | | that will be used to control | + | | | crl | + | | | | + | | | generation/modification. See | + | | | crl-cript-file format below. | + | | | If | + | | | options -M|-G is | + | | | used and -c crl-script-file is | + | | | not specified, | + | | | crlutil will read | + | | | script data from standard | + | | | input. | + | | | -d directory | + | | | Specify the | + | | | database directory containing | + | | | the certificate and key | + | | | database files. On | + | | | Unix the Certificate Database | + | | | Tool defaults to | + | | | $HOME/.netscape | + | | | (that is, ~/.netscape). On | + | | | Windows NT the default | + | | | is the current | + | | | directory. | + | | | The NSS database | + | | | files must reside in the same | + | | | directory. | + | | | -i crl-import-file | + | | | Specify the file | + | | | which contains the CRL to | + | | | import | + | | | -f password-file | + | | | Specify a file that | + | | | will automatically supply the | + | | | password to | + | | | include in a | + | | | certificate or to access a | + | | | certificate database. This | + | | | is a plain-text | + | | | file containing one password. | + | | | Be sure to prevent | + | | | unauthorized access | + | | | to this file. | + | | | -l algorithm-name | + | | | Specify a specific | + | | | signature algorithm. List of | + | | | possible | + | | | algorithms: MD2 \| | + | | | MD4 \| MD5 \| SHA1 \| SHA256 | + | | | \| SHA384 \| SHA512 | + | | | -n nickname | + | | | Specify the | + | | | nickname of a certificate or | + | | | key to list, create, add | + | | | to a database, | + | | | modify, or validate. Bracket | + | | | the nickname string | + | | | with quotation | + | | | marks if it contains spaces. | + | | | -o output-file | + | | | Specify the output | + | | | file name for new CRL. Bracket | + | | | the output-file | + | | | string with | + | | | quotation marks if it contains | + | | | spaces. If this | + | | | argument is not | + | | | used the output destination | + | | | defaults to standard | + | | | output. | + | | | -t crl-type | + | | | Specify type of | + | | | CRL. possible types are: 0 - | + | | | SEC_KRL_TYPE, 1 - | + | | | SEC_CRL_TYPE. This | + | | | option is obsolete | + | | | -u url | + | | | Specify the url. | + | | | CRL Generation script syntax | + | | | CRL generation script file | + | | | has the following syntax: | + | | | \* Line with comments | + | | | should have # as a first | + | | | symbol of a line | + | | | \* Set "this update" or | + | | | "next update" CRL fields: | + | | | update=YYYYMMDDhhmmssZ | + | | | nextupdate=YYYYMMDDhhmmssZ | + | | | Field "next update" is | + | | | optional. Time should be in | + | | | GeneralizedTime format | + | | | (YYYYMMDDhhmmssZ). For | + | | | example: 20050204153000Z | + | | | \* Add an extension to a | + | | | CRL or a crl certificate | + | | | entry: | + | | | addext extension-name | + | | | critical/non-critical | + | | | [arg1[arg2 ...]] | + | | | Where: | + | | | extension-name: string | + | | | value of a name of known | + | | | extensions. | + | | | critical/non-critical: is 1 | + | | | when extension is critical and | + | | | 0 otherwise. | + | | | arg1, arg2: specific to | + | | | extension type extension | + | | | parameters | + | | | addext uses the range that | + | | | was set earlier by addcert and | + | | | will install an | + | | | extension to every cert | + | | | entries within the range. | + | | | \* Add certificate | + | | | entries(s) to CRL: | + | | | addcert range date | + | | | range: two integer values | + | | | separated by dash: range of | + | | | certificates that | + | | | will be added by this | + | | | command. dash is used as a | + | | | delimiter. Only one cert | + | | | will be added if there is | + | | | no delimiter. date: revocation | + | | | date of a cert. | + | | | Date should be represented | + | | | in GeneralizedTime format | + | | | (YYYYMMDDhhmmssZ). | + | | | \* Remove certificate | + | | | entry(s) from CRL | + | | | rmcert range | + | | | Where: | + | | | range: two integer values | + | | | separated by dash: range of | + | | | certificates that | + | | | will be added by this | + | | | command. dash is used as a | + | | | delimiter. Only one cert | + | | | will be added if there is | + | | | no delimiter. | + | | | \* Change range of | + | | | certificate entry(s) in CRL | + | | | range new-range | + | | | Where: | + | | | new-range: two integer | + | | | values separated by dash: | + | | | range of certificates | + | | | that will be added by this | + | | | command. dash is used as a | + | | | delimiter. Only one | + | | | cert will be added if there | + | | | is no delimiter. | + | | | Implemented Extensions | + | | | The extensions defined for | + | | | CRL provide methods for | + | | | associating additional | + | | | attributes with CRLs of | + | | | theirs entries. For more | + | | | information see RFC #3280 | + | | | \* Add The Authority Key | + | | | Identifier extension: | + | | | The authority key | + | | | identifier extension provides | + | | | a means of identifying the | + | | | public key corresponding to | + | | | the private key used to sign a | + | | | CRL. | + | | | authKeyId critical [key-id | + | | | \| dn cert-serial] | + | | | Where: | + | | | authKeyIdent: identifies | + | | | the name of an extension | + | | | critical: value of 1 of | + | | | 0. Should be set to 1 if | + | | | this extension is critical or | + | | | 0 otherwise. | + | | | key-id: key identifier | + | | | represented in octet string. | + | | | dn:: is a CA | + | | | distinguished name | + | | | cert-serial: authority | + | | | certificate serial number. | + | | | \* Add Issuer Alternative | + | | | Name extension: | + | | | The issuer alternative | + | | | names extension allows | + | | | additional identities to be | + | | | associated with the issuer | + | | | of the CRL. Defined options | + | | | include an rfc822 | + | | | name (electronic mail | + | | | address), a DNS name, an IP | + | | | address, and a URI. | + | | | issuerAltNames non-critical | + | | | name-list | + | | | Where: | + | | | subjAltNames: identifies | + | | | the name of an extension | + | | | should be set to 0 since | + | | | this is non-critical | + | | | extension name-list: comma | + | | | separated list of names | + | | | \* Add CRL Number | + | | | extension: | + | | | The CRL number is a | + | | | non-critical CRL extension | + | | | which conveys a | + | | | monotonically increasing | + | | | sequence number for a given | + | | | CRL scope and CRL | + | | | issuer. This extension | + | | | allows users to easily | + | | | determine when a particular | + | | | CRL supersedes another CRL | + | | | crlNumber non-critical | + | | | number | + | | | Where: | + | | | crlNumber: identifies the | + | | | name of an extension critical: | + | | | should be set to | + | | | 0 since this is | + | | | non-critical extension number: | + | | | value of long which | + | | | identifies the sequential | + | | | number of a CRL. | + | | | \* Add Revocation Reason | + | | | Code extension: | + | | | The reasonCode is a | + | | | non-critical CRL entry | + | | | extension that identifies the | + | | | reason for the certificate | + | | | revocation. | + | | | reasonCode non-critical | + | | | code | + | | | Where: | + | | | reasonCode: identifies the | + | | | name of an extension | + | | | non-critical: should be | + | | | set to 0 since this is | + | | | non-critical extension code: | + | | | the following codes | + | | | are available: | + | | | unspecified (0), | + | | | keyCompromise (1), | + | | | cACompromise (2), | + | | | affiliationChanged | + | | | (3), superseded (4), | + | | | cessationOfOperation (5), | + | | | certificateHold (6), | + | | | removeFromCRL (8), | + | | | privilegeWithdrawn (9), | + | | | aACompromise (10) | + | | | \* Add Invalidity Date | + | | | extension: | + | | | The invalidity date is a | + | | | non-critical CRL entry | + | | | extension that provides | + | | | the date on which it is | + | | | known or suspected that the | + | | | private key was | + | | | compromised or that the | + | | | certificate otherwise became | + | | | invalid. | + | | | invalidityDate non-critical | + | | | date | + | | | Where: | + | | | crlNumber: identifies the | + | | | name of an extension | + | | | non-critical: should be set | + | | | to 0 since this is | + | | | non-critical extension date: | + | | | invalidity date of a cert. | + | | | Date should be represented | + | | | in GeneralizedTime format | + | | | (YYYYMMDDhhmmssZ). | + | | | Usage | + | | | The Certificate Revocation | + | | | List Management Tool's | + | | | capabilities are grouped | + | | | as follows, using these | + | | | combinations of options and | + | | | arguments. Options and | + | | | arguments in square | + | | | brackets are optional, those | + | | | without square brackets | + | | | are required. | + | | | See "Implemented | + | | | extensions" for more | + | | | information regarding | + | | | extensions and | + | | | their parameters. | + | | | \* Creating or modifying a | + | | | CRL: | + | | | crlutil -G|-M -c crl-gen-file | + | | | -n nickname [-i crl] [-u url] | + | | | [-d keydir] [-P dbprefix] [-l | + | | | alg] [-a] [-B] | + | | | \* Listing all CRls or a | + | | | named CRL: | + | | | crlutil -L [-n | + | | | crl-name] [-d krydir] | + | | | \* Deleting CRL from db: | + | | | crlutil -D -n | + | | | nickname [-d keydir] [-P | + | | | dbprefix] | + | | | \* Erasing CRLs from db: | + | | | crlutil -E [-d | + | | | keydir] [-P dbprefix] | + | | | \* Deleting CRL from db: | + | | | crlutil -D -n | + | | | nickname [-d keydir] [-P | + | | | dbprefix] | + | | | \* Erasing CRLs from db: | + | | | crlutil -E [-d | + | | | keydir] [-P dbprefix] | + | | | \* Import CRL from file: | + | | | crlutil -I -i crl | + | | | [-t crlType] [-u url] [-d | + | | | keydir] [-P dbprefix] [-B] | + | | | See also | + | | | certutil(1) | + | | | See Also | + | | | Additional Resources | + | | | NSS is maintained in | + | | | conjunction with PKI and | + | | | security-related projects | + | | | through Mozilla dn Fedora. | + | | | The most closely-related | + | | | project is Dogtag PKI, | + | | | with a project wiki at | + | | | [1]\ http: | + | | | //pki.fedoraproject.org/wiki/. | + | | | For information | + | | | specifically about NSS, the | + | | | NSS project wiki is located at | + | | | | + | | | [2]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ <https://www.mozilla.org/p | + | | | rojects/security/pki/nss/>`__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | pki-devel@redhat.com and | + | | | pki-users@redhat.com | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape and | + | | | now with Red Hat. | + | | | Authors: Elio Maldonado | + | | | <emaldona@redhat.com>, Deon | + | | | Lackey | + | | | <dlackey@redhat.com>. | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | http | + | | | ://pki.fedoraproject.org/wiki/ | + | | | 2. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ <https://www.mozilla.org/ | + | | | projects/security/pki/nss/>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 341 | :ref:`mozil | | + | | la_projects_nss_tools_modutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | modutil — Manage PKCS #11 | + | | | module information within the | + | | | security module | + | | | database. | + | | | Synopsis | + | | | modutil [options] | + | | | `arguments <arguments>`__ | + | | | Description | + | | | The Security Module | + | | | Database Tool, modutil, is a | + | | | command-line utility for | + | | | managing PKCS #11 module | + | | | information both within | + | | | secmod.db files and | + | | | within hardware tokens. | + | | | modutil can add and delete | + | | | PKCS #11 modules, | + | | | change passwords on | + | | | security databases, set | + | | | defaults, list module | + | | | contents, enable or disable | + | | | slots, enable or disable FIPS | + | | | 140-2 | + | | | compliance, and assign | + | | | default providers for | + | | | cryptographic operations. | + | | | This tool can also create | + | | | certificate, key, and module | + | | | security database | + | | | files. | + | | | The tasks associated with | + | | | security module database | + | | | management are part of | + | | | a process that typically | + | | | also involves managing key | + | | | databases and | + | | | certificate databases. | + | | | Options | + | | | Running modutil always | + | | | requires one (and only one) | + | | | option to specify the | + | | | type of module operation. | + | | | Each option may take | + | | | arguments, anywhere from | + | | | none to multiple arguments. | + | | | Options | + | | | -add modulename | + | | | Add the named PKCS | + | | | #11 module to the database. | + | | | Use this option | + | | | with the -libfile, | + | | | -ciphers, and -mechanisms | + | | | arguments. | + | | | -changepw tokenname | + | | | Change the password | + | | | on the named token. If the | + | | | token has not been | + | | | initialized, this | + | | | option initializes the | + | | | password. Use this option | + | | | with the -pwfile | + | | | and -newpwfile arguments. A | + | | | password is | + | | | equivalent to a | + | | | personal identification number | + | | | (PIN). | + | | | -chkfips | + | | | Verify whether the | + | | | module is in the given FIPS | + | | | mode. true means to | + | | | verify that the | + | | | module is in FIPS mode, while | + | | | false means to | + | | | verify that the | + | | | module is not in FIPS mode. | + | | | -create | + | | | Create new | + | | | certificate, key, and module | + | | | databases. Use the -dbdir | + | | | directory argument | + | | | to specify a directory. If any | + | | | of these | + | | | databases already | + | | | exist in a specified | + | | | directory, modutil returns | + | | | an error message. | + | | | -default modulename | + | | | Specify the | + | | | security mechanisms for which | + | | | the named module will be | + | | | a default provider. | + | | | The security mechanisms are | + | | | specified with the | + | | | -mechanisms | + | | | argument. | + | | | -delete modulename | + | | | Delete the named | + | | | module. The default NSS PKCS | + | | | #11 module cannot be | + | | | deleted. | + | | | -disable modulename | + | | | Disable all slots | + | | | on the named module. Use the | + | | | -slot argument to | + | | | disable a specific | + | | | slot. | + | | | -enable modulename | + | | | Enable all slots on | + | | | the named module. Use the | + | | | -slot argument to | + | | | enable a specific | + | | | slot. | + | | | -fips [true \| false] | + | | | Enable (true) or | + | | | disable (false) FIPS 140-2 | + | | | compliance for the | + | | | default NSS module. | + | | | -force | + | | | Disable modutil's | + | | | interactive prompts so it can | + | | | be run from a | + | | | script. Use this | + | | | option only after manually | + | | | testing each planned | + | | | operation to check | + | | | for warnings and to ensure | + | | | that bypassing the | + | | | prompts will cause | + | | | no security lapses or loss of | + | | | database | + | | | integrity. | + | | | -jar JAR-file | + | | | Add a new PKCS #11 | + | | | module to the database using | + | | | the named JAR | + | | | file. Use this | + | | | command with the -installdir | + | | | and -tempdir | + | | | arguments. The JAR | + | | | file uses the NSS PKCS #11 JAR | + | | | format to | + | | | identify all the | + | | | files to be installed, the | + | | | module's name, the | + | | | mechanism flags, | + | | | and the cipher flags, as well | + | | | as any files to be | + | | | installed on the | + | | | target machine, including the | + | | | PKCS #11 module | + | | | library file and | + | | | other files such as | + | | | documentation. This is | + | | | covered in the JAR | + | | | installation file section in | + | | | the man page, | + | | | which details the | + | | | special script needed to | + | | | perform an installation | + | | | through a server or | + | | | with modutil. | + | | | -list [modulename] | + | | | Display basic | + | | | information about the contents | + | | | of the secmod.db | + | | | file. Specifying a | + | | | modulename displays detailed | + | | | information about | + | | | a particular module | + | | | and its slots and tokens. | + | | | -rawadd | + | | | Add the module spec | + | | | string to the secmod.db | + | | | database. | + | | | -rawlist | + | | | Display the module | + | | | specs for a specified module | + | | | or for all | + | | | loadable modules. | + | | | -undefault modulename | + | | | Specify the | + | | | security mechanisms for which | + | | | the named module will | + | | | not be a default | + | | | provider. The security | + | | | mechanisms are specified | + | | | with the | + | | | -mechanisms argument. | + | | | Arguments | + | | | MODULE | + | | | Give the security | + | | | module to access. | + | | | MODULESPEC | + | | | Give the security | + | | | module spec to load into the | + | | | security database. | + | | | -ciphers cipher-enable-list | + | | | Enable specific | + | | | ciphers in a module that is | + | | | being added to the | + | | | database. The | + | | | cipher-enable-list is a | + | | | colon-delimited list of | + | | | cipher names. | + | | | Enclose this list in quotation | + | | | marks if it contains | + | | | spaces. | + | | | -dbdir [sql:]directory | + | | | Specify the | + | | | database directory in which to | + | | | access or create | + | | | security module | + | | | database files. | + | | | modutil supports | + | | | two types of databases: the | + | | | legacy security | + | | | databases | + | | | (cert8.db, key3.db, and | + | | | secmod.db) and new SQLite | + | | | databases | + | | | (cert9.db, key4.db, and | + | | | pkcs11.txt). If the prefix | + | | | sql: | + | | | is not used, then | + | | | the tool assumes that the | + | | | given databases are in | + | | | the old format. | + | | | --dbprefix prefix | + | | | Specify the prefix | + | | | used on the database files, | + | | | such as my\_ for | + | | | my_cert8.db. This | + | | | option is provided as a | + | | | special case. Changing | + | | | the names of the | + | | | certificate and key databases | + | | | is not recommended. | + | | | -installdir | + | | | root-installation-directory | + | | | Specify the root | + | | | installation directory | + | | | relative to which files | + | | | will be installed | + | | | by the -jar option. This | + | | | directory should be one | + | | | below which it is | + | | | appropriate to store dynamic | + | | | library files, such | + | | | as a server's root | + | | | directory. | + | | | -libfile library-file | + | | | Specify a path to a | + | | | library file containing the | + | | | implementation of | + | | | the PKCS #11 | + | | | interface module that is being | + | | | added to the database. | + | | | -mechanisms mechanism-list | + | | | Specify the | + | | | security mechanisms for which | + | | | a particular module will | + | | | be flagged as a | + | | | default provider. The | + | | | mechanism-list is a | + | | | colon-delimited | + | | | list of mechanism names. | + | | | Enclose this list in | + | | | quotation marks if | + | | | it contains spaces. | + | | | The module becomes | + | | | a default provider for the | + | | | listed mechanisms | + | | | when those | + | | | mechanisms are enabled. If | + | | | more than one module claims | + | | | to be a particular | + | | | mechanism's default provider, | + | | | that mechanism's | + | | | default provider is | + | | | undefined. | + | | | modutil supports | + | | | several mechanisms: RSA, DSA, | + | | | RC2, RC4, RC5, AES, | + | | | DES, DH, SHA1, | + | | | SHA256, SHA512, SSL, TLS, MD5, | + | | | MD2, RANDOM (for | + | | | random number | + | | | generation), and FRIENDLY | + | | | (meaning certificates are | + | | | publicly readable). | + | | | -newpwfile | + | | | new-password-file | + | | | Specify a text file | + | | | containing a token's new or | + | | | replacement | + | | | password so that a | + | | | password can be entered | + | | | automatically with the | + | | | -changepw option. | + | | | -nocertdb | + | | | Do not open the | + | | | certificate or key databases. | + | | | This has several | + | | | effects: | + | | | o With the | + | | | -create command, only a module | + | | | security file is | + | | | created; | + | | | certificate and key databases | + | | | are not created. | + | | | o With the -jar | + | | | command, signatures on the JAR | + | | | file are not | + | | | checked. | + | | | o With the | + | | | -changepw command, the | + | | | password on the NSS internal | + | | | module cannot | + | | | be set or changed, since this | + | | | password is | + | | | stored in the | + | | | key database. | + | | | -pwfile old-password-file | + | | | Specify a text file | + | | | containing a token's existing | + | | | password so that | + | | | a password can be | + | | | entered automatically when the | + | | | -changepw option | + | | | is used to change | + | | | passwords. | + | | | -secmod secmodname | + | | | Give the name of | + | | | the security module database | + | | | (like secmod.db) to | + | | | load. | + | | | -slot slotname | + | | | Specify a | + | | | particular slot to be enabled | + | | | or disabled with the | + | | | -enable or -disable | + | | | options. | + | | | -string CONFIG_STRING | + | | | Pass a | + | | | configuration string for the | + | | | module being added to the | + | | | database. | + | | | -tempdir | + | | | temporary-directory | + | | | Give a directory | + | | | location where temporary files | + | | | are created during | + | | | the installation by | + | | | the -jar option. If no | + | | | temporary directory is | + | | | specified, the | + | | | current directory is used. | + | | | Usage and Examples | + | | | Creating Database Files | + | | | Before any operations can | + | | | be performed, there must be a | + | | | set of security | + | | | databases available. | + | | | modutil can be used to create | + | | | these files. The only | + | | | required argument is the | + | | | database that where the | + | | | databases will be | + | | | located. | + | | | modutil -create -dbdir | + | | | [sql:]directory | + | | | Adding a Cryptographic | + | | | Module | + | | | Adding a PKCS #11 module | + | | | means submitting a supporting | + | | | library file, | + | | | enabling its ciphers, and | + | | | setting default provider | + | | | status for various | + | | | security mechanisms. This | + | | | can be done by supplying all | + | | | of the information | + | | | through modutil directly or | + | | | by running a JAR file and | + | | | install script. For | + | | | the most basic case, simply | + | | | upload the library: | + | | | modutil -add modulename | + | | | -libfile library-file | + | | | [-ciphers cipher-enable-list] | + | | | [-mechanisms mechanism-list] | + | | | For example: | + | | | modutil -dbdir | + | | | sql:/home/my/sharednssdb -add | + | | | "Example PKCS #11 Module" | + | | | -libfile "/tmp/crypto.so" | + | | | -mechanisms RSA:DSA:RC2:RANDOM | + | | | Using database directory ... | + | | | Module "Example PKCS #11 | + | | | Module" added to database. | + | | | Installing a Cryptographic | + | | | Module from a JAR File | + | | | PKCS #11 modules can also | + | | | be loaded using a JAR file, | + | | | which contains all | + | | | of the required libraries | + | | | and an installation script | + | | | that describes how to | + | | | install the module. The JAR | + | | | install script is described in | + | | | more detail in | + | | | [1]the section called “JAR | + | | | Installation File Format”. | + | | | The JAR installation script | + | | | defines the setup information | + | | | for each | + | | | platform that the module | + | | | can be installed on. For | + | | | example: | + | | | Platforms { | + | | | Linux:5.4.08:x86 { | + | | | ModuleName { "Example | + | | | PKCS #11 Module" } | + | | | ModuleFile { crypto.so | + | | | } | + | | | | + | | | DefaultMechanismFlags{0x0000} | + | | | | + | | | CipherEnableFlags{0x0000} | + | | | Files { | + | | | crypto.so { | + | | | Path{ | + | | | /tmp/crypto.so } | + | | | } | + | | | setup.sh { | + | | | Executable | + | | | Path{ | + | | | /tmp/setup.sh } | + | | | } | + | | | } | + | | | } | + | | | Linux:6.0.0:x86 { | + | | | EquivalentPlatform { | + | | | Linux:5.4.08:x86 } | + | | | } | + | | | } | + | | | Both the install script and | + | | | the required libraries must be | + | | | bundled in a | + | | | JAR file, which is | + | | | specified with the -jar | + | | | argument. | + | | | modutil -dbdir | + | | | sql:/home/mt | + | | | "jar-install-filey/sharednssdb | + | | | -jar install.jar -installdir | + | | | sql:/home/my/sharednssdb | + | | | This installation JAR file | + | | | was signed by: | + | | | ---------------- | + | | | ------------------------------ | + | | | **SUBJECT NAME*\* | + | | | C=US, ST=California, | + | | | L=Mountain View, | + | | | CN=Cryptorific Inc., | + | | | OU=Digital ID | + | | | Class 3 - Netscape Object | + | | | Signing, | + | | | OU="w | + | | | ww.verisign.com/repository/CPS | + | | | Incorp. by Ref.,LIAB.LTD(c)9 | + | | | 6", OU=www.verisign.com/CPS | + | | | Incorp.by Ref | + | | | . LIABILITY LTD.(c)97 | + | | | VeriSign, OU=VeriSign Object | + | | | Signing CA - Class 3 | + | | | Organization, OU="VeriSign, | + | | | Inc.", O=VeriSign Trust | + | | | Network \**ISSUER | + | | | NAME**, | + | | | OU=www.verisign.com/CPS | + | | | Incorp.by Ref. LIABILITY | + | | | LTD.(c)97 | + | | | VeriSign, OU=VeriSign Object | + | | | Signing CA - Class 3 | + | | | Organization, | + | | | OU="VeriSign, Inc.", | + | | | O=VeriSign Trust Network | + | | | ---------------- | + | | | ------------------------------ | + | | | Do you wish to continue this | + | | | installation? (y/n) y | + | | | Using installer script | + | | | "installer_script" | + | | | Successfully parsed | + | | | installation script | + | | | Current platform is | + | | | Linux:5.4.08:x86 | + | | | Using installation parameters | + | | | for platform Linux:5.4.08:x86 | + | | | Installed file crypto.so to | + | | | /tmp/crypto.so | + | | | Installed file setup.sh to | + | | | ./pk11inst.dir/setup.sh | + | | | Executing | + | | | "./pk11inst.dir/setup.sh"... | + | | | "./pk11inst.dir/setup.sh" | + | | | executed successfully | + | | | Installed module "Example | + | | | PKCS #11 Module" into module | + | | | database | + | | | Installation completed | + | | | successfully | + | | | Adding Module Spec | + | | | Each module has information | + | | | stored in the security | + | | | database about its | + | | | configuration and | + | | | parameters. These can be added | + | | | or edited using the | + | | | -rawadd command. For the | + | | | current settings or to see the | + | | | format of the | + | | | module spec in the | + | | | database, use the -rawlist | + | | | option. | + | | | modutil -rawadd modulespec | + | | | Deleting a Module | + | | | A specific PKCS #11 module | + | | | can be deleted from the | + | | | secmod.db database: | + | | | modutil -delete modulename | + | | | -dbdir [sql:]directory | + | | | Displaying Module | + | | | Information | + | | | The secmod.db database | + | | | contains information about the | + | | | PKCS #11 modules | + | | | that are available to an | + | | | application or server to use. | + | | | The list of all | + | | | modules, information about | + | | | specific modules, and database | + | | | configuration | + | | | specs for modules can all | + | | | be viewed. | + | | | To simply get a list of | + | | | modules in the database, use | + | | | the -list command. | + | | | modutil -list [modulename] | + | | | -dbdir [sql:]directory | + | | | Listing the modules shows | + | | | the module name, their status, | + | | | and other | + | | | associated security | + | | | databases for certificates and | + | | | keys. For example: | + | | | modutil -list -dbdir | + | | | sql:/home/my/sharednssdb | + | | | Listing of PKCS #11 Modules | + | | | ----------------------------- | + | | | ------------------------------ | + | | | 1. NSS Internal PKCS #11 | + | | | Module | + | | | slots: 2 slots | + | | | attached | + | | | status: loaded | + | | | slot: NSS Internal | + | | | Cryptographic Services | + | | | token: NSS Generic | + | | | Crypto Services | + | | | slot: NSS User | + | | | Private Key and Certificate | + | | | Services | + | | | token: NSS | + | | | Certificate DB | + | | | ----------------------------- | + | | | ------------------------------ | + | | | Passing a specific module | + | | | name with the -list returns | + | | | details information | + | | | about the module itself, | + | | | like supported cipher | + | | | mechanisms, version | + | | | numbers, serial numbers, | + | | | and other information about | + | | | the module and the | + | | | token it is loaded on. For | + | | | example: | + | | | modutil -list "NSS Internal | + | | | PKCS #11 Module" -dbdir | + | | | sql:/home/my/sharednssdb | + | | | ----------------------------- | + | | | ------------------------------ | + | | | Name: NSS Internal PKCS #11 | + | | | Module | + | | | Library file: \**Internal | + | | | ONLY module*\* | + | | | Manufacturer: Mozilla | + | | | Foundation | + | | | Description: NSS Internal | + | | | Crypto Services | + | | | PKCS #11 Version 2.20 | + | | | Library Version: 3.11 | + | | | Cipher Enable Flags: None | + | | | Default Mechanism Flags: | + | | | RSA:RC2:RC4:D | + | | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES | + | | | Slot: NSS Internal | + | | | Cryptographic Services | + | | | Slot Mechanism Flags: | + | | | RSA:RC2:RC4:D | + | | | ES:DH:SHA1:MD5:MD2:SSL:TLS:AES | + | | | Manufacturer: Mozilla | + | | | Foundation | + | | | Type: Software | + | | | Version Number: 3.11 | + | | | Firmware Version: 0.0 | + | | | Status: Enabled | + | | | Token Name: NSS Generic | + | | | Crypto Services | + | | | Token Manufacturer: Mozilla | + | | | Foundation | + | | | Token Model: NSS 3 | + | | | Token Serial Number: | + | | | 0000000000000000 | + | | | Token Version: 4.0 | + | | | Token Firmware Version: 0.0 | + | | | Access: Write Protected | + | | | Login Type: Public (no | + | | | login required) | + | | | User Pin: NOT Initialized | + | | | Slot: NSS User Private Key | + | | | and Certificate Services | + | | | Slot Mechanism Flags: None | + | | | Manufacturer: Mozilla | + | | | Foundation | + | | | Type: Software | + | | | Version Number: 3.11 | + | | | Firmware Version: 0.0 | + | | | Status: Enabled | + | | | Token Name: NSS Certificate | + | | | DB | + | | | Token Manufacturer: Mozilla | + | | | Foundation | + | | | Token Model: NSS 3 | + | | | Token Serial Number: | + | | | 0000000000000000 | + | | | Token Version: 8.3 | + | | | Token Firmware Version: 0.0 | + | | | Access: NOT Write Protected | + | | | Login Type: Login required | + | | | User Pin: Initialized | + | | | A related command, -rawlist | + | | | returns information about the | + | | | database | + | | | configuration for the | + | | | modules. (This information can | + | | | be edited by loading | + | | | new specs using the -rawadd | + | | | command.) | + | | | modutil -rawlist -dbdir | + | | | sql:/home/my/sharednssdb | + | | | name="NSS Internal PKCS #11 | + | | | Module" | + | | | parameters="configdir=. | + | | | certPrefix= keyPrefix= | + | | | secmod=secmod.db | + | | | flags=readOnly " | + | | | NSS="trustOrder=75 | + | | | cipherOrder=100 | + | | | slotParams={0x00000001=[ | + | | | slotFlags=RSA,RC4,RC2,DES,DH,S | + | | | HA1,MD5,MD2,SSL,TLS,AES,RANDOM | + | | | askpw=any timeout=30 ] } | + | | | Flags=internal,critical" | + | | | Setting a Default Provider | + | | | for Security Mechanisms | + | | | Multiple security modules | + | | | may provide support for the | + | | | same security | + | | | mechanisms. It is possible | + | | | to set a specific security | + | | | module as the | + | | | default provider for a | + | | | specific security mechanism | + | | | (or, conversely, to | + | | | prohibit a provider from | + | | | supplying those mechanisms). | + | | | modutil -default modulename | + | | | -mechanisms mechanism-list | + | | | To set a module as the | + | | | default provider for | + | | | mechanisms, use the -default | + | | | command with a | + | | | colon-separated list of | + | | | mechanisms. The available | + | | | mechanisms depend on the | + | | | module; NSS supplies almost | + | | | all common | + | | | mechanisms. For example: | + | | | modutil -default "NSS | + | | | Internal PKCS #11 Module" | + | | | -dbdir -mechanisms RSA:DSA:RC2 | + | | | Using database directory | + | | | c:\databases... | + | | | Successfully changed | + | | | defaults. | + | | | Clearing the default | + | | | provider has the same format: | + | | | modutil -undefault "NSS | + | | | Internal PKCS #11 Module" | + | | | -dbdir -mechanisms MD2:MD5 | + | | | Enabling and Disabling | + | | | Modules and Slots | + | | | Modules, and specific slots | + | | | on modules, can be selectively | + | | | enabled or | + | | | disabled using modutil. | + | | | Both commands have the same | + | | | format: | + | | | modutil -enable|-disable | + | | | modulename [-slot slotname] | + | | | For example: | + | | | modutil -enable "NSS Internal | + | | | PKCS #11 Module" -slot "NSS | + | | | Internal Cryptographic | + | | | Servi | + | | | ces | + | | | " -dbdir . | + | | | Slot "NSS Internal | + | | | Cryptographic | + | | | Servi | + | | | ces | + | | | " enabled. | + | | | Be sure that the | + | | | appropriate amount of trailing | + | | | whitespace is after the | + | | | slot name. Some slot names | + | | | have a significant amount of | + | | | whitespace that | + | | | must be included, or the | + | | | operation will fail. | + | | | Enabling and Verifying FIPS | + | | | Compliance | + | | | The NSS modules can have | + | | | FIPS 140-2 compliance enabled | + | | | or disabled using | + | | | modutil with the -fips | + | | | option. For example: | + | | | modutil -fips true -dbdir | + | | | sql:/home/my/sharednssdb/ | + | | | FIPS mode enabled. | + | | | To verify that status of | + | | | FIPS mode, run the -chkfips | + | | | command with either a | + | | | true or false flag (it | + | | | doesn't matter which). The | + | | | tool returns the current | + | | | FIPS setting. | + | | | modutil -chkfips false -dbdir | + | | | sql:/home/my/sharednssdb/ | + | | | FIPS mode enabled. | + | | | Changing the Password on a | + | | | Token | + | | | Initializing or changing a | + | | | token's password: | + | | | modutil -changepw tokenname | + | | | [-pwfile old-password-file] | + | | | [-newpwfile new-password-file] | + | | | modutil -dbdir | + | | | sql:/home/my/sharednssdb | + | | | -changepw "NSS Certificate DB" | + | | | Enter old password: | + | | | Incorrect password, try | + | | | again... | + | | | Enter old password: | + | | | Enter new password: | + | | | Re-enter new password: | + | | | Token "Communicator | + | | | Certificate DB" password | + | | | changed successfully. | + | | | JAR Installation File Format | + | | | When a JAR file is run by a | + | | | server, by modutil, or by any | + | | | program that | + | | | does not interpret | + | | | JavaScript, a special | + | | | information file must be | + | | | included | + | | | to install the libraries. | + | | | There are several things to | + | | | keep in mind with | + | | | this file: | + | | | o It must be declared in | + | | | the JAR archive's manifest | + | | | file. | + | | | o The script can have any | + | | | name. | + | | | o The metainfo tag for | + | | | this is Pkcs11_install_script. | + | | | To declare | + | | | meta-information in the | + | | | manifest file, put it in a | + | | | file that is passed | + | | | to signtool. | + | | | Sample Script | + | | | For example, the PKCS #11 | + | | | installer script could be in | + | | | the file | + | | | pk11install. If so, the | + | | | metainfo file for signtool | + | | | includes a line such as | + | | | this: | + | | | + Pkcs11_install_script: | + | | | pk11install | + | | | The script must define the | + | | | platform and version number, | + | | | the module name | + | | | and file, and any optional | + | | | information like supported | + | | | ciphers and | + | | | mechanisms. Multiple | + | | | platforms can be defined in a | + | | | single install file. | + | | | ForwardCompatible { | + | | | IRIX:6.2:mips | + | | | SUNOS:5.5.1:sparc } | + | | | Platforms { | + | | | WINNT::x86 { | + | | | ModuleName { "Example | + | | | Module" } | + | | | ModuleFile { | + | | | win32/fort32.dll } | + | | | | + | | | DefaultMechanismFlags{0x0001} | + | | | | + | | | DefaultCipherFlags{0x0001} | + | | | Files { | + | | | win32/setup.exe { | + | | | Executable | + | | | RelativePath { | + | | | %temp%/setup.exe } | + | | | } | + | | | win32/setup.hlp { | + | | | RelativePath { | + | | | %temp%/setup.hlp } | + | | | } | + | | | win32/setup.cab { | + | | | RelativePath { | + | | | %temp%/setup.cab } | + | | | } | + | | | } | + | | | } | + | | | WIN95::x86 { | + | | | EquivalentPlatform | + | | | {WINNT::x86} | + | | | } | + | | | SUNOS:5.5.1:sparc { | + | | | ModuleName { "Example | + | | | UNIX Module" } | + | | | ModuleFile { | + | | | unix/fort.so } | + | | | | + | | | DefaultMechanismFlags{0x0001} | + | | | | + | | | CipherEnableFlags{0x0001} | + | | | Files { | + | | | unix/fort.so { | + | | | | + | | | Re | + | | | lativePath{%root%/lib/fort.so} | + | | | | + | | | AbsolutePath{/u | + | | | sr/local/netscape/lib/fort.so} | + | | | | + | | | FilePermissions{555} | + | | | } | + | | | xplat/instr.html { | + | | | | + | | | Relat | + | | | ivePath{%root%/docs/inst.html} | + | | | | + | | | AbsolutePath{/usr/ | + | | | local/netscape/docs/inst.html} | + | | | | + | | | FilePermissions{555} | + | | | } | + | | | } | + | | | } | + | | | IRIX:6.2:mips { | + | | | EquivalentPlatform { | + | | | SUNOS:5.5.1:sparc } | + | | | } | + | | | } | + | | | Script Grammar | + | | | The script is basic Java, | + | | | allowing lists, key-value | + | | | pairs, strings, and | + | | | combinations of all of | + | | | them. | + | | | --> valuelist | + | | | valuelist --> value valuelist | + | | | <null> | + | | | value ---> key_value_pair | + | | | string | + | | | key_value_pair --> key { | + | | | valuelist } | + | | | key --> string | + | | | string --> simple_string | + | | | "complex_string" | + | | | simple_string --> [^ | + | | | \\t\n\""{""}"]+ | + | | | complex_string --> | + | | | ([^\"\\\r\n]|(\\\")|(\\\\))+ | + | | | Quotes and backslashes must | + | | | be escaped with a backslash. A | + | | | complex string | + | | | must not include newlines | + | | | or carriage returns.Outside of | + | | | complex strings, | + | | | all white space (for | + | | | example, spaces, tabs, and | + | | | carriage returns) is | + | | | considered equal and is | + | | | used only to delimit tokens. | + | | | Keys | + | | | The Java install file uses | + | | | keys to define the platform | + | | | and module | + | | | information. | + | | | ForwardCompatible gives a | + | | | list of platforms that are | + | | | forward compatible. | + | | | If the current platform | + | | | cannot be found in the list of | + | | | supported | + | | | platforms, then the | + | | | ForwardCompatible list is | + | | | checked for any platforms | + | | | that have the same OS and | + | | | architecture in an earlier | + | | | version. If one is | + | | | found, its attributes are | + | | | used for the current platform. | + | | | Platforms (required) Gives | + | | | a list of platforms. Each | + | | | entry in the list is | + | | | itself a key-value pair: | + | | | the key is the name of the | + | | | platform and the value | + | | | list contains various | + | | | attributes of the platform. | + | | | The platform string is | + | | | in the format system | + | | | name:OS release:architecture. | + | | | The installer obtains | + | | | these values from NSPR. OS | + | | | release is an empty string on | + | | | non-Unix | + | | | operating systems. NSPR | + | | | supports these platforms: | + | | | o AIX (rs6000) | + | | | o BSDI (x86) | + | | | o FREEBSD (x86) | + | | | o HPUX (hppa1.1) | + | | | o IRIX (mips) | + | | | o LINUX (ppc, alpha, x86) | + | | | o MacOS (PowerPC) | + | | | o NCR (x86) | + | | | o NEC (mips) | + | | | o OS2 (x86) | + | | | o OSF (alpha) | + | | | o ReliantUNIX (mips) | + | | | o SCO (x86) | + | | | o SOLARIS (sparc) | + | | | o SONY (mips) | + | | | o SUNOS (sparc) | + | | | o UnixWare (x86) | + | | | o WIN16 (x86) | + | | | o WIN95 (x86) | + | | | o WINNT (x86) | + | | | For example: | + | | | IRIX:6.2:mips | + | | | SUNOS:5.5.1:sparc | + | | | Linux:2.0.32:x86 | + | | | WIN95::x86 | + | | | The module information is | + | | | defined independently for each | + | | | platform in the | + | | | ModuleName, ModuleFile, and | + | | | Files attributes. These | + | | | attributes must be | + | | | given unless an | + | | | EquivalentPlatform attribute | + | | | is specified. | + | | | Per-Platform Keys | + | | | Per-platform keys have | + | | | meaning only within the value | + | | | list of an entry in | + | | | the Platforms list. | + | | | ModuleName (required) gives | + | | | the common name for the | + | | | module. This name is | + | | | used to reference the | + | | | module by servers and by the | + | | | modutil tool. | + | | | ModuleFile (required) names | + | | | the PKCS #11 module file for | + | | | this platform. | + | | | The name is given as the | + | | | relative path of the file | + | | | within the JAR archive. | + | | | Files (required) lists the | + | | | files that need to be | + | | | installed for this | + | | | module. Each entry in the | + | | | file list is a key-value pair. | + | | | The key is the | + | | | path of the file in the JAR | + | | | archive, and the value list | + | | | contains | + | | | attributes of the file. At | + | | | least RelativePath or | + | | | AbsolutePath must be | + | | | specified for each file. | + | | | DefaultMechanismFlags | + | | | specifies mechanisms for which | + | | | this module is the | + | | | default provider; this is | + | | | equivalent to the -mechanism | + | | | option with the | + | | | -add command. This | + | | | key-value pair is a bitstring | + | | | specified in hexadecimal | + | | | (0x) format. It is | + | | | constructed as a bitwise OR. | + | | | If the | + | | | DefaultMechanismFlags entry | + | | | is omitted, the value defaults | + | | | to 0x0. | + | | | RSA: | + | | | 0x00000001 | + | | | DSA: | + | | | 0x00000002 | + | | | RC2: | + | | | 0x00000004 | + | | | RC4: | + | | | 0x00000008 | + | | | DES: | + | | | 0x00000010 | + | | | DH: | + | | | 0x00000020 | + | | | FORTEZZA: | + | | | 0x00000040 | + | | | RC5: | + | | | 0x00000080 | + | | | SHA1: | + | | | 0x00000100 | + | | | MD5: | + | | | 0x00000200 | + | | | MD2: | + | | | 0x00000400 | + | | | RANDOM: | + | | | 0x08000000 | + | | | FRIENDLY: | + | | | 0x10000000 | + | | | OWN_PW_DEFAULTS: | + | | | 0x20000000 | + | | | DISABLE: | + | | | 0x40000000 | + | | | CipherEnableFlags specifies | + | | | ciphers that this module | + | | | provides that NSS | + | | | does not provide (so that | + | | | the module enables those | + | | | ciphers for NSS). This | + | | | is equivalent to the | + | | | -cipher argument with the -add | + | | | command. This key is a | + | | | bitstring specified in | + | | | hexadecimal (0x) format. It is | + | | | constructed as a | + | | | bitwise OR. If the | + | | | CipherEnableFlags entry is | + | | | omitted, the value defaults | + | | | to 0x0. | + | | | EquivalentPlatform | + | | | specifies that the attributes | + | | | of the named platform | + | | | should also be used for the | + | | | current platform. This makes | + | | | it easier when | + | | | more than one platform uses | + | | | the same settings. | + | | | Per-File Keys | + | | | Some keys have meaning only | + | | | within the value list of an | + | | | entry in a Files | + | | | list. | + | | | Each file requires a path | + | | | key the identifies where the | + | | | file is. Either | + | | | RelativePath or | + | | | AbsolutePath must be | + | | | specified. If both are | + | | | specified, the | + | | | relative path is tried | + | | | first, and the absolute path | + | | | is used only if no | + | | | relative root directory is | + | | | provided by the installer | + | | | program. | + | | | RelativePath specifies the | + | | | destination directory of the | + | | | file, relative to | + | | | some directory decided at | + | | | install time. Two variables | + | | | can be used in the | + | | | relative path: %root% and | + | | | %temp%. %root% is replaced at | + | | | run time with the | + | | | directory relative to which | + | | | files should be installed; for | + | | | example, it may | + | | | be the server's root | + | | | directory. The %temp% | + | | | directory is created at the | + | | | beginning of the | + | | | installation and destroyed at | + | | | the end. The purpose of | + | | | %temp% is to hold | + | | | executable files (such as | + | | | setup programs) or files that | + | | | are used by these programs. | + | | | Files destined for the | + | | | temporary directory are | + | | | guaranteed to be in place | + | | | before any executable file is | + | | | run; they are not | + | | | deleted until all | + | | | executable files have | + | | | finished. | + | | | AbsolutePath specifies the | + | | | destination directory of the | + | | | file as an | + | | | absolute path. | + | | | Executable specifies that | + | | | the file is to be executed | + | | | during the course of | + | | | the installation. | + | | | Typically, this string is used | + | | | for a setup program | + | | | provided by a module | + | | | vendor, such as a | + | | | self-extracting setup | + | | | executable. | + | | | More than one file can be | + | | | specified as executable, in | + | | | which case the files | + | | | are run in the order in | + | | | which they are specified in | + | | | the script file. | + | | | FilePermissions sets | + | | | permissions on any referenced | + | | | files in a string of | + | | | octal digits, according to | + | | | the standard Unix format. This | + | | | string is a | + | | | bitwise OR. | + | | | user read: | + | | | 0400 | + | | | user write: | + | | | 0200 | + | | | user execute: | + | | | 0100 | + | | | group read: | + | | | 0040 | + | | | group write: | + | | | 0020 | + | | | group execute: | + | | | 0010 | + | | | other read: | + | | | 0004 | + | | | other write: | + | | | 0002 | + | | | other execute: 0001 | + | | | Some platforms may not | + | | | understand these permissions. | + | | | They are applied only | + | | | insofar as they make sense | + | | | for the current platform. If | + | | | this attribute is | + | | | omitted, a default of 777 | + | | | is assumed. | + | | | NSS Database Types | + | | | NSS originally used | + | | | BerkeleyDB databases to store | + | | | security information. | + | | | The last versions of these | + | | | legacy databases are: | + | | | o cert8.db for | + | | | certificates | + | | | o key3.db for keys | + | | | o secmod.db for PKCS #11 | + | | | module information | + | | | BerkeleyDB has performance | + | | | limitations, though, which | + | | | prevent it from | + | | | being easily used by | + | | | multiple applications | + | | | simultaneously. NSS has some | + | | | flexibility that allows | + | | | applications to use their own, | + | | | independent | + | | | database engine while | + | | | keeping a shared database and | + | | | working around the | + | | | access issues. Still, NSS | + | | | requires more flexibility to | + | | | provide a truly | + | | | shared security database. | + | | | In 2009, NSS introduced a | + | | | new set of databases that are | + | | | SQLite databases | + | | | rather than BerkleyDB. | + | | | These new databases provide | + | | | more accessibility and | + | | | performance: | + | | | o cert9.db for | + | | | certificates | + | | | o key4.db for keys | + | | | o pkcs11.txt, which is | + | | | listing of all of the PKCS #11 | + | | | modules contained | + | | | in a new subdirectory | + | | | in the security databases | + | | | directory | + | | | Because the SQLite | + | | | databases are designed to be | + | | | shared, these are the | + | | | shared database type. The | + | | | shared database type is | + | | | preferred; the legacy | + | | | format is included for | + | | | backward compatibility. | + | | | By default, the tools | + | | | (certutil, pk12util, modutil) | + | | | assume that the given | + | | | security databases follow | + | | | the more common legacy type. | + | | | Using the SQLite | + | | | databases must be manually | + | | | specified by using the sql: | + | | | prefix with the | + | | | given security directory. | + | | | For example: | + | | | modutil -create -dbdir | + | | | sql:/home/my/sharednssdb | + | | | To set the shared database | + | | | type as the default type for | + | | | the tools, set the | + | | | NSS_DEFAULT_DB_TYPE | + | | | environment variable to sql: | + | | | export | + | | | NSS_DEFAULT_DB_TYPE="sql" | + | | | This line can be set added | + | | | to the ~/.bashrc file to make | + | | | the change | + | | | permanent. | + | | | Most applications do not | + | | | use the shared database by | + | | | default, but they can | + | | | be configured to use them. | + | | | For example, this how-to | + | | | article covers how to | + | | | configure Firefox and | + | | | Thunderbird to use the new | + | | | shared NSS databases: | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | For an engineering draft on | + | | | the changes in the shared NSS | + | | | databases, see | + | | | the NSS project wiki: | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | See Also | + | | | certutil (1) | + | | | pk12util (1) | + | | | signtool (1) | + | | | The NSS wiki has | + | | | information on the new | + | | | database design and how to | + | | | configure applications to | + | | | use it. | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [2]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ <https://www.mozilla.org/p | + | | | rojects/security/pki/nss/>`__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | <emaldona@redhat.com>, Deon | + | | | Lackey | + | | | <dlackey@redhat.com>. | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. JAR Installation File | + | | | Format | + | | | | + | | | ``file:///tmp/xmlto.6gGxS0/ | + | | | modutil.pro...r-install-file`` | + | | | 2. | + | | | https://www.mozilla. | + | | | org/projects/security/pki/nss/ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 342 | :ref:`mozilla_projects_nss_t | | + | | ools_nss_tools_certutil-tasks` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 343 | :ref:`mozilla_projects | **certificates, x509v3** | + | | _nss_tools_nss_tools_certutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Certificate Database Tool | + | | | is a command-line utility that | + | | | can create and modify the | + | | | Netscape Communicator | + | | | ``cert8.db`` and | + | | | ``key3.db``\ database files. | + | | | It can also list, generate, | + | | | modify, or delete certificates | + | | | within the ``cert8.db``\ file | + | | | and create or change the | + | | | password, generate new public | + | | | and private key pairs, display | + | | | the contents of the key | + | | | database, or delete key pairs | + | | | within the ``key3.db`` file. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 344 | :ref:`mozilla_project | | + | | s_nss_tools_nss_tools_cmsutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The cmsutil command-line | + | | | utility uses the `S/MIME | + | | | Toolkit <../smime/>`__ to | + | | | perform basic operations, such | + | | | as encryption and decryption, | + | | | on `Cryptographic Message | + | | | Syntax (CMS) <http://ww | + | | | w.ietf.org/rfc/rfc2630.txt>`__ | + | | | messages. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 345 | :ref:`mozilla_project | | + | | s_nss_tools_nss_tools_crlutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 346 | :ref:`mozilla_projects_n | | + | | ss_tools_nss_tools_dbck-tasks` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 347 | :ref:`mozilla_projects_nss_ | | + | | tools_nss_tools_modutil-tasks` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 348 | :ref:`mozilla_project | | + | | s_nss_tools_nss_tools_modutil` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The Security Module Database | + | | | Tool is a command-line utility | + | | | for managing PKCS #11 module | + | | | information within | + | | | ``secmod.db`` files or within | + | | | hardware tokens. You can use | + | | | the tool to add and delete | + | | | PKCS #11 modules, change | + | | | passwords, set defaults, list | + | | | module contents, enable or | + | | | disable slots, enable or | + | | | disable FIPS 140-2 compliance, | + | | | and assign default providers | + | | | for cryptographic operations. | + | | | This tool can also create | + | | | ``key3.db``, ``cert8.db``, and | + | | | ``secmod.db`` security | + | | | database files. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 349 | :ref:`mozilla_projects_nss_t | | + | | ools_nss_tools_pk12util-tasks` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Newsgroup: | + | | | `mozilla.dev.tech | + | | | .crypto <news://news.mozilla.o | + | | | rg/mozilla.dev.tech.crypto>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 350 | :ref:`mozilla_projects | | + | | _nss_tools_nss_tools_pk12util` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The PKCS #12 utility makes | + | | | sharing of certificates among | + | | | Enterprise server 3.x and any | + | | | server (Netscape products or | + | | | non-Netscape products) that | + | | | supports PKCS#12 possible. The | + | | | tool allows you to import | + | | | certificates and keys from | + | | | pkcs #12 files into NSS or | + | | | export them and also list | + | | | certificates and keys in such | + | | | files. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 351 | :ref:`mozilla_projects_nss_ | | + | | tools_nss_tools_signver-tasks` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | *No summary!* | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 352 | :ref:`mozilla_projects_ns | | + | | s_tools_nss_tools_sslstrength` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | A simple command-line client | + | | | which connects to an | + | | | SSL-server, and reports back | + | | | the encryption cipher and | + | | | strength used. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 353 | :ref:`mozilla_projec | | + | | ts_nss_tools_nss_tools_ssltap` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The SSL Debugging Tool is an | + | | | SSL-aware command-line proxy. | + | | | It watches TCP connections and | + | | | displays the data going by. If | + | | | a connection is SSL, the data | + | | | display includes interpreted | + | | | SSL records and handshaking. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 354 | :ref:`mozill | | + | | a_projects_nss_tools_pk12util` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | pk12util — Export and | + | | | import keys and certificate to | + | | | or from a PKCS #12 | + | | | file and the NSS database | + | | | Synopsis | + | | | pk12util [-i p12File [-h | + | | | tokenname] [-v] | + | | | [common-options] ] [ -l | + | | | p12File | + | | | [-h tokenname] [-r] | + | | | [common-options] ] [ -o | + | | | p12File -n certname [-c | + | | | keyCipher] [-C certCipher] | + | | | [-m|--key_len keyLen] | + | | | [-n|--cert_key_len | + | | | certKeyLen] | + | | | [common-options] ] [ | + | | | common-options are: [-d | + | | | [sql:]directory] | + | | | [-P dbprefix] [-k | + | | | slotPasswordFile|-K | + | | | slotPassword] [-w | + | | | p12filePasswordFile|-W | + | | | p12filePassword] ] | + | | | Description | + | | | The PKCS #12 utility, | + | | | pk12util, enables sharing | + | | | certificates among any | + | | | server that supports | + | | | PKCS#12. The tool can import | + | | | certificates and keys | + | | | from PKCS#12 files into | + | | | security databases, export | + | | | certificates, and list | + | | | certificates and keys. | + | | | Options and Arguments | + | | | Options | + | | | -i p12file | + | | | Import keys and | + | | | certificates from a PKCS#12 | + | | | file into a security | + | | | database. | + | | | -l p12file | + | | | List the keys and | + | | | certificates in PKCS#12 file. | + | | | -o p12file | + | | | Export keys and | + | | | certificates from the security | + | | | database to a | + | | | PKCS#12 file. | + | | | Arguments | + | | | -n certname | + | | | Specify the | + | | | nickname of the cert and | + | | | private key to export. | + | | | -d [sql:]directory | + | | | Specify the | + | | | database directory into which | + | | | to import to or export | + | | | from certificates | + | | | and keys. | + | | | pk12util supports | + | | | two types of databases: the | + | | | legacy security | + | | | databases | + | | | (cert8.db, key3.db, and | + | | | secmod.db) and new SQLite | + | | | databases | + | | | (cert9.db, key4.db, and | + | | | pkcs11.txt). If the prefix | + | | | sql: | + | | | is not used, then | + | | | the tool assumes that the | + | | | given databases are in | + | | | the old format. | + | | | -P prefix | + | | | Specify the prefix | + | | | used on the certificate and | + | | | key databases. This | + | | | option is provided | + | | | as a special case. Changing | + | | | the names of the | + | | | certificate and key | + | | | databases is not recommended. | + | | | -h tokenname | + | | | Specify the name of | + | | | the token to import into or | + | | | export from. | + | | | -v | + | | | Enable debug | + | | | logging when importing. | + | | | -k slotPasswordFile | + | | | Specify the text | + | | | file containing the slot's | + | | | password. | + | | | -K slotPassword | + | | | Specify the slot's | + | | | password. | + | | | -w p12filePasswordFile | + | | | Specify the text | + | | | file containing the pkcs #12 | + | | | file password. | + | | | -W p12filePassword | + | | | Specify the pkcs | + | | | #12 file password. | + | | | -c keyCipher | + | | | Specify the key | + | | | encryption algorithm. | + | | | -C certCipher | + | | | Specify the key | + | | | cert (overall package) | + | | | encryption algorithm. | + | | | -m \| --key-len keyLength | + | | | Specify the desired | + | | | length of the symmetric key to | + | | | be used to | + | | | encrypt the private | + | | | key. | + | | | -n \| --cert-key-len | + | | | certKeyLength | + | | | Specify the desired | + | | | length of the symmetric key to | + | | | be used to | + | | | encrypt the | + | | | certificates and other | + | | | meta-data. | + | | | -r | + | | | Dumps all of the | + | | | data in raw (binary) form. | + | | | This must be saved as | + | | | a DER file. The | + | | | default is to return | + | | | information in a pretty-print | + | | | ASCII format, which | + | | | displays the information about | + | | | the | + | | | certificates and | + | | | public keys in the p12 file. | + | | | Return Codes | + | | | o 0 - No error | + | | | o 1 - User Cancelled | + | | | o 2 - Usage error | + | | | o 6 - NLS init error | + | | | o 8 - Certificate DB open | + | | | error | + | | | o 9 - Key DB open error | + | | | o 10 - File | + | | | initialization error | + | | | o 11 - Unicode conversion | + | | | error | + | | | o 12 - Temporary file | + | | | creation error | + | | | o 13 - PKCS11 get slot | + | | | error | + | | | o 14 - PKCS12 decoder | + | | | start error | + | | | o 15 - error read from | + | | | import file | + | | | o 16 - pkcs12 decode | + | | | error | + | | | o 17 - pkcs12 decoder | + | | | verify error | + | | | o 18 - pkcs12 decoder | + | | | validate bags error | + | | | o 19 - pkcs12 decoder | + | | | import bags error | + | | | o 20 - key db conversion | + | | | version 3 to version 2 error | + | | | o 21 - cert db conversion | + | | | version 7 to version 5 error | + | | | o 22 - cert and key dbs | + | | | patch error | + | | | o 23 - get default cert | + | | | db error | + | | | o 24 - find cert by | + | | | nickname error | + | | | o 25 - create export | + | | | context error | + | | | o 26 - PKCS12 add | + | | | password itegrity error | + | | | o 27 - cert and key Safes | + | | | creation error | + | | | o 28 - PKCS12 add cert | + | | | and key error | + | | | o 29 - PKCS12 encode | + | | | error | + | | | Examples | + | | | Importing Keys and | + | | | Certificates | + | | | The most basic usage of | + | | | pk12util for importing a | + | | | certificate or key is the | + | | | PKCS#12 input file (-i) and | + | | | some way to specify the | + | | | security database | + | | | being accessed (either -d | + | | | for a directory or -h for a | + | | | token). | + | | | pk12util -i p12File [-h | + | | | tokenname] [-v] [-d | + | | | [sql:]directory] [-P dbprefix] | + | | | [-k slotPasswordFile|-K | + | | | slotPassword] [-w | + | | | p12filePasswordFile|-W | + | | | p12filePassword] | + | | | For example: | + | | | # pk12util -i | + | | | /tmp/cert-files/users.p12 -d | + | | | sql:/home/my/sharednssdb | + | | | Enter a password which will | + | | | be used to encrypt your keys. | + | | | The password should be at | + | | | least 8 characters long, | + | | | and should contain at least | + | | | one non-alphabetic character. | + | | | Enter new password: | + | | | Re-enter password: | + | | | Enter password for PKCS12 | + | | | file: | + | | | pk12util: PKCS12 IMPORT | + | | | SUCCESSFUL | + | | | Exporting Keys and | + | | | Certificates | + | | | Using the pk12util command | + | | | to export certificates and | + | | | keys requires both | + | | | the name of the certificate | + | | | to extract from the database | + | | | (-n) and the | + | | | PKCS#12-formatted output | + | | | file to write to. There are | + | | | optional parameters | + | | | that can be used to encrypt | + | | | the file to protect the | + | | | certificate material. | + | | | pk12util -o p12File -n | + | | | certname [-c keyCipher] [-C | + | | | certCipher] [-m|--key_len | + | | | keyLen] [-n|--cert_key_len | + | | | certKeyLen] [-d | + | | | [sql:]directory] [-P dbprefix] | + | | | [-k slotPasswordFile|-K | + | | | slotPassword] [-w | + | | | p12filePasswordFile|-W | + | | | p12filePassword] | + | | | For example: | + | | | # pk12util -o certs.p12 -n | + | | | Server-Cert -d | + | | | sql:/home/my/sharednssdb | + | | | Enter password for PKCS12 | + | | | file: | + | | | Re-enter password: | + | | | Listing Keys and | + | | | Certificates | + | | | The information in a .p12 | + | | | file are not human-readable. | + | | | The certificates | + | | | and keys in the file can be | + | | | printed (listed) in a | + | | | human-readable | + | | | pretty-print format that | + | | | shows information for every | + | | | certificate and any | + | | | public keys in the .p12 | + | | | file. | + | | | pk12util -l p12File [-h | + | | | tokenname] [-r] [-d | + | | | [sql:]directory] [-P dbprefix] | + | | | [-k slotPasswordFile|-K | + | | | slotPassword] [-w | + | | | p12filePasswordFile|-W | + | | | p12filePassword] | + | | | For example, this prints | + | | | the default ASCII output: | + | | | # pk12util -l certs.p12 | + | | | Enter password for PKCS12 | + | | | file: | + | | | Key(shrouded): | + | | | Friendly Name: Thawte | + | | | Freemail Member's Thawte | + | | | Consulting (Pty) Ltd. ID | + | | | Encryption algorithm: | + | | | PKCS #12 V2 PBE With SHA-1 And | + | | | 3KEY Triple DES-CBC | + | | | Parameters: | + | | | Salt: | + | | | | + | | | 45:2e:6a:a0:03:4d | + | | | :7b:a1:63:3c:15:ea:67:37:62:1f | + | | | Iteration Count: | + | | | 1 (0x1) | + | | | Certificate: | + | | | Data: | + | | | Version: 3 (0x2) | + | | | Serial Number: 13 | + | | | (0xd) | + | | | Signature Algorithm: | + | | | PKCS #1 SHA-1 With RSA | + | | | Encryption | + | | | Issuer: | + | | | "E=personal | + | | | -freemail@thawte.com,CN=Thawte | + | | | Personal Freemail C | + | | | | + | | | A,OU=Certification Services | + | | | Division,O=Thawte | + | | | Consulting,L=Cape T | + | | | own,ST=Western | + | | | Cape,C=ZA" | + | | | .... | + | | | Alternatively, the -r | + | | | prints the certificates and | + | | | then exports them into | + | | | separate DER binary files. | + | | | This allows the certificates | + | | | to be fed to | + | | | another application that | + | | | supports .p12 files. Each | + | | | certificate is written | + | | | to a sequentially-number | + | | | file, beginning with | + | | | file0001.der and continuing | + | | | through file000N.der, | + | | | incrementing the number for | + | | | every certificate: | + | | | # pk12util -l test.p12 -r | + | | | Enter password for PKCS12 | + | | | file: | + | | | Key(shrouded): | + | | | Friendly Name: Thawte | + | | | Freemail Member's Thawte | + | | | Consulting (Pty) Ltd. ID | + | | | Encryption algorithm: | + | | | PKCS #12 V2 PBE With SHA-1 And | + | | | 3KEY Triple DES-CBC | + | | | Parameters: | + | | | Salt: | + | | | | + | | | 45:2e:6a:a0:03:4d | + | | | :7b:a1:63:3c:15:ea:67:37:62:1f | + | | | Iteration Count: | + | | | 1 (0x1) | + | | | Certificate Friendly Name: | + | | | Thawte Personal Freemail | + | | | Issuing CA - Thawte Consulting | + | | | Certificate Friendly Name: | + | | | Thawte Freemail Member's | + | | | Thawte Consulting (Pty) Ltd. | + | | | ID | + | | | Password Encryption | + | | | PKCS#12 provides for not | + | | | only the protection of the | + | | | private keys but also | + | | | the certificate and | + | | | meta-data associated with the | + | | | keys. Password-based | + | | | encryption is used to | + | | | protect private keys on export | + | | | to a PKCS#12 file | + | | | and, optionally, the entire | + | | | package. If no algorithm is | + | | | specified, the | + | | | tool defaults to using | + | | | PKCS12 V2 PBE with SHA1 and | + | | | 3KEY Triple DES-cbc for | + | | | private key encryption. | + | | | PKCS12 V2 PBE with SHA1 and 40 | + | | | Bit RC4 is the | + | | | default for the overall | + | | | package encryption when not in | + | | | FIPS mode. When in | + | | | FIPS mode, there is no | + | | | package encryption. | + | | | The private key is always | + | | | protected with strong | + | | | encryption by default. | + | | | Several types of ciphers | + | | | are supported. | + | | | Symmetric CBC ciphers for | + | | | PKCS#5 V2 | + | | | DES_CBC | + | | | o RC2-CBC | + | | | o RC5-CBCPad | + | | | o DES-EDE3-CBC | + | | | (the default for key | + | | | encryption) | + | | | o AES-128-CBC | + | | | o AES-192-CBC | + | | | o AES-256-CBC | + | | | | + | | | o CAMELLIA-128-CBC | + | | | | + | | | o CAMELLIA-192-CBC | + | | | | + | | | o CAMELLIA-256-CBC | + | | | PKCS#12 PBE ciphers | + | | | PKCS #12 PBE with | + | | | Sha1 and 128 Bit RC4 | + | | | o PKCS #12 PBE | + | | | with Sha1 and 40 Bit RC4 | + | | | o PKCS #12 PBE | + | | | with Sha1 and Triple DES CBC | + | | | o PKCS #12 PBE | + | | | with Sha1 and 128 Bit RC2 CBC | + | | | o PKCS #12 PBE | + | | | with Sha1 and 40 Bit RC2 CBC | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 128 Bit RC4 | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 40 Bit RC4 (the | + | | | default for | + | | | non-FIPS mode) | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 3KEY Triple | + | | | DES-cbc | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 2KEY Triple | + | | | DES-cbc | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 128 Bit RC2 CBC | + | | | o PKCS12 V2 PBE | + | | | with SHA1 and 40 Bit RC2 CBC | + | | | PKCS#5 PBE ciphers | + | | | PKCS #5 Password | + | | | Based Encryption with MD2 and | + | | | DES CBC | + | | | o PKCS #5 | + | | | Password Based Encryption with | + | | | MD5 and DES CBC | + | | | o PKCS #5 | + | | | Password Based Encryption with | + | | | SHA1 and DES CBC | + | | | With PKCS#12, the crypto | + | | | provider may be the soft token | + | | | module or an | + | | | external hardware module. | + | | | If the cryptographic module | + | | | does not support the | + | | | requested algorithm, then | + | | | the next best fit will be | + | | | selected (usually the | + | | | default). If no suitable | + | | | replacement for the desired | + | | | algorithm can be | + | | | found, the tool returns the | + | | | error no security module can | + | | | perform the | + | | | requested operation. | + | | | NSS Database Types | + | | | NSS originally used | + | | | BerkeleyDB databases to store | + | | | security information. | + | | | The last versions of these | + | | | legacy databases are: | + | | | o cert8.db for | + | | | certificates | + | | | o key3.db for keys | + | | | o secmod.db for PKCS #11 | + | | | module information | + | | | BerkeleyDB has performance | + | | | limitations, though, which | + | | | prevent it from | + | | | being easily used by | + | | | multiple applications | + | | | simultaneously. NSS has some | + | | | flexibility that allows | + | | | applications to use their own, | + | | | independent | + | | | database engine while | + | | | keeping a shared database and | + | | | working around the | + | | | access issues. Still, NSS | + | | | requires more flexibility to | + | | | provide a truly | + | | | shared security database. | + | | | In 2009, NSS introduced a | + | | | new set of databases that are | + | | | SQLite databases | + | | | rather than BerkleyDB. | + | | | These new databases provide | + | | | more accessibility and | + | | | performance: | + | | | o cert9.db for | + | | | certificates | + | | | o key4.db for keys | + | | | o pkcs11.txt, which is | + | | | listing of all of the PKCS #11 | + | | | modules contained | + | | | in a new subdirectory | + | | | in the security databases | + | | | directory | + | | | Because the SQLite | + | | | databases are designed to be | + | | | shared, these are the | + | | | shared database type. The | + | | | shared database type is | + | | | preferred; the legacy | + | | | format is included for | + | | | backward compatibility. | + | | | By default, the tools | + | | | (certutil, pk12util, modutil) | + | | | assume that the given | + | | | security databases follow | + | | | the more common legacy type. | + | | | Using the SQLite | + | | | databases must be manually | + | | | specified by using the sql: | + | | | prefix with the | + | | | given security directory. | + | | | For example: | + | | | # pk12util -i | + | | | /tmp/cert-files/users.p12 -d | + | | | sql:/home/my/sharednssdb | + | | | To set the shared database | + | | | type as the default type for | + | | | the tools, set the | + | | | NSS_DEFAULT_DB_TYPE | + | | | environment variable to sql: | + | | | export | + | | | NSS_DEFAULT_DB_TYPE="sql" | + | | | This line can be set added | + | | | to the ~/.bashrc file to make | + | | | the change | + | | | permanent. | + | | | Most applications do not | + | | | use the shared database by | + | | | default, but they can | + | | | be configured to use them. | + | | | For example, this how-to | + | | | article covers how to | + | | | configure Firefox and | + | | | Thunderbird to use the new | + | | | shared NSS databases: | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | For an engineering draft on | + | | | the changes in the shared NSS | + | | | databases, see | + | | | the NSS project wiki: | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | See Also | + | | | certutil (1) | + | | | modutil (1) | + | | | The NSS wiki has | + | | | information on the new | + | | | database design and how to | + | | | configure applications to | + | | | use it. | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ <https://www.mozilla.org/p | + | | | rojects/security/pki/nss/>`__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | <emaldona@redhat.com>, Deon | + | | | Lackey | + | | | <dlackey@redhat.com>. | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ <https://www.mozilla.org/ | + | | | projects/security/pki/nss/>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 355 | :ref:`mozill | | + | | a_projects_nss_tools_signtool` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | signtool — Digitally sign | + | | | objects and files. | + | | | Synopsis | + | | | signtool [-k keyName] | + | | | `-h <-h>`__ `-H <-H>`__ | + | | | `-l <-l>`__ `-L <-L>`__ | + | | | `-M <-M>`__ `-v <-v>`__ | + | | | `-w <-w>`__ | + | | | `-G | + | | | nickname <-G_nickname>`__ `-s | + | | | size <--keysize>`__ `-b | + | | | basename <-b_basename>`__ [[-c | + | | | Compression | + | | | Level] ] [[-d cert-dir] ] | + | | | [[-i installer script] ] [[-m | + | | | metafile] ] [[-x | + | | | name] ] [[-f filename] ] | + | | | [[-t|--token tokenname] ] [[-e | + | | | extension] ] [[-o] | + | | | ] [[-z] ] [[-X] ] | + | | | [[--outfile] ] [[--verbose | + | | | value] ] [[--norecurse] ] | + | | | [[--leavearc] ] [[-j | + | | | directory] ] [[-Z jarfile] ] | + | | | [[-O] ] [[-p password] ] | + | | | [directory-tree] [archive] | + | | | Description | + | | | The Signing Tool, signtool, | + | | | creates digital signatures and | + | | | uses a Java | + | | | Archive (JAR) file to | + | | | associate the signatures with | + | | | files in a directory. | + | | | Electronic software | + | | | distribution over any network | + | | | involves potential | + | | | security problems. To help | + | | | address some of these | + | | | problems, you can | + | | | associate digital | + | | | signatures with the files in a | + | | | JAR archive. Digital | + | | | signatures allow | + | | | SSL-enabled clients to perform | + | | | two important operations: | + | | | \* Confirm the identity of | + | | | the individual, company, or | + | | | other entity whose | + | | | digital signature is | + | | | associated with the files | + | | | \* Check whether the files | + | | | have been tampered with since | + | | | being signed | + | | | If you have a signing | + | | | certificate, you can use | + | | | Netscape Signing Tool to | + | | | digitally sign files and | + | | | package them as a JAR file. An | + | | | object-signing | + | | | certificate is a special | + | | | kind of certificate that | + | | | allows you to associate | + | | | your digital signature with | + | | | one or more files. | + | | | An individual file can | + | | | potentially be signed with | + | | | multiple digital | + | | | signatures. For example, a | + | | | commercial software developer | + | | | might sign the | + | | | files that constitute a | + | | | software product to prove that | + | | | the files are | + | | | indeed from a particular | + | | | company. A network | + | | | administrator manager might | + | | | sign the same files with an | + | | | additional digital signature | + | | | based on a | + | | | company-generated | + | | | certificate to indicate that | + | | | the product is approved for | + | | | use within the company. | + | | | The significance of a | + | | | digital signature is | + | | | comparable to the significance | + | | | of a handwritten signature. | + | | | Once you have signed a file, | + | | | it is difficult | + | | | to claim later that you | + | | | didn't sign it. In some | + | | | situations, a digital | + | | | signature may be considered | + | | | as legally binding as a | + | | | handwritten signature. | + | | | Therefore, you should take | + | | | great care to ensure that you | + | | | can stand behind | + | | | any file you sign and | + | | | distribute. | + | | | For example, if you are a | + | | | software developer, you should | + | | | test your code to | + | | | make sure it is virus-free | + | | | before signing it. Similarly, | + | | | if you are a | + | | | network administrator, you | + | | | should make sure, before | + | | | signing any code, that | + | | | it comes from a reliable | + | | | source and will run correctly | + | | | with the software | + | | | installed on the machines | + | | | to which you are distributing | + | | | it. | + | | | Before you can use Netscape | + | | | Signing Tool to sign files, | + | | | you must have an | + | | | object-signing certificate, | + | | | which is a special certificate | + | | | whose | + | | | associated private key is | + | | | used to create digital | + | | | signatures. For testing | + | | | purposes only, you can | + | | | create an object-signing | + | | | certificate with Netscape | + | | | Signing Tool 1.3. When | + | | | testing is finished and you | + | | | are ready to | + | | | disitribute your software, | + | | | you should obtain an | + | | | object-signing certificate | + | | | from one of two kinds of | + | | | sources: | + | | | \* An independent | + | | | certificate authority (CA) | + | | | that authenticates your | + | | | identity and charges you a | + | | | fee. You typically get a | + | | | certificate from an | + | | | independent CA if you want | + | | | to sign software that will be | + | | | distributed over | + | | | the Internet. | + | | | \* CA server software | + | | | running on your corporate | + | | | intranet or extranet. | + | | | Netscape Certificate | + | | | Management System provides a | + | | | complete management | + | | | solution for creating, | + | | | deploying, and managing | + | | | certificates, including CAs | + | | | that issue object-signing | + | | | certificates. | + | | | You must also have a | + | | | certificate for the CA that | + | | | issues your signing | + | | | certificate before you can | + | | | sign files. If the certificate | + | | | authority's | + | | | certificate isn't already | + | | | installed in your copy of | + | | | Communicator, you | + | | | typically install it by | + | | | clicking the appropriate link | + | | | on the certificate | + | | | authority's web site, for | + | | | example on the page from which | + | | | you initiated | + | | | enrollment for your signing | + | | | certificate. This is the case | + | | | for some test | + | | | certificates, as well as | + | | | certificates issued by | + | | | Netscape Certificate | + | | | Management System: you must | + | | | download the CA certificate in | + | | | addition to | + | | | obtaining your own signing | + | | | certificate. CA certificates | + | | | for several | + | | | certificate authorities are | + | | | preinstalled in the | + | | | Communicator certificate | + | | | database. | + | | | When you receive an | + | | | object-signing certificate for | + | | | your own use, it is | + | | | automatically installed in | + | | | your copy of the Communicator | + | | | client software. | + | | | Communicator supports the | + | | | public-key cryptography | + | | | standard known as PKCS | + | | | #12, which governs key | + | | | portability. You can, for | + | | | example, move an | + | | | object-signing certificate | + | | | and its associated private key | + | | | from one | + | | | computer to another on a | + | | | credit-card-sized device | + | | | called a smart card. | + | | | Options | + | | | -b basename | + | | | Specifies the base | + | | | filename for the .rsa and .sf | + | | | files in the | + | | | META-INF directory | + | | | to conform with the JAR | + | | | format. For example, -b | + | | | signatures causes | + | | | the files to be named | + | | | signatures.rsa and | + | | | signatures.sf. The | + | | | default is signtool. | + | | | -c# | + | | | Specifies the | + | | | compression level for the -J | + | | | or -Z option. The | + | | | symbol # represents | + | | | a number from 0 to 9, where 0 | + | | | means no | + | | | compression and 9 | + | | | means maximum compression. The | + | | | higher the level | + | | | of compression, the | + | | | smaller the output but the | + | | | longer the | + | | | operation takes. If | + | | | the -c# option is not used | + | | | with either the -J | + | | | or the -Z option, | + | | | the default compression value | + | | | used by both the | + | | | -J and -Z options | + | | | is 6. | + | | | -d certdir | + | | | Specifies your | + | | | certificate database | + | | | directory; that is, the | + | | | directory in which | + | | | you placed your key3.db and | + | | | cert7.db files. To | + | | | specify the current | + | | | directory, use "-d." | + | | | (including the period). | + | | | The Unix version of | + | | | signtool assumes ~/.netscape | + | | | unless told | + | | | otherwise. The NT | + | | | version of signtool always | + | | | requires the use of | + | | | the -d option to | + | | | specify where the database | + | | | files are located. | + | | | -e extension | + | | | Tells signtool to | + | | | sign only files with the given | + | | | extension; for | + | | | example, use | + | | | -e".class" to sign only Java | + | | | class files. Note that | + | | | with Netscape | + | | | Signing Tool version 1.1 and | + | | | later this option can | + | | | appear multiple | + | | | times on one command line, | + | | | making it possible to | + | | | specify multiple | + | | | file types or classes to | + | | | include. | + | | | -f commandfile | + | | | Specifies a text | + | | | file containing Netscape | + | | | Signing Tool options and | + | | | arguments in | + | | | keyword=value format. All | + | | | options and arguments can | + | | | be expressed | + | | | through this file. For more | + | | | information about the | + | | | syntax used with | + | | | this file, see "Tips and | + | | | Techniques". | + | | | -i scriptname | + | | | Specifies the name | + | | | of an installer script for | + | | | SmartUpdate. This | + | | | script installs | + | | | files from the JAR archive in | + | | | the local system | + | | | after SmartUpdate | + | | | has validated the digital | + | | | signature. For more | + | | | details, see the | + | | | description of -m that | + | | | follows. The -i option | + | | | provides a | + | | | straightforward way to provide | + | | | this information if you | + | | | don't need to | + | | | specify any metadata other | + | | | than an installer script. | + | | | -j directory | + | | | Specifies a special | + | | | JavaScript directory. This | + | | | option causes the | + | | | specified directory | + | | | to be signed and tags its | + | | | entries as inline | + | | | JavaScript. This | + | | | special type of entry does not | + | | | have to appear in | + | | | the JAR file | + | | | itself. Instead, it is located | + | | | in the HTML page | + | | | containing the | + | | | inline scripts. When you use | + | | | signtool -v, these | + | | | entries are | + | | | displayed with the string NOT | + | | | PRESENT. | + | | | -k key ... directory | + | | | Specifies the | + | | | nickname (key) of the | + | | | certificate you want to sign | + | | | with and signs the | + | | | files in the specified | + | | | directory. The directory | + | | | to sign is always | + | | | specified as the last | + | | | command-line argument. | + | | | Thus, it is | + | | | possible to write signtool -k | + | | | MyCert -d . signdir You | + | | | may have trouble if | + | | | the nickname contains a single | + | | | quotation mark. | + | | | To avoid problems, | + | | | escape the quotation mark | + | | | using the escape | + | | | conventions for | + | | | your platform. It's also | + | | | possible to use the -k | + | | | option without | + | | | signing any files or | + | | | specifying a directory. For | + | | | example, you can | + | | | use it with the -l option to | + | | | get detailed | + | | | information about a | + | | | particular signing | + | | | certificate. | + | | | -G nickname | + | | | Generates a new | + | | | private-public key pair and | + | | | corresponding | + | | | object-signing | + | | | certificate with the given | + | | | nickname. The newly | + | | | generated keys and | + | | | certificate are installed into | + | | | the key and | + | | | certificate | + | | | databases in the directory | + | | | specified by the -d option. | + | | | With the NT version | + | | | of Netscape Signing Tool, you | + | | | must use the -d | + | | | option with the -G | + | | | option. With the Unix version | + | | | of Netscape | + | | | Signing Tool, | + | | | omitting the -d option causes | + | | | the tool to install | + | | | the keys and | + | | | certificate in the | + | | | Communicator key and | + | | | certificate | + | | | databases. If you | + | | | are installing the keys and | + | | | certificate in the | + | | | Communicator | + | | | databases, you must exit | + | | | Communicator before using | + | | | this option; | + | | | otherwise, you risk corrupting | + | | | the databases. In all | + | | | cases, the | + | | | certificate is also output to | + | | | a file named x509.cacert, | + | | | which has the | + | | | MIME-type | + | | | application/x-x509-ca-cert. | + | | | Unlike | + | | | certificates | + | | | normally used to sign finished | + | | | code to be distributed | + | | | over a network, a | + | | | test certificate created with | + | | | -G is not signed | + | | | by a recognized | + | | | certificate authority. | + | | | Instead, it is self-signed. | + | | | In addition, a | + | | | single test signing | + | | | certificate functions as both | + | | | an object-signing | + | | | certificate and a CA. When you | + | | | are using it to | + | | | sign objects, it | + | | | behaves like an object-signing | + | | | certificate. When | + | | | it is imported into | + | | | browser software such as | + | | | Communicator, it | + | | | behaves like an | + | | | object-signing CA and cannot | + | | | be used to sign | + | | | objects. The -G | + | | | option is available in | + | | | Netscape Signing Tool 1.0 | + | | | and later versions | + | | | only. By default, it produces | + | | | only RSA | + | | | certificates with | + | | | 1024-byte keys in the internal | + | | | token. However, | + | | | you can use the -s | + | | | option specify the required | + | | | key size and the -t | + | | | option to specify | + | | | the token. For more | + | | | information about the use of | + | | | the -G option, see | + | | | "Generating Test | + | | | Object-Signing | + | | | | + | | | Certificates""Generating Test | + | | | Object-Signing Certificates" | + | | | on page | + | | | 1241. | + | | | -l | + | | | Lists signing | + | | | certificates, including | + | | | issuing CAs. If any of your | + | | | certificates are | + | | | expired or invalid, the list | + | | | will so specify. | + | | | This option can be | + | | | used with the -k option to | + | | | list detailed | + | | | information about a | + | | | particular signing | + | | | certificate. The -l option | + | | | is available in | + | | | Netscape Signing Tool 1.0 and | + | | | later versions only. | + | | | -J | + | | | Signs a directory | + | | | of HTML files containing | + | | | JavaScript and creates | + | | | as many archive | + | | | files as are specified in the | + | | | HTML tags. Even if | + | | | signtool creates | + | | | more than one archive file, | + | | | you need to supply | + | | | the key database | + | | | password only once. The -J | + | | | option is available | + | | | only in Netscape | + | | | Signing Tool 1.0 and later | + | | | versions. The -J | + | | | option cannot be | + | | | used at the same time as the | + | | | -Z option. If the | + | | | -c# option is not | + | | | used with the -J option, the | + | | | default compression | + | | | value is 6. Note | + | | | that versions 1.1 and later of | + | | | Netscape Signing | + | | | Tool correctly | + | | | recognizes the CODEBASE | + | | | attribute, allows paths to | + | | | be expressed for | + | | | the CLASS and SRC attributes | + | | | instead of filenames | + | | | only, processes | + | | | LINK tags and parses HTML | + | | | correctly, and offers | + | | | clearer error | + | | | messages. | + | | | -L | + | | | Lists the | + | | | certificates in your database. | + | | | An asterisk appears to | + | | | the left of the | + | | | nickname for any certificate | + | | | that can be used to | + | | | sign objects with | + | | | signtool. | + | | | --leavearc | + | | | Retains the | + | | | temporary .arc (archive) | + | | | directories that the -J | + | | | option creates. | + | | | These directories are | + | | | automatically erased by | + | | | default. Retaining | + | | | the temporary directories can | + | | | be an aid to | + | | | debugging. | + | | | -m metafile | + | | | Specifies the name | + | | | of a metadata control file. | + | | | Metadata is signed | + | | | information | + | | | attached either to the JAR | + | | | archive itself or to files | + | | | within the archive. | + | | | This metadata can be any ASCII | + | | | string, but is | + | | | used mainly for | + | | | specifying an installer | + | | | script. The metadata file | + | | | contains one entry | + | | | per line, each with three | + | | | fields: field #1: | + | | | file specification, | + | | | or + if you want to specify | + | | | global metadata | + | | | (that is, metadata | + | | | about the JAR archive itself | + | | | or all entries in | + | | | the archive) field | + | | | #2: the name of the data you | + | | | are specifying; | + | | | for example: | + | | | Install-Script field #3: data | + | | | corresponding to the | + | | | name in field #2 | + | | | For example, the -i option | + | | | uses the equivalent of | + | | | this line: + | + | | | Install-Script: script.js This | + | | | example associates a | + | | | MIME type with a | + | | | file: movie.qt MIME-Type: | + | | | video/quicktime For | + | | | information about | + | | | the way installer script | + | | | information appears in | + | | | the manifest file | + | | | for a JAR archive, see The JAR | + | | | Format on | + | | | Netscape DevEdge. | + | | | -M | + | | | Lists the PKCS #11 | + | | | modules available to signtool, | + | | | including smart | + | | | cards. The -M | + | | | option is available in | + | | | Netscape Signing Tool 1.0 and | + | | | later versions | + | | | only. For information on using | + | | | Netscape Signing | + | | | Tool with smart | + | | | cards, see "Using Netscape | + | | | Signing Tool with Smart | + | | | Cards". For | + | | | information on using the -M | + | | | option to verify | + | | | FIPS-140-1 | + | | | validated mode, see "Netscape | + | | | Signing Tool and | + | | | FIPS-140-1". | + | | | --norecurse | + | | | Blocks recursion | + | | | into subdirectories when | + | | | signing a directory's | + | | | contents or when | + | | | parsing HTML. | + | | | -o | + | | | Optimizes the | + | | | archive for size. Use this | + | | | only if you are signing | + | | | very large archives | + | | | containing hundreds of files. | + | | | This option | + | | | makes the manifest | + | | | files (required by the JAR | + | | | format) considerably | + | | | smaller, but they | + | | | contain slightly less | + | | | information. | + | | | --outfile outputfile | + | | | Specifies a file to | + | | | receive redirected output from | + | | | Netscape | + | | | Signing Tool. | + | | | -p password | + | | | Specifies a | + | | | password for the private-key | + | | | database. Note that the | + | | | password entered on | + | | | the command line is displayed | + | | | as plain text. | + | | | -s keysize | + | | | Specifies the size | + | | | of the key for generated | + | | | certificate. Use the | + | | | -M option to find | + | | | out what tokens are available. | + | | | The -s option can | + | | | be used with the -G | + | | | option only. | + | | | -t token | + | | | Specifies which | + | | | available token should | + | | | generate the key and | + | | | receive the | + | | | certificate. Use the -M option | + | | | to find out what tokens | + | | | are available. The | + | | | -t option can be used with the | + | | | -G option only. | + | | | -v archive | + | | | Displays the | + | | | contents of an archive and | + | | | verifies the cryptographic | + | | | integrity of the | + | | | digital signatures it contains | + | | | and the files with | + | | | which they are | + | | | associated. This includes | + | | | checking that the | + | | | certificate for the | + | | | issuer of the object-signing | + | | | certificate is | + | | | listed in the | + | | | certificate database, that the | + | | | CA's digital | + | | | signature on the | + | | | object-signing certificate is | + | | | valid, that the | + | | | relevant | + | | | certificates have not expired, | + | | | and so on. | + | | | --verbosity value | + | | | Sets the quantity | + | | | of information Netscape | + | | | Signing Tool generates | + | | | in operation. A | + | | | value of 0 (zero) is the | + | | | default and gives full | + | | | information. A | + | | | value of -1 suppresses most | + | | | messages, but not error | + | | | messages. | + | | | -w archive | + | | | Displays the names | + | | | of signers of any files in the | + | | | archive. | + | | | -x directory | + | | | Excludes the | + | | | specified directory from | + | | | signing. Note that with | + | | | Netscape Signing | + | | | Tool version 1.1 and later | + | | | this option can appear | + | | | multiple times on | + | | | one command line, making it | + | | | possible to specify | + | | | several particular | + | | | directories to exclude. | + | | | -z | + | | | Tells signtool not | + | | | to store the signing time in | + | | | the digital | + | | | signature. This | + | | | option is useful if you want | + | | | the expiration date | + | | | of the signature | + | | | checked against the current | + | | | date and time rather | + | | | than the time the | + | | | files were signed. | + | | | -Z jarfile | + | | | Creates a JAR file | + | | | with the specified name. You | + | | | must specify this | + | | | option if you want | + | | | signtool to create the JAR | + | | | file; it does not do | + | | | so automatically. | + | | | If you don't specify -Z, you | + | | | must use an | + | | | external ZIP tool | + | | | to create the JAR file. The -Z | + | | | option cannot be | + | | | used at the same | + | | | time as the -J option. If the | + | | | -c# option is not | + | | | used with the -Z | + | | | option, the default | + | | | compression value is 6. | + | | | The Command File Format | + | | | Entries in a Netscape | + | | | Signing Tool command file have | + | | | this general format: | + | | | keyword=value Everything | + | | | before the = sign on a single | + | | | line is a keyword, | + | | | and everything from the = | + | | | sign to the end of line is a | + | | | value. The value | + | | | may include = signs; only | + | | | the first = sign on a line is | + | | | interpreted. Blank | + | | | lines are ignored, but | + | | | white space on a line with | + | | | keywords and values is | + | | | assumed to be part of the | + | | | keyword (if it comes before | + | | | the equal sign) or | + | | | part of the value (if it | + | | | comes after the first equal | + | | | sign). Keywords are | + | | | case insensitive, values | + | | | are generally case sensitive. | + | | | Since the = sign | + | | | and newline delimit the | + | | | value, it should not be | + | | | quoted. | + | | | Subsection | + | | | basename | + | | | Same as -b option. | + | | | compression | + | | | Same as -c option. | + | | | certdir | + | | | Same as -d option. | + | | | extension | + | | | Same as -e option. | + | | | generate | + | | | Same as -G option. | + | | | installscript | + | | | Same as -i option. | + | | | javascriptdir | + | | | Same as -j option. | + | | | htmldir | + | | | Same as -J option. | + | | | certname | + | | | Nickname of | + | | | certificate, as with -k and -l | + | | | -k options. | + | | | signdir | + | | | The directory to be | + | | | signed, as with -k option. | + | | | list | + | | | Same as -l option. | + | | | Value is ignored, but = sign | + | | | must be present. | + | | | listall | + | | | Same as -L option. | + | | | Value is ignored, but = sign | + | | | must be present. | + | | | metafile | + | | | Same as -m option. | + | | | modules | + | | | Same as -M option. | + | | | Value is ignored, but = sign | + | | | must be present. | + | | | optimize | + | | | Same as -o option. | + | | | Value is ignored, but = sign | + | | | must be present. | + | | | password | + | | | Same as -p option. | + | | | keysize | + | | | Same as -s option. | + | | | token | + | | | Same as -t option. | + | | | verify | + | | | Same as -v option. | + | | | who | + | | | Same as -w option. | + | | | exclude | + | | | Same as -x option. | + | | | notime | + | | | Same as -z option. | + | | | value is ignored, but = sign | + | | | must be present. | + | | | jarfile | + | | | Same as -Z option. | + | | | outfile | + | | | Name of a file to | + | | | which output and error | + | | | messages will be | + | | | redirected. This | + | | | option has no command-line | + | | | equivalent. | + | | | Extended Examples | + | | | The following example will | + | | | do this and that | + | | | Listing Available Signing | + | | | Certificates | + | | | You use the -L option to | + | | | list the nicknames for all | + | | | available certificates | + | | | and check which ones are | + | | | signing certificates. | + | | | signtool -L | + | | | using certificate directory: | + | | | /u/jsmith/.netscape | + | | | S Certificates | + | | | - ------------ | + | | | BBN Certificate Services CA | + | | | Root 1 | + | | | IBM World Registry CA | + | | | VeriSign Class 1 CA - | + | | | Individual Subscriber - | + | | | VeriSign, Inc. | + | | | GTE CyberTrust Root CA | + | | | Uptime Group Plc. Class 4 | + | | | CA | + | | | \* Verisign Object Signing | + | | | Cert | + | | | Integrion CA | + | | | GTE CyberTrust Secure | + | | | Server CA | + | | | AT&T Directory Services | + | | | \* test object signing cert | + | | | Uptime Group Plc. Class 1 | + | | | CA | + | | | VeriSign Class 1 Primary CA | + | | | - ------------ | + | | | Certificates that can be used | + | | | to sign objects have \*'s to | + | | | their left. | + | | | Two signing certificates | + | | | are displayed: Verisign Object | + | | | Signing Cert and | + | | | test object signing cert. | + | | | You use the -l option to | + | | | get a list of signing | + | | | certificates only, | + | | | including the signing CA | + | | | for each. | + | | | signtool -l | + | | | using certificate directory: | + | | | /u/jsmith/.netscape | + | | | Object signing certificates | + | | | --------- | + | | | ------------------------------ | + | | | Verisign Object Signing Cert | + | | | Issued by: VeriSign, Inc. | + | | | - Verisign, Inc. | + | | | Expires: Tue May 19, 1998 | + | | | test object signing cert | + | | | Issued by: test object | + | | | signing cert (Signtool 1.0 | + | | | Testing | + | | | Certificate (960187691)) | + | | | Expires: Sun May 17, 1998 | + | | | --------- | + | | | ------------------------------ | + | | | For a list including CAs, | + | | | use the -L option. | + | | | Signing a File | + | | | 1. Create an empty | + | | | directory. | + | | | mkdir signdir | + | | | 2. Put some file into it. | + | | | echo boo > signdir/test.f | + | | | 3. Specify the name of your | + | | | object-signing certificate and | + | | | sign the | + | | | directory. | + | | | signtool -k MySignCert -Z | + | | | testjar.jar signdir | + | | | using key "MySignCert" | + | | | using certificate directory: | + | | | /u/jsmith/.netscape | + | | | Generating | + | | | signdir/META-INF/manifest.mf | + | | | file.. | + | | | --> test.f | + | | | adding signdir/test.f to | + | | | testjar.jar | + | | | Generating signtool.sf file.. | + | | | Enter Password or Pin for | + | | | "Communicator Certificate DB": | + | | | adding | + | | | signdir/META-INF/manifest.mf | + | | | to testjar.jar | + | | | adding | + | | | signdir/META-INF/signtool.sf | + | | | to testjar.jar | + | | | adding | + | | | signdir/META-INF/signtool.rsa | + | | | to testjar.jar | + | | | tree "signdir" signed | + | | | successfully | + | | | 4. Test the archive you | + | | | just created. | + | | | signtool -v testjar.jar | + | | | using certificate directory: | + | | | /u/jsmith/.netscape | + | | | archive "testjar.jar" has | + | | | passed crypto verification. | + | | | status path | + | | | ------------ | + | | | ------------------- | + | | | verified test.f | + | | | Using Netscape Signing Tool | + | | | with a ZIP Utility | + | | | To use Netscape Signing | + | | | Tool with a ZIP utility, you | + | | | must have the utility | + | | | in your path environment | + | | | variable. You should use the | + | | | zip.exe utility | + | | | rather than pkzip.exe, | + | | | which cannot handle long | + | | | filenames. You can use a | + | | | ZIP utility instead of the | + | | | -Z option to package a signed | + | | | archive into a | + | | | JAR file after you have | + | | | signed it: | + | | | cd signdir | + | | | zip -r ../myjar.jar \* | + | | | adding: META-INF/ (stored | + | | | 0%) | + | | | adding: | + | | | META-INF/manifest.mf (deflated | + | | | 15%) | + | | | adding: | + | | | META-INF/signtool.sf (deflated | + | | | 28%) | + | | | adding: | + | | | META-INF/signtool.rsa (stored | + | | | 0%) | + | | | adding: text.txt (stored | + | | | 0%) | + | | | Generating the Keys and | + | | | Certificate | + | | | The signtool option -G | + | | | generates a new public-private | + | | | key pair and | + | | | certificate. It takes the | + | | | nickname of the new | + | | | certificate as an argument. | + | | | The newly generated keys | + | | | and certificate are installed | + | | | into the key and | + | | | certificate databases in | + | | | the directory specified by the | + | | | -d option. With | + | | | the NT version of Netscape | + | | | Signing Tool, you must use the | + | | | -d option with | + | | | the -G option. With the | + | | | Unix version of Netscape | + | | | Signing Tool, omitting | + | | | the -d option causes the | + | | | tool to install the keys and | + | | | certificate in the | + | | | Communicator key and | + | | | certificate databases. In all | + | | | cases, the certificate | + | | | is also output to a file | + | | | named x509.cacert, which has | + | | | the MIME-type | + | | | application/x-x509-ca-cert. | + | | | Certificates contain | + | | | standard information about the | + | | | entity they identify, | + | | | such as the common name and | + | | | organization name. Netscape | + | | | Signing Tool | + | | | prompts you for this | + | | | information when you run the | + | | | command with the -G | + | | | option. However, all of the | + | | | requested fields are optional | + | | | for test | + | | | certificates. If you do not | + | | | enter a common name, the tool | + | | | provides a | + | | | default name. In the | + | | | following example, the user | + | | | input is in boldface: | + | | | signtool -G MyTestCert | + | | | using certificate directory: | + | | | /u/someuser/.netscape | + | | | Enter certificate | + | | | information. All fields are | + | | | optional. Acceptable | + | | | characters are numbers, | + | | | letters, spaces, and | + | | | apostrophes. | + | | | certificate common name: Test | + | | | Object Signing Certificate | + | | | organization: Netscape | + | | | Communications Corp. | + | | | organization unit: Server | + | | | Products Division | + | | | state or province: California | + | | | country (must be exactly 2 | + | | | characters): US | + | | | username: someuser | + | | | email address: | + | | | someuser@netscape.com | + | | | Enter Password or Pin for | + | | | "Communicator Certificate DB": | + | | | [Password will not echo] | + | | | generated public/private key | + | | | pair | + | | | certificate request generated | + | | | certificate has been signed | + | | | certificate "MyTestCert" | + | | | added to database | + | | | Exported certificate to | + | | | x509.raw and x509.cacert. | + | | | The certificate information | + | | | is read from standard input. | + | | | Therefore, the | + | | | information can be read | + | | | from a file using the | + | | | redirection operator (<) in | + | | | some operating systems. To | + | | | create a file for this | + | | | purpose, enter each of | + | | | the seven input fields, in | + | | | order, on a separate line. | + | | | Make sure there is a | + | | | newline character at the | + | | | end of the last line. Then run | + | | | signtool with | + | | | standard input redirected | + | | | from your file as follows: | + | | | signtool -G MyTestCert | + | | | inputfile | + | | | The prompts show up on the | + | | | screen, but the responses will | + | | | be automatically | + | | | read from the file. The | + | | | password will still be read | + | | | from the console | + | | | unless you use the -p | + | | | option to give the password on | + | | | the command line. | + | | | Using the -M Option to List | + | | | Smart Cards | + | | | You can use the -M option | + | | | to list the PKCS #11 modules, | + | | | including smart | + | | | cards, that are available | + | | | to signtool: | + | | | signtool -d | + | | | "c:\netscape\users\jsmith" -M | + | | | using certificate directory: | + | | | c:\netscape\users\username | + | | | Listing of PKCS11 modules | + | | | ----------------- | + | | | ------------------------------ | + | | | 1. Netscape Internal | + | | | PKCS #11 Module | + | | | | + | | | (this module is internally | + | | | loaded) | + | | | | + | | | slots: 2 slots attached | + | | | | + | | | status: loaded | + | | | slot: Communicator | + | | | Internal Cryptographic | + | | | Services Version 4.0 | + | | | token: Communicator | + | | | Generic Crypto Svcs | + | | | slot: Communicator | + | | | User Private Key and | + | | | Certificate Services | + | | | token: Communicator | + | | | Certificate DB | + | | | 2. CryptOS | + | | | | + | | | (this is an external module) | + | | | DLL name: core32 | + | | | slots: 1 slots | + | | | attached | + | | | status: loaded | + | | | slot: Litronic 210 | + | | | token: | + | | | | + | | | ----------------- | + | | | ------------------------------ | + | | | Using Netscape Signing Tool | + | | | and a Smart Card to Sign Files | + | | | The signtool command | + | | | normally takes an argument of | + | | | the -k option to | + | | | specify a signing | + | | | certificate. To sign with a | + | | | smart card, you supply only | + | | | the fully qualified name of | + | | | the certificate. | + | | | To see fully qualified | + | | | certificate names when you run | + | | | Communicator, click | + | | | the Security button in | + | | | Navigator, then click Yours | + | | | under Certificates in | + | | | the left frame. Fully | + | | | qualified names are of the | + | | | format smart | + | | | card:certificate, for | + | | | example "MyCard:My Signing | + | | | Cert". You use this name | + | | | with the -k argument as | + | | | follows: | + | | | signtool -k "MyCard:My | + | | | Signing Cert" directory | + | | | Verifying FIPS Mode | + | | | Use the -M option to verify | + | | | that you are using the | + | | | FIPS-140-1 module. | + | | | signtool -d | + | | | "c:\netscape\users\jsmith" -M | + | | | using certificate directory: | + | | | c:\netscape\users\jsmith | + | | | Listing of PKCS11 modules | + | | | ----------------- | + | | | ------------------------------ | + | | | 1. Netscape Internal PKCS | + | | | #11 Module | + | | | (this module is | + | | | internally loaded) | + | | | slots: 2 slots | + | | | attached | + | | | status: loaded | + | | | slot: Communicator | + | | | Internal Cryptographic | + | | | Services Version 4.0 | + | | | token: Communicator | + | | | Generic Crypto Svcs | + | | | slot: Communicator User | + | | | Private Key and Certificate | + | | | Services | + | | | token: Communicator | + | | | Certificate DB | + | | | ----------------- | + | | | ------------------------------ | + | | | This Unix example shows | + | | | that Netscape Signing Tool is | + | | | using a FIPS-140-1 | + | | | module: | + | | | signtool -d | + | | | "c:\netscape\users\jsmith" -M | + | | | using certificate directory: | + | | | c:\netscape\users\jsmith | + | | | Enter Password or Pin for | + | | | "Communicator Certificate DB": | + | | | [password will not echo] | + | | | Listing of PKCS11 modules | + | | | ----------------- | + | | | ------------------------------ | + | | | 1. Netscape Internal FIPS | + | | | PKCS #11 Module | + | | | (this module is internally | + | | | loaded) | + | | | slots: 1 slots attached | + | | | status: loaded | + | | | slot: Netscape Internal | + | | | FIPS-140-1 Cryptographic | + | | | Services | + | | | token: Communicator | + | | | Certificate DB | + | | | ----------------- | + | | | ------------------------------ | + | | | See Also | + | | | signver (1) | + | | | The NSS wiki has | + | | | information on the new | + | | | database design and how to | + | | | configure applications to | + | | | use it. | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ <https://www.mozilla.org/p | + | | | rojects/security/pki/nss/>`__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | <emaldona@redhat.com>, Deon | + | | | Lackey | + | | | <dlackey@redhat.com>. | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ <https://www.mozilla.org/ | + | | | projects/security/pki/nss/>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 356 | :ref:`mozil | | + | | la_projects_nss_tools_signver` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | signver — Verify a detached | + | | | PKCS#7 signature for a file. | + | | | Synopsis | + | | | signtool -A \| -V -d | + | | | directory [-a] [-i input_file] | + | | | [-o output_file] [-s | + | | | signature_file] [-v] | + | | | Description | + | | | The Signature Verification | + | | | Tool, signver, is a simple | + | | | command-line utility | + | | | that unpacks a | + | | | base-64-encoded PKCS#7 signed | + | | | object and verifies the | + | | | digital signature using | + | | | standard cryptographic | + | | | techniques. The Signature | + | | | Verification Tool can also | + | | | display the contents of the | + | | | signed object. | + | | | Options | + | | | -A | + | | | Displays all of the | + | | | information in the PKCS#7 | + | | | signature. | + | | | -V | + | | | Verifies the | + | | | digital signature. | + | | | -d [sql:]directory | + | | | Specify the | + | | | database directory which | + | | | contains the certificates and | + | | | keys. | + | | | signver supports | + | | | two types of databases: the | + | | | legacy security | + | | | databases | + | | | (cert8.db, key3.db, and | + | | | secmod.db) and new SQLite | + | | | databases | + | | | (cert9.db, key4.db, and | + | | | pkcs11.txt). If the prefix | + | | | sql: | + | | | is not used, then | + | | | the tool assumes that the | + | | | given databases are in | + | | | the old format. | + | | | -a | + | | | Sets that the given | + | | | signature file is in ASCII | + | | | format. | + | | | -i input_file | + | | | Gives the input | + | | | file for the object with | + | | | signed data. | + | | | -o output_file | + | | | Gives the output | + | | | file to which to write the | + | | | results. | + | | | -s signature_file | + | | | Gives the input | + | | | file for the digital | + | | | signature. | + | | | -v | + | | | Enables verbose | + | | | output. | + | | | Extended Examples | + | | | Verifying a Signature | + | | | The -V option verifies that | + | | | the signature in a given | + | | | signature file is | + | | | valid when used to sign the | + | | | given object (from the input | + | | | file). | + | | | signver -V -s signature_file | + | | | -i signed_file -d | + | | | sql:/home/my/sharednssdb | + | | | signatureValid=yes | + | | | Printing Signature Data | + | | | The -A option prints all of | + | | | the information contained in a | + | | | signature file. | + | | | Using the -o option prints | + | | | the signature file information | + | | | to the given | + | | | output file rather than | + | | | stdout. | + | | | signver -A -s signature_file | + | | | -o output_file | + | | | NSS Database Types | + | | | NSS originally used | + | | | BerkeleyDB databases to store | + | | | security information. | + | | | The last versions of these | + | | | legacy databases are: | + | | | o cert8.db for | + | | | certificates | + | | | o key3.db for keys | + | | | o secmod.db for PKCS #11 | + | | | module information | + | | | BerkeleyDB has performance | + | | | limitations, though, which | + | | | prevent it from | + | | | being easily used by | + | | | multiple applications | + | | | simultaneously. NSS has some | + | | | flexibility that allows | + | | | applications to use their own, | + | | | independent | + | | | database engine while | + | | | keeping a shared database and | + | | | working around the | + | | | access issues. Still, NSS | + | | | requires more flexibility to | + | | | provide a truly | + | | | shared security database. | + | | | In 2009, NSS introduced a | + | | | new set of databases that are | + | | | SQLite databases | + | | | rather than BerkleyDB. | + | | | These new databases provide | + | | | more accessibility and | + | | | performance: | + | | | o cert9.db for | + | | | certificates | + | | | o key4.db for keys | + | | | o pkcs11.txt, which is | + | | | listing of all of the PKCS #11 | + | | | modules contained | + | | | in a new subdirectory | + | | | in the security databases | + | | | directory | + | | | Because the SQLite | + | | | databases are designed to be | + | | | shared, these are the | + | | | shared database type. The | + | | | shared database type is | + | | | preferred; the legacy | + | | | format is included for | + | | | backward compatibility. | + | | | By default, the tools | + | | | (certutil, pk12util, modutil) | + | | | assume that the given | + | | | security databases follow | + | | | the more common legacy type. | + | | | Using the SQLite | + | | | databases must be manually | + | | | specified by using the sql: | + | | | prefix with the | + | | | given security directory. | + | | | For example: | + | | | # signver -A -s signature -d | + | | | sql:/home/my/sharednssdb | + | | | To set the shared database | + | | | type as the default type for | + | | | the tools, set the | + | | | NSS_DEFAULT_DB_TYPE | + | | | environment variable to sql: | + | | | export | + | | | NSS_DEFAULT_DB_TYPE="sql" | + | | | This line can be set added | + | | | to the ~/.bashrc file to make | + | | | the change | + | | | permanent. | + | | | Most applications do not | + | | | use the shared database by | + | | | default, but they can | + | | | be configured to use them. | + | | | For example, this how-to | + | | | article covers how to | + | | | configure Firefox and | + | | | Thunderbird to use the new | + | | | shared NSS databases: | + | | | | + | | | o https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | For an engineering draft on | + | | | the changes in the shared NSS | + | | | databases, see | + | | | the NSS project wiki: | + | | | | + | | | o https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | See Also | + | | | signtool (1) | + | | | The NSS wiki has | + | | | information on the new | + | | | database design and how to | + | | | configure applications to | + | | | use it. | + | | | o Setting up the shared | + | | | NSS database | + | | | | + | | | https://wiki.m | + | | | ozilla.org/NSS_Shared_DB_Howto | + | | | o Engineering and | + | | | technical information about | + | | | the shared NSS database | + | | | | + | | | https:// | + | | | wiki.mozilla.org/NSS_Shared_DB | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ <https://www.mozilla.org/p | + | | | rojects/security/pki/nss/>`__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | <emaldona@redhat.com>, Deon | + | | | Lackey | + | | | <dlackey@redhat.com>. | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ <https://www.mozilla.org/ | + | | | projects/security/pki/nss/>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 357 | :ref:`mozi | | + | | lla_projects_nss_tools_ssltap` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | ssltap — Tap into SSL | + | | | connections and display the | + | | | data going by | + | | | Synopsis | + | | | libssltap [-vhfsxl] [-p | + | | | port] [hostname:port] | + | | | Description | + | | | The SSL Debugging Tool | + | | | ssltap is an SSL-aware | + | | | command-line proxy. It | + | | | watches TCP connections and | + | | | displays the data going by. If | + | | | a connection is | + | | | SSL, the data display | + | | | includes interpreted SSL | + | | | records and handshaking | + | | | Options | + | | | -v | + | | | Print a version | + | | | string for the tool. | + | | | -h | + | | | Turn on hex/ASCII | + | | | printing. Instead of | + | | | outputting raw data, the | + | | | command interprets | + | | | each record as a numbered line | + | | | of hex values, | + | | | followed by the | + | | | same data as ASCII characters. | + | | | The two parts are | + | | | separated by a | + | | | vertical bar. Nonprinting | + | | | characters are replaced | + | | | by dots. | + | | | -f | + | | | Turn on fancy | + | | | printing. Output is printed in | + | | | colored HTML. Data | + | | | sent from the | + | | | client to the server is in | + | | | blue; the server's reply | + | | | is in red. When | + | | | used with looping mode, the | + | | | different connections | + | | | are separated with | + | | | horizontal lines. You can use | + | | | this option to | + | | | upload the output | + | | | into a browser. | + | | | -s | + | | | Turn on SSL parsing | + | | | and decoding. The tool does | + | | | not automatically | + | | | detect SSL | + | | | sessions. If you are | + | | | intercepting an SSL | + | | | connection, | + | | | use this option so | + | | | that the tool can detect and | + | | | decode SSL | + | | | structures. | + | | | If the tool detects | + | | | a certificate chain, it saves | + | | | the DER-encoded | + | | | certificates into | + | | | files in the current | + | | | directory. The files are | + | | | named cert.0x, | + | | | where x is the sequence number | + | | | of the certificate. | + | | | If the -s option is | + | | | used with -h, two separate | + | | | parts are printed | + | | | for each record: | + | | | the plain hex/ASCII output, | + | | | and the parsed SSL | + | | | output. | + | | | -x | + | | | Turn on hex/ASCII | + | | | printing of undecoded data | + | | | inside parsed SSL | + | | | records. Used only | + | | | with the -s option. This | + | | | option uses the same | + | | | output format as | + | | | the -h option. | + | | | -l prefix | + | | | Turn on looping; | + | | | that is, continue to accept | + | | | connections rather | + | | | than stopping after | + | | | the first connection is | + | | | complete. | + | | | -p port | + | | | Change the default | + | | | rendezvous port (1924) to | + | | | another port. | + | | | The following are | + | | | well-known port numbers: | + | | | \* HTTP 80 | + | | | \* HTTPS 443 | + | | | \* SMTP 25 | + | | | \* FTP 21 | + | | | \* IMAP 143 | + | | | \* IMAPS 993 (IMAP | + | | | over SSL) | + | | | \* NNTP 119 | + | | | \* NNTPS 563 (NNTP | + | | | over SSL) | + | | | Usage and Examples | + | | | You can use the SSL | + | | | Debugging Tool to intercept | + | | | any connection | + | | | information. Although you | + | | | can run the tool at its most | + | | | basic by issuing | + | | | the ssltap command with no | + | | | options other than | + | | | hostname:port, the | + | | | information you get in this | + | | | way is not very useful. For | + | | | example, assume | + | | | your development machine is | + | | | called intercept. The simplest | + | | | way to use the | + | | | debugging tool is to | + | | | execute the following command | + | | | from a command shell: | + | | | $ ssltap www.netscape.com | + | | | The program waits for an | + | | | incoming connection on the | + | | | default port 1924. In | + | | | your browser window, enter | + | | | the URL http://intercept:1924. | + | | | The browser | + | | | retrieves the requested | + | | | page from the server at | + | | | www.netscape.com, but the | + | | | page is intercepted and | + | | | passed on to the browser by | + | | | the debugging tool on | + | | | intercept. On its way to | + | | | the browser, the data is | + | | | printed to the command | + | | | shell from which you issued | + | | | the command. Data sent from | + | | | the client to the | + | | | server is surrounded by the | + | | | following symbols: --> [ data | + | | | ] Data sent from | + | | | the server to the client is | + | | | surrounded by the following | + | | | symbols: "left | + | | | arrow"-- [ data ] The raw | + | | | data stream is sent to | + | | | standard output and is | + | | | not interpreted in any way. | + | | | This can result in peculiar | + | | | effects, such as | + | | | sounds, flashes, and even | + | | | crashes of the command shell | + | | | window. To output a | + | | | basic, printable | + | | | interpretation of the data, | + | | | use the -h option, or, if you | + | | | are looking at an SSL | + | | | connection, the -s option. You | + | | | will notice that the | + | | | page you retrieved looks | + | | | incomplete in the browser. | + | | | This is because, by | + | | | default, the tool closes | + | | | down after the first | + | | | connection is complete, so | + | | | the browser is not able to | + | | | load images. To make the tool | + | | | continue to | + | | | accept connections, switch | + | | | on looping mode with the -l | + | | | option. The | + | | | following examples show the | + | | | output from commonly used | + | | | combinations of | + | | | options. | + | | | Example 1 | + | | | $ ssltap.exe -sx -p 444 | + | | | interzone.mcom.com:443 > | + | | | sx.txt | + | | | Output | + | | | Connected to | + | | | interzone.mcom.com:443 | + | | | -->; [ | + | | | alloclen = 66 bytes | + | | | [ssl2] ClientHelloV2 { | + | | | version = {0x03, | + | | | 0x00} | + | | | | + | | | cipher-specs-length = 39 | + | | | (0x27) | + | | | sid-length = 0 | + | | | (0x00) | + | | | challenge-length | + | | | = 16 (0x10) | + | | | cipher-suites = { | + | | | (0x010080) | + | | | SSL2/RSA/RC4-128/MD5 | + | | | (0x020080) | + | | | SSL2/RSA/RC4-40/MD5 | + | | | (0x030080) | + | | | SSL2/RSA/RC2CBC128/MD5 | + | | | (0x040080) | + | | | SSL2/RSA/RC2CBC40/MD5 | + | | | (0x060040) | + | | | SSL2/RSA/DES64CBC/MD5 | + | | | (0x0700c0) | + | | | SSL2/RSA/3DES192EDE-CBC/MD5 | + | | | (0x000004) | + | | | SSL3/RSA/RC4-128/MD5 | + | | | (0x00ffe0) | + | | | SS | + | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | + | | | (0x00000a) | + | | | SSL3/RSA/3DES192EDE-CBC/SHA | + | | | (0x00ffe1) | + | | | SSL3/RSA-FIPS/DES64CBC/SHA | + | | | (0x000009) | + | | | SSL3/RSA/DES64CBC/SHA | + | | | (0x000003) | + | | | SSL3/RSA/RC4-40/MD5 | + | | | (0x000006) | + | | | SSL3/RSA/RC2CBC40/MD5 | + | | | } | + | | | session-id = { } | + | | | challenge = { | + | | | 0xec5d 0x8edb 0x37c9 0xb5c9 | + | | | 0x7b70 0x8fe9 0xd1d3 | + | | | 0x2592 } | + | | | } | + | | | ] | + | | | <-- [ | + | | | SSLRecord { | + | | | 0: 16 03 00 03 | + | | | e5 | + | | | | + | | | \|..... | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 997 (0x3e5) | + | | | handshake { | + | | | 0: 02 00 00 | + | | | 46 | + | | | | + | | | \|...F | + | | | type = 2 (server_hello) | + | | | length = 70 (0x000046) | + | | | ServerHello { | + | | | server_version = | + | | | {3, 0} | + | | | random = {...} | + | | | 0: 77 8c 6e 26 6c 0c ec | + | | | c0 d9 58 4f 47 d3 2d 01 45 | + | | | \| | + | | | wn&l.ì..XOG.-.E | + | | | 10: 5c 17 75 43 a7 4c 88 | + | | | c7 88 64 3c 50 41 48 4f 7f | + | | | \| | + | | | \.uC§L.Ç.d<PAHO. | + | | | session ID | + | | | = { | + | | | length = 32 | + | | | contents = | + | | | {..} | + | | | 0: 14 11 07 a8 2a 31 91 | + | | | 29 11 94 40 37 57 10 a7 32 | + | | | \| ...¨*1.)..@7W.§2 | + | | | 10: 56 6f 52 62 fe 3d b3 | + | | | 65 b1 e4 13 0f 52 a3 c8 f6 | + | | | \| VoRbþ=³e±...R£È. | + | | | } | + | | | cipher_suite = | + | | | (0x0003) SSL3/RSA/RC4-40/MD5 | + | | | } | + | | | 0: 0b 00 02 | + | | | c5 | + | | | | + | | | \|...Å | + | | | type = 11 (certificate) | + | | | length = 709 (0x0002c5) | + | | | CertificateChain | + | | | { | + | | | chainlength = 706 | + | | | (0x02c2) | + | | | Certificate { | + | | | size = 703 | + | | | (0x02bf) | + | | | data = { saved | + | | | in file 'cert.001' } | + | | | } | + | | | } | + | | | 0: 0c 00 00 | + | | | ca | + | | | | + | | | \|.... | + | | | type = 12 | + | | | (server_key_exchange) | + | | | length = 202 | + | | | (0x0000ca) | + | | | 0: 0e 00 00 | + | | | 00 | + | | | | + | | | \|.... | + | | | type = 14 | + | | | (server_hello_done) | + | | | length = 0 | + | | | (0x000000) | + | | | } | + | | | } | + | | | ] | + | | | --> [ | + | | | SSLRecord { | + | | | 0: 16 03 00 00 | + | | | 44 | + | | | | + | | | \|....D | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 68 (0x44) | + | | | handshake { | + | | | 0: 10 00 00 | + | | | 40 | + | | | | + | | | \|...@ | + | | | type = 16 | + | | | (client_key_exchange) | + | | | length = 64 (0x000040) | + | | | ClientKeyExchange { | + | | | message = {...} | + | | | } | + | | | } | + | | | } | + | | | ] | + | | | --> [ | + | | | SSLRecord { | + | | | 0: 14 03 00 00 | + | | | 01 | + | | | | + | | | \|..... | + | | | type = 20 | + | | | (change_cipher_spec) | + | | | version = { 3,0 } | + | | | length = 1 (0x1) | + | | | 0: | + | | | 01 | + | | | | + | | | \|. | + | | | } | + | | | SSLRecord { | + | | | 0: 16 03 00 00 | + | | | 38 | + | | | | + | | | \|....8 | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 56 (0x38) | + | | | < encrypted > | + | | | } | + | | | ] | + | | | <-- [ | + | | | SSLRecord { | + | | | 0: 14 03 00 00 | + | | | 01 | + | | | | + | | | \|..... | + | | | type = 20 | + | | | (change_cipher_spec) | + | | | version = { 3,0 } | + | | | length = 1 (0x1) | + | | | 0: | + | | | 01 | + | | | | + | | | \|. | + | | | } | + | | | ] | + | | | <-- [ | + | | | SSLRecord { | + | | | 0: 16 03 00 00 | + | | | 38 | + | | | | + | | | \|....8 | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 56 (0x38) | + | | | < encrypted | + | | | > | + | | | } | + | | | ] | + | | | --> [ | + | | | SSLRecord { | + | | | 0: 17 03 00 01 | + | | | 1f | + | | | | + | | | \|..... | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 287 (0x11f) | + | | | < encrypted > | + | | | } | + | | | ] | + | | | <-- [ | + | | | SSLRecord { | + | | | 0: 17 03 00 00 | + | | | a0 | + | | | | + | | | \|.... | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 160 (0xa0) | + | | | < encrypted > | + | | | } | + | | | ] | + | | | <-- [ | + | | | SSLRecord { | + | | | 0: 17 03 00 00 | + | | | df | + | | | | + | | | \|....ß | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 223 (0xdf) | + | | | < encrypted > | + | | | } | + | | | SSLRecord { | + | | | 0: 15 03 00 00 | + | | | 12 | + | | | | + | | | \|..... | + | | | type = 21 (alert) | + | | | version = { 3,0 } | + | | | length = 18 (0x12) | + | | | < encrypted > | + | | | } | + | | | ] | + | | | Server socket closed. | + | | | Example 2 | + | | | The -s option turns on SSL | + | | | parsing. Because the -x option | + | | | is not used in | + | | | this example, undecoded | + | | | values are output as raw data. | + | | | The output is | + | | | routed to a text file. | + | | | $ ssltap -s -p 444 | + | | | interzone.mcom.com:443 > s.txt | + | | | Output | + | | | Connected to | + | | | interzone.mcom.com:443 | + | | | --> [ | + | | | alloclen = 63 bytes | + | | | [ssl2] ClientHelloV2 { | + | | | version = {0x03, | + | | | 0x00} | + | | | | + | | | cipher-specs-length = 36 | + | | | (0x24) | + | | | sid-length = 0 | + | | | (0x00) | + | | | challenge-length | + | | | = 16 (0x10) | + | | | cipher-suites = { | + | | | (0x010080) | + | | | SSL2/RSA/RC4-128/MD5 | + | | | (0x020080) | + | | | SSL2/RSA/RC4-40/MD5 | + | | | (0x030080) | + | | | SSL2/RSA/RC2CBC128/MD5 | + | | | (0x060040) | + | | | SSL2/RSA/DES64CBC/MD5 | + | | | (0x0700c0) | + | | | SSL2/RSA/3DES192EDE-CBC/MD5 | + | | | (0x000004) | + | | | SSL3/RSA/RC4-128/MD5 | + | | | (0x00ffe0) | + | | | SS | + | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | + | | | (0x00000a) | + | | | SSL3/RSA/3DES192EDE-CBC/SHA | + | | | (0x00ffe1) | + | | | SSL3/RSA-FIPS/DES64CBC/SHA | + | | | (0x000009) | + | | | SSL3/RSA/DES64CBC/SHA | + | | | (0x000003) | + | | | SSL3/RSA/RC4-40/MD5 | + | | | } | + | | | session-id = { | + | | | } | + | | | challenge = { | + | | | 0x713c 0x9338 0x30e1 0xf8d6 | + | | | 0xb934 0x7351 0x200c | + | | | 0x3fd0 } | + | | | ] | + | | | >-- [ | + | | | SSLRecord { | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 997 (0x3e5) | + | | | handshake { | + | | | type = 2 | + | | | (server_hello) | + | | | length = 70 | + | | | (0x000046) | + | | | ServerHello { | + | | | server_version = | + | | | {3, 0} | + | | | random = {...} | + | | | session ID = { | + | | | length = 32 | + | | | contents = | + | | | {..} | + | | | } | + | | | cipher_suite = | + | | | (0x0003) SSL3/RSA/RC4-40/MD5 | + | | | } | + | | | type = 11 | + | | | (certificate) | + | | | length = 709 | + | | | (0x0002c5) | + | | | CertificateChain | + | | | { | + | | | chainlength = | + | | | 706 (0x02c2) | + | | | Certificate { | + | | | size = 703 | + | | | (0x02bf) | + | | | data = { | + | | | saved in file 'cert.001' } | + | | | } | + | | | } | + | | | type = 12 | + | | | (server_key_exchange) | + | | | length = 202 | + | | | (0x0000ca) | + | | | type = 14 | + | | | (server_hello_done) | + | | | length = 0 | + | | | (0x000000) | + | | | } | + | | | } | + | | | ] | + | | | --> [ | + | | | SSLRecord { | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 68 (0x44) | + | | | handshake { | + | | | type = 16 | + | | | (client_key_exchange) | + | | | length = 64 | + | | | (0x000040) | + | | | ClientKeyExchange | + | | | { | + | | | message = | + | | | {...} | + | | | } | + | | | } | + | | | } | + | | | ] | + | | | --> [ | + | | | SSLRecord { | + | | | type = 20 | + | | | (change_cipher_spec) | + | | | version = { 3,0 } | + | | | length = 1 (0x1) | + | | | } | + | | | SSLRecord { | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 56 (0x38) | + | | | > encrypted > | + | | | } | + | | | ] | + | | | >-- [ | + | | | SSLRecord { | + | | | type = 20 | + | | | (change_cipher_spec) | + | | | version = { 3,0 } | + | | | length = 1 (0x1) | + | | | } | + | | | ] | + | | | >-- [ | + | | | SSLRecord { | + | | | type = 22 (handshake) | + | | | version = { 3,0 } | + | | | length = 56 (0x38) | + | | | > encrypted > | + | | | } | + | | | ] | + | | | --> [ | + | | | SSLRecord { | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 287 (0x11f) | + | | | > encrypted > | + | | | } | + | | | ] | + | | | [ | + | | | SSLRecord { | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 160 (0xa0) | + | | | > encrypted > | + | | | } | + | | | ] | + | | | >-- [ | + | | | SSLRecord { | + | | | type = 23 | + | | | (application_data) | + | | | version = { 3,0 } | + | | | length = 223 (0xdf) | + | | | > encrypted > | + | | | } | + | | | SSLRecord { | + | | | type = 21 (alert) | + | | | version = { 3,0 } | + | | | length = 18 (0x12) | + | | | > encrypted > | + | | | } | + | | | ] | + | | | Server socket closed. | + | | | Example 3 | + | | | In this example, the -h | + | | | option turns hex/ASCII format. | + | | | There is no SSL | + | | | parsing or decoding. The | + | | | output is routed to a text | + | | | file. | + | | | $ ssltap -h -p 444 | + | | | interzone.mcom.com:443 > h.txt | + | | | Output | + | | | Connected to | + | | | interzone.mcom.com:443 | + | | | --> [ | + | | | 0: 80 40 01 03 00 00 27 | + | | | 00 00 00 10 01 00 80 02 00 | + | | | \| .@....'......... | + | | | 10: 80 03 00 80 04 00 80 | + | | | 06 00 40 07 00 c0 00 00 04 | + | | | \| .........@...... | + | | | 20: 00 ff e0 00 00 0a 00 | + | | | ff e1 00 00 09 00 00 03 00 | + | | | \| ........á....... | + | | | 30: 00 06 9b fe 5b 56 96 | + | | | 49 1f 9f ca dd d5 ba b9 52 | + | | | \| ..þ[V.I.\xd9 ...º¹R | + | | | 40: 6f | + | | | 2d | + | | | | + | | | \|o- | + | | | ] | + | | | <-- [ | + | | | 0: 16 03 00 03 e5 02 00 | + | | | 00 46 03 00 7f e5 0d 1b 1d | + | | | \| ........F....... | + | | | 10: 68 7f 3a 79 60 d5 17 | + | | | 3c 1d 9c 96 b3 88 d2 69 3b | + | | | \| h.:y`..<..³.Òi; | + | | | 20: 78 e2 4b 8b a6 52 12 | + | | | 4b 46 e8 c2 20 14 11 89 05 | + | | | \| x.K.¦R.KFè. ... | + | | | 30: 4d 52 91 fd 93 e0 51 | + | | | 48 91 90 08 96 c1 b6 76 77 | + | | | \| MR.ý..QH.....¶vw | + | | | 40: 2a f4 00 08 a1 06 61 | + | | | a2 64 1f 2e 9b 00 03 00 0b | + | | | \| \*ô..¡.a¢d...... | + | | | 50: 00 02 c5 00 02 c2 00 | + | | | 02 bf 30 82 02 bb 30 82 02 | + | | | \| ..Å......0...0.. | + | | | 60: 24 a0 03 02 01 02 02 | + | | | 02 01 36 30 0d 06 09 2a 86 | + | | | \| $ .......60...*. | + | | | 70: 48 86 f7 0d 01 01 04 | + | | | 05 00 30 77 31 0b 30 09 06 | + | | | \| H.÷......0w1.0.. | + | | | 80: 03 55 04 06 13 02 55 | + | | | 53 31 2c 30 2a 06 03 55 04 | + | | | \| .U....US1,0*..U. | + | | | 90: 0a 13 23 4e 65 74 73 | + | | | 63 61 70 65 20 43 6f 6d 6d | + | | | \| ..#Netscape Comm | + | | | a0: 75 6e 69 63 61 74 69 | + | | | 6f 6e 73 20 43 6f 72 70 6f | + | | | \| unications Corpo | + | | | b0: 72 61 74 69 6f 6e 31 | + | | | 11 30 0f 06 03 55 04 0b 13 | + | | | \| ration1.0...U... | + | | | c0: 08 48 61 72 64 63 6f | + | | | 72 65 31 27 30 25 06 03 55 | + | | | \| .Hardcore1'0%..U | + | | | d0: 04 03 13 1e 48 61 72 | + | | | 64 63 6f 72 65 20 43 65 72 | + | | | \| ....Hardcore Cer | + | | | e0: 74 69 66 69 63 61 74 | + | | | 65 20 53 65 72 76 65 72 20 | + | | | \| tificate Server | + | | | f0: 49 49 30 1e 17 0d 39 | + | | | 38 30 35 31 36 30 31 30 33 | + | | | \| II0...9805160103 | + | | | <additional data lines> | + | | | ] | + | | | <additional records in same | + | | | format> | + | | | Server socket closed. | + | | | Example 4 | + | | | In this example, the -s | + | | | option turns on SSL parsing, | + | | | and the -h option | + | | | turns on hex/ASCII format. | + | | | Both formats are shown for | + | | | each record. The | + | | | output is routed to a text | + | | | file. | + | | | $ ssltap -hs -p 444 | + | | | interzone.mcom.com:443 > | + | | | hs.txt | + | | | Output | + | | | Connected to | + | | | interzone.mcom.com:443 | + | | | --> [ | + | | | 0: 80 3d 01 03 00 00 24 | + | | | 00 00 00 10 01 00 80 02 00 | + | | | \| .=....$......... | + | | | 10: 80 03 00 80 04 00 80 | + | | | 06 00 40 07 00 c0 00 00 04 | + | | | \| .........@...... | + | | | 20: 00 ff e0 00 00 0a 00 | + | | | ff e1 00 00 09 00 00 03 03 | + | | | \| ........á....... | + | | | 30: 55 e6 e4 99 79 c7 d7 | + | | | 2c 86 78 96 5d b5 cf e9 | + | | | \|U..yÇ\xb0 ,.x.]µÏé | + | | | alloclen = 63 bytes | + | | | [ssl2] ClientHelloV2 { | + | | | version = {0x03, | + | | | 0x00} | + | | | | + | | | cipher-specs-length = 36 | + | | | (0x24) | + | | | sid-length = 0 | + | | | (0x00) | + | | | challenge-length | + | | | = 16 (0x10) | + | | | cipher-suites = { | + | | | (0x010080) | + | | | SSL2/RSA/RC4-128/MD5 | + | | | (0x020080) | + | | | SSL2/RSA/RC4-40/MD5 | + | | | (0x030080) | + | | | SSL2/RSA/RC2CBC128/MD5 | + | | | (0x040080) | + | | | SSL2/RSA/RC2CBC40/MD5 | + | | | (0x060040) | + | | | SSL2/RSA/DES64CBC/MD5 | + | | | (0x0700c0) | + | | | SSL2/RSA/3DES192EDE-CBC/MD5 | + | | | (0x000004) | + | | | SSL3/RSA/RC4-128/MD5 | + | | | (0x00ffe0) | + | | | SS | + | | | L3/RSA-FIPS/3DES192EDE-CBC/SHA | + | | | (0x00000a) | + | | | SSL3/RSA/3DES192EDE-CBC/SHA | + | | | (0x00ffe1) | + | | | SSL3/RSA-FIPS/DES64CBC/SHA | + | | | (0x000009) | + | | | SSL3/RSA/DES64CBC/SHA | + | | | (0x000003) | + | | | SSL3/RSA/RC4-40/MD5 | + | | | } | + | | | session-id = { } | + | | | challenge = { | + | | | 0x0355 0xe6e4 0x9979 0xc7d7 | + | | | 0x2c86 0x7896 0x5db | + | | | 0xcfe9 } | + | | | } | + | | | ] | + | | | <additional records in same | + | | | formats> | + | | | Server socket closed. | + | | | Usage Tips | + | | | When SSL restarts a | + | | | previous session, it makes use | + | | | of cached information | + | | | to do a partial handshake. | + | | | If you wish to capture a full | + | | | SSL handshake, | + | | | restart the browser to | + | | | clear the session id cache. | + | | | If you run the tool on a | + | | | machine other than the SSL | + | | | server to which you | + | | | are trying to connect, the | + | | | browser will complain that the | + | | | host name you | + | | | are trying to connect to is | + | | | different from the | + | | | certificate. If you are | + | | | using the default BadCert | + | | | callback, you can still | + | | | connect through a | + | | | dialog. If you are not | + | | | using the default BadCert | + | | | callback, the one you | + | | | supply must allow for this | + | | | possibility. | + | | | See Also | + | | | The NSS Security Tools are | + | | | also documented at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ <https://www.mozilla.org/p | + | | | rojects/security/pki/nss/>`__. | + | | | Additional Resources | + | | | NSS is maintained in | + | | | conjunction with PKI and | + | | | security-related projects | + | | | through Mozilla dn Fedora. | + | | | The most closely-related | + | | | project is Dogtag PKI, | + | | | with a project wiki at | + | | | [2]\ http: | + | | | //pki.fedoraproject.org/wiki/. | + | | | For information | + | | | specifically about NSS, the | + | | | NSS project wiki is located at | + | | | | + | | | [3]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ <https://www.mozilla.org/p | + | | | rojects/security/pki/nss/>`__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | pki-devel@redhat.com and | + | | | pki-users@redhat.com | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape and | + | | | now with Red Hat and Sun. | + | | | Authors: Elio Maldonado | + | | | <emaldona@redhat.com>, Deon | + | | | Lackey | + | | | <dlackey@redhat.com>. | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozilla.org/p | + | | | rojects/secu.../pki/nss/tools | + | | | <https://www.mozilla.org/proje | + | | | cts/security/pki/nss/tools>`__ | + | | | 2. | + | | | http | + | | | ://pki.fedoraproject.org/wiki/ | + | | | 3. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ <https://www.mozilla.org/ | + | | | projects/security/pki/nss/>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 358 | :ref:`mozill | | + | | a_projects_nss_tools_vfychain` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Name | + | | | vfychain — vfychain | + | | | [options] [revocation options] | + | | | certfile [[options] | + | | | certfile] ... | + | | | Synopsis | + | | | vfychain | + | | | Description | + | | | The verification Tool, | + | | | vfychain, verifies certificate | + | | | chains. modutil can | + | | | add and delete PKCS #11 | + | | | modules, change passwords on | + | | | security databases, | + | | | set defaults, list module | + | | | contents, enable or disable | + | | | slots, enable or | + | | | disable FIPS 140-2 | + | | | compliance, and assign default | + | | | providers for | + | | | cryptographic operations. | + | | | This tool can also create | + | | | certificate, key, and | + | | | module security database | + | | | files. | + | | | The tasks associated with | + | | | security module database | + | | | management are part of | + | | | a process that typically | + | | | also involves managing key | + | | | databases and | + | | | certificate databases. | + | | | Options | + | | | -a | + | | | the following | + | | | certfile is base64 encoded | + | | | -b YYMMDDHHMMZ | + | | | Validate date | + | | | (default: now) | + | | | -d directory | + | | | database directory | + | | | -f | + | | | Enable cert | + | | | fetching from AIA URL | + | | | -o oid | + | | | Set policy OID for | + | | | cert validation(Format | + | | | OID.1.2.3) | + | | | -p | + | | | Use PKIX Library to | + | | | validate certificate by | + | | | calling: | + | | | \* | + | | | CERT_VerifyCertificate if | + | | | specified once, | + | | | \* | + | | | CERT_PKIXVerifyCert if | + | | | specified twice and more. | + | | | -r | + | | | Following certfile | + | | | is raw binary DER (default) | + | | | -t | + | | | Following cert is | + | | | explicitly trusted (overrides | + | | | db trust) | + | | | -u usage | + | | | 0=SSL client, 1=SSL | + | | | server, 2=SSL StepUp, 3=SSL | + | | | CA, 4=Email | + | | | signer, 5=Email | + | | | recipient, 6=Object signer, | + | | | | + | | | 9=ProtectedObjectSigner, | + | | | 10=OCSP responder, 11=Any CA | + | | | -v | + | | | Verbose mode. | + | | | Prints root cert | + | | | subject(double the argument | + | | | for | + | | | whole root cert | + | | | info) | + | | | -w password | + | | | Database password | + | | | -W pwfile | + | | | Password file | + | | | Revocation options | + | | | for PKIX API (invoked with -pp | + | | | options) is a | + | | | collection of the | + | | | following flags: [-g type [-h | + | | | flags] [-m type | + | | | [-s flags]] ...] | + | | | ... | + | | | Where: | + | | | -g test-type | + | | | Sets status | + | | | checking test type. Possible | + | | | values are "leaf" or | + | | | "chain" | + | | | -g test type | + | | | Sets status | + | | | checking test type. Possible | + | | | values are "leaf" or | + | | | "chain". | + | | | -h test flags | + | | | Sets revocation | + | | | flags for the test type it | + | | | follows. Possible | + | | | flags: | + | | | "testLocalInfoFirst" and | + | | | "requireFreshInfo". | + | | | -m method type | + | | | Sets method type | + | | | for the test type it follows. | + | | | Possible types are | + | | | "crl" and "ocsp". | + | | | -s method flags | + | | | Sets revocation | + | | | flags for the method it | + | | | follows. Possible types | + | | | are "doNotUse", | + | | | "forbidFetching", | + | | | "ignoreDefaultSrc", | + | | | "requireInfo" and | + | | | "failIfNoInfo". | + | | | Additional Resources | + | | | For information about NSS | + | | | and other tools related to NSS | + | | | (like JSS), check | + | | | out the NSS project wiki at | + | | | | + | | | [1]\ `http://www.mozil | + | | | la.org/projects/security/pki/n | + | | | ss/ <https://www.mozilla.org/p | + | | | rojects/security/pki/nss/>`__. | + | | | The NSS site relates | + | | | directly to NSS code | + | | | changes and releases. | + | | | Mailing lists: | + | | | https://lists.mozill | + | | | a.org/listinfo/dev-tech-crypto | + | | | IRC: Freenode at | + | | | #dogtag-pki | + | | | Authors | + | | | The NSS tools were written | + | | | and maintained by developers | + | | | with Netscape, Red | + | | | Hat, and Sun. | + | | | Authors: Elio Maldonado | + | | | <emaldona@redhat.com>, Deon | + | | | Lackey | + | | | <dlackey@redhat.com>. | + | | | Copyright | + | | | (c) 2010, Red Hat, Inc. | + | | | Licensed under the GNU Public | + | | | License version 2. | + | | | References | + | | | Visible links | + | | | 1. | + | | | `http://www.mozi | + | | | lla.org/projects/security/pki/ | + | | | nss/ <https://www.mozilla.org/ | + | | | projects/security/pki/nss/>`__ | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 359 | :ref:`mozil | | + | | la_projects_nss_tools_vfyserv` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | Coming soon | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 360 | :ref:`mozilla | **NSS** | + | | _projects_nss_troubleshooting` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | On this page, let's collect | + | | | information on how to | + | | | troubleshoot NSS at runtime. | + | | | Debugging tips, how to enable | + | | | tracing of the various | + | | | modules, etc. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+ + | 361 | :ref:`mozilla_p | **NSS** | + | | rojects_nss_utility_functions` | | + +--------------------------------+--------------------------------+--------------------------------+ + | | | The public functions listed | + | | | here perform initialization | + | | | tasks and other services. | + +--------------------------------+--------------------------------+--------------------------------+ + | | | | + +--------------------------------+--------------------------------+--------------------------------+
\ No newline at end of file |