From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 21:33:14 +0200 Subject: Adding upstream version 115.7.0esr. Signed-off-by: Daniel Baumann --- security/nss/doc/signver.xml | 229 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 229 insertions(+) create mode 100644 security/nss/doc/signver.xml (limited to 'security/nss/doc/signver.xml') diff --git a/security/nss/doc/signver.xml b/security/nss/doc/signver.xml new file mode 100644 index 0000000000..9415a929a4 --- /dev/null +++ b/security/nss/doc/signver.xml 
@@ -0,0 +1,229 @@ + + + +]> + + + + + &date; + NSS Security Tools + nss-tools + &version; + + + + SIGNVER + 1 + + + + signver + Verify a detached PKCS#7 signature for a file. + + + + + signtool + + -A + -V + + -d directory + -a + -i input_file + -o output_file + -s signature_file + -v + + + + + STATUS + This documentation is still work in progress. Please contribute to the initial review in Mozilla NSS bug 836477 + + + + + Description + + The Signature Verification Tool, signver, is a simple command-line utility that unpacks a base-64-encoded PKCS#7 signed object and verifies the digital signature using standard cryptographic techniques. The Signature Verification Tool can also display the contents of the signed object. + + + + Options + + + -A + Displays all of the information in the PKCS#7 signature. + + + -V + Verifies the digital signature. + + + -d directory + Specify the database directory which contains the certificates and keys. + signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format. + + + -a + Sets that the given signature file is in ASCII format. + + + -i input_file + Gives the input file for the object with signed data. + + + -o output_file + Gives the output file to which to write the results. + + + -s signature_file + Gives the input file for the digital signature. + + + -v + Enables verbose output. + + + + + + Extended Examples + Verifying a Signature + The option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file). +signver -V -s signature_file -i signed_file -d /home/my/sharednssdb + +signatureValid=yes + + + Printing Signature Data + + The option prints all of the information contained in a signature file. 
Using the option prints the signature file information to the given output file rather than stdout. + +signver -A -s signature_file -o output_file + + + +NSS Database Types +NSS originally used BerkeleyDB databases to store security information. +The last versions of these legacy databases are: + + + + cert8.db for certificates + + + + + key3.db for keys + + + + + secmod.db for PKCS #11 module information + + + + +BerkeleyDB has performance limitations, though, which prevent it from being easily used by multiple applications simultaneously. NSS has +some flexibility that allows applications to use their own, independent database engine while keeping a shared database and working around the access issues. Still, NSS +requires more flexibility to provide a truly shared security database. + +In 2009, NSS introduced a new set of databases that are SQLite databases rather than +BerkleyDB. These new databases provide more accessibility and performance: + + + + cert9.db for certificates + + + + + key4.db for keys + + + + + pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory + + + + +Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility. + +By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type +Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example: + +# signver -A -s signature -d dbm:/home/my/sharednssdb + +To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: +export NSS_DEFAULT_DB_TYPE="dbm" + +This line can be added to the ~/.bashrc file to make the change permanent for the user. 
+ + + + + https://wiki.mozilla.org/NSS_Shared_DB_Howto + + +For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: + + + + https://wiki.mozilla.org/NSS_Shared_DB + + + + + + + See Also + signtool (1) + + The NSS wiki has information on the new database design and how to configure applications to use it. + + + Setting up the shared NSS database + https://wiki.mozilla.org/NSS_Shared_DB_Howto + + + + Engineering and technical information about the shared NSS database + + + https://wiki.mozilla.org/NSS_Shared_DB + + + + + + + + Additional Resources + For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at http://www.mozilla.org/projects/security/pki/nss/. The NSS site relates directly to NSS code changes and releases. + Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto + IRC: Freenode at #dogtag-pki + + + + + Authors + The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>, Deon Lackey <dlackey@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + -- cgit v1.2.3
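Review bot: The synopsis names the wrong tool: the `refsynopsisdiv` block for this signver(1) page lists the command as `signtool` (`signtool -A -V -d directory -a -i input_file ...`), which will render a synopsis for a different NSS utility; it should read `signver`. Two other items in the same hunk are worth fixing before this leaves "work in progress" status: the environment-variable paragraph says to set NSS_DEFAULT_DB_TYPE to `dbm:` but the example line that follows is `export NSS_DEFAULT_DB_TYPE="dbm"` (no colon), so one of the two is wrong and the reader cannot tell which; and the sentence "By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type" is missing its terminating period and omits signver itself from the list of tools this page is about. Minor typos in the NSS Database Types section: "BerkleyDB" should be "BerkeleyDB", and "pkcs11.txt, which is listing of" should be "which is a listing of". The `-a` option description ("Sets that the given signature file is in ASCII format") would read better as "Specifies that the given signature file is in ASCII (base-64) format", matching the Description paragraph above it.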